diff -Nru tomcat6-6.0.35/debian/changelog tomcat6-6.0.35/debian/changelog --- tomcat6-6.0.35/debian/changelog 2012-09-25 09:40:54.000000000 +0700 +++ tomcat6-6.0.35/debian/changelog 2013-05-20 21:49:36.000000000 +0700 @@ -1,3 +1,25 @@ +tomcat6 (6.0.35-5ubuntu0.1) quantal-security; urgency=low + + * SECURITY UPDATE: Fix multiple vulnerabilities in Tomcat6 + (LP: #1166649) + - debian/patches/0012-CVE-2012-2733.patch: Fix for Apache Tomcat Denial of + Service. Based on upstream patch. + - CVE-2012-2733 + - debian/patches/0013-CVE-2012-3546.patch: Fix for bypass of security + constraints. Based on upstream patch. + - CVE-2012-3546 + - debian/patches/0014-CVE-2012-4431.patch: Fix for bypass of CSRF + prevention filter. Based on upstream patch. + - CVE-2012-4431 + - debian/patches/0015-CVE-2012-4534.patch: Fix for CVE-2012-4534 Denial of + Service Vulnerability. Based on upstream patch. + - CVE-2012-4534 + - debian/patches/0016-CVE-2012-3439.patch: Fix for DIGEST authentication + weaknesses. Based on upstream patch. + - CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887 + + -- Christian Kuersteiner Mon, 20 May 2013 21:49:23 +0700 + tomcat6 (6.0.35-5) unstable; urgency=low * Apply patch to README.Debian to explain setting the HTTPOnly flag diff -Nru tomcat6-6.0.35/debian/control tomcat6-6.0.35/debian/control --- tomcat6-6.0.35/debian/control 2012-09-25 09:40:54.000000000 +0700 +++ tomcat6-6.0.35/debian/control 2013-05-15 13:24:31.000000000 +0700 @@ -1,7 +1,8 @@ Source: tomcat6 Section: java Priority: optional -Maintainer: Debian Java Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Java Maintainers Uploaders: Torsten Werner , Ludovic Claude , Damien Raude-Morvan , diff -Nru tomcat6-6.0.35/debian/patches/0012-CVE-2012-2733.patch tomcat6-6.0.35/debian/patches/0012-CVE-2012-2733.patch --- tomcat6-6.0.35/debian/patches/0012-CVE-2012-2733.patch 1970-01-01 07:00:00.000000000 +0700 +++ tomcat6-6.0.35/debian/patches/0012-CVE-2012-2733.patch 2013-05-15 13:24:31.000000000 +0700 @@ -0,0 +1,37 @@ +Description: Improve InternalNioInputBuffer#parseHeaders() +(see http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36) +Changes applied as from upstream patch. +Origin: backport, http://svn.apache.org/viewvc?view=rev&rev=1356208 +Author: ckuerste@gmx.ch +Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/1166649 +--- a/java/org/apache/coyote/http11/InternalNioInputBuffer.java ++++ b/java/org/apache/coyote/http11/InternalNioInputBuffer.java +@@ -673,10 +673,6 @@ + + do { + status = parseHeader(); +- } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS ); +- if (status == HeaderParseStatus.DONE) { +- parsingHeader = false; +- end = pos; + // Checking that + // (1) Headers plus request line size does not exceed its limit + // (2) There are enough bytes to avoid expanding the buffer when +@@ -685,11 +681,15 @@ + // limitation to enforce the meaning of headerBufferSize + // From the way how buf is allocated and how blank lines are being + // read, it should be enough to check (1) only. +- if (end - skipBlankLinesBytes > headerBufferSize +- || buf.length - end < socketReadBufferSize) { ++ if (pos - skipBlankLinesBytes > headerBufferSize ++ || buf.length - pos < socketReadBufferSize) { + throw new IllegalArgumentException( + sm.getString("iib.requestheadertoolarge.error")); + } ++ } while ( status == HeaderParseStatus.HAVE_MORE_HEADERS ); ++ if (status == HeaderParseStatus.DONE) { ++ parsingHeader = false; ++ end = pos; + return true; + } else { + return false; diff -Nru tomcat6-6.0.35/debian/patches/0013-CVE-2012-3546.patch tomcat6-6.0.35/debian/patches/0013-CVE-2012-3546.patch --- tomcat6-6.0.35/debian/patches/0013-CVE-2012-3546.patch 1970-01-01 07:00:00.000000000 +0700 +++ tomcat6-6.0.35/debian/patches/0013-CVE-2012-3546.patch 2013-05-15 13:24:31.000000000 +0700 @@ -0,0 +1,48 @@ +Description: Remove unneeded handling of FORM authentication in RealmBase. +(see http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36) +Changes applied as from upstream patch. +Origin: backport, http://svn.apache.org/viewvc?view=rev&rev=1381035 +Author: ckuerste@gmx.ch +Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/1166649 +--- a/java/org/apache/catalina/realm/RealmBase.java ++++ b/java/org/apache/catalina/realm/RealmBase.java +@@ -45,7 +45,6 @@ + import org.apache.catalina.connector.Request; + import org.apache.catalina.connector.Response; + import org.apache.catalina.core.ContainerBase; +-import org.apache.catalina.deploy.LoginConfig; + import org.apache.catalina.deploy.SecurityConstraint; + import org.apache.catalina.deploy.SecurityCollection; + import org.apache.catalina.util.HexUtils; +@@ -734,31 +733,6 @@ + if (constraints == null || constraints.length == 0) + return (true); + +- // Specifically allow access to the form login and form error pages +- // and the "j_security_check" action +- LoginConfig config = context.getLoginConfig(); +- if ((config != null) && +- (Constants.FORM_METHOD.equals(config.getAuthMethod()))) { +- String requestURI = request.getRequestPathMB().toString(); +- String loginPage = config.getLoginPage(); +- if (loginPage.equals(requestURI)) { +- if (log.isDebugEnabled()) +- log.debug(" Allow access to login page " + loginPage); +- return (true); +- } +- String errorPage = config.getErrorPage(); +- if (errorPage.equals(requestURI)) { +- if (log.isDebugEnabled()) +- log.debug(" Allow access to error page " + errorPage); +- return (true); +- } +- if (requestURI.endsWith(Constants.FORM_ACTION)) { +- if (log.isDebugEnabled()) +- log.debug(" Allow access to username/password submission"); +- return (true); +- } +- } +- + // Which user principal have we already authenticated? + Principal principal = request.getPrincipal(); + boolean status = false; diff -Nru tomcat6-6.0.35/debian/patches/0014-CVE-2012-4431.patch tomcat6-6.0.35/debian/patches/0014-CVE-2012-4431.patch --- tomcat6-6.0.35/debian/patches/0014-CVE-2012-4431.patch 1970-01-01 07:00:00.000000000 +0700 +++ tomcat6-6.0.35/debian/patches/0014-CVE-2012-4431.patch 2013-05-15 13:24:31.000000000 +0700 @@ -0,0 +1,52 @@ +Description: Improve session management in CsrfPreventionFilter +(see http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36) +Changes applied as from upstream patch. +Origin: backport, http://svn.apache.org/viewvc?view=rev&rev=1394456 +Author: ckuerste@gmx.ch +Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/1166649 +--- a/java/org/apache/catalina/filters/CsrfPreventionFilter.java ++++ b/java/org/apache/catalina/filters/CsrfPreventionFilter.java +@@ -33,6 +33,7 @@ + import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; + import javax.servlet.http.HttpServletResponseWrapper; ++import javax.servlet.http.HttpSession; + + import org.apache.juli.logging.Log; + import org.apache.juli.logging.LogFactory; +@@ -153,16 +154,19 @@ + } + } + ++ HttpSession session = req.getSession(false); ++ + @SuppressWarnings("unchecked") +- LruCache nonceCache = +- (LruCache) req.getSession(true).getAttribute( +- Constants.CSRF_NONCE_SESSION_ATTR_NAME); ++ LruCache nonceCache = (session == null) ? null ++ :(LruCache) session.getAttribute( ++ Constants.CSRF_NONCE_SESSION_ATTR_NAME); + + if (!skipNonceCheck) { + String previousNonce = + req.getParameter(Constants.CSRF_NONCE_REQUEST_PARAM); + +- if (nonceCache != null && !nonceCache.contains(previousNonce)) { ++ if (nonceCache == null || previousNonce == null || ++ !nonceCache.contains(previousNonce)) { + res.sendError(HttpServletResponse.SC_FORBIDDEN); + return; + } +@@ -170,7 +174,10 @@ + + if (nonceCache == null) { + nonceCache = new LruCache(nonceCacheSize); +- req.getSession().setAttribute( ++ if (session == null) { ++ session = req.getSession(true); ++ } ++ session.setAttribute( + Constants.CSRF_NONCE_SESSION_ATTR_NAME, nonceCache); + } + diff -Nru tomcat6-6.0.35/debian/patches/0015-CVE-2012-4534.patch tomcat6-6.0.35/debian/patches/0015-CVE-2012-4534.patch --- tomcat6-6.0.35/debian/patches/0015-CVE-2012-4534.patch 1970-01-01 07:00:00.000000000 +0700 +++ tomcat6-6.0.35/debian/patches/0015-CVE-2012-4534.patch 2013-05-15 13:24:31.000000000 +0700 @@ -0,0 +1,75 @@ +Description: Fix for CVE-2012-4534 Denial of Service Vulnerability +(see http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36) +Changes applied as from upstream patch. +Origin: backport, http://svn.apache.org/viewvc?view=rev&rev=1372035 +Author: ckuerste@gmx.ch +Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=52858 +Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/1166649 +--- a/java/org/apache/tomcat/util/net/NioEndpoint.java ++++ b/java/org/apache/tomcat/util/net/NioEndpoint.java +@@ -1713,8 +1713,14 @@ + public boolean processSendfile(SelectionKey sk, KeyAttachment attachment, boolean reg, boolean event) { + NioChannel sc = null; + try { +- //unreg(sk,attachment);//only do this if we do process send file on a separate thread ++ unreg(sk, attachment, sk.readyOps()); + SendfileData sd = attachment.getSendfileData(); ++ ++ if (log.isTraceEnabled()) { ++ log.trace("Processing send file for: " + sd.fileName); ++ } ++ ++ //setup the file channel + if ( sd.fchannel == null ) { + File f = new File(sd.fileName); + if ( !f.exists() ) { +@@ -1723,10 +1729,14 @@ + } + sd.fchannel = new FileInputStream(f).getChannel(); + } ++ ++ //configure output channel + sc = attachment.getChannel(); + sc.setSendFile(true); ++ //ssl channel is slightly different + WritableByteChannel wc =(WritableByteChannel) ((sc instanceof SecureNioChannel)?sc:sc.getIOChannel()); + ++ //we still have data in the buffer + if (sc.getOutboundRemaining()>0) { + if (sc.flushOutbound()) { + attachment.access(); +@@ -1753,15 +1763,13 @@ + attachment.setSendfileData(null); + try {sd.fchannel.close();}catch(Exception ignore){} + if ( sd.keepAlive ) { +- if (reg) { +- if (log.isDebugEnabled()) { +- log.debug("Connection is keep alive, registering back for OP_READ"); +- } +- if (event) { +- this.add(attachment.getChannel(),SelectionKey.OP_READ); +- } else { +- reg(sk,attachment,SelectionKey.OP_READ); +- } ++ if (log.isDebugEnabled()) { ++ log.debug("Connection is keep-alive, registering back for OP_READ"); ++ } ++ if (event) { ++ this.add(attachment.getChannel(), SelectionKey.OP_READ); ++ } else { ++ reg(sk, attachment, SelectionKey.OP_READ); + } + } else { + if (log.isDebugEnabled()) { +@@ -1770,9 +1778,9 @@ + cancelledKey(sk,SocketStatus.STOP,false); + return false; + } +- } else if ( attachment.interestOps() == 0 && reg ) { ++ } else { + if (log.isDebugEnabled()) { +- log.debug("OP_WRITE for sendilfe:"+sd.fileName); ++ log.debug("OP_WRITE for sendilfe:" + sd.fileName); + } + if (event) { + add(attachment.getChannel(),SelectionKey.OP_WRITE); diff -Nru tomcat6-6.0.35/debian/patches/0016-CVE-2012-3439.patch tomcat6-6.0.35/debian/patches/0016-CVE-2012-3439.patch --- tomcat6-6.0.35/debian/patches/0016-CVE-2012-3439.patch 1970-01-01 07:00:00.000000000 +0700 +++ tomcat6-6.0.35/debian/patches/0016-CVE-2012-3439.patch 2013-05-15 13:24:31.000000000 +0700 @@ -0,0 +1,371 @@ +Description: Various improvements to the DIGEST authenticator, the disabling +caching of an authenticated user in the session by default, tracking server rather +than client nonces and better handling of stale nonce values. +(see http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36) +Changes applied as from upstream patch. +Origin: backport, http://svn.apache.org/viewvc?view=rev&rev=1356208 +Author: ckuerste@gmx.ch +Ubuntu-Bug: https://bugs.launchpad.net/ubuntu/+source/tomcat6/+bug/1166649 +--- a/java/org/apache/catalina/authenticator/DigestAuthenticator.java ++++ b/java/org/apache/catalina/authenticator/DigestAuthenticator.java +@@ -27,9 +27,9 @@ + import java.util.Map; + import java.util.StringTokenizer; + ++import javax.servlet.http.HttpServletRequest; + import javax.servlet.http.HttpServletResponse; + +- + import org.apache.catalina.LifecycleException; + import org.apache.catalina.Realm; + import org.apache.catalina.connector.Request; +@@ -80,6 +80,7 @@ + + public DigestAuthenticator() { + super(); ++ setCache(false); + try { + if (md5Helper == null) + md5Helper = MessageDigest.getInstance("MD5"); +@@ -100,16 +101,16 @@ + + + /** +- * List of client nonce values currently being tracked ++ * List of server nonce values currently being tracked + */ +- protected Map cnonces; ++ protected Map nonces; + + + /** + * Maximum number of client nonces to keep in the cache. If not specified, + * the default value of 1000 is used. + */ +- protected int cnonceCacheSize = 1000; ++ protected int nonceCacheSize = 1000; + + + /** +@@ -150,13 +151,13 @@ + } + + +- public int getCnonceCacheSize() { +- return cnonceCacheSize; ++ public int getNonceCacheSize() { ++ return nonceCacheSize; + } + + +- public void setCnonceCacheSize(int cnonceCacheSize) { +- this.cnonceCacheSize = cnonceCacheSize; ++ public void setNonceCacheSize(int nonceCacheSize) { ++ this.nonceCacheSize = nonceCacheSize; + } + + +@@ -263,18 +264,19 @@ + // Validate any credentials already included with this request + String authorization = request.getHeader("authorization"); + DigestInfo digestInfo = new DigestInfo(getOpaque(), getNonceValidity(), +- getKey(), cnonces, isValidateUri()); ++ getKey(), nonces, isValidateUri()); + if (authorization != null) { +- if (digestInfo.validate(request, authorization, config)) { +- principal = digestInfo.authenticate(context.getRealm()); +- } +- +- if (principal != null) { +- String username = parseUsername(authorization); +- register(request, response, principal, +- Constants.DIGEST_METHOD, +- username, null); +- return (true); ++ if (digestInfo.parse(request, authorization)) { ++ if (digestInfo.validate(request, config)) { ++ principal = digestInfo.authenticate(context.getRealm()); ++ } ++ ++ if (principal != null && !digestInfo.isNonceStale()) { ++ register(request, response, principal, ++ HttpServletRequest.DIGEST_AUTH, ++ digestInfo.getUsername(), null); ++ return true; ++ } + } + } + +@@ -285,10 +287,9 @@ + String nonce = generateNonce(request); + + setAuthenticateHeader(request, response, config, nonce, +- digestInfo.isNonceStale()); ++ principal != null && digestInfo.isNonceStale()); + response.sendError(HttpServletResponse.SC_UNAUTHORIZED); +- // hres.flushBuffer(); +- return (false); ++ return false; + + } + +@@ -301,7 +302,10 @@ + * can be identified, return null + * + * @param authorization Authorization string to be parsed ++ * ++ * @deprecated Unused. Will be removed in Tomcat 8.0.x + */ ++ @Deprecated + protected String parseUsername(String authorization) { + + // Validate the authorization credentials format +@@ -345,7 +349,7 @@ + } else if (quotedString.length() > 2) { + return quotedString.substring(1, quotedString.length() - 1); + } else { +- return new String(); ++ return ""; + } + } + +@@ -376,7 +380,14 @@ + buffer = md5Helper.digest(ipTimeKey.getBytes()); + } + +- return currentTime + ":" + md5Encoder.encode(buffer); ++ String nonce = currentTime + ":" + md5Encoder.encode(buffer); ++ ++ NonceInfo info = new NonceInfo(currentTime, 100); ++ synchronized (nonces) { ++ nonces.put(nonce, info); ++ } ++ ++ return nonce; + } + + +@@ -450,7 +461,7 @@ + setOpaque(generateSessionId()); + } + +- cnonces = new LinkedHashMap() { ++ nonces = new LinkedHashMap() { + + private static final long serialVersionUID = 1L; + private static final long LOG_SUPPRESS_TIME = 5 * 60 * 1000; +@@ -462,7 +473,7 @@ + Map.Entry eldest) { + // This is called from a sync so keep it simple + long currentTime = System.currentTimeMillis(); +- if (size() > getCnonceCacheSize()) { ++ if (size() > getNonceCacheSize()) { + if (lastLog < currentTime && + currentTime - eldest.getValue().getTimestamp() < + getNonceValidity()) { +@@ -480,10 +491,10 @@ + + private static class DigestInfo { + +- private String opaque; +- private long nonceValidity; +- private String key; +- private Map cnonces; ++ private final String opaque; ++ private final long nonceValidity; ++ private final String key; ++ private final Map nonces; + private boolean validateUri = true; + + private String userName = null; +@@ -495,21 +506,27 @@ + private String cnonce = null; + private String realmName = null; + private String qop = null; ++ private String opaqueReceived = null; + + private boolean nonceStale = false; + + + public DigestInfo(String opaque, long nonceValidity, String key, +- Map cnonces, boolean validateUri) { ++ Map nonces, boolean validateUri) { + this.opaque = opaque; + this.nonceValidity = nonceValidity; + this.key = key; +- this.cnonces = cnonces; ++ this.nonces = nonces; + this.validateUri = validateUri; + } + +- public boolean validate(Request request, String authorization, +- LoginConfig config) { ++ ++ public String getUsername() { ++ return userName; ++ } ++ ++ ++ public boolean parse(Request request, String authorization) { + // Validate the authorization credentials format + if (authorization == null) { + return false; +@@ -523,7 +540,6 @@ + String[] tokens = authorization.split(",(?=(?:[^\"]*\"[^\"]*\")+$)"); + + method = request.getMethod(); +- String opaque = null; + + for (int i = 0; i < tokens.length; i++) { + String currentToken = tokens[i]; +@@ -555,9 +571,13 @@ + if ("response".equals(currentTokenName)) + response = removeQuotes(currentTokenValue); + if ("opaque".equals(currentTokenName)) +- opaque = removeQuotes(currentTokenValue); ++ opaqueReceived = removeQuotes(currentTokenValue); + } + ++ return true; ++ } ++ ++ public boolean validate(Request request, LoginConfig config) { + if ( (userName == null) || (realmName == null) || (nonce == null) + || (uri == null) || (response == null) ) { + return false; +@@ -573,7 +593,23 @@ + uriQuery = request.getRequestURI() + "?" + query; + } + if (!uri.equals(uriQuery)) { +- return false; ++ // Some clients (older Android) use an absolute URI for ++ // DIGEST but a relative URI in the request line. ++ // request. 2.3.5 < fixed Android version <= 4.0.3 ++ String host = request.getHeader("host"); ++ String scheme = request.getScheme(); ++ if (host != null && !uriQuery.startsWith(scheme)) { ++ StringBuilder absolute = new StringBuilder(); ++ absolute.append(scheme); ++ absolute.append("://"); ++ absolute.append(host); ++ absolute.append(uriQuery); ++ if (!uri.equals(absolute.toString())) { ++ return false; ++ } ++ } else { ++ return false; ++ } + } + } + +@@ -587,7 +623,7 @@ + } + + // Validate the opaque string +- if (!this.opaque.equals(opaque)) { ++ if (!this.opaque.equals(opaqueReceived)) { + return false; + } + +@@ -606,7 +642,9 @@ + long currentTime = System.currentTimeMillis(); + if ((currentTime - nonceTime) > nonceValidity) { + nonceStale = true; +- return false; ++ synchronized (nonces) { ++ nonces.remove(nonce); ++ } + } + String serverIpTimeKey = + request.getRemoteAddr() + ":" + nonceTime + ":" + key; +@@ -625,7 +663,7 @@ + } + + // Validate cnonce and nc +- // Check if presence of nc and nonce is consistent with presence of qop ++ // Check if presence of nc and Cnonce is consistent with presence of qop + if (qop == null) { + if (cnonce != null || nc != null) { + return false; +@@ -634,7 +672,9 @@ + if (cnonce == null || nc == null) { + return false; + } +- if (nc.length() != 8) { ++ // RFC 2617 says nc must be 8 digits long. Older Android clients ++ // use 6. 2.3.5 < fixed Android version <= 4.0.3 ++ if (nc.length() < 6 || nc.length() > 8) { + return false; + } + long count; +@@ -644,21 +684,18 @@ + return false; + } + NonceInfo info; +- synchronized (cnonces) { +- info = cnonces.get(cnonce); ++ synchronized (nonces) { ++ info = nonces.get(nonce); + } + if (info == null) { +- info = new NonceInfo(); ++ // Nonce is valid but not in cache. It must have dropped out ++ // of the cache - force a re-authentication ++ nonceStale = true; + } else { +- if (count <= info.getCount()) { ++ if (!info.nonceCountValid(count)) { + return false; + } + } +- info.setCount(count); +- info.setTimestamp(currentTime); +- synchronized (cnonces) { +- cnonces.put(cnonce, info); +- } + } + return true; + } +@@ -685,19 +722,31 @@ + } + + private static class NonceInfo { +- private volatile long count; + private volatile long timestamp; +- +- public void setCount(long l) { +- count = l; +- } +- +- public long getCount() { +- return count; ++ private volatile boolean seen[]; ++ private volatile int offset; ++ private volatile int count = 0; ++ ++ public NonceInfo(long currentTime, int seenWindowSize) { ++ this.timestamp = currentTime; ++ seen = new boolean[seenWindowSize]; ++ offset = seenWindowSize / 2; + } +- +- public void setTimestamp(long l) { +- timestamp = l; ++ ++ public synchronized boolean nonceCountValid(long nonceCount) { ++ if ((count - offset) >= nonceCount || ++ (nonceCount > count - offset + seen.length)) { ++ return false; ++ } ++ int checkIndex = (int) ((nonceCount + offset) % seen.length); ++ if (seen[checkIndex]) { ++ return false; ++ } else { ++ seen[checkIndex] = true; ++ seen[count % seen.length] = false; ++ count++; ++ return true; ++ } + } + + public long getTimestamp() { diff -Nru tomcat6-6.0.35/debian/patches/series tomcat6-6.0.35/debian/patches/series --- tomcat6-6.0.35/debian/patches/series 2012-09-25 09:40:54.000000000 +0700 +++ tomcat6-6.0.35/debian/patches/series 2013-05-15 13:24:31.000000000 +0700 @@ -8,3 +8,8 @@ 0008-add-OSGI-headers-to-jsp-api.patch 0010-Use-java.security.policy-file-in-catalina.sh.patch 0011-CVE-2012-0022-regression-fix.patch +0012-CVE-2012-2733.patch +0013-CVE-2012-3546.patch +0014-CVE-2012-4431.patch +0015-CVE-2012-4534.patch +0016-CVE-2012-3439.patch