Accepting request 1112820 from home:mbussolotto:branches:Java:packages

- Fixed CVEs: * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666) - Added patches: * tomcat-9.0.75-CVE-2023-41080.patch OBS-URL: https://build.opensuse.org/request/show/1112820 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=272
2023-09-21 14:49:07 +00:00 · 2023-09-21 14:49:07 +00:00 · b2fc5bc4ae
commit b2fc5bc4ae
parent 1d620875c8
3 changed files with 51 additions and 0 deletions
--- a/tomcat-9.0.75-CVE-2023-41080.patch
+++ b/tomcat-9.0.75-CVE-2023-41080.patch
@ -0,0 +1,41 @@
+From 77c0ce2d169efa248b64b992e547aad549ec906b Mon Sep 17 00:00:00 2001
+From: Mark Thomas <markt@apache.org>
+Date: Tue, 22 Aug 2023 11:31:23 -0700
+Subject: [PATCH] Avoid protocol relative redirects
+
+---
+ .../apache/catalina/authenticator/FormAuthenticator.java    | 6 ++++++
+ webapps/docs/changelog.xml                                  | 3 +++
+ 2 files changed, 9 insertions(+)
+
+Index: apache-tomcat-9.0.75-src/java/org/apache/catalina/authenticator/FormAuthenticator.java
+===================================================================
+--- apache-tomcat-9.0.75-src.orig/java/org/apache/catalina/authenticator/FormAuthenticator.java
+++ apache-tomcat-9.0.75-src/java/org/apache/catalina/authenticator/FormAuthenticator.java
+@@ -747,6 +747,12 @@ public class FormAuthenticator extends A
+             sb.append('?');
+             sb.append(saved.getQueryString());
+         }
+
+        // Avoid protocol relative redirects
+        while (sb.length() > 1 && sb.charAt(1) == '/') {
+            sb.deleteCharAt(0);
+        }
+
+         return sb.toString();
+     }
+ }
+Index: apache-tomcat-9.0.75-src/webapps/docs/changelog.xml
+===================================================================
+--- apache-tomcat-9.0.75-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.75-src/webapps/docs/changelog.xml
+@@ -134,6 +134,9 @@
+         file locking protection or the manager servlet. Submitted
+         by Jack Shirazi. (remm)
+       </fix>
+      <fix>
+        Avoid protocol relative redirects in FORM authentication. (markt)
+      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Coyote">
--- a/tomcat.changes
+++ b/tomcat.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Sep 21 13:19:54 UTC 2023 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Fixed CVEs:
+  * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666)
+- Added patches:
+  * tomcat-9.0.75-CVE-2023-41080.patch
+
 -------------------------------------------------------------------
 Mon Sep 18 06:03:34 UTC 2023 - Fridrich Strba <fstrba@suse.com>

--- a/tomcat.spec
+++ b/tomcat.spec
@ -83,6 +83,7 @@ Patch5:         %{name}-%{major_version}.%{minor_version}-jdt.patch
 Patch6:         tomcat-9.0.75-secretRequired-default.patch
 Patch7:         tomcat-9.0-fix_catalina.patch
 Patch8:         tomcat-9.0-logrotate_everything.patch
+Patch9:         tomcat-9.0.75-CVE-2023-41080.patch
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
 BuildRequires:  apache-commons-collections
@ -255,6 +256,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1

 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl