From 1db706e1394172a9ab0035b44b25189c3b781bd6 Mon Sep 17 00:00:00 2001 From: jialei Date: Wed, 2 Dec 2020 18:25:28 +0800 Subject: [PATCH] fix cve --- CVE-2020-13943-1.patch | 97 ++++++++++++++++++ CVE-2020-13943-2.patch | 82 +++++++++++++++ CVE-2020-13943-3.patch | 220 +++++++++++++++++++++++++++++++++++++++++ CVE-2020-13943-4.patch | 114 +++++++++++++++++++++ tomcat.spec | 12 ++- 5 files changed, 524 insertions(+), 1 deletion(-) create mode 100644 CVE-2020-13943-1.patch create mode 100644 CVE-2020-13943-2.patch create mode 100644 CVE-2020-13943-3.patch create mode 100644 CVE-2020-13943-4.patch diff --git a/CVE-2020-13943-1.patch b/CVE-2020-13943-1.patch new file mode 100644 index 0000000..e2aa440 --- /dev/null +++ b/CVE-2020-13943-1.patch @@ -0,0 +1,97 @@ +From 863b18e34f12085820ad02e86ca0ef7e961bb471 Mon Sep 17 00:00:00 2001 +From: Mark Thomas +Date: Wed, 7 Aug 2019 18:59:07 +0100 +Subject: [PATCH 1/5] Extend the timeout functionality to internal upgrade + processors + +--- + .../coyote/http11/upgrade/InternalHttpUpgradeHandler.java | 2 ++ + .../coyote/http11/upgrade/UpgradeProcessorInternal.java | 6 ++++++ + java/org/apache/coyote/http2/Http2UpgradeHandler.java | 6 ++++++ + .../tomcat/websocket/server/WsHttpUpgradeHandler.java | 6 ++++++ + .../coyote/http11/upgrade/TestUpgradeInternalHandler.java | 5 +++++ + 5 files changed, 25 insertions(+) + +diff --git a/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java b/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java +index 936784e20c..426b1bdb89 100644 +--- a/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java ++++ b/java/org/apache/coyote/http11/upgrade/InternalHttpUpgradeHandler.java +@@ -32,6 +32,8 @@ public interface InternalHttpUpgradeHandler extends HttpUpgradeHandler { + + SocketState upgradeDispatch(SocketEvent status); + ++ void timeoutAsync(long now); ++ + void setSocketWrapper(SocketWrapperBase wrapper); + + void setSslSupport(SSLSupport sslSupport); +diff --git a/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java b/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java +index 6397a72a53..f0f546072d 100644 +--- a/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java ++++ b/java/org/apache/coyote/http11/upgrade/UpgradeProcessorInternal.java +@@ -73,6 +73,12 @@ public class UpgradeProcessorInternal extends UpgradeProcessorBase { + } + + ++ @Override ++ public void timeoutAsync(long now) { ++ internalHttpUpgradeHandler.timeoutAsync(now); ++ } ++ ++ + // --------------------------------------------------- AutoCloseable methods + + @Override +diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java +index 6206f5f5f2..da724652aa 100644 +--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java ++++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java +@@ -388,6 +388,12 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + } + + ++ @Override ++ public void timeoutAsync(long now) { ++ // TODO: Implement improved connection timeouts ++ } ++ ++ + ConnectionSettingsRemote getRemoteSettings() { + return remoteSettings; + } +diff --git a/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java b/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java +index 0cde0e3672..5dd1c5a68c 100644 +--- a/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java ++++ b/java/org/apache/tomcat/websocket/server/WsHttpUpgradeHandler.java +@@ -189,6 +189,12 @@ public class WsHttpUpgradeHandler implements InternalHttpUpgradeHandler { + } + + ++ @Override ++ public void timeoutAsync(long now) { ++ // NO-OP ++ } ++ ++ + @Override + public void pause() { + // NO-OP +diff --git a/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java b/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java +index 367f06f5b3..183a8dac7f 100644 +--- a/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java ++++ b/test/org/apache/coyote/http11/upgrade/TestUpgradeInternalHandler.java +@@ -256,6 +256,11 @@ public class TestUpgradeInternalHandler extends TomcatBaseTest { + return SocketState.UPGRADED; + } + ++ @Override ++ public void timeoutAsync(long now) { ++ // NO-OP ++ } ++ + @Override + public void setSocketWrapper(SocketWrapperBase wrapper) { + this.wrapper = wrapper; +-- +2.23.0 + diff --git a/CVE-2020-13943-2.patch b/CVE-2020-13943-2.patch new file mode 100644 index 0000000..d29bf38 --- /dev/null +++ b/CVE-2020-13943-2.patch @@ -0,0 +1,82 @@ +From 38ef1f624aaf045458b6fe055742fa680a96a9e1 Mon Sep 17 00:00:00 2001 +From: Mark Thomas +Date: Thu, 7 Mar 2019 10:50:05 +0000 +Subject: [PATCH 2/5] Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63223 + +--- + java/org/apache/coyote/http2/Http2UpgradeHandler.java | 8 ++++++++ + java/org/apache/coyote/http2/Stream.java | 5 +++++ + java/org/apache/coyote/http2/StreamStateMachine.java | 8 +++++++- + 3 files changed, 20 insertions(+), 1 deletion(-) + +diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java +index da724652aa..2330d12e09 100644 +--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java ++++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java +@@ -555,6 +555,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + synchronized (socketWrapper) { + doWriteHeaders(stream, pushedStreamId, mimeHeaders, endOfStream, payloadSize); + } ++ stream.sentHeaders(); + if (endOfStream) { + stream.sentEndOfStream(); + } +@@ -1178,6 +1179,13 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + + + void push(Request request, Stream associatedStream) throws IOException { ++ if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) { ++ // If there are too many open streams, simply ignore the push ++ // request. ++ activeRemoteStreamCount.decrementAndGet(); ++ return; ++ } ++ + Stream pushStream; + + // Synchronized since PUSH_PROMISE frames have to be sent in order. Once +diff --git a/java/org/apache/coyote/http2/Stream.java b/java/org/apache/coyote/http2/Stream.java +index 43aee9d656..629d0210b4 100644 +--- a/java/org/apache/coyote/http2/Stream.java ++++ b/java/org/apache/coyote/http2/Stream.java +@@ -561,6 +561,11 @@ class Stream extends AbstractStream implements HeaderEmitter { + } + + ++ final void sentHeaders() { ++ state.sentHeaders(); ++ } ++ ++ + final void sentEndOfStream() { + streamOutputBuffer.endOfStreamSent = true; + state.sentEndOfStream(); +diff --git a/java/org/apache/coyote/http2/StreamStateMachine.java b/java/org/apache/coyote/http2/StreamStateMachine.java +index 3b67f865d3..d19bb0a255 100644 +--- a/java/org/apache/coyote/http2/StreamStateMachine.java ++++ b/java/org/apache/coyote/http2/StreamStateMachine.java +@@ -53,6 +53,12 @@ class StreamStateMachine { + } + + ++ final synchronized void sentHeaders() { ++ // No change if currently OPEN ++ stateChange(State.RESERVED_LOCAL, State.HALF_CLOSED_REMOTE); ++ } ++ ++ + final synchronized void receivedStartOfHeaders() { + stateChange(State.IDLE, State.OPEN); + stateChange(State.RESERVED_REMOTE, State.HALF_CLOSED_LOCAL); +@@ -170,7 +176,7 @@ class StreamStateMachine { + Http2Error.PROTOCOL_ERROR, FrameType.PRIORITY, + FrameType.RST, + FrameType.WINDOW_UPDATE), +- RESERVED_REMOTE (false, false, true, true, ++ RESERVED_REMOTE (false, true, true, true, + Http2Error.PROTOCOL_ERROR, FrameType.HEADERS, + FrameType.PRIORITY, + FrameType.RST), +-- +2.23.0 + diff --git a/CVE-2020-13943-3.patch b/CVE-2020-13943-3.patch new file mode 100644 index 0000000..a52ab3c --- /dev/null +++ b/CVE-2020-13943-3.patch @@ -0,0 +1,220 @@ +From 5d7f2eac857cc75757cfc58d003fbf17a23c2720 Mon Sep 17 00:00:00 2001 +From: Mark Thomas +Date: Wed, 7 Aug 2019 17:02:37 +0100 +Subject: [PATCH 3/5] Improve HTTP/2 connection timeout handling + +--- + .../http2/Http2AsyncUpgradeHandler.java | 6 +- + .../coyote/http2/Http2UpgradeHandler.java | 93 ++++++++++++++----- + 2 files changed, 73 insertions(+), 26 deletions(-) + +diff --git a/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java b/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java +index ba49986b5b..107d4bedd2 100644 +--- a/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java ++++ b/java/org/apache/coyote/http2/Http2AsyncUpgradeHandler.java +@@ -191,7 +191,7 @@ public class Http2AsyncUpgradeHandler extends Http2UpgradeHandler { + header[4] = FLAG_END_OF_STREAM; + stream.sentEndOfStream(); + if (!stream.isActive()) { +- activeRemoteStreamCount.decrementAndGet(); ++ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); + } + } + if (writeable) { +@@ -297,7 +297,7 @@ public class Http2AsyncUpgradeHandler extends Http2UpgradeHandler { + header[4] = FLAG_END_OF_STREAM; + sendfile.stream.sentEndOfStream(); + if (!sendfile.stream.isActive()) { +- activeRemoteStreamCount.decrementAndGet(); ++ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); + } + } + if (writeable) { +@@ -358,7 +358,7 @@ public class Http2AsyncUpgradeHandler extends Http2UpgradeHandler { + header[4] = FLAG_END_OF_STREAM; + sendfile.stream.sentEndOfStream(); + if (!sendfile.stream.isActive()) { +- activeRemoteStreamCount.decrementAndGet(); ++ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); + } + } + if (writeable) { +diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java +index 2330d12e09..9c18bf0ca8 100644 +--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java ++++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java +@@ -133,6 +133,9 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + // Tracking for when the connection is blocked (windowSize < 1) + private final Map backLogStreams = new ConcurrentHashMap<>(); + private long backLogSize = 0; ++ // The time at which the connection will timeout unless data arrives before ++ // then. -1 means no timeout. ++ private volatile long connectionTimeout = -1; + + // Stream concurrency control + private AtomicInteger streamConcurrency = null; +@@ -313,8 +316,10 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + case OPEN_READ: + try { + // There is data to read so use the read timeout while +- // reading frames. ++ // reading frames ... + socketWrapper.setReadTimeout(protocol.getReadTimeout()); ++ // ... and disable the connection timeout ++ setConnectionTimeout(-1); + while (true) { + try { + if (!parser.readFrame(false)) { +@@ -330,23 +335,22 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + stream.close(se); + } + } ++ if (overheadCount.get() > 0) { ++ throw new ConnectionException( ++ sm.getString("upgradeHandler.tooMuchOverhead", connectionId), ++ Http2Error.ENHANCE_YOUR_CALM); ++ } + } + +- if (overheadCount.get() > 0) { +- throw new ConnectionException( +- sm.getString("upgradeHandler.tooMuchOverhead", connectionId), +- Http2Error.ENHANCE_YOUR_CALM); +- } ++ // Need to know the correct timeout before starting the read ++ // but that may not be known at this time if one or more ++ // requests are currently being processed so don't set a ++ // timeout for the socket... ++ socketWrapper.setReadTimeout(-1); ++ ++ // ...set a timeout on the connection ++ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.get()); + +- if (activeRemoteStreamCount.get() == 0) { +- // No streams currently active. Use the keep-alive +- // timeout for the connection. +- socketWrapper.setReadTimeout(protocol.getKeepAliveTimeout()); +- } else { +- // Streams currently active. Individual streams have +- // timeouts so keep the connection open. +- socketWrapper.setReadTimeout(-1); +- } + } catch (Http2Exception ce) { + // Really ConnectionException + if (log.isDebugEnabled()) { +@@ -367,9 +371,12 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + result = SocketState.UPGRADED; + break; + ++ case TIMEOUT: ++ closeConnection(null); ++ break; ++ + case DISCONNECT: + case ERROR: +- case TIMEOUT: + case STOP: + close(); + break; +@@ -388,9 +395,41 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + } + + ++ /* ++ * Sets the connection timeout based on the current number of active ++ * streams. ++ */ ++ protected void setConnectionTimeoutForStreamCount(int streamCount) { ++ if (streamCount == 0) { ++ // No streams currently active. Use the keep-alive ++ // timeout for the connection. ++ long keepAliveTimeout = protocol.getKeepAliveTimeout(); ++ if (keepAliveTimeout == -1) { ++ setConnectionTimeout(-1); ++ } else { ++ setConnectionTimeout(System.currentTimeMillis() + keepAliveTimeout); ++ } ++ } else { ++ // Streams currently active. Individual streams have ++ // timeouts so keep the connection open. ++ setConnectionTimeout(-1); ++ } ++ } ++ ++ ++ private void setConnectionTimeout(long connectionTimeout) { ++ this.connectionTimeout = connectionTimeout; ++ } ++ ++ + @Override + public void timeoutAsync(long now) { +- // TODO: Implement improved connection timeouts ++ long connectionTimeout = this.connectionTimeout; ++ if (now == -1 || connectionTimeout > -1 && now > connectionTimeout) { ++ // Have to dispatch as this will be executed from a non-container ++ // thread. ++ socketWrapper.processSocket(SocketEvent.TIMEOUT, true); ++ } + } + + +@@ -499,9 +538,17 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + + + void closeConnection(Http2Exception ce) { ++ long code; ++ byte[] msg; ++ if (ce == null) { ++ code = Http2Error.NO_ERROR.getCode(); ++ msg = null; ++ } else { ++ code = ce.getError().getCode(); ++ msg = ce.getMessage().getBytes(StandardCharsets.UTF_8); ++ } + try { +- writeGoAwayFrame(maxProcessedStreamId, ce.getError().getCode(), +- ce.getMessage().getBytes(StandardCharsets.UTF_8)); ++ writeGoAwayFrame(maxProcessedStreamId, code, msg); + } catch (IOException ioe) { + // Ignore. GOAWAY is sent on a best efforts basis and the original + // error has already been logged. +@@ -665,7 +712,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + header[4] = FLAG_END_OF_STREAM; + stream.sentEndOfStream(); + if (!stream.isActive()) { +- activeRemoteStreamCount.decrementAndGet(); ++ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); + } + } + if (writeable) { +@@ -1182,7 +1229,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) { + // If there are too many open streams, simply ignore the push + // request. +- activeRemoteStreamCount.decrementAndGet(); ++ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); + return; + } + +@@ -1301,7 +1348,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + if (stream != null) { + stream.receivedEndOfStream(); + if (!stream.isActive()) { +- activeRemoteStreamCount.decrementAndGet(); ++ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); + } + } + } +@@ -1340,7 +1387,7 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + stream.receivedStartOfHeaders(headersEndStream); + closeIdleStreams(streamId); + if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) { +- activeRemoteStreamCount.decrementAndGet(); ++ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); + throw new StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams", + Long.toString(localSettings.getMaxConcurrentStreams())), + Http2Error.REFUSED_STREAM, streamId); +-- +2.23.0 + diff --git a/CVE-2020-13943-4.patch b/CVE-2020-13943-4.patch new file mode 100644 index 0000000..b10cb40 --- /dev/null +++ b/CVE-2020-13943-4.patch @@ -0,0 +1,114 @@ +From 902356dc34097b50eb6ca3a74443be466e991a77 Mon Sep 17 00:00:00 2001 +From: wangxiao65 <287608437@qq.com> +Date: Wed, 2 Dec 2020 11:07:21 +0800 +Subject: [PATCH] CVE-2020-13943 + +--- + java/org/apache/coyote/http2/Http2Parser.java | 2 +- + .../coyote/http2/Http2UpgradeHandler.java | 20 ++++++++++++------- + .../coyote/http2/TestHttp2Section_5_1.java | 20 ++++++++++++------- + 3 files changed, 27 insertions(+), 15 deletions(-) + +diff --git a/java/org/apache/coyote/http2/Http2Parser.java b/java/org/apache/coyote/http2/Http2Parser.java +index f5e19865b2..6ec659d1e0 100644 +--- a/java/org/apache/coyote/http2/Http2Parser.java ++++ b/java/org/apache/coyote/http2/Http2Parser.java +@@ -721,7 +721,7 @@ class Http2Parser { + // Header frames + HeaderEmitter headersStart(int streamId, boolean headersEndStream) + throws Http2Exception, IOException; +- void headersEnd(int streamId) throws ConnectionException; ++ void headersEnd(int streamId) throws Http2Exception; + + // Priority frames (also headers) + void reprioritise(int streamId, int parentStreamId, boolean exclusive, int weight) +diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java +index 9c18bf0ca8..af10cd0838 100644 +--- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java ++++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java +@@ -1386,12 +1386,6 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + stream.checkState(FrameType.HEADERS); + stream.receivedStartOfHeaders(headersEndStream); + closeIdleStreams(streamId); +- if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) { +- setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); +- throw new StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams", +- Long.toString(localSettings.getMaxConcurrentStreams())), +- Http2Error.REFUSED_STREAM, streamId); +- } + return stream; + } else { + if (log.isDebugEnabled()) { +@@ -1439,12 +1433,24 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH + + + @Override +- public void headersEnd(int streamId) throws ConnectionException { ++ public void headersEnd(int streamId) throws Http2Exception { + Stream stream = getStream(streamId, connectionState.get().isNewStreamAllowed()); + if (stream != null) { + setMaxProcessedStream(streamId); + if (stream.isActive()) { + if (stream.receivedEndOfHeaders()) { ++ ++ if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) { ++ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet()); ++ // Ignoring maxConcurrentStreams increases the overhead count ++ increaseOverheadCount(); ++ throw new StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams", ++ Long.toString(localSettings.getMaxConcurrentStreams())), ++ Http2Error.REFUSED_STREAM, streamId); ++ } ++ // Valid new stream reduces the overhead count ++ reduceOverheadCount(); ++ + processStreamOnContainerThread(stream); + } + } +diff --git a/test/org/apache/coyote/http2/TestHttp2Section_5_1.java b/test/org/apache/coyote/http2/TestHttp2Section_5_1.java +index f878653ecf..0b937a9fb9 100644 +--- a/test/org/apache/coyote/http2/TestHttp2Section_5_1.java ++++ b/test/org/apache/coyote/http2/TestHttp2Section_5_1.java +@@ -222,11 +222,11 @@ public class TestHttp2Section_5_1 extends Http2TestBase { + // Expecting + // 1 * headers + // 56k-1 of body (7 * ~8k) +- // 1 * error (could be in any order) +- for (int i = 0; i < 8; i++) { ++ // 1 * error ++ // for a total of 9 frames (could be in any order) ++ for (int i = 0; i < 9; i++) { + parser.readFrame(true); + } +- parser.readFrame(true); + + Assert.assertTrue(output.getTrace(), + output.getTrace().contains("5-RST-[" + +@@ -238,14 +238,20 @@ public class TestHttp2Section_5_1 extends Http2TestBase { + + // Release the remaining body + sendWindowUpdate(0, (1 << 31) - 2); +- // Allow for the 8k still in the stream window ++ // Allow for the ~8k still in the stream window + sendWindowUpdate(3, (1 << 31) - 8193); + +- // 192k of body (24 * 8k) +- // 1 * error (could be in any order) +- for (int i = 0; i < 24; i++) { ++ // Read until the end of stream 3 ++ while (!output.getTrace().contains("3-EndOfStream")) { + parser.readFrame(true); + } ++ output.clearTrace(); ++ ++ // Confirm another request can be sent once concurrency falls back below limit ++ sendSimpleGetRequest(7); ++ parser.readFrame(true); ++ parser.readFrame(true); ++ Assert.assertEquals(getSimpleResponseTrace(7), output.getTrace()); + } + + +-- +2.23.0 + diff --git a/tomcat.spec b/tomcat.spec index 2b04e12..7764221 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -13,7 +13,7 @@ Name: tomcat Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 14 +Release: 15 Summary: Implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies License: ASL 2.0 URL: http://tomcat.apache.org/ @@ -70,6 +70,10 @@ Patch6024: CVE-2020-9484.patch Patch6025: CVE-2020-11996.patch Patch6026: CVE-2020-13934.patch Patch6027: CVE-2020-13935.patch +Patch6028: CVE-2020-13943-1.patch +Patch6029: CVE-2020-13943-2.patch +Patch6030: CVE-2020-13943-3.patch +Patch6031: CVE-2020-13943-4.patch BuildRequires: ecj >= 1:4.6.1 findutils apache-commons-collections apache-commons-daemon BuildRequires: apache-commons-dbcp apache-commons-pool tomcat-taglibs-standard ant @@ -471,6 +475,12 @@ fi %{_javadocdir}/%{name} %changelog +* Wed Dec 2 2020 jialei - 1:9.0.10-15 +- Type:cves +- ID: CVE-2020-13943 +- SUG:restart +- DESC: fix CVE-2020-13943 + * Wed Sep 9 2020 wangxiao - 1:9.0.10-14 - Type:cves - ID: CVE-2020-9484 CVE-2020-11996 CVE-2020-13934 CVE-2020-13935 -- Gitee