Accepting request 1252935 from Java:packages

9.0.99 OBS-URL: https://build.opensuse.org/request/show/1252935 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat?expand=0&rev=113
2025-03-14 22:51:22 +00:00
parent 545eefb931 ac023ed8e5
commit 83dbcc5d2a
6 changed files with 122 additions and 21 deletions
--- a/apache-tomcat-9.0.98-src.tar.gz
+++ b/apache-tomcat-9.0.98-src.tar.gz
--- a/apache-tomcat-9.0.98-src.tar.gz.asc
+++ b/apache-tomcat-9.0.98-src.tar.gz.asc
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmdSBNoACgkQaCSJWTWe
-citlcw//UyA6O47D4cYTkgLaBMzNATMfYll9VLYaZFt3zipCKQ0Z1uIKVuXSYlty
-UQBrOIo3pbhgrDR2ndRF3IPv4+c5IN2q8lyo/PMbhaF1Jx6Qi+w07MBX58EBO88Q
-+2ZXOQ5KTY7YSl4uhKJHA14iH1hevJHt9ELO8D7npbsDDVz4OIJfeRGyp97lrlmE
-4jbE6VnF13kAEzvQdcTGcbxRHlCBWd3g+tJK3/0xfW3y9fWws/hOn5A0PM/Wb2yB
-nsm824VYOvwcYgSolKkgqEM/02lGbvcMtoF3pAzlHqE3WcZBL1SQh7BRVvj6MMB5
-zI21ThTqg+prSNK4ZQ6kdM+UHnJpQNwmiEvZh4E/sJuEzbouMhxCv/IydLM3j2Ck
-9Fa0fF26yA3bcwQHzjG5pB7IP6YVeR4t95hnvclMHYrTOvHttxnnb5NwSF4EpE5b
-JaufFixcUEjlb/9dWfOd4MQmf9yqupTiJh98ovqR6qjuBOfTXKDUmk1I8qIBne7Y
-OJExU/YdjZrgKgAQQLGB6G+u/T/ytvWlFNe2N+wCrunhlIPaFuK/3zj1/cM7ZwpA
-qtMFh+30IzPOBJSGDf4fvQsWIv490l+OMqlkv6arO7RFHkqWqq5gum/I2pF91OVt
-GL3AAjOuSkyLJwe2gW+aMeCyPegyTkNBp4gpslKXbtQtOIF1Lc8=
-=EWT+
-----END PGP SIGNATURE-----
--- a/apache-tomcat-9.0.99-src.tar.gz
+++ b/apache-tomcat-9.0.99-src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9fbe452992872687b0283303a8587c9fa782e7a3dbf164a9e2541a7e820ef6be
+size 7124431
--- a/apache-tomcat-9.0.99-src.tar.gz.asc
+++ b/apache-tomcat-9.0.99-src.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmeidH8ACgkQaCSJWTWe
+ciuMWw//cUnP6qSRnEwrwt5Kjhv0RBTk7cDnehF7yODxQ90QVFO8rHb7abfAvnEy
+RLn2pMwbweKUbyoRAdogL1nhBscwrlDjAxYZPLc+IAxWX3ln1Jmb327G/XHGbwnh
+NBickaG7dmWsMs7giJcCYEAD5vDGSIdN6TEePN5D+rVB+VyWnSjPznHwyBAjtSeU
+7MPQ18SkcIAAhO2DxkWkRgA7i76wOOta4e4xr6d0pR5FQ2zZlym1AW6YImqTZRpX
+JB2rCaZ+OxgeiCY6US2LdB+lGP5vFb10vZCzfIFqY55IyvppNeeRNRSWBGyo6Nyh
+z6BfprD/8iOeTvicZ1y5zuPLhKOoADrZkfoN7bKn71+NjfiFsVr7qx0ZdpzJDJKW
+ITT6EjuH2tFtTN3x41/MdhN8QqS3Orx8OHwze0HNIX6dtkAoEIxx9xaKF35OFJrU
+ogzBJ1TxHKiKLBSs7lRsnop4un09HHMOrSCMa0Q6R0BeXv8vZuq0uD3eyP2vmWpy
+uOi4rh49Tq9CgF1tffTyCqduqF8NyMzKNPxRjlQ9PPUFMKZ/xLS/7WeDmkR01I/G
+RLt9eCF95gHJndxxkHbJmotx0R1eTofQqH6Q5ot29AZDDaZ18ry0TunwaxDhyxl
+NgC8PTPnJmDm3KKQwxDboWhlJNzWh5yFpXaR5eeO0BKddnJlCrI=
+=0ta0
+-----END PGP SIGNATURE-----
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,104 @@
+-------------------------------------------------------------------
+Wed Mar 12 16:21:08 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 9.0.99
+  * Fixed CVE:
+    + CVE-2025-24813: potential RCE and/or information disclosure/corruption with
+      partial PUT (bsc#1239302)    
+  * Catalina
+    + Update: Add tableName configuration on the DataSourcePropertyStore that
+      may be used by the WebDAV Servlet. (remm)
+    + Update: Improve HTTP If headers processing according to RFC 9110. Based on
+      pull request #796 by Chenjp. (remm/markt)
+    + Update: Allow readOnly attribute configuration on the Resources element
+      and allow configure the readOnly attribute value of the main resources.
+      The attribute value will also be used by the default and WebDAV Servlets.
+      (remm)
+    + Fix: 69285: Optimise the creation of the parameter map for included
+      requests. Based on sample code and test cases provided by John
+      Engebretson. (markt)
+    + Fix: 69527: Avoid rare cases where a cached resource could be set with 0
+      content length, or could be evicted immediately. (remm)
+    + Fix: Fix possible edge cases (such as HTTP/1.0) with trying to detect
+      requests without body for WebDAV LOCK and PROPFIND. (remm)
+    + Fix: 69528: Add multi-release JAR support for the bloom
+      archiveIndexStrategy of the Resources. (remm)
+    + Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based
+      on a patch submitted by Chenjp. (remm)
+    + Add: Add a check to ensure that, if one or more web applications are
+      potentially vulnerable to CVE-2024-56337, the JVM has been configured to
+      protect against the vulnerability and to configure the JVM correctly if
+      not. Where one or more web applications are potentially vulnerable to
+      CVE-2004-56337 and the JVM cannot be correctly configured or it cannot be
+      confirmed that the JVM has been correctly configured, prevent the impacted
+      web applications from starting. (markt)
+    + Fix: Remove unused session to client map from CrawlerSessionManagerValve.
+      Submitted by Brian Matzon. (remm)
+    + Fix: When using the WebDAV servlet with serveSubpathOnly set to true,
+      ensure that the destination for any requested WebDAV operation is also
+      restricted to the sub-path. (markt)
+    + Fix: Generate an appropriate Allow HTTP header when the Default servlet
+      returns a 405 (method not allowed) response in response to a DELETE
+      request because the target resource cannot be deleted. Pull request #802
+      provided by Chenjp. (markt)
+    + Code: Refactor creation of RequestDispatcher instances so that the
+      processing of the provided path is consistent with normal request
+      processing. (markt)
+    + Add: Add encodedReverseSolidusHandling and encodedSolidusHandling
+      attributes to Context to provide control over the handling of the path
+      used to created a RequestDispatcher. (markt)
+    + Fix: Handle a potential NullPointerException after an IOException occurs
+      on a non-container thread during asynchronous processing. (markt)
+    + Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
+  * Coyote
+    + Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does
+      not support. These settings are now silently ignored. (markt)
+    + Fix: Avoid a rare NullPointerException when recycling the
+      Http11InputBuffer. (markt)
+    + Fix: Lower the log level to debug for logging an invalid socket channel
+      when processing poller events for the NIO Connector as this may occur in
+      normal usage. (markt)
+    + Code: Clean-up references to the HTTP/2 stream once request processing has
+      completed to aid GC and reduce the size of the HTTP/2 recycled request and
+      response cache. (markt)
+    + Add: Add a new Connector configuration attribute,
+      encodedReverseSolidusHandling, to control how %5c sequences in URLs are
+      handled. The default behaviour is unchanged (decode) keeping in mind that
+      the allowBackslash attribute determines how the decoded URI is processed.
+      (markt)
+    + Fix: 69545: Improve CRLF skipping for the available method of the
+      ChunkedInputFilter. (remm)
+    + Fix: Improve the performance of repeated calls to getHeader(). Pull
+      request #813 provided by Adwait Kumar Singh. (markt)
+    + Fix: 69559: Ensure that the Java 24 warning regarding the use of
+      sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code
+      will be used. (markt)
+  * Jasper
+    + Fix: 69508: Correct a regression in the fix for 69382 that broke JSP
+      include actions if both the page attribute and the body contained
+      parameters. Pull request #803 provided by Chenjp. (markt)
+    + Fix: 69521: Update the EL Parser to allow the full range of valid
+      characters in an EL identifier as defined by the Java Language
+      Specification. (markt)
+    + Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch
+      provided by John Engebretson. (markt)
+  * Web applications
+    + Add: Documentation. Expand the description of the security implications of
+      setting mapperContextRootRedirectEnabled and/or
+      mapperDirectoryRedirectEnabled to true. (markt)
+    + Fix: Documentation. Better document the default for the truststoreProvider
+      attribute of a SSLHostConfig element. (markt)
+  * Other
+    + Update: Update to Commons Daemon 1.4.1. (markt)
+    + Update: Update the internal fork of Commons Pool to 2.12.1. (markt)
+    + Update: Update Byte Buddy to 1.16.1. (markt)
+    + Update: Update UnboundID to 7.0.2. (markt)
+    + Update: Update Checkstyle to 10.21.2. (markt)
+    + Update: Update SpotBugs to 4.9.0. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Chinese translations by leeyazhou. (markt)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+  
 -------------------------------------------------------------------
 Fri Jan  3 16:03:11 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>

--- a/tomcat.spec
+++ b/tomcat.spec
@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 98
+%define micro_version 99
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}
@@ -120,12 +120,12 @@ Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
 Requires(pre):  shadow
-%systemd_ordering
 Recommends:     libtcnative-1-0 >= 1.1.24
 Recommends:     logrotate
 Provides:       group(tomcat)
 Provides:       user(tomcat)
 BuildArch:      noarch
+%systemd_ordering

 %description
 Tomcat is the servlet container that is used in the official Reference