forked from pool/tomcat10

Accepting request 1139521 from home:mbussolotto:branches:Java:packages

- Update to Tomcat 10.1.18
  * Fixed CVEs:
    + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
      incorrect headers parsing (bsc#1217649)
  * Catalina
    + Update:  68378: Align extension to MIME type mappings in the
      global web.xml with those in httpd by adding
      application/vnd.geogebra.slides for ggs, text/javascript for mjs
      and audio/ogg for opus. (markt)
    + Fix:  Background processes should not be run concurrently with
      lifecycle operations of a container. (remm)
    + Fix:  Correct unintended escaping of XML in some WebDAV
      responses. The XML list of support locks when provided in
      response to a PROPFIND request was incorrectly XML escaped.
      (markt)
    + Fix:  68227: Ensure that AsyncListener.onComplete() is called
      if AsyncListener.onError() calls AsyncContext.dispatch().
      (markt)
    + Fix:  68228: Use a 408 status code if a read timeout occurs
      during HTTP request processing. Includes a test case based on
      code provided by adwsingh. (markt)
    + Fix:  67667: TLSCertificateReloadListener prints unreadable
      rendering of X509Certificate#getNotAfter(). (michaelo)
    + Update:  The status servlet included in the manager webapp
      can now output statistics as JSON, using the JSON=true URL
      parameter. (remm)
    + Update:  Optionally allow ServiceBindingPropertySource to
      trim a trailing newline from a file containing a
      property-value. (schultz)
    + Fix:  67793: Ensure the original session timeout is restored

OBS-URL: https://build.opensuse.org/request/show/1139521
OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=22
Michele Bussolotto 2024-01-17 17:29:08 +00:00 committed by Git OBS Bridge
parent 605c062dcf
commit e91e59ba95
10 changed files with 167 additions and 361 deletions
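Added example, written for this page and not code from the tomcat10 package or from Apache Tomcat. The request above drops the local tomcat-10-CVE-2023-46589.patch (Source33 in the spec hunk below) because 10.1.18 ships the fix; the two properties that patch enforced, and that the 10.1.18 changelog entries in the commit message describe, are that a trailer field name which is not an RFC 9110 token is answered with a 400 rather than a 500, and that the 400 is recorded even when the application swallows the read error. The model below shows both on constructed chunked bodies modelled on the patch's test request. All names are assumptions, and `service` is a deliberately simplified stand-in for a container's read path, not Tomcat's API.

```python
import re

# RFC 9110 tchar: field names, including trailer field names, must be tokens.
_TOKEN = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")
_CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]{1,8}")


class BadRequestError(IOError):
    """Malformed request body: must surface as HTTP 400, never 500 or 200."""


def decode_chunked(body: bytes):
    """Decode a chunked HTTP/1.1 body into (payload, trailers) or raise BadRequestError.

    Rejects non-hex chunk sizes, truncated chunks, trailer lines whose field
    name is not a token (e.g. "x@trailer"), and stray bytes after the final CRLF.
    """
    payload, pos = bytearray(), 0
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise BadRequestError("chunk-size line not terminated")
        size_token = body[pos:end].split(b";", 1)[0].strip()  # drop chunk-ext
        if not _CHUNK_SIZE.fullmatch(size_token):
            raise BadRequestError("invalid chunk-size %r" % size_token)
        size, pos = int(size_token, 16), end + 2
        if size == 0:
            break
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise BadRequestError("truncated chunk or missing chunk CRLF")
        payload += body[pos:pos + size]
        pos += size + 2
    trailers = {}
    while True:
        end = body.find(b"\r\n", pos)
        if end < 0:
            raise BadRequestError("trailer section not terminated")
        line, pos = body[pos:end], end + 2
        if not line:
            break
        name, sep, value = line.partition(b":")
        if not sep or not _TOKEN.fullmatch(name):
            raise BadRequestError("invalid trailer field name %r" % name)
        trailers[name.decode("ascii").lower()] = value.strip().decode("latin-1")
    if pos != len(body):
        raise BadRequestError("%d stray bytes after chunked body" % (len(body) - pos))
    return bytes(payload), trailers


def is_bad_request(body: bytes) -> bool:
    try:
        decode_chunked(body)
        return False
    except BadRequestError:
        return True


class Response:
    def __init__(self):
        self.status, self.error, self.body = 200, False, ""


def service(body: bytes, servlet, harden: bool) -> Response:
    """Simplified model (assumption, not Tomcat's code) of a container read path.

    harden=False: a read error is only an exception, so an application that
    swallows it leaves the response at 200.  harden=True: the read path marks
    the response 400/error before the exception reaches the application, so
    swallowing cannot hide the bad request.
    """
    resp = Response()

    def read_body():
        try:
            return decode_chunked(body)
        except BadRequestError:
            if harden:
                resp.status, resp.error = 400, True
            raise

    try:
        servlet(read_body, resp)
    except BadRequestError:
        resp.status, resp.error = 400, True  # container-level error handling
    return resp


def strict_servlet(read_body, resp):
    read_body()              # lets the error propagate to the container
    resp.body = "OK"


def swallowing_servlet(read_body, resp):
    try:
        read_body()
    except IOError:
        pass                 # swallowed: the app never reports the bad request
    resp.body = "OK"


# Constructed sample bodies, modelled on the request in the dropped patch's test case.
GOOD_BODY = b"3\r\na=0\r\n4\r\n&b=1\r\n0\r\nx-trailer: Test\r\n\r\n"
BAD_TRAILER_BODY = b"3\r\na=0\r\n4\r\n&b=1\r\n0\r\nx@trailer: Test\r\n\r\n"

if __name__ == "__main__":
    print(decode_chunked(GOOD_BODY))
    for harden in (False, True):
        r = service(BAD_TRAILER_BODY, swallowing_servlet, harden)
        print("harden=%s, swallowing app -> status %d" % (harden, r.status))
```

The `harden=False` run is the pre-fix state: the malformed trailer is detected, but a servlet that catches the `IOError` reports 200 and the bad request never shows up in access logs or error handling. With `harden=True` the status is fixed at 400 before the application code gets a say, which is the property the `InputBuffer` change in the dropped patch adds.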


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:029ef4076e5175a5ec2ce7dda191f2e2d6add0dd6c1366078e6ed7292dace80e
size 6131823


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
=/3mT
-----END PGP SIGNATURE-----


@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:e676c0b964d5c27e02c668839940ce6510bebf6797a2d012652990de47a32967
size 6148509


@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
=nadB
-----END PGP SIGNATURE-----

apache-tomcat-10.1.18-src.tar.gz (Stored with Git LFS) Normal file



@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
=pryG
-----END PGP SIGNATURE-----


@ -1,307 +0,0 @@
Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/BadRequestException.java
===================================================================
--- /dev/null
+++ apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/BadRequestException.java
@@ -0,0 +1,68 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.connector;
+
+import java.io.IOException;
+
+/**
+ * Extend IOException to identify it as being caused by a bad request from a remote client.
+ */
+public class BadRequestException extends IOException {
+
+ private static final long serialVersionUID = 1L;
+
+
+ // ------------------------------------------------------------ Constructors
+
+ /**
+ * Construct a new BadRequestException with no other information.
+ */
+ public BadRequestException() {
+ super();
+ }
+
+
+ /**
+ * Construct a new BadRequestException for the specified message.
+ *
+ * @param message Message describing this exception
+ */
+ public BadRequestException(String message) {
+ super(message);
+ }
+
+
+ /**
+ * Construct a new BadRequestException for the specified throwable.
+ *
+ * @param throwable Throwable that caused this exception
+ */
+ public BadRequestException(Throwable throwable) {
+ super(throwable);
+ }
+
+
+ /**
+ * Construct a new BadRequestException for the specified message and throwable.
+ *
+ * @param message Message describing this exception
+ * @param throwable Throwable that caused this exception
+ */
+ public BadRequestException(String message, Throwable throwable) {
+ super(message, throwable);
+ }
+}
Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/ClientAbortException.java
===================================================================
--- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/connector/ClientAbortException.java
+++ apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/ClientAbortException.java
@@ -16,14 +16,12 @@
*/
package org.apache.catalina.connector;
-import java.io.IOException;
-
/**
* Extend IOException to identify it as being caused by an abort of a request by a remote client.
*
* @author Glenn L. Nielsen
*/
-public final class ClientAbortException extends IOException {
+public final class ClientAbortException extends BadRequestException {
private static final long serialVersionUID = 1L;
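Review bot: reversing the hierarchy so that ClientAbortException extends BadRequestException means any catch site elsewhere in the tree that still catches ClientAbortException will not see the new BadRequestException thrown from InputBuffer; that exception then falls through to the generic IOException handlers and is logged as an error. This patch updates only ApplicationDispatcher and StandardWrapperValve, so grep the rest of the source for `catch (ClientAbortException` before carrying it. Dropping `import java.io.IOException;` is correct, since BadRequestException is in the same package.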
Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/InputBuffer.java
===================================================================
--- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/connector/InputBuffer.java
+++ apache-tomcat-10.1.14-src/java/org/apache/catalina/connector/InputBuffer.java
@@ -29,6 +29,7 @@ import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import jakarta.servlet.ReadListener;
+import jakarta.servlet.RequestDispatcher;
import org.apache.catalina.security.SecurityUtil;
import org.apache.coyote.ActionCode;
@@ -307,10 +308,24 @@ public class InputBuffer extends Reader
try {
return coyoteRequest.doRead(this);
+ } catch (BadRequestException bre) {
+ // Set flag used by asynchronous processing to detect errors on non-container threads
+ coyoteRequest.setErrorException(bre);
+ // In synchronous processing, this exception may be swallowed by the application so set error flags here.
+ coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, bre);
+ coyoteRequest.getResponse().setStatus(400);
+ coyoteRequest.getResponse().setError();
+ // Make the exception visible to the application
+ throw bre;
} catch (IOException ioe) {
+ // Set flag used by asynchronous processing to detect errors on non-container threads
coyoteRequest.setErrorException(ioe);
- // An IOException on a read is almost always due to
- // the remote client aborting the request.
+ // In synchronous processing, this exception may be swallowed by the application so set error flags here.
+ coyoteRequest.setAttribute(RequestDispatcher.ERROR_EXCEPTION, ioe);
+ coyoteRequest.getResponse().setStatus(400);
+ coyoteRequest.getResponse().setError();
+ // Any other IOException on a read is almost always due to the remote client aborting the request.
+ // Make the exception visible to the application
throw new ClientAbortException(ioe);
}
}
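Review bot: the two catch blocks duplicate the same five lines of error-flag setting, and the IOException branch now reports status 400 for every read failure, including a client abort or a read timeout, neither of which is a bad request; 10.1.18 itself uses 408 for read timeouts (68228 in the commit message). Restrict `setStatus(400)` to the BadRequestException branch, or move the flag setting into a small helper that takes the status as a parameter. Also worth guarding with `isCommitted()`: once the response is committed, `setStatus` has no effect and only the `setError()` flag survives.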
Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/core/ApplicationDispatcher.java
===================================================================
--- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/core/ApplicationDispatcher.java
+++ apache-tomcat-10.1.14-src/java/org/apache/catalina/core/ApplicationDispatcher.java
@@ -41,7 +41,7 @@ import org.apache.catalina.AsyncDispatch
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.Wrapper;
-import org.apache.catalina.connector.ClientAbortException;
+import org.apache.catalina.connector.BadRequestException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.RequestFacade;
import org.apache.catalina.connector.Response;
@@ -642,7 +642,7 @@ final class ApplicationDispatcher implem
filterChain.doFilter(request, response);
}
// Servlet Service Method is called by the FilterChain
- } catch (ClientAbortException e) {
+ } catch (BadRequestException e) {
ioException = e;
} catch (IOException e) {
wrapper.getLogger().error(sm.getString("applicationDispatcher.serviceException", wrapper.getName()), e);
@@ -653,7 +653,7 @@ final class ApplicationDispatcher implem
wrapper.unavailable(e);
} catch (ServletException e) {
Throwable rootCause = StandardWrapper.getRootCause(e);
- if (!(rootCause instanceof ClientAbortException)) {
+ if (!(rootCause instanceof BadRequestException)) {
wrapper.getLogger().error(sm.getString("applicationDispatcher.serviceException", wrapper.getName()),
rootCause);
}
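Review bot: the first hunk stores a BadRequestException in `ioException` without any logging, exactly as the old ClientAbortException path did, but a 400 caused by a malformed request (an invalid trailer name, for instance) is useful operator signal and should at least be logged at debug level, as the StandardWrapperValve change in this same patch does. The catch order, BadRequestException before IOException, is required here because BadRequestException is itself an IOException.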
Index: apache-tomcat-10.1.14-src/java/org/apache/catalina/core/StandardWrapperValve.java
===================================================================
--- apache-tomcat-10.1.14-src.orig/java/org/apache/catalina/core/StandardWrapperValve.java
+++ apache-tomcat-10.1.14-src/java/org/apache/catalina/core/StandardWrapperValve.java
@@ -32,7 +32,7 @@ import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Globals;
import org.apache.catalina.LifecycleException;
-import org.apache.catalina.connector.ClientAbortException;
+import org.apache.catalina.connector.BadRequestException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
@@ -169,7 +169,7 @@ final class StandardWrapperValve extends
}
}
- } catch (ClientAbortException | CloseNowException e) {
+ } catch (BadRequestException | CloseNowException e) {
if (container.getLogger().isDebugEnabled()) {
container.getLogger().debug(
sm.getString("standardWrapper.serviceException", wrapper.getName(), context.getName()), e);
@@ -190,7 +190,7 @@ final class StandardWrapperValve extends
// do not want to do exception(request, response, e) processing
} catch (ServletException e) {
Throwable rootCause = StandardWrapper.getRootCause(e);
- if (!(rootCause instanceof ClientAbortException)) {
+ if (!(rootCause instanceof BadRequestException)) {
container.getLogger().error(sm.getString("standardWrapper.serviceExceptionRoot", wrapper.getName(),
context.getName(), e.getMessage()), rootCause);
}
Index: apache-tomcat-10.1.14-src/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java
===================================================================
--- apache-tomcat-10.1.14-src.orig/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java
+++ apache-tomcat-10.1.14-src/test/org/apache/coyote/http11/filters/TestChunkedInputFilter.java
@@ -428,6 +428,83 @@ public class TestChunkedInputFilter exte
}
}
+
+ @Test
+ public void testTrailerHeaderNameNotTokenThrowException() throws Exception {
+ doTestTrailerHeaderNameNotToken(false);
+ }
+
+ @Test
+ public void testTrailerHeaderNameNotTokenSwallowException() throws Exception {
+ doTestTrailerHeaderNameNotToken(true);
+ }
+
+ private void doTestTrailerHeaderNameNotToken(boolean swallowException) throws Exception {
+
+ // Setup Tomcat instance
+ Tomcat tomcat = getTomcatInstance();
+
+ // No file system docBase required
+ Context ctx = tomcat.addContext("", null);
+
+ Tomcat.addServlet(ctx, "servlet", new SwallowBodyServlet(swallowException));
+ ctx.addServletMappingDecoded("/", "servlet");
+
+ tomcat.start();
+
+ String[] request = new String[]{
+ "POST / HTTP/1.1" + SimpleHttpClient.CRLF +
+ "Host: localhost" + SimpleHttpClient.CRLF +
+ "Transfer-encoding: chunked" + SimpleHttpClient.CRLF +
+ "Content-Type: application/x-www-form-urlencoded" + SimpleHttpClient.CRLF +
+ "Connection: close" + SimpleHttpClient.CRLF +
+ SimpleHttpClient.CRLF +
+ "3" + SimpleHttpClient.CRLF +
+ "a=0" + SimpleHttpClient.CRLF +
+ "4" + SimpleHttpClient.CRLF +
+ "&b=1" + SimpleHttpClient.CRLF +
+ "0" + SimpleHttpClient.CRLF +
+ "x@trailer: Test" + SimpleHttpClient.CRLF +
+ SimpleHttpClient.CRLF };
+
+ TrailerClient client = new TrailerClient(tomcat.getConnector().getLocalPort());
+ client.setRequest(request);
+
+ client.connect();
+ client.processRequest();
+ // Expected to fail because of invalid trailer header name
+ Assert.assertTrue(client.getResponseLine(), client.isResponse400());
+ }
+
+ private static class SwallowBodyServlet extends HttpServlet {
+ private static final long serialVersionUID = 1L;
+
+ private final boolean swallowException;
+
+ SwallowBodyServlet(boolean swallowException) {
+ this.swallowException = swallowException;
+ }
+
+ @Override
+ protected void doPost(HttpServletRequest req, HttpServletResponse resp)
+ throws ServletException, IOException {
+ resp.setContentType("text/plain");
+ PrintWriter pw = resp.getWriter();
+
+ // Read the body
+ InputStream is = req.getInputStream();
+ try {
+ while (is.read() > -1) {
+ }
+ pw.write("OK");
+ } catch (IOException ioe) {
+ if (!swallowException) {
+ throw ioe;
+ }
+ }
+ }
+ }
+
private static class EchoHeaderServlet extends HttpServlet {
private static final long serialVersionUID = 1L;
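Review bot: the swallow variant of the test only checks the status line; since `pw.write("OK")` sits after the drain loop inside the try, a swallowed exception must leave the body empty, so also asserting that the response body does not contain OK would prove the application's success path never ran. The empty `while (is.read() > -1) { }` body deserves a `// drain the body` comment, and `x@trailer` should be called out in a comment as deliberately containing a non-token character, which is the whole point of the test.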
Index: apache-tomcat-10.1.14-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-10.1.14-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-10.1.14-src/webapps/docs/changelog.xml
@@ -129,6 +129,11 @@
Improve handling of failures within <code>recycle()</code> methods.
(markt)
</add>
+ <fix>
+ Ensure that an <code>IOException</code> during the reading of the
+ request triggers always error handling, regardless of whether the
+ application swallows the exception. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
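Review bot: "triggers always error handling" should read "always triggers error handling"; otherwise the entry describes the InputBuffer change in this patch accurately.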
@@ -170,7 +175,7 @@
<fix>
Improvements to HTTP/2 overhead protection. (markt)
</fix>
- </changelog>
+d </changelog>
</subsection>
<subsection name="Jasper">
<changelog>
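Review bot: `+d </changelog>` introduces a stray `d` as text content inside the Coyote subsection of changelog.xml, a typo the docs build would render literally. It is moot for this request because the whole patch file is deleted (the fix ships in 10.1.18), but it shows the patch was never run through the docs build before it was carried in the package.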


@ -1,7 +1,8 @@
diff -urEbwB apache-tomcat-10.1.16-src.orig/build.xml apache-tomcat-10.1.16-src/build.xml
--- apache-tomcat-10.1.16-src.orig/build.xml 2024-01-17 17:25:04.525014965 +0100
+++ apache-tomcat-10.1.16-src/build.xml 2024-01-17 17:25:34.891882458 +0100
@@ -107,7 +107,7 @@
Index: apache-tomcat-10.1.18-src/build.xml
===================================================================
--- apache-tomcat-10.1.18-src.orig/build.xml
+++ apache-tomcat-10.1.18-src/build.xml
@@ -108,7 +108,7 @@
<!-- Keep in sync with webapps/docs/tomcat-docs.xsl -->
<property name="compile.release" value="11"/>
<property name="min.java.version" value="11"/>
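Review bot: the refreshed Patch9 still pins `compile.release` and `min.java.version` to 11 while the 10.1.18 entry in .changes says upstream raised the minimum Java version required to build Tomcat to 17; confirm the 10.1.18 tree still compiles under the Java 11 the spec declares (`java_minor 11`) rather than relying on the build.xml check alone. Dropping the local timestamps from the header compared with the old `diff -urEbwB` form is an improvement for reproducibility.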


@ -1,18 +1,150 @@
-------------------------------------------------------------------
Wed Jan 17 15:59:25 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
- Update to Tomcat 10.1.18
* Fixed CVEs:
+ CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
incorrect headers parsing (bsc#1217649)
* Catalina
+ Update: 68378: Align extension to MIME type mappings in the
global web.xml with those in httpd by adding
application/vnd.geogebra.slides for ggs, text/javascript for mjs
and audio/ogg for opus. (markt)
+ Fix: Background processes should not be run concurrently with
lifecycle operations of a container. (remm)
+ Fix: Correct unintended escaping of XML in some WebDAV
responses. The XML list of support locks when provided in
response to a PROPFIND request was incorrectly XML escaped.
(markt)
+ Fix: 68227: Ensure that AsyncListener.onComplete() is called
if AsyncListener.onError() calls AsyncContext.dispatch().
(markt)
+ Fix: 68228: Use a 408 status code if a read timeout occurs
during HTTP request processing. Includes a test case based on
code provided by adwsingh. (markt)
+ Fix: 67667: TLSCertificateReloadListener prints unreadable
rendering of X509Certificate#getNotAfter(). (michaelo)
+ Update: The status servlet included in the manager webapp
can now output statistics as JSON, using the JSON=true URL
parameter. (remm)
+ Update: Optionally allow ServiceBindingPropertySource to
trim a trailing newline from a file containing a
property-value. (schultz)
+ Fix: 67793: Ensure the original session timeout is restored
after FORM authentication if the user refreshes a page during
the FORM authentication process. Based on a suggestion by
Mircea Butmalai. (markt)
+ Update: 67926: PEMFile prints unidentifiable string
representation of ASN.1 OIDs. (michaelo)
+ Fix: 66875: Ensure that setting the request attribute
jakarta.servlet.error.exception is not sufficient to trigger
error handling for the current request and response. (markt)
+ Fix: 68054: Avoid some file canonicalization calls
introduced by the fix for 65433. (remm)
+ Fix: 68089: Improve performance of request attribute access
for ApplicationHttpRequest and ApplicationRequest. (markt)
+ Fix: Use a 400 status code to report an error due to a bad
request (e.g. an invalid trailer header) rather than a 500
status code. (markt)
+ Fix: Ensure that an IOException during the reading of the
request triggers always error handling, regardless of whether
the application swallows the exception. (markt)
* Coyote
+ Fix: Refactor the VirtualThreadExecutor so that it can be
used by the NIO2 connector which was using platform threads
even when configured to use virtual threads. (markt)
+ Fix: Correct a regression in the fix for 67675 that broke
TLS key file parsing for PKCS#8 format keys that do not specify
an explicit pseudo-random function and rely on the default.
This typically affects keys generated by OpenSSL 1.0.2.
(markt)
+ Fix: Allow multiple operations with the same name on
introspected mbeans, fixing a regression caused by the
introduction of a second addSslHostConfig method. (remm)
+ Fix: Relax the check that the HTTP Host header is consistent
with the host used in the request line, if any, to make the
check case insensitive since host names are case insensitive.
(markt)
+ Add: 68348: Add support for the partitioned attribute for
cookies. (markt)
+ Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and
SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
+ Add: When calling
SSLHostConfigCertificate.setCertificateKeystore(ks),
automatically call setCertificateKeystoreType(ks.getType()).
(markt)
+ Fix: 67628: Clarify how the ciphers attribute of the
SSLHostConfig is used. (markt)
+ Fix: 67666: Ensure TLS connectors using PEM files either
work with the TLSCertificateReloadListener or, in the rare case
that they do not, log a warning on Connector start. (markt)
+ Fix: 67675: Support a wider range of KDF and ciphers for PEM
files than the combinations supported by the JVM by default.
Specifically, support the OpenSSL default of HmacSHA256 and
DES-EDE3-CBC. (markt)
+ Fix: 67927: Reloading TLS configuration can cause the
Connector to refuse new connections or the JVM to crash.
(markt)
+ Fix: 67934: If both Tomcat Native 1.2.x and 2.0.x are
available, prefer 1.2.x since it supports the APR/Native
connector whereas 2.0.x does not. (markt)
+ Fix: 67938: Correct handling of large TLS client hello
messages that were causing the TLS handshake to fail. (markt)
+ Fix: 68026: Convert selected MessageByte values to String
when first accessed to speed up subsequent accesses and reduce
garbage collection. (markt)
* Jasper
+ Code: 68119: Refactor the CompositeELResolver to improve
performance during type conversion operations. (markt)
+ Fix: 68068: Performance improvement for EL. Based on a
suggestion by John Engebretson. (markt)
* Web Applications
+ Fix: 68035: Additional fix to the Manager application to
enable the deployment of a web application located in a Host's
appBase where the web application is specified by a bare (no
path) WAR or directory name as shown in the documentation.
(markt)
+ Fix: Examples. Improve the error handling so snakes
associated with a user that drops from the network are removed
from the game. (markt)
+ Fix: 68035: Correct a regression in the fix for 56248 that
prevented deployment via the Manager of a WAR or directory that
was already present in the appBase or a context file that was
already present in the xmlBase. (markt)
* Other
+ Update: Update Checkstyle to 10.12.7. (markt)
+ Update: Update SpotBugs to 4.8.3. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji.
(markt)
+ Update: Update UnboundID to 6.0.11. (markt)
+ Update: Update Checkstyle to 10.12.5. (markt)
+ Update: Update SpotBugs to 4.8.2. (markt)
+ Update: Update Derby to 10.17.1. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji.
(markt)
+ Add: Improvements to Brazilian Portuguese translations by
John William Vicente. (markt)
+ Add: Improvements to Russian translations by usmazat and
remm. (markt)
+ Add: 67538: Make use of Ant's <javaversion /> task to enfore
the mininum Java build version. (michaelo)
+ Update: Update Checkstyle to 10.12.4. (markt)
+ Update: Update JaCoCo to 0.8.11. (markt)
+ Update: Update SpotBugs to 4.8.0. (markt)
+ Update: Update BND to 7.0.0. (markt)
+ Update: The minimum Java version required to build Tomcat
has been raised to Java 17. (markt)
+ Update: Update the OWB module to Apache OpenWebBeans 4.0.0.
(remm)
-------------------------------------------------------------------
Wed Jan 17 15:35:51 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
- change server.xml during %post instead of %posttrans
- add libxslt-tools requirement
-------------------------------------------------------------------
Wed Jan 17 15:35:40 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
- Fixed CVEs:
* CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
incorrect headers parsing (bsc#1217649)
- Added patches:
* tomcat-10-CVE-2023-46589.patch
-------------------------------------------------------------------
Tue Jan 16 09:05:32 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
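Review bot: the new entry pastes the upstream changelog verbatim, including the typos "enfore the mininum" (should be "enforce the minimum"), and it does not record the packaging changes made in the same request: tomcat-10-CVE-2023-46589.patch is dropped from the spec because the fix is in 10.1.18, and Patch9 is renamed and refreshed. The usual form is a "- Removed patches:" block and a "- Renamed patches:" block naming each file with the reason.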


@ -29,7 +29,7 @@
%define elspec %{elspec_major}.%{elspec_minor}
%define major_version 10
%define minor_version 1
%define micro_version 16
%define micro_version 18
%define java_major 1
%define java_minor 11
%define java_version %{java_major}.%{java_minor}
@ -71,7 +71,6 @@ Source21: %{app_name}-functions
Source30: %{app_name}-preamble
Source31: %{app_name}-server
Source32: %{app_name}-named.service
Source33: tomcat-10-CVE-2023-46589.patch
Source100: valve.xslt
Source101: allowLinking.xslt
Source1000: %{app_name}-rpmlintrc
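Review bot: Source33 is removed, but the CVE patch was declared as a Source rather than a Patch, which suggests it was applied by hand in %prep; check that no `%{SOURCE33}` or `tomcat-10-CVE-2023-46589.patch` reference remains there, or the build will fail at the patch step on a file that no longer exists.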
@ -93,7 +92,7 @@ Patch5: %{app_name}-jdt.patch
Patch6: %{app_name}-secretRequired-default.patch
Patch7: %{app_name}-fix_catalina.patch
Patch8: %{app_name}-logrotate_everything.patch
Patch9: java11.patch
Patch9: tomcat-10.0-build-with-java-11.patch
BuildRequires: ant >= 1.10.2
BuildRequires: ant-antlr
BuildRequires: apache-commons-collections
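Review bot: the new Patch9 file name `tomcat-10.0-build-with-java-11.patch` says 10.0 while this package is 10.1 (`major_version 10`, `minor_version 1` above) and the patch header itself targets apache-tomcat-10.1.18-src; since the file is being renamed anyway, pick a name that matches, for example tomcat-10.1-build-with-java-11.patch, and check the `%patch` line in %prep in case it refers to the file name rather than the number.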