Accepting request 629579 from home:mateialbu:branches:Java:packages

- Update to Tomcat 9.0.10. See changelog at 
  http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.10_(markt)
- Fixed CVEs:
  - CVE-2018-1336 (bsc#1102400)
  - CVE-2018-8014 (bsc#1093697)
  - CVE-2018-8034 (bsc#1102379)
  - CVE-2018-8037 (bsc#1102410)
- Rebased patch tomcat-9.0-JDTCompiler-java.patch
- Added patch tomcat-9.0-disable-osgi-build.patch to disable adding 
  OSGi metadata to JAR files

OBS-URL: https://build.opensuse.org/request/show/629579
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=126

apache-tomcat-9.0.10-src.tar.gz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:5d6a2ff9715c1624d9e99e0b02e1811d2772a3291c8641269cfc0884d5942c34
+size 5147367

apache-tomcat-9.0.10-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAlstN0UACgkQEMAcWi9g
+Wec65Q/+JAVi3ft4q5R7rcF5cA1Qh2vK1Jh2PaWrIQbk5PxFb8uG0IdbZXn2DlIL
+9F7Pa20pGti84/CgN19OqYxFOvxr6g0lxyG+0FqGxKAsEG/LhznLTl7a7a0Mios4
+PyiYdpdFGNp7eCpavckYGIqtqGeCfY1dZiVtA7ZmV1OiACVSuwdRowb6xCcwuz2H
+ZgqSybLLDQVknOpoJHtPrqr8spy+P1IULUdrZb3aMeXaQ9R+UdNb/zmX967N/gd6
+S0fQKuoJp35kQ9PWwYhWrgsxX6/ZNuLo1DvIL1KLoFnEEqPVy1mVXdFunb99kaIZ
+phhRv4tIV9DNqMg3Gy4u2axjAOKE5lJ+HwrcQt2GlyWXEwbC2cqUmJ1whzv+C9H0
+5tM49fUDFlFm2WBKzcgGH8piofH2bkaA5wCQUwW23rlU/GisDQvTXk/K3U5itpIS
+7xPzeap2McNPURn1zjmFeqyoMkujnf8qkValITVpDo0c84o9/5+ywheTE7/VIzXF
+0LYelM0UuW0BqWFy8GY6iRk3EycfK6DcxejbNpB8TEXq+am5y7y1lNa7xz56WfDY
+KcVoSG9kionCdgJeivCaDK/PdVEWb5vqs0XjOryrInB5C1R5t4jbwxJCU0FSo7in
+7cHSeh4HxBC6bAQfsrhy4uoWkdz9Y8DvEOaC5sN205sLr7kMe3E=
+=WeRG
+-----END PGP SIGNATURE-----

apache-tomcat-9.0.5-src.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:8d402beb64d38c360923b2c15fcc3a32fc6d602e4e6b590ecab143832a94811d
-size 5077379

apache-tomcat-9.0.5-src.tar.gz.asc

@@ -1,7 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Version: GnuPG v2
-
-iEYEABECAAYFAlp6IhEACgkQb7IeiTPGAkNOogCfdEvtPdOmOWNTPiu3qzE95hOH
-ugAAni6jvLd1ASKs9wMvEaYUHKtbsHGM
-=1Qrs
------END PGP SIGNATURE-----

tomcat-9.0-JDTCompiler-java.patch

@@ -3,37 +3,50 @@ IDEA additional info:
 Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
 <+>UTF-8
 ===================================================================
---- java/org/apache/jasper/compiler/JDTCompiler.java	(date 1506521372000)
+--- java/org/apache/jasper/compiler/JDTCompiler.java	(revision 6bbf738a0e56d1793022b15e9aca9b690699216b)
-+++ java/org/apache/jasper/compiler/JDTCompiler.java	(revision )
++++ java/org/apache/jasper/compiler/JDTCompiler.java	(date 1534261527000)
-@@ -312,10 +312,10 @@
+@@ -312,15 +312,16 @@
                               CompilerOptions.VERSION_1_7);
              } else if(opt.equals("1.8")) {
                  settings.put(CompilerOptions.OPTION_Source,
 -                             CompilerOptions.VERSION_1_8);
 +                             "1.8"); // CompilerOptions.VERSION_1_8
-             } else if(opt.equals("1.9")) {
+             // Version format changed from Java 9 onwards.
+             // Support old format that was used in EA implementation as well
+             } else if(opt.equals("9") || opt.equals("1.9")) {
                  settings.put(CompilerOptions.OPTION_Source,
--                             CompilerOptions.VERSION_1_9);
+-                             CompilerOptions.VERSION_9);
-+                             "1.9"); // CompilerOptions.VERSION_1_9
++                        "9");
+             } else if(opt.equals("10")) {
+                 settings.put(CompilerOptions.OPTION_Source,
+-                             CompilerOptions.VERSION_10);
++                        "10");
++
              } else {
                  log.warn("Unknown source VM " + opt + " ignored.");
                  settings.put(CompilerOptions.OPTION_Source,
-@@ -359,14 +359,14 @@
+@@ -366,19 +367,19 @@
-                         CompilerOptions.VERSION_1_7);
-             } else if(opt.equals("1.8")) {
                  settings.put(CompilerOptions.OPTION_TargetPlatform,
--                             CompilerOptions.VERSION_1_8);
+                              CompilerOptions.VERSION_1_8);
-+                             "1.8"); // CompilerOptions.VERSION_1_8
                  settings.put(CompilerOptions.OPTION_Compliance,
 -                        CompilerOptions.VERSION_1_8);
 +                        "1.8"); // CompilerOptions.VERSION_1_8
-             } else if(opt.equals("1.9")) {
+             // Version format changed from Java 9 onwards.
+             // Support old format that was used in EA implementation as well
+             } else if(opt.equals("9") || opt.equals("1.9")) {
                  settings.put(CompilerOptions.OPTION_TargetPlatform,
--                             CompilerOptions.VERSION_1_9);
+-                             CompilerOptions.VERSION_9);
-+                             "1.9"); // CompilerOptions.VERSION_1_9
++                            "9"); // CompilerOptions.VERSION_1_9
                  settings.put(CompilerOptions.OPTION_Compliance,
--                        CompilerOptions.VERSION_1_9);
+-                        CompilerOptions.VERSION_9);
-+                        "1.9"); // CompilerOptions.VERSION_1_9
++                        "9"); // CompilerOptions.VERSION_1_9
+             } else if(opt.equals("10")) {
+                 settings.put(CompilerOptions.OPTION_TargetPlatform,
+-                        CompilerOptions.VERSION_10);
++                        "10");
+                 settings.put(CompilerOptions.OPTION_Compliance,
+-                        CompilerOptions.VERSION_10);
++                        "10");
              } else {
                  log.warn("Unknown target VM " + opt + " ignored.");
                  settings.put(CompilerOptions.OPTION_TargetPlatform,

tomcat-9.0-disable-osgi-build.patch

@@ -0,0 +1,44 @@
+Index: build.xml
+IDEA additional info:
+Subsystem: com.intellij.openapi.diff.impl.patch.CharsetEP
+<+>UTF-8
+===================================================================
+--- build.xml	(date 1529515764000)
++++ build.xml	(date 1534335916000)
+@@ -15,7 +15,8 @@
+   See the License for the specific language governing permissions and
+   limitations under the License.
+ -->
+-<project name="Tomcat 9.0" default="deploy" basedir=".">
++<project name="Tomcat 9.0" default="deploy" basedir="."
++  xmlns:if="ant:if" xmlns:unless="ant:unless">
+ 
+   <!-- ===================== Initialize Property Values ==================== -->
+ 
+@@ -728,7 +729,7 @@
+   </target>
+ 
+   <target name="build-bnd" unless="bnd.uptodate"
+-          depends="setup-bnd,build-prepare">
++          depends="setup-bnd,build-prepare" if="add.osgi.jar.metadata">
+ 
+     <mkdir dir="${tomcat.bnd}" />
+     <copy todir="${tomcat.bnd}" overwrite="yes" filtering="yes"
+@@ -2970,7 +2971,7 @@
+ 
+   <!-- ======================= Macros, Taskdefs etc ======================== -->
+ 
+-  <target name="setup-bnd" >
++  <target name="setup-bnd" if="add.osgi.jar.metadata"> 
+     <!-- Download bnd -->
+     <antcall target="downloadfile">
+       <param name="sourcefile" value="${bnd.loc}"/>
+@@ -3025,7 +3026,7 @@
+         <zipfileset file="@{notice}" fullpath="META-INF/NOTICE" />
+         <zipfileset file="@{license}" fullpath="META-INF/LICENSE" />
+       </jar>
+-      <antcall target="add-osgi" >
++      <antcall target="add-osgi" if:set="add.osgi.jar.metadata">
+         <param name="jarfile" value="@{jarfile}" />
+         <param name="addOSGi" value="@{addOSGi}" />
+       </antcall>

tomcat.changes

@@ -1,3 +1,17 @@
+-------------------------------------------------------------------
+Tue Aug 16 14:13:23 UTC 2018 - malbu@suse.com
+
+- Update to Tomcat 9.0.10. See changelog at 
+  http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.10_(markt)
+- Fixed CVEs:
+  - CVE-2018-1336 (bsc#1102400)
+  - CVE-2018-8014 (bsc#1093697)
+  - CVE-2018-8034 (bsc#1102379)
+  - CVE-2018-8037 (bsc#1102410)
+- Rebased patch tomcat-9.0-JDTCompiler-java.patch
+- Added patch tomcat-9.0-disable-osgi-build.patch to disable adding 
+  OSGi metadata to JAR files
+
 -------------------------------------------------------------------
 Wed Feb 16 16:38:14 UTC 2018 - malbu@suse.de
 

tomcat.spec

@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 5
+%define micro_version 10
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}
@@ -83,6 +83,9 @@ Patch2:         %{name}-%{major_version}.%{minor_version}-JDTCompiler-java.patch
 Patch3:         %{name}-%{major_version}.%{minor_version}-sle.catalina.policy.patch
 # PATCH-FIX-OPENSUSE: build javadoc with the same java source level as the class files
 Patch4:         %{name}-%{major_version}.%{minor_version}-javadoc.patch
+# PATCH-FIX-OPENSUSE: disable adding OSGi metadata to JAR files because bndtools is not avalable in SLES/OpenSUSE
+Patch5:         tomcat-9.0-disable-osgi-build.patch
+
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
 BuildRequires:  apache-commons-collections
@@ -252,6 +255,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch2
 %patch3
 %patch4
+%patch5
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
@@ -285,6 +289,7 @@ ant -Dbase.path="." \
     -Dnsis.exe="HACK" \
     -Djaxrpc-lib.jar="$(build-classpath jaxrpc)" \
     -Dwsdl4j-lib.jar="$(build-classpath wsdl4j)" \
+    -Dsaaj-api.jar="$(build-classpath geronimo-saaj-1_1-api)" \
     -Dcommons-pool.home="$(build-classpath commons-pool2)" \
     -Dcommons-dbcp.home="$(build-classpath commons-dbcp2)" \
     -Dno.build.dbcp=true \