diff --git a/apache-tomcat-10.1.33-src.tar.gz b/apache-tomcat-10.1.33-src.tar.gz deleted file mode 100644 index a77c6d0..0000000 --- a/apache-tomcat-10.1.33-src.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e54a6892606e41c9712d870a344accd9901f1bcc33fb6335a7617ae105e0ccbc -size 6926625 diff --git a/apache-tomcat-10.1.33-src.tar.gz.asc b/apache-tomcat-10.1.33-src.tar.gz.asc deleted file mode 100644 index c8741da..0000000 --- a/apache-tomcat-10.1.33-src.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmctQNkACgkQHPApP6U8 -pFh07hAAr5HSdAPPXY6nFxISOaA1EiZ+9x9WXre2b7NOzs7Z0/a8/kbApZ818pq6 -qeIgv9kld/hGigF+mXt8oyvBHe87+UK715/V2bQ0plcJtn2Pya/+OMpty8QqARIP -MM5eO31PiZw9zV9zQXVospfEW9zUX2X37zAPkJ7YEEFwtITob889SvnI6Nd2alw6 -Qj0ok3ydAGytRbnTBLTXawJpxOKlQMDDiuZ+Wq61uczCX6Pz1klpSxL1Qg/Dhsci -MJmVz1WLTYkzIXaHsBzBeA/ZshTrPmbgYspv/rfT074tx8fTMYQj96lnBukrZYDv -7fmqIB+TG8AwSNgiTWU+L0DZNbm8dy7kjEMV3y2o6Wymwkf4cFZCXvLZaQad2/3e -WuTSoKW0SvFmLtu+RNDtwFSYVraoFgpYaSCdsCgHpHzBs0h3vquFtp38adIJi8+N -SA10JFPQddloCQ/HBVmSVFacagsxW+fI4m0BGSS2fgbHtM8CrWjoLMjQj3WYt0lQ -6IDIMAvWxVLQ7ofGkKapebQXA3YOCrt+I66+baaoACbKtrlAg1ts6cpuLIGoxWpd -/q6BckAOg1+fL6N57DzydeuMf2rCVw9pdNGQAcPcJ6nSg5BcxKcmDBPZ1lit9MgG -dENk7FhN4/AmGKiL2GsWXa1Z840/3NuSiD9V5Q2vWMce9SmPpGY= -=ZcO8 ------END PGP SIGNATURE----- diff --git a/apache-tomcat-10.1.34-src.tar.gz b/apache-tomcat-10.1.34-src.tar.gz new file mode 100644 index 0000000..a058c92 --- /dev/null +++ b/apache-tomcat-10.1.34-src.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:bfffd0b96c732ea73d96d03e4f5cba3a9c0467273cf9c783fe0fe1036c7a2181 +size 6946871 diff --git a/apache-tomcat-10.1.34-src.tar.gz.asc b/apache-tomcat-10.1.34-src.tar.gz.asc new file mode 100644 index 0000000..8d5b912 --- /dev/null +++ b/apache-tomcat-10.1.34-src.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmdRzrQACgkQHPApP6U8 +pFhZQxAAnH4jJMx+v+QL24U1Zm7VJCZv+9BPqJa7M5GbHpoOZbtbLYAguPRiQ7eg +DpmEiotkE/UihXSTSOpPI3u1WLjrfmiRjmrbYwtVbPyca/6xUbj3wbD+W1ody64v +sfvfiX5T9TtsPYvB9ASyjMMBd4/PQP0EzUswc1W4+moooS+FtS1uvFHq8VYjcWMI +Qn13+k4JldJCvPfWRl1VDY9nY/+25xYud5wuIzqTQ/QXslO6lbxZFgaIVRhN2PDo +wCKgP3RKvDRBsPo1Zp+Jk5btur/c2L7WySFQVOpJszKRSs2LpnJwKybRJNaExTAK +m55tZEPJOx2DshH7g506pc4jtkEY9/9SbxVZNjxCrrnyjQwulUyHDg3yA+fOV0eA +VO0tnineWkqsybAa4271S+IZq3RqjJFH+g4w6NH4CDy+kcrT10KBv/h9/70AFQF7 +XehD8rvqYXMOVvxnlh045iG0A3qHmq5QVGqRasOnxnSnxYNpkn/zOAZxNUH82c6B +i3VoFCVkmtqErLRe4zvSc3MLTKbjiIW4DJgDFCyD62Tq+l1xBjMtmpyHfcT1HlRd +LkkgcgOfLKrZTGWwTJKhBUIaRcCuJ5ja623bry/Fsh9SwHDRGtJy8d9BV3tOmY7l +geeo5pD8/2WihjjJy9spcwM8G9swdxwlKRHq7aANMvFz2fyOQE4= +=nSkP +-----END PGP SIGNATURE----- diff --git a/tomcat-jdt.patch b/tomcat-jdt.patch index a15596f..e9f8623 100644 --- a/tomcat-jdt.patch +++ b/tomcat-jdt.patch 
@@ -1,15 +1,15 @@ ---- apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java 2024-04-06 14:14:17.015180386 +0200 -+++ apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java 2024-04-06 14:14:33.635284982 +0200 -@@ -310,13 +310,13 @@ - } else if(opt.equals("15")) { +--- apache-tomcat-10.1.34-src/java/org/apache/jasper/compiler/JDTCompiler.java 2025-01-03 18:40:16.470885660 +0000 ++++ apache-tomcat-10.1.34-src/java/org/apache/jasper/compiler/JDTCompiler.java 2024-12-05 16:01:16.000000000 +0000 +@@ -298,13 +298,13 @@ + } else if (opt.equals("15")) { settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15); - } else if(opt.equals("16")) { + } else if (opt.equals("16")) { - settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16); + settings.put(CompilerOptions.OPTION_Source, "16"); - } else if(opt.equals("17")) { + } else if (opt.equals("17")) { - settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_17); + settings.put(CompilerOptions.OPTION_Source, "17"); - } else if(opt.equals("18")) { + } else if (opt.equals("18")) { - settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_18); + settings.put(CompilerOptions.OPTION_Source, "18"); } else if (opt.equals("19")) { 
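Review bot: The refreshed tomcat-jdt.patch still carries no header explaining itself — the outer hunk starts at the patch's line 1, which is the `---` file line — so the next person rebasing it cannot tell when it may be dropped. Above the `---` line add a short quilt-style description such as `Replace CompilerOptions.VERSION_16/17/18 with string literals: the ECJ this package builds against does not define them (upstream applies the same workaround for "20"). Drop once the packaged ecj provides the constants.`; the reason is presumably the distro's ECJ version, so please confirm and name it. Separately, the regenerated header has the `---` file stamped 2025-01-03 and the `+++` file stamped 2024-12-05, i.e. the "new" side is older than the "old" side, which hints that the pristine and modified trees were passed to diff in the unexpected order; the hunk bodies still read pristine→patched (`VERSION_16` removed, `"16"` added), so it applies fine, but regenerating it cleanly would avoid the confusion.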
@@ -18,20 +18,20 @@ } else if (opt.equals("20")) { // Constant not available in latest ECJ version that runs on // Java 11. -@@ -388,17 +388,17 @@ +@@ -386,17 +386,17 @@ settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15); settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15); - } else if(opt.equals("16")) { + } else if (opt.equals("16")) { - settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16); - settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16); + settings.put(CompilerOptions.OPTION_TargetPlatform, "16"); + settings.put(CompilerOptions.OPTION_Compliance, "16"); - } else if(opt.equals("17")) { + } else if (opt.equals("17")) { - settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_17); - settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_17); + settings.put(CompilerOptions.OPTION_TargetPlatform, "17"); + settings.put(CompilerOptions.OPTION_Compliance, "17"); - } else if(opt.equals("18")) { + } else if (opt.equals("18")) { - settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_18); - settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_18); + settings.put(CompilerOptions.OPTION_TargetPlatform, "18"); diff --git a/tomcat10.changes b/tomcat10.changes index de1a00f..2eb06c4 100644 --- a/tomcat10.changes +++ b/tomcat10.changes 
@@ -1,3 +1,118 @@ +------------------------------------------------------------------- +Fri Jan 3 18:33:44 UTC 2025 - Ricardo Mestre + +- Update to Tomcat 10.1.34 + * Fixed CVEs: + + CVE-2024-54677: DoS in examples web application (bsc#1233434) + + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663) + * Catalina + + Add: Add option to serve resources from subpath only with WebDAV Servlet + like with DefaultServlet. (michaelo) + + Fix: Add special handling for the protocols attribute of SSLHostConfig in + storeconfig. (remm) + + Fix: 69442: Fix case sensitive check on content-type when parsing request + parameters. (remm) + + Code: Refactor duplicate code for extracting media type and subtype from + content-type into a single method. (markt) + + Fix: Compatibility of generated embedded code with components where + constructors or property related methods throw a checked exception. (remm) + + Fix: The previous fix for inconsistent resource metadata during concurrent + reads and writes was incomplete. (markt) + + Fix: #780: Fix content-range header length. Submitted by Chenjp. (remm) + + Fix: 69444: Ensure that the jakarta.servlet.error.message request + attribute is set when an application defined error page is called. (markt) + + Fix: Avoid quotes for numeric values in the JSON generated by the status + servlet. (remm) + + Add: Add strong ETag support for the WebDAV and default servlet, which can + be enabled by using the useStrongETags init parameter with a value set to + true. The ETag generated will be a SHA-1 checksum of the resource content. + (remm) + + Fix: Use client locale for directory listings. (remm) + + Fix: 69439: Improve the handling of multiple Cache-Control headers in the + ExpiresFilter. Based on pull request #777 by Chenjp. (markt) + + Fix: 69447: Update the support for caching classes the web application + class loader cannot find to take account of classes loaded from external + repositories. 
Prior to this fix, these classes could be incorrectly marked + as not found. (markt) + + Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by + users will not be removed and any header present in a HEAD request will + also be present in the equivalent GET request. There may be some headers, + as per RFC 9110, section 9.3.2, that are present in a GET request that are + not present in the equivalent HEAD request. (markt) + + Fix: 69471: Log instances of CloseNowException caught by + ApplicationDispatcher.invoke() at debug level rather than error level as + they are very likely to have been caused by a client disconnection or + similar I/O issue. (markt) + + Add: Add a test case for the fix for 69442. Also refactor references to + application/x-www-form-urlencoded. Based on pull request #779 by Chenjp. + (markt) + + Fix: 69476: Catch possible ISE when trying to report PUT failure in the + DefaultServlet. (remm) + + Add: Add support for RateLimit header fields for HTTP (draft) in the + RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt) + + Add: #787: Add regression tests for 69478. Pull request provided by Thomas + Krisch. (markt) + + Fix: The default servlet now rejects HTTP range requests when two or more + of the requested ranges overlap. Based on pull request #782 provided by + Chenjp. (markt) + + Fix: Enhance Content-Range verification for partial PUT requests handled + by the default servlet. Provided by Chenjp in pull request #778. (markt) + + Fix: Harmonize DataSourceStore lookup in the global resources to + optionally avoid the comp/env prefix which is usually not used there. + (remm) + + Fix: As required by RFC 9110, the HTTP Range header will now only be + processed for GET requests. Based on pull request #790 provided by Chenjp. + (markt) + + Fix: Deprecate the useAcceptRanges initialisation parameter for the + default servlet. It will be removed in Tomcat 12 onwards where it will + effectively be hard coded to true. 
(markt) + + Add: Add DataSource based property storage for the WebdavServlet. (remm) + + * Coyote + + Fix: Align encodedSolidusHandling with the Servlet specification. If the + pass-through mode is used, any %25 sequences will now also be passed + through to avoid errors and/or corruption when the application decodes the + path. (markt) + + * Jasper + + Fix: Follow-up to the fix for 69381. Apply the optimisation for method + lookup performance in expression language to an additional location. + (markt) + + * Web applications + + Fix: Documentation. Remove references to the ResourceParams element. + Support for ResourceParams was removed in Tomcat 5.5.x. (markt) + + Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter. + The attribute is internalProxies rather than allowedInternalProxies. Pull + request #786 provided by Jorge Díaz. (markt) + + Fix: Examples. Fix broken links when Servlet Request Info example is + called via a URL that includes a pathInfo component. (markt) + + Fix: Examples. Expand the obfuscation of session cookie values in the + request header example to JSON responses. (markt) + + Add: Examples. Add the ability to delete session attributes in the servlet + session example. (markt) + + Add: Examples. Add a hard coded limit of 10 attributes per session for the + servlet session example. (markt) + + Add: Examples. Add the ability to delete session attributes and add a hard + coded limit of 10 attributes per session for the JSP form authentication + example. (markt) + + Add: Examples. Limit the shopping cart example to only allow adding the + pre-defined items to the cart. (markt) + + Fix: Examples. Remove JSP calendar example. (markt) + + * Other + + Fix: 69465: Fix warnings during native image compilation using the Tomcat + embedded JARs. (markt) + + Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt) + + Update: Update EasyMock to 5.5.0. (markt) + + Update: Update Checkstyle to 10.20.2. 
(markt) + + Update: Update BND to 7.1.0. (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Korean translations. (markt) + + Add: Improvements to Chinese translations. (markt) + + Add: Improvements to Japanese translations by tak7iji. (markt) + + ------------------------------------------------------------------- Sat Nov 23 00:01:04 UTC 2024 - Michele Bussolotto diff --git a/tomcat10.spec b/tomcat10.spec index f3c5a97..a7b7f0b 100644 --- a/tomcat10.spec +++ b/tomcat10.spec @@ -29,7 +29,7 @@ %define elspec %{elspec_major}.%{elspec_minor} %define major_version 10 %define minor_version 1 -%define micro_version 33 +%define micro_version 34 %define java_major 1 %define java_minor 11 %define java_version %{java_major}.%{java_minor}
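Review bot: Moving `micro_version` to 34 alongside the unchanged `%define java_minor 11` in the same hunk may leave the CVE-2024-50379 fix that this update is meant to deliver incomplete on a Java 11 runtime: upstream's follow-up advisory (CVE-2024-56337, published after 10.1.34) states that on Java 8/11 the 10.1.34 mitigation only holds when `sun.io.useCanonCaches` is explicitly set to `false` (its default there is `true`), for deployments on a case-insensitive filesystem with the DefaultServlet `readonly=false`. This should be checked against that advisory, and if it applies the package should either pass `-Dsun.io.useCanonCaches=false` in the default JAVA_OPTS it ships, document the requirement in the changelog entry, or move to the follow-up release upstream issued for CVE-2024-56337. The rest of the spec, including wherever JAVA_OPTS or the sysconfig template is defined, is outside this hunk, so I cannot see whether the property is already set there.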