From 2fb58ed40766d45edf3dd7fe56b9c9f929640bd98281275a6fb4245acbf27c0f Mon Sep 17 00:00:00 2001 From: Matei Albu Date: Thu, 16 Aug 2018 13:14:11 +0000 Subject: [PATCH] Accepting request 629579 from home:mateialbu:branches:Java:packages - Update to Tomcat 9.0.10. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.10_(markt) - Fixed CVEs: - CVE-2018-1336 (bsc#1102400) - CVE-2018-8014 (bsc#1093697) - CVE-2018-8034 (bsc#1102379) - CVE-2018-8037 (bsc#1102410) - Rebased patch tomcat-9.0-JDTCompiler-java.patch - Added patch tomcat-9.0-disable-osgi-build.patch to disable adding OSGi metadata to JAR files OBS-URL: https://build.opensuse.org/request/show/629579 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=126 --- apache-tomcat-9.0.10-src.tar.gz | 3 ++ apache-tomcat-9.0.10-src.tar.gz.asc | 16 ++++++++++ apache-tomcat-9.0.5-src.tar.gz | 3 -- apache-tomcat-9.0.5-src.tar.gz.asc | 7 ----- tomcat-9.0-JDTCompiler-java.patch | 45 +++++++++++++++++++---------- tomcat-9.0-disable-osgi-build.patch | 44 ++++++++++++++++++++++++++++ tomcat.changes | 14 +++++++++ tomcat.spec | 7 ++++- 8 files changed, 112 insertions(+), 27 deletions(-) create mode 100644 apache-tomcat-9.0.10-src.tar.gz create mode 100644 apache-tomcat-9.0.10-src.tar.gz.asc delete mode 100644 apache-tomcat-9.0.5-src.tar.gz delete mode 100644 apache-tomcat-9.0.5-src.tar.gz.asc create mode 100644 tomcat-9.0-disable-osgi-build.patch diff --git a/apache-tomcat-9.0.10-src.tar.gz b/apache-tomcat-9.0.10-src.tar.gz new file mode 100644 index 0000000..98485e0 --- /dev/null +++ b/apache-tomcat-9.0.10-src.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:5d6a2ff9715c1624d9e99e0b02e1811d2772a3291c8641269cfc0884d5942c34 +size 5147367 diff --git a/apache-tomcat-9.0.10-src.tar.gz.asc b/apache-tomcat-9.0.10-src.tar.gz.asc new file mode 100644 index 0000000..cb0d0bd --- /dev/null +++ b/apache-tomcat-9.0.10-src.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAlstN0UACgkQEMAcWi9g +Wec65Q/+JAVi3ft4q5R7rcF5cA1Qh2vK1Jh2PaWrIQbk5PxFb8uG0IdbZXn2DlIL +9F7Pa20pGti84/CgN19OqYxFOvxr6g0lxyG+0FqGxKAsEG/LhznLTl7a7a0Mios4 +PyiYdpdFGNp7eCpavckYGIqtqGeCfY1dZiVtA7ZmV1OiACVSuwdRowb6xCcwuz2H +ZgqSybLLDQVknOpoJHtPrqr8spy+P1IULUdrZb3aMeXaQ9R+UdNb/zmX967N/gd6 +S0fQKuoJp35kQ9PWwYhWrgsxX6/ZNuLo1DvIL1KLoFnEEqPVy1mVXdFunb99kaIZ +phhRv4tIV9DNqMg3Gy4u2axjAOKE5lJ+HwrcQt2GlyWXEwbC2cqUmJ1whzv+C9H0 +5tM49fUDFlFm2WBKzcgGH8piofH2bkaA5wCQUwW23rlU/GisDQvTXk/K3U5itpIS +7xPzeap2McNPURn1zjmFeqyoMkujnf8qkValITVpDo0c84o9/5+ywheTE7/VIzXF +0LYelM0UuW0BqWFy8GY6iRk3EycfK6DcxejbNpB8TEXq+am5y7y1lNa7xz56WfDY +KcVoSG9kionCdgJeivCaDK/PdVEWb5vqs0XjOryrInB5C1R5t4jbwxJCU0FSo7in +7cHSeh4HxBC6bAQfsrhy4uoWkdz9Y8DvEOaC5sN205sLr7kMe3E= +=WeRG +-----END PGP SIGNATURE----- diff --git a/apache-tomcat-9.0.5-src.tar.gz b/apache-tomcat-9.0.5-src.tar.gz deleted file mode 100644 index 5b6b5a5..0000000 --- a/apache-tomcat-9.0.5-src.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:8d402beb64d38c360923b2c15fcc3a32fc6d602e4e6b590ecab143832a94811d -size 5077379 diff --git a/apache-tomcat-9.0.5-src.tar.gz.asc b/apache-tomcat-9.0.5-src.tar.gz.asc deleted file mode 100644 index 52b22d6..0000000 --- a/apache-tomcat-9.0.5-src.tar.gz.asc +++ /dev/null @@ -1,7 +0,0 @@ ------BEGIN PGP SIGNATURE----- -Version: GnuPG v2 - -iEYEABECAAYFAlp6IhEACgkQb7IeiTPGAkNOogCfdEvtPdOmOWNTPiu3qzE95hOH -ugAAni6jvLd1ASKs9wMvEaYUHKtbsHGM -=1Qrs ------END PGP SIGNATURE----- diff --git a/tomcat-9.0-JDTCompiler-java.patch b/tomcat-9.0-JDTCompiler-java.patch index def5e80..89ec32f 100644 --- a/tomcat-9.0-JDTCompiler-java.patch +++ b/tomcat-9.0-JDTCompiler-java.patch @@ -3,37 +3,50 @@ IDEA additional info: Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP <+>UTF-8 =================================================================== ---- java/org/apache/jasper/compiler/JDTCompiler.java (date 1506521372000) -+++ java/org/apache/jasper/compiler/JDTCompiler.java (revision ) -@@ -312,10 +312,10 @@ +--- java/org/apache/jasper/compiler/JDTCompiler.java (revision 6bbf738a0e56d1793022b15e9aca9b690699216b) ++++ java/org/apache/jasper/compiler/JDTCompiler.java (date 1534261527000) +@@ -312,15 +312,16 @@ CompilerOptions.VERSION_1_7); } else if(opt.equals("1.8")) { settings.put(CompilerOptions.OPTION_Source, - CompilerOptions.VERSION_1_8); + "1.8"); // CompilerOptions.VERSION_1_8 - } else if(opt.equals("1.9")) { + // Version format changed from Java 9 onwards. + // Support old format that was used in EA implementation as well + } else if(opt.equals("9") || opt.equals("1.9")) { settings.put(CompilerOptions.OPTION_Source, -- CompilerOptions.VERSION_1_9); -+ "1.9"); // CompilerOptions.VERSION_1_9 +- CompilerOptions.VERSION_9); ++ "9"); + } else if(opt.equals("10")) { + settings.put(CompilerOptions.OPTION_Source, +- CompilerOptions.VERSION_10); ++ "10"); ++ } else { log.warn("Unknown source VM " + opt + " ignored."); settings.put(CompilerOptions.OPTION_Source, -@@ -359,14 +359,14 @@ - CompilerOptions.VERSION_1_7); - } else if(opt.equals("1.8")) { +@@ -366,19 +367,19 @@ settings.put(CompilerOptions.OPTION_TargetPlatform, -- CompilerOptions.VERSION_1_8); -+ "1.8"); // CompilerOptions.VERSION_1_8 + CompilerOptions.VERSION_1_8); settings.put(CompilerOptions.OPTION_Compliance, - CompilerOptions.VERSION_1_8); + "1.8"); // CompilerOptions.VERSION_1_8 - } else if(opt.equals("1.9")) { + // Version format changed from Java 9 onwards. + // Support old format that was used in EA implementation as well + } else if(opt.equals("9") || opt.equals("1.9")) { settings.put(CompilerOptions.OPTION_TargetPlatform, -- CompilerOptions.VERSION_1_9); -+ "1.9"); // CompilerOptions.VERSION_1_9 +- CompilerOptions.VERSION_9); ++ "9"); // CompilerOptions.VERSION_1_9 settings.put(CompilerOptions.OPTION_Compliance, -- CompilerOptions.VERSION_1_9); -+ "1.9"); // CompilerOptions.VERSION_1_9 +- CompilerOptions.VERSION_9); ++ "9"); // CompilerOptions.VERSION_1_9 + } else if(opt.equals("10")) { + settings.put(CompilerOptions.OPTION_TargetPlatform, +- CompilerOptions.VERSION_10); ++ "10"); + settings.put(CompilerOptions.OPTION_Compliance, +- CompilerOptions.VERSION_10); ++ "10"); } else { log.warn("Unknown target VM " + opt + " ignored."); settings.put(CompilerOptions.OPTION_TargetPlatform, diff --git a/tomcat-9.0-disable-osgi-build.patch b/tomcat-9.0-disable-osgi-build.patch new file mode 100644 index 0000000..f663891 --- /dev/null +++ b/tomcat-9.0-disable-osgi-build.patch @@ -0,0 +1,44 @@ +Index: build.xml +IDEA additional info: +Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP +<+>UTF-8 +=================================================================== +--- build.xml (date 1529515764000) ++++ build.xml (date 1534335916000) +@@ -15,7 +15,8 @@ + See the License for the specific language governing permissions and + limitations under the License. + --> +- ++ + + + +@@ -728,7 +729,7 @@ + + + ++ depends="setup-bnd,build-prepare" if="add.osgi.jar.metadata"> + + + + +- ++ + + + +@@ -3025,7 +3026,7 @@ + + + +- ++ + + + diff --git a/tomcat.changes b/tomcat.changes index c1313ef..bd7c670 100644 --- a/tomcat.changes +++ b/tomcat.changes @@ -1,3 +1,17 @@ +------------------------------------------------------------------- +Tue Aug 16 14:13:23 UTC 2018 - malbu@suse.com + +- Update to Tomcat 9.0.10. See changelog at + http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.10_(markt) +- Fixed CVEs: + - CVE-2018-1336 (bsc#1102400) + - CVE-2018-8014 (bsc#1093697) + - CVE-2018-8034 (bsc#1102379) + - CVE-2018-8037 (bsc#1102410) +- Rebased patch tomcat-9.0-JDTCompiler-java.patch +- Added patch tomcat-9.0-disable-osgi-build.patch to disable adding + OSGi metadata to JAR files + ------------------------------------------------------------------- Wed Feb 16 16:38:14 UTC 2018 - malbu@suse.de diff --git a/tomcat.spec b/tomcat.spec index 71e710c..7f96de2 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -22,7 +22,7 @@ %define elspec 3.0 %define major_version 9 %define minor_version 0 -%define micro_version 5 +%define micro_version 10 %define packdname apache-tomcat-%{version}-src # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/ %global basedir /srv/%{name} @@ -83,6 +83,9 @@ Patch2: %{name}-%{major_version}.%{minor_version}-JDTCompiler-java.patch Patch3: %{name}-%{major_version}.%{minor_version}-sle.catalina.policy.patch # PATCH-FIX-OPENSUSE: build javadoc with the same java source level as the class files Patch4: %{name}-%{major_version}.%{minor_version}-javadoc.patch +# PATCH-FIX-OPENSUSE: disable adding OSGi metadata to JAR files because bndtools is not avalable in SLES/OpenSUSE +Patch5: tomcat-9.0-disable-osgi-build.patch + BuildRequires: ant >= 1.8.1 BuildRequires: ant-antlr BuildRequires: apache-commons-collections @@ -252,6 +255,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch2 %patch3 %patch4 +%patch5 # remove date from docs sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl @@ -285,6 +289,7 @@ ant -Dbase.path="." \ -Dnsis.exe="HACK" \ -Djaxrpc-lib.jar="$(build-classpath jaxrpc)" \ -Dwsdl4j-lib.jar="$(build-classpath wsdl4j)" \ + -Dsaaj-api.jar="$(build-classpath geronimo-saaj-1_1-api)" \ -Dcommons-pool.home="$(build-classpath commons-pool2)" \ -Dcommons-dbcp.home="$(build-classpath commons-dbcp2)" \ -Dno.build.dbcp=true \