Merge pull request #45 from cesarhernandezgt/8.5.x-TT.x-patch
Backport 7532f9d to mitigate CVE-2024-52316 and updated version to 8.5.100-TT.4
cesarhernandezgt authored Nov 22, 2024
2 parents 012653d + 558d020 commit 09abe36
Showing 3 changed files with 8 additions and 1 deletion.
2 changes: 1 addition & 1 deletion build.properties.default
Expand Up @@ -33,7 +33,7 @@ version.major=8
version.minor=5
version.build=100
version.patch=0
version.suffix=-TT.3
version.suffix=-TT.4
version.dev=

# ----- Build tools -----
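
Review bot: The version.suffix bump from -TT.3 to -TT.4 is bundled into the same commit as the AuthenticatorBase change, which makes the security backport harder to cherry-pick or revert on its own. Consider putting the release bump in a separate commit so the CVE-2024-52316 mitigation can be tracked independently of the version number.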
2 changes: 2 additions & 0 deletions java/org/apache/catalina/authenticator/AuthenticatorBase.java
Expand Up @@ -806,6 +806,8 @@ private boolean authenticateJaspic(Request request, Response response, JaspicSta
authStatus = state.serverAuthContext.validateRequest(state.messageInfo, client, null);
} catch (AuthException e) {
log.debug(sm.getString("authenticator.loginFail"), e);
// Need to explicitly set the return code as the ServerAuthContext may not have done.
response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
return false;
}
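
Review bot: The new response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR) in the AuthException catch block has no effect if the ServerAuthContext committed the response before throwing, because setStatus is ignored on a committed response. Consider checking response.isCommitted() at that point and logging that case above debug level, since log.debug alone will not surface a failed authentication at default log settings. None of the three changed files adds a test, so a case with a ServerAuthContext that throws AuthException without setting a status would be worth adding to confirm the request ends in a 500 and never reaches the protected resource.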

5 changes: 5 additions & 0 deletions webapps/docs/changelog.xml
Expand Up @@ -145,6 +145,11 @@
<code>NullPointerException</code>, if an attempt is made to use the
<code>AsyncContext</code> after it has been recycled. (markt)
</fix>
<fix>
If the Jakarta Authentication process fails with an Exception,
explicitly set the HTTP response status to 500 as the
<code>ServerAuthContext</code> may not have set it. (markt)
</fix>
</changelog>
</subsection>
<subsection name="Coyote">
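
Review bot: The new <fix> entry does not mention CVE-2024-52316, which the commit message gives as the reason for this backport, so a reader of changelog.xml cannot tell that the entry is a security mitigation. Consider adding the CVE id to the entry text. The entry also says "Jakarta Authentication" while the method changed on this branch is authenticateJaspic, so "JASPIC" may be the clearer term for 8.5.x users.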