Merge pull request #46 from cesarhernandezgt/tomcat-10.0.x-TT.x-patch

Backport 7532f9d to mitigate CVE-2024-52316 and updated version to 10.0.28-TT.11
tomitribe · Nov 22, 2024 · 25ec088 · 25ec088
2 parents b551bd2 + a8441ce
commit 25ec088
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/build.properties.default b/build.properties.default
@@ -33,7 +33,7 @@ version.major=10
 version.minor=0
 version.build=28
 version.patch=0
-version.suffix=-TT.10
+version.suffix=-TT.11
 version.dev=
 
 # ----- Build tools -----

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -884,6 +884,8 @@ private boolean authenticateJaspic(Request request, Response response, JaspicSta
             authStatus = state.serverAuthContext.validateRequest(state.messageInfo, client, null);
         } catch (AuthException e) {
             log.debug(sm.getString("authenticator.loginFail"), e);
+            // Need to explicitly set the return code as the ServerAuthContext may not have done.
+            response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
             return false;
         }
 

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -178,6 +178,11 @@
         <code>JsonErrorReportValve</code> to ensure that it always outputs valid
         JSON. (markt)
       </fix>
+      <fix>
+        If the Jakarta Authentication process fails with an Exception,
+        explicitly set the HTTP response status to 500 as the
+        <code>ServerAuthContext</code> may not have set it. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">