
No commits in common. 'c9-beta' and 'c8' have entirely different histories.
c9-beta ... c8

@ -0,0 +1,74 @@
diff --git a/build.xml b/build.xml
index 1a4b255..ea50aeb 100644
--- a/build.xml
+++ b/build.xml
@@ -3296,7 +3296,7 @@ asf.ldap.username=${release.asfusername}
<target name="download-compile"
description="Download components necessary to compile"
- depends="setup-bnd">
+ >
<!-- Download Commons Daemon -->
<antcall target="downloadgz-2">
diff --git a/java/org/apache/el/ExpressionFactoryImpl.java b/java/org/apache/el/ExpressionFactoryImpl.java
index 3a6690a..03a2afe 100644
--- a/java/org/apache/el/ExpressionFactoryImpl.java
+++ b/java/org/apache/el/ExpressionFactoryImpl.java
@@ -34,7 +34,7 @@ import org.apache.el.util.MessageFactory;
*
* @author Jacob Hookom [jacob@hookom.net]
*/
-@aQute.bnd.annotation.spi.ServiceProvider(value=ExpressionFactory.class)
+//@aQute.bnd.annotation.spi.ServiceProvider(value=ExpressionFactory.class)
public class ExpressionFactoryImpl extends ExpressionFactory {
static {
diff --git a/java/org/apache/juli/logging/LogFactory.java b/java/org/apache/juli/logging/LogFactory.java
index bfc4238..acf989a 100644
--- a/java/org/apache/juli/logging/LogFactory.java
+++ b/java/org/apache/juli/logging/LogFactory.java
@@ -21,7 +21,7 @@ import java.nio.file.FileSystems;
import java.util.ServiceLoader;
import java.util.logging.LogManager;
-import aQute.bnd.annotation.spi.ServiceConsumer;
+//import aQute.bnd.annotation.spi.ServiceConsumer;
/**
* This is a modified LogFactory that uses a simple {@link ServiceLoader} based
@@ -63,7 +63,7 @@ import aQute.bnd.annotation.spi.ServiceConsumer;
* @author Costin Manolache
* @author Richard A. Sitze
*/
-@ServiceConsumer(value=Log.class)
+//@ServiceConsumer(value=Log.class)
public class LogFactory {
private static final LogFactory singleton = new LogFactory();
diff --git a/java/org/apache/tomcat/websocket/WsContainerProvider.java b/java/org/apache/tomcat/websocket/WsContainerProvider.java
index 4b0577c..e383290 100644
--- a/java/org/apache/tomcat/websocket/WsContainerProvider.java
+++ b/java/org/apache/tomcat/websocket/WsContainerProvider.java
@@ -19,7 +19,7 @@ package org.apache.tomcat.websocket;
import javax.websocket.ContainerProvider;
import javax.websocket.WebSocketContainer;
-@aQute.bnd.annotation.spi.ServiceProvider(value = ContainerProvider.class)
+//@aQute.bnd.annotation.spi.ServiceProvider(value = ContainerProvider.class)
public class WsContainerProvider extends ContainerProvider {
@Override
diff --git a/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java b/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
index 00f492e..fe5c34d 100644
--- a/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
+++ b/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
@@ -26,7 +26,7 @@ import javax.websocket.HandshakeResponse;
import javax.websocket.server.HandshakeRequest;
import javax.websocket.server.ServerEndpointConfig;
-@aQute.bnd.annotation.spi.ServiceProvider(value = ServerEndpointConfig.Configurator.class)
+//@aQute.bnd.annotation.spi.ServiceProvider(value = ServerEndpointConfig.Configurator.class)
public class DefaultServerEndpointConfigurator extends ServerEndpointConfig.Configurator {
@Override
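Review bot: Commenting out `@ServiceProvider` on ExpressionFactoryImpl, WsContainerProvider and DefaultServerEndpointConfigurator, and `@ServiceConsumer` on LogFactory, removes the in-source declaration of these service bindings, and nothing visible in the patch replaces it. If the shipped jars took their `META-INF/services` entries or OSGi capability headers from bnd processing these annotations, the built jars should be checked to confirm the descriptors are still present, because a missing entry changes which implementation `ServiceLoader` resolves at run time. The annotations are also left behind as commented-out code; deleting the lines, or replacing each with one comment such as `// bnd service annotation removed for this build: the packaged bnd is too old`, would keep the reason next to the change. Each class body continues outside its hunk.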

@ -1,10 +0,0 @@
--- build.xml.orig 2023-01-19 10:39:11.163687508 +0800
+++ build.xml 2023-01-19 10:44:42.960604444 +0800
@@ -213,6 +213,7 @@
<!-- Classpaths -->
<path id="compile.classpath">
<pathelement location="${bnd.jar}"/>
+ <pathelement location="${bnd-annotation.jar}"/>
<pathelement location="${jdt.jar}"/>
<pathelement location="${jaxrpc-lib.jar}"/>
<pathelement location="${wsdl4j-lib.jar}"/>

@ -56,7 +56,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
Release: 2%{?dist}
Release: 1%{?dist}.2
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@ -80,20 +80,21 @@ Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.pat
Patch2: %{name}-build.patch
Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
Patch4: rhbz-1857043.patch
Patch6: %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch
# remove bnd dependency which version is too low on rhel8
Patch6: remove-bnd-annotation.patch
Patch7: JmxRemoteLifecycleListener.patch
BuildArch: noarch
BuildRequires: ant
BuildRequires: ecj >= 1:4.10
BuildRequires: ecj
BuildRequires: findutils
BuildRequires: javapackages-local
BuildRequires: aqute-bnd
BuildRequires: aqute-bndlib
BuildRequires: systemd
Requires: (java-headless >= 1:1.8 or java-1.8.0-headless or java-11-headless or java-17-headless or java-21-headless or java >= 1:1.8)
Requires: (java-headless >= 1:1.8 or java-1.8.0-headless or java-11-headless or java-17-headless or java >= 1:1.8)
Requires: javapackages-tools
Requires: %{name}-lib = %{epoch}:%{version}-%{release}
%if 0%{?fedora} || 0%{?rhel} > 7
@ -104,8 +105,7 @@ Requires(post): systemd
Requires(preun): systemd
Requires(postun): systemd
Provides: pki-servlet-engine
Obsoletes: pki-servlet-engine
Obsoletes: pki-servlet-engine <= 1:9.0.50
# added after log4j sub-package was removed
Provides: %{name}-log4j = %{epoch}:%{version}-%{release}
@ -140,7 +140,7 @@ Provides: jsp = %{jspspec}
Obsoletes: %{name}-jsp-2.2-api
Requires: %{name}-servlet-%{servletspec}-api = %{epoch}:%{version}-%{release}
Requires: %{name}-el-%{elspec}-api = %{epoch}:%{version}-%{release}
Obsoletes: pki-servlet-engine
Obsoletes: pki-servlet-engine <= 1:9.0.50
%description jsp-%{jspspec}-api
Apache Tomcat JSP API Implementation Classes.
@ -152,7 +152,7 @@ Requires: %{name}-servlet-%{servletspec}-api = %{epoch}:%{version}-%{release}
Requires: %{name}-el-%{elspec}-api = %{epoch}:%{version}-%{release}
Requires: ecj >= 1:4.10
Requires(preun): coreutils
Obsoletes: pki-servlet-engine
Obsoletes: pki-servlet-engine <= 1:9.0.50
%description lib
Libraries needed to run the Tomcat Web container.
@ -163,8 +163,7 @@ Provides: servlet = %{servletspec}
Provides: servlet6
Provides: servlet3
Obsoletes: %{name}-servlet-3.1-api
Provides: pki-servlet-4.0-api
Obsoletes: pki-servlet-4.0-api
Obsoletes: pki-servlet-4.0-api <= 1:9.0.50
%description servlet-%{servletspec}-api
Apache Tomcat Servlet API Implementation Classes.
@ -173,7 +172,7 @@ Apache Tomcat Servlet API Implementation Classes.
Summary: Apache Tomcat Expression Language v%{elspec} API Implementation Classes
Provides: el_api = %{elspec}
Obsoletes: %{name}-el-2.2-api
Obsoletes: pki-servlet-engine
Obsoletes: pki-servlet-engine <= 1:9.0.50
%description el-%{elspec}-api
Apache Tomcat EL API Implementation Classes.
@ -196,7 +195,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch -P2 -p0
%patch -P3 -p0
%patch -P4 -p0
%patch -P6 -p0
%patch -P6 -p1
%patch -P7 -p1
# Remove webservices naming resources as it's generally unused
@ -229,8 +228,7 @@ touch HACK
-Dnsis.exe="HACK" \
-Djaxrpc-lib.jar="HACK" \
-Dwsdl4j-lib.jar="HACK" \
-Dbnd.jar="$(build-classpath aqute-bnd/biz.aQute.bnd)" \
-Dbnd-annotation.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \
-Dbnd.jar="HACK" \
-Dversion="%{version}" \
-Dversion.build="%{micro_version}" \
deploy
@ -402,6 +400,7 @@ popd
%mvn_artifact res/maven/tomcat-websocket-api.pom ${RPM_BUILD_ROOT}%{libdir}/websocket-api.jar
%mvn_artifact res/maven/tomcat-websocket.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-websocket.jar
%mvn_artifact res/maven/tomcat.pom
%mvn_install
%pre
@ -557,560 +556,84 @@ fi
%changelog
* Thu Aug 08 2024 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-2
- Resolves: RHEL-46163
* Thu Aug 08 2024 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-1.el8_10.2
- Resolves: RHEL-46167
tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)
- Resolves: RHEL-18245 - OpenJDK 21 support for RHEL Tomcat
* Fri May 03 2024 Sokratis Zappis <szappis@redhat.com> - 1:9.0.87-1
- Resolves: RHEL-35812 - Rebase tomcat to version 9.0.87
- Resolves: RHEL-29257
* Mon Jun 03 2024 Sokratis Zappis <szappis@redhat.com> - 1:9.0.87-1.el8_10.1
- Resolves: RHEL-38548 - Amend tomcat package's changelog so that fixed CVEs are mentioned explicitly
- Resolves: RHEL-35813 - Rebase tomcat to version 9.0.87
- Resolves: RHEL-29255
tomcat: Apache Tomcat: WebSocket DoS with incomplete closing handshake (CVE-2024-23672)
- Resolves: RHEL-29252
tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)
- Resolves: RHEL-53001 - Amend tomcat's changelog
(CVE-2023-46589, CVE-2023-45648, CVE-2023-42795, CVE-2023-42794, CVE-2023-44487, CVE-2023-41080)
- Resolves: RHEL-29250
tomcat: Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)
* Fri Jan 19 2024 Hui Wang <huwang@redhat.com> - 1:9.0.62-30
- Resolves: RHEL-6971
* Thu Jan 18 2024 Hui Wang <huwang@redhat.com> - 1:9.0.62-39
- Resolves: RHEL-17605
* Thu Jan 18 2024 Hui Wang <huwang@redhat.com> - 1:9.0.62-29
- Resolves: RHEL-17602
tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
- tomcat: Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)
* Thu Nov 23 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-38
- Resolves: RHEL-13908
* Thu Nov 23 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-28
- Resolves: RHEL-13907
tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)
- Resolves: RHEL-13905
- Resolves: RHEL-13904
tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)
- Resolves: RHEL-12952
- Resolves: RHEL-12951
tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)
- Resolves: RHEL-12552
- Resolves: RHEL-12544
tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
- Resolves: RHEL-2388
- Resolves: RHEL-2386
tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)
* Fri Oct 13 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-37
- Resolves: RHEL-12551
* Fri Oct 13 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-27
- Related: RHEL-12543
tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
- Remove JDK subpackges which are unused
* Fri Aug 25 2023 Coty Sutherland <csutherl@redhat.com> - 1:9.0.62-16
- Related: #2184133 Declare file conflicts
* Fri Aug 25 2023 Coty Sutherland <csutherl@redhat.com> - 1:9.0.62-15
- Resolves: #2184133 Fix bug in Obsoletes
* Tue Aug 01 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-14
- Resolves: #2210632 CVE-2023-28709 tomcat
* Wed Jul 26 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-13
- Resolves: #2189675 Missing Tomcat POM files in RHEL 9.3
* Wed Jun 21 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-12
- Resolves: #2189675 Missing Tomcat POM files in RHEL 9.3
- Resolves: #2173872 Remove java-11-openjdk-headles as a tomcat dependency
- Resolves: #2181461 CVE-2023-28708 tomcat: not including the secure attribute causes information
- Resolves: #2210632 CVE-2023-28709
- Resolves: #2184133 Add Obsoletes to tomcat package
- Update patch command
- Update source to include the CVE fixes
* Thu Feb 23 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-11
- Bump release so that the NVR on RHEL-9 is higher than RHEL-8
* Wed Feb 15 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-4
- Bump release to run the tier1 test
* Tue Feb 07 2023 Coty Sutherland <csutherl@redhat.com> - 1:9.0.62-3
- Add conflicts declaration to the appropriate subpackages
- Fix malformed DTD file that caused problems with rpminspect
* Fri Feb 03 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-2
- Add conflicts with the pki-servlet-engine package
* Mon Jan 16 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-1
- Update to 9.0.62. Related: rhbz#2160511
- Remove examples webapps from subpackage
- Remove maven artifacts from build as they aren't very useful
- Drop JSVC support as it's not very useful these days
- Drop geronimo-saaj as it's no longer required
- Drop geronimo-jaxrpc, which provided the webservices naming factory resources that are generally unused
- Cleaning up some unused deps and system properties
- Add Java 9 start-up parameters to allow reflection
- Add bnd-annotation which is in bndlib
- Add fixes for memory leak which have been fixed in 9.0.64
* Fri Apr 16 2021 Mohan Boddu <mboddu@redhat.com> - 1:9.0.44-2
- Rebuilt for RHEL 9 BETA on Apr 15th 2021. Related: rhbz#1947937
* Thu Mar 18 2021 Hui Wang <huwang@redhat.com> - 1:9.0.44-1
- Update to 9.0.44
* Wed Feb 03 2021 Hui Wang <huwang@redhat.com> - 1:9.0.43-1
- Update to 9.0.43
* Wed Jan 27 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1:9.0.41-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_34_Mass_Rebuild
* Wed Dec 09 2020 Hui Wang <huwang@redhat.com> - 1:9.0.41-1
- Update to 9.0.41
* Wed Nov 18 2020 Hui Wang <huwang@redhat.com> - 1:9.0.40-1
- Update to 9.0.40
* Mon Oct 12 2020 Hui Wang <huwang@redhat.com> - 1:9.0.39-1
- Update to 9.0.39
* Wed Sep 16 2020 Hui Wang <huwang@redhat.com> - 1:9.0.38-1
- Update to 9.0.38
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:9.0.37-4
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild
* Fri Jul 24 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.37-3
- Related: rhbz#1857043 Temporarily remove OSGi metadata from tomcat jars
* Mon Jul 20 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.37-2
- Resolves: rhbz#1857043 Add patch to reinclude o.a.t.util.net.jsse and o.a.t.util.moduler.modules in tomcat-coyote.jar
* Mon Jul 13 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.37-1
- Update to 9.0.37
* Sat Jul 11 2020 Jiri Vanek <jvanek@redhat.com> - 1:9.0.36-2
- Rebuilt for JDK-11, see https://fedoraproject.org/wiki/Changes/Java11
* Wed Jun 10 2020 Hui Wang <huwang@redhat.com> - 1:9.0.36-1
- Upgrade to 9.0.36
* Sun May 31 2020 Hui Wang <huwang@redhat.com> - 1:9.0.35-2
- Upgrade to 9.0.35
* Wed Apr 22 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.34-2
- Add updated catalina.policy patch to allow ECJ usage under the Security Manager
* Tue Apr 21 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.34-1
- Update to 9.0.34
* Thu Mar 05 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.31-1
- Update to 9.0.31
- Resolves: rhbz#1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
* Fri Jan 31 2020 Fedora Release Engineering <releng@fedoraproject.org> - 1:9.0.30-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
* Fri Dec 20 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.30-1
- Update to 9.0.30
* Thu Sep 26 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.26-2
- Resolves: rhbz#1510522 man page uid and gid mismatch for service accounts
* Thu Sep 26 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.26-1
- Update to 9.0.26
- Resolves: rhbz#1523112 tomcat systemd does not cope with - in service names
- Resolves: rhbz#1510896 Problem to start tomcat with a user whose group has a name different to the user
* Sat Jul 27 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:9.0.21-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_31_Mass_Rebuild
* Wed Jul 17 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.21-2
- Update build-classpath calls to ECJ to specify the JAR we want to use
* Tue Jun 18 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.21-1
- Update to 9.0.21
* Tue Apr 02 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.13-4
- Remove javadoc subpackage to drop the jpackage-utils dependency
* Wed Feb 20 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.13-3
- Remove OSGi MANIFEST files, these are now included in the upstream Tomcat distribution (as of 9.0.10)
- Remove unused dependencies, apache-commons-collections, apache-commons-daemon, apache-commons-pool, junit
* Sun Feb 03 2019 Fedora Release Engineering <releng@fedoraproject.org> - 1:9.0.13-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_30_Mass_Rebuild
* Thu Dec 13 2018 Coty Sutherland <csutherl@redhat.com> - 1:9.0.13-1
- Update to 9.0.13
- Resolves: rhbz#1636513 - CVE-2018-11784 tomcat: Open redirect in default servlet
* Sun Oct 14 2018 Peter Robinson <pbrobinson@fedoraproject.org> 1:9.0.10-2
- Drop legcy sys-v bits
* Tue Jul 31 2018 Coty Sutherland <csutherl@redhat.com> - 1:9.0.10-1
- Update to 9.0.10
- Resolves: rhbz#1624929 - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
- Resolves: rhbz#1579612 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
- Resolves: rhbz#1607586 - CVE-2018-8034 tomcat: host name verification missing in WebSocket client
- Resolves: rhbz#1607584 - CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up
* Sat Jul 14 2018 Fedora Release Engineering <releng@fedoraproject.org> - 1:9.0.7-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_29_Mass_Rebuild
* Tue May 01 2018 Coty Sutherland <csutherl@redhat.com> - 1:9.0.7-1
- Update to 9.0.7
* Thu Mar 15 2018 Coty Sutherland <csutherl@redhat.com> - 1:8.5.29-1
- Update to 8.5.29
- Resolves: rhbz#1548290 CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unitended exposure of resources
- Resolves: rhbz#1548284 CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
* Fri Feb 09 2018 Igor Gnatenko <ignatenkobrain@fedoraproject.org> - 1:8.0.49-2
- Escape macros in %%changelog
* Thu Feb 01 2018 Coty Sutherland <csutherl@redhat.com> - 1:8.0.49-1
- Update to 8.0.49
* Tue Dec 12 2017 Merlin Mathesius <mmathesi@redhat.com> - 1:8.0.47-3
- Cleanup spec file conditionals
* Tue Oct 24 2017 Troy Dawson <tdawson@redhat.com> - 1:8.0.47-2
- Change "zip -u" to "zip"
- Resolves: rhbz#1495241 [tomcat] zip -u in spec file causes race condition
* Wed Oct 04 2017 Coty Sutherland <csutherl@redhat.com> - 1:8.0.47-1
- Update to 8.0.47
- Resolves: rhbz#1497682 CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615
* Mon Aug 21 2017 Coty Sutherland <csutherl@redhat.com> - 1:8.0.46-1
- Update to 8.0.46
- Resolves: rhbz#1480620 CVE-2017-7674 tomcat: Cache Poisoning
* Thu Jul 27 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:8.0.44-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_27_Mass_Rebuild
* Fri Jun 09 2017 Coty Sutherland <csutherl@redhat.com> - 1:8.0.44-1
- Resolves: rhbz#1459160 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
* Tue Apr 11 2017 Coty Sutherland <csutherl@redhat.com> - 1:8.0.43-1
- Update to 8.0.43
* Fri Mar 31 2017 Coty Sutherland <csutherl@redhat.com> - 1:8.0.42-1
- Update to 8.0.42
* Thu Feb 16 2017 Coty Sutherland <csutherl@redhat.com> - 1:8.0.41-1
- Update to 8.0.41
- Resolves: rhbz#1403825 CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing
* Sat Feb 11 2017 Fedora Release Engineering <releng@fedoraproject.org> - 1:8.0.39-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_26_Mass_Rebuild
* Tue Nov 29 2016 Coty Sutherland <csutherl@redhat.com> - 1:8.0.39-1
- Update to 8.0.39
- Resolves: rhbz#1397493 CVE-2016-6816 CVE-2016-6817 CVE-2016-8735 tomcat: various flaws
- Bump release number
* Tue Oct 25 2016 Coty Sutherland <csutherl@redhat.com> - 1:8.0.38-1
- Update to 8.0.38
* Sun Oct 23 2016 Coty Sutherland <csutherl@redhat.com> - 1:8.0.37-3
- Resolves: rhbz#1383216 CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
- Resolves: rhbz#1382310 CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
* Tue Sep 13 2016 Coty Sutherland <csutherl@redhat.com> - 1:8.0.37-1
- Rebase to 8.0.37
- Resolves: rhbz#1375581 CVE-2016-5388 CGI sets environmental variable based on user supplied Proxy request header
- Resolves: rhbz#1370262 catalina.out is no longer in use in the main package, but still gets rotated
* Thu Aug 11 2016 Coty Sutherland <csutherl@redhat.com> - 1:8.0.36-2
- Related: rhbz#1349469 Correct typo in changelog entry
* Mon Aug 08 2016 Coty Sutherland <csutherl@redhat.com> - 1:8.0.36-1
- Resolves: rhbz#1349469 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service (updates to 8.0.36)
- Resolves: rhbz#1364056 The command tomcat-digest doesn't work
- Resolves: rhbz#1363884 The tomcat-tool-wrapper script is broken
- Resolves: rhbz#1347864 The systemd service unit does not allow tomcat to shut down gracefully
- Resolves: rhbz#1347835 The security manager doesn't work correctly (JSPs cannot be compiled)
- Resolves: rhbz#1341853 rpm -V tomcat fails on /var/log/tomcat/catalina.out
- Resolves: rhbz#1341850 tomcat-jsvc.service has TOMCAT_USER value hard-coded
- Resolves: rhbz#1359737 Missing maven depmap for the following artifacts: org.apache.tomcat:tomcat-websocket, org.apache.tomcat:tomcat-websocket-api
- Resolves: asfbz#59960 Building javadocs with java8 fails
* Wed Mar 2 2016 Ivan Afonichev <ivan.afonichev@gmail.com> - 1:8.0.32-4
- Revert sysconfig migration changes, resolves: rhbz#1311771, rhbz#1311905
- Add /etc/tomcat/conf.d/ with shell expansion support, resolves rhbz#1293636
* Sat Feb 27 2016 Ivan Afonichev <ivan.afonichev@gmail.com> - 1:8.0.32-3
- Load sysconfig from tomcat.conf, resolves: rhbz#1311771, rhbz#1311905
- Set default javax.sql.DataSource factory to apache commons one, resolves rhbz#1214381
* Sun Feb 21 2016 Ivan Afonichev <ivan.afonichev@gmail.com> - 1:8.0.32-2
- Fix symlinks from $CATALINA_HOME/lib perspective, resolves: rhbz#1308685
* Thu Feb 11 2016 Ivan Afonichev <ivan.afonichev@gmail.com> - 1:8.0.32-1
- Updated to 8.0.32
- Remove log4j support. It has never been working actually. See rhbz#1236297
- Move shipped config to /etc/sysconfig/tomcat. /etc/tomcat/tomcat.conf can now be used to override it with shell expansion, resolves rhbz#1293636
- Recommend tomcat-native, resolves: rhbz#1243132
* Wed Feb 10 2016 Coty Sutherland <csutherl@redhat.com> 1:8.0.26-4
- Resolves: rhbz#1286800 Failed to start component due to wrong allowLinking="true" in context.xml
- Program /bin/nologin does not exist (#1302718)
* Fri Feb 05 2016 Fedora Release Engineering <releng@fedoraproject.org> - 1:8.0.26-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_24_Mass_Rebuild
* Wed Nov 11 2015 Robert Scheck <robert@fedoraproject.org> 1:8.0.26-2
- CATALINA_OPTS are only read when SECURITY_MANAGER is true (#1147105)
* Thu Aug 27 2015 Alexander Kurtakov <akurtako@redhat.com> 1:8.0.26-1
- Update to 8.0.26.
* Fri Jul 10 2015 Alexander Kurtakov <akurtako@redhat.com> 1:8.0.24-2
- Update to 8.0.24.
* Fri Jun 19 2015 Alexander Kurtakov <akurtako@redhat.com> 1:8.0.23-2
- Drop javax.el:el-api alias.
* Thu Jun 18 2015 Alexander Kurtakov <akurtako@redhat.com> 1:8.0.23-1
- Update to 8.0.23.
* Thu Jun 18 2015 Alexander Kurtakov <akurtako@redhat.com> 1:8.0.20-3
- Drop jetty alias for servlet.
* Tue Jun 09 2015 Michal Srb <msrb@redhat.com> - 1:8.0.20-2
- Fix metadata for org.apache.tomcat:{tomcat-jni,tomcat-util-scan}
* Thu Mar 5 2015 Alexander Kurtakov <akurtako@redhat.com> 1:8.0.18-5
- Rebuild against tomcat-taglibs-standard.
* Wed Mar 4 2015 Alexander Kurtakov <akurtako@redhat.com> 1:8.0.18-4
- Fix epoch bumped el_1_0_api that would override all other glassfish/jboss/etc. due to wrong epoch.
- Drop old provides.
* Tue Mar 03 2015 Stephen Gallagher <sgallagh@redhat.com> 1:8.0.18-3
- Bump epoch to maintain upgrade path from Fedora 22
* Mon Feb 16 2015 Michal Srb <msrb@redhat.com> - 0:8.0.18-2
- Install POM files for org.apache.tomcat:{tomcat-jni,tomcat-util-scan}
* Sun Feb 15 2015 Ivan Afonichev <ivan.afonichev@gmail.com> 0:8.0.18-1
- Updated to 8.0.18
* Sat Sep 20 2014 Ivan Afonichev <ivan.afonichev@gmail.com> 0:8.0.12-1
- Updated to 8.0.12
- Substitute libnames in catalina-tasks.xml, resolves: rhbz#1126439
- Use CATALINA_OPTS only on start, resolves: rhbz#1051194
* Mon Jun 16 2014 Michal Srb <msrb@redhat.com> - 0:7.0.54-3
- jsp-api requires el-api
* Sun Jun 08 2014 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0:7.0.54-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild
* Thu Jun 5 2014 Alexander Kurtakov <akurtako@redhat.com> 0:7.0.54-1
- Update to upstream 7.0.54 - fixes compile with Java 8.
* Wed May 21 2014 Alexander Kurtakov <akurtako@redhat.com> 0:7.0.52-3
- Drop servlet/el api provides to reduce user machines ending with both.
* Sun Mar 30 2014 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.52-2
- Don't provide maven javax.jsp:jsp-api and javax.servlet.jsp:javax.servlet.jsp-api resolves: rhbz#1076949
- Move log4j support into subpackage, resolves: rhbz#1027716
* Wed Mar 26 2014 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.52-1
- Updated to 7.0.52
- Rewrite jsvc implementation, resolves: rhbz#1051743
- Switch to java-headless R, resolves: rhbz#1068566
- Create and own %%{_localstatedir}/lib/tomcats, resolves: rhbz#1026741
- Add pom for tomcat-jdbc, resolves: rhbz#1011003
* Tue Jan 21 2014 Mikolaj Izdebski <mizdebsk@redhat.com> - 0:7.0.47-3
- Fix installation of Maven metadata for tomcat-juli.jar
- Resolves: rhbz#1033664
* Wed Jan 15 2014 Stanislav Ochotnicky <sochotnicky@redhat.com> - 0:7.0.47-2
- Rebuild for bug #1033664
* Sun Nov 03 2013 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.47-1
- Updated to 7.0.47
- Fix java.security.policy
* Sun Aug 04 2013 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0:7.0.42-3
- Rebuilt for https://fedoraproject.org/wiki/Fedora_20_Mass_Rebuild
* Fri Jul 12 2013 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.42-2
- Remove jpackage-utils R
* Thu Jul 11 2013 Dmitry Tikhonov <squall.sama@gmail.com> 0:7.0.42-1
- Updated to 7.0.42
* Tue Jun 11 2013 Paul Komkoff <i@stingr.net> 0:7.0.40-3
- Dropped systemv inits. Bye-bye.
- Updated the systemd wrappers to allow running multiple instances.
Added wrapper scripts to do that, ported the original non-named
service file to work with the same wrappers, updated
/usr/sbin/tomcat to call systemctl.
* Sat May 11 2013 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.40-1
- Updated to 7.0.40
- Resolves: rhbz 956569 added missing commons-pool link
- Remove ant-nodeps BR
* Mon Mar 4 2013 Mikolaj Izdebski <mizdebsk@redhat.com> - 0:7.0.37-2
- Add depmaps for org.eclipse.jetty.orbit
- Resolves: rhbz#917626
* Wed Feb 20 2013 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.39-1
- Updated to 7.0.39
* Wed Feb 20 2013 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.37-1
- Updated to 7.0.37
* Mon Feb 4 2013 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.35-1
- Updated to 7.0.35
- systemd SuccessExitStatus=143 for proper stop exit code processing
* Mon Dec 24 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.34-1
- Updated to 7.0.34
- ecj >= 4.2.1 now required
- Resolves: rhbz 889395 concat classpath correctly; chdir to $CATALINA_HOME
* Fri Dec 7 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.33-2
- Resolves: rhbz 883806 refix logdir ownership
* Sun Dec 2 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.33-1
- Updated to 7.0.33
- Resolves: rhbz 873620 need chkconfig for update-alternatives
* Wed Oct 17 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.32-1
- Updated to 7.0.32
- Resolves: rhbz 842620 symlinks to taglibs
* Fri Aug 24 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.29-1
- Updated to 7.0.29
- Add pidfile as tmpfile
- Use systemd for running as unprivileged user
- Resolves: rhbz 847751 upgrade path was broken
- Resolves: rhbz 850343 use new systemd-rpm macros
* Sat Jul 21 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 0:7.0.28-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild
* Mon Jul 2 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.28-1
- Updated to 7.0.28
- Resolves: rhbz 820119 Remove bundled apache-commons-dbcp
- Resolves: rhbz 814900 Added tomcat-coyote POM
- Resolves: rhbz 810775 Remove systemv stuff from %%post scriptlet
- Remove redhat-lsb R
* Mon Apr 9 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.27-2
- Fixed native download hack
* Sat Apr 7 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.27-1
- Updated to 7.0.27
- Fixed jakarta-taglibs-standard BR and R
* Wed Mar 21 2012 Stanislav Ochotnicky <sochotnicky@redhat.com> - 0:7.0.26-2
- Add more depmaps to J2EE apis to help jetty/glassfish updates
* Wed Mar 14 2012 Juan Hernandez <juan.hernandez@redhat.com> 0:7.0.26-2
- Added the POM files for tomcat-api and tomcat-util (#803495)
* Wed Feb 22 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.26-1
- Updated to 7.0.26
- Bug 790334: Change ownership of logdir for logrotate
* Thu Feb 16 2012 Krzysztof Daniel <kdaniel@redhat.com> 0:7.0.25-4
- Bug 790694: Priorities of jsp, servlet and el packages updated.
* Wed Feb 8 2012 Krzysztof Daniel <kdaniel@redhat.com> 0:7.0.25-3
- Dropped indirect dependecy to tomcat 5
* Sun Jan 22 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.25-2
- Added hack for maven depmap of tomcat-juli absolute link [ -f ] pass correctly
* Sat Jan 21 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.25-1
- Updated to 7.0.25
- Removed EntityResolver patch (changes already in upstream sources)
- Place poms and depmaps in the same package as jars
- Added javax.servlet.descriptor to export-package of servlet-api
- Move several chkconfig actions and reqs to systemv subpackage
- New maven depmaps generation method
- Add patch to support java7. (patch sent upstream).
- Require java >= 1:1.6.0
* Fri Jan 13 2012 Krzysztof Daniel <kdaniel@redhat.com> 0:7.0.23-5
- Exported javax.servlet.* packages in version 3.0 as 2.6 to make
servlet-api compatible with Eclipse.
* Thu Jan 12 2012 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.23-4
- Move jsvc support to subpackage
* Wed Jan 11 2012 Alexander Kurtakov <akurtako@redhat.com> 0:7.0.23-2
- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream).
* Mon Dec 12 2011 Joseph D. Wagner <joe@josephdwagner.info> 0:7.0.23-3
- Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for
starting tomcat with jsvc, which allows tomcat to perform some
privileged operations (e.g. bind to a port < 1024) and then switch
identity to a non-privileged user. Must add USE_JSVC="true" to
/etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat.
* Mon Nov 28 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.23-1
- Updated to 7.0.23
* Thu Oct 12 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-16
- Resolves: RHEL-12543
tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
- Remove JDK subpackges which are unused
* Fri Nov 11 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.22-2
- Move tomcat-juli.jar to lib package
- Drop %%update_maven_depmap as in tomcat6
- Provide native systemd unit file ported from tomcat6
* Thu Oct 6 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.22-1
- Updated to 7.0.22
* Mon Oct 03 2011 Rex Dieter <rdieter@fedoraproject.org> - 0:7.0.21-3.1
- rebuild (java), rel-eng#4932
* Fri Sep 08 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-14
- Related: RHEL-2330 Bump release number
* Mon Sep 26 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.21-3
- Fix basedir mode
* Tue Sep 20 2011 Roland Grunberg <rgrunber@redhat.com> 0:7.0.21-2
- Add manifests for el-api, jasper-el, jasper, tomcat, and tomcat-juli.
* Thu Sep 8 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.21-1
- Updated to 7.0.21
* Mon Aug 15 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.20-3
- Require java = 1:1.6.0
* Thu Sep 07 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-13
- Resolves: RHEL-2330 Revert the fix for pki-servlet-engine
* Mon Aug 15 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.20-2
- Require java < 1.7.0
* Mon Aug 15 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.20-1
- Updated to 7.0.20
* Tue Jul 26 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.19-1
- Updated to 7.0.19
* Fri Aug 25 2023 Coty Sutherland <csutherl@redhat.com> - 1:9.0.62-12
- Related: #2184135 Declare file conflicts
* Tue Jun 21 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.16-1
- Updated to 7.0.16
* Fri Aug 25 2023 Coty Sutherland <csutherl@redhat.com> - 1:9.0.62-11
- Resolves: #2184135 Fix bug introduced in initial commit
* Mon Jun 6 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.14-3
- Added initial systemd service
- Fix some paths
* Fri Aug 18 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-10
- Resolves: #2210630 CVE-2023-28709 tomcat
- Resolves: #2181448 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
- tomcat: Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
tomcat: JsonErrorReportValve injection (CVE-2022-45143)
tomcat: request smuggling (CVE-2022-42252)
tomcat: local privilege escalation vulnerability (CVE-2022-23181)
* Sat May 21 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.14-2
- Fixed http source link
- Securify some permissions
- Added licenses for el-api and servlet-api
- Added dependency on jpackage-utils for the javadoc subpackage
* Thu Aug 17 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-9
- Resolves: #2184135 Add Obsoletes to tomcat package
* Sat May 14 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.14-1
- Updated to 7.0.14
* Thu Aug 17 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-8
- Resolves: #2189676 Missing Tomcat POM files in RHEL 8.9
* Thu May 5 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.12-4
- Provided local paths for libs
- Fixed dependencies
- Fixed update temp/work cleanup
* Tue Aug 15 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-7
- Related: #2173874 Tomcat installs older java even though newer java is installed
- Bump release number
* Mon May 2 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.12-3
- Fixed package groups
- Fixed some permissions
- Fixed some links
- Removed old tomcat6 crap
* Fri Aug 11 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-6
- Resolves: #2173874 Tomcat installs older java even though newer java is installed
- Sync with rhel-8.8.0 branch
* Thu Apr 28 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.12-2
- Package now named just tomcat instead of tomcat7
- Removed Provides: %%{name}-log4j
- Switched to apache-commons-* names instead of jakarta-commons-* .
- Remove the old changelog
- BR/R java >= 1:1.6.0 , same for java-devel
- Removed old tomcat6 crap
* Thu Feb 16 2023 Coty Sutherland <csutherl@redhat.com> - 1:9.0.62-5
- Related: #2160455 Add conflicts to subpackage
* Wed Apr 27 2011 Ivan Afonichev <ivan.afonichev@gmail.com> 0:7.0.12-1
- Tomcat7
* Wed Feb 15 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-4
- Resolves: #2160455 Add Tomcat 9 to RHEL8
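Review bot: In the `ant` invocation the build now passes `-Dbnd.jar="HACK"`, so the placeholder file from `touch HACK` stands in for the bnd jar, while `BuildRequires: aqute-bnd` and `BuildRequires: aqute-bndlib` still appear in the header hunk (apparently unchanged, though the page has lost its +/- markers). If bnd is no longer used once remove-bnd-annotation.patch is applied, dropping those two BuildRequires would keep the build root to what the package actually needs. If any target in build.xml still uses bnd, the placeholder will make that step fail or quietly skip its output, so the build log is worth checking. A comment above the option, for example `# bnd is patched out by Patch6; HACK only satisfies the property`, would record why the two changes depend on each other.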
