Accepting request 1139643 from Java:packages

- Update to Tomcat 10.1.18 * Fixed CVEs: + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to incorrect headers parsing (bsc#1217649) * Catalina + Update: 68378: Align extension to MIME type mappings in the global web.xml with those in httpd by adding application/vnd.geogebra.slides for ggs, text/javascript for mjs and audio/ogg for opus. (markt) + Fix: Background processes should not be run concurrently with lifecycle operations of a container. (remm) + Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt) + Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt) + Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt) + Fix: 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo) + Update: The status servlet included in the manager webapp can now output statistics as JSON, using the JSON=true URL parameter. (remm) + Update: Optionally allow ServiceBindingPropertySource to trim a trailing newline from a file containing a property-value. (schultz) + Fix: 67793: Ensure the original session timeout is restored OBS-URL: https://build.opensuse.org/request/show/1139643 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat10?expand=0&rev=4
2024-01-18 20:53:42 +00:00 · 2024-01-18 20:53:42 +00:00 · 92431e6f44
commit 92431e6f44
parent 4e4474520e 30b2afc48b
7 changed files with 188 additions and 24 deletions
--- a/apache-tomcat-10.1.14-src.tar.gz
+++ b/apache-tomcat-10.1.14-src.tar.gz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:029ef4076e5175a5ec2ce7dda191f2e2d6add0dd6c1366078e6ed7292dace80e
-size 6131823
--- a/apache-tomcat-10.1.14-src.tar.gz.asc
+++ b/apache-tomcat-10.1.14-src.tar.gz.asc
@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmUkebcACgkQHPApP6U8
-pFjGnBAAmA3QdkA/45KMJAHT5QADESvPXomHvHvG+iHJHfcgJJ//iBfY9f7FxLxw
-yrcRZcU8BUhw032DkL+R2UMVxnE+4z4MAFXYS+2X1WP6neGdAYl9Qx+3Q45h78Sj
-6/LYmYGiqFkkt7XM2Zh1Clw0EH93iSi+GAoXnuTtyPdJ4f7iBqG21kMErUu+iRKt
-591imA8NWiYL5q1+PiOMpElWsj142oefjCgM0xttWwLZoAQ5jcyyFYJ5B/kEuDbP
-trQpHUCTBA/0ltImYMaaHvLh//tiEj31EzLvU/+ofH8WoAEuV30kfHTSISLs5PEM
-h5wZel7KMBaOXPeEkHySHTC0hQ0+GbqV1utwkht6kLE2+LaPe/8G9McoEQr9sFFD
-8adgJH9DeDCJUjispTMF4UoJLCsHPL6UgEjcXFll9pEXADndWiX0cvt8t///Ej1+
-qwOzfCz0DJpfd5XAfLx+t8y66nf3EDvFMPuwXBtgaSzonW6TOHFcQu/P1Fzr95s8
-spWomzmETLJ9xos8g7gZYH5OA9zqrdrBhauBibWmdARAND26sQAYJvwbPXnEyre/
-rbtcWcPgvFeuHfjzo0CX02rhBbMKqmk62Nd9hK0O5/pFM9lOJoRwrgImmyIRAJUQ
-hohDjWTlPhtjc9bIlyLjCXEkIpno6YXMtzDoVam1rDsKS2Ggm5s=
-=/3mT
-----END PGP SIGNATURE-----
--- a/apache-tomcat-10.1.18-src.tar.gz
+++ b/apache-tomcat-10.1.18-src.tar.gz
--- a/apache-tomcat-10.1.18-src.tar.gz.asc
+++ b/apache-tomcat-10.1.18-src.tar.gz.asc
@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmWYGCoACgkQHPApP6U8
+pFgFuhAAuP0n+aPDB9AokSY4TQfRNZuJRRof9IjWZENwsCN+/8s0vejBLtuyRrfR
+IFbE8DqdOFWZQTbuAWP4YtvBtXxTkwnNnkldhveABDOV63Fv5GyPtMHj2b2O1lay
+LS6v40oy4816/l9muBY8w0bdUp7QHF/bvftGkvAw3ukqYDpNYs2zjP+Zvf1rNelV
+Y9pXKoxfTe9JXKiggYHU/PuWEYsKvnBTos/lwJeNwr9yHo5lsOE2CQh4ix6O8OSP
+YhmW+XrJTWhpFJiX99iN3lKFBJ0ZkTK//MaYOhvlF8JEAClbl9AMZtwkTu0z/yTN
+jdUOMXB9mcABCHxibbEnSNEC1fTThvChvXFZxRfWlgdQr3PHGH6ncJKc9o3wNN1K
+VKp45dsuvYRWGwwBN+D//U7GaWAkFGH1Tuk5WYgmd42c7fkPEoQ0m8eomWyoOdcN
+OvtzypufTsrGM/Up7szgBOhCM7izy1t3qBQ+Zey5PHYiN8/astYtKbvb7XHaAP6O
+/RrB4JV6euvgRgf4RBLHJmwWkPEzBysL1GEhJez5JjxCQNijS+9zmWwHPmjTcp+v
+HVhG3AftBme3df2LR0AMzgfsQZsIiLdgcSrLqwmhl2N3rxZ2U5cRO/eyaMgia/Kw
+atGk0QMZYwKH/EB41r5EiNtG0BIuRIq4a7Ssb1y0YpJQWvc89wc=
+=pryG
+-----END PGP SIGNATURE-----
--- a/tomcat-10.1-build-with-java-11.patch
+++ b/tomcat-10.1-build-with-java-11.patch
@ -0,0 +1,13 @@
+Index: apache-tomcat-10.1.18-src/build.xml
+===================================================================
+--- apache-tomcat-10.1.18-src.orig/build.xml
+++ apache-tomcat-10.1.18-src/build.xml
+@@ -108,7 +108,7 @@
+   <!-- Keep in sync with webapps/docs/tomcat-docs.xsl -->
+   <property name="compile.release" value="11"/>
+   <property name="min.java.version" value="11"/>
+-  <property name="build.java.version" value="17"/>
+  <property name="build.java.version" value="11"/>
+ 
+   <!-- Check Java Build Version -->
+   <fail message="Java version ${build.java.version} or newer is required (${java.version} is installed)">
--- a/tomcat10.changes
+++ b/tomcat10.changes
@ -1,3 +1,152 @@
+-------------------------------------------------------------------
+Wed Jan 17 15:59:25 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 10.1.18
+  * Fixed CVEs:
+    + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
+      incorrect headers parsing (bsc#1217649)
+  * Catalina
+    + Update:  68378: Align extension to MIME type mappings in the
+      global web.xml with those in httpd by adding
+      application/vnd.geogebra.slides for ggs, text/javascript for mjs
+      and audio/ogg for opus. (markt)
+    + Fix:  Background processes should not be run concurrently with
+      lifecycle operations of a container. (remm)
+    + Fix:  Correct unintended escaping of XML in some WebDAV
+      responses. The XML list of support locks when provided in
+      response to a PROPFIND request was incorrectly XML escaped.
+      (markt)
+    + Fix:  68227: Ensure that AsyncListener.onComplete() is called
+      if AsyncListener.onError() calls AsyncContext.dispatch().
+      (markt)
+    + Fix:  68228: Use a 408 status code if a read timeout occurs
+      during HTTP request processing. Includes a test case based on
+      code provided by adwsingh. (markt)
+    + Fix:  67667: TLSCertificateReloadListener prints unreadable
+      rendering of X509Certificate#getNotAfter(). (michaelo)
+    + Update:  The status servlet included in the manager webapp
+      can now output statistics as JSON, using the JSON=true URL
+      parameter. (remm)
+    + Update:  Optionally allow ServiceBindingPropertySource to
+      trim a trailing newline from a file containing a
+      property-value. (schultz)
+    + Fix:  67793: Ensure the original session timeout is restored
+      after FORM authentication if the user refreshes a page during
+      the FORM authentication process. Based on a suggestion by
+      Mircea Butmalai. (markt)
+    + Update:  67926: PEMFile prints unidentifiable string
+      representation of ASN.1 OIDs. (michaelo)
+    + Fix:  66875: Ensure that setting the request attribute
+      jakarta.servlet.error.exception is not sufficient to trigger
+      error handling for the current request and response. (markt)
+    + Fix:  68054: Avoid some file canonicalization calls
+      introduced by the fix for 65433. (remm)
+    + Fix:  68089: Improve performance of request attribute access
+      for ApplicationHttpRequest and ApplicationRequest. (markt)
+    + Fix:  Use a 400 status code to report an error due to a bad
+      request (e.g. an invalid trailer header) rather than a 500
+      status code. (markt)
+    + Fix:  Ensure that an IOException during the reading of the
+      request triggers always error handling, regardless of whether
+      the application swallows the exception. (markt)
+  * Coyote
+    + Fix:  Refactor the VirtualThreadExecutor so that it can be
+      used by the NIO2 connector which was using platform threads
+      even when configured to use virtual threads. (markt)
+    + Fix:  Correct a regression in the fix for 67675 that broke
+      TLS key file parsing for PKCS#8 format keys that do not specify
+      an explicit pseudo-random function and rely on the default.
+      This typically affects keys generated by OpenSSL 1.0.2.
+      (markt)
+    + Fix:  Allow multiple operations with the same name on
+      introspected mbeans, fixing a regression caused by the
+      introduction of a second addSslHostConfig method. (remm)
+    + Fix:  Relax the check that the HTTP Host header is consistent
+      with the host used in the request line, if any, to make the
+      check case insensitive since host names are case insensitive.
+      (markt)
+    + Add:  68348: Add support for the partitioned attribute for
+      cookies. (markt)
+    + Add:  66670: Add SSLHostConfig#certificateKeyPasswordFile and
+      SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
+    + Add:  When calling
+      SSLHostConfigCertificate.setCertificateKeystore(ks),
+      automatically call setCertificateKeystoreType(ks.getType()).
+      (markt)
+    + Fix:  67628: Clarify how the ciphers attribute of the
+      SSLHostConfig is used. (markt)
+    + Fix:  67666: Ensure TLS connectors using PEM files either
+      work with the TLSCertificateReloadListener or, in the rare case
+      that they do not, log a warning on Connector start. (markt)
+    + Fix:  67675: Support a wider range of KDF and ciphers for PEM
+      files than the combinations supported by the JVM by default.
+      Specifically, support the OpenSSL default of HmacSHA256 and
+      DES-EDE3-CBC. (markt)
+    + Fix:  67927: Reloading TLS configuration can cause the
+      Connector to refuse new connections or the JVM to crash.
+      (markt)
+    + Fix:  67934: If both Tomcat Native 1.2.x and 2.0.x are
+      available, prefer 1.2.x since it supports the APR/Native
+      connector whereas 2.0.x does not. (markt)
+    + Fix:  67938: Correct handling of large TLS client hello
+      messages that were causing the TLS handshake to fail. (markt)
+    + Fix:  68026: Convert selected MessageByte values to String
+      when first accessed to speed up subsequent accesses and reduce
+      garbage collection. (markt)
+  * Jasper
+    + Code:  68119: Refactor the CompositeELResolver to improve
+      performance during type conversion operations. (markt)
+    + Fix:  68068: Performance improvement for EL. Based on a
+      suggestion by John Engebretson. (markt)
+  * Web Applications
+    + Fix:  68035: Additional fix to the Manager application to
+      enable the deployment of a web application located in a Host's
+      appBase where the web application is specified by a bare (no
+      path) WAR or directory name as shown in the documentation.
+      (markt)
+    + Fix:  Examples. Improve the error handling so snakes
+      associated with a user that drops from the network are removed
+      from the game. (markt)
+    + Fix:  68035: Correct a regression in the fix for 56248 that
+      prevented deployment via the Manager of a WAR or directory that
+      was already present in the appBase or a context file that was
+      already present in the xmlBase. (markt)
+  * Other
+    + Update:  Update Checkstyle to 10.12.7. (markt)
+    + Update:  Update SpotBugs to 4.8.3. (markt)
+    + Add:  Improvements to French translations. (remm)
+    + Add:  Improvements to Japanese translations by tak7iji.
+      (markt)
+    + Update:  Update UnboundID to 6.0.11. (markt)
+    + Update:  Update Checkstyle to 10.12.5. (markt)
+    + Update:  Update SpotBugs to 4.8.2. (markt)
+    + Update:  Update Derby to 10.17.1. (markt)
+    + Add:  Improvements to French translations. (remm)
+    + Add:  Improvements to Japanese translations by tak7iji.
+      (markt)
+    + Add:  Improvements to Brazilian Portuguese translations by
+      John William Vicente. (markt)
+    + Add:  Improvements to Russian translations by usmazat and
+      remm. (markt)
+    + Add:  67538: Make use of Ant's <javaversion /> task to enfore
+      the mininum Java build version. (michaelo)
+    + Update:  Update Checkstyle to 10.12.4. (markt)
+    + Update:  Update JaCoCo to 0.8.11. (markt)
+    + Update:  Update SpotBugs to 4.8.0. (markt)
+    + Update:  Update BND to 7.0.0. (markt)
+    + Update:  The minimum Java version required to build Tomcat
+      has been raised to Java 17. (markt)
+    + Update:  Update the OWB module to Apache OpenWebBeans 4.0.0. 
+      (remm)
+- Added patches:
+  * tomcat-10.1-build-with-java-11.patch
+
+-------------------------------------------------------------------
+Wed Jan 17 15:35:51 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- change server.xml during %post instead of %posttrans
+- add libxslt-tools requirement 
+
 -------------------------------------------------------------------
 Tue Jan 16 09:05:32 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>

--- a/tomcat10.spec
+++ b/tomcat10.spec
@ -29,7 +29,7 @@
 %define elspec %{elspec_major}.%{elspec_minor}
 %define major_version 10
 %define minor_version 1
-%define micro_version 14
+%define micro_version 18
 %define java_major 1
 %define java_minor 11
 %define java_version %{java_major}.%{java_minor}
@ -92,6 +92,7 @@ Patch5:         %{app_name}-jdt.patch
 Patch6:         %{app_name}-secretRequired-default.patch
 Patch7:         %{app_name}-fix_catalina.patch
 Patch8:         %{app_name}-logrotate_everything.patch
+Patch9:         tomcat-10.1-build-with-java-11.patch
 BuildRequires:  ant >= 1.10.2
 BuildRequires:  ant-antlr
 BuildRequires:  apache-commons-collections
@ -111,7 +112,6 @@ BuildRequires:  jakarta-taglibs-standard >= 1.1
 BuildRequires:  java-devel >= 11
 BuildRequires:  javapackages-local
 BuildRequires:  junit
-BuildRequires:  libxslt-tools
 BuildRequires:  osgi-annotation
 BuildRequires:  osgi-compendium
 BuildRequires:  osgi-core
@ -132,6 +132,7 @@ Requires:       apache-commons-pool2
 Requires:       jakarta-servlet
 Requires:       java >= %{java_version}
 Requires(post): %fillup_prereq
+Requires(post): libxslt-tools
 Requires(pre):  shadow
 Requires:       libtcnative-1-0 >= 1.2.38
 Requires:       logrotate
@ -150,6 +151,7 @@ ATTENTION: This tomcat is built with java %{java_version}.
 Summary:        The host manager and manager web applications for Apache Tomcat
 Group:          Productivity/Networking/Web/Servers
 Requires:       %{name} = %{version}-%{release}
+Requires(post): libxslt-tools
 Conflicts:      %{app_name}-admin-webapps

 %description admin-webapps
@ -167,6 +169,7 @@ Embeddeding support (various libraries) for Apache Tomcat.
 Summary:        The "docs" web application for Apache Tomcat
 Group:          Productivity/Networking/Web/Servers
 Requires:       %{name} = %{version}-%{release}
+Requires(post): libxslt-tools
 Conflicts:      %{app_name}-docs-webapp

 %description docs-webapp
@ -261,6 +264,7 @@ Summary:        ROOT and examples web applications for Apache Tomcat
 Group:          Productivity/Networking/Web/Servers
 Requires:       %{name} = %{version}-%{release}
 Requires:       jakarta-taglibs-standard >= 1.1
+Requires(post): libxslt-tools
 Conflicts:      %{app_name}-webapps

 %description webapps
@ -587,6 +591,7 @@ getent passwd tomcat >/dev/null || %{_sbindir}/useradd -c "Apache Tomcat" \
 %post
 %service_add_post %{app_name}.service
 %{fillup_only %{app_name}}
+xsltproc  --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml

 %preun
 %service_del_preun %{app_name}.service
@ -696,9 +701,6 @@ if [ ! -e %{_datadir}/%{app_name}/webapps/docs ]; then
    ln -sf %{tomcatappdir}/docs %{_datadir}/%{app_name}/webapps/docs
 fi

-%posttrans
-xsltproc  --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml
-
 %files
 %doc {LICENSE,NOTICE,RELEASE*}
 %attr(0755,root,root) %{_bindir}/%{app_name}-digest