From b2fc5bc4aedeff9edd3475e63de7277fd70ed3a70717b7827e47940c71fd64be Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 21 Sep 2023 14:49:07 +0000 Subject: [PATCH] Accepting request 1112820 from home:mbussolotto:branches:Java:packages - Fixed CVEs: * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666) - Added patches: * tomcat-9.0.75-CVE-2023-41080.patch OBS-URL: https://build.opensuse.org/request/show/1112820 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=272 --- tomcat-9.0.75-CVE-2023-41080.patch | 41 ++++++++++++++++++++++++++++++ tomcat.changes | 8 ++++++ tomcat.spec | 2 ++ 3 files changed, 51 insertions(+) create mode 100644 tomcat-9.0.75-CVE-2023-41080.patch diff --git a/tomcat-9.0.75-CVE-2023-41080.patch b/tomcat-9.0.75-CVE-2023-41080.patch new file mode 100644 index 0000000..6d54c25 --- /dev/null +++ b/tomcat-9.0.75-CVE-2023-41080.patch @@ -0,0 +1,41 @@ +From 77c0ce2d169efa248b64b992e547aad549ec906b Mon Sep 17 00:00:00 2001 +From: Mark Thomas +Date: Tue, 22 Aug 2023 11:31:23 -0700 +Subject: [PATCH] Avoid protocol relative redirects + +--- + .../apache/catalina/authenticator/FormAuthenticator.java | 6 ++++++ + webapps/docs/changelog.xml | 3 +++ + 2 files changed, 9 insertions(+) + +Index: apache-tomcat-9.0.75-src/java/org/apache/catalina/authenticator/FormAuthenticator.java +=================================================================== +--- apache-tomcat-9.0.75-src.orig/java/org/apache/catalina/authenticator/FormAuthenticator.java ++++ apache-tomcat-9.0.75-src/java/org/apache/catalina/authenticator/FormAuthenticator.java +@@ -747,6 +747,12 @@ public class FormAuthenticator extends A + sb.append('?'); + sb.append(saved.getQueryString()); + } ++ ++ // Avoid protocol relative redirects ++ while (sb.length() > 1 && sb.charAt(1) == '/') { ++ sb.deleteCharAt(0); ++ } ++ + return sb.toString(); + } + } +Index: apache-tomcat-9.0.75-src/webapps/docs/changelog.xml +=================================================================== +--- apache-tomcat-9.0.75-src.orig/webapps/docs/changelog.xml ++++ apache-tomcat-9.0.75-src/webapps/docs/changelog.xml +@@ -134,6 +134,9 @@ + file locking protection or the manager servlet. Submitted + by Jack Shirazi. (remm) + ++ ++ Avoid protocol relative redirects in FORM authentication. (markt) ++ + + + diff --git a/tomcat.changes b/tomcat.changes index 03c9fe6..a342904 100644 --- a/tomcat.changes +++ b/tomcat.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Thu Sep 21 13:19:54 UTC 2023 - Michele Bussolotto + +- Fixed CVEs: + * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666) +- Added patches: + * tomcat-9.0.75-CVE-2023-41080.patch + ------------------------------------------------------------------- Mon Sep 18 06:03:34 UTC 2023 - Fridrich Strba diff --git a/tomcat.spec b/tomcat.spec index 6d83a5d..caa07c3 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -83,6 +83,7 @@ Patch5: %{name}-%{major_version}.%{minor_version}-jdt.patch Patch6: tomcat-9.0.75-secretRequired-default.patch Patch7: tomcat-9.0-fix_catalina.patch Patch8: tomcat-9.0-logrotate_everything.patch +Patch9: tomcat-9.0.75-CVE-2023-41080.patch BuildRequires: ant >= 1.8.1 BuildRequires: ant-antlr BuildRequires: apache-commons-collections @@ -255,6 +256,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch6 -p1 %patch7 -p1 %patch8 -p1 +%patch9 -p1 # remove date from docs sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl