File _patchinfo of Package patchinfo.30729
<patchinfo incident="30729">
<issue tracker="cve" id="2023-41080"/>
<issue tracker="cve" id="CVE-2023-44487"/>
<issue tracker="bnc" id="1214666">VUL-0: CVE-2023-41080: tomcat: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in FORM authentication feature</issue>
<issue tracker="bnc" id="1216182">VUL-0: tomcat: Rapid reset attack impact (CVE-2023-44487)</issue>
<issue tracker="jsc" id="PED-6376"/>
<issue tracker="jsc" id="PED-6377"/>
<packager>fstrba</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for tomcat</summary>
<description>This update for tomcat fixes the following issues:
Tomcat was updated to version 9.0.82 (jsc#PED-6376, jsc#PED-6377):
- Security issues fixed:
* CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666)
* CVE-2023-44487: Fix HTTP/2 Rapid Reset Attack. (bsc#1216182)
- Update to Tomcat 9.0.82:
* Catalina
+ Add: 65770: Provide a lifecycle listener that will
automatically reload TLS configurations a set time before the
certificate is due to expire. This is intended to be used with
third-party tools that regularly renew TLS certificates.
+ Fix: Fix handling of an error reading a context descriptor on
deployment.
+ Fix: Fix rewrite rule qsd (query string discard) being ignored
if qsa was also used, while it should instead take precedence.
+ Fix: 67472: Send fewer CORS-related headers when CORS is not
actually being engaged.
+ Add: Improve handling of failures within recycle() methods.
* Coyote
+ Fix: 67670: Fix regression with HTTP compression after code
refactoring.
+ Fix: 67198: Ensure that the AJP connector attribute
tomcatAuthorization takes precedence over the
tomcatAuthentication attribute when processing an auth_type
attribute received from a proxy server.
+ Fix: 67235: Fix a NullPointerException when an AsyncListener
handles an error with a dispatch rather than a complete.
+ Fix: When an error occurs during asynchronous processing,
ensure that the error handling process is only triggered once
per asynchronous cycle.
+ Fix: Fix logic issue trying to match no argument method in
IntrospectionUtils.
+ Fix: Improve thread safety around readNotify and writeNotify
in the NIO2 endpoint.
+ Fix: Avoid rare thread safety issue accessing message digest
map.
+ Fix: Improve statistics collection for upgraded connections
under load.
+ Fix: Align validation of HTTP trailer fields with standard
fields.
+ Fix: Improvements to HTTP/2 overhead protection (bsc#1216182,
CVE-2023-44487).
* jdbc-pool
+ Fix: 67664: Correct a regression in the clean-up of
unnecessary use of fully qualified class names in 9.0.81
that broke the jdbc-pool.
* Jasper
+ Fix: 67080: Improve performance of EL expressions in JSPs that
use implicit objects.
- Update to Tomcat 9.0.80 (jsc#PED-6376, jsc#PED-6377):
* Catalina:
+ Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks
+ Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop()
methods.
+ Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with
one or more Connectors to process requests received by those Connectors using virtual threads. This Executor
requires a minimum Java version of Java 21.
+ Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no
more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses
the Valve and the reason if a request fails to obtain the per session Semaphore.
+ Ensure that the default servlet correctly escapes file names in directory listings when using XML output.
+ Add a numeric last modified field to the XML directory listings produced by the default servlet to enable sorting
in the XSLT.
+ Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock.
+ Deprecate the xssProtectionEnabled setting from the HttpHeaderSecurityFilter and change the default value to false
as support for the associated HTTP header has been removed from all major browsers.
+ Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information
environment entries.
+ Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping
from a properties file.
+ Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately
crafted to allow it even when allowLinking was set to false.
+ Add utility config file resource lookup on Context to allow looking up resources from the webapp
(prefixed with webapp:) and make the resource lookup API more visible.
+ Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan.
+ Make parsing of ExtendedAccessLogValve patterns more robust.
+ Fix failure trying to persist configuration for an internal credential handler.
+ When serializing a session during the session persistence process, do not log a warning that null Principals are
not serializable.
+ Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up to 17 to signal closed connections.
+ Use the same naming format in log messages for Connector instances as the associated ProtocolHandler instance.
+ The parts count should also lower the actual maxParameterCount used for parsing parameters if parts are parsed
first.
+ If an application or library sets both a non-500 error code and the javax.servlet.error.exception request
attribute, use the provided error code during error page processing rather than assuming an error code of 500.
+ Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and
kB.
* Coyote:
+ Update the HTTP/2 implementation to use the prioritization scheme defined in RFC 9218 rather than the one defined
in RFC 7540.
+ Fix not sending WINDOW_UPDATE when dataLength is zero in a call to SwallowedDataFramePayload.
+ Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather
than reflecting the most recent conversion.
+ Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and
PEM file based keys/certificates and logs the relevant information for each.
+ Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from
the Poller to be missed resulting in a timeout rather than the expected read or write.
+ Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait.
+ Correct a regression introduced in 9.0.78 and use the correct constant when constructing the default value for the
certificateKeystoreFile attribute of an SSLHostConfigCertificate instance.
+ Refactor HTTP/2 implementation to reduce pinning when using virtual threads.
+ Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying
to parse it.
+ Ensure that AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2.
+ When using asynchronous I/O (the default for NIO and NIO2), include DATA frames when calculating the HTTP/2
overhead count to ensure that connections are not prematurely terminated.
+ Correct a race condition that could cause spurious RST messages to be sent after the response had been written to
an HTTP/2 stream.
* WebSocket:
+ Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a
WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid
characters from the base64 alphabet are used.
+ Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown.
+ Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before
the onClose() event had been completed.
+ Fix a NullPointerException when flushing batched messages with compression enabled using permessage-deflate.
* Web applications:
+ Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks.
+ Documentation: Expand the security guidance to cover the embedded use case and add notes on the uses made of the
java.io.tmpdir system property.
+ Documentation: Fix a typo in the name of the algorithms attribute in the configuration section for the Digest
authentication Valve.
+ Documentation: Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB.
* jdbc-pool:
+ Fix releaseIdleCounter not incrementing when testAllIdle releases idle connections.
+ Fix ConnectionState becoming inconsistent with the actual state of the connection when an exception occurs
while writing.
* Other:
+ Update to Commons Daemon 1.3.4.
+ Improvements to French translations.
+ Update Checkstyle to 10.12.0.
+ Update the packaged version of the Apache Tomcat Native Library to 1.2.37 to pick up the Windows binaries built
with OpenSSL 1.1.1u.
+ Include the Windows specific binary distributions in the files uploaded to Maven Central.
+ Improvements to French translations.
+ Improvements to Japanese translations.
+ Update UnboundID to 6.0.9.
+ Update Checkstyle to 10.12.1.
+ Update BND to 6.4.1.
+ 66665: Update JSign to 5.0.
+ Correct properties for JSign dependency.
+ Align documentation for maxParameterCount to match hard-coded defaults.
+ Update NSIS to 3.0.9.
+ Update Checkstyle to 10.12.2.
+ Improvements to French translations.
+ Improvements to Japanese translations.
+ Fix quoting so users can use the _RUNJAVA environment variable as intended on Windows when the path to the Java
executable contains spaces.
+ Update Tomcat Native to 1.2.38 to pick up Windows binaries built with OpenSSL 1.1.1v.
+ Improvements to Chinese translations.
+ Improvements to French translations.
+ Improvements to Japanese translations.
</description>
</patchinfo>