pool/tomcat
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 926588 from Java:packages

Browse Source 
9.0.43

OBS-URL: https://build.opensuse.org/request/show/926588
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat?expand=0&rev=77
This commit is contained in:
Dominique Leuenberger 2021-10-21 21:55:15 +00:00 committed by Git OBS Bridge
commit 7013b89342
13 changed files with 401 additions and 825 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
apache-tomcat-9.0.36-src.tar.gz
View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:3444bfabf7a4f88b3276d121541129593ac1f871b6d4eaa31104cee098fd9394
size 5890912

16
apache-tomcat-9.0.36-src.tar.gz.asc
View File

@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAl7X294ACgkQEMAcWi9g
Wedinw/+IaqN35TbauWtNswTV9nwYk76PPphvnnYu87upE9ZwD1xT/qcmT5PD1sM
08t34laxrawOHJThigK5pmbIcP+P2gWnSwKwS6NH0eT9JQWNJZ92fX4hhR6TFpcE
TKqzAHPlnqwqijNPNmS8hg58sSxni/ScB7e/Dk8JhGnv4YXSdrjdOcWEC2Igfipo
sK8cnBuP8nPdB4GnGFYdz34SG9WqNSXIv/4kkMDvP00bm4jvrPcf6dnuAosrtq3l
ipTIFH7LIfOcC9rSjeOAfvtqDD5hyV1plJdwVE1FYOm0BvCDixvRfKDBbf6Ka9U5
Y6QGKzfQwrWZMv/COVnoBpKmXTTQNAl0lX97fZP2bhgLvKJB4SClAChrZuOIrMhq
U4hMFvVd51+YscHXR4idgtIL3sI16XiAoBGStsVLXWstYAmud/EqaQVNwwAdCY13
YcMjZEHaqyMLMb6rJe305tE0a2pMqErXUKqPuHiNIvaLQN4qa5tw3g/czOQaeJpq
A3cQeGQQCd4N2clUhgFfr+RGVmA7TUo23/w1zQMjmnjVvn2QFtBOybcKE5kGdGCF
YmMQ0zD+SuYUR0V0a//xdA24XriG3PfkqJ/x3+eja+P1FlJ5DzJtX2kpk8BotETT
jVR8IKMQ/mGMkgBmvVVvrVx76qZaCuI/2RG/4SNh/hhBXzPEeQE=
=Sr54
-----END PGP SIGNATURE-----

3
apache-tomcat-9.0.43-src.tar.gz Normal file
View File

@ -0,0 +1,3 @@
version https://git-lfs.github.com/spec/v1
oid sha256:28db36e1f1440c8517513a282f71383d825fe1383d8e5317e22e5122803c40ca
size 6042010

16
apache-tomcat-9.0.43-src.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAmATIH8ACgkQEMAcWi9g
Wecu9hAAhNGHtILVHGLWoqGJPVC29l2kgXiDshkFbgHKxeR6K5kooaxIB0N9QGGb
9H/BEwM92Kdl2VwQwtZBrW+x+worRQWIAHLCS9KF/UaVMLSIO54E5+aeJ6+vgBPC
AQdIn2mZ4o4RtUfYWsGgtPrQvGR/M+VSLKALn6SeB9O60zHrDvgpdVp0coFw0aIY
mi0HWsfoZltGTqscsgVEsSvolkvo7Au0c9DAGVGSLzhavlHT3Wnvsg8RuQ+oV2G+
aX1R1J7xuPyDxrvLHShOu9ERxxHmEIgJ5/wrWgGUEwJJQmSAqFQHW7q1kswOmL5a
mfWYSsqrqcsc+8QI6oYnVfN6Yu/Podcb1Tbs0elYdn+rEU0j73j6gGITSzSFokkZ
2tueXJ/U5rHthWMiL8xLZXp9RpOzGgpo91TY3qSHsvpVi7HSX9kLsUq4gHFPDehF
s+5ycfYy+fzsRUs6Fsa/2FfRIy9zEatzcjX2yvFCjBaeKbv8cRixeVCqsERopIwW
5hwh1hmqQNn4FuOS/Ei03QkRHGPHWhrBU5GS0ZEruhUNfc4kfogBBsaUBQkfv94C
EScu+rTeOSEv4exWAH/IiaOHPPYQTH9RXJ+aPbZpZ+7BOzpYU30hFGZwhRli1hqa
Ib7wuGMQXfNJQ8ndAlzPIMjp12dLOYeOeoRqHK5duaXfK9e+WN8=
=KHse
-----END PGP SIGNATURE-----

115
tomcat-9.0-CVE-2020-13943.patch
View File

@ -1,115 +0,0 @@
From 55911430df13f8c9998fbdee1f9716994d2db59b Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Thu, 23 Jul 2020 17:43:45 +0100
Subject: [PATCH] Move check for current streams to end of header parsing.
---
java/org/apache/coyote/http2/Http2Parser.java | 2 +-
.../coyote/http2/Http2UpgradeHandler.java | 24 ++++++++++---------
.../coyote/http2/TestHttp2Section_5_1.java | 20 ++++++++++------
3 files changed, 27 insertions(+), 19 deletions(-)
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2Parser.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/Http2Parser.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2Parser.java
@@ -738,7 +738,7 @@ class Http2Parser {
HeaderEmitter headersStart(int streamId, boolean headersEndStream)
throws Http2Exception, IOException;
void headersContinue(int payloadSize, boolean endOfHeaders);
- void headersEnd(int streamId) throws ConnectionException;
+ void headersEnd(int streamId) throws Http2Exception;
// Priority frames (also headers)
void reprioritise(int streamId, int parentStreamId, boolean exclusive, int weight)
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2UpgradeHandler.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/Http2UpgradeHandler.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/Http2UpgradeHandler.java
@@ -1451,16 +1451,6 @@ class Http2UpgradeHandler extends Abstra
stream.checkState(FrameType.HEADERS);
stream.receivedStartOfHeaders(headersEndStream);
closeIdleStreams(streamId);
- if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) {
- setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet());
- // Ignoring maxConcurrentStreams increases the overhead count
- increaseOverheadCount();
- throw new StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams",
- Long.toString(localSettings.getMaxConcurrentStreams())),
- Http2Error.REFUSED_STREAM, streamId);
- }
- // Valid new stream reduces the overhead count
- reduceOverheadCount();
return stream;
} else {
if (log.isDebugEnabled()) {
@@ -1528,12 +1518,24 @@ class Http2UpgradeHandler extends Abstra
@Override
- public void headersEnd(int streamId) throws ConnectionException {
+ public void headersEnd(int streamId) throws Http2Exception {
Stream stream = getStream(streamId, connectionState.get().isNewStreamAllowed());
if (stream != null) {
setMaxProcessedStream(streamId);
if (stream.isActive()) {
if (stream.receivedEndOfHeaders()) {
+
+ if (localSettings.getMaxConcurrentStreams() < activeRemoteStreamCount.incrementAndGet()) {
+ setConnectionTimeoutForStreamCount(activeRemoteStreamCount.decrementAndGet());
+ // Ignoring maxConcurrentStreams increases the overhead count
+ increaseOverheadCount();
+ throw new StreamException(sm.getString("upgradeHandler.tooManyRemoteStreams",
+ Long.toString(localSettings.getMaxConcurrentStreams())),
+ Http2Error.REFUSED_STREAM, streamId);
+ }
+ // Valid new stream reduces the overhead count
+ reduceOverheadCount();
+
processStreamOnContainerThread(stream);
}
}
Index: apache-tomcat-9.0.36-src/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
+++ apache-tomcat-9.0.36-src/test/org/apache/coyote/http2/TestHttp2Section_5_1.java
@@ -222,11 +222,11 @@ public class TestHttp2Section_5_1 extend
// Expecting
// 1 * headers
// 56k-1 of body (7 * ~8k)
- // 1 * error (could be in any order)
- for (int i = 0; i < 8; i++) {
+ // 1 * error
+ // for a total of 9 frames (could be in any order)
+ for (int i = 0; i < 9; i++) {
parser.readFrame(true);
}
- parser.readFrame(true);
Assert.assertTrue(output.getTrace(),
output.getTrace().contains("5-RST-[" +
@@ -238,14 +238,20 @@ public class TestHttp2Section_5_1 extend
// Release the remaining body
sendWindowUpdate(0, (1 << 31) - 2);
- // Allow for the 8k still in the stream window
+ // Allow for the ~8k still in the stream window
sendWindowUpdate(3, (1 << 31) - 8193);
- // 192k of body (24 * 8k)
- // 1 * error (could be in any order)
- for (int i = 0; i < 24; i++) {
+ // Read until the end of stream 3
+ while (!output.getTrace().contains("3-EndOfStream")) {
parser.readFrame(true);
}
+ output.clearTrace();
+
+ // Confirm another request can be sent once concurrency falls back below limit
+ sendSimpleGetRequest(7);
+ parser.readFrame(true);
+ parser.readFrame(true);
+ Assert.assertEquals(getSimpleResponseTrace(7), output.getTrace());
}

62
tomcat-9.0-CVE-2020-17527.patch
View File

@ -1,62 +0,0 @@
From d56293f816d6dc9e2b47107f208fa9e95db58c65 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Mon, 9 Nov 2020 19:23:12 +0000
Subject: [PATCH] Fix BZ 64830 - concurrency issue in HPACK decoder
https://bz.apache.org/bugzilla/show_bug.cgi?id=64830
---
java/org/apache/coyote/http2/HpackDecoder.java | 12 ++++--------
webapps/docs/changelog.xml | 3 +++
2 files changed, 7 insertions(+), 8 deletions(-)
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/HpackDecoder.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/http2/HpackDecoder.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/http2/HpackDecoder.java
@@ -73,8 +73,6 @@ public class HpackDecoder {
private volatile boolean countedCookie;
private volatile int headerSize = 0;
- private final StringBuilder stringBuilder = new StringBuilder();
-
HpackDecoder(int maxMemorySize) {
this.maxMemorySizeHard = maxMemorySize;
this.maxMemorySizeSoft = maxMemorySize;
@@ -223,19 +221,17 @@ public class HpackDecoder {
if (huffman) {
return readHuffmanString(length, buffer);
}
+ StringBuilder stringBuilder = new StringBuilder(length);
for (int i = 0; i < length; ++i) {
stringBuilder.append((char) buffer.get());
}
- String ret = stringBuilder.toString();
- stringBuilder.setLength(0);
- return ret;
+ return stringBuilder.toString();
}
private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException {
+ StringBuilder stringBuilder = new StringBuilder(length);
HPackHuffman.decode(buffer, length, stringBuilder);
- String ret = stringBuilder.toString();
- stringBuilder.setLength(0);
- return ret;
+ return stringBuilder.toString();
}
private String handleIndexedHeaderName(int index) throws HpackException {
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -126,6 +126,9 @@
Include the target URL in the log message when a WebSocket connection
fails. (markt)
</add>
+ <fix>
+ <bug>64830</bug>: Fix concurrency issue in HPACK decoder. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Other">

77
tomcat-9.0-CVE-2021-24122.patch
View File

@ -1,77 +0,0 @@
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
import java.net.URL;
import org.apache.catalina.LifecycleException;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.compat.JrePlatform;
import org.apache.tomcat.util.http.RequestUtil;
public abstract class AbstractFileResourceSet extends AbstractResourceSet {
+ private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
+
protected static final String[] EMPTY_STRING_ARRAY = new String[0];
private File fileBase;
@@ -128,6 +132,19 @@ public abstract class AbstractFileResour
canPath = normalize(canPath);
}
if (!canPath.equals(absPath)) {
+ if (!canPath.equalsIgnoreCase(absPath)) {
+ // Typically means symlinks are in use but being ignored. Given
+ // the symlink was likely created for a reason, log a warning
+ // that it was ignored.
+ String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
+ getRoot().getContext().getName(), absPath, canPath);
+ // Log issues with configuration files at a higher level
+ if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
+ log.error(msg);
+ } else {
+ log.warn(msg);
+ }
+ }
return null;
}
@@ -144,7 +161,7 @@ public abstract class AbstractFileResour
// expression irrespective of input length.
for (int i = 0; i < len; i++) {
char c = name.charAt(i);
- if (c == '\"' || c == '<' || c == '>') {
+ if (c == '\"' || c == '<' || c == '>' || c == ':') {
// These characters are disallowed in Windows file names and
// there are known problems for file names with these characters
// when using File#getCanonicalPath().
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/LocalStrings.properties
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/LocalStrings.properties
@@ -15,6 +15,8 @@
abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
+abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
+
abstractResource.getContentFail=Unable to return [{0}] as a byte array
abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -81,6 +81,10 @@
<bug>64493</bug>: Revert possible change of returned protocol
attribute value on the <code>Connector</code>. (remm)
</fix>
+ <add>
+ <bug>64871</bug>: Log a warning if Tomcat blocks access to a file
+ because it uses symlinks. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Coyote">

31
tomcat-9.0-CVE-2021-25122.patch
View File

@ -1,31 +0,0 @@
Index: apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/coyote/AbstractProtocol.java
+++ apache-tomcat-9.0.36-src/java/org/apache/coyote/AbstractProtocol.java
@@ -870,8 +870,10 @@ public abstract class AbstractProtocol<S
if (state == SocketState.UPGRADING) {
// Get the HTTP upgrade handler
UpgradeToken upgradeToken = processor.getUpgradeToken();
- // Retrieve leftover input
+ // Restore leftover input to the wrapper so the upgrade
+ // processor can process it.
ByteBuffer leftOverInput = processor.getLeftoverInput();
+ wrapper.unRead(leftOverInput);
if (upgradeToken == null) {
// Assume direct HTTP/2 connection
UpgradeProtocol upgradeProtocol = getProtocol().getUpgradeProtocol("h2c");
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -170,6 +170,10 @@
<subsection name="Catalina">
<changelog>
<fix>
+ Additional fix for <bug>64830</bug> to address an edge case that could
+ trigger request corruption with h2c connections. (markt)
+ </fix>
+ <fix>
Reduce reflection use and remove AJP specific code in the Connector.
(remm/markt/fhanik)
</fix>

139
tomcat-9.0-CVE-2021-25329.patch
View File

@ -1,139 +0,0 @@
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/servlets/DefaultServlet.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/servlets/DefaultServlet.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -2131,7 +2131,7 @@ public class DefaultServlet extends Http
// First check that the resulting path is under the provided base
try {
- if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
+ if (!candidate.getCanonicalFile().toPath().startsWith(base.getCanonicalFile().toPath())) {
return null;
}
} catch (IOException ioe) {
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/session/FileStore.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/session/FileStore.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/session/FileStore.java
@@ -351,7 +351,7 @@ public final class FileStore extends Sto
File file = new File(storageDir, filename);
// Check the file is within the storage directory
- if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+ if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
return null;
}
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ContextConfig.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/ContextConfig.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ContextConfig.java
@@ -653,7 +653,8 @@ public class ContextConfig implements Li
String docBaseCanonical = docBaseAbsoluteFile.getCanonicalPath();
// Re-calculate now docBase is a canonical path
- boolean docBaseCanonicalInAppBase = docBaseCanonical.startsWith(appBase.getPath() + File.separatorChar);
+ boolean docBaseCanonicalInAppBase =
+ docBaseAbsoluteFile.getCanonicalFile().toPath().startsWith(appBase.toPath());
String docBase;
if (docBaseCanonicalInAppBase) {
docBase = docBaseCanonical.substring(appBase.getPath().length());
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ExpandWar.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/ExpandWar.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/ExpandWar.java
@@ -26,6 +26,7 @@ import java.net.JarURLConnection;
import java.net.URL;
import java.net.URLConnection;
import java.nio.channels.FileChannel;
+import java.nio.file.Path;
import java.util.Enumeration;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;
@@ -116,10 +117,7 @@ public class ExpandWar {
}
// Expand the WAR into the new document base directory
- String canonicalDocBasePrefix = docBase.getCanonicalPath();
- if (!canonicalDocBasePrefix.endsWith(File.separator)) {
- canonicalDocBasePrefix += File.separator;
- }
+ Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
// Creating war tracker parent (normally META-INF)
File warTrackerParent = warTracker.getParentFile();
@@ -134,14 +132,13 @@ public class ExpandWar {
JarEntry jarEntry = jarEntries.nextElement();
String name = jarEntry.getName();
File expandedFile = new File(docBase, name);
- if (!expandedFile.getCanonicalPath().startsWith(
- canonicalDocBasePrefix)) {
+ if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
// Trying to expand outside the docBase
// Throw an exception to stop the deployment
throw new IllegalArgumentException(
sm.getString("expandWar.illegalPath",war, name,
expandedFile.getCanonicalPath(),
- canonicalDocBasePrefix));
+ canonicalDocBasePath));
}
int last = name.lastIndexOf('/');
if (last >= 0) {
@@ -217,10 +214,7 @@ public class ExpandWar {
File docBase = new File(host.getAppBaseFile(), pathname);
// Calculate the document base directory
- String canonicalDocBasePrefix = docBase.getCanonicalPath();
- if (!canonicalDocBasePrefix.endsWith(File.separator)) {
- canonicalDocBasePrefix += File.separator;
- }
+ Path canonicalDocBasePath = docBase.getCanonicalFile().toPath();
JarURLConnection juc = (JarURLConnection) war.openConnection();
juc.setUseCaches(false);
try (JarFile jarFile = juc.getJarFile()) {
@@ -229,14 +223,13 @@ public class ExpandWar {
JarEntry jarEntry = jarEntries.nextElement();
String name = jarEntry.getName();
File expandedFile = new File(docBase, name);
- if (!expandedFile.getCanonicalPath().startsWith(
- canonicalDocBasePrefix)) {
+ if (!expandedFile.getCanonicalFile().toPath().startsWith(canonicalDocBasePath)) {
// Entry located outside the docBase
// Throw an exception to stop the deployment
throw new IllegalArgumentException(
sm.getString("expandWar.illegalPath",war, name,
expandedFile.getCanonicalPath(),
- canonicalDocBasePrefix));
+ canonicalDocBasePath));
}
}
} catch (IOException e) {
Index: apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/HostConfig.java
===================================================================
--- apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/startup/HostConfig.java
+++ apache-tomcat-9.0.36-src/java/org/apache/catalina/startup/HostConfig.java
@@ -598,8 +598,7 @@ public class HostConfig implements Lifec
docBase = new File(host.getAppBaseFile(), context.getDocBase());
}
// If external docBase, register .xml as redeploy first
- if (!docBase.getCanonicalPath().startsWith(
- host.getAppBaseFile().getAbsolutePath() + File.separator)) {
+ if (!docBase.getCanonicalFile().toPath().startsWith(host.getAppBaseFile().toPath())) {
isExternal = true;
deployedApp.redeployResources.put(
contextXml.getAbsolutePath(),
Index: apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.36-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.36-src/webapps/docs/changelog.xml
@@ -159,6 +159,10 @@
<update>
Update dependency on bnd to 5.1.0. (markt)
</update>
+ <scode>
+ Use <code>java.nio.file.Path</code> to test for one directory being a
+ sub-directory of another in a consistent way. (markt)
+ </scode>
</changelog>
</subsection>
</section>

17
tomcat-9.0-osgi-build.patch
View File

@ -1,14 +1,17 @@
Index: apache-tomcat-9.0.35-src/build.xml
Index: apache-tomcat-9.0.37-src/build.xml
===================================================================
--- apache-tomcat-9.0.35-src.orig/build.xml
+++ apache-tomcat-9.0.35-src/build.xml
@@ -3327,6 +3327,9 @@ Read the Building page on the Apache Tom
<path id="bndlib.classpath">
--- apache-tomcat-9.0.37-src.orig/build.xml
+++ apache-tomcat-9.0.37-src/build.xml
@@ -3307,6 +3307,12 @@ Read the Building page on the Apache Tom
<!-- Add bnd tasks to project -->
<path id="bnd.classpath">
<fileset file="${bnd.jar}" />
<fileset file="${bndlib.jar}" />
+ <fileset file="${bndlib.jar}" />
+ <fileset file="${bndlibg.jar}" />
+ <fileset file="${bndannotation.jar}" />
+ <fileset file="${osgiannotation.jar}" />
+ <fileset file="${osgicmpn.jar}" />
+ <fileset file="${slf4j-api.jar}" />
</path>
<taskdef resource="aQute/bnd/ant/taskdef.properties" classpathref="bndlib.classpath" />
<taskdef resource="aQute/bnd/ant/taskdef.properties" classpathref="bnd.classpath" />

672
tomcat-9.0.31-java8compat.patch → tomcat-9.0.43-java8compat.patch
View File

File diff suppressed because it is too large Load Diff

52
tomcat.changes
View File

@ -1,3 +1,29 @@
-------------------------------------------------------------------
Mon Oct 18 21:42:48 UTC 2021 - Marcel Witte <wittemar@googlemail.com>
- Update to Tomcat 9.0.43. See changelog at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.43_(markt)
- Removed Patches because fixed upstream now:
* tomcat-9.0-CVE-2021-25122.patch
* tomcat-9.0-CVE-2021-25329.patch
- Rebased patch:
tomcat-9.0.39-java8compat.patch -> tomcat-9.0.43-java8compat.patch
-------------------------------------------------------------------
Mon Oct 18 18:26:39 UTC 2021 - Marcel Witte <wittemar@googlemail.com>
- Update to Tomcat 9.0.41. See changelog at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.41_(markt)
-------------------------------------------------------------------
Mon Oct 18 13:05:17 UTC 2021 - Marcel Witte <wittemar@googlemail.com>
- Update to Tomcat 9.0.40. See changelog at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.40_(markt)
- Removed Patches because fixed upstream now:
* tomcat-9.0-CVE-2020-17527.patch
* tomcat-9.0-CVE-2021-24122.patch
-------------------------------------------------------------------
Mon Mar 22 13:11:34 UTC 2021 - Abid Mehmood <amehmood@suse.com>
@ -15,6 +41,32 @@ Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood <amehmood@suse.com>
- Added patch:
* tomcat-9.0-CVE-2021-24122.patch
-------------------------------------------------------------------
Mon Mar 15 21:42:07 UTC 2021 - Marcel Witte <wittemar@googlemail.com>
- Update to Tomcat 9.0.39. See changelog at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.39_(markt)
- Rebased patches:
* tomcat-9.0.38-java8compat.patch -> tomcat-9.0.39-java8compat.patch
-------------------------------------------------------------------
Mon Mar 15 14:57:39 UTC 2021 - Marcel Witte <wittemar@googlemail.com>
- Update to Tomcat 9.0.38. See changelog at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.38_(markt)
- Rebased patches:
* tomcat-9.0.37-java8compat.patch -> tomcat-9.0.38-java8compat.patch
- Removed tomcat-9.0-CVE-2020-13943.patch because that fix is upstream now
-------------------------------------------------------------------
Mon Feb 22 08:56:03 UTC 2021 - Marcel Witte <wittemar@googlemail.com>
- Update to Tomcat 9.0.37. See changelog at
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.37_(markt)
- Rebased patches:
* tomcat-9.0-osgi-build.patch
* tomcat-9.0.31-java8compat.patch -> tomcat-9.0.37-java8compat.patch
-------------------------------------------------------------------
Wed Dec 16 12:17:22 UTC 2020 - Abid Mehmood <amehmood@suse.com>

23
tomcat.spec
View File

@ -1,7 +1,7 @@
#
# spec file for package tomcat
#
# Copyright (c) 2021 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2021 SUSE LLC
# Copyright (c) 2000-2009, JPackage Project
#
# All modifications and additions to the file contributed by third parties
@ -22,7 +22,7 @@
%define elspec 3.0
%define major_version 9
%define minor_version 0
%define micro_version 36
%define micro_version 43
%define packdname apache-tomcat-%{version}-src
%define serverxmltool_version 1.0
# FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
@ -80,14 +80,9 @@ Patch3: %{name}-%{major_version}.%{minor_version}-javadoc.patch
# PATCH-FIX-OPENSUSE: include all necessary aqute-bnd jars
Patch4: tomcat-9.0-osgi-build.patch
# PATCH-FIX-OPENSUSE: cast ByteBuffer to Buffer in cases where there is a risk of using Java 9+ apis
Patch5: tomcat-9.0.31-java8compat.patch
Patch5: tomcat-9.0.43-java8compat.patch
# PATCH-FIX-OPENSUSE: set ajp connector secreteRequired to false by default to avoid tomcat not starting
Patch6: tomcat-9.0.31-secretRequired-default.patch
Patch7: tomcat-9.0-CVE-2020-13943.patch
Patch8: tomcat-9.0-CVE-2020-17527.patch
Patch9: tomcat-9.0-CVE-2021-24122.patch
Patch10: tomcat-9.0-CVE-2021-25122.patch
Patch11: tomcat-9.0-CVE-2021-25329.patch
BuildRequires: ant >= 1.8.1
BuildRequires: ant-antlr
@ -95,8 +90,8 @@ BuildRequires: apache-commons-collections
BuildRequires: apache-commons-daemon
BuildRequires: apache-commons-dbcp >= 2.0
BuildRequires: apache-commons-pool2
BuildRequires: aqute-bnd
BuildRequires: aqute-bndlib
BuildRequires: aqute-bnd >= 5.1.1
BuildRequires: aqute-bndlib >= 5.1.1
BuildRequires: ecj >= 4.4.0
BuildRequires: fdupes
BuildRequires: findutils
@ -262,11 +257,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch4 -p1
%patch5 -p1
%patch6 -p1
%patch7 -p1
%patch8 -p1
%patch9 -p1
%patch10 -p1
%patch11 -p1
# remove date from docs
sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
@ -306,6 +296,9 @@ ant -Dbase.path="." \
-Dbndlib.jar="$(build-classpath aqute-bnd/biz.aQute.bndlib)" \
-Dbndlibg.jar="$(build-classpath aqute-bnd/aQute.libg)" \
-Dbndannotation.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \
-Dosgiannotation.jar="$(build-classpath osgi-annotation/osgi.annotation)" \
-Dosgi-annotations.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \
-Dosgicmpn.jar="$(build-classpath osgi-compendium/osgi.cmpn)" \
-Dslf4j-api.jar="$(build-classpath slf4j/slf4j-api)" \
-Dcommons-pool.home="$(build-classpath commons-pool2)" \
-Dcommons-dbcp.home="$(build-classpath commons-dbcp2)" \