diff --git a/SOURCES/tomcat-7.0.76-CVE-2018-11784.patch b/SOURCES/tomcat-7.0.76-CVE-2018-11784.patch
new file mode 100644
index 0000000..fedf214
--- /dev/null
+++ b/SOURCES/tomcat-7.0.76-CVE-2018-11784.patch
@@ -0,0 +1,34 @@
+diff -up java/org/apache/catalina/servlets/DefaultServlet.java.orig java/org/apache/catalina/servlets/DefaultServlet.java
+--- java/org/apache/catalina/servlets/DefaultServlet.java.orig 2019-02-12 09:16:19.144563964 -0500
++++ java/org/apache/catalina/servlets/DefaultServlet.java 2019-02-12 09:16:52.516485998 -0500
+@@ -1103,6 +1103,10 @@ public class DefaultServlet
+ location.append('?');
+ location.append(request.getQueryString());
+ }
++ // Avoid protocol relative redirects
++ while (location.length() > 1 && location.charAt(1) == '/') {
++ location.deleteCharAt(0);
++ }
+ response.sendRedirect(response.encodeRedirectURL(location.toString()));
+ }
+
+diff -up webapps/docs/changelog.xml.orig webapps/docs/changelog.xml
+--- webapps/docs/changelog.xml.orig 2019-02-12 09:18:01.155325629 -0500
++++ webapps/docs/changelog.xml 2019-02-12 09:18:36.354243382 -0500
+@@ -57,6 +57,16 @@
+ They eventually become mixed with the numbered issues. (I.e., numbered
+ issues do not "pop up" wrt. others).
+ -->
++
++
++
++
++ When generating a redirect to a directory in the Default Servlet, avoid
++ generating a protocol relative redirect. (markt)
++
++
++
++
+
+ + diff --git a/SPECS/tomcat.spec b/SPECS/tomcat.spec index f3ac654..2f01f9e 100644 --- a/SPECS/tomcat.spec +++ b/SPECS/tomcat.spec @@ -54,7 +54,7 @@ Name: tomcat Epoch: 0 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 8%{?dist} +Release: 9%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API Group: System Environment/Daemons @@ -94,6 +94,7 @@ Patch6: %{name}-7.0.76-CVE-2017-7674.patch Patch7: %{name}-7.0.76-CVE-2017-12617.patch Patch8: patch.rhbz1602060 Patch9: %{name}-7.0.76-CVE-2018-1336.patch +Patch10: %{name}-7.0.76-CVE-2018-11784.patch BuildArch: noarch @@ -248,6 +249,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch7 -p0 %patch8 -p0 %patch9 -p0 +%patch10 -p0 %{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar %{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar @@ -692,11 +694,14 @@ fi %attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service %changelog -* Mon Oct 01 2018 Coty Sutherland 0:7.0.76-8 -- Resolves: rhbz#1608608 CVE-2018-1336 tomcat: A bug in the UTF 8 decoder can lead to DoS +* Tue Feb 12 2019 Coty Sutherland 0:7.0.76-9 +- Resolves: rhbz#1641873 CVE-2018-11784 tomcat: Open redirect in default servlet -* Wed Jul 18 2018 Jean-Frederic Clere 0:7.0.76-7 -- Resolves: rhbz#1607893 Deadlock occurs while sending to a closing session. +* Fri Oct 12 2018 Coty Sutherland 0:7.0.76-8 +- Resolves: rhbz#1608607 CVE-2018-1336 tomcat: A bug in the UTF 8 decoder can lead to DoS + +* Tue Jul 24 2018 Jean-Frederic Clere 0:7.0.76-7 +- Resolves: rhbz#1602060 Deadlock occurs while sending to a closing session * Wed Nov 08 2017 Coty Sutherland 0:7.0.76-6 - Related: rhbz#1505762 Remove erroneous useradd
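Review bot: The added loop in the DefaultServlet.java hunk of the new patch file tests only `location.charAt(1) == '/'`, so it relies on the buffer already beginning with '/'. That is presumably guaranteed by the code that builds `location`, but it is not visible here, because the enclosing method starts outside the hunk. The one-line comment should state both the assumption and the reason, for example `// location starts with '/'; collapse repeated leading slashes so the Location header is never read by clients as scheme-relative (CVE-2018-11784)`. The backport also carries no regression test. A test that asserts the redirect generated for a directory begins with exactly one '/' would keep a later rebase of this package from silently dropping the guard.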