From eae7642b893472d36b21f7a8c98e5027a6d37cb5ca8bc1de80f54e41d5fa3005 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Sat, 6 Apr 2024 11:50:11 +0000 Subject: [PATCH] Accepting request 1165675 from home:RMestre:branches:Java:packages MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Update to Tomcat 9.0.87 * Fixed CVEs: + CVE-2024-24549: Improved request header validation for HTTP/2 stream (bsc#1221386) + CVE-2024-23672: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection (bsc#1221385) * Catalina + Fix: Minor performance improvement for building filter chains. Based on ideas from #702 by Luke Miao. (remm) + Fix: Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true. (markt) + Fix: 68692: The standard thread pool implementations that are configured using the Executor element now implement ExecutorService for better support NIO2. (remm) + Fix: 68495: When restoring a saved POST request after a successful FORM authentication, ensure that neither the URI, the query string nor the protocol are corrupted when restoring the request body. (markt) + Fix: 68721: Workaround a possible cause of duplicate class definitions when using ClassFileTransformers and the transformation of a class also triggers the loading of the same class. (markt) + Fix: The rewrite valve should not do a rewrite if the output is identical to the input. (remm) + Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow skipping over the next valve in the Catalina pipeline. (remm) + Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by removing reference to org.apache.catalina.ssi package that is no longer included in the JAR. Based on pull request #684 by Jendrik Johannes. (markt) + Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are correctly removed from files containing property values when configured to do so. Bug identified by Coverity Scan. (markt) + Add: Add improvements to the CSRF prevention filter including the ability to skip adding nonces for resource name and subtree URL patterns. (schultz) + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) + Fix: 68089: Further improve the performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt) + Fix: 68559: Allow asynchronous error handling to write to the response after an error during asynchronous processing. (markt) * Coyote + Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all of the connection windows and still has content to write, it will now be added to the backlog immediately rather than waiting until the write attempt for the remaining content. (markt) + Fix: Make asynchronous error handling more robust. Ensure that once a connection is marked to be closed, further asynchronous processing cannot change that. (markt) + Fix: Make asynchronous error handling more robust. Ensure that once the call to AsyncListener.onError() has returned to the container, only container threads can access the AsyncContext. This protects against various race conditions that woudl otherwise occur if application threads continued to access the AsyncContext. + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. In particular, most of the HTTP/2 debug logging has been changed to trace level. (remm) + Fix: Add support for user provided SSLContext instances configured on SSLHostConfigCertificate instances. Based on pull request #673 provided by Hakan Altındağ. (markt) + Fix: Improve the Tomcat Native shutdown process to reduce the likelihood of a JVM crash during Tomcat shutdown. (markt) + Fix: Partial fix for 68558: Cache the result of converting to String for request URI, HTTP header names and the request Content-Type value to improve performance by reducing repeated byte[] to String conversions. (markt) + Fix: Improve error reporting to HTTP/2 clients for header processing errors by reporting problems at the end of the frame where the error was detected rather than at the end of the headers. (markt) + Fix: Remove the remaining reference to a stream once the stream has been recycled. This makes the stream eligible for garbage collection earlier and thereby improves scalability. (markt) * Jasper + Add: Add support for specifying Java 22 (with the value 22) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt) + Fix: 68546: Generate optimal size and types for JSP imports maps, as suggested by John Engebretson. (remm) + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) * Cluster + Fix: Avoid updating request count stats on async. (remm) * WebSocket + Fix: Correct a regression in the fix for 66508 that could cause an UpgradeProcessor leak in some circumstances. (markt) + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) + Fix: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection. (markt) * Web applications + Add: Add support for responses in JSON format from the examples application RequestHeaderExample. (schultz) * Other + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Update: Update Checkstyle to 10.13.0. (markt) + Update: Update JSign to 6.0. (markt) + Update: Add strings for debug level messages. (remm) + Update: Update Tomcat Native to 1.3.0. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) OBS-URL: https://build.opensuse.org/request/show/1165675 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=310 --- apache-tomcat-9.0.85-src.tar.gz | 3 - apache-tomcat-9.0.85-src.tar.gz.asc | 16 ---- apache-tomcat-9.0.87-src.tar.gz | 3 + apache-tomcat-9.0.87-src.tar.gz.asc | 16 ++++ tomcat.changes | 109 ++++++++++++++++++++++++++++ tomcat.spec | 2 +- 6 files changed, 129 insertions(+), 20 deletions(-) delete mode 100644 apache-tomcat-9.0.85-src.tar.gz delete mode 100644 apache-tomcat-9.0.85-src.tar.gz.asc create mode 100644 apache-tomcat-9.0.87-src.tar.gz create mode 100644 apache-tomcat-9.0.87-src.tar.gz.asc diff --git a/apache-tomcat-9.0.85-src.tar.gz b/apache-tomcat-9.0.85-src.tar.gz deleted file mode 100644 index 7e47d02..0000000 --- a/apache-tomcat-9.0.85-src.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:bd5f0d636ec6d6a0512079d62137b46396cb3ef89e98c47ce172921386bece86 -size 6315926 diff --git a/apache-tomcat-9.0.85-src.tar.gz.asc b/apache-tomcat-9.0.85-src.tar.gz.asc deleted file mode 100644 index 984252d..0000000 --- a/apache-tomcat-9.0.85-src.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmWXwOIACgkQaCSJWTWe -civPQA//Qy3b3J48H/thEWhTYXy+KlcRP8p10iJu/dtSRbU1kkjP8Cj5jl0j1TXJ -tf/qygoBV2ckJAVyJkul7TXsA5Memj2MoaK32bm/GEXd1Cv1BClBC2qDsSWcca/C -Ua3q/2tg9muVo3JhETash2iQN4AtIbeELrsRTwvV3+w1eeJ0OcE84xytSw0b3FQu -rv1rWBfzTnkGPB4Uipzpq6aXZtfW5B9isEhb1MniAHZYKMWhJ9svS0hWvQzhPHYo -X5sbmkhqht2MwVdUfw9CTwITydcRsJkdz1rMtcGXbfVEhvrZi9jeM0ygqf+RxPhi -nCSea80CeaKv4DFh3h0zYhk9k+Y6j23X4gF15tYz3JxV+tDTPD2nNnDXFyKg3RAH -CddjOXBQONKx1O1C4D1MkBaQdNwm1qS2rooxd61sMsYAuWACUMaIBn9SozwtyJ3K -WQx4nrpXOuLoqFGOv7eiVW5bYnxyg4jiQr6kWMFMXGhZtY9uj3uL1Ojll0EsRx1C -yIJHh0nVKuze2zuqMqp5g40q4f2/fFl3LJoArOkunxDpi8X4HpMP1STY+0dxOSxb -Mm9nF/10YpCyvZkvAdw3ymJEecXUJKAJiG3xCOUzCHtYnsF09kyqQ9Ho01CC5nSB -hCJ6kCqRAhE3jS0sXNh9HLKvHcvJGZ2IT/40AU9oRSVzZncMEUc= -=bszF ------END PGP SIGNATURE----- diff --git a/apache-tomcat-9.0.87-src.tar.gz b/apache-tomcat-9.0.87-src.tar.gz new file mode 100644 index 0000000..05c9438 --- /dev/null +++ b/apache-tomcat-9.0.87-src.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf9248f068152518445f6e418b5a6a1251ea3b8c7a60f6d35c6d3a79d13d26b1 +size 6332438 diff --git a/apache-tomcat-9.0.87-src.tar.gz.asc b/apache-tomcat-9.0.87-src.tar.gz.asc new file mode 100644 index 0000000..9ace728 --- /dev/null +++ b/apache-tomcat-9.0.87-src.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmXu2nYACgkQaCSJWTWe +cis4lg//VHmtdBX2BrPuE8AV2R3ob9KI4uxrBxfjukb/HfvsXT1Zz00R27HVbKln +h1hx7PCTrVJq+sHLDiDnYF1FDC5M+atvryoXcFIAEgnkqQ4toSgqBTa85NcRxrKY +lBnQrZ5ZF5MJ7h+E8r7PIXwjbKbcvMLnhqvXwIB6TOMgUC3UOwZPN2vvq20XqYHA +tevMCDLdMjcAdiOMqkekmq6y8KaEMoEY2rJG3KHCPXKkVQflQoX1bNs88vSd4t4F +CQTcLauo9oyT+IaaanJWrawnKxlAD6x8QuFkJWNK2SC7145IGWeo1R32xzPvQdau +Lu69YayASXq2nilYCLI3uZQ4tFSjCosi+DZaJVatMi2wbGXheau36vS8WLYkroWt +w9deOo+KYiibckgEGbEncAD54sBVKF5Eun751CzSDZC1yV+08oII16koIl0TQlcd +ZFhpIgQ5fo19VUReLQ9JlR98vbLnVFGg+3GVzHqfIATrVuulaliw6HOK7UT/ixFX +jWNdR+/szFe3gTy+RifMU4C3D0hWEhRQGjnVoUPdck2ANBOm5CPV3R5IL2ej03yj +LYXCJ++r+e/O5tftlax2Tnpmxzo0HFrQCSr+1HTsE4VY7Upy0liiV3btBWPcKKVp +0e3E2wYv9P1PcTJD+XUOLX1yuYZv0xCS5fQ4t/ZlSR2R20+rUu4= +=F+I2 +-----END PGP SIGNATURE----- diff --git a/tomcat.changes b/tomcat.changes index 217521b..e330a9c 100644 --- a/tomcat.changes +++ b/tomcat.changes @@ -1,3 +1,112 @@ +------------------------------------------------------------------- +Fri Apr 5 14:24:14 UTC 2024 - Ricardo Mestre + +- Update to Tomcat 9.0.87 + * Fixed CVEs: + + CVE-2024-24549: Improved request header validation for HTTP/2 stream + (bsc#1221386) + + CVE-2024-23672: Ensure that WebSocket connection closure completes if + the connection is closed when the server side has used the proprietary + suspend/resume feature to suspend the connection (bsc#1221385) + * Catalina + + Fix: Minor performance improvement for building filter chains. Based + on ideas from #702 by Luke Miao. (remm) + + Fix: Align error handling for Writer and OutputStream. Ensure use of + either once the response has been recycled triggers a + NullPointerException provided that discardFacades is configured with + the default value of true. (markt) + + Fix: 68692: The standard thread pool implementations that are configured + using the Executor element now implement ExecutorService for better + support NIO2. (remm) + + Fix: 68495: When restoring a saved POST request after a successful FORM + authentication, ensure that neither the URI, the query string nor the + protocol are corrupted when restoring the request body. (markt) + + Fix: 68721: Workaround a possible cause of duplicate class definitions + when using ClassFileTransformers and the transformation of a class also + triggers the loading of the same class. (markt) + + Fix: The rewrite valve should not do a rewrite if the output is + identical to the input. (remm) + + Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to + allow skipping over the next valve in the Catalina pipeline. (remm) + + Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by + removing reference to org.apache.catalina.ssi package that is no longer + included in the JAR. Based on pull request #684 by Jendrik Johannes. + (markt) + + Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences + are correctly removed from files containing property values when + configured to do so. Bug identified by Coverity Scan. (markt) + + Add: Add improvements to the CSRF prevention filter including the + ability to skip adding nonces for resource name and subtree URL patterns. + (schultz) + + Fix: Review usage of debug logging and downgrade trace or data dumping + operations from debug level to trace. (remm) + + Fix: 68089: Further improve the performance of request attribute + access for ApplicationHttpRequest and ApplicationRequest. (markt) + + Fix: 68559: Allow asynchronous error handling to write to the + response after an error during asynchronous processing. (markt) + * Coyote + + Fix: Improve the HTTP/2 stream prioritisation process. If a stream + uses all of the connection windows and still has content to write, it + will now be added to the backlog immediately rather than waiting until + the write attempt for the remaining content. (markt) + + Fix: Make asynchronous error handling more robust. Ensure that once + a connection is marked to be closed, further asynchronous processing + cannot change that. (markt) + + Fix: Make asynchronous error handling more robust. Ensure that once + the call to AsyncListener.onError() has returned to the container, only + container threads can access the AsyncContext. This protects against + various race conditions that woudl otherwise occur if application threads + continued to access the AsyncContext. + + Fix: Review usage of debug logging and downgrade trace or data + dumping operations from debug level to trace. In particular, most of the + HTTP/2 debug logging has been changed to trace level. (remm) + + Fix: Add support for user provided SSLContext instances configured + on SSLHostConfigCertificate instances. Based on pull request #673 + provided by Hakan Altındağ. (markt) + + Fix: Improve the Tomcat Native shutdown process to reduce the likelihood + of a JVM crash during Tomcat shutdown. (markt) + + Fix: Partial fix for 68558: Cache the result of converting to String + for request URI, HTTP header names and the request Content-Type value to + improve performance by reducing repeated byte[] to String conversions. + (markt) + + Fix: Improve error reporting to HTTP/2 clients for header processing + errors by reporting problems at the end of the frame where the error was + detected rather than at the end of the headers. (markt) + + Fix: Remove the remaining reference to a stream once the stream has + been recycled. This makes the stream eligible for garbage collection + earlier and thereby improves scalability. (markt) + * Jasper + + Add: Add support for specifying Java 22 (with the value 22) as the + compiler source and/or compiler target for JSP compilation. If used with + an Eclipse JDT compiler version that does not support these values, a + warning will be logged and the default will used. (markt) + + Fix: 68546: Generate optimal size and types for JSP imports maps, as + suggested by John Engebretson. (remm) + + Fix: Review usage of debug logging and downgrade trace or data + dumping operations from debug level to trace. (remm) + * Cluster + + Fix: Avoid updating request count stats on async. (remm) + * WebSocket + + Fix: Correct a regression in the fix for 66508 that could cause an + UpgradeProcessor leak in some circumstances. (markt) + + Fix: Review usage of debug logging and downgrade trace or data dumping + operations from debug level to trace. (remm) + + Fix: Ensure that WebSocket connection closure completes if the + connection is closed when the server side has used the proprietary + suspend/resume feature to suspend the connection. (markt) + * Web applications + + Add: Add support for responses in JSON format from the examples + application RequestHeaderExample. (schultz) + * Other + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations by tak7iji. (markt) + + Update: Update Checkstyle to 10.13.0. (markt) + + Update: Update JSign to 6.0. (markt) + + Update: Add strings for debug level messages. (remm) + + Update: Update Tomcat Native to 1.3.0. (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations by tak7iji. (markt) + ------------------------------------------------------------------- Wed Mar 6 07:18:06 UTC 2024 - Dan Čermák diff --git a/tomcat.spec b/tomcat.spec index 726de63..11a0a50 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -22,7 +22,7 @@ %define elspec 3.0 %define major_version 9 %define minor_version 0 -%define micro_version 85 +%define micro_version 87 %define packdname apache-tomcat-%{version}-src # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/ %global basedir /srv/%{name}