# HG changeset patch # User Petr Sumbera # Date 1327321050 28800 # Node ID b4a4c4d7fb32ea7e186ab1418f935075a7cb9866 # Parent c52ed55c4e7d115eb70cea77569a27de5a0d3d22 7131403 Upgrade Apache Tomcat to version 6.0.35 7127216 Problem with utility/tomcat 7131401 Problem with utility/tomcat diff -r c52ed55c4e7d -r b4a4c4d7fb32 components/tomcat/Makefile --- a/components/tomcat/Makefile Mon Jan 23 04:11:24 2012 -0800 +++ b/components/tomcat/Makefile Mon Jan 23 04:17:30 2012 -0800 @@ -20,16 +20,17 @@ # # -# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved. # include ../../make-rules/shared-macros.mk COMPONENT_NAME= apache-tomcat -COMPONENT_VERSION= 6.0.33 +COMPONENT_VERSION= 6.0.35 +COMPONENT_PROJECT_URL= http://tomcat.apache.org/ COMPONENT_SRC= $(COMPONENT_NAME)-$(COMPONENT_VERSION)-src COMPONENT_ARCHIVE= $(COMPONENT_SRC).tar.gz -COMPONENT_ARCHIVE_HASH= sha1:437db0ba55c6e398fe3af73c4fa5eed3c4666842 +COMPONENT_ARCHIVE_HASH= sha1:1a47ad41d52a27757cfeddf7fa1627688ed4027a COMPONENT_ARCHIVE_URL= http://www.apache.org/dist/tomcat/tomcat-6/v$(COMPONENT_VERSION)/src/$(COMPONENT_ARCHIVE) # Tomcat subcomponents 
@@ -39,9 +40,9 @@ COMPONENT_ARCHIVE_2= commons-pool-1.5.6-src.tar.gz COMPONENT_ARCHIVE_HASH_2= sha1:d97caa6670d7683f97749defb96aee6a7bcdbdf9 COMPONENT_ARCHIVE_URL_2= http://archive.apache.org/dist/commons/pool/source/$(COMPONENT_ARCHIVE_2) -COMPONENT_ARCHIVE_3= ecj.jar -COMPONENT_ARCHIVE_HASH_3= sha1:f4ddfbb80cb97b0bdfa8730102db9fec1630a983 -COMPONENT_ARCHIVE_URL_3= http://archive.eclipse.org/eclipse/downloads/drops/R-3.3.1-200709211145/$(COMPONENT_ARCHIVE_3) +COMPONENT_ARCHIVE_3= ecj-3.7.jar +COMPONENT_ARCHIVE_HASH_3= sha1:2377a3e1d3e89f342e1d7abe2bbfbfcc25b185ec +COMPONENT_ARCHIVE_URL_3= http://download.eclipse.org/eclipse/downloads/drops/R-3.7-201106131736/$(COMPONENT_ARCHIVE_3) include ../../make-rules/prep.mk include ../../make-rules/ant.mk diff -r c52ed55c4e7d -r b4a4c4d7fb32 components/tomcat/patches/CVE-2011-3190.patch --- a/components/tomcat/patches/CVE-2011-3190.patch Mon Jan 23 04:11:24 2012 -0800 +++ /dev/null Thu Jan 01 00:00:00 1970 +0000 
@@ -1,81 +0,0 @@ ---- trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011/08/29 19:45:13 1162958 -+++ trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java 2011/08/29 19:45:42 1162959 -@@ -405,11 +405,13 @@ - } - continue; - } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) { -- // Usually the servlet didn't read the previous request body -- if(log.isDebugEnabled()) { -- log.debug("Unexpected message: "+type); -+ // Unexpected packet type. Unread body packets should have -+ // been swallowed in finish(). -+ if (log.isDebugEnabled()) { -+ log.debug("Unexpected message: " + type); - } -- continue; -+ error = true; -+ break; - } - - keptAlive = true; -@@ -1056,6 +1058,11 @@ - - finished = true; - -+ // Swallow the unread body packet if present -+ if (first && request.getContentLengthLong() > 0) { -+ receive(); -+ } -+ - // Add the end message - if (outputBuffer.position() + endMessageArray.length > outputBuffer.capacity()) { - flush(); ---- trunk/java/org/apache/coyote/ajp/AjpProcessor.java 2011/08/29 19:45:13 1162958 -+++ trunk/java/org/apache/coyote/ajp/AjpProcessor.java 2011/08/29 19:45:42 1162959 -@@ -423,11 +423,13 @@ - } - continue; - } else if(type != Constants.JK_AJP13_FORWARD_REQUEST) { -- // Usually the servlet didn't read the previous request body -- if(log.isDebugEnabled()) { -- log.debug("Unexpected message: "+type); -+ // Unexpected packet type. Unread body packets should have -+ // been swallowed in finish(). 
-+ if (log.isDebugEnabled()) { -+ log.debug("Unexpected message: " + type); - } -- continue; -+ error = true; -+ break; - } - - request.setStartTime(System.currentTimeMillis()); -@@ -1061,6 +1063,11 @@ - - finished = true; - -+ // Swallow the unread body packet if present -+ if (first && request.getContentLengthLong() > 0) { -+ receive(); -+ } -+ - // Add the end message - output.write(endMessageArray); - ---- trunk/webapps/docs/changelog.xml 2011/08/29 19:45:13 1162958 -+++ trunk/webapps/docs/changelog.xml 2011/08/29 19:45:42 1162959 -@@ -52,6 +52,14 @@ - - - -+ -+ -+ -+ 51698: Fix CVE-2011-3190. Prevent AJP message injection. -+ (markt) -+ -+ -+ - -
- diff -r c52ed55c4e7d -r b4a4c4d7fb32 components/tomcat/patches/build.properties.patch --- a/components/tomcat/patches/build.properties.patch Mon Jan 23 04:11:24 2012 -0800 +++ b/components/tomcat/patches/build.properties.patch Mon Jan 23 04:17:30 2012 -0800 @@ -1,5 +1,5 @@ ---- apache-tomcat-6.0.33-src/build.properties.default Tue Aug 16 06:34:59 2011 -+++ apache-tomcat-6.0.33-src/build.properties.default Tue Aug 16 06:39:29 2011 +--- apache-tomcat-6.0.35-src/build.properties.default Thu Jan 12 06:48:46 2012 ++++ apache-tomcat-6.0.35-src/build.properties.default Thu Jan 12 06:51:47 2012 @@ -54,6 +54,12 @@ base-sf.loc=http://downloads.sourceforge.net base-maven.loc=http://repo2.maven.org/maven2 @@ -17,9 +17,9 @@ jdt.jar=${jdt.home}/ecj-${jdt.version}.jar # The download will be moved to the archive area eventually. We are taking care of that in advance. # Note older JARs were called ecj.jar. Newer JARs are called ecj-${jdt.version}.jar --jdt.loc.1=http://archive.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj.jar -+jdt.loc.1=${userland-files.loc}/ecj.jar - jdt.loc.2=http://download.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj.jar +-jdt.loc.1=http://archive.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj-${jdt.version}.jar ++jdt.loc.1=${userland-files.loc}/ecj-${jdt.version}.jar + jdt.loc.2=http://download.eclipse.org/eclipse/downloads/drops/${jdt.release}/ecj-${jdt.version}.jar # ----- Tomcat native library ----- @@ -129,16 +135,16 @@ diff -r c52ed55c4e7d -r b4a4c4d7fb32 components/tomcat/tomcat.p5m --- a/components/tomcat/tomcat.p5m Mon Jan 23 04:11:24 2012 -0800 +++ b/components/tomcat/tomcat.p5m Mon Jan 23 04:17:30 2012 -0800 @@ -20,7 +20,7 @@ # # -# Copyright (c) 2011, Oracle and/or its affiliates. All rights reserved. +# Copyright (c) 2011, 2012, Oracle and/or its affiliates. All rights reserved. # \ 
@@ -42,7 +42,7 @@ set name=info.classification \ value="org.opensolaris.category.2008:Web Services/Application and Web Servers" set name=info.source-url value=$(COMPONENT_ARCHIVE_URL) -set name=info.upstream-url value=http://tomcat.apache.org +set name=info.upstream-url value=$(COMPONENT_PROJECT_URL) set name=org.opensolaris.arc-caseid \ value=PSARC/2008/711 set name=org.opensolaris.consolidation value=$(CONSOLIDATION) @@ -231,7 +231,7 @@ file path=usr/tomcat6/lib/catalina-ha.jar file path=usr/tomcat6/lib/catalina-tribes.jar file path=usr/tomcat6/lib/catalina.jar -file path=usr/tomcat6/lib/ecj-3.3.1.jar +file path=usr/tomcat6/lib/ecj-3.7.jar file path=usr/tomcat6/lib/el-api.jar file path=usr/tomcat6/lib/jasper-el.jar file path=usr/tomcat6/lib/jasper.jar @@ -291,9 +291,9 @@ file path=var/tomcat6/webapps/manager/images/void.gif file path=var/tomcat6/webapps/manager/status.xsd file path=var/tomcat6/webapps/manager/xform.xsl -legacy pkg=SUNWtcat desc="Tomcat Servlet/JSP Container" \ - name="Tomcat Servlet/JSP Container" +depend fmri=__TBD pkg.debug.depend.file=usr/jdk/instances/jdk1.6.0/bin/java \ + type=require license tomcat.license license="Apache v2.0" link path=etc/tomcat6 target=../var/tomcat6/conf
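Review bot: In components/tomcat/Makefile, hunk @@ -20,16 +20,17 @@, the new COMPONENT_ARCHIVE_HASH is still a SHA-1 digest and COMPONENT_ARCHIVE_URL is fetched over plain http://, so this one value is the only thing binding the build to the intended 6.0.35 source tarball. Please state in the commit message how the digest was obtained (for example, computed from a tarball whose upstream release signature was verified), and use a stronger digest if the fetch rules accept one. Separately, COMPONENT_ARCHIVE_URL points at www.apache.org/dist, which drops superseded releases, while COMPONENT_ARCHIVE_URL_2 already uses archive.apache.org; using the archive host here too would keep the component rebuildable after the next upstream release.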
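Review bot: In components/tomcat/Makefile, hunk @@ -39,9 +40,9 @@, COMPONENT_ARCHIVE_3 is a prebuilt binary (ecj-3.7.jar) that tomcat.p5m then delivers as usr/tomcat6/lib/ecj-3.7.jar, yet it is downloaded over http:// and pinned only by a SHA-1 digest. Since this jar is shipped without being rebuilt from source, its provenance deserves a comment next to COMPONENT_ARCHIVE_HASH_3. The URL also moves from archive.eclipse.org to download.eclipse.org, and the build.properties.default comment quoted later in this changeset says the download "will be moved to the archive area eventually", so the new location is expected to stop resolving; consider noting that or pointing at the archive location once it exists.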
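Review bot: The deletion of components/tomcat/patches/CVE-2011-3190.patch (hunk @@ -1,81 +0,0 @@) is not explained anywhere in the commit message, which lists only the three bug IDs. Removing a security patch should carry an explicit statement that the upstream change it backported (the hunks are taken from revisions 1162958 to 1162959, changelog entry 51698) is contained in the 6.0.35 source. Before merging, confirm that AjpProcessor.java and AjpAprProcessor.java in the new tarball have the `error = true; break;` branch for unexpected message types and the `receive()` call in finish() that swallows an unread body packet, and say so in the message.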
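Review bot: In components/tomcat/patches/build.properties.patch, hunk @@ -17,9 +17,9 @@, only jdt.loc.1 is redirected to ${userland-files.loc}; jdt.loc.2 is left as an http://download.eclipse.org URL. If the upstream build falls back to jdt.loc.2 when the local copy is missing or misnamed, it would pull ecj-${jdt.version}.jar from the network at build time without going through the COMPONENT_ARCHIVE_HASH_3 check in the Makefile. Suggest pointing jdt.loc.2 at ${userland-files.loc} as well, or otherwise making the build fail rather than download.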
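Review bot: In components/tomcat/tomcat.p5m, hunk @@ -291,9 +291,9 @@, the `legacy pkg=SUNWtcat` action is dropped and a `depend fmri=__TBD pkg.debug.depend.file=usr/jdk/instances/jdk1.6.0/bin/java type=require` action is added, but neither change is described in the commit message beyond "Problem with utility/tomcat". Please say which bug ID each one addresses. The dependency is also keyed on a version-specific path (jdk1.6.0), so it pins the package to that JDK instance; if any supported Java runtime is acceptable, a comment explaining why this path was chosen would help the next person who updates the manifest.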