diff -Nru tomcat7-7.0.52/debian/changelog tomcat7-7.0.52/debian/changelog
--- tomcat7-7.0.52/debian/changelog 2015-06-19 20:14:50.000000000 +0000
+++ tomcat7-7.0.52/debian/changelog 2016-06-29 16:51:02.000000000 +0000
@@ -1,3 +1,73 @@
+tomcat7 (7.0.52-1ubuntu0.6) trusty-security; urgency=medium
+
+ * SECURITY UPDATE: directory traversal vulnerability in RequestUtil.java
+ - debian/patches/CVE-2015-5174.patch: fix normalization edge cases in
+ java/org/apache/tomcat/util/http/RequestUtil.java,
+ test/org/apache/tomcat/util/http/TestRequestUtil.java.
+ - CVE-2015-5174
+ * SECURITY UPDATE: information disclosure via redirects by mapper
+ - debian/patches/CVE-2015-5345.patch: fix redirect logic in
+ java/org/apache/catalina/Context.java,
+ java/org/apache/catalina/authenticator/FormAuthenticator.java,
+ java/org/apache/catalina/core/StandardContext.java,
+ java/org/apache/catalina/core/mbeans-descriptors.xml,
+ java/org/apache/catalina/servlets/DefaultServlet.java,
+ java/org/apache/catalina/servlets/WebdavServlet.java,
+ java/org/apache/catalina/startup/FailedContext.java,
+ java/org/apache/tomcat/util/http/mapper/Mapper.java,
+ test/org/apache/catalina/startup/TomcatBaseTest.java,
+ webapps/docs/config/context.xml,
+ test/org/apache/catalina/core/TesterContext.java.
+ - CVE-2015-5345
+ * SECURITY UPDATE: session fixation vulnerability
+ - debian/patches/CVE-2015-5346.patch: handle different session settings
+ in java/org/apache/catalina/connector/CoyoteAdapter.java,
+ java/org/apache/catalina/connector/Request.java.
+ - CVE-2015-5346
+ * SECURITY UPDATE: CSRF protection mechanism bypass
+ - debian/patches/CVE-2015-5351.patch: don't create sessions
+ unnecessarily in webapps/host-manager/WEB-INF/jsp/401.jsp,
+ webapps/host-manager/WEB-INF/jsp/403.jsp,
+ webapps/host-manager/WEB-INF/jsp/404.jsp,
+ webapps/host-manager/index.jsp,
+ webapps/manager/WEB-INF/web.xml,
+ webapps/manager/index.jsp.
+ - CVE-2015-5351
+ * SECURITY UPDATE: securityManager restrictions bypass via
+ StatusManagerServlet
+ - debian/patches/CVE-2016-0706.patch: place servlet in restricted list
+ in java/org/apache/catalina/core/RestrictedServlets.properties.
+ - CVE-2016-0706
+ * SECURITY UPDATE: securityManager restrictions bypass via
+ session-persistence implementation
+ - debian/patches/CVE-2016-0714.patch: extend the session attribute
+ filtering options in
+ java/org/apache/catalina/ha/session/ClusterManagerBase.java
+ java/org/apache/catalina/ha/session/mbeans-descriptors.xml,
+ java/org/apache/catalina/session/LocalStrings.properties,
+ java/org/apache/catalina/session/ManagerBase.java,
+ java/org/apache/catalina/session/StandardManager.java,
+ java/org/apache/catalina/session/mbeans-descriptors.xml,
+ java/org/apache/catalina/util/CustomObjectInputStream.java,
+ java/org/apache/catalina/util/LocalStrings.properties,
+ webapps/docs/config/cluster-manager.xml,
+ webapps/docs/config/manager.xml.
+ - CVE-2016-0714
+ * SECURITY UPDATE: securityManager restrictions bypass via crafted global
+ context
+ - debian/patches/CVE-2016-0763.patch: protect initialization in
+ java/org/apache/naming/factory/ResourceLinkFactory.java.
+ - CVE-2016-0763
+ * SECURITY UPDATE: denial of service in FileUpload
+ - debian/patches/CVE-2016-3092.patch: properly handle size in
+ java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.
+ - CVE-2016-3092
+ * debian/patches/fix_cookie_names_in_tests.patch: fix FTBFS by removing
+ colons in cookie names which is illegal in newer java versions in
+ test/org/apache/catalina/authenticator/*.java.
+
+ -- Marc Deslauriers Wed, 29 Jun 2016 12:50:02 -0400
+
tomcat7 (7.0.52-1ubuntu0.3) trusty-security; urgency=medium
* SECURITY UPDATE: arbitrary file disclosure via XML parser
diff -Nru tomcat7-7.0.52/debian/patches/CVE-2015-5174.patch tomcat7-7.0.52/debian/patches/CVE-2015-5174.patch
--- tomcat7-7.0.52/debian/patches/CVE-2015-5174.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/CVE-2015-5174.patch 2016-06-21 17:12:14.000000000 +0000
@@ -0,0 +1,212 @@
+Description: fix directory traversal vulnerability in RequestUtil.java
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1696284
+Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1700898
+
+Index: tomcat7-7.0.52/java/org/apache/tomcat/util/http/RequestUtil.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/http/RequestUtil.java 2012-02-01 05:52:00.000000000 -0500
++++ tomcat7-7.0.52/java/org/apache/tomcat/util/http/RequestUtil.java 2016-06-21 13:03:30.575220112 -0400
+@@ -30,6 +30,9 @@
+ * try to perform security checks for malicious input.
+ *
+ * @param path Relative path to be normalized
++ *
++ * @return The normalized path or null
of the path cannot be
++ * normalized
+ */
+ public static String normalize(String path) {
+ return normalize(path, true);
+@@ -44,11 +47,15 @@
+ *
+ * @param path Relative path to be normalized
+ * @param replaceBackSlash Should '\\' be replaced with '/'
++ *
++ * @return The normalized path or null
of the path cannot be
++ * normalized
+ */
+ public static String normalize(String path, boolean replaceBackSlash) {
+
+- if (path == null)
++ if (path == null) {
+ return null;
++ }
+
+ // Create a place for the normalized path
+ String normalized = path;
+@@ -56,9 +63,6 @@
+ if (replaceBackSlash && normalized.indexOf('\\') >= 0)
+ normalized = normalized.replace('\\', '/');
+
+- if (normalized.equals("/."))
+- return "/";
+-
+ // Add a leading "/" if necessary
+ if (!normalized.startsWith("/"))
+ normalized = "/" + normalized;
+@@ -66,34 +70,43 @@
+ // Resolve occurrences of "//" in the normalized path
+ while (true) {
+ int index = normalized.indexOf("//");
+- if (index < 0)
++ if (index < 0) {
+ break;
+- normalized = normalized.substring(0, index) +
+- normalized.substring(index + 1);
++ }
++ normalized = normalized.substring(0, index) + normalized.substring(index + 1);
+ }
+
+ // Resolve occurrences of "/./" in the normalized path
+ while (true) {
+ int index = normalized.indexOf("/./");
+- if (index < 0)
++ if (index < 0) {
+ break;
+- normalized = normalized.substring(0, index) +
+- normalized.substring(index + 2);
++ }
++ normalized = normalized.substring(0, index) + normalized.substring(index + 2);
+ }
+
+ // Resolve occurrences of "/../" in the normalized path
+ while (true) {
+ int index = normalized.indexOf("/../");
+- if (index < 0)
++ if (index < 0) {
+ break;
+- if (index == 0)
+- return (null); // Trying to go outside our context
++ }
++ if (index == 0) {
++ return null; // Trying to go outside our context
++ }
+ int index2 = normalized.lastIndexOf('/', index - 1);
+- normalized = normalized.substring(0, index2) +
+- normalized.substring(index + 3);
++ normalized = normalized.substring(0, index2) + normalized.substring(index + 3);
++ }
++
++ if (normalized.equals("/.")) {
++ return "/";
++ }
++
++ if (normalized.equals("/..")) {
++ return null; // Trying to go outside our context
+ }
+
+ // Return the normalized path that we have completed
+- return (normalized);
++ return normalized;
+ }
+ }
+Index: tomcat7-7.0.52/test/org/apache/tomcat/util/http/TestRequestUtil.java
+===================================================================
+--- tomcat7-7.0.52.orig/test/org/apache/tomcat/util/http/TestRequestUtil.java 2012-02-01 05:52:00.000000000 -0500
++++ tomcat7-7.0.52/test/org/apache/tomcat/util/http/TestRequestUtil.java 2016-06-21 13:03:32.787241711 -0400
+@@ -23,11 +23,101 @@
+ public class TestRequestUtil {
+
+ @Test
+- public void testNormalizeString() {
+- assertEquals("/something",RequestUtil.normalize("//something"));
+- assertEquals("/some/thing",RequestUtil.normalize("some//thing"));
+- assertEquals("/something/",RequestUtil.normalize("something//"));
+- assertEquals("/",RequestUtil.normalize("//"));
++ public void testNormalize01() {
++ doTestNormalize("//something", "/something");
+ }
+
++ @Test
++ public void testNormalize02() {
++ doTestNormalize("some//thing", "/some/thing");
++ }
++
++ @Test
++ public void testNormalize03() {
++ doTestNormalize("something//", "/something/");
++ }
++
++ @Test
++ public void testNormalize04() {
++ doTestNormalize("//", "/");
++ }
++
++ @Test
++ public void testNormalize05() {
++ doTestNormalize("//", "/");
++ }
++
++ @Test
++ public void testNormalize06() {
++ doTestNormalize("///", "/");
++ }
++
++ @Test
++ public void testNormalize07() {
++ doTestNormalize("////", "/");
++ }
++
++ @Test
++ public void testNormalize08() {
++ doTestNormalize("/.", "/");
++ }
++
++ @Test
++ public void testNormalize09() {
++ doTestNormalize("/./", "/");
++ }
++
++ @Test
++ public void testNormalize10() {
++ doTestNormalize(".", "/");
++ }
++
++ @Test
++ public void testNormalize11() {
++ doTestNormalize("/..", null);
++ }
++
++ @Test
++ public void testNormalize12() {
++ doTestNormalize("/../", null);
++ }
++
++ @Test
++ public void testNormalize13() {
++ doTestNormalize("..", null);
++ }
++
++ @Test
++ public void testNormalize14() {
++ doTestNormalize("//..", null);
++ }
++
++ @Test
++ public void testNormalize15() {
++ doTestNormalize("//../", null);
++ }
++
++ @Test
++ public void testNormalize16() {
++ doTestNormalize("/./..", null);
++ }
++
++ @Test
++ public void testNormalize17() {
++ doTestNormalize("/./../", null);
++ }
++
++ @Test
++ public void testNormalize18() {
++ doTestNormalize("/a/../..", null);
++ }
++
++ @Test
++ public void testNormalize19() {
++ doTestNormalize("/a/../../", null);
++ }
++
++ private void doTestNormalize(String input, String expected) {
++ assertEquals(expected,RequestUtil.normalize(input));
++ }
+ }
diff -Nru tomcat7-7.0.52/debian/patches/CVE-2015-5345.patch tomcat7-7.0.52/debian/patches/CVE-2015-5345.patch
--- tomcat7-7.0.52/debian/patches/CVE-2015-5345.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/CVE-2015-5345.patch 2016-06-29 16:40:03.000000000 +0000
@@ -0,0 +1,478 @@
+Description: fix information disclosure via redirects by mapper
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1715213
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1717212
+
+Index: tomcat7-7.0.52/java/org/apache/catalina/Context.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/Context.java 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/Context.java 2016-06-29 12:31:54.800360921 -0400
+@@ -1603,4 +1603,44 @@
+ * method names.
+ */
+ public Map findPreDestroyMethods();
++
++ /**
++ * If enabled, requests for a web application context root will be
++ * redirected (adding a trailing slash) by the Mapper. This is more
++ * efficient but has the side effect of confirming that the context path is
++ * valid.
++ *
++ * @param mapperContextRootRedirectEnabled Should the redirects be enabled?
++ */
++ public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled);
++
++ /**
++ * Determines if requests for a web application context root will be
++ * redirected (adding a trailing slash) by the Mapper. This is more
++ * efficient but has the side effect of confirming that the context path is
++ * valid.
++ *
++ * @return {@code true} if the Mapper level redirect is enabled for this
++ * Context.
++ */
++ public boolean getMapperContextRootRedirectEnabled();
++
++ /**
++ * If enabled, requests for a directory will be redirected (adding a
++ * trailing slash) by the Mapper. This is more efficient but has the
++ * side effect of confirming that the directory is valid.
++ *
++ * @param mapperDirectoryRedirectEnabled Should the redirects be enabled?
++ */
++ public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled);
++
++ /**
++ * Determines if requests for a directory will be redirected (adding a
++ * trailing slash) by the Mapper. This is more efficient but has the
++ * side effect of confirming that the directory is valid.
++ *
++ * @return {@code true} if the Mapper level redirect is enabled for this
++ * Context.
++ */
++ public boolean getMapperDirectoryRedirectEnabled();
+ }
+Index: tomcat7-7.0.52/java/org/apache/catalina/authenticator/FormAuthenticator.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/authenticator/FormAuthenticator.java 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/authenticator/FormAuthenticator.java 2016-06-29 12:31:54.800360921 -0400
+@@ -263,6 +263,20 @@
+
+ // No -- Save this request and redirect to the form login page
+ if (!loginAction) {
++ // If this request was to the root of the context without a trailing
++ // '/', need to redirect to add it else the submit of the login form
++ // may not go to the correct web application
++ if (request.getServletPath().length() == 0 && request.getPathInfo() == null) {
++ StringBuilder location = new StringBuilder(requestURI);
++ location.append('/');
++ if (request.getQueryString() != null) {
++ location.append('?');
++ location.append(request.getQueryString());
++ }
++ response.sendRedirect(response.encodeRedirectURL(location.toString()));
++ return false;
++ }
++
+ session = request.getSessionInternal(true);
+ if (log.isDebugEnabled()) {
+ log.debug("Save request in session '" + session.getIdInternal() + "'");
+Index: tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/core/StandardContext.java 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/core/StandardContext.java 2016-06-29 12:31:54.804360969 -0400
+@@ -894,8 +894,45 @@
+ private String containerSciFilter;
+
+
++ boolean mapperContextRootRedirectEnabled = false;
++
++ boolean mapperDirectoryRedirectEnabled = false;
++
+ // ----------------------------------------------------- Context Properties
+-
++
++ @Override
++ public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
++ this.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled;
++ }
++
++
++ /**
++ * {@inheritDoc}
++ *
++ * The default value for this implementation is {@code false}.
++ */
++ @Override
++ public boolean getMapperContextRootRedirectEnabled() {
++ return mapperContextRootRedirectEnabled;
++ }
++
++
++ @Override
++ public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
++ this.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled;
++ }
++
++
++ /**
++ * {@inheritDoc}
++ *
++ * The default value for this implementation is {@code false}.
++ */
++ @Override
++ public boolean getMapperDirectoryRedirectEnabled() {
++ return mapperDirectoryRedirectEnabled;
++ }
++
+ @Override
+ public void setContainerSciFilter(String containerSciFilter) {
+ this.containerSciFilter = containerSciFilter;
+@@ -1087,7 +1124,7 @@
+ this.instanceManager = instanceManager;
+ }
+
+-
++
+ @Override
+ public String getEncodedPath() {
+ return encodedPath;
+Index: tomcat7-7.0.52/java/org/apache/catalina/core/mbeans-descriptors.xml
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/core/mbeans-descriptors.xml 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/core/mbeans-descriptors.xml 2016-06-29 12:31:54.804360969 -0400
+@@ -221,6 +221,14 @@
+ description="The object used for mapping"
+ type="java.lang.Object"/>
+
++
++
++
++
+
+Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/DefaultServlet.java 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/servlets/DefaultServlet.java 2016-06-29 12:31:54.804360969 -0400
+@@ -364,6 +364,10 @@
+ * @param request The servlet request we are processing
+ */
+ protected String getRelativePath(HttpServletRequest request) {
++ return getRelativePath(request, false);
++ }
++
++ protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
+ // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
+ // serves resources from the web app root with context rooted paths.
+ // i.e. it can not be used to mount the web app root under a sub-path
+@@ -395,7 +399,7 @@
+ } else {
+ result = request.getServletPath() + result;
+ }
+- if ((result == null) || (result.equals(""))) {
++ if (((result == null) || (result.equals(""))) && !allowEmptyPath) {
+ result = "/";
+ }
+ return (result);
+@@ -773,7 +777,8 @@
+ boolean serveContent = content;
+
+ // Identify the requested resource path
+- String path = getRelativePath(request);
++ String path = getRelativePath(request, true);
++
+ if (debug > 0) {
+ if (serveContent)
+ log("DefaultServlet.serveResource: Serving resource '" +
+@@ -783,6 +788,12 @@
+ path + "' headers only");
+ }
+
++ if (path.length() == 0) {
++ // Context root redirect
++ doDirectoryRedirect(request, response);
++ return;
++ }
++
+ CacheEntry cacheEntry = resources.lookupCache(path);
+
+ if (!cacheEntry.exists) {
+@@ -851,6 +862,11 @@
+
+ if (cacheEntry.context != null) {
+
++ if (!path.endsWith("/")) {
++ doDirectoryRedirect(request, response);
++ return;
++ }
++
+ // Skip directory listings if we have been configured to
+ // suppress them
+ if (!listings) {
+@@ -1058,6 +1074,16 @@
+
+ }
+
++ private void doDirectoryRedirect(HttpServletRequest request, HttpServletResponse response)
++ throws IOException {
++ StringBuilder location = new StringBuilder(request.getRequestURI());
++ location.append('/');
++ if (request.getQueryString() != null) {
++ location.append('?');
++ location.append(request.getQueryString());
++ }
++ response.sendRedirect(response.encodeRedirectURL(location.toString()));
++ }
+
+ /**
+ * Parse the content-range header.
+Index: tomcat7-7.0.52/java/org/apache/catalina/servlets/WebdavServlet.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/servlets/WebdavServlet.java 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/servlets/WebdavServlet.java 2016-06-29 12:31:54.804360969 -0400
+@@ -430,6 +430,11 @@
+ */
+ @Override
+ protected String getRelativePath(HttpServletRequest request) {
++ return getRelativePath(request, false);
++ }
++
++ @Override
++ protected String getRelativePath(HttpServletRequest request, boolean allowEmptyPath) {
+ // Are we being processed by a RequestDispatcher.include()?
+ if (request.getAttribute(
+ RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
+Index: tomcat7-7.0.52/java/org/apache/catalina/startup/FailedContext.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/startup/FailedContext.java 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/startup/FailedContext.java 2016-06-29 12:31:54.804360969 -0400
+@@ -703,4 +703,21 @@
+
+ @Override
+ public String getContainerSciFilter() { return null; }
+-}
+\ No newline at end of file
++
++ @Override
++ public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
++ // NO-OP
++ }
++
++ @Override
++ public boolean getMapperContextRootRedirectEnabled() { return false; }
++
++ @Override
++ public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
++ // NO-OP
++ }
++
++ @Override
++ public boolean getMapperDirectoryRedirectEnabled() { return false; }
++
++}
+Index: tomcat7-7.0.52/java/org/apache/tomcat/util/http/mapper/Mapper.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/tomcat/util/http/mapper/Mapper.java 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/java/org/apache/tomcat/util/http/mapper/Mapper.java 2016-06-29 12:39:48.354060095 -0400
+@@ -195,11 +195,36 @@
+ * @param context Context object
+ * @param welcomeResources Welcome files defined for this context
+ * @param resources Static resources of the context
++ * @deprecated Use {@link #addContextVersion(String, Object, String, String, Object, String[],
++ * javax.naming.Context, boolean, boolean)}
+ */
++ @Deprecated
+ public void addContextVersion(String hostName, Object host, String path,
+ String version, Object context, String[] welcomeResources,
+ javax.naming.Context resources) {
+-
++ addContextVersion(hostName, host, path, version, context, welcomeResources, resources,
++ false, false);
++ }
++
++
++ /**
++ * Add a new Context to an existing Host.
++ *
++ * @param hostName Virtual host name this context belongs to
++ * @param host Host object
++ * @param path Context path
++ * @param version Context version
++ * @param context Context object
++ * @param welcomeResources Welcome files defined for this context
++ * @param resources Static resources of the context
++ * @param mapperContextRootRedirectEnabled Mapper does context root redirects
++ * @param mapperDirectoryRedirectEnabled Mapper does directory redirects
++ */
++ public void addContextVersion(String hostName, Object host, String path,
++ String version, Object context, String[] welcomeResources,
++ javax.naming.Context resources,
++ boolean mapperContextRootRedirectEnabled, boolean mapperDirectoryRedirectEnabled) {
++
+ Host[] hosts = this.hosts;
+ int pos = find(hosts, hostName);
+ if( pos <0 ) {
+@@ -241,6 +266,9 @@
+ newContextVersion.object = context;
+ newContextVersion.welcomeResources = welcomeResources;
+ newContextVersion.resources = resources;
++ newContextVersion.mapperContextRootRedirectEnabled = mapperContextRootRedirectEnabled;
++ newContextVersion.mapperDirectoryRedirectEnabled = mapperDirectoryRedirectEnabled;
++
+ if (insertMap(contextVersions, newContextVersions, newContextVersion)) {
+ mappedContext.versions = newContextVersions;
+ }
+@@ -250,6 +278,7 @@
+ }
+
+
++
+ /**
+ * Remove a context from an existing host.
+ *
+@@ -834,20 +863,13 @@
+
+ int pathOffset = path.getOffset();
+ int pathEnd = path.getEnd();
+- int servletPath = pathOffset;
+ boolean noServletPath = false;
+
+ int length = contextVersion.path.length();
+- if (length != (pathEnd - pathOffset)) {
+- servletPath = pathOffset + length;
+- } else {
++ if (length == (pathEnd - pathOffset)) {
+ noServletPath = true;
+- path.append('/');
+- pathOffset = path.getOffset();
+- pathEnd = path.getEnd();
+- servletPath = pathOffset+length;
+ }
+-
++ int servletPath = pathOffset + length;
+ path.setOffset(servletPath);
+
+ // Rule 1 -- Exact Match
+@@ -882,10 +904,13 @@
+ }
+ }
+
+- if(mappingData.wrapper == null && noServletPath) {
++ if(mappingData.wrapper == null && noServletPath &&
++ contextVersion.mapperContextRootRedirectEnabled) {
+ // The path is empty, redirect to "/"
++ path.append('/');
++ pathEnd = path.getEnd();
+ mappingData.redirectPath.setChars
+- (path.getBuffer(), pathOffset, pathEnd-pathOffset);
++ (path.getBuffer(), pathOffset, pathEnd - pathOffset);
+ path.setEnd(pathEnd - 1);
+ return;
+ }
+@@ -1006,11 +1031,16 @@
+ Object file = null;
+ String pathStr = path.toString();
+ try {
+- file = contextVersion.resources.lookup(pathStr);
++ if (pathStr.length() == 0) {
++ file = contextVersion.resources.lookup("/");
++ } else {
++ file = contextVersion.resources.lookup(pathStr);
++ }
+ } catch(NamingException nex) {
+ // Swallow, since someone else handles the 404
+ }
+- if (file != null && file instanceof DirContext) {
++ if (file != null && file instanceof DirContext &&
++ contextVersion.mapperDirectoryRedirectEnabled) {
+ // Note: this mutates the path: do not do any processing
+ // after this (since we set the redirectPath, there
+ // shouldn't be any)
+@@ -1027,7 +1057,6 @@
+
+ path.setOffset(pathOffset);
+ path.setEnd(pathEnd);
+-
+ }
+
+
+@@ -1510,6 +1539,8 @@
+ public Wrapper[] wildcardWrappers = new Wrapper[0];
+ public Wrapper[] extensionWrappers = new Wrapper[0];
+ public int nesting = 0;
++ public boolean mapperContextRootRedirectEnabled = false;
++ public boolean mapperDirectoryRedirectEnabled = false;
+
+ }
+
+Index: tomcat7-7.0.52/test/org/apache/catalina/startup/TomcatBaseTest.java
+===================================================================
+--- tomcat7-7.0.52.orig/test/org/apache/catalina/startup/TomcatBaseTest.java 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/test/org/apache/catalina/startup/TomcatBaseTest.java 2016-06-29 12:31:54.804360969 -0400
+@@ -223,8 +223,7 @@
+ String method) throws IOException {
+
+ URL url = new URL(path);
+- HttpURLConnection connection =
+- (HttpURLConnection) url.openConnection();
++ HttpURLConnection connection = (HttpURLConnection) url.openConnection();
+ connection.setUseCaches(false);
+ connection.setReadTimeout(readTimeout);
+ connection.setRequestMethod(method);
+Index: tomcat7-7.0.52/webapps/docs/config/context.xml
+===================================================================
+--- tomcat7-7.0.52.orig/webapps/docs/config/context.xml 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/webapps/docs/config/context.xml 2016-06-29 12:31:54.808361018 -0400
+@@ -352,6 +352,22 @@
+ default value of false
is used.
+
+
++
++ If enabled, requests for a web application context root will be
++ redirected (adding a trailing slash) if necessary by the Mapper rather
++ than the default Servlet. This is more efficient but has the side effect
++ of confirming that the context path exists. If not specified, the
++ default value of false
is used.
++
++
++
++ If enabled, requests for a web application directory will be
++ redirected (adding a trailing slash) if necessary by the Mapper rather
++ than the default Servlet. This is more efficient but has the side effect
++ of confirming that the directory is exists. If not specified, the
++ default value of false
is used.
++
++
+
+ Set to true
to ignore any settings in both the global
+ or Host default contexts. By default, settings
+Index: tomcat7-7.0.52/test/org/apache/catalina/core/TesterContext.java
+===================================================================
+--- tomcat7-7.0.52.orig/test/org/apache/catalina/core/TesterContext.java 2016-06-29 12:31:54.808361018 -0400
++++ tomcat7-7.0.52/test/org/apache/catalina/core/TesterContext.java 2016-06-29 12:31:54.808361018 -0400
+@@ -1219,4 +1219,20 @@
+
+ @Override
+ public String getContainerSciFilter() { return null; }
++
++ @Override
++ public void setMapperContextRootRedirectEnabled(boolean mapperContextRootRedirectEnabled) {
++ // NO-OP
++ }
++
++ @Override
++ public boolean getMapperContextRootRedirectEnabled() { return false; }
++
++ @Override
++ public void setMapperDirectoryRedirectEnabled(boolean mapperDirectoryRedirectEnabled) {
++ // NO-OP
++ }
++
++ @Override
++ public boolean getMapperDirectoryRedirectEnabled() { return false; }
+ }
diff -Nru tomcat7-7.0.52/debian/patches/CVE-2015-5346.patch tomcat7-7.0.52/debian/patches/CVE-2015-5346.patch
--- tomcat7-7.0.52/debian/patches/CVE-2015-5346.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/CVE-2015-5346.patch 2016-06-29 16:42:13.000000000 +0000
@@ -0,0 +1,71 @@
+Description: fix session fixation vulnerability
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1713187
+
+Index: tomcat7-7.0.52/java/org/apache/catalina/connector/CoyoteAdapter.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/connector/CoyoteAdapter.java 2016-06-29 12:41:19.823161652 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/connector/CoyoteAdapter.java 2016-06-29 12:41:57.651617285 -0400
+@@ -712,6 +712,9 @@
+ version = ctxt.getWebappVersion();
+ // Reset mapping
+ request.getMappingData().recycle();
++ // Recycle session info in case the correct
++ // context is configured with different settings
++ request.recycleSessionInfo();
+ break;
+ }
+ }
+Index: tomcat7-7.0.52/java/org/apache/catalina/connector/Request.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/connector/Request.java 2016-06-29 12:41:19.823161652 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/connector/Request.java 2016-06-29 12:41:19.819161605 -0400
+@@ -494,18 +494,7 @@
+ notes.clear();
+ cookies = null;
+
+- if (session != null) {
+- try {
+- session.endAccess();
+- } catch (Throwable t) {
+- ExceptionUtils.handleThrowable(t);
+- log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t);
+- }
+- }
+- session = null;
+- requestedSessionCookie = false;
+- requestedSessionId = null;
+- requestedSessionURL = false;
++ recycleSessionInfo();
+
+ if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) {
+ parameterMap = new ParameterMap();
+@@ -553,11 +542,24 @@
+ }
+
+
+- /**
+- * Clear cached encoders (to save memory for Comet requests).
+- */
+- public boolean read()
+- throws IOException {
++ protected void recycleSessionInfo() {
++ if (session != null) {
++ try {
++ session.endAccess();
++ } catch (Throwable t) {
++ ExceptionUtils.handleThrowable(t);
++ log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t);
++ }
++ }
++ session = null;
++ requestedSessionCookie = false;
++ requestedSessionId = null;
++ requestedSessionURL = false;
++ requestedSessionSSL = false;
++ }
++
++
++ public boolean read() throws IOException {
+ return (inputBuffer.realReadBytes(null, 0, 0) > 0);
+ }
+
diff -Nru tomcat7-7.0.52/debian/patches/CVE-2015-5351.patch tomcat7-7.0.52/debian/patches/CVE-2015-5351.patch
--- tomcat7-7.0.52/debian/patches/CVE-2015-5351.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/CVE-2015-5351.patch 2016-06-29 14:18:31.000000000 +0000
@@ -0,0 +1,82 @@
+Description: fix CSRF protection mechanism bypass
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1720661
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1720663
+
+Index: tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/401.jsp
+===================================================================
+--- tomcat7-7.0.64.orig/webapps/host-manager/WEB-INF/jsp/401.jsp 2016-06-17 12:02:00.280256721 +0300
++++ tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/401.jsp 2016-06-17 12:02:00.276256670 +0300
+@@ -14,6 +14,7 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --%>
++<%@ page session="false" trimDirectiveWhitespaces="true" %>
+
+
+
+Index: tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/403.jsp
+===================================================================
+--- tomcat7-7.0.64.orig/webapps/host-manager/WEB-INF/jsp/403.jsp 2016-06-17 12:02:00.280256721 +0300
++++ tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/403.jsp 2016-06-17 12:02:00.276256670 +0300
+@@ -14,6 +14,7 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --%>
++<%@ page session="false" trimDirectiveWhitespaces="true" %>
+
+
+
+Index: tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/404.jsp
+===================================================================
+--- tomcat7-7.0.64.orig/webapps/host-manager/WEB-INF/jsp/404.jsp 2016-06-17 12:02:00.280256721 +0300
++++ tomcat7-7.0.64/webapps/host-manager/WEB-INF/jsp/404.jsp 2016-06-17 12:02:00.276256670 +0300
+@@ -14,7 +14,8 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --%>
+-<%@ page import="org.apache.catalina.util.RequestUtil" %>
++<%@ page import="org.apache.catalina.util.RequestUtil" session="false"
++ trimDirectiveWhitespaces="true" %>
+
+
+
+Index: tomcat7-7.0.64/webapps/host-manager/index.jsp
+===================================================================
+--- tomcat7-7.0.64.orig/webapps/host-manager/index.jsp 2016-06-17 12:02:00.280256721 +0300
++++ tomcat7-7.0.64/webapps/host-manager/index.jsp 2016-06-17 12:02:00.276256670 +0300
+@@ -14,5 +14,5 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --%>
+-<% response.sendRedirect(response.encodeRedirectURL(request.getContextPath() +
+- "/html")); %>
+\ No newline at end of file
++<%@ page session="false" trimDirectiveWhitespaces="true" %>
++<% response.sendRedirect(request.getContextPath() + "/html"); %>
+\ No newline at end of file
+Index: tomcat7-7.0.64/webapps/manager/WEB-INF/web.xml
+===================================================================
+--- tomcat7-7.0.64.orig/webapps/manager/WEB-INF/web.xml 2016-06-17 12:02:00.280256721 +0300
++++ tomcat7-7.0.64/webapps/manager/WEB-INF/web.xml 2016-06-17 12:02:00.276256670 +0300
+@@ -116,7 +116,6 @@
+
+ CSRF
+ HTMLManager
+- jsp
+
+
+
+Index: tomcat7-7.0.64/webapps/manager/index.jsp
+===================================================================
+--- tomcat7-7.0.64.orig/webapps/manager/index.jsp 2016-06-17 12:02:00.280256721 +0300
++++ tomcat7-7.0.64/webapps/manager/index.jsp 2016-06-17 12:02:00.276256670 +0300
+@@ -14,5 +14,5 @@
+ See the License for the specific language governing permissions and
+ limitations under the License.
+ --%>
+-<% response.sendRedirect(response.encodeRedirectURL(request.getContextPath() +
+- "/html")); %>
+\ No newline at end of file
++<%@ page session="false" %>
++<% response.sendRedirect(request.getContextPath() + "/html"); %>
+\ No newline at end of file
diff -Nru tomcat7-7.0.52/debian/patches/CVE-2016-0706.patch tomcat7-7.0.52/debian/patches/CVE-2016-0706.patch
--- tomcat7-7.0.52/debian/patches/CVE-2016-0706.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/CVE-2016-0706.patch 2016-06-29 14:18:43.000000000 +0000
@@ -0,0 +1,12 @@
+Description: fix securityManager restrictions bypass via StatusManagerServlet
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1722801
+
+Index: tomcat7-7.0.64/java/org/apache/catalina/core/RestrictedServlets.properties
+===================================================================
+--- tomcat7-7.0.64.orig/java/org/apache/catalina/core/RestrictedServlets.properties 2016-06-17 12:02:12.924419556 +0300
++++ tomcat7-7.0.64/java/org/apache/catalina/core/RestrictedServlets.properties 2016-06-17 12:02:12.920419504 +0300
+@@ -16,3 +16,4 @@
+ org.apache.catalina.ssi.SSIServlet=restricted
+ org.apache.catalina.servlets.CGIServlet=restricted
+ org.apache.catalina.manager.JMXProxyServlet=restricted
++org.apache.catalina.manager.StatusManagerServlet=restricted
diff -Nru tomcat7-7.0.52/debian/patches/CVE-2016-0714.patch tomcat7-7.0.52/debian/patches/CVE-2016-0714.patch
--- tomcat7-7.0.52/debian/patches/CVE-2016-0714.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/CVE-2016-0714.patch 2016-06-29 16:49:44.000000000 +0000
@@ -0,0 +1,640 @@
+Description: fix securityManager restrictions bypass via session-persistence implementation
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1726923
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1727034
+
+Index: tomcat7-7.0.52/java/org/apache/catalina/ha/session/ClusterManagerBase.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/ha/session/ClusterManagerBase.java 2016-06-29 12:47:39.531736819 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/ha/session/ClusterManagerBase.java 2016-06-29 12:47:39.527736771 -0400
+@@ -187,6 +187,8 @@
+ copy.setProcessExpiresFrequency(getProcessExpiresFrequency());
+ copy.setNotifyListenersOnReplication(isNotifyListenersOnReplication());
+ copy.setSessionAttributeFilter(getSessionAttributeFilter());
++ copy.setSessionAttributeValueClassNameFilter(getSessionAttributeValueClassNameFilter());
++ copy.setWarnOnSessionAttributeFilterFailure(getWarnOnSessionAttributeFilterFailure());
+ copy.setSecureRandomClass(getSecureRandomClass());
+ copy.setSecureRandomProvider(getSecureRandomProvider());
+ copy.setSecureRandomAlgorithm(getSecureRandomAlgorithm());
+Index: tomcat7-7.0.52/java/org/apache/catalina/ha/session/mbeans-descriptors.xml
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/ha/session/mbeans-descriptors.xml 2016-06-29 12:47:39.531736819 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/ha/session/mbeans-descriptors.xml 2016-06-29 12:49:05.924778289 -0400
+@@ -336,6 +336,14 @@
+ is="true"
+ description="All session messages before state transfer message creation are dropped."
+ type="boolean"/>
++
++
+
++
++
+
++ * This implementation excludes session attributes from distribution if the:
++ *
++ * - attribute name matches {@link #getSessionAttributeNameFilter()}
++ *
++ */
++ public boolean willAttributeDistribute(String name, Object value) {
++ Pattern sessionAttributeNamePattern = getSessionAttributeNamePattern();
++ if (sessionAttributeNamePattern != null) {
++ if (!sessionAttributeNamePattern.matcher(name).matches()) {
++ if (getWarnOnSessionAttributeFilterFailure() || log.isDebugEnabled()) {
++ String msg = sm.getString("managerBase.sessionAttributeNameFilter",
++ name, sessionAttributeNamePattern);
++ if (getWarnOnSessionAttributeFilterFailure()) {
++ log.warn(msg);
++ } else {
++ log.debug(msg);
++ }
++ }
++ return false;
++ }
++ }
++
++ Pattern sessionAttributeValueClassNamePattern = getSessionAttributeValueClassNamePattern();
++ if (value != null && sessionAttributeValueClassNamePattern != null) {
++ if (!sessionAttributeValueClassNamePattern.matcher(
++ value.getClass().getName()).matches()) {
++ if (getWarnOnSessionAttributeFilterFailure() || log.isDebugEnabled()) {
++ String msg = sm.getString("managerBase.sessionAttributeValueClassNameFilter",
++ name, value.getClass().getName(), sessionAttributeNamePattern);
++ if (getWarnOnSessionAttributeFilterFailure()) {
++ log.warn(msg);
++ } else {
++ log.debug(msg);
++ }
++ }
++ return false;
++ }
++ }
++
++ return true;
++ }
++
+ // ------------------------------------------------------ Protected Methods
+
+
+Index: tomcat7-7.0.52/java/org/apache/catalina/session/StandardManager.java
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/session/StandardManager.java 2016-06-29 12:47:39.531736819 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/session/StandardManager.java 2016-06-29 12:47:39.527736771 -0400
+@@ -231,17 +231,20 @@
+ ObjectInputStream ois = null;
+ Loader loader = null;
+ ClassLoader classLoader = null;
++ Log logger = null;
+ try {
+ fis = new FileInputStream(file.getAbsolutePath());
+ bis = new BufferedInputStream(fis);
+ if (container != null)
+- loader = container.getLoader();
++ logger = container.getLogger();
+ if (loader != null)
+ classLoader = loader.getClassLoader();
+ if (classLoader != null) {
+ if (log.isDebugEnabled())
+ log.debug("Creating custom object input stream for class loader ");
+- ois = new CustomObjectInputStream(bis, classLoader);
++ ois = new CustomObjectInputStream(bis, classLoader, logger,
++ getSessionAttributeValueClassNamePattern(),
++ getWarnOnSessionAttributeFilterFailure());
+ } else {
+ if (log.isDebugEnabled())
+ log.debug("Creating standard object input stream");
+Index: tomcat7-7.0.52/java/org/apache/catalina/session/mbeans-descriptors.xml
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/session/mbeans-descriptors.xml 2016-06-29 12:47:39.531736819 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/session/mbeans-descriptors.xml 2016-06-29 12:47:39.527736771 -0400
+@@ -132,6 +132,18 @@
+ description="Number of sessions we rejected due to maxActive beeing reached"
+ type="int"
+ writeable="false"/>
++
++
++
++
++
++
+
+
+
++
++
++
++
++
++
+ ObjectInputStream that loads from the
+@@ -35,14 +44,26 @@
+ extends ObjectInputStream {
+
+
++ private static final StringManager sm = StringManager.getManager("org.apache.catalina.util");
++
++ private static final WeakHashMap> reportedClassCache =
++ new WeakHashMap>();
++
+ /**
+ * The class loader we will use to resolve classes.
+ */
+ private ClassLoader classLoader = null;
++ private final Set reportedClasses;
++ private final Log log;
++
++ private final Pattern allowedClassNamePattern;
++ private final String allowedClassNameFilter;
++ private final boolean warnOnFailure;
+
+
+ /**
+- * Construct a new instance of CustomObjectInputStream
++ * Construct a new instance of CustomObjectInputStream without any filtering
++ * of deserialized classes.
+ *
+ * @param stream The input stream we will read from
+ * @param classLoader The class loader used to instantiate objects
+@@ -52,9 +73,53 @@
+ public CustomObjectInputStream(InputStream stream,
+ ClassLoader classLoader)
+ throws IOException {
++ this(stream, classLoader, null, null, false);
++ }
+
++ /**
++ * Construct a new instance of CustomObjectInputStream with filtering of
++ * deserialized classes.
++ *
++ * @param stream The input stream we will read from
++ * @param classLoader The class loader used to instantiate objects
++ * @param log The logger to use to report any issues. It may only be null if
++ * the filterMode does not require logging
++ * @param allowedClassNamePattern The regular expression to use to filter
++ * deserialized classes. The fully qualified
++ * class name must match this pattern for
++ * deserialization to be allowed if filtering
++ * is enabled.
++ * @param warnOnFailure Should any failures be logged?
++ *
++ * @exception IOException if an input/output error occurs
++ */
++ public CustomObjectInputStream(InputStream stream, ClassLoader classLoader,
++ Log log, Pattern allowedClassNamePattern, boolean warnOnFailure)
++ throws IOException {
+ super(stream);
++ if (log == null && allowedClassNamePattern != null && warnOnFailure) {
++ throw new IllegalArgumentException(
++ sm.getString("customObjectInputStream.logRequired"));
++ }
+ this.classLoader = classLoader;
++ this.log = log;
++ this.allowedClassNamePattern = allowedClassNamePattern;
++ if (allowedClassNamePattern == null) {
++ this.allowedClassNameFilter = null;
++ } else {
++ this.allowedClassNameFilter = allowedClassNamePattern.toString();
++ }
++ this.warnOnFailure = warnOnFailure;
++
++ Set reportedClasses;
++ synchronized (reportedClassCache) {
++ reportedClasses = reportedClassCache.get(classLoader);
++ if (reportedClasses == null) {
++ reportedClasses = Collections.newSetFromMap(new ConcurrentHashMap());
++ reportedClassCache.put(classLoader, reportedClasses);
++ }
++ }
++ this.reportedClasses = reportedClasses;
+ }
+
+
+@@ -70,8 +135,24 @@
+ @Override
+ public Class> resolveClass(ObjectStreamClass classDesc)
+ throws ClassNotFoundException, IOException {
++
++ String name = classDesc.getName();
++ if (allowedClassNamePattern != null) {
++ boolean allowed = allowedClassNamePattern.matcher(name).matches();
++ if (!allowed) {
++ boolean doLog = warnOnFailure && reportedClasses.add(name);
++ String msg = sm.getString("customObjectInputStream.nomatch", name, allowedClassNameFilter);
++ if (doLog) {
++ log.warn(msg);
++ } else if (log.isDebugEnabled()) {
++ log.debug(msg);
++ }
++ throw new InvalidClassException(msg);
++ }
++ }
++
+ try {
+- return Class.forName(classDesc.getName(), false, classLoader);
++ return Class.forName(name, false, classLoader);
+ } catch (ClassNotFoundException e) {
+ try {
+ // Try also the superclass because of primitive types
+Index: tomcat7-7.0.52/java/org/apache/catalina/util/LocalStrings.properties
+===================================================================
+--- tomcat7-7.0.52.orig/java/org/apache/catalina/util/LocalStrings.properties 2016-06-29 12:47:39.531736819 -0400
++++ tomcat7-7.0.52/java/org/apache/catalina/util/LocalStrings.properties 2016-06-29 12:47:39.531736819 -0400
+@@ -17,6 +17,8 @@
+ resourceSet.locked=No modifications are allowed to a locked ResourceSet
+ hexUtil.bad=Bad hexadecimal digit
+ hexUtil.odd=Odd number of hexadecimal digits
++customObjectInputStream.logRequired=A valid logger is required for class name filtering with logging
++customObjectInputStream.nomatch=The class [{0}] did not match the regular expression [{1}] for classes allowed to be deserialized
+ #Default Messages Utilized by the ExtensionValidator
+ extensionValidator.web-application-manifest=Web Application Manifest
+ extensionValidator.extension-not-found-error=ExtensionValidator[{0}][{1}]: Required extension [{2}] not found.
+Index: tomcat7-7.0.52/webapps/docs/config/cluster-manager.xml
+===================================================================
+--- tomcat7-7.0.52.orig/webapps/docs/config/cluster-manager.xml 2016-06-29 12:47:39.531736819 -0400
++++ tomcat7-7.0.52/webapps/docs/config/cluster-manager.xml 2016-06-29 12:47:39.531736819 -0400
+@@ -165,6 +165,37 @@
+ Set to true
if you wish to have container listeners notified
+ across Tomcat nodes in the cluster.
+
++
++ A regular expression used to filter which session attributes will be
++ replicated. An attribute will only be replicated if its name matches
++ this pattern. If the pattern is zero length or null
, all
++ attributes are eligible for replication. The pattern is anchored so the
++ session attribute name must fully match the pattern. As an example, the
++ value (userName|sessionHistory)
will only replicate the
++ two session attributes named userName
and
++ sessionHistory
. If not specified, the default value of
++ null
will be used unless a SecurityManager
is
++ enabled in which case the default will be
++ java\\.lang\\.(?:Boolean|Integer|Long|Number|String)
.
++
++
++ A regular expression used to filter which session attributes will be
++ replicated. An attribute will only be replicated if the implementation
++ class name of the value matches this pattern. If the pattern is zero
++ length or null
, all attributes are eligible for
++ replication. The pattern is anchored so the fully qualified class name
++ must fully match the pattern. If not specified, the default value of
++ null
will be used.
++
++
++ If sessionAttributeNameFilter or
++ sessionAttributeValueClassNameFilter blocks an
++ attribute, should this be logged at WARN
level? If
++ WARN
level logging is disabled then it will be logged at
++ DEBUG
. The default value of this attribute is
++ false
unless a SecurityManager
is enabled in
++ which case the default will be true
.
++
+
+ The time in seconds to wait for a session state transfer to complete
+ from another node when a node is starting up.
+@@ -220,6 +251,37 @@
+ another map.
+ Default value is 15000
milliseconds.
+
++
++ A regular expression used to filter which session attributes will be
++ replicated. An attribute will only be replicated if its name matches
++ this pattern. If the pattern is zero length or null
, all
++ attributes are eligible for replication. The pattern is anchored so the
++ session attribute name must fully match the pattern. As an example, the
++ value (userName|sessionHistory)
will only replicate the
++ two session attributes named userName
and
++ sessionHistory
. If not specified, the default value of
++ null
will be used.
++
++
++ A regular expression used to filter which session attributes will be
++ replicated. An attribute will only be replicated if the implementation
++ class name of the value matches this pattern. If the pattern is zero
++ length or null
, all attributes are eligible for
++ replication. The pattern is anchored so the fully qualified class name
++ must fully match the pattern. If not specified, the default value of
++ null
will be used unless a SecurityManager
is
++ enabled in which case the default will be
++ java\\.lang\\.(?:Boolean|Integer|Long|Number|String)
.
++
++
++ If sessionAttributeNameFilter or
++ sessionAttributeValueClassNameFilter blocks an
++ attribute, should this be logged at WARN
level? If
++ WARN
level logging is disabled then it will be logged at
++ DEBUG
. The default value of this attribute is
++ false
unless a SecurityManager
is enabled in
++ which case the default will be true
.
++
+
+ Set to true if you wish to terminate replication map when replication
+ map fails to start. If replication map is terminated, associated context
+Index: tomcat7-7.0.52/webapps/docs/config/manager.xml
+===================================================================
+--- tomcat7-7.0.52.orig/webapps/docs/config/manager.xml 2016-06-29 12:47:39.531736819 -0400
++++ tomcat7-7.0.52/webapps/docs/config/manager.xml 2016-06-29 12:47:39.531736819 -0400
+@@ -174,6 +174,39 @@
+ string.
+
+
++
++ A regular expression used to filter which session attributes will be
++ distributed. An attribute will only be distributed if its name matches
++ this pattern. If the pattern is zero length or null
, all
++ attributes are eligible for distribution. The pattern is anchored so the
++ session attribute name must fully match the pattern. As an example, the
++ value (userName|sessionHistory)
will only distribute the
++ two session attributes named userName
and
++ sessionHistory
. If not specified, the default value of
++ null
will be used.
++
++
++
++ A regular expression used to filter which session attributes will be
++ distributed. An attribute will only be distributed if the implementation
++ class name of the value matches this pattern. If the pattern is zero
++ length or null
, all attributes are eligible for
++ distribution. The pattern is anchored so the fully qualified class name
++ must fully match the pattern. If not specified, the default value of
++ null
will be used unless a SecurityManager
is
++ enabled in which case the default will be
++ java\\.lang\\.(?:Boolean|Integer|Long|Number|String)
.
++
++
++
++ If sessionAttributeNameFilter or
++ sessionAttributeValueClassNameFilter blocks an
++ attribute, should this be logged at WARN
level? If
++ WARN
level logging is disabled then it will be logged at
++ DEBUG
. The default value of this attribute is
++ false
unless a SecurityManager
is enabled in
++ which case the default will be true
.
++
+
+
+ Persistent Manager Implementation
+@@ -263,6 +296,40 @@
+ org.apache.catalina.session.StandardManager
class.
+
+
++
++
++ A regular expression used to filter which session attributes will be
++ distributed. An attribute will only be distributed if its name matches
++ this pattern. If the pattern is zero length or null
, all
++ attributes are eligible for distribution. The pattern is anchored so the
++ session attribute name must fully match the pattern. As an example, the
++ value (userName|sessionHistory)
will only distribute the
++ two session attributes named userName
and
++ sessionHistory
. If not specified, the default value of
++ null
will be used.
++
++
++
++ A regular expression used to filter which session attributes will be
++ distributed. An attribute will only be distributed if the implementation
++ class name of the value matches this pattern. If the pattern is zero
++ length or null
, all attributes are eligible for
++ distribution. The pattern is anchored so the fully qualified class name
++ must fully match the pattern. If not specified, the default value of
++ null
will be used unless a SecurityManager
is
++ enabled in which case the default will be
++ java\\.lang\\.(?:Boolean|Integer|Long|Number|String)
.
++
++
++
++ If sessionAttributeNameFilter or
++ sessionAttributeValueClassNameFilter blocks an
++ attribute, should this be logged at WARN
level? If
++ WARN
level logging is disabled then it will be logged at
++ DEBUG
. The default value of this attribute is
++ false
unless a SecurityManager
is enabled in
++ which case the default will be true
.
++
+
+
+ In order to successfully use a PersistentManager, you must nest inside
diff -Nru tomcat7-7.0.52/debian/patches/CVE-2016-0763.patch tomcat7-7.0.52/debian/patches/CVE-2016-0763.patch
--- tomcat7-7.0.52/debian/patches/CVE-2016-0763.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/CVE-2016-0763.patch 2016-06-29 15:33:47.000000000 +0000
@@ -0,0 +1,19 @@
+Description: fix securityManager restrictions bypass via crafted global context
+Origin: backport, https://svn.apache.org/viewvc?view=revision&revision=1725931
+
+Index: tomcat7-7.0.64/java/org/apache/naming/factory/ResourceLinkFactory.java
+===================================================================
+--- tomcat7-7.0.64.orig/java/org/apache/naming/factory/ResourceLinkFactory.java 2016-06-17 12:04:45.074390009 +0300
++++ tomcat7-7.0.64/java/org/apache/naming/factory/ResourceLinkFactory.java 2016-06-17 12:04:45.070389958 +0300
+@@ -60,6 +60,11 @@
+ * @param newGlobalContext new global context value
+ */
+ public static void setGlobalContext(Context newGlobalContext) {
++ SecurityManager sm = System.getSecurityManager();
++ if (sm != null) {
++ sm.checkPermission(new RuntimePermission(
++ ResourceLinkFactory.class.getName() + ".setGlobalContext"));
++ }
+ globalContext = newGlobalContext;
+ }
+
diff -Nru tomcat7-7.0.52/debian/patches/CVE-2016-3092.patch tomcat7-7.0.52/debian/patches/CVE-2016-3092.patch
--- tomcat7-7.0.52/debian/patches/CVE-2016-3092.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/CVE-2016-3092.patch 2016-06-27 18:17:55.000000000 +0000
@@ -0,0 +1,50 @@
+From: Markus Koschany
+Date: Sun, 26 Jun 2016 19:14:54 +0200
+Subject: CVE-2016-3092
+
+A denial of service vulnerability was identified in Commons FileUpload that
+occurred when the length of the multipart boundary was just below the size of
+the buffer (4096 bytes) used to read the uploaded file. This caused the file
+upload process to take several orders of magnitude longer than if the boundary
+was the typical tens of bytes long.
+
+Upstream advisory:
+http://markmail.org/message/oyxfv73jb2g7rjg3
+
+Origin: https://svn.apache.org/r1743480
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1743742
+---
+ .../apache/tomcat/util/http/fileupload/MultipartStream.java | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+Index: tomcat7-7.0.68/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java
+===================================================================
+--- tomcat7-7.0.68.orig/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2016-06-27 14:12:36.278176085 -0400
++++ tomcat7-7.0.68/java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2016-06-27 14:12:36.274176038 -0400
+@@ -282,11 +282,10 @@
+ byte[] boundary,
+ int bufSize,
+ ProgressNotifier pNotifier) {
+- this.input = input;
+- this.bufSize = bufSize;
+- this.buffer = new byte[bufSize];
+- this.notifier = pNotifier;
+
++ if (boundary == null) {
++ throw new IllegalArgumentException("boundary may not be null");
++ }
+ // We prepend CR/LF to the boundary to chop trailing CR/LF from
+ // body-data tokens.
+ this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length;
+@@ -294,6 +293,11 @@
+ throw new IllegalArgumentException(
+ "The buffer size specified for the MultipartStream is too small");
+ }
++ this.input = input;
++ this.bufSize = Math.max(bufSize, boundaryLength*2);
++ this.buffer = new byte[this.bufSize];
++ this.notifier = pNotifier;
++
+ this.boundary = new byte[this.boundaryLength];
+ this.keepRegion = this.boundary.length;
+
diff -Nru tomcat7-7.0.52/debian/patches/fix_cookie_names_in_tests.patch tomcat7-7.0.52/debian/patches/fix_cookie_names_in_tests.patch
--- tomcat7-7.0.52/debian/patches/fix_cookie_names_in_tests.patch 1970-01-01 00:00:00.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/fix_cookie_names_in_tests.patch 2016-06-27 15:41:55.000000000 +0000
@@ -0,0 +1,87 @@
+Description: fix FTBFS by removing colons in cookie names which is illegal
+ in newer java versions
+Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1715547
+Origin: backport, http://svn.apache.org/viewvc?view=revision&revision=1715550
+
+Index: tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java
+===================================================================
+--- tomcat7-7.0.52.orig/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java 2016-06-27 10:50:06.053815019 -0400
++++ tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestNonLoginAndBasicAuthenticator.java 2016-06-27 10:50:06.049814992 -0400
+@@ -412,7 +412,7 @@
+ new HashMap>();
+
+ if (useCookie && (cookies != null)) {
+- reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies);
++ reqHeaders.put(CLIENT_COOKIE_HEADER, cookies);
+ }
+
+ ByteChunk bc = new ByteChunk();
+@@ -437,7 +437,7 @@
+ new HashMap>();
+
+ if (useCookie && (cookies != null)) {
+- reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies);
++ reqHeaders.put(CLIENT_COOKIE_HEADER, cookies);
+ }
+ else {
+ if (credentials != null) {
+@@ -625,4 +625,4 @@
+ return credentials;
+ }
+ }
+-}
+\ No newline at end of file
++}
+Index: tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java
+===================================================================
+--- tomcat7-7.0.52.orig/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java 2016-06-27 10:50:06.053815019 -0400
++++ tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestSSOnonLoginAndBasicAuthenticator.java 2016-06-27 10:50:06.053815019 -0400
+@@ -358,7 +358,7 @@
+ new HashMap>();
+
+ if (useCookie && (cookies != null)) {
+- reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies);
++ reqHeaders.put(CLIENT_COOKIE_HEADER, cookies);
+ }
+
+ ByteChunk bc = new ByteChunk();
+@@ -382,7 +382,7 @@
+ Map> respHeaders = new HashMap>();
+
+ if (useCookie && (cookies != null)) {
+- reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies);
++ reqHeaders.put(CLIENT_COOKIE_HEADER, cookies);
+ }
+ else {
+ if (credentials != null) {
+@@ -568,7 +568,7 @@
+ protected void addCookies(Map> reqHeaders) {
+
+ if ((cookies != null) && (cookies.size() > 0)) {
+- reqHeaders.put(CLIENT_COOKIE_HEADER + ":", cookies);
++ reqHeaders.put(CLIENT_COOKIE_HEADER, cookies);
+ }
+ }
+
+@@ -655,4 +655,4 @@
+ return credentials;
+ }
+ }
+-}
+\ No newline at end of file
++}
+Index: tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestSSOnonLoginAndDigestAuthenticator.java
+===================================================================
+--- tomcat7-7.0.52.orig/test/org/apache/catalina/authenticator/TestSSOnonLoginAndDigestAuthenticator.java 2016-06-27 10:50:06.053815019 -0400
++++ tomcat7-7.0.52/test/org/apache/catalina/authenticator/TestSSOnonLoginAndDigestAuthenticator.java 2016-06-27 10:50:06.053815019 -0400
+@@ -485,7 +485,7 @@
+ protected void addCookies(Map> reqHeaders) {
+
+ if ((cookies != null) && (cookies.size() > 0)) {
+- reqHeaders.put(BROWSER_COOKIES + ":", cookies);
++ reqHeaders.put(BROWSER_COOKIES, cookies);
+ }
+ }
+-}
+\ No newline at end of file
++}
diff -Nru tomcat7-7.0.52/debian/patches/series tomcat7-7.0.52/debian/patches/series
--- tomcat7-7.0.52/debian/patches/series 2015-06-19 20:13:36.000000000 +0000
+++ tomcat7-7.0.52/debian/patches/series 2016-06-27 18:17:55.000000000 +0000
@@ -22,3 +22,12 @@
CVE-2014-7810.patch
0022-use-tls-in-ssl-unit-tests.patch
0023-replace-expired-ssl-certificates.patch
+CVE-2015-5174.patch
+CVE-2015-5345.patch
+CVE-2015-5346.patch
+CVE-2015-5351.patch
+CVE-2016-0706.patch
+CVE-2016-0714.patch
+CVE-2016-0763.patch
+fix_cookie_names_in_tests.patch
+CVE-2016-3092.patch