Accepting request 1299337 from Java:packages

OBS-URL: https://build.opensuse.org/request/show/1299337
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat11?expand=0&rev=5

apache-tomcat-11.0.6-src.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAmfr/o8ACgkQEMAcWi9g
-WecdvxAA9qQwEx53mR0rlzpXAVc5ORdDmyC/rGY59oxyCsq22sWpLPRi5NBpohv7
-xRqnnFJVi+YC8c1J+M4g+d1hJWRwC0S6auydofL2EbkKx3t6WbD+ku0syXfz+5ia
-D4rOo55HZKEFXiMJexBLadC8VCTmKjT3Jng66/XLrAtlPHhcdyzaI+umbqTi2yNu
-VoWVB6IDAxW6YoubouhHt35EXQTTYL8EqE6iLKsNgxHOula/Yj/L2lAgiiIU/aPV
-gtJfP7WiR34Gdug/ppAdE0aatxkp+lANd5s1TPMGhmDvkI+n8tMpAeA91Q2cBoOT
-KpVJvKnSID5xxiJVHRSNPgGUxR5s0USAEkLkJpKIgjwnEaIsJZwPJXepdSRaNURt
-MP1/mYO9/5Fi93oUx+1RrJCmrTUlF4nA/zfSFOt49fovhU20l42zEHjFsNKVmqet
-8eaBOwfjpiurr0vPklziJ3kdyV2AiiX+n9prNzAh5tZ3I9bripSWPYFG1gBw0Ln6
-As3X5EjaQto1YkLOQ9oKNzzNVKoQ5wh/dfGxr4VY0FFuXBIWRiy5IFXEZH55ssGZ
-7m5jqIDUmyQ+M+J+WvdVSHJfzGO9O8Ms9DIKrEoMV9gXcz9eMtFvbECFeCDFJQit
-CD3T8rL5AlbDoU+GV111a94RMiUnvZUe2EtQockfMOHP1o/LhLk=
-=+ON7
------END PGP SIGNATURE-----

apache-tomcat-11.0.9-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAmhkURgACgkQEMAcWi9g
+WeckXQ//fn7jwCs78FjdqvF65OV3hTkhWcmd7JHBc0at/9ol/FofUE2s4VanpqKc
+ykjQuxbHMA/gajpgvUNeW0CuJjlFAfRPl0pibCw3rdkUHH5i/JO65zvNpN0wQjWj
+8Jxb8KZfgn0LtQnYSa4h7hFN3D17GiAJkmWgdpJY/fJpeQep3zBvEX0WZx6bSQfn
+zEBmbXVC+oLd+M60j/q9K2cwpl8QVqy2kKejvIS0pz4Nugg9jm/MifwMAAfzqhoO
+L2xstI3sTxpAQfuD3tHuqjuUKIcX+QnyfeBdTNAizP7nuwy4jb262HoWO42reJCz
+MTe3kzeev0BvemdCVBvT6ZURgoYfpVtGlzRu79/8kxmyayvqAFSVBOZEz0G9IkXL
+L9MdLCIwIZqEU7gM2k7Ayi2jrnBDj1edAX/C+/qFCwU8juXCpxLMGEwwld1ns14n
+XZ8NsFjKSZ01a2bowLtGXrj0yWGyGTt1lhj6vMNQl1v7c3/e+kuwBQkB0yZVjrZu
+lbA2WHZT5B0RFG3QgFucvRRJwHxdFZ8ZApYpNcdkwT58Lz1ZF1t7ovg5lWBdB9MN
+izN925A0zAbt8is3++d0J7QRcVopCHd+551f4pZID0upiBb5IBOB7GPF0/6ucRac
+LiGm74GGISa1OLu545N6g8m3r1CzhfAktcd+no/25WgoaeN04ro=
+=TW1e
+-----END PGP SIGNATURE-----

tomcat-jdt.patch

@@ -1,8 +1,8 @@
-Index: apache-tomcat-11.0.6-src/java/org/apache/jasper/compiler/JDTCompiler.java
+Index: apache-tomcat-11.0.9-src/java/org/apache/jasper/compiler/JDTCompiler.java
 ===================================================================
---- apache-tomcat-11.0.6-src.orig/java/org/apache/jasper/compiler/JDTCompiler.java
-+++ apache-tomcat-11.0.6-src/java/org/apache/jasper/compiler/JDTCompiler.java
-@@ -310,21 +310,21 @@ public class JDTCompiler extends org.apa
+--- apache-tomcat-11.0.9-src.orig/java/org/apache/jasper/compiler/JDTCompiler.java
++++ apache-tomcat-11.0.9-src/java/org/apache/jasper/compiler/JDTCompiler.java
+@@ -318,23 +318,23 @@ public class JDTCompiler extends org.apa
              } else if (opt.equals("15")) {
                  settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
              } else if (opt.equals("16")) {
@@ -30,9 +30,12 @@ Index: apache-tomcat-11.0.6-src/java/org/apache/jasper/compiler/JDTCompiler.java
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_23);
 +                settings.put(CompilerOptions.OPTION_Source, "23");
              } else if (opt.equals("24")) {
+-                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_24);
++                settings.put(CompilerOptions.OPTION_Source, "24");
+             } else if (opt.equals("25")) {
                  // Constant not available in latest ECJ version shipped with
                  // Tomcat. May be supported in a snapshot build.
-@@ -337,11 +337,11 @@ public class JDTCompiler extends org.apa
+@@ -342,11 +342,11 @@ public class JDTCompiler extends org.apa
                  settings.put(CompilerOptions.OPTION_Source, "25");
              } else {
                  log.warn(Localizer.getMessage("jsp.warning.unknown.sourceVM", opt));
@@ -46,7 +49,7 @@ Index: apache-tomcat-11.0.6-src/java/org/apache/jasper/compiler/JDTCompiler.java
          }
  
          // Target JVM
-@@ -391,29 +391,29 @@ public class JDTCompiler extends org.apa
+@@ -396,32 +396,32 @@ public class JDTCompiler extends org.apa
                  settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
                  settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
              } else if (opt.equals("16")) {
@@ -90,9 +93,14 @@ Index: apache-tomcat-11.0.6-src/java/org/apache/jasper/compiler/JDTCompiler.java
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "23");
 +                settings.put(CompilerOptions.OPTION_Compliance, "23");
              } else if (opt.equals("24")) {
+-                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_24);
+-                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_24);
++                settings.put(CompilerOptions.OPTION_TargetPlatform, "24");
++                settings.put(CompilerOptions.OPTION_Compliance, "24");
+             } else if (opt.equals("25")) {
                  // Constant not available in latest ECJ version shipped with
                  // Tomcat. May be supported in a snapshot build.
-@@ -428,12 +428,12 @@ public class JDTCompiler extends org.apa
+@@ -430,12 +430,12 @@ public class JDTCompiler extends org.apa
                  settings.put(CompilerOptions.OPTION_Compliance, "25");
              } else {
                  log.warn(Localizer.getMessage("jsp.warning.unknown.targetVM", opt));

tomcat11.changes

@@ -1,3 +1,169 @@
+-------------------------------------------------------------------
+Wed Aug  6 13:07:07 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 11.0.9
+  - adapt tomcat-jdt.patch
+  * Fixed CVEs:
+    + CVE-2025-52520: Align size tracking for multipart requests with
+      FileUpload's use of long. (bsc#1246388)
+    + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier.
+      (bsc#1246318)
+  * Catalina
+    + Fix: Ensure application configured welcome files override the defaults
+      when configuring an embedded web application programmatically. (markt)
+    + Update: Optimize Request#getCharsetHolder to avoid repeated parsing when
+      charset is null. Patch provided by morning-gu. (schultz)
+    + Fix: Allow the default servlet to set the content length when the content
+      length is known, no content has been written and a Writer is being used.
+      (markt)
+    + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that
+      prevented access to PreResources and PostResources when mounted below the
+      web application root with a path that was terminated with a file
+      separator. (remm/markt)
+    + Fix: 69731: Fix an issue that meant that the value of maxParameterCount
+      applied was smaller than intended for multipart uploads with non-file
+      parts when the parts were processed before query string parameters.
+      (markt)
+    + Fix: Align size tracking for multipart requests with FileUpload's use of
+      long. (schultz)
+  * Coyote
+    + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update
+      the documentation to provide more details on the memory requirements to
+      support multi-part uploads while avoiding a denial of service risk.
+      (markt)
+    + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding
+      when the headers include a content-length. (remm/markt)
+    + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting
+      one request multiple times. Based on pull request #868 by qingdaoheze.
+      (markt)
+    + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value
+      of useVirtualThreads in JMX. (remm)
+    + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional
+      certificate verification and improve the warnings when a web application
+      tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of
+      TLS 1.3. (markt)
+    + Fix: When setting the initial HTTP/2 connection limit, apply those limits
+      earlier. (markt)
+  * Jasper
+    + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
+    + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL
+      grammar as both are unused. (markt)
+  * Web applications
+    + Add: Documentation. Provide more explicit guidance regarding the security
+      considerations for enabling write access to the web application via
+      WebDAV, HTTP PUT requests or similar. (markt)
+    + Add: Documentation. Add a section on reverse proxies to the security
+      considerations page. (markt)
+  * Other
+    + Update: Update to the Eclipse JDT compiler 4.36. (markt)
+    + Update: Update UnboundID to 7.0.3. (markt)
+    + Update: Update Checkstyle to 10.25.1. (markt)
+    + Update: Improvements to French translations. (remm)
+    + Update: Improvements to Japanese translations provided by tak7iji. (markt) 
+
+-------------------------------------------------------------------
+Tue Jun 24 10:09:09 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 11.0.8
+ * Fixed CVEs:
+    + CVE-2025-46701: refactor CGI servlet to access resources via
+      WebResources (bsc#1243815)
+    + CVE-2025-48988: limits the total number of parts in a
+      multi-part request and limits the size of
+      the headers provided with each part (bsc#1244656)
+    + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649)
+  * Catalina
+    + Add: Support for the java:module namespace which mirrors the
+      java:comp namespace.
+    + Fix: 69690: Calling HttpServletRequest.getParameter() and related
+      methods for a request with content type multipart/form-data when
+      the mapped servlet does not have a @MultipartConfig or equivalent
+      should not trigger an exception. Note that calling getPart() or
+      getParts() is these circumstances will trigger an exception.
+    + Add: Support parsing of multiple path parameters separated by ; in a
+      single URL segment. Based on pull request #860 by Chenjp.
+    + Fix: 69699: Encode redirect URL used by the rewrite valve with the
+      session id if appropriate, and handle cross context with different
+      session configuration when using rewrite.
+    + Add: #863: Support for comments at the end of lines in text rewrite
+      map files to align behaviour with Apache httpd. Pull request
+      provided by Chenjp.
+    + Fix: 69706: Saved request serialization issue in FORM introduced
+      when allowing infinite session timeouts.
+    + Fix: Expand the path checks for Pre-Resources and Post-Resources
+      mounted at a path within the web application.
+    + Fix: Process possible path parameters rewrite production in the
+      rewrite valve.
+    + Fix: 69588: Enable allowLinking to be set on PreResources,
+      JarResources and PostResources. If not set explicitly, the setting
+      will be inherited from the Resources.
+    + Add: 69633: Support for Filters using context root mappings.
+    + Fix: 69643: Optimize directory listing for large amount of files.
+      Patch submitted by Loic de l'Eprevier.
+    + Fix: #843: Off by one validation logic for partial PUT ranges and
+      associated test case. Submitted by Chenjp.
+    + Refactor: GCI servlet to access resources via the WebResource API.
+    + Fix: 69662: Report name in exception message when a naming lookup
+      failure occurs. Based on code submitted by Donald Smith.
+    + Fix: Ensure that the FORM authentication attribute
+      authenticationSessionTimeout works correctly when sessions have an
+      infinite timeout when authentication starts.
+    + Add: Provide a content type based on file extension when web
+      application resources are accessed via a URL.
+  * Coyote
+    + Refactor: #861: TaskQueue to use the new interface RetryableQueue
+      which enables better integration of custom Executors which provide
+      their own BlockingQueue implementation. Pull request provided by
+      Paulo Almeida.
+    + Add: Finer grained control of multi-part request processing via two
+      new attributes on the Connector element. maxPartCount limits the
+      total number of parts in a multi-part request and maxPartHeaderSize
+      limits the size of the headers provided with each part. Add support
+      for these new attributes to the ParameterLimitValve.
+  * Jasper
+    + Fix: 69696: Mark the JSP wrapper for reload after a failed
+      compilation.
+    + Fix: 69635: Add support to jakarta.el.ImportHandler for resolving
+      inner classes.
+    + Add: #842: Support for optimized execution of c:set and c:remove
+      tags, when activated via JSP servlet param
+      useNonstandardTagOptimizations.
+    + Fix: An edge case compilation bug for JSP and tag files on case
+      insensitive file systems that was exposed by the test case for
+      69635.
+  * Web applications
+    + Fix: 69694: Improve error reporting of deployment tasks done using
+      the manager webapp when a copy operation fails.
+    + Add: 68876: Documentation. Update the UML diagrams for server
+      start-up, request processing and authentication using PlantUML and
+      include the source files for each diagram.
+  * Other
+    + Add: Thread name to webappClassLoader.stackTraceRequestThread
+      message. Patch provided by Felix Zhang.
+    + Update: Tomcat Native to 2.0.9.
+    + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1
+      (2025-06-05).
+    + Update: EasyMock to 5.6.0.
+    + Update: Checkstyle to 10.25.0.
+    + Fix: Use the full path when the installer for Windows sets calls
+      icacls.exe to set file permissions.
+    + Update: Improvements to Japanese translations provided by tak7iji.
+    + Update: Jacoco to 0.8.13.
+    + Code: Explicitly set the locale to be used for Javadoc. For
+      official releases, this locale will be English (US) to support
+      reproducible builds.
+    + Update: Byte Buddy to 1.17.5.
+    + Update: Checkstyle to 10.23.1.
+    + Update: File extension to media type mappings to align with the
+      current list used by the Apache Web Server (httpd).
+    + Update: Improvements to French translations.
+    + Update: Improvements to Japanese translations provided by tak7iji. 
+
+-------------------------------------------------------------------
+Tue Jun 10 13:09:57 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Hardening permissions (bsc#1242722)
+
 -------------------------------------------------------------------
 Fri May  9 07:06:53 UTC 2025 - Fridrich Strba <fstrba@suse.com>
 

tomcat11.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat11
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -29,7 +29,7 @@
 %define elspec %{elspec_major}.%{elspec_minor}
 %define major_version 11
 %define minor_version 0
-%define micro_version 6
+%define micro_version 9
 %define java_major 1
 %define java_minor 17
 %define java_version %{java_major}.%{java_minor}
@@ -727,22 +727,22 @@ fi
 
 %files
 %doc {LICENSE,NOTICE,RELEASE*}
-%attr(0755,root,root) %{_bindir}/%{app_name}-digest
-%attr(0755,root,root) %{_bindir}/%{app_name}-tool-wrapper
-%attr(0755,root,root) %{_sbindir}/%{app_name}
-%attr(0644,root,root) %{_unitdir}/%{app_name}.service
+%{_bindir}/%{app_name}-digest
+%{_bindir}/%{app_name}-tool-wrapper
+%{_sbindir}/%{app_name}
+%{_unitdir}/%{app_name}.service
 %{_sbindir}/rc%{app_name}
-%attr(0644,root,root) %{_unitdir}/%{app_name}@.service
-%attr(0755,root,root) %dir %{_libexecdir}/%{app_name}
-%attr(0755,root,root) %dir %{_localstatedir}/lib/%{app_name}s
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/functions
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/preamble
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/server
+%{_unitdir}/%{app_name}@.service
+%dir %{_libexecdir}/%{app_name}
+%dir %{_localstatedir}/lib/%{app_name}s
+%{_libexecdir}/%{app_name}/functions
+%{_libexecdir}/%{app_name}/preamble
+%{_libexecdir}/%{app_name}/server
 #bnc#565901
 %{bindir}/catalina.sh
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{app_name}10
-%attr(0755,root,tomcat) %dir %{basedir}
-%attr(0755,root,tomcat) %dir %{confdir}
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{app_name}10
+%dir %{basedir}
+%dir %{confdir}
 %attr(0775,root,tomcat) %dir %{appdir}
 %attr(0770,tomcat,tomcat) %dir %{logdir}
 %attr(0660,tomcat,tomcat) %{logdir}/catalina.out
@@ -755,28 +755,28 @@ fi
 %attr(0775,root,tomcat) %dir %{tomcatappdir}
 
 %{confdir}/Catalina
-%attr(0755,root,tomcat) %dir %{confdir}/conf.d
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/conf.d/README
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/%{app_name}.conf
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.properties
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/context.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/server.xml
+%dir %{confdir}/conf.d
+%config(noreplace) %{confdir}/conf.d/README
+%config(noreplace) %{confdir}/%{app_name}.conf
+%config(noreplace) %{confdir}/*.properties
+%config(noreplace) %{confdir}/context.xml
+%config(noreplace) %{confdir}/server.xml
 # keep tomcat-users.xml readable only by root and tomcat group
 %attr(0640,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/web.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
-%attr(0755,root,tomcat) %dir %{homedir}
-%attr(0644,root,tomcat) %{bindir}/bootstrap.jar
-%attr(0644,root,tomcat) %{bindir}/catalina-tasks.xml
+%config(noreplace) %{confdir}/web.xml
+%config(noreplace) %{confdir}/jaspic-providers.xml
+%dir %{homedir}
+%{bindir}/bootstrap.jar
+%{bindir}/catalina-tasks.xml
 %{homedir}/lib
 %{homedir}/temp
 %{homedir}/webapps
 %{homedir}/work
 %{homedir}/logs
 %{homedir}/conf
-%attr(0644,root,tomcat) %{_fillupdir}/sysconfig.%{app_name}
-%attr(0644,root,tomcat) %{confdir}/allowLinking.xslt
-%attr(0644,root,tomcat) %{confdir}/valve.xslt
+%{_fillupdir}/sysconfig.%{app_name}
+%{confdir}/allowLinking.xslt
+%{confdir}/valve.xslt
 
 %files admin-webapps
 %defattr(0644,root,tomcat,0755)
@@ -841,7 +841,7 @@ fi
 
 %files jsvc
 %defattr(755,root,root,0755)
-%attr(0644,root,root) %{_unitdir}/%{app_name}-jsvc.service
+%{_unitdir}/%{app_name}-jsvc.service
 %{_sbindir}/rc%{app_name}-jsvc
 
 %changelog