File tomcat-8.0.36-CVE-2016-0762.patch of Package tomcat.openSUSE_Leap_42.2_Update
Index: java/org/apache/catalina/realm/JDBCRealm.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/realm/JDBCRealm.java	(date 1465480394000)
+++ java/org/apache/catalina/realm/JDBCRealm.java	(revision )
@@ -381,6 +381,9 @@
         String dbCredentials = getPassword(username);
 
         if (dbCredentials == null) {
+            // User was not found in the database.
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
             if (containerLog.isTraceEnabled())
                 containerLog.trace(sm.getString("jdbcRealm.authenticateFailure",
                                                 username));
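Review bot: The dummy `getCredentialHandler().mutate(credentials)` on the unknown-user path is repeated near-verbatim in the MemoryRealm, DataSourceRealm and RealmBase hunks of this patch; since every realm here extends RealmBase, one `protected` helper there (say `mutateForMissingUser(credentials)`, with the "waste a bit of time" rationale in its Javadoc) would keep the four sites consistent and give the mitigation a single place to review. The compensation only works to the extent that mutate() costs about as much as matches() for the configured CredentialHandler, which the comment could state explicitly, e.g. `// Run the handler's mutate() so an unknown user takes roughly as long as a failed match.` The enclosing authenticate() starts before and ends after this hunk, so whether credentials is guaranteed non-null when it reaches mutate() is not visible here.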
Index: java/org/apache/catalina/realm/MemoryRealm.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/realm/MemoryRealm.java	(date 1465480394000)
+++ java/org/apache/catalina/realm/MemoryRealm.java	(revision )
@@ -121,6 +121,10 @@
             validated = false;
         } else {
             if (credentials == null || principal.getPassword() == null) {
+                // User was not found in the database or the password was null
+                // Waste a bit of time as not to reveal that the user does not exist.
+                getCredentialHandler().mutate(credentials);
+
                 if (log.isDebugEnabled())
                     log.debug(sm.getString("memoryRealm.authenticateFailure", username));
                 return (null);
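Review bot: The added `mutate(credentials)` sits inside the `else` branch, so the branch that ends with `validated = false;` at the top of the hunk — which from its position looks like the case where no principal was found, though its condition is above the hunk — still falls through without the dummy work, leaving an unknown user distinguishable by timing from a known one. The new comment `// User was not found in the database or the password was null` therefore describes the wrong branch; if the condition above is indeed the missing-principal case, the mutate call (or a shared helper) belongs in that branch as well. This branch is also entered when `credentials == null` (the condition on the preceding line), so the handler receives a null input; the DataSourceRealm hunk of the same patch returns before the lookup in that case, and the same early guard here would avoid relying on the handler tolerating null.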
Index: java/org/apache/catalina/realm/DataSourceRealm.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/realm/DataSourceRealm.java	(date 1465480394000)
+++ java/org/apache/catalina/realm/DataSourceRealm.java	(revision )
@@ -289,10 +289,22 @@
     protected Principal authenticate(Connection dbConnection,
                                                String username,
                                                String credentials) {
+        // No user or no credentials
+        // Can't possibly authenticate, don't bother the database then
+        if (username == null || credentials == null) {
+            if (containerLog.isTraceEnabled())
+                containerLog.trace(sm.getString("dataSourceRealm.authenticateFailure",
+                        username));
+            return null;
+        }
 
         String dbCredentials = getPassword(dbConnection, username);
 
-        if (credentials == null || dbCredentials == null) {
+        if (dbCredentials == null) {
+            // User was not found in the database.
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
+
             if (containerLog.isTraceEnabled())
                 containerLog.trace(
                     sm.getString("dataSourceRealm.authenticateFailure",
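Review bot: The null-argument trace at the top of the new block duplicates the trace on the unknown-user path a few lines below, and the enclosing authenticate() continues past the hunk with what is presumably a third copy on the mismatch path; a small `private void traceFailure(String username)` would keep the message key and the isTraceEnabled guard in step across all of them. The new guard on `username == null || credentials == null` is well placed, since it also guarantees the later `mutate(credentials)` never sees null — something the MemoryRealm hunk of this patch does not ensure. The "waste a bit of time" comment could say what it relies on: `// mutate() does the same digest work a matches() call would, so lookup failures take comparable time.`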
Index: java/org/apache/catalina/realm/RealmBase.java
IDEA additional info:
Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
<+>UTF-8
===================================================================
--- java/org/apache/catalina/realm/RealmBase.java	(date 1465480394000)
+++ java/org/apache/catalina/realm/RealmBase.java	(revision )
@@ -450,6 +450,18 @@
 
         String serverCredentials = getPassword(username);
 
+        if (serverCredentials == null) {
+            // User was not found
+            // Waste a bit of time as not to reveal that the user does not exist.
+            getCredentialHandler().mutate(credentials);
+
+            if (containerLog.isTraceEnabled()) {
+                containerLog.trace(sm.getString("realmBase.authenticateFailure",
+                        username));
+            }
+            return null;
+        }
+
         boolean validated = getCredentialHandler().matches(credentials, serverCredentials);
         if (!validated) {
             if (containerLog.isTraceEnabled()) {
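Review bot: Whether `credentials` can be null when it reaches `getCredentialHandler().mutate(credentials)` in the new unknown-user branch is not visible, because authenticate() starts above the hunk; the DataSourceRealm hunk of this patch adds an explicit `if (username == null || credentials == null)` early return before the lookup, and RealmBase should do the same rather than depend on the handler's null handling. The new branch otherwise mirrors the mismatch branch that follows it, including the guarded trace call, which suggests the trace plus `return null` could be one private helper shared by both. The method continues past the end of the hunk.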