Sync from SUSE:SLFO:Main tomcat revision d68f6fd9d7bd5158d59aa392ec48e91f

2024-05-31 15:01:27 +02:00 · 2024-05-31 15:01:27 +02:00 · ef0b4fbb59
commit ef0b4fbb59
parent f5715fa1a7
6 changed files with 129 additions and 20 deletions
--- a/apache-tomcat-9.0.85-src.tar.gz
+++ b/apache-tomcat-9.0.85-src.tar.gz
--- a/apache-tomcat-9.0.85-src.tar.gz.asc
+++ b/apache-tomcat-9.0.85-src.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmWXwOIACgkQaCSJWTWe
-civPQA//Qy3b3J48H/thEWhTYXy+KlcRP8p10iJu/dtSRbU1kkjP8Cj5jl0j1TXJ
-tf/qygoBV2ckJAVyJkul7TXsA5Memj2MoaK32bm/GEXd1Cv1BClBC2qDsSWcca/C
-Ua3q/2tg9muVo3JhETash2iQN4AtIbeELrsRTwvV3+w1eeJ0OcE84xytSw0b3FQu
-rv1rWBfzTnkGPB4Uipzpq6aXZtfW5B9isEhb1MniAHZYKMWhJ9svS0hWvQzhPHYo
-X5sbmkhqht2MwVdUfw9CTwITydcRsJkdz1rMtcGXbfVEhvrZi9jeM0ygqf+RxPhi
-nCSea80CeaKv4DFh3h0zYhk9k+Y6j23X4gF15tYz3JxV+tDTPD2nNnDXFyKg3RAH
-CddjOXBQONKx1O1C4D1MkBaQdNwm1qS2rooxd61sMsYAuWACUMaIBn9SozwtyJ3K
-WQx4nrpXOuLoqFGOv7eiVW5bYnxyg4jiQr6kWMFMXGhZtY9uj3uL1Ojll0EsRx1C
-yIJHh0nVKuze2zuqMqp5g40q4f2/fFl3LJoArOkunxDpi8X4HpMP1STY+0dxOSxb
-Mm9nF/10YpCyvZkvAdw3ymJEecXUJKAJiG3xCOUzCHtYnsF09kyqQ9Ho01CC5nSB
-hCJ6kCqRAhE3jS0sXNh9HLKvHcvJGZ2IT/40AU9oRSVzZncMEUc=
-=bszF
-----END PGP SIGNATURE-----
--- a/apache-tomcat-9.0.87-src.tar.gz
+++ b/apache-tomcat-9.0.87-src.tar.gz
--- a/apache-tomcat-9.0.87-src.tar.gz.asc
+++ b/apache-tomcat-9.0.87-src.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmXu2nYACgkQaCSJWTWe
+cis4lg//VHmtdBX2BrPuE8AV2R3ob9KI4uxrBxfjukb/HfvsXT1Zz00R27HVbKln
+h1hx7PCTrVJq+sHLDiDnYF1FDC5M+atvryoXcFIAEgnkqQ4toSgqBTa85NcRxrKY
+lBnQrZ5ZF5MJ7h+E8r7PIXwjbKbcvMLnhqvXwIB6TOMgUC3UOwZPN2vvq20XqYHA
+tevMCDLdMjcAdiOMqkekmq6y8KaEMoEY2rJG3KHCPXKkVQflQoX1bNs88vSd4t4F
+CQTcLauo9oyT+IaaanJWrawnKxlAD6x8QuFkJWNK2SC7145IGWeo1R32xzPvQdau
+Lu69YayASXq2nilYCLI3uZQ4tFSjCosi+DZaJVatMi2wbGXheau36vS8WLYkroWt
+w9deOo+KYiibckgEGbEncAD54sBVKF5Eun751CzSDZC1yV+08oII16koIl0TQlcd
+ZFhpIgQ5fo19VUReLQ9JlR98vbLnVFGg+3GVzHqfIATrVuulaliw6HOK7UT/ixFX
+jWNdR+/szFe3gTy+RifMU4C3D0hWEhRQGjnVoUPdck2ANBOm5CPV3R5IL2ej03yj
+LYXCJ++r+e/O5tftlax2Tnpmxzo0HFrQCSr+1HTsE4VY7Upy0liiV3btBWPcKKVp
+0e3E2wYv9P1PcTJD+XUOLX1yuYZv0xCS5fQ4t/ZlSR2R20+rUu4=
+=F+I2
+-----END PGP SIGNATURE-----
--- a/tomcat.changes
+++ b/tomcat.changes
@ -1,3 +1,112 @@
+-------------------------------------------------------------------
+Fri Apr  5 14:24:14 UTC 2024 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 9.0.87
+  * Fixed CVEs:
+    + CVE-2024-24549: Improved request header validation for HTTP/2 stream 
+      (bsc#1221386)
+    + CVE-2024-23672: Ensure that WebSocket connection closure completes if 
+      the connection is closed when the server side has used the proprietary 
+      suspend/resume feature to suspend the connection (bsc#1221385)
+  * Catalina
+    + Fix:  Minor performance improvement for building filter chains. Based 
+      on ideas from #702 by Luke Miao. (remm)
+    + Fix:  Align error handling for Writer and OutputStream. Ensure use of 
+      either once the response has been recycled triggers a 
+      NullPointerException provided that discardFacades is configured with 
+      the default value of true. (markt)
+    + Fix:  68692: The standard thread pool implementations that are configured
+      using the Executor element now implement ExecutorService for better 
+      support NIO2. (remm)
+    + Fix:  68495: When restoring a saved POST request after a successful FORM 
+      authentication, ensure that neither the URI, the query string nor the 
+      protocol are corrupted when restoring the request body. (markt)
+    + Fix:  68721: Workaround a possible cause of duplicate class definitions 
+      when using ClassFileTransformers and the transformation of a class also
+      triggers the loading of the same class. (markt)
+    + Fix:  The rewrite valve should not do a rewrite if the output is 
+      identical to the input. (remm)
+    + Update:  Add a new valveSkip (or VS) rule flag to the rewrite valve to 
+      allow skipping over the next valve in the Catalina pipeline. (remm)
+    + Fix:  Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by 
+      removing reference to org.apache.catalina.ssi package that is no longer 
+      included in the JAR. Based on pull request #684 by Jendrik Johannes. 
+      (markt)
+    + Fix:  Fix ServiceBindingPropertySource so that trailing \r\n sequences 
+      are correctly removed from files containing property values when 
+      configured to do so. Bug identified by Coverity Scan. (markt)
+    + Add:  Add improvements to the CSRF prevention filter including the 
+      ability to skip adding nonces for resource name and subtree URL patterns.
+      (schultz)
+    + Fix:  Review usage of debug logging and downgrade trace or data dumping 
+      operations from debug level to trace. (remm)
+    + Fix:  68089: Further improve the performance of request attribute 
+      access for ApplicationHttpRequest and ApplicationRequest. (markt)
+    + Fix:  68559: Allow asynchronous error handling to write to the 
+      response after an error during asynchronous processing. (markt)
+  * Coyote
+    + Fix:  Improve the HTTP/2 stream prioritisation process. If a stream 
+      uses all of the connection windows and still has content to write, it 
+      will now be added to the backlog immediately rather than waiting until 
+      the write  attempt for the remaining content. (markt)
+    + Fix:  Make asynchronous error handling more robust. Ensure that once 
+      a connection is marked to be closed, further asynchronous processing 
+      cannot change that. (markt)
+    + Fix:  Make asynchronous error handling more robust. Ensure that once 
+      the call to AsyncListener.onError() has returned to the container, only 
+      container threads can access the AsyncContext. This protects against 
+      various race conditions that woudl otherwise occur if application threads
+      continued to access the AsyncContext.
+    + Fix:  Review usage of debug logging and downgrade trace or data 
+      dumping operations from debug level to trace. In particular, most of the 
+      HTTP/2 debug logging has been changed to trace level. (remm)
+    + Fix:  Add support for user provided SSLContext instances configured 
+      on SSLHostConfigCertificate instances. Based on pull request #673 
+      provided by Hakan Altındağ. (markt)
+    + Fix:  Improve the Tomcat Native shutdown process to reduce the likelihood
+      of a JVM crash during Tomcat shutdown. (markt)
+    + Fix:  Partial fix for 68558: Cache the result of converting to String 
+      for request URI, HTTP header names and the request Content-Type value to 
+      improve performance by reducing repeated byte[] to String conversions. 
+      (markt)
+    + Fix:  Improve error reporting to HTTP/2 clients for header processing 
+      errors by reporting problems at the end of the frame where the error was 
+      detected rather than at the end of the headers. (markt)
+    + Fix:  Remove the remaining reference to a stream once the stream has 
+      been recycled. This makes the stream eligible for garbage collection 
+      earlier and thereby improves scalability. (markt)
+  * Jasper
+    + Add:  Add support for specifying Java 22 (with the value 22) as the 
+      compiler source and/or compiler target for JSP compilation. If used with 
+      an  Eclipse JDT compiler version that does not support these values, a 
+      warning will be logged and the default will used. (markt)
+    + Fix:  68546: Generate optimal size and types for JSP imports maps, as 
+      suggested by John Engebretson. (remm)
+    + Fix:  Review usage of debug logging and downgrade trace or data 
+      dumping operations from debug level to trace. (remm)
+  * Cluster
+    + Fix:  Avoid updating request count stats on async. (remm)
+  * WebSocket
+    + Fix:  Correct a regression in the fix for 66508 that could cause an 
+      UpgradeProcessor leak in some circumstances. (markt)
+    + Fix:  Review usage of debug logging and downgrade trace or data dumping
+      operations from debug level to trace. (remm)
+    + Fix:  Ensure that WebSocket connection closure completes if the 
+      connection is closed when the server side has used the proprietary 
+      suspend/resume feature to suspend the connection. (markt)
+  * Web applications
+    + Add:  Add support for responses in JSON format from the examples 
+      application RequestHeaderExample. (schultz)
+  * Other
+    + Add:  Improvements to French translations. (remm)
+    + Add:  Improvements to Japanese translations by tak7iji. (markt)
+    + Update:  Update Checkstyle to 10.13.0. (markt)
+    + Update:  Update JSign to 6.0. (markt)
+    + Update:  Add strings for debug level messages. (remm)
+    + Update:  Update Tomcat Native to 1.3.0. (markt)
+    + Add:  Improvements to French translations. (remm)
+    + Add:  Improvements to Japanese translations by tak7iji. (markt)
+
 -------------------------------------------------------------------
 Wed Mar  6 07:18:06 UTC 2024 - Dan Čermák <dcermak@suse.com>

--- a/tomcat.spec
+++ b/tomcat.spec
@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 85
+%define micro_version 87
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}