Refix CVE-2021-41079

wk333 2022-04-27 10:50:33 +08:00
parent 30bc121f90
commit 8f55dc4d12
2 changed files with 26 additions and 5 deletions


@ -4,8 +4,9 @@ Date: Wed, 3 Mar 2021 12:00:46 +0000
Subject: [PATCH] Improve robustness
---
java/org/apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
1 file changed, 1 insertion(+)
.../apache/tomcat/util/net/openssl/LocalStrings.properties | 1 +
java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java | 6 ++++--
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 1919159..1ab5f43 100644
@ -19,6 +20,23 @@ index 1919159..1ab5f43 100644
engine.unsupportedProtocol=Protocol [{0}] is not supported
engine.unverifiedPeer=Peer unverified
engine.noSession=SSL session ID not available
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
index 15c6f56..b837fd6 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLEngine.java
@@ -593,8 +593,10 @@ public final class OpenSSLEngine extends SSLEngine implements SSLUtil.ProtocolIn
throw new SSLException(e);
}
- if (bytesRead == 0) {
- break;
+ if (bytesRead <= 0) {
+ // This should not be possible. pendingApp is positive
+ // therefore the read should have read at least one byte.
+ throw new IllegalStateException(sm.getString("engine.failedToReadAvailableBytes"));
}
bytesProduced += bytesRead;
--
2.23.0
2.27.0
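Review bot: The added `bytesRead <= 0` branch in OpenSSLEngine.java throws an unchecked `IllegalStateException`, whereas the read failure just above it is wrapped in `SSLException`, so a caller that handles only `SSLException` would not catch this path; it is worth confirming that the connector closes the connection when this propagates. The comment says why the state is unexpected but not why it has to be fatal; I would add `// Fail hard: carrying on with a non-positive read count is the robustness problem tracked as CVE-2021-41079.` The `engine.failedToReadAvailableBytes` key is presumably the one line the LocalStrings.properties hunk inserts, but that line is not visible in this view and should be checked. The enclosing method and its loop begin and end outside the hunk.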


@ -13,12 +13,12 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
Release: 25
Release: 26
Summary: Implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies
License: ASL 2.0
URL: http://tomcat.apache.org/
Source0: https://github.com/apache/tomcat/archive/%{version}.tar.gz
Source0: https://github.com/apache/tomcat/archive/%{version}.tar.gz
Source1: %{name}-%{major_version}.%{minor_version}.conf
Source3: %{name}-%{major_version}.%{minor_version}.sysconfig
Source4: %{name}-%{major_version}.%{minor_version}.wrapper
@ -502,6 +502,9 @@ fi
%{_javadocdir}/%{name}
%changelog
* Mon Apr 25 2022 wangkai <wangkai@h-partners.com - 1:9.0.10-26
- Refix CVE-2021-41079
* Fri Feb 18 2022 wangkai <wangkai385@huawei.com> - 1:9.0.10-25
- Fix CVE-2022-23181
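Review bot: The new `%changelog` entry is missing the closing `>` after the e-mail address (`<wangkai@h-partners.com - 1:9.0.10-26`), which changelog parsers and rpmlint are likely to flag; it should read `* Mon Apr 25 2022 wangkai <wangkai@h-partners.com> - 1:9.0.10-26`. "Refix" also does not tell an administrator what was wrong before. The patch header in this commit goes from one changed file to two, which suggests that releases up to 25 carried only the message string and not the OpenSSLEngine.java check. Saying so in the entry, for example `- Refix CVE-2021-41079: add the missing OpenSSLEngine.java change`, lets users of earlier builds see that they need this update.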