diff --git a/change-defaults-for-CVE-2020-1938.patch b/change-defaults-for-CVE-2020-1938.patch index 03207b1..a7f7c49 100644 --- a/change-defaults-for-CVE-2020-1938.patch +++ b/change-defaults-for-CVE-2020-1938.patch @@ -1,6 +1,6 @@ diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java ---- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig 2020-03-12 13:33:31.792406379 -0400 -+++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2020-03-12 13:35:24.222117728 -0400 +--- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig 2020-04-22 15:31:12.889587528 -0400 ++++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2020-04-22 15:31:37.907534419 -0400 @@ -16,7 +16,6 @@ */ package org.apache.coyote.ajp; @@ -28,9 +28,9 @@ diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/a this.secretRequired = secretRequired; } diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml ---- ./webapps/docs/changelog.xml.orig 2020-03-12 13:33:54.354348454 -0400 -+++ ./webapps/docs/changelog.xml 2020-03-12 13:37:17.041828075 -0400 -@@ -178,14 +178,10 @@ +--- ./webapps/docs/changelog.xml.orig 2020-04-03 08:12:03.000000000 -0400 ++++ ./webapps/docs/changelog.xml 2020-04-22 15:31:37.911534411 -0400 +@@ -526,14 +526,10 @@ Disable (comment out in server.xml) the AJP/1.3 connector by default. (markt) 
@@ -47,26 +47,25 @@ diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml will not start unless the secret attribute is configured to a non-null, non-zero length String. (markt) diff -up ./webapps/docs/config/ajp.xml.orig ./webapps/docs/config/ajp.xml ---- ./webapps/docs/config/ajp.xml.orig 2020-03-12 13:34:10.383307302 -0400 -+++ ./webapps/docs/config/ajp.xml 2020-03-12 13:36:17.617980639 -0400 -@@ -315,7 +315,10 @@ +--- ./webapps/docs/config/ajp.xml.orig 2020-04-22 15:31:37.913534406 -0400 ++++ ./webapps/docs/config/ajp.xml 2020-04-22 15:35:35.003031090 -0400 +@@ -327,7 +327,9 @@ -

For servers with more than one IP address, this attribute - specifies which address will be used for listening on the specified -- port. By default, the loopback address will be used.

-+ port. By default, this port will be used on all IP addresses -+ associated with the server. A value of 127.0.0.1 -+ indicates that the Connector will only listen on the loopback -+ interface.

+

For servers with more than one IP address, this attribute specifies + which address will be used for listening on the specified port. By +- default, the connector will listen on the loopback address. Unless the JVM ++ default, this port will be used on all IP addresses associated with the ++ server. A value of 127.0.0.1 indicates that the Connector ++ will only listen on the loopback interface.

Unless the JVM + is configured otherwise using system properties, the Java based connectors + (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured + with either 0.0.0.0 or ::. The APR/native +@@ -500,7 +502,7 @@ + the secret attribute is required to be specified for the + AJP Connector to start. It does not control whether + workers are required to provide the secret. The default value is +- true. This attribute should only be set to false ++ false. This attribute should only be set to false + when the Connector is used on a trusted network.

- -@@ -465,7 +468,7 @@ - -

If this attribute is true, the AJP Connector will only - start if the secret attribute is configured with a -- non-null, non-zero length value. The default value is true. -+ non-null, non-zero length value. The default value is false. - This attributue should only be set to false when the - Connector is used on a trusted network.

-
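Review bot: the AbstractAjpProtocol.java header lines in the first hunk change only their timestamps (2020-03-12 to 2020-04-22), and the changelog.xml hunk only moves from @@ -178,14 +178,10 @@ to @@ -526,14 +526,10 @@, so for these two files the visible lines show a refresh against a different source tree rather than a change in behaviour. Suggest stating the base the patch was regenerated against in the commit message, and generating the carried patch without file timestamps so later refreshes do not touch these header lines.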
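Review bot: in the ajp.xml hunk at @@ -327,7 +327,9 @@, the rewritten text for the address attribute says "By default, this port will be used on all IP addresses associated with the server" without telling the reader that this makes the AJP port reachable from outside the local host. Suggest adding a sentence after "will only listen on the loopback interface." recommending that address be set explicitly (for example to 127.0.0.1) unless the front-end proxy runs on another host, and pointing the reader to the secret attribute.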
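Review bot: in the ajp.xml hunk at @@ -500,7 +502,7 @@, changing the documented default to "false" leaves the following sentence, "This attribute should only be set to false when the Connector is used on a trusted network", at odds with the default it now describes. Read together with the address hunk, the documented out-of-the-box configuration is a connector listening on all addresses that starts without a secret. Suggest rewording so the text says that false is the default in this build and that a connector not on a trusted network should set secretRequired to true and configure a non-empty secret.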