pool/tomcat
SHA256
4
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
tomcat/tomcat-9.0-osgi-build.patch
Michele Bussolotto 8ef7eb2a60 - Update to Tomcat 9.0.97 
* Fixed CVEs:
    + CVE-2024-52316: If the Jakarta Authentication fails with an exception,
      set a 500 status (bsc#1233434)
  * Catalina
    + Add: Add support for the new Servlet API method 
      HttpServletResponse.sendEarlyHints(). (markt)
    + Add: 55470: Add debug logging that reports the class path when a 
      ClassNotFoundException occurs in the digester or the web application 
      class loader. Based on a patch by Ralf Hauser. (markt)
    + Update: 69374: Properly separate between table header and body in 
      DefaultServlet's listing. (michaelo)
    + Update: 69373: Make DefaultServlet's HTML listing file last modified 
      rendering better (flexible). (michaelo)
    + Update: Improve HTML output of DefaultServlet. (michaelo)
    + Code: Refactor RateLimitFilter to use FilterBase as the base class. The 
      primary advantage for doing this is less code to process init-param 
      values. (markt)
    + Update: 69370: DefaultServlet's HTML listing uses incorrect labels. 
      (michaelo)
    + Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped 
      requests. (remm)
    + Fix: Add missing WebDAV Lock-Token header in the response when locking 
      a folder. (remm)
    + Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
    + Fix: Fix regression in WebDAV when attempting to unlock a collection. 
      (remm)
    + Fix: Verify that destination is not locked for a WebDAV copy operation. 
      (remm)
    + Fix: Send 415 response to WebDAV MKCOL operations that include a 
      request body since this is optional and unsupported. (remm)
    + Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
    + Fix: Do not allow a new WebDAV lock on a child resource if a parent 
      collection is locked (RFC 4918 section 6.1). (remm)
    + Fix: WebDAV Delete should remove any existing lock on successfully 
      deleted resources. (remm)
    + Update: Remove WebDAV lock null support in accordance with RFC 4918 
      section 7.3 and annex D. Instead, a lock on a non-existing resource 
      will create an empty file locked with a regular lock. (remm)
    + Update: Rewrite implementation of WebDAV shared locks to comply with 
      RFC 4918. (remm)
    + Update: Implement WebDAV If header using code from the Apache Jackrabbit 
      project. (remm)
    + Add: Add PropertyStore interface in the WebDAV Servlet, to allow 
      implementation of dead properties storage. The store used can be 
      configured using the 'propertyStore' init parameter of the WebDAV 
      servlet. A simple non-persistent implementation is used if no custom 
      store is configured. (remm)
    + Update: Implement WebDAV PROPPATCH method using the newly added 
      PropertyStore. (remm)
    + Fix: Cache not found results when searching for web application class 
      loader resources. This addresses performance problems caused by 
      components such as java.sql.DriverManager which, in some circumstances, 
      will search for the same class repeatedly. In a large web application 
      this can cause performance problems. The size of the cache can be 
      controlled via the new notFoundClassResourceCacheSize on the 
      StandardContext. (markt)
    + Fix: Stop after INITIALIZED state should be a noop since it is possible 
      for subcomponents to be in FAILED after init. (remm)
    + Fix: Fix incorrect web resource cache size calculations when there are 
      concurrent PUT and DELETE requests for the same resource. (markt)
    + Add: Add debug logging for the web resource cache so the current size 
      can be tracked as resources are added and removed. (markt)
    + Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens 
      with urn:uuid: as recommended by RFC 4918, and remove secret init 
      parameter. (remm)
    + Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the 
      same path caused corruption of the FileResource where some of the 
      fields were set as if the file exists and some as set as if it does 
      not. This resulted in inconsistent metadata. (markt)
    + Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on 
      GET and HEAD requests. Also skip requests where the application has set 
      Cache-Control: no-store. (markt)
    + Fix: 69419: Improve the performance of ServletRequest.getAttribute() 
      when there are multiple levels of nested includes. Based on a patch 
      provided by John Engebretson. (markt)
    + Add: All applications to send an early hints informational response by 
      calling HttpServletResponse.sendError() with a status code of 103. 
      (schultz)
    + Fix: Ensure that the Jakarta Authentication CallbackHandler only 
      creates one GenericPrincipal in the Subject. (markt)
    + Fix: If the Jakarta Authentication process fails with an Exception, 
      explicitly set the HTTP response status to 500 as the ServerAuthContext 
      may not have set it. (markt)
    + Fix: When persisting the Jakarta Authentication provider configuration, 
      create any necessary parent directories that don't already exist. 
      (markt)
    + Fix: Correct the logic used to detect errors when deleting temporary 
      files associated with persisting the Jakarta Authentication provider 
      configuration. (markt)
    + Fix: When processing Jakarta Authentication callbacks, don't overwrite 
      a Principal obtained from the PasswordValidationCallback with null if 
      the CallerPrincipalCallback does not provide a Principal. (markt)
    + Fix: Avoid store config backup loss when storing one configuration more 
      than once per second. (remm)
    + Fix: 69359: WebdavServlet duplicates getRelativePath() method from 
      super class with incorrect Javadoc. (michaelo)
    + Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and 
      DefaultServlet. (michaelo)
    + Fix: Make WebdavServlet properly return the Allow header when deletion 
      of a resource is not allowed. (michaelo)
    + Fix: Add log warning if non wildcard mappings are used with the 
      WebdavServlet. (remm)
    + Fix: 69361: Ensure that the order of entries in a multi-status response 
      to a WebDAV is consistent with the order in which resources were 
      processed. (markt)
    + Fix: 69362: Provide a better multi-status response when deleting a 
      collection via WebDAV fails. Empty directories that cannot be deleted 
      will now be included in the response. (markt)
    + Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to 
      ensure that the correct path is used when the WebDAV servlet is mounted 
      at a sub-path within the web application. (markt)
    + Fix: Improve performance of ApplicationHttpRequest.parseParameters(). 
      Based on sample code and test cases provided by John Engebretson. 
      (markt)
    + Add: Add support for RFC 8297 (Early Hints). Applications can use 
      this feature by casting the HttpServletResponse to 
      org.apache.catalina.connector.Reponse and then calling the method 
      void sendEarlyHints(). This method will be added to the Servlet API 
      (removing the need for the cast) in Servlet 6.2 onwards. (markt)
    + Fix: 69214: Do not reject a CORS request that uses POST but does not 
      include a content-type header. Tomcat now correctly processes this as 
      a simple CORS request. Based on a patch suggested by thebluemountain. 
      (markt)
    + Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather 
      than Subject.doAs() when available. (markt)
  * Coyote
    + Fix: Return null SSL session id on zero length byte array returned from 
      the SSL implementation. (remm)
    + Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
    + Fix: Create the HttpParser in Http11Processor if it is not present on 
      the AbstractHttp11Protocol to provide better lifecycle robustness for 
      regular HTTP/1.1. The new behavior was introduced on a previous 
      refactoring to improve HTTP/2 performance. (remm)
    + Fix: OpenSSLContext will now throw a KeyManagementException if something 
      is known to have gone wrong in the init method, which is the behavior 
      documented by javax.net.ssl.SSLContext.init. This makes error handling 
      more consistent. (remm)
    + Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to 
      generate Date headers for HTTP responses) generates the correct string 
      for the given input. Prior to this change, the output may have been 
      wrong by one second in some cases. Pull request #751 provided by Chenjp. 
      (markt)
    + Add: Add server and serverRemoveAppProvidedValues to the list of 
      attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector 
      it is nested within. (markt)
    + Fix: Avoid possible crashes when using Apache Tomcat Native, caused by 
      destroying SSLContext objects through GC after APR has been terminated. 
      (remm)
    + Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer 
      fields no longer need to be received before the headers of the 
      subsequent stream nor are trailer fields for an in-progress stream 
      swallowed if the Connector is paused before the trailer fields are 
      received. (markt)
    + Fix: Ensure the request and response are not recycled too soon for an 
      HTTP/2 stream when a stream level error is detected during the processing 
      of incoming HTTP/2 frames. This could lead to incorrect processing times 
      appearing in the access log. (markt)
    + Fix: Fix 69320, a regression in the fix for 69302 that meant the 
      HTTP/2 processing was likely to be broken for all clients once any 
      client sent an HTTP/2 reset frame. (markt)
    + Fix: Correct a regression in the fix for non-blocking reads of chunked 
      request bodies that caused InputStream.available() to return a non-zero 
      value when there was no data to read. In some circumstances this could 
      cause a blocking read to block waiting for more data rather than return 
      the data it had already received. (markt)
    + Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor. 
      The default behaviour is unchanged. (markt)
    + Fix: Ensure that Tomcat sends a TLS close_notify message after receiving 
      one from the client when using the OpenSSLImplementation. (markt)
    + Fix: 69301: Fix trailer headers replacing non-trailer headers when writing 
      response headers to the access log. Based on a patch and test case 
      provided by hypnoce. (markt)
    + Fix: 69302: If an HTTP/2 client resets a stream before the request body is 
      fully written, ensure that any ReadListener is notified via a call to 
      ReadListener.onErrror(). (markt)
    + Fix: Correct regressions in the refactoring that added recycling of the 
      coyote request and response to the HTTP/2 processing. (markt)
    + Add: Add OpenSSL integration using the FFM API rather than Tomcat Native. 
      OpenSSL support may be enabled by adding the 
      org.apache.catalina.core.OpenSSLLifecycleListener listener on the 
      Server element when using Java 22 or later. (remm)
    + Fix: Ensure that HTTP/2 stream input buffers are only created when there 
      is a request body to be read. (markt)
    + Code: Refactor creation of HttpParser instances from the Processor level 
      to the Protocol level since the parser configuration depends on the 
      protocol and the parser is, otherwise, stateless. (markt)
    + Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal 
      request and response processing objects by default. This behaviour can 
      be controlled via the new discardRequestsAndResponses attribute on the 
      HTTP/2 upgrade protocol. (markt)
  * Jasper
    + Fix: Add back tag release method as deprecated in the runtime for 
      compatibility with old generated code. (remm)
    + Fix: 69399: Fix regression caused by the improvement 69333 which caused 
      the tag release to be called when using tag pooling, and to be skipped 
      when not using it. Patch submitted by Michal Sobkiewicz. (remm)
    + Fix: 69381: Improve method lookup performance in expression language. 
      When the required method has no arguments there is no need to consider 
      casting or coercion and the method lookup process can be simplified. 
      Based on pull request #770 by John Engebretson.
    + Fix: 69382: Improve the performance of the JSP include action by 
      re-using results of relatively expensive method calls in the generated 
      code rather than repeating them. Patch provided by John Engebretson. 
      (markt)
    + Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. 
      Based on a suggestion by John Engebretson. (markt)
    + Fix: 69406: When using StringInterpreterEnum, do not throw an 
      IllegalArgumentException when an invalid Enum is encountered. Instead, 
      resolve the value at runtime. Patch provided by John Engebretson. 
      (markt)
    + Fix: 69429: Optimise EL evaluation of method parameters for methods 
      that do not accept any parameters. Patch provided by John Engebretson. 
      (markt)
    + Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
    + Fix: 69338: Improve the performance of processing expressions that 
      include AND or OR operations with more than two operands and expressions 
      that use not empty. (markt)
    + Fix: 69348: Reduce memory consumption in ELContext by using lazy 
      initialization for the data structure used to track lambda arguments. 
      (markt)
    + Fix: Switch the TldScanner back to logging detailed scan results at debug 
      level rather than trace level. (markt)
  * Web applications
    + Fix: The manager webapp will now be able to access certificates again 
      when OpenSSL is used. (remm)
    + Fix: Documentation. Align the logging configuration documentation with 
      the current defaults. (markt)
  * WebSocket
    + Fix: If a blocking message write exceeds the timeout, don't attempt the 
      write again before throwing the exception. (markt)
    + Fix: An EncodeException being thrown during a message write should not 
      automatically cause the connection to close. The application should 
      handle the exception and make the decision whether or not to close the 
      connection. (markt)
  * jdbc-pool
    + Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions 
      executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException 
      rather than the application seeing the original SQLException. Fixed by 
      pull request #744 provided by Michael Clarke. (markt)
    + Fix: 69279: Correct a regression in the fix for 69206 that meant that 
      methods that previously returned a null ResultSet were returning a proxy 
      with a null delegate. Fixed by pull request #745 provided by Huub de Beer. 
      (markt)
    + Fix: 69206: Ensure statements returned from Statement methods 
      executeQuery(), getResultSet() and getGeneratedKeys() are correctly 
      wrapped before being returned to the caller. Based on pull request 
      #742 provided by Michael Clarke.
  * Other
    + Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. 
      (markt)
    + Update: Update Byte Buddy to 1.15.10. (markt)
    + Update: Update CheckStyle to 10.20.0. (markt)
    + Add: Improvements to German translations. (remm)
    + Add: Improvements to French translations. (remm)
    + Add: Improvements to Japanese translations by tak7iji. (markt)
    + Add: Improvements to Chinese translations by Ch_jp. (markt)
    + Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. 
      (markt)
    + Fix: Change the default log handler level to ALL so log messages are 
      not dropped by default if a logger is configured to use trace (FINEST) 
      level logging. (markt)
    + Update: Update Hamcrest to 3.0. (markt)
    + Update: Update EasyMock to 5.4.0. (markt)
    + Update: Update Byte Buddy to 1.15.0. (markt)
    + Update: Update CheckStyle to 10.18.0. (markt)
    + Update: Update the internal fork of Apache Commons BCEL to 6.10.0. 
      (markt)
    + Add: Improvements to Spanish translations by Fernando. (markt)
    + Add: Improvements to French translations. (remm)
    + Add: Improvements to Japanese translations by tak7iji. (markt)
    + Fix: Fix packaging regression with missing osgi information following 
      addition of the test-only build target. (remm)
    + Update: Update Tomcat Native to 1.3.1. (markt)
    + Update: Update Byte Buddy to 1.14.18. (markt)
    + Add: Improvements to French translations. (remm)
    + Add: Improvements to Japanese translations by tak7iji. (markt)

OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=323
2024-11-25 14:54:00 +00:00

39 lines
1.2 KiB
Diff
Raw Blame History

Index: apache-tomcat-9.0.97-src/build.xml
===================================================================
--- apache-tomcat-9.0.97-src.orig/build.xml
+++ apache-tomcat-9.0.97-src/build.xml
@@ -228,11 +228,21 @@
<!--<defaultexcludes echo="true" />-->
<!-- Classpaths -->
+ <path id="bnd.classpath">
+ <fileset file="${bnd.jar}" />
+ <fileset dir="${bnd.dir}">
+ <include name="**/*.jar"/>
+ </fileset>
+ <fileset file="${osgiannotation.jar}" />
+ <fileset file="${osgicmpn.jar}" />
+ <fileset file="${slf4j-api.jar}" />
+ </path>
+
<path id="compile.classpath">
- <pathelement location="${bnd.jar}"/>
<pathelement location="${jdt.jar}"/>
<pathelement location="${jaxrpc-lib.jar}"/>
<pathelement location="${wsdl4j-lib.jar}"/>
+ <path refid="bnd.classpath"/>
</path>
<path id="tomcat.classpath">
@@ -4034,10 +4044,6 @@ Read the Building page on the Apache Tom
<target name="setup-bnd" depends="download-bnd" unless="${skip.build.java.version}">
<!-- Add bnd tasks to project -->
- <path id="bnd.classpath">
- <fileset file="${bnd.jar}" />
- </path>
-
<taskdef resource="aQute/bnd/ant/taskdef.properties" classpathref="bnd.classpath" />
</target>
Reference in New Issue View Git Blame Copy Permalink