diff --git a/CVE-2025-55668.patch b/CVE-2025-55668.patch new file mode 100644 index 0000000000000000000000000000000000000000..c5517c8283ad588f6c2ab805c0344d34b4bbbca6 --- /dev/null +++ b/CVE-2025-55668.patch @@ -0,0 +1,67 @@ +commit 9c3673ba04009377cb0c81ccb6cf5078aec1aa95 +Author: remm +Date: Tue Jun 3 13:53:01 2025 +0200 + + Encode redirect URL used by the rewrite valve with session id + + Handle different cross context session configuration. + BZ69699 +Origin: https://github.com/apache/tomcat/commit/9c3673ba04009377cb0c81ccb6cf5078aec1aa95 + +diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java +index c717371a5a..6bc8d80964 100644 +--- a/java/org/apache/catalina/connector/Request.java ++++ b/java/org/apache/catalina/connector/Request.java +@@ -547,7 +547,7 @@ public class Request implements HttpServletRequest { + } + + +- protected void recycleSessionInfo() { ++ public void recycleSessionInfo() { + if (session != null) { + try { + session.endAccess(); +diff --git a/java/org/apache/catalina/valves/rewrite/RewriteValve.java b/java/org/apache/catalina/valves/rewrite/RewriteValve.java +index 660c9c8fa9..a3f95b2cdc 100644 +--- a/java/org/apache/catalina/valves/rewrite/RewriteValve.java ++++ b/java/org/apache/catalina/valves/rewrite/RewriteValve.java +@@ -462,11 +462,13 @@ public class RewriteValve extends ValveBase { + if (context && urlStringEncoded.charAt(0) == '/' && !UriUtil.hasScheme(urlStringEncoded)) { + urlStringEncoded.insert(0, request.getContext().getEncodedPath()); + } ++ String redirectPath; + if (rule.isNoescape()) { +- response.sendRedirect(UDecoder.URLDecode(urlStringEncoded.toString(), uriCharset)); ++ redirectPath = UDecoder.URLDecode(urlStringEncoded.toString(), uriCharset); + } else { +- response.sendRedirect(urlStringEncoded.toString()); ++ redirectPath = urlStringEncoded.toString(); + } ++ response.sendRedirect(response.encodeRedirectURL(redirectPath)); + response.setStatus(rule.getRedirectCode()); + done = true; + break; +@@ -578,6 +580,7 @@ public class RewriteValve extends ValveBase { + chunk.append(host.toString()); + } + request.getMappingData().recycle(); ++ request.recycleSessionInfo(); + // Reinvoke the whole request recursively + Connector connector = request.getConnector(); + try { +diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml +index 05a0ca4fc6..bf3dc0f87d 100644 +--- a/webapps/docs/changelog.xml ++++ b/webapps/docs/changelog.xml +@@ -120,6 +120,11 @@ + Add org.apache.juli.JsonFormatter to format log as one + line JSON documents. (remm) + ++ ++ 69699: Encode redirect URL used by the rewrite valve with ++ the session id if appropriate, and handle cross context with different ++ session configuration when using rewrite. (remm) ++ + + + diff --git a/tomcat.spec b/tomcat.spec index d906607e3a4ed7190d4dc5080f56e836b380f757..9de5fd5eb45897873f96bd863bf065458843cd0b 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -23,7 +23,7 @@ Name: tomcat Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 6 +Release: 7 Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API License: Apache-2.0 @@ -64,6 +64,7 @@ Patch17: CVE-2025-49125.patch Patch18: CVE-2025-52434.patch Patch19: CVE-2025-52520.patch Patch20: CVE-2025-53506.patch +Patch21: CVE-2025-55668.patch BuildArch: noarch @@ -430,6 +431,9 @@ fi %{appdir}/docs %changelog +* Thu Aug 14 2025 Yu Peng - 1:9.0.100-7 +- Fix CVE-2025-55668 + * Fri Jul 11 2025 wangkai <13474090681@163.com> - 1:9.0.100-6 - Fix CVE-2025-52434 CVE-2025-53506 CVE-2025-52520