From 650eabebe8bbb3e23a0bd925c4b503e1952751d7b5dfaeb1861ce89649aba3f3 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 15 Feb 2024 08:20:13 +0000 Subject: [PATCH 1/3] OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=297 --- tomcat.changes | 5 +++-- tomcat.spec | 31 +++++++++++++++++++------------ 2 files changed, 22 insertions(+), 14 deletions(-) diff --git a/tomcat.changes b/tomcat.changes index e30749c..d997dfb 100644 --- a/tomcat.changes +++ b/tomcat.changes @@ -1,7 +1,8 @@ ------------------------------------------------------------------- -Tue Feb 6 09:55:04 UTC 2024 - Michele Bussolotto +Fri Jan 26 12:33:23 UTC 2024 - Michele Bussolotto -- rpm 4.19 requires dependencies on tomcat user and group (bsc#1219530) +- Fixed CVEs: + * CVE-2024-22029: run xsltproc as tomcat group (bsc#1219208) ------------------------------------------------------------------- Wed Jan 17 16:57:21 UTC 2024 - Michele Bussolotto diff --git a/tomcat.spec b/tomcat.spec index d64f51e..6edd041 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -121,8 +121,6 @@ Requires(pre): shadow Recommends: libtcnative-1-0 >= 1.1.24 Recommends: logrotate BuildArch: noarch -Provides: group(tomcat) -Provides: user(tomcat) %description Tomcat is the servlet container that is used in the official Reference @@ -562,7 +560,8 @@ getent passwd tomcat >/dev/null || %{_sbindir}/useradd -c "Apache Tomcat" \ %post %service_add_post %{name}.service %{fillup_only %{name}} -xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml +chown -R tomcat:tomcat %{confdir}/server.xml +runuser -u tomcat -g tomcat -- xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml %preun %service_del_preun %{name}.service 
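Review bot: The `chown -R tomcat:tomcat %{confdir}/server.xml` added to %post is never reverted, so after every install or upgrade the main server configuration stays owned by the account the service runs as. Dropping privileges for xsltproc matches the CVE-2024-22029 changelog entry, but the ownership change outlives the transform and leaves that account able to rewrite its own server.xml. If %files (outside this hunk) packages the file with a different owner, restore it after the runuser line, e.g. `chown root:tomcat %{confdir}/server.xml`, adjusted to whatever %files declares. The same pattern recurs in the %post webapps, admin-webapps and docs-webapp hunks, where the recursive chown covers whole META-INF directories, including those of manager and host-manager.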
@@ -636,17 +635,22 @@ rm -f \ %{libdir}/\[ecj\].jar >/dev/null 2>&1 %post webapps -xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml -if [ ! -e %{_datadir}/%{name}/webapps/ROOT ]; then - ln -sf %{tomcatappdir}/ROOT %{_datadir}/%{name}/webapps/ROOT -fi -xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml +chown -R tomcat:tomcat %{tomcatappdir}/examples/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml if [ ! -e %{_datadir}/%{name}/webapps/examples ]; then ln -sf %{tomcatappdir}/examples %{_datadir}/%{name}/webapps/examples fi #use the same context.xml for sample war +mkdir -p %{tomcatappdir}/ROOT/META-INF +chown -R tomcat:tomcat %{tomcatappdir}/ROOT/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml +if [ ! -e %{_datadir}/%{name}/webapps/ROOT ]; then + ln -sf %{tomcatappdir}/ROOT %{_datadir}/%{name}/webapps/ROOT +fi +#use the same context.xml for sample war mkdir -p %{tomcatappdir}/webapps/sample/META-INF -xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml +chown -R tomcat:tomcat %{tomcatappdir}/sample/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml if [ ! -e %{_datadir}/%{name}/webapps/sample ]; then ln -sf %{tomcatappdir}/sample %{_datadir}/%{name}/webapps/sample fi 
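Review bot: In %post webapps the new `chown -R tomcat:tomcat %{tomcatappdir}/sample/META-INF` and the xsltproc output path do not match the directory created on the line above them, `mkdir -p %{tomcatappdir}/webapps/sample/META-INF`. If `%{tomcatappdir}/sample/META-INF` does not already exist, the chown fails and the unprivileged xsltproc would be unable to create its output, and nothing in the scriptlet checks either exit status. The mkdir should target the same path as the lines that follow it: `mkdir -p %{tomcatappdir}/sample/META-INF`. The comment `#use the same context.xml for sample war` now appears twice, and its first copy sits above the ROOT block, which it does not describe.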
@@ -658,18 +662,21 @@ if [ $1 -eq 0 ]; then # uninstall only fi %post admin-webapps -xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml +chown -R tomcat:tomcat %{tomcatappdir}/manager/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml if [ ! -e %{_datadir}/%{name}/webapps/manager ]; then ln -sf %{tomcatappdir}/manager %{_datadir}/%{name}/webapps/manager fi -xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml +chown -R tomcat:tomcat %{tomcatappdir}/host-manager/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml if [ ! -e %{_datadir}/%{name}/webapps/host-manager ]; then ln -sf %{tomcatappdir}/host-manager %{_datadir}/%{name}/webapps/host-manager fi %post docs-webapp -xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/docs/META-INF/context.xml +chown -R tomcat:tomcat %{tomcatappdir}/docs/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/docs/META-INF/context.xml if [ ! -e %{_datadir}/%{name}/webapps/docs ]; then ln -sf %{tomcatappdir}/docs %{_datadir}/%{name}/webapps/docs fi From b825d69ad9296d6bdd4cddac16b630a07b821d5bea3e073b656629715b440df3 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 15 Feb 2024 12:39:16 +0000 Subject: [PATCH 2/3] OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=298 --- tomcat.spec | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tomcat.spec b/tomcat.spec index 6edd041..90ebd94 100644 --- a/tomcat.spec 
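Review bot: Every scriptlet touched by this patch now depends on `runuser`, yet none of the tomcat.spec hunks adds a scriptlet dependency for it, and admin-webapps and docs-webapp run their own %post. Unless the preamble outside these hunks already covers it, each affected package needs an entry alongside the existing `Requires(pre): shadow`, such as `Requires(post): util-linux` (the upstream home of runuser; use the name the distribution packages it under). Without it the command can be missing on a minimal install when %post runs, and because its exit status is not checked the scriptlet carries on to the `ln -sf` step with an untransformed context.xml.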
+++ b/tomcat.spec @@ -121,6 +121,8 @@ Requires(pre): shadow Recommends: libtcnative-1-0 >= 1.1.24 Recommends: logrotate BuildArch: noarch +Provides: group(tomcat) +Provides: user(tomcat) %description Tomcat is the servlet container that is used in the official Reference From c9076a2e844575de40a370820991aa354f522386a8fa06c6b871e31e4e38e580 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Thu, 15 Feb 2024 12:43:17 +0000 Subject: [PATCH 3/3] OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=299 --- tomcat.changes | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tomcat.changes b/tomcat.changes index d997dfb..bc1fedf 100644 --- a/tomcat.changes +++ b/tomcat.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Feb 6 09:55:04 UTC 2024 - Michele Bussolotto + +- rpm 4.19 requires dependencies on tomcat user and group (bsc#1219530) + ------------------------------------------------------------------- Fri Jan 26 12:33:23 UTC 2024 - Michele Bussolotto