From e59c5cabf4de78956a7e3d6f3fcd2d0b337e516ed854a236b4f8dd2a30acf7ac Mon Sep 17 00:00:00 2001 From: Michele Bussolotto Date: Wed, 17 Jan 2024 15:46:22 +0000 Subject: [PATCH 1/5] Accepting request 1139494 from home:mbussolotto:branches:Java:packages - change server.xml during %post instead of %posttrans - add libxslt-tools requirement - Fixed CVEs: * CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to incorrect headers parsing (bsc#1217649) - Added patches: * tomcat-10-CVE-2023-46589.patch OBS-URL: https://build.opensuse.org/request/show/1139494 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=20 --- tomcat-10-CVE-2023-46589.patch | 307 +++++++++++++++++++++++++++++++++ tomcat10.changes | 15 ++ tomcat10.spec | 10 +- 3 files changed, 328 insertions(+), 4 deletions(-) create mode 100644 tomcat-10-CVE-2023-46589.patch diff --git a/tomcat-10-CVE-2023-46589.patch b/tomcat-10-CVE-2023-46589.patch new file mode 100644 index 0000000..04f256b --- /dev/null +++ b/tomcat-10-CVE-2023-46589.patch 
@@ -0,0 +1,307 @@ +Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/BadRequestException.java +=================================================================== +--- /dev/null ++++ apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/BadRequestException.java +@@ -0,0 +1,68 @@ ++/* ++ * Licensed to the Apache Software Foundation (ASF) under one or more ++ * contributor license agreements. See the NOTICE file distributed with ++ * this work for additional information regarding copyright ownership. ++ * The ASF licenses this file to You under the Apache License, Version 2.0 ++ * (the "License"); you may not use this file except in compliance with ++ * the License. You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++package org.apache.catalina.connector; ++ ++import java.io.IOException; ++ ++/** ++ * Extend IOException to identify it as being caused by a bad request from a remote client. ++ */ ++public class BadRequestException extends IOException { ++ ++ private static final long serialVersionUID = 1L; ++ ++ ++ // ------------------------------------------------------------ Constructors ++ ++ /** ++ * Construct a new BadRequestException with no other information. ++ */ ++ public BadRequestException() { ++ super(); ++ } ++ ++ ++ /** ++ * Construct a new BadRequestException for the specified message. ++ * ++ * @param message Message describing this exception ++ */ ++ public BadRequestException(String message) { ++ super(message); ++ } ++ ++ ++ /** ++ * Construct a new BadRequestException for the specified throwable. 
++ * ++ * @param throwable Throwable that caused this exception ++ */ ++ public BadRequestException(Throwable throwable) { ++ super(throwable); ++ } ++ ++ ++ /** ++ * Construct a new BadRequestException for the specified message and throwable. ++ * ++ * @param message Message describing this exception ++ * @param throwable Throwable that caused this exception ++ */ ++ public BadRequestException(String message, Throwable throwable) { ++ super(message, throwable); ++ } ++} +Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/ClientAbortException.java +=================================================================== +--- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/connector/ClientAbortException.java ++++ apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/ClientAbortException.java +@@ -16,14 +16,12 @@ + */ + package org.apache.catalina.connector; + +-import java.io.IOException; +- + /** + * Extend IOException to identify it as being caused by an abort of a request by a remote client. + * + * @author Glenn L. 
Nielsen + */ +-public final class ClientAbortException extends IOException { ++public final class ClientAbortException extends BadRequestException { + + private static final long serialVersionUID = 1L; + +Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/InputBuffer.java +=================================================================== +--- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/connector/InputBuffer.java ++++ apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/InputBuffer.java +@@ -29,6 +29,7 @@ import java.util.Map; + import java.util.concurrent.ConcurrentHashMap; + + import jakarta.servlet.ReadListener; ++import jakarta.servlet.RequestDispatcher; + + import org.apache.catalina.security.SecurityUtil; + import org.apache.coyote.ActionCode; +@@ -307,10 +308,24 @@ public class InputBuffer extends Reader + + try { + return coyoteRequest.doRead(this); ++ } catch (BadRequestException bre) { ++ // Set flag used by asynchronous processing to detect errors on non-container threads ++ coyoteRequest.setErrorException(bre); ++ // In synchronous processing, this exception may be swallowed by the application so set error flags here. ++ coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, bre); ++ coyoteRequest.getResponse().setStatus(400); ++ coyoteRequest.getResponse().setError(); ++ // Make the exception visible to the application ++ throw bre; + } catch (IOException ioe) { ++ // Set flag used by asynchronous processing to detect errors on non-container threads + coyoteRequest.setErrorException(ioe); +- // An IOException on a read is almost always due to +- // the remote client aborting the request. ++ // In synchronous processing, this exception may be swallowed by the application so set error flags here. 
++ coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, ioe); ++ coyoteRequest.getResponse().setStatus(400); ++ coyoteRequest.getResponse().setError(); ++ // Any other IOException on a read is almost always due to the remote client aborting the request. ++ // Make the exception visible to the application + throw new ClientAbortException(ioe); + } + } +Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/core/ApplicationDispatcher.java +=================================================================== +--- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/core/ApplicationDispatcher.java ++++ apache-tomcat-10.1.14-src/java/org/apache/catalina/core/ApplicationDispatcher.java +@@ -41,7 +41,7 @@ import org.apache.catalina.AsyncDispatch + import org.apache.catalina.Context; + import org.apache.catalina.Globals; + import org.apache.catalina.Wrapper; +-import org.apache.catalina.connector.ClientAbortException; ++import org.apache.catalina.connector.BadRequestException; + import org.apache.catalina.connector.Request; + import org.apache.catalina.connector.RequestFacade; + import org.apache.catalina.connector.Response; +@@ -642,7 +642,7 @@ final class ApplicationDispatcher implem + filterChain.doFilter(request, response); + } + // Servlet Service Method is called by the FilterChain +- } catch (ClientAbortException e) { ++ } catch (BadRequestException e) { + ioException = e; + } catch (IOException e) { + wrapper.getLogger().error(sm.getString("applicationDispatcher.serviceException", wrapper.getName()), e); +@@ -653,7 +653,7 @@ final class ApplicationDispatcher implem + wrapper.unavailable(e); + } catch (ServletException e) { + Throwable rootCause = StandardWrapper.getRootCause(e); +- if (!(rootCause instanceof ClientAbortException)) { ++ if (!(rootCause instanceof BadRequestException)) { + wrapper.getLogger().error(sm.getString("applicationDispatcher.serviceException", wrapper.getName()), + rootCause); + } +Index: 
apache-tomcat-10.1.14-src/java/org/apache/catalina/core/StandardWrapperValve.java +=================================================================== +--- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/core/StandardWrapperValve.java ++++ apache-tomcat-10.1.14-src/java/org/apache/catalina/core/StandardWrapperValve.java +@@ -32,7 +32,7 @@ import org.apache.catalina.Container; + import org.apache.catalina.Context; + import org.apache.catalina.Globals; + import org.apache.catalina.LifecycleException; +-import org.apache.catalina.connector.ClientAbortException; ++import org.apache.catalina.connector.BadRequestException; + import org.apache.catalina.connector.Request; + import org.apache.catalina.connector.Response; + import org.apache.catalina.valves.ValveBase; +@@ -169,7 +169,7 @@ final class StandardWrapperValve extends + } + + } +- } catch (ClientAbortException | CloseNowException e) { ++ } catch (BadRequestException | CloseNowException e) { + if (container.getLogger().isDebugEnabled()) { + container.getLogger().debug( + sm.getString("standardWrapper.serviceException", wrapper.getName(), context.getName()), e); +@@ -190,7 +190,7 @@ final class StandardWrapperValve extends + // do not want to do exception(request, response, e) processing + } catch (ServletException e) { + Throwable rootCause = StandardWrapper.getRootCause(e); +- if (!(rootCause instanceof ClientAbortException)) { ++ if (!(rootCause instanceof BadRequestException)) { + container.getLogger().error(sm.getString("standardWrapper.serviceExceptionRoot", wrapper.getName(), + context.getName(), e.getMessage()), rootCause); + } +Index: apache-tomcat-10.1.14-src/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java +=================================================================== +--- apache-tomcat-10.1.14-src.orig/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java ++++ apache-tomcat-10.1.14-src/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java +@@ -428,6 
+428,83 @@ public class TestChunkedInputFilter exte + } + } + ++ ++ @Test ++ public void testTrailerHeaderNameNotTokenThrowException() throws Exception { ++ doTestTrailerHeaderNameNotToken(false); ++ } ++ ++ @Test ++ public void testTrailerHeaderNameNotTokenSwallowException() throws Exception { ++ doTestTrailerHeaderNameNotToken(true); ++ } ++ ++ private void doTestTrailerHeaderNameNotToken(boolean swallowException) throws Exception { ++ ++ // Setup Tomcat instance ++ Tomcat tomcat = getTomcatInstance(); ++ ++ // No file system docBase required ++ Context ctx = tomcat.addContext("", null); ++ ++ Tomcat.addServlet(ctx, "servlet", new SwallowBodyServlet(swallowException)); ++ ctx.addServletMappingDecoded("/", "servlet"); ++ ++ tomcat.start(); ++ ++ String[] request = new String[]{ ++ "POST / HTTP/1.1" + SimpleHttpClient.CRLF + ++ "Host: localhost" + SimpleHttpClient.CRLF + ++ "Transfer-encoding: chunked" + SimpleHttpClient.CRLF + ++ "Content-Type: application/x-www-form-urlencoded" + SimpleHttpClient.CRLF + ++ "Connection: close" + SimpleHttpClient.CRLF + ++ SimpleHttpClient.CRLF + ++ "3" + SimpleHttpClient.CRLF + ++ "a=0" + SimpleHttpClient.CRLF + ++ "4" + SimpleHttpClient.CRLF + ++ "&b=1" + SimpleHttpClient.CRLF + ++ "0" + SimpleHttpClient.CRLF + ++ "x@trailer: Test" + SimpleHttpClient.CRLF + ++ SimpleHttpClient.CRLF }; ++ ++ TrailerClient client = new TrailerClient(tomcat.getConnector().getLocalPort()); ++ client.setRequest(request); ++ ++ client.connect(); ++ client.processRequest(); ++ // Expected to fail because of invalid trailer header name ++ Assert.assertTrue(client.getResponseLine(), client.isResponse400()); ++ } ++ ++ private static class SwallowBodyServlet extends HttpServlet { ++ private static final long serialVersionUID = 1L; ++ ++ private final boolean swallowException; ++ ++ SwallowBodyServlet(boolean swallowException) { ++ this.swallowException = swallowException; ++ } ++ ++ @Override ++ protected void doPost(HttpServletRequest req, 
HttpServletResponse resp) ++ throws ServletException, IOException { ++ resp.setContentType("text/plain"); ++ PrintWriter pw = resp.getWriter(); ++ ++ // Read the body ++ InputStream is = req.getInputStream(); ++ try { ++ while (is.read() > -1) { ++ } ++ pw.write("OK"); ++ } catch (IOException ioe) { ++ if (!swallowException) { ++ throw ioe; ++ } ++ } ++ } ++ } ++ + private static class EchoHeaderServlet extends HttpServlet { + private static final long serialVersionUID = 1L; + +Index: apache-tomcat-10.1.14-src/webapps/docs/changelog.xml +=================================================================== +--- apache-tomcat-10.1.14-src.orig/webapps/docs/changelog.xml ++++ apache-tomcat-10.1.14-src/webapps/docs/changelog.xml +@@ -129,6 +129,11 @@ + Improve handling of failures within recycle() methods. + (markt) + ++ ++ Ensure that an IOException during the reading of the ++ request triggers always error handling, regardless of whether the ++ application swallows the exception. (markt) ++ + + + +@@ -170,7 +175,7 @@ + + Improvements to HTTP/2 overhead protection. (markt) + +- ++d + + + diff --git a/tomcat10.changes b/tomcat10.changes index 84c6dee..28d6489 100644 --- a/tomcat10.changes +++ b/tomcat10.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Wed Jan 17 15:35:51 UTC 2024 - Michele Bussolotto + +- change server.xml during %post instead of %posttrans +- add libxslt-tools requirement + +------------------------------------------------------------------- +Wed Jan 17 15:35:40 UTC 2024 - Michele Bussolotto + +- Fixed CVEs: + * CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to + incorrect headers parsing (bsc#1217649) +- Added patches: + * tomcat-10-CVE-2023-46589.patch + ------------------------------------------------------------------- Tue Jan 16 09:05:32 UTC 2024 - Michele Bussolotto diff --git a/tomcat10.spec b/tomcat10.spec index 25831ac..50ab8f6 100644 --- a/tomcat10.spec +++ b/tomcat10.spec 
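Review bot: The new tomcat-10-CVE-2023-46589.patch only carries the catalina side of the fix (BadRequestException, ClientAbortException, InputBuffer, ApplicationDispatcher, StandardWrapperValve), a test and a changelog entry; none of its Index: entries touch the coyote trailer-header parsing in ChunkedInputFilter, which is where the "incorrect headers parsing" named in the commit message is handled, so please confirm against the upstream commit that the coyote part of the fix was not dropped during the backport. The added test `testTrailerHeaderNameNotTokenSwallowException` only shows that a 400 survives an application swallowing the IOException; it does not exercise an over-limit trailer header. The changelog.xml hunk at the end of the patch also looks damaged in this copy (`++d` with no element text), which may be a rendering artifact but is worth checking before the patch is applied.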
@@ -71,6 +71,7 @@ Source21: %{app_name}-functions Source30: %{app_name}-preamble Source31: %{app_name}-server Source32: %{app_name}-named.service +Source33: tomcat-10-CVE-2023-46589.patch Source100: valve.xslt Source101: allowLinking.xslt Source1000: %{app_name}-rpmlintrc @@ -111,7 +112,6 @@ BuildRequires: jakarta-taglibs-standard >= 1.1 BuildRequires: java-devel >= 11 BuildRequires: javapackages-local BuildRequires: junit -BuildRequires: libxslt-tools BuildRequires: osgi-annotation BuildRequires: osgi-compendium BuildRequires: osgi-core @@ -132,6 +132,7 @@ Requires: apache-commons-pool2 Requires: jakarta-servlet Requires: java >= %{java_version} Requires(post): %fillup_prereq +Requires(post): libxslt-tools Requires(pre): shadow Requires: libtcnative-1-0 >= 1.2.38 Requires: logrotate @@ -150,6 +151,7 @@ ATTENTION: This tomcat is built with java %{java_version}. Summary: The host manager and manager web applications for Apache Tomcat Group: Productivity/Networking/Web/Servers Requires: %{name} = %{version}-%{release} +Requires(post): libxslt-tools Conflicts: %{app_name}-admin-webapps %description admin-webapps @@ -167,6 +169,7 @@ Embeddeding support (various libraries) for Apache Tomcat. Summary: The "docs" web application for Apache Tomcat Group: Productivity/Networking/Web/Servers Requires: %{name} = %{version}-%{release} +Requires(post): libxslt-tools Conflicts: %{app_name}-docs-webapp %description docs-webapp @@ -261,6 +264,7 @@ Summary: ROOT and examples web applications for Apache Tomcat Group: Productivity/Networking/Web/Servers Requires: %{name} = %{version}-%{release} Requires: jakarta-taglibs-standard >= 1.1 +Requires(post): libxslt-tools Conflicts: %{app_name}-webapps %description webapps 
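Review bot: `+Source33: tomcat-10-CVE-2023-46589.patch` declares the CVE fix as a Source rather than a Patch, and no `%patch` line applying it appears in any of the visible spec hunks, so as far as this commit shows the patch is shipped in the SRPM but never applied to the build tree while the changelog entry claims CVE-2023-46589 is fixed. It should be declared as the next free `PatchN:` entry and applied in %prep the same way the existing Patch5–Patch8 entries are; that section is outside this hunk. The `-BuildRequires: libxslt-tools` removal is only safe if nothing in %build or %install still invokes xsltproc, which cannot be checked from this hunk.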
@@ -587,6 +591,7 @@ getent passwd tomcat >/dev/null || %{_sbindir}/useradd -c "Apache Tomcat" \ %post %service_add_post %{app_name}.service %{fillup_only %{app_name}} +xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml %preun %service_del_preun %{app_name}.service @@ -696,9 +701,6 @@ if [ ! -e %{_datadir}/%{app_name}/webapps/docs ]; then ln -sf %{tomcatappdir}/docs %{_datadir}/%{app_name}/webapps/docs fi -%posttrans -xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml - %files %doc {LICENSE,NOTICE,RELEASE*} %attr(0755,root,root) %{_bindir}/%{app_name}-digest From 605c062dcf330b94a548da48d68a2350dcb7bb05cf1972b5151f2b03deb30a10 Mon Sep 17 00:00:00 2001 From: Fridrich Strba Date: Wed, 17 Jan 2024 16:46:07 +0000 Subject: [PATCH 2/5] OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=21 --- apache-tomcat-10.1.16-src.tar.gz | 3 +++ apache-tomcat-10.1.16-src.tar.gz.asc | 16 ++++++++++++++++ java11.patch | 12 ++++++++++++ tomcat10.spec | 3 ++- 4 files changed, 33 insertions(+), 1 deletion(-) create mode 100644 apache-tomcat-10.1.16-src.tar.gz create mode 100644 apache-tomcat-10.1.16-src.tar.gz.asc create mode 100644 java11.patch diff --git a/apache-tomcat-10.1.16-src.tar.gz b/apache-tomcat-10.1.16-src.tar.gz new file mode 100644 index 0000000..6ec2e96 --- /dev/null +++ b/apache-tomcat-10.1.16-src.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:e676c0b964d5c27e02c668839940ce6510bebf6797a2d012652990de47a32967 +size 6148509 diff --git a/apache-tomcat-10.1.16-src.tar.gz.asc b/apache-tomcat-10.1.16-src.tar.gz.asc new file mode 100644 index 0000000..423185d --- /dev/null +++ b/apache-tomcat-10.1.16-src.tar.gz.asc 
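Review bot: The `xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml` line added to %post runs on every install and upgrade, so an administrator-edited server.xml is rewritten in place each time the package is updated and the stylesheet is re-applied to its own earlier output (the removed %posttrans line in the second hunk had the same behaviour, so this is not a regression, but the move is a chance to fix it). Guard it to first install only, `if [ "$1" -eq 1 ]; then` … `fi` around the xsltproc call, unless valve.xslt is known to be a no-op on already-transformed input, which cannot be seen here. Reading and writing the same path with no exit-status check also means a failing xsltproc run may leave server.xml damaged; writing to a temporary file and moving it into place only on success would be safer.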
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmVOWdQACgkQHPApP6U8 +pFhGlw//TWZrcrXHUZOR7WEeH3PNJxcqkz1mvyX6dpEILvhoc5F6rWiiVIF+IQWH +COURprtCc2gY9o6HQn+FpB5nkULh99t1RbrmcsC/J0KwZ2JEz9iZTT9XLwUGapMf +Jef9uSMjKoAH+6vT3CzspSKlBb6f4vFLLNM6VtPUAXxw5ssXUZG+WwzEFq9a6zKr +jNCNehQ6BmT/IeV3YXJ+DCoYeb0Yi/ehnX4gB8MlmB111dhQzuBveuzgWBZKr3Rp +oJrP6/P04pY6YtKbjwHSlZyUYvWeGnvjXY4H2NoD9hDEEOFuNHCnAugjiwls/+jB +3PPMoG+BNGoRQ5F5Yo8ZoeNmRLCDDtCdM+oWlpbkDJh9GeEU2ym7puFmDp9GTnH1 +ltUKJp9uPOBu624oLSzSYzFWcrdH3h+gHO0uRdoYE15FCpxSlHT6ooy5QRH0yHw0 +sBugFplZ4gkT4i/pzsFhPCW46f7Rcu6hv7SOJw54kdAbKuQPc9W7eMIHHCBupFdY +mTJQljPHVwR1JGi7sRc7U4iWezvUVEbW0Hi58a42KSjIoQd6QYPqcMVF87g1bLGT +XFedyhTNBf2yqV4hSstYWd9VlrwCjgUR9zZ/9itihC589ldAdsl68kW5SzmpzKxa +3tbQGPD2pPnS0D1dpZANjhgdQxekqUAkXsOiEJhDn6XSlyv7ibY= +=nadB +-----END PGP SIGNATURE----- diff --git a/java11.patch b/java11.patch new file mode 100644 index 0000000..28f2061 --- /dev/null +++ b/java11.patch @@ -0,0 +1,12 @@ +diff -urEbwB apache-tomcat-10.1.16-src.orig/build.xml apache-tomcat-10.1.16-src/build.xml +--- apache-tomcat-10.1.16-src.orig/build.xml 2024-01-17 17:25:04.525014965 +0100 ++++ apache-tomcat-10.1.16-src/build.xml 2024-01-17 17:25:34.891882458 +0100 +@@ -107,7 +107,7 @@ + + + +- ++ + + + diff --git a/tomcat10.spec b/tomcat10.spec index 50ab8f6..f041371 100644 --- a/tomcat10.spec +++ b/tomcat10.spec @@ -29,7 +29,7 @@ %define elspec %{elspec_major}.%{elspec_minor} %define major_version 10 %define minor_version 1 -%define micro_version 14 +%define micro_version 16 %define java_major 1 %define java_minor 11 %define java_version %{java_major}.%{java_minor} 
@@ -93,6 +93,7 @@ Patch5: %{app_name}-jdt.patch Patch6: %{app_name}-secretRequired-default.patch Patch7: %{app_name}-fix_catalina.patch Patch8: %{app_name}-logrotate_everything.patch +Patch9: java11.patch BuildRequires: ant >= 1.10.2 BuildRequires: ant-antlr BuildRequires: apache-commons-collections From e91e59ba95bf3b609850fc5a5b6eafb013dc1f70fc5b669a4619d267727e2139 Mon Sep 17 00:00:00 2001 
From: Michele Bussolotto Date: Wed, 17 Jan 2024 17:29:08 +0000 Subject: [PATCH 3/5] Accepting request 1139521 from home:mbussolotto:branches:Java:packages - Update to Tomcat 10.1.18 * Fixed CVEs: + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to incorrect headers parsing (bsc#1217649) * Catalina + Update: 68378: Align extension to MIME type mappings in the global web.xml with those in httpd by adding application/vnd.geogebra.slides for ggs, text/javascript for mjs and audio/ogg for opus. (markt) + Fix: Background processes should not be run concurrently with lifecycle operations of a container. (remm) + Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt) + Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt) + Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt) + Fix: 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo) + Update: The status servlet included in the manager webapp can now output statistics as JSON, using the JSON=true URL parameter. (remm) + Update: Optionally allow ServiceBindingPropertySource to trim a trailing newline from a file containing a property-value. 
(schultz) + Fix: 67793: Ensure the original session timeout is restored OBS-URL: https://build.opensuse.org/request/show/1139521 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=22 --- apache-tomcat-10.1.14-src.tar.gz | 3 - apache-tomcat-10.1.14-src.tar.gz.asc | 16 - apache-tomcat-10.1.16-src.tar.gz | 3 - apache-tomcat-10.1.16-src.tar.gz.asc | 16 - apache-tomcat-10.1.18-src.tar.gz | 3 + apache-tomcat-10.1.18-src.tar.gz.asc | 16 + tomcat-10-CVE-2023-46589.patch | 307 ------------------ ...ch => tomcat-10.0-build-with-java-11.patch | 9 +- tomcat10.changes | 150 ++++++++- tomcat10.spec | 5 +- 10 files changed, 167 insertions(+), 361 deletions(-) delete mode 100644 apache-tomcat-10.1.14-src.tar.gz delete mode 100644 apache-tomcat-10.1.14-src.tar.gz.asc delete mode 100644 apache-tomcat-10.1.16-src.tar.gz delete mode 100644 apache-tomcat-10.1.16-src.tar.gz.asc create mode 100644 apache-tomcat-10.1.18-src.tar.gz create mode 100644 apache-tomcat-10.1.18-src.tar.gz.asc delete mode 100644 tomcat-10-CVE-2023-46589.patch rename java11.patch => tomcat-10.0-build-with-java-11.patch (60%) diff --git a/apache-tomcat-10.1.14-src.tar.gz b/apache-tomcat-10.1.14-src.tar.gz deleted file mode 100644 index 00309b4..0000000 --- a/apache-tomcat-10.1.14-src.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:029ef4076e5175a5ec2ce7dda191f2e2d6add0dd6c1366078e6ed7292dace80e -size 6131823 diff --git a/apache-tomcat-10.1.14-src.tar.gz.asc b/apache-tomcat-10.1.14-src.tar.gz.asc deleted file mode 100644 index f122786..0000000 --- a/apache-tomcat-10.1.14-src.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmUkebcACgkQHPApP6U8 -pFjGnBAAmA3QdkA/45KMJAHT5QADESvPXomHvHvG+iHJHfcgJJ//iBfY9f7FxLxw -yrcRZcU8BUhw032DkL+R2UMVxnE+4z4MAFXYS+2X1WP6neGdAYl9Qx+3Q45h78Sj -6/LYmYGiqFkkt7XM2Zh1Clw0EH93iSi+GAoXnuTtyPdJ4f7iBqG21kMErUu+iRKt -591imA8NWiYL5q1+PiOMpElWsj142oefjCgM0xttWwLZoAQ5jcyyFYJ5B/kEuDbP -trQpHUCTBA/0ltImYMaaHvLh//tiEj31EzLvU/+ofH8WoAEuV30kfHTSISLs5PEM -h5wZel7KMBaOXPeEkHySHTC0hQ0+GbqV1utwkht6kLE2+LaPe/8G9McoEQr9sFFD -8adgJH9DeDCJUjispTMF4UoJLCsHPL6UgEjcXFll9pEXADndWiX0cvt8t///Ej1+ -qwOzfCz0DJpfd5XAfLx+t8y66nf3EDvFMPuwXBtgaSzonW6TOHFcQu/P1Fzr95s8 -spWomzmETLJ9xos8g7gZYH5OA9zqrdrBhauBibWmdARAND26sQAYJvwbPXnEyre/ -rbtcWcPgvFeuHfjzo0CX02rhBbMKqmk62Nd9hK0O5/pFM9lOJoRwrgImmyIRAJUQ -hohDjWTlPhtjc9bIlyLjCXEkIpno6YXMtzDoVam1rDsKS2Ggm5s= -=/3mT ------END PGP SIGNATURE----- diff --git a/apache-tomcat-10.1.16-src.tar.gz b/apache-tomcat-10.1.16-src.tar.gz deleted file mode 100644 index 6ec2e96..0000000 --- a/apache-tomcat-10.1.16-src.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:e676c0b964d5c27e02c668839940ce6510bebf6797a2d012652990de47a32967 -size 6148509 diff --git a/apache-tomcat-10.1.16-src.tar.gz.asc b/apache-tomcat-10.1.16-src.tar.gz.asc deleted file mode 100644 index 423185d..0000000 --- a/apache-tomcat-10.1.16-src.tar.gz.asc +++ /dev/null 
@@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmVOWdQACgkQHPApP6U8 -pFhGlw//TWZrcrXHUZOR7WEeH3PNJxcqkz1mvyX6dpEILvhoc5F6rWiiVIF+IQWH -COURprtCc2gY9o6HQn+FpB5nkULh99t1RbrmcsC/J0KwZ2JEz9iZTT9XLwUGapMf -Jef9uSMjKoAH+6vT3CzspSKlBb6f4vFLLNM6VtPUAXxw5ssXUZG+WwzEFq9a6zKr -jNCNehQ6BmT/IeV3YXJ+DCoYeb0Yi/ehnX4gB8MlmB111dhQzuBveuzgWBZKr3Rp -oJrP6/P04pY6YtKbjwHSlZyUYvWeGnvjXY4H2NoD9hDEEOFuNHCnAugjiwls/+jB -3PPMoG+BNGoRQ5F5Yo8ZoeNmRLCDDtCdM+oWlpbkDJh9GeEU2ym7puFmDp9GTnH1 -ltUKJp9uPOBu624oLSzSYzFWcrdH3h+gHO0uRdoYE15FCpxSlHT6ooy5QRH0yHw0 -sBugFplZ4gkT4i/pzsFhPCW46f7Rcu6hv7SOJw54kdAbKuQPc9W7eMIHHCBupFdY -mTJQljPHVwR1JGi7sRc7U4iWezvUVEbW0Hi58a42KSjIoQd6QYPqcMVF87g1bLGT -XFedyhTNBf2yqV4hSstYWd9VlrwCjgUR9zZ/9itihC589ldAdsl68kW5SzmpzKxa -3tbQGPD2pPnS0D1dpZANjhgdQxekqUAkXsOiEJhDn6XSlyv7ibY= -=nadB ------END PGP SIGNATURE----- diff --git a/apache-tomcat-10.1.18-src.tar.gz b/apache-tomcat-10.1.18-src.tar.gz new file mode 100644 index 0000000..19dba99 --- /dev/null +++ b/apache-tomcat-10.1.18-src.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cd7cdd2ae143271893e486d6b809c69e4615c556bc9f9e2ebf186c409685545e +size 6166424 diff --git a/apache-tomcat-10.1.18-src.tar.gz.asc b/apache-tomcat-10.1.18-src.tar.gz.asc new file mode 100644 index 0000000..c54ad21 --- /dev/null +++ b/apache-tomcat-10.1.18-src.tar.gz.asc 
@@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmWYGCoACgkQHPApP6U8 +pFgFuhAAuP0n+aPDB9AokSY4TQfRNZuJRRof9IjWZENwsCN+/8s0vejBLtuyRrfR +IFbE8DqdOFWZQTbuAWP4YtvBtXxTkwnNnkldhveABDOV63Fv5GyPtMHj2b2O1lay +LS6v40oy4816/l9muBY8w0bdUp7QHF/bvftGkvAw3ukqYDpNYs2zjP+Zvf1rNelV +Y9pXKoxfTe9JXKiggYHU/PuWEYsKvnBTos/lwJeNwr9yHo5lsOE2CQh4ix6O8OSP +YhmW+XrJTWhpFJiX99iN3lKFBJ0ZkTK//MaYOhvlF8JEAClbl9AMZtwkTu0z/yTN +jdUOMXB9mcABCHxibbEnSNEC1fTThvChvXFZxRfWlgdQr3PHGH6ncJKc9o3wNN1K +VKp45dsuvYRWGwwBN+D//U7GaWAkFGH1Tuk5WYgmd42c7fkPEoQ0m8eomWyoOdcN +OvtzypufTsrGM/Up7szgBOhCM7izy1t3qBQ+Zey5PHYiN8/astYtKbvb7XHaAP6O +/RrB4JV6euvgRgf4RBLHJmwWkPEzBysL1GEhJez5JjxCQNijS+9zmWwHPmjTcp+v +HVhG3AftBme3df2LR0AMzgfsQZsIiLdgcSrLqwmhl2N3rxZ2U5cRO/eyaMgia/Kw +atGk0QMZYwKH/EB41r5EiNtG0BIuRIq4a7Ssb1y0YpJQWvc89wc= +=pryG +-----END PGP SIGNATURE----- diff --git a/tomcat-10-CVE-2023-46589.patch b/tomcat-10-CVE-2023-46589.patch deleted file mode 100644 index 04f256b..0000000 --- a/tomcat-10-CVE-2023-46589.patch +++ /dev/null 
@@ -1,307 +0,0 @@ -Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/BadRequestException.java -=================================================================== ---- /dev/null -+++ apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/BadRequestException.java -@@ -0,0 +1,68 @@ -+/* -+ * Licensed to the Apache Software Foundation (ASF) under one or more -+ * contributor license agreements. See the NOTICE file distributed with -+ * this work for additional information regarding copyright ownership. -+ * The ASF licenses this file to You under the Apache License, Version 2.0 -+ * (the "License"); you may not use this file except in compliance with -+ * the License. You may obtain a copy of the License at -+ * -+ * http://www.apache.org/licenses/LICENSE-2.0 -+ * -+ * Unless required by applicable law or agreed to in writing, software -+ * distributed under the License is distributed on an "AS IS" BASIS, -+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+ * See the License for the specific language governing permissions and -+ * limitations under the License. -+ */ -+package org.apache.catalina.connector; -+ -+import java.io.IOException; -+ -+/** -+ * Extend IOException to identify it as being caused by a bad request from a remote client. -+ */ -+public class BadRequestException extends IOException { -+ -+ private static final long serialVersionUID = 1L; -+ -+ -+ // ------------------------------------------------------------ Constructors -+ -+ /** -+ * Construct a new BadRequestException with no other information. -+ */ -+ public BadRequestException() { -+ super(); -+ } -+ -+ -+ /** -+ * Construct a new BadRequestException for the specified message. -+ * -+ * @param message Message describing this exception -+ */ -+ public BadRequestException(String message) { -+ super(message); -+ } -+ -+ -+ /** -+ * Construct a new BadRequestException for the specified throwable. 
-+ * -+ * @param throwable Throwable that caused this exception -+ */ -+ public BadRequestException(Throwable throwable) { -+ super(throwable); -+ } -+ -+ -+ /** -+ * Construct a new BadRequestException for the specified message and throwable. -+ * -+ * @param message Message describing this exception -+ * @param throwable Throwable that caused this exception -+ */ -+ public BadRequestException(String message, Throwable throwable) { -+ super(message, throwable); -+ } -+} -Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/ClientAbortException.java -=================================================================== ---- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/connector/ClientAbortException.java -+++ apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/ClientAbortException.java -@@ -16,14 +16,12 @@ - */ - package org.apache.catalina.connector; - --import java.io.IOException; -- - /** - * Extend IOException to identify it as being caused by an abort of a request by a remote client. - * - * @author Glenn L. 
Nielsen
- */
--public final class ClientAbortException extends IOException {
-+public final class ClientAbortException extends BadRequestException {
-
- private static final long serialVersionUID = 1L;
-
-Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/InputBuffer.java
-===================================================================
---- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/connector/InputBuffer.java
-+++ apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/InputBuffer.java
-@@ -29,6 +29,7 @@ import java.util.Map;
- import java.util.concurrent.ConcurrentHashMap;
-
- import jakarta.servlet.ReadListener;
-+import jakarta.servlet.RequestDispatcher;
-
- import org.apache.catalina.security.SecurityUtil;
- import org.apache.coyote.ActionCode;
-@@ -307,10 +308,24 @@ public class InputBuffer extends Reader
-
- try {
- return coyoteRequest.doRead(this);
-+ } catch (BadRequestException bre) {
-+ // Set flag used by asynchronous processing to detect errors on non-container threads
-+ coyoteRequest.setErrorException(bre);
-+ // In synchronous processing, this exception may be swallowed by the application so set error flags here.
-+ coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, bre);
-+ coyoteRequest.getResponse().setStatus(400);
-+ coyoteRequest.getResponse().setError();
-+ // Make the exception visible to the application
-+ throw bre;
- } catch (IOException ioe) {
-+ // Set flag used by asynchronous processing to detect errors on non-container threads
- coyoteRequest.setErrorException(ioe);
-- // An IOException on a read is almost always due to
-- // the remote client aborting the request.
-+ // In synchronous processing, this exception may be swallowed by the application so set error flags here.
-+ coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, ioe);
-+ coyoteRequest.getResponse().setStatus(400);
-+ coyoteRequest.getResponse().setError();
-+ // Any other IOException on a read is almost always due to the remote client aborting the request.
-+ // Make the exception visible to the application
- throw new ClientAbortException(ioe);
- }
- }
-Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/core/ApplicationDispatcher.java
-===================================================================
---- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/core/ApplicationDispatcher.java
-+++ apache-tomcat-10.1.14-src/java/org/apache/catalina/core/ApplicationDispatcher.java
-@@ -41,7 +41,7 @@ import org.apache.catalina.AsyncDispatch
- import org.apache.catalina.Context;
- import org.apache.catalina.Globals;
- import org.apache.catalina.Wrapper;
--import org.apache.catalina.connector.ClientAbortException;
-+import org.apache.catalina.connector.BadRequestException;
- import org.apache.catalina.connector.Request;
- import org.apache.catalina.connector.RequestFacade;
- import org.apache.catalina.connector.Response;
-@@ -642,7 +642,7 @@ final class ApplicationDispatcher implem
- filterChain.doFilter(request, response);
- }
- // Servlet Service Method is called by the FilterChain
-- } catch (ClientAbortException e) {
-+ } catch (BadRequestException e) {
- ioException = e;
- } catch (IOException e) {
- wrapper.getLogger().error(sm.getString("applicationDispatcher.serviceException", wrapper.getName()), e);
-@@ -653,7 +653,7 @@ final class ApplicationDispatcher implem
- wrapper.unavailable(e);
- } catch (ServletException e) {
- Throwable rootCause = StandardWrapper.getRootCause(e);
-- if (!(rootCause instanceof ClientAbortException)) {
-+ if (!(rootCause instanceof BadRequestException)) {
- wrapper.getLogger().error(sm.getString("applicationDispatcher.serviceException", wrapper.getName()),
- rootCause);
- }
-Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/core/StandardWrapperValve.java
-===================================================================
---- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/core/StandardWrapperValve.java
-+++ apache-tomcat-10.1.14-src/java/org/apache/catalina/core/StandardWrapperValve.java
-@@ -32,7 +32,7 @@ import org.apache.catalina.Container;
- import org.apache.catalina.Context;
- import org.apache.catalina.Globals;
- import org.apache.catalina.LifecycleException;
--import org.apache.catalina.connector.ClientAbortException;
-+import org.apache.catalina.connector.BadRequestException;
- import org.apache.catalina.connector.Request;
- import org.apache.catalina.connector.Response;
- import org.apache.catalina.valves.ValveBase;
-@@ -169,7 +169,7 @@ final class StandardWrapperValve extends
- }
-
- }
-- } catch (ClientAbortException | CloseNowException e) {
-+ } catch (BadRequestException | CloseNowException e) {
- if (container.getLogger().isDebugEnabled()) {
- container.getLogger().debug(
- sm.getString("standardWrapper.serviceException", wrapper.getName(), context.getName()), e);
-@@ -190,7 +190,7 @@ final class StandardWrapperValve extends
- // do not want to do exception(request, response, e) processing
- } catch (ServletException e) {
- Throwable rootCause = StandardWrapper.getRootCause(e);
-- if (!(rootCause instanceof ClientAbortException)) {
-+ if (!(rootCause instanceof BadRequestException)) {
- container.getLogger().error(sm.getString("standardWrapper.serviceExceptionRoot", wrapper.getName(),
- context.getName(), e.getMessage()), rootCause);
- }
-Index: apache-tomcat-10.1.14-src/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java
-===================================================================
---- apache-tomcat-10.1.14-src.orig/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java
-+++ apache-tomcat-10.1.14-src/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java
-@@ -428,6 +428,83 @@ public class TestChunkedInputFilter exte
- }
- }
-
-+
-+ @Test
-+ public void testTrailerHeaderNameNotTokenThrowException() throws Exception {
-+ doTestTrailerHeaderNameNotToken(false);
-+ }
-+
-+ @Test
-+ public void testTrailerHeaderNameNotTokenSwallowException() throws Exception {
-+ doTestTrailerHeaderNameNotToken(true);
-+ }
-+
-+ private void doTestTrailerHeaderNameNotToken(boolean swallowException) throws Exception {
-+
-+ // Setup Tomcat instance
-+ Tomcat tomcat = getTomcatInstance();
-+
-+ // No file system docBase required
-+ Context ctx = tomcat.addContext("", null);
-+
-+ Tomcat.addServlet(ctx, "servlet", new SwallowBodyServlet(swallowException));
-+ ctx.addServletMappingDecoded("/", "servlet");
-+
-+ tomcat.start();
-+
-+ String[] request = new String[]{
-+ "POST / HTTP/1.1" + SimpleHttpClient.CRLF +
-+ "Host: localhost" + SimpleHttpClient.CRLF +
-+ "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
-+ "Content-Type: application/x-www-form-urlencoded" + SimpleHttpClient.CRLF +
-+ "Connection: close" + SimpleHttpClient.CRLF +
-+ SimpleHttpClient.CRLF +
-+ "3" + SimpleHttpClient.CRLF +
-+ "a=0" + SimpleHttpClient.CRLF +
-+ "4" + SimpleHttpClient.CRLF +
-+ "&b=1" + SimpleHttpClient.CRLF +
-+ "0" + SimpleHttpClient.CRLF +
-+ "x@trailer: Test" + SimpleHttpClient.CRLF +
-+ SimpleHttpClient.CRLF };
-+
-+ TrailerClient client = new TrailerClient(tomcat.getConnector().getLocalPort());
-+ client.setRequest(request);
-+
-+ client.connect();
-+ client.processRequest();
-+ // Expected to fail because of invalid trailer header name
-+ Assert.assertTrue(client.getResponseLine(), client.isResponse400());
-+ }
-+
-+ private static class SwallowBodyServlet extends HttpServlet {
-+ private static final long serialVersionUID = 1L;
-+
-+ private final boolean swallowException;
-+
-+ SwallowBodyServlet(boolean swallowException) {
-+ this.swallowException = swallowException;
-+ }
-+
-+ @Override
-+ protected void doPost(HttpServletRequest req, HttpServletResponse resp)
-+ throws ServletException, IOException {
-+ resp.setContentType("text/plain");
-+ PrintWriter pw = resp.getWriter();
-+
-+ // Read the body
-+ InputStream is = req.getInputStream();
-+ try {
-+ while (is.read() > -1) {
-+ }
-+ pw.write("OK");
-+ } catch (IOException ioe) {
-+ if (!swallowException) {
-+ throw ioe;
-+ }
-+ }
-+ }
-+ }
-+
- private static class EchoHeaderServlet extends HttpServlet {
- private static final long serialVersionUID = 1L;
-
-Index: apache-tomcat-10.1.14-src/webapps/docs/changelog.xml
-===================================================================
---- apache-tomcat-10.1.14-src.orig/webapps/docs/changelog.xml
-+++ apache-tomcat-10.1.14-src/webapps/docs/changelog.xml
-@@ -129,6 +129,11 @@
- Improve handling of failures within recycle() methods.
- (markt)
-
-+
-+ Ensure that an IOException during the reading of the
-+ request triggers always error handling, regardless of whether the
-+ application swallows the exception. (markt)
-+
-
-
-
-@@ -170,7 +175,7 @@
-
- Improvements to HTTP/2 overhead protection. (markt)
-
--
-+d
-
-
-
diff --git a/java11.patch b/tomcat-10.0-build-with-java-11.patch
similarity index 60%
rename from java11.patch
rename to tomcat-10.0-build-with-java-11.patch
index 28f2061..0f07d99 100644
--- a/java11.patch
+++ b/tomcat-10.0-build-with-java-11.patch
@@ -1,7 +1,8 @@
-diff -urEbwB apache-tomcat-10.1.16-src.orig/build.xml apache-tomcat-10.1.16-src/build.xml
---- apache-tomcat-10.1.16-src.orig/build.xml 2024-01-17 17:25:04.525014965 +0100
-+++ apache-tomcat-10.1.16-src/build.xml 2024-01-17 17:25:34.891882458 +0100
-@@ -107,7 +107,7 @@
+Index: apache-tomcat-10.1.18-src/build.xml
+===================================================================
+--- apache-tomcat-10.1.18-src.orig/build.xml
++++ apache-tomcat-10.1.18-src/build.xml
+@@ -108,7 +108,7 @@
diff --git a/tomcat10.changes b/tomcat10.changes
index 28d6489..73ef7ac 100644
--- a/tomcat10.changes
+++ b/tomcat10.changes
@@ -1,18 +1,150 @@
+-------------------------------------------------------------------
+Wed Jan 17 15:59:25 UTC 2024 - Michele Bussolotto
+
+- Update to Tomcat 10.1.18
+ * Fixed CVEs:
+ + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
+ incorrect headers parsing (bsc#1217649)
+ * Catalina
+ + Update: 68378: Align extension to MIME type mappings in the
+ global web.xml with those in httpd by adding
+ application/vnd.geogebra.slides for ggs, text/javascript for mjs
+ and audio/ogg for opus. (markt)
+ + Fix: Background processes should not be run concurrently with
+ lifecycle operations of a container. (remm)
+ + Fix: Correct unintended escaping of XML in some WebDAV
+ responses. The XML list of support locks when provided in
+ response to a PROPFIND request was incorrectly XML escaped.
+ (markt)
+ + Fix: 68227: Ensure that AsyncListener.onComplete() is called
+ if AsyncListener.onError() calls AsyncContext.dispatch().
+ (markt)
+ + Fix: 68228: Use a 408 status code if a read timeout occurs
+ during HTTP request processing. Includes a test case based on
+ code provided by adwsingh. (markt)
+ + Fix: 67667: TLSCertificateReloadListener prints unreadable
+ rendering of X509Certificate#getNotAfter(). (michaelo)
+ + Update: The status servlet included in the manager webapp
+ can now output statistics as JSON, using the JSON=true URL
+ parameter. (remm)
+ + Update: Optionally allow ServiceBindingPropertySource to
+ trim a trailing newline from a file containing a
+ property-value. (schultz)
+ + Fix: 67793: Ensure the original session timeout is restored
+ after FORM authentication if the user refreshes a page during
+ the FORM authentication process. Based on a suggestion by
+ Mircea Butmalai. (markt)
+ + Update: 67926: PEMFile prints unidentifiable string
+ representation of ASN.1 OIDs. (michaelo)
+ + Fix: 66875: Ensure that setting the request attribute
+ jakarta.servlet.error.exception is not sufficient to trigger
+ error handling for the current request and response. (markt)
+ + Fix: 68054: Avoid some file canonicalization calls
+ introduced by the fix for 65433. (remm)
+ + Fix: 68089: Improve performance of request attribute access
+ for ApplicationHttpRequest and ApplicationRequest. (markt)
+ + Fix: Use a 400 status code to report an error due to a bad
+ request (e.g. an invalid trailer header) rather than a 500
+ status code. (markt)
+ + Fix: Ensure that an IOException during the reading of the
+ request triggers always error handling, regardless of whether
+ the application swallows the exception. (markt)
+ * Coyote
+ + Fix: Refactor the VirtualThreadExecutor so that it can be
+ used by the NIO2 connector which was using platform threads
+ even when configured to use virtual threads. (markt)
+ + Fix: Correct a regression in the fix for 67675 that broke
+ TLS key file parsing for PKCS#8 format keys that do not specify
+ an explicit pseudo-random function and rely on the default.
+ This typically affects keys generated by OpenSSL 1.0.2.
+ (markt)
+ + Fix: Allow multiple operations with the same name on
+ introspected mbeans, fixing a regression caused by the
+ introduction of a second addSslHostConfig method. (remm)
+ + Fix: Relax the check that the HTTP Host header is consistent
+ with the host used in the request line, if any, to make the
+ check case insensitive since host names are case insensitive.
+ (markt)
+ + Add: 68348: Add support for the partitioned attribute for
+ cookies. (markt)
+ + Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and
+ SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
+ + Add: When calling
+ SSLHostConfigCertificate.setCertificateKeystore(ks),
+ automatically call setCertificateKeystoreType(ks.getType()).
+ (markt)
+ + Fix: 67628: Clarify how the ciphers attribute of the
+ SSLHostConfig is used. (markt)
+ + Fix: 67666: Ensure TLS connectors using PEM files either
+ work with the TLSCertificateReloadListener or, in the rare case
+ that they do not, log a warning on Connector start. (markt)
+ + Fix: 67675: Support a wider range of KDF and ciphers for PEM
+ files than the combinations supported by the JVM by default.
+ Specifically, support the OpenSSL default of HmacSHA256 and
+ DES-EDE3-CBC. (markt)
+ + Fix: 67927: Reloading TLS configuration can cause the
+ Connector to refuse new connections or the JVM to crash.
+ (markt)
+ + Fix: 67934: If both Tomcat Native 1.2.x and 2.0.x are
+ available, prefer 1.2.x since it supports the APR/Native
+ connector whereas 2.0.x does not. (markt)
+ + Fix: 67938: Correct handling of large TLS client hello
+ messages that were causing the TLS handshake to fail. (markt)
+ + Fix: 68026: Convert selected MessageByte values to String
+ when first accessed to speed up subsequent accesses and reduce
+ garbage collection. (markt)
+ * Jasper
+ + Code: 68119: Refactor the CompositeELResolver to improve
+ performance during type conversion operations. (markt)
+ + Fix: 68068: Performance improvement for EL. Based on a
+ suggestion by John Engebretson. (markt)
+ * Web Applications
+ + Fix: 68035: Additional fix to the Manager application to
+ enable the deployment of a web application located in a Host's
+ appBase where the web application is specified by a bare (no
+ path) WAR or directory name as shown in the documentation.
+ (markt)
+ + Fix: Examples. Improve the error handling so snakes
+ associated with a user that drops from the network are removed
+ from the game. (markt)
+ + Fix: 68035: Correct a regression in the fix for 56248 that
+ prevented deployment via the Manager of a WAR or directory that
+ was already present in the appBase or a context file that was
+ already present in the xmlBase. (markt)
+ * Other
+ + Update: Update Checkstyle to 10.12.7. (markt)
+ + Update: Update SpotBugs to 4.8.3. (markt)
+ + Add: Improvements to French translations. (remm)
+ + Add: Improvements to Japanese translations by tak7iji.
+ (markt)
+ + Update: Update UnboundID to 6.0.11. (markt)
+ + Update: Update Checkstyle to 10.12.5. (markt)
+ + Update: Update SpotBugs to 4.8.2. (markt)
+ + Update: Update Derby to 10.17.1. (markt)
+ + Add: Improvements to French translations. (remm)
+ + Add: Improvements to Japanese translations by tak7iji.
+ (markt)
+ + Add: Improvements to Brazilian Portuguese translations by
+ John William Vicente. (markt)
+ + Add: Improvements to Russian translations by usmazat and
+ remm. (markt)
+ + Add: 67538: Make use of Ant's task to enfore
+ the mininum Java build version. (michaelo)
+ + Update: Update Checkstyle to 10.12.4. (markt)
+ + Update: Update JaCoCo to 0.8.11. (markt)
+ + Update: Update SpotBugs to 4.8.0. (markt)
+ + Update: Update BND to 7.0.0. (markt)
+ + Update: The minimum Java version required to build Tomcat
+ has been raised to Java 17. (markt)
+ + Update: Update the OWB module to Apache OpenWebBeans 4.0.0.
+ (remm)
+
 -------------------------------------------------------------------
 Wed Jan 17 15:35:51 UTC 2024 - Michele Bussolotto
 - change server.xml during %post instead of %posttrans
 - add libxslt-tools requirement
--------------------------------------------------------------------
-Wed Jan 17 15:35:40 UTC 2024 - Michele Bussolotto
-
-- Fixed CVEs:
- * CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
- incorrect headers parsing (bsc#1217649)
-- Added patches:
- * tomcat-10-CVE-2023-46589.patch
-
 -------------------------------------------------------------------
 Tue Jan 16 09:05:32 UTC 2024 - Michele Bussolotto
diff --git a/tomcat10.spec b/tomcat10.spec
index f041371..40349fc 100644
--- a/tomcat10.spec
+++ b/tomcat10.spec
@@ -29,7 +29,7 @@
 %define elspec %{elspec_major}.%{elspec_minor}
 %define major_version 10
 %define minor_version 1
-%define micro_version 16
+%define micro_version 18
 %define java_major 1
 %define java_minor 11
 %define java_version %{java_major}.%{java_minor}
@@ -71,7 +71,6 @@ Source21: %{app_name}-functions
 Source30: %{app_name}-preamble
 Source31: %{app_name}-server
 Source32: %{app_name}-named.service
-Source33: tomcat-10-CVE-2023-46589.patch
 Source100: valve.xslt
 Source101: allowLinking.xslt
 Source1000: %{app_name}-rpmlintrc
@@ -93,7 +92,7 @@ Patch5: %{app_name}-jdt.patch
 Patch6: %{app_name}-secretRequired-default.patch
 Patch7: %{app_name}-fix_catalina.patch
 Patch8: %{app_name}-logrotate_everything.patch
-Patch9: java11.patch
+Patch9: tomcat-10.0-build-with-java-11.patch
 BuildRequires: ant >= 1.10.2
 BuildRequires: ant-antlr
 BuildRequires: apache-commons-collections
From 6514bf5e965f7fdf14d13b54b3777ed8bd46f2703c473aff319ce814e705cfc8 Mon Sep 17 00:00:00 2001
From: Michele Bussolotto
Date: Wed, 17 Jan 2024 18:21:02 +0000
Subject: [PATCH 4/5] OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=23
---
tomcat10.changes | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tomcat10.changes b/tomcat10.changes
index 73ef7ac..cf0f5e8 100644
--- a/tomcat10.changes
+++ b/tomcat10.changes
@@ -138,6 +138,8 @@ Wed Jan 17 15:59:25 UTC 2024 - Michele Bussolotto
 has been raised to Java 17. (markt)
 + Update: Update the OWB module to Apache OpenWebBeans 4.0.0.
 (remm)
+- Added patches:
+ * tomcat-10.1-build-with-java-11.patch
 -------------------------------------------------------------------
 Wed Jan 17 15:35:51 UTC 2024 - Michele Bussolotto
From 30b2afc48b01d63a3644b5a43dfa3d025b3cd7aa4c17c3b6c9ddc4c588019168 Mon Sep 17 00:00:00 2001
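Review bot: The third hunk re-points `Patch9` to a build-with-java-11 patch while the first hunk keeps `%define java_minor 11`, yet the changes entry in this same update records that upstream raised the minimum JDK for building 10.1.18 to Java 17; nothing in the spec says that Patch9 exists only to defeat that build.xml check, so every future version bump will silently depend on re-porting it. Add a comment above the Patch9 line, e.g. `# Upstream 10.1.x requires Java 17 to build; this patch relaxes the build.xml check so the package still builds with Java 11 -- re-check on every update`, and consider noting in the changes entry that the package is built with a lower JDK than upstream supports. Dropping `Source33: tomcat-10-CVE-2023-46589.patch` is consistent with the changes entry listing that CVE as fixed in 10.1.18, but the %prep section where it could have been applied lies outside these hunks; confirm no `%{SOURCE33}` reference remains there.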
From: Michele Bussolotto
Date: Thu, 18 Jan 2024 08:35:54 +0000
Subject: [PATCH 5/5] OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=24
---
...d-with-java-11.patch => tomcat-10.1-build-with-java-11.patch | 0
tomcat10.spec | 2 +-
2 files changed, 1 insertion(+), 1 deletion(-)
rename tomcat-10.0-build-with-java-11.patch => tomcat-10.1-build-with-java-11.patch (100%)
diff --git a/tomcat-10.0-build-with-java-11.patch b/tomcat-10.1-build-with-java-11.patch
similarity index 100%
rename from tomcat-10.0-build-with-java-11.patch
rename to tomcat-10.1-build-with-java-11.patch
diff --git a/tomcat10.spec b/tomcat10.spec
index 40349fc..bf0a2bf 100644
--- a/tomcat10.spec
+++ b/tomcat10.spec
@@ -92,7 +92,7 @@ Patch5: %{app_name}-jdt.patch
 Patch6: %{app_name}-secretRequired-default.patch
 Patch7: %{app_name}-fix_catalina.patch
 Patch8: %{app_name}-logrotate_everything.patch
-Patch9: tomcat-10.0-build-with-java-11.patch
+Patch9: tomcat-10.1-build-with-java-11.patch
 BuildRequires: ant >= 1.10.2
 BuildRequires: ant-antlr
 BuildRequires: apache-commons-collections