Accepting request 1139530 from Java:packages

- Update to Tomcat 9.0.85 * Fixed CVEs: + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to incorrect headers parsing (bsc#1217649) * Catalina + Update: 68378: Align extension to MIME type mappings in the global web.xml with those in httpd by adding application/vnd.geogebra.slides for ggs, text/javascript for mjs and audio/ogg for opus. (markt) + Fix: Background processes should not be run concurrently with lifecycle operations of a container. (remm) + Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt) + Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt) + Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt) + Fix: 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo) + Update: The status servlet included in the manager webapp can now output statistics as JSON, using the JSON=true URL parameter. (remm) + Update: Optionally allow ServiceBindingPropertySource to trim a trailing newline from a file containing a property-value. (schultz) + Fix: 67793: Ensure the original session timeout is restored OBS-URL: https://build.opensuse.org/request/show/1139530 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat?expand=0&rev=101
2024-01-17 21:19:11 +00:00 · 2024-01-17 21:19:11 +00:00 · 80495d02d1
commit 80495d02d1
parent 72df8709f0 57fd502003
7 changed files with 185 additions and 24 deletions
--- a/apache-tomcat-9.0.82-src.tar.gz
+++ b/apache-tomcat-9.0.82-src.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:064cffa1cdc2087439aaff13e8918fbf85b309ebdc8b7bc6ca7d8da28572d660
-size 6285653
--- a/apache-tomcat-9.0.82-src.tar.gz.asc
+++ b/apache-tomcat-9.0.82-src.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmUmo7MACgkQaCSJWTWe
-ciuclQ//TVgfBHVgphmkiSxW7SFAkLvKbGPYXrVMeHhpgc3A9Gq+XeGTp29uZ8TH
-sZ4BVCQmzgbsSaDsDDsC3/N0TPEdFlWS2w7a667iYWekNErhzsyf7PlD2cFn11T7
-FmQ8FerXAgtl4NwY5lt2eX748H5sR9sUpTPHZgM9WEW0CXCEqBswx+tcWT+SgYAP
-YyGvFWVCr/I4QS5HigNvmH0QjSO4xTisYUyRYcU4w677tO6STLGON30pRe4ki6GL
-F8I3W98uJKrx+H00zqdTvv0TlG56oQyI5sZBPymQykhts4FW1iXKdH47DrM+FXfW
-wgCUJjt3mQ/+2lzA4QHpRFoaa1FrCJYByeM22rPBhWLSR9UFBN9yrZb0SbnQkf9j
-3klubBBJIad0FN/gD8M/FdfjwmEKsJyAHJLWdJZVpif+xV4aUtEX/FWRv6B0B67t
-6FC8mi3J8DS4sqLtfn/M901MCO6j1XjR78TD02jNzgjD/emxoSfNDst/SRXTyeoc
-mRid8UgLF8+ecTz0GqDJen3jWmOuKmrzX6I0z9jCSJq3PUkaIS9uM91X0sqHOoqb
-HH1dE61b1VO5lbEnjnhCVirS+bKCyiJIQRNWtc8Pe0joszqysYKoOY7TssZUpziO
-w/ekZwRBndDtEtxg2zzjXRMb7Tx8tK7xZE15oLpRXw/WfREJxzI=
-=T082
-----END PGP SIGNATURE-----
--- a/apache-tomcat-9.0.85-src.tar.gz
+++ b/apache-tomcat-9.0.85-src.tar.gz
--- a/apache-tomcat-9.0.85-src.tar.gz.asc
+++ b/apache-tomcat-9.0.85-src.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmWXwOIACgkQaCSJWTWe
+civPQA//Qy3b3J48H/thEWhTYXy+KlcRP8p10iJu/dtSRbU1kkjP8Cj5jl0j1TXJ
+tf/qygoBV2ckJAVyJkul7TXsA5Memj2MoaK32bm/GEXd1Cv1BClBC2qDsSWcca/C
+Ua3q/2tg9muVo3JhETash2iQN4AtIbeELrsRTwvV3+w1eeJ0OcE84xytSw0b3FQu
+rv1rWBfzTnkGPB4Uipzpq6aXZtfW5B9isEhb1MniAHZYKMWhJ9svS0hWvQzhPHYo
+X5sbmkhqht2MwVdUfw9CTwITydcRsJkdz1rMtcGXbfVEhvrZi9jeM0ygqf+RxPhi
+nCSea80CeaKv4DFh3h0zYhk9k+Y6j23X4gF15tYz3JxV+tDTPD2nNnDXFyKg3RAH
+CddjOXBQONKx1O1C4D1MkBaQdNwm1qS2rooxd61sMsYAuWACUMaIBn9SozwtyJ3K
+WQx4nrpXOuLoqFGOv7eiVW5bYnxyg4jiQr6kWMFMXGhZtY9uj3uL1Ojll0EsRx1C
+yIJHh0nVKuze2zuqMqp5g40q4f2/fFl3LJoArOkunxDpi8X4HpMP1STY+0dxOSxb
+Mm9nF/10YpCyvZkvAdw3ymJEecXUJKAJiG3xCOUzCHtYnsF09kyqQ9Ho01CC5nSB
+hCJ6kCqRAhE3jS0sXNh9HLKvHcvJGZ2IT/40AU9oRSVzZncMEUc=
+=bszF
+-----END PGP SIGNATURE-----
--- a/tomcat-9.0-build-with-java-11.patch
+++ b/tomcat-9.0-build-with-java-11.patch
@ -0,0 +1,13 @@
+Index: apache-tomcat-9.0.85-src/build.xml
+===================================================================
+--- apache-tomcat-9.0.85-src.orig/build.xml
+++ apache-tomcat-9.0.85-src/build.xml
+@@ -107,7 +107,7 @@
+   <!-- Keep in sync with webapps/docs/tomcat-docs.xsl -->
+   <property name="compile.release" value="8"/>
+   <property name="min.java.version" value="8"/>
+-  <property name="build.java.version" value="17"/>
+  <property name="build.java.version" value="11"/>
+ 
+   <!-- Check Java Build Version -->
+   <fail message="Java version ${build.java.version} or newer is required (${java.version} is installed)">
--- a/tomcat.changes
+++ b/tomcat.changes
@ -1,3 +1,149 @@
+-------------------------------------------------------------------
+Wed Jan 17 16:57:21 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 9.0.85
+  * Fixed CVEs:
+    + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
+      incorrect headers parsing (bsc#1217649)
+  * Catalina
+    + Update:  68378: Align extension to MIME type mappings in the
+      global web.xml with those in httpd by adding
+      application/vnd.geogebra.slides for ggs, text/javascript for mjs
+      and audio/ogg for opus. (markt)
+    + Fix:  Background processes should not be run concurrently with
+      lifecycle operations of a container. (remm)
+    + Fix:  Correct unintended escaping of XML in some WebDAV
+      responses. The XML list of support locks when provided in
+      response to a PROPFIND request was incorrectly XML escaped.
+      (markt)
+    + Fix:  68227: Ensure that AsyncListener.onComplete() is called
+      if AsyncListener.onError() calls AsyncContext.dispatch().
+      (markt)
+    + Fix:  68228: Use a 408 status code if a read timeout occurs
+      during HTTP request processing. Includes a test case based on
+      code provided by adwsingh. (markt)
+    + Fix:  67667: TLSCertificateReloadListener prints unreadable
+      rendering of X509Certificate#getNotAfter(). (michaelo)
+    + Update:  The status servlet included in the manager webapp
+      can now output statistics as JSON, using the JSON=true URL
+      parameter. (remm)
+    + Update:  Optionally allow ServiceBindingPropertySource to
+      trim a trailing newline from a file containing a
+      property-value. (schultz)
+    + Fix:  67793: Ensure the original session timeout is restored
+      after FORM authentication if the user refreshes a page during
+      the FORM authentication process. Based on a suggestion by
+      Mircea Butmalai. (markt)
+    + Update:  67926: PEMFile prints unidentifiable string
+      representation of ASN.1 OIDs. (michaelo)
+    + Fix:  66875: Ensure that setting the request attribute
+      jakarta.servlet.error.exception is not sufficient to trigger
+      error handling for the current request and response. (markt)
+    + Fix:  68054: Avoid some file canonicalization calls
+      introduced by the fix for 65433. (remm)
+    + Fix:  68089: Improve performance of request attribute access
+      for ApplicationHttpRequest and ApplicationRequest. (markt)
+    + Fix:  Use a 400 status code to report an error due to a bad
+      request (e.g. an invalid trailer header) rather than a 500
+      status code. (markt)
+    + Fix:  Ensure that an IOException during the reading of the
+      request triggers always error handling, regardless of whether
+      the application swallows the exception. (markt)
+  * Coyote
+    + Fix:  Refactor the VirtualThreadExecutor so that it can be
+      used by the NIO2 connector which was using platform threads
+      even when configured to use virtual threads. (markt)
+    + Fix:  Correct a regression in the fix for 67675 that broke
+      TLS key file parsing for PKCS#8 format keys that do not specify
+      an explicit pseudo-random function and rely on the default.
+      This typically affects keys generated by OpenSSL 1.0.2.
+      (markt)
+    + Fix:  Allow multiple operations with the same name on
+      introspected mbeans, fixing a regression caused by the
+      introduction of a second addSslHostConfig method. (remm)
+    + Fix:  Relax the check that the HTTP Host header is consistent
+      with the host used in the request line, if any, to make the
+      check case insensitive since host names are case insensitive.
+      (markt)
+    + Add:  68348: Add support for the partitioned attribute for
+      cookies. (markt)
+    + Add:  66670: Add SSLHostConfig#certificateKeyPasswordFile and
+      SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
+    + Add:  When calling
+      SSLHostConfigCertificate.setCertificateKeystore(ks),
+      automatically call setCertificateKeystoreType(ks.getType()).
+      (markt)
+    + Fix:  67628: Clarify how the ciphers attribute of the
+      SSLHostConfig is used. (markt)
+    + Fix:  67666: Ensure TLS connectors using PEM files either
+      work with the TLSCertificateReloadListener or, in the rare case
+      that they do not, log a warning on Connector start. (markt)
+    + Fix:  67675: Support a wider range of KDF and ciphers for PEM
+      files than the combinations supported by the JVM by default.
+      Specifically, support the OpenSSL default of HmacSHA256 and
+      DES-EDE3-CBC. (markt)
+    + Fix:  67927: Reloading TLS configuration can cause the
+      Connector to refuse new connections or the JVM to crash.
+      (markt)
+    + Fix:  67934: If both Tomcat Native 1.2.x and 2.0.x are
+      available, prefer 1.2.x since it supports the APR/Native
+      connector whereas 2.0.x does not. (markt)
+    + Fix:  67938: Correct handling of large TLS client hello
+      messages that were causing the TLS handshake to fail. (markt)
+    + Fix:  68026: Convert selected MessageByte values to String
+      when first accessed to speed up subsequent accesses and reduce
+      garbage collection. (markt)
+  * Jasper
+    + Code:  68119: Refactor the CompositeELResolver to improve
+      performance during type conversion operations. (markt)
+    + Fix:  68068: Performance improvement for EL. Based on a
+      suggestion by John Engebretson. (markt)
+  * Web Applications
+    + Fix:  68035: Additional fix to the Manager application to
+      enable the deployment of a web application located in a Host's
+      appBase where the web application is specified by a bare (no
+      path) WAR or directory name as shown in the documentation.
+      (markt)
+    + Fix:  Examples. Improve the error handling so snakes
+      associated with a user that drops from the network are removed
+      from the game. (markt)
+    + Fix:  68035: Correct a regression in the fix for 56248 that
+      prevented deployment via the Manager of a WAR or directory that
+      was already present in the appBase or a context file that was
+      already present in the xmlBase. (markt)
+  * Other
+    + Update:  Update Checkstyle to 10.12.7. (markt)
+    + Update:  Update SpotBugs to 4.8.3. (markt)
+    + Add:  Improvements to French translations. (remm)
+    + Add:  Improvements to Japanese translations by tak7iji.
+      (markt)
+    + Update:  Update UnboundID to 6.0.11. (markt)
+    + Update:  Update Checkstyle to 10.12.5. (markt)
+    + Update:  Update SpotBugs to 4.8.2. (markt)
+    + Update:  Update Derby to 10.17.1. (markt)
+    + Add:  Improvements to French translations. (remm)
+    + Add:  Improvements to Japanese translations by tak7iji.
+      (markt)
+    + Add:  Improvements to Brazilian Portuguese translations by
+      John William Vicente. (markt)
+    + Add:  Improvements to Russian translations by usmazat and
+      remm. (markt)
+    + Add:  67538: Make use of Ant's <javaversion /> task to enfore
+      the mininum Java build version. (michaelo)
+    + Update:  Update Checkstyle to 10.12.4. (markt)
+    + Update:  Update JaCoCo to 0.8.11. (markt)
+    + Update:  Update SpotBugs to 4.8.0. (markt)
+    + Update:  Update BND to 7.0.0. (markt)
+    + Update:  The minimum Java version required to build Tomcat
+      has been raised to Java 17. (markt)
+- Added patches:
+  * tomcat-9.0-build-with-java-11.patch
+
+-------------------------------------------------------------------
+Wed Jan 17 14:53:08 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- change server.xml during %post instead of %posttrans
+
 -------------------------------------------------------------------
 Fri Jan 12 13:18:52 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>

--- a/tomcat.spec
+++ b/tomcat.spec
@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 82
+%define micro_version 85
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}
@ -82,6 +82,7 @@ Patch5:         %{name}-%{major_version}.%{minor_version}-jdt.patch
 Patch6:         tomcat-9.0.75-secretRequired-default.patch
 Patch7:         tomcat-9.0-fix_catalina.patch
 Patch8:         tomcat-9.0-logrotate_everything.patch
+Patch9:         tomcat-9.0-build-with-java-11.patch
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
 BuildRequires:  apache-commons-collections
@ -101,7 +102,6 @@ BuildRequires:  jakarta-taglibs-standard >= 1.1
 BuildRequires:  java-devel >= 1.8
 BuildRequires:  javapackages-local
 BuildRequires:  junit
-BuildRequires:  libxslt-tools
 BuildRequires:  pkgconfig
 BuildRequires:  sed
 BuildRequires:  systemd-rpm-macros
@ -116,6 +116,7 @@ Requires:       apache-commons-logging
 Requires:       apache-commons-pool2
 Requires:       java >= 1.8
 Requires(post): %fillup_prereq
+Requires(post): libxslt-tools
 Requires(pre):  shadow
 Recommends:     libtcnative-1-0 >= 1.1.24
 Recommends:     logrotate
@ -133,6 +134,7 @@ ATTENTION: This tomcat is built with java 1.8.0.
 Summary:        The host manager and manager web applications for Apache Tomcat
 Group:          Productivity/Networking/Web/Servers
 Requires:       %{name} = %{version}-%{release}
+Requires(post): libxslt-tools

 %description admin-webapps
 The host manager and manager web-based applications for Apache Tomcat.
@ -148,6 +150,7 @@ Embeddeding support (various libraries) for Apache Tomcat.
 Summary:        The "docs" web application for Apache Tomcat
 Group:          Productivity/Networking/Web/Servers
 Requires:       %{name} = %{version}-%{release}
+Requires(post): libxslt-tools

 %description docs-webapp
 The documentation of web application for Apache Tomcat.
@ -236,6 +239,7 @@ Summary:        ROOT and examples web applications for Apache Tomcat
 Group:          Productivity/Networking/Web/Servers
 Requires:       %{name} = %{version}-%{release}
 Requires:       jakarta-taglibs-standard >= 1.1
+Requires(post): libxslt-tools

 %description webapps
 The ROOT and examples web applications for Apache Tomcat
@ -556,6 +560,7 @@ getent passwd tomcat >/dev/null || %{_sbindir}/useradd -c "Apache Tomcat" \
 %post
 %service_add_post %{name}.service
 %{fillup_only %{name}}
+xsltproc  --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml

 %preun
 %service_del_preun %{name}.service
@ -667,9 +672,6 @@ if [ ! -e %{_datadir}/%{name}/webapps/docs ]; then
    ln -sf %{tomcatappdir}/docs %{_datadir}/%{name}/webapps/docs
 fi

-%posttrans
-xsltproc  --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml
-
 %files
 %doc {LICENSE,NOTICE,RELEASE*}
 %attr(0755,root,root) %{_bindir}/%{name}-digest