changelog.xml

markt Wed, 18 Nov 2009 05:32:53 -0800

Author: markt
Date: Wed Nov 18 13:32:25 2009
New Revision: 881771

URL: http://svn.apache.org/viewvc?rev=881771&view=rev
Log:
Fix CVE-2009-3548
When installing using defaults, don't create an administrative user with a 
blank password
Note: This is already public - it was discussed on the users list. The formal 
announcement will go out shortly.
The patch also includes making the Manager and Host-Manager applications 
separately selectable with the addition of an administrative user only enabled 
if one of the manager apps is selected


Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/res/tomcat.nsi
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Wed Nov 18 13:32:25 2009
@@ -1 +1 @@
-/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770809,770876,772872,77
 
6921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,815972,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,831106,831774,831785,831828,831850,831860,832218,833121,833545,835036,835336
+/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,753039,757335,757774,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,770809,770876,772872,77
 
6921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,815972,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,831106,831774,831785,831828,831850,831860,832218,833121,833545,834047,835036,835336

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=881771&r1=881770&r2=881771&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Wed Nov 18 13:32:25 2009
@@ -358,23 +358,16 @@
   +1: kkolinko, markt
   -1:
 
-* Fix CVE-2009-3548 - Windows installer uses insecure default password
-  http://svn.apache.org/viewvc?rev=834047&view=rev
-  +1: markt, mturk, kkolinko
-  -1:
-
-  Additional patches:
-  (
+* Further improvements to Windows installer password handling
     http://svn.apache.org/viewvc?rev=836036&view=rev
     http://svn.apache.org/viewvc?rev=836045&view=rev
     http://svn.apache.org/viewvc?rev=836209&view=rev
-  )
   The following patch file is a combination of rev. 834047, 836036, 836045,
   836209:
   
http://people.apache.org/~kkolinko/patches/2009-11-14_Installer_password_tc6.patch
   +1: kkolinko
   -1:
-
+  +0: markt Combined patch needs to have 834047 removed and 881765 added
 
 * Disable TLS renegotiation be default with an option to re-enable it
   Based on Costin's patch for trunk with Mark's modifications

Modified: tomcat/tc6.0.x/trunk/res/tomcat.nsi
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/res/tomcat.nsi?rev=881771&r1=881770&r2=881771&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/res/tomcat.nsi (original)
+++ tomcat/tc6.0.x/trunk/res/tomcat.nsi Wed Nov 18 13:32:25 2009
@@ -99,7 +99,9 @@
 ;    LangString DESC_SecTomcatSource ${LANG_ENGLISH} "Install the Tomcat 
source code."
     LangString DESC_SecMenu ${LANG_ENGLISH} "Create a Start Menu program group 
for Tomcat."
     LangString DESC_SecDocs ${LANG_ENGLISH} "Install the Tomcat documentation 
bundle. This include documentation on the servlet container and its 
configuration options, on the Jasper JSP page compiler, as well as on the 
native webserver connectors."
-    LangString DESC_SecExamples ${LANG_ENGLISH} "Installs some examples web 
applications."
+    LangString DESC_SecManager ${LANG_ENGLISH} "Install the Tomcat Manager 
administrative web application."
+    LangString DESC_SecHostManager ${LANG_ENGLISH} "Install the Tomcat Host 
Manager administrative web application."
+    LangString DESC_SecExamples ${LANG_ENGLISH} "Install the Servlet and JSP 
example web applications."
     LangString DESC_SecAdmin ${LANG_ENGLISH} "Installs the administration web 
application.";
 ;    LangString DESC_SecWebapps ${LANG_ENGLISH} "Installs other utility web 
applications (WebDAV, balancer, etc)."
 
@@ -152,10 +154,6 @@
   File conf\*.*
   SetOutPath $INSTDIR\webapps\ROOT
   File /r webapps\ROOT\*.*
-  SetOutPath $INSTDIR\webapps\host-manager
-  File /r webapps\host-manager\*.*
-  SetOutPath $INSTDIR\webapps\manager
-  File /r webapps\manager\*.*
 
   Call configure
   Call findJavaPath
@@ -309,6 +307,26 @@
 
 SectionEnd
 
+Section "Manager" SecManager
+
+  SectionIn 1 3
+
+  SetOverwrite on
+  SetOutPath $INSTDIR\webapps\manager
+  File /r webapps\manager\*.*
+
+SectionEnd
+
+Section "Host Manager" SecHostManager
+
+  SectionIn 3
+
+  SetOverwrite on
+  SetOutPath $INSTDIR\webapps\host-manager
+  File /r webapps\host-manager\*.*
+
+SectionEnd
+
 Section "Examples" SecExamples
 
   SectionIn 3
@@ -386,7 +404,38 @@
 
 Function SetConfiguration
   !insertmacro MUI_HEADER_TEXT "$(TEXT_CONF_TITLE)" "$(TEXT_CONF_SUBTITLE)"
+
+  SectionGetFlags ${SecManager} $0
+  IntOp $0 $0 & ${SF_SELECTED}
+  IntCmp $0 0 0 Enable Enable
+  SectionGetFlags ${SecHostManager} $0
+  IntOp $0 $0 & ${SF_SELECTED}
+  IntCmp $0 0 Disable 0 0
+
+Enable:
+  ; Enable the user and password controls if the manager or host-manager app is
+  ; being installed
+  !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 5" "HWND"
+  !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "Flags" ""
+  EnableWindow $0 1
+  !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 7" "HWND"
+  !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "Flags" ""
+  EnableWindow $0 1
+  Goto Display
+
+Disable:
+  ; Disable the user and password controls if neither the manager nor
+  ; host-manager app is being installed
+  !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 5" "HWND"
+  !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 5" "Flags" 
"DISABLED"
+  EnableWindow $0 0
+  !insertmacro MUI_INSTALLOPTIONS_READ $0 "config.ini" "Field 7" "HWND"
+  !insertmacro MUI_INSTALLOPTIONS_WRITE "config.ini" "Field 7" "Flags" 
"DISABLED"
+  EnableWindow $0 0
+
+Display:
   !insertmacro MUI_INSTALLOPTIONS_DISPLAY "config.ini"
+
 FunctionEnd
 
 Function Void
@@ -404,6 +453,8 @@
 ;  !insertmacro MUI_DESCRIPTION_TEXT ${SecCompat} $(DESC_SecCompat)
   !insertmacro MUI_DESCRIPTION_TEXT ${SecMenu} $(DESC_SecMenu)
   !insertmacro MUI_DESCRIPTION_TEXT ${SecDocs} $(DESC_SecDocs)
+  !insertmacro MUI_DESCRIPTION_TEXT ${SecManager} $(DESC_SecManager)
+  !insertmacro MUI_DESCRIPTION_TEXT ${SecHostManager} $(DESC_SecHostManager)
   !insertmacro MUI_DESCRIPTION_TEXT ${SecExamples} $(DESC_SecExamples)
 ;  !insertmacro MUI_DESCRIPTION_TEXT ${SecAdmin} $(DESC_SecAdmin)
 ;  !insertmacro MUI_DESCRIPTION_TEXT ${SecWebapps} $(DESC_SecWebapps)
@@ -614,11 +665,13 @@
   Call xmlEscape
   Pop $R2
   
+  StrCmp $R1 "" +4 0  ; Blank user - do not add anything to tomcat-users.xml
+  StrCmp $R2 "" +3 0  ; Blank password - do not add anything to 
tomcat-users.xml
   StrCpy $R5 '<user name="$R1" password="$R2" roles="admin,manager" />'
-
+  DetailPrint 'Admin user added: "$R1"'
+  
 Silent:
   DetailPrint 'HTTP/1.1 Connector configured on port "$R0"'
-  DetailPrint 'Admin user added: "$R1"'
 
   SetOutPath $TEMP
   File /r confinstall

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=881771&r1=881770&r2=881771&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Nov 18 13:32:25 2009
@@ -534,6 +534,13 @@
         ${catalina.base}/lib/*.jar to the start of the common loader class
         path. (markt)
       </add>
+      <fix>
+        Correct CVE-2009-3548. When installed via the Windows installer and
+        using defaults, don't create an administrative user with a blank
+        password. Additionally, the administrative user is only created of the
+        manager or host-manager web applications are selected for installation.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
 </section>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r881771 - in /tomcat/tc6.0.x/trunk: ./ STATUS.txt res/tomcat.nsi webapps/docs/changelog.xml

Reply via email to