rpms/jetty/devel jetty-CERT438616-CERT237888-CERT21284.patch, NONE, 1.1 .cvsignore, 1.2, 1.3 jetty.spec, 1.3, 1.4 sources, 1.2, 1.3

Jeff Johnston (jjohnstn) fedora-extras-commits at redhat.com
Fri Jul 4 17:03:43 UTC 2008


Author: jjohnstn

Update of /cvs/pkgs/rpms/jetty/devel
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv17229

Modified Files:
	.cvsignore jetty.spec sources 
Added Files:
	jetty-CERT438616-CERT237888-CERT21284.patch 
Log Message:

* Fri Jul 04 2008 Jeff Johnston <jjohnstn at redhat.com> 5.1.14-1jpp.2
- Security patch
- Resolves #417401, #417411, #417391



jetty-CERT438616-CERT237888-CERT21284.patch:

--- NEW FILE jetty-CERT438616-CERT237888-CERT21284.patch ---
Index: src/org/mortbay/http/HttpFields.java
===================================================================
RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/http/HttpFields.java,v
retrieving revision 1.77
diff -r1.77 HttpFields.java
1461a1462
>                 value=StringUtil.noCRLF(value);
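Review bot: The added `value=StringUtil.noCRLF(value);` has no comment saying why the value is rewritten, and the enclosing method lies outside the hunk, so a reader cannot tell which header path it protects. I would add `// replace CR, LF and NUL so a field value cannot end the header line early` above it. Only the value is treated here; whether the field name is already checked before this point is not visible from the hunk and is worth confirming.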
Index: src/org/mortbay/http/HttpResponse.java
===================================================================
RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/http/HttpResponse.java,v
retrieving revision 1.62
diff -r1.62 HttpResponse.java
21a22
> import java.util.Date;
22a24
> import java.util.List;
462a465,519
>     public void addDateField(String name, Date date)
>     {
>         super.addDateField(sanitize(name),date);
>     }
> 
>     public void addDateField(String name, long date)
>     {
>         super.addDateField(sanitize(name),date);
>     }
> 
>     public void addField(String name, String value) throws IllegalStateException
>     {
>         super.addField(sanitize(name),sanitize(value));
>     }
> 
>     public void addIntField(String name, int value)
>     {
>         super.addIntField(sanitize(name),value);
>     }
> 
>     public void setContentType(String contentType)
>     {
>         super.setContentType(sanitize(contentType));
>     }
> 
>     public void setDateField(String name, Date date)
>     {
>         super.setDateField(sanitize(name),date);
>     }
> 
>     public void setDateField(String name, long date)
>     {
>         super.setDateField(sanitize(name),date);
>     }
> 
>     public void setField(String name, List value)
>     {
>         super.setField(sanitize(name),value);
>     }
> 
>     public String setField(String name, String value)
>     {
>         return super.setField(sanitize(name),sanitize(value));
>     }
> 
>     public void setIntField(String name, int value)
>     {
>         super.setIntField(sanitize(name),value);
>     }
> 
>     private String sanitize(String s)
>     {
>         return StringUtil.noCRLF(s);
>     }
>     
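Review bot: `setField(String name, List value)` sanitizes the name only; the list elements go to `super.setField` unchanged, so a CR or LF inside an element is not covered by this override, unlike the `String` overloads. Unless the `noCRLF` call added in HttpFields.java sits on the path every list element takes (not visible here), the elements should be copied through `sanitize` as below, which needs `java.util.ArrayList` and `java.util.Iterator` imported. The new overrides also have no Javadoc; a one-line comment on `sanitize` saying that CR, LF and NUL are replaced with '.' rather than rejected would tell callers that a changed value is not reported.

```java
    public void setField(String name, List value)
    {
        List clean=null;
        if (value!=null)
        {
            clean=new ArrayList(value.size());
            for (Iterator i=value.iterator();i.hasNext();)
            {
                Object o=i.next();
                // only String elements can be rewritten here; others pass through
                clean.add(o instanceof String?sanitize((String)o):o);
            }
        }
        super.setField(sanitize(name),clean);
    }
```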
Index: src/org/mortbay/servlet/Dump.java
===================================================================
RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/servlet/Dump.java,v
retrieving revision 1.42
diff -r1.42 Dump.java
46a47
> import org.mortbay.util.StringUtil;
169a171,173
>         response.setHeader("Ok","value");
>         response.setHeader("ztu\r\n\r\npid","val\r\n\r\nue");
>         response.addCookie(new Cookie("Stu'pid","val\r\n\r\nue"));
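Review bot: These three lines make every Dump response carry a deliberately malformed header and cookie, and nothing says they are probes for the CR/LF handling. Add a comment such as `// regression probes: CR/LF in header and cookie values must reach the client as '.'`, or move them into a test so the demo servlet does not ship them. The cookie value goes through `addCookie`, and no hunk in this patch shows that path being sanitized, so that is worth confirming. The enclosing method starts and ends outside the hunk.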
177c181,198
<             Table table= new Table(0).cellPadding(0).cellSpacing(0);
---
>             Table table= new Table(0)
>             {
>                 public Table addCell(Object o)
>                 {
>                     if (o!=null && o instanceof String)
>                     {
>                         String s = (String)o;
>                         s=StringUtil.replace(s,"\r\n","<br/>");
>                         s=StringUtil.replace(s,"\n","<br/>");
>                         s=StringUtil.replace(s,"<","<");
>                         s=StringUtil.replace(s,">",">");
>                         o=s;
>                     }
>                     return super.addCell(o);
>                 }
>             };
>             
>             table.cellPadding(0).cellSpacing(0);
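Review bot: As printed here, the last two `StringUtil.replace` calls in `addCell` map `<` to `<` and `>` to `>`, so the cell text is not HTML-escaped; the entity names were probably lost when this page was rendered, so check the patch file itself. Even with `&lt;` and `&gt;` as the targets, the order is wrong: the `<br/>` inserted by the first two calls would be escaped by the later ones, and `&` is never escaped. Escape first, then convert line breaks, as below. The `o!=null &&` test is redundant before `instanceof`.

```java
                    if (o instanceof String)
                    {
                        String s = (String)o;
                        // escape markup before inserting <br/>, so the inserted tags survive
                        s=StringUtil.replace(s,"&","&amp;");
                        s=StringUtil.replace(s,"<","&lt;");
                        s=StringUtil.replace(s,">","&gt;");
                        s=StringUtil.replace(s,"\r\n","<br/>");
                        s=StringUtil.replace(s,"\n","<br/>");
                        o=s;
                    }
                    // … unchanged: return super.addCell(o) …
```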
360c381
<                 table.addCell("<pre>" + toString(request.getAttribute(name)) + "</pre>");
---
>                 table.addCell(toString(request.getAttribute(name)));
378c399
<                 table.addCell("<pre>" + toString(getInitParameter(name)) + "</pre>");
---
>                 table.addCell(toString(getInitParameter(name)));
395c416
<                 table.addCell("<pre>" + toString(getServletContext().getInitParameter(name)) + "</pre>");
---
>                 table.addCell(toString(getServletContext().getInitParameter(name)));
412c433
<                 table.addCell("<pre>" + toString(getServletContext().getAttribute(name)) + "</pre>");
---
>                 table.addCell(toString(getServletContext().getAttribute(name)));
435c456
<                     table.addCell("<pre>" + multi.getString(parts[p]) + "</pre>");
---
>                     table.addCell(multi.getString(parts[p]));
Index: src/org/mortbay/util/StringUtil.java
===================================================================
RCS file: /cvsroot/jetty/Jetty/src/org/mortbay/util/StringUtil.java,v
retrieving revision 1.16
diff -r1.16 StringUtil.java
286a287,292
> 
>     /* ------------------------------------------------------------ */
>     public static String noCRLF(String s)
>     {
>         if (s==null || s.length()==0)
>             return s;
287a294,334
>         StringBuffer buf = null;
>         int i=0;
>         loop:
>         for (;i<s.length();i++)
>         {
>             char c = s.charAt(i);
>             switch(c)
>             {
>                 case 0:
>                 case '\n':
>                 case '\r':
>                 {
>                     buf=new StringBuffer(s.length());
>                     buf.append(s,0,i);
>                     buf.append('.');
>                     break loop;
>                 }
>                 default:
>             }
>         }
>         
>         if (buf==null)
>             return s;
> 
>         for (;i<s.length();i++)
>         {
>             char c = s.charAt(i);
>             switch(c)
>             {
>                 case 0:
>                 case '\n':
>                 case '\r':
>                     buf.append('.');
>                     break;
>                 default:
>                     buf.append(c);
>             }
>         }
>        
>         return buf.toString();
>     }
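Review bot: `noCRLF` has no Javadoc, and its contract is not obvious from the name: it replaces NUL as well as CR and LF, substitutes '.' for each instead of removing or rejecting it, and returns the same instance when nothing needed replacing. I would put a short Javadoc in place of the bare separator comment that states this, and that null and empty input are returned unchanged. The method starts in the previous hunk (`286a287,292`). As a style point, the two loops repeat the same `switch`; a single loop that creates the buffer lazily on the first hit would remove the duplication.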


Index: .cvsignore
===================================================================
RCS file: /cvs/pkgs/rpms/jetty/devel/.cvsignore,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- .cvsignore	28 Aug 2007 21:44:54 -0000	1.2
+++ .cvsignore	4 Jul 2008 17:02:53 -0000	1.3
@@ -1 +1,2 @@
 jetty-5.1.12.fedora.zip
+jetty-5.1.14.fedora.tgz


Index: jetty.spec
===================================================================
RCS file: /cvs/pkgs/rpms/jetty/devel/jetty.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- jetty.spec	31 Aug 2007 21:42:26 -0000	1.3
+++ jetty.spec	4 Jul 2008 17:02:53 -0000	1.4
@@ -53,23 +53,23 @@
 %define demodir     %{_localstatedir}/lib/%{name}/demo
 
 Name:           jetty
-Version:        5.1.12
-Release:        1jpp.7%{?dist}
+Version:        5.1.14
+Release:        1jpp.2%{?dist}
 Summary:        The Jetty Webserver and Servlet Container
 
 Group:          Applications/Internet
 License:        ASL 2.0
 URL:            http://jetty.mortbay.org/jetty/
-# Following source zip was originally taken from the following location:
-# http://mirrors.ibiblio.org/pub/mirrors/maven/jetty/jetty-5.1.12.zip
-# The zip file was modified by removing all jars and BCLA licenses.
-# unzip jetty-5.1.12.zip
-# pushd jetty-5.1.12
+# Following source tarball was originally taken from the following location:
+# http://www.ibiblio.org/maven/jetty/jetty-5.1.x/jetty-5.1.14.tgz
+# The tarball was modified by removing all jars and BCLA licenses.
+# tar -xzf jetty-5.1.14.tgz
+# pushd jetty-5.1.14
 # find . -name *.jar -exec rm {} \;
 # rm ./etc/LICENSE.javax.xml.html ./etc/LICENSE.jsse.txt
 # popd
-# zip jetty-5.1.12.fedora.zip jetty-5.1.12/*
-Source0:        %{jettyname}-%{version}.fedora.zip
+# tar -czf jetty-5.1.14.fedora.tgz jetty-5.1.14/*
+Source0:        %{jettyname}-%{version}.fedora.tgz
 Source1:        jetty.script
 Source2:        jetty.init
 Source3:        jetty.logrotate
@@ -78,6 +78,7 @@
 Patch1:         jetty-PostFileFilter.patch
 Patch2:         jetty-libgcj-bad-serialization.patch
 Patch3:         jetty-TestRFC2616-libgcj-bad-date-parser.patch
+Patch4:		jetty-CERT438616-CERT237888-CERT21284.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 
 %if ! %{gcj_support}
@@ -252,6 +253,8 @@
 %patch2 -b .sav
 %patch3 -b .sav
 
+%patch4
+
 # Delete this Sun specific file.
 rm src/org/mortbay/http/SunJsseListener.java
 
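Review bot: `%patch4` is applied without the `-b .sav` backup suffix that the patches above it use; `%patch4 -b .sav` would keep the section consistent. The patch file it applies is in normal diff format and most of its hunks are pure additions (`1461a1462`, `462a465,519`), which carry no context lines, so patch has little to check the insertion point against if the upstream source shifts. Regenerating it with `diff -u` would make a misapplied security fix fail the build instead of landing at the wrong line.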
@@ -596,6 +599,13 @@
 %endif
 
 %changelog
+* Fri Jul 04 2008 Jeff Johnston <jjohnstn at redhat.com> 5.1.14-1jpp.2
+- Security patch
+- Resolves #417401, #417411, #417391
+
+* Wed Jun 25 2008 Jeff Johnston <jjohnstn at redhat.com> 5.1.14-1jpp.1
+- Upgrade to 5.1.14 source tarball for Fedora
+
 * Fri Aug 31 2007 Jeff Johnston <jjohnstn at redhat.com> 5.1.12-1jpp.7
 - Resolves #262221
 - Use /bin/sh instead of /sbin/nologin so init will work


Index: sources
===================================================================
RCS file: /cvs/pkgs/rpms/jetty/devel/sources,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- sources	28 Aug 2007 21:44:54 -0000	1.2
+++ sources	4 Jul 2008 17:02:53 -0000	1.3
@@ -1 +1 @@
-7c6af7ed3365b136b55e752df8dead6f  jetty-5.1.12.fedora.zip
+04dcaaa5407462cea9c514b7f7aabff7  jetty-5.1.14.fedora.tgz



