ALP-pool/tomcat10
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Sync from SUSE:ALP:Source:Standard:1.0 tomcat10 revision 2dd7519b456bf3227264893c333a174c

Browse Source
This commit is contained in:
Adrian Schröter 2024-09-25 15:54:42 +02:00
parent c5278e049f
commit 45c73a24aa
8 changed files with 344 additions and 34 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
apache-tomcat-10.1.18-src.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

16
apache-tomcat-10.1.18-src.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmWYGCoACgkQHPApP6U8
pFgFuhAAuP0n+aPDB9AokSY4TQfRNZuJRRof9IjWZENwsCN+/8s0vejBLtuyRrfR
IFbE8DqdOFWZQTbuAWP4YtvBtXxTkwnNnkldhveABDOV63Fv5GyPtMHj2b2O1lay
LS6v40oy4816/l9muBY8w0bdUp7QHF/bvftGkvAw3ukqYDpNYs2zjP+Zvf1rNelV
Y9pXKoxfTe9JXKiggYHU/PuWEYsKvnBTos/lwJeNwr9yHo5lsOE2CQh4ix6O8OSP
YhmW+XrJTWhpFJiX99iN3lKFBJ0ZkTK//MaYOhvlF8JEAClbl9AMZtwkTu0z/yTN
jdUOMXB9mcABCHxibbEnSNEC1fTThvChvXFZxRfWlgdQr3PHGH6ncJKc9o3wNN1K
VKp45dsuvYRWGwwBN+D//U7GaWAkFGH1Tuk5WYgmd42c7fkPEoQ0m8eomWyoOdcN
OvtzypufTsrGM/Up7szgBOhCM7izy1t3qBQ+Zey5PHYiN8/astYtKbvb7XHaAP6O
/RrB4JV6euvgRgf4RBLHJmwWkPEzBysL1GEhJez5JjxCQNijS+9zmWwHPmjTcp+v
HVhG3AftBme3df2LR0AMzgfsQZsIiLdgcSrLqwmhl2N3rxZ2U5cRO/eyaMgia/Kw
atGk0QMZYwKH/EB41r5EiNtG0BIuRIq4a7Ssb1y0YpJQWvc89wc=
=pryG
-----END PGP SIGNATURE-----

BIN
apache-tomcat-10.1.25-src.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

17
apache-tomcat-10.1.25-src.tar.gz.asc Normal file
View File

@ -0,0 +1,17 @@
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmZsrB0ACgkQHPApP6U8
pFgWehAAsL94Pf+o5NqhdP9RXxOLfGkAjwC6UdWEGbi/UUhJz/tEx3A66P3eyKJx
KZw+0oqnwI9dXNry9TH3zZHk1Qj93HzOQRPolomCZWnwAcq964IutIc0PQMvga8+
kaNfCloaOo9+VPeOAQ5rSn2jbdui+lYuTvHUuMiJ2+/U33Dn45JtTY+sQZxGFI0D
OM9Bu7j64Vxp6tLMtYwcO33vsKnlT6WmC7NekkbyWlkLIDTKfaNp6PstKI1cxOvY
8Cc1G276iGjPsyf06ooPZ6yunXYOXXT5SSsyvsKdWyacdFQ9BxlC5asOIwr+OKjp
6tDIWK2RZQPs5fVGAeW4+6YN4jpTDrjjJvvC2M/Quyn7eRME0yB7qa6QAFM7mpqk
oATHa+np0X3a5iNHW6w61En1F8yG2DtMyxIApkS25SGyA3XCRmZy2v14WPEaJURb
PTrXY4+p18ae7cB6R5eoQZlBMxN+yqmwr7+RLcU3bTvMb65g19RPUcZ78/aKWteF
G0wHn/QQy1yjDg4zJ0RQZzF0GhChux/G8Is423PiAskQJjQMB2O39PJV3D+hbrwk
VXkH1JNwl5O18S76o0/t7eMF1Z1LViyS3Ldr/M9vpxtGmtX5VdfzmZ+Z6+JvAaZI
+Ae7aA9B3BLWGiAjJNsu2FBY94jx2FZJgedg3pvPIyFSP6+W1Hg=
=l6Tt
-----END PGP SIGNATURE-----

8
tomcat-10.1-build-with-java-11.patch
View File

@ -1,13 +1,13 @@
Index: apache-tomcat-10.1.18-src/build.xml
Index: apache-tomcat-10.1.25-src/build.xml
===================================================================
--- apache-tomcat-10.1.18-src.orig/build.xml
+++ apache-tomcat-10.1.18-src/build.xml
--- apache-tomcat-10.1.25-src.orig/build.xml
+++ apache-tomcat-10.1.25-src/build.xml
@@ -108,7 +108,7 @@
<!-- Keep in sync with webapps/docs/tomcat-docs.xsl -->
<property name="compile.release" value="11"/>
<property name="min.java.version" value="11"/>
- <property name="build.java.version" value="17"/>
+ <property name="build.java.version" value="11"/>
<property name="release.java.version" value="22"/>
<!-- Check Java Build Version -->
<fail message="Java version ${build.java.version} or newer is required (${java.version} is installed)">

18
tomcat-jdt.patch
View File

@ -1,8 +1,6 @@
Index: apache-tomcat-10.1.14-src/java/org/apache/jasper/compiler/JDTCompiler.java
===================================================================
--- apache-tomcat-10.1.14-src.orig/java/org/apache/jasper/compiler/JDTCompiler.java
+++ apache-tomcat-10.1.14-src/java/org/apache/jasper/compiler/JDTCompiler.java
@@ -310,13 +310,13 @@ public class JDTCompiler extends org.apa
--- apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java 2024-04-06 14:14:17.015180386 +0200
+++ apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java 2024-04-06 14:14:33.635284982 +0200
@@ -310,13 +310,13 @@
} else if(opt.equals("15")) {
settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
} else if(opt.equals("16")) {
@ -18,9 +16,9 @@ Index: apache-tomcat-10.1.14-src/java/org/apache/jasper/compiler/JDTCompiler.jav
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_19);
+ settings.put(CompilerOptions.OPTION_Source, "19");
} else if (opt.equals("20")) {
// Constant not available in latest ECJ version shipped with
// Tomcat. May be supported in a snapshot build.
@@ -383,17 +383,17 @@ public class JDTCompiler extends org.apa
// Constant not available in latest ECJ version that runs on
// Java 11.
@@ -388,17 +388,17 @@
settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
} else if(opt.equals("16")) {
@ -44,5 +42,5 @@ Index: apache-tomcat-10.1.14-src/java/org/apache/jasper/compiler/JDTCompiler.jav
+ settings.put(CompilerOptions.OPTION_TargetPlatform, "19");
+ settings.put(CompilerOptions.OPTION_Compliance, "19");
} else if (opt.equals("20")) {
// Constant not available in latest ECJ version shipped with
// Tomcat. May be supported in a snapshot build.
// Constant not available in latest ECJ version that runs on
// Java 11.

311
tomcat10.changes
View File

@ -1,3 +1,314 @@
-------------------------------------------------------------------
Tue Jul 9 12:52:37 UTC 2024 - Ricardo Mestre <ricardo.mestre@suse.com>
- Update to Tomcat 10.1.25
* Fixed CVEs:
+ CVE-2024-34750: Improper handling of exceptional conditions
(bsc#1227399)
* Catalina
+ Add: Add support for shallow copies when using WebDAV. (markt)
+ Code: Deprecate the WebdavFixFilter as it is no longer required. (markt)
+ Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64.
Submitted by Daniel Lyko. (remm)
+ Add: Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for
retrieving extended/additional information from an established GSS
context. (michaelo)
+ Fix: Correct a regression in the fix for 68721 that caused some instances
of LinkageError to be reported as ClassNotFoundException. (markt)
+ Fix: Ensure that static resources deployed via a JAR file remain
accessible when the context is configured to use a bloom filter. Based on
pull request #730 provided by bergander. (markt)
+ Add: Introduce reference counting so the AprLifecycleListener is more
robust. This particularly targets more complex embedded configurations
with multiple server instances with independent lifecycles where more than
one server instance requires the AprLifecycleListener. (markt)
+ Add: Small performance optimization when logging cookies with no values.
(schultz)
+ Fix: Correct error handling for asynchronous requests. If the application
performs an dispatch during AsyncListener.onError() the dispatch is now
performed rather than completing the request using the error page
mechanism. (markt)
+ Add: Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a
customizable style. (schultz)
+ Add: Add more timescale options to AccessLogValve and
ExtendedAccessLogValve. Allow timescales to apply to "time-taken" token in
ExtendedAccessLogValve. (schultz)
+ Fix: Fix WebDAV lock null (locks for non existing resources) thread safety
and removal. (remm)
+ Fix: Add periodic checking for WebDAV locks expiration. (remm)
+ Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo)
+ Fix: Remove MBean metadata for attibutes that have been removed. Based on
pull request #719 by Shawn Q. (markt)
+ Update: Deprecate and remove sessionCounter (replaced by the addition of
the active session count and the expired session count, as a reasonable
approximation) and duplicates (which does not represent a possible event
in current implementations) statistics from the session manager. (remm)
+ Fix: 68890 Align output encoding of JSPs in the Manager webapp with the
XML declarations in those same files. (schultz)
+ Fix: Update Basic authentication to implement the requirements of RFC 7617
including the changing of the trimCredentials setting which is now
defaults to false. Note that the trimCredentials setting will be removed
in Tomcat 11. (markt)
+ Fix: Change the thread-safety mechanism for protecting
StandardServer.services from a simple synchronized lock to a
ReentrantReadWriteLock to allow multiple readers to operate
simultaneously. Based upon a suggestion by Markus Wolfe. (schultz)
+ Fix: Improve Service connectors, Container children and Service executors
access sync using a ReentrantReadWriteLock. (remm)
+ Fix: Improve handling of integer overflow if an attempt is made to upload
a file via the Servlet API and the file is larger than
Integer.MAX_VALUE. (markt)
+ Fix: 68862: Handle possible response commit when processing read errors.
(remm)
* Jasper
+ Fix: 68546: Small additional optimisation for initial loading of Servlet
code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt)
+ Add: Add support for specifying Java 23 (with the value 23) as the
compiler source and/or compiler target for JSP compilation. If used with
an Eclipse JDT compiler version that does not support these values, a
warning will be logged and the default will used. (markt)
* Web applications
+ Add: Add the ability to set a sub-title for the Manager web application
main page. This is intended to allow users with lots of instances to
easily distinguish them. Based on pull request #724 by Simon Arame.
(markt)
+ Fix: Examples: Improve performance of WebSocket chat application when
multiple clients disconnect at the same time. (markt)
+ Update: Examples: Increase the number of previous messages displayed when
using the WebSocket chat application. (markt)
+ Fix: Examples: Improve performance of WebSocket snake application when
multiple clients disconnect at the same time. (markt)
* Coyote
+ Fix: Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer, and
use ERR_error_string_n instead. (remm)
+ Fix: Fix a crash on Windows setting CA certificate on null path. (remm)
+ Fix: 69068: Ensure read timouts are triggered for asynchronous,
non-blocking reads when using HTTP/2. (markt)
+ Update: 69133: Add task queue size configuration on the Connector element,
similar to the Executor element, for consistency. (remm)
+ Fix: Make counting of active HTTP/2 streams per connection more robust.
(markt)
+ Add: Add support for TLS 1.3 client initiated re-keying. (markt)
+ Fix: Improve the algorithm used to identify the IP address to use to
unlock the acceptor thread when a Connector is listening on all local
addresses. Interfaces that are configured for point to point connections
or are not currently up are now skipped. (markt)
+ Fix: Align non-secure and secure writes with NIO and skip the write
attempt when there are no bytes to be written. (markt)
+ Fix: Allow any positive value for socket.unlockTimeout. If a negative or
zero value is configured, the default of 250ms will be used. (mark)
+ Fix: Reduce the time spent waiting for the connector to unlock. The
previous default of 10s was noticeably too long for cases where the unlock
has failed. The wait time is now 100ms plus twice socket.unlockTimeout.
(markt)
+ Fix: Ensure that the onAllDataRead() event is triggered when the request
body uses chunked encoding and is read using non-blocking IO. (markt)
+ Fix: 68934: Add debug logging in the latch object when exceeding
maxConnections. (remm)
+ Fix: Refactor trailer field handling to use a MimeHeaders instance to
store trailer fields. (markt)
+ Fix: Ensure that multiple instances of the same trailer field are handled
correctly. (markt)
+ Fix: Fix non-blocking reads of chunked request bodies. (markt)
+ Fix: When an invalid HTTP response header was dropped, an off-by-one error
meant that the first header in the response was also dropped. Fix based on
pull request #710 by foremans. (markt)
+ Fix: Fix bnd jar descriptor to include the OpenSSL FFM support. (remm)
+ Fix: Add OpenSSL FFM classes to tomcat-embed-core.jar. (remm)
+ Add: Add OpenSSL integration using the FFM API rather than Tomcat Native.
OpenSSL support may be enabled by adding the
org.apache.catalina.core.OpenSSLLifecycleListener listener on the Server
element when using Java 22 or later. (remm)
* WebSocket
+ Fix: 68884: Reduce the write timeout when writing WebSocket close messages
for abnormal closes. The timeout defaults to 50 milliseconds and may be
controlled using the
org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT property
in the user properties collection associated with the WebSocket session.
(markt)
* Other
+ Update: Revert Derby to 10.16.1.1 as that is the latest version of Derby
that runs on Java 17. (markt)
+ Update: Update to Commons Daemon 1.4.0. (markt)
+ Update: Update to Objenesis 3.4. (markt)
+ Update: Update to Checkstyle 10.17.0. (markt)
+ Update: Update to SpotBugs 4.8.5. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Update: Switch to using the Base64 encoder and decoder provided by the JRE
rather than the version provided by Commons Codec. The internal fork of
Commons Codec has been deprecated and will be removed in Tomcat 11.
(markt)
+ Update: Update NSIS to 3.10. (mark0t)
+ Update: Update UnboundID to 7.0.0. (markt)
+ Update: Update Checkstyle to 10.16.0. (markt)
+ Update: Update JaCoCo to 0.8.12. (markt)
+ Update: Update SpotBugs to 4.8.4. (markt)
+ Update: Update the internal fork of Apache Commons BCEL to 6.9.0. (markt)
+ Update: Update the internal fork of Apache Commons DBCP to 2.12.0. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Fix: Release re-built using correct JDK version.
+ Update: Update the internal fork of Apache Commons BCEL to 6.8.2. (markt)
+ Update: Update the internal fork of Apache Commons Codec to 1.16.1.
(markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (remm)
+ Add: Improvements to Chinese translations by leeyazhou. (remm)
- Modified patch:
* tomcat-10.1-build-with-java-11.patch
+ rediff to changed context
-------------------------------------------------------------------
Fri Apr 5 16:00:06 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
- Update to Tomcat 10.1.20
* Fixed CVEs:
+ CVE-2024-24549: Improved request header validation for HTTP/2 stream
(bsc#1221386)
+ CVE-2024-23672: Ensure that WebSocket connection closure completes if
the connection is closed when the server side has used the proprietary
suspend/resume feature to suspend the connection (bsc#1221385)
* Catalina
+ Fix: Minor performance improvement for building filter chains.
Based on ideas from #702 by Luke Miao. (remm)
+ Fix: Align error handling for Writer and OutputStream. Ensure
use of either once the response has been recycled triggers a
NullPointerException provided that discardFacades is configured with
the default value of true. (markt)
+ Fix: 68692: The standard thread pool implementations that are
configured using the Executor element now implement ExecutorService
for better support NIO2. (remm)
+ Fix: 68495: When restoring a saved POST request after a
successful FORM authentication, ensure that neither the URI, the
query string nor the protocol are corrupted when restoring the
request body. (markt)
+ Fix: After forwarding a request, attempt to unwrap the
response in order to suspend it, instead of simply closing it if it
was wrapped. Add a new suspendWrappedResponseAfterForward boolean
attribute on Context to control the bahavior, defaulting to false.
(remm)
+ Fix: 68721: Workaround a possible cause of duplicate class
definitions when using ClassFileTransformers and the transformation
of a class also triggers the loading of the same class. (markt)
+ Fix: The rewrite valve should not do a rewrite if the output
is identical to the input. (remm)
+ Update: Add a new valveSkip (or VS) rule flag to the rewrite
valve to allow skipping over the next valve in the Catalina pipeline.
(remm)
+ Update: Add highConcurrencyStatus attribute to the
SemaphoreValve to optionally allow the valve to return an error
status code to the client when a permit cannot be acquired from the
semaphore. (remm)
+ Add: Add checking of the "age" of the running Tomcat instance
since its build-date to the SecurityListener, and log a warning if
the server is old. (schultz)
+ Fix: When using the AsyncContext, throw an
IllegalStateException, rather than allowing an NullPointerException,
if an attempt is made to use the AsyncContext after it has been
recycled. (markt)
+ Fix: Correct JPMS and OSGi meta-data for tomcat-embed-core.jar
by removing reference to org.apache.catalina.ssi package that is no
longer included in the JAR. Based on pull request #684 by Jendrik
Johannes. (markt)
+ Fix: Fix ServiceBindingPropertySource so that trailing \r\n
sequences are correctly removed from files containing property values
when configured to do so. Bug identified by Coverity Scan. (markt)
+ Add: Add improvements to the CSRF prevention filter including
the ability to skip adding nonces for resource name and subtree URL
patterns. (schultz)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
+ Fix: 68089: Further improve the performance of request
attribute access for ApplicationHttpRequest and ApplicationRequest.
(markt)
+ Fix: 68559: Allow asynchronous error handling to write to the
response after an error during asynchronous processing. (markt)
* Coyote
+ Fix: Improve the HTTP/2 stream prioritisation process. If a
stream uses all of the connection windows and still has content to
write, it will now be added to the backlog immediately rather than
waiting until the write attempt for the remaining content. (markt)
+ Fix: Add threadsMaxIdleTime attribute to the endpoint, to
allow configuring the amount of time before an internal executor will
scale back to the configured minSpareThreads size. (remm)
+ Fix: Correct a regression in the support for user provided
SSLContext instances that broke the
org.apache.catalina.security.TLSCertificateReloadListener. (markt)
+ Fix: Setting a null value for a cookie attribute should remove
the attribute. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that
once a connection is marked to be closed, further asynchronous
processing cannot change that. (markt)
+ Fix: Make asynchronous error handling more robust. Ensure that
once the call to AsyncListener.onError() has returned to the
container, only container threads can access the AsyncContext. This
protects against various race conditions that woudl otherwise occur
if application threads continued to access the AsyncContext.
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. In particular, most of
the HTTP/2 debug logging has been changed to trace level. (remm)
+ Fix: Add support for user provided SSLContext instances
configured on SSLHostConfigCertificate instances. Based on pull
request #673 provided by Hakan Altındağ. (markt)
+ Fix: Partial fix for 68558: Cache the result of converting to
String for request URI, HTTP header names and the request
Content-Type value to improve performance by reducing repeated byte[]
to String conversions. (markt)
+ Fix: Improve error reporting to HTTP/2 clients for header
processing errors by reporting problems at the end of the frame where
the error was detected rather than at the end of the headers. (markt)
+ Fix: Remove the remaining reference to a stream once the
stream has been recycled. This makes the stream eligible for garbage
collection earlier and thereby improves scalability. (markt)
* Jasper
+ Add: Add support for specifying Java 22 (with the value 22) as
the compiler source and/or compiler target for JSP compilation. If
used with an Eclipse JDT compiler version that does not support these
values, a warning will be logged and the default will used. (markt)
+ Fix: Handle the case where the JSP engine forwards a
request/response to a Servlet that uses an OutputStream rather than a
Writer. This was triggering an IllegalStateException on code paths
where there was a subsequent attempt to obtain a Writer. (markt)
+ Fix: Correctly handle the case where a tag library is packaged
in a JAR file and the web application is deployed as a WAR file
rather than an unpacked directory. (markt)
+ Fix: 68546: Generate optimal size and types for JSP imports
maps, as suggested by John Engebretson. (remm)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
* Cluster
+ Fix: Avoid updating request count stats on async. (remm)
* WebSocket
+ Fix: Correct a regression in the fix for 66508 that could
cause an UpgradeProcessor leak in some circumstances. (markt)
+ Fix: Review usage of debug logging and downgrade trace or data
dumping operations from debug level to trace. (remm)
+ Fix: Ensure that WebSocket connection closure completes if the
connection is closed when the server side has used the proprietary
suspend/resume feature to suspend the connection. (markt)
* Web applications
Add: Add support for responses in JSON format from the examples
application RequestHeaderExample. (schultz)
* Other
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Fix: 57130: Allow digest.(sh|bat) to accept password from a
file or stdin. (csutherl/schultz)
+ Update: Update Checkstyle to 10.14.1. (markt)
+ Fix: Correct the remaining OSGi contract references in the
manifest files to refer to the Jakarta EE contract names rather than
the Java EE contract names. Based on pull request #685 provided by
Paul A. Nicolucci. (markt)
+ Update: Update Checkstyle to 10.13.0. (markt)
+ Update: Update JSign to 6.0. (markt)
+ Update: Update the packaged version of the Tomcat Migration
Tool for Jakarta EE to 1.0.7. (markt)
+ Update: Update Tomcat Native to 2.0.7. (markt)
+ Update: Add strings for debug level messages. (remm)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
- Regenerated patch: tomcat-jdt.patch
-------------------------------------------------------------------
Wed Mar 6 07:18:06 UTC 2024 - Dan Čermák <dcermak@suse.com>

2
tomcat10.spec
View File

@ -29,7 +29,7 @@
%define elspec %{elspec_major}.%{elspec_minor}
%define major_version 10
%define minor_version 1
%define micro_version 18
%define micro_version 25
%define java_major 1
%define java_minor 11
%define java_version %{java_major}.%{java_minor}