Accepting request 1139519 from home:mbussolotto:branches:Java:packages

- Update to Tomcat 9.0.85
  * Fixed CVEs:
    + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
      incorrect headers parsing (bsc#1217649)
  * Catalina
    + Update:  68378: Align extension to MIME type mappings in the
      global web.xml with those in httpd by adding
      application/vnd.geogebra.slides for ggs, text/javascript for mjs
      and audio/ogg for opus. (markt)
    + Fix:  Background processes should not be run concurrently with
      lifecycle operations of a container. (remm)
    + Fix:  Correct unintended escaping of XML in some WebDAV
      responses. The XML list of support locks when provided in
      response to a PROPFIND request was incorrectly XML escaped.
      (markt)
    + Fix:  68227: Ensure that AsyncListener.onComplete() is called
      if AsyncListener.onError() calls AsyncContext.dispatch().
      (markt)
    + Fix:  68228: Use a 408 status code if a read timeout occurs
      during HTTP request processing. Includes a test case based on
      code provided by adwsingh. (markt)
    + Fix:  67667: TLSCertificateReloadListener prints unreadable
      rendering of X509Certificate#getNotAfter(). (michaelo)
    + Update:  The status servlet included in the manager webapp
      can now output statistics as JSON, using the JSON=true URL
      parameter. (remm)
    + Update:  Optionally allow ServiceBindingPropertySource to
      trim a trailing newline from a file containing a
      property-value. (schultz)
    + Fix:  67793: Ensure the original session timeout is restored

OBS-URL: https://build.opensuse.org/request/show/1139519
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=289
Michele Bussolotto 2024-01-17 17:29:04 +00:00 committed by Git OBS Bridge
parent eec71fc139
commit 7984f6fd19
7 changed files with 153 additions and 365 deletions


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:064cffa1cdc2087439aaff13e8918fbf85b309ebdc8b7bc6ca7d8da28572d660
size 6285653


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----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=T082
-----END PGP SIGNATURE-----


@ -1,21 +0,0 @@
diff -urEbwB apache-tomcat-9.0.85-src.orig/build.xml apache-tomcat-9.0.85-src/build.xml
--- apache-tomcat-9.0.85-src.orig/build.xml 2024-01-17 16:38:45.550245596 +0100
+++ apache-tomcat-9.0.85-src/build.xml 2024-01-17 16:39:27.487195879 +0100
@@ -107,17 +107,6 @@
<!-- Keep in sync with webapps/docs/tomcat-docs.xsl -->
<property name="compile.release" value="8"/>
<property name="min.java.version" value="8"/>
- <property name="build.java.version" value="17"/>
-
- <!-- Check Java Build Version -->
- <fail message="Java version ${build.java.version} or newer is required (${java.version} is installed)">
- <condition>
- <and>
- <not><javaversion atleast="${build.java.version}" /></not>
- <not><isset property="skip.build.java.version"/></not>
- </and>
- </condition>
- </fail>
<!-- Locations to create the JAR artifacts -->
<!-- Standard JARs -->


@ -1,315 +0,0 @@
Index: apache-tomcat-9.0.82-src/java/org/apache/catalina/connector/InputBuffer.java
===================================================================
--- apache-tomcat-9.0.82-src.orig/java/org/apache/catalina/connector/InputBuffer.java
+++ apache-tomcat-9.0.82-src/java/org/apache/catalina/connector/InputBuffer.java
@@ -29,6 +29,7 @@ import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.ReadListener;
+import javax.servlet.RequestDispatcher;
import org.apache.catalina.security.SecurityUtil;
import org.apache.coyote.ActionCode;
@@ -295,6 +296,7 @@ public class InputBuffer extends Reader
*
* @throws IOException An underlying IOException occurred
*/
+ @SuppressWarnings("deprecation")
@Override
public int realReadBytes() throws IOException {
if (closed) {
@@ -307,10 +309,24 @@ public class InputBuffer extends Reader
try {
return coyoteRequest.doRead(this);
+ } catch (BadRequestException bre) {
+ // Set flag used by asynchronous processing to detect errors on non-container threads
+ coyoteRequest.setErrorException(bre);
+ // In synchronous processing, this exception may be swallowed by the application so set error flags here.
+ coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, bre);
+ coyoteRequest.getResponse().setStatus(400);
+ coyoteRequest.getResponse().setError();
+ // Make the exception visible to the application
+ throw bre;
} catch (IOException ioe) {
+ // Set flag used by asynchronous processing to detect errors on non-container threads
coyoteRequest.setErrorException(ioe);
- // An IOException on a read is almost always due to
- // the remote client aborting the request.
+ // In synchronous processing, this exception may be swallowed by the application so set error flags here.
+ coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, ioe);
+ coyoteRequest.getResponse().setStatus(400);
+ coyoteRequest.getResponse().setError();
+ // Any other IOException on a read is almost always due to the remote client aborting the request.
+ // Make the exception visible to the application
throw new ClientAbortException(ioe);
}
}
Index: apache-tomcat-9.0.82-src/java/org/apache/catalina/connector/ClientAbortException.java
===================================================================
--- apache-tomcat-9.0.82-src.orig/java/org/apache/catalina/connector/ClientAbortException.java
+++ apache-tomcat-9.0.82-src/java/org/apache/catalina/connector/ClientAbortException.java
@@ -16,14 +16,12 @@
*/
package org.apache.catalina.connector;
-import java.io.IOException;
-
/**
* Extend IOException to identify it as being caused by an abort of a request by a remote client.
*
* @author Glenn L. Nielsen
*/
-public final class ClientAbortException extends IOException {
+public final class ClientAbortException extends BadRequestException {
private static final long serialVersionUID = 1L;
Index: apache-tomcat-9.0.82-src/java/org/apache/catalina/core/ApplicationDispatcher.java
===================================================================
--- apache-tomcat-9.0.82-src.orig/java/org/apache/catalina/core/ApplicationDispatcher.java
+++ apache-tomcat-9.0.82-src/java/org/apache/catalina/core/ApplicationDispatcher.java
@@ -41,7 +41,7 @@ import org.apache.catalina.AsyncDispatch
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.Wrapper;
-import org.apache.catalina.connector.ClientAbortException;
+import org.apache.catalina.connector.BadRequestException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.connector.Response;
@@ -661,7 +661,7 @@ final class ApplicationDispatcher implem
filterChain.doFilter(request, response);
}
// Servlet Service Method is called by the FilterChain
- } catch (ClientAbortException e) {
+ } catch (BadRequestException e) {
ioException = e;
} catch (IOException e) {
wrapper.getLogger().error(sm.getString("applicationDispatcher.serviceException", wrapper.getName()), e);
@@ -672,7 +672,7 @@ final class ApplicationDispatcher implem
wrapper.unavailable(e);
} catch (ServletException e) {
Throwable rootCause = StandardWrapper.getRootCause(e);
- if (!(rootCause instanceof ClientAbortException)) {
+ if (!(rootCause instanceof BadRequestException)) {
wrapper.getLogger().error(sm.getString("applicationDispatcher.serviceException", wrapper.getName()),
rootCause);
}
Index: apache-tomcat-9.0.82-src/java/org/apache/catalina/core/StandardWrapperValve.java
===================================================================
--- apache-tomcat-9.0.82-src.orig/java/org/apache/catalina/core/StandardWrapperValve.java
+++ apache-tomcat-9.0.82-src/java/org/apache/catalina/core/StandardWrapperValve.java
@@ -32,7 +32,7 @@ import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.LifecycleException;
-import org.apache.catalina.connector.ClientAbortException;
+import org.apache.catalina.connector.BadRequestException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
@@ -170,7 +170,7 @@ final class StandardWrapperValve extends
}
}
- } catch (ClientAbortException | CloseNowException e) {
+ } catch (BadRequestException | CloseNowException e) {
if (container.getLogger().isDebugEnabled()) {
container.getLogger().debug(
sm.getString("standardWrapper.serviceException", wrapper.getName(), context.getName()), e);
@@ -191,7 +191,7 @@ final class StandardWrapperValve extends
// do not want to do exception(request, response, e) processing
} catch (ServletException e) {
Throwable rootCause = StandardWrapper.getRootCause(e);
- if (!(rootCause instanceof ClientAbortException)) {
+ if (!(rootCause instanceof BadRequestException)) {
container.getLogger().error(sm.getString("standardWrapper.serviceExceptionRoot", wrapper.getName(),
context.getName(), e.getMessage()), rootCause);
}
Index: apache-tomcat-9.0.82-src/java/org/apache/catalina/connector/BadRequestException.java
===================================================================
--- /dev/null
+++ apache-tomcat-9.0.82-src/java/org/apache/catalina/connector/BadRequestException.java
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.connector;
+
+import java.io.IOException;
+
+/**
+ * Extend IOException to identify it as being caused by a bad request from a remote client.
+ */
+public class BadRequestException extends IOException {
+
+ private static final long serialVersionUID = 1L;
+
+
+ // ------------------------------------------------------------ Constructors
+
+ /**
+ * Construct a new BadRequestException with no other information.
+ */
+ public BadRequestException() {
+ super();
+ }
+
+
+ /**
+ * Construct a new BadRequestException for the specified message.
+ *
+ * @param message Message describing this exception
+ */
+ public BadRequestException(String message) {
+ super(message);
+ }
+
+
+ /**
+ * Construct a new BadRequestException for the specified throwable.
+ *
+ * @param throwable Throwable that caused this exception
+ */
+ public BadRequestException(Throwable throwable) {
+ super(throwable);
+ }
+
+
+ /**
+ * Construct a new BadRequestException for the specified message and throwable.
+ *
+ * @param message Message describing this exception
+ * @param throwable Throwable that caused this exception
+ */
+ public BadRequestException(String message, Throwable throwable) {
+ super(message, throwable);
+ }
+}
Index: apache-tomcat-9.0.82-src/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java
===================================================================
--- apache-tomcat-9.0.82-src.orig/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java
+++ apache-tomcat-9.0.82-src/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java
@@ -428,6 +428,83 @@ public class TestChunkedInputFilter exte
}
}
+
+ @Test
+ public void testTrailerHeaderNameNotTokenThrowException() throws Exception {
+ doTestTrailerHeaderNameNotToken(false);
+ }
+
+ @Test
+ public void testTrailerHeaderNameNotTokenSwallowException() throws Exception {
+ doTestTrailerHeaderNameNotToken(true);
+ }
+
+ private void doTestTrailerHeaderNameNotToken(boolean swallowException) throws Exception {
+
+ // Setup Tomcat instance
+ Tomcat tomcat = getTomcatInstance();
+
+ // No file system docBase required
+ Context ctx = tomcat.addContext("", null);
+
+ Tomcat.addServlet(ctx, "servlet", new SwallowBodyServlet(swallowException));
+ ctx.addServletMappingDecoded("/", "servlet");
+
+ tomcat.start();
+
+ String[] request = new String[]{
+ "POST / HTTP/1.1" + SimpleHttpClient.CRLF +
+ "Host: localhost" + SimpleHttpClient.CRLF +
+ "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
+ "Content-Type: application/x-www-form-urlencoded" + SimpleHttpClient.CRLF +
+ "Connection: close" + SimpleHttpClient.CRLF +
+ SimpleHttpClient.CRLF +
+ "3" + SimpleHttpClient.CRLF +
+ "a=0" + SimpleHttpClient.CRLF +
+ "4" + SimpleHttpClient.CRLF +
+ "&b=1" + SimpleHttpClient.CRLF +
+ "0" + SimpleHttpClient.CRLF +
+ "x@trailer: Test" + SimpleHttpClient.CRLF +
+ SimpleHttpClient.CRLF };
+
+ TrailerClient client = new TrailerClient(tomcat.getConnector().getLocalPort());
+ client.setRequest(request);
+
+ client.connect();
+ client.processRequest();
+ // Expected to fail because of invalid trailer header name
+ Assert.assertTrue(client.getResponseLine(), client.isResponse400());
+ }
+
+ private static class SwallowBodyServlet extends HttpServlet {
+ private static final long serialVersionUID = 1L;
+
+ private final boolean swallowException;
+
+ SwallowBodyServlet(boolean swallowException) {
+ this.swallowException = swallowException;
+ }
+
+ @Override
+ protected void doPost(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ resp.setContentType("text/plain");
+ PrintWriter pw = resp.getWriter();
+
+ // Read the body
+ InputStream is = req.getInputStream();
+ try {
+ while (is.read() > -1) {
+ }
+ pw.write("OK");
+ } catch (IOException ioe) {
+ if (!swallowException) {
+ throw ioe;
+ }
+ }
+ }
+ }
+
private static class EchoHeaderServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
Index: apache-tomcat-9.0.82-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.82-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.82-src/webapps/docs/changelog.xml
@@ -120,7 +120,7 @@
use of fully qualified class names in 9.0.81 that broke the jdbc-pool.
(markt)
</fix>
- </changelog>
+ </changelog>
</subsection>
</section>
<section name="Tomcat 9.0.81 (remm)" rtext="2023-10-10">
@@ -148,6 +148,11 @@
Improve handling of failures within <code>recycle()</code> methods.
(markt)
</add>
+ <fix>
+ Ensure that an <code>IOException</code> during the reading of the
+ request triggers always error handling, regardless of whether the
+ application swallows the exception. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">


@ -0,0 +1,13 @@
Index: apache-tomcat-9.0.85-src/build.xml
===================================================================
--- apache-tomcat-9.0.85-src.orig/build.xml
+++ apache-tomcat-9.0.85-src/build.xml
@@ -107,7 +107,7 @@
<!-- Keep in sync with webapps/docs/tomcat-docs.xsl -->
<property name="compile.release" value="8"/>
<property name="min.java.version" value="8"/>
- <property name="build.java.version" value="17"/>
+ <property name="build.java.version" value="11"/>
<!-- Check Java Build Version -->
<fail message="Java version ${build.java.version} or newer is required (${java.version} is installed)">
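Review bot: The `build.java.version` value of `11` set by this new patch is undocumented: the patch file has no description header, and the changelog imported by this same commit states that upstream raised the minimum Java version required to build Tomcat to 17. Add a short header above the `Index:` line saying why building with 11 is acceptable for this package and that `compile.release` stays at `8`, so a later rebase does not carry the override forward unexamined. Keeping a floor is an improvement over the deleted patch, which removed the `<fail>` check outright, but the jars are still produced by a JDK older than the one upstream declares for the build, so the header should also say how the result was validated. The 9.0.85 entry in the `.changes` section does not appear to record this patch being added or the patches dropped in this commit, as the earlier entry did for `tomcat-9-CVE-2023-46589.patch`.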


@ -1,17 +1,147 @@
-------------------------------------------------------------------
Wed Jan 17 16:57:21 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
- Update to Tomcat 9.0.85
* Fixed CVEs:
+ CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
incorrect headers parsing (bsc#1217649)
* Catalina
+ Update: 68378: Align extension to MIME type mappings in the
global web.xml with those in httpd by adding
application/vnd.geogebra.slides for ggs, text/javascript for mjs
and audio/ogg for opus. (markt)
+ Fix: Background processes should not be run concurrently with
lifecycle operations of a container. (remm)
+ Fix: Correct unintended escaping of XML in some WebDAV
responses. The XML list of support locks when provided in
response to a PROPFIND request was incorrectly XML escaped.
(markt)
+ Fix: 68227: Ensure that AsyncListener.onComplete() is called
if AsyncListener.onError() calls AsyncContext.dispatch().
(markt)
+ Fix: 68228: Use a 408 status code if a read timeout occurs
during HTTP request processing. Includes a test case based on
code provided by adwsingh. (markt)
+ Fix: 67667: TLSCertificateReloadListener prints unreadable
rendering of X509Certificate#getNotAfter(). (michaelo)
+ Update: The status servlet included in the manager webapp
can now output statistics as JSON, using the JSON=true URL
parameter. (remm)
+ Update: Optionally allow ServiceBindingPropertySource to
trim a trailing newline from a file containing a
property-value. (schultz)
+ Fix: 67793: Ensure the original session timeout is restored
after FORM authentication if the user refreshes a page during
the FORM authentication process. Based on a suggestion by
Mircea Butmalai. (markt)
+ Update: 67926: PEMFile prints unidentifiable string
representation of ASN.1 OIDs. (michaelo)
+ Fix: 66875: Ensure that setting the request attribute
jakarta.servlet.error.exception is not sufficient to trigger
error handling for the current request and response. (markt)
+ Fix: 68054: Avoid some file canonicalization calls
introduced by the fix for 65433. (remm)
+ Fix: 68089: Improve performance of request attribute access
for ApplicationHttpRequest and ApplicationRequest. (markt)
+ Fix: Use a 400 status code to report an error due to a bad
request (e.g. an invalid trailer header) rather than a 500
status code. (markt)
+ Fix: Ensure that an IOException during the reading of the
request triggers always error handling, regardless of whether
the application swallows the exception. (markt)
* Coyote
+ Fix: Refactor the VirtualThreadExecutor so that it can be
used by the NIO2 connector which was using platform threads
even when configured to use virtual threads. (markt)
+ Fix: Correct a regression in the fix for 67675 that broke
TLS key file parsing for PKCS#8 format keys that do not specify
an explicit pseudo-random function and rely on the default.
This typically affects keys generated by OpenSSL 1.0.2.
(markt)
+ Fix: Allow multiple operations with the same name on
introspected mbeans, fixing a regression caused by the
introduction of a second addSslHostConfig method. (remm)
+ Fix: Relax the check that the HTTP Host header is consistent
with the host used in the request line, if any, to make the
check case insensitive since host names are case insensitive.
(markt)
+ Add: 68348: Add support for the partitioned attribute for
cookies. (markt)
+ Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and
SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
+ Add: When calling
SSLHostConfigCertificate.setCertificateKeystore(ks),
automatically call setCertificateKeystoreType(ks.getType()).
(markt)
+ Fix: 67628: Clarify how the ciphers attribute of the
SSLHostConfig is used. (markt)
+ Fix: 67666: Ensure TLS connectors using PEM files either
work with the TLSCertificateReloadListener or, in the rare case
that they do not, log a warning on Connector start. (markt)
+ Fix: 67675: Support a wider range of KDF and ciphers for PEM
files than the combinations supported by the JVM by default.
Specifically, support the OpenSSL default of HmacSHA256 and
DES-EDE3-CBC. (markt)
+ Fix: 67927: Reloading TLS configuration can cause the
Connector to refuse new connections or the JVM to crash.
(markt)
+ Fix: 67934: If both Tomcat Native 1.2.x and 2.0.x are
available, prefer 1.2.x since it supports the APR/Native
connector whereas 2.0.x does not. (markt)
+ Fix: 67938: Correct handling of large TLS client hello
messages that were causing the TLS handshake to fail. (markt)
+ Fix: 68026: Convert selected MessageByte values to String
when first accessed to speed up subsequent accesses and reduce
garbage collection. (markt)
* Jasper
+ Code: 68119: Refactor the CompositeELResolver to improve
performance during type conversion operations. (markt)
+ Fix: 68068: Performance improvement for EL. Based on a
suggestion by John Engebretson. (markt)
* Web Applications
+ Fix: 68035: Additional fix to the Manager application to
enable the deployment of a web application located in a Host's
appBase where the web application is specified by a bare (no
path) WAR or directory name as shown in the documentation.
(markt)
+ Fix: Examples. Improve the error handling so snakes
associated with a user that drops from the network are removed
from the game. (markt)
+ Fix: 68035: Correct a regression in the fix for 56248 that
prevented deployment via the Manager of a WAR or directory that
was already present in the appBase or a context file that was
already present in the xmlBase. (markt)
* Other
+ Update: Update Checkstyle to 10.12.7. (markt)
+ Update: Update SpotBugs to 4.8.3. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji.
(markt)
+ Update: Update UnboundID to 6.0.11. (markt)
+ Update: Update Checkstyle to 10.12.5. (markt)
+ Update: Update SpotBugs to 4.8.2. (markt)
+ Update: Update Derby to 10.17.1. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji.
(markt)
+ Add: Improvements to Brazilian Portuguese translations by
John William Vicente. (markt)
+ Add: Improvements to Russian translations by usmazat and
remm. (markt)
+ Add: 67538: Make use of Ant's <javaversion /> task to enfore
the mininum Java build version. (michaelo)
+ Update: Update Checkstyle to 10.12.4. (markt)
+ Update: Update JaCoCo to 0.8.11. (markt)
+ Update: Update SpotBugs to 4.8.0. (markt)
+ Update: Update BND to 7.0.0. (markt)
+ Update: The minimum Java version required to build Tomcat
has been raised to Java 17. (markt)
-------------------------------------------------------------------
Wed Jan 17 14:53:08 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
- change server.xml during %post instead of %posttrans
-------------------------------------------------------------------
Wed Jan 17 14:20:25 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
- Fixed CVEs:
* CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
incorrect headers parsing (bsc#1217649)
- Added patches:
* tomcat-9-CVE-2023-46589.patch
-------------------------------------------------------------------
Fri Jan 12 13:18:52 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>


@ -82,7 +82,7 @@ Patch5: %{name}-%{major_version}.%{minor_version}-jdt.patch
Patch6: tomcat-9.0.75-secretRequired-default.patch
Patch7: tomcat-9.0-fix_catalina.patch
Patch8: tomcat-9.0-logrotate_everything.patch
Patch9: java8.patch
Patch9: tomcat-9.0-build-with-java-11.patch
BuildRequires: ant >= 1.8.1
BuildRequires: ant-antlr
BuildRequires: apache-commons-collections