diff --git a/apache-tomcat-9.0.97-src.tar.gz b/apache-tomcat-9.0.97-src.tar.gz
deleted file mode 100644
index 17d9a11..0000000
--- a/apache-tomcat-9.0.97-src.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:1b46490fce5292305b8794a54b38c1e927409e907c9186a06ae8fa29ba0a2f1d
-size 7072346
diff --git a/apache-tomcat-9.0.97-src.tar.gz.asc b/apache-tomcat-9.0.97-src.tar.gz.asc
deleted file mode 100644
index 6d99829..0000000
--- a/apache-tomcat-9.0.97-src.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmcrypMACgkQaCSJWTWe
-civQ2A//TWn1UwcPCT0oeSK8C+exGw1tyNRq2zB6enSLf1WwBZ7BpgIl9EzyNMX9
-Uu0pwR2dVhkgCmBL7nM0BZZSs1ST1uFeAV5vM0LeKO/Rq7w1B+8xFu1BmpBX5NBT
-jjkQvpQwBUaKkhGsk+6MI0zHynVgbrlYOw/meVNm2xUu9ADY/WxW0yjMcXVJ747N
-YlWT9TpEJ15tsrRDuGD+JJyFeozNpDqgQ12Ej47E6AQH9zJtp+UPh6XxuqADmCCN
-DUE5wGNwYhz0Vx1bDknuqRvIQ/EtQ9VYND6sv8Cby0iSmj8DB1dcvl7Tr/DJv+BO
-lLTEROBGWR8qE281n7Yab/42Tr86TiDXst1ALjpKQDByB3jDuMPh55YjCK4kaiT0
-0h5MiFN22irfmdMGTO+Ovo9dnu6wWLSCHjUds/ilQGd8uxTtzgIcUh1AutIVX5qL
-1Q5tWK2DBXGrkCZJWBMtpNBOfkxTafa4dsb4XBA8iC84xS3BtIbCAg9vLciqIkLc
-a1nL1GfoNdRaQbrwVLBhaEqxpRgGr8Q01PDsK9j9Vl8YqhtO2heMjGJaGC/pv/Rf
-qjFmXJKUYKlMS8n1VRnzuTgO5DIKKw0VyUQtcSag7DGuCT2Lbz0IpsY3JH6/G8s3
-5gAzGG5ZzbTq8FhTkmd8hL3Se7Gx8R61yxL5D/IGYx+GOpWxjuA=
-=J1sF
------END PGP SIGNATURE-----
diff --git a/apache-tomcat-9.0.98-src.tar.gz b/apache-tomcat-9.0.98-src.tar.gz
new file mode 100644
index 0000000..2844c86
--- /dev/null
+++ b/apache-tomcat-9.0.98-src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:9c048d75ea3cc62c780edbe884845c54c4c515c346f2f062485e36d4e96856f0
+size 7091158
diff --git a/apache-tomcat-9.0.98-src.tar.gz.asc b/apache-tomcat-9.0.98-src.tar.gz.asc
new file mode 100644
index 0000000..ad7bbd8
--- /dev/null
+++ b/apache-tomcat-9.0.98-src.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmdSBNoACgkQaCSJWTWe
+citlcw//UyA6O47D4cYTkgLaBMzNATMfYll9VLYaZFt3zipCKQ0Z1uIKVuXSYlty
+UQBrOIo3pbhgrDR2ndRF3IPv4+c5IN2q8lyo/PMbhaF1Jx6Qi+w07MBX58EBO88Q
++2ZXOQ5KTY7YSl4uhKJHA14iH1hevJHt9ELO8D7npbsDDVz4OIJfeRGyp97lrlmE
+4jbE6VnF13kAEzvQdcTGcbxRHlCBWd3g+tJK3/0xfW3y9fWws/hOn5A0PM/Wb2yB
+nsm824VYOvwcYgSolKkgqEM/02lGbvcMtoF3pAzlHqE3WcZBL1SQh7BRVvj6MMB5
+zI21ThTqg+prSNK4ZQ6kdM+UHnJpQNwmiEvZh4E/sJuEzbouMhxCv/IydLM3j2Ck
+9Fa0fF26yA3bcwQHzjG5pB7IP6YVeR4t95hnvclMHYrTOvHttxnnb5NwSF4EpE5b
+JaufFixcUEjlb/9dWfOd4MQmf9yqupTiJh98ovqR6qjuBOfTXKDUmk1I8qIBne7Y
+OJExU/YdjZrgKgAQQLGB6G+u/T/ytvWlFNe2N+wCrunhlIPaFuK/3zj1/cM7ZwpA
+qtMFh+30IzPOBJSGDf4fvQsWIv490l+OMqlkv6arO7RFHkqWqq5gum/I2pF91OVt
+GL3AAjOuSkyLJwe2gW+aMeCyPegyTkNBp4gpslKXbtQtOIF1Lc8=
+=EWT+
+-----END PGP SIGNATURE-----
diff --git a/tomcat-9.0-jdt.patch b/tomcat-9.0-jdt.patch
index be1cdcc..7a817a8 100644
--- a/tomcat-9.0-jdt.patch
+++ b/tomcat-9.0-jdt.patch
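Review bot: The new detached signature is committed next to the LFS pointer for apache-tomcat-9.0.98-src.tar.gz, but nothing in this diff shows the signature being verified against the Tomcat release keyring, so the commit itself does not demonstrate that the tarball behind the pointer's sha256 (`9c048d75…`) is the one signed here. The issuer-fingerprint subpacket at the start of the armored data (`…FiEESPjmn2OQyfJc/tzSaCSJWTWecis…`) is byte-identical to the one in the removed 9.0.97 signature, so the signer appears unchanged, which is reassuring but is not a verification on its own. If the package does not already ship a keyring file that the build service's source validator uses, add one holding the Tomcat release key, and record the check in tomcat.changes, e.g. `  * Verified with gpg --verify apache-tomcat-9.0.98-src.tar.gz.asc apache-tomcat-9.0.98-src.tar.gz against the Tomcat KEYS file`. The keyring and the spec's Source lines are outside this hunk, so I cannot confirm whether that check is already in place.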
@@ -1,22 +1,22 @@
---- apache-tomcat-9.0.75-src/java/org/apache/jasper/compiler/JDTCompiler.java 2023-05-22 18:12:16.915658492 +0200
-+++ apache-tomcat-9.0.75-src/java/org/apache/jasper/compiler/JDTCompiler.java 2023-05-22 19:45:14.491706823 +0200
-@@ -310,7 +310,7 @@
- } else if(opt.equals("15")) {
+--- apache-tomcat-9.0.98-src/java/org/apache/jasper/compiler/JDTCompiler.java 2025-01-06 17:29:55.096709905 +0100
++++ apache-tomcat-9.0.98-src/java/org/apache/jasper/compiler/JDTCompiler.java 2025-01-06 17:32:39.494486072 +0100
+@@ -298,7 +298,7 @@
+ } else if (opt.equals("15")) {
 settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
- } else if(opt.equals("16")) {
+ } else if (opt.equals("16")) {
 - settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
 + settings.put(CompilerOptions.OPTION_Source, "16");
- } else if(opt.equals("17")) {
+ } else if (opt.equals("17")) {
 // Constant not available in latest ECJ version that runs on
 // Java 8.
-@@ -392,8 +392,8 @@
+@@ -395,8 +395,8 @@
 settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
 settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
- } else if(opt.equals("16")) {
+ } else if (opt.equals("16")) {
 - settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16);
 - settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16);
 + settings.put(CompilerOptions.OPTION_TargetPlatform, "16");
 + settings.put(CompilerOptions.OPTION_Compliance, "16");
- } else if(opt.equals("17")) {
+ } else if (opt.equals("17")) {
 // Constant not available in latest ECJ version that runs on
 // Java 8.
diff --git a/tomcat.changes b/tomcat.changes
index 698abd2..d02c932 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,117 @@
+-------------------------------------------------------------------
+Fri Jan 3 16:03:11 UTC 2025 - Ricardo Mestre
+
+- Update to Tomcat 9.0.98
+ * Fixed CVEs:
+ + CVE-2024-54677: DoS in examples web application (bsc#1233434)
+ + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
+ * Catalina
+ + Add: Add option to serve resources from subpath only with WebDAV Servlet
+ like with DefaultServlet. (michaelo)
+ + Fix: Add special handling for the protocols attribute of SSLHostConfig in
+ storeconfig. (remm)
+ + Fix: 69442: Fix case sensitive check on content-type when parsing request
+ parameters. (remm)
+ + Code: Refactor duplicate code for extracting media type and subtype from
+ content-type into a single method. (markt)
+ + Fix: Compatibility of generated embedded code with components where
+ constructors or property related methods throw a checked exception. (remm)
+ + Fix: The previous fix for inconsistent resource metadata during concurrent
+ reads and writes was incomplete. (markt)
+ + Fix: 69444: Ensure that the javax.servlet.error.message request attribute
+ is set when an application defined error page is called. (markt)
+ + Fix: Avoid quotes for numeric values in the JSON generated by the status
+ servlet. (remm)
+ + Add: Add strong ETag support for the WebDAV and default servlet, which can
+ be enabled by using the useStrongETags init parameter with a value set to
+ true. The ETag generated will be a SHA-1 checksum of the resource content.
+ (remm)
+ + Fix: Use client locale for directory listings. (remm)
+ + Fix: 69439: Improve the handling of multiple Cache-Control headers in the
+ ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
+ + Fix: 69447: Update the support for caching classes the web application
+ class loader cannot find to take account of classes loaded from external
+ repositories. Prior to this fix, these classes could be incorrectly marked
+ as not found. (markt)
+ + Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by
+ users will not be removed and any header present in a HEAD request will
+ also be present in the equivalent GET request. There may be some headers,
+ as per RFC 9110, section 9.3.2, that are present in a GET request that are
+ not present in the equivalent HEAD request. (markt)
+ + Fix: 69471: Log instances of CloseNowException caught by
+ ApplicationDispatcher.invoke() at debug level rather than error level as
+ they are very likely to have been caused by a client disconnection or
+ similar I/O issue. (markt)
+ + Add: Add a test case for the fix for 69442. Also refactor references to
+ application/x-www-form-urlencoded. Based on pull request #779 by Chenjp.
+ (markt)
+ + Fix: 69476: Catch possible ISE when trying to report PUT failure in the
+ DefaultServlet. (remm)
+ + Add: Add support for RateLimit header fields for HTTP (draft) in the
+ RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
+ + Add: #787: Add regression tests for 69478. Pull request provided by Thomas
+ Krisch. (markt)
+ + Fix: The default servlet now rejects HTTP range requests when two or more
+ of the requested ranges overlap. Based on pull request #782 provided by
+ Chenjp. (markt)
+ + Fix: Enhance Content-Range verification for partial PUT requests handled
+ by the default servlet. Provided by Chenjp in pull request #778. (markt)
+ + Fix: Harmonize DataSourceStore lookup in the global resources to
+ optionally avoid the comp/env prefix which is usually not used there.
+ (remm)
+ + Fix: As required by RFC 9110, the HTTP Range header will now only be
+ processed for GET requests. Based on pull request #790 provided by Chenjp.
+ (markt)
+ + Fix: Deprecate the useAcceptRanges initialisation parameter for the
+ default servlet. It will be removed in Tomcat 12 onwards where it will
+ effectively be hard coded to true. (markt)
+ + Add: Add DataSource based property storage for the WebdavServlet. (remm)
+ * Coyote
+ + Fix: Align encodedSolidusHandling with the Servlet specification. If the
+ pass-through mode is used, any %25 sequences will now also be passed
+ through to avoid errors and/or corruption when the application decodes the
+ path. (markt)
+ * Jasper
+ + Fix: Further optimise EL evaluation of method parameters. Patch provided
+ by Paolo B. (markt)
+ + Fix: Follow-up to the fix for 69381. Apply the optimisation for method
+ lookup performance in expression language to an additional location.
+ (markt)
+ * Web applications
+ + Fix: Documentation. Remove references to the ResourceParams element.
+ Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
+ + Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter.
+ The attribute is internalProxies rather than allowedInternalProxies. Pull
+ request #786 provided by Jorge Díaz. (markt)
+ + Fix: Examples. Fix broken links when Servlet Request Info example is
+ called via a URL that includes a pathInfo component. (markt)
+ + Fix: Examples. Expand the obfuscation of session cookie values in the
+ request header example to JSON responses. (markt)
+ + Add: Examples. Add the ability to delete session attributes in the servlet
+ session example. (markt)
+ + Add: Examples. Add a hard coded limit of 10 attributes per session for the
+ servlet session example. (markt)
+ + Add: Examples. Add the ability to delete session attributes and add a hard
+ coded limit of 10 attributes per session for the JSP form authentication
+ example. (markt)
+ + Add: Examples. Limit the shopping cart example to only allow adding the
+ pre-defined items to the cart. (markt)
+ + Fix: Examples. Remove JSP calendar example. (markt)
+ * Other
+ + Fix: 69465: Fix warnings during native image compilation using the Tomcat
+ embedded JARs. (markt)
+ + Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
+ + Update: Update EasyMock to 5.5.0. (markt)
+ + Update: Update Checkstyle to 10.20.2. (markt)
+ + Update: Update BND to 7.1.0. (markt)
+ + Add: Improvements to French translations. (remm)
+ + Add: Improvements to Korean translations. (markt)
+ + Add: Improvements to Chinese translations. (markt)
+ + Add: Improvements to Japanese translations by tak7iji. (markt)
+- Modified patch:
+ * tomcat-9.0-jdt.patch
+ + rediff
+
 -------------------------------------------------------------------
 Fri Nov 22 19:51:47 UTC 2024 - Michele Bussolotto
diff --git a/tomcat.spec b/tomcat.spec
index 40ed0a7..41a7d04 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 97
+%define micro_version 98
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}