packages/undertow
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix CVE-2023-1108

Browse Source 
(cherry picked from commit c5b24f21b91099ae8ce406eed9aa12986c5df06c)
This commit is contained in:
mayp 2023-04-03 18:50:35 +08:00 committed by openeuler-sync-bot
parent 25983d3345
commit 34879cee8e
2 changed files with 31 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
CVE-2023-1108.patch Normal file
View File

@ -0,0 +1,25 @@
From b98b55c993e3163e22121935f826adc8c4025c86 Mon Sep 17 00:00:00 2001
From: mayp <mayanping@ncti-gba.cn>
Date: Mon, 3 Apr 2023 18:02:05 +0800
Subject: [PATCH] Fix CVE-2023-1108
---
core/src/main/java/io/undertow/protocols/ssl/SslConduit.java | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
index 3084915..dde0e0c 100644
--- a/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
+++ b/core/src/main/java/io/undertow/protocols/ssl/SslConduit.java
@@ -852,7 +852,7 @@ public class SslConduit implements StreamSourceConduit, StreamSinkConduit {
}
try {
SSLEngineResult result = null;
- while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW)) {
+ while (result == null || (result.getHandshakeStatus() == SSLEngineResult.HandshakeStatus.NEED_WRAP && result.getStatus() != SSLEngineResult.Status.BUFFER_OVERFLOW && !engine.isInboundDone())) {
if (userBuffers == null) {
result = engine.wrap(EMPTY_BUFFER, wrappedData.getBuffer());
} else {
--
2.36.1

7
undertow.spec
View File

@ -2,7 +2,7 @@
%global namedversion %{version}%{?namedreltag}
Name: undertow
Version: 1.4.0
Release: 4
Release: 5
Summary: Java web server using non-blocking IO
License: ASL 2.0
URL: http://undertow.io/
@ -12,6 +12,7 @@ Patch0: undertow-1.4.0-jetty-alpn-api-1.1.0.patch
Patch1: CVE-2020-10705.patch
Patch2: CVE-2019-3888.patch
Patch3: CVE-2020-10719.patch
Patch4: CVE-2023-1108.patch
BuildArch: noarch
Epoch: 1
BuildRequires: maven-local mvn(junit:junit) mvn(org.eclipse.jetty.alpn:alpn-api)
@ -38,6 +39,7 @@ This package contains the API documentation for %{name}.
%patch1 -p1
%patch2 -p1
%patch3 -p1
%patch4 -p1
rm -rf mac-jdk-fix
%pom_disable_module examples
%pom_remove_plugin -r :maven-checkstyle-plugin
@ -66,6 +68,9 @@ done
%license LICENSE.txt
%changelog
* Mon Apr 3 2023 mayp <mayanping@ncti-gba.cn> - 1:1.4.0-5
- Fix CVE-2023-1108
* Wed Oct 29 2021 wangkai <wangkai385@huawei.com> - 1.4.0-4
- Fix CVE-2020-10719