eb7ec9843b
- Fixed CVEs: * CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279) * CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1 clients (bsc#1188278) * CVE-2021-41079: Validate incoming TLS packet (bsc#1190558) - Added patches: * tomcat-9.0-CVE-2021-30640.patch * tomcat-9.0-CVE-2021-33037.patch * tomcat-9.0-CVE-2021-41079.patch OBS-URL: https://build.opensuse.org/request/show/928113 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=229
From d4b340fa8feaf55831f9a59350578f7b6ca048b8 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Wed, 3 Mar 2021 12:00:46 +0000
Subject: [PATCH] Improve robustness
---
.../apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 6 ++++--
webapps/docs/changelog.xml | 4 ++++
3 files changed, 9 insertions(+), 2 deletions(-)
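--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -17,6 +17,7 @@ engine.ciphersFailure=Failed getting cip
 engine.emptyCipherSuite=Empty cipher suite
 engine.engineClosed=Engine is closed
 engine.failedCipherSuite=Failed to enable cipher suite [{0}]
+engine.failedToReadAvailableBytes=There are plain text bytes available to read but no bytes were read
 engine.inboundClose=Inbound closed before receiving peer's close_notify
 engine.invalidBufferArray=offset: [{0}], length: [{1}] (expected: offset <= offset + length <= srcs.length [{2}])
 engine.invalidDestinationBuffersState=The state of the destination buffers changed concurrently while unwrapping bytes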
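--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -592,8 +592,10 @@ public final class OpenSSLEngine extends
 throw new SSLException(e);
 }
 
-if (bytesRead == 0) {
-break;
+if (bytesRead <= 0) {
+// This should not be possible. pendingApp is positive
+// therefore the read should have read at least one byte.
+throw new IllegalStateException(sm.getString("engine.failedToReadAvailableBytes"));
 }
 
 bytesProduced += bytesRead;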
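Review bot: The new guard reports a condition that peer input can drive as an unchecked `IllegalStateException`, while the read failure two lines above in the same method is reported as `SSLException`; callers that catch SSLException to tear down the connection will not see this one, so `throw new SSLException(sm.getString("engine.failedToReadAvailableBytes"));` would keep the error path uniform. The added comment says the case "should not be possible", but the old code only stopped on `bytesRead == 0` and let a negative value fall through to `bytesProduced += bytesRead`, and the commit description ties this patch to CVE-2021-41079 (invalid TLS packet), so the comment understates why the check matters; suggest rewording it along the lines of `// A non-positive return while pendingApp > 0 means the read failed; abort rather than keep looping.` Whether a negative return carries an OpenSSL error code that should be included in the message is not visible in the hunk. The enclosing method starts and ends outside the hunk.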
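--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -173,6 +173,10 @@
 the access log file, include information on the current user in the
 associated log message (markt)
 </fix>
+<fix>
+Make handling of OpenSSL read errors more robust when plain text data is
+reported to be available to read. (markt)
+</fix>
 </changelog>
 </subsection>
 <subsection name="Coyote">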