rpms/tomcat5/devel tomcat5-5.5-acceptlangheader.patch, NONE, 1.1 tomcat5-5.5-webdav.patch, NONE, 1.1 tomcat5-5.5.25-http11-build.patch, NONE, 1.1 tomcat5.spec, 1.101, 1.102
Devrim GÜNDÜZ (devrim)
fedora-extras-commits at redhat.com
Fri Nov 16 02:58:01 UTC 2007
Author: devrim
Update of /cvs/extras/rpms/tomcat5/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5325
Modified Files:
tomcat5.spec
Added Files:
tomcat5-5.5-acceptlangheader.patch tomcat5-5.5-webdav.patch
tomcat5-5.5.25-http11-build.patch
Log Message:
- Updated to 5.5.25, to fix the following issues:
* CVE-2007-1355
* CVE-2007-3386
* CVE-2007-3385
* CVE-2007-3382
* CVE-2007-2450, RH bugzilla #244808, #244810, #244812, #363081
* CVE-2007-2449, RH bugzilla #244810, #244812, #244804, #363081
- Applied patch(20) for RH bugzilla #333791, CVE-2007-5461
- Applied patch(21) for RH bugzilla #244803, #244812, #363081, CVE-2007-1358
tomcat5-5.5-acceptlangheader.patch:
--- NEW FILE tomcat5-5.5-acceptlangheader.patch ---
--- container/catalina/src/share/org/apache/catalina/connector/Request.java.old 2007-11-15 16:40:42.000000000 -0800
+++ container/catalina/src/share/org/apache/catalina/connector/Request.java 2007-11-15 16:46:19.000000000 -0800
@@ -2488,6 +2488,9 @@
String variant = null;
int dash = entry.indexOf('-');
if (dash < 0) {
+ if (!entry.matches(localeRegex)) {
+ continue;
+ }
language = entry;
country = "";
variant = "";
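Review bot: `entry.matches(localeRegex)` on the added line recompiles the regex for every entry of a request-controlled `Accept-Language` header, which is exactly the hot path this change hardens; compile it once as `private static final Pattern LOCALE_PATTERN = Pattern.compile(localeRegex);` (java.util.regex) and test with `LOCALE_PATTERN.matcher(entry).matches()`. `localeRegex` is not defined anywhere in this patch, so it must already be a field of 5.5.25's Request.java for the build to succeed — worth confirming against the unpatched source before the package is built. The loop these lines belong to starts before this hunk.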
@@ -2501,6 +2504,12 @@
country = cTemp;
} else {
variant = "";
+ }
+ if (!language.matches(localeRegex)) {
+ continue;
+ }
+ if (!country.matches(localeRegex)) {
+ continue;
}
}
if (!isAlpha(language) || !isAlpha(country) || !isAlpha(variant)) {
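Review bot: The added checks reject a `language` or `country` that fails `localeRegex` but never test `variant`, although the `isAlpha` line that follows treats all three parts alike; if the regex is meant to be stricter than `isAlpha`, `variant` needs `if (!variant.matches(localeRegex)) { continue; }` too, and if it is not stricter the two new checks are redundant with the line after them. A one-line comment stating what `localeRegex` rejects that `isAlpha` does not (`// localeRegex additionally rejects …`) would spare the next reader from re-deriving that. The `else` branch these lines sit in opens before the hunk and the surrounding loop closes after it.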
tomcat5-5.5-webdav.patch:
--- NEW FILE tomcat5-5.5-webdav.patch ---
Index: container/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
===================================================================
--- container/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties (revision 586817)
+++ container/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties (working copy)
@@ -25,6 +25,7 @@
invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
directory.filename=Filename
directory.lastModified=Last Modified
directory.parent=Up To {0}
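Review bot: The new message key `webdavservlet.enternalEntityIgnored` misspells "external", and the Java side of this patch looks the key up by that exact string, so the typo becomes part of the interface every localized properties file will copy. Renaming it to `webdavservlet.externalEntityIgnored` here and in the `sm.getString` call in WebdavResolver is a two-line change now and a multi-file one later.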
Index: org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (revision 586817)
+++ container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (working copy)
@@ -20,6 +20,7 @@
import java.io.IOException;
+import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import java.security.MessageDigest;
@@ -36,6 +37,7 @@
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServletRequest;
@@ -57,6 +59,7 @@
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
@@ -245,6 +248,8 @@
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver(
+ new WebdavResolver(this.getServletContext()));
} catch(ParserConfigurationException e) {
throw new ServletException
(sm.getString("webdavservlet.jaxpfailed"));
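Review bot: The resolver attached after `newDocumentBuilder()` only intercepts entities the parser chooses to resolve, and `setExpandEntityReferences(false)` is precisely the setting the Javadoc on the new inner class says parsers do not honour reliably, so DTD processing of the request body stays enabled and internal entity expansion (nested-entity blow-up) is untouched by this change. If the build targets Java 5 or later, ask the factory up front for the SAX features that disable external general and parameter entities and keep the resolver as the fallback; a parser that does not support the features throws `ParserConfigurationException`, which can be caught locally so the servlet stays available instead of falling into the existing `jaxpfailed` path. Where the runtime parser is known to be Xerces, `http://apache.org/xml/features/disallow-doctype-decl` is the stronger setting. The enclosing try block opens before this hunk.
```java
documentBuilderFactory.setExpandEntityReferences(false);
// Refuse external entities at the parser level where the JAXP
// implementation supports it; the EntityResolver below stays as a fallback.
try {
    documentBuilderFactory.setFeature(
        "http://xml.org/sax/features/external-general-entities", false);
    documentBuilderFactory.setFeature(
        "http://xml.org/sax/features/external-parameter-entities", false);
} catch (ParserConfigurationException e) {
    // Feature not supported by this parser: rely on the resolver only.
}
documentBuilder = documentBuilderFactory.newDocumentBuilder();
// … unchanged: setEntityResolver(new WebdavResolver(...)) …
```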
@@ -2779,6 +2784,26 @@
}
+ // --------------------------------------------- WebdavResolver Inner Class
+ /**
+ * Work around for XML parsers that don't fully respect
+ * {@link DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+ * references are filtered out for security reasons. See CVE-2007-5461.
+ */
+ private class WebdavResolver implements EntityResolver {
+ private ServletContext context;
+
+ public WebdavResolver(ServletContext theContext) {
+ context = theContext;
+ }
+
+ public InputSource resolveEntity (String publicId, String systemId) {
+ context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+ publicId, systemId));
+ return new InputSource(
+ new StringReader("Ignored external entity"));
+ }
+ }
};
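Review bot: `resolveEntity` writes `publicId` and `systemId`, both taken verbatim from the client's request body, into the container log, so a PROPFIND body can carry CR/LF or other control characters to forge or split log lines. Strip or replace control characters before the `context.log` call, e.g. `systemId == null ? null : systemId.replaceAll("\\p{Cntrl}", "?")` (same for `publicId`), or at least truncate both to a bounded length. The class Javadoc should also say that the parser substitutes the literal text `Ignored external entity` for every external reference, since that text may become visible in any response that echoes the parsed document.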
tomcat5-5.5.25-http11-build.patch:
--- NEW FILE tomcat5-5.5.25-http11-build.patch ---
--- connectors/http11/build.xml.orig 2007-02-26 10:27:04.000000000 -0500
+++ connectors/http11/build.xml 2007-02-26 10:28:11.000000000 -0500
@@ -31,7 +31,7 @@
<!-- The locations of necessary jar files -->
<property name="tomcat-util.jar" value="${util.home}/build/lib/tomcat-util.jar"/>
- <property name="tomcat-jni.jar" value="../jni/dist/tomcat-native-1.0.0.jar" />
+ <property name="tomcat-jni.jar" value="../../build/build/server/lib/tomcat-apr.jar" />
<property name="tomcat-coyote.jar" value="${coyote.home}/build/lib/tomcat-coyote.jar"/>
<property name="tomcat33-coyote.jar"
value="${coyote.home}/build/lib/tomcat33-coyote.jar"/>
@@ -169,7 +169,10 @@
deprecation="${compile.deprecation}"
optimize="${compile.optimize}">
<exclude name="org\apache\coyote\http11\*Apr*" unless="jdk.1.4.present" />
- <classpath refid="compile.classpath"/>
+ <classpath>
+ <path refid="compile.classpath"/>
+ <pathelement location="${build.home}/../../jakarta-tomcat-5/build/classes"/>
+ </classpath>
</javac>
<copy todir="${build.home}/classes" filtering="on">
<fileset dir="${source.home}" excludes="**/*.java"/>
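Review bot: The added `<pathelement location="${build.home}/../../jakarta-tomcat-5/build/classes"/>` hard-codes a sibling directory name that does not match the `apache-tomcat-5.5.25-src` layout the spec file in this commit refers to, so it only resolves if the packaging checkout happens to create that name. Declare it as a property next to the jar properties at the top of the file, `<property name="catalina.classes" value="${build.home}/../../jakarta-tomcat-5/build/classes"/>`, and reference `${catalina.classes}` here so the spec can override it; neither Ant nor javac complains about a missing classpath directory, so a wrong path surfaces only as unresolved symbols.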
Index: tomcat5.spec
===================================================================
RCS file: /cvs/extras/rpms/tomcat5/devel/tomcat5.spec,v
retrieving revision 1.101
retrieving revision 1.102
diff -u -r1.101 -r1.102
--- tomcat5.spec 9 Aug 2007 20:40:20 -0000 1.101
+++ tomcat5.spec 16 Nov 2007 02:57:27 -0000 1.102
@@ -68,8 +68,8 @@
Name: tomcat5
Epoch: 0
-Version: 5.5.23
-Release: 9jpp.4%{?dist}
+Version: 5.5.25
+Release: 1jpp.1%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet 2.4/JSP 2.0 API
Group: Networking/Daemons
@@ -104,6 +104,9 @@
# Seems to be only needed when building with ECJ for java 1.5 since
# the default source type for ecj is still 1.4
Patch19: %{name}-%{majversion}-connectors-util-build.patch
+Patch20: %{name}-%{majversion}-webdav.patch
+Patch21: %{name}-%{majversion}-acceptlangheader.patch
+
BuildRoot: %{_tmppath}/%{name}-%{epoch}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{gcj_support}
BuildArch: noarch
@@ -448,6 +451,8 @@
%patch18 -b .p18
%endif
%patch19 -b .p19
+%patch20 -b .p20
+%patch21 -b .p21
%if %{without_ecj}
%{__rm} %{jname}/src/share/org/apache/jasper/compiler/JDTCompiler.java
@@ -586,8 +591,8 @@
%if %{with_ecj}
mkdir org.apache.jasper
pushd org.apache.jasper
-unzip -qq ../apache-tomcat-5.5.23-src/build/build/common/lib/jasper-compiler.jar
-unzip -qq ../apache-tomcat-5.5.23-src/build/build/common/lib/jasper-runtime.jar \
+unzip -qq ../apache-tomcat-5.5.25-src/build/build/common/lib/jasper-compiler.jar
+unzip -qq ../apache-tomcat-5.5.25-src/build/build/common/lib/jasper-runtime.jar \
-x META-INF/MANIFEST.MF org/apache/jasper/compiler/Localizer.class
unzip -qq %{_javadir}/jdtcore.jar -x META-INF/MANIFEST.MF
cp %{SOURCE6} META-INF/MANIFEST.MF
@@ -1294,6 +1299,17 @@
%endif
%changelog
+* Thu Nov 15 2007 Devrim GUNDUZ <devrim at commandprompt.com> 0:5.5.25-1jpp.1
+- Updated to 5.5.25, to fix the following issues:
+ * CVE-2007-1355
+ * CVE-2007-3386
+ * CVE-2007-3385
+ * CVE-2007-3382
+ * CVE-2007-2450, RH bugzilla #244808, #244810, #244812, #363081
+ * CVE-2007-2449, RH bugzilla #244810, #244812, #244804, #363081
+- Applied patch(20) for RH bugzilla #333791, CVE-2007-5461
+- Applied patch(21) for RH bugzilla #244803, #244812, #363081, CVE-2007-1358
+
* Mon Aug 06 2007 Ben Konrath <bkonrath at redhat.com> 0:5.5.23-9jpp.4
- Add jasper-eclipse subpackage which is needed for eclipse 3.3.
- Inject OSGi manifest into servlet api jar and jsp api jar.