diff --git a/CVE-2019-3888.patch b/CVE-2019-3888.patch
deleted file mode 100644
index cef7214e091f6987bbb857fa3e1db8b85d06b459..0000000000000000000000000000000000000000
--- a/CVE-2019-3888.patch
+++ /dev/null
@@ -1,22 +0,0 @@
-From ac72df4e61b73d205c6cc5ad08226fa4c889ccc2 Mon Sep 17 00:00:00 2001
-From: Michael Bolz
-Date: Tue, 1 Oct 2019 06:45:17 +0200
-Subject: [PATCH] [UNDERTOW-1515] HttpServerExchange.toString does not include
- headers
-
---
- core/src/main/java/io/undertow/server/HttpServerExchange.java | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/core/src/main/java/io/undertow/server/HttpServerExchange.java b/core/src/main/java/io/undertow/server/HttpServerExchange.java
-index d933eb7811..a2763ed6ab 100644
---- a/core/src/main/java/io/undertow/server/HttpServerExchange.java
-+++ b/core/src/main/java/io/undertow/server/HttpServerExchange.java
-@@ -2443,6 +2443,6 @@ public T create() {
-
- @Override
- public String toString() {
-- return "HttpServerExchange{ " + getRequestMethod().toString() + " " + getRequestURI() + " request " + requestHeaders + " response " + responseHeaders + '}';
-+ return "HttpServerExchange{ " + getRequestMethod().toString() + " " + getRequestURI() + '}';
- }
- }
diff --git a/CVE-2020-10705.patch b/CVE-2020-10705.patch
deleted file mode 100644
index 7dc0fdb79f86661274c6703c4fcec15ae6c02dd7..0000000000000000000000000000000000000000
--- a/CVE-2020-10705.patch
+++ /dev/null
@@ -1,97 +0,0 @@
-From b53d4589c586e8bbdcc89ed60f32cd7977e9a4f4 Mon Sep 17 00:00:00 2001
-From: Stuart Douglas
-Date: Wed, 15 Apr 2020 15:39:02 +1000
-Subject: [PATCH] [UNDERTOW-1657] Fix issue with 100-continue and h2
-
---
- .../server/handlers/HttpContinueReadHandler.java | 12 +++++++-----
- .../server/protocol/ajp/AjpServerConnection.java | 6 +++++-
- .../server/protocol/http/HttpServerConnection.java | 6 +++++-
- 3 files changed, 17 insertions(+), 7 deletions(-)
-
-diff --git a/core/src/main/java/io/undertow/server/handlers/HttpContinueReadHandler.java b/core/src/main/java/io/undertow/server/handlers/HttpContinueReadHandler.java
-index 33c5c25..4a905f3 100644
---- a/core/src/main/java/io/undertow/server/handlers/HttpContinueReadHandler.java
-+++ b/core/src/main/java/io/undertow/server/handlers/HttpContinueReadHandler.java
-@@ -23,15 +23,17 @@ import java.nio.ByteBuffer;
- import java.nio.channels.FileChannel;
- import java.util.concurrent.TimeUnit;
-
-+import org.xnio.channels.StreamSinkChannel;
-+import org.xnio.conduits.AbstractStreamSourceConduit;
-+import org.xnio.conduits.StreamSourceConduit;
-+
- import io.undertow.server.ConduitWrapper;
--import io.undertow.server.protocol.http.HttpContinue;
- import io.undertow.server.HttpHandler;
- import io.undertow.server.HttpServerExchange;
-+import io.undertow.server.ResponseCommitListener;
-+import io.undertow.server.protocol.http.HttpContinue;
- import io.undertow.util.ConduitFactory;
- import io.undertow.util.StatusCodes;
--import org.xnio.channels.StreamSinkChannel;
--import org.xnio.conduits.AbstractStreamSourceConduit;
--import org.xnio.conduits.StreamSourceConduit;
-
- /**
- * Handler for requests that require 100-continue responses. If an attempt is made to read from the source
-@@ -44,7 +46,7 @@ public class HttpContinueReadHandler implements HttpHandler {
- private static final ConduitWrapper WRAPPER = new ConduitWrapper() {
- @Override
- public StreamSourceConduit wrap(final ConduitFactory factory, final HttpServerExchange exchange) {
-- if(exchange.isRequestChannelAvailable() && !exchange.isResponseStarted()) {
-+ if (exchange.isRequestChannelAvailable() && !exchange.isResponseStarted()) {
- return new ContinueConduit(factory.create(), exchange);
- }
- return factory.create();
-diff --git a/core/src/main/java/io/undertow/server/protocol/ajp/AjpServerConnection.java b/core/src/main/java/io/undertow/server/protocol/ajp/AjpServerConnection.java
-index e5e3031..d9cae2d 100644
---- a/core/src/main/java/io/undertow/server/protocol/ajp/AjpServerConnection.java
-+++ b/core/src/main/java/io/undertow/server/protocol/ajp/AjpServerConnection.java
-@@ -26,6 +26,8 @@ import io.undertow.server.HttpHandler;
- import io.undertow.server.HttpServerExchange;
- import io.undertow.server.SSLSessionInfo;
- import io.undertow.util.DateUtils;
-+
-+import org.xnio.IoUtils;
- import org.xnio.OptionMap;
- import io.undertow.connector.ByteBufferPool;
- import org.xnio.StreamConnection;
-@@ -61,7 +63,9 @@ public final class AjpServerConnection extends AbstractServerConnection {
-
- @Override
- public void terminateRequestChannel(HttpServerExchange exchange) {
-- //todo: terminate
-+ if (!exchange.isPersistent()) {
-+ IoUtils.safeClose(getChannel().getSourceChannel());
-+ }
- }
-
- @Override
-diff --git a/core/src/main/java/io/undertow/server/protocol/http/HttpServerConnection.java b/core/src/main/java/io/undertow/server/protocol/http/HttpServerConnection.java
-index 0128e9b..63bcdd6 100644
---- a/core/src/main/java/io/undertow/server/protocol/http/HttpServerConnection.java
-+++ b/core/src/main/java/io/undertow/server/protocol/http/HttpServerConnection.java
-@@ -36,6 +36,8 @@ import io.undertow.util.Headers;
- import io.undertow.util.HttpString;
- import io.undertow.util.ImmediatePooledByteBuffer;
- import io.undertow.util.Methods;
-+
-+import org.xnio.IoUtils;
- import org.xnio.OptionMap;
- import io.undertow.connector.ByteBufferPool;
- import io.undertow.connector.PooledByteBuffer;
-@@ -135,7 +137,9 @@ public final class HttpServerConnection extends AbstractServerConnection {
-
- @Override
- public void terminateRequestChannel(HttpServerExchange exchange) {
--
-+ if (!exchange.isPersistent()) {
-+ IoUtils.safeClose(getChannel().getSourceChannel());
-+ }
- }
-
- /**
---
-2.23.0
-
diff --git a/CVE-2020-10719.patch b/CVE-2020-10719.patch
deleted file mode 100644
index bce0b2984a891acdf46dddd0acded2d1ac328615..0000000000000000000000000000000000000000
--- a/CVE-2020-10719.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From bfc8fbd67f6b3dd96702b363f61cf805baf3c6cf Mon Sep 17 00:00:00 2001
-From: Bartosz Spyrko-Smietanko
-Date: Tue, 25 Feb 2020 13:26:20 +0000
-Subject: [PATCH] [UNDERTOW-1708][JBEAP-18537] Fix overflow of chunk size
-
---
- core/src/main/java/io/undertow/UndertowMessages.java | 3 +++
- core/src/main/java/io/undertow/conduits/ChunkReader.java | 5 +++++
- 2 files changed, 8 insertions(+)
-
-diff --git a/core/src/main/java/io/undertow/UndertowMessages.java b/core/src/main/java/io/undertow/UndertowMessages.java
-index fbde7d1..3aa4ad8 100644
---- a/core/src/main/java/io/undertow/UndertowMessages.java
-+++ b/core/src/main/java/io/undertow/UndertowMessages.java
-@@ -471,4 +471,7 @@ public interface UndertowMessages {
-
- @Message(id = 147, value = "No host header in a HTTP/1.1 request")
- IOException noHostInHttp11Request();
-+
-+ @Message(id = 195, value = "Chunk size too large")
-+ IOException chunkSizeTooLarge();
- }
-diff --git a/core/src/main/java/io/undertow/conduits/ChunkReader.java b/core/src/main/java/io/undertow/conduits/ChunkReader.java
-index 21ef002..e064f71 100644
---- a/core/src/main/java/io/undertow/conduits/ChunkReader.java
-+++ b/core/src/main/java/io/undertow/conduits/ChunkReader.java
-@@ -48,6 +48,8 @@ class ChunkReader {
-
- private static final long MASK_COUNT = longBitMask(0, 56);
-
-+ private static final long LIMIT = Long.MAX_VALUE >> 4;
-+
- private long state;
- private final Attachable attachable;
- private final AttachmentKey trailerAttachmentKey;
-@@ -103,6 +105,9 @@ class ChunkReader {
- while (buf.hasRemaining()) {
- byte b = buf.get();
- if ((b >= '0' && b <= '9') || (b >= 'a' && b <= 'f') || (b >= 'A' && b <= 'F')) {
-+ if (chunkRemaining > LIMIT) {
-+ throw UndertowMessages.MESSAGES.chunkSizeTooLarge();
-+ }
- chunkRemaining <<= 4; //shift it 4 bytes and then add the next value to the end
- chunkRemaining += Character.digit((char) b, 16);
- } else {
---
-2.23.0
-
diff --git a/CVE-2023-1108.patch b/CVE-2023-1108.patch
deleted file mode 100644
index 2928d53e7ac8b3a009fe321b4140e723a1ff5779..0000000000000000000000000000000000000000
--- a/CVE-2023-1108.patch
+++ /dev/null
@@ -1,25 +0,0 @@
-From b98b55c993e3163e22121935f826adc8c4025c86 Mon Sep 17 00:00:00 2001
-From: mayp
-Date: Mon, 3 Apr 2023 18:02:05 +0800
-Subject: [PATCH] Fix CVE-2023-1108
-
---
- core/src/main/java/io/undertow/protocols/ssl/SslConduit.java | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
-index 3084915..dde0e0c 100644
---- a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
-+++ b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
-@@ -852,7 +852,7 @@ public class SslConduit implements StreamSourceConduit, StreamSinkConduit {
- }
- try {
- SSLEngineResult result = null;
-- while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW)) {
-+ while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW && !engine.isInboundDone())) {
- if (userBuffers == null) {
- result = engine.wrap(EMPTY_BUFFER, wrappedData.getBuffer());
- } else {
---
-2.36.1
-
diff --git a/undertow-1.4.0-jetty-alpn-api-1.1.0.patch b/undertow-1.4.0-jetty-alpn-api-1.1.0.patch
deleted file mode 100644
index 96b35219509686e8b7c448af11625eb8cadd6e0c..0000000000000000000000000000000000000000
--- a/undertow-1.4.0-jetty-alpn-api-1.1.0.patch
+++ /dev/null
@@ -1,15 +0,0 @@
-diff -Nru undertow-1.4.0.Final/core/src/main/java/io/undertow/client/JettyALPNClientProvider.java undertow-1.4.0.Final.alpn-api/core/src/main/java/io/undertow/client/JettyALPNClientProvider.java
---- undertow-1.4.0.Final/core/src/main/java/io/undertow/client/JettyALPNClientProvider.java 2016-08-03 01:26:17.000000000 +0200
-+++ undertow-1.4.0.Final.alpn-api/core/src/main/java/io/undertow/client/JettyALPNClientProvider.java 2016-08-20 23:10:53.879207573 +0200
-@@ -161,11 +161,6 @@
- }
-
- @Override
-- public boolean supports() {
-- return true;
-- }
--
-- @Override
- public List protocols() {
- return protocols;
- }
diff --git a/undertow.spec b/undertow.spec
index 9cd92c93f19c566675ea04f596f891b6f6c6c574..ad5388a6ea90a7ce060de31c59fc408b1d14ec3b 100644
--- a/undertow.spec
+++ b/undertow.spec
@@ -1,18 +1,13 @@
 %global namedreltag .Final
 %global namedversion %{version}%{?namedreltag}
 Name: undertow
-Version: 1.4.0
-Release: 7
+Version: 2.3.15
+Release: 1
 Summary: Java web server using non-blocking IO
 License: ASL 2.0
 URL: http://undertow.io/
 Source0: https://github.com/undertow-io/undertow/archive/%{namedversion}/%{name}-%{namedversion}.tar.gz
-# Remove unavailable methods in jetty-alpn-api-1.1.0
-Patch0: undertow-1.4.0-jetty-alpn-api-1.1.0.patch
-Patch1: CVE-2020-10705.patch
-Patch2: CVE-2019-3888.patch
-Patch3: CVE-2020-10719.patch
-Patch4: CVE-2023-1108.patch
+
 BuildArch: noarch
 Epoch: 1
 BuildRequires: maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api)
@@ -79,6 +74,9 @@ export CXXFLAGS="${RPM_OPT_FLAGS}"
 %license LICENSE.txt
 %changelog
+* Wed Aug 14 2024 yueyaoqiang - 1:2.3.15-1
+- update to 2.3.15
+
 * Mon Aug 21 2023 yaoxin - 1:1.4.0-7
 - Fix build failure caused by jboss-classfilewriter upgrade to 1.3.0
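Review bot: The `undertow.spec` header hunk removes `Patch1` to `Patch4` (CVE-2020-10705, CVE-2019-3888, CVE-2020-10719, CVE-2023-1108) together with the jump from 1.4.0 to 2.3.15, but the new `%changelog` entry in the following hunk says only `- update to 2.3.15`. Anyone auditing the package history for these CVEs cannot tell from the spec whether the backports were dropped on purpose, so the entry should record it, for example `- update to 2.3.15; drop CVE-2019-3888, CVE-2020-10705, CVE-2020-10719 and CVE-2023-1108 patches (fixed upstream)`. That the 2.3.15 tarball contains all four fixes is presumably true for a release this much newer, but nothing in this diff shows it, so it is worth confirming against the upstream sources before merge. The lone `+` blank line left where the `Patch` block stood can be dropped. `BuildRequires` is unchanged across a major-version jump and may need a check against the 2.3.15 POM.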