debian/0000755000000000000000000000000013357144265007200 5ustar debian/javaxpoms/0000755000000000000000000000000013067502611011177 5ustar debian/javaxpoms/servlet-api.pom0000644000000000000000000000351213067437273014163 0ustar 4.0.0 javax.servlet servlet-api @MAVEN.DEPLOY.VERSION@ javax.servlet package http://tomcat.apache.org/ Apache License, Version 2.0 and Common Development And Distribution License (CDDL) Version 1.0 http://www.apache.org/licenses/LICENSE-2.0.txt and http://www.opensource.org/licenses/cddl1.txt repo The Apache License, version 2.0 applies to all files apart from javaee_5.xsd, javaee_web_services_1_2.xsd, javaee_web_services_client_1_2.xsd, javaee_6.xsd, javaee_web_services_1_3.xsd, javaee_web_services_client_1_3.xsd, web-app_3_0.xsd, web-common_3_0.xsd, web-fragment_3_0.xsd to which the CDDL version 1.0 applies. debian/javaxpoms/el-api.pom0000644000000000000000000000242013067437273013074 0ustar 4.0.0 javax.el el-api @MAVEN.DEPLOY.VERSION@ Expression language package http://tomcat.apache.org/ Apache License, Version 2.0 http://www.apache.org/licenses/LICENSE-2.0.txt repo debian/javaxpoms/jsp-api.pom0000644000000000000000000000373613067502611013270 0ustar 4.0.0 javax.servlet.jsp jsp-api @MAVEN.DEPLOY.VERSION@ JSP package http://tomcat.apache.org/ Apache License, Version 2.0 and Common Development And Distribution License (CDDL) Version 1.0 http://www.apache.org/licenses/LICENSE-2.0.txt and http://www.opensource.org/licenses/cddl1.txt repo The Apache License, version 2.0 applies to all files apart from jsp_2_2.xsd to which the CDDL version 1.0 applies. javax.el el-api @MAVEN.DEPLOY.VERSION@ compile javax.servlet servlet-api 3.0 compile debian/tomcat7.init0000644000000000000000000001764413067502611011446 0ustar #!/bin/sh # # /etc/init.d/tomcat7 -- startup script for the Tomcat 6 servlet engine # # Written by Miquel van Smoorenburg . # Modified for Debian GNU/Linux by Ian Murdock . # Modified for Tomcat by Stefan Gybas . 
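# Modified for Tomcat6 by Thierry Carrez.
# Modified for Tomcat7 by Ernesto Hernandez-Novich.
# Additional improvements by Jason Brittain.
#
### BEGIN INIT INFO
# Provides:          tomcat7
# Required-Start:    $local_fs $remote_fs $network
# Required-Stop:     $local_fs $remote_fs $network
# Should-Start:      $named
# Should-Stop:       $named
# Default-Start:     2 3 4 5
# Default-Stop:      0 1 6
# Short-Description: Start Tomcat.
# Description:       Start the Tomcat servlet engine.
### END INIT INFO

set -e

PATH=/bin:/usr/bin:/sbin:/usr/sbin
NAME=tomcat7
DESC="Tomcat servlet engine"
DEFAULT=/etc/default/$NAME
# Scratch directory handed to the JVM (used as CATALINA_TMPDIR unless
# $DEFAULT sets one).  It is removed and recreated by root on every
# start and removed again on stop, so nothing persistent may live there.
JVM_TMP=/tmp/tomcat7-$NAME-tmp

if [ "$(id -u)" -ne 0 ]; then
  echo "You need root privileges to run this script"
  exit 1
fi

# Make sure tomcat is started with system locale
if [ -r /etc/default/locale ]; then
  . /etc/default/locale
  export LANG
fi

. /lib/lsb/init-functions

if [ -r /etc/default/rcS ]; then
  . /etc/default/rcS
fi

# The following variables can be overwritten in $DEFAULT

# Run Tomcat 7 as this user ID and group ID
TOMCAT7_USER=tomcat7
TOMCAT7_GROUP=tomcat7

#######################################
# Collect installed OpenJDK directories.
# This is a work-around until there is a suitable runtime replacement
# for dpkg-architecture for arch:all packages.
# Globals:   OPENJDKS (written): the last java-7-openjdk-* directory in
#            glob order (each match overwrites the previous one),
#            followed by every java-6-openjdk-* directory.
# Arguments: none
# Returns:   0
#######################################
find_openjdks() {
  for jvmdir in /usr/lib/jvm/java-7-openjdk-*; do
    if [ -d "${jvmdir}" ] && [ "${jvmdir}" != "/usr/lib/jvm/java-7-openjdk-common" ]; then
      OPENJDKS=$jvmdir
    fi
  done
  for jvmdir in /usr/lib/jvm/java-6-openjdk-*; do
    if [ -d "${jvmdir}" ] && [ "${jvmdir}" != "/usr/lib/jvm/java-6-openjdk-common" ]; then
      OPENJDKS="${OPENJDKS} ${jvmdir}"
    fi
  done
}

OPENJDKS=""
find_openjdks

# The first existing directory is used for JAVA_HOME (if JAVA_HOME is not
# defined in $DEFAULT)
JDK_DIRS="/usr/lib/jvm/default-java ${OPENJDKS} /usr/lib/jvm/java-6-openjdk /usr/lib/jvm/java-6-sun /usr/lib/jvm/java-7-oracle"

# Look for the right JVM to use.  JDK_DIRS is deliberately unquoted: it
# is a space-separated list and word splitting is what we want here.
for jdir in $JDK_DIRS; do
  if [ -r "$jdir/bin/java" ] && [ -z "${JAVA_HOME}" ]; then
    JAVA_HOME="$jdir"
  fi
done
export JAVA_HOME

# Directory where the Tomcat 7 binary distribution resides
CATALINA_HOME=/usr/share/$NAME

# Directory for per-instance configuration files and webapps
CATALINA_BASE=/var/lib/$NAME

# Use the Java security manager? (yes/no)
TOMCAT7_SECURITY=no

# Default Java options
# Set java.awt.headless=true if JAVA_OPTS is not set so the
# Xalan XSL transformer can work without X11 display on JDK 1.4+
# It also looks like the default heap size of 64M is not enough for most cases
# so the maximum heap size is set to 128M
if [ -z "$JAVA_OPTS" ]; then
  JAVA_OPTS="-Djava.awt.headless=true -Xmx128M"
fi

# End of variables that can be overwritten in $DEFAULT

# overwrite settings from default file
if [ -f "$DEFAULT" ]; then
  . "$DEFAULT"
fi

if [ ! -f "$CATALINA_HOME/bin/bootstrap.jar" ]; then
  log_failure_msg "$NAME is not installed"
  exit 1
fi

POLICY_CACHE="$CATALINA_BASE/policy/catalina.policy"

if [ -z "$CATALINA_TMPDIR" ]; then
  CATALINA_TMPDIR="$JVM_TMP"
fi

# Set the JSP compiler if set in the tomcat7.default file.  The literal
# double quotes are escaped again by catalina_sh before the value is
# embedded in the bash -c command string.
if [ -n "$JSP_COMPILER" ]; then
  JAVA_OPTS="$JAVA_OPTS -Dbuild.compiler=\"$JSP_COMPILER\""
fi

SECURITY=""
if [ "$TOMCAT7_SECURITY" = "yes" ]; then
  SECURITY="-security"
fi

# Define other required variables
CATALINA_PID="/var/run/$NAME.pid"
CATALINA_SH="$CATALINA_HOME/bin/catalina.sh"

# Look for Java Secure Sockets Extension (JSSE) JARs
if [ -z "${JSSE_HOME}" ] && [ -r "${JAVA_HOME}/jre/lib/jsse.jar" ]; then
  JSSE_HOME="${JAVA_HOME}/jre/"
fi

#######################################
# Run catalina.sh as $TOMCAT7_USER through start-stop-daemon.
# Globals:   reads AUTHBIND, DEFAULT, JAVA_HOME, CATALINA_HOME,
#            CATALINA_BASE, CATALINA_PID, CATALINA_TMPDIR, CATALINA_SH,
#            LANG, JSSE_HOME, TOMCAT7_USER, TOMCAT7_GROUP;
#            rewrites JAVA_OPTS with embedded double quotes escaped.
# Arguments: the catalina.sh arguments, e.g. "start" or "start -security"
# Outputs:   creates $CATALINA_BASE/logs/catalina.out and $CATALINA_PID
#            if missing
# Returns:   exit status of start-stop-daemon
#######################################
catalina_sh() {
  # Escape any double quotes in the value of JAVA_OPTS, because it is
  # embedded in a double-quoted bash -c string below.  printf rather
  # than an unquoted echo: echo would interpret backslashes (or a
  # leading -n/-e) and the unquoted expansion collapsed whitespace.
  JAVA_OPTS="$(printf '%s\n' "$JAVA_OPTS" | sed 's/\"/\\\"/g')"

  AUTHBIND_COMMAND=""
  if [ "$AUTHBIND" = "yes" ] && [ "$1" = "start" ]; then
    AUTHBIND_COMMAND="/usr/bin/authbind --deep /bin/bash -c "
  fi

  # Define the command to run Tomcat's catalina.sh as a daemon
  # set -a tells sh to export assigned variables to spawned shells.
  # "$*" joins this function's arguments with single spaces; the child
  # bash re-splits them into catalina.sh's arguments.
  TOMCAT_SH="set -a; JAVA_HOME=\"$JAVA_HOME\"; source \"$DEFAULT\"; \
    CATALINA_HOME=\"$CATALINA_HOME\"; \
    CATALINA_BASE=\"$CATALINA_BASE\"; \
    JAVA_OPTS=\"$JAVA_OPTS\"; \
    CATALINA_PID=\"$CATALINA_PID\"; \
    CATALINA_TMPDIR=\"$CATALINA_TMPDIR\"; \
    LANG=\"$LANG\"; JSSE_HOME=\"$JSSE_HOME\"; \
    cd \"$CATALINA_BASE\"; \
    \"$CATALINA_SH\" $*"

  # With authbind the whole command becomes one single-quoted argument of
  # the inner "bash -c"; a single quote inside any of the values above
  # (e.g. in JAVA_OPTS) would break that form.
  if [ "$AUTHBIND" = "yes" ] && [ "$1" = "start" ]; then
    TOMCAT_SH="'$TOMCAT_SH'"
  fi

  # Run the catalina.sh script as a daemon
  set +e
  if [ ! -f "$CATALINA_BASE"/logs/catalina.out ]; then
    # run install as tomcat7 to work around #841371
    su "$TOMCAT7_USER" -s /bin/bash -c "install -m 644 /dev/null \"$CATALINA_BASE/logs/catalina.out\""
  fi
  # The pid file is pre-created owned by the service user so that
  # catalina.sh (running unprivileged) can write the pid into it.
  install -o "$TOMCAT7_USER" -g adm -m 644 /dev/null "$CATALINA_PID"
  start-stop-daemon --start -b -u "$TOMCAT7_USER" -g "$TOMCAT7_GROUP" \
    -c "$TOMCAT7_USER" -d "$CATALINA_TMPDIR" -p "$CATALINA_PID" \
    -x /bin/bash -- -c "$AUTHBIND_COMMAND $TOMCAT_SH"
  status="$?"
  set +a -e
  return $status
}

case "$1" in
  start)
    if [ -z "$JAVA_HOME" ]; then
      log_failure_msg "no JDK or JRE found - please set JAVA_HOME"
      exit 1
    fi

    if [ ! -d "$CATALINA_BASE/conf" ]; then
      log_failure_msg "invalid CATALINA_BASE: $CATALINA_BASE"
      exit 1
    fi

    log_daemon_msg "Starting $DESC" "$NAME"
    # "--test --start" succeeds only when no process is running under the
    # pid file, i.e. when a start is actually needed.
    if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
      --user "$TOMCAT7_USER" --exec "$JAVA_HOME/bin/java" \
      >/dev/null; then

      # Regenerate POLICY_CACHE file.  umask 022: the policy cache and
      # the JVM temp dir are world-readable but writable only by owner.
      umask 022
      rm -rf "$CATALINA_BASE/policy"
      mkdir "$CATALINA_BASE/policy"
      echo "// AUTO-GENERATED FILE from /etc/tomcat7/policy.d/" \
        > "$POLICY_CACHE"
      echo "" >> "$POLICY_CACHE"
      # Glob intentionally outside the quotes; under set -e a policy.d
      # without any *.policy file aborts the start here.
      cat "$CATALINA_BASE"/conf/policy.d/*.policy \
        >> "$POLICY_CACHE"

      # Remove / recreate JVM_TMP directory
      rm -rf "$JVM_TMP"
      mkdir "$JVM_TMP" || {
        log_failure_msg "could not create JVM temporary directory"
        exit 1
      }
      chown -h "$TOMCAT7_USER" "$JVM_TMP"

      # $SECURITY is unquoted on purpose: empty means "no extra argument".
      catalina_sh start $SECURITY
      sleep 5
      # If a start would still succeed after 5s, Tomcat did not come up.
      if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
        --user "$TOMCAT7_USER" --exec "$JAVA_HOME/bin/java" \
        >/dev/null; then
        if [ -f "$CATALINA_PID" ]; then
          rm -f "$CATALINA_PID"
        fi
        log_end_msg 1
      else
        log_end_msg 0
      fi
    else
      log_progress_msg "(already running)"
      log_end_msg 0
    fi
    ;;
  stop)
    log_daemon_msg "Stopping $DESC" "$NAME"

    set +e
    if [ -f "$CATALINA_PID" ]; then
      start-stop-daemon --stop --pidfile "$CATALINA_PID" \
        --user "$TOMCAT7_USER" \
        --retry=TERM/20/KILL/5 >/dev/null
      # Capture the status once: every [ ] test resets $?, so testing
      # $? a second time compared the result of the first test instead
      # of start-stop-daemon's, and the failure branch was unreachable.
      rv=$?
      if [ "$rv" -eq 1 ]; then
        log_progress_msg "$DESC is not running but pid file exists, cleaning up"
      elif [ "$rv" -ne 0 ]; then
        # 2: retry schedule exhausted and the process is still alive;
        # 3: any other start-stop-daemon error.  Keep the pid file.
        PID=$(cat "$CATALINA_PID")
        log_failure_msg "Failed to stop $NAME (pid $PID)"
        exit 1
      fi
      rm -f "$CATALINA_PID"
      rm -rf "$JVM_TMP"
    else
      log_progress_msg "(not running)"
    fi
    log_end_msg 0
    set -e
    ;;
  status)
    set +e
    start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
      --user "$TOMCAT7_USER" --exec "$JAVA_HOME/bin/java" \
      >/dev/null 2>&1
    if [ "$?" = "0" ]; then
      # LSB status codes: 1 = dead but pid file exists, 3 = not running.
      if [ -f "$CATALINA_PID" ]; then
        log_success_msg "$DESC is not running, but pid file exists."
        exit 1
      else
        log_success_msg "$DESC is not running."
        exit 3
      fi
    else
      log_success_msg "$DESC is running with pid $(cat "$CATALINA_PID")"
    fi
    set -e
    ;;
  restart|force-reload)
    if [ -f "$CATALINA_PID" ]; then
      "$0" stop
      sleep 1
    fi
    "$0" start
    ;;
  try-restart)
    # NOTE(review): LSB defines try-restart as "restart only if already
    # running"; this branch instead starts Tomcat only when it is NOT
    # running.  Behaviour kept as-is.
    if start-stop-daemon --test --start --pidfile "$CATALINA_PID" \
      --user "$TOMCAT7_USER" --exec "$JAVA_HOME/bin/java" \
      >/dev/null; then
      "$0" start
    fi
    ;;
  *)
    log_success_msg "Usage: $0 {start|stop|restart|try-restart|force-reload|status}"
    exit 1
    ;;
esac

exit 0
debian/tomcat7.templates0000644000000000000000000000172413067437273012504 0ustar Template: tomcat7/username Type: string Default: tomcat7 _Description: Dedicated system account for the tomcat7 daemon: The tomcat7 server must use a dedicated account for its operation so that the system's security is not compromised by running it with superuser privileges. Template: tomcat7/groupname Type: string Default: tomcat7 _Description: Dedicated system group for the tomcat7 daemon: The tomcat7 server must use a dedicated group for its operation so that the system's security is not compromised by running it with superuser privileges. Template: tomcat7/javaopts Type: string Default: -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC _Description: Please choose the tomcat7 JVM Java options: Tomcat's JVM will be launched with a specific set of Java options. . Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:+CMSIncrementalMode option if you run Tomcat on a machine with exactly one CPU chip that contains one or two cores.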
debian/setenv.sh0000644000000000000000000000132213067502611011025 0ustar #!/bin/sh # CATALINA_HOME=/usr/share/tomcat7 # The first existing directory is used for JAVA_HOME (if JAVA_HOME is not # defined in $DEFAULT) JDK_DIRS="/usr/lib/jvm/java-6-openjdk /usr/lib/jvm/java-6-sun /usr/lib/jvm/java-1.5.0-sun /usr/lib/j2sdk1.5-sun /usr/lib/j2sdk1.5-ibm" # Look for the right JVM to use for jdir in $JDK_DIRS; do if [ -r "$jdir/bin/java" -a -z "${JAVA_HOME}" ]; then JAVA_HOME_TMP="$jdir" # checks for a real JDK like environment, needed to check if # really the java-gcj-compat-dev package is installed if [ -r "$jdir/bin/jdb" ]; then JAVA_HOME="$JAVA_HOME_TMP" fi fi done # Default Java options if [ -z "$JAVA_OPTS" ]; then JAVA_OPTS="-Djava.awt.headless=true -Xmx128M" fi debian/tomcat7-common.links0000644000000000000000000000067513067437273013120 0ustar /usr/share/java/tomcat-juli.jar /usr/share/tomcat7/bin/tomcat-juli.jar /usr/share/java/commons-dbcp.jar /usr/share/tomcat7/lib/commons-dbcp.jar /usr/share/java/commons-pool.jar /usr/share/tomcat7/lib/commons-pool.jar /usr/share/java/tomcat-el-api-2.2.jar /usr/share/tomcat7/lib/el-api.jar /usr/share/java/tomcat-jsp-api-2.2.jar /usr/share/tomcat7/lib/jsp-api.jar /usr/share/java/tomcat-servlet-api-3.0.jar /usr/share/tomcat7/lib/servlet-api.jar debian/README.Debian0000644000000000000000000000366713067437273011257 0ustar Getting started: * After installing the tomcat7 package, the server should be accessible at http://localhost:8080/ * If you install tomcat7-admin, then you need to edit /etc/tomcat7/tomcat-users.xml and add to it the following: Tomcat administration will be accessible on http://localhost:8080/manager/html * Tomcat is not running under a Java security manager by default. 
If you expose your Tomcat instance to the internet, please consider editing your /etc/default/tomcat7 file and set TOMCAT7_SECURITY="yes", then adjust policy files in /etc/tomcat7/policy.d/ as explained in http://tomcat.apache.org/tomcat-7.0-doc/security-manager-howto.html * To run more than one Tomcat instance on your server, install the package tomcat7-user and run the tomcat7-instance-create utility. You should remove the tomcat7 package if you don't want Tomcat to start as a daemon at boot time. * If you configure your Tomcat to listen on one or more privileged ports (such as port 80 or port 443), then you may now enable authbind in your /etc/default/tomcat7 file. The authbind package can allow your Tomcat JVM user (a non-root user) to listen on privileged ports. Set AUTHBIND="yes" to enable it, and then configure your Tomcat to listen on any port number you wish. See the "man authbind" for information on configuring authbind. Deviations from upstream's tomcat7: * In order to prevent library duplication, this version of tomcat does not provide tomcat-dbcp.jar. Instead, it uses the lightweight, scalable JDBC Pool implementation provided as part of tomcat7. This also means that libtomcat7-java does not provide the tomcat-dbcp.pom for the local maven-repo. 
For more information and rationale, see: https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/283852 debian/tomcat7-user.install0000644000000000000000000000035713067437273013131 0ustar conf/*.xml /usr/share/tomcat7/skel/conf/ conf/catalina.properties /usr/share/tomcat7/skel/conf/ debian/logging.properties /usr/share/tomcat7/skel/conf/ debian/tomcat7-instance-create /usr/bin/ debian/setenv.sh /usr/share/tomcat7/skel/bin/ debian/maven.publishedRules0000644000000000000000000000044213067437273013224 0ustar # Convert tomcat version of the standard apis to the javax apis s/org.apache.tomcat/javax.servlet/ s/tomcat-servlet-api/servlet-api/ jar s/.*/3.0/ s/org.apache.tomcat/javax.servlet/ s/tomcat-jsp-api/jsp-api/ jar s/.*/2.2/ s/org.apache.tomcat/javax.el/ s/tomcat-el-api/el-api/ jar s/.*/2.2/ debian/rules0000755000000000000000000001761613067502611010262 0ustar #!/usr/bin/make -f JAVA_HOME := /usr/lib/jvm/default-java JAVA_CMD := $(JAVA_HOME)/bin/java BLDLIB := output/build/lib BLDBIN := output/build/bin DEB_JARS_BASE := /usr/share/java DEB_JARS := ant ant-launcher ant-trax ant-nodeps ant-junit4 ant-junit junit4 hamcrest-1.3 DEB_CLASSPATH = $(shell for jar in $(DEB_JARS); do \ if [ -f "$$jar" ]; then echo -n "$${jar}:"; fi; \ if [ -f "$$jar".jar ]; then echo -n "$${jar}.jar:"; fi; \ if [ -f $(DEB_JARS_BASE)/"$$jar" ]; then \ echo -n "$(DEB_JARS_BASE)/$${jar}:"; fi; \ if [ -f $(DEB_JARS_BASE)/"$$jar".jar ]; then \ echo -n "$(DEB_JARS_BASE)/$${jar}.jar:"; fi; \ done; \ if [ -f "$(JAVA_HOME)/lib/tools.jar" ]; then \ echo -n "$(JAVA_HOME)/lib/tools.jar"; fi) T_VER := $(shell dpkg-parsechangelog | egrep '^Version:' \ | cut -f 2 -d ' ' | cut -f 2 -d ' '|sed 's/-[^-]*$$//') T_JARS := tomcat-i18n-fr tomcat-i18n-es tomcat-i18n-ja catalina-ant T_MAVENIZED_JARS := jasper-el annotations-api jasper catalina-ha catalina T_VER_MAJOR := $(shell echo $(T_VER) | cut -d'.' -f1) T_VER_MINOR := $(shell echo $(T_VER) | cut -d'.' -f2) T_VER_BUILD := $(shell echo $(T_VER) | cut -d'.' 
-f3) # root webapp file locations (during the build) RWLOC := debian/default_root RWFILES := $(RWLOC)/index.html $(RWLOC)/META-INF/context.xml # Add distribution.name as system property to grab it when showing version TOMCAT7_DISTRIBUTION := "$(shell lsb_release -si)" ANT_ARGS := -Dcompile.debug=true \ -Dant.build.javac.source=1.6 \ -Dant.build.javac.target=1.6 \ -Djdt.jar=/usr/share/java/ecj.jar \ -Djunit.jar=/usr/share/java/junit4.jar \ -Dhamcrest.jar=/usr/share/java/hamcrest-core.jar \ -Dversion=$(T_VER) \ -Dversion.major="$(T_VER_MAJOR)" \ -Dversion.minor="$(T_VER_MINOR)" \ -Dversion.build="$(T_VER_BUILD)" \ -Dversion.patch="0" \ -Ddistribution.name=$(TOMCAT7_DISTRIBUTION) \ -Dversion.suffix="" ifneq (,$(findstring noopt,$(DEB_BUILD_OPTIONS))) ANT_ARGS += -Dcompile.optimize=false else ANT_ARGS += -Dcompile.optimize=true endif ANT_INVOKE := $(JAVA_CMD) -classpath "$(DEB_CLASSPATH)" \ org.apache.tools.ant.Main $(ANT_ARGS) build: build-arch build-indep build-arch: build-stamp build-indep: build-stamp build-stamp: dh_testdir ifeq (,$(findstring nocheck, $(DEB_BUILD_OPTIONS))) mkdir -p webapps/examples/WEB-INF/lib cp /usr/share/java/jstl1.1.jar webapps/examples/WEB-INF/lib/jstl.jar cp /usr/share/java/standard.jar webapps/examples/WEB-INF/lib/standard.jar $(ANT_INVOKE) deploy test else $(ANT_INVOKE) deploy endif javadoc -subpackages "javax.servlet" -d "output/api" \ -sourcepath "java" -author -version -breakiterator \ -windowtitle "Tomcat API Documentation" -doctitle "Tomcat API" \ -bottom "Copyright © 2000-2013 Apache Software Foundation. All Rights Reserved." 
touch build-stamp clean: dh_testdir dh_testroot -$(ANT_INVOKE) clean rm -rf "output/" rm -rf webapps/examples/WEB-INF/lib/*.jar rm -f build-stamp modules/jdbc-pool/output/resources/MANIFEST.MF rm -f debian/tomcat7.postrm dh_clean mh_clean install: build dh_testdir dh_testroot dh_prep dh_installdirs binary-indep: build install dh_testdir dh_testroot dh_installchangelogs dh_installdocs dh_installman -ptomcat7-user debian/tomcat7-instance-create.1 dh_installexamples dh_installinit --error-handler=true -- defaults 92 08 dh_installdebconf dh_installcron mkdir -p debian/poms cp res/maven/*.pom debian/poms perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/3.0/' \ debian/poms/tomcat-servlet-api.pom perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/3.0/' \ debian/javaxpoms/servlet-api.pom perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/2.2/' \ debian/poms/tomcat-el-api.pom perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/2.2/' \ debian/javaxpoms/el-api.pom perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/2.2/' \ debian/poms/tomcat-jsp-api.pom perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/2.2/' \ debian/javaxpoms/jsp-api.pom perl -p -i -e 's/\@MAVEN.DEPLOY.VERSION\@/$(T_VER)/' \ debian/poms/*.pom mh_installpoms -plibtomcat7-java for i in $(T_MAVENIZED_JARS); \ do \ mh_installjar -plibtomcat7-java -l \ debian/poms/tomcat-$$i.pom \ $(BLDLIB)/$$i.jar \ usr/share/tomcat7/lib/$$i.jar; \ done mh_installjar -plibtomcat7-java -l --usj-name=catalina-tribes \ debian/poms/tomcat-tribes.pom \ $(BLDLIB)/catalina-tribes.jar \ usr/share/tomcat7/lib/catalina-tribes.jar mh_installjar -plibtomcat7-java -l --usj-name=tomcat-api \ debian/poms/tomcat-api.pom \ $(BLDLIB)/tomcat-api.jar \ usr/share/tomcat7/lib/tomcat-api.jar mh_installjar -plibtomcat7-java -l --usj-name=tomcat-coyote \ debian/poms/tomcat-coyote.pom \ $(BLDLIB)/tomcat-coyote.jar \ usr/share/tomcat7/lib/tomcat-coyote.jar mh_installjar -plibtomcat7-java -l --usj-name=tomcat-juli \ debian/poms/tomcat-juli.pom \ $(BLDBIN)/tomcat-juli.jar mh_installjar -plibtomcat7-java -l 
--usj-name=tomcat-util \ debian/poms/tomcat-util.pom \ $(BLDLIB)/tomcat-util.jar \ usr/share/tomcat7/lib/tomcat-util.jar mh_installjar -plibtomcat7-java -l --usj-name=tomcat-jdbc \ debian/poms/tomcat-jdbc.pom \ output/jdbc-pool/tomcat-jdbc.jar \ usr/share/tomcat7/lib/tomcat-jdbc.jar for i in $(T_JARS); do \ mv $(BLDLIB)/$$i.jar $(BLDLIB)/$$i-$(T_VER).jar && \ dh_install -plibtomcat7-java \ $(BLDLIB)/$$i-$(T_VER).jar usr/share/java && \ dh_link -plibtomcat7-java usr/share/java/$$i-$(T_VER).jar \ usr/share/java/$$i.jar && \ dh_link -ptomcat7-common usr/share/java/$$i-$(T_VER).jar \ usr/share/tomcat7/lib/$$i.jar; done dh_install --exclude=.bat --exclude=Thumbs.db dh_link mh_installpoms -plibservlet3.0-java mh_installjar -plibservlet3.0-java -l -s \ debian/poms/tomcat-servlet-api.pom \ output/build/lib/servlet-api.jar mh_installjar -plibservlet3.0-java -l -s \ debian/javaxpoms/servlet-api.pom \ output/build/lib/servlet-api.jar mh_installjar -plibservlet3.0-java -l -s \ debian/poms/tomcat-jsp-api.pom \ output/build/lib/jsp-api.jar mh_installjar -plibservlet3.0-java -l -s \ debian/javaxpoms/jsp-api.pom \ output/build/lib/jsp-api.jar mh_installjar -plibservlet3.0-java -l -s \ debian/poms/tomcat-el-api.pom \ output/build/lib/el-api.jar mh_installjar -plibservlet3.0-java -l -s \ debian/javaxpoms/el-api.pom \ output/build/lib/el-api.jar rm -r debian/poms rm -rf \ debian/tomcat7/usr/share/tomcat7/webapps/default_root/.svn \ debian/tomcat7/usr/share/tomcat7/webapps/default_root/META-INF/.svn chmod a+x debian/tomcat7-common/usr/share/tomcat7/bin/*.sh chmod a+x debian/tomcat7-user/usr/bin/tomcat7-instance-create chmod a+x debian/tomcat7-user/usr/share/tomcat7/skel/bin/*.sh # update the checksum for the root webapp unset rwmd5sum \ && rwmd5sum=`cat $(RWFILES) | md5sum - 2>/dev/null | cut -d " " -f1` \ && sed "s/\@ROOT_WEBAPP_MD5SUM\@/$$rwmd5sum/" debian/tomcat7.postrm.in > debian/tomcat7.postrm jh_manifest dh_compress dh_fixperms # Make the /etc/tomcat7/Catalina/localhost 
directory writable by the tomcat user for PACKAGE in tomcat7 tomcat7-admin tomcat7-docs tomcat7-examples; do \ chmod 775 --verbose debian/$$PACKAGE/etc/tomcat7/Catalina/localhost; \ done dh_installdeb dh_gencontrol dh_md5sums dh_builddeb binary-arch: build install binary: binary-indep binary-arch get-orig-source: -uscan --download-version $(T_VER) --force-download --rename .PHONY: build clean binary-indep binary-arch binary install get-orig-source debian/tomcat7-common.docs0000644000000000000000000000003213067437273012713 0ustar RELEASE-NOTES RUNNING.txt debian/logrotate.template0000644000000000000000000000016613067437273012742 0ustar /var/log/tomcat7/catalina.out { copytruncate weekly rotate 52 compress missingok create 640 tomcat7 adm } debian/control0000644000000000000000000001330013067502611010567 0ustar Source: tomcat7 Section: java Priority: optional Maintainer: Ubuntu Developers XSBC-Original-Maintainer: Debian Java Maintainers Uploaders: James Page , Miguel Landaeta , tony mancill , Jakub Adam Build-Depends: default-jdk, ant-optional, debhelper (>= 9), po-debconf, libhamcrest-java (>= 1.3) Build-Depends-Indep: maven-repo-helper, libecj-java, javahelper, junit4, libjstl1.1-java, libjakarta-taglibs-standard-java, lsb-release Standards-Version: 3.9.5 Vcs-Git: git://anonscm.debian.org/pkg-java/tomcat7.git Vcs-Browser: http://anonscm.debian.org/gitweb/?p=pkg-java/tomcat7.git Homepage: http://tomcat.apache.org Package: tomcat7-common Architecture: all Depends: libtomcat7-java (>= ${source:Version}), ${misc:Depends}, default-jre-headless | java6-runtime-headless | java6-runtime | java-6-runtime Description: Servlet and JSP engine -- common files Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run. . This package contains common files needed by the tomcat7 and tomcat7-user packages (Tomcat 6 scripts and libraries). 
Package: tomcat7 Architecture: all Depends: tomcat7-common (>= ${source:Version}), ucf, adduser, ${misc:Depends} Recommends: authbind Suggests: tomcat7-docs (>= ${source:Version}), tomcat7-admin (>= ${source:Version}), tomcat7-examples (>= ${source:Version}), tomcat7-user (>= ${source:Version}), libtcnative-1 (>= 1.1.24) Description: Servlet and JSP engine Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run. . This package contains only the startup scripts for the system-wide daemon. No documentation or web applications are included here, please install the tomcat7-docs and tomcat7-examples packages if you want them. Install the authbind package if you need to use Tomcat on ports 1-1023. Install tomcat7-user instead of this package if you don't want Tomcat to start as a service. Package: tomcat7-user Architecture: all Depends: tomcat7-common (>= ${source:Version}), netcat, ${misc:Depends} Suggests: tomcat7-docs (>= ${source:Version}), tomcat7-admin (>= ${source:Version}), tomcat7-examples (>= ${source:Version}), tomcat7 (>= ${source:Version}) Description: Servlet and JSP engine -- tools to create user instances Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run. . This package contains files needed to create a user Tomcat instance. This user Tomcat instance can be started and stopped using the scripts provided in the Tomcat instance directory. 
Package: libtomcat7-java Architecture: all Depends: libecj-java, libcommons-pool-java, libcommons-dbcp-java, libservlet3.0-java (>= ${source:Version}), ${misc:Depends} Conflicts: libtomcat6-java Suggests: tomcat7 (>= ${source:Version}) Description: Servlet and JSP engine -- core libraries Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run. . This package contains the Tomcat core classes which can be used by other Java applications to embed Tomcat. Package: libservlet3.0-java Architecture: all Depends: ${misc:Depends} Description: Servlet 3.0 and JSP 2.2 Java API classes Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run. . This package contains the Java Servlet and JSP library. Package: libservlet3.0-java-doc Section: doc Architecture: all Depends: ${misc:Depends} Suggests: libservlet3.0-java (>= ${source:Version}) Description: Servlet 3.0 and JSP 2.2 Java API documentation Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run. . This package contains the documentation for the Java Servlet and JSP library. Package: tomcat7-admin Architecture: all Depends: tomcat7-common (>= ${source:Version}), ${misc:Depends} Description: Servlet and JSP engine -- admin web applications Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run. . This package contains the administrative web interfaces. 
Package: tomcat7-examples Architecture: all Depends: tomcat7-common (>= ${source:Version}), ${misc:Depends}, libjstl1.1-java, libjakarta-taglibs-standard-java Description: Servlet and JSP engine -- example web applications Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run. . This package contains the default Tomcat example webapps. Package: tomcat7-docs Section: doc Architecture: all Depends: tomcat7-common (>= ${source:Version}), ${misc:Depends} Description: Servlet and JSP engine -- documentation Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP) specifications from Sun Microsystems, and provides a "pure Java" HTTP web server environment for Java code to run. . This package contains the online documentation web application. debian/watch0000644000000000000000000000022713067437273010234 0ustar version=3 opts=uversionmangle=s/_/./g \ http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/ TOMCAT_([0-9_]*[0123456789])/ debian debian/orig-tar.sh debian/tomcat7.install0000644000000000000000000000056513067437273012156 0ustar conf/catalina.properties /etc/tomcat7/ debian/logging.properties /etc/tomcat7/ conf/*.xml /etc/tomcat7/ debian/policy/*.policy /etc/tomcat7/policy.d/ debian/default_root /usr/share/tomcat7-root/ debian/defaults.template /usr/share/tomcat7/ debian/defaults.md5sum /usr/share/tomcat7/ debian/logrotate.template /usr/share/tomcat7/ debian/logrotate.md5sum /usr/share/tomcat7/ debian/tomcat7.cron.daily0000644000000000000000000000133013067437273012541 0ustar #!/bin/sh NAME=tomcat7 DEFAULT=/etc/default/$NAME LOGEXT=log # The following variables can be overwritten in $DEFAULT # Default for number of days to keep old log files in /var/log/tomcatN/ LOGFILE_DAYS=14 # Whether to compress logfiles older than today's LOGFILE_COMPRESS=1 # End of variables that can be overwritten in $DEFAULT # overwrite settings 
from default file if [ -f "$DEFAULT" ]; then . "$DEFAULT" fi if [ -d /var/log/$NAME ]; then if [ $LOGFILE_COMPRESS = 1 ]; then find /var/log/$NAME/ -name \*.$LOGEXT -daystart -mtime +0 -print0 \ | xargs --no-run-if-empty -0 gzip -9 LOGEXT=log.gz fi find /var/log/$NAME/ -name \*.$LOGEXT -mtime +$LOGFILE_DAYS -print0 \ | xargs --no-run-if-empty -0 rm -- fi debian/tomcat7-examples.install0000644000000000000000000000025713067437273013770 0ustar debian/context/examples.xml /etc/tomcat7/Catalina/localhost/ output/build/webapps/examples /usr/share/tomcat7-examples/ debian/policy/examples/*.policy /etc/tomcat7/policy.d/ debian/gbp.conf0000644000000000000000000000004113067437273010614 0ustar [DEFAULT] debian-branch = master debian/tomcat7-docs.install0000644000000000000000000000015413067437273013076 0ustar debian/context/docs.xml /etc/tomcat7/Catalina/localhost/ output/build/webapps/docs /usr/share/tomcat7-docs/ debian/patches/0000755000000000000000000000000013357144310010616 5ustar debian/patches/0014-JDTCompiler.patch0000644000000000000000000000103613067502611014335 0ustar diff --git a/java/org/apache/jasper/compiler/JDTCompiler.java b/java/org/apache/jasper/compiler/JDTCompiler.java index 2ee9e95..75f3c67 100644 --- a/java/org/apache/jasper/compiler/JDTCompiler.java +++ b/java/org/apache/jasper/compiler/JDTCompiler.java 
@@ -166,7 +166,7 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler { return result; } - @Override + //@Override public boolean ignoreOptionalProblems() { return false; } debian/patches/CVE-2015-5345-2.patch0000644000000000000000000000520313067502611013376 0ustar Description: revert change in behaviour after security update Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1716860 Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1721883 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=58660 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=58765 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1609819 Index: tomcat7-7.0.52/java/org/apache/catalina/connector/MapperListener.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/connector/MapperListener.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/connector/MapperListener.java 2016-09-16 09:23:55.401566399 -0400 @@ -360,7 +360,9 @@ String[] welcomeFiles = context.findWelcomeFiles(); mapper.addContextVersion(host.getName(), host, contextPath, - context.getWebappVersion(), context, welcomeFiles, resources); + context.getWebappVersion(), context, welcomeFiles, resources, + context.getMapperContextRootRedirectEnabled(), + context.getMapperDirectoryRedirectEnabled()); for (Container container : context.findChildren()) { registerWrapper((Wrapper) container); Index: tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/core/StandardContext.java 2016-09-16 08:14:53.000000000 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java 2016-09-16 09:25:34.818766485 -0400 
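Review bot: Commenting out `@Override` on ignoreOptionalProblems() removes the only compile-time guarantee that the method still overrides something, and the hunk records no reason for doing it. If the motivation is that the ecj shipped as libecj-java does not declare the method (the usual reason for this kind of patch, but not stated anywhere on the page), say so at the site, e.g. `//@Override  // not declared by the ecj packaged in Debian; restore once libecj-java provides it`. With that comment the next person refreshing the patch against a newer ecj knows it can be dropped rather than carried forward indefinitely. The enclosing JDTCompiler class continues outside the hunk.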
@@ -894,7 +894,7 @@ private String containerSciFilter; - boolean mapperContextRootRedirectEnabled = false; + boolean mapperContextRootRedirectEnabled = true; boolean mapperDirectoryRedirectEnabled = false; Index: tomcat7-7.0.52/webapps/docs/config/context.xml =================================================================== --- tomcat7-7.0.52.orig/webapps/docs/config/context.xml 2016-09-16 08:14:53.000000000 -0400 +++ tomcat7-7.0.52/webapps/docs/config/context.xml 2016-09-16 09:25:07.282434088 -0400 @@ -357,7 +357,7 @@ redirected (adding a trailing slash) if necessary by the Mapper rather than the default Servlet. This is more efficient but has the side effect of confirming that the context path exists. If not specified, the - default value of false is used.
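Review bot: The default of `mapperContextRootRedirectEnabled` is flipped to `true` with no comment on the field, although the patch header calls this a revert of behaviour after a security update and the context.xml hunk in the same patch notes that the Mapper redirect "has the side effect of confirming that the context path exists". A field comment such as `// Default true: keeps the pre-CVE-2015-5345 Mapper redirect, which reveals whether a context path exists; see webapps/docs/config/context.xml` would let a maintainer see the trade-off without digging through patch history. The enclosing class body begins and ends outside this hunk.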

+ default value of true is used.

debian/patches/CVE-2018-8034.patch0000644000000000000000000001031413326066430013241 0ustar Description: fix missing hostname verification in WebSocket client Origin: backport, https://svn.apache.org/r1833760 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312 Index: tomcat7-7.0.52/java/org/apache/tomcat/websocket/WsWebSocketContainer.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/tomcat/websocket/WsWebSocketContainer.java 2013-12-07 15:19:37.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/tomcat/websocket/WsWebSocketContainer.java 2018-07-25 08:26:31.949816852 -0400 @@ -53,6 +53,7 @@ import java.util.concurrent.atomic.Atomi import javax.net.ssl.SSLContext; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLException; +import javax.net.ssl.SSLParameters; import javax.net.ssl.TrustManagerFactory; import javax.websocket.ClientEndpoint; import javax.websocket.ClientEndpointConfig; @@ -304,7 +305,7 @@ public class WsWebSocketContainer AsyncChannelWrapper channel; if (secure) { SSLEngine sslEngine = createSSLEngine( - clientEndpointConfiguration.getUserProperties()); + clientEndpointConfiguration.getUserProperties(), host, port); channel = new AsyncChannelWrapperSecure(socketChannel, sslEngine); } else { channel = new AsyncChannelWrapperNonSecure(socketChannel); @@ -674,7 +675,7 @@ public class WsWebSocketContainer } - private SSLEngine createSSLEngine(Map userProperties) + private SSLEngine createSSLEngine(Map userProperties, String host, int port) throws DeploymentException { try { @@ -722,7 +723,7 @@ public class WsWebSocketContainer } } - SSLEngine engine = sslContext.createSSLEngine(); + SSLEngine engine = sslContext.createSSLEngine(host, port); String sslProtocolsValue = (String) userProperties.get(SSL_PROTOCOLS_PROPERTY); 
@@ -732,6 +733,14 @@ public class WsWebSocketContainer engine.setUseClientMode(true); + // Enable host verification + // Start with current settings (returns a copy) + SSLParameters sslParams = engine.getSSLParameters(); + // Use HTTPS since WebSocket starts over HTTP(S) + sslParams.setEndpointIdentificationAlgorithm("HTTPS"); + // Write the parameters back + engine.setSSLParameters(sslParams); + return engine; } catch (Exception e) { throw new DeploymentException(sm.getString( Index: tomcat7-7.0.52/webapps/docs/web-socket-howto.xml =================================================================== --- tomcat7-7.0.52.orig/webapps/docs/web-socket-howto.xml 2013-12-07 15:19:37.000000000 -0500 +++ tomcat7-7.0.52/webapps/docs/web-socket-howto.xml 2018-07-25 08:27:04.049887378 -0400 @@ -131,10 +131,22 @@
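Review bot: The new block switches endpoint identification on unconditionally, but nothing in the code says what happens when a caller supplies its own SSLContext through the SSL_CONTEXT user property; the howto hunk later in this patch states that verification stays on and can only be relaxed by a custom X509ExtendedTrustManager. A comment on the block, `// Applies even when SSL_CONTEXT is user-supplied; only a custom X509ExtendedTrustManager in that context can relax this`, would keep the code and the documentation in step. Because `getSSLParameters()` returns a copy of the engine's current settings (as the hunk's own comment says), any enabled-protocol configuration done earlier in the method is preserved as long as nothing after this block overwrites it. The enclosing createSSLEngine method begins outside this hunk.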
  • org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD
  • The default truststore password is changeit.

    -

    If the org.apache.tomcat.websocket.SSL_CONTEXT property is - set then the org.apache.tomcat.websocket.SSL_TRUSTSTORE and - org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD properties - will be ignored.

    + +

    If the org.apache.tomcat.websocket.SSL_CONTEXT property is + set then the org.apache.tomcat.websocket.SSL_TRUSTSTORE and + org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD properties + will be ignored.

    + +

    For secure server end points, host name verification is enabled by default. + To bypass this verification (not recommended), it is necessary to provide a + custom SSLContext via the + org.apache.tomcat.websocket.SSL_CONTEXT user property. The + custom SSLContext must be configured with a custom + TrustManager that extends + javax.net.ssl.X509ExtendedTrustManager. The desired verification + (or lack of verification) can then be controlled by appropriate + implementations of the individual abstract methods.

    +
    debian/patches/CVE-2017-5648.patch0000644000000000000000000000576213101645753013265 0ustar Description: fix incorrect facade object use Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1785777 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860069 Index: tomcat7-7.0.52/java/org/apache/catalina/authenticator/FormAuthenticator.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/authenticator/FormAuthenticator.java 2017-05-01 10:42:23.000000000 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/authenticator/FormAuthenticator.java 2017-05-01 10:48:12.535611415 -0400 @@ -433,9 +433,9 @@ public class FormAuthenticator RequestDispatcher disp = context.getServletContext().getRequestDispatcher(loginPage); try { - if (context.fireRequestInitEvent(request)) { + if (context.fireRequestInitEvent(request.getRequest())) { disp.forward(request.getRequest(), response); - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } catch (Throwable t) { ExceptionUtils.handleThrowable(t); 
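Review bot: Passing `request.getRequest()` instead of `request` to fireRequestInitEvent/fireRequestDestroyEvent is the whole fix, and it is easy to regress because the previous form presumably still compiles (it did before this patch). A short comment at the first call site, `// Hand application listeners the facade, never the internal Request object`, would record the intent; the same applies to the hunks at `@@ -477,12 +477,11 @@` in this file and `@@ -163,7 +163,7 @@` and `@@ -203,7 +203,7 @@` in StandardHostValve. The surrounding method bodies begin and end outside these hunks.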
@@ -477,12 +477,11 @@ public class FormAuthenticator } RequestDispatcher disp = - context.getServletContext().getRequestDispatcher - (config.getErrorPage()); + context.getServletContext().getRequestDispatcher(config.getErrorPage()); try { - if (context.fireRequestInitEvent(request)) { + if (context.fireRequestInitEvent(request.getRequest())) { disp.forward(request.getRequest(), response); - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } catch (Throwable t) { ExceptionUtils.handleThrowable(t); Index: tomcat7-7.0.52/java/org/apache/catalina/core/StandardHostValve.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/core/StandardHostValve.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/core/StandardHostValve.java 2017-05-01 10:49:38.720674959 -0400 @@ -163,7 +163,7 @@ final class StandardHostValve extends Va // An async error page may dispatch to another resource. This flag helps // ensure an infinite error handling loop is not entered boolean errorAtStart = response.isError(); - if (asyncAtStart || context.fireRequestInitEvent(request)) { + if (asyncAtStart || context.fireRequestInitEvent(request.getRequest())) { // Ask this Context to process this request try { 
@@ -203,7 +203,7 @@ final class StandardHostValve extends Va } } - context.fireRequestDestroyEvent(request); + context.fireRequestDestroyEvent(request.getRequest()); } } } debian/patches/series0000644000000000000000000000274413357144071012046 0ustar 0001-set-UTF-8-as-default-character-encoding.patch 0002-do-not-load-AJP13-connector-by-default.patch 0003-disable-APR-library-loading.patch 0004-split-deploy-webapps-target-from-deploy-target.patch 0006-add-JARs-below-var-to-class-loader.patch 0009-Use-java.security.policy-file-in-catalina.sh.patch 0010-debianize-build-xml.patch 0011-fix-classpath-lintian-warnings.patch 0012-java7-compat.patch 0013-dont-look-for-build-properties-in-user-home.patch 0014-JDTCompiler.patch 0015_disable_test_TestCometProcessor.patch 0017-use-jdbc-pool-default.patch 0018-fix-manager-webapp.patch 0019-add-distribution-to-error-page.patch CVE-2014-0075.patch CVE-2014-0096.patch CVE-2014-0099.patch CVE-2014-0119.patch CVE-2014-0227.patch CVE-2014-0230.patch CVE-2014-7810.patch 0022-use-tls-in-ssl-unit-tests.patch 0023-replace-expired-ssl-certificates.patch CVE-2015-5174.patch CVE-2015-5345.patch CVE-2015-5346.patch CVE-2015-5351.patch CVE-2016-0706.patch CVE-2016-0714.patch CVE-2016-0763.patch fix_cookie_names_in_tests.patch CVE-2016-3092.patch CVE-2015-5345-2.patch CVE-2016-5018.patch CVE-2016-5388.patch CVE-2016-6794.patch CVE-2016-6796.patch CVE-2016-6797.patch CVE-2016-6816.patch CVE-2016-8735-pre.patch CVE-2016-8735.patch CVE-2016-8745.patch CVE-2017-6056.patch CVE-2017-5647.patch CVE-2017-5648-pre.patch CVE-2017-5648.patch CVE-2017-5664.patch CVE-2017-7674.patch CVE-2017-1261x.patch CVE-2018-1304.patch CVE-2018-1305.patch CVE-2018-8014.patch CVE-2018-1336.patch CVE-2018-8034.patch CVE-2018-11784.patch debian/patches/0012-java7-compat.patch0000644000000000000000000000142013067437273014520 0ustar Description: Compatibility patch to support compilation of tomcat7 using openjdk-7 Author: James Page Forwarded: not-needed 
--- a/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/DataSource.java +++ b/modules/jdbc-pool/src/main/java/org/apache/tomcat/jdbc/pool/DataSource.java @@ -28,6 +28,8 @@ import org.apache.juli.logging.Log; import org.apache.juli.logging.LogFactory; +import java.sql.SQLFeatureNotSupportedException; +import java.util.logging.Logger; /** * A DataSource that can be instantiated through IoC and implements the DataSource interface @@ -157,5 +159,7 @@ } } - + public Logger getParentLogger() throws SQLFeatureNotSupportedException { + throw new SQLFeatureNotSupportedException(); + } } debian/patches/0022-use-tls-in-ssl-unit-tests.patch0000644000000000000000000000453113067502611017137 0ustar Description: Use TLS in SSL unit tests Author: Miguel Landaeta Bug-Debian: https://bugs.debian.org/780519 Forwarded: no Last-Update: 2015-03-24 Index: tomcat7-7.0.55/test/org/apache/tomcat/util/net/TesterSupport.java =================================================================== --- tomcat7-7.0.55.orig/test/org/apache/tomcat/util/net/TesterSupport.java 2015-06-19 15:38:11.514003663 -0400 +++ tomcat7-7.0.55/test/org/apache/tomcat/util/net/TesterSupport.java 2015-06-19 15:38:11.510003618 -0400 @@ -312,7 +312,7 @@ throws IOException { SSLSocket result = (SSLSocket) factory.createSocket(socket, s, i, flag); - result.setEnabledProtocols(new String[] { "SSLv3" } ); + result.setEnabledProtocols(new String[] { "TLSv1" } ); return result; } @@ -320,7 +320,7 @@ public Socket createSocket(String s, int i) throws IOException, UnknownHostException { SSLSocket result = (SSLSocket) factory.createSocket(s, i); - result.setEnabledProtocols(new String[] { "SSLv3" } ); + result.setEnabledProtocols(new String[] { "TLSv1" } ); return result; } 
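Review bot: `getParentLogger()` is added without `@Override` or any comment; presumably the annotation is left off so the class still compiles against a JDBC 4.0 `javax.sql.DataSource` that lacks the method, and that reasoning belongs next to the code, e.g. `// JDBC 4.1 (Java 7) method; no @Override so the source still compiles against older javax.sql`. The enclosing class begins outside this hunk.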
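Review bot: The literal `new String[] { "TLSv1" }` is now repeated in five createSocket overloads (this hunk and `@@ -320`, `@@ -329`, `@@ -337`, `@@ -346` in the next line), so the next protocol bump is again a five-place edit. A single `private static final String[] ENABLED_PROTOCOLS = { "TLSv1" };` on the wrapper class, used as `result.setEnabledProtocols(ENABLED_PROTOCOLS.clone());` at each site, would make it a one-line change. The enclosing socket-factory class starts before and ends after these hunks.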
@@ -329,7 +329,7 @@ int j) throws IOException, UnknownHostException { SSLSocket result = (SSLSocket) factory.createSocket(s, i, inetaddress, j); - result.setEnabledProtocols(new String[] { "SSLv3" } ); + result.setEnabledProtocols(new String[] { "TLSv1" } ); return result; } @@ -337,7 +337,7 @@ public Socket createSocket(InetAddress inetaddress, int i) throws IOException { SSLSocket result = (SSLSocket) factory.createSocket(inetaddress, i); - result.setEnabledProtocols(new String[] { "SSLv3" } ); + result.setEnabledProtocols(new String[] { "TLSv1" } ); return result; } @@ -346,7 +346,7 @@ InetAddress inetaddress1, int j) throws IOException { SSLSocket result = (SSLSocket) factory.createSocket( inetaddress, i, inetaddress1, j); - result.setEnabledProtocols(new String[] { "SSLv3" } ); + result.setEnabledProtocols(new String[] { "TLSv1" } ); return result; } } debian/patches/CVE-2014-0099.patch0000644000000000000000000001045713067502611013246 0ustar Description: fix HTTP request smuggling attack via crafted Content-Length HTTP header Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1578814 Index: tomcat7-7.0.52/java/org/apache/tomcat/util/buf/Ascii.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/buf/Ascii.java 2014-01-27 07:08:56.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/buf/Ascii.java 2014-07-24 13:22:53.735256863 -0400 @@ -40,10 +40,11 @@ private static final boolean[] isWhite = new boolean[256]; private static final boolean[] isDigit = new boolean[256]; + private static final long OVERFLOW_LIMIT = Long.MAX_VALUE / 10; + /* * Initialize character translation and type tables. */ - static { for (int i = 0; i < 256; i++) { toUpper[i] = (byte)i; 
@@ -206,19 +207,12 @@ } long n = c - '0'; - long m; - while (--len > 0) { - if (!isDigit(c = b[off++])) { - throw new NumberFormatException(); - } - m = n * 10 + c - '0'; - - if (m < n) { - // Overflow - throw new NumberFormatException(); + if (isDigit(c = b[off++]) && + (n < OVERFLOW_LIMIT || (n == OVERFLOW_LIMIT && (c - '0') < 8))) { + n = n * 10 + c - '0'; } else { - n = m; + throw new NumberFormatException(); } } Index: tomcat7-7.0.52/test/org/apache/tomcat/util/buf/TestAscii.java =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tomcat7-7.0.52/test/org/apache/tomcat/util/buf/TestAscii.java 2014-07-24 13:23:20.831256730 -0400 
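Review bot: The overflow guard `n < OVERFLOW_LIMIT || (n == OVERFLOW_LIMIT && (c - '0') < 8)` is correct but rests on an unexplained `8`; it only works because Long.MAX_VALUE ends in 7. A comment beside the condition, or on the constant introduced in the `@@ -40,10 +40,11 @@` hunk, such as `// OVERFLOW_LIMIT == Long.MAX_VALUE / 10; at the limit only a final digit of 0-7 keeps n <= Long.MAX_VALUE`, would spare the next reader the arithmetic. The start of parseLong, where `c` and the first digit are handled, is outside this hunk.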
@@ -0,0 +1,65 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.buf; + +import java.math.BigInteger; + +import org.junit.Assert; +import org.junit.Test; + +public class TestAscii { + + @Test + public void testParseLong1() { + String value = "9223372036854775807"; // Long.MAX_VALUE + byte[] bytes = value.getBytes(); + long result = Ascii.parseLong(bytes, 0, bytes.length); + Assert.assertEquals(value, String.valueOf(result)); + } + + @Test(expected = NumberFormatException.class) + public void testParseLong2() { + byte[] bytes = "9223372036854775808".getBytes(); // Long.MAX_VALUE + 1 + long result = Ascii.parseLong(bytes, 0, bytes.length); + Assert.fail("NumberFormatException expected, got: " + result); + } + + @Test(expected = NumberFormatException.class) + public void testParseLong3() { + byte[] bytes = "9223372036854775810".getBytes(); // Long.MAX_VALUE + 3 + long result = Ascii.parseLong(bytes, 0, bytes.length); + Assert.fail("NumberFormatException expected, got: " + result); + } + + @Test(expected = NumberFormatException.class) + public void testParseLong4() { + BigInteger x = BigInteger.valueOf(5000000000L).shiftLeft(32); + byte[] bytes = String.valueOf(x).getBytes(); + long 
result = Ascii.parseLong(bytes, 0, bytes.length); + Assert.fail("NumberFormatException expected, got: " + result); + } + + @Test + public void testParseLong5() { + String value = "9223372036854775806"; // Long.MAX_VALUE - 1 + byte[] bytes = value.getBytes(); + long result = Ascii.parseLong(bytes, 0, bytes.length); + Assert.assertEquals(value, String.valueOf(result)); + } + + +} debian/patches/CVE-2014-0230.patch0000644000000000000000000004240513067502611013227 0ustar Description: fix denial of service via aborted upload attempts Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1603781 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1449975 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785316 Index: tomcat7-7.0.52/java/org/apache/coyote/http11/AbstractHttp11Processor.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/AbstractHttp11Processor.java 2014-02-12 09:39:04.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/AbstractHttp11Processor.java 2015-06-19 12:29:14.801560246 -0400 
@@ -688,14 +688,15 @@ /** * Initialize standard input and output filters. */ - protected void initializeFilters(int maxTrailerSize, int maxExtensionSize) { + protected void initializeFilters(int maxTrailerSize, int maxExtensionSize, + int maxSwallowSize) { // Create and add the identity filters. - getInputBuffer().addFilter(new IdentityInputFilter()); + getInputBuffer().addFilter(new IdentityInputFilter(maxSwallowSize)); getOutputBuffer().addFilter(new IdentityOutputFilter()); // Create and add the chunked filters. getInputBuffer().addFilter( - new ChunkedInputFilter(maxTrailerSize, maxExtensionSize)); + new ChunkedInputFilter(maxTrailerSize, maxExtensionSize, maxSwallowSize)); getOutputBuffer().addFilter(new ChunkedOutputFilter()); // Create and add the void filters. Index: tomcat7-7.0.52/java/org/apache/coyote/http11/AbstractHttp11Protocol.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/AbstractHttp11Protocol.java 2013-09-11 10:19:50.000000000 -0400 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/AbstractHttp11Protocol.java 2015-06-19 12:29:17.445591668 -0400 @@ -163,6 +163,16 @@ /** + * Maximum amount of request body to swallow. + */ + private int maxSwallowSize = 2 * 1024 * 1024; + public int getMaxSwallowSize() { return maxSwallowSize; } + public void setMaxSwallowSize(int maxSwallowSize) { + this.maxSwallowSize = maxSwallowSize; + } + + + /** * This field indicates if the protocol is treated as if it is secure. This * normally means https is being used but can be used to fake https e.g * behind a reverse proxy. Index: tomcat7-7.0.52/java/org/apache/coyote/http11/Http11AprProcessor.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/Http11AprProcessor.java 2014-02-12 10:19:49.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/Http11AprProcessor.java 2015-06-19 12:29:19.725618761 -0400 
@@ -58,7 +58,7 @@ public Http11AprProcessor(int headerBufferSize, AprEndpoint endpoint, - int maxTrailerSize, int maxExtensionSize) { + int maxTrailerSize, int maxExtensionSize, int maxSwallowSize) { super(endpoint); @@ -68,7 +68,7 @@ outputBuffer = new InternalAprOutputBuffer(response, headerBufferSize); response.setOutputBuffer(outputBuffer); - initializeFilters(maxTrailerSize, maxExtensionSize); + initializeFilters(maxTrailerSize, maxExtensionSize, maxSwallowSize); } Index: tomcat7-7.0.52/java/org/apache/coyote/http11/Http11AprProtocol.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/Http11AprProtocol.java 2014-01-27 08:45:27.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/Http11AprProtocol.java 2015-06-19 12:29:22.017646003 -0400 @@ -300,7 +300,8 @@ protected Http11AprProcessor createProcessor() { Http11AprProcessor processor = new Http11AprProcessor( proto.getMaxHttpHeaderSize(), (AprEndpoint)proto.endpoint, - proto.getMaxTrailerSize(), proto.getMaxExtensionSize()); + proto.getMaxTrailerSize(), proto.getMaxExtensionSize(), + proto.getMaxSwallowSize()); processor.setAdapter(proto.adapter); processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests()); processor.setKeepAliveTimeout(proto.getKeepAliveTimeout()); Index: tomcat7-7.0.52/java/org/apache/coyote/http11/Http11NioProcessor.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/Http11NioProcessor.java 2014-02-12 09:26:13.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/Http11NioProcessor.java 2015-06-19 12:29:24.149671339 -0400 @@ -63,7 +63,7 @@ public Http11NioProcessor(int maxHttpHeaderSize, NioEndpoint endpoint, - int maxTrailerSize, int maxExtensionSize) { + int maxTrailerSize, int maxExtensionSize, int maxSwallowSize) { super(endpoint); 
@@ -73,7 +73,7 @@ outputBuffer = new InternalNioOutputBuffer(response, maxHttpHeaderSize); response.setOutputBuffer(outputBuffer); - initializeFilters(maxTrailerSize, maxExtensionSize); + initializeFilters(maxTrailerSize, maxExtensionSize, maxSwallowSize); } Index: tomcat7-7.0.52/java/org/apache/coyote/http11/Http11NioProtocol.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/Http11NioProtocol.java 2014-01-27 08:45:27.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/Http11NioProtocol.java 2015-06-19 12:29:31.153754572 -0400 @@ -259,7 +259,8 @@ public Http11NioProcessor createProcessor() { Http11NioProcessor processor = new Http11NioProcessor( proto.getMaxHttpHeaderSize(), (NioEndpoint)proto.endpoint, - proto.getMaxTrailerSize(), proto.getMaxExtensionSize()); + proto.getMaxTrailerSize(), proto.getMaxExtensionSize(), + proto.getMaxSwallowSize()); processor.setAdapter(proto.adapter); processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests()); processor.setKeepAliveTimeout(proto.getKeepAliveTimeout()); Index: tomcat7-7.0.52/java/org/apache/coyote/http11/Http11Processor.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/Http11Processor.java 2014-02-12 10:19:49.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/Http11Processor.java 2015-06-19 12:29:33.737785274 -0400 @@ -50,7 +50,7 @@ public Http11Processor(int headerBufferSize, JIoEndpoint endpoint, - int maxTrailerSize, int maxExtensionSize) { + int maxTrailerSize, int maxExtensionSize, int maxSwallowSize) { super(endpoint); 
@@ -60,7 +60,7 @@ outputBuffer = new InternalOutputBuffer(response, headerBufferSize); response.setOutputBuffer(outputBuffer); - initializeFilters(maxTrailerSize, maxExtensionSize); + initializeFilters(maxTrailerSize, maxExtensionSize, maxSwallowSize); } Index: tomcat7-7.0.52/java/org/apache/coyote/http11/Http11Protocol.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/Http11Protocol.java 2014-01-27 08:45:27.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/Http11Protocol.java 2015-06-19 12:29:36.129813701 -0400 @@ -164,7 +164,8 @@ protected Http11Processor createProcessor() { Http11Processor processor = new Http11Processor( proto.getMaxHttpHeaderSize(), (JIoEndpoint)proto.endpoint, - proto.getMaxTrailerSize(),proto.getMaxExtensionSize()); + proto.getMaxTrailerSize(),proto.getMaxExtensionSize(), + proto.getMaxSwallowSize()); processor.setAdapter(proto.adapter); processor.setMaxKeepAliveRequests(proto.getMaxKeepAliveRequests()); processor.setKeepAliveTimeout(proto.getKeepAliveTimeout()); Index: tomcat7-7.0.52/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2015-06-19 12:25:41.075018249 -0400 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2015-06-19 12:29:38.545842410 -0400 @@ -138,6 +138,9 @@ private long extensionSize; + private final int maxSwallowSize; + + /** * Flag that indicates if an error has occurred. */ 
@@ -146,10 +149,11 @@ // ----------------------------------------------------------- Constructors - public ChunkedInputFilter(int maxTrailerSize, int maxExtensionSize) { + public ChunkedInputFilter(int maxTrailerSize, int maxExtensionSize, int maxSwallowSize) { this.trailingHeaders.setLimit(maxTrailerSize); this.maxExtensionSize = maxExtensionSize; this.maxTrailerSize = maxTrailerSize; + this.maxSwallowSize = maxSwallowSize; } @@ -235,9 +239,14 @@ */ @Override public long end() throws IOException { + long swallowed = 0; + int read = 0; // Consume extra bytes : parse the stream until the end chunk is found - while (doRead(readChunk, null) >= 0) { - // NOOP: Just consume the input + while ((read = doRead(readChunk, null)) >= 0) { + swallowed += read; + if (maxSwallowSize > -1 && swallowed > maxSwallowSize) { + throwIOException(sm.getString("inputFilter.maxSwallow")); + } } // Return the number of extra bytes which were consumed Index: tomcat7-7.0.52/java/org/apache/coyote/http11/filters/IdentityInputFilter.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/filters/IdentityInputFilter.java 2014-01-27 08:45:27.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/filters/IdentityInputFilter.java 2015-06-19 12:29:40.873870070 -0400 @@ -24,6 +24,7 @@ import org.apache.coyote.Request; import org.apache.coyote.http11.InputFilter; import org.apache.tomcat.util.buf.ByteChunk; +import org.apache.tomcat.util.res.StringManager; /** * Identity input filter. @@ -32,6 +33,9 @@ */ public class IdentityInputFilter implements InputFilter { + private static final StringManager sm = StringManager.getManager( + IdentityInputFilter.class.getPackage().getName()); + // -------------------------------------------------------------- Constants 
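Review bot: In the new `end()` loop the limit is applied to the sum of what `doRead` returns, i.e. decoded payload, which presumably is what the http.xml hunk means by "excluding transfer encoding overhead" — but nothing in the code states that, and `int read = 0;` is initialised for no reason since the loop condition assigns it first. Suggest `int read;` plus a comment above the loop, `// Count decoded payload only; chunk-size lines and CRLFs are not charged against maxSwallowSize`. Note that exactly `maxSwallowSize` bytes are allowed and only the next byte raises the exception, which matches the identity filter's `remaining > maxSwallowSize` test. The remainder of end() after the loop is outside this hunk.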
@@ -76,8 +80,10 @@ protected ByteChunk endChunk = new ByteChunk(); - // ------------------------------------------------------------- Properties + private final int maxSwallowSize; + + // ------------------------------------------------------------- Properties /** * Get content length. @@ -101,6 +107,13 @@ } + // ------------------------------------------------------------ Constructor + + public IdentityInputFilter(int maxSwallowSize) { + this.maxSwallowSize = maxSwallowSize; + } + + // ---------------------------------------------------- InputBuffer Methods @@ -163,8 +176,11 @@ * End the current request. */ @Override - public long end() - throws IOException { + public long end() throws IOException { + + if (maxSwallowSize > -1 && remaining > maxSwallowSize) { + throw new IOException(sm.getString("inputFilter.maxSwallow")); + } // Consume extra bytes. while (remaining > 0) { Index: tomcat7-7.0.52/java/org/apache/coyote/http11/filters/LocalStrings.properties =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/filters/LocalStrings.properties 2015-06-19 12:25:41.075018249 -0400 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/filters/LocalStrings.properties 2015-06-19 12:29:43.109896642 -0400 
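Review bot: The identity filter refuses up front (`remaining > maxSwallowSize` before reading anything) whereas the chunked filter counts as it reads, and the asymmetry is undocumented. A comment such as `// Content-Length is known up front, so refuse the whole body instead of swallowing part of it` would explain why this end() differs from ChunkedInputFilter.end(). The message key `inputFilter.maxSwallow` is added to LocalStrings.properties in the following hunk, so the lookup resolves. The swallow loop that follows continues outside this hunk.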
@@ -22,4 +22,6 @@ chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data available to read) chunkedInputFilter.invalidHeader=Invalid chunk header chunkedInputFilter.maxExtension=maxExtensionSize exceeded -chunkedInputFilter.maxTrailer=maxTrailerSize exceeded \ No newline at end of file +chunkedInputFilter.maxTrailer=maxTrailerSize exceeded + +inputFilter.maxSwallow=maxSwallowSize exceeded \ No newline at end of file Index: tomcat7-7.0.52/test/org/apache/catalina/core/TestSwallowAbortedUploads.java =================================================================== --- tomcat7-7.0.52.orig/test/org/apache/catalina/core/TestSwallowAbortedUploads.java 2013-07-30 04:16:59.000000000 -0400 +++ tomcat7-7.0.52/test/org/apache/catalina/core/TestSwallowAbortedUploads.java 2015-06-19 12:29:45.237921927 -0400 @@ -16,8 +16,14 @@ */ package org.apache.catalina.core; +import java.io.BufferedReader; import java.io.IOException; +import java.io.InputStreamReader; +import java.io.OutputStreamWriter; import java.io.PrintWriter; +import java.io.Writer; +import java.net.Socket; +import java.nio.charset.StandardCharsets; import java.util.Arrays; import java.util.Collection; @@ -32,6 +38,7 @@ import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; +import org.junit.Assert; import org.junit.Test; import org.apache.catalina.Context; @@ -113,7 +120,7 @@ Exception ex = doAbortedUploadTest(client, true, true); assertNull("Limited upload with swallow enabled generates client exception", ex); - assertTrue("Limited upload with swallow enabled returns error status code", + assertTrue("Limited upload with swallow enabled returns non-500 status code", client.isResponse500()); client.reset(); } 
@@ -410,4 +417,78 @@ } } + + @Test + public void testChunkedPUTLimit() throws Exception { + doTestChunkedPUT(true); + } + + + @Test + public void testChunkedPUTNoLimit() throws Exception { + doTestChunkedPUT(false); + } + + + public void doTestChunkedPUT(boolean limit) throws Exception { + + Tomcat tomcat = getTomcatInstance(); + tomcat.addContext("", TEMP_DIR); + // No need for target to exist. + + if (!limit) { + tomcat.getConnector().setAttribute("maxSwallowSize", "-1"); + } + + tomcat.start(); + + Exception writeEx = null; + Exception readEx = null; + String responseLine = null; + Socket conn = null; + + try { + conn = new Socket("localhost", getPort()); + Writer writer = new OutputStreamWriter( + conn.getOutputStream(), StandardCharsets.US_ASCII); + writer.write("PUT /does-not-exist HTTP/1.1\r\n"); + writer.write("Host: any\r\n"); + writer.write("Transfer-encoding: chunked\r\n"); + writer.write("\r\n"); + + // Smarter than the typical client. Attempts to read the response + // even if the request is not fully written. 
+ try { + // Write (or try to write) 16MB + for (int i = 0; i < 1024 * 1024; i++) { + writer.write("10\r\n"); + writer.write("0123456789ABCDEF\r\n"); + } + } catch (Exception e) { + writeEx = e; + } + + try { + BufferedReader reader = new BufferedReader(new InputStreamReader( + conn.getInputStream(), StandardCharsets.US_ASCII)); + + responseLine = reader.readLine(); + } catch (IOException e) { + readEx = e; + } + } finally { + if (conn != null) { + conn.close(); + } + } + + if (limit) { + Assert.assertNotNull(writeEx); + } else { + Assert.assertNull(writeEx); + Assert.assertNull(readEx); + Assert.assertNotNull(responseLine); + Assert.assertTrue(responseLine.contains("404")); + } + } } Index: tomcat7-7.0.52/webapps/docs/config/http.xml =================================================================== --- tomcat7-7.0.52.orig/webapps/docs/config/http.xml 2014-01-26 17:13:11.000000000 -0500 +++ tomcat7-7.0.52/webapps/docs/config/http.xml 2015-06-19 12:29:47.801952390 -0400 @@ -431,6 +431,16 @@ If not specified, this attribute is set to 100.

    + +

    The maximum number of request body bytes (excluding transfer encoding + overhead) that will be swallowed by Tomcat for an aborted upload. An + aborted upload is when Tomcat knows that the request body is going to be + ignored but the client still sends it. If Tomcat does not swallow the body + the client is unlikely to see the response. If not specified the default + of 2097152 (2 megabytes) will be used. A value of less than zero indicates + that no limit should be enforced.

    +
    +

    The maximum number of request processing threads to be created by this Connector, which therefore determines the debian/patches/CVE-2015-5351.patch0000644000000000000000000001004213067502611013231 0ustar Description: fix CSRF protection mechanism bypass Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1720661 Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1720663 Index: tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/401.jsp =================================================================== --- tomcat7-7.0.64.orig/webapps/host-manager/WEB-INF/jsp/401.jsp 2016-06-17 12:02:00.280256721 +0300 +++ tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/401.jsp 2016-06-17 12:02:00.276256670 +0300 @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. --%> +<%@ page session="false" trimDirectiveWhitespaces="true" %> Index: tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/403.jsp =================================================================== --- tomcat7-7.0.64.orig/webapps/host-manager/WEB-INF/jsp/403.jsp 2016-06-17 12:02:00.280256721 +0300 +++ tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/403.jsp 2016-06-17 12:02:00.276256670 +0300 @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. --%> +<%@ page session="false" trimDirectiveWhitespaces="true" %> Index: tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/404.jsp =================================================================== --- tomcat7-7.0.64.orig/webapps/host-manager/WEB-INF/jsp/404.jsp 2016-06-17 12:02:00.280256721 +0300 +++ tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/404.jsp 2016-06-17 12:02:00.276256670 +0300 
@@ -14,7 +14,8 @@ See the License for the specific language governing permissions and limitations under the License. --%> -<%@ page import="org.apache.catalina.util.RequestUtil" %> +<%@ page import="org.apache.catalina.util.RequestUtil" session="false" + trimDirectiveWhitespaces="true" %> Index: tomcat7-7.0.64/webapps/host-manager/index.jsp =================================================================== --- tomcat7-7.0.64.orig/webapps/host-manager/index.jsp 2016-06-17 12:02:00.280256721 +0300 +++ tomcat7-7.0.64/webapps/host-manager/index.jsp 2016-06-17 12:02:00.276256670 +0300 @@ -14,5 +14,5 @@ See the License for the specific language governing permissions and limitations under the License. --%> -<% response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + - "/html")); %> \ No newline at end of file +<%@ page session="false" trimDirectiveWhitespaces="true" %> +<% response.sendRedirect(request.getContextPath() + "/html"); %> \ No newline at end of file Index: tomcat7-7.0.64/webapps/manager/WEB-INF/web.xml =================================================================== --- tomcat7-7.0.64.orig/webapps/manager/WEB-INF/web.xml 2016-06-17 12:02:00.280256721 +0300 +++ tomcat7-7.0.64/webapps/manager/WEB-INF/web.xml 2016-06-17 12:02:00.276256670 +0300 @@ -116,7 +116,6 @@ CSRF HTMLManager - jsp Index: tomcat7-7.0.64/webapps/manager/index.jsp =================================================================== --- tomcat7-7.0.64.orig/webapps/manager/index.jsp 2016-06-17 12:02:00.280256721 +0300 +++ tomcat7-7.0.64/webapps/manager/index.jsp 2016-06-17 12:02:00.276256670 +0300 
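Review bot: Removing `jsp` from the CSRF filter's servlet-name list in manager/web.xml (the hunk shows only `CSRF HTMLManager - jsp`, the enclosing element is outside the hunk) withdraws CSRF-nonce handling from every JSP the manager webapp serves, not just from index.jsp. The hunk itself cannot show that index.jsp is the only JSP under webapps/manager, so the backport should confirm that with `find webapps/manager -name '*.jsp'` before this is merged, or the remaining JSPs silently lose the filter. A one-line comment next to the mapping, `<!-- index.jsp only redirects and must not touch the session; no other JSPs are served here -->`, would record the assumption.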
@@ -14,5 +14,5 @@ See the License for the specific language governing permissions and limitations under the License. --%> -<% response.sendRedirect(response.encodeRedirectURL(request.getContextPath() + - "/html")); %> \ No newline at end of file +<%@ page session="false" %> +<% response.sendRedirect(request.getContextPath() + "/html"); %> \ No newline at end of file debian/patches/CVE-2017-6056.patch0000644000000000000000000000335313067502611013245 0ustar Description: fix DoS via CPU consumption Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=57544 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=851304 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1663318 Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1657910 Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1658209 Index: tomcat7-7.0.52/java/org/apache/coyote/http11/AbstractInputBuffer.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/AbstractInputBuffer.java 2017-02-17 08:21:21.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/AbstractInputBuffer.java 2017-02-17 08:51:01.704575168 -0500 @@ -220,16 +220,12 @@ request.recycle(); // Copy leftover bytes to the beginning of the buffer - if (lastValid - pos > 0) { - int npos = 0; - int opos = pos; - while (lastValid - opos > opos - npos) { - System.arraycopy(buf, opos, buf, npos, opos - npos); - npos += pos; - opos += pos; - } - System.arraycopy(buf, opos, buf, npos, lastValid - opos); + if (lastValid - pos > 0 && pos > 0) { + System.arraycopy(buf, pos, buf, 0, lastValid - pos); } + // Always reset pos to zero + lastValid = lastValid - pos; + pos = 0; // Recycle filters for (int i = 0; i <= lastActiveFilter; i++) { 
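Review bot: manager/index.jsp gets `<%@ page session="false" %>` while the host-manager/index.jsp change in the same patch uses `<%@ page session="false" trimDirectiveWhitespaces="true" %>`; the two redirect stubs should carry the same directive so the directive line does not emit a stray newline into the body of the 302. It is harmless for a redirect, but the asymmetry looks accidental in a backport and is the kind of drift that makes the next CVE diff harder to read.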
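Review bot: The new `System.arraycopy(buf, pos, buf, 0, lastValid - pos)` copies between overlapping regions of the same array, which is only correct because `System.arraycopy` is specified to behave as if the source range were first copied to a temporary buffer; the removed loop was presumably an attempt to avoid exactly that overlap and was what made the copy quadratic. A one-line comment, `// Overlapping self-copy is safe: arraycopy is specified to copy via a temporary`, would stop the next reader from "fixing" it back into a loop. The enclosing method starts before the hunk.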
@@ -237,12 +233,9 @@ } // Reset pointers - lastValid = lastValid - pos; - pos = 0; lastActiveFilter = -1; parsingHeader = true; swallowInput = true; - } debian/patches/0013-dont-look-for-build-properties-in-user-home.patch0000644000000000000000000000117713067502611022515 0ustar From: Jakub Adam Date: Mon, 9 Jul 2012 20:53:38 +0000 Subject: 0013-dont-look-for-build-properties-in-user-home --- build.xml | 1 - 1 file changed, 1 deletion(-) --- a/build.xml +++ b/build.xml @@ -469,7 +469,6 @@ - debian/patches/CVE-2015-5345.patch0000644000000000000000000004702113067502611013243 0ustar Description: fix information disclosure via redirects by mapper Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1715213 Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1717212 Index: tomcat7-7.0.52/java/org/apache/catalina/Context.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/Context.java 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/Context.java 2016-06-29 12:31:54.800360921 -0400 
@@ -1603,4 +1603,44 @@ * method names. */ public Map findPreDestroyMethods(); + + /** + * If enabled, requests for a web application context root will be + * redirected (adding a trailing slash) by the Mapper. This is more + * efficient but has the side effect of confirming that the context path is + * valid. + * + * @param mapperContextRootRedirectEnabled Should the redirects be enabled? + */ + public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled); + + /** + * Determines if requests for a web application context root will be + * redirected (adding a trailing slash) by the Mapper. This is more + * efficient but has the side effect of confirming that the context path is + * valid. + * + * @return {@code true} if the Mapper level redirect is enabled for this + * Context. + */ + public boolean getMapperContextRootRedirectEnabled(); + + /** + * If enabled, requests for a directory will be redirected (adding a + * trailing slash) by the Mapper. This is more efficient but has the + * side effect of confirming that the directory is valid. + * + * @param mapperDirectoryRedirectEnabled Should the redirects be enabled? + */ + public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled); + + /** + * Determines if requests for a directory will be redirected (adding a + * trailing slash) by the Mapper. This is more efficient but has the + * side effect of confirming that the directory is valid. + * + * @return {@code true} if the Mapper level redirect is enabled for this + * Context. 
+ */ + public boolean getMapperDirectoryRedirectEnabled(); } Index: tomcat7-7.0.52/java/org/apache/catalina/authenticator/FormAuthenticator.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/authenticator/FormAuthenticator.java 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/authenticator/FormAuthenticator.java 2016-06-29 12:31:54.800360921 -0400 @@ -263,6 +263,20 @@ // No -- Save this request and redirect to the form login page if (!loginAction) { + // If this request was to the root of the context without a trailing + // '/', need to redirect to add it else the submit of the login form + // may not go to the correct web application + if (request.getServletPath().length() == 0 && request.getPathInfo() == null) { + StringBuilder location = new StringBuilder(requestURI); + location.append('/'); + if (request.getQueryString() != null) { + location.append('?'); + location.append(request.getQueryString()); + } + response.sendRedirect(response.encodeRedirectURL(location.toString())); + return false; + } + session = request.getSessionInternal(true); if (log.isDebugEnabled()) { log.debug("Save request in session '" + session.getIdInternal() + "'"); Index: tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/core/StandardContext.java 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java 2016-06-29 12:31:54.804360969 -0400 
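Review bot: The new context-root redirect in FormAuthenticator emits `requestURI` unchanged into the Location header together with the raw `request.getQueryString()`, but `requestURI` is assigned outside the hunk, so it is not visible whether it is the undecoded `request.getRequestURI()` or a decoded path; if it is decoded, characters such as spaces or `%` would be re-emitted unescaped. Worth confirming and, either way, documenting the ordering with a comment such as `// Redirect before saving the request so the saved URI carries the trailing slash`, since the redirect deliberately happens before `getSessionInternal(true)` creates the session.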
@@ -894,8 +894,45 @@ private String containerSciFilter; + boolean mapperContextRootRedirectEnabled = false; + + boolean mapperDirectoryRedirectEnabled = false; + // ----------------------------------------------------- Context Properties - + + @Override + public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) { + this.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled; + } + + + /** + * {@inheritDoc} + *

    + * The default value for this implementation is {@code false}. + */ + @Override + public boolean getMapperContextRootRedirectEnabled() { + return mapperContextRootRedirectEnabled; + } + + + @Override + public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) { + this.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled; + } + + + /** + * {@inheritDoc} + *

    + * The default value for this implementation is {@code false}. + */ + @Override + public boolean getMapperDirectoryRedirectEnabled() { + return mapperDirectoryRedirectEnabled; + } + @Override public void setContainerSciFilter(String containerSciFilter) { this.containerSciFilter = containerSciFilter; @@ -1087,7 +1124,7 @@ this.instanceManager = instanceManager; } - + @Override public String getEncodedPath() { return encodedPath; Index: tomcat7-7.0.52/java/org/apache/catalina/core/mbeans-descriptors.xml =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/core/mbeans-descriptors.xml 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/core/mbeans-descriptors.xml 2016-06-29 12:31:54.804360969 -0400 @@ -221,6 +221,14 @@ description="The object used for mapping" type="java.lang.Object"/> + + + + Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/DefaultServlet.java 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java 2016-06-29 12:31:54.804360969 -0400 @@ -364,6 +364,10 @@ * @param request The servlet request we are processing */ protected String getRelativePath(HttpServletRequest request) { + return getRelativePath(request, false); + } + + protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) { // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always // serves resources from the web app root with context rooted paths. // i.e. it can not be used to mount the web app root under a sub-path @@ -395,7 +399,7 @@ } else { result = request.getServletPath() + result; } - if ((result == null) || (result.equals(""))) { + if (((result == null) || (result.equals(""))) && !allowEmptyPath) { result = "/"; } return (result); 
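Review bot: The two new fields in StandardContext, `boolean mapperContextRootRedirectEnabled = false;` and `boolean mapperDirectoryRedirectEnabled = false;`, are package-private while the neighbouring `containerSciFilter` is `private`. Both have public getters and setters, so there is no reason to widen access; package-private state can be mutated from other classes in `org.apache.catalina.core` without going through the setter that the MBean descriptor added in this patch exposes. Declare them `private boolean mapperContextRootRedirectEnabled = false;` and `private boolean mapperDirectoryRedirectEnabled = false;` to match the surrounding fields.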
@@ -773,7 +777,8 @@ boolean serveContent = content; // Identify the requested resource path - String path = getRelativePath(request); + String path = getRelativePath(request, true); + if (debug > 0) { if (serveContent) log("DefaultServlet.serveResource: Serving resource '" + @@ -783,6 +788,12 @@ path + "' headers only"); } + if (path.length() == 0) { + // Context root redirect + doDirectoryRedirect(request, response); + return; + } + CacheEntry cacheEntry = resources.lookupCache(path); if (!cacheEntry.exists) { @@ -851,6 +862,11 @@ if (cacheEntry.context != null) { + if (!path.endsWith("/")) { + doDirectoryRedirect(request, response); + return; + } + // Skip directory listings if we have been configured to // suppress them if (!listings) { @@ -1058,6 +1074,16 @@ } + private void doDirectoryRedirect(HttpServletRequest request, HttpServletResponse response) + throws IOException { + StringBuilder location = new StringBuilder(request.getRequestURI()); + location.append('/'); + if (request.getQueryString() != null) { + location.append('?'); + location.append(request.getQueryString()); + } + response.sendRedirect(response.encodeRedirectURL(location.toString())); + } /** * Parse the content-range header. Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/WebdavServlet.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/WebdavServlet.java 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/servlets/WebdavServlet.java 2016-06-29 12:31:54.804360969 -0400 
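Review bot: `doDirectoryRedirect` is added without a Javadoc comment, yet it is now the place a maintainer will look to understand why DefaultServlet rather than the Mapper issues these redirects. Suggest a comment above it stating that it redirects a request for the context root or a directory that lacks a trailing slash to the same URI with `/` appended, preserving the query string, and that (as the patch description implies, to be confirmed) doing this here rather than in the Mapper means the redirect only happens for requests that have already passed the security constraints applied earlier in the pipeline. The `if (cacheEntry.context != null)` branch also redirects before the `listings` check, so a 302 still confirms a directory exists when listings are disabled; that trade-off deserves a line in the same comment.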
@@ -430,6 +430,11 @@ */ @Override protected String getRelativePath(HttpServletRequest request) { + return getRelativePath(request, false); + } + + @Override + protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) { // Are we being processed by a RequestDispatcher.include()? if (request.getAttribute( RequestDispatcher.INCLUDE_REQUEST_URI) != null) { Index: tomcat7-7.0.52/java/org/apache/catalina/startup/FailedContext.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/startup/FailedContext.java 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/startup/FailedContext.java 2016-06-29 12:31:54.804360969 -0400 @@ -703,4 +703,21 @@ @Override public String getContainerSciFilter() { return null; } -} \ No newline at end of file + + @Override + public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) { + // NO-OP + } + + @Override + public boolean getMapperContextRootRedirectEnabled() { return false; } + + @Override + public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) { + // NO-OP + } + + @Override + public boolean getMapperDirectoryRedirectEnabled() { return false; } + +} Index: tomcat7-7.0.52/java/org/apache/tomcat/util/http/mapper/Mapper.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/http/mapper/Mapper.java 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/http/mapper/Mapper.java 2016-06-29 12:39:48.354060095 -0400 
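Review bot: The WebdavServlet override `getRelativePath(HttpServletRequest request, boolean allowEmptyPath)` is visible only as far as its signature; the body, which lies outside the hunk, must actually return an empty string when `allowEmptyPath` is true rather than normalising it to `/`, otherwise DefaultServlet.serveResource's new `if (path.length() == 0)` context-root redirect never fires for WebDAV and that servlet quietly keeps the old behaviour. A test issuing `GET /context` (no trailing slash) through WebdavServlet and expecting a 302 to `/context/` would pin this.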
@@ -195,11 +195,36 @@ * @param context Context object * @param welcomeResources Welcome files defined for this context * @param resources Static resources of the context + * @deprecated Use {@link #addContextVersion(String, Object, String, String, Object, String[], + * javax.naming.Context, boolean, boolean)} */ + @Deprecated public void addContextVersion(String hostName, Object host, String path, String version, Object context, String[] welcomeResources, javax.naming.Context resources) { - + addContextVersion(hostName, host, path, version, context, welcomeResources, resources, + false, false); + } + + + /** + * Add a new Context to an existing Host. + * + * @param hostName Virtual host name this context belongs to + * @param host Host object + * @param path Context path + * @param version Context version + * @param context Context object + * @param welcomeResources Welcome files defined for this context + * @param resources Static resources of the context + * @param mapperContextRootRedirectEnabled Mapper does context root redirects + * @param mapperDirectoryRedirectEnabled Mapper does directory redirects + */ + public void addContextVersion(String hostName, Object host, String path, + String version, Object context, String[] welcomeResources, + javax.naming.Context resources, + boolean mapperContextRootRedirectEnabled, boolean mapperDirectoryRedirectEnabled) { + Host[] hosts = this.hosts; int pos = find(hosts, hostName); if( pos <0 ) { @@ -241,6 +266,9 @@ newContextVersion.object = context; newContextVersion.welcomeResources = welcomeResources; newContextVersion.resources = resources; + newContextVersion.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled; + newContextVersion.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled; + if (insertMap(contextVersions, newContextVersions, newContextVersion)) { mappedContext.versions = newContextVersions; } @@ -250,6 +278,7 @@ } + /** * Remove a context from an existing host. * 
@@ -834,20 +863,13 @@ int pathOffset = path.getOffset(); int pathEnd = path.getEnd(); - int servletPath = pathOffset; boolean noServletPath = false; int length = contextVersion.path.length(); - if (length != (pathEnd - pathOffset)) { - servletPath = pathOffset + length; - } else { + if (length == (pathEnd - pathOffset)) { noServletPath = true; - path.append('/'); - pathOffset = path.getOffset(); - pathEnd = path.getEnd(); - servletPath = pathOffset+length; } - + int servletPath = pathOffset + length; path.setOffset(servletPath); // Rule 1 -- Exact Match @@ -882,10 +904,13 @@ } } - if(mappingData.wrapper == null && noServletPath) { + if(mappingData.wrapper == null && noServletPath && + contextVersion.mapperContextRootRedirectEnabled) { // The path is empty, redirect to "/" + path.append('/'); + pathEnd = path.getEnd(); mappingData.redirectPath.setChars - (path.getBuffer(), pathOffset, pathEnd-pathOffset); + (path.getBuffer(), pathOffset, pathEnd - pathOffset); path.setEnd(pathEnd - 1); return; } @@ -1006,11 +1031,16 @@ Object file = null; String pathStr = path.toString(); try { - file = contextVersion.resources.lookup(pathStr); + if (pathStr.length() == 0) { + file = contextVersion.resources.lookup("/"); + } else { + file = contextVersion.resources.lookup(pathStr); + } } catch(NamingException nex) { // Swallow, since someone else handles the 404 } - if (file != null && file instanceof DirContext) { + if (file != null && file instanceof DirContext && + contextVersion.mapperDirectoryRedirectEnabled) { // Note: this mutates the path: do not do any processing // after this (since we set the redirectPath, there // shouldn't be any) @@ -1027,7 +1057,6 @@ path.setOffset(pathOffset); path.setEnd(pathEnd); - } 
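Review bot: In the `@@ -1006,11 +1031,16 @@` hunk the JNDI lookup (`contextVersion.resources.lookup(...)`) is still performed even when `contextVersion.mapperDirectoryRedirectEnabled` is false, and the result is only consulted by the redirect check that the flag now disables; provided `file` has no other use after this block (the hunk does not show one), hoisting the flag test above the `try` avoids a resource lookup per request in the default configuration. Minor: `file != null && file instanceof DirContext` can be just `file instanceof DirContext`, since `instanceof` is false for null.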
@@ -1510,6 +1539,8 @@ public Wrapper[] wildcardWrappers = new Wrapper[0]; public Wrapper[] extensionWrappers = new Wrapper[0]; public int nesting = 0; + public boolean mapperContextRootRedirectEnabled = false; + public boolean mapperDirectoryRedirectEnabled = false; } Index: tomcat7-7.0.52/test/org/apache/catalina/startup/TomcatBaseTest.java =================================================================== --- tomcat7-7.0.52.orig/test/org/apache/catalina/startup/TomcatBaseTest.java 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/test/org/apache/catalina/startup/TomcatBaseTest.java 2016-06-29 12:31:54.804360969 -0400 @@ -223,8 +223,7 @@ String method) throws IOException { URL url = new URL(path); - HttpURLConnection connection = - (HttpURLConnection) url.openConnection(); + HttpURLConnection connection = (HttpURLConnection) url.openConnection(); connection.setUseCaches(false); connection.setReadTimeout(readTimeout); connection.setRequestMethod(method); Index: tomcat7-7.0.52/webapps/docs/config/context.xml =================================================================== --- tomcat7-7.0.52.orig/webapps/docs/config/context.xml 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/webapps/docs/config/context.xml 2016-06-29 12:31:54.808361018 -0400 @@ -352,6 +352,22 @@ default value of false is used.

    + +

    If enabled, requests for a web application context root will be + redirected (adding a trailing slash) if necessary by the Mapper rather + than the default Servlet. This is more efficient but has the side effect + of confirming that the context path exists. If not specified, the + default value of false is used.

    +
    + + +

    If enabled, requests for a web application directory will be + redirected (adding a trailing slash) if necessary by the Mapper rather + than the default Servlet. This is more efficient but has the side effect + of confirming that the directory is exists. If not specified, the + default value of false is used.

    +
    +

    Set to true to ignore any settings in both the global or Host default contexts. By default, settings Index: tomcat7-7.0.52/test/org/apache/catalina/core/TesterContext.java =================================================================== --- tomcat7-7.0.52.orig/test/org/apache/catalina/core/TesterContext.java 2016-06-29 12:31:54.808361018 -0400 +++ tomcat7-7.0.52/test/org/apache/catalina/core/TesterContext.java 2016-06-29 12:31:54.808361018 -0400 @@ -1219,4 +1219,20 @@ @Override public String getContainerSciFilter() { return null; } + + @Override + public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) { + // NO-OP + } + + @Override + public boolean getMapperContextRootRedirectEnabled() { return false; } + + @Override + public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) { + // NO-OP + } + + @Override + public boolean getMapperDirectoryRedirectEnabled() { return false; } } debian/patches/CVE-2015-5346.patch0000644000000000000000000000544413067502611013247 0ustar Description: fix session fixation vulnerability Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1713187 Index: tomcat7-7.0.52/java/org/apache/catalina/connector/CoyoteAdapter.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/connector/CoyoteAdapter.java 2016-06-29 12:41:19.823161652 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/connector/CoyoteAdapter.java 2016-06-29 12:41:57.651617285 -0400 
@@ -712,6 +712,9 @@
 version = ctxt.getWebappVersion();
 // Reset mapping
 request.getMappingData().recycle();
+ // Recycle session info in case the correct
+ // context is configured with different settings
+ request.recycleSessionInfo();
 break;
 }
 }
Index: tomcat7-7.0.52/java/org/apache/catalina/connector/Request.java
===================================================================
--- tomcat7-7.0.52.orig/java/org/apache/catalina/connector/Request.java 2016-06-29 12:41:19.823161652 -0400
+++ tomcat7-7.0.52/java/org/apache/catalina/connector/Request.java 2016-06-29 12:41:19.819161605 -0400
@@ -494,18 +494,7 @@
 notes.clear();
 cookies = null;
- if (session != null) {
- try {
- session.endAccess();
- } catch (Throwable t) {
- ExceptionUtils.handleThrowable(t);
- log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t);
- }
- }
- session = null;
- requestedSessionCookie = false;
- requestedSessionId = null;
- requestedSessionURL = false;
+ recycleSessionInfo();
 if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) {
 parameterMap = new ParameterMap();
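Review bot: `recycleSessionInfo()` is added as a `protected` method with no Javadoc, and since CoyoteAdapter now calls it in the middle of mapping (the other hunk of this patch) its contract should be stated: `/** Reset the session state of this request (current session, requested id and how it was supplied, SSL flag) so that a request re-mapped to another context version does not carry session data resolved under the previous context's settings. */`. The `requestedSessionSSL = false;` line is the one thing the old inline block in `recycle()` did not reset and is the substantive part of the fix; give it its own one-line comment so it is not folded back out as "unrelated".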
@@ -553,11 +542,24 @@ } - /** - * Clear cached encoders (to save memory for Comet requests). - */ - public boolean read() - throws IOException { + protected void recycleSessionInfo() { + if (session != null) { + try { + session.endAccess(); + } catch (Throwable t) { + ExceptionUtils.handleThrowable(t); + log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t); + } + } + session = null; + requestedSessionCookie = false; + requestedSessionId = null; + requestedSessionURL = false; + requestedSessionSSL = false; + } + + + public boolean read() throws IOException { return (inputBuffer.realReadBytes(null, 0, 0) > 0); } debian/patches/0018-fix-manager-webapp.patch0000644000000000000000000000455113067502611015704 0ustar DESCRIPTION: this patch changes the manager path from webapps/manager to ../tomcat7-admin/manager Author: TJ , Gianfranco Costamagna Bug-Ubuntu: https://bugs.launchpad.net/bugs/1128067 Reviewed-By: Gianfranco Costamagna Last-Update: <2013-08-01> --- a/webapps/host-manager/manager.xml +++ b/webapps/host-manager/manager.xml @@ -20,7 +20,7 @@ Context configuration file for the Tomcat Manager Web App --> - --- a/webapps/docs/manager-howto.xml +++ b/webapps/docs/manager-howto.xml @@ -72,7 +72,7 @@ example:

     <Context privileged="true" antiResourceLocking="false"
    -         docBase="${catalina.home}/webapps/manager">
    +         docBase="${catalina.home}/../tomcat7-admin/manager">
       <Valve className="org.apache.catalina.valves.RemoteAddrValve"
              allow="127\.0\.0\.1" />
     </Context>
    --- a/conf/catalina.policy
    +++ b/conf/catalina.policy
    @@ -199,14 +199,14 @@
     // - default CATALINA_HOME == CATALINA_BASE
     // - CATALINA_HOME != CATALINA_BASE, per instance Manager in CATALINA_BASE
     // - CATALINA_HOME != CATALINA_BASE, shared Manager in CATALINA_HOME
    -grant codeBase "file:${catalina.base}/webapps/manager/-" {
    +grant codeBase "file:${catalina.base}/../tomcat7-admin/manager/-" {
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager.util";
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.util";
     };
    -grant codeBase "file:${catalina.home}/webapps/manager/-" {
    +grant codeBase "file:${catalina.home}/../tomcat7-admin/manager/-" {
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina";
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.ha.session";
         permission java.lang.RuntimePermission "accessClassInPackage.org.apache.catalina.manager";
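Review bot: The relocated grants `file:${catalina.base}/../tomcat7-admin/manager/-` and `file:${catalina.home}/../tomcat7-admin/manager/-` contain a `..` segment, and policy codeBase matching is done on URLs rather than filesystem paths; whether that `..` is collapsed depends on the policy implementation canonicalising `file:` URLs, which this patch does not verify. If it is not, the manager webapp gets none of these grants when Tomcat runs with the security manager and fails with AccessControlExceptions instead of an obvious error. Either point the grants at the canonical install directory of the manager webapp or add a run with `-security` to the package's checks; a comment above the grants explaining the `../tomcat7-admin` layout would also help the next person diffing against upstream.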
    debian/patches/CVE-2016-8745.patch0000644000000000000000000000251613067502611013253 0ustar  Description: fix information leakage between requests
    Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1777471
    Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312
    Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
    
    Index: tomcat7-7.0.52/java/org/apache/tomcat/util/net/NioEndpoint.java
    ===================================================================
    --- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/net/NioEndpoint.java	2014-01-27 07:48:36.000000000 -0500
    +++ tomcat7-7.0.52/java/org/apache/tomcat/util/net/NioEndpoint.java	2017-01-18 09:41:58.600528200 -0500
    @@ -1379,11 +1379,15 @@
                     }
                 }catch ( IOException x ) {
                     if ( log.isDebugEnabled() ) log.debug("Unable to complete sendfile request:", x);
    -                cancelledKey(sk,SocketStatus.ERROR,false);
    +                if (!event) {
    +                    cancelledKey(sk,SocketStatus.ERROR,false);
    +                }
                     return false;
                 }catch ( Throwable t ) {
                     log.error("",t);
    -                cancelledKey(sk, SocketStatus.ERROR, false);
    +                if (!event) {
    +                    cancelledKey(sk, SocketStatus.ERROR, false);
    +                }
                     return false;
                 }finally {
                     if (sc!=null) sc.setSendFile(false);
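Review bot: Both catch blocks now skip `cancelledKey(sk, SocketStatus.ERROR, false)` when `event` is true, leaving the selection key open after an I/O error on the event-driven path, and the hunk gives no indication of who then closes the socket; `event` itself is a parameter declared outside the hunk. A comment at the first guard, `// On the event path the caller owns the socket; cancelling it here lets it be recycled while still in use` (this is what the "information leakage between requests" description suggests, so confirm), would document the intent. The two catch blocks differ only in log level, so the `!event` guard is now maintained twice; factoring the cancel into a small helper would keep them in step.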
    debian/patches/CVE-2018-1336.patch0000644000000000000000000000214013326066420013234 0ustar  Description: fix DoS via issue in UTF-8 decoder
    Origin: upstream, https://svn.apache.org/r1830376
    Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312
    
    Index: tomcat7-7.0.52/java/org/apache/tomcat/util/buf/Utf8Decoder.java
    ===================================================================
    --- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/buf/Utf8Decoder.java	2013-03-05 06:28:45.000000000 -0500
    +++ tomcat7-7.0.52/java/org/apache/tomcat/util/buf/Utf8Decoder.java	2018-07-25 08:24:57.057606454 -0400
    @@ -277,6 +277,11 @@ public class Utf8Decoder extends Charset
                     outRemaining--;
                 } else {
                     if (outRemaining < 2) {
    +                    // Encoded with 4 bytes. inIndex currently points
    +                    // to the final byte. Move it back to first byte.
    +                    inIndex -= 3;
    +                    in.position(inIndex - in.arrayOffset());
    +                    out.position(outIndex - out.arrayOffset());
                         return CoderResult.OVERFLOW;
                     }
                     cArr[outIndex++] = (char) ((jchar >> 0xA) + 0xD7C0);
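Review bot: The fix rewinds `inIndex` by 3 and re-syncs the `in`/`out` positions before returning `CoderResult.OVERFLOW`, so the caller resumes at the lead byte of the 4-byte sequence once it has room for the surrogate pair; the hard-coded `3` is correct only for this branch, which the added comment states. What is missing is a regression test: decode a single 4-byte UTF-8 character into a CharBuffer with one char of free space, expect OVERFLOW with `in.position()` back at the lead byte, then resume and expect the two surrogates, since the DoS the patch describes is presumably the decoder spinning on the unchanged position. Also confirm that any non-array-backed decode path in this class, not shown here, handles the same overflow case.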
    debian/patches/CVE-2017-5648-pre.patch0000644000000000000000000006557513102636163014055 0ustar  Description: fix keep-alive with asynchronous servlet
    Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=56190
    Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1574937
    
    Index: tomcat7-7.0.52/java/org/apache/catalina/core/AsyncContextImpl.java
    ===================================================================
    --- tomcat7-7.0.52.orig/java/org/apache/catalina/core/AsyncContextImpl.java	2013-08-08 14:38:34.000000000 -0400
    +++ tomcat7-7.0.52/java/org/apache/catalina/core/AsyncContextImpl.java	2017-05-04 09:55:19.493279337 -0400
    @@ -88,12 +88,13 @@ public class AsyncContextImpl implements
                 logDebug("complete   ");
             }
             check();
    -        request.getCoyoteRequest().action(ActionCode.COMMIT, null);
             request.getCoyoteRequest().action(ActionCode.ASYNC_COMPLETE, null);
         }
     
         @Override
    -    public void fireOnComplete() {
    +    public void fireOnComplete() throws IOException {
    +        // Before firing the event, close the response
    +        request.getResponse().finishResponse();
             List listenersCopy =
                 new ArrayList();
             listenersCopy.addAll(listeners);
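Review bot: `fireOnComplete()` now calls `request.getResponse().finishResponse()` before the listener loop and lets the `IOException` propagate; the AsyncStateMachine change in this patch turns that into `SocketState.CLOSED`, but the registered AsyncListeners' `onComplete` is then never fired because the copy of `listeners` and the loop come after the throwing call. If listener notification must happen even when the client connection is gone, wrap the finish in try/finally or finish after notifying; otherwise document it with `// If the response cannot be finished the listeners are not notified; the caller closes the socket.` The rest of the method lies outside the hunk.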
    Index: tomcat7-7.0.52/java/org/apache/coyote/AsyncContextCallback.java
    ===================================================================
    --- tomcat7-7.0.52.orig/java/org/apache/coyote/AsyncContextCallback.java	2010-12-11 13:27:15.000000000 -0500
    +++ tomcat7-7.0.52/java/org/apache/coyote/AsyncContextCallback.java	2017-05-04 09:55:19.493279337 -0400
    @@ -16,6 +16,8 @@
      */
     package org.apache.coyote;
     
    +import java.io.IOException;
    +
     /**
      * Provides a mechanism for the Coyote connectors to signal to a
      * {@link javax.servlet.AsyncContext} implementation that an action, such as
    @@ -24,5 +26,5 @@ package org.apache.coyote;
      * org.apache.coyote package.  
      */
     public interface AsyncContextCallback {
    -    public void fireOnComplete();
    +    public void fireOnComplete() throws IOException;
     }
    Index: tomcat7-7.0.52/java/org/apache/coyote/AsyncStateMachine.java
    ===================================================================
    --- tomcat7-7.0.52.orig/java/org/apache/coyote/AsyncStateMachine.java	2013-08-01 06:08:29.000000000 -0400
    +++ tomcat7-7.0.52/java/org/apache/coyote/AsyncStateMachine.java	2017-05-04 09:55:19.493279337 -0400
    @@ -16,6 +16,7 @@
      */
     package org.apache.coyote;
     
    +import java.io.IOException;
     import java.security.AccessController;
     import java.security.PrivilegedAction;
     
    @@ -187,11 +188,21 @@ public class AsyncStateMachine {
                 state = AsyncState.STARTED;
                 return SocketState.LONG;
             } else if (state == AsyncState.MUST_COMPLETE) {
    -            asyncCtxt.fireOnComplete();
    +            try {
    +                asyncCtxt.fireOnComplete();
    +            } catch (IOException e) {
    +                // Socket is in unknown state. Close it.
    +                return SocketState.CLOSED;
    +            }
                 state = AsyncState.DISPATCHED;
                 return SocketState.ASYNC_END;
             } else if (state == AsyncState.COMPLETING) {
    -            asyncCtxt.fireOnComplete();
    +            try {
    +                asyncCtxt.fireOnComplete();
    +            } catch (IOException e) {
    +                // Socket is in unknown state. Close it.
    +                return SocketState.CLOSED;
    +            }
                 state = AsyncState.DISPATCHED;
                 return SocketState.ASYNC_END;
             } else if (state == AsyncState.MUST_DISPATCH) {
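Review bot: The MUST_COMPLETE and COMPLETING branches now contain identical try/catch blocks and identical follow-on statements (`state = AsyncState.DISPATCHED; return SocketState.ASYNC_END;`); merging the condition into `} else if (state == AsyncState.MUST_COMPLETE || state == AsyncState.COMPLETING) {` removes the duplication and keeps the two paths from drifting. The caught `IOException` is also dropped silently; a debug-level log of it before returning CLOSED would help diagnose "connection closed" reports, if this class has a logger (not visible in the hunk). The enclosing method begins before the hunk.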
    Index: tomcat7-7.0.52/test/org/apache/catalina/core/TestAsyncContextImpl.java
    ===================================================================
    --- tomcat7-7.0.52.orig/test/org/apache/catalina/core/TestAsyncContextImpl.java	2013-08-01 06:08:29.000000000 -0400
    +++ tomcat7-7.0.52/test/org/apache/catalina/core/TestAsyncContextImpl.java	2017-05-04 09:55:19.489279283 -0400
    @@ -14,12 +14,12 @@
      *  See the License for the specific language governing permissions and
      *  limitations under the License.
      */
    -
     package org.apache.catalina.core;
     
     import java.io.File;
     import java.io.IOException;
     import java.io.PrintWriter;
    +import java.util.HashMap;
     import java.util.LinkedHashMap;
     import java.util.List;
     import java.util.Map;
    @@ -46,12 +46,12 @@ import javax.servlet.http.HttpServletRes
     import static org.junit.Assert.assertEquals;
     import static org.junit.Assert.assertNotNull;
     import static org.junit.Assert.assertTrue;
    +
     import org.junit.Assert;
     import org.junit.Test;
     
     import org.apache.catalina.Context;
     import org.apache.catalina.Wrapper;
    -import org.apache.catalina.connector.Request;
     import org.apache.catalina.deploy.ApplicationListener;
     import org.apache.catalina.deploy.ErrorPage;
     import org.apache.catalina.startup.Tomcat;
    @@ -68,6 +68,20 @@ public class TestAsyncContextImpl extend
         // Default timeout for these tests
         private static final long TIMEOUT = 3000;
     
    +    private static StringBuilder tracker;
    +
    +    public static synchronized void resetTracker() {
    +        tracker = new StringBuilder();
    +    }
    +
    +    public static synchronized void track(String trace) {
    +        tracker.append(trace);
    +    }
    +
    +    public static synchronized String getTrack() {
    +        return tracker.toString();
    +    }
    +
         @Test
         public void testBug49528() throws Exception {
             // Setup Tomcat instance
    @@ -146,6 +160,7 @@ public class TestAsyncContextImpl extend
     
         @Test
         public void testAsyncStartNoComplete() throws Exception {
    +        resetTracker();
             // Setup Tomcat instance
             Tomcat tomcat = getTomcatInstance();
     
    @@ -170,14 +185,16 @@ public class TestAsyncContextImpl extend
             tomcat.start();
     
             // Call the servlet the first time
    -        ByteChunk bc1 = getUrl("http://localhost:" + getPort() +
    -                "/?echo=run1");
    -        assertEquals("OK-run1", bc1.toString());
    +        getUrl("http://localhost:" + getPort() + "/?echo=run1");
    +        Assert.assertEquals("OK-run1", getTrack());
    +        resetTracker();
     
             // Call the servlet the second time with a request parameter
    -        ByteChunk bc2 = getUrl("http://localhost:" + getPort() +
    -                "/?echo=run2");
    -        assertEquals("OK-run2", bc2.toString());
    +        getUrl("http://localhost:" + getPort() + "/?echo=run2");
    +        Assert.assertEquals("OK-run2", getTrack());
    +
    +        // Request may complete before listener has finished processing so wait
    +        // up to 5 seconds for the right response
     
             // Check the access log
             alv.validateAccessLog(2, 500,
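Review bot: The comment added at the end of the hunk (`// Request may complete before listener has finished processing so wait up to 5 seconds for the right response`) has no code under it: `Assert.assertEquals("OK-run1", getTrack())` and the run2 assertion both execute immediately after `getUrl(...)`, so this test keeps exactly the race the comment describes, whereas the other tests in this patch poll `getTrack()` for up to 100×50 ms before asserting. Either remove the orphaned comment or place the same polling loop in front of each of the two assertions. The enclosing test method continues outside the hunk.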
    @@ -208,8 +225,15 @@ public class TestAsyncContextImpl extend
             tomcat.start();
     
             // Call the servlet once
    -        ByteChunk bc = getUrl("http://localhost:" + getPort() + "/");
    +        ByteChunk bc = new ByteChunk();
    +        Map> headers = new HashMap>();
    +        getUrl("http://localhost:" + getPort() + "/", bc, headers);
    +
             assertEquals("OK", bc.toString());
    +        List contentLength = headers.get("Content-Length");
    +        Assert.assertNotNull(contentLength);
    +        Assert.assertEquals(1,  contentLength.size());
    +        Assert.assertEquals("2", contentLength.get(0));
     
             // Check the access log
             alv.validateAccessLog(1, 200, 0, REQUEST_TIME);
    @@ -356,10 +380,9 @@ public class TestAsyncContextImpl extend
     
                 String echo = req.getParameter("echo");
                 AsyncContext actxt = req.startAsync();
    -            resp.setContentType("text/plain");
    -            resp.getWriter().print("OK");
    +            TestAsyncContextImpl.track("OK");
                 if (echo != null) {
    -                resp.getWriter().print("-" + echo);
    +                TestAsyncContextImpl.track("-" + echo);
                 }
                 // Speed up the test by reducing the timeout
                 actxt.setTimeout(ASYNC_TIMEOUT);
    @@ -429,6 +452,8 @@ public class TestAsyncContextImpl extend
         private void doTestTimeout(Boolean completeOnTimeout, Boolean asyncDispatch)
                 throws Exception {
     
    +        resetTracker();
    +
             String dispatchUrl = null;
             if (asyncDispatch != null) {
                 if (asyncDispatch.booleanValue()) {
    @@ -477,9 +502,8 @@ public class TestAsyncContextImpl extend
             tomcat.getHost().getPipeline().addValve(alvGlobal);
     
             tomcat.start();
    -        ByteChunk res = new ByteChunk();
             try {
    -            getUrl("http://localhost:" + getPort() + "/start", res, null);
    +            getUrl("http://localhost:" + getPort() + "/start");
             } catch (IOException ioe) {
                 // Ignore - expected for some error conditions
             }
    @@ -503,10 +527,19 @@ public class TestAsyncContextImpl extend
                 expected.append("onComplete-");
                 expected.append("requestDestroyed");
             }
    -        assertEquals(expected.toString(), res.toString());
    +        // Request may complete before listener has finished processing so wait
    +        // up to 5 seconds for the right response
    +        String expectedTrack = expected.toString();
    +        int count = 0;
    +        while (!expectedTrack.equals(getTrack()) && count < 100) {
    +            Thread.sleep(50);
    +            count ++;
    +        }
    +        assertEquals(expectedTrack, getTrack());
     
             // Check the access log
    -        if (completeOnTimeout == null) {
    +        if (completeOnTimeout == null ||
    +                (!completeOnTimeout.booleanValue() && asyncDispatch == null)) {
                 alvGlobal.validateAccessLog(1, 500, TimeoutServlet.ASYNC_TIMEOUT,
                         TimeoutServlet.ASYNC_TIMEOUT + TIMEOUT_MARGIN +
                         REQUEST_TIME);
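Review bot: The eight-line polling loop (`int count = 0; while (!expectedTrack.equals(getTrack()) && count < 100) { Thread.sleep(50); count ++; }`) introduced here is copied verbatim into the hunks ending at L449, L504, L628, L678, L736, L800 and L846, each with the same two-line comment; a single static helper next to `track()`/`getTrack()` would make the 5-second bound one named constant and leave each test with two lines. The `count ++` spacing also differs from the rest of the file. The enclosing `doTestTimeout` method continues outside the hunk.
```java
    // Placed next to resetTracker()/track()/getTrack().
    // Request may complete before listener has finished processing so wait
    // up to 5 seconds for the right response.
    private static void waitForTrack(String expected) throws InterruptedException {
        int count = 0;
        while (!expected.equals(getTrack()) && count < 100) {
            Thread.sleep(50);
            count++;
        }
    }

    // … unchanged: doTestTimeout up to the expected StringBuilder …
        String expectedTrack = expected.toString();
        waitForTrack(expectedTrack);
        assertEquals(expectedTrack, getTrack());
```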
    @@ -544,7 +577,7 @@ public class TestAsyncContextImpl extend
             protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                     throws ServletException, IOException {
                 if (req.isAsyncSupported()) {
    -                resp.getWriter().print("TimeoutServletGet-");
    +                TestAsyncContextImpl.track("TimeoutServletGet-");
                     final AsyncContext ac = req.startAsync();
                     ac.setTimeout(ASYNC_TIMEOUT);
     
    @@ -589,6 +622,7 @@ public class TestAsyncContextImpl extend
         }
     
         private void doTestDispatch(int iter, boolean useThread) throws Exception {
    +        resetTracker();
             // Setup Tomcat instance
             Tomcat tomcat = getTomcatInstance();
     
    @@ -623,7 +657,7 @@ public class TestAsyncContextImpl extend
             if (useThread) {
                 url.append("&useThread=y");
             }
    -        ByteChunk res = getUrl(url.toString());
    +        getUrl(url.toString());
     
             StringBuilder expected = new StringBuilder("requestInitialized-");
             int loop = iter;
    @@ -633,7 +667,15 @@ public class TestAsyncContextImpl extend
             }
             expected.append("NonAsyncServletGet-");
             expected.append("requestDestroyed");
    -        assertEquals(expected.toString(), res.toString());
    +        // Request may complete before listener has finished processing so wait
    +        // up to 5 seconds for the right response
    +        String expectedTrack = expected.toString();
    +        int count = 0;
    +        while (!expectedTrack.equals(getTrack()) && count < 100) {
    +            Thread.sleep(50);
    +            count ++;
    +        }
    +        assertEquals(expectedTrack, getTrack());
     
             // Check the access log
             alv.validateAccessLog(1, 200, 0, REQUEST_TIME);
    @@ -659,11 +701,10 @@ public class TestAsyncContextImpl extend
     
                 if ("y".equals(req.getParameter(DISPATCH_CHECK))) {
                     if (req.getDispatcherType() != DispatcherType.ASYNC) {
    -                    resp.getWriter().write("WrongDispatcherType-");
    +                    track("WrongDispatcherType-");
                     }
                 }
    -            resp.getWriter().write("DispatchingServletGet-");
    -            resp.flushBuffer();
    +            track("DispatchingServletGet-");
                 final int iter = Integer.parseInt(req.getParameter(ITER_PARAM)) - 1;
                 final AsyncContext ctxt = req.startAsync();
                 if (addTrackingListener) {
    @@ -697,13 +738,13 @@ public class TestAsyncContextImpl extend
             @Override
             protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                     throws ServletException, IOException {
    -            resp.getWriter().write("NonAsyncServletGet-");
    -            resp.flushBuffer();
    +            TestAsyncContextImpl.track("NonAsyncServletGet-");
             }
         }
     
         @Test
         public void testListeners() throws Exception {
    +        resetTracker();
             // Setup Tomcat instance
             Tomcat tomcat = getTomcatInstance();
     
    @@ -732,12 +773,19 @@ public class TestAsyncContextImpl extend
             url.append(getPort());
             url.append("/stage1");
     
    -        ByteChunk res = getUrl(url.toString());
    +        getUrl(url.toString());
     
    -        assertEquals(
    -                "DispatchingServletGet-DispatchingServletGet-onStartAsync-" +
    -                "TimeoutServletGet-onStartAsync-onTimeout-onComplete-",
    -                res.toString());
    +        // Request may complete before listener has finished processing so wait
    +        // up to 5 seconds for the right response
    +        String expectedTrack = "DispatchingServletGet-DispatchingServletGet-" +
    +                "onStartAsync-TimeoutServletGet-onStartAsync-onTimeout-" +
    +                "onComplete-";
    +        int count = 0;
    +        while (!expectedTrack.equals(getTrack()) && count < 100) {
    +            Thread.sleep(50);
    +            count ++;
    +        }
    +        Assert.assertEquals(expectedTrack, getTrack());
     
             // Check the access log
             alv.validateAccessLog(1, 200, TimeoutServlet.ASYNC_TIMEOUT,
    @@ -753,7 +801,7 @@ public class TestAsyncContextImpl extend
             @Override
             protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                     throws ServletException, IOException {
    -            resp.getWriter().write("DispatchingServletGet-");
    +            TestAsyncContextImpl.track("DispatchingServletGet-");
                 resp.flushBuffer();
     
                 final boolean first = TrackingServlet.first;
    @@ -797,16 +845,12 @@ public class TestAsyncContextImpl extend
     
             @Override
             public void onComplete(AsyncEvent event) throws IOException {
    -            ServletResponse resp = event.getAsyncContext().getResponse();
    -            resp.getWriter().write("onComplete-");
    -            resp.flushBuffer();
    +            TestAsyncContextImpl.track("onComplete-");
             }
     
             @Override
             public void onTimeout(AsyncEvent event) throws IOException {
    -            ServletResponse resp = event.getAsyncContext().getResponse();
    -            resp.getWriter().write("onTimeout-");
    -            resp.flushBuffer();
    +            TestAsyncContextImpl.track("onTimeout-");
                 if (completeOnTimeout){
                     event.getAsyncContext().complete();
                 }
    @@ -817,9 +861,7 @@ public class TestAsyncContextImpl extend
     
             @Override
             public void onError(AsyncEvent event) throws IOException {
    -            ServletResponse resp = event.getAsyncContext().getResponse();
    -            resp.getWriter().write("onError-");
    -            resp.flushBuffer();
    +            TestAsyncContextImpl.track("onError-");
                 if (completeOnError) {
                     event.getAsyncContext().complete();
                 }
    @@ -827,9 +869,7 @@ public class TestAsyncContextImpl extend
     
             @Override
             public void onStartAsync(AsyncEvent event) throws IOException {
    -            ServletResponse resp = event.getAsyncContext().getResponse();
    -            resp.getWriter().write("onStartAsync-");
    -            resp.flushBuffer();
    +            TestAsyncContextImpl.track("onStartAsync-");
             }
         }
     
    @@ -838,26 +878,12 @@ public class TestAsyncContextImpl extend
     
             @Override
             public void requestDestroyed(ServletRequestEvent sre) {
    -            // Need the response and it isn't available via the Servlet API
    -            Request r = (Request) sre.getServletRequest();
    -            try {
    -                r.getResponse().getWriter().print("requestDestroyed");
    -            } catch (IOException e) {
    -                // Test will fail if this happens
    -                e.printStackTrace();
    -            }
    +            TestAsyncContextImpl.track("requestDestroyed");
             }
     
             @Override
             public void requestInitialized(ServletRequestEvent sre) {
    -            // Need the response and it isn't available via the Servlet API
    -            Request r = (Request) sre.getServletRequest();
    -            try {
    -                r.getResponse().getWriter().print("requestInitialized-");
    -            } catch (IOException e) {
    -                // Test will fail if this happens
    -                e.printStackTrace();
    -            }
    +            TestAsyncContextImpl.track("requestInitialized-");
             }
         }
     
    @@ -927,6 +953,7 @@ public class TestAsyncContextImpl extend
         private void doTestDispatchError(int iter, boolean useThread,
                 boolean completeOnError)
                 throws Exception {
    +        resetTracker();
             // Setup Tomcat instance
             Tomcat tomcat = getTomcatInstance();
     
    @@ -941,7 +968,7 @@ public class TestAsyncContextImpl extend
             wrapper.setAsyncSupported(true);
             ctx.addServletMapping("/stage1", "dispatch");
     
    -        ErrorServlet error = new ErrorServlet(true);
    +        ErrorServlet error = new ErrorServlet();
             Tomcat.addServlet(ctx, "error", error);
             ctx.addServletMapping("/stage2", "error");
     
    @@ -961,7 +988,7 @@ public class TestAsyncContextImpl extend
             if (useThread) {
                 url.append("&useThread=y");
             }
    -        ByteChunk res = getUrl(url.toString());
    +        getUrl(url.toString());
     
             StringBuilder expected = new StringBuilder("requestInitialized-");
             int loop = iter;
    @@ -973,29 +1000,28 @@ public class TestAsyncContextImpl extend
                 loop--;
             }
             expected.append("ErrorServletGet-onError-onComplete-requestDestroyed");
    -        assertEquals(expected.toString(), res.toString());
    +        // Request may complete before listener has finished processing so wait
    +        // up to 5 seconds for the right response
    +        String expectedTrack = expected.toString();
    +        int count = 0;
    +        while (!expectedTrack.equals(getTrack()) && count < 100) {
    +            Thread.sleep(50);
    +            count ++;
    +        }
    +        assertEquals(expectedTrack, getTrack());
     
             // Check the access log
    -        alv.validateAccessLog(1, 200, 0, REQUEST_TIME);
    +        alv.validateAccessLog(1, 500, 0, REQUEST_TIME);
         }
     
         private static class ErrorServlet extends HttpServlet {
     
             private static final long serialVersionUID = 1L;
     
    -        private boolean flush = false;
    -
    -        public ErrorServlet(boolean flush) {
    -            this.flush = flush;
    -        }
    -
             @Override
             protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                     throws ServletException, IOException {
    -            resp.getWriter().write("ErrorServletGet-");
    -            if (flush) {
    -                resp.flushBuffer();
    -            }
    +            TestAsyncContextImpl.track("ErrorServletGet-");
                 try {
                     // Give the original thread a chance to exit the
                     // ErrorReportValve before we throw this exception
    @@ -1009,6 +1035,7 @@ public class TestAsyncContextImpl extend
     
         @Test
         public void testBug50352() throws Exception {
    +        resetTracker();
             // Setup Tomcat instance
             Tomcat tomcat = getTomcatInstance();
     
    @@ -1027,9 +1054,17 @@ public class TestAsyncContextImpl extend
     
             tomcat.start();
     
    -        ByteChunk res = getUrl("http://localhost:" + getPort() + "/");
    +        getUrl("http://localhost:" + getPort() + "/");
     
    -        assertEquals("Runnable-onComplete-", res.toString());
    +        // Request may complete before listener has finished processing so wait
    +        // up to 5 seconds for the right response
    +        String expectedTrack = "Runnable-onComplete-";
    +        int count = 0;
    +        while (!expectedTrack.equals(getTrack()) && count < 100) {
    +            Thread.sleep(50);
    +            count ++;
    +        }
    +        assertEquals(expectedTrack, getTrack());
     
             // Check the access log
             alv.validateAccessLog(1, 200, AsyncStartRunnable.THREAD_SLEEP_TIME,
    @@ -1058,8 +1093,7 @@ public class TestAsyncContextImpl extend
                     public void run() {
                         try {
                             Thread.sleep(THREAD_SLEEP_TIME);
    -                        asyncContext.getResponse().getWriter().write(
    -                                "Runnable-");
    +                        TestAsyncContextImpl.track("Runnable-");
                             asyncContext.complete();
                         } catch (Exception e) {
                             e.printStackTrace();
    @@ -1145,7 +1179,7 @@ public class TestAsyncContextImpl extend
     
             Context ctx = tomcat.addContext("", docBase.getAbsolutePath());
     
    -        ErrorServlet error = new ErrorServlet(false);
    +        ErrorServlet error = new ErrorServlet();
             Tomcat.addServlet(ctx, "error", error);
             ctx.addServletMapping("/error", "error");
     
    @@ -1529,6 +1563,7 @@ public class TestAsyncContextImpl extend
     
         private void doTestTimeoutErrorDispatch(Boolean asyncError,
                 ErrorPageAsyncMode mode) throws Exception {
    +        resetTracker();
             // Setup Tomcat instance
             Tomcat tomcat = getTomcatInstance();
     
    @@ -1581,12 +1616,7 @@ public class TestAsyncContextImpl extend
             }
     
             StringBuilder expected = new StringBuilder();
    -        if (asyncError == null) {
    -            // No error handler - just get the 500 response
    -            expected.append("requestInitialized-TimeoutServletGet-");
    -            // Note: With an error handler the response will be reset and these
    -            //       will be lost
    -        }
    +        expected.append("requestInitialized-TimeoutServletGet-");
             if (asyncError != null) {
                 if (asyncError.booleanValue()) {
                     expected.append("AsyncErrorPageGet-");
    @@ -1603,7 +1633,15 @@ public class TestAsyncContextImpl extend
             }
             expected.append("requestDestroyed");
     
    -        Assert.assertEquals(expected.toString(), res.toString());
    +        // Request may complete before listener has finished processing so wait
    +        // up to 5 seconds for the right response
    +        String expectedTrack = expected.toString();
    +        int count = 0;
    +        while (!expectedTrack.equals(getTrack()) && count < 100) {
    +            Thread.sleep(50);
    +            count ++;
    +        }
    +        Assert.assertEquals(expectedTrack, getTrack());
     
             // Check the access log
             alvGlobal.validateAccessLog(1, 500, TimeoutServlet.ASYNC_TIMEOUT,
    @@ -1633,23 +1671,21 @@ public class TestAsyncContextImpl extend
             @Override
             protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                     throws ServletException, IOException {
    -            PrintWriter writer = resp.getWriter();
    -            writer.write("AsyncErrorPageGet-");
    -            resp.flushBuffer();
    +            TestAsyncContextImpl.track("AsyncErrorPageGet-");
     
                 final AsyncContext ctxt = req.getAsyncContext();
     
                 switch(mode) {
                     case COMPLETE:
    -                    writer.write("Complete-");
    +                    TestAsyncContextImpl.track("Complete-");
                         ctxt.complete();
                         break;
                     case DISPATCH:
    -                    writer.write("Dispatch-");
    +                    TestAsyncContextImpl.track("Dispatch-");
                         ctxt.dispatch("/error/nonasync");
                         break;
                     case NO_COMPLETE:
    -                    writer.write("NoOp-");
    +                    TestAsyncContextImpl.track("NoOp-");
                         break;
                     default:
                         // Impossible
    @@ -1764,6 +1800,7 @@ public class TestAsyncContextImpl extend
     
         @Test
         public void testForbiddenDispatching() throws Exception {
    +        resetTracker();
             // Setup Tomcat instance
             Tomcat tomcat = getTomcatInstance();
     
    @@ -1787,19 +1824,24 @@ public class TestAsyncContextImpl extend
     
             tomcat.start();
     
    -        ByteChunk body = new ByteChunk();
    -
             try {
                 getUrl("http://localhost:" + getPort()
    -                    + "/forbiddenDispatchingServlet", body, null);
    +                    + "/forbiddenDispatchingServlet");
             } catch (IOException ioe) {
                 // This may happen if test fails. Output the exception in case it is
                 // useful and let asserts handle the failure
                 ioe.printStackTrace();
             }
     
    -        assertTrue(body.toString().contains("OK"));
    -        assertTrue(body.toString().contains("NonAsyncServletGet"));
    +        // Request may complete before listener has finished processing so wait
    +        // up to 5 seconds for the right response
    +        String expectedTrack = "OKNonAsyncServletGet-";
    +        int count = 0;
    +        while (!expectedTrack.equals(getTrack()) && count < 100) {
    +            Thread.sleep(50);
    +            count ++;
    +        }
    +        Assert.assertEquals(expectedTrack, getTrack());
         }
     
         private static class DispatchingGenericServlet extends GenericServlet {
    @@ -1827,12 +1869,12 @@ public class TestAsyncContextImpl extend
                     }
                     try {
                         asyncContext.dispatch("/nonExistingServlet");
    -                    resp.getWriter().print("FAIL");
    +                    TestAsyncContextImpl.track("FAIL");
                     } catch (IllegalStateException e) {
    -                    resp.getWriter().print("OK");
    +                    TestAsyncContextImpl.track("OK");
                     }
                 } else {
    -                resp.getWriter().print("DispatchingGenericServletGet-");
    +                TestAsyncContextImpl.track("DispatchingGenericServletGet-");
                 }
             }
     
    @@ -1863,7 +1905,7 @@ public class TestAsyncContextImpl extend
                     throws ServletException, IOException {
                 if (req instanceof ServletRequestWrapper
                         && res instanceof ServletResponseWrapper) {
    -                res.getWriter().print("CustomGenericServletGet-");
    +                TestAsyncContextImpl.track("CustomGenericServletGet-");
                 }
             }
     
    @@ -1935,8 +1977,17 @@ public class TestAsyncContextImpl extend
     
         private void requestApplicationWithGenericServlet(String path,
                 StringBuilder expectedContent) throws Exception {
    -        ByteChunk res = getUrl("http://localhost:" + getPort() + path);
    +        resetTracker();
    +        getUrl("http://localhost:" + getPort() + path);
     
    -        assertEquals(expectedContent.toString(), res.toString());
    +        // Request may complete before listener has finished processing so wait
    +        // up to 5 seconds for the right response
    +        String expectedTrack = expectedContent.toString();
    +        int count = 0;
    +        while (!expectedTrack.equals(getTrack()) && count < 100) {
    +            Thread.sleep(50);
    +            count ++;
    +        }
    +        Assert.assertEquals(expectedTrack, getTrack());
         }
     }
    debian/patches/CVE-2016-3092.patch0000644000000000000000000000416713067502611013245 0ustar  From: Markus Koschany 
    Date: Sun, 26 Jun 2016 19:14:54 +0200
    Subject: CVE-2016-3092
    
    A denial of service vulnerability was identified in Commons FileUpload that
    occurred when the length of the multipart boundary was just below the size of
    the buffer (4096 bytes) used to read the uploaded file. This caused the file
    upload process to take several orders of magnitude longer than if the boundary
    was the typical tens of bytes long.
    
    Upstream advisory:
    http://markmail.org/message/oyxfv73jb2g7rjg3
    
    Origin: https://svn.apache.org/r1743480
    Origin: https://svn.apache.org/viewvc?view=revision&revision=1743742
    ---
     .../apache/tomcat/util/http/fileupload/MultipartStream.java  | 12 ++++++++----
     1 file changed, 8 insertions(+), 4 deletions(-)
    
    Index: tomcat7-7.0.68/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
    ===================================================================
    --- tomcat7-7.0.68.orig/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java	2016-06-27 14:12:36.278176085 -0400
    +++ tomcat7-7.0.68/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java	2016-06-27 14:12:36.274176038 -0400
    @@ -282,11 +282,10 @@
                 byte[] boundary,
                 int bufSize,
                 ProgressNotifier pNotifier) {
    -        this.input = input;
    -        this.bufSize = bufSize;
    -        this.buffer = new byte[bufSize];
    -        this.notifier = pNotifier;
     
    +        if (boundary == null) {
    +            throw new IllegalArgumentException("boundary may not be null");
    +        }
             // We prepend CR/LF to the boundary to chop trailing CR/LF from
             // body-data tokens.
             this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
    @@ -294,6 +293,11 @@
                 throw new IllegalArgumentException(
                         "The buffer size specified for the MultipartStream is too small");
             }
    +        this.input = input;
    +        this.bufSize = Math.max(bufSize, boundaryLength*2);
    +        this.buffer = new byte[this.bufSize];
    +        this.notifier = pNotifier;
    +
             this.boundary = new byte[this.boundaryLength];
             this.keepRegion = this.boundary.length;
     
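Review bot: `this.bufSize = Math.max(bufSize, boundaryLength*2);` silently overrides the caller's buffer size without saying why, and the reason is the fix itself; a comment on that line would stop a later "simplification" from reverting it, e.g. `// The buffer must hold at least two boundaries: a boundary only slightly shorter than bufSize makes the upload take orders of magnitude longer (CVE-2016-3092).` The same comment should state that the buffer is now sized from the client-supplied boundary, so the per-request allocation is bounded only by whatever limits the Content-Type header length upstream. Note that the "too small" check just above still tests the caller's unadjusted `bufSize`; that is presumably intended (reject callers that asked for too little) but worth confirming. The constructor starts and ends outside the hunk.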
    debian/patches/CVE-2015-5174.patch0000644000000000000000000001461413067502611013245 0ustar  Description: fix directory traversal vulnerability in RequestUtil.java
    Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1696284
    Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1700898
    
    Index: tomcat7-7.0.52/java/org/apache/tomcat/util/http/RequestUtil.java
    ===================================================================
    --- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/http/RequestUtil.java	2012-02-01 05:52:00.000000000 -0500
    +++ tomcat7-7.0.52/java/org/apache/tomcat/util/http/RequestUtil.java	2016-06-21 13:03:30.575220112 -0400
    @@ -30,6 +30,9 @@
          * try to perform security checks for malicious input.
          *
          * @param path Relative path to be normalized
    +     *
    +     * @return The normalized path or null of the path cannot be
    +     *         normalized
          */
         public static String normalize(String path) {
             return normalize(path, true);
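Review bot: The new `@return` javadoc reads `or null of the path cannot be normalized`; it should be `or null if the path cannot be normalized`. The same wording is added again in the next hunk (ending at L932) for the two-argument overload and should be fixed there too.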
    @@ -44,11 +47,15 @@
          *
          * @param path Relative path to be normalized
          * @param replaceBackSlash Should '\\' be replaced with '/'
    +     *
    +     * @return The normalized path or null of the path cannot be
    +     *         normalized
          */
         public static String normalize(String path, boolean replaceBackSlash) {
     
    -        if (path == null)
    +        if (path == null) {
                 return null;
    +        }
     
             // Create a place for the normalized path
             String normalized = path;
    @@ -56,9 +63,6 @@
             if (replaceBackSlash && normalized.indexOf('\\') >= 0)
                 normalized = normalized.replace('\\', '/');
     
    -        if (normalized.equals("/."))
    -            return "/";
    -
             // Add a leading "/" if necessary
             if (!normalized.startsWith("/"))
                 normalized = "/" + normalized;
    @@ -66,34 +70,43 @@
             // Resolve occurrences of "//" in the normalized path
             while (true) {
                 int index = normalized.indexOf("//");
    -            if (index < 0)
    +            if (index < 0) {
                     break;
    -            normalized = normalized.substring(0, index) +
    -                normalized.substring(index + 1);
    +            }
    +            normalized = normalized.substring(0, index) + normalized.substring(index + 1);
             }
     
             // Resolve occurrences of "/./" in the normalized path
             while (true) {
                 int index = normalized.indexOf("/./");
    -            if (index < 0)
    +            if (index < 0) {
                     break;
    -            normalized = normalized.substring(0, index) +
    -                normalized.substring(index + 2);
    +            }
    +            normalized = normalized.substring(0, index) + normalized.substring(index + 2);
             }
     
             // Resolve occurrences of "/../" in the normalized path
             while (true) {
                 int index = normalized.indexOf("/../");
    -            if (index < 0)
    +            if (index < 0) {
                     break;
    -            if (index == 0)
    -                return (null);  // Trying to go outside our context
    +            }
    +            if (index == 0) {
    +                return null;  // Trying to go outside our context
    +            }
                 int index2 = normalized.lastIndexOf('/', index - 1);
    -            normalized = normalized.substring(0, index2) +
    -                normalized.substring(index + 3);
    +            normalized = normalized.substring(0, index2) + normalized.substring(index + 3);
    +        }
    +
    +        if (normalized.equals("/.")) {
    +            return "/";
    +        }
    +
    +        if (normalized.equals("/..")) {
    +            return null;  // Trying to go outside our context
             }
     
             // Return the normalized path that we have completed
    -        return (normalized);
    +        return normalized;
         }
     }
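Review bot: A path whose final segment is `..` or `.` with a real segment before it, such as `/a/..` or `/a/.`, is returned unchanged by the new code: the `/../` and `/./` loops only match the slash-terminated forms, and the equality checks added at the end only catch the bare `/.` and `/..`, so callers still cannot treat the result as canonical. The method's signature and null check start before this hunk. One way to cover these cases without touching the loops is to append a `/` when the path ends in `/.` or `/..` before the loops and strip it again afterwards, as below; the two `equals` checks then become redundant but harmless. A test such as `doTestNormalize("/a/..", "/")` would pin the behaviour.
```java
        // … unchanged: leading "/" insertion …

        // Treat a trailing "/." or "/.." like the embedded forms so the loops
        // below collapse them; the added slash is removed again before return.
        boolean addedTrailingSlash = false;
        if (normalized.endsWith("/.") || normalized.endsWith("/..")) {
            normalized = normalized + "/";
            addedTrailingSlash = true;
        }

        // … unchanged: "//", "/./" and "/../" loops and the "/." / "/.." checks …

        if (addedTrailingSlash && normalized.length() > 1) {
            normalized = normalized.substring(0, normalized.length() - 1);
        }

        // Return the normalized path that we have completed
        return normalized;
```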
    Index: tomcat7-7.0.52/test/org/apache/tomcat/util/http/TestRequestUtil.java
    ===================================================================
    --- tomcat7-7.0.52.orig/test/org/apache/tomcat/util/http/TestRequestUtil.java	2012-02-01 05:52:00.000000000 -0500
    +++ tomcat7-7.0.52/test/org/apache/tomcat/util/http/TestRequestUtil.java	2016-06-21 13:03:32.787241711 -0400
    @@ -23,11 +23,101 @@
     public class TestRequestUtil {
     
         @Test
    -    public void testNormalizeString() {
    -        assertEquals("/something",RequestUtil.normalize("//something"));
    -        assertEquals("/some/thing",RequestUtil.normalize("some//thing"));
    -        assertEquals("/something/",RequestUtil.normalize("something//"));
    -        assertEquals("/",RequestUtil.normalize("//"));
    +    public void testNormalize01() {
    +        doTestNormalize("//something", "/something");
         }
     
    +    @Test
    +    public void testNormalize02() {
    +        doTestNormalize("some//thing", "/some/thing");
    +    }
    +
    +    @Test
    +    public void testNormalize03() {
    +        doTestNormalize("something//", "/something/");
    +    }
    +
    +    @Test
    +    public void testNormalize04() {
    +        doTestNormalize("//", "/");
    +    }
    +
    +        @Test
    +    public void testNormalize05() {
    +        doTestNormalize("//", "/");
    +    }
    +
    +    @Test
    +    public void testNormalize06() {
    +        doTestNormalize("///", "/");
    +    }
    +
    +    @Test
    +    public void testNormalize07() {
    +        doTestNormalize("////", "/");
    +    }
    +
    +    @Test
    +    public void testNormalize08() {
    +        doTestNormalize("/.", "/");
    +    }
    +
    +    @Test
    +    public void testNormalize09() {
    +        doTestNormalize("/./", "/");
    +    }
    +
    +    @Test
    +    public void testNormalize10() {
    +        doTestNormalize(".", "/");
    +    }
    +
    +    @Test
    +    public void testNormalize11() {
    +        doTestNormalize("/..", null);
    +    }
    +
    +    @Test
    +    public void testNormalize12() {
    +        doTestNormalize("/../", null);
    +    }
    +
    +    @Test
    +    public void testNormalize13() {
    +        doTestNormalize("..", null);
    +    }
    +
    +    @Test
    +    public void testNormalize14() {
    +        doTestNormalize("//..", null);
    +    }
    +
    +    @Test
    +    public void testNormalize15() {
    +        doTestNormalize("//../", null);
    +    }
    +
    +    @Test
    +    public void testNormalize16() {
    +        doTestNormalize("/./..", null);
    +    }
    +
    +    @Test
    +    public void testNormalize17() {
    +        doTestNormalize("/./../", null);
    +    }
    +
    +    @Test
    +    public void testNormalize18() {
    +        doTestNormalize("/a/../..", null);
    +    }
    +
    +    @Test
    +    public void testNormalize19() {
    +        doTestNormalize("/a/../../", null);
    +    }
    +
    +    private void doTestNormalize(String input, String expected) {
    +        assertEquals(expected,RequestUtil.normalize(input));
    +    }
     }
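Review bot: `testNormalize05` repeats `testNormalize04` exactly (both check `"//"` → `"/"`) and its `@Test` annotation on the preceding line is indented four columns deeper than the others; dropping the duplicate or giving it a distinct input would keep the numbering meaningful. Coverage also stops short of inputs where a trailing `.` or `..` follows a real segment (`/a/.`, `/a/..`, `/a/../b`), which are the cases most likely to behave differently from the slash-terminated forms the suite already checks.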
    debian/patches/CVE-2016-5388.patch0000644000000000000000000001226713067502611013257 0ustar  Description: add mitigaton for httpoxy issue
    Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1756942
    
    Index: tomcat7-7.0.52/conf/web.xml
    ===================================================================
    --- tomcat7-7.0.52.orig/conf/web.xml	2017-01-18 09:17:31.000000000 -0500
    +++ tomcat7-7.0.52/conf/web.xml	2017-01-18 09:18:03.996626843 -0500
    @@ -321,6 +321,15 @@
       
       
       
    +  
    +  
    +  
    +  
    +  
    +  
    +  
    +  
    +  
       
       
       
    @@ -344,7 +353,7 @@
               cgiPathPrefix
               WEB-INF/cgi
             
    -         5
    +        5
         
     -->
     
    Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/CGIServlet.java
    ===================================================================
    --- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/CGIServlet.java	2014-01-27 09:53:14.000000000 -0500
    +++ tomcat7-7.0.52/java/org/apache/catalina/servlets/CGIServlet.java	2017-01-18 09:18:03.996626843 -0500
    @@ -36,6 +36,7 @@
     import java.util.Locale;
     import java.util.StringTokenizer;
     import java.util.Vector;
    +import java.util.regex.Pattern;
     
     import javax.servlet.RequestDispatcher;
     import javax.servlet.ServletConfig;
    @@ -268,6 +269,16 @@
          */
         private long stderrTimeout = 2000;
     
    +    /**
    +     * The regular expression used to select HTTP headers to be passed to the
    +     * CGI process as environment variables. The name of the environment
    +     * variable will be the name of the HTTP header converter to upper case,
    +     * prefixed with HTTP_ and with all - characters
    +     * converted to _.
    +     */
    +    private Pattern envHttpHeadersPattern = Pattern.compile(
    +            "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT");
    +
         /** object used to ensure multiple threads don't try to expand same file */
         static Object expandFileLock = new Object();
     
    @@ -331,6 +342,10 @@
                         "stderrTimeout"));
             }
     
    +        if (getServletConfig().getInitParameter("envHttpHeaders") != null) {
    +            envHttpHeadersPattern =
    +                    Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"));
    +        }
         }
     
     
    @@ -1072,12 +1087,8 @@
                     //REMIND: rewrite multiple headers as if received as single
                     //REMIND: change character set
                     //REMIND: I forgot what the previous REMIND means
    -                if ("AUTHORIZATION".equalsIgnoreCase(header) ||
    -                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
    -                    //NOOP per CGI specification section 11.2
    -                } else {
    -                    envp.put("HTTP_" + header.replace('-', '_'),
    -                             req.getHeader(header));
    +                if (envHttpHeadersPattern.matcher(header).matches()) {
    +                    envp.put("HTTP_" + header.replace('-', '_'), req.getHeader(header));
                     }
                 }
     
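Review bot: `envHttpHeadersPattern.matcher(header).matches()` is case-sensitive (the pattern is compiled without `Pattern.CASE_INSENSITIVE`) and the default pattern is all upper case, so the check only works if `header` has already been upper-cased earlier in the loop, which lies outside this hunk; the removed code used `equalsIgnoreCase` and did not depend on that. If the loop does upper-case the name, a comment such as `// header is already upper case; the pattern must match the whole name` documents the assumption, and if it does not, the match would reject every header. The `AUTHORIZATION`/`PROXY_AUTHORIZATION` exclusion from CGI specification section 11.2 is now only implicit in the default pattern, so a deployer-supplied `envHttpHeaders` could re-admit them; the field javadoc in the earlier hunk could say so, and its "converter to upper case" should read "converted to upper case".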
    Index: tomcat7-7.0.52/webapps/docs/cgi-howto.xml
    ===================================================================
    --- tomcat7-7.0.52.orig/webapps/docs/cgi-howto.xml	2014-01-26 17:13:11.000000000 -0500
    +++ tomcat7-7.0.52/webapps/docs/cgi-howto.xml	2017-01-18 09:18:03.996626843 -0500
    @@ -86,6 +86,12 @@
     
  • executable-arg-1, executable-arg-2, and so on - additional arguments for the executable. These precede the CGI script name. By default there are no additional arguments.
  • +
  • envHttpHeaders - A regular expression used to select the +HTTP headers passed to the CGI process as environment variables. Note that +headers are converted to upper case before matching and that the entire header +name must match the pattern. Default is +ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT +
  • parameterEncoding - Name of the parameter encoding to be used with the CGI servlet. Default is System.getProperty("file.encoding","UTF-8").
  • debian/patches/CVE-2016-6794.patch0000644000000000000000000001334413067502611013256 0ustar Description: fix system properties read SecurityManager bypass Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1754728 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842664 Index: tomcat7-7.0.52/java/org/apache/catalina/loader/WebappClassLoader.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/loader/WebappClassLoader.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/loader/WebappClassLoader.java 2017-01-18 09:21:16.875497156 -0500 @@ -79,6 +79,7 @@ import org.apache.tomcat.util.ExceptionUtils; import org.apache.tomcat.util.IntrospectionUtils; import org.apache.tomcat.util.res.StringManager; +import org.apache.tomcat.util.security.PermissionCheck; /** * Specialized web application class loader. @@ -123,7 +124,7 @@ */ public class WebappClassLoader extends URLClassLoader - implements Lifecycle + implements Lifecycle, PermissionCheck { private static final org.apache.juli.logging.Log log= 
@@ -1751,6 +1752,27 @@ } + @Override + public boolean check(Permission permission) { + if (!Globals.IS_SECURITY_ENABLED) { + return true; + } + Policy currentPolicy = Policy.getPolicy(); + if (currentPolicy != null) { + ResourceEntry entry = findResourceInternal("/", "/"); + if (entry != null) { + CodeSource cs = new CodeSource( + entry.codeBase, (java.security.cert.Certificate[]) null); + PermissionCollection pc = currentPolicy.getPermissions(cs); + if (pc.implies(permission)) { + return true; + } + } + } + return false; + } + + /** * Returns the search path of URLs for loading classes and resources. * This includes the original list of URLs specified to the constructor, Index: tomcat7-7.0.52/java/org/apache/tomcat/util/digester/Digester.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/digester/Digester.java 2014-01-27 07:42:39.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/digester/Digester.java 2017-01-18 09:19:17.473729084 -0500 @@ -26,11 +26,13 @@ import java.lang.reflect.InvocationTargetException; import java.net.URI; import java.net.URISyntaxException; +import java.security.Permission; import java.util.EmptyStackException; import java.util.HashMap; import java.util.Iterator; import java.util.List; import java.util.Map; +import java.util.PropertyPermission; import javax.xml.parsers.ParserConfigurationException; import javax.xml.parsers.SAXParser; @@ -40,6 +42,7 @@ import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.ExceptionUtils; import org.apache.tomcat.util.IntrospectionUtils; +import org.apache.tomcat.util.security.PermissionCheck; import org.xml.sax.Attributes; import org.xml.sax.EntityResolver; import org.xml.sax.ErrorHandler; 
@@ -81,6 +84,13 @@ implements IntrospectionUtils.PropertySource { @Override public String getProperty( String key ) { + ClassLoader cl = Thread.currentThread().getContextClassLoader(); + if (cl instanceof PermissionCheck) { + Permission p = new PropertyPermission(key, "read"); + if (!((PermissionCheck) cl).check(p)) { + return null; + } + } return System.getProperty(key); } } Index: tomcat7-7.0.52/java/org/apache/tomcat/util/security/PermissionCheck.java =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/security/PermissionCheck.java 2017-01-18 09:19:17.477729143 -0500 
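Review bot: When the permission check fails, `getProperty` returns `null` with no diagnostic, so a web application whose XML references a system property it may not read sees the same result as an undefined property; that is a reasonable fail-closed choice, but it deserves a comment, e.g. `// Denied: behave as if the property were undefined rather than expose it`. The check only applies when the thread context class loader implements `PermissionCheck`; for any other loader the read is unrestricted, which is also worth stating next to the `instanceof`. The enclosing anonymous `PropertySource` class begins before the hunk.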
@@ -0,0 +1,43 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.security; + +import java.security.Permission; + +/** + * This interface is implemented by components to enable privileged code to + * check whether the component has a given permission. + * This is typically used when a privileged component (e.g. the container) is + * performing an action on behalf of an untrusted component (e.g. a web + * application) without the current thread having passed through a code source + * provided by the untrusted component. Because the current thread has not + * passed through a code source provided by the untrusted component the + * SecurityManager assumes the code is trusted so the standard checking + * mechanisms can't be used. + */ +public interface PermissionCheck { + + /** + * Does this component have the given permission? 
+ * + * @param permission The permission to test + * + * @return {@code false} if a SecurityManager is enabled and the component + * does not have the given permission, otherwise {@code false} + */ + boolean check(Permission permission); +} debian/patches/CVE-2017-5664.patch0000644000000000000000000001001713163007324013242 0ustar Description: fix unexpected and undesirable results for static error pages Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1793471 Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1793491 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312 Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/DefaultServlet.java 2017-09-27 16:48:28.783806316 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java 2017-09-27 16:48:56.920156504 -0400 @@ -43,6 +43,7 @@ import javax.naming.NameClassPair; import javax.naming.NamingEnumeration; import javax.naming.NamingException; import javax.naming.directory.DirContext; +import javax.servlet.DispatcherType; import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; import javax.servlet.ServletException; @@ -239,7 +240,7 @@ public class DefaultServlet urlEncoder.addSafeCharacter('.'); urlEncoder.addSafeCharacter('*'); urlEncoder.addSafeCharacter('/'); - + if (Globals.IS_SECURITY_ENABLED) { factory = DocumentBuilderFactory.newInstance(); factory.setNamespaceAware(true); @@ -419,6 +420,18 @@ public class DefaultServlet } + @Override + protected void service(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + + if (req.getDispatcherType() == DispatcherType.ERROR) { + doGet(req, resp); + } else { + super.service(req, resp); + } + } + + /** * Process a GET request for the specified resource. * 
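Review bot: The `@return` javadoc of `check` in the new `PermissionCheck` interface contradicts itself: it reads `{@code false} if a SecurityManager is enabled and the component does not have the given permission, otherwise {@code false}`, and the second value should be `{@code true}`, which is also what the `WebappClassLoader` implementation in the earlier hunk returns when no SecurityManager is enabled or the policy implies the permission.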
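Review bot: The new `service` override in `DefaultServlet` routes every `DispatcherType.ERROR` request to `doGet` without a comment explaining why the original request method is ignored, and the same check appears again in `WebdavServlet` later in this patch; one sentence at both sites, e.g. `// Error page dispatches are always served as a GET regardless of the original request method`, would record the intent given in the patch description. Requests reaching `doGet` this way skip whatever `super.service` normally does before dispatching, which is presumably intended but could be stated in the same comment.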
@@ -833,8 +846,7 @@ public class DefaultServlet } } - boolean isError = - response.getStatus() >= HttpServletResponse.SC_BAD_REQUEST; + boolean isError = DispatcherType.ERROR == request.getDispatcherType(); // Check if the conditions specified in the optional If headers are // satisfied. @@ -1299,7 +1311,7 @@ public class DefaultServlet } - + /** * Return an InputStream to an HTML representation of the contents * of this directory. @@ -1714,15 +1726,15 @@ public class DefaultServlet private File validateGlobalXsltFile() { - + File result = null; String base = System.getProperty(Globals.CATALINA_BASE_PROP); - + if (base != null) { File baseConf = new File(base, "conf"); result = validateGlobalXsltFile(baseConf); } - + if (result == null) { String home = System.getProperty(Globals.CATALINA_HOME_PROP); if (home != null && !home.equals(base)) { @@ -2306,6 +2318,8 @@ public class DefaultServlet /** * Validate range. + * + * @return true if the range is valid, otherwise false */ public boolean validate() { if (end >= length) Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/WebdavServlet.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/WebdavServlet.java 2017-09-27 16:48:28.783806316 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/servlets/WebdavServlet.java 2017-09-27 16:48:28.779806267 -0400 @@ -40,6 +40,7 @@ import javax.naming.NameClassPair; import javax.naming.NamingEnumeration; import javax.naming.NamingException; import javax.naming.directory.DirContext; +import javax.servlet.DispatcherType; import javax.servlet.RequestDispatcher; import javax.servlet.ServletContext; import javax.servlet.ServletException; 
@@ -353,6 +354,11 @@ public class WebdavServlet return; } + if (req.getDispatcherType() == DispatcherType.ERROR) { + doGet(req, resp); + return; + } + final String method = req.getMethod(); if (debug > 0) { debian/patches/fix_cookie_names_in_tests.patch0000644000000000000000000000714413067502611017057 0ustar Description: fix FTBFS by removing colons in cookie names which is illegal in newer java versions Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1715547 Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1715550 Index: tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java =================================================================== --- tomcat7-7.0.52.orig/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java 2016-06-27 10:50:06.053815019 -0400 +++ tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java 2016-06-27 10:50:06.049814992 -0400 @@ -412,7 +412,7 @@ new HashMap>(); if (useCookie && (cookies != null)) { - reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies); + reqHeaders.put(CLIENT_COOKIE_HEADER, cookies); } ByteChunk bc = new ByteChunk(); @@ -437,7 +437,7 @@ new HashMap>(); if (useCookie && (cookies != null)) { - reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies); + reqHeaders.put(CLIENT_COOKIE_HEADER, cookies); } else { if (credentials != null) { @@ -625,4 +625,4 @@ return credentials; } } -} \ No newline at end of file +} Index: tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java =================================================================== --- tomcat7-7.0.52.orig/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java 2016-06-27 10:50:06.053815019 -0400 +++ tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java 2016-06-27 10:50:06.053815019 -0400 
@@ -358,7 +358,7 @@ new HashMap>(); if (useCookie && (cookies != null)) { - reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies); + reqHeaders.put(CLIENT_COOKIE_HEADER, cookies); } ByteChunk bc = new ByteChunk(); @@ -382,7 +382,7 @@ Map> respHeaders = new HashMap>(); if (useCookie && (cookies != null)) { - reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies); + reqHeaders.put(CLIENT_COOKIE_HEADER, cookies); } else { if (credentials != null) { @@ -568,7 +568,7 @@ protected void addCookies(Map> reqHeaders) { if ((cookies != null) && (cookies.size() > 0)) { - reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies); + reqHeaders.put(CLIENT_COOKIE_HEADER, cookies); } } @@ -655,4 +655,4 @@ return credentials; } } -} \ No newline at end of file +} Index: tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestSSOnonLoginAndDigestAuthenticator.java =================================================================== --- tomcat7-7.0.52.orig/test/org/apache/catalina/authenticator/TestSSOnonLoginAndDigestAuthenticator.java 2016-06-27 10:50:06.053815019 -0400 +++ tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestSSOnonLoginAndDigestAuthenticator.java 2016-06-27 10:50:06.053815019 -0400 
@@ -485,7 +485,7 @@ protected void addCookies(Map> reqHeaders) { if ((cookies != null) && (cookies.size() > 0)) { - reqHeaders.put(BROWSER_COOKIES + ":", cookies); + reqHeaders.put(BROWSER_COOKIES, cookies); } } -} \ No newline at end of file +} debian/patches/CVE-2018-1304.patch0000644000000000000000000000306313303261435013232 0ustar Description: fix security constraints mapped to context root are ignored Origin: backport, https://svn.apache.org/r1823309 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=62067 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312 Index: tomcat7-7.0.52/java/org/apache/catalina/realm/RealmBase.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/realm/RealmBase.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/realm/RealmBase.java 2018-05-29 10:16:16.964962972 -0400 @@ -618,9 +618,9 @@ public abstract class RealmBase extends // Check each defined security constraint String uri = request.getRequestPathMB().toString(); - // Bug47080 - in rare cases this may be null + // Bug47080 - in rare cases this may be null or "" // Mapper treats as '/' do the same to prevent NPE - if (uri == null) { + if (uri == null || uri.length() == 0) { uri = "/"; } 
@@ -652,7 +652,8 @@ public abstract class RealmBase extends } for(int k=0; k < patterns.length; k++) { - if(uri.equals(patterns[k])) { + // Exact match including special case for the context root. + if(uri.equals(patterns[k]) || patterns[k].length() == 0 && uri.equals("/")) { found = true; if(collection[j].findMethod(method)) { if(results == null) { debian/patches/CVE-2018-1305.patch0000644000000000000000000007614113303261734013244 0ustar Description: fix security constraint annotations applied too late Origin: backport, https://svn.apache.org/r1823320 Origin: backport, https://svn.apache.org/r1823322 Origin: backport, https://svn.apache.org/r1824360 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312 Index: tomcat7-7.0.52/java/org/apache/catalina/Wrapper.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/Wrapper.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/Wrapper.java 2018-05-29 10:18:03.560946342 -0400 
@@ -370,19 +370,23 @@ public interface Wrapper extends Contain public void setEnabled(boolean enabled); /** - * Set the flag that indicates - * {@link javax.servlet.annotation.ServletSecurity} annotations must be - * scanned when the Servlet is first used. + * This method is no longer used. All implementations should be NO-OPs. * - * @param b The new value of the flag + * @param b Unused. + * + * @deprecated This will be removed in Tomcat 9. */ + @Deprecated public void setServletSecurityAnnotationScanRequired(boolean b); /** - * Scan for (if necessary) and process (if found) the - * {@link javax.servlet.annotation.ServletSecurity} annotations for the - * Servlet associated with this wrapper. + * This method is no longer used. All implementations should be NO-OPs. + * + * @throws ServletException Never thrown + * + * @deprecated This will be removed in Tomcat 9. */ + @Deprecated public void servletSecurityAnnotationScan() throws ServletException; /** Index: tomcat7-7.0.52/java/org/apache/catalina/authenticator/AuthenticatorBase.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/authenticator/AuthenticatorBase.java 2018-05-29 10:18:03.564946343 -0400 @@ -39,7 +39,6 @@ import org.apache.catalina.Manager; import org.apache.catalina.Realm; import org.apache.catalina.Session; import org.apache.catalina.Valve; -import org.apache.catalina.Wrapper; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; import org.apache.catalina.deploy.LoginConfig; 
@@ -483,13 +482,6 @@ public abstract class AuthenticatorBase } } - // The Servlet may specify security constraints through annotations. - // Ensure that they have been processed before constraints are checked - Wrapper wrapper = (Wrapper) request.getMappingData().wrapper; - if (wrapper != null) { - wrapper.servletSecurityAnnotationScan(); - } - Realm realm = this.context.getRealm(); // Is this request URI subject to a security constraint? SecurityConstraint [] constraints Index: tomcat7-7.0.52/java/org/apache/catalina/core/ApplicationContext.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/core/ApplicationContext.java 2014-02-05 07:43:49.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/core/ApplicationContext.java 2018-05-29 10:18:03.576946344 -0400 @@ -49,8 +49,10 @@ import javax.servlet.ServletException; import javax.servlet.ServletRegistration; import javax.servlet.ServletRequestAttributeListener; import javax.servlet.ServletRequestListener; +import javax.servlet.ServletSecurityElement; import javax.servlet.SessionCookieConfig; import javax.servlet.SessionTrackingMode; +import javax.servlet.annotation.ServletSecurity; import javax.servlet.descriptor.JspConfigDescriptor; import javax.servlet.http.HttpSessionAttributeListener; import javax.servlet.http.HttpSessionListener; @@ -66,6 +68,7 @@ import org.apache.catalina.Wrapper; import org.apache.catalina.connector.Connector; import org.apache.catalina.deploy.FilterDef; import org.apache.catalina.util.ResourceSet; +import org.apache.catalina.util.Introspection; import org.apache.catalina.util.ServerInfo; import org.apache.naming.resources.DirContextURLStreamHandler; import org.apache.naming.resources.Resource; 
@@ -1133,14 +1136,27 @@ public class ApplicationContext } } + ServletSecurity annotation = null; if (servlet == null) { wrapper.setServletClass(servletClass); + Class clazz = Introspection.loadClass(context, servletClass); + if (clazz != null) { + annotation = clazz.getAnnotation(ServletSecurity.class); + } } else { wrapper.setServletClass(servlet.getClass().getName()); wrapper.setServlet(servlet); + if (context.wasCreatedDynamicServlet(servlet)) { + annotation = servlet.getClass().getAnnotation(ServletSecurity.class); + } } - return context.dynamicServletAdded(wrapper); + ServletRegistration.Dynamic registration = + new ApplicationServletRegistration(wrapper, context); + if (annotation != null) { + registration.setServletSecurity(new ServletSecurityElement(annotation)); + } + return registration; } Index: tomcat7-7.0.52/java/org/apache/catalina/core/ApplicationServletRegistration.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/core/ApplicationServletRegistration.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/core/ApplicationServletRegistration.java 2018-05-29 10:18:03.560946342 -0400 @@ -5,9 +5,9 @@ * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
@@ -41,15 +41,16 @@ public class ApplicationServletRegistrat */ private static final StringManager sm = StringManager.getManager(Constants.Package); - - private Wrapper wrapper; - private Context context; - + + private final Wrapper wrapper; + private final Context context; + private ServletSecurityElement constraint; + public ApplicationServletRegistration(Wrapper wrapper, Context context) { this.wrapper = wrapper; this.context = context; - + } @Override @@ -65,9 +66,9 @@ public class ApplicationServletRegistrat @Override public Map getInitParameters() { ParameterMap result = new ParameterMap(); - + String[] parameterNames = wrapper.findInitParameters(); - + for (String parameterName : parameterNames) { result.put(parameterName, wrapper.findInitParameter(parameterName)); } @@ -91,7 +92,7 @@ public class ApplicationServletRegistrat if (getInitParameter(name) != null) { return false; } - + wrapper.addInitParameter(name, value); return true; @@ -99,9 +100,9 @@ public class ApplicationServletRegistrat @Override public Set setInitParameters(Map initParameters) { - + Set conflicts = new HashSet(); - + for (Map.Entry entry : initParameters.entrySet()) { if (entry.getKey() == null || entry.getValue() == null) { throw new IllegalArgumentException(sm.getString( @@ -151,13 +152,14 @@ public class ApplicationServletRegistrat "applicationServletRegistration.setServletSecurity.iae", getName(), context.getName())); } - + if (!context.getState().equals(LifecycleState.STARTING_PREP)) { throw new IllegalStateException(sm.getString( "applicationServletRegistration.setServletSecurity.ise", getName(), context.getName())); } + this.constraint = constraint; return context.addServletSecurity(this, constraint); } 
@@ -167,9 +169,9 @@ public class ApplicationServletRegistrat if (urlPatterns == null) { return Collections.emptySet(); } - + Set conflicts = new HashSet(); - + for (String urlPattern : urlPatterns) { String wrapperName = context.findServletMapping(urlPattern); if (wrapperName != null) { @@ -187,10 +189,15 @@ public class ApplicationServletRegistrat if (!conflicts.isEmpty()) { return conflicts; } - + for (String urlPattern : urlPatterns) { context.addServletMapping(urlPattern, wrapper.getName()); } + + if (constraint != null) { + context.addServletSecurity(this, constraint); + } + return Collections.emptySet(); } @@ -199,7 +206,7 @@ public class ApplicationServletRegistrat Set result = new HashSet(); String servletName = wrapper.getName(); - + String[] urlPatterns = context.findServletMappings(); for (String urlPattern : urlPatterns) { String name = context.findServletMapping(urlPattern); @@ -214,5 +221,5 @@ public class ApplicationServletRegistrat public String getRunAsRole() { return wrapper.getRunAs(); } - + } Index: tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/core/StandardContext.java 2018-05-29 10:09:51.000000000 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java 2018-05-29 10:18:03.576946344 -0400 
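Review bot: `context.addServletSecurity(this, constraint)` is now called once from `setServletSecurity` (earlier hunk) and again on every later `addMapping` call, so whether constraints accumulate or are replaced depends on `Context.addServletSecurity`, which is not visible here; a comment at the new call, e.g. `// Re-apply the constraint so the mappings just added are covered`, together with a note on what the second call does to mappings already processed, would help. `addMapping` starts before the hunk.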
@@ -4700,27 +4700,36 @@ public class StandardContext extends Con } /** - * hook to register that we need to scan for security annotations. - * @param wrapper The wrapper for the Servlet that was added + * Create a servlet registration. + * + * @param wrapper The wrapper for which the registration should be created. + * + * @return An appropriate registration + * + * @deprecated This will be removed in Tomcat 9. The registration should be + * created directly. */ + @Deprecated public ServletRegistration.Dynamic dynamicServletAdded(Wrapper wrapper) { - Servlet s = wrapper.getServlet(); - if (s != null && createdServlets.contains(s)) { - // Mark the wrapper to indicate annotations need to be scanned - wrapper.setServletSecurityAnnotationScanRequired(true); - } return new ApplicationServletRegistration(wrapper, this); } /** - * hook to track which registrations need annotation scanning - * @param servlet + * Hook to track which Servlets were created via + * {@link ServletContext#createServlet(Class)}. + * + * @param servlet the created Servlet */ public void dynamicServletCreated(Servlet servlet) { createdServlets.add(servlet); } + public boolean wasCreatedDynamicServlet(Servlet servlet) { + return createdServlets.contains(servlet); + } + + /** * A helper class to manage the filter mappings in a Context. */ Index: tomcat7-7.0.52/java/org/apache/catalina/core/StandardWrapper.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/core/StandardWrapper.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/core/StandardWrapper.java 2018-05-29 10:18:03.564946343 -0400 
@@ -5,17 +5,15 @@ * The ASF licenses this file to You under the Apache License, Version 2.0 * (the "License"); you may not use this file except in compliance with * the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ - - package org.apache.catalina.core; import java.io.PrintStream; @@ -44,11 +42,9 @@ import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.ServletRequest; import javax.servlet.ServletResponse; -import javax.servlet.ServletSecurityElement; import javax.servlet.SingleThreadModel; import javax.servlet.UnavailableException; import javax.servlet.annotation.MultipartConfig; -import javax.servlet.annotation.ServletSecurity; import org.apache.catalina.Container; import org.apache.catalina.ContainerServlet; @@ -114,12 +110,12 @@ public class StandardWrapper extends Con * servlet is considered permanent. */ protected long available = 0L; - + /** - * The broadcaster that sends j2ee notifications. + * The broadcaster that sends j2ee notifications. */ protected NotificationBroadcasterSupport broadcaster = null; - + /** * The count of allocations that are currently active (even if they * are for the same instance, as will be true on a non-STM servlet). @@ -231,12 +227,12 @@ public class StandardWrapper extends Con */ protected Stack instancePool = null; - + /** * Wait time for servlet unload in ms. */ protected long unloadDelay = 2000; - + /** * True if this StandardWrapper is for the JspServlet 
@@ -259,12 +255,12 @@ public class StandardWrapper extends Con protected StandardWrapperValve swValve; protected long loadTime=0; protected int classLoadTime=0; - + /** * Multipart config */ protected MultipartConfigElement multipartConfigElement = null; - + /** * Async support */ @@ -275,26 +271,24 @@ public class StandardWrapper extends Con */ protected boolean enabled = true; - protected volatile boolean servletSecurityAnnotationScanRequired = false; - private boolean overridable = false; - + /** - * Static class array used when the SecurityManager is turned on and + * Static class array used when the SecurityManager is turned on and * Servlet.init is invoked. */ protected static Class[] classType = new Class[]{ServletConfig.class}; - - + + /** - * Static class array used when the SecurityManager is turned on and + * Static class array used when the SecurityManager is turned on and * Servlet.service is invoked. - */ + */ @Deprecated protected static Class[] classTypeUsedInService = new Class[]{ ServletRequest.class, ServletResponse.class}; - + private final ReentrantReadWriteLock parametersLock = new ReentrantReadWriteLock(); @@ -638,7 +632,7 @@ public class StandardWrapper extends Con public String[] getServletMethods() throws ServletException { instance = loadServlet(); - + Class servletClazz = instance.getClass(); if (!javax.servlet.http.HttpServlet.class.isAssignableFrom( servletClazz)) { @@ -678,8 +672,8 @@ public class StandardWrapper extends Con public Servlet getServlet() { return instance; } - - + + /** * Set the associated servlet instance. */ @@ -688,13 +682,13 @@ public class StandardWrapper extends Con instance = servlet; } - + /** * {@inheritDoc} */ @Override public void setServletSecurityAnnotationScanRequired(boolean b) { - this.servletSecurityAnnotationScanRequired = b; + // NO-OP } // --------------------------------------------------------- Public Methods 
@@ -708,19 +702,19 @@ public class StandardWrapper extends Con @Override public void backgroundProcess() { super.backgroundProcess(); - + if (!getState().isAvailable()) return; - + if (getServlet() != null && (getServlet() instanceof PeriodicEventListener)) { ((PeriodicEventListener) getServlet()).periodicEvent(); } } - - + + /** * Extract the root cause from a servlet exception. - * + * * @param e The servlet exception */ public static Throwable getRootCause(ServletException e) { @@ -849,7 +843,7 @@ public class StandardWrapper extends Con (sm.getString("standardWrapper.unloading", getName())); boolean newInstance = false; - + // If not SingleThreadedModel, return the same instance every time if (!singleThreadModel) { @@ -1085,7 +1079,7 @@ public class StandardWrapper extends Con @Override public synchronized void load() throws ServletException { instance = loadServlet(); - + if (!instanceInitialized) { initServlet(instance); } @@ -1093,12 +1087,12 @@ public class StandardWrapper extends Con if (isJspServlet) { StringBuilder oname = new StringBuilder(MBeanUtils.getDomain(getParent())); - + oname.append(":type=JspMonitor,name="); oname.append(getName()); - + oname.append(getWebModuleKeyProperties()); - + try { jspMonitorON = new ObjectName(oname.toString()); Registry.getRegistry(null, null) @@ -1171,8 +1165,6 @@ public class StandardWrapper extends Con } } - processServletSecurityAnnotation(servlet.getClass()); - // Special handling for ContainerServlet instances if ((servlet instanceof ContainerServlet) && (isContainerProvidedServlet(servletClass) || 
@@ -1215,44 +1207,13 @@ public class StandardWrapper extends Con */ @Override public void servletSecurityAnnotationScan() throws ServletException { - if (getServlet() == null) { - Class clazz = null; - try { - clazz = getParent().getLoader().getClassLoader().loadClass( - getServletClass()); - processServletSecurityAnnotation(clazz); - } catch (ClassNotFoundException e) { - // Safe to ignore. No class means no annotations to process - } - } else { - if (servletSecurityAnnotationScanRequired) { - processServletSecurityAnnotation(getServlet().getClass()); - } - } + // NO-OP } - private void processServletSecurityAnnotation(Class clazz) { - // Calling this twice isn't harmful so no syncs - servletSecurityAnnotationScanRequired = false; - - Context ctxt = (Context) getParent(); - - if (ctxt.getIgnoreAnnotations()) { - return; - } - - ServletSecurity secAnnotation = - clazz.getAnnotation(ServletSecurity.class); - if (secAnnotation != null) { - ctxt.addServletSecurity( - new ApplicationServletRegistration(this, ctxt), - new ServletSecurityElement(secAnnotation)); - } - } private synchronized void initServlet(Servlet servlet) throws ServletException { - + if (instanceInitialized && !singleThreadModel) return; // Call the initialization method of this servlet @@ -1464,12 +1425,12 @@ public class StandardWrapper extends Con if (swallowOutput) { SystemLogHandler.startCapture(); } - + // Call the servlet destroy() method try { instanceSupport.fireInstanceEvent (InstanceEvent.BEFORE_DESTROY_EVENT, instance); - + if( Globals.IS_SECURITY_ENABLED) { try { SecurityUtil.doAsPrivilege("destroy", @@ -1480,7 +1441,7 @@ public class StandardWrapper extends Con } else { instance.destroy(); } - + instanceSupport.fireInstanceEvent (InstanceEvent.AFTER_DESTROY_EVENT, instance); 
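Review bot: Both `servletSecurityAnnotationScan()` here and `setServletSecurityAnnotationScanRequired(boolean)` in the earlier StandardWrapper hunk are reduced to a bare `// NO-OP` while their `{@inheritDoc}` Javadoc still describes the old contract. The comment should say why the scan is gone: in this patch set `@ServletSecurity` is processed once at context start by WebAnnotationSet (see the WebAnnotationSet and Tomcat.java hunks) instead of when the servlet was loaded (the call removed at -1171), so the constraints exist before the first request reaches the servlet. Suggest `// NO-OP: @ServletSecurity is processed at context start by WebAnnotationSet, not on servlet load` in both places, and marking the two interface methods `@Deprecated` since they can no longer have any effect on a StandardWrapper.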
@@ -1706,7 +1667,7 @@ public class StandardWrapper extends Con public boolean isAsyncSupported() { return asyncSupported; } - + @Override public void setAsyncSupported(boolean asyncSupported) { this.asyncSupported = asyncSupported; @@ -1716,7 +1677,7 @@ public class StandardWrapper extends Con public boolean isEnabled() { return enabled; } - + @Override public void setEnabled(boolean enabled) { this.enabled = enabled; @@ -1792,24 +1753,24 @@ public class StandardWrapper extends Con */ @Override protected synchronized void startInternal() throws LifecycleException { - - // Send j2ee.state.starting notification + + // Send j2ee.state.starting notification if (this.getObjectName() != null) { - Notification notification = new Notification("j2ee.state.starting", - this.getObjectName(), + Notification notification = new Notification("j2ee.state.starting", + this.getObjectName(), sequenceNumber++); broadcaster.sendNotification(notification); } - + // Start up this component super.startInternal(); setAvailable(0L); - // Send j2ee.state.running notification + // Send j2ee.state.running notification if (this.getObjectName() != null) { - Notification notification = - new Notification("j2ee.state.running", this.getObjectName(), + Notification notification = + new Notification("j2ee.state.running", this.getObjectName(), sequenceNumber++); broadcaster.sendNotification(notification); } 
@@ -1828,15 +1789,15 @@ public class StandardWrapper extends Con protected synchronized void stopInternal() throws LifecycleException { setAvailable(Long.MAX_VALUE); - - // Send j2ee.state.stopping notification + + // Send j2ee.state.stopping notification if (this.getObjectName() != null) { - Notification notification = - new Notification("j2ee.state.stopping", this.getObjectName(), + Notification notification = + new Notification("j2ee.state.stopping", this.getObjectName(), sequenceNumber++); broadcaster.sendNotification(notification); } - + // Shut down our servlet instance (if it has been initialized) try { unload(); @@ -1892,7 +1853,7 @@ public class StandardWrapper extends Con } else { keyProperties.append(hostName); } - + String contextName = ((Context) getParent()).getName(); if (!contextName.startsWith("/")) { keyProperties.append('/'); @@ -1903,7 +1864,7 @@ public class StandardWrapper extends Con if (parent instanceof StandardContext) { ctx = (StandardContext) getParent(); } - + keyProperties.append(",J2EEApplication="); if (ctx == null) { keyProperties.append("none"); @@ -1916,10 +1877,10 @@ public class StandardWrapper extends Con } else { keyProperties.append(ctx.getJ2EEServer()); } - + return keyProperties.toString(); } - + /** * JSR 77. Always return false. @@ -1954,7 +1915,7 @@ public class StandardWrapper extends Con "j2ee.object.created"}, Notification.class.getName(), "servlet is created" - ), + ), new MBeanNotificationInfo(new String[] { "j2ee.state.starting"}, Notification.class.getName(), 
@@ -1985,37 +1946,37 @@ public class StandardWrapper extends Con return notificationInfo; } - - + + /* Add a JMX-NotificationListener * @see javax.management.NotificationBroadcaster#addNotificationListener(javax.management.NotificationListener, javax.management.NotificationFilter, java.lang.Object) */ @Override - public void addNotificationListener(NotificationListener listener, + public void addNotificationListener(NotificationListener listener, NotificationFilter filter, Object object) throws IllegalArgumentException { broadcaster.addNotificationListener(listener,filter,object); } - - + + /** - * Remove a JMX-NotificationListener + * Remove a JMX-NotificationListener * @see javax.management.NotificationBroadcaster#removeNotificationListener(javax.management.NotificationListener) */ @Override - public void removeNotificationListener(NotificationListener listener) + public void removeNotificationListener(NotificationListener listener) throws ListenerNotFoundException { broadcaster.removeNotificationListener(listener); } - - + + // ------------------------------------------------------------- Attributes - - + + @Deprecated public boolean isEventProvider() { return false; } - + @Deprecated public boolean isStatisticsProvider() { return false; Index: tomcat7-7.0.52/java/org/apache/catalina/startup/ContextConfig.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/startup/ContextConfig.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/startup/ContextConfig.java 2018-05-29 10:20:35.396991762 -0400 
@@ -414,20 +414,10 @@ public class ContextConfig implements Li protected void authenticatorConfig() { LoginConfig loginConfig = context.getLoginConfig(); - - SecurityConstraint constraints[] = context.findConstraints(); - if (context.getIgnoreAnnotations() && - (constraints == null || constraints.length ==0) && - !context.getPreemptiveAuthentication()) { - return; - } else { - if (loginConfig == null) { - // Not metadata-complete or security constraints present, need - // an authenticator to support @ServletSecurity annotations - // and/or constraints - loginConfig = DUMMY_LOGIN_CONFIG; - context.setLoginConfig(loginConfig); - } + if (loginConfig == null) { + // Need an authenticator to support HttpServletRequest.login() + loginConfig = DUMMY_LOGIN_CONFIG; + context.setLoginConfig(loginConfig); } // Has an authenticator been configured already? Index: tomcat7-7.0.52/java/org/apache/catalina/startup/Tomcat.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/startup/Tomcat.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/startup/Tomcat.java 2018-05-29 10:18:03.564946343 -0400 
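Review bot: With the `findConstraints()`/`getIgnoreAnnotations()` guard removed, every context without a `<login-config>` now receives `DUMMY_LOGIN_CONFIG` and presumably the authenticator configured below it, including metadata-complete contexts with no constraints that previously got none; the one-line comment should say why that is now unconditional, e.g. `// Always install an authenticator: constraints may still be added after this point (programmatic registration, annotations processed at start) and HttpServletRequest.login() needs one regardless`. The hunk also removes the only visible use of `SecurityConstraint`; if the file has no other reference, that import is now unused. authenticatorConfig() continues outside the hunk.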
@@ -801,13 +801,17 @@ public class Tomcat { Context context = (Context) event.getLifecycle(); if (event.getType().equals(Lifecycle.CONFIGURE_START_EVENT)) { context.setConfigured(true); - } - // LoginConfig is required to process @ServletSecurity - // annotations - if (context.getLoginConfig() == null) { - context.setLoginConfig( - new LoginConfig("NONE", null, null, null)); - context.getPipeline().addValve(new NonLoginAuthenticator()); + + // Process annotations + WebAnnotationSet.loadApplicationAnnotations(context); + + // LoginConfig is required to process @ServletSecurity + // annotations + if (context.getLoginConfig() == null) { + context.setLoginConfig( + new LoginConfig("NONE", null, null, null)); + context.getPipeline().addValve(new NonLoginAuthenticator()); + } } } catch (ClassCastException e) { return; Index: tomcat7-7.0.52/java/org/apache/catalina/startup/WebAnnotationSet.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/startup/WebAnnotationSet.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/startup/WebAnnotationSet.java 2018-05-29 10:20:10.452979527 -0400 @@ -23,10 +23,13 @@ import javax.annotation.Resource; import javax.annotation.Resources; import javax.annotation.security.DeclareRoles; import javax.annotation.security.RunAs; +import javax.servlet.ServletSecurityElement; +import javax.servlet.annotation.ServletSecurity; import org.apache.catalina.Container; import org.apache.catalina.Context; import org.apache.catalina.Wrapper; +import org.apache.catalina.core.ApplicationServletRegistration; import org.apache.catalina.deploy.ContextEnvironment; import org.apache.catalina.deploy.ContextResource; import org.apache.catalina.deploy.ContextResourceEnvRef; 
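Review bot: `WebAnnotationSet.loadApplicationAnnotations(context)` is called unconditionally on CONFIGURE_START_EVENT, whereas the scanning it replaces in StandardWrapper returned early when `ctxt.getIgnoreAnnotations()` was true; unless `loadApplicationAnnotations` performs that check itself (not visible here), a metadata-complete embedded context will now have its class annotations applied. Suggest guarding the call with `if (!context.getIgnoreAnnotations())` or confirming the check exists inside. The comment `// LoginConfig is required to process @ServletSecurity annotations` is also slightly misleading now that processing happens on the line above it; `// An authenticator must be present to enforce the constraints derived from @ServletSecurity` describes the dependency better.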
@@ -144,9 +147,17 @@ public class WebAnnotationSet { * Ref JSR 250, equivalent to the run-as element in * the deployment descriptor */ - if (classClass.isAnnotationPresent(RunAs.class)) { - RunAs annotation = classClass.getAnnotation(RunAs.class); - wrapper.setRunAs(annotation.value()); + RunAs runAs = classClass.getAnnotation(RunAs.class); + if (runAs != null) { + wrapper.setRunAs(runAs.value()); + } + + // Process ServletSecurity annotation + ServletSecurity servletSecurity = classClass.getAnnotation(ServletSecurity.class); + if (servletSecurity != null) { + context.addServletSecurity( + new ApplicationServletRegistration(wrapper, context), + new ServletSecurityElement(servletSecurity)); } } } debian/patches/CVE-2016-8735.patch0000644000000000000000000000306413067502611013251 0ustar Description: fix remote code execution via JmxRemoteLifecycleListener Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1767676 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312 Index: tomcat7-7.0.52/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2017-01-18 09:40:32.291409357 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2017-01-18 09:40:50.175641847 -0500 @@ -264,6 +264,10 @@ serverCsf = new RmiClientLocalhostSocketFactory(serverCsf); } + env.put("jmx.remote.rmi.server.credential.types", new String[] { + String[].class.getName(), + String.class.getName() }); + // Populate the env properties used to create the server if (serverCsf != null) { env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, serverCsf); 
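Review bot: The new `@ServletSecurity` block registers a constraint for every annotated servlet class with no visible precedence check, so where `web.xml` already declares a `<security-constraint>` for the same URL patterns the outcome rests entirely on `context.addServletSecurity(...)` honouring the rule that descriptor constraints win. That is fine if it does (its body is not visible here), but the hunk should state the assumption: `// Descriptor-defined constraints for the same URL patterns take precedence; addServletSecurity() is expected to handle that`. The `getAnnotation`-then-null-check rewrite of the `RunAs` handling is fine. The enclosing method starts outside the hunk.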
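Review bot: `jmx.remote.rmi.server.credential.types` is set from a bare string literal with no comment explaining it, although this `env.put` is the whole substance of the fix. Suggest `// Restrict the credential object types the RMI connector will deserialize to String[] and String, the only types a username/password login needs; this removes the deserialization of arbitrary objects from the login path` above it. The restriction is enforced by the JRE's RMI connector rather than by Tomcat, so it would also help to note which JRE versions honour the key, since as far as I can tell an unrecognised env entry is simply ignored.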
@@ -328,7 +332,7 @@ cs = new RMIConnectorServer(serviceUrl, theEnv, server, ManagementFactory.getPlatformMBeanServer()); cs.start(); - registry.bind("jmxrmi", server); + registry.bind("jmxrmi", server.toStub()); log.info(sm.getString("jmxRemoteLifecycleListener.start", Integer.toString(theRmiRegistryPort), Integer.toString(theRmiServerPort), serverName)); debian/patches/CVE-2016-8735-pre.patch0000644000000000000000000004237513067502611014045 0ustar Description: remove the restriction that prevented the use of SSL when specifying a bind address. Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1666762 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312 Index: tomcat7-7.0.52/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2017-01-18 09:38:24.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java 2017-01-18 09:40:32.291409357 -0500 
@@ -25,17 +25,25 @@ import java.net.ServerSocket; import java.net.Socket; import java.net.UnknownHostException; +import java.rmi.AlreadyBoundException; import java.rmi.RemoteException; import java.rmi.registry.LocateRegistry; +import java.rmi.registry.Registry; import java.rmi.server.RMIClientSocketFactory; import java.rmi.server.RMIServerSocketFactory; +import java.security.NoSuchAlgorithmException; +import java.util.ArrayList; import java.util.HashMap; +import java.util.List; +import java.util.Locale; -import javax.management.MBeanServer; import javax.management.remote.JMXConnectorServer; -import javax.management.remote.JMXConnectorServerFactory; import javax.management.remote.JMXServiceURL; import javax.management.remote.rmi.RMIConnectorServer; +import javax.management.remote.rmi.RMIJRMPServerImpl; +import javax.net.ssl.SSLContext; +import javax.net.ssl.SSLServerSocket; +import javax.net.ssl.SSLServerSocketFactory; import javax.rmi.ssl.SslRMIClientSocketFactory; import javax.rmi.ssl.SslRMIServerSocketFactory; @@ -55,19 +63,16 @@ */ public class JmxRemoteLifecycleListener implements LifecycleListener { - private static final Log log = - LogFactory.getLog(JmxRemoteLifecycleListener.class); + private static final Log log = LogFactory.getLog(JmxRemoteLifecycleListener.class); - /** - * The string resources for this package. - */ protected static final StringManager sm = - StringManager.getManager(Constants.Package); + StringManager.getManager(Constants.Package); protected String rmiBindAddress = null; protected int rmiRegistryPortPlatform = -1; protected int rmiServerPortPlatform = -1; - protected boolean rmiSSL = true; + protected boolean rmiRegistrySSL = true; + protected boolean rmiServerSSL = true; protected String ciphers[] = null; protected String protocols[] = null; protected boolean clientAuth = true; 
@@ -154,9 +159,13 @@ // Get all the other parameters required from the standard system // properties. Only need to get the parameters that affect the creation // of the server port. - String rmiSSLValue = System.getProperty( + String rmiRegistrySSLValue = System.getProperty( + "com.sun.management.jmxremote.registry.ssl", "false"); + rmiRegistrySSL = Boolean.parseBoolean(rmiRegistrySSLValue); + + String rmiServerSSLValue = System.getProperty( "com.sun.management.jmxremote.ssl", "true"); - rmiSSL = Boolean.parseBoolean(rmiSSLValue); + rmiServerSSL = Boolean.parseBoolean(rmiServerSSLValue); String protocolsValue = System.getProperty( "com.sun.management.jmxremote.ssl.enabled.protocols"); @@ -171,7 +180,7 @@ } String clientAuthValue = System.getProperty( - "com.sun.management.jmxremote.ssl.need.client.auth", "true"); + "com.sun.management.jmxremote.ssl.need.client.auth", "true"); clientAuth = Boolean.parseBoolean(clientAuthValue); String authenticateValue = System.getProperty( 
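Review bot: The field initialiser `protected boolean rmiRegistrySSL = true;` added in the earlier hunk disagrees with the default read here, `System.getProperty("com.sun.management.jmxremote.registry.ssl", "false")`, so the effective default is `false` while the field declaration suggests `true`. Because the property read always overwrites the field during START this is not a functional bug, but a reader of the field list gets the wrong impression about whether the registry is TLS-protected by default. Either initialise the field to `false` or add `// overwritten from com.sun.management.jmxremote.registry.ssl at start; the JDK default is false` next to it. lifecycleEvent() continues outside the hunk.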
@@ -204,47 +213,64 @@ // Create the environment HashMap env = new HashMap(); - RMIClientSocketFactory csf = null; - RMIServerSocketFactory ssf = null; + RMIClientSocketFactory registryCsf = null; + RMIServerSocketFactory registrySsf = null; + + RMIClientSocketFactory serverCsf = null; + RMIServerSocketFactory serverSsf = null; - // Configure SSL for RMI connection if required - if (rmiSSL) { + // Configure registry socket factories + if (rmiRegistrySSL) { + registryCsf = new SslRMIClientSocketFactory(); + if (rmiBindAddress == null) { + registrySsf = new SslRMIServerSocketFactory( + ciphers, protocols, clientAuth); + } else { + registrySsf = new SslRmiServerBindSocketFactory( + ciphers, protocols, clientAuth, rmiBindAddress); + } + } else { if (rmiBindAddress != null) { - throw new IllegalStateException(sm.getString( - "jmxRemoteLifecycleListener.sslRmiBindAddress")); + registrySsf = new RmiServerBindSocketFactory(rmiBindAddress); } + } - csf = new SslRMIClientSocketFactory(); - ssf = new SslRMIServerSocketFactory(ciphers, protocols, - clientAuth); + // Configure server socket factories + if (rmiServerSSL) { + serverCsf = new SslRMIClientSocketFactory(); + if (rmiBindAddress == null) { + serverSsf = new SslRMIServerSocketFactory( + ciphers, protocols, clientAuth); + } else { + serverSsf = new SslRmiServerBindSocketFactory( + ciphers, protocols, clientAuth, rmiBindAddress); + } + } else { + if (rmiBindAddress != null) { + serverSsf = new RmiServerBindSocketFactory(rmiBindAddress); + } } - // Force server bind address if required + // By default, the registry will pick an address to listen on. + // Setting this property overrides that and ensures it listens on + // the configured address. 
if (rmiBindAddress != null) { - try { - ssf = new RmiServerBindSocketFactory( - InetAddress.getByName(rmiBindAddress)); - } catch (UnknownHostException e) { - log.error(sm.getString( - "jmxRemoteLifecycleListener.invalidRmiBindAddress", - rmiBindAddress), e); - } + System.setProperty("java.rmi.server.hostname", rmiBindAddress); } // Force the use of local ports if required if (useLocalPorts) { - csf = new RmiClientLocalhostSocketFactory(csf); + registryCsf = new RmiClientLocalhostSocketFactory(registryCsf); + serverCsf = new RmiClientLocalhostSocketFactory(serverCsf); } // Populate the env properties used to create the server - if (csf != null) { - env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, - csf); - env.put("com.sun.jndi.rmi.factory.socket", csf); - } - if (ssf != null) { - env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, - ssf); + if (serverCsf != null) { + env.put(RMIConnectorServer.RMI_CLIENT_SOCKET_FACTORY_ATTRIBUTE, serverCsf); + env.put("com.sun.jndi.rmi.factory.socket", registryCsf); + } + if (serverSsf != null) { + env.put(RMIConnectorServer.RMI_SERVER_SOCKET_FACTORY_ATTRIBUTE, serverSsf); } // Configure authentication 
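Review bot: `env.put("com.sun.jndi.rmi.factory.socket", registryCsf)` is guarded by `serverCsf != null` rather than by `registryCsf != null`, so with `rmiRegistrySSL=true`, `rmiServerSSL=false` and `useLocalPorts` off the registry client socket factory is never placed in the env, and in the opposite configuration a null value is stored under that key. Guard the two independently: `if (registryCsf != null) { env.put("com.sun.jndi.rmi.factory.socket", registryCsf); }`. Separately, `System.setProperty("java.rmi.server.hostname", rmiBindAddress)` changes a JVM-wide property that affects every RMI export in the process, not only this listener; consider setting it only when it is not already set and saying so in the comment above it. The enclosing lifecycleEvent() starts outside the hunk.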
@@ -254,25 +280,27 @@ env.put("jmx.remote.x.login.config", loginModuleName); } - // Create the Platform server csPlatform = createServer("Platform", rmiBindAddress, rmiRegistryPortPlatform, - rmiServerPortPlatform, env, csf, ssf, - ManagementFactory.getPlatformMBeanServer()); + rmiServerPortPlatform, env, registryCsf, registrySsf, serverCsf, serverSsf); } else if (Lifecycle.STOP_EVENT == event.getType()) { destroyServer("Platform", csPlatform); } } + private JMXConnectorServer createServer(String serverName, String bindAddress, int theRmiRegistryPort, int theRmiServerPort, - HashMap theEnv, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf, MBeanServer theMBeanServer) { + HashMap theEnv, + RMIClientSocketFactory registryCsf, RMIServerSocketFactory registrySsf, + RMIClientSocketFactory serverCsf, RMIServerSocketFactory serverSsf) { // Create the RMI registry + Registry registry; try { - LocateRegistry.createRegistry(theRmiRegistryPort, csf, ssf); + registry = LocateRegistry.createRegistry( + theRmiRegistryPort, registryCsf, registrySsf); } catch (RemoteException e) { log.error(sm.getString( "jmxRemoteLifecycleListener.createRegistryFailed", 
@@ -284,33 +312,23 @@ bindAddress = "localhost"; } - // Build the connection string with fixed ports - StringBuilder url = new StringBuilder(); - url.append("service:jmx:rmi://"); - url.append(bindAddress); - url.append(":"); - url.append(theRmiServerPort); - url.append("/jndi/rmi://"); - url.append(bindAddress); - url.append(":"); - url.append(theRmiRegistryPort); - url.append("/jmxrmi"); + String url = "service:jmx:rmi://" + bindAddress; JMXServiceURL serviceUrl; try { serviceUrl = new JMXServiceURL(url.toString()); } catch (MalformedURLException e) { - log.error(sm.getString( - "jmxRemoteLifecycleListener.invalidURL", - serverName, url.toString()), e); + log.error(sm.getString("jmxRemoteLifecycleListener.invalidURL", serverName, url), e); return null; } - // Start the JMX server with the connection string - JMXConnectorServer cs = null; + RMIConnectorServer cs = null; try { - cs = JMXConnectorServerFactory.newJMXConnectorServer( - serviceUrl, theEnv, theMBeanServer); + RMIJRMPServerImpl server = new RMIJRMPServerImpl( + rmiServerPortPlatform, serverCsf, serverSsf, theEnv); + cs = new RMIConnectorServer(serviceUrl, theEnv, server, + ManagementFactory.getPlatformMBeanServer()); cs.start(); + registry.bind("jmxrmi", server); log.info(sm.getString("jmxRemoteLifecycleListener.start", Integer.toString(theRmiRegistryPort), Integer.toString(theRmiServerPort), serverName)); @@ -318,10 +336,15 @@ log.error(sm.getString( "jmxRemoteLifecycleListener.createServerFailed", serverName), e); + } catch (AlreadyBoundException e) { + log.error(sm.getString( + "jmxRemoteLifecycleListener.createServerFailed", + serverName), e); } return cs; } + private void destroyServer(String serverName, JMXConnectorServer theConnectorServer) { if (theConnectorServer != null) { @@ -335,6 +358,7 @@ } } + public static class RmiClientLocalhostSocketFactory implements RMIClientSocketFactory, Serializable { 
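Review bot: `new RMIJRMPServerImpl(rmiServerPortPlatform, serverCsf, serverSsf, theEnv)` reads the instance field instead of the `theRmiServerPort` parameter that `createServer` receives and that the `log.info` a few lines below reports, so the parameter now only influences the log line. Use `theRmiServerPort` there so the method matches its signature and the port it logs. Minor: `url` is now a `String`, so `new JMXServiceURL(url.toString())` can simply be `new JMXServiceURL(url)`.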
@@ -358,13 +382,22 @@ } } - public static class RmiServerBindSocketFactory - implements RMIServerSocketFactory { + + public static class RmiServerBindSocketFactory implements RMIServerSocketFactory { private final InetAddress bindAddress; - public RmiServerBindSocketFactory(InetAddress address) { - bindAddress = address; + public RmiServerBindSocketFactory(String address) { + InetAddress bindAddress = null; + try { + bindAddress = InetAddress.getByName(address); + } catch (UnknownHostException e) { + log.error(sm.getString( + "jmxRemoteLifecycleListener.invalidRmiBindAddress", address), e); + // bind address will be null which means any/all local addresses + // which should be safe + } + this.bindAddress = bindAddress; } @Override 
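Review bot: When `InetAddress.getByName(address)` fails, the constructor logs and leaves `bindAddress` null, which the comment describes as "any/all local addresses which should be safe"; for a management port that is the opposite of safe, since a typo in `rmiBindAddress` silently turns a loopback-only JMX endpoint into one listening on every interface. Prefer failing closed: `throw new IllegalArgumentException(sm.getString("jmxRemoteLifecycleListener.invalidRmiBindAddress", address), e);` so the listener does not start, or at minimum reword the comment to state the exposure rather than call it safe. The same try/catch and comment are duplicated in `SslRmiServerBindSocketFactory` in the next hunk and should be changed the same way.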
@@ -372,4 +405,64 @@ return new ServerSocket(port, 0, bindAddress); } } + + + public static class SslRmiServerBindSocketFactory extends SslRMIServerSocketFactory { + + private static final SSLServerSocketFactory sslServerSocketFactory; + private static final String[] defaultProtocols; + + static { + SSLContext sslContext; + try { + sslContext = SSLContext.getDefault(); + } catch (NoSuchAlgorithmException e) { + // Can't continue. Force a failure. + throw new IllegalStateException(e); + } + sslServerSocketFactory = sslContext.getServerSocketFactory(); + String[] protocols = sslContext.getDefaultSSLParameters().getProtocols(); + List filteredProtocols = new ArrayList(protocols.length); + for (String protocol : protocols) { + if (protocol.toUpperCase(Locale.ENGLISH).contains("SSL")) { + continue; + } + filteredProtocols.add(protocol); + } + defaultProtocols = filteredProtocols.toArray(new String[filteredProtocols.size()]); + } + + private final InetAddress bindAddress; + + public SslRmiServerBindSocketFactory(String[] enabledCipherSuites, + String[] enabledProtocols, boolean needClientAuth, String address) { + super(enabledCipherSuites, enabledProtocols, needClientAuth); + InetAddress bindAddress = null; + try { + bindAddress = InetAddress.getByName(address); + } catch (UnknownHostException e) { + log.error(sm.getString( + "jmxRemoteLifecycleListener.invalidRmiBindAddress", address), e); + // bind address will be null which means any/all local addresses + // which should be safe + } + this.bindAddress = bindAddress; + } + + @Override + public ServerSocket createServerSocket(int port) throws IOException { + SSLServerSocket sslServerSocket = + (SSLServerSocket) sslServerSocketFactory.createServerSocket(port, 0, bindAddress); + if (getEnabledCipherSuites() != null) { + sslServerSocket.setEnabledCipherSuites(getEnabledCipherSuites()); + } + if (getEnabledProtocols() == null) { + sslServerSocket.setEnabledProtocols(defaultProtocols); + } else { + 
sslServerSocket.setEnabledProtocols(getEnabledProtocols()); + } + sslServerSocket.setNeedClientAuth(getNeedClientAuth()); + return sslServerSocket; + } + } } Index: tomcat7-7.0.52/java/org/apache/catalina/mbeans/LocalStrings.properties =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/mbeans/LocalStrings.properties 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/mbeans/LocalStrings.properties 2017-01-18 09:40:32.291409357 -0500 @@ -18,5 +18,4 @@ jmxRemoteLifecycleListener.destroyServerFailed=The JMX connector server could not be stopped for the {0} server jmxRemoteLifecycleListener.invalidURL=The JMX Service URL requested for the {0} server, "{1}", was invalid jmxRemoteLifecycleListener.start=The JMX Remote Listener has configured the registry on port {0} and the server on port {1} for the {2} server -jmxRemoteLifecycleListener.sslRmiBindAddress=rmiBindAddress is incompatible with setting the system property com.sun.management.jmxremote.ssl to true jmxRemoteLifecycleListener.invalidRmiBindAddress=Invalid RMI bind address [{0}] Index: tomcat7-7.0.52/webapps/docs/config/listeners.xml =================================================================== --- tomcat7-7.0.52.orig/webapps/docs/config/listeners.xml 2014-02-03 12:53:34.000000000 -0500 +++ tomcat7-7.0.52/webapps/docs/config/listeners.xml 2017-01-18 09:40:32.291409357 -0500 @@ -436,10 +436,7 @@ -
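Review bot: The static initialiser drops every protocol whose name contains "SSL" from the JRE defaults, but that filtered list is used only when the operator has not configured `enabledProtocols` (`getEnabledProtocols() == null` in createServerSocket); an explicit list is applied verbatim. Neither the filtering nor that asymmetry is commented. Suggest `// Default protocol list: the JRE defaults minus anything named SSL*; an explicitly configured enabledProtocols list is applied as given` above the loop, and `// Fail class initialisation rather than fall back to an insecure socket factory` on the `throw new IllegalStateException(e)`, since that throw surfaces to later callers as a NoClassDefFoundError.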

    The address of the interface to be used by JMX/RMI server. - This option is incompatible with setting the system - property com.sun.management.jmxremote.ssl to - true.

    +

    The address of the interface to be used by JMX/RMI server.

    debian/patches/CVE-2017-5647.patch0000644000000000000000000004405313101645630013252 0ustar Description: fix loss of pipeline requests Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1731119 Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1731304 Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1789008 Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=860068 Index: tomcat7-7.0.52/java/org/apache/coyote/AbstractProtocol.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/AbstractProtocol.java 2013-11-21 10:34:27.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/AbstractProtocol.java 2017-05-01 10:45:47.101816726 -0400 @@ -663,10 +663,9 @@ public abstract class AbstractProtocol i release(wrapper, processor, false, true); } else if (state == SocketState.SENDFILE) { // Sendfile in progress. If it fails, the socket will be - // closed. If it works, the socket will be re-added to the - // poller - connections.remove(socket); - release(wrapper, processor, false, false); + // closed. If it works, the socket either be added to the + // poller (or equivalent) to await more data or processed + // if there are any pipe-lined requests remaining. } else if (state == SocketState.UPGRADED) { // Need to keep the connection associated with the processor connections.put(socket, processor); Index: tomcat7-7.0.52/java/org/apache/coyote/http11/Http11AprProcessor.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/Http11AprProcessor.java 2017-05-01 10:42:23.000000000 -0400 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/Http11AprProcessor.java 2017-05-01 10:46:31.594365775 -0400 
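Review bot: The `SocketState.SENDFILE` branch is now empty apart from a comment, so nothing in this method releases the processor or touches `connections` for that state; the comment should say who does, which from the NIO processor hunk below appears to be the sendfile completion path (processSendfile returning DONE/PENDING/ERROR). Suggest adding `// Release or reuse of the processor is handled when sendfile completes, not here`, adjusted to name the actual owner. The comment also has a grammar slip: `the socket either be added to the` should read `the socket will either be added to the`.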
@@ -36,6 +36,7 @@ import org.apache.tomcat.util.ExceptionU import org.apache.tomcat.util.net.AbstractEndpoint.Handler.SocketState; import org.apache.tomcat.util.net.AprEndpoint; import org.apache.tomcat.util.net.SSLSupport; +import org.apache.tomcat.util.net.SendfileKeepAliveState; import org.apache.tomcat.util.net.SocketStatus; import org.apache.tomcat.util.net.SocketWrapper; @@ -215,7 +216,15 @@ public class Http11AprProcessor extends // Do sendfile as needed: add socket to sendfile and end if (sendfileData != null && !error) { sendfileData.socket = socketWrapper.getSocket().longValue(); - sendfileData.keepAlive = keepAlive; + if (keepAlive) { + if (getInputBuffer().available() == 0) { + sendfileData.keepAliveState = SendfileKeepAliveState.OPEN; + } else { + sendfileData.keepAliveState = SendfileKeepAliveState.PIPELINED; + } + } else { + sendfileData.keepAliveState = SendfileKeepAliveState.NONE; + } if (!((AprEndpoint)endpoint).getSendfile().add(sendfileData)) { // Didn't send all of the data to sendfile. if (sendfileData.socket == 0) { Index: tomcat7-7.0.52/java/org/apache/coyote/http11/Http11NioProcessor.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/Http11NioProcessor.java 2017-05-01 10:42:23.000000000 -0400 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/Http11NioProcessor.java 2017-05-01 10:45:47.093816628 -0400 @@ -35,6 +35,7 @@ import org.apache.tomcat.util.net.NioEnd import org.apache.tomcat.util.net.NioEndpoint.KeyAttachment; import org.apache.tomcat.util.net.SSLSupport; import org.apache.tomcat.util.net.SecureNioChannel; +import org.apache.tomcat.util.net.SendfileKeepAliveState; import org.apache.tomcat.util.net.SocketStatus; import org.apache.tomcat.util.net.SocketWrapper; 
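Review bot: The keep-alive state derivation added in the `@@ -215,7 +216,15 @@` hunk (`if (keepAlive) { if (getInputBuffer().available() == 0) … OPEN … else … PIPELINED } else … NONE`) is repeated verbatim in the Http11NioProcessor hunk on the next line, so the two connectors can drift apart the next time this rule changes. A small helper in the shared processor base, e.g. a private `SendfileKeepAliveState` computed once from `keepAlive` and `getInputBuffer().available()`, would let both sites become a single assignment. The enclosing method of both hunks starts outside the hunk, so the exact placement of such a helper cannot be confirmed from here.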
@@ -274,21 +275,35 @@ public class Http11NioProcessor extends // Do sendfile as needed: add socket to sendfile and end if (sendfileData != null && !error) { ((KeyAttachment) socketWrapper).setSendfileData(sendfileData); - sendfileData.keepAlive = keepAlive; + if (keepAlive) { + if (getInputBuffer().available() == 0) { + sendfileData.keepAliveState = SendfileKeepAliveState.OPEN; + } else { + sendfileData.keepAliveState = SendfileKeepAliveState.PIPELINED; + } + } else { + sendfileData.keepAliveState = SendfileKeepAliveState.NONE; + } SelectionKey key = socketWrapper.getSocket().getIOChannel().keyFor( socketWrapper.getSocket().getPoller().getSelector()); //do the first write on this thread, might as well - if (socketWrapper.getSocket().getPoller().processSendfile(key, - (KeyAttachment) socketWrapper, true)) { + switch (socketWrapper.getSocket().getPoller().processSendfile( + key, (KeyAttachment) socketWrapper, true)) { + case DONE: + // If sendfile is complete, no need to break keep-alive loop + sendfileData = null; + return false; + case PENDING: sendfileInProgress = true; - } else { + return true; + case ERROR: // Write failed if (log.isDebugEnabled()) { log.debug(sm.getString("http11processor.sendfile.error")); } error = true; + return true; } - return true; } return false; } Index: tomcat7-7.0.52/java/org/apache/tomcat/util/net/AprEndpoint.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/net/AprEndpoint.java 2014-01-27 07:48:36.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/net/AprEndpoint.java 2017-05-01 10:45:47.097816677 -0400 @@ -2011,7 +2011,7 @@ public class AprEndpoint extends Abstrac // Position public long pos; // KeepAlive flag - public boolean keepAlive; + public SendfileKeepAliveState keepAliveState = SendfileKeepAliveState.NONE; } 
@@ -2254,20 +2254,33 @@ public class AprEndpoint extends Abstrac state.pos = state.pos + nw; if (state.pos >= state.end) { remove(state); - if (state.keepAlive) { + switch (state.keepAliveState) { + case NONE: { + // Close the socket since this is + // the end of the not keep-alive request. + closeSocket(state.socket); + break; + } + case PIPELINED: { + // Destroy file descriptor pool, which should close the file + Pool.destroy(state.fdpool); + Socket.timeoutSet(state.socket, getSoTimeout() * 1000); + // Process the pipelined request data + if (!processSocket(state.socket, SocketStatus.OPEN_READ)) { + closeSocket(state.socket); + } + break; + } + case OPEN: { // Destroy file descriptor pool, which should close the file Pool.destroy(state.fdpool); - Socket.timeoutSet(state.socket, - getSoTimeout() * 1000); - // If all done put the socket back in the - // poller for processing of further requests - getPoller().add( - state.socket, getKeepAliveTimeout(), + Socket.timeoutSet(state.socket, getSoTimeout() * 1000); + // Put the socket back in the poller for + // processing of further requests + getPoller().add(state.socket, getKeepAliveTimeout(), true, false); - } else { - // Close the socket since this is - // the end of not keep-alive request. - closeSocket(state.socket); + break; + } } } } Index: tomcat7-7.0.52/java/org/apache/tomcat/util/net/NioEndpoint.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/net/NioEndpoint.java 2017-05-01 10:42:23.000000000 -0400 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/net/NioEndpoint.java 2017-05-01 10:47:34.199138333 -0400 
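Review bot: The `PIPELINED` and `OPEN` arms of the new `switch (state.keepAliveState)` both begin with the same two lines, `Pool.destroy(state.fdpool);` and `Socket.timeoutSet(state.socket, getSoTimeout() * 1000);`, which differ only in what happens to the socket afterwards. Hoisting those two lines above the switch, guarded by `if (state.keepAliveState != SendfileKeepAliveState.NONE)`, would leave each arm with only the behaviour that is specific to it. As written there is no `default` arm; that is fine for a three-valued enum today but a comment such as `// all SendfileKeepAliveState values handled above` would make the intent explicit. The enclosing method starts and ends outside the hunk.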
@@ -1284,17 +1284,8 @@ public class NioEndpoint extends Abstrac return result; } - /** - * @deprecated Replaced by processSendfile(sk, attachment, event) - */ - @Deprecated - public boolean processSendfile(SelectionKey sk, - KeyAttachment attachment, - @SuppressWarnings("unused") boolean reg, boolean event) { - return processSendfile(sk, attachment, event); - } - - public boolean processSendfile(SelectionKey sk, KeyAttachment attachment, boolean event) { + public SendfileState processSendfile(SelectionKey sk, KeyAttachment attachment, + boolean calledByProcessor) { NioChannel sc = null; try { unreg(sk, attachment, sk.readyOps()); @@ -1309,7 +1300,7 @@ public class NioEndpoint extends Abstrac File f = new File(sd.fileName); if ( !f.exists() ) { cancelledKey(sk,SocketStatus.ERROR,false); - return false; + return SendfileState.ERROR; } @SuppressWarnings("resource") // Closed when channel is closed FileInputStream fis = new FileInputStream(f); 
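Review bot: The public `processSendfile(SelectionKey, KeyAttachment, boolean)` keeps its name and parameter list but changes its return type from `boolean` to `SendfileState` and renames the flag to `calledByProcessor`, and it carries no Javadoc describing the new contract; callers compiled against the old signature will fail at link time, and the meaning of the flag is only explained by an inline comment further down in the `@@ -1351` hunk. A Javadoc block on the method should state that when `calledByProcessor` is true the caller is responsible for re-registering the socket once `DONE` is returned, that `PENDING` means the write was re-registered internally, and that `ERROR` leaves the socket in an unknown state. The deprecated four-argument overload is removed in the same hunk, which is a second source-incompatible change worth mentioning in the changelog.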
@@ -1351,48 +1342,63 @@ public class NioEndpoint extends Abstrac sd.fchannel.close(); } catch (Exception ignore) { } - if ( sd.keepAlive ) { + // For calls from outside the Poller, the caller is + // responsible for registering the socket for the + // appropriate event(s) if sendfile completes. + if (!calledByProcessor) { + switch (sd.keepAliveState) { + case NONE: { + if (log.isDebugEnabled()) { + log.debug("Send file connection is being closed"); + } + cancelledKey(sk,SocketStatus.STOP,false); + break; + } + case PIPELINED: { if (log.isDebugEnabled()) { - log.debug("Connection is keep alive, registering back for OP_READ"); + log.debug("Connection is keep alive, processing pipe-lined data"); } - if (event) { - this.add(attachment.getChannel(),SelectionKey.OP_READ); - } else { - reg(sk,attachment,SelectionKey.OP_READ); + if (!processSocket(sc, SocketStatus.OPEN_READ, true)) { + cancelledKey(sk, SocketStatus.DISCONNECT, false); } - } else { - if (log.isDebugEnabled()) { - log.debug("Send file connection is being closed"); + break; + } + case OPEN: { + if (log.isDebugEnabled()) { + log.debug("Connection is keep alive, registering back for OP_READ"); + } + reg(sk, attachment, SelectionKey.OP_READ); + break; + } } - cancelledKey(sk,SocketStatus.STOP,false); - return false; } + return SendfileState.DONE; } else { if (log.isDebugEnabled()) { log.debug("OP_WRITE for sendfile: " + sd.fileName); } - if (event) { + if (calledByProcessor) { add(attachment.getChannel(),SelectionKey.OP_WRITE); } else { reg(sk,attachment,SelectionKey.OP_WRITE); } + return SendfileState.PENDING; } }catch ( IOException x ) { if ( log.isDebugEnabled() ) log.debug("Unable to complete sendfile request:", x); - if (!event) { + if (!calledByProcessor) { cancelledKey(sk,SocketStatus.ERROR,false); } - return false; + return SendfileState.ERROR; }catch ( Throwable t ) { log.error("",t); - if (!event) { + if (!calledByProcessor) { cancelledKey(sk, SocketStatus.ERROR, false); } - return false; + return 
SendfileState.ERROR; }finally { if (sc!=null) sc.setSendFile(false); } - return true; } protected void unreg(SelectionKey sk, KeyAttachment attachment, int readyOps) { @@ -1809,6 +1815,6 @@ public class NioEndpoint extends Abstrac public long pos; public long length; // KeepAlive flag - public boolean keepAlive; + public SendfileKeepAliveState keepAliveState = SendfileKeepAliveState.NONE; } } Index: tomcat7-7.0.52/java/org/apache/tomcat/util/net/SendfileKeepAliveState.java =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/net/SendfileKeepAliveState.java 2017-05-01 10:45:47.097816677 -0400 
@@ -0,0 +1,39 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.net; + +public enum SendfileKeepAliveState { + + /** + * Keep-alive is not in use. The socket can be closed when the response has + * been written. + */ + NONE, + + /** + * Keep-alive is in use and there is pipelined data in the input buffer to + * be read as soon as the current response has been written. + */ + PIPELINED, + + /** + * Keep-alive is in use. The socket should be added to the poller (or + * equivalent) to await more data as soon as the current response has been + * written. + */ + OPEN +} Index: tomcat7-7.0.52/java/org/apache/tomcat/util/net/SendfileState.java =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/net/SendfileState.java 2017-05-01 10:42:34.367438337 -0400 
@@ -0,0 +1,37 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.net; + +public enum SendfileState { + + /** + * The sending of the file has started but has not completed. Sendfile is + * still using the socket. + */ + PENDING, + + /** + * The file has been fully sent. Sendfile is no longer using the socket. + */ + DONE, + + /** + * Something went wrong. The file may or may not have been sent. The socket + * is in an unknown state. 
+ */ + ERROR +} debian/patches/CVE-2016-5018.patch0000644000000000000000000001350413067502611013240 0ustar Description: fix SecurityManager bypass via a utility method Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1754902 Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1760309 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842663 Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60101 Index: tomcat7-7.0.52/java/org/apache/jasper/compiler/JspRuntimeContext.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/jasper/compiler/JspRuntimeContext.java 2014-01-27 08:35:02.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/jasper/compiler/JspRuntimeContext.java 2017-01-18 09:17:48.900398996 -0500 @@ -90,8 +90,6 @@ factory.getClass().getClassLoader().loadClass( basePackage + "runtime.JspRuntimeLibrary"); factory.getClass().getClassLoader().loadClass( basePackage + - "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper"); - factory.getClass().getClassLoader().loadClass( basePackage + "runtime.ServletResponseWrapperInclude"); factory.getClass().getClassLoader().loadClass( basePackage + "servlet.JspServletWrapper"); Index: tomcat7-7.0.52/java/org/apache/jasper/runtime/JspRuntimeLibrary.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/jasper/runtime/JspRuntimeLibrary.java 2014-01-27 08:35:02.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/jasper/runtime/JspRuntimeLibrary.java 2017-01-18 09:17:46.480362426 -0500 @@ -14,7 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - package org.apache.jasper.runtime; import java.beans.PropertyEditor; 
@@ -23,9 +22,6 @@ import java.io.IOException; import java.io.OutputStreamWriter; import java.lang.reflect.Method; -import java.security.AccessController; -import java.security.PrivilegedActionException; -import java.security.PrivilegedExceptionAction; import java.util.Enumeration; import javax.servlet.RequestDispatcher; @@ -37,7 +33,6 @@ import javax.servlet.jsp.PageContext; import javax.servlet.jsp.tagext.BodyContent; -import org.apache.jasper.Constants; import org.apache.jasper.JasperException; import org.apache.jasper.compiler.Localizer; import org.apache.jasper.util.ExceptionUtils; @@ -56,36 +51,6 @@ */ public class JspRuntimeLibrary { - protected static class PrivilegedIntrospectHelper - implements PrivilegedExceptionAction { - - private Object bean; - private String prop; - private String value; - private ServletRequest request; - private String param; - private boolean ignoreMethodNF; - - PrivilegedIntrospectHelper(Object bean, String prop, - String value, ServletRequest request, - String param, boolean ignoreMethodNF) - { - this.bean = bean; - this.prop = prop; - this.value = value; - this.request = request; - this.param = param; - this.ignoreMethodNF = ignoreMethodNF; - } - - @Override - public Void run() throws JasperException { - internalIntrospecthelper( - bean,prop,value,request,param,ignoreMethodNF); - return null; - } - } - /** * Returns the value of the javax.servlet.error.exception request * attribute value, if present, otherwise the value of the 
@@ -290,29 +255,7 @@ public static void introspecthelper(Object bean, String prop, String value, ServletRequest request, String param, boolean ignoreMethodNF) - throws JasperException - { - if( Constants.IS_SECURITY_ENABLED ) { - try { - PrivilegedIntrospectHelper dp = - new PrivilegedIntrospectHelper( - bean,prop,value,request,param,ignoreMethodNF); - AccessController.doPrivileged(dp); - } catch( PrivilegedActionException pe) { - Exception e = pe.getException(); - throw (JasperException)e; - } - } else { - internalIntrospecthelper( - bean,prop,value,request,param,ignoreMethodNF); - } - } - - private static void internalIntrospecthelper(Object bean, String prop, - String value, ServletRequest request, - String param, boolean ignoreMethodNF) - throws JasperException - { + throws JasperException { Method method = null; Class type = null; Class propertyEditorClass = null; Index: tomcat7-7.0.52/java/org/apache/jasper/security/SecurityClassLoad.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/jasper/security/SecurityClassLoad.java 2017-01-18 09:17:31.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/jasper/security/SecurityClassLoad.java 2017-01-18 09:17:48.900398996 -0500 @@ -46,8 +46,6 @@ loader.loadClass( basePackage + "runtime.JspRuntimeLibrary"); - loader.loadClass( basePackage + - "runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper"); loader.loadClass( basePackage + "runtime.ServletResponseWrapperInclude"); debian/patches/0002-do-not-load-AJP13-connector-by-default.patch0000644000000000000000000000101713067502611021130 0ustar From: Thierry Carrez Date: Mon, 28 Jun 2010 21:32:21 +0200 Subject: [PATCH] do not load AJP13 connector by default --- conf/server.xml | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) --- a/conf/server.xml +++ b/conf/server.xml @@ -89,7 +89,9 @@ --> + + + 
@@ -219,6 +221,8 @@ + + Index: tomcat7-7.0.52/java/org/apache/jasper/EmbeddedServletOptions.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/jasper/EmbeddedServletOptions.java 2014-01-27 08:35:02.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/jasper/EmbeddedServletOptions.java 2017-01-18 09:21:44.847907378 -0500 @@ -635,6 +635,10 @@ * scratchdir */ String dir = config.getInitParameter("scratchdir"); + if (dir != null && Constants.IS_SECURITY_ENABLED) { + log.info(Localizer.getMessage("jsp.info.ignoreSetting", "scratchdir", dir)); + dir = null; + } if (dir != null) { scratchDir = new File(dir); } else { Index: tomcat7-7.0.52/java/org/apache/jasper/resources/LocalStrings.properties =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/jasper/resources/LocalStrings.properties 2014-01-27 08:35:02.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/jasper/resources/LocalStrings.properties 2017-01-18 09:21:44.851907437 -0500 @@ -454,6 +454,7 @@ jsp.error.invalid.bean=The value for the useBean class attribute {0} is invalid. jsp.error.prefix.use_before_dcl=The prefix {0} specified in this tag directive has been previously used by an action in file {1} line {2}. jsp.error.lastModified=Unable to determine last modified date for file [{0}] +jsp.info.ignoreSetting=Ignored setting for [{0}] of [{1}] because a SecurityManager was enabled jsp.exception=An exception occurred processing JSP page {0} at line {1} Index: tomcat7-7.0.52/java/org/apache/jasper/servlet/JspServlet.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/jasper/servlet/JspServlet.java 2014-01-27 08:35:02.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/jasper/servlet/JspServlet.java 2017-01-18 09:22:20.916434163 -0500 
@@ -71,8 +71,8 @@ private ServletConfig config; private transient Options options; private transient JspRuntimeContext rctxt; - //jspFile for a jsp configured explicitly as a servlet, in environments where this configuration is - //translated into an init-param for this servlet. + // jspFile for a jsp configured explicitly as a servlet, in environments where this + // configuration is translated into an init-param for this servlet. private String jspFile; @@ -90,6 +90,11 @@ // Check for a custom Options implementation String engineOptionsName = config.getInitParameter("engineOptionsClass"); + if (Constants.IS_SECURITY_ENABLED && engineOptionsName != null) { + log.info(Localizer.getMessage( + "jsp.info.ignoreSetting", "engineOptionsClass", engineOptionsName)); + engineOptionsName = null; + } if (engineOptionsName != null) { // Instantiate the indicated Options implementation try { Index: tomcat7-7.0.52/webapps/docs/jasper-howto.xml =================================================================== --- tomcat7-7.0.52.orig/webapps/docs/jasper-howto.xml 2014-01-26 17:13:11.000000000 -0500 +++ tomcat7-7.0.52/webapps/docs/jasper-howto.xml 2017-01-18 09:21:44.851907437 -0500 @@ -132,7 +132,7 @@
  • engineOptionsClass - Allows specifying the Options class used to configure Jasper. If not present, the default EmbeddedServletOptions -will be used. +will be used. This option is ignored if running under a SecurityManager.
  • errorOnUseBeanInvalidClassAttribute - Should Jasper issue @@ -185,7 +185,7 @@
  • scratchdir - What scratch directory should we use when compiling JSP pages? Default is the work directory for the current web -application.
  • +application. This option is ignored if running under a SecurityManager.
  • suppressSmap - Should the generation of SMAP info for JSR45 debugging be suppressed? true or false, default debian/patches/CVE-2014-0096.patch0000644000000000000000000004155513067502611013246 0ustar Description: fix file disclosure via XXE issue Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1578637 Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1578655 Index: tomcat7-7.0.52/conf/web.xml =================================================================== --- tomcat7-7.0.52.orig/conf/web.xml 2014-01-25 15:13:05.000000000 -0500 +++ tomcat7-7.0.52/conf/web.xml 2014-07-24 13:22:10.407257076 -0400 @@ -88,10 +88,12 @@ - - - - + + + + + + default Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/DefaultServlet.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java 2014-07-24 13:22:13.019257063 -0400 @@ -14,8 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - - package org.apache.catalina.servlets; @@ -36,6 +34,7 @@ import java.io.StringWriter; import java.util.ArrayList; import java.util.Iterator; +import java.util.Locale; import java.util.StringTokenizer; import javax.naming.InitialContext; 
@@ -53,10 +52,14 @@ import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; +import javax.xml.parsers.DocumentBuilder; +import javax.xml.parsers.DocumentBuilderFactory; +import javax.xml.parsers.ParserConfigurationException; import javax.xml.transform.Source; import javax.xml.transform.Transformer; import javax.xml.transform.TransformerException; import javax.xml.transform.TransformerFactory; +import javax.xml.transform.dom.DOMSource; import javax.xml.transform.stream.StreamResult; import javax.xml.transform.stream.StreamSource; @@ -71,6 +74,10 @@ import org.apache.naming.resources.Resource; import org.apache.naming.resources.ResourceAttributes; import org.apache.tomcat.util.res.StringManager; +import org.w3c.dom.Document; +import org.xml.sax.InputSource; +import org.xml.sax.SAXException; +import org.xml.sax.ext.EntityResolver2; /** @@ -120,9 +127,14 @@ private static final long serialVersionUID = 1L; - // ----------------------------------------------------- Instance Variables + private static final DocumentBuilderFactory factory; + + private static final SecureEntityResolver secureEntityResolver = + new SecureEntityResolver(); + // ----------------------------------------------------- Instance Variables + /** * The debugging detail level for this servlet. */ @@ -225,6 +237,10 @@ urlEncoder.addSafeCharacter('.'); urlEncoder.addSafeCharacter('*'); urlEncoder.addSafeCharacter('/'); + + factory = DocumentBuilderFactory.newInstance(); + factory.setNamespaceAware(true); + factory.setValidating(false); } 
@@ -1234,23 +1250,22 @@ } - /** * Decide which way to render. HTML or XML. */ protected InputStream render(String contextPath, CacheEntry cacheEntry) throws IOException, ServletException { - InputStream xsltInputStream = - findXsltInputStream(cacheEntry.context); + Source xsltSource = findXsltInputStream(cacheEntry.context); - if (xsltInputStream==null) { + if (xsltSource == null) { return renderHtml(contextPath, cacheEntry); } - return renderXml(contextPath, cacheEntry, xsltInputStream); + return renderXml(contextPath, cacheEntry, xsltSource); } + /** * Return an InputStream to an HTML representation of the contents * of this directory. @@ -1260,7 +1275,7 @@ */ protected InputStream renderXml(String contextPath, CacheEntry cacheEntry, - InputStream xsltInputStream) + Source xsltSource) throws IOException, ServletException { StringBuilder sb = new StringBuilder(); @@ -1354,8 +1369,7 @@ try { TransformerFactory tFactory = TransformerFactory.newInstance(); Source xmlSource = new StreamSource(new StringReader(sb.toString())); - Source xslSource = new StreamSource(xsltInputStream); - Transformer transformer = tFactory.newTransformer(xslSource); + Transformer transformer = tFactory.newTransformer(xsltSource); ByteArrayOutputStream stream = new ByteArrayOutputStream(); OutputStreamWriter osWriter = new OutputStreamWriter(stream, "UTF8"); @@ -1574,9 +1588,9 @@ /** - * Return the xsl template inputstream (if possible) + * Return a Source for the xsl template (if possible) */ - protected InputStream findXsltInputStream(DirContext directory) + protected Source findXsltInputStream(DirContext directory) throws IOException { if (localXsltFile != null) { 
@@ -1584,8 +1598,13 @@ Object obj = directory.lookup(localXsltFile); if ((obj != null) && (obj instanceof Resource)) { InputStream is = ((Resource) obj).streamContent(); - if (is != null) - return is; + if (is != null) { + if (Globals.IS_SECURITY_ENABLED) { + return secureXslt(is); + } else { + return new StreamSource(is); + } + } } } catch (NamingException e) { if (debug > 10) @@ -1596,8 +1615,13 @@ if (contextXsltFile != null) { InputStream is = getServletContext().getResourceAsStream(contextXsltFile); - if (is != null) - return is; + if (is != null) { + if (Globals.IS_SECURITY_ENABLED) { + return secureXslt(is); + } else { + return new StreamSource(is); + } + } if (debug > 10) log("contextXsltFile '" + contextXsltFile + "' not found"); @@ -1606,20 +1630,24 @@ /* Open and read in file in one fell swoop to reduce chance * chance of leaving handle open. */ - if (globalXsltFile!=null) { - FileInputStream fis = null; - - try { - File f = new File(globalXsltFile); - if (f.exists()){ - fis =new FileInputStream(f); + if (globalXsltFile != null) { + File f = validateGlobalXsltFile(); + if (f != null){ + FileInputStream fis = null; + try { + fis = new FileInputStream(f); byte b[] = new byte[(int)f.length()]; /* danger! */ fis.read(b); - return new ByteArrayInputStream(b); + return new StreamSource(new ByteArrayInputStream(b)); + } finally { + if (fis != null) { + try { + fis.close(); + } catch (IOException ioe) { + // Ignore + } + } } - } finally { - if (fis!=null) - fis.close(); } } 
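Review bot: In the `@@ -1606,20 +1630,24 @@` hunk the rewritten `globalXsltFile` branch still performs a single `fis.read(b)` into `new byte[(int)f.length()]`, so a short read leaves trailing zero bytes in the buffer handed to `StreamSource`, and a file larger than `Integer.MAX_VALUE` would be truncated silently; the pre-existing `/* danger! */` comment is kept but the hazard is not addressed. Replace the single read with a loop that fills the buffer or stops at EOF, e.g. `int off = 0, n; while (off < b.length && (n = fis.read(b, off, b.length - off)) > 0) { off += n; }`. The `finally` block correctly closes `fis` now, so only the read itself needs changing.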
@@ -1628,8 +1656,91 @@ } - // -------------------------------------------------------- protected Methods + private File validateGlobalXsltFile() { + + File result = null; + String base = System.getProperty(Globals.CATALINA_BASE_PROP); + + if (base != null) { + File baseConf = new File(base, "conf"); + result = validateGlobalXsltFile(baseConf); + } + + if (result == null) { + String home = System.getProperty(Globals.CATALINA_HOME_PROP); + if (home != null && !home.equals(base)) { + File homeConf = new File(home, "conf"); + result = validateGlobalXsltFile(homeConf); + } + } + + return result; + } + + private File validateGlobalXsltFile(File base) { + File candidate = new File(globalXsltFile); + if (!candidate.isAbsolute()) { + candidate = new File(base, globalXsltFile); + } + + if (!candidate.isFile()) { + return null; + } + + // First check that the resulting path is under the provided base + try { + if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) { + return null; + } + } catch (IOException ioe) { + return null; + } + + // Next check that an .xsl or .xslt file has been specified + String nameLower = candidate.getName().toLowerCase(Locale.ENGLISH); + if (!nameLower.endsWith(".xslt") && !nameLower.endsWith(".xsl")) { + return null; + } + + return candidate; + } + + + private Source secureXslt(InputStream is) { + // Need to filter out any external entities + Source result = null; + try { + DocumentBuilder builder = factory.newDocumentBuilder(); + builder.setEntityResolver(secureEntityResolver); + Document document = builder.parse(is); + result = new DOMSource(document); + } catch (ParserConfigurationException e) { + if (debug > 0) { + log(e.getMessage(), e); + } + } catch (SAXException e) { + if (debug > 0) { + log(e.getMessage(), e); + } + } catch (IOException e) { + if (debug > 0) { + log(e.getMessage(), e); + } + } finally { + if (is != null) { + try { + is.close(); + } catch (IOException e) { + // Ignore + } + } + } + return result; + } + + + 
// -------------------------------------------------------- protected Methods /** * Check if sendfile can be used. @@ -2130,9 +2241,6 @@ } - // ------------------------------------------------------ Range Inner Class - - protected static class Range { public long start; @@ -2148,4 +2256,34 @@ return (start >= 0) && (end >= 0) && (start <= end) && (length > 0); } } + + + /** + * This is secure in the sense that any attempt to use an external entity + * will trigger an exception. + */ + private static class SecureEntityResolver implements EntityResolver2 { + + @Override + public InputSource resolveEntity(String publicId, String systemId) + throws SAXException, IOException { + throw new SAXException(sm.getString("defaultServlet.blockExternalEntity", + publicId, systemId)); + } + + @Override + public InputSource getExternalSubset(String name, String baseURI) + throws SAXException, IOException { + throw new SAXException(sm.getString("defaultServlet.blockExternalSubset", + name, baseURI)); + } + + @Override + public InputSource resolveEntity(String name, String publicId, + String baseURI, String systemId) throws SAXException, + IOException { + throw new SAXException(sm.getString("defaultServlet.blockExternalEntity2", + name, publicId, baseURI, systemId)); + } + } } Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/LocalStrings.properties =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/LocalStrings.properties 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/servlets/LocalStrings.properties 2014-07-24 13:22:15.703257050 -0400 
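Review bot: In `validateGlobalXsltFile(File base)` the containment test `candidate.getCanonicalPath().startsWith(base.getCanonicalPath())` is a plain string prefix check, so a canonical base of `…/conf` also accepts paths under a sibling directory whose name merely starts with `conf`. Compare against the base path with a trailing separator instead: `String basePath = base.getCanonicalPath(); if (!basePath.endsWith(File.separator)) { basePath += File.separator; }` followed by `if (!candidate.getCanonicalPath().startsWith(basePath)) { return null; }`. Separately, `secureXslt` relies solely on `SecureEntityResolver` to reject external entities; the static `factory` is only set non-validating and namespace-aware in the `@@ -225,6 +237,10 @@` hunk, so nothing here limits internal entity expansion, and a comment on `secureXslt` stating that this is intentional (or enabling the parser's secure-processing feature) would document that decision.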
@@ -13,6 +13,9 @@ # See the License for the specific language governing permissions and # limitations under the License. +defaultServlet.blockExternalEntity=Blocked access to external entity with publicId [{0}] and systemId [{0}] +defaultServlet.blockExternalEntity2=Blocked access to external entity with name [{0}], publicId [{1}], baseURI [{2}] and systemId [{3}] +defaultServlet.blockExternalSubset=Blocked access to external subset with name [{0}] and baseURI [{1}] defaultServlet.missingResource=The requested resource ({0}) is not available defaultservlet.directorylistingfor=Directory Listing for: defaultservlet.upto=Up to: Index: tomcat7-7.0.52/webapps/docs/default-servlet.xml =================================================================== --- tomcat7-7.0.52.orig/webapps/docs/default-servlet.xml 2014-01-26 17:13:11.000000000 -0500 +++ tomcat7-7.0.52/webapps/docs/default-servlet.xml 2014-07-24 13:22:18.471257037 -0400 
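Review bot: The new `defaultServlet.blockExternalEntity` message uses placeholder `{0}` twice, so the logged text repeats the publicId and never shows the systemId that `SecureEntityResolver.resolveEntity(String publicId, String systemId)` passes as its second argument. It should read `defaultServlet.blockExternalEntity=Blocked access to external entity with publicId [{0}] and systemId [{1}]`, matching the `{0}`..`{3}` numbering used by the two sibling keys added in the same hunk.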
@@ -110,21 +110,23 @@ globalXsltFile If you wish to customize your directory listing, you - can use an XSL transformation. This value is an absolute - file name which be used for all directory listings. - This can be overridden per context and/or per directory. See - contextXsltFile and localXsltFile - below. The format of the xml is shown below. + can use an XSL transformation. This value is a relative file name (to + either $CATALINA_BASE/conf/ or $CATALINA_HOME/conf/) which will be used + for all directory listings. This can be overridden per context and/or + per directory. See contextXsltFile and + localXsltFile below. The format of the xml is shown + below. contextXsltFile You may also customize your directory listing by context by - configuring contextXsltFile. This should be a context - relative path (e.g.: /path/to/context.xslt). This - overrides globalXsltFile. If this value is present but a - file does not exist, then globalXsltFile will be used. If + configuring contextXsltFile. This must be a context + relative path (e.g.: /path/to/context.xslt) to a file with + a .xsl or .xslt extension. This overrides + globalXsltFile. If this value is present but a file does + not exist, then globalXsltFile will be used. If globalXsltFile does not exist, then the default directory listing will be shown. 
@@ -133,11 +135,12 @@ localXsltFile You may also customize your directory listing by directory by - configuring localXsltFile. This should be a relative - file name in the directory where the listing will take place. - This overrides globalXsltFile and - contextXsltFile. If this value is present but a file - does not exist, then contextXsltFile will be used. If + configuring localXsltFile. This must be a file in the + directory where the listing will take place to with a + .xsl or .xslt extension. This overrides + globalXsltFile and contextXsltFile. If this + value is present but a file does not exist, then + contextXsltFile will be used. If contextXsltFile does not exist, then globalXsltFile will be used. If globalXsltFile does not exist, then the default debian/patches/CVE-2016-0763.patch0000644000000000000000000000171413067502611013242 0ustar Description: fix securityManager restrictions bypass via crafted global context Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1725931 Index: tomcat7-7.0.64/java/org/apache/naming/factory/ResourceLinkFactory.java =================================================================== --- tomcat7-7.0.64.orig/java/org/apache/naming/factory/ResourceLinkFactory.java 2016-06-17 12:04:45.074390009 +0300 +++ tomcat7-7.0.64/java/org/apache/naming/factory/ResourceLinkFactory.java 2016-06-17 12:04:45.070389958 +0300 
@@ -60,6 +60,11 @@
 * @param newGlobalContext new global context value
 */
 public static void setGlobalContext(Context newGlobalContext) {
+ SecurityManager sm = System.getSecurityManager();
+ if (sm != null) {
+ sm.checkPermission(new RuntimePermission(
+ ResourceLinkFactory.class.getName() + ".setGlobalContext"));
+ }
 globalContext = newGlobalContext;
 }
 
debian/patches/CVE-2017-7674.patch0000644000000000000000000000302013163005541013250 0ustar Description: fix client and server side cache poisoning in CORS filter
Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1795816
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312
Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61101
Index: tomcat7-7.0.52/java/org/apache/catalina/filters/CorsFilter.java
===================================================================
--- tomcat7-7.0.52.orig/java/org/apache/catalina/filters/CorsFilter.java 2013-06-05 05:58:22.000000000 -0400
+++ tomcat7-7.0.52/java/org/apache/catalina/filters/CorsFilter.java 2017-09-27 16:28:43.472940479 -0400
@@ -298,6 +298,10 @@ public final class CorsFilter implements
 exposedHeadersString);
 }
 
+ // Indicate the response depends on the origin
+ response.addHeader(CorsFilter.REQUEST_HEADER_VARY,
+ CorsFilter.REQUEST_HEADER_ORIGIN);
+
 // Forward the request down the filter chain.
 filterChain.doFilter(request, response);
 }
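Review bot: The Javadoc of `setGlobalContext` still documents only `@param newGlobalContext`, yet the added check means the method can now throw when a security manager is installed, and callers should be told. Add `@throws SecurityException if a security manager is installed and the caller does not hold the {@code RuntimePermission} named after this class and method` to the comment (its opening line is above the hunk), and a why-comment above the check such as `// Replacing the global JNDI context is restricted to code holding the dedicated RuntimePermission when a security manager is active (CVE-2016-0763)`. The permission name is built from `ResourceLinkFactory.class.getName()`, so the Javadoc should spell the full name out once to help operators writing policy files.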
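Review bot: `Vary: Origin` is added only on the path shown here, directly before `filterChain.doFilter`; if the preflight or non-CORS branches of this filter (outside the hunk) also emit origin-dependent headers, they need the same `addHeader` call, otherwise a shared cache can still hand one origin's response to another. Using `addHeader` rather than `setHeader` is the right choice, since downstream code may append further Vary values. The one-line comment would say more as `// Vary on Origin so shared caches do not reuse this response across origins (CVE-2017-7674)`.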
@@ -941,6 +945,13 @@ public final class CorsFilter implements
 "Access-Control-Allow-Headers";
 
 // -------------------------------------------------- CORS Request Headers
+
+ /**
+ * The Vary header indicates allows disabling proxy caching by indicating
+ * the the response depends on the origin.
+ */
+ public static final String REQUEST_HEADER_VARY = "Vary";
+
 /**
 * The Origin header indicates where the cross-origin request or preflight
 * request originates from.
debian/patches/CVE-2017-1261x.patch0000644000000000000000000007260713303261414013432 0ustar Description: fix missing checks when HTTP PUTs enabled
Origin: backport, https://svn.apache.org/r1804604
Origin: backport, https://svn.apache.org/r1804643
Origin: backport, https://svn.apache.org/r1804729
Origin: backport, https://svn.apache.org/r1806940
Origin: backport, https://svn.apache.org/r1809288
Origin: backport, https://svn.apache.org/r1809293
Origin: backport, https://svn.apache.org/r1809298
Origin: backport, https://svn.apache.org/r1809358
Origin: backport, https://svn.apache.org/r1809978
Origin: backport, https://svn.apache.org/r1809992
Origin: backport, https://svn.apache.org/r1810014
Origin: backport, https://svn.apache.org/r1810026
Bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat8/+bug/1721749
Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java
===================================================================
--- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/DefaultServlet.java 2018-05-29 10:09:51.000000000 -0400
+++ tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java 2018-05-29 10:12:50.949149044 -0400
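Review bot: The Javadoc on `REQUEST_HEADER_VARY` is garbled — "indicates allows disabling proxy caching by indicating the the response" has two competing verbs and a doubled "the". Suggest `The Vary header tells shared caches that the response depends on the request's Origin header, so a cached copy must not be reused for a different origin.` Vary is also a response header, so filing it under "CORS Request Headers" with a `REQUEST_HEADER_` prefix is misleading; a `RESPONSE_HEADER_VARY` constant next to the other response-header constants would be more consistent, with the reference in the earlier hunk renamed to match.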
@@ -829,23 +829,6 @@ public class DefaultServlet return; } - // If the resource is not a collection, and the resource path - // ends with "/" or "\", return NOT FOUND - if (cacheEntry.context == null) { - if (path.endsWith("/") || (path.endsWith("\\"))) { - // Check if we're included so we can return the appropriate - // missing resource name in the error - String requestUri = (String) request.getAttribute( - RequestDispatcher.INCLUDE_REQUEST_URI); - if (requestUri == null) { - requestUri = request.getRequestURI(); - } - response.sendError(HttpServletResponse.SC_NOT_FOUND, - requestUri); - return; - } - } - boolean isError = DispatcherType.ERROR == request.getDispatcherType(); // Check if the conditions specified in the optional If headers are Index: tomcat7-7.0.52/java/org/apache/naming/resources/FileDirContext.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/naming/resources/FileDirContext.java 2014-01-27 08:05:23.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/naming/resources/FileDirContext.java 2018-05-29 10:15:52.144973726 -0400 @@ -14,8 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - - package org.apache.naming.resources; import java.io.File; @@ -75,6 +73,8 @@ public class FileDirContext extends Base /** * Builds a file directory context using the given environment. + * + * @param env The environment with which to build the context */ public FileDirContext(Hashtable env) { super(env); @@ -95,6 +95,8 @@ public class FileDirContext extends Base */ protected String absoluteBase = null; + private String canonicalBase = null; + /** * Allow linking. @@ -104,7 +106,6 @@ public class FileDirContext extends Base // ------------------------------------------------------------- Properties - /** * Set the document root. * 
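Review bot: `canonicalBase` (hunk `@@ -95,6 +95,8 @@` of FileDirContext) is added without any comment, while the neighbouring `absoluteBase` field carries Javadoc; since the two hold different forms of the same directory and are used in different comparisons, a line such as `/** Canonical form of the document base (File#getCanonicalPath()), used to check that a resolved resource's canonical path stays under the root. */` is warranted. In the DefaultServlet hunk `@@ -829,23 +829,6 @@` the trailing-slash rejection is deleted rather than moved, so nothing at this site tells a reader where that rule now lives; a one-line comment at the removal point, e.g. `// A trailing '/' on a non-collection path is rejected by the resources layer (FileDirContext.file/validate)`, would keep it discoverable. The enclosing DefaultServlet method starts and ends outside the hunk.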
@@ -117,32 +118,41 @@ public class FileDirContext extends Base */ @Override public void setDocBase(String docBase) { + // Validate the format of the proposed document root + if (docBase == null) { + throw new IllegalArgumentException(sm.getString("resources.null")); + } - // Validate the format of the proposed document root - if (docBase == null) - throw new IllegalArgumentException - (sm.getString("resources.null")); - - // Calculate a File object referencing this document base directory - base = new File(docBase); + // Calculate a File object referencing this document base directory + base = new File(docBase); try { base = base.getCanonicalFile(); } catch (IOException e) { // Ignore } - // Validate that the document base is an existing directory - if (!base.exists() || !base.isDirectory() || !base.canRead()) - throw new IllegalArgumentException - (sm.getString("fileResources.base", docBase)); - this.absoluteBase = base.getAbsolutePath(); - super.setDocBase(docBase); + // Validate that the document base is an existing directory + if (!base.exists() || !base.isDirectory() || !base.canRead()) { + throw new IllegalArgumentException(sm.getString("fileResources.base", docBase)); + } + this.absoluteBase = normalize(base.getAbsolutePath()); + + // absoluteBase also needs to be normalized. Using the canonical path is + // the simplest way of doing this. + try { + this.canonicalBase = base.getCanonicalPath(); + } catch (IOException e) { + throw new IllegalArgumentException(e); + } + super.setDocBase(docBase); } /** * Set allow linking. + * + * @param allowLinking The new value for the attribute */ public void setAllowLinking(boolean allowLinking) { this.allowLinking = allowLinking; @@ -151,6 +161,8 @@ public class FileDirContext extends Base /** * Is linking allowed. + * + * @return {@code true} is linking is allowed, otherwise {@code false} */ public boolean getAllowLinking() { return allowLinking; 
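Review bot: The comment above `this.canonicalBase = base.getCanonicalPath();` says "absoluteBase also needs to be normalized. Using the canonical path is the simplest way of doing this", but absoluteBase was already normalized on the preceding line and this statement records a different field, so the comment describes the wrong thing. Suggest `// Keep the canonical base separately: validate() compares a resource's canonical path against it, and its normalized absolute path against absoluteBase.` Note also that `base` was already passed through `getCanonicalFile()` a few lines earlier with the IOException ignored, while the same failure here becomes an IllegalArgumentException; failing fast is the better behaviour, so the earlier silent catch is now effectively redundant and could carry a comment saying so.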
@@ -193,7 +205,7 @@ public class FileDirContext extends Base @Override protected Object doLookup(String name) { Object result = null; - File file = file(name); + File file = file(name, true); if (file == null) return null; @@ -230,7 +242,7 @@ public class FileDirContext extends Base public void unbind(String name) throws NamingException { - File file = file(name); + File file = file(name, true); if (file == null) throw new NameNotFoundException( @@ -255,22 +267,22 @@ public class FileDirContext extends Base * @exception NamingException if a naming exception is encountered */ @Override - public void rename(String oldName, String newName) - throws NamingException { + public void rename(String oldName, String newName) throws NamingException { - File file = file(oldName); + File file = file(oldName, true); - if (file == null) - throw new NameNotFoundException - (sm.getString("resources.notFound", oldName)); + if (file == null) { + throw new NameNotFoundException(sm.getString("resources.notFound", oldName)); + } - File newFile = new File(base, newName); + File newFile = file(newName, false); + if (newFile == null) { + throw new NamingException(sm.getString("resources.renameFail", oldName, newName)); + } if (!file.renameTo(newFile)) { - throw new NamingException(sm.getString("resources.renameFail", - oldName, newName)); + throw new NamingException(sm.getString("resources.renameFail", oldName, newName)); } - } @@ -291,11 +303,11 @@ public class FileDirContext extends Base protected List doListBindings(String name) throws NamingException { - File file = file(name); + File file = file(name, true); if (file == null) return null; - + return list(file); } @@ -395,7 +407,7 @@ public class FileDirContext extends Base throws NamingException { // Building attribute list - File file = file(name); + File file = file(name, true); if (file == null) return null; 
@@ -463,12 +475,20 @@ public class FileDirContext extends Base * @exception NamingException if a naming exception is encountered */ @Override - public void bind(String name, Object obj, Attributes attrs) - throws NamingException { + public void bind(String name, Object obj, Attributes attrs) throws NamingException { // Note: No custom attributes allowed - File file = new File(base, name); + // bind() is meant to create a file so ensure that the path doesn't end + // in '/' + if (name.endsWith("/")) { + throw new NamingException(sm.getString("resources.bindFailed", name)); + } + + File file = file(name, false); + if (file == null) { + throw new NamingException(sm.getString("resources.bindFailed", name)); + } if (file.exists()) throw new NameAlreadyBoundException (sm.getString("resources.alreadyBound", name)); @@ -503,7 +523,10 @@ public class FileDirContext extends Base // Note: No custom attributes allowed // Check obj type - File file = new File(base, name); + File file = file(name, false); + if (file == null) { + throw new NamingException(sm.getString("resources.bindFailed", name)); + } InputStream is = null; if (obj instanceof Resource) { @@ -578,13 +601,14 @@ public class FileDirContext extends Base public DirContext createSubcontext(String name, Attributes attrs) throws NamingException { - File file = new File(base, name); + File file = file(name, false); + if (file == null) { + throw new NamingException(sm.getString("resources.bindFailed", name)); + } if (file.exists()) - throw new NameAlreadyBoundException - (sm.getString("resources.alreadyBound", name)); + throw new NameAlreadyBoundException(sm.getString("resources.alreadyBound", name)); if (!file.mkdir()) - throw new NamingException - (sm.getString("resources.bindFailed", name)); + throw new NamingException(sm.getString("resources.bindFailed", name)); return (DirContext) lookup(name); } 
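Review bot: `bind` (hunk `@@ -463,12 +475,20 @@`) rejects a name ending in '/' before resolving it, but the method patched at `@@ -503,7 +523,10 @@` (its signature is above the hunk; the context reads like rebind) and `createSubcontext` do not. `validate()` returns null for a trailing '/' only when the target is an existing regular file, and `java.io.File` drops a trailing separator, so a rebind of a not-yet-existing name such as `foo/` would presumably create the file `foo` (inferred, not visible here). The same guard should precede the lookup in that method: `if (name.endsWith("/")) { throw new NamingException(sm.getString("resources.bindFailed", name)); }`. Both sites also reuse `resources.bindFailed` for an invalid name and for a failed create, which makes the two failures indistinguishable in logs.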
@@ -753,6 +777,7 @@ public class FileDirContext extends Base } + /** * Return a File object representing the specified normalized * context-relative path if it exists and is readable. Otherwise, 
@@ -761,53 +786,133 @@ public class FileDirContext extends Base * @param name Normalized context-relative path (with leading '/') */ protected File file(String name) { + return file(name, true); + } + + + /** + * Return a File object representing the specified normalized + * context-relative path if it exists and is readable. Otherwise, + * return null. + * + * @param name Normalized context-relative path (with leading '/') + * @param mustExist Must the specified resource exist? + */ + protected File file(String name, boolean mustExist) { + if (name.equals("/")) { + name = ""; + } File file = new File(base, name); - if (file.exists() && file.canRead()) { + return validate(file, name, mustExist, absoluteBase, canonicalBase); + } - if (allowLinking) - return file; - - // Check that this file belongs to our root path - String canPath = null; - try { - canPath = file.getCanonicalPath(); - } catch (IOException e) { - // Ignore - } - if (canPath == null) - return null; - // Check to see if going outside of the web application root - if (!canPath.startsWith(absoluteBase)) { - return null; - } + protected File validate(File file, String name, boolean mustExist, String absoluteBase, + String canonicalBase) { - // Case sensitivity check - this is now always done - String fileAbsPath = file.getAbsolutePath(); - if (fileAbsPath.endsWith(".")) - fileAbsPath = fileAbsPath + "/"; - String absPath = normalize(fileAbsPath); - canPath = normalize(canPath); - if ((absoluteBase.length() < absPath.length()) - && (absoluteBase.length() < canPath.length())) { - absPath = absPath.substring(absoluteBase.length() + 1); - if (absPath == null) - return null; - if (absPath.equals("")) - absPath = "/"; - canPath = canPath.substring(absoluteBase.length() + 1); - if (canPath.equals("")) - canPath = "/"; - if (!canPath.equals(absPath)) - return null; - } + // If the requested names ends in '/', the Java File API will return a + // matching file if one exists. 
This isn't what we want as it is not + // consistent with the Servlet spec rules for request mapping. + if (name.endsWith("/") && file.isFile()) { + return null; + } - } else { + // If the file/dir must exist but the identified file/dir can't be read + // then signal that the resource was not found + if (mustExist && !file.canRead()) { + return null; + } + + // If allow linking is enabled, files are not limited to being located + // under the fileBase so all further checks are disabled. + if (allowLinking) { + return file; + } + + // Additional Windows specific checks to handle known problems with + // File.getCanonicalPath() + if (JrePlatform.IS_WINDOWS && isInvalidWindowsFilename(name)) { + return null; + } + + // Check that this file is located under the web application root + String canPath = null; + try { + canPath = file.getCanonicalPath(); + } catch (IOException e) { + // Ignore + } + if (canPath == null || !canPath.startsWith(canonicalBase)) { + return null; + } + + // Ensure that the file is not outside the fileBase. This should not be + // possible for standard requests (the request is normalized early in + // the request processing) but might be possible for some access via the + // Servlet API (RequestDispatcher etc.) therefore these checks are + // retained as an additional safety measure. absoluteBase has been + // normalized so absPath needs to be normalized as well. + String absPath = normalize(file.getAbsolutePath()); + if ((absoluteBase.length() > absPath.length())) { return null; } + + // Remove the fileBase location from the start of the paths since that + // was not part of the requested path and the remaining check only + // applies to the request path + absPath = absPath.substring(absoluteBase.length()); + canPath = canPath.substring(canonicalBase.length()); + + // Case sensitivity check + // The normalized requested path should be an exact match the equivalent + // canonical path. 
If it is not, possible reasons include: + // - case differences on case insensitive file systems + // - Windows removing a trailing ' ' or '.' from the file name + // + // In all cases, a mis-match here results in the resource not being + // found + // + // absPath is normalized so canPath needs to be normalized as well + // Can't normalize canPath earlier as canonicalBase is not normalized + if (canPath.length() > 0) { + canPath = normalize(canPath); + } + if (!canPath.equals(absPath)) { + return null; + } + return file; + } + + private boolean isInvalidWindowsFilename(String name) { + final int len = name.length(); + if (len == 0) { + return false; + } + // This consistently ~10 times faster than the equivalent regular + // expression irrespective of input length. + for (int i = 0; i < len; i++) { + char c = name.charAt(i); + if (c == '\"' || c == '<' || c == '>') { + // These characters are disallowed in Windows file names and + // there are known problems for file names with these characters + // when using File#getCanonicalPath(). + // Note: There are additional characters that are disallowed in + // Windows file names but these are not known to cause + // problems when using File#getCanonicalPath(). + return true; + } + } + // Windows does not allow file names to end in ' ' unless specific low + // level APIs are used to create the files that bypass various checks. + // File names that end in ' ' are known to cause problems when using + // File#getCanonicalPath(). + if (name.charAt(len -1) == ' ') { + return true; + } + return false; } @@ -1051,10 +1156,10 @@ public class FileDirContext extends Base return super.getResourceType(); } - + /** * Get canonical path. - * + * * @return String the file's canonical path */ @Override 
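Review bot: `canPath.startsWith(canonicalBase)` in `validate()` tests only a string prefix, so a sibling of the document base whose name extends it (constructed example: base `/srv/app`, sibling `/srv/app-old`) passes that line; whether such a path can reach this method depends on `normalize()`'s handling of `..` and on the request normalization the comment mentions, both outside the hunk, so this is likely defence in depth rather than a live hole. A boundary-aware check closes it regardless: `if (canPath == null || !(canPath.equals(canonicalBase) || canPath.startsWith(canonicalBase + File.separator))) {`. Two documentation points: `validate()` is `protected` and is called from VirtualDirContext yet has no Javadoc, so the `@param`/return contract (null on rejection, `absoluteBase` normalized, `canonicalBase` canonical) should be written out like the `file(String, boolean)` Javadoc above it; and that Javadoc still says the file is returned only "if it exists and is readable", which no longer holds when `mustExist` is false.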
@@ -1068,10 +1173,6 @@ public class FileDirContext extends Base } return canonicalPath; } - - } - - } Index: tomcat7-7.0.52/java/org/apache/naming/resources/JrePlatform.java =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tomcat7-7.0.52/java/org/apache/naming/resources/JrePlatform.java 2018-05-29 10:15:43.732978017 -0400 
@@ -0,0 +1,59 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.naming.resources; + +import java.security.AccessController; +import java.security.PrivilegedAction; + +public class JrePlatform { + + private static final String OS_NAME_PROPERTY = "os.name"; + private static final String OS_NAME_WINDOWS_PREFIX = "Windows"; + + static { + /* + * There are a few places where a) the behaviour of the Java API depends + * on the underlying platform and b) those behavioural differences have + * an impact on Tomcat. + * + * Tomcat therefore needs to be able to determine the platform it is + * running on to account for those differences. + * + * In an ideal world this code would not exist. 
+ */ + + // This check is derived from the check in Apache Commons Lang + String osName; + if (System.getSecurityManager() == null) { + osName = System.getProperty(OS_NAME_PROPERTY); + } else { + osName = AccessController.doPrivileged( + new PrivilegedAction() { + + @Override + public String run() { + return System.getProperty(OS_NAME_PROPERTY); + } + }); + } + + IS_WINDOWS = osName.startsWith(OS_NAME_WINDOWS_PREFIX); + } + + + public static final boolean IS_WINDOWS; +} Index: tomcat7-7.0.52/java/org/apache/naming/resources/LocalStrings.properties =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/naming/resources/LocalStrings.properties 2014-01-27 08:05:23.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/naming/resources/LocalStrings.properties 2018-05-29 10:12:22.109195257 -0400 @@ -14,6 +14,7 @@ # limitations under the License. fileResources.base=Document base {0} does not exist or is not a readable directory +fileResources.canonical.fail=A canonical path could not be determined for [{0}] fileResources.listingNull=Could not get dir listing for {0} warResources.notWar=Doc base must point to a WAR file warResources.invalidWar=Invalid or unreadable WAR file : {0} Index: tomcat7-7.0.52/java/org/apache/naming/resources/VirtualDirContext.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/naming/resources/VirtualDirContext.java 2014-01-27 08:05:23.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/naming/resources/VirtualDirContext.java 2018-05-29 10:15:49.452975063 -0400 @@ -17,6 +17,7 @@ package org.apache.naming.resources; import java.io.File; +import java.io.IOException; import java.util.ArrayList; import java.util.HashMap; import java.util.HashSet; 
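Review bot: `IS_WINDOWS = osName.startsWith(OS_NAME_WINDOWS_PREFIX)` dereferences `osName` without a null check; `System.getProperty` returns null when the property is absent, and because this runs in a static initializer the result would be an ExceptionInInitializerError on first use of JrePlatform rather than a clear message. Guard it: `IS_WINDOWS = osName != null && osName.startsWith(OS_NAME_WINDOWS_PREFIX);` — an unknown platform is then treated as non-Windows, which only skips the extra file-name checks in FileDirContext. The class has no Javadoc; the explanatory block inside the initializer would serve better as the class comment, e.g. `Holder for platform facts (currently only whether the JRE runs on Windows) that the naming resources code needs to work around platform-specific File API behaviour.`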
@@ -58,6 +59,10 @@ import org.apache.naming.NamingEntry; * @author Fabrizio Giustina */ public class VirtualDirContext extends FileDirContext { + + private static final org.apache.juli.logging.Log log= + org.apache.juli.logging.LogFactory.getLog(VirtualDirContext.class); + private String extraResourcePaths = ""; private Map> mappedResourcePaths; @@ -76,7 +81,8 @@ public class VirtualDirContext extends F * be listed twice. *

    * - * @param path + * @param path The set of file system paths and virtual paths to map them to + * in the required format */ public void setExtraResourcePaths(String path) { extraResourcePaths = path; @@ -106,13 +112,19 @@ public class VirtualDirContext extends F } path = resSpec.substring(0, idx); } - String dir = resSpec.substring(idx + 1); + File dir = new File(resSpec.substring(idx + 1)); List resourcePaths = mappedResourcePaths.get(path); if (resourcePaths == null) { resourcePaths = new ArrayList(); mappedResourcePaths.put(path, resourcePaths); } - resourcePaths.add(dir); + try { + resourcePaths.add(dir.getCanonicalPath()); + } catch (IOException e) { + log.warn(sm.getString("fileResources.canonical.fail", dir.getPath())); + // Fall back to the absolute path + resourcePaths.add(dir.getAbsolutePath()); + } } } if (mappedResourcePaths.isEmpty()) { @@ -151,15 +163,17 @@ public class VirtualDirContext extends F String resourcesDir = dirList.get(0); if (name.equals(path)) { File f = new File(resourcesDir); - if (f.exists() && f.canRead()) { + f = validate(f, name, true, resourcesDir); + if (f != null) { return new FileResourceAttributes(f); } } path += "/"; if (name.startsWith(path)) { String res = name.substring(path.length()); - File f = new File(resourcesDir + "/" + res); - if (f.exists() && f.canRead()) { + File f = new File(resourcesDir, res); + f = validate(f, res, true, resourcesDir); + if (f != null) { return new FileResourceAttributes(f); } } @@ -168,9 +182,16 @@ public class VirtualDirContext extends F throw initialException; } + @Override protected File file(String name) { - File file = super.file(name); + return file(name, true); + } + + + @Override + protected File file(String name, boolean mustExist) { + File file = super.file(name, true); if (file != null || mappedResourcePaths == null) { return file; } 
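Review bot: The new override `file(String name, boolean mustExist)` (hunk `@@ -168,9 +182,16 @@`) ignores its `mustExist` argument and calls `super.file(name, true)`, so every FileDirContext caller that passes `false` — bind, rebind, createSubcontext and rename's target — gets null for a not-yet-existing name when the context is a VirtualDirContext and fails with `resources.bindFailed`; the mapped-path branches below likewise always pass `true` to `validate`. If virtual contexts are intended to be read-only, say so in a comment (`// Virtual contexts never create resources, so mustExist is deliberately forced to true`); otherwise forward the flag: `File file = super.file(name, mustExist);`. The rest of the method is outside the hunk.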
@@ -185,7 +206,8 @@ public class VirtualDirContext extends F if (name.equals(path)) { for (String resourcesDir : dirList) { file = new File(resourcesDir); - if (file.exists() && file.canRead()) { + file = validate(file, name, true, resourcesDir); + if (file != null) { return file; } } @@ -194,7 +216,8 @@ public class VirtualDirContext extends F String res = name.substring(path.length()); for (String resourcesDir : dirList) { file = new File(resourcesDir, res); - if (file.exists() && file.canRead()) { + file = validate(file, res, true, resourcesDir); + if (file != null) { return file; } } @@ -229,7 +252,8 @@ public class VirtualDirContext extends F if (res != null) { for (String resourcesDir : dirList) { File f = new File(resourcesDir, res); - if (f.exists() && f.canRead() && f.isDirectory()) { + f = validate(f, res, true, resourcesDir); + if (f != null && f.isDirectory()) { List virtEntries = super.list(f); for (NamingEntry entry : virtEntries) { // filter duplicate @@ -264,7 +288,8 @@ public class VirtualDirContext extends F if (name.equals(path)) { for (String resourcesDir : dirList) { File f = new File(resourcesDir); - if (f.exists() && f.canRead()) { + f = validate(f, name, true, resourcesDir); + if (f != null) { if (f.isFile()) { return new FileResource(f); } @@ -279,8 +304,9 @@ public class VirtualDirContext extends F if (name.startsWith(path)) { String res = name.substring(path.length()); for (String resourcesDir : dirList) { - File f = new File(resourcesDir + "/" + res); - if (f.exists() && f.canRead()) { + File f = new File(resourcesDir, res); + f = validate(f, res, true, resourcesDir); + if (f != null) { if (f.isFile()) { return new FileResource(f); } 
@@ -304,4 +330,9 @@ public class VirtualDirContext extends F return null; } } + + + protected File validate(File file, String name, boolean mustExist, String absoluteBase) { + return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase); + } } Index: tomcat7-7.0.52/test/org/apache/naming/resources/TestFileDirContext.java =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tomcat7-7.0.52/test/org/apache/naming/resources/TestFileDirContext.java 2018-05-29 10:12:24.485191232 -0400 
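Review bot: The four-argument `validate` overload passes its `absoluteBase` parameter both normalized and, unchanged, as the canonical base, so the parameter name misstates what callers must supply. The values come from `mappedResourcePaths`, which `setExtraResourcePaths` (hunk `@@ -106,13 +112,19 @@` in this file) fills with `getCanonicalPath()` but, on IOException, with `getAbsolutePath()`; in that fallback the `startsWith(canonicalBase)` comparison in FileDirContext.validate is fed a non-canonical string and lookups under that extra path would presumably be rejected, which fails closed, but the warning logged at setup does not say so. Rename the parameter to `canonicalResourcesDir` and add Javadoc: `Validate a file resolved under one of the extra resource paths. @param canonicalResourcesDir canonical path of the mapped directory as stored by setExtraResourcePaths; it is normalized for the absolute-path comparison and used as-is as the canonical base. @return the file, or null if it is outside the directory or fails the checks in FileDirContext#validate`.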
@@ -0,0 +1,46 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.naming.resources; + +import java.io.File; + +import javax.servlet.http.HttpServletResponse; + +import org.junit.Assert; +import org.junit.Test; + +import org.apache.catalina.startup.Tomcat; +import org.apache.catalina.startup.TomcatBaseTest; +import org.apache.tomcat.util.buf.ByteChunk; + +public class TestFileDirContext extends TomcatBaseTest { + + @Test + public void testLookupResourceWithTrailingSlash() throws Exception { + Tomcat tomcat = getTomcatInstance(); + + File appDir = new File("test/webapp-3.0"); + // app dir is relative to server home + tomcat.addWebapp(null, "/test", appDir.getAbsolutePath()); + + tomcat.start(); + + int sc = getUrl("http://localhost:" + getPort() + + "/test/index.html/", new ByteChunk(), null); + Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, sc); + } +} debian/patches/0011-fix-classpath-lintian-warnings.patch0000644000000000000000000000502613067502611020251 0ustar Description: Fix codeless-jar and missing-classpath lintian warnings Author: Miguel Landaeta Forwarded: no Last-Update: 2011-05-16 --- a/build.xml +++ b/build.xml 
@@ -754,7 +754,8 @@ + filesId="files.jasper" + manifest="${tomcat.manifests}/jasper.jar.manifest" /> - + @@ -771,9 +771,8 @@ fullpath="META-INF/NOTICE" /> - - + + @@ -781,9 +780,8 @@ fullpath="META-INF/NOTICE" /> - - + + @@ -791,7 +789,7 @@ fullpath="META-INF/NOTICE" /> - + --- /dev/null +++ b/res/META-INF/jasper.jar.manifest @@ -0,0 +1,10 @@ +Manifest-Version: 1.0 +Specification-Title: Apache Tomcat +Specification-Version: @VERSION_MAJOR_MINOR@ +Specification-Vendor: Apache Software Foundation +Implementation-Title: Apache Tomcat +Implementation-Version: @VERSION@ +Implementation-Vendor: Apache Software Foundation +X-Compile-Source-JDK: @source.jdk@ +X-Compile-Target-JDK: @target.jdk@ +Class-Path: ecj.jar tomcat-el-api-2.2.jar tomcat-servlet-api-3.0.jar tomcat-jsp-api-2.2.jar debian/patches/CVE-2014-0227.patch0000644000000000000000000003261113067502611013233 0ustar Description: fix HTTP request smuggling or denial of service via streaming with malformed chunked transfer encoding Origin: upstream, https://svn.apache.org/viewvc?view=revision&revision=1601333 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1449975 Bug-Debian:https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=785312 Index: tomcat7-7.0.52/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2015-06-19 12:23:15.401283332 -0400 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2015-06-19 12:24:58.510511520 -0400 @@ -14,7 +14,6 @@ * See the License for the specific language governing permissions and * limitations under the License. */ - package org.apache.coyote.http11.filters; import java.io.EOFException; 
@@ -29,6 +28,7 @@ import org.apache.tomcat.util.buf.HexUtils; import org.apache.tomcat.util.buf.MessageBytes; import org.apache.tomcat.util.http.MimeHeaders; +import org.apache.tomcat.util.res.StringManager; /** * Chunked input filter. Parses chunked data according to @@ -39,9 +39,11 @@ */ public class ChunkedInputFilter implements InputFilter { + private static final StringManager sm = StringManager.getManager( + ChunkedInputFilter.class.getPackage().getName()); - // -------------------------------------------------------------- Constants + // -------------------------------------------------------------- Constants protected static final String ENCODING_NAME = "chunked"; protected static final ByteChunk ENCODING = new ByteChunk(); @@ -49,7 +51,6 @@ // ----------------------------------------------------- Static Initializer - static { ENCODING.setBytes(ENCODING_NAME.getBytes(Charset.defaultCharset()), 0, ENCODING_NAME.length()); @@ -58,7 +59,6 @@ // ----------------------------------------------------- Instance Variables - /** * Next buffer in the pipeline. */ @@ -106,6 +106,7 @@ */ protected ByteChunk trailingHeaders = new ByteChunk(); + /** * Flag set to true if the next call to doRead() must parse a CRLF pair * before doing anything else. @@ -130,21 +131,29 @@ */ private final int maxTrailerSize; + /** * Size of extensions processed for this request. */ private long extensionSize; + /** + * Flag that indicates if an error has occurred. + */ + private boolean error; + + // ----------------------------------------------------------- Constructors + public ChunkedInputFilter(int maxTrailerSize, int maxExtensionSize) { this.trailingHeaders.setLimit(maxTrailerSize); this.maxExtensionSize = maxExtensionSize; this.maxTrailerSize = maxTrailerSize; } - // ---------------------------------------------------- InputBuffer Methods + // ---------------------------------------------------- InputBuffer Methods /** * Read bytes. 
@@ -156,11 +165,12 @@ * control, the returned value should be -1. */ @Override - public int doRead(ByteChunk chunk, Request req) - throws IOException { - - if (endChunk) + public int doRead(ByteChunk chunk, Request req) throws IOException { + if (endChunk) { return -1; + } + + checkError(); if(needCRLFParse) { needCRLFParse = false; @@ -169,7 +179,7 @@ if (remaining <= 0) { if (!parseChunkHeader()) { - throw new IOException("Invalid chunk header"); + throwIOException(sm.getString("chunkedInputFilter.invalidHeader")); } if (endChunk) { parseEndChunk(); @@ -181,8 +191,7 @@ if (pos >= lastValid) { if (readBytes() < 0) { - throw new IOException( - "Unexpected end of stream whilst reading request body"); + throwIOException(sm.getString("chunkedInputFilter.eos")); } } @@ -207,13 +216,11 @@ } return result; - } // ---------------------------------------------------- InputFilter Methods - /** * Read the content length from the request. */ @@ -227,17 +234,14 @@ * End the current request. */ @Override - public long end() - throws IOException { - + public long end() throws IOException { // Consume extra bytes : parse the stream until the end chunk is found while (doRead(readChunk, null) >= 0) { // NOOP: Just consume the input } // Return the number of extra bytes which were consumed - return (lastValid - pos); - + return lastValid - pos; } @@ -246,7 +250,7 @@ */ @Override public int available() { - return (lastValid - pos); + return lastValid - pos; } @@ -272,6 +276,7 @@ trailingHeaders.recycle(); trailingHeaders.setLimit(maxTrailerSize); extensionSize = 0; + error = false; } @@ -287,12 +292,10 @@ // ------------------------------------------------------ Protected Methods - /** * Read bytes from the previous buffer. */ - protected int readBytes() - throws IOException { + protected int readBytes() throws IOException { int nRead = buffer.doRead(readChunk, null); pos = readChunk.getStart(); @@ -300,7 +303,6 @@ buf = readChunk.getBytes(); return nRead; - } 
@@ -315,8 +317,7 @@ * digits. We should not parse F23IAMGONNAMESSTHISUP34CRLF as a valid * header according to the spec. */ - protected boolean parseChunkHeader() - throws IOException { + protected boolean parseChunkHeader() throws IOException { int result = 0; boolean eol = false; @@ -356,7 +357,7 @@ // validated. Currently it is simply ignored. extensionSize++; if (maxExtensionSize > -1 && extensionSize > maxExtensionSize) { - throw new IOException("maxExtensionSize exceeded"); + throwIOException(sm.getString("chunkedInputFilter.maxExtension")); } } @@ -364,21 +365,22 @@ if (!eol) { pos++; } - } - if (readDigit == 0 || result < 0) + if (readDigit == 0 || result < 0) { return false; + } - if (result == 0) + if (result == 0) { endChunk = true; + } remaining = result; - if (remaining < 0) + if (remaining < 0) { return false; + } return true; - } @@ -405,26 +407,27 @@ boolean crfound = false; while (!eol) { - if (pos >= lastValid) { - if (readBytes() <= 0) - throw new IOException("Invalid CRLF"); + if (readBytes() <= 0) { + throwIOException(sm.getString("chunkedInputFilter.invalidCrlfNoData")); + } } if (buf[pos] == Constants.CR) { - if (crfound) throw new IOException("Invalid CRLF, two CR characters encountered."); + if (crfound) { + throwIOException(sm.getString("chunkedInputFilter.invalidCrlfCRCR")); + } crfound = true; } else if (buf[pos] == Constants.LF) { if (!tolerant && !crfound) { - throw new IOException("Invalid CRLF, no CR character encountered."); + throwIOException(sm.getString("chunkedInputFilter.invalidCrlfNoCR")); } eol = true; } else { - throw new IOException("Invalid CRLF"); + throwIOException(sm.getString("chunkedInputFilter.invalidCrlf")); } pos++; - } } @@ -433,7 +436,6 @@ * Parse end chunk data. */ protected void parseEndChunk() throws IOException { - // Handle optional trailer headers while (parseHeader()) { // Loop until we run out of headers 
@@ -449,8 +451,9 @@ // Read new bytes if needed if (pos >= lastValid) { - if (readBytes() <0) - throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); + if (readBytes() <0) { + throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); + } } chr = buf[pos]; @@ -474,8 +477,9 @@ // Read new bytes if needed if (pos >= lastValid) { - if (readBytes() <0) - throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); + if (readBytes() <0) { + throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); + } } chr = buf[pos]; @@ -515,8 +519,9 @@ // Read new bytes if needed if (pos >= lastValid) { - if (readBytes() <0) - throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); + if (readBytes() <0) { + throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); + } } chr = buf[pos]; @@ -526,7 +531,7 @@ // limit placed on trailing header size int newlimit = trailingHeaders.getLimit() -1; if (trailingHeaders.getEnd() > newlimit) { - throw new IOException("Exceeded maxTrailerSize"); + throwIOException(sm.getString("chunkedInputFilter.maxTrailer")); } trailingHeaders.setLimit(newlimit); } else { @@ -540,8 +545,9 @@ // Read new bytes if needed if (pos >= lastValid) { - if (readBytes() <0) - throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); + if (readBytes() <0) { + throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); + } } chr = buf[pos]; @@ -565,8 +571,9 @@ // Read new bytes if needed if (pos >= lastValid) { - if (readBytes() <0) - throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); + if (readBytes() <0) { + throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); + } } chr = buf[pos]; 
@@ -587,4 +594,23 @@ return true; } + + + private void throwIOException(String msg) throws IOException { + error = true; + throw new IOException(msg); + } + + + private void throwEOFException(String msg) throws IOException { + error = true; + throw new EOFException(msg); + } + + + private void checkError() throws IOException { + if (error) { + throw new IOException(sm.getString("chunkedInputFilter.error")); + } + } } Index: tomcat7-7.0.52/java/org/apache/coyote/http11/filters/LocalStrings.properties =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/filters/LocalStrings.properties 2015-06-19 12:25:25.274830167 -0400 
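Review bot: The three new helpers carry no Javadoc, and the `error` flag they manage is the state the whole change hinges on. A comment on throwIOException()/throwEOFException() such as `// Marks the filter as failed: every later doRead() on this request fails in checkError() until recycle() clears the flag` would state the contract, and checkError() should note that it is the only place the flag is consulted and that recycle() (earlier hunk, `error = false;`) is the only reset. Without that, a future refactor that adds a new throw site or a new reset path can silently weaken the guard.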
@@ -0,0 +1,25 @@
+# Licensed to the Apache Software Foundation (ASF) under one or more
+# contributor license agreements. See the NOTICE file distributed with
+# this work for additional information regarding copyright ownership.
+# The ASF licenses this file to You under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+chunkedInputFilter.error=No data available due to previous error
+chunkedInputFilter.eos=Unexpected end of stream while reading request body
+chunkedInputFilter.eosTrailer=Unexpected end of stream while reading trailer headers
+chunkedInputFilter.invalidCrlf=Invalid end of line sequence (character other than CR or LF found)
+chunkedInputFilter.invalidCrlfCRCR=Invalid end of line sequence (CRCR)
+chunkedInputFilter.invalidCrlfNoCR=Invalid end of line sequence (No CR before LF)
+chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data available to read)
+chunkedInputFilter.invalidHeader=Invalid chunk header
+chunkedInputFilter.maxExtension=maxExtensionSize exceeded
+chunkedInputFilter.maxTrailer=maxTrailerSize exceeded
\ No newline at end of file
debian/patches/0015_disable_test_TestCometProcessor.patch0000644000000000000000000000105613067502611020637 0ustar 
--- a/test/org/apache/catalina/comet/TestCometProcessor.java
+++ b/test/org/apache/catalina/comet/TestCometProcessor.java 
@@ -34,6 +34,7 @@ import static org.junit.Assert.fail; import org.junit.Assert; import org.junit.Test; +import org.junit.Ignore; import org.apache.catalina.Context; import org.apache.catalina.Wrapper; @@ -191,6 +192,7 @@ public class TestCometProcessor extends } @Test + @Ignore("fails consistently on Debian/Linux") public void testConnectionClose() throws Exception { if (!isCometSupported()) { debian/patches/0017-use-jdbc-pool-default.patch0000644000000000000000000000375413067502611016322 0ustar Description: Make jdbc-pool module default Tomcat upstream ships a patched version of Commons DBCP. This is not shipped in the Debian packages. . It also provides an alternative, lightweight pool implementation which is shipped. . This patch makes this implementation the default pool. Author: James Page Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1071817 Forwarded: not-needed --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ --- a/java/org/apache/naming/factory/Constants.java +++ b/java/org/apache/naming/factory/Constants.java @@ -49,7 +49,7 @@ Package + ".HandlerFactory"; public static final String DBCP_DATASOURCE_FACTORY = - "org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory"; + "org.apache.tomcat.jdbc.pool.DataSourceFactory"; public static final String OPENEJB_EJB_FACTORY = Package + ".OpenEjbFactory"; --- a/webapps/docs/config/systemprops.xml +++ b/webapps/docs/config/systemprops.xml @@ -579,7 +579,7 @@
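Review bot: In the Constants.java hunk `DBCP_DATASOURCE_FACTORY` now holds `org.apache.tomcat.jdbc.pool.DataSourceFactory`, so the constant's name no longer describes its value; a comment at the assignment such as `// Debian: jdbc-pool is the default because the repackaged Commons DBCP is not shipped` would explain the mismatch to the next reader. The documentation hunks in the same patch appear to keep the sentence describing the default factory as a package-renamed copy of Apache Commons DBCP, which is not true of the jdbc-pool class, so that wording should be updated alongside the class name.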

    The class name of the factory to use to create resources of type javax.sql.DataSource. If not specified the default of - org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory is used + org.apache.tomcat.jdbc.pool.DataSourceFactory is used which is a package renamed (to avoid conflictions) copy of Apache Commons DBCP.

    --- a/webapps/docs/jndi-resources-howto.xml +++ b/webapps/docs/jndi-resources-howto.xml @@ -685,7 +685,7 @@ conn.close();

    The configuration properties for Tomcat's standard data source resource factory - (org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory) are + (org.apache.tomcat.jdbc.pool.DataSourceFactory) are as follows:

    • driverClassName - Fully qualified Java class name debian/patches/0010-debianize-build-xml.patch0000644000000000000000000000216213067502611016043 0ustar Description: Disable usage of embedded library copies Author: James Pages Forwarded: no Last-Update: 2011-05-16 --- a/build.xml +++ b/build.xml @@ -595,7 +595,7 @@ + depends="build-prepare,compile-prepare"> + debian/patches/0006-add-JARs-below-var-to-class-loader.patch0000644000000000000000000000312013067502611020426 0ustar From: Debian Java Maintainers Date: Mon, 28 Jun 2010 21:32:57 +0200 Subject: [PATCH] add JARs below /var to class loader --- conf/catalina.properties | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) --- a/conf/catalina.properties +++ b/conf/catalina.properties @@ -44,7 +44,7 @@ # "foo/*.jar": Add all the JARs of the specified folder as class # repositories # "foo/bar.jar": Add bar.jar as a class repository -common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar +common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.home}/common/classes,${catalina.home}/common/*.jar # # List of comma-separated paths defining the contents of the "server" @@ -57,7 +57,7 @@ # "foo/*.jar": Add all the JARs of the specified folder as class # repositories # "foo/bar.jar": Add bar.jar as a class repository -server.loader= +server.loader=${catalina.home}/server/classes,${catalina.home}/server/*.jar # # List of comma-separated paths defining the contents of the "shared" 
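Review bot: The `common.loader` hunk appends `${catalina.home}/common/classes` and `${catalina.home}/common/*.jar` to the container-wide class path, and the `server.loader` hunk here and the `shared.loader` hunk on the next line do the same for `server/` and `shared/`; everything found there is loaded with the container's privileges, so the package must ship those directories not writable by the service user, otherwise a writable drop location is a way to load code into the server. A comment in the property file naming that expectation, e.g. `# Debian: the common/, server/ and shared/ directories below ${catalina.home} must not be writable by the tomcat7 user`, would keep the packaging and the configuration in step.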
@@ -71,7 +71,7 @@ # "foo/bar.jar": Add bar.jar as a class repository # Please note that for single jars, e.g. bar.jar, you need the URL form # starting with file:. -shared.loader= +shared.loader=${catalina.home}/shared/classes,${catalina.home}/shared/*.jar # List of JAR files that should not be scanned using the JarScanner # functionality. This is typically used to scan JARs for configuration debian/patches/0023-replace-expired-ssl-certificates.patch0000644000000000000000000004316513067502611020545 0ustar Description: Replace expired ssl certificates Author: Miguel Landaeta Bug-Debian: https://bugs.debian.org/780519 Forwarded: no Last-Update: 2015-03-24 --- /dev/null +++ tomcat7-7.0.56/test/org/apache/tomcat/util/net/ca-cert.pem 
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFNTCCAx2gAwIBAgIJAP6JFxtmg5GyMA0GCSqGSIb3DQEBCwUAMDExCzAJBgNV +BAYTAlVTMSIwIAYDVQQDDBljYS10ZXN0LnRvbWNhdC5hcGFjaGUub3JnMB4XDTE1 +MDMyNDE5NDQ0M1oXDTI1MDMyMTE5NDQ0M1owMTELMAkGA1UEBhMCVVMxIjAgBgNV +BAMMGWNhLXRlc3QudG9tY2F0LmFwYWNoZS5vcmcwggIiMA0GCSqGSIb3DQEBAQUA +A4ICDwAwggIKAoICAQC1kmB0521enMB1HbDLHV1Scx9LIFktnb/tMTXqt9LldaA0 +cCESvgNIbSerVVzcEQNlxfKc4CkEGYN7dgMIGYYEfsnDwJKExv38zRY5M4aVk5fO +Lq1QQhUx7btKNUeVrXDt4bwE6iwYSwWmsp/UjZe7tjRtbWqJU1j5hkLBvRNoMOPZ +bSUV5U2BrpVjBJTFw0ynfXv8jBzRI/Ag9eP9KREpYUADp1FgIy8JDpPL7gccHaHM +C8Eepy2mwm1cZCQmVcCMoeiDPnLirFE4tWnXRlvE+leqUlrSvFz5OaCB21vE7MjZ +UHNDElPhVrx5UE0DFqFifP8vdFIMBm83chdIL//vLnGnaWFcOtuLEZncb7nvEnm7 +zyKhpATtkh7RiVT9dUlH9cdsVPEd4Y/4Zf+fWon3xU2jT6gaUn6NYgLzAvbfZLj5 +i7h0Zjr9doRZu6zJSeErhF2mJPiAAQQ4lzvM+ieCRNZLLSGE4WfcE9mF2cd27XJ0 ++GbGEvBmcGz3Fi+8sSs06EMB+3Nxwe1Wq/bl84R61xw2rjIjyHn04yzBIlzt0wfo +ONYBBdtE+jlo8ar7JubiOeUuZII3L+Rknr6wglWYQQUkokx6e4LgUovxbNS1EnYA +zL0PZloETWYU5mt4xwuheE+7GtgLdKMF1RvRvwPjOBtbNNEggsali6mm/yawzQID +AQABo1AwTjAdBgNVHQ4EFgQUdt8dWGpR4wH+PNPW622ERdtv8WkwHwYDVR0jBBgw +FoAUdt8dWGpR4wH+PNPW622ERdtv8WkwDAYDVR0TBAUwAwEB/zANBgkqhkiG9w0B +AQsFAAOCAgEAHFBhfOCnaKfsv+qwTBUh18EmX+jFa2Oz5TRBV8N7FJQVFFB6+73v +8NVgWBksGXkdUfi1zYCDqc/9BVHxdMDKUt/IuUcFZhHcI1B2Lfn5M85YU79Uq3DY +kJCj2+Og64lgB2E6Claq883mJYSwM7Cvt1ZNvMzHHBSl2IsllT1mGaCoioOnvkSj +0cKt3OSv6CeyNzSLzfABDLTShMHBsuIW/Idsf7n3zHfNzu33gWe4/dsXPdPu4w+Y +yZBoXmFIzb7ft+hZpBGPVwRS3VTtWgQcqc7b6dlwJvnZMTsX9wG2q/lA/FKbr4ih +/M4mrcyCRe4o7HVZHxEydP3kmuGybvC67FL7RtghYE1XPnpohPv7pSHZwcIrkWHe +OMvn5zk/m9iqwjFI1YvZS09phckSevS5d5LPX0L1XlA4uEXWq5eKkTRqrtCqlkf/ +4PgT3ekYchnC5xHISG54AIbA49GcMw+GM5cc+u8a505BDp7c9ZEYWOeVFg3QNucu +gVCDW8wdn60toHyUUr+kL435QlVaSM6xh1b1TC5yEeGEPNfMMruxSO/Me6CbEyUL +CEE8uhmGkKgaB9+T0fFy0woRO+4gG6Rw7J7q3SUibyXII8kABLyUfKc6o3MubTWs +jUW8qHfiKtJO+1Q6Yn0R6C0/YPG7eMqb3p6tYk7YUFQBxk/8NTElgaM= +-----END CERTIFICATE----- --- /dev/null +++ tomcat7-7.0.56/test/org/apache/tomcat/util/net/ca-key.pem 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJJwIBAAKCAgEAtZJgdOdtXpzAdR2wyx1dUnMfSyBZLZ2/7TE16rfS5XWgNHAh +Er4DSG0nq1Vc3BEDZcXynOApBBmDe3YDCBmGBH7Jw8CShMb9/M0WOTOGlZOXzi6t +UEIVMe27SjVHla1w7eG8BOosGEsFprKf1I2Xu7Y0bW1qiVNY+YZCwb0TaDDj2W0l +FeVNga6VYwSUxcNMp317/Iwc0SPwIPXj/SkRKWFAA6dRYCMvCQ6Ty+4HHB2hzAvB +HqctpsJtXGQkJlXAjKHogz5y4qxROLVp10ZbxPpXqlJa0rxc+TmggdtbxOzI2VBz +QxJT4Va8eVBNAxahYnz/L3RSDAZvN3IXSC//7y5xp2lhXDrbixGZ3G+57xJ5u88i +oaQE7ZIe0YlU/XVJR/XHbFTxHeGP+GX/n1qJ98VNo0+oGlJ+jWIC8wL232S4+Yu4 +dGY6/XaEWbusyUnhK4RdpiT4gAEEOJc7zPongkTWSy0hhOFn3BPZhdnHdu1ydPhm +xhLwZnBs9xYvvLErNOhDAftzccHtVqv25fOEetccNq4yI8h59OMswSJc7dMH6DjW +AQXbRPo5aPGq+ybm4jnlLmSCNy/kZJ6+sIJVmEEFJKJMenuC4FKL8WzUtRJ2AMy9 +D2ZaBE1mFOZreMcLoXhPuxrYC3SjBdUb0b8D4zgbWzTRIILGpYuppv8msM0CAwEA +AQKCAgA5eMOfPUGZGPSyHVvAbuMDHf1hwjN4BN6jLVhrmxPeHYVAE93kGNDhM+vC +h5qE7b2tkSJiFXHmIk1D3u7GuY16Dse+dk3qSTJLun62TGDlJ3p9gLjLFp+u1hja +PFMURXnhUfo5dAXRCq4XPaLpnIfSmrGtkVyPaxpWoPCwcjCaYh88yxdZ/uKxkZkn +ZmPQ1SiGO2nrXk4gxMdVJ3+qujz8ZBPnFCblzz0sGLkfa5BEjfyQoYfXNAN3LUOA +YxIuMCZqXTVDlZi3tuNel82QnmydxL/K4ZZt7cFgAaWUdOJvSqOoZZaWPE7gnJu7 +qnc16wvaKMZ9NsxhkgfR/QLxjn/rpIzsZwaHn560rWZ1j6d9daxiLJ1cEE8O0O18 +J4QlkLUOQCMsgnxkiS9URIEFsx/iquJ8x3/UIYVqYuUSK0dn0KlB7Xw4RDgUAo6Z +hbX/eCsqzu0ZGUAHMpuZd6lztkkOVrghpFSX4w0MgW6yCvbDzA5oKftF31suCDtM +WlsByqlyRXLh3TAllk04TTNYeza2RgAB0w2osMlZnqpq/Yt+Dqo96WZJaT0YwpXD +r+dJzPTKIUzXnn3Q3RRuCKNV73x92/orFBkC0o1j4bmpEOK2gA7GroNz/mXZ/Zri +kSX39lCxHYznGoTMk+AqmsYhR6D721JvffLuAZKaLoQ7OPc54QKCAQEA4/w9HguK +ZPDU1CvP7ooy9GOEznO5ztT7qqk36Uud2doTAh5Z+8J1GoaKgT+3BM5q0vLANC7P +wf1Aje1mVqZ9ZYDb5sKa/4VTZ3/mOgQGhJsZ71iHkid5027yIezKf9y6sOdDrXwx +pujMYLRExRsHc5QBS/fDfBLkumuN7gwBFTv9cdsi+INAP2JopVbxddPhCwU771yc +TUvVQTB5V+giD8koZywpqigw8xiuzf7YJngCyLshYXcg+PjOrgmz6vN54ENX6f7C +Dblu7RErraxQQfLu4jwH52AzGe9b175YFvdbRFqdpC/BtPvSkA0ogYQGoRclFTHr +MrTMy/kh2vsZZwKCAQEAy+IaLXu/ZXytNIF2KopNrTf7QqOLKBRpKr0EFxkbbObH +TORyvDHUpG8/pFBqzR+v9fG/JWNtf060F+qjrBjcHzGRXktf9g62qcom10MB+o3O 
+hTmLGGF06uhadariGS8td54qybaM48C4cY0Sj0hwoD8nDm1uqc7UGy9DLPww08Yv +FZbfs6KoftrqimF9PwIIUE6QrKy1aJgghWdHypLdA2oIu8r6nBaSG0lTS1L3BAEy +sVmG/2wLhCiPjyXAO+6KrRKrRdQAwISM88aoycYRpuH2Z5CyLDg1RJUHsXiXTiIz +qfYLgJSnCaPcv5GfS+K+U4IN1oimTM3gPP5+Q9TfqwKCAQBaDOGfInPRlwaZn4yL +7e5edYiZe0BjH+Ef8aLx9TouOGLVrWNhe9eBWK8QijgiH9414Ehm1C6fswZyiNip +VS2mkBVLuoY6c1EUSoKHW9uvOQwva8pwwkLubp4ZJEx/4JGlGlOzDKEYCk/fypR3 +PkvdLRKuDPkb4uKRd7Yh1n//ASkEdcgEXONdpeMrm4HYRo5XKgQYcX4TUeazzw++ +1yPNFGlvBxSV7zYWbyNsnkKGP1TqMG/o7YMKlEwelhqIrQ7ws+jftg60GRBldyjH +eo5g3jHZDlkY3PiSP+cI+lgVCjL0ds5ZcbuTXvw2hdv//EQaEOhGzObXqm5SCt+C +fTf1AoIBAF5y592aLhg9oZ9pOeyLFWDhRiygxp5SlkWOOo7YurPAVSNx0RUNoIxs +XPcpqdBMlZ9B1mLjpJ4NP7C0qg3XlmF8/PLJyDKcrlIJq+SczhXcC4f8GEu7GgaY +jQ9lkkhIaq+3Pesj/jCj3s37pFVsIYCawOUWHOXdQrU1N9FnItd4P+eodQkqmRPr +Jivk7bh6oI9TVgIoIAHMN4SVS9S0JF6oiFM2vNICQr0RQtzqGjRouase5kL9MniO +sbKGsn8RCn0S4PUAOTj2LrXfmeGfOB4vH47qoR+LCmIzB9VXIAC6J2Tc7ocqVhdJ +KcI1G65z4+ebn/16YE/EL9URsDyMKPECggEAFZzGJaGyVmoxLpp9ESPZwARDqU3C +RFx/bzh0IZ4lI9GhJaKKqG1xBaS+cM1e2fXJWivyy2uu5394gNZVz3L73a8MDucu +qkJc8wK6sFYNkjbf500OvnlWF9fifNdAqW1F9/QpiKmxhP4O+7m24GR07lxRG+Il +jhdtbAJTAHFzIExBJfu5djAqp3+3UWToYn1oauhQBIoVayAuZlu+DXkioEniBkrg +XEvCrFCC5RA8Vz5FJrR9leAcufZgkFlfxmn6SMLPbuP/kaAZRHQlcVIt9/KbIsyF +N8Ej07hMp9lzSTll7qeZjKB3unjOb5Bpyky7/9uEC6v7BLg7wmkguLhAzg== +-----END RSA PRIVATE KEY----- --- tomcat7-7.0.56.orig/test/org/apache/tomcat/util/net/localhost-cert.pem +++ tomcat7-7.0.56/test/org/apache/tomcat/util/net/localhost-cert.pem @@ -1,12 +1,12 @@ Certificate: Data: Version: 3 (0x2) - Serial Number: 4099 (0x1003) - Signature Algorithm: sha1WithRSAEncryption + Serial Number: 1 (0x1) + Signature Algorithm: sha256WithRSAEncryption Issuer: C=US, CN=ca-test.tomcat.apache.org Validity - Not Before: Feb 28 05:28:42 2013 GMT - Not After : Feb 28 05:28:42 2015 GMT + Not Before: Mar 24 19:59:58 2015 GMT + Not After : Mar 21 19:59:58 2025 GMT Subject: C=US, CN=localhost Subject Public Key Info: Public Key Algorithm: rsaEncryption 
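Review bot: The replacement localhost certificate is valid until `Not After : Mar 21 19:59:58 2025 GMT`, and the ca-cert and user1-cert PEMs added by this patch presumably share the same ten-year window, so the test suite will break again on that date just as it did with the 2015 expiry this patch fixes. Generating the CA, server and client test certificates at build time, or at least recording the openssl regeneration steps in a README next to the fixtures, would avoid a repeat. The move to sha256WithRSAEncryption and the added Key Usage extension are improvements and need no change.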
@@ -34,46 +34,68 @@ Certificate: X509v3 extensions: X509v3 Basic Constraints: CA:FALSE + X509v3 Key Usage: + Digital Signature, Non Repudiation, Key Encipherment Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 30:DB:AB:70:94:34:CA:FD:75:46:AB:CE:E2:4A:A9:9E:74:BC:69:BB X509v3 Authority Key Identifier: - keyid:B0:3B:BC:C9:FA:28:5F:3E:04:1F:9B:6C:C7:8B:68:D8:01:B0:F8:3D + keyid:76:DF:1D:58:6A:51:E3:01:FE:3C:D3:D6:EB:6D:84:45:DB:6F:F1:69 - Signature Algorithm: sha1WithRSAEncryption - ab:d3:e7:2b:35:d3:6d:9f:87:2a:64:58:f1:61:cb:56:a8:84: - 22:79:ac:0d:68:1f:55:0d:dd:16:16:72:c4:a9:75:2a:0e:f8: - b1:73:68:c9:ee:43:d8:5c:fa:07:5d:3f:41:fb:14:17:be:64: - 21:d8:1e:25:67:92:b2:c5:bb:43:1d:96:b6:d3:bd:1c:e1:a4: - c7:ee:e3:37:0b:92:14:56:ca:ad:a8:76:5b:80:c9:42:8c:89: - f1:42:6e:8c:fb:a1:d7:98:d5:6d:49:99:fe:b6:f6:c6:f3:cc: - 8f:06:54:6e:02:f5:8f:4b:f1:86:ac:14:93:6c:74:25:26:44: - 7a:5b:82:3c:57:d6:e5:14:6e:b7:29:53:e4:40:7a:2f:10:5d: - ff:28:7f:e5:e5:54:6c:38:fa:b9:27:97:2a:69:60:ba:4a:5a: - 28:65:b1:81:e0:b7:a1:74:d6:e6:07:81:6d:b8:59:c3:45:bd: - 7c:a8:17:67:1f:fc:52:1a:6c:90:87:4d:a1:98:51:8c:29:6a: - 84:d9:0d:24:a8:86:6a:5e:6a:b7:f9:27:9b:52:37:96:b5:fd: - 94:11:ca:c4:d9:6d:69:81:fa:96:34:63:3a:7c:49:2d:06:48: - ae:b1:14:59:12:29:8e:59:3d:03:99:42:90:e6:82:df:08:cf: - d7:77:ec:00 + Signature Algorithm: sha256WithRSAEncryption + 2e:96:3a:0f:19:2d:ad:3d:fb:ac:3e:39:a3:03:5b:76:5a:40: + d5:32:ba:ca:0f:32:c8:60:b6:32:f9:8e:6f:1b:02:d6:75:fd: + fb:57:a3:05:60:93:c7:21:28:66:6c:95:b5:06:9a:3d:ce:d4: + 40:bc:bb:38:8e:6f:6c:e0:5e:4d:e7:e2:80:5f:e1:34:92:c4: + ee:b4:dd:61:ae:9b:da:3a:60:c9:ca:a7:4a:90:d3:ae:98:0c: + 2a:56:22:bd:70:2c:3b:ca:d0:9f:ef:27:3e:fb:a2:fb:50:11: + f4:cc:d3:eb:bc:de:70:78:7e:fb:db:16:58:10:9b:ee:c0:71: + 69:cd:1a:94:2e:d5:2e:ab:d4:9a:e1:dd:99:e4:93:b7:a6:3b: + 50:55:ac:e5:28:58:ea:3c:8c:43:71:37:22:d6:24:f8:ce:05: + a5:4f:4c:38:99:6e:bd:33:02:d6:46:5b:e7:3f:fb:0e:dd:3b: + 
9b:f3:16:b0:c1:65:15:5b:47:41:f9:5f:d4:0c:4c:16:8c:06: + f3:e1:a0:ac:18:81:3a:d6:8f:53:72:66:28:1a:6c:19:df:21: + b6:cf:cf:90:a3:bf:68:79:6c:95:08:64:9e:ef:ae:88:b0:09: + 3b:2a:82:e5:47:c0:67:a5:05:d1:1b:9c:f0:cd:94:28:53:54: + 66:0c:fc:74:9c:1a:25:2a:ab:e8:f8:6c:16:49:da:06:13:7c: + 64:60:ec:64:c0:b8:f2:e7:8a:cb:d2:e7:90:c5:23:9e:36:40: + 07:52:35:13:3c:a1:cb:86:40:12:2e:cf:c8:1f:0c:45:e1:e6: + 8c:45:91:7e:d7:f7:52:76:74:d8:9c:6e:84:6f:c2:14:f0:7b: + a0:87:a6:26:3e:56:f6:8d:47:67:51:9b:d7:6e:f1:32:db:dd: + 91:ee:95:dd:c2:28:7c:35:8b:82:9c:2a:56:66:41:c2:26:c0: + 1d:5e:d6:89:53:8b:97:9e:07:bf:dd:76:e5:d8:47:94:ee:54: + 04:ce:ad:92:34:79:7d:90:4a:02:cb:14:27:d9:e8:fc:27:46: + 3f:80:d8:4b:f9:9f:ac:04:35:65:d8:ed:1e:32:23:64:03:fc: + 36:b4:db:6b:ed:eb:1d:50:3c:46:7e:2f:3a:fd:4d:14:4a:30: + 11:61:cc:a4:35:f0:4d:a1:3e:bb:62:49:ac:b3:b5:c2:ce:f5: + 41:44:62:2f:75:c7:c7:96:88:2a:b8:ce:4c:cc:a0:8f:eb:fe: + fa:98:7b:a4:d9:2c:cb:ba:41:30:84:ee:bb:95:7d:61:1e:be: + 39:8b:b6:3a:b3:5c:12:3b:27:e8:02:86:50:57:e0:89:6c:39: + 2e:c7:6f:29:73:1d:54:c9 -----BEGIN CERTIFICATE----- -MIIDSTCCAjGgAwIBAgICEAMwDQYJKoZIhvcNAQEFBQAwMTELMAkGA1UEBhMCVVMx -IjAgBgNVBAMTGWNhLXRlc3QudG9tY2F0LmFwYWNoZS5vcmcwHhcNMTMwMjI4MDUy -ODQyWhcNMTUwMjI4MDUyODQyWjAhMQswCQYDVQQGEwJVUzESMBAGA1UEAxMJbG9j -YWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5295PxiHkd0n -mDQkeVhH+cJpK9hbwOC7SlfWALW7arBmhFy48BIKJycynIIqLw9pd6bpDd9kMVHA -QR7c1HRRnKO4URNYc+4hnPljghvCLEnDCXD/qfOvogwLYC9q26UBRT40kI5naetF -8zQphds5ipnCD3IVIf1UNaZ7pzDLHk09MiTGS4RPX2D/ZF5oytj63ph9QARgt65Q -7MiMrt2UgUEYWwNjDysCYwqVau1+aOa21VbpTmDqHZVYM76iElXLf5zElwvbwJQJ -KrOf4Wt4DWMaQdVr29hIWQSI0RHV50UoDnwbeHUgff9/4dbq5MVRd0FCMEv/KTM9 -iViUaVtwJwIDAQABo3sweTAJBgNVHRMEAjAAMCwGCWCGSAGG+EIBDQQfFh1PcGVu -U1NMIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUMNurcJQ0yv11RqvO -4kqpnnS8abswHwYDVR0jBBgwFoAUsDu8yfooXz4EH5tsx4to2AGw+D0wDQYJKoZI -hvcNAQEFBQADggEBAKvT5ys1022fhypkWPFhy1aohCJ5rA1oH1UN3RYWcsSpdSoO 
-+LFzaMnuQ9hc+gddP0H7FBe+ZCHYHiVnkrLFu0MdlrbTvRzhpMfu4zcLkhRWyq2o -dluAyUKMifFCboz7odeY1W1Jmf629sbzzI8GVG4C9Y9L8YasFJNsdCUmRHpbgjxX -1uUUbrcpU+RAei8QXf8of+XlVGw4+rknlyppYLpKWihlsYHgt6F01uYHgW24WcNF -vXyoF2cf/FIabJCHTaGYUYwpaoTZDSSohmpearf5J5tSN5a1/ZQRysTZbWmB+pY0 -Yzp8SS0GSK6xFFkSKY5ZPQOZQpDmgt8Iz9d37AA= +MIIEVzCCAj+gAwIBAgIBATANBgkqhkiG9w0BAQsFADAxMQswCQYDVQQGEwJVUzEi +MCAGA1UEAwwZY2EtdGVzdC50b21jYXQuYXBhY2hlLm9yZzAeFw0xNTAzMjQxOTU5 +NThaFw0yNTAzMjExOTU5NThaMCExCzAJBgNVBAYTAlVTMRIwEAYDVQQDDAlsb2Nh +bGhvc3QwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDnb3k/GIeR3SeY +NCR5WEf5wmkr2FvA4LtKV9YAtbtqsGaEXLjwEgonJzKcgiovD2l3pukN32QxUcBB +HtzUdFGco7hRE1hz7iGc+WOCG8IsScMJcP+p86+iDAtgL2rbpQFFPjSQjmdp60Xz +NCmF2zmKmcIPchUh/VQ1pnunMMseTT0yJMZLhE9fYP9kXmjK2PremH1ABGC3rlDs +yIyu3ZSBQRhbA2MPKwJjCpVq7X5o5rbVVulOYOodlVgzvqISVct/nMSXC9vAlAkq +s5/ha3gNYxpB1Wvb2EhZBIjREdXnRSgOfBt4dSB9/3/h1urkxVF3QUIwS/8pMz2J +WJRpW3AnAgMBAAGjgYkwgYYwCQYDVR0TBAIwADALBgNVHQ8EBAMCBeAwLAYJYIZI +AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW +BBQw26twlDTK/XVGq87iSqmedLxpuzAfBgNVHSMEGDAWgBR23x1YalHjAf4809br +bYRF22/xaTANBgkqhkiG9w0BAQsFAAOCAgEALpY6DxktrT37rD45owNbdlpA1TK6 +yg8yyGC2MvmObxsC1nX9+1ejBWCTxyEoZmyVtQaaPc7UQLy7OI5vbOBeTefigF/h +NJLE7rTdYa6b2jpgycqnSpDTrpgMKlYivXAsO8rQn+8nPvui+1AR9MzT67zecHh+ ++9sWWBCb7sBxac0alC7VLqvUmuHdmeSTt6Y7UFWs5ShY6jyMQ3E3ItYk+M4FpU9M +OJluvTMC1kZb5z/7Dt07m/MWsMFlFVtHQflf1AxMFowG8+GgrBiBOtaPU3JmKBps +Gd8hts/PkKO/aHlslQhknu+uiLAJOyqC5UfAZ6UF0Ruc8M2UKFNUZgz8dJwaJSqr +6PhsFknaBhN8ZGDsZMC48ueKy9LnkMUjnjZAB1I1Ezyhy4ZAEi7PyB8MReHmjEWR +ftf3UnZ02JxuhG/CFPB7oIemJj5W9o1HZ1Gb127xMtvdke6V3cIofDWLgpwqVmZB +wibAHV7WiVOLl54Hv9125dhHlO5UBM6tkjR5fZBKAssUJ9no/CdGP4DYS/mfrAQ1 +ZdjtHjIjZAP8NrTba+3rHVA8Rn4vOv1NFEowEWHMpDXwTaE+u2JJrLO1ws71QURi +L3XHx5aIKrjOTMygj+v++ph7pNksy7pBMITuu5V9YR6+OYu2OrNcEjsn6AKGUFfg +iWw5LsdvKXMdVMk= -----END CERTIFICATE----- --- /dev/null +++ tomcat7-7.0.56/test/org/apache/tomcat/util/net/user1-key.pem 
@@ -0,0 +1,51 @@ +-----BEGIN RSA PRIVATE KEY----- +MIIJKgIBAAKCAgEA1ZvdXXlITttlkpkSDrQaL0WIBUegQs++vE0yad4JzUW8e0xU +aS1w4OuSYnPmR609AaAJxtwN74oGnZ0I7OD5pWjiE2bVKkOiyY7pomVdzN2HRtE9 +rgJ0o+7zBg8NPFt92JLnmqJkGmYYoYSl+rGNT5p6bBTdzWueOvhhbY8Kmqi4Bf7G +IZ07SQ2tu+lBC4GO1mnMpct7bLvDv6jP2WnPTKL7jl7ABKsH+sm/gHZPjSDhGW1p +xKY9/Xa6sLaQNTMImLyJN/OhGJVHuv+lJ9+D/0+vqncuXNXhSnPXxkw58AGhG/8S +OFc3HQzWwGesI0zKDn2HJUJC2iENuV/3TmJqN+R2Pqlxb9kQdONor5klJANN3PL7 +B2+OWom0XUOJsPVZkzZM78uoxq4sq9L+ExqBa3L71jbMq4DwoRc3C3VcEHXKgaHG +Jao0dDvO07T21WUCCNmkxcMNLIOoRjmINmhlu7zJnxQir14sQ+/qSxC9XTo3eOqE +EQy6P6up2xNu3JHs/yajFia/E7/10SlHr8PKl+U+5+fy7wZ92PhXfcPRGg48oAAP +knYNG9MJRdJHZNyrvRqe7fRMHc/t0bvlU/p4rCykeoiAHCkq79oro8vGSZITzNvp +Dr/0VqX6cQ4idCgJ4PZq07E4/AHxjEAYBBB7kw8ABPKDJxNCzjqGu7g48H8CAwEA +AQKCAgEAiCJAjvznh1ItxqMFLhe8BFp02KCQU2Qgs9MjCPN4HbmO6Kl5tlo+cSnQ +7ivdG9sdYTbEZFcEDqBRnQtij8zFbZSNWD4WJkxap8gLv/KIODMKrqhVfduUyJFV +kovvLINGjcr6DcPmtihRFEb8nOuhGpVh5hXaUbt/aSe4t+EMqgpS1YdMcEnLacBs +87AxQwr7pExjH1qyO1bi5vfIF1Bmy/mnBlH+YDs756nCATXldxT4QINJgAlOwoVz +b4G6IB15IhYuAVmkVo103IlmkSXS8tivJJ22D3ZDkXaIkpkr53iyW6xQyVVUC5CO +IKsxuoGK2HdJtQYooumj3Ht7mhoAhJn/8o8k8K0gKPAT99mGfJkM0sLx8mPNu1oC +9+Hk3Mv0TocFAZBiUmzWTAGB2YPCfSPcn9rFrhM/t7k1JB0pK5KQ9w4+d5T4/2oc +tuMsww9S54xRYR1Bp276Oe4KmRZT7Vm4Qe+7D+P5w8M8IWDo0xqZYTurosW5OKgS +S1cDbK16peBionwLdUC8D/PrdSXrwkdlDczYr1mZqkIAwWVQKvQ+b9X+W/7+7r8m +yn7v+opkjpOMQ8GN/Jwwapna95nxCvU4TfY+zmsoY27gOrU49nq7sZ1WseOGXbmF +63Rnsc7ba2FIp7vMWMkIRazT8Leb5J3GRgSZuOG43eWbyqBvGEkCggEBAPY54AOy +nAlBrloXNjf+EwHPJ2WJVb0aQCjoOSvXi6E9OCLIhjU/djySLnNZn6n80PFf5JtJ +V7CZuXXhBgstoLamdl4brlL8zb71PBkrtUKvCKAqOIDPP9MADDIbbOcip3h8Q+xl +6c/jh/kEKc5q3IdWcOuwmmJFPXqWxnWkRIqmt3EhNOHka6WbPNzVnaiJDZmn5Xzc +w6YnvdVGedbCeaCWCD4tP77zWUseJUm2uLMqLKmd20JZda2PFeN/eSkX8QKPfMWZ +XUP5L1BAZ9PK6TBvYm4nCf9q3JzHeVqd8xHVK4sthOSi2GUhfK3objZii6KzkOA6 +fKTvg3AK8e7Ny60CggEBAN4WiV+yiIHrF5zPUGPnDtnnUwB6wEezJb/alpgAN0H5 +RN/G7GOn5RuGr+d95EmRDwunQpWmcVhOQbGZBJXhkkMTVoe1onzj6Qg9iR6mFcgB 
+AsRM4uSCQumQJs5aM9XgSK4bhwdFU88iM4ifTxS+do1gmzULzQGaRzSE+9vFjrmN +w2WaejbAR9xE0PdIjQOJUxze6qANckJdQOnct9yYv1qcZj4ihVWfIj0PClwKFv+n +scWHA3JYqJlYNqrg7uj71pp3VXSEErZ/MQI5xuKZWnZh7gLWZyyRx8Fg+tyn+Q0N +tPR0X2/xSJHN5JLkojemmD2bVPXNiFAY9NThckWo8lsCggEBANiBB0L5GE7jXAWH +h3swg1IB7qhPW/6NSIEvwKWWQAalJ+kd3TSQ+sxD1WhEFCqKTMcRBJiuotZ8NSE7 +ne7SThCMymPxfxUliVwxkoincBiUg8chmNFaasqDrjWY++c5B3zf93G0IyVS8kq5 +qHECcarnDR+RCA8Exww164ehy0sHUSG+ixtdmHHj0F51zs1UxYqooRdrnvVI2Jji +AVwfYIcdpV3Wt8iVfZyZgzwP2NRhbygtz4/Fzb2wpRSHD+hcTuVredDeC64rO7kb +CLCoKOcX6brlxNq8AgQxObm+TO8PO9yDR+kqb5BtI45fZBmaCSIlNmyTwOneWPp6 +BUVv23kCggEABYUv4vYQGJKcYqRwjhsnLllmocNrVhzo2kz3o02WEgi9IobSR2Pb ++QQvCSUC8KUvZ42/xPJ/LL+9OEniaEtUFGC9rN/h6xLLLw5Ag0eDkRYdWH3EwgNO +4HlZzZVGZpGNnO5IO/EINUTXXRUApTZawgbdtMLXVKveCzsm+358nrYcXkEpuoSr +BJmdTBg8kRLvwu7zjAjphybEP0viMhSF5R2wGOlIwSkUc8oU6tbBXZdwfsVtW4FC +p5Uevr6akaX43pwKvrutr2WX9UM0Y1uGeRzUCrQDmoMBIRhlA+kU8rMdhVoDKUgp +Ep64iMIwGgwFCrr6sKVsNvl31HbKHVsmswKCAQEAuCdox0kj/QVF18j3zqG33ICS +m07QKTjmBIFkWae8IU/W5woTzAK/0g9W+0ZJ3YiPPqrKF6VjiURb769mzPn5nHWN +qW+enQD5FIdM+/U5t+exMebHinO86n3jZBAt78fVapxU23FAAVyYEWAYffd47VjU +bXRPJ4kweh6yov8vAJYAXp1D3I7LsGngr4v6soO9E63YueVKJyQEUbwXKoA8khxg +XAlFH1f41bkHzpGUPjfIzZY+/6A6Pm5p+At2eoPNwAG0zqcZgSmV6cyfepG5ON7N +1bd9Skf76LrWhZ9zj7ToBZ8oFT23CVWXvNDMggafwVwzard4rjz2GjH9xjEMlA== +-----END RSA PRIVATE KEY----- --- /dev/null +++ tomcat7-7.0.56/test/org/apache/tomcat/util/net/user1-cert.pem 
@@ -0,0 +1,31 @@ +-----BEGIN CERTIFICATE----- +MIIFUzCCAzugAwIBAgIBAjANBgkqhkiG9w0BAQsFADAxMQswCQYDVQQGEwJVUzEi +MCAGA1UEAwwZY2EtdGVzdC50b21jYXQuYXBhY2hlLm9yZzAeFw0xNTAzMjQyMTM0 +NDlaFw0yNTAzMjEyMTM0NDlaMB0xCzAJBgNVBAYTAlVTMQ4wDAYDVQQDDAV1c2Vy +MTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBANWb3V15SE7bZZKZEg60 +Gi9FiAVHoELPvrxNMmneCc1FvHtMVGktcODrkmJz5ketPQGgCcbcDe+KBp2dCOzg ++aVo4hNm1SpDosmO6aJlXczdh0bRPa4CdKPu8wYPDTxbfdiS55qiZBpmGKGEpfqx +jU+aemwU3c1rnjr4YW2PCpqouAX+xiGdO0kNrbvpQQuBjtZpzKXLe2y7w7+oz9lp +z0yi+45ewASrB/rJv4B2T40g4RltacSmPf12urC2kDUzCJi8iTfzoRiVR7r/pSff +g/9Pr6p3LlzV4Upz18ZMOfABoRv/EjhXNx0M1sBnrCNMyg59hyVCQtohDblf905i +ajfkdj6pcW/ZEHTjaK+ZJSQDTdzy+wdvjlqJtF1DibD1WZM2TO/LqMauLKvS/hMa +gWty+9Y2zKuA8KEXNwt1XBB1yoGhxiWqNHQ7ztO09tVlAgjZpMXDDSyDqEY5iDZo +Zbu8yZ8UIq9eLEPv6ksQvV06N3jqhBEMuj+rqdsTbtyR7P8moxYmvxO/9dEpR6/D +ypflPufn8u8Gfdj4V33D0RoOPKAAD5J2DRvTCUXSR2Tcq70anu30TB3P7dG75VP6 +eKwspHqIgBwpKu/aK6PLxkmSE8zb6Q6/9Fal+nEOInQoCeD2atOxOPwB8YxAGAQQ +e5MPAATygycTQs46hru4OPB/AgMBAAGjgYkwgYYwCQYDVR0TBAIwADALBgNVHQ8E +BAMCBeAwLAYJYIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmlj +YXRlMB0GA1UdDgQWBBScK5WwJtBUN1SUQXg/qJnsEeyrljAfBgNVHSMEGDAWgBR2 +3x1YalHjAf4809brbYRF22/xaTANBgkqhkiG9w0BAQsFAAOCAgEARD1D2U66pomF +f+gpTIVvRkmODw4UQaFd9aNyrW+7e8Blz7zFbju1Y8x6wsnTmZYWgkpCV3nsB3FH +cvkqbRP0/ixglaxSOOOWF9xgQTO0+mzXrhFKIEHiwR1ww3QmY9c5s3SKSY2JThj1 +yjHt5NhT9NwsUBsK8LHRn/JlGROrSOHqgcTiQpA98B7zK4iSkH8tPZXwIiviBCL3 +S3g6yO3ucAVatfxYjkh7/AeS0MiAJkbfI3MSJTpvFNrWAYQysU+eVqcAD/r28Ohd +0SqT9STQslqNqYd+z3Y4i4GSIoWmh2iDif0k/Sf1RQg8n8XZ/Ng9crxBmUKxbTfS +DRi33odew/SN7Ni7ZABHsKc4gP2+9u99lOLzA+MqDwwNICqJxVySYkVx+MEGNyuS +FbYZt5A9NmC2QjdL/9r423BIM9XoxOjmcLKoYSOg/vr4p+3cBhMK8yyvQhWqYeo3 +lBi4hEBeL9/YCyu9oJ8bildQ/bcHeFAZzNq+5NBddlI83txsQdoRWlcEeLJsCvGS +3z4HBFt+3kZIvEWp93jze5A6q1qbzZ3KtyyOuVexqr8KezCPEAve98gOxF+yMQlI +FSSx8XKeVPzZ9Jjs2m2nc6Qx3p1Y9p7+zJO8UUtebLnvSs6pq0aiZpDzvRWg11Pn +jojyYNZ5CXKnMGm8K8ajQmpWFcW7TEE= +-----END CERTIFICATE----- 
debian/patches/CVE-2018-11784.patch0000644000000000000000000000160113357144310013324 0ustar Description: fix arbitrary redirect issue Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1840057 Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/DefaultServlet.java 2018-10-09 11:23:17.000000000 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java 2018-10-09 11:25:26.283430261 -0400 @@ -1077,6 +1077,10 @@ public class DefaultServlet location.append('?'); location.append(request.getQueryString()); } + // Avoid protocol relative redirects + while (location.length() > 1 && location.charAt(1) == '/') { + location.deleteCharAt(0); + } response.sendRedirect(response.encodeRedirectURL(location.toString())); } debian/patches/0003-disable-APR-library-loading.patch0000644000000000000000000000144313067502611017321 0ustar From: Thierry Carrez Date: Mon, 28 Jun 2010 21:32:28 +0200 Subject: [PATCH] disable APR library loading ... until we properly provide it. --- conf/server.xml | 2 ++ 1 files changed, 2 insertions(+), 0 deletions(-) --- a/conf/server.xml +++ b/conf/server.xml 
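Review bot: The normalisation loop in the DefaultServlet hunk is correct only if `location` always begins with '/', which the hunk does not show (the StringBuilder is built earlier in a method that starts outside the hunk); if any path produced a location with a scheme or other prefix, `charAt(1)` would be inspecting the wrong character. A comment stating that precondition, or a `location.charAt(0) == '/' &&` term in the loop condition, would make the intent explicit. The patch also carries no regression test; a test asserting that a request whose computed location starts with `//` is redirected to the single-slash form would pin the fix.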
@@ -24,7 +24,9 @@ --> + debian/patches/CVE-2014-0119.patch0000644000000000000000000004217413067502611013240 0ustar Description: fix arbitrary file disclosure via XML parser Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1589851 Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1588199 Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1589997 Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1590028 Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1590036 Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/tomcat7/+bug/1449975 Index: tomcat7-7.0.52/java/org/apache/catalina/security/SecurityClassLoad.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/security/SecurityClassLoad.java 2015-06-19 12:55:19.731993007 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/security/SecurityClassLoad.java 2015-06-19 12:55:19.727992960 -0400 @@ -39,6 +39,7 @@ loadCoyotePackage(loader); loadLoaderPackage(loader); loadRealmPackage(loader); + loadServletsPackage(loader); loadSessionPackage(loader); loadUtilPackage(loader); loadValvesPackage(loader); 
@@ -122,6 +123,18 @@ } + private static final void loadServletsPackage(ClassLoader loader) + throws Exception { + final String basePackage = "org.apache.catalina.servlets."; + // Avoid a possible memory leak in the DefaultServlet when running with + // a security manager. The DefaultServlet needs to load an XML parser + // when running under a security manager. We want this to be loaded by + // the container rather than a web application to prevent a memory leak + // via web application class loader. + loader.loadClass(basePackage + "DefaultServlet"); + } + + private static final void loadSessionPackage(ClassLoader loader) throws Exception { final String basePackage = "org.apache.catalina.session."; Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/DefaultServlet.java 2015-06-19 12:55:19.731993007 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java 2015-06-19 12:55:19.727992960 -0400 @@ -32,6 +32,7 @@ import java.io.Reader; import java.io.StringReader; import java.io.StringWriter; +import java.security.AccessController; import java.util.ArrayList; import java.util.Iterator; import java.util.Locale; @@ -74,6 +75,8 @@ import org.apache.naming.resources.Resource; import org.apache.naming.resources.ResourceAttributes; import org.apache.tomcat.util.res.StringManager; +import org.apache.tomcat.util.security.PrivilegedGetTccl; +import org.apache.tomcat.util.security.PrivilegedSetTccl; import org.w3c.dom.Document; import org.xml.sax.InputSource; import org.xml.sax.SAXException; @@ -129,8 +132,7 @@ private static final DocumentBuilderFactory factory; - private static final SecureEntityResolver secureEntityResolver = - new SecureEntityResolver(); + private static final SecureEntityResolver secureEntityResolver; // ----------------------------------------------------- Instance Variables 
@@ -238,9 +240,15 @@ urlEncoder.addSafeCharacter('*'); urlEncoder.addSafeCharacter('/'); - factory = DocumentBuilderFactory.newInstance(); - factory.setNamespaceAware(true); - factory.setValidating(false); + if (Globals.IS_SECURITY_ENABLED) { + factory = DocumentBuilderFactory.newInstance(); + factory.setNamespaceAware(true); + factory.setValidating(false); + secureEntityResolver = new SecureEntityResolver(); + } else { + factory = null; + secureEntityResolver = null; + } } @@ -1362,11 +1370,27 @@ sb.append("]]>"); } - sb.append(""); - + // Prevent possible memory leak. Ensure Transformer and + // TransformerFactory are not loaded from the web application. + ClassLoader original; + if (Globals.IS_SECURITY_ENABLED) { + PrivilegedGetTccl pa = new PrivilegedGetTccl(); + original = AccessController.doPrivileged(pa); + } else { + original = Thread.currentThread().getContextClassLoader(); + } try { + if (Globals.IS_SECURITY_ENABLED) { + PrivilegedSetTccl pa = + new PrivilegedSetTccl(DefaultServlet.class.getClassLoader()); + AccessController.doPrivileged(pa); + } else { + Thread.currentThread().setContextClassLoader( + DefaultServlet.class.getClassLoader()); + } + TransformerFactory tFactory = TransformerFactory.newInstance(); Source xmlSource = new StreamSource(new StringReader(sb.toString())); Transformer transformer = tFactory.newTransformer(xsltSource); 
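Review bot: In the `@@ -238,9 +240,15 @@` hunk `factory` and `secureEntityResolver` are now left `null` whenever no SecurityManager is installed, so every reader of those two static fields must be guarded by the same `Globals.IS_SECURITY_ENABLED` test or the non-security path will NPE; those readers are outside this hunk, so I cannot confirm they all are. A comment on the `else` branch would make the contract explicit: `// Without a SecurityManager web applications already have full file access, so the filtering parser is not built; callers must check Globals.IS_SECURITY_ENABLED before touching these fields.` The static initializer this hunk edits starts outside the hunk.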
@@ -1379,6 +1403,13 @@ return (new ByteArrayInputStream(stream.toByteArray())); } catch (TransformerException e) { throw new ServletException("XSL transformer error", e); + } finally { + if (Globals.IS_SECURITY_ENABLED) { + PrivilegedSetTccl pa = new PrivilegedSetTccl(original); + AccessController.doPrivileged(pa); + } else { + Thread.currentThread().setContextClassLoader(original); + } } } Index: tomcat7-7.0.52/java/org/apache/catalina/startup/TldConfig.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/startup/TldConfig.java 2015-06-19 12:55:19.731993007 -0400 +++ tomcat7-7.0.52/java/org/apache/catalina/startup/TldConfig.java 2015-06-19 12:55:19.727992960 -0400 @@ -79,7 +79,7 @@ /** * The Digesters available to process tld files. */ - private static Digester[] tldDigesters = new Digester[2]; + private static Digester[] tldDigesters = new Digester[4]; /** * Create (if necessary) and return a Digester configured to process the 
@@ -89,20 +89,34 @@ boolean blockExternal) { Digester digester = null; - if (!validation) { + if (!validation && !blockExternal) { if (tldDigesters[0] == null) { tldDigesters[0] = DigesterFactory.newDigester(validation, true, new TldRuleSet(), blockExternal); tldDigesters[0].getParser(); } digester = tldDigesters[0]; - } else { + } else if (!validation && blockExternal) { if (tldDigesters[1] == null) { tldDigesters[1] = DigesterFactory.newDigester(validation, true, new TldRuleSet(), blockExternal); tldDigesters[1].getParser(); } digester = tldDigesters[1]; + } else if (validation && !blockExternal) { + if (tldDigesters[2] == null) { + tldDigesters[2] = DigesterFactory.newDigester(validation, + true, new TldRuleSet(), blockExternal); + tldDigesters[2].getParser(); + } + digester = tldDigesters[2]; + } else { + if (tldDigesters[3] == null) { + tldDigesters[3] = DigesterFactory.newDigester(validation, + true, new TldRuleSet(), blockExternal); + tldDigesters[3].getParser(); + } + digester = tldDigesters[3]; } return digester; } Index: tomcat7-7.0.52/java/org/apache/jasper/compiler/JspDocumentParser.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/jasper/compiler/JspDocumentParser.java 2015-06-19 12:55:19.731993007 -0400 +++ tomcat7-7.0.52/java/org/apache/jasper/compiler/JspDocumentParser.java 2015-06-19 12:55:19.727992960 -0400 @@ -20,6 +20,7 @@ import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; +import java.security.AccessController; import java.util.Iterator; import java.util.List; import java.util.jar.JarFile; 
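Review bot: The four branches in the `@@ -89,20 +89,34 @@` hunk are the same five lines repeated with a different array index, and the index is a direct function of the two booleans; computing the slot once keeps the fix (a digester built with external entities allowed is no longer reused for a caller asking to block them) while removing the copy-paste. The method's signature starts outside the hunk, so only the body is shown below. Note that the lazy population of the static `tldDigesters` array is unsynchronised, as it was before this change; I have not verified whether callers serialise access.
```java
// … unchanged: signature of createTldDigester(boolean validation, boolean blockExternal) …
        // One cached Digester per (validation, blockExternal) combination, so a
        // digester created with external entities allowed is never handed to a
        // caller that asked for them to be blocked.
        int slot = (validation ? 2 : 0) + (blockExternal ? 1 : 0);
        if (tldDigesters[slot] == null) {
            tldDigesters[slot] = DigesterFactory.newDigester(validation,
                    true, new TldRuleSet(), blockExternal);
            tldDigesters[slot].getParser();
        }
        return tldDigesters[slot];
```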
@@ -35,6 +36,8 @@ import org.apache.jasper.JspCompilationContext; import org.apache.tomcat.util.descriptor.DigesterFactory; import org.apache.tomcat.util.descriptor.LocalResolver; +import org.apache.tomcat.util.security.PrivilegedGetTccl; +import org.apache.tomcat.util.security.PrivilegedSetTccl; import org.xml.sax.Attributes; import org.xml.sax.InputSource; import org.xml.sax.Locator; 
@@ -1464,33 +1467,58 @@ JspDocumentParser jspDocParser) throws Exception { - SAXParserFactory factory = SAXParserFactory.newInstance(); - - factory.setNamespaceAware(true); - // Preserve xmlns attributes - factory.setFeature( - "http://xml.org/sax/features/namespace-prefixes", - true); - - factory.setValidating(validating); - if (validating) { - // Enable DTD validation - factory.setFeature( - "http://xml.org/sax/features/validation", - true); - // Enable schema validation - factory.setFeature( - "http://apache.org/xml/features/validation/schema", - true); + ClassLoader original; + if (Constants.IS_SECURITY_ENABLED) { + PrivilegedGetTccl pa = new PrivilegedGetTccl(); + original = AccessController.doPrivileged(pa); + } else { + original = Thread.currentThread().getContextClassLoader(); } + try { + if (Constants.IS_SECURITY_ENABLED) { + PrivilegedSetTccl pa = + new PrivilegedSetTccl(JspDocumentParser.class.getClassLoader()); + AccessController.doPrivileged(pa); + } else { + Thread.currentThread().setContextClassLoader( + JspDocumentParser.class.getClassLoader()); + } + + SAXParserFactory factory = SAXParserFactory.newInstance(); - // Configure the parser - SAXParser saxParser = factory.newSAXParser(); - XMLReader xmlReader = saxParser.getXMLReader(); - xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, jspDocParser); - xmlReader.setErrorHandler(jspDocParser); + factory.setNamespaceAware(true); + // Preserve xmlns attributes + factory.setFeature( + "http://xml.org/sax/features/namespace-prefixes", + true); - return saxParser; + factory.setValidating(validating); + if (validating) { + // Enable DTD validation + factory.setFeature( + "http://xml.org/sax/features/validation", + true); + // Enable schema validation + factory.setFeature( + "http://apache.org/xml/features/validation/schema", + true); + } + + // Configure the parser + SAXParser saxParser = factory.newSAXParser(); + XMLReader xmlReader = saxParser.getXMLReader(); + xmlReader.setProperty(LEXICAL_HANDLER_PROPERTY, 
jspDocParser); + xmlReader.setErrorHandler(jspDocParser); + + return saxParser; + } finally { + if (Constants.IS_SECURITY_ENABLED) { + PrivilegedSetTccl pa = new PrivilegedSetTccl(original); + AccessController.doPrivileged(pa); + } else { + Thread.currentThread().setContextClassLoader(original); + } + } } /* Index: tomcat7-7.0.52/java/org/apache/jasper/xmlparser/ParserUtils.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/jasper/xmlparser/ParserUtils.java 2015-06-19 12:55:19.731993007 -0400 +++ tomcat7-7.0.52/java/org/apache/jasper/xmlparser/ParserUtils.java 2015-06-19 12:55:19.727992960 -0400 @@ -18,6 +18,7 @@ import java.io.IOException; import java.io.InputStream; +import java.security.AccessController; import javax.xml.parsers.DocumentBuilder; import javax.xml.parsers.DocumentBuilderFactory; @@ -29,6 +30,8 @@ import org.apache.tomcat.util.descriptor.DigesterFactory; import org.apache.tomcat.util.descriptor.LocalResolver; import org.apache.tomcat.util.descriptor.XmlErrorHandler; +import org.apache.tomcat.util.security.PrivilegedGetTccl; +import org.apache.tomcat.util.security.PrivilegedSetTccl; import org.w3c.dom.Comment; import org.w3c.dom.Document; import org.w3c.dom.NamedNodeMap; @@ -92,7 +95,23 @@ Document document = null; // Perform an XML parse of this document, via JAXP + ClassLoader original; + if (Constants.IS_SECURITY_ENABLED) { + PrivilegedGetTccl pa = new PrivilegedGetTccl(); + original = AccessController.doPrivileged(pa); + } else { + original = Thread.currentThread().getContextClassLoader(); + } try { + if (Constants.IS_SECURITY_ENABLED) { + PrivilegedSetTccl pa = + new PrivilegedSetTccl(ParserUtils.class.getClassLoader()); + AccessController.doPrivileged(pa); + } else { + Thread.currentThread().setContextClassLoader( + ParserUtils.class.getClassLoader()); + } + DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance(); factory.setNamespaceAware(true); 
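Review bot: The get-TCCL / set-to-container-loader / restore-in-finally sequence in the ParserUtils `@@ -92,7 +95,23 @@` hunk is the third verbatim copy of the same code in this patch (DefaultServlet and JspDocumentParser carry the other two), each with its own `Globals`/`Constants.IS_SECURITY_ENABLED` branching. A single helper beside `PrivilegedGetTccl`/`PrivilegedSetTccl` that returns the previous loader and accepts the flag would leave one place to get the privileged-block logic right. If the duplication is kept, a comment such as `// Swap the TCCL so JAXP's factory lookup cannot resolve a parser from the web application` at the top of the block would explain why the swap is security-relevant, since the hunk itself only says "Perform an XML parse". The enclosing `parseXMLDocument` method starts outside the hunk.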
@@ -132,6 +151,13 @@ } catch (IOException io) { throw new JasperException (Localizer.getMessage("jsp.error.parse.xml", location), io); + } finally { + if (Constants.IS_SECURITY_ENABLED) { + PrivilegedSetTccl pa = new PrivilegedSetTccl(original); + AccessController.doPrivileged(pa); + } else { + Thread.currentThread().setContextClassLoader(original); + } } // Convert the resulting document to a graph of TreeNodes Index: tomcat7-7.0.52/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/security/PrivilegedGetTccl.java 2015-06-19 12:55:41.768248901 -0400 @@ -0,0 +1,28 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.security; + +import java.security.PrivilegedAction; + +public class PrivilegedGetTccl implements PrivilegedAction { + @Override + public ClassLoader run() { + return Thread.currentThread().getContextClassLoader(); + } +} + + Index: tomcat7-7.0.52/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java =================================================================== 
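Review bot: The new `PrivilegedGetTccl` class in the `@@ -0,0 +1,28 @@` hunk has no class comment, and in this rendering it reads `implements PrivilegedAction` with no type argument; the assignment `original = AccessController.doPrivileged(pa);` in the DefaultServlet and ParserUtils hunks only compiles if the declaration is `PrivilegedAction<ClassLoader>`, so the angle brackets have presumably been stripped by the page rather than by the patch — worth confirming against the actual file. Suggested javadoc: `/** Reads the current thread's context class loader inside a privileged block, for callers that run under a SecurityManager and must not expose the getContextClassLoader permission check to web application code. */`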
--- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/security/PrivilegedSetTccl.java 2015-06-19 12:55:41.768248901 -0400 
@@ -0,0 +1,34 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.tomcat.util.security; + +import java.security.PrivilegedAction; + +public class PrivilegedSetTccl implements PrivilegedAction { + + private ClassLoader cl; + + public PrivilegedSetTccl(ClassLoader cl) { + this.cl = cl; + } + + @Override + public Void run() { + Thread.currentThread().setContextClassLoader(cl); + return null; + } +} \ No newline at end of file debian/patches/CVE-2016-6816.patch0000644000000000000000000004571613067502611013261 0ustar Description: fix HTTP response injection via invalid characters Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312 Origin: backport, http://svn.apache.org/r1767675 Index: tomcat7-7.0.52/java/org/apache/coyote/http11/AbstractInputBuffer.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/AbstractInputBuffer.java 2017-01-18 13:37:43.367056800 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/AbstractInputBuffer.java 2017-01-18 13:37:43.363056748 -0500 
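Review bot: `PrivilegedSetTccl.cl` is assigned only in the constructor, so `private final ClassLoader cl;` states the intent and prevents a later mutation between construction and `run()`; the hunk also ends with `\ No newline at end of file`, which the other new file in this patch avoids. A class comment is missing as well, e.g. `/** Sets the current thread's context class loader inside a privileged block; pair with PrivilegedGetTccl to save and restore the original loader. */`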
@@ -28,64 +28,10 @@ public abstract class AbstractInputBuffer implements InputBuffer{ - protected static final boolean[] HTTP_TOKEN_CHAR = new boolean[128]; - /** * The string manager for this package. */ - protected static final StringManager sm = - StringManager.getManager(Constants.Package); - - - static { - for (int i = 0; i < 128; i++) { - if (i < 32) { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == 127) { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '(') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == ')') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '<') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '>') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '@') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == ',') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == ';') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == ':') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '\\') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '\"') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '/') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '[') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == ']') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '?') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '=') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '{') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '}') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == ' ') { - HTTP_TOKEN_CHAR[i] = false; - } else if (i == '\t') { - HTTP_TOKEN_CHAR[i] = false; - } else { - HTTP_TOKEN_CHAR[i] = true; - } - } - } + protected static final StringManager sm = StringManager.getManager(Constants.Package); /** Index: tomcat7-7.0.52/java/org/apache/coyote/http11/InternalAprInputBuffer.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/InternalAprInputBuffer.java 2017-01-18 13:37:43.367056800 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/InternalAprInputBuffer.java 2017-01-18 
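Review bot: The `@@ -28,64 +28,10 @@` hunk deletes the `protected static final boolean[] HTTP_TOKEN_CHAR` field from the public abstract class `AbstractInputBuffer`, which is an API change in what is shipped as a distribution security backport; any out-of-tree subclass that references it will fail to load with a `NoSuchFieldError`. If such subclasses are considered unsupported that is fine, but the patch header should say so, or the field could be kept as a deprecated alias populated from `HttpParser.isToken` for the 7.0.52 line.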
13:37:43.363056748 -0500 @@ -30,6 +30,7 @@ import org.apache.tomcat.jni.Status; import org.apache.tomcat.util.buf.ByteChunk; import org.apache.tomcat.util.buf.MessageBytes; +import org.apache.tomcat.util.http.parser.HttpParser; import org.apache.tomcat.util.net.AbstractEndpoint; import org.apache.tomcat.util.net.SocketWrapper; @@ -176,6 +177,8 @@ if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { space = true; request.method().setBytes(buf, start, pos - start); + } else if (!HttpParser.isToken(buf[pos])) { + throw new IllegalArgumentException(sm.getString("iib.invalidmethod")); } pos++; @@ -219,15 +222,16 @@ if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { space = true; end = pos; - } else if ((buf[pos] == Constants.CR) + } else if ((buf[pos] == Constants.CR) || (buf[pos] == Constants.LF)) { // HTTP/0.9 style request eol = true; space = true; end = pos; - } else if ((buf[pos] == Constants.QUESTION) - && (questionPos == -1)) { + } else if ((buf[pos] == Constants.QUESTION) && (questionPos == -1)) { questionPos = pos; + } else if (HttpParser.isNotRequestTarget(buf[pos])) { + throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget")); } pos++; @@ -264,7 +268,7 @@ // // Reading the protocol - // Protocol is always US-ASCII + // Protocol is always "HTTP/" DIGIT "." DIGIT // while (!eol) { @@ -281,6 +285,8 @@ if (end == 0) end = pos; eol = true; + } else if (!HttpParser.isHttpProtocol(buf[pos])) { + throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol")); } pos++; 
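Review bot: The comment rewritten in the `@@ -264,7 +268,7 @@` hunk, `// Protocol is always "HTTP/" DIGIT "." DIGIT`, overstates what the check added in `@@ -281,6 +285,8 @@` guarantees: `HttpParser.isHttpProtocol` only restricts the alphabet to `H`, `T`, `P`, `/`, `.` and digits, so `PTTH/9.9` or `HTTP/1.1.1` pass this loop unchanged. The exact form is presumably enforced later when the protocol string is matched against the supported versions, but that is outside the hunk; I would reword to `// Protocol is restricted to the characters of "HTTP/" DIGIT "." DIGIT; the exact form is validated by the processor`. The same comment is duplicated in the InternalInputBuffer and InternalNioInputBuffer hunks below.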
@@ -379,7 +385,7 @@ if (buf[pos] == Constants.COLON) { colon = true; headerValue = headers.addValue(buf, start, pos - start); - } else if (!HTTP_TOKEN_CHAR[buf[pos]]) { + } else if (!HttpParser.isToken(buf[pos])) { // If a non-token header is detected, skip the line and // ignore the header skipLine(start); Index: tomcat7-7.0.52/java/org/apache/coyote/http11/InternalInputBuffer.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/InternalInputBuffer.java 2017-01-18 13:37:43.367056800 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/InternalInputBuffer.java 2017-01-18 13:37:43.363056748 -0500 @@ -28,6 +28,7 @@ import org.apache.juli.logging.LogFactory; import org.apache.tomcat.util.buf.ByteChunk; import org.apache.tomcat.util.buf.MessageBytes; +import org.apache.tomcat.util.http.parser.HttpParser; import org.apache.tomcat.util.net.AbstractEndpoint; import org.apache.tomcat.util.net.SocketWrapper; @@ -132,6 +133,8 @@ if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { space = true; request.method().setBytes(buf, start, pos - start); + } else if (!HttpParser.isToken(buf[pos])) { + throw new IllegalArgumentException(sm.getString("iib.invalidmethod")); } pos++; @@ -176,15 +179,16 @@ if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { space = true; end = pos; - } else if ((buf[pos] == Constants.CR) + } else if ((buf[pos] == Constants.CR) || (buf[pos] == Constants.LF)) { // HTTP/0.9 style request eol = true; space = true; end = pos; - } else if ((buf[pos] == Constants.QUESTION) - && (questionPos == -1)) { + } else if ((buf[pos] == Constants.QUESTION) && (questionPos == -1)) { questionPos = pos; + } else if (HttpParser.isNotRequestTarget(buf[pos])) { + throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget")); } pos++; 
@@ -220,9 +224,8 @@ // // Reading the protocol - // Protocol is always US-ASCII + // Protocol is always "HTTP/" DIGIT "." DIGIT // - while (!eol) { // Read new bytes if needed @@ -237,6 +240,8 @@ if (end == 0) end = pos; eol = true; + } else if (!HttpParser.isHttpProtocol(buf[pos])) { + throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol")); } pos++; @@ -335,7 +340,7 @@ if (buf[pos] == Constants.COLON) { colon = true; headerValue = headers.addValue(buf, start, pos - start); - } else if (!HTTP_TOKEN_CHAR[buf[pos]]) { + } else if (!HttpParser.isToken(buf[pos])) { // If a non-token header is detected, skip the line and // ignore the header skipLine(start); Index: tomcat7-7.0.52/java/org/apache/coyote/http11/InternalNioInputBuffer.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/InternalNioInputBuffer.java 2017-01-18 13:37:43.367056800 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/InternalNioInputBuffer.java 2017-01-18 13:37:43.367056800 -0500 @@ -25,6 +25,7 @@ import org.apache.coyote.Request; import org.apache.tomcat.util.buf.ByteChunk; import org.apache.tomcat.util.buf.MessageBytes; +import org.apache.tomcat.util.http.parser.HttpParser; import org.apache.tomcat.util.net.AbstractEndpoint; import org.apache.tomcat.util.net.NioChannel; import org.apache.tomcat.util.net.NioEndpoint; @@ -260,6 +261,8 @@ if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { space = true; request.method().setBytes(buf, parsingRequestLineStart, pos - parsingRequestLineStart); + } else if (!HttpParser.isToken(buf[pos])) { + throw new IllegalArgumentException(sm.getString("iib.invalidmethod")); } pos++; } 
@@ -300,21 +303,22 @@ if (buf[pos] == Constants.SP || buf[pos] == Constants.HT) { space = true; end = pos; - } else if ((buf[pos] == Constants.CR) + } else if ((buf[pos] == Constants.CR) || (buf[pos] == Constants.LF)) { // HTTP/0.9 style request parsingRequestLineEol = true; space = true; end = pos; - } else if ((buf[pos] == Constants.QUESTION) - && (parsingRequestLineQPos == -1)) { + } else if ((buf[pos] == Constants.QUESTION) && (parsingRequestLineQPos == -1)) { parsingRequestLineQPos = pos; + } else if (HttpParser.isNotRequestTarget(buf[pos])) { + throw new IllegalArgumentException(sm.getString("iib.invalidRequestTarget")); } pos++; } request.unparsedURI().setBytes(buf, parsingRequestLineStart, end - parsingRequestLineStart); if (parsingRequestLineQPos >= 0) { - request.queryString().setBytes(buf, parsingRequestLineQPos + 1, + request.queryString().setBytes(buf, parsingRequestLineQPos + 1, end - parsingRequestLineQPos - 1); request.requestURI().setBytes(buf, parsingRequestLineStart, parsingRequestLineQPos - parsingRequestLineStart); } else { @@ -343,10 +347,10 @@ // Mark the current buffer position end = 0; } - if (parsingRequestLinePhase == 6) { + if (parsingRequestLinePhase == 6) { // // Reading the protocol - // Protocol is always US-ASCII + // Protocol is always "HTTP/" DIGIT "." DIGIT // while (!parsingRequestLineEol) { // Read new bytes if needed @@ -361,10 +365,12 @@ if (end == 0) end = pos; parsingRequestLineEol = true; + } else if (!HttpParser.isHttpProtocol(buf[pos])) { + throw new IllegalArgumentException(sm.getString("iib.invalidHttpProtocol")); } pos++; } - + if ( (end - parsingRequestLineStart) > 0) { request.protocol().setBytes(buf, parsingRequestLineStart, end - parsingRequestLineStart); } else { 
@@ -553,7 +559,7 @@ headerData.realPos = pos; headerData.lastSignificantChar = pos; break; - } else if (!HTTP_TOKEN_CHAR[chr]) { + } else if (!HttpParser.isToken(chr)) { // If a non-token header is detected, skip the line and // ignore the header headerData.lastSignificantChar = pos; Index: tomcat7-7.0.52/java/org/apache/coyote/http11/LocalStrings.properties =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/LocalStrings.properties 2017-01-18 13:37:43.367056800 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/LocalStrings.properties 2017-01-18 13:37:43.367056800 -0500 @@ -39,8 +39,10 @@ http11processor.sendfile.error=Error sending data using sendfile. May be caused by invalid request attributes for start/end points iib.eof.error=Unexpected EOF read on the socket -iib.invalidheader=The HTTP header line [{0}] does not conform to RFC 2616 and has been ignored. +iib.invalidheader=The HTTP header line [{0}] does not conform to RFC 7230 and has been ignored. iib.invalidmethod=Invalid character (CR or LF) found in method name +iib.invalidRequestTarget=Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986 +iib.invalidHttpProtocol=Invalid character found in the HTTP protocol iib.parseheaders.ise.error=Unexpected state: headers already parsed. Buffer not recycled? iib.requestheadertoolarge.error=Request header is too large Index: tomcat7-7.0.52/java/org/apache/tomcat/util/http/parser/HttpParser.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/http/parser/HttpParser.java 2017-01-18 13:37:43.367056800 -0500 +++ tomcat7-7.0.52/java/org/apache/tomcat/util/http/parser/HttpParser.java 2017-01-18 13:38:39.275756428 -0500 
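Review bot: The LocalStrings `@@ -39,8 +39,10 @@` hunk leaves `iib.invalidmethod=Invalid character (CR or LF) found in method name` untouched, but the three input-buffer hunks above now throw it for any non-token byte (`!HttpParser.isToken(buf[pos])`), so the message will tell an operator that a CR/LF was seen when the rejected byte may have been, say, `(` or a high-bit byte. Change it to `iib.invalidmethod=Invalid character found in method name. HTTP method names must be tokens` so the log line matches what is actually checked.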
@@ -53,9 +53,14 @@ private static final Map fieldTypes = new HashMap(); - // Arrays used by isToken(), isHex() - private static final boolean isToken[] = new boolean[128]; - private static final boolean isHex[] = new boolean[128]; + private static final int ARRAY_SIZE = 128; + + private static final boolean[] IS_CONTROL = new boolean[ARRAY_SIZE]; + private static final boolean[] IS_SEPARATOR = new boolean[ARRAY_SIZE]; + private static final boolean[] IS_TOKEN = new boolean[ARRAY_SIZE]; + private static final boolean[] IS_HEX = new boolean[ARRAY_SIZE]; + private static final boolean[] IS_NOT_REQUEST_TARGET = new boolean[ARRAY_SIZE]; + private static final boolean[] IS_HTTP_PROTOCOL = new boolean[ARRAY_SIZE]; static { // Digest field types. 
@@ -77,24 +82,43 @@ // RFC2617 says nc is 8LHEX. <">8LHEX<"> will also be accepted fieldTypes.put("nc", FIELD_TYPE_LHEX); - // Setup the flag arrays - for (int i = 0; i < 128; i++) { - if (i < 32) { - isToken[i] = false; - } else if (i == '(' || i == ')' || i == '<' || i == '>' || i == '@' || - i == ',' || i == ';' || i == ':' || i == '\\' || i == '\"' || - i == '/' || i == '[' || i == ']' || i == '?' || i == '=' || - i == '{' || i == '}' || i == ' ' || i == '\t') { - isToken[i] = false; - } else { - isToken[i] = true; + for (int i = 0; i < ARRAY_SIZE; i++) { + // Control> 0-31, 127 + if (i < 32 || i == 127) { + IS_CONTROL[i] = true; } - if (i >= '0' && i <= '9' || i >= 'A' && i <= 'F' || - i >= 'a' && i <= 'f') { - isHex[i] = true; - } else { - isHex[i] = false; + // Separator + if ( i == '(' || i == ')' || i == '<' || i == '>' || i == '@' || + i == ',' || i == ';' || i == ':' || i == '\\' || i == '\"' || + i == '/' || i == '[' || i == ']' || i == '?' || i == '=' || + i == '{' || i == '}' || i == ' ' || i == '\t') { + IS_SEPARATOR[i] = true; + } + + // Token: Anything 0-127 that is not a control and not a separator + if (!IS_CONTROL[i] && !IS_SEPARATOR[i] && i < 128) { + IS_TOKEN[i] = true; + } + + // Hex: 0-9, a-f, A-F + if ((i >= '0' && i <='9') || (i >= 'a' && i <= 'f') || (i >= 'A' && i <= 'F')) { + IS_HEX[i] = true; + } + + // Not valid for request target. + // Combination of multiple rules from RFC7230 and RFC 3986. Must be + // ASCII, no controls plus a few additional characters excluded + if (IS_CONTROL[i] || i > 127 || + i == ' ' || i == '\"' || i == '#' || i == '<' || i == '>' || i == '\\' || + i == '^' || i == '`' || i == '{' || i == '|' || i == '}') { + IS_NOT_REQUEST_TARGET[i] = true; + } + + // Not valid for HTTP protocol + // "HTTP/" DIGIT "." DIGIT + if (i == 'H' || i == 'T' || i == 'P' || i == '/' || i == '.' || (i >= '0' && i <= '9')) { + IS_HTTP_PROTOCOL[i] = true; } } } 
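Review bot: The comment `// Not valid for HTTP protocol` above the `IS_HTTP_PROTOCOL[i] = true` assignment is inverted — that table marks the characters that are valid, and `isHttpProtocol` is used as `!HttpParser.isHttpProtocol(...)` to reject the rest — so it should read `// Valid for HTTP protocol: "HTTP/" DIGIT "." DIGIT`. Two of the tests in the same loop are dead because the loop runs `i < ARRAY_SIZE` with `ARRAY_SIZE = 128`: `i < 128` in the token rule and `i > 127` in the request-target rule can never change the result; bytes above 127 only reach the lookup methods as negative ints and are handled by their catch blocks, which is worth saying in a comment instead. Also `// Control> 0-31, 127` has a stray `>`.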
@@ -246,24 +270,47 @@ return result.toString(); } - private static boolean isToken(int c) { + public static boolean isToken(int c) { // Fast for correct values, slower for incorrect ones try { - return isToken[c]; + return IS_TOKEN[c]; } catch (ArrayIndexOutOfBoundsException ex) { return false; } } - private static boolean isHex(int c) { - // Fast for correct values, slower for incorrect ones + public static boolean isHex(int c) { + // Fast for correct values, slower for some incorrect ones + try { + return IS_HEX[c]; + } catch (ArrayIndexOutOfBoundsException ex) { + return false; + } + } + + + public static boolean isNotRequestTarget(int c) { + // Fast for valid request target characters, slower for some incorrect + // ones try { - return isHex[c]; + return IS_NOT_REQUEST_TARGET[c]; + } catch (ArrayIndexOutOfBoundsException ex) { + return true; + } + } + + + public static boolean isHttpProtocol(int c) { + // Fast for valid HTTP protocol characters, slower for some incorrect + // ones + try { + return IS_HTTP_PROTOCOL[c]; } catch (ArrayIndexOutOfBoundsException ex) { return false; } } + // Skip any LWS and return the next char private static int skipLws(StringReader input, boolean withReset) throws IOException { debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch0000644000000000000000000000411213067502611022546 0ustar From: Adam Guthrie Date: Mon, 28 Jun 2010 21:53:50 +0200 Subject: [PATCH] Use java.security.policy file in catalina.sh Make sure catalina.sh uses the Debian/Ubuntu java.security.policy file location when Tomcat is started with a security manager. Bug-Ubuntu: https://bugs.launchpad.net/bugs/591802 Bug-Debian: http://bugs.debian.org/585379 Forwarded: not-needed --- bin/catalina.sh | 6 +++--- 1 files changed, 3 insertions(+), 3 deletions(-) --- a/bin/catalina.sh +++ b/bin/catalina.sh 
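Review bot: All four lookup methods in the `@@ -246,24 +270,47 @@` hunk use `ArrayIndexOutOfBoundsException` as the out-of-range path, and because the callers pass signed `byte` values every byte at or above 0x80 in a request line now takes the exception path, which is both slower than the comment suggests and easy to misread as a bug; an explicit bound is clearer, e.g. `if (c < 0 || c >= ARRAY_SIZE) { return false; } return IS_TOKEN[c];` (with `return true;` in `isNotRequestTarget`). The asymmetric defaults are correct for how the callers use them (all four fail closed), but a one-line comment stating `// out-of-range bytes are never valid here` on each would document that this is deliberate rather than accidental.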
@@ -283,7 +283,7 @@ if [ "$1" = "debug" ] ; then -Djava.endorsed.dirs="$JAVA_ENDORSED_DIRS" -classpath "$CLASSPATH" \ -sourcepath "$CATALINA_HOME"/../../java \ -Djava.security.manager \ - -Djava.security.policy=="$CATALINA_BASE"/conf/catalina.policy \ + -Djava.security.policy=="$CATALINA_BASE"/policy/catalina.policy \ -Dcatalina.base="$CATALINA_BASE" \ -Dcatalina.home="$CATALINA_HOME" \ -Djava.io.tmpdir="$CATALINA_TMPDIR" \ @@ -310,7 +310,7 @@ elif [ "$1" = "run" ]; then eval exec "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \ -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \ -Djava.security.manager \ - -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \ + -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \ -Dcatalina.base="\"$CATALINA_BASE\"" \ -Dcatalina.home="\"$CATALINA_HOME\"" \ -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \ @@ -374,7 +374,7 @@ elif [ "$1" = "start" ] ; then eval "\"$_RUNJAVA\"" "\"$LOGGING_CONFIG\"" $LOGGING_MANAGER $JAVA_OPTS $CATALINA_OPTS \ -Djava.endorsed.dirs="\"$JAVA_ENDORSED_DIRS\"" -classpath "\"$CLASSPATH\"" \ -Djava.security.manager \ - -Djava.security.policy=="\"$CATALINA_BASE/conf/catalina.policy\"" \ + -Djava.security.policy=="\"$CATALINA_BASE/policy/catalina.policy\"" \ -Dcatalina.base="\"$CATALINA_BASE\"" \ -Dcatalina.home="\"$CATALINA_HOME\"" \ -Djava.io.tmpdir="\"$CATALINA_TMPDIR\"" \ debian/patches/0001-set-UTF-8-as-default-character-encoding.patch0000644000000000000000000000100213067502611021343 0ustar From: Thomas Koch Date: Mon, 28 Jun 2010 21:32:15 +0200 Subject: [PATCH] set UTF-8 as default character encoding --- conf/server.xml | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) --- a/conf/server.xml +++ b/conf/server.xml 
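Review bot: The three hunks change only the path, and none of the invocations checks that `$CATALINA_BASE/policy/catalina.policy` exists; with the `==` form the file replaces the JDK's default policy rather than adding to it, so a missing or unreadable file presumably leaves the SecurityManager with an empty policy and the container failing at startup with AccessControlExceptions that do not mention the policy file. A guard before the `eval` lines, `[ -r "$CATALINA_BASE/policy/catalina.policy" ] || echo "Warning: $CATALINA_BASE/policy/catalina.policy is not readable" >&2`, would make that failure diagnosable. The patch header could also note that the Debian init script is expected to assemble this file, if that is the case.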
@@ -69,6 +69,7 @@ --> debian/patches/CVE-2016-6797.patch0000644000000000000000000002304013067502611013253 0ustar Description: fix web application global JNDI resource access Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1757275 Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1763236 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842666 Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=845425 Index: tomcat7-7.0.52/java/org/apache/catalina/core/NamingContextListener.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/catalina/core/NamingContextListener.java 2014-01-27 09:53:14.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/catalina/core/NamingContextListener.java 2017-01-18 09:25:22.003043483 -0500 @@ -41,6 +41,7 @@ import org.apache.catalina.ContainerEvent; import org.apache.catalina.ContainerListener; import org.apache.catalina.Context; +import org.apache.catalina.Engine; import org.apache.catalina.Host; import org.apache.catalina.Lifecycle; import org.apache.catalina.LifecycleEvent; @@ -68,6 +69,7 @@ import org.apache.naming.ResourceRef; import org.apache.naming.ServiceRef; import org.apache.naming.TransactionRef; +import org.apache.naming.factory.ResourceLinkFactory; import org.apache.tomcat.util.modeler.Registry; import org.apache.tomcat.util.res.StringManager; @@ -334,6 +336,11 @@ for (ObjectName objectName : names) { Registry.getRegistry(null, null).unregisterComponent(objectName); } + javax.naming.Context global = getGlobalNamingContext(); + if (global != null) { + ResourceLinkFactory.deregisterGlobalResourceAccess(global); + } + objectNames.clear(); namingContext = null; 
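Review bot: The deregistration added in the NamingContextListener `@@ -334,6 +336,11 @@` hunk is keyed on the calling thread's context class loader (`deregisterGlobalResourceAccess(Context)` in the ResourceLinkFactory hunk below does `globalResourceRegistrations.remove(Thread.currentThread().getContextClassLoader())`), so this code must run with the web application's loader as TCCL or the entry, and the strong reference to that loader, stays in the map. Tomcat normally binds the web application loader around lifecycle events, but that is not visible here; a comment such as `// Keyed on the TCCL: must run with the web application class loader bound` next to the call would make the dependency explicit. The `global != null` guard here is also absent from the registration site in the next hunk.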
@@ -1155,6 +1162,17 @@ logger.error(sm.getString("naming.bindFailed", e)); } + ResourceLinkFactory.registerGlobalResourceAccess( + getGlobalNamingContext(), resourceLink.getName(), resourceLink.getGlobal()); + } + + + private javax.naming.Context getGlobalNamingContext() { + if (container instanceof Context) { + Engine e = (Engine) ((Context) container).getParent().getParent(); + return e.getService().getServer().getGlobalNamingContext(); + } + return null; } @@ -1258,6 +1276,7 @@ logger.error(sm.getString("naming.unbindFailed", e)); } + ResourceLinkFactory.deregisterGlobalResourceAccess(getGlobalNamingContext(), name); } Index: tomcat7-7.0.52/java/org/apache/naming/factory/ResourceLinkFactory.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/naming/factory/ResourceLinkFactory.java 2017-01-18 09:17:31.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/naming/factory/ResourceLinkFactory.java 2017-01-18 09:27:10.896585540 -0500 @@ -18,7 +18,10 @@ package org.apache.naming.factory; +import java.util.HashMap; import java.util.Hashtable; +import java.util.Map; +import java.util.concurrent.ConcurrentHashMap; import javax.naming.Context; import javax.naming.Name; @@ -32,7 +35,7 @@ /** *
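Review bot: In the `@@ -1155` hunk, `registerGlobalResourceAccess(getGlobalNamingContext(), ...)` passes the helper's result straight through, although the new `getGlobalNamingContext()` returns null whenever `container` is not a `Context`; the `@@ -334` hunk guards that null before deregistering, but this call does not, so a null global context would reach `validateGlobalContext`. The helper also casts `getParent().getParent()` to `Engine` without checking that the Context is actually deployed under a Host and an Engine, which would presumably surface as a `ClassCastException` or `NullPointerException` for other layouts. Finally, the registration runs after the preceding catch block has only logged a failed bind, so a link that was never bound is still recorded as an allowed global-resource access; if that is intended, a one-line comment saying so would help the next reader. The enclosing method begins outside the hunk.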

      Object factory for resource links.

      - * + * * @author Remy Maucherat */ public class ResourceLinkFactory @@ -50,6 +53,8 @@ */ private static Context globalContext = null; + private static Map> globalResourceRegistrations = + new ConcurrentHashMap>(); // --------------------------------------------------------- Public Methods 
@@ -69,6 +74,59 @@ } + public static void registerGlobalResourceAccess(Context globalContext, String localName, + String globalName) { + validateGlobalContext(globalContext); + ClassLoader cl = Thread.currentThread().getContextClassLoader(); + Map registrations = globalResourceRegistrations.get(cl); + if (registrations == null) { + // Web application initialization is single threaded so this is + // safe. + registrations = new HashMap(); + globalResourceRegistrations.put(cl, registrations); + } + registrations.put(localName, globalName); + } + + + public static void deregisterGlobalResourceAccess(Context globalContext, String localName) { + validateGlobalContext(globalContext); + ClassLoader cl = Thread.currentThread().getContextClassLoader(); + Map registrations = globalResourceRegistrations.get(cl); + if (registrations != null) { + registrations.remove(localName); + } + } + + + public static void deregisterGlobalResourceAccess(Context globalContext) { + validateGlobalContext(globalContext); + ClassLoader cl = Thread.currentThread().getContextClassLoader(); + globalResourceRegistrations.remove(cl); + } + + + private static void validateGlobalContext(Context globalContext) { + if (ResourceLinkFactory.globalContext != null && + ResourceLinkFactory.globalContext != globalContext) { + throw new SecurityException("Caller provided invalid global context"); + } + } + + + private static boolean validateGlobalResourceAccess(String globalName) { + ClassLoader cl = Thread.currentThread().getContextClassLoader(); + while (cl != null) { + Map registrations = globalResourceRegistrations.get(cl); + if (registrations != null && registrations.containsValue(globalName)) { + return true; + } + cl = cl.getParent(); + } + return false; + } + + // -------------------------------------------------- ObjectFactory Methods 
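Review bot: `validateGlobalContext` accepts any caller-supplied context while the static `ResourceLinkFactory.globalContext` is still null, because the check is `ResourceLinkFactory.globalContext != null && ResourceLinkFactory.globalContext != globalContext`; if the startup sequence guarantees that `setGlobalContext` runs before any registration, a comment stating that assumption would help, otherwise the null case should be rejected too. The per-loader map created in `registerGlobalResourceAccess` is a plain `HashMap` justified by the comment that initialization is single threaded, but the same map is read by `validateGlobalResourceAccess` on lookup threads and mutated by `deregisterGlobalResourceAccess(Context, String)` at undeploy, so the single-thread assumption does not cover its whole lifetime; using `ConcurrentHashMap` for the inner map as well (the class already imports it) would remove the reliance on that assumption. `validateGlobalResourceAccess` also walks parent class loaders, so a registration made under a shared parent loader grants access to every child loader; that looks intentional but deserves a comment at the `while (cl != null)` loop.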
@@ -93,6 +151,12 @@ RefAddr refAddr = ref.get(ResourceLinkRef.GLOBALNAME); if (refAddr != null) { globalName = refAddr.getContent().toString(); + // When running under a security manager confirm that the current + // web application has really been configured to access the specified + // global resource + if (!validateGlobalResourceAccess(globalName)) { + return null; + } Object result = null; result = globalContext.lookup(globalName); // FIXME: Check type Index: tomcat7-7.0.52/test/org/apache/naming/TestNamingContext.java =================================================================== --- /dev/null 1970-01-01 00:00:00.000000000 +0000 +++ tomcat7-7.0.52/test/org/apache/naming/TestNamingContext.java 2017-01-18 09:22:50.172859691 -0500 
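Review bot: The added comment says the check happens "When running under a security manager", but the code below it calls `validateGlobalResourceAccess(globalName)` unconditionally, with no `System.getSecurityManager()` test, so the comment understates what the code does; I would replace it with `// Confirm that the current web application has been configured (via a resource link) to access the specified global resource; this applies whether or not a security manager is installed`. Returning null on a denied lookup is also indistinguishable to the caller from an absent resource, so a debug-level log line naming the context class loader and the requested global name would make both misconfiguration and unexpected access attempts visible to operators. The enclosing `getObjectInstance` method begins and ends outside the hunk.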
@@ -0,0 +1,87 @@ +package org.apache.naming; + +import javax.naming.Context; +import javax.naming.NamingException; + +import org.apache.catalina.deploy.ContextEnvironment; +import org.apache.catalina.deploy.ContextResourceLink; +import org.apache.catalina.startup.Tomcat; +import org.apache.catalina.startup.TomcatBaseTest; +import org.apache.naming.factory.ResourceLinkFactory; +import org.junit.Assert; +import org.junit.Test; + +public class TestNamingContext extends TomcatBaseTest { + + private static final String COMP_ENV = "comp/env"; + private static final String GLOBAL_NAME = "global"; + private static final String LOCAL_NAME = "local"; + private static final String DATA = "Cabbage"; + + + @Test + public void testGlobalNaming() throws Exception { + Tomcat tomcat = getTomcatInstance(); + tomcat.enableNaming(); + + org.apache.catalina.Context ctx = tomcat.addContext("", System.getProperty("java.io.tmpdir")); + + tomcat.start(); + + Context webappInitial = ContextBindings.getContext(ctx); + + // Nothing added at the moment so should be null + Object obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME); + Assert.assertNull(obj); + + ContextEnvironment ce = new ContextEnvironment(); + ce.setName(GLOBAL_NAME); + ce.setValue(DATA); + ce.setType(DATA.getClass().getName()); + + tomcat.getServer().getGlobalNamingResources().addEnvironment(ce); + + // No link so still should be null + obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME); + Assert.assertNull(obj); + + // Now add a resource link to the context + ContextResourceLink crl = new ContextResourceLink(); + crl.setGlobal(GLOBAL_NAME); + crl.setName(LOCAL_NAME); + crl.setType(DATA.getClass().getName()); + ctx.getNamingResources().addResourceLink(crl); + + // Link exists so should be OK now + obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME); + Assert.assertEquals(DATA, obj); + + // Try shortcut + ResourceLinkFactory factory = new ResourceLinkFactory(); + ResourceLinkRef rlr = new 
ResourceLinkRef(DATA.getClass().getName(), GLOBAL_NAME, null, null); + obj = factory.getObjectInstance(rlr, null, null, null); + Assert.assertEquals(DATA, obj); + + // Remove the link + ctx.getNamingResources().removeResourceLink(LOCAL_NAME); + + // No link so should be null + obj = doLookup(webappInitial, COMP_ENV + "/" + LOCAL_NAME); + Assert.assertNull(obj); + + // Shortcut should fail too + obj = factory.getObjectInstance(rlr, null, null, null); + Assert.assertNull(obj); + } + + + private Object doLookup(Context context, String name) { + Object result = null; + try { + result = context.lookup(name); + } catch (NamingException nnfe) { + // Ignore + } + return result; + } +} debian/patches/CVE-2014-0075.patch0000644000000000000000000002444113067502611013236 0ustar Description: fix denial of service via malformed chunk size Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1578341 Index: tomcat7-7.0.52/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java =================================================================== --- tomcat7-7.0.52.orig/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-01-27 08:45:27.000000000 -0500 +++ tomcat7-7.0.52/java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2014-07-24 13:21:20.683257321 -0400 @@ -320,7 +320,7 @@ int result = 0; boolean eol = false; - boolean readDigit = false; + int readDigit = 0; boolean extension = false; while (!eol) { @@ -342,10 +342,9 @@ } else if (!extension) { //don't read data after the trailer int charValue = HexUtils.getDec(buf[pos]); - if (charValue != -1) { - readDigit = true; - result *= 16; - result += charValue; + if (charValue != -1 && readDigit < 8) { + readDigit++; + result = (result << 4) | charValue; } else { //we shouldn't allow invalid, non hex characters //in the chunked header 
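Review bot: In the `@@ -342` hunk of ChunkedInputFilter the else-branch comment `//we shouldn't allow invalid, non hex characters` is now also reached for a ninth valid hex digit, because the added `readDigit < 8` condition falls through to that branch; the comment should say so, for example `// reject non-hex characters and chunk-size fields longer than 8 hex digits (would overflow int)`. The eight-digit cap together with the `result < 0` test in the `@@ -368` hunk bounds the accepted chunk size to 0x7fffffff, and a short comment at the `result < 0` line noting that it catches values with the top bit set would make that pairing explicit for the next maintainer. The enclosing method begins before the hunk and ends after it.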
@@ -368,7 +367,7 @@ } - if (!readDigit) + if (readDigit == 0 || result < 0) return false; if (result == 0) Index: tomcat7-7.0.52/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java =================================================================== --- tomcat7-7.0.52.orig/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java 2013-09-11 10:19:50.000000000 -0400 +++ tomcat7-7.0.52/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java 2014-07-24 13:21:23.655257307 -0400 @@ -105,7 +105,7 @@ Context ctx = tomcat.addContext("", System.getProperty("java.io.tmpdir")); - EchoHeaderServlet servlet = new EchoHeaderServlet(); + EchoHeaderServlet servlet = new EchoHeaderServlet(expectPass); Tomcat.addServlet(ctx, "servlet", servlet); ctx.addServletMapping("/", "servlet"); @@ -169,7 +169,7 @@ Context ctx = tomcat.addContext("", System.getProperty("java.io.tmpdir")); - Tomcat.addServlet(ctx, "servlet", new EchoHeaderServlet()); + Tomcat.addServlet(ctx, "servlet", new EchoHeaderServlet(false)); ctx.addServletMapping("/", "servlet"); // Limit the size of the trailing header @@ -233,7 +233,7 @@ Context ctx = tomcat.addContext("", System.getProperty("java.io.tmpdir")); - Tomcat.addServlet(ctx, "servlet", new EchoHeaderServlet()); + Tomcat.addServlet(ctx, "servlet", new EchoHeaderServlet(ok)); ctx.addServletMapping("/", "servlet"); tomcat.start(); @@ -282,7 +282,7 @@ Context ctx = tomcat.addContext("", System.getProperty("java.io.tmpdir")); - Tomcat.addServlet(ctx, "servlet", new EchoHeaderServlet()); + Tomcat.addServlet(ctx, "servlet", new EchoHeaderServlet(true)); ctx.addServletMapping("/", "servlet"); tomcat.start(); 
@@ -311,11 +311,136 @@ assertEquals("nullnull7nullnull", client.getResponseBody()); } + @Test + public void testChunkSizeZero() throws Exception { + doTestChunkSize(true, true, "", 10, 0); + } + + @Test + public void testChunkSizeAbsent() throws Exception { + doTestChunkSize(false, false, SimpleHttpClient.CRLF, 10, 0); + } + + @Test + public void testChunkSizeTwentyFive() throws Exception { + doTestChunkSize(true, true, "19" + SimpleHttpClient.CRLF + + "Hello World!Hello World!!" + SimpleHttpClient.CRLF, 40, 25); + } + + @Test + public void testChunkSizeEightDigit() throws Exception { + doTestChunkSize(true, true, "0000000C" + SimpleHttpClient.CRLF + + "Hello World!" + SimpleHttpClient.CRLF, 20, 12); + } + + @Test + public void testChunkSizeNineDigit() throws Exception { + doTestChunkSize(false, false, "00000000C" + SimpleHttpClient.CRLF + + "Hello World!" + SimpleHttpClient.CRLF, 20, 12); + } + + @Test + public void testChunkSizeLong() throws Exception { + doTestChunkSize(true, false, "7fFFffFF" + SimpleHttpClient.CRLF + + "Hello World!" + SimpleHttpClient.CRLF, 10, 10); + } + + @Test + public void testChunkSizeIntegerMinValue() throws Exception { + doTestChunkSize(false, false, "80000000" + SimpleHttpClient.CRLF + + "Hello World!" + SimpleHttpClient.CRLF, 10, 10); + } + + @Test + public void testChunkSizeMinusOne() throws Exception { + doTestChunkSize(false, false, "ffffffff" + SimpleHttpClient.CRLF + + "Hello World!" 
+ SimpleHttpClient.CRLF, 10, 10); + } + + /** + * @param expectPass + * If the servlet is expected to process the request + * @param expectReadWholeBody + * If the servlet is expected to fully read the body and reliably + * deliver a response + * @param chunks + * Text of chunks + * @param readLimit + * Do not read more than this many bytes + * @param expectReadCount + * Expected count of read bytes + * @throws Exception + * Unexpected + */ + private void doTestChunkSize(boolean expectPass, + boolean expectReadWholeBody, String chunks, int readLimit, + int expectReadCount) throws Exception { + // Setup Tomcat instance + Tomcat tomcat = getTomcatInstance(); + + // Must have a real docBase - just use temp + Context ctx = tomcat.addContext("", + System.getProperty("java.io.tmpdir")); + + BodyReadServlet servlet = new BodyReadServlet(expectPass, readLimit); + Tomcat.addServlet(ctx, "servlet", servlet); + ctx.addServletMapping("/", "servlet"); + + tomcat.start(); + + String request = "POST /echo-params.jsp HTTP/1.1" + + SimpleHttpClient.CRLF + "Host: any" + SimpleHttpClient.CRLF + + "Transfer-encoding: chunked" + SimpleHttpClient.CRLF + + "Content-Type: text/plain" + SimpleHttpClient.CRLF; + if (expectPass) { + request += "Connection: close" + SimpleHttpClient.CRLF; + } + request += SimpleHttpClient.CRLF + chunks + "0" + SimpleHttpClient.CRLF + + SimpleHttpClient.CRLF; + + TrailerClient client = new TrailerClient(tomcat.getConnector() + .getLocalPort()); + client.setRequest(new String[] { request }); + + Exception processException = null; + client.connect(); + try { + client.processRequest(); + } catch (Exception e) { + // Socket was probably closed before client had a chance to read + // response + processException = e; + } + if (expectPass) { + if (expectReadWholeBody) { + assertNull(processException); + } + if (processException == null) { + assertTrue(client.getResponseLine(), client.isResponse200()); + assertEquals(String.valueOf(expectReadCount), + 
client.getResponseBody()); + } + assertEquals(expectReadCount, servlet.getCountRead()); + } else { + if (processException == null) { + assertTrue(client.getResponseLine(), client.isResponse500()); + } + assertEquals(0, servlet.getCountRead()); + assertTrue(servlet.getExceptionDuringRead()); + } + } + private static class EchoHeaderServlet extends HttpServlet { private static final long serialVersionUID = 1L; private boolean exceptionDuringRead = false; + private final boolean expectPass; + + public EchoHeaderServlet(boolean expectPass) { + this.expectPass = expectPass; + } + @Override protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { @@ -334,6 +459,11 @@ } } catch (IOException ioe) { exceptionDuringRead = true; + if (!expectPass) { // as expected + log(ioe.toString()); + resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); + return; + } throw ioe; } 
@@ -358,6 +488,53 @@ } } + private static class BodyReadServlet extends HttpServlet { + private static final long serialVersionUID = 1L; + + private boolean exceptionDuringRead = false; + private int countRead = 0; + private final boolean expectPass; + private final int readLimit; + + public BodyReadServlet(boolean expectPass, int readLimit) { + this.expectPass = expectPass; + this.readLimit = readLimit; + } + + @Override + protected void doPost(HttpServletRequest req, HttpServletResponse resp) + throws ServletException, IOException { + resp.setContentType("text/plain"); + PrintWriter pw = resp.getWriter(); + + // Read the body - quick and dirty + InputStream is = req.getInputStream(); + try { + while (is.read() > -1 && countRead < readLimit) { + countRead++; + } + } catch (IOException ioe) { + exceptionDuringRead = true; + if (!expectPass) { // as expected + log(ioe.toString()); + resp.sendError(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); + return; + } + throw ioe; + } + + pw.write(Integer.valueOf(countRead).toString()); + } + + public boolean getExceptionDuringRead() { + return exceptionDuringRead; + } + + public int getCountRead() { + return countRead; + } + } + private static class TrailerClient extends SimpleHttpClient { public TrailerClient(int port) { debian/tomcat7-common.install0000644000000000000000000000012513067502611013421 0ustar output/build/bin/bootstrap.jar /usr/share/tomcat7/bin/ bin/* /usr/share/tomcat7/bin/ debian/libservlet3.0-java-doc.links0000644000000000000000000000012013067437273014313 0ustar /usr/share/doc/libservlet3.0-java/api /usr/share/doc/libservlet3.0-java-doc/api debian/libtomcat7-java.poms0000644000000000000000000000052413067502611013054 0ustar debian/poms/tomcat-annotations-api.pom debian/poms/tomcat-api.pom debian/poms/tomcat-catalina.pom debian/poms/tomcat-catalina-ha.pom debian/poms/tomcat-coyote.pom debian/poms/tomcat-jasper.pom debian/poms/tomcat-jasper-el.pom debian/poms/tomcat-juli.pom debian/poms/tomcat-tribes.pom 
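Review bot: `BodyReadServlet`'s `exceptionDuringRead` and `countRead` fields are written on Tomcat's request thread inside `doPost` and read by the test thread through `getExceptionDuringRead()`/`getCountRead()` with no synchronization, so the assertions in `doTestChunkSize` rely on whatever happens-before the client socket close provides. Declaring them `private volatile boolean exceptionDuringRead = false;` and `private volatile int countRead = 0;` makes the cross-thread visibility explicit at no cost; the same applies to the `expectPass` handling added to `EchoHeaderServlet` in the `@@ -311` hunk, whose `exceptionDuringRead` field predates this change.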
debian/poms/tomcat-util.pom debian/poms/tomcat-jdbc.pom debian/maven.rules0000644000000000000000000000067513067437273011374 0ustar # Force the version of the javax apis javax.servlet servlet-api jar s/.*/3.0/ javax.servlet.jsp jsp-api jar s/.*/2.2/ javax.el el-api jar s/.*/2.2/ # Convert tomcat version of the standard apis to the javax apis #s/org.apache.tomcat/javax.servlet/ s/tomcat-servlet-api/servlet-api/ jar s/.*/3.0/ #s/org.apache.tomcat/javax.servlet.jsp/ s/tomcat-jsp-api/jsp-api/ jar s/.*/2.2/ #s/org.apache.tomcat/javax.el/ s/tomcat-el-api/el-api/ jar s/.*/2.2/ debian/defaults.template0000644000000000000000000000375613067502611012546 0ustar # Run Tomcat as this user ID. Not setting this or leaving it blank will use the # default of tomcat7. TOMCAT7_USER=tomcat7 # Run Tomcat as this group ID. Not setting this or leaving it blank will use # the default of tomcat7. TOMCAT7_GROUP=tomcat7 # The home directory of the Java development kit (JDK). You need at least # JDK version 1.5. If JAVA_HOME is not set, some common directories for # OpenJDK, the Sun JDK, and various J2SE 1.5 versions are tried. #JAVA_HOME=/usr/lib/jvm/openjdk-6-jdk # You may pass JVM startup parameters to Java here. If unset, the default # options will be: -Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC # # Use "-XX:+UseConcMarkSweepGC" to enable the CMS garbage collector (improved # response time). If you use that option and you run Tomcat on a machine with # exactly one CPU chip that contains one or two cores, you should also add # the "-XX:+CMSIncrementalMode" option. JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC" # To enable remote debugging uncomment the following line. # You will then be able to use a java debugger on port 8000. #JAVA_OPTS="${JAVA_OPTS} -Xdebug -Xrunjdwp:transport=dt_socket,address=8000,server=y,suspend=n" # Java compiler to use for translating JavaServer Pages (JSPs). 
You can use all # compilers that are accepted by Ant's build.compiler property. #JSP_COMPILER=javac # Use the Java security manager? (yes/no, default: no) #TOMCAT7_SECURITY=no # Number of days to keep logfiles in /var/log/tomcat7. Default is 14 days. #LOGFILE_DAYS=14 # Whether to compress logfiles older than today's #LOGFILE_COMPRESS=1 # Location of the JVM temporary directory # WARNING: This directory will be destroyed and recreated at every startup ! #JVM_TMP=/tmp/tomcat7-temp # If you run Tomcat on port numbers that are all higher than 1023, then you # do not need authbind. It is used for binding Tomcat to lower port numbers. # NOTE: authbind works only with IPv4. Do not enable it when using IPv6. # (yes/no, default: no) #AUTHBIND=no debian/defaults.md5sum0000644000000000000000000000004713067437273012146 0ustar 8db3c173dfe0df41b6515d946324d415 lucid debian/libservlet3.0-java-doc.install0000644000000000000000000000005613067437273014651 0ustar output/api /usr/share/doc/libservlet3.0-java/ debian/orig-tar.sh0000755000000000000000000000066013067502611011254 0ustar #!/bin/sh -e VERSION=$2 TAR=../tomcat7_$VERSION.orig.tar.gz DIR=tomcat7-$VERSION TAG=$(echo TOMCAT_$VERSION | sed -e 's/\./_/g') svn export http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/$TAG $DIR tar -c -z -f $TAR --exclude 'standard.jar' --exclude 'jstl.jar' $DIR rm -rf $DIR ../$TAG # move to directory 'tarballs' if [ -r .svn/deb-layout ]; then . 
.svn/deb-layout mv $TAR $origDir echo "moved $TAR to $origDir" fi debian/compat0000644000000000000000000000000213067502611010365 0ustar 9 debian/tomcat7.postrm.in0000644000000000000000000000561413067502611012426 0ustar #!/bin/sh set -e #DEBHELPER# CONFFILE=/etc/default/tomcat7 LR_CONFFILE=/etc/logrotate.d/tomcat7 # Remove cached files and auto-generated catalina.policy rm -rf /var/cache/tomcat7/* rm -rf /var/lib/tomcat7/policy case "$1" in remove) # Remove ROOT webapp if not modified RWLOC="/var/lib/tomcat7/webapps/ROOT" RWFILES="$RWLOC/index.html $RWLOC/META-INF/context.xml" if [ "`(cat $RWFILES | md5sum -) 2>/dev/null | cut -d ' ' -f 1`" \ = "@ROOT_WEBAPP_MD5SUM@" ] ; then rm $RWFILES rmdir --ignore-fail-on-non-empty \ /var/lib/tomcat7/webapps/ROOT/META-INF \ /var/lib/tomcat7/webapps/ROOT \ /var/lib/tomcat7/webapps \ /var/lib/tomcat7 || true fi if [ -d /var/lib/tomcat7/common ] && [ -z "`(find var/lib/tomcat7/common/classes -type f)`" ] ; then rmdir --ignore-fail-on-non-empty \ /var/lib/tomcat7/common/classes \ /var/lib/tomcat7/common || true fi if [ -d /var/lib/tomcat7/server ] && [ -z "`(find var/lib/tomcat7/server/classes -type f)`" ] ; then rmdir --ignore-fail-on-non-empty \ /var/lib/tomcat7/server/classes \ /var/lib/tomcat7/server || true fi if [ -d /var/lib/tomcat7/shared ] && [ -z "`(find var/lib/tomcat7/shared/classes -type f)`" ] ; then rmdir --ignore-fail-on-non-empty \ /var/lib/tomcat7/shared/classes \ /var/lib/tomcat7/shared || true fi if [ -d "/var/cache/tomcat7" ] ; then rm -rf /var/cache/tomcat7 fi ;; purge) # ignore errors during purge set +e if [ -x "/usr/bin/ucf" ]; then ucf --purge $CONFFILE ucf --purge $LR_CONFFILE fi rm -rf /var/log/tomcat7 /var/lib/tomcat7/temp $CONFFILE $LR_CONFFILE if [ -d "/var/lib/tomcat7" ] ; then rmdir --ignore-fail-on-non-empty /var/lib/tomcat7 fi rmdir --ignore-fail-on-non-empty /etc/tomcat7/policy.d \ /etc/tomcat7/Catalina/localhost /etc/tomcat7/Catalina /etc/tomcat7 # clean up /etc/authbind after conffiles have 
been removed rmdir --ignore-fail-on-non-empty /etc/authbind/byuid /etc/authbind # Remove user/group and log files (don't remove everything under # /var/lib/tomcat7 because there might be user-installed webapps) db_get tomcat7/username && TOMCAT7_USER="$RET" || TOMCAT7_USER="tomcat7" db_get tomcat7/groupname && TOMCAT7_GROUP="$RET" || TOMCAT7_GROUP="tomcat7" deluser $TOMCAT7_USER delgroup $TOMCAT7_GROUP set -e ;; upgrade|failed-upgrade|abort-install|abort-upgrade|disappear) # Nothing to do here ;; *) echo "$0 called with unknown argument \`$1'" >&2 exit 1 ;; esac debian/tomcat7-docs.doc-base0000644000000000000000000000046313067437273013110 0ustar Document: tomcat7 Title: Apache Tomcat 7.0 Documentation Author: Apache Software Foundation Abstract: Documentation bundle for Apache Tomcat 7.0 Servlet/JSP container. Section: System/Administration Format: HTML Index: /usr/share/doc/tomcat7-docs/docs/index.html Files: /usr/share/doc/tomcat7-docs/docs/* debian/policy/0000755000000000000000000000000013067437273010501 5ustar debian/policy/04webapps.policy0000644000000000000000000000613513067437273013534 0ustar // ========== WEB APPLICATION PERMISSIONS ===================================== // These permissions are granted by default to all web applications // In addition, a web application will be given a read FilePermission // and JndiPermission for all files and directories in its document root. 
grant { // Required for JNDI lookup of named JDBC DataSource's and // javamail named MimePart DataSource used to send mail permission java.util.PropertyPermission "java.home", "read"; permission java.util.PropertyPermission "java.naming.*", "read"; permission java.util.PropertyPermission "javax.sql.*", "read"; // OS Specific properties to allow read access permission java.util.PropertyPermission "os.name", "read"; permission java.util.PropertyPermission "os.version", "read"; permission java.util.PropertyPermission "os.arch", "read"; permission java.util.PropertyPermission "file.separator", "read"; permission java.util.PropertyPermission "path.separator", "read"; permission java.util.PropertyPermission "line.separator", "read"; // JVM properties to allow read access permission java.util.PropertyPermission "java.version", "read"; permission java.util.PropertyPermission "java.vendor", "read"; permission java.util.PropertyPermission "java.vendor.url", "read"; permission java.util.PropertyPermission "java.class.version", "read"; permission java.util.PropertyPermission "java.specification.version", "read"; permission java.util.PropertyPermission "java.specification.vendor", "read"; permission java.util.PropertyPermission "java.specification.name", "read"; permission java.util.PropertyPermission "java.vm.specification.version", "read"; permission java.util.PropertyPermission "java.vm.specification.vendor", "read"; permission java.util.PropertyPermission "java.vm.specification.name", "read"; permission java.util.PropertyPermission "java.vm.version", "read"; permission java.util.PropertyPermission "java.vm.vendor", "read"; permission java.util.PropertyPermission "java.vm.name", "read"; // Required for OpenJMX permission java.lang.RuntimePermission "getAttribute"; // Allow read of JAXP compliant XML parser debug permission java.util.PropertyPermission "jaxp.debug", "read"; // Precompiled JSPs need access to this package. 
permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime"; permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.runtime.*"; // Example JSPs need those to work properly permission java.lang.RuntimePermission "accessClassInPackage.org.apache.jasper.el"; permission java.lang.RuntimePermission "accessDeclaredMembers"; // Precompiled JSPs need access to this system property. permission java.util.PropertyPermission "org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER", "read"; // java.io.tmpdir should be usable as a temporary file directory permission java.util.PropertyPermission "java.io.tmpdir", "read"; permission java.io.FilePermission "${java.io.tmpdir}/-", "read,write,delete"; }; debian/policy/01system.policy0000644000000000000000000000421613067437273013412 0ustar // Licensed to the Apache Software Foundation (ASF) under one or more // contributor license agreements. See the NOTICE file distributed with // this work for additional information regarding copyright ownership. // The ASF licenses this file to You under the Apache License, Version 2.0 // (the "License"); you may not use this file except in compliance with // the License. You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. // ============================================================================ // catalina.corepolicy - Security Policy Permissions for Tomcat 6 // // This file contains a default set of security policies to be enforced (by the // JVM) when Catalina is executed with the "-security" option. 
In addition // to the permissions granted here, the following additional permissions are // granted to the codebase specific to each web application: // // * Read access to the document root directory // // $Id: catalina.policy 609294 2008-01-06 11:43:46Z markt $ // ============================================================================ // ========== SYSTEM CODE PERMISSIONS ========================================= // These permissions apply to javac grant codeBase "file:${java.home}/lib/-" { permission java.security.AllPermission; }; // These permissions apply to all shared system extensions grant codeBase "file:${java.home}/jre/lib/ext/-" { permission java.security.AllPermission; }; // These permissions apply to javac when ${java.home] points at $JAVA_HOME/jre grant codeBase "file:${java.home}/../lib/-" { permission java.security.AllPermission; }; // These permissions apply to all shared system extensions when // ${java.home} points at $JAVA_HOME/jre grant codeBase "file:${java.home}/lib/ext/-" { permission java.security.AllPermission; }; debian/policy/02debian.policy0000644000000000000000000000051213067437273013304 0ustar // These permissions apply to all JARs from Debian packages grant codeBase "file:/usr/share/java/-" { permission java.security.AllPermission; }; grant codeBase "file:/usr/share/maven-repo/-" { permission java.security.AllPermission; }; grant codeBase "file:/usr/share/ant/lib/-" { permission java.security.AllPermission; }; debian/policy/03catalina.policy0000644000000000000000000000355213067437273013646 0ustar // ========== CATALINA CODE PERMISSIONS ======================================= // These permissions apply to the logging API grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.util.PropertyPermission "java.util.logging.config.class", "read"; permission java.util.PropertyPermission "java.util.logging.config.file", "read"; permission java.lang.RuntimePermission "shutdownHooks"; permission java.io.FilePermission 
"${catalina.base}${file.separator}conf${file.separator}logging.properties", "read"; permission java.util.PropertyPermission "catalina.base", "read"; permission java.util.logging.LoggingPermission "control"; permission java.io.FilePermission "${catalina.base}${file.separator}logs", "read, write"; permission java.io.FilePermission "${catalina.base}${file.separator}logs${file.separator}*", "read, write"; permission java.lang.RuntimePermission "getClassLoader"; permission java.lang.RuntimePermission "setContextClassLoader"; // To enable per context logging configuration, permit read access to the appropriate file. // Be sure that the logging configuration is secure before enabling such access // eg for the examples web application: // permission java.io.FilePermission "${catalina.base}${file.separator}webapps${file.separator}examples${file.separator}WEB-INF${file.separator}classes${file.separator}logging.properties", "read"; }; // These permissions apply to the server startup code grant codeBase "file:${catalina.home}/bin/bootstrap.jar" { permission java.security.AllPermission; }; // These permissions apply to the servlet API classes // and those that are shared across all class loaders // located in the "lib" directory grant codeBase "file:${catalina.home}/lib/-" { permission java.security.AllPermission; }; debian/policy/examples/0000755000000000000000000000000013067437273012317 5ustar debian/policy/examples/10examples.policy0000644000000000000000000000027413067437273015522 0ustar grant codeBase "file:${catalina.home}/bin/tomcat-juli.jar" { permission java.io.FilePermission "/usr/share/tomcat7-examples/examples/WEB-INF/classes/logging.properties", "read"; }; debian/policy/50local.policy0000644000000000000000000000315613067437273013166 0ustar // You can assign additional permissions to particular web applications by // adding additional "grant" entries here, based on the code base for that // application, /WEB-INF/classes/, or /WEB-INF/lib/ jar files. 
// // Different permissions can be granted to JSP pages, classes loaded from // the /WEB-INF/classes/ directory, all jar files in the /WEB-INF/lib/ // directory, or even to individual jar files in the /WEB-INF/lib/ directory. // // For instance, assume that the standard "examples" application // included a JDBC driver that needed to establish a network connection to the // corresponding database and used the scrape taglib to get the weather from // the NOAA web server. You might create a "grant" entries like this: // // The permissions granted to the context root directory apply to JSP pages. // grant codeBase "file:${catalina.base}/webapps/examples/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // }; // // The permissions granted to the context WEB-INF/classes directory // grant codeBase "file:${catalina.base}/webapps/examples/WEB-INF/classes/-" { // }; // // The permission granted to your JDBC driver // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/driver.jar!/-" { // permission java.net.SocketPermission "dbhost.mycompany.com:5432", "connect"; // }; // The permission granted to the scrape taglib // grant codeBase "jar:file:${catalina.base}/webapps/examples/WEB-INF/lib/scrape.jar!/-" { // permission java.net.SocketPermission "*.noaa.gov:80", "connect"; // }; debian/tomcat7.prerm0000644000000000000000000000056213067437273011632 0ustar #!/bin/sh set -e case "$1" in remove) [ -f /etc/default/tomcat7 ] && . /etc/default/tomcat7 [ -z "$TOMCAT7_USER" ] && TOMCAT7_USER="tomcat7" # Remove auth for tomcat7 to open privileged ports via authbind. 
TOMCAT_UID="`id -u $TOMCAT7_USER`" if [ -f "/etc/authbind/byuid/$TOMCAT_UID" ]; then rm -f /etc/authbind/byuid/$TOMCAT_UID fi ;; esac #DEBHELPER# debian/copyright0000644000000000000000000000677513067502611011141 0ustar Format: http://svn.debian.org/wsvn/dep/web/deps/dep5.mdwn?op=file&rev=166 Upstream-Name: Tomcat7 Upstream-Contact: Merten Falk Source: http://tomcat.apache.org/download-70.cgi Upstream-Authors: Alex Chaffee Alex Cruikshank [alex@epitonic.com] Amy Roh Andre de Jesus Andrew R. Jaquith Andy Clark Aner Perez Anil V (akv@eng.sun.com) Anselm Baird-Smith Arnaud Le Hors, IBM Bela Ban (modifications for synchronous replication) Bill Barker Bill Burke Bip Thelin Cedrik LIME Carson McDonald Costin@eng.sun.com Craig R. McClanahan Dan Milstein [danmil@shore.net] Dan Sandberg Daniel Rall Danno Ferrin David Becker Denis Benoit Eric Rescorla Eric Ye, IBM Fabien Carrion Fabrizio Giustina Filip Hanik Gabriele Garuglieri Gal Shachor [shachor@il.ibm.com] Glenn L. Nielsen Glenn Marcy, IBM Greg Murray Gunnar Rjnning Hans Bergsten Harish Prabandham Henri Gomez [hgomez@apache.org] Ignacio J. Ortega Jacek Laskowski Jacob Hookom [jacob@hookom.net] James Duncan Davidson [duncan@eng.sun.com] James Todd [gonzo@sun.com] Jan Luehe Jason Brittain Jason Hunter [jch@eng.sun.com] Jason van Zyl Jayson Falkner Jean-Francois Arcand Jean-Frederic Clere Jeffrey Rodriguez John Holman John McNally Jon S. Stevens Justyna Horwat Keith Wannamaker [Keith@Wannamaker.org] Kevin Seguin Kief Morris (kief@kief.com) Kin-man Chung Larry Cable Larry Isaacs Malcolm Edgar Mandar Raje Mark Roth Mark Thomas Martin Cooper Martin T Dengler [root@martindengler.com] Mel Martinez [mmartinez@g1440.com] Michael Glavassevich, IBM Mladen Turk Neil Graham, IBM Nicola Ken Barozzi Paul Speed Peter Donald Peter Lin Peter Rossbach (pero@apache.org) Pierre Delisle Rafal Krzewski Rafal.Krzewski@e-point.pl Rahul Srivastava, Sun Microsystems Inc. Rainer Jung Rajiv Mordani Remy Maucharat Remy Maucherat Richard A. 
Sitze Robert Field (inner SDEInstaller class) Rod Waldhoff Scott Sanders Sean C. Sullivan Sean Legassick Sean Legassick Shawn Bayern Stan Bailes Stefan Freyr Stefansson Stefano Mazzocchi TAMURA Kent, IBM Takayuki Kaneko Tim Fennell Tim Funk Tim Tye Vivek Chopra Yoav Shapira Files: * Copyright: 2000-2011 Apache Software Foundation. 2002, International Business Machines Corporation. License: Apache-2.0 Files: debian/* Copyright: 2008,2011, Canonical Ltd. 2008, Paul Cager 2010, Thierry Carrez 2011, Ernesto Hernanez-Novich License: Apache-2.0 License: Apache-2.0 Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at . http://www.apache.org/licenses/LICENSE-2.0 . Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. . On Debian GNU/Linux and Ubuntu systems, the complete text of the Apache 2.0 License can be found in the `/usr/share/common-licenses/Apache-2.0' file. 
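debian/tomcat7-docs.links0000644000000000000000000000007613067437273012553 0ustar
/usr/share/tomcat7-docs/docs /usr/share/doc/tomcat7-docs/docs
debian/libservlet3.0-java.poms0000644000000000000000000000037713067437273013424 0ustar
debian/poms/tomcat-servlet-api.pom --no-parent
debian/poms/tomcat-jsp-api.pom --no-parent
debian/poms/tomcat-el-api.pom --no-parent
debian/javaxpoms/servlet-api.pom --no-rules
debian/javaxpoms/jsp-api.pom --no-rules
debian/javaxpoms/el-api.pom --no-rules
debian/libservlet3.0-java.links0000644000000000000000000000034413067437273013560 0ustar
/usr/share/java/servlet-api-3.0.jar /usr/share/java/tomcat-servlet-api-3.0.jar
/usr/share/java/jsp-api-2.2.jar /usr/share/java/tomcat-jsp-api-2.2.jar
/usr/share/java/el-api-2.2.jar /usr/share/java/tomcat-el-api-2.2.jar
debian/tomcat7.config0000644000000000000000000000106613067437273011752 0ustar
#!/bin/sh
# debconf "config" script for tomcat7: pre-seeds the debconf questions from an
# existing /etc/default/tomcat7 (when present), then asks them at low priority.
set -e

. /usr/share/debconf/confmodule

CONFFILE="/etc/default/tomcat7"
# Fallback JAVA_OPTS. NOTE(review): tomcat7.postinst uses a different fallback
# (it adds -XX:+UseConcMarkSweepGC); when $CONFFILE exists but does not set
# JAVA_OPTS, this value is the one stored in debconf.
JAVA_OPTS="-Djava.awt.headless=true -Xmx128m"

if [ -e "${CONFFILE}" ]; then
  # The defaults file is sourced as shell; a broken one must not abort the
  # debconf run, hence "|| true".
  . "${CONFFILE}" || true
  if [ -n "${TOMCAT7_USER}" ]; then
    db_set tomcat7/username "${TOMCAT7_USER}"
  fi
  if [ -n "${TOMCAT7_GROUP}" ]; then
    db_set tomcat7/groupname "${TOMCAT7_GROUP}"
  fi
  if [ -n "${JAVA_OPTS}" ]; then
    db_set tomcat7/javaopts "${JAVA_OPTS}"
  fi
fi

# "|| true": db_input returns non-zero when a question is not shown (priority
# too low or already answered), which is not an error here.
db_input low tomcat7/username || true
db_input low tomcat7/groupname || true
db_input low tomcat7/javaopts || true
db_go
db_stop
debian/tomcat7.postinst0000644000000000000000000000704013067502611012353 0ustar
#!/bin/sh
# postinst for tomcat7: writes /etc/default/tomcat7 and the logrotate snippet
# from the debconf answers, creates the service user and group, fixes ownership
# and permissions of the configuration and runtime directories, and authorises
# the service user to bind privileged ports through authbind.
set -e

. /usr/share/debconf/confmodule

TEMPLATE="/usr/share/tomcat7/defaults.template"
CONFFILE="/etc/default/tomcat7"
LR_TEMPLATE="/usr/share/tomcat7/logrotate.template"
LR_CONFFILE="/etc/logrotate.d/tomcat7"
JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC"

case "$1" in
  configure)
    # Generate $CONFFILE from debconf settings and $TEMPLATE
    db_version 2.0
    if db_get tomcat7/username; then
      TOMCAT7_USER="$RET"
    else
      TOMCAT7_USER="tomcat7"
    fi
    if db_get tomcat7/groupname; then
      TOMCAT7_GROUP="$RET"
    else
      TOMCAT7_GROUP="tomcat7"
    fi
    if db_get tomcat7/javaopts; then
      JAVA_OPTS="$RET"
    else
      JAVA_OPTS="-Djava.awt.headless=true -Xmx128m -XX:+UseConcMarkSweepGC"
    fi

    tmpfile=$(mktemp /tmp/tomcat7.XXXXXXXXXX)
    chmod 644 "$tmpfile"
    # \001 is used as the sed delimiter because JAVA_OPTS routinely contains
    # '/', '%' and ':'. NOTE(review): the user and group names are debconf
    # answers (administrator-supplied); a '%', '&' or '\' in them would still
    # corrupt the first two substitutions.
    DELIM=$(printf '\001')
    sed -e "s%^TOMCAT7_USER=.*$%TOMCAT7_USER=$TOMCAT7_USER%" \
        -e "s%^TOMCAT7_GROUP=.*$%TOMCAT7_GROUP=$TOMCAT7_GROUP%" \
        -e "s${DELIM}^JAVA_OPTS=.*\$${DELIM}JAVA_OPTS=\"$JAVA_OPTS\"${DELIM}" \
        "$TEMPLATE" >> "$tmpfile"
    ucf --debconf-ok --sum-file /usr/share/tomcat7/defaults.md5sum "$tmpfile" "$CONFFILE"
    rm -f "$tmpfile"

    if ! getent group "$TOMCAT7_GROUP" > /dev/null 2>&1 ; then
      addgroup --system "$TOMCAT7_GROUP" --quiet
    fi
    if ! id "$TOMCAT7_USER" > /dev/null 2>&1 ; then
      # Unprivileged service account: no password, no login shell, no home created.
      adduser --system --home /usr/share/tomcat7 --no-create-home \
        --ingroup "$TOMCAT7_GROUP" --disabled-password --shell /bin/false \
        "$TOMCAT7_USER"
    fi

    # Logs and cache: writable by the service user, readable by group adm only.
    chown -R "$TOMCAT7_USER":adm /var/log/tomcat7 /var/cache/tomcat7
    chmod 750 /var/log/tomcat7 /var/cache/tomcat7

    # populate /etc/logrotate.d/tomcat7
    tmpfile=$(mktemp /tmp/tomcat7.XXXXXXXXXX)
    chmod 644 "$tmpfile"
    sed "s%create 640 tomcat7 adm%create 640 $TOMCAT7_USER adm%" "$LR_TEMPLATE" >> "$tmpfile"
    ucf --debconf-ok --sum-file /usr/share/tomcat7/logrotate.md5sum "$tmpfile" "$LR_CONFFILE"
    rm -f "$tmpfile"

    # configuration files should not be modifiable by tomcat7 user, as this can be a security issue
    # (an attacker may insert code in a webapp and have access to all tomcat configuration)
    # but those files should be readable by tomcat7, so we set the group to tomcat7
    for i in tomcat-users.xml web.xml server.xml logging.properties context.xml catalina.properties; do
      if [ -f "/etc/tomcat7/$i" ]; then
        chown root:"$TOMCAT7_GROUP" "/etc/tomcat7/$i"
        chmod 640 "/etc/tomcat7/$i"
      fi
    done

    # configuration policy files should not be modifiable by the tomcat7 user. Only
    # diverge from default permissions for known Debian files
    chown root:"$TOMCAT7_GROUP" /etc/tomcat7/policy.d
    for i in 01system.policy 02debian.policy 03catalina.policy 04webapps.policy 50local.policy; do
      if [ -f "/etc/tomcat7/policy.d/$i" ]; then
        chown root:"$TOMCAT7_GROUP" "/etc/tomcat7/policy.d/$i"
        chmod 640 "/etc/tomcat7/policy.d/$i"
      fi
    done

    chown -Rh root:"$TOMCAT7_GROUP" /etc/tomcat7/Catalina
    chown -Rh "$TOMCAT7_USER":"$TOMCAT7_GROUP" /var/lib/tomcat7/webapps /var/lib/tomcat7/common /var/lib/tomcat7/server /var/lib/tomcat7/shared
    chmod 775 /var/lib/tomcat7/webapps
    # NOTE(review): group-writable, so the service user can create context
    # descriptors under /etc/tomcat7/Catalina. This is an exception to the
    # "not modifiable by tomcat7" rule stated above; presumably needed by the
    # manager webapp's deployments -- confirm that it is intended.
    chmod 775 /etc/tomcat7/Catalina

    # Authorize user tomcat7 to open privileged ports via authbind.
    # NOTE(review): the rule written below covers every port from 1 to 1023 on
    # any address, not only the HTTP(S) ports; a deployment that needs fewer
    # ports can narrow this file after installation.
    TOMCAT_UID=$(id -u "$TOMCAT7_USER")
    if [ ! -f "/etc/authbind/byuid/$TOMCAT_UID" ]; then
      if [ ! -d "/etc/authbind/byuid" ]; then
        mkdir -p /etc/authbind/byuid
        chmod 755 /etc/authbind
        chmod 755 /etc/authbind/byuid
      fi
      echo '0.0.0.0/0:1,1023' >"/etc/authbind/byuid/$TOMCAT_UID"
      chown "$TOMCAT7_USER":"$TOMCAT7_GROUP" "/etc/authbind/byuid/$TOMCAT_UID"
      chmod 700 "/etc/authbind/byuid/$TOMCAT_UID"
    fi
    ;;
esac

# Ship the default ROOT webapp only when none exists yet, so an existing ROOT
# is never overwritten. It is copied after the chown above and therefore stays
# owned by root.
if [ ! -d /var/lib/tomcat7/webapps/ROOT ]; then
  cp -r /usr/share/tomcat7-root/default_root /var/lib/tomcat7/webapps/ROOT
fi

#DEBHELPER#
debian/context/0000755000000000000000000000000013067437273010666 5ustar
debian/context/host-manager.xml0000644000000000000000000000167613067437273014007 0ustar
debian/context/docs.xml0000644000000000000000000000163213067437273012342 0ustar
debian/context/examples.xml0000644000000000000000000000014113067437273013222 0ustar
debian/context/manager.xml0000644000000000000000000000166413067437273013031 0ustar
debian/source/0000755000000000000000000000000013067502611010467 5ustar
debian/source/include-binaries0000644000000000000000000000026313067502611013630 0ustar
test/org/apache/tomcat/util/net/ca.jks
test/org/apache/tomcat/util/net/localhost-copy1.jks
test/org/apache/tomcat/util/net/localhost.jks
test/org/apache/tomcat/util/net/user1.jks
debian/source/format0000644000000000000000000000001413067437273011710 0ustar
3.0 (quilt)
debian/tomcat7-instance-create0000644000000000000000000000657413067437273013562 0ustar
#!/bin/sh
# Script to create a CATALINA_BASE directory for your own tomcat
#
# The instance directory is populated from /usr/share/tomcat7/skel, its
# conf/server.xml is patched with the chosen ports and shutdown word, and
# bin/startup.sh / bin/shutdown.sh wrappers are generated for it.

PROG=$(basename "$0")
TARGET=""
HPORT=8080
CPORT=8005
CWORD="SHUTDOWN"
warned=0
warnlowport=0

usage() {
  echo "Usage: $PROG [options] "
  echo "  directoryname: name of the tomcat instance directory to create"
  echo "Options:"
  echo "  -h, --help     Display this help message"
  echo "  -p httpport    HTTP port to be used by Tomcat (default is $HPORT)"
  echo "  -c controlport Server shutdown control port (default is $CPORT)"
  echo "  -w magicword   Word to send to trigger shutdown (default is $CWORD)"
}

# checkport TYPE PORT
# Exits with status 1 when PORT is not a valid TCP port number; prints a
# warning and sets warned=1 when it is privileged (once) or appears to be in
# use. Globals written: warned, warnlowport.
checkport() {
  type=$1
  port=$2
  # Fail if port is non-numeric
  num=$(expr "${port}" + 1 2> /dev/null)
  if [ $? != 0 ] || [ "$num" -lt 2 ]; then
    echo "Error: ${type} port '${port}' is not a valid TCP port number."
    exit 1
  fi
  # Fail if port is above 65535
  if [ "${port}" -gt 65535 ]; then
    echo "Error: ${type} port ${port} is above TCP port numbers (> 65535)."
    exit 1
  fi
  # Warn if port is below 1024 (once)
  if [ "${warnlowport}" -eq 0 ]; then
    if [ "${port}" -lt 1024 ]; then
      echo "Warning: ports below 1024 are reserved to the super-user."
      warnlowport=1
      warned=1
    fi
  fi
  # Warn if port appears to be in use
  if nc localhost "${port}" -z > /dev/null; then
    echo "Warning: ${type} port ${port} appears to be in use."
    warned=1
  fi
}

if [ "$#" -lt 1 ]; then
  usage
  exit 1
fi
if [ "$1" = "-h" ] || [ "$1" = "--help" ]; then
  usage
  exit 0
fi

while getopts ":p:c:w:h" options; do
  case $options in
    p ) HPORT=$OPTARG ;;
    c ) CPORT=$OPTARG ;;
    w ) CWORD=$OPTARG ;;
    h ) usage
        exit 0 ;;
    * ) echo "Error: Unknown parameter '$OPTARG'."
        exit 1 ;;
  esac
done
shift $((OPTIND - 1))

# Fail if no target specified. Checked before 'shift', which would otherwise
# fail when only options were given.
TARGET=${1-}
if [ -z "${TARGET}" ]; then
  echo "Error: No target directory specified."
  exit 1
fi
shift
echo "You are about to create a Tomcat instance in directory '$TARGET'"

# Fail if ports are the same
if [ "${HPORT}" = "${CPORT}" ]; then
  echo "Error: HTTP port and control port must be different."
  exit 1
fi

# Fail if target directory already exists
if [ -d "${TARGET}" ]; then
  echo "Error: Target directory already exists."
  exit 1
fi

# Check ports
checkport HTTP "${HPORT}"
checkport Control "${CPORT}"

# Ask for confirmation if warnings were printed out
if [ "${warned}" -eq 1 ]; then
  echo "Type to continue, to abort."
  read -r answer
fi

mkdir -p "${TARGET}"
FULLTARGET=$(cd "${TARGET}" > /dev/null && pwd)
mkdir "${TARGET}/conf"
mkdir "${TARGET}/logs"
mkdir "${TARGET}/webapps"
mkdir "${TARGET}/work"
mkdir "${TARGET}/temp"
cp -r /usr/share/tomcat7/skel/* "${TARGET}"

# Escape sed metacharacters in the user-supplied shutdown word so it is
# inserted literally ('/' would otherwise end the s/// command, '&' would
# re-insert the match). The word still has to be valid in an XML attribute.
CWORD_SED=$(printf '%s' "${CWORD}" | sed 's/[\/&\\]/\\&/g')
sed -i -e "s/Connector port=\"8080\"/Connector port=\"${HPORT}\"/;s/Server port=\"8005\" shutdown=\"SHUTDOWN\"/Server port=\"${CPORT}\" shutdown=\"${CWORD_SED}\"/" "${TARGET}/conf/server.xml"

# Unquoted delimiter on purpose: ${FULLTARGET} is expanded into the wrappers.
cat > "${TARGET}/bin/startup.sh" << EOT
#!/bin/sh
export CATALINA_BASE="${FULLTARGET}"
/usr/share/tomcat7/bin/startup.sh
echo "Tomcat started"
EOT

cat > "${TARGET}/bin/shutdown.sh" << EOT
#!/bin/sh
export CATALINA_BASE="${FULLTARGET}"
/usr/share/tomcat7/bin/shutdown.sh
echo "Tomcat stopped"
EOT

chmod a+x "${TARGET}/bin/startup.sh" "${TARGET}/bin/shutdown.sh"
echo "* New Tomcat instance created in ${TARGET}"
echo "* You might want to edit default configuration in ${TARGET}/conf"
echo "* Run ${TARGET}/bin/startup.sh to start your Tomcat instance"
debian/default_root/0000755000000000000000000000000013067502611011656 5ustar
debian/default_root/index.html0000644000000000000000000000354713067502611013664 0ustar
Apache Tomcat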

      It works !

      If you're seeing this page via a web browser, it means you've setup Tomcat successfully. Congratulations!

      This is the default Tomcat home page. It can be found on the local filesystem at: /var/lib/tomcat7/webapps/ROOT/index.html

      Tomcat7 veterans might be pleased to learn that this system instance of Tomcat is installed with CATALINA_HOME in /usr/share/tomcat7 and CATALINA_BASE in /var/lib/tomcat7, following the rules from /usr/share/doc/tomcat7-common/RUNNING.txt.gz.

      You might consider installing the following packages, if you haven't already done so:

      tomcat7-docs: This package installs a web application that lets you browse the Tomcat 7 documentation locally. Once installed, you can access it by clicking here.

      tomcat7-examples: This package installs a web application that gives access to the Tomcat 7 Servlet and JSP examples. Once installed, you can access it by clicking here.

      tomcat7-admin: This package installs two web applications that help you manage this Tomcat instance. Once installed, you can access the manager webapp and the host-manager webapp.

      NOTE: For security reasons, using the manager webapp is restricted to users with role "manager-gui". The host-manager webapp is restricted to users with role "admin-gui". Users are defined in /etc/tomcat7/tomcat-users.xml.

      debian/default_root/META-INF/0000755000000000000000000000000013067437273013031 5ustar debian/default_root/META-INF/context.xml0000644000000000000000000000006313067437273015236 0ustar debian/logrotate.md5sum0000644000000000000000000000006513067437273012337 0ustar 9e56464a7cc25288a994171d0e303ba6 logrotate.template debian/NEWS0000644000000000000000000000041513067437273007701 0ustar tomcat7 (7.0.35-1~exp2) experimental; urgency=low The Tomcat JDBC Pool module is now enabled by default instead of the commons-dbcp implementation used in previous versions of this package. -- James Page Sun, 24 Feb 2013 22:08:22 +0000 debian/libservlet3.0-java.manifest0000644000000000000000000000302113067437273014241 0ustar usr/share/java/el-api-2.2.jar: Bundle-ManifestVersion: 2 Bundle-Vendor: Apache Software Foundation Bundle-Version: 2.2.0 Bundle-Localization: plugin Bundle-RequiredExecutionEnvironment: J2SE-1.5 Bundle-Name: Javax Expression Language Bundle Bundle-SymbolicName: javax.el Export-Package: javax.el;version="2.2.0" Import-Package: javax.servlet;version="2.6.0",javax.servlet.http;version="2.6.0" usr/share/java/jsp-api-2.2.jar: Import-Package: javax.servlet;version="2.6.0",javax.servlet.http;version="2.6.0",javax.servlet.resources;version="2.6.0",javax.el;version="2.2.0" Bundle-ManifestVersion: 2 Export-Package: javax.servlet.jsp; version=2.2,javax.servlet.jsp.el; version=2.2,javax.servlet.jsp.resources; version=2.2,javax.servlet.jsp.tagext; version=2.2 Bundle-Version: 2.2.0.v201103241327 Bundle-SymbolicName: javax.servlet.jsp Bundle-Name: Java Server Pages API Bundle Bundle-RequiredExecutionEnvironment: CDC-1.0/Foundation-1.0,JavaSE-1.6 Bundle-Localization: plugin Bundle-Vendor: Apache Software Foundation usr/share/java/servlet-api-3.0.jar: Bundle-ManifestVersion: 2 Export-Package: javax.servlet;version="2.6.0",javax.servlet.annotation;version="2.6.0",javax.servlet.descriptor;version="2.6.0",javax.servlet.http;version="2.6.0",javax.servlet.resources;version="2.6.0" 
Bundle-Version: 3.0.0.v201103241327 Bundle-SymbolicName: javax.servlet Bundle-Name: Servlet API Bundle Bundle-RequiredExecutionEnvironment: CDC-1.0/Foundation-1.0,JavaSE-1.6 Bundle-Localization: plugin Bundle-Vendor: Apache Software Foundation debian/tomcat7.links0000644000000000000000000000030413067437273011617 0ustar /etc/tomcat7 /var/lib/tomcat7/conf /var/cache/tomcat7 /var/lib/tomcat7/work /var/log/tomcat7 /var/lib/tomcat7/logs /usr/share/doc/tomcat7-common/README.Debian /usr/share/doc/tomcat7/README.Debian debian/tomcat7-admin.install0000644000000000000000000000036013067437273013235 0ustar debian/context/manager.xml /etc/tomcat7/Catalina/localhost/ output/build/webapps/manager /usr/share/tomcat7-admin/ debian/context/host-manager.xml /etc/tomcat7/Catalina/localhost/ output/build/webapps/host-manager /usr/share/tomcat7-admin/ debian/tomcat7-instance-create.10000644000000000000000000000225613067437273013712 0ustar .TH "TOMCAT7-INSTANCE-CREATE" "2" "Feb 2010" "" "" .SH "NAME" tomcat7\-instance\-create \- creates a Tomcat7 instance .SH "SYNOPSIS" .B tomcat7\-instance\-create [\fIOPTIONS\fR] \fIDIRECTORYNAME\fR .SH "DESCRIPTION" The .B tomcat7\-instance\-create script creates a directory with all required Tomcat7 CATALINA_BASE elements so that a separate Tomcat 7 instance with its own configuration, libraries or web applications can be run by a user. bin/startup.sh and bin/shutdown.sh scripts are also generated to allow the instance to be started and stopped. .TP .B DIRECTORYNAME The name of the directory where the instance will be created. It should not exist and will be created automatically. .SH "OPTIONS" .TP .B \-p HTTPPORT The TCP port to use for the default HTTP connector in the instance. The default port is 8080. .TP .B \-c CONTROLPORT The TCP port to use for Tomcat shutdown control port. The default port is 8005. .TP .B \-w MAGICWORD The magic word that sent to the control port will trigger the shutdown of the Tomcat instance. The default word is SHUTDOWN. 
.SH "AUTHOR" This man page was written by Thierry Carrez and is copyright (C) 2008 Canonical Ltd. debian/logging.properties0000644000000000000000000000450213067437273012747 0ustar # Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. handlers = 1catalina.org.apache.juli.FileHandler, 2localhost.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler .handlers = 1catalina.org.apache.juli.FileHandler, java.util.logging.ConsoleHandler ############################################################ # Handler specific properties. # Describes specific configuration info for Handlers. ############################################################ 1catalina.org.apache.juli.FileHandler.level = FINE 1catalina.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 1catalina.org.apache.juli.FileHandler.prefix = catalina. 2localhost.org.apache.juli.FileHandler.level = FINE 2localhost.org.apache.juli.FileHandler.directory = ${catalina.base}/logs 2localhost.org.apache.juli.FileHandler.prefix = localhost. java.util.logging.ConsoleHandler.level = FINE java.util.logging.ConsoleHandler.formatter = java.util.logging.SimpleFormatter ############################################################ # Facility specific properties. # Provides extra control for each logger. 
############################################################ org.apache.catalina.core.ContainerBase.[Catalina].[localhost].level = INFO org.apache.catalina.core.ContainerBase.[Catalina].[localhost].handlers = 2localhost.org.apache.juli.FileHandler # For example, set the com.xyz.foo logger to only log SEVERE # messages: #org.apache.catalina.startup.ContextConfig.level = FINE #org.apache.catalina.startup.HostConfig.level = FINE #org.apache.catalina.session.ManagerBase.level = FINE #org.apache.catalina.core.AprLifecycleListener.level=FINE debian/libtomcat7-java.manifest0000644000000000000000000001215413067437273013721 0ustar usr/share/java/tomcat-api.jar: Bundle-Vendor: Apache Software Foundation Bundle-Localization: plugin Bundle-Name: Apache Tomcat API Bundle-SymbolicName: org.apache.tomcat.api Export-Package: org.apache.tomcat;version="7.0.26";uses:="javax.naming,javax.servlet" Bundle-Version: 7.0.26 Bundle-ManifestVersion: 2 Import-Package: javax.naming;version="0",javax.servlet;version="[2.6.0, 4.0.0)" Unversioned-Imports: javax.naming.* usr/share/java/tomcat-jasper.jar: Bundle-ManifestVersion: 2 Bundle-SymbolicName: org.apache.jasper Bundle-Version: 7.0.26 Bundle-Name: Apache Jasper JSP Support Bundle-Vendor: Apache Software Foundation Bundle-Localization: plugin Export-Package: 
org.apache.jasper;version="7.0.26";uses:="javax.servlet,javax.servlet.jsp.tagext,org.apache.jasper.compiler,org.apache.jasper.servlet,org.apache.tools.ant",org.apache.jasper.compiler;version="7.0.26";uses:="javax.el,javax.servlet,javax.servlet.jsp.tagext,javax.xml.parsers,org.apache.jasper,org.apache.jasper.compiler.tagplugin,org.apache.jasper.servlet,org.apache.jasper.util,org.apache.jasper.xmlparser,org.apache.juli.logging,org.apache.tomcat,org.apache.tools.ant,org.eclipse.jdt.internal.compiler,org.eclipse.jdt.internal.compiler.env,org.xml.sax,org.xml.sax.ext,org.xml.sax.helpers",org.apache.jasper.compiler.tagplugin;version="7.0.26",org.apache.jasper.el;version="7.0.26";uses:="javax.el,javax.servlet.jsp.el",org.apache.jasper.resources;version="7.0.26",org.apache.jasper.runtime;version="7.0.26";uses:="javax.el,javax.servlet,javax.servlet.http,javax.servlet.jsp,javax.servlet.jsp.el,javax.servlet.jsp.tagext,org.apache.jasper,org.apache.jasper.el,org.apache.tomcat",org.apache.jasper.security;version="7.0.26",org.apache.jasper.servlet;version="7.0.26";uses:="javax.servlet,javax.servlet.descriptor,javax.servlet.http,javax.servlet.jsp.tagext,org.apache.jasper,org.apache.jasper.compiler,org.apache.jasper.util,org.apache.tomcat",org.apache.jasper.tagplugins.jstl;version="7.0.26";uses:="javax.servlet,javax.servlet.http,javax.servlet.jsp",org.apache.jasper.tagplugins.jstl.core;version="7.0.26";uses:="org.apache.jasper.compiler.tagplugin",org.apache.jasper.util;version="7.0.26";uses:="org.xml.sax,org.xml.sax.helpers",org.apache.jasper.xmlparser;version="7.0.26";uses:="org.apache.jasper,org.apache.jasper.compiler,org.w3c.dom,org.xml.sax" Import-Package: javax.el;version="[1.0.0, 3.0.0)",javax.servlet;version="[2.6.0, 4.0.0)",javax.servlet.descriptor;version="[2.6.0, 4.0.0)",javax.servlet.http;version="[2.6.0, 4.0.0)",javax.servlet.jsp;version="[2.2.0, 3.0.0)",javax.servlet.jsp.el;version="[2.2.0, 3.0.0)",javax.servlet.jsp.resources;version="[2.2.0, 
3.0.0)",javax.servlet.jsp.tagext;version="[2.2.0, 3.0.0)",javax.servlet.resources;version="[2.6.0, 4.0.0)",javax.xml.parsers;version="0",org.apache.el;version="[7.0.26, 7.0.26]",org.apache.el.lang;version="[7.0.26, 7.0.26]",org.apache.juli.logging;version="[7.0.26, 7.0.26]",org.apache.tomcat;version="[7.0.26, 7.0.26]",org.apache.tomcat.util.scan;version="[7.0.26, 7.0.26]",org.apache.tools.ant;version="[1.7.0, 2.0.0)";resolution:="optional",org.apache.tools.ant.taskdefs;version="[1.7.0, 2.0.0)";resolution:="optional",org.apache.tools.ant.types;version="[1.7.0, 2.0.0)";resolution:="optional",org.apache.tools.ant.util;version="[1.7.0, 2.0.0)";resolution:="optional",org.eclipse.jdt.core.compiler;version="0",org.eclipse.jdt.internal.compiler;version="0",org.eclipse.jdt.internal.compiler.classfmt;version="0",org.eclipse.jdt.internal.compiler.env;version="0",org.eclipse.jdt.internal.compiler.impl;version="0",org.eclipse.jdt.internal.compiler.problem;version="0",org.w3c.dom;version="0",org.xml.sax;version="0",org.xml.sax.ext;version="0",org.xml.sax.helpers;version="0" Unversioned-Imports: javax.xml.parsers.*,org.w3c.dom.*,org.xml.sax.* usr/share/java/tomcat-juli.jar: Bundle-ManifestVersion: 2 Bundle-SymbolicName: org.apache.juli Bundle-Version: 7.0.26 Bundle-Name: Apache Juli Bundle-Vendor: Apache Software Foundation Export-Package: org.apache.juli;version="7.0.26",org.apache.juli.logging;version="7.0.26" usr/share/java/tomcat-jasper-el.jar: Bundle-ManifestVersion: 2 Bundle-Vendor: Apache Software Foundation Bundle-Localization: plugin Bundle-Name: Apache EL Bundle-SymbolicName: org.apache.el Export-Package: org.apache.el;version="7.0.26";uses:="javax.el,org.apache.el.parser",org.apache.el.lang;version="7.0.26";uses:="javax.el,org.apache.el.parser",org.apache.el.parser;version="7.0.26";uses:="javax.el,org.apache.el.lang",org.apache.el.util;version="7.0.26";uses:="javax.el" Bundle-Version: 7.0.26 Import-Package: javax.el;version="[1.0.0, 3.0.0)" 
usr/share/java/tomcat-util.jar: Bundle-ManifestVersion: 2 Bundle-Vendor: Apache Software Foundation Bundle-Localization: plugin Bundle-Name: Apache Tomcat Util Bundle-SymbolicName: org.apache.tomcat.util Export-Package: org.apache.tomcat.util.file;version="7.0.26",org.apache.tomcat.util.res;version="7.0.26",org.apache.tomcat.util.scan;version="7.0.26";uses:="javax.servlet,org.apache.tomcat" Bundle-Version: 7.0.26 Import-Package: javax.servlet;version="[2.6.0, 4.0.0)",org.apache.juli.logging;version="[7.0.26, 7.0.26]",org.apache.tomcat;version="[7.0.26, 7.0.26]" debian/tomcat7-examples.links0000644000000000000000000000026113067437273013435 0ustar /usr/share/java/jstl1.1.jar /usr/share/tomcat7-examples/examples/WEB-INF/lib/jstl.jar /usr/share/java/standard.jar /usr/share/tomcat7-examples/examples/WEB-INF/lib/standard.jar debian/tomcat7.dirs0000644000000000000000000000030613067437273011442 0ustar var/log/tomcat7 var/lib/tomcat7/webapps var/lib/tomcat7/common/classes var/lib/tomcat7/server/classes var/lib/tomcat7/shared/classes var/cache/tomcat7 etc/tomcat7/Catalina/localhost etc/logrotate.d debian/po/0000755000000000000000000000000013067437273007620 5ustar debian/po/sk.po0000644000000000000000000000514613067437273010603 0ustar # Slovak translation of tomcat7 debconf templates. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the tomcat7 package. # Ivan Masár , 2012. # msgid "" msgstr "" "Project-Id-Version: tomcat7\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2012-06-17 20:17+0100\n" "Last-Translator: Ivan Masár \n" "Language-Team: Slovak \n" "Language: sk\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Vyhradený systémový účet pre démona tomcat7:" #. 
Type: string #. Description #: ../tomcat7.templates:1001 msgid "The tomcat7 server must use a dedicated account for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "Server tomcat7 musí používať na svoju prevádzku vyhradený účet, aby nebola kompromitovaná bezpečnosť systému, keď sa spúšťa s oprávneniami superpoužívateľa." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Vyhradená systémová skupina pre démona tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "The tomcat7 server must use a dedicated group for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "Server tomcat7 musí používať na svoju prevádzku vyhradenú skupinu, aby nebola kompromitovaná bezpečnosť systému, keď sa spúšťa s oprávneniami superpoužívateľa." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Prosím, vyberte voľby JVM Java tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "JVM Tomcatu bude spustený s určenou sadou volieb Javy." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:+CMSIncrementalMode option if you run Tomcat on a machine with exactly one CPU chip that contains one or two cores." msgstr "Pamätajte, že ak použijete -XX:+UseConcMarkSweepGC, mali by ste pridať voľby -XX:+CMSIncrementalMode ak spúšťate Tomcat na počítači s práve jedným CPU, ktorý obsahuje jedno alebo dve jadrá." debian/po/ru.po0000644000000000000000000000611313067437273010607 0ustar # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the tomcat7 package. # # Yuri Kozlov , 2010. 
msgid "" msgstr "" "Project-Id-Version: tomcat7 7.0.12-1\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-11 19:27+0400\n" "Last-Translator: Yuri Kozlov \n" "Language-Team: Russian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Lokalize 1.0\n" "Plural-Forms: nplurals=3; plural=(n%10==1 && n%100!=11 ? 0 : n%10>=2 && " "n%10<=4 && (n%100<10 || n%100>=20) ? 1 : 2);\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Отдельная системная учётная запись для службы tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Для того, чтобы не подвергать риску безопасность системы, " "сервер tomcat7 требуется запускать с правами отдельной " "системной учётной записи." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Отдельная системная группа для службы tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Для того, чтобы не подвергать риску безопасность системы, " "сервер tomcat7 требуется запускать с правами отдельной " "группы." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Параметры Java для JVM tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Tomcat JVM будет запущена с определённым набором параметров Java." #. 
Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Заметим, что если вы используете -XX:+UseConcMarkSweepGC, то добавьте " "параметр -XX:+CMSIncrementalMode, если Tomcat работает на машине " "только с одним процессором, содержащим одно или два ядра." debian/po/ja.po0000644000000000000000000000557213067437273010563 0ustar # Copyright (C) Debian Java Maintainers # This file is distributed under the same license as the tomcat7 package. # Hideki Yamane , 2010. # msgid "" msgstr "" "Project-Id-Version: tomcat7 7.0.12-1\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-10 08:04-0400\n" "Last-Translator: Hideki Yamane \n" "Language-Team: Japanese \n" "Language: Japanese\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "tomcat7 デーモン専用のシステムアカウント:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "tomcat7 サーバは、動作するのに専用アカウントを利用する必要があります。" "これによって、システムのセキュリティは特権ユーザ権限で動作させることによる" "侵害を受けなくなります。" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "tomcat7 デーモン専用のシステムグループ:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." 
msgstr "" "tomcat7 サーバは、動作するのに専用グループを利用する必要があります。" "これによって、システムのセキュリティは特権ユーザ権限で動作させることによる" "侵害を受けなくなります。" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "tomcat7 JVM Java オプションを選択してください:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Tomcat の JVM は特定の Java オプションを指定して起動されます。" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Tomcat を 1, 2 コアの CPU が 1 個しかないマシンで動作させる場合、" "-XX:+UseConcMarkSweepGC を使う際には -XX:+CMSIncrementalMode オプションを使う" "必要があることに注意してください。" debian/po/pt.po0000644000000000000000000000540513067437273010607 0ustar # Translation of tomcat7's debconf messages do Portuguese # Copyright (C) 2010 the tomcat7's copyright holder # This file is distributed under the same license as the tomcat7 package. # # Américo Monteiro , 2010. msgid "" msgstr "" "Project-Id-Version: tomcat7 7.0.12-1\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-11 12:23+0100\n" "Last-Translator: Américo Monteiro \n" "Language-Team: Portuguese \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Generator: Lokalize 1.0\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Conta de sistema dedicada para o daemon do tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." 
msgstr "" "O servidor tomcat7 precisa de usar um conta dedicada para a sua operação " "para que a segurança do sistema não seja comprometida ao corrê-lo com " "privilégios de super utilizador." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Grupo de sistema dedicado para o daemon do tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "O servidor tomcat7 precisa de usar um grupo dedicado para a sua operação " "para que a segurança do sistema não seja comprometida ao corrê-lo com " "privilégios de super utilizador." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Por favor escolha as opções Java JVM do tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "" "O JVM do Tomcat será lançado com um conjunto específico de opções Java." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Note que se você usar -XX:+UseConcMarkSweepGC deverá adicionar a opção " "+CMSIncrementalMode se correr o Tomcat numa máquina com exactamente um chip " "CPU que contém um ou dois núcleos." debian/po/POTFILES.in0000644000000000000000000000005413067437273011374 0ustar [type: gettext/rfc822deb] tomcat7.templates debian/po/pl.po0000644000000000000000000000537713067437273010607 0ustar # Translation of tomcat7 debconf templates to Polish. # Copyright (C) 2010 # This file is distributed under the same license as the tomcat7 package. 
# # Michał Kułach , 2012. msgid "" msgstr "" "Project-Id-Version: \n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2012-02-28 21:15+0100\n" "Last-Translator: Michał Kułach \n" "Language-Team: Polish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Language: pl\n" "X-Generator: Lokalize 1.2\n" "Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 " "|| n%100>=20) ? 1 : 2);\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Oddzielne konto systemowe dla demona tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Serwer tomcat7 musi używać wydzielonego konta, dzięki czemu bezpieczeństwo " "systemu nie zostanie naruszone przez działanie z uprawnieniami " "superużytkownika." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Oddzielna grupa systemowa dla demona tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Serwer tomcat7 musi używać wydzielonej grupy, dzięki czemu bezpieczeństwo " "systemu nie zostanie naruszone przez działanie z uprawnieniami " "superużytkownika." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Proszę wybrać opcje Java JVM tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." 
msgstr "JVM programu Tomcat będzie uruchamiany z podanymi opcjami Java." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Proszę zauważyć, że jeśli używane jest -XX:+UseConcMarkSweepGC, to należy " "dodać opcję -XX:+CMSIncrementalMode, jeśli Tomcat jest uruchamiany na " "komputerze z jednym procesorem, zawierającym jeden lub dwa rdzenie." debian/po/pt_BR.po0000644000000000000000000000535513067437273011176 0ustar # Portuguese/Brazil translation of tomcat7. # Copyright (C) 2010 THE tomcat7'S COPYRIGHT HOLDER # This file is distributed under the same license as the tomcat7 package. # José de Figueiredo , 2010. # msgid "" msgstr "" "Project-Id-Version: tomcat7\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2011-01-18 09:04-0200\n" "Last-Translator: José de Figueiredo \n" "Language-Team: Brazilian Portuguese \n" "Language: pt_BR\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "pt_BR utf-8\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Conta de sistema dedicada para o daemon tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "O servidor tomcat7 deve usar uma conta dedicada para sua operação, desta " "forma a segurança do sistema não será comprometida por rodar com privilégios " "de superusuário." #. Type: string #. 
Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Grupo de sistema dedicado para o daemon tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "O servidor tomcat7 deve usar um grupo dedicado para sua operação, desta " "forma a segurança do sistema não será comprometida por rodar com privilégios " "de superusuário." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Por favor, escolha as opções Java da JVM para o tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "" "A JVM para o tomcat7 iniciará com um conjunto específico de opções Java." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Note que se você usar -XX:+UseConcMarkSweepGC você deverá adicionar a opção -" "XX:+CMSIncrementalMode se você rodar o Tomcat em uma máquina com exatamente " "um chip CPU que contenha um ou dois núcleos." debian/po/es.po0000644000000000000000000000733113067437273010573 0ustar # tomcat7 po-debconf translation to Spanish # Copyright (C) 2010 Software in the Public Interest, SPI Inc. # This file is distributed under the same license as the tomcat7 package. 
# # Changes: # - Initial translation # Javier Fernández-Sanguino , 2010 # # # Traductores, si no conoce el formato PO, merece la pena leer la # documentación de gettext, especialmente las secciones dedicadas a este # formato, por ejemplo ejecutando: # info -n '(gettext)PO Files' # info -n '(gettext)Header Entry' # # Equipo de traducción al español, por favor lean antes de traducir # los siguientes documentos: # # - El proyecto de traducción de Debian al español # http://www.debian.org/intl/spanish/ # especialmente las notas y normas de traducción en # http://www.debian.org/intl/spanish/notas # # - La guía de traducción de po's de debconf: # /usr/share/doc/po-debconf/README-trans # o http://www.debian.org/intl/l10n/po-debconf/README-trans # # Si tiene dudas o consultas sobre esta traducción consulte con el último # traductor (campo Last-Translator) y ponga en copia a la lista de # traducción de Debian al español () # msgid "" msgstr "" "Project-Id-Version: tomcat7 6.0.28\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-08 02:14+0200\n" "Last-Translator: Javier Fernández-Sanguino \n" "Language-Team: Debian Spanish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "X-POFile-SpellExtra: tomcat Tomcat UseConcMarkSweepGC XX JVM cores\n" "X-POFile-SpellExtra: CMSIncrementalMode\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Cuenta del sistema dedicada para el servicio tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." 
msgstr "El servidor tomcat7 debe utilizar una cuenta dedicada para su operación para no comprometer la seguridad del sistema al ejecutarlo con privilegios de superusuario." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Grupo de sistema dedicado para el servicio tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "El servidor tomcat7 debe utilizar un grupo dedicado para su operación para no comprometer la seguridad del sistema por ejecutarlo con los privilegios del superusuario." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Escoja las opciones del JVM Java de tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "La JVM de Tomcat puede ejecutarse con un conjunto específico de opciones de Java." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "Tenga en cuenta que si utiliza -XX:+UseConcMarkSweepGC debería añadir la opción -XX:+CMSIncrementalMode si ejecuta Tomcat en un equipo que tenga exáctamente un chip de CPU y que contenga uno o dos cores." debian/po/da.po0000644000000000000000000000517513067437273010554 0ustar # Danish translation tomcat7. # Copyright (C) 2010 tomcat7 & nedenstående oversættere. # This file is distributed under the same license as the tomcat7 package. # Joe Hansen (joedalton2@yahoo.dk), 2010. 
# msgid "" msgstr "" "Project-Id-Version: tomcat7\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-11-27 12:42+0000\n" "Last-Translator: Joe Hansen \n" "Language-Team: Danish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Dedikeret systemkonto for tomcat7-dæmonen:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "tomcat7-serveren skal bruge en dedikeret konto for at fungere på en måde, der " "gør, at systemets sikkerhed ikke kompromitteres ved at køre den med " "superbrugerprivilegier." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Dedikeret systemgruppe for tomcat7-dæmonen:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "tomcat7-dæmonen skal bruge en dedikeret gruppe for at fungere på en måde, der " "gør, at systemets sikkerhed ikke kompromitteres ved at køre den med " "superbrugerprivilegier." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Vælg venligst indstillinger for tomcat7 JVM Java:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Tomcats JVM vil blive igangsat med et specifikt sæt af Javaindstillinger." #. Type: string #. 
Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Bemærkt at hvis du bruger -XX:+UseConcMarkSweepGC, skal du tilføje tilvalget " "-XX:+CMSIncrementalMode, hvis du kører Tomcat på en maskine med præcis " "en CPU-chip, som indeholder en eller to kerner." debian/po/templates.pot0000644000000000000000000000352013067437273012342 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # FIRST AUTHOR , YEAR. # #, fuzzy msgid "" msgstr "" "Project-Id-Version: PACKAGE VERSION\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: YEAR-MO-DA HO:MI+ZONE\n" "Last-Translator: FULL NAME \n" "Language-Team: LANGUAGE \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=CHARSET\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "" #. Type: string #. 
Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" debian/po/sv.po0000644000000000000000000000515013067437273010611 0ustar # Swedish translation of debconf messages for tomcat7. # Copyright © 2010 Martin Bagge # This file is distributed under the same license as the schroot package. # # Martin Bagge , 2010. # msgid "" msgstr "" "Project-Id-Version: Tomcat 7\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-20 10:08+0100\n" "Last-Translator: Martin Bagge / brother \n" "Language-Team: Swedish \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" "X-Poedit-Language: Swedish\n" "X-Poedit-Country: Sweden\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Systemanvändare för tomcat7-tjänsten:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Tomcat7-servern måste köra som en systemanvändare så att systemets säkerhet " "inte äventyras genom att köra tjänsten med superanvändarens rättigheter." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Systemgrupp för tomcat7-tjänsten:" #. Type: string #. 
Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Tomcat7-servern måste köra ha en systemgrupp så att systemets säkerhet inte " "äventyras genom att köra tjänsten med superanvändarens rättigheter." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Ange Java-flaggor för tomcat7 JVM:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "" "Tomcats JVM kommer att startas med en särskild uppsättning Java-flaggor." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Om -XX:+UseConcMarkSweepGC används ska flaggan -XX:+CMSIncrementalMode " "användas om Tomcat körs på en maskin med endast en CPU med en eller två " "kärnor." debian/po/it.po0000644000000000000000000000532413067437273010600 0ustar # Italian translation of tomcat7'S PO-DEBCONF FILE. # Copyright (C) 2011 THE tomcat7'S COPYRIGHT HOLDER # This file is distributed under the same license as the tomcat7 package. # Dario Santamaria , 2011. # Collaboratively translated during an online sprint, thanks to all contributors! # msgid "" msgstr "" "Project-Id-Version: 7.0.14-1\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2011-04-14 22:00+0100\n" "Last-Translator: Dario Santamaria \n" "Language-Team: Italian \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. 
Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Account di sistema dedicato per il demone tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Il server tomcat7 deve utilizzare un account dedicato per le sue funzioni " "affinché la sicurezza del sistema non sia compromessa dall'esecuzione con " "i privilegi del superutente." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Gruppo di sistema dedicato per il demone tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Il server tomcat7 deve utilizzare un gruppo dedicato per le sue funzioni " "affinché la sicurezza del sistema non sia compromessa dall'esecuzione con " "i privilegi di superutente." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Scegliere le opzioni della JVM di tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "La JVM di Tomcat sarà eseguita con un insieme specifico di opzioni Java." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." 
msgstr "" "Attenzione che se si usa -XX:+UseConcMarkSweepGC si deve aggiungere l'opzione -XX:" "+CMSIncrementalMode se si esegue Tomcat su una macchina a singola " "CPU con uno o due core." debian/po/cs.po0000644000000000000000000000533113067437273010567 0ustar # Czech PO debconf template translation of tomcat7. # Copyright (C) 2010 Michal Simunek # This file is distributed under the same license as the tomcat7 package. # Michal Simunek , 2010. # msgid "" msgstr "" "Project-Id-Version: tomcat7 7.0.12-1\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-09-23 18:01+0200\n" "Last-Translator: Michal Simunek \n" "Language-Team: Czech \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Vyhrazený systémový účet pro démona tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Server tomcat7 musí ke své činnosti používat vyhrazený účet, jen tak " "není ohrožena bezpečnost systému, jako v případě spouštění s právy " "superuživatele." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Vyhrazená systémová skupina uživatelů pro démona tomcat7:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Server tomcat7 musí ke své činnosti používat vyhrazenou skupinu uživatelů, " "jen tak není ohrožena bezpečnost systému, jako v případě spouštění s právy " "superuživatele." #. 
Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Zadejte prosím volby Java pro tomcat7 JVM:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "JVM pro Tomcat bude spuštěna se zadanou sadou voleb pro Javu." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Berte na vědomí, že pokud použijete -XX:+UseConcMarkSweepGC, musíte, v případě " "že spouštíte Tomcat na počítači s jedním CPU čipem, který obsahuje jedno či " "dvě jádra, připojit volbu -XX:+CMSIncrementalMode." debian/po/de.po0000644000000000000000000000530113067437273010547 0ustar # Translation of tomcat7 debconf templates to german. # Copyright (C) 2010, Holger Wansing. # This file is distributed under the same license as the tomcat7 package. # Holger Wansing , 2010. # msgid "" msgstr "" "Project-Id-Version: tomcat7 7.0.12-1\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-15 12:59+0200\n" "Last-Translator: Holger Wansing \n" "Language-Team: German \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Eigenes Systemkonto für den Tomcat6-Daemon:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." 
msgstr "" "Der Tomcat6-Server muss ein eigenes Konto für seinen Betrieb verwenden, um " "die Sicherheit des Systems nicht durch die Ausführung mit Superuser-Rechten " "zu kompromittieren." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Eigene Systemgruppe für den Tomcat6-Daemon:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Der Tomcat6-Server muss eine eigene Gruppe für seinen Betrieb verwenden, um " "die Sicherheit des Systems nicht durch die Ausführung mit Superuser-Rechten " "zu kompromittieren." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Bitte wählen Sie die Java-Optionen für die Tomcat6-JVM:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Die Tomcat-JVM wird mit speziellen Java-Optionen gestartet." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "Beachten Sie beim Einsatz auf Systemen mit genau einem CPU-Chip, der einen " "oder zwei Prozessorkerne enthält, dass bei Wahl der Option " "»-XX:+UseConcMarkSweepGC« auch die Option -XX:+CMSIncrementalMode zur " "Konfiguration hinzugefügt werden sollte." debian/po/nl.po0000644000000000000000000000527713067437273010604 0ustar # Dutch translation of tomcat7 debconf templates. # Copyright (C) 2011 THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the tomcat7 package. # Jeroen Schot , 2011. 
# msgid "" msgstr "" "Project-Id-Version: tomcat7 7.0.23-1\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2011-12-06 12:25+0100\n" "Last-Translator: Jeroen Schot \n" "Language-Team: Debian l10n Dutch \n" "Language: nl\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Speciale systeemaccount voor de tomcat7-achtergronddienst:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "De tomcat7-server moet een speciale account gebruiken voor zijn " "werkzaamheden, want als hij met beheerdersrechten wordt uitgevoerd kan dit " "de beveiliging van het systeem in gevaar brengen." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Speciale systeemgroep voor de tomcat7-achtergronddienst:" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "De tomcat7-server moet een speciale groep gebruiken voor zijn werkzaamheden, " "want als hij met beheerdersrechten wordt uitgevoerd kan dit de beveiliging " "van het systeem in gevaar brengen." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Kies de tomcat7 JVM Java-opties:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Tomcat's JVM wordt met een specifieke set Java-opties gelanceerd." 
#. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." msgstr "" "N.B. Als u -XX:+UseConcMarkSweepGC gebruikt moet u de optie -XX:" "+CMSIncrementalMode toevoegen als u Tomcat op een machine met precies één " "CPU-chip met één of twee kernen gebruikt." debian/po/tr.po0000644000000000000000000000534213067437273010611 0ustar # SOME DESCRIPTIVE TITLE. # Copyright (C) YEAR THE PACKAGE'S COPYRIGHT HOLDER # This file is distributed under the same license as the PACKAGE package. # Atila KOÇ , 2012. # msgid "" msgstr "" "Project-Id-Version: tomcat7\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2012-03-15 13:34+0200\n" "Last-Translator: Atila KOÇ \n" "Language-Team: \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "tomcat7 artalan sürecine özgü sistem hesabı:" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "The tomcat7 server must use a dedicated account for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "tomcat7 sunucusu, işlevini gerçekleştirirken, süper kullanıcı hakları ile çalıştırılmasının getireceği güvenlik açıklarını engellemek için kendine özgü bir kullanıcı hesabı kullanmalıdır." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "tomcat7 artalan sürecine özgü sistem grubu:" #. Type: string #. 
Description #: ../tomcat7.templates:2001 msgid "The tomcat7 server must use a dedicated group for its operation so that the system's security is not compromised by running it with superuser privileges." msgstr "tomcat7 sunucusu, işlevini gerçekleştirirken, süper kullanıcı hakları ile çalıştırılmasının getireceği güvenlik açıklarını engellemek için kendine özgü bir grup hesabı kullanmalıdır." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "tomcat7 için Java Sanal Makinesi (JVM) Java seçeneklerini seçiniz:" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "Tomcat'in Java Sanal Makinesi (JVM) özel bir Java seçenekleri kümesi ile başlatılacaktır." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:+CMSIncrementalMode option if you run Tomcat on a machine with exactly one CPU chip that contains one or two cores." msgstr "Eğer Tomcat'i içerisinde bir ya da iki çekirdek barındıran tek işlemcili bir makine üzerinde çalıştırıyor ve -XX:+UseConcMarkSweepGC seçeneğini kullanıyorsanız, -XX:+CMSIncrementalMode seçeneğini de eklemelisiniz." debian/po/fr.po0000644000000000000000000000536313067437273010576 0ustar # Translation of tomcat7 debconf screens to French # Copyright (C) 2010 Debian French l10n team # This file is distributed under the same license as the tomcat7 package. # Translator: # Steve Petruzzello # msgid "" msgstr "" "Project-Id-Version: tomcat7_7.0.12-1\n" "Report-Msgid-Bugs-To: tomcat7@packages.debian.org\n" "POT-Creation-Date: 2010-08-06 04:08+0200\n" "PO-Revision-Date: 2010-08-12 12:08+0200\n" "Last-Translator: Steve Petruzzello \n" "Language-Team: French \n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=utf-8\n" "Content-Transfer-Encoding: 8bit\n" #. Type: string #. 
Description #: ../tomcat7.templates:1001 msgid "Dedicated system account for the tomcat7 daemon:" msgstr "Compte système dédié au démon tomcat7 :" #. Type: string #. Description #: ../tomcat7.templates:1001 msgid "" "The tomcat7 server must use a dedicated account for its operation so that " "the system's security is not compromised by running it with superuser " "privileges." msgstr "" "Le serveur tomcat7 nécessite un compte dédié pour fonctionner afin de ne pas " "compromettre la sécurité du système en s'exécutant avec les privilèges du " "superutilisateur." #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "Dedicated system group for the tomcat7 daemon:" msgstr "Groupe système dédié au démon tomcat7 :" #. Type: string #. Description #: ../tomcat7.templates:2001 msgid "" "The tomcat7 server must use a dedicated group for its operation so that the " "system's security is not compromised by running it with superuser privileges." msgstr "" "Le serveur tomcat7 nécessite un groupe dédié pour fonctionner afin de ne pas " "compromettre la sécurité du système en s'exécutant avec les privilèges du " "superutilisateur." #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Please choose the tomcat7 JVM Java options:" msgstr "Options de la machine virtuelle Java pour tomcat7 :" #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "Tomcat's JVM will be launched with a specific set of Java options." msgstr "" "La machine virtuelle Java (JVM) sera lancée avec un ensemble spécifique " "d'options Java. " #. Type: string #. Description #: ../tomcat7.templates:3001 msgid "" "Note that if you use -XX:+UseConcMarkSweepGC you should add the -XX:" "+CMSIncrementalMode option if you run Tomcat on a machine with exactly one " "CPU chip that contains one or two cores." 
msgstr "" "Veuillez noter que si l'option -XX:+UseConcMarkSweepGC est utilisée, " "l'option -XX:+CMSIncrementalMode devrait être ajoutée si Tomcat s'exécute sur " "une machine avec exactement un processeur contenant un ou deux cœurs." debian/changelog0000644000000000000000000015265113357144265011064 0ustar tomcat7 (7.0.52-1ubuntu0.16) trusty-security; urgency=medium * SECURITY UPDATE: arbitrary redirect issue - debian/patches/CVE-2018-11784.patch: avoid protocol relative redirects in java/org/apache/catalina/servlets/DefaultServlet.java. - CVE-2018-11784 -- Marc Deslauriers Tue, 09 Oct 2018 11:25:36 -0400 tomcat7 (7.0.52-1ubuntu0.15) trusty-security; urgency=medium * SECURITY UPDATE: DoS via issue in UTF-8 decoder - debian/patches/CVE-2018-1336.patch: fix logic in java/org/apache/tomcat/util/buf/Utf8Decoder.java. - CVE-2018-1336 * SECURITY UPDATE: missing hostname verification in WebSocket client - debian/patches/CVE-2018-8034.patch: enable hostname verification by default in webapps/docs/web-socket-howto.xml, java/org/apache/tomcat/websocket/WsWebSocketContainer.java. - CVE-2018-8034 -- Marc Deslauriers Wed, 25 Jul 2018 08:27:25 -0400 tomcat7 (7.0.52-1ubuntu0.14) trusty-security; urgency=medium * SECURITY UPDATE: missing checks when HTTP PUTs enabled (LP: #1721749) - debian/patches/CVE-2017-1261x.patch: add checks to java/org/apache/catalina/servlets/DefaultServlet.java java/org/apache/naming/resources/FileDirContext.java, java/org/apache/naming/resources/JrePlatform.java, java/org/apache/naming/resources/LocalStrings.properties, java/org/apache/naming/resources/VirtualDirContext.java, test/org/apache/naming/resources/TestFileDirContext.java. - CVE-2017-12616 - CVE-2017-12617 * SECURITY UPDATE: security constraints mapped to context root are ignored - debian/patches/CVE-2018-1304.patch: add check to java/org/apache/catalina/realm/RealmBase.java. 
- CVE-2018-1304 * SECURITY UPDATE: security constraint annotations applied too late - debian/patches/CVE-2018-1305.patch: change ordering in java/org/apache/catalina/Wrapper.java, java/org/apache/catalina/authenticator/AuthenticatorBase.java, java/org/apache/catalina/core/ApplicationContext.java, java/org/apache/catalina/core/ApplicationServletRegistration.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/StandardWrapper.java, java/org/apache/catalina/startup/ContextConfig.java, java/org/apache/catalina/startup/Tomcat.java, java/org/apache/catalina/startup/WebAnnotationSet.java. - CVE-2018-1305 * SECURITY UPDATE: CORS filter has insecure defaults - debian/patches/CVE-2018-8014.patch: change defaults in java/org/apache/catalina/filters/CorsFilter.java, java/org/apache/catalina/filters/LocalStrings.properties, test/org/apache/catalina/filters/TestCorsFilter.java, test/org/apache/catalina/filters/TesterFilterConfigs.java. - CVE-2018-8014 -- Marc Deslauriers Tue, 29 May 2018 10:22:42 -0400 tomcat7 (7.0.52-1ubuntu0.13) trusty-security; urgency=medium * SECURITY UPDATE: loss of pipeline requests - debian/patches/CVE-2017-5647.patch: improve sendfile handling when requests are pipelined in java/org/apache/coyote/AbstractProtocol.java, java/org/apache/coyote/http11/Http11AprProcessor.java, java/org/apache/coyote/http11/Http11NioProcessor.java, java/org/apache/tomcat/util/net/AprEndpoint.java, java/org/apache/tomcat/util/net/NioEndpoint.java, java/org/apache/tomcat/util/net/SendfileKeepAliveState.java, java/org/apache/tomcat/util/net/SendfileState.java. - CVE-2017-5647 * SECURITY UPDATE: incorrect facade object use - debian/patches/CVE-2017-5648-pre.patch: fix keep-alive with asynchronous servlet in java/org/apache/catalina/core/AsyncContextImpl.java, java/org/apache/coyote/AsyncContextCallback.java, java/org/apache/coyote/AsyncStateMachine.java, test/org/apache/catalina/core/TestAsyncContextImpl.java. 
- debian/patches/CVE-2017-5648.patch: ensure request and response facades are used when firing application listeners in java/org/apache/catalina/authenticator/FormAuthenticator.java, java/org/apache/catalina/core/StandardHostValve.java. - CVE-2017-5648 * SECURITY UPDATE: unexpected and undesirable results for static error pages - debian/patches/CVE-2017-5664.patch: use a more reliable mechanism in java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/servlets/WebdavServlet.java. - CVE-2017-5664 * SECURITY UPDATE: client and server side cache poisoning in CORS filter - debian/patches/CVE-2017-7674.patch: set Vary header in response in java/org/apache/catalina/filters/CorsFilter.java. - CVE-2017-7674 -- Marc Deslauriers Wed, 27 Sep 2017 16:28:58 -0400 tomcat7 (7.0.52-1ubuntu0.11) trusty; urgency=medium * Fix an upgrade error when JAVA_OPTS in /etc/default/tomcat7 contains the '%' character (LP: #1666570). * Fix javax.servlet.jsp POM to use servlet-api version 3.0 instead of 2.2 (LP: #1664179). -- Joshua Powers Wed, 22 Mar 2017 13:42:56 -0600 tomcat7 (7.0.52-1ubuntu0.10) trusty-security; urgency=medium * SECURITY UPDATE: DoS via CPU consumption (LP: #1663318) - debian/patches/CVE-2017-6056.patch: fix infinite loop in java/org/apache/coyote/http11/AbstractInputBuffer.java. - CVE-2017-6056 -- Marc Deslauriers Fri, 17 Feb 2017 08:51:12 -0500 tomcat7 (7.0.52-1ubuntu0.9) trusty-security; urgency=medium * SECURITY REGRESSION: security manager startup issue (LP: #1659589) - debian/patches/0009-Use-java.security.policy-file-in-catalina.sh.patch: update to new /var/lib/tomcat7/policy location. - debian/tomcat7.postrm.in: remove policy directory. 
-- Marc Deslauriers Wed, 01 Feb 2017 10:40:22 -0500 tomcat7 (7.0.52-1ubuntu0.8) trusty-security; urgency=medium * SECURITY UPDATE: SecurityManager bypass via a utility method - debian/patches/CVE-2016-5018.patch: remove unnecessary code in java/org/apache/jasper/compiler/JspRuntimeContext.java, java/org/apache/jasper/runtime/JspRuntimeLibrary.java, java/org/apache/jasper/security/SecurityClassLoad.java. - CVE-2016-5018 * SECURITY UPDATE: mitigation for httpoxy issue - debian/patches/CVE-2016-5388.patch: add envHttpHeaders initialization parameter to conf/web.xml, webapps/docs/cgi-howto.xml, java/org/apache/catalina/servlets/CGIServlet.java. - CVE-2016-5388 * SECURITY UPDATE: system properties read SecurityManager bypass - debian/patches/CVE-2016-6794.patch: extend SecurityManager protection to the system property replacement feature of the digester in java/org/apache/catalina/loader/WebappClassLoader.java, java/org/apache/tomcat/util/digester/Digester.java, java/org/apache/tomcat/util/security/PermissionCheck.java. - CVE-2016-6794 * SECURITY UPDATE: SecurityManager bypass via JSP Servlet configuration parameters - debian/patches/CVE-2016-6796.patch: ignore some JSP options when running under a SecurityManager in conf/web.xml, java/org/apache/jasper/EmbeddedServletOptions.java, java/org/apache/jasper/resources/LocalStrings.properties, java/org/apache/jasper/servlet/JspServlet.java, webapps/docs/jasper-howto.xml. - CVE-2016-6796 * SECURITY UPDATE: web application global JNDI resource access - debian/patches/CVE-2016-6797.patch: ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be in java/org/apache/catalina/core/NamingContextListener.java, java/org/apache/naming/factory/ResourceLinkFactory.java, test/org/apache/naming/TestNamingContext.java. 
- CVE-2016-6797 * SECURITY UPDATE: HTTP response injection via invalid characters - debian/patches/CVE-2016-6816.patch: add additional checks for valid characters in java/org/apache/coyote/http11/AbstractInputBuffer.java, java/org/apache/coyote/http11/AbstractNioInputBuffer.java, java/org/apache/coyote/http11/InternalAprInputBuffer.java, java/org/apache/coyote/http11/InternalInputBuffer.java, java/org/apache/coyote/http11/LocalStrings.properties, java/org/apache/tomcat/util/http/parser/HttpParser.java. - CVE-2016-6816 * SECURITY UPDATE: remote code execution via JmxRemoteLifecycleListener - debian/patches/CVE-2016-8735-pre.patch: remove the restriction that prevented the use of SSL when specifying a bind address in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java, java/org/apache/catalina/mbeans/LocalStrings.properties, webapps/docs/config/listeners.xml. - debian/patches/CVE-2016-8735.patch: explicitly configure allowed credential types in java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java. - CVE-2016-8735 * SECURITY UPDATE: information leakage between requests - debian/patches/CVE-2016-8745.patch: properly handle cache when unable to complete sendfile request in java/org/apache/tomcat/util/net/NioEndpoint.java. - CVE-2016-8745 * SECURITY UPDATE: privilege escalation during package upgrade - debian/rules, debian/tomcat7.postinst: properly set permissions on /etc/tomcat7/Catalina/localhost. - CVE-2016-9774 * SECURITY UPDATE: privilege escalation during package removal - debian/tomcat7.postrm.in: don't reset permissions before removing user. - CVE-2016-9775 * debian/tomcat7.init: further hardening. -- Marc Deslauriers Thu, 19 Jan 2017 12:38:29 -0500 tomcat7 (7.0.52-1ubuntu0.7) trusty-security; urgency=medium * SECURITY UPDATE: privilege escalation via insecure init script - debian/tomcat7.init: don't follow symlinks when handling the catalina.out file. 
- CVE-2016-1240 * SECURITY REGRESSION: change in behaviour after security update (LP: #1609819) - debian/patches/CVE-2015-5345-2.patch: fix using the new mapperContextRootRedirectEnabled option in java/org/apache/catalina/connector/MapperListener.java, change mapperContextRootRedirectEnabled default to true in java/org/apache/catalina/core/StandardContext.java, webapps/docs/config/context.xml. This reverts the change in behaviour following the CVE-2015-5345 security update and was also done upstream in later releases. -- Marc Deslauriers Fri, 16 Sep 2016 09:19:37 -0400 tomcat7 (7.0.52-1ubuntu0.6) trusty-security; urgency=medium * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in java/org/apache/tomcat/util/http/RequestUtil.java, test/org/apache/tomcat/util/http/TestRequestUtil.java. - CVE-2015-5174 * SECURITY UPDATE: information disclosure via redirects by mapper - debian/patches/CVE-2015-5345.patch: fix redirect logic in java/org/apache/catalina/Context.java, java/org/apache/catalina/authenticator/FormAuthenticator.java, java/org/apache/catalina/core/StandardContext.java, java/org/apache/catalina/core/mbeans-descriptors.xml, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/servlets/WebdavServlet.java, java/org/apache/catalina/startup/FailedContext.java, java/org/apache/tomcat/util/http/mapper/Mapper.java, test/org/apache/catalina/startup/TomcatBaseTest.java, webapps/docs/config/context.xml, test/org/apache/catalina/core/TesterContext.java. - CVE-2015-5345 * SECURITY UPDATE: session fixation vulnerability - debian/patches/CVE-2015-5346.patch: handle different session settings in java/org/apache/catalina/connector/CoyoteAdapter.java, java/org/apache/catalina/connector/Request.java. 
- CVE-2015-5346 * SECURITY UPDATE: CSRF protection mechanism bypass - debian/patches/CVE-2015-5351.patch: don't create sessions unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp, webapps/host-manager/WEB-INF/jsp/403.jsp, webapps/host-manager/WEB-INF/jsp/404.jsp, webapps/host-manager/index.jsp, webapps/manager/WEB-INF/web.xml, webapps/manager/index.jsp. - CVE-2015-5351 * SECURITY UPDATE: securityManager restrictions bypass via StatusManagerServlet - debian/patches/CVE-2016-0706.patch: place servlet in restricted list in java/org/apache/catalina/core/RestrictedServlets.properties. - CVE-2016-0706 * SECURITY UPDATE: securityManager restrictions bypass via session-persistence implementation - debian/patches/CVE-2016-0714.patch: extend the session attribute filtering options in java/org/apache/catalina/ha/session/ClusterManagerBase.java java/org/apache/catalina/ha/session/mbeans-descriptors.xml, java/org/apache/catalina/session/LocalStrings.properties, java/org/apache/catalina/session/ManagerBase.java, java/org/apache/catalina/session/StandardManager.java, java/org/apache/catalina/session/mbeans-descriptors.xml, java/org/apache/catalina/util/CustomObjectInputStream.java, java/org/apache/catalina/util/LocalStrings.properties, webapps/docs/config/cluster-manager.xml, webapps/docs/config/manager.xml. - CVE-2016-0714 * SECURITY UPDATE: securityManager restrictions bypass via crafted global context - debian/patches/CVE-2016-0763.patch: protect initialization in java/org/apache/naming/factory/ResourceLinkFactory.java. - CVE-2016-0763 * SECURITY UPDATE: denial of service in FileUpload - debian/patches/CVE-2016-3092.patch: properly handle size in java/org/apache/tomcat/util/http/fileupload/MultipartStream.java. - CVE-2016-3092 * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing colons in cookie names which is illegal in newer java versions in test/org/apache/catalina/authenticator/*.java. 
-- Marc Deslauriers Wed, 29 Jun 2016 12:50:02 -0400 tomcat7 (7.0.52-1ubuntu0.3) trusty-security; urgency=medium * SECURITY UPDATE: arbitrary file disclosure via XML parser (LP: #1449975) - debian/patches/CVE-2014-0119.patch: add defensive coding and ensure TLD parser obtained from cache has correct value of blockExternal in java/org/apache/catalina/security/SecurityClassLoad.java, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/startup/TldConfig.java, java/org/apache/jasper/compiler/JspDocumentParser.java, java/org/apache/jasper/xmlparser/ParserUtils.java, java/org/apache/tomcat/util/security/PrivilegedGetTccl.java, java/org/apache/tomcat/util/security/PrivilegedSetTccl.java. - CVE-2014-0119 * SECURITY UPDATE: HTTP request smuggling or denial of service via streaming with malformed chunked transfer encoding (LP: #1449975) - debian/patches/CVE-2014-0227.patch: add error flag and improve i18n in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java, java/org/apache/coyote/http11/filters/LocalStrings.properties. - CVE-2014-0227 * SECURITY UPDATE: denial of service via aborted upload attempts (LP: #1449975) - debian/patches/CVE-2014-0230.patch: limit amount of data in java/org/apache/coyote/http11/AbstractHttp11Processor.java, java/org/apache/coyote/http11/AbstractHttp11Protocol.java, java/org/apache/coyote/http11/Http11AprProcessor.java, java/org/apache/coyote/http11/Http11AprProtocol.java, java/org/apache/coyote/http11/Http11NioProcessor.java, java/org/apache/coyote/http11/Http11NioProtocol.java, java/org/apache/coyote/http11/Http11Processor.java, java/org/apache/coyote/http11/Http11Protocol.java, java/org/apache/coyote/http11/filters/ChunkedInputFilter.java, java/org/apache/coyote/http11/filters/IdentityInputFilter.java, java/org/apache/coyote/http11/filters/LocalStrings.properties, test/org/apache/catalina/core/TestSwallowAbortedUploads.java, webapps/docs/config/http.xml. 
- CVE-2014-0230 * SECURITY UPDATE: SecurityManager bypass via Expression Language - debian/patches/CVE-2014-7810.patch: handle classes that may not be accessible but have accessible interfaces in java/javax/el/BeanELResolver.java, remove unnecessary code in java/org/apache/jasper/runtime/PageContextImpl.java, java/org/apache/jasper/security/SecurityClassLoad.java. - CVE-2014-7810 * Replace expired ssl certs and use TLS to fix tests causing FTBFS: - debian/patches/0022-use-tls-in-ssl-unit-tests.patch - debian/patches/0023-replace-expired-ssl-certificates.patch - debian/source/include-binaries -- Marc Deslauriers Fri, 19 Jun 2015 12:30:21 -0400 tomcat7 (7.0.52-1ubuntu0.1) trusty-security; urgency=medium * SECURITY UPDATE: denial of service via malformed chunk size - debian/patches/CVE-2014-0075.patch: fix overflow and added tests to java/org/apache/coyote/http11/filters/ChunkedInputFilter.java, test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java. - CVE-2014-0075 * SECURITY UPDATE: file disclosure via XXE issue - debian/patches/CVE-2014-0096.patch: change globalXsltFile to be a relative path in conf/web.xml, java/org/apache/catalina/servlets/DefaultServlet.java, java/org/apache/catalina/servlets/LocalStrings.properties, webapps/docs/default-servlet.xml. - CVE-2014-0096 * SECURITY UPDATE: HTTP request smuggling attack via crafted Content-Length HTTP header - debian/patches/CVE-2014-0099.patch: correctly handle long values in java/org/apache/tomcat/util/buf/Ascii.java, added test to test/org/apache/tomcat/util/buf/TestAscii.java. - CVE-2014-0099 -- Marc Deslauriers Thu, 24 Jul 2014 13:24:54 -0400 tomcat7 (7.0.52-1) unstable; urgency=low * Team upload. * New upstream release. - Addresses security issue: CVE-2014-0050 -- Gianfranco Costamagna Wed, 19 Feb 2014 14:09:48 +0100 tomcat7 (7.0.50-1) unstable; urgency=medium * New upstream release. 
-- James Page Tue, 14 Jan 2014 18:09:28 +0000 tomcat7 (7.0.47-1) unstable; urgency=low [ Gianfranco Costamagna ] * Team upload. * New upstream release, patch refresh. * Renamed patch fix-manager-webapp.path to fix-manager-webapp.patch (extension typo). * Refresh patches for upstream release. * Removed -Djava.net.preferIPv4Stack=true from init script (lp: #1088681), thanks Hendrik Haddorp. * Added webapp manager path patch (lp: #1128067) thanks TJ. [ tony mancill ] * Bump Standards-Version to 3.9.5. * Change copyright year in javadocs to 2013. * Add patch to include the distribution name in error pages. (Closes: #729840) -- tony mancill Tue, 24 Dec 2013 16:46:34 +0000 tomcat7 (7.0.42-1) unstable; urgency=low [ Gianfranco Costamagna ] * Team upload. * New upstream release. * Added libhamcrest-java >= 1.3 as build-dep, tweaked debian/rules. * Bumped compat level to 9. * Removed some version checks, newer releases already in oldstable. * Refresh patches. * debian/control: changed Vcs-Git and Vcs-Browser fields, now they are canonical. * Fixed error message in Tomcat init script, patch by Thijs Kinkhorst (Closes: #714348) -- Gianfranco Costamagna Tue, 16 Jul 2013 17:34:58 +0200 tomcat7 (7.0.41-1) unstable; urgency=low * New upstream release (Closes: #712978). * Refresh patches. * Added version check for libtcnative-1 (Closes: #712638, lp: #1092548) -- Gianfranco Costamagna Wed, 19 Jun 2013 18:06:49 +0200 tomcat7 (7.0.40-2) unstable; urgency=low * Fix deployment of POMs for libservlet-3.0-java JARs into javax coordinates. - JARs were deployed into maven-repo, but not POMs. * Fix servlet-api groupId in d/javaxpoms/jsp-api.pom. -- Jakub Adam Thu, 16 May 2013 17:35:52 +0200 tomcat7 (7.0.40-1) unstable; urgency=low * New upstream release. 
- Addresses security issue: CVE-2013-2071 * Refresh patches: - 0015_disable_test_TestCometProcessor.patch -- Miguel Landaeta Fri, 10 May 2013 19:10:36 -0300 tomcat7 (7.0.39-1) unstable; urgency=low * Upload to unstable for jessie release cycle. -- tony mancill Mon, 06 May 2013 17:41:19 -0700 tomcat7 (7.0.39-1~exp1) experimental; urgency=low * New upstream release. * Refresh patches: - 0009-Use-java.security.policy-file-in-catalina.sh.patch * Remove patches included in the upstream release: - 0016_upstream_bug_54440.patch * Bump Standards-Version to 3.9.4. No changes were required. * Remove obsolete DM-Upload-Allowed field. -- Miguel Landaeta Sun, 31 Mar 2013 21:15:42 -0300 tomcat7 (7.0.35-1~exp2) experimental; urgency=low * Switch from Commons DBCP to Tomcat JDBC Pool as default connection pool implementation (Closes: #701023). -- James Page Sun, 24 Feb 2013 22:08:22 +0000 tomcat7 (7.0.35-1~exp1) experimental; urgency=low * New upstream version 7.0.35 * Add patch to disable TestCometProcessor.testConnectionClose(). This test fails consistently (although the Comet processor appears to function correctly). * Add patch for upstream bug 54440 (JSP compilation) -- tony mancill Sun, 03 Feb 2013 14:57:15 -0800 tomcat7 (7.0.34-1~exp1) experimental; urgency=low * Upload to experimental (Vcs-Git branch is exp/master.) * New upstream version 7.0.34 * remove patches included in the upstream release - cve-2012-3439.patch - cve-2012-3439-tests.patch - 0016-CVE-2012-4431.patch - 0017-CVE-2012-3546.patch * refresh patches * add /usr/lib/jvm/java-7-oracle to JDK search path - Thanks to Nuno Afonso. (Closes: #679012) * add log compression to logrotate cronjob via defaults file - Thanks to Thijs Kinkhorst. (Closes: #696944) * add distinct javax poms to install JARs using both Tomcat and javax coordinates (Closes: #691773) * update catalina.properties to expand ${catalina.home} instead of referencing /var/lib/tomcat7 explicitly. 
- Thanks to H.-Dirk Schmidt (Closes: #691865) -- tony mancill Tue, 01 Jan 2013 19:01:12 -0800 tomcat7 (7.0.28-4) unstable; urgency=high * Acknowledge NMU: 7.0.28-3+nmu1 (Closes: #692440) - Thank you to Michael Gilbert. * Add patches for the following security issues: (Closes: #695251) - CVE-2012-4431, CVE-2012-3546 -- tony mancill Thu, 06 Dec 2012 22:25:07 -0800 tomcat7 (7.0.28-3+nmu1) unstable; urgency=high * Non-maintainer upload. * Fix cve-2012-3439: multiple replay attack issues in digest authentication. (closes: #692440) -- Michael Gilbert Sun, 18 Nov 2012 01:40:30 +0000 tomcat7 (7.0.28-3) unstable; urgency=low [ Miguel Landaeta ] * Fix small typo in README.Debian. [ tony mancill ] * Use ucf and a template for /etc/logrotate.d/tomcat6 file to avoid updating the shipped conffile. (Closes: #688936) -- tony mancill Thu, 27 Sep 2012 10:55:35 -0700 tomcat7 (7.0.28-2) unstable; urgency=low [ Jakub Adam ] * Ensure webapps/examples/WEB-INF/lib exists before files are copied there. * Fix FTBFS when user home dir doesn't exist (Closes: #680844). [ tony mancill ] * Fix build to generate postrm from postrm.in (Closes: #681160) -- tony mancill Tue, 10 Jul 2012 17:29:30 -0700 tomcat7 (7.0.28-1) unstable; urgency=low [ Miguel Landaeta ] * Add Slovak debconf translation (Closes: #677913). - Thanks to Ivan Masár. [ James Page ] * New upstream release. * Enable test suite during package build: - d/control: Add junit4, libjstl1.1-java and libjakarta-taglibs-standard-java to BDI's. - d/rules: + Add ant/junit4 jar files to build classpath. + Target java 1.6 to support test suite execution. + Specify location of junit jar file. + Install jstl jar files to example webapp during build. + Conditionally execute test target if required. + Purge jar files from example webapp during clean. * Fix JSTL examples in examples web application: - d/control: Add dependencies on libjstl1.1-java and libjakarta-taglibs-standard-java for tomcat7-examples. 
- d/tomcat7-examples.links: Add links to jstl and standard jar files for examples web application. - d/context/examples.xml: Allow linking to jar files in examples webapp. * Fix mapping to javax packages for API jar files: - d/maven.[rules,publishedRules]: Ensure all javax.[servlet|el] jar files are published to the correct locations in /usr/share/[maven-repo|java]. - d/libservlet3.0-java.manifest: Update jar file locations for javax remapping. - d/libservlet3.0-java.links: Provide backwards compatible links for deprecated tomcat-*.jar files in /usr/share/java. [ tony mancill ] * Set DMUA flag. -- tony mancill Fri, 22 Jun 2012 07:06:46 -0700 tomcat7 (7.0.27-1) unstable; urgency=low * New upstream release. -- tony mancill Thu, 07 Jun 2012 22:43:21 -0700 tomcat7 (7.0.26-4) unstable; urgency=low * Address regression leaving ROOT webapp files after purge. (Closes: #670440) * Update copyright year in javadoc to 2012. -- tony mancill Mon, 28 May 2012 18:45:07 -0700 tomcat7 (7.0.26-3) unstable; urgency=low * Team upload. * Apply patches provided by James Page (Closes: #671370) - d/patches/0012-java7-compat.patch: Added compatibility patch to support compilation with openjdk-7 as default-jdk (LP: #889002). - d/default_root/index.html: Fixup instructions for enabling manager web application access (LP: #910368). * Fix README.Debian symlink; file is not compressed. (Closes: #674119) -- tony mancill Wed, 23 May 2012 22:13:23 -0700 tomcat7 (7.0.26-2) unstable; urgency=low [ tony mancill ] * Add Turkish debconf translation. (Closes: #664683) - Thanks to Atila KOÇ * Add patch to tomcat7-instance-create to handle paths with spaces. - Thanks to James Page. (Closes: #668362) * Remove /etc/authbind/byuid, /etc/authbind in postrm. Update md5sum for default webapps root files. (Closes: #670440) [ Jakub Adam ] * Update OSGi metadata, use jh_manifest for modifying MANIFEST.MF. 
-- tony mancill Thu, 26 Apr 2012 20:59:52 -0700 tomcat7 (7.0.26-1) unstable; urgency=low [ Jakub Adam ] * New upstream release. * Add Jakub Adam to Uploaders. * Bump Standards-Version to 3.9.3. * Don't Depend libservlet3.0-java-doc on package it documents, relax to Suggests. [ tony mancill ] * Add Polish debconf translation. (Closes: #661644) - Thanks to Michał Kułach. -- tony mancill Thu, 01 Mar 2012 21:22:50 -0800 tomcat7 (7.0.23-2) unstable; urgency=low * Add nl.po debconf translation (Closes: #651162) - Thanks to Jeroen Schot * Add java6-runtime-headless | java6-runtime to tomcat7-common Depends (Closes: #660757) * Remove java-5-runtime from tomcat7-common Depends; tomcat7 requires Java 1.6 according to http://tomcat.apache.org/whichversion.html. Also remove Java 1.5 paths from JDK path search in init script. * Update init script to locate multiarch OpenJDKs (Closes: #651487) * Apply patch to report build versions as a.b.c.d (Closes: #651492) - Thanks to Jorge Barreiro González * Bump Standards-Version to 3.9.3. -- tony mancill Sun, 26 Feb 2012 22:55:33 -0800 tomcat7 (7.0.23-1) unstable; urgency=low * New upstream release. * Refresh patches. -- Miguel Landaeta Sun, 27 Nov 2011 19:44:37 -0430 tomcat7 (7.0.22-1) unstable; urgency=low [ Miguel Landaeta ] * New upstream release. * Fix lintian warning about format specification of copyright file. [ tony mancill ] * Add dependency on JRE to tomcat7-common (Closes: #644340) * Modify init script to look for JVM in /usr/lib/jvm/default-java -- tony mancill Sat, 08 Oct 2011 21:58:41 -0700 tomcat7 (7.0.21-1) unstable; urgency=low * New upstream release. - Includes fix for CVE-2011-3190. * Updated my email address. -- James Page Wed, 07 Sep 2011 09:45:29 +0100 tomcat7 (7.0.19-1) unstable; urgency=high (security) * Team upload. * New upstream release. - Includes fix for CVE-2011-2526 (Closes: #634992) * Remove patch for CVE-2011-2204 (included upstream). 
-- tony mancill Mon, 25 Jul 2011 22:58:33 -0700 tomcat7 (7.0.16-3) unstable; urgency=low * Team upload. * Correct Suggests: for libtcnative-1 (tomcat-native) * Add patch for CVE-2011-2204 (Closes: #632882) -- tony mancill Wed, 06 Jul 2011 21:55:39 -0700 tomcat7 (7.0.16-2) unstable; urgency=low * Restore tomcat-juli.jar link in /usr/share/tomcat7/bin. Thank you to Kristof Csillag for the bug report. (Closes: #631667) -- tony mancill Sun, 26 Jun 2011 08:13:33 -0700 tomcat7 (7.0.16-1) unstable; urgency=low [ Miguel Landaeta ] * New upstream release. * Add missing deps and symlinks for commons-pool and commons-dbcp jars. [ tony mancill ] * Add logrotate file for catalina.out. * Add build-arch target to debian/rules. -- tony mancill Thu, 23 Jun 2011 20:26:29 -0700 tomcat7 (7.0.14-1) unstable; urgency=low * Team upload. * New upstream release. Thank you to Ernesto Hernández-Novich for providing the basis of this packaging. -- tony mancill Tue, 17 May 2011 21:10:22 -0700 tomcat6 (6.0.32-4) UNRELEASED; urgency=low * Team upload. * Add Italian debconf translation. Thanks to Dario Santamaria (Closes: #624376) -- tony mancill Thu, 28 Apr 2011 20:17:30 -0700 tomcat6 (6.0.32-3) unstable; urgency=low * Team upload. * Include upstream patch for ASF Bugzilla - Bug 50700 (Context parameters are being overridden with parameters from the web application deployment descriptor) (Closes: #623242) -- tony mancill Mon, 18 Apr 2011 20:38:29 -0700 tomcat6 (6.0.32-2) unstable; urgency=low * Team upload. [ tony mancill ] * Patch debian/tomcat6-instance-create (LP: #707405) tomcat6-instance-create should accept -1 as the value of -c option as per http://tomcat.apache.org/tomcat-6.0-doc/config/server.html Thanks to Dave Walker. (Closes: #617553) * Move tomcat6-instance-create manpage from section 2 to section 8. Thanks to brian m. carlson (Closes: #607682) * Add tomcat6-extras package. 
Currently includes only catalina-jmx-remote.jar (Closes: #614333) [ Thierry Carrez ] * debian/tomcat6-instance-create: Eclipse can now be configured to use a user instance of tomcat6 using tomcat6-instance-create without any additional work. Patch from Abhinav Upadhyay (Closes: #551091, LP: #297675) -- tony mancill Sun, 03 Apr 2011 21:16:08 -0700 tomcat6 (6.0.32-1) unstable; urgency=low * Team upload. * New upstream release * Remove following patches applied upstream: CVE-2010-4172, CVE-2011-0534, CVE-2010-3718, CVE-2011-0013, 0009-allow-empty-PID-file.patch * Adjust 0004-split-deploy-webapps-target-from-deploy-target.patch -- tony mancill Tue, 15 Feb 2011 22:41:42 -0800 tomcat6 (6.0.28-10) unstable; urgency=medium * Team upload. * Add Portuguese/Brazilian debconf translation. Thanks to José de Figueiredo (Closes: #608527) * Add patches for CVE-2011-0534, CVE-2010-3718, CVE-2011-0013 (Closes: #612257) -- tony mancill Wed, 09 Feb 2011 21:49:33 -0800 tomcat6 (6.0.28-9) unstable; urgency=medium * Team upload. * Update URL for manager application in README.Debian Thanks to Ernesto Ongaro (Closes: #606170) * Add patch for CVE-2010-4172. (Closes: #606388) -- tony mancill Thu, 09 Dec 2010 22:52:08 -0800 tomcat6 (6.0.28-8) unstable; urgency=low * Team upload. [ Thierry Carrez (ttx) ] * Do not fail to purge if /etc/tomcat6 was manually removed (LP: #648619) * Add missing -p option in start-stop-daemon when starting tomcat6 to avoid failing to start due to /bin/bash running (LP: #632554) * Fix build failure (missing TraXLiaison class) by adding ant-nodeps to the classpath. [ tony mancill ] * Use debconf to determine tomcat6 user and group to delete upon purge. Thanks to Misha Koshelev. (Closes: #599458) * Add tomcat-native to Suggests: for tomcat6 binary package. Thanks to Eddy Petrisor (Closes: #600590) * Add Danish debconf template translation. Thanks to Joe Dalton (Closes: #605070) * Actually add the Czech debconf template translation. 
Thanks this time to Christian PERRIER (Closes: #597863) -- tony mancill Sat, 04 Dec 2010 17:20:11 -0800 tomcat6 (6.0.28-7) unstable; urgency=low * Team upload. * Add Czech debconf template translation. Thanks to Michal Simunek. (Closes: #597863) * Add Spanish debconf template translation. Thanks to Javier Fernández-Sanguino (Closes: #599230) * Modify postinst to handle JAVA_OPTS strings containing the '/' character. This was causing upgrade failures for users. (Closes: #597814) -- tony mancill Wed, 06 Oct 2010 14:40:19 -0700 tomcat6 (6.0.28-6) unstable; urgency=low * Team upload. * Add Japanese debconf template translation. Thanks to Hideki Yamane. (Closes: #595460) * Add Russian debconf template translation. Thanks to Yuri Kozlov. (Closes: #592627) * Add Portuguese debconf template translation. Thanks to Américo Monteiro. (Closes: #592655) * Add Swedish debconf template translation. Thanks to Martin Bagge. (Closes: #593676) * Add German debconf template translation. Thanks to Holger Wansing. (Closes: #593200) -- tony mancill Fri, 17 Sep 2010 21:30:27 -0700 tomcat6 (6.0.28-5) unstable; urgency=low * Team upload. [Thierry Carrez (ttx)] * Check for group existence to avoid postinst failure (LP: #611721) [tony mancill] * Add French debconf template translation. Thanks to Steve Petruzzello. (Closes: #594313) -- tony mancill Thu, 02 Sep 2010 21:49:08 -0700 tomcat6 (6.0.28-4) unstable; urgency=medium * Ignore most errors during purge. (Closes: #591867) * Add po-debconf support. -- Torsten Werner Fri, 06 Aug 2010 04:08:40 +0200 tomcat6 (6.0.28-3) unstable; urgency=low * UNRELEASED * Fix filename of /etc/tomcat6/tomcat-users in README.Debian. Thanks to Olivier Berger. (Closes: #590085) -- Torsten Werner Fri, 23 Jul 2010 23:36:49 +0200 tomcat6 (6.0.28-2) unstable; urgency=low * Add debconf questions for user, group and Java options. 
* Use ucf to install /etc/default/tomcat6 from a template * Drop CATALINA_BASE and CATALINA_HOME from /etc/default/tomcat6 since we shouldn't encourage users to change those anyway -- Thierry Carrez Tue, 20 Jul 2010 14:36:48 +0200 tomcat6 (6.0.28-1) unstable; urgency=low [ Niels Thykier ] * Removed depends on JREs for the library packages. It is no longer required by the policy. [ Torsten Werner ] * New upstream release (Closes: #588813) - Fixes CVE-2010-2227: DoS and information disclosure * Remove 2 patches that were backports to 6.0.26. -- Torsten Werner Mon, 19 Jul 2010 18:22:52 +0200 tomcat6 (6.0.26-5) unstable; urgency=medium * Convert patches to dep3 format. * Backport security fix from trunk to fix CVE-2010-1157. (Closes: #587447) * Set urgency to medium due to the security fix. -- Torsten Werner Mon, 28 Jun 2010 21:41:31 +0200 tomcat6 (6.0.26-4) unstable; urgency=low [ Thierry Carrez ] * Fix issues preventing Tomcat6 from running with a security manager: - debian/tomcat6.init: Remove duplicate securitymanager options. - debian/patches/catalina-sh-security-manager.patch: Use the right location for the security.policy file in catalina.sh. - Closes: #585379, LP: #591802. Thanks to Jeff Turner for the original patches and to Adam Guthrie for the Lucid debdiff. * Allow binding to any interface when using authbind, rather than only allowing binding to all (LP: #594989) * Force backgrounding of catalina.sh in start-stop-daemon, to allow the init script to be started through ssh -t (LP: #588481) [ Torsten Werner ] * Remove Paul from Uploaders list. -- Thierry Carrez Thu, 24 Jun 2010 15:55:10 +0200 tomcat6 (6.0.26-3) unstable; urgency=low [ Marcus Better ] * Apply upstream fix for deadlock in WebappClassLoader. (Closes: #583896) [ Thierry Carrez ] * debian/tomcat6.{install,postinst}: Do not store the default root webapp in /usr/share/tomcat6/webapps as it increases confusion on what this directory contains (and its relation with /var/lib/tomcat6/webapps). 
Store it inside /usr/share/tomcat6-root instead (LP: #575303). -- Marcus Better Mon, 31 May 2010 15:50:57 +0200 tomcat6 (6.0.26-2) unstable; urgency=low * debian/tomcat6.{postinst,prerm}: Respect TOMCAT6_USER and TOMCAT6_GROUP as defined in /etc/default/tomcat6 when setting directory permissions and authbind configuration (Closes: #581018, LP: #557300) * debian/tomcat6.postinst: Use group "tomcat6" instead of "adm" for permissions in /var/lib/tomcat6, so that group "adm" doesn't get write permissions over /var/lib/tomcat6/webapps (LP: #569118) -- Thierry Carrez Fri, 21 May 2010 13:51:15 +0200 tomcat6 (6.0.26-1) unstable; urgency=low * New upstream version * Apply patch from Mark Scott to fix tomcat6-instance-create which failed when multiple commandline options are provided, fix creation of FULLPATH (Closes: #575580) -- Ludovic Claude Wed, 21 Apr 2010 23:07:09 +0100 tomcat6 (6.0.24-5) unstable; urgency=low * Added optimised garbage collection options to tomcat6's default options. Thanks to Aaron J. Zirbes and Thierry Carrez for research and the patch. (Closes: LP: #541520) * Updated the changelog to mention closed CVE's in the 6.0.24-1 release. * Applied patch from Arto Jantunen fixing an issue with cleaning up the pid-file. (Closes: #574084) -- Niels Thykier Thu, 25 Mar 2010 23:45:32 +0100 tomcat6 (6.0.24-4) unstable; urgency=low * debian/tomcat6.postrm: fix removal of Tomcat (Closes: #567548) * Set UTF-8 as default character encoding - Patch by Thomas Koch (Closes: #573539) -- Ludovic Claude Thu, 11 Mar 2010 23:45:34 +0100 tomcat6 (6.0.24-3) unstable; urgency=medium * Set the major, minor and build versions when calling Ant (Closes: LP: #495505) * Rebuild with a more recent version of maven-repo-helper which puts the javax jars at the correct location in the Maven repository. Fixes several FTBFS in other packages. 
-- Ludovic Claude Wed, 03 Mar 2010 00:10:15 +0100 tomcat6 (6.0.24-2) unstable; urgency=low * Fix missing symlinks to tomcat-coyote.jar and catalina-tribes.jar causing NoClassDefFoundException at startup (last minute packaging change, sorry) (Closes: #570220) * tomcat6-admin, tomcat6-examples and tomcat6-docs now depend on tomcat6-common instead of tomcat6, this allow users to install those packages without requiring tomcat6 and its automatic startup scripts being present. tomcat-users can be installed instead and allow full control over when Tomcat is started or stopped. -- Ludovic Claude Wed, 17 Feb 2010 22:59:21 +0100 tomcat6 (6.0.24-1) unstable; urgency=low [ Ludovic Claude ] * New upstream version - Fixes Directory traversal vulnerability (CVE-2009-2693,CVE-2009-2902) - Fixes Autodeployment vulnerability (CVE-2009-2901) * Update the POM files for the new version of Tomcat * Bump up Standards-Version to 3.8.4 * Refresh patches deploy-webapps-build-xml.patch and var_loaders.patch * Remove patch fix_context_name.patch as it has been applied upstream * Fix the installation of servlet-api-2.5.jar: the jar goes to /usr/share/java as in older versions (6.0.20-2) and links to the jar are added to /usr/share/maven-repo * Moved NEWS.Debian into README.Debian * Add a link from /usr/share/doc/tomcat6-common/README.Debian to /usr/share/doc/tomcat6/README.Debian to include a minimum of documentation in the tomcat6 package and add some useful notes. (Closes: #563937, #563939) * Remove poms from the Debian packaging, use upstream pom files [ Jason Brittain ] * Fixed a bug in the init script: When a start fails, the PID file was being left in place. Now the init script makes sure it is deleted. * Fixed a packaging bug that results in the ROOT webapp not being properly installed after an uninstall, then a reinstall. * control: Corrected a couple of comments (no functional change). 
-- Ludovic Claude Tue, 09 Feb 2010 23:06:51 +0100 tomcat6 (6.0.20-dfsg1-2) unstable; urgency=low * JSVC is no longer used by the package. Instead, the init script invokes the stock catalina.sh script. * Authbind is now the standard method for binding Tomcat to ports lower than 1024 (when using IPv4). * The security manager now defaults to the disabled state, and is commented that way in /etc/default/tomcat6. * Reliable restarts are now implemented in the init script. (Closes: #561559) * Tomcat now sends STDOUT and STDERR to its usual, stock log file CATALINA_BASE/logs/catalina.out (/var/log/tomcat6/catalina.out in this package's case). -- Jason Brittain Wed, 27 Jan 2010 01:08:57 +0000 tomcat6 (6.0.20-dfsg1-1) unstable; urgency=low * Fix debian/orig-tar.sh to exclude binary only standard.jar and jstl.jar. (Closes: #528119) * Upload a cleaned tarball. * Add ${misc:Depends} in debian/control. -- Torsten Werner Sat, 23 Jan 2010 19:40:38 +0100 tomcat6 (6.0.20-9) unstable; urgency=low * Fix spelling issues. * Always set JSVC_CLASSPATH to a default value in init. -- Niels Thykier Sat, 19 Dec 2009 19:11:33 +0100 tomcat6 (6.0.20-8) unstable; urgency=low * Corrected some spelling mistakes in debian/control. (Closes: #557377, #557378) * Added patches to install the OSGi metadata in some of the jars. (Closes: #558176) * Updated 03catalina.policy to allow "setContextClassLoader". - Fixes a problem where Sun's JVM would fail to generate log-files. (Closes: LP: #410379) * Updated /etc/default/tomcat6: - Clarified that JAVA_OPTS are passed to jsvc and not the JVM. - Updated the JSP_COMPILER to javac (jikes is not in Debian anymore). (Closes: LP: #440685) * Use default-jdk and default-jre-headless instead of openjdk in (Build-)Depends. * Added more alternatives for java implementations to the Depends of libservlet2.5-java. * Exposed JSVC_CLASSPATH to the configuration file. (Closes: LP: #475457) * Updated description so it no longer refers to non-existent package. 
(Closes: #559475) * Used "set -e" in postinst and postrm instead of passing "-e" to sh in the #!-line. * Changed to 3.0 (quilt) source format. -- Niels Thykier Mon, 07 Dec 2009 21:17:55 +0100 tomcat6 (6.0.20-7) unstable; urgency=low * New patch fix_context_name.patch: - Allow Service name != Engine name. Regression in fix for 42707. Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47316 - This has been fixed in trunk and will be in 6.0.21 * Register libservlet2.5-java-doc API with doc-base * Fix short description of tomcat6-docs by using "documentation" suffix -- Damien Raude-Morvan Sat, 10 Oct 2009 21:41:55 +0200 tomcat6 (6.0.20-6) unstable; urgency=low [ Ludovic Claude ] * tomcat6.postinst: set the ownership of files in /etc/tomcat6/ to root:tomcat6, to prevent an attacker running inside a tomcat6 instance from changing the tomcat configuration * debian/policy/02debian.policy: grant access to /usr/share/maven-repo/ as it is a valid source of Debian JARs. (Closes: #545674) * Bump up Standards-Version to 3.8.3 - add debian/README.source that describes the quilt patch system. * debian/control: Add Conflicts on libtomcat6-java with old versions of tomcat6-common (Closes: #542397) [ Michael Koch ] * Replace dh_clean -k by dh_prep. * Added Ludovic and myself to Uploaders. * Build-Depends on debhelper >= 7. -- Michael Koch Fri, 25 Sep 2009 07:14:07 +0200 tomcat6 (6.0.20-5) unstable; urgency=low * Fix jsp-api dependency in the Maven descriptors. * Put tomcat-juli.jar in /usr/share/java instead of juli.jar. This fixes a broken link which prevented tomcat from starting when logging is turned on, and restores the file layout defined in 6.0.20-2. * Restore links to the jars in usr/share/tomcat6/lib * Change watch to download fresh sources from SVN. Should fix wrong encoding in tomcat-i18n-fr/es.jar in the next upstream version. (Closes: #522067) * Update ownership for files in /etc/tomcat6 and /var/lib/tomcat6/webapps. 
The new owner is tomcat6:adm (Closes: #532284) * Add additional directories for the common, server and shared classloader. Directories are also compatible with Alfresco's packaging done for Ubuntu. (Closes: #521318) * Update checksum in postrm script to reflect changes in the new upstream webapp * postrm removes the extra directories created in /var/lib/tomcat6 to hold shared and common classes or jars. * Added commented out default options for enabling debug mode. (Closes: LP: #375493) -- Ludovic Claude Wed, 05 Aug 2009 00:56:59 +0100 tomcat6 (6.0.20-4) experimental; urgency=low * Fix init script: - Change Provides: tomcat6. (Closes: #532286) - Check for /etc/default/rcS before sourcing it. * Update Standards-Version: 3.8.2 (no changes). -- Torsten Werner Thu, 16 Jul 2009 23:36:32 +0200 tomcat6 (6.0.20-3) experimental; urgency=low * Add the Maven POM to the package * Add a Build-Depends-Indep dependency on maven-repo-helper * Use mh_installpom and mh_installjar to install the POM and the jar to the Maven repository -- Ludovic Claude Tue, 14 Jul 2009 14:17:27 +0100 tomcat6 (6.0.20-2) unstable; urgency=low * Expose tomcat-juli.jar as a library in /usr/share/java as it is a dependency of jasper which is used also by jetty -- Ludovic Claude Mon, 15 Jun 2009 13:33:13 +0100 tomcat6 (6.0.20-1) unstable; urgency=low * new upstream release (Closes: #531873) * Remove patch tcnative-ipv6-fix-43327.patch that has been applied upstream. * Refresh other patches. -- Torsten Werner Fri, 05 Jun 2009 23:38:44 +0200 tomcat6 (6.0.18-dfsg1-1) unstable; urgency=low [ Torsten Werner ] * Remove jstl.jar and standard.jar from orig tarball because it comes without source code. (Closes: #528119) [ Marcus Better ] * Let the init script exit silently if the package is uninstalled. (Closes: #529301) -- Torsten Werner Tue, 19 May 2009 21:23:18 +0200 tomcat6 (6.0.18-4) unstable; urgency=low * Add patch tcnative-ipv6-fix-43327.patch provided by Thierry Carrez. 
(Closes: #527033) * Change Section: java (from web). * Bump up Standards-Version: 3.8.1 (no changes). * Remove redundant Depends: ant because we depend on ant-optional. -- Torsten Werner Sun, 10 May 2009 19:41:40 +0200 tomcat6 (6.0.18-3) unstable; urgency=low * Remove unneeded dirs and symlinks; thanks to Thierry Carrez. (Closes: #517857) * Improve the long description of all binary packages. (Closes: #518140) -- Torsten Werner Wed, 04 Mar 2009 21:58:41 +0100 tomcat6 (6.0.18-2) unstable; urgency=low * upload to unstable -- Torsten Werner Sat, 21 Feb 2009 11:31:20 +0100 tomcat6 (6.0.18-1) experimental; urgency=low * Merge changes from Ubuntu. Thanks to the Ubuntu developers we are shipping a full Tomcat 6.0 server stack now. (Closes: #494674) * Add myself to Uploaders. * Switch to openjdk-6 which is not the default in Debian. -- Torsten Werner Sat, 07 Feb 2009 17:02:57 +0100 tomcat6 (6.0.18-0ubuntu5) jaunty; urgency=low [ Thierry Carrez ] * Removed tomcat6-[admin,docs,examples].post[inst,rm] and let Tomcat webapp autodeployment features handle application load/unload (LP: #302914) * tomcat6-instance-create, tomcat6-instance-create.1, control: Allow to change the HTTP port, control port and shutdown word on the tomcat6-instance-create command line (LP: #300691). [ Mathias Gug] * debian/tomcat6-instance-create: move directoryname from an option to an argument. * debian/tomcat6-instance-create.1: some updates to the man page. * debian/control: update maintainer field to Ubuntu Core Developers now that tomcat6 is in main. 
-- Mathias Gug Wed, 07 Jan 2009 18:44:39 -0500 tomcat6 (6.0.18-0ubuntu4) jaunty; urgency=low * tomcat6.init, tomcat6.postinst, tomcat6.dirs, tomcat6.default, README.debian: Use /tmp/tomcat6-temp instead of /var/lib/tomcat6/temp as the JVM temporary directory and clean it at each restart (LP: #287452) * policy/04webapps.policy: add rules to allow usage of java.io.tmpdir * tomcat6.init, rules: Do not use TearDown, as this results in LifecycleListener callbacks in webapps being bypassed (LP: #299436) * rules: Compile at Java 1.5 level to allow usage of Java 5 JREs (LP: #286427) * control, rules, libservlet2.5-java-doc.install, libservlet2.5-java-doc.links: New libservlet2.5-java-doc package ships missing Servlet/JSP API documentation (LP: #279645) * patches/use-commons-dbcp.patch: Change default DBCP factory class to org.apache.commons.dbcp.BasicDataSourceFactory (LP: #283852) * tomcat6.dirs, tomcat6.postinst, default_root/index.html: Create Catalina/localhost in /etc/tomcat6 and make it writeable by the tomcat6 group, so that autodeploy and admin webapps work as expected (LP: #294277) * patches/disable-apr-loading.patch: Disable APR library loading until we properly provide it. * patches/disable-ajp-connector: Do not load AJP13 connector by default (LP: #300697) * rules: minor fixes to prevent build being called twice. 
-- Thierry Carrez Thu, 27 Nov 2008 12:47:42 +0000 tomcat6 (6.0.18-0ubuntu3) intrepid; urgency=low * debian/tomcat6.postinst: - Make /var/lib/tomcat6/temp writeable by the tomcat6 user (LP: #287126) - Make /var/lib/tomcat6/webapps writeable by tomcat6 group (LP: #287447) * debian/tomcat6.init: make status return nonzero if tomcat6 is not running (fixes LP: #288218) -- Thierry Carrez Thu, 23 Oct 2008 18:19:15 +0200 tomcat6 (6.0.18-0ubuntu2) intrepid; urgency=low * debian/rules: call dh_installinit with --error-handler so that install doesn't fail if Tomcat cannot be started during configure (LP: #274365) -- Thierry Carrez Mon, 06 Oct 2008 13:55:21 +0200 tomcat6 (6.0.18-0ubuntu1) intrepid; urgency=low * New upstream version (LP: #260016) - Fixes CVE-2008-2938: Directory traversal vulnerability (LP: #256802) - Fixes CVE-2008-2370: Information disclosure vulnerability (LP: #256922) - Fixes CVE-2008-1232: XSS through sendError vulnerability (LP: #256926) * Dropped CVE-2008-1947.patch (fix is shipped in this upstream release) * control: Improve short descriptions for the binary packages * copyright: Added link to /usr/share/common-licenses/Apache-2.0 * control: To pull the right JRE, libtomcat6-java now depends on default-jre-headless | java6-runtime-headless -- Thierry Carrez Fri, 22 Aug 2008 09:15:11 +0200 tomcat6 (6.0.16-1ubuntu1) intrepid; urgency=low * Adding full Tomcat 6 server stack support (LP: #256052) - tomcat6 handles the system instance (/var/lib/tomcat6) - tomcat6-user allows users to create their own private instances - tomcat6-common installs common files in /usr/share/tomcat6 - libtomcat6-java installs Tomcat 6 java libs in /usr/share/java - tomcat6-docs installs the documentation webapp - tomcat6-examples installs the examples webapp - tomcat6-admin installs the manager and host-manager webapps * Other key differences with the tomcat5.5 packages: - default-jdk build support - OpenJDK-6 JRE runtime support - tomcat6 installs a minimal ROOT webapp - new 
webapp locations follow Debian webapp policy - webapps restart tomcat6 in postrm rather than in prerm - added a doc-base entry - use standard upstream server.xml - initscript: try to check if Tomcat is really running before returning OK - removed transitional configuration migration code - autogenerate policy in /var/cache/tomcat6 rather than /etc/tomcat6 - logging.properties is customized to remove -webapps-related lines - initscript: implement TearDown spec * CVE-2008-1947 fix (cross-site-scripting issue in host-manager webapp) -- Thierry Carrez Fri, 08 Aug 2008 15:37:48 +0200 tomcat6 (6.0.16-1) unstable; urgency=low * Initial release. (Closes: #480964). -- Paul Cager Mon, 12 May 2008 23:04:49 +0000 debian/libservlet3.0-java-doc.doc-base0000644000000000000000000000045213067437273014660 0ustar Document: servlet30-api Title: Java Servlet 3.0 API Documentation Author: Apache Software Foundation Abstract: Javadoc documentation for Java Servlet 3.0 API. Section: Programming Format: HTML Index: /usr/share/doc/libservlet3.0-java/api/index.html Files: /usr/share/doc/libservlet3.0-java/api/* test/org/apache/tomcat/util/net/ca.jks0000644000000000000000000000740113067502611015064 0ustar caLMe 0 0 +* m9hDndKZJ{M$ј>g(.@ΩO"&(VYy!uж\MTK!r.aЀ= {qeh{7Cx& DF?\dmeoj$P(w|}8%9/r(@I{ q'@B6pZ(%n_nK{wޖbHO#LCvT@x[2ҝ͑K28a96bu'0NzlzҞ7n8]2K67}*mHՠժװSJⰔ<;N }11)5*j>E[\&'I9Ol_tHUV+yubE`/bu}W)5#z4"83uh"Yf:i(;0F J",PyEDŔ̀V;!<ձgnj؞ak wq_SdfPZ^);cXj8"* 2 5I Ekud%J ,اDW9C>})MwǩoAacLi{T΂l^H0S:kieC7+<Y|c7w񇎢Q10+ QC1v* O*O ;}+!Hއݐz&uJsQs`X%eVz2ܒlB0W\O/hpFG1|F/pfӏ(PH~*$+(fuNg0f>| F..\Ö>z?^N.x[@f &jlq,`"$(.e}ʹ*:_ p fM>: `1EPSvj|%"iYm{UnjMJ=8+4'>N=4EƢY6vfzW-5|.VH}^! 
Â>|&Zah ΰqVÛeԞ(ewL1bQ*[ ku@QE16O'{+ J3u|%P\ E-妿}0+)<>c2UxB:^iX/x}9A@'f6@b|h3&"/`0 S@"|]äDpbB.;Ѭٟq41 sW# x&jV=:'Hbo: @*]PYf!yxD҈]9x/cP O%n"BHMĉ2M3u\>:hq%XvP$XekU QY<ͺ(ZḮ{V[|qZRw݉{zkܨBiP*ؓJd{?F4-.?L Ivuت/7 di7i4K$y5)X(m 6UJ ,-6,[XbXYXlA/ijh Aڭ !]֔ۥ`2sd?h27xxI]tmAȟݖʅ29Р& ,2'{e)~YRLDS+zY;UN@t{-*8&t8Xrl+UMҲӥ((| FVDH^"y*Vn=U^;Qp먻iK"_*YכLKq?.C ̂mcMe2ʾGΓ8\lx2{d#FNԺΛ G`G:)!m wGawuX}U[@-*yPۻǟ M fRZuPq.P_h1L{K#7M^SHur"p|\ i5(^vBN;%[J%cjK%(% TPTA (v9X.5099050 f0  *H  011 0 UUS1"0 U ca-test.tomcat.apache.org0 150324194443Z 250321194443Z011 0 UUS1"0 U ca-test.tomcat.apache.org0"0  *H 0 `tm^u]RsK Y-15u4p!Hm'U\e){v~93.PB1J5Gp,Kԍ4mmjSXBh0m%McL}{# ))a@Q`#/  -m\d$&U>rQ8iF[WRZҼ\9[PsCSVyPMb|/tR o7rH/.qia\:ۋoy"щTuIGlTeZMOR~bdtf:vYI+]$8;'DK-!gمvrtffpl/+4CsqVz62#y,"\8D9h&9.d7/dUA$Lz{RlԵv̽fZMfkx xO tѿ8[4 ƥ&P0N0UvXjQzh!+a89?ت1HՋKOizw_B^P8E֫4jЪGrHnxќ33NAX 6.P[-|R/BUZHαVL.r<2H{% A<ߓr ; p%"o%#|:s.m5Ew*NT:b}-?`xʛޞbNPTO51%QcR< [test/org/apache/tomcat/util/net/localhost-copy1.jks0000644000000000000000000000464313067502611017527 0ustar tomcatLN 00 +*;}[N&[~tcxl[h dNNJ qVKSNwpZ34]|-Bֹ}ԩ3y qZ@sB/\m^B*,-IFn 㪓(4SѪ̀d[TGsB b(d!sTo=n_b;$]L% q ^5[v߱fr(ײ6o@᪕X?8%v[ATi|֍-`l zG2ެIx%UI[8ž'"+?cWRLdXvQ9w5F|%00^cX^f#8;vyVw!R3 ဏhX5: ;>bzL L2.H0*[P_=3&XǑn[Ku,=N898{pO΀J@B4+x[mEEt;ޭ>2ȟj"~32>B 7lNufɕOql^a󥀂Hƥp)G -4h單 #ӑz6hZ>`=:~B3h>Ty˛<)`RVyNqC-baq}ͳ:v@u?4e+-pŸ@@G68Vã%5ΠDuVjs|Py xR(Ņ:xvYFV\Ta,򊚯 0gQ<敌ZT S#,gTSS ֗@YpyvLI1#lY!okjQ[ uI5QHHek< ŽyFE5m-.'/.RUR pGW76 EOĪ&F9$:;ޘTW@*"wr+yƫ&I!10D>F?o/cZH7Xɹ?`V&j/1+%]̽nǾ4"XEJ?S9uChI#py+)Dތ+ L]ބ KynnV0Q` W${x\P(%X.509[0W0?0  *H  011 0 UUS1"0 U ca-test.tomcat.apache.org0 150324195958Z 250321195958Z0!1 0 UUS10U localhost0"0  *H 0 oy?'4$yXGi+[JWjf\ ''2*/iw d1QAtQQXs!c,I p `/jۥE>4giE4)9r!T5{0M=2$KO_`d^hޘ}@`PȌݔA[c+c j~hVN`X3Uė *kx cAkHYE(|xu }QwAB0K)3=Xi[p'00 U00 U0, `HB OpenSSL Generated Certificate0U0۫p4uFJti0U#0vXjQ9[vZ@22`2ouW`!(fl=@8ol^M_4a:`ʧJӮ 
*V"p,;П'>Ppx~Xqi..Ԛݙ䓷;PU(XVGgQn2ݑ(|5*VfA&^։SvGTέ4y}J''F?K5e2#d6kPbIADb/uǖ*L̠{,˺A0}a9:\;'PWl9.o)sT66‚EVQctest/org/apache/tomcat/util/net/localhost.jks0000644000000000000000000000464313067502611016476 0ustar tomcatLM^00 +* y]cƼ)v1z4h)uݰǣBPr:0nbg-8+mfÔ8l'hpsK gM\Ȃ R؞OvT̒<=trnM)*﮻ M啥gl ImctCLP 8㥍WJuH6vl' p(Pɲ/3Z; YZtc^濇B0k5`2s1EGR0tT~3Yk߁]3.?3%NW ;fI+&٠-Q@/wG8]6Q ߱d삼*4&JA=0\ `UŜ ´iZ{8WhcC=NL$4\@8+rI'%ECU҅I浿 7& pzb^&IJRԚa$k1F!Xv wкLjz*Roު,=u*ض`5_]c8љLL)VO $? fKmɈ$qv/EHKC(beP DjR0ZcEu|z2֗>0Dn}Mz|-ڌlk82B7U^eYE. pm-) n%O(>': c};ٺ ~WRm$FÉ6w~ה LǯhbSǾ :|˗ε~"XB^̄ƖI֖K[n.;R=җ-أ`V`7D?|gYMhd~85ZZ\($ )f^72" G _#sQt utl+m~']ap'IYKƿa9]A3𱰙v7ZǯueS7VzhFz;7&gqA4Rb7@R)Fݤm{o%& mA6.g6P]FؤAp:̺23Ϯ5  T@Y2iJ8Ԉߧ`*6wlMݷSp$\T "ެ%sq~4~,6v^:&cTX.509[0W0?0  *H  011 0 UUS1"0 U ca-test.tomcat.apache.org0 150324195958Z 250321195958Z0!1 0 UUS10U localhost0"0  *H 0 oy?'4$yXGi+[JWjf\ ''2*/iw d1QAtQQXs!c,I p `/jۥE>4giE4)9r!T5{0M=2$KO_`d^hޘ}@`PȌݔA[c+c j~hVN`X3Uė *kx cAkHYE(|xu }QwAB0K)3=Xi[p'00 U00 U0, `HB OpenSSL Generated Certificate0U0۫p4uFJti0U#0vXjQ9[vZ@22`2ouW`!(fl=@8ol^M_4a:`ʧJӮ *V"p,;П'>Ppx~Xqi..Ԛݙ䓷;PU(XVGgQn2ݑ(|5*VfA&^։SvGTέ4y}J''F?K5e2#d6kPbIADb/uǖ*L̠{,˺A0}a9:\;'PWl9.o)sTɔKbRtest/org/apache/tomcat/util/net/user1.jks0000644000000000000000000000744513067502611015550 0ustar user1LM0M 0 0 +* pCϥ7|CϠ  [=߅H?;؆2_ipR7I6qÉ/l39]h3nVVi/TJ?_ԋnd,nf|;w}H/DªȨ;;DUzjYf.ӢhKVMF*xu0 .)A‰_mZiyHeꭷT|3Q(G܌a FmGTCFsڄOLO +A_ìޣ N2wD3=ݢ?-'1/\[P1%*1E0VV` ${QrN=,)8ir`=ྜ(S*{ə2ML I`AV4 =}0Dn:"0(Ky@h5h,tZt{PHOk5[ũ#BUH"1Bh'cq'Ny~i2QG$tI4"} kV8&vC^P W3ҰI45[5HrKɫ47)4V29 &mS֘HfCם{muV\W~kۻB5݈UT;Gz hMΔo~qa{l#d:6difx5uI|&Q:ۇHl:eJPm k|O4 (2[-A}Lx->99 = 8t})`1ipm:3Xxb i9:=hu  ` sx`]{-σk`Mp;"0Kkj("@ L-YͯĦesa[s_P+{OGAw[JL;ĩab t\9vei֊ojBC߀~Rray8ևuX9dg:e(X<2g9̇"RH(nY1:KdOX(|VȊKǻ,z<mi,F#-0nB~Ov8^6u$\ =iS Os+/0I&ȵd/&̽T~RpC*(C^n<:7FTUFY[Qϵ:pxܫ0%'y@MQt'Hާj/8..b6M EjTk6V:cm5X.=âNTN* w /S,+2vBQx9F!^siq1-9I1ijeB -ڝb5~G/Ǽq|rk%3ӡIL+#@aZi mo1xgK`N31U8DɲN&s*i; F/&k,ZZiSXr*dX1f@f5w}_x'ku*q "H7Rے΅VP/S>`9 Q;#D͉| ŋO@"1}%rbt}E DB@FiT<';!ըq@IOI^ 
TVnT<78'|Fōw3fwod&[^fv]9MP3V_0do<wI5TyNS4tBYZIL^A^κCNS=`4b-:jׁܷD:I.B͢a3>!=t&a}PEߦ*}iejG A0ӢXߣZ5ga/--5@10XU$1Ѓk~=~[rSzV9qoth%$MoZ]CY6L˨Ʈ,kr6̫7 u\uʁ%4t;Ӵe٤ ,F96heɟ"^,CK]:7x ?nܑ&&)Gʗ>}W}<v  EGdܫLѻSx,z)*+IVq"t( jӱ8@{'B:800 U00 U0, `HB OpenSSL Generated Certificate0U+&T7TAx?쫖0U#0vXjQ[~FHEx{:Z͝ʷ,W {0 _1 H$rTms1ޝX̓QK^lJΩFfS玈`y r0i+ƣBjVŻLAXhx]X