sts-sponsors team mailing list archive
Message #03435
[Bug 1903851] Re: Tomcat9: multipart upload fails over https
Updated debdiff.patch to include DEP-3 headers.
** Description changed:
+ [ Impact ]
+
+ * Tomcat version 9.0.31 has a bug that prevents multipart uploads over
+ encrypted connections. This happens with the NIO SSL Connector, which
+ is the one that gets auto-selected in a default configuration
+
+ * This patch reverts a change that was made between 9.0.30 and 9.0.31 that
+ causes the multipart upload to fail when using a TLS connection.
+
+ [ Test Plan ]
+
+ * Deploy focal
+
+ * Deploy tomcat9 and use the default configuration
+
+ * Enable HTTPS for tomcat9. A self-signed certificate is sufficient
+
+ * Create a keystore:
+ keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/tomcat9/keystore
+
+ * Enable the HTTPS listener in the tomcat9 configuration file
+ /etc/tomcat9/server.xml
+
+ * Add the following XML snippet at the bottom of the the XML block
+ '<Service name="Catalina">'. Ensure that you specify the same password
+ as when you created the keystore above
+
+ <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
+ maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
+ clientAuth="want" sslProtocol="TLS"
+ sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
+ keystoreFile="/etc/tomcat9/keystore" keystorePass="*******" />
+
+ * Deploy the attached WAR (JerseyDemos.war) file which is a simple test
+ application that exhibits the regression. This is done by placing the WAR
+ file in the following directory: /var/lib/tomcat9/webapps/
+
+ * In a browser on a separate machine, navigate to the application:
+ https://<focal instance>/JerseyDemos/fileUpload.html
+
+ * Attempt to upload the attached file: qg8dbNp.png
+
+ [ Where problems could occur ]
+
+ * This patch only addresses the server reading from the encrypted connection.
+ There is the potential that the server writing to this same connection may
+ trigger a similar issue if the client tries a multipart download.
+ However, that use case is less common and the code for that is a seperate
+ codepath entirely.
+
+ [ Other Info ]
+
+ * This change only applies to focal as releases after focal have a newer
+ version of tomcat9 that includes this patch already.
+
+ * Patch source:
+ https://github.com/apache/tomcat/commit/6e60713c75141bc00f03f08f759df993a6416c71
+
+ * Contained in upstream tag: 9.0.32
+
+ [ Original Bug Description ]
+
Tomcat version 9.0.31 has a bug that prevents multipart uploads over encrypted connections.
This happens with the NIO SSL Connector, which is the one that gets auto-selected on my system.
FAIL - Deploy Upload Failed, Exception:
[org.apache.tomcat.util.http.fileupload.impl.IOFileUploadException:
Processing of multipart/form-data request failed.
java.net.SocketTimeoutException]
https://bz.apache.org/bugzilla/show_bug.cgi?id=64195
https://bz.apache.org/bugzilla/show_bug.cgi?id=64202
The bug is not present in the next Tomcat upstream release, but it seems
the correction has not been ported back to Ubuntu 20.04.1 LTS in the
tomcat9 package, version 9.0.31-1ubuntu0.1.
On a side note, the bug seems to be present also on the current tomcat9
package, version 9.0.31-1~deb10u2 for Debian 10.
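Review bot: the [ Test Plan ] stops at "Attempt to upload the attached file: qg8dbNp.png" and never states an expected result, so there is no pass/fail criterion for verification. Add the failing outcome on the unpatched package (the IOFileUploadException / java.net.SocketTimeoutException quoted in the original description) and the expected successful upload with the patched package. The Connector snippet also lists sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"; if the regression reproduces with TLSv1.2 alone, trimming the list keeps legacy protocols out of a snippet that is likely to be copied into a real server.xml.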
** Patch added: "debdiff.patch"
https://bugs.launchpad.net/ubuntu/focal/+source/tomcat9/+bug/1903851/+attachment/5632126/+files/debdiff.patch
--
You received this bug notification because you are a member of SE SRU
("STS") Sponsors, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1903851
Title:
Tomcat9: multipart upload fails over https
Status in tomcat9 package in Ubuntu:
Invalid
Status in tomcat9 source package in Focal:
In Progress
Bug description:
[ Impact ]

 * Tomcat version 9.0.31 has a bug that prevents multipart uploads over
   encrypted connections. This happens with the NIO SSL Connector, which
   is the one that gets auto-selected in a default configuration

 * This patch reverts a change that was made between 9.0.30 and 9.0.31 that
   causes the multipart upload to fail when using a TLS connection.

[ Test Plan ]

 * Deploy focal

 * Deploy tomcat9 and use the default configuration

 * Enable HTTPS for tomcat9. A self-signed certificate is sufficient

 * Create a keystore:
   keytool -genkey -alias tomcat -keyalg RSA -keystore /etc/tomcat9/keystore

 * Enable the HTTPS listener in the tomcat9 configuration file
   /etc/tomcat9/server.xml

 * Add the following XML snippet at the bottom of the XML block
   '<Service name="Catalina">'. Ensure that you specify the same password
   as when you created the keystore above

   <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
              maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
              clientAuth="want" sslProtocol="TLS"
              sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
              keystoreFile="/etc/tomcat9/keystore" keystorePass="*******" />

 * Deploy the attached WAR (JerseyDemos.war) file which is a simple test
   application that exhibits the regression. This is done by placing the WAR
   file in the following directory: /var/lib/tomcat9/webapps/

 * In a browser on a separate machine, navigate to the application:
   https://<focal instance>/JerseyDemos/fileUpload.html

 * Attempt to upload the attached file: qg8dbNp.png

[ Where problems could occur ]

 * This patch only addresses the server reading from the encrypted connection.
   There is the potential that the server writing to this same connection may
   trigger a similar issue if the client tries a multipart download.
   However, that use case is less common and the code for that is a separate
   codepath entirely.

[ Other Info ]

 * This change only applies to focal as releases after focal have a newer
   version of tomcat9 that includes this patch already.

 * Patch source:
   https://github.com/apache/tomcat/commit/6e60713c75141bc00f03f08f759df993a6416c71

 * Contained in upstream tag: 9.0.32

[ Original Bug Description ]

Tomcat version 9.0.31 has a bug that prevents multipart uploads over encrypted connections.
This happens with the NIO SSL Connector, which is the one that gets auto-selected on my system.

FAIL - Deploy Upload Failed, Exception:
[org.apache.tomcat.util.http.fileupload.impl.IOFileUploadException:
Processing of multipart/form-data request failed.
java.net.SocketTimeoutException]

https://bz.apache.org/bugzilla/show_bug.cgi?id=64195
https://bz.apache.org/bugzilla/show_bug.cgi?id=64202

The bug is not present in the next Tomcat upstream release, but it
seems the correction has not been ported back to Ubuntu 20.04.1 LTS in
the tomcat9 package, version 9.0.31-1ubuntu0.1.

On a side note, the bug seems to be present also on the current
tomcat9 package, version 9.0.31-1~deb10u2 for Debian 10.