Accepting request 1235267 from Java:packages

9.0.98

OBS-URL: https://build.opensuse.org/request/show/1235267
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat?expand=0&rev=112

apache-tomcat-9.0.97-src.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmcrypMACgkQaCSJWTWe
-civQ2A//TWn1UwcPCT0oeSK8C+exGw1tyNRq2zB6enSLf1WwBZ7BpgIl9EzyNMX9
-Uu0pwR2dVhkgCmBL7nM0BZZSs1ST1uFeAV5vM0LeKO/Rq7w1B+8xFu1BmpBX5NBT
-jjkQvpQwBUaKkhGsk+6MI0zHynVgbrlYOw/meVNm2xUu9ADY/WxW0yjMcXVJ747N
-YlWT9TpEJ15tsrRDuGD+JJyFeozNpDqgQ12Ej47E6AQH9zJtp+UPh6XxuqADmCCN
-DUE5wGNwYhz0Vx1bDknuqRvIQ/EtQ9VYND6sv8Cby0iSmj8DB1dcvl7Tr/DJv+BO
-lLTEROBGWR8qE281n7Yab/42Tr86TiDXst1ALjpKQDByB3jDuMPh55YjCK4kaiT0
-0h5MiFN22irfmdMGTO+Ovo9dnu6wWLSCHjUds/ilQGd8uxTtzgIcUh1AutIVX5qL
-1Q5tWK2DBXGrkCZJWBMtpNBOfkxTafa4dsb4XBA8iC84xS3BtIbCAg9vLciqIkLc
-a1nL1GfoNdRaQbrwVLBhaEqxpRgGr8Q01PDsK9j9Vl8YqhtO2heMjGJaGC/pv/Rf
-qjFmXJKUYKlMS8n1VRnzuTgO5DIKKw0VyUQtcSag7DGuCT2Lbz0IpsY3JH6/G8s3
-5gAzGG5ZzbTq8FhTkmd8hL3Se7Gx8R61yxL5D/IGYx+GOpWxjuA=
-=J1sF
------END PGP SIGNATURE-----

apache-tomcat-9.0.98-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmdSBNoACgkQaCSJWTWe
+citlcw//UyA6O47D4cYTkgLaBMzNATMfYll9VLYaZFt3zipCKQ0Z1uIKVuXSYlty
+UQBrOIo3pbhgrDR2ndRF3IPv4+c5IN2q8lyo/PMbhaF1Jx6Qi+w07MBX58EBO88Q
++2ZXOQ5KTY7YSl4uhKJHA14iH1hevJHt9ELO8D7npbsDDVz4OIJfeRGyp97lrlmE
+4jbE6VnF13kAEzvQdcTGcbxRHlCBWd3g+tJK3/0xfW3y9fWws/hOn5A0PM/Wb2yB
+nsm824VYOvwcYgSolKkgqEM/02lGbvcMtoF3pAzlHqE3WcZBL1SQh7BRVvj6MMB5
+zI21ThTqg+prSNK4ZQ6kdM+UHnJpQNwmiEvZh4E/sJuEzbouMhxCv/IydLM3j2Ck
+9Fa0fF26yA3bcwQHzjG5pB7IP6YVeR4t95hnvclMHYrTOvHttxnnb5NwSF4EpE5b
+JaufFixcUEjlb/9dWfOd4MQmf9yqupTiJh98ovqR6qjuBOfTXKDUmk1I8qIBne7Y
+OJExU/YdjZrgKgAQQLGB6G+u/T/ytvWlFNe2N+wCrunhlIPaFuK/3zj1/cM7ZwpA
+qtMFh+30IzPOBJSGDf4fvQsWIv490l+OMqlkv6arO7RFHkqWqq5gum/I2pF91OVt
+GL3AAjOuSkyLJwe2gW+aMeCyPegyTkNBp4gpslKXbtQtOIF1Lc8=
+=EWT+
+-----END PGP SIGNATURE-----

tomcat-9.0-jdt.patch

@@ -1,22 +1,22 @@
---- apache-tomcat-9.0.75-src/java/org/apache/jasper/compiler/JDTCompiler.java	2023-05-22 18:12:16.915658492 +0200
-+++ apache-tomcat-9.0.75-src/java/org/apache/jasper/compiler/JDTCompiler.java	2023-05-22 19:45:14.491706823 +0200
-@@ -310,7 +310,7 @@
-             } else if(opt.equals("15")) {
+--- apache-tomcat-9.0.98-src/java/org/apache/jasper/compiler/JDTCompiler.java	2025-01-06 17:29:55.096709905 +0100
++++ apache-tomcat-9.0.98-src/java/org/apache/jasper/compiler/JDTCompiler.java	2025-01-06 17:32:39.494486072 +0100
+@@ -298,7 +298,7 @@
+             } else if (opt.equals("15")) {
                  settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
-             } else if(opt.equals("16")) {
+             } else if (opt.equals("16")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
 +                settings.put(CompilerOptions.OPTION_Source, "16");
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
                  // Constant not available in latest ECJ version that runs on
                  // Java 8.
-@@ -392,8 +392,8 @@
+@@ -395,8 +395,8 @@
                  settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
                  settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
-             } else if(opt.equals("16")) {
+             } else if (opt.equals("16")) {
 -                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16);
 -                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16);
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "16");
 +                settings.put(CompilerOptions.OPTION_Compliance, "16");
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
                  // Constant not available in latest ECJ version that runs on
                  // Java 8.

tomcat.changes

@@ -1,3 +1,117 @@
+-------------------------------------------------------------------
+Fri Jan  3 16:03:11 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 9.0.98
+  * Fixed CVEs:
+    + CVE-2024-54677: DoS in examples web application (bsc#1233434)
+    + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
+  * Catalina
+    + Add: Add option to serve resources from subpath only with WebDAV Servlet
+      like with DefaultServlet. (michaelo)
+    + Fix: Add special handling for the protocols attribute of SSLHostConfig in
+      storeconfig. (remm)
+    + Fix: 69442: Fix case sensitive check on content-type when parsing request
+      parameters. (remm)
+    + Code: Refactor duplicate code for extracting media type and subtype from
+      content-type into a single method. (markt)
+    + Fix: Compatibility of generated embedded code with components where
+      constructors or property related methods throw a checked exception. (remm)
+    + Fix: The previous fix for inconsistent resource metadata during concurrent
+      reads and writes was incomplete. (markt)
+    + Fix: 69444: Ensure that the javax.servlet.error.message request attribute
+      is set when an application defined error page is called. (markt)
+    + Fix: Avoid quotes for numeric values in the JSON generated by the status
+      servlet. (remm)
+    + Add: Add strong ETag support for the WebDAV and default servlet, which can
+      be enabled by using the useStrongETags init parameter with a value set to
+      true. The ETag generated will be a SHA-1 checksum of the resource content.
+      (remm)
+    + Fix: Use client locale for directory listings. (remm)
+    + Fix: 69439: Improve the handling of multiple Cache-Control headers in the
+      ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
+    + Fix: 69447: Update the support for caching classes the web application
+      class loader cannot find to take account of classes loaded from external
+      repositories. Prior to this fix, these classes could be incorrectly marked
+      as not found. (markt)
+    + Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by
+      users will not be removed and any header present in a HEAD request will
+      also be present in the equivalent GET request. There may be some headers,
+      as per RFC 9110, section 9.3.2, that are present in a GET request that are
+      not present in the equivalent HEAD request. (markt)
+    + Fix: 69471: Log instances of CloseNowException caught by
+      ApplicationDispatcher.invoke() at debug level rather than error level as
+      they are very likely to have been caused by a client disconnection or
+      similar I/O issue. (markt)
+    + Add: Add a test case for the fix for 69442. Also refactor references to
+      application/x-www-form-urlencoded. Based on pull request #779 by Chenjp.
+      (markt)
+    + Fix: 69476: Catch possible ISE when trying to report PUT failure in the
+      DefaultServlet. (remm)
+    + Add: Add support for RateLimit header fields for HTTP (draft) in the
+      RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
+    + Add: #787: Add regression tests for 69478. Pull request provided by Thomas
+      Krisch. (markt)
+    + Fix: The default servlet now rejects HTTP range requests when two or more
+      of the requested ranges overlap. Based on pull request #782 provided by
+      Chenjp. (markt)
+    + Fix: Enhance Content-Range verification for partial PUT requests handled
+      by the default servlet. Provided by Chenjp in pull request #778. (markt)
+    + Fix: Harmonize DataSourceStore lookup in the global resources to
+      optionally avoid the comp/env prefix which is usually not used there.
+      (remm)
+    + Fix: As required by RFC 9110, the HTTP Range header will now only be
+      processed for GET requests. Based on pull request #790 provided by Chenjp.
+      (markt)
+    + Fix: Deprecate the useAcceptRanges initialisation parameter for the
+      default servlet. It will be removed in Tomcat 12 onwards where it will
+      effectively be hard coded to true. (markt)
+    + Add: Add DataSource based property storage for the WebdavServlet. (remm)
+  * Coyote
+    + Fix: Align encodedSolidusHandling with the Servlet specification. If the
+      pass-through mode is used, any %25 sequences will now also be passed
+      through to avoid errors and/or corruption when the application decodes the
+      path. (markt)
+  * Jasper
+    + Fix: Further optimise EL evaluation of method parameters. Patch provided
+      by Paolo B. (markt)
+    + Fix: Follow-up to the fix for 69381. Apply the optimisation for method
+      lookup performance in expression language to an additional location.
+      (markt)
+  * Web applications
+    + Fix: Documentation. Remove references to the ResourceParams element.
+      Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
+    + Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter.
+      The attribute is internalProxies rather than allowedInternalProxies. Pull
+      request #786 provided by Jorge Díaz. (markt)
+    + Fix: Examples. Fix broken links when Servlet Request Info example is
+      called via a URL that includes a pathInfo component. (markt)
+    + Fix: Examples. Expand the obfuscation of session cookie values in the
+      request header example to JSON responses. (markt)
+    + Add: Examples. Add the ability to delete session attributes in the servlet
+      session example. (markt)
+    + Add: Examples. Add a hard coded limit of 10 attributes per session for the
+      servlet session example. (markt)
+    + Add: Examples. Add the ability to delete session attributes and add a hard
+      coded limit of 10 attributes per session for the JSP form authentication
+      example. (markt)
+    + Add: Examples. Limit the shopping cart example to only allow adding the
+      pre-defined items to the cart. (markt)
+    + Fix: Examples. Remove JSP calendar example. (markt)
+  * Other
+    + Fix: 69465: Fix warnings during native image compilation using the Tomcat
+      embedded JARs. (markt)
+    + Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
+    + Update: Update EasyMock to 5.5.0. (markt)
+    + Update: Update Checkstyle to 10.20.2. (markt)
+    + Update: Update BND to 7.1.0. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Korean translations. (markt)
+    + Add: Improvements to Chinese translations. (markt)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+- Modified patch:
+  * tomcat-9.0-jdt.patch
+    + rediff
+
 -------------------------------------------------------------------
 Fri Nov 22 19:51:47 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
 

tomcat.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 97
+%define micro_version 98
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}