Sync from SUSE:SLFO:Main tomcat10 revision 9a1b91cf4c5733c2a6a896baecd52142

apache-tomcat-10.1.33-src.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmctQNkACgkQHPApP6U8
-pFh07hAAr5HSdAPPXY6nFxISOaA1EiZ+9x9WXre2b7NOzs7Z0/a8/kbApZ818pq6
-qeIgv9kld/hGigF+mXt8oyvBHe87+UK715/V2bQ0plcJtn2Pya/+OMpty8QqARIP
-MM5eO31PiZw9zV9zQXVospfEW9zUX2X37zAPkJ7YEEFwtITob889SvnI6Nd2alw6
-Qj0ok3ydAGytRbnTBLTXawJpxOKlQMDDiuZ+Wq61uczCX6Pz1klpSxL1Qg/Dhsci
-MJmVz1WLTYkzIXaHsBzBeA/ZshTrPmbgYspv/rfT074tx8fTMYQj96lnBukrZYDv
-7fmqIB+TG8AwSNgiTWU+L0DZNbm8dy7kjEMV3y2o6Wymwkf4cFZCXvLZaQad2/3e
-WuTSoKW0SvFmLtu+RNDtwFSYVraoFgpYaSCdsCgHpHzBs0h3vquFtp38adIJi8+N
-SA10JFPQddloCQ/HBVmSVFacagsxW+fI4m0BGSS2fgbHtM8CrWjoLMjQj3WYt0lQ
-6IDIMAvWxVLQ7ofGkKapebQXA3YOCrt+I66+baaoACbKtrlAg1ts6cpuLIGoxWpd
-/q6BckAOg1+fL6N57DzydeuMf2rCVw9pdNGQAcPcJ6nSg5BcxKcmDBPZ1lit9MgG
-dENk7FhN4/AmGKiL2GsWXa1Z840/3NuSiD9V5Q2vWMce9SmPpGY=
-=ZcO8
------END PGP SIGNATURE-----

apache-tomcat-10.1.34-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmdRzrQACgkQHPApP6U8
+pFhZQxAAnH4jJMx+v+QL24U1Zm7VJCZv+9BPqJa7M5GbHpoOZbtbLYAguPRiQ7eg
+DpmEiotkE/UihXSTSOpPI3u1WLjrfmiRjmrbYwtVbPyca/6xUbj3wbD+W1ody64v
+sfvfiX5T9TtsPYvB9ASyjMMBd4/PQP0EzUswc1W4+moooS+FtS1uvFHq8VYjcWMI
+Qn13+k4JldJCvPfWRl1VDY9nY/+25xYud5wuIzqTQ/QXslO6lbxZFgaIVRhN2PDo
+wCKgP3RKvDRBsPo1Zp+Jk5btur/c2L7WySFQVOpJszKRSs2LpnJwKybRJNaExTAK
+m55tZEPJOx2DshH7g506pc4jtkEY9/9SbxVZNjxCrrnyjQwulUyHDg3yA+fOV0eA
+VO0tnineWkqsybAa4271S+IZq3RqjJFH+g4w6NH4CDy+kcrT10KBv/h9/70AFQF7
+XehD8rvqYXMOVvxnlh045iG0A3qHmq5QVGqRasOnxnSnxYNpkn/zOAZxNUH82c6B
+i3VoFCVkmtqErLRe4zvSc3MLTKbjiIW4DJgDFCyD62Tq+l1xBjMtmpyHfcT1HlRd
+LkkgcgOfLKrZTGWwTJKhBUIaRcCuJ5ja623bry/Fsh9SwHDRGtJy8d9BV3tOmY7l
+geeo5pD8/2WihjjJy9spcwM8G9swdxwlKRHq7aANMvFz2fyOQE4=
+=nSkP
+-----END PGP SIGNATURE-----

tomcat-jdt.patch

@@ -1,15 +1,15 @@
---- apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java	2024-04-06 14:14:17.015180386 +0200
-+++ apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java	2024-04-06 14:14:33.635284982 +0200
-@@ -310,13 +310,13 @@
-             } else if(opt.equals("15")) {
+--- apache-tomcat-10.1.34-src/java/org/apache/jasper/compiler/JDTCompiler.java     2025-01-03 18:40:16.470885660 +0000
++++ apache-tomcat-10.1.34-src/java/org/apache/jasper/compiler/JDTCompiler.java    2024-12-05 16:01:16.000000000 +0000
+@@ -298,13 +298,13 @@
+             } else if (opt.equals("15")) {
                  settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
-             } else if(opt.equals("16")) {
+             } else if (opt.equals("16")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
 +                settings.put(CompilerOptions.OPTION_Source, "16");
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_17);
 +                settings.put(CompilerOptions.OPTION_Source, "17");
-             } else if(opt.equals("18")) {
+             } else if (opt.equals("18")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_18);
 +                settings.put(CompilerOptions.OPTION_Source, "18");
              } else if (opt.equals("19")) {
@@ -18,20 +18,20 @@
              } else if (opt.equals("20")) {
                  // Constant not available in latest ECJ version that runs on
                  // Java 11.
-@@ -388,17 +388,17 @@
+@@ -386,17 +386,17 @@
                  settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
                  settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
-             } else if(opt.equals("16")) {
+             } else if (opt.equals("16")) {
 -                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16);
 -                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16);
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "16");
 +                settings.put(CompilerOptions.OPTION_Compliance, "16");
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
 -                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_17);
 -                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_17);
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "17");
 +                settings.put(CompilerOptions.OPTION_Compliance, "17");
-             } else if(opt.equals("18")) {
+             } else if (opt.equals("18")) {
 -                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_18);
 -                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_18);
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "18");

tomcat10.changes

@@ -1,3 +1,118 @@
+-------------------------------------------------------------------
+Fri Jan  3 18:33:44 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 10.1.34
+  * Fixed CVEs:
+    + CVE-2024-54677: DoS in examples web application (bsc#1233434)
+    + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663) 
+  * Catalina
+    + Add: Add option to serve resources from subpath only with WebDAV Servlet
+      like with DefaultServlet. (michaelo)
+    + Fix: Add special handling for the protocols attribute of SSLHostConfig in
+      storeconfig. (remm)
+    + Fix: 69442: Fix case sensitive check on content-type when parsing request
+      parameters. (remm)
+    + Code: Refactor duplicate code for extracting media type and subtype from
+      content-type into a single method. (markt)
+    + Fix: Compatibility of generated embedded code with components where
+      constructors or property related methods throw a checked exception. (remm)
+    + Fix: The previous fix for inconsistent resource metadata during concurrent
+      reads and writes was incomplete. (markt)
+    + Fix: #780: Fix content-range header length. Submitted by Chenjp. (remm)
+    + Fix: 69444: Ensure that the jakarta.servlet.error.message request
+      attribute is set when an application defined error page is called. (markt)
+    + Fix: Avoid quotes for numeric values in the JSON generated by the status
+      servlet. (remm)
+    + Add: Add strong ETag support for the WebDAV and default servlet, which can
+      be enabled by using the useStrongETags init parameter with a value set to
+      true. The ETag generated will be a SHA-1 checksum of the resource content.
+      (remm)
+    + Fix: Use client locale for directory listings. (remm)
+    + Fix: 69439: Improve the handling of multiple Cache-Control headers in the
+      ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
+    + Fix: 69447: Update the support for caching classes the web application
+      class loader cannot find to take account of classes loaded from external
+      repositories. Prior to this fix, these classes could be incorrectly marked
+      as not found. (markt)
+    + Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by
+      users will not be removed and any header present in a HEAD request will
+      also be present in the equivalent GET request. There may be some headers,
+      as per RFC 9110, section 9.3.2, that are present in a GET request that are
+      not present in the equivalent HEAD request. (markt)
+    + Fix: 69471: Log instances of CloseNowException caught by
+      ApplicationDispatcher.invoke() at debug level rather than error level as
+      they are very likely to have been caused by a client disconnection or
+      similar I/O issue. (markt)
+    + Add: Add a test case for the fix for 69442. Also refactor references to
+      application/x-www-form-urlencoded. Based on pull request #779 by Chenjp.
+      (markt)
+    + Fix: 69476: Catch possible ISE when trying to report PUT failure in the
+      DefaultServlet. (remm)
+    + Add: Add support for RateLimit header fields for HTTP (draft) in the
+      RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
+    + Add: #787: Add regression tests for 69478. Pull request provided by Thomas
+      Krisch. (markt)
+    + Fix: The default servlet now rejects HTTP range requests when two or more
+      of the requested ranges overlap. Based on pull request #782 provided by
+      Chenjp. (markt)
+    + Fix: Enhance Content-Range verification for partial PUT requests handled
+      by the default servlet. Provided by Chenjp in pull request #778. (markt)
+    + Fix: Harmonize DataSourceStore lookup in the global resources to
+      optionally avoid the comp/env prefix which is usually not used there.
+      (remm)
+    + Fix: As required by RFC 9110, the HTTP Range header will now only be
+      processed for GET requests. Based on pull request #790 provided by Chenjp.
+      (markt)
+    + Fix: Deprecate the useAcceptRanges initialisation parameter for the
+      default servlet. It will be removed in Tomcat 12 onwards where it will
+      effectively be hard coded to true. (markt)
+    + Add: Add DataSource based property storage for the WebdavServlet. (remm)
+
+  * Coyote
+    + Fix: Align encodedSolidusHandling with the Servlet specification. If the
+      pass-through mode is used, any %25 sequences will now also be passed
+      through to avoid errors and/or corruption when the application decodes the
+      path. (markt)
+
+  * Jasper
+    + Fix: Follow-up to the fix for 69381. Apply the optimisation for method
+      lookup performance in expression language to an additional location.
+      (markt)
+
+  * Web applications
+    + Fix: Documentation. Remove references to the ResourceParams element.
+      Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
+    + Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter.
+      The attribute is internalProxies rather than allowedInternalProxies. Pull
+      request #786 provided by Jorge Díaz. (markt)
+    + Fix: Examples. Fix broken links when Servlet Request Info example is
+      called via a URL that includes a pathInfo component. (markt)
+    + Fix: Examples. Expand the obfuscation of session cookie values in the
+      request header example to JSON responses. (markt)
+    + Add: Examples. Add the ability to delete session attributes in the servlet
+      session example. (markt)
+    + Add: Examples. Add a hard coded limit of 10 attributes per session for the
+      servlet session example. (markt)
+    + Add: Examples. Add the ability to delete session attributes and add a hard
+      coded limit of 10 attributes per session for the JSP form authentication
+      example. (markt)
+    + Add: Examples. Limit the shopping cart example to only allow adding the
+      pre-defined items to the cart. (markt)
+    + Fix: Examples. Remove JSP calendar example. (markt)
+
+  * Other
+    + Fix: 69465: Fix warnings during native image compilation using the Tomcat
+      embedded JARs. (markt)
+    + Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
+    + Update: Update EasyMock to 5.5.0. (markt)
+    + Update: Update Checkstyle to 10.20.2. (markt)
+    + Update: Update BND to 7.1.0. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Korean translations. (markt)
+    + Add: Improvements to Chinese translations. (markt)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+
+
 -------------------------------------------------------------------
 Sat Nov 23 00:01:04 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
 

tomcat10.spec

@@ -29,7 +29,7 @@
 %define elspec %{elspec_major}.%{elspec_minor}
 %define major_version 10
 %define minor_version 1
-%define micro_version 33
+%define micro_version 34
 %define java_major 1
 %define java_minor 11
 %define java_version %{java_major}.%{java_minor}