import tomcat-9.0.87-1.el8_10.1

7 months ago · 622cf12a81
parent e68edfee65
commit 622cf12a81
6 changed files with 48 additions and 38 deletions
--- a/.gitignore
+++ b/.gitignore
@ -1 +1 @@
-SOURCES/tomcat-9.0.62.redhat-00018-src.zip
+SOURCES/tomcat-9.0.87.redhat-00003-src.zip
--- a/.tomcat.metadata
+++ b/.tomcat.metadata
@ -1 +1 @@
-5becf21ed1eb5c031c31d5f295ce499234e98f82 SOURCES/tomcat-9.0.62.redhat-00018-src.zip
+4e1552026d103c3310c1bd678ac8fe7bab597e4b SOURCES/tomcat-9.0.87.redhat-00003-src.zip
--- a/SOURCES/fix-malformed-dtd.patch
+++ b/SOURCES/fix-malformed-dtd.patch
@ -1,8 +0,0 @@
-diff -up ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd.orig ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd
--- ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd.orig	2023-02-07 14:11:25.294179017 -0500
-+++ ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd	2023-02-07 14:11:28.629196705 -0500
-@@ -1,4 +1,3 @@
-<?xml version="1.0" encoding="UTF-8"?>
- <!--
-   Licensed to the Apache Software Foundation (ASF) under one or more
-   contributor license agreements.  See the NOTICE file distributed with
--- a/SOURCES/remove-bnd-annotation.patch
+++ b/SOURCES/remove-bnd-annotation.patch
@ -1,8 +1,8 @@
 diff --git a/build.xml b/build.xml
-index 5a0be1b..2131211 100644
+index 1a4b255..ea50aeb 100644
 --- a/build.xml
 +++ b/build.xml
-@@ -3062,7 +3062,7 @@ skip.installer property in build.properties" />
+@@ -3296,7 +3296,7 @@ asf.ldap.username=${release.asfusername}
 
   <target name="download-compile"
           description="Download components necessary to compile"
@ -12,10 +12,10 @@ index 5a0be1b..2131211 100644
     <!-- Download Commons Daemon -->
     <antcall target="downloadgz-2">
 diff --git a/java/org/apache/el/ExpressionFactoryImpl.java b/java/org/apache/el/ExpressionFactoryImpl.java
-index a6faeb6..5afbda7 100644
+index 3a6690a..03a2afe 100644
 --- a/java/org/apache/el/ExpressionFactoryImpl.java
 +++ b/java/org/apache/el/ExpressionFactoryImpl.java
-@@ -33,7 +33,7 @@ import org.apache.el.util.MessageFactory;
+@@ -34,7 +34,7 @@ import org.apache.el.util.MessageFactory;
  *
  * @author Jacob Hookom [jacob@hookom.net]
  */
@ -23,9 +23,9 @@ index a6faeb6..5afbda7 100644
 +//@aQute.bnd.annotation.spi.ServiceProvider(value=ExpressionFactory.class)
 public class ExpressionFactoryImpl extends ExpressionFactory {
 
-     @Override
+     static {
 diff --git a/java/org/apache/juli/logging/LogFactory.java b/java/org/apache/juli/logging/LogFactory.java
-index 56c805a..bd6eb0d 100644
+index bfc4238..acf989a 100644
 --- a/java/org/apache/juli/logging/LogFactory.java
 +++ b/java/org/apache/juli/logging/LogFactory.java
@@ -21,7 +21,7 @@ import java.nio.file.FileSystems;
@ -41,34 +41,34 @@ index 56c805a..bd6eb0d 100644
  * @author Costin Manolache
  * @author Richard A. Sitze
  */
-@ServiceConsumer(value=org.apache.juli.logging.Log.class)
-+//@ServiceConsumer(value=org.apache.juli.logging.Log.class)
+-@ServiceConsumer(value=Log.class)
+//@ServiceConsumer(value=Log.class)
 public class LogFactory {
 
     private static final LogFactory singleton = new LogFactory();
 diff --git a/java/org/apache/tomcat/websocket/WsContainerProvider.java b/java/org/apache/tomcat/websocket/WsContainerProvider.java
-index 3cb8873..7bc50f6 100644
+index 4b0577c..e383290 100644
 --- a/java/org/apache/tomcat/websocket/WsContainerProvider.java
 +++ b/java/org/apache/tomcat/websocket/WsContainerProvider.java
@@ -19,7 +19,7 @@ package org.apache.tomcat.websocket;
 import javax.websocket.ContainerProvider;
 import javax.websocket.WebSocketContainer;
 
-@aQute.bnd.annotation.spi.ServiceProvider(value=ContainerProvider.class)
-+//@aQute.bnd.annotation.spi.ServiceProvider(value=ContainerProvider.class)
+-@aQute.bnd.annotation.spi.ServiceProvider(value = ContainerProvider.class)
+//@aQute.bnd.annotation.spi.ServiceProvider(value = ContainerProvider.class)
 public class WsContainerProvider extends ContainerProvider {
 
     @Override
 diff --git a/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java b/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
-index 5c385ed..2e4e82e 100644
+index 00f492e..fe5c34d 100644
 --- a/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
 +++ b/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
@@ -26,7 +26,7 @@ import javax.websocket.HandshakeResponse;
 import javax.websocket.server.HandshakeRequest;
 import javax.websocket.server.ServerEndpointConfig;
 
-@aQute.bnd.annotation.spi.ServiceProvider(value=ServerEndpointConfig.Configurator.class)
-+//@aQute.bnd.annotation.spi.ServiceProvider(value=ServerEndpointConfig.Configurator.class)
- public class DefaultServerEndpointConfigurator
-         extends ServerEndpointConfig.Configurator {
+-@aQute.bnd.annotation.spi.ServiceProvider(value = ServerEndpointConfig.Configurator.class)
+//@aQute.bnd.annotation.spi.ServiceProvider(value = ServerEndpointConfig.Configurator.class)
+ public class DefaultServerEndpointConfigurator extends ServerEndpointConfig.Configurator {
 
+     @Override
--- a/SOURCES/tomcat-build.patch
+++ b/SOURCES/tomcat-build.patch
@ -1,12 +1,11 @@
-diff -up ./res/bnd/build-defaults.bnd.orig ./res/bnd/build-defaults.bnd
--- ./res/bnd/build-defaults.bnd.orig	2020-07-13 13:47:01.229077747 -0400
-+++ ./res/bnd/build-defaults.bnd	2020-07-13 13:47:12.923095618 -0400
+--- ./res/bnd/build-defaults.bnd.orig	2024-05-01 11:07:38.804582327 +0300
+++ ./res/bnd/build-defaults.bnd	2024-05-01 11:17:08.857295279 +0300
@@ -13,7 +13,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
-
+ 
 -Bundle-Version: ${version_cleanup;${version}}
 +Bundle-Version: ${version}
-
+ Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt
+ 
 Specification-Title: Apache Tomcat
- Specification-Version: ${version.major.minor}
--- a/SPECS/tomcat.spec
+++ b/SPECS/tomcat.spec
@ -31,8 +31,8 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 62
-%global packdname  %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00018-src
+%global micro_version 87
+%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00003-src
 %global servletspec 4.0
 %global elspec 3.0
 %global tcuid 53
@ -56,7 +56,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       30%{?dist}
+Release:       1%{?dist}.1
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API

 License:       ASL 2.0
@ -83,7 +83,6 @@ Patch4:        rhbz-1857043.patch
 # remove bnd dependency which version is too low on rhel8
 Patch6:        remove-bnd-annotation.patch
 Patch7:        JmxRemoteLifecycleListener.patch
-Patch8:        fix-malformed-dtd.patch

 BuildArch:     noarch

@ -198,7 +197,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch -P4 -p0
 %patch -P6 -p1
 %patch -P7 -p1
-%patch -P8 -p1

 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@ -558,25 +556,42 @@ fi


 %changelog
+* Mon Jun 03 2024 Sokratis Zappis <szappis@redhat.com> - 1:9.0.87-1.el8_10.1
+- Resolves: RHEL-38548 - Amend tomcat package's changelog so that fixed CVEs are mentioned explicitly
+- Resolves: RHEL-35813 - Rebase tomcat to version 9.0.87
+- Resolves: RHEL-29255
+  tomcat: Apache Tomcat: WebSocket DoS with incomplete closing handshake (CVE-2024-23672)
+- Resolves: RHEL-29250
+  tomcat: Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)
+
 * Fri Jan 19 2024 Hui Wang <huwang@redhat.com> - 1:9.0.62-30
 - Resolves: RHEL-6971

 * Thu Jan 18 2024 Hui Wang <huwang@redhat.com> - 1:9.0.62-29
 - Resolves: RHEL-17602
+  tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
+- tomcat: Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)

 * Thu Nov 23 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-28
 - Resolves: RHEL-13907
+  tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)
 - Resolves: RHEL-13904
+  tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)
 - Resolves: RHEL-12951
+  tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)
 - Resolves: RHEL-12544
+  tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
 - Resolves: RHEL-2386
+  tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)

 * Fri Oct 13 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-27
 - Related: RHEL-12543
+  tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
 - Bump release number

 * Thu Oct 12 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-16
- Resolves: RHEL-12543 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
+- Resolves: RHEL-12543
+  tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
 - Remove JDK subpackges which are unused

 * Fri Sep 08 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-14
@ -594,6 +609,10 @@ fi
 * Fri Aug 18 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-10
 - Resolves: #2210630 CVE-2023-28709 tomcat
 - Resolves: #2181448 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
+- tomcat: Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
+  tomcat: JsonErrorReportValve injection (CVE-2022-45143)
+  tomcat: request smuggling (CVE-2022-42252)
+  tomcat: local privilege escalation vulnerability (CVE-2022-23181)

 * Thu Aug 17 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-9
 - Resolves: #2184135 Add Obsoletes to tomcat package