rpm/tomcat10
SHA256
1
0
Fork 0
forked from pool/tomcat10
Code Pull Requests Activity

Compare commits

base: rpm:factory
Branches Tags
rpm:factory
rpm:devel
pool:factory
pool:devel
..
compare: pool:factory
Branches Tags
pool:factory
pool:devel
rpm:factory
rpm:devel

9 Commits
factory ... factory

Author SHA256 Message Date
Ana Guerrero
40ea26340f Accepting request 1235237 from Java:packages 
OBS-URL: https://build.opensuse.org/request/show/1235237
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat10?expand=0&rev=15
 2025-01-07 19:52:29 +00:00
Fridrich Strba
8f4e31f092 - Update to Tomcat 10.1.34 
* Fixed CVEs:
    + CVE-2024-54677: DoS in examples web application (bsc#1233434)
    + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663) 
  * Catalina
    + Add: Add option to serve resources from subpath only with WebDAV Servlet
      like with DefaultServlet. (michaelo)
    + Fix: Add special handling for the protocols attribute of SSLHostConfig in
      storeconfig. (remm)
    + Fix: 69442: Fix case sensitive check on content-type when parsing request
      parameters. (remm)
    + Code: Refactor duplicate code for extracting media type and subtype from
      content-type into a single method. (markt)
    + Fix: Compatibility of generated embedded code with components where
      constructors or property related methods throw a checked exception. (remm)
    + Fix: The previous fix for inconsistent resource metadata during concurrent
      reads and writes was incomplete. (markt)
    + Fix: #780: Fix content-range header length. Submitted by Chenjp. (remm)
    + Fix: 69444: Ensure that the jakarta.servlet.error.message request
      attribute is set when an application defined error page is called. (markt)
    + Fix: Avoid quotes for numeric values in the JSON generated by the status
      servlet. (remm)
    + Add: Add strong ETag support for the WebDAV and default servlet, which can
      be enabled by using the useStrongETags init parameter with a value set to
      true. The ETag generated will be a SHA-1 checksum of the resource content.
      (remm)
    + Fix: Use client locale for directory listings. (remm)
    + Fix: 69439: Improve the handling of multiple Cache-Control headers in the
      ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
    + Fix: 69447: Update the support for caching classes the web application

OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=53
 2025-01-06 16:19:58 +00:00
Ana Guerrero
4d415b44f6 Accepting request 1226303 from Java:packages 
OBS-URL: https://build.opensuse.org/request/show/1226303
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat10?expand=0&rev=14
 2024-11-25 22:23:32 +00:00
Michele Bussolotto
8d5b773846 - Update to Tomcat 10.1.33 
* Fixed CVEs:
    + CVE-2024-52316: If the Jakarta Authentication fails with an exception,
      set a 500 status (bsc#1233434)
  * Catalina
    + Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
    + Add: 55470: Add debug logging that reports the class path when a 
      ClassNotFoundException occurs in the digester or the web application class loader. 
      Based on a patch by Ralf Hauser. (markt)
    + Update: 69374: Properly separate between table header and body in 
      DefaultServlet's listing. (michaelo)
    + Update: 69373: Make DefaultServlet's HTML listing file last modified 
      rendering better (flexible). (michaelo)
    + Update: Improve HTML output of DefaultServlet. (michaelo)
    + Code: Refactor RateLimitFilter to use FilterBase as the base class. 
      The primary advantage is less code to process init-param values. (markt)
    + Update: 69370: DefaultServlet's HTML listing uses incorrect labels. 
      (michaelo)
    + Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
    + Fix: Add missing WebDAV Lock-Token header in the response when locking 
      a folder. (remm)
    + Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
    + Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
    + Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
    + Fix: Send 415 response to WebDAV MKCOL operations that include a request 
      body since this is optional and unsupported. (remm)
    + Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
    + Fix: Do not allow a new WebDAV lock on a child resource if a parent 
      collection is locked (RFC 4918 section 6.1). (remm)
    + Fix: WebDAV DELETE should remove any existing lock on successfully 
      deleted resources. (remm)
    + Update: Remove WebDAV lock null support in accordance with RFC 4918 
      section 7.3 and annex D. Instead, a lock on a non-existing resource will 
      create an empty file locked with a regular lock. (remm)
    + Update: Rewrite implementation of WebDAV shared locks to comply with 
      RFC 4918. (remm)
    + Update: Implement WebDAV If header using code from the Apache Jackrabbit 
      project. (remm)
    + Add: Add PropertyStore interface in the WebDAV Servlet, to allow 
      implementation of dead properties storage. The store used can be configured 
      using the propertyStore init parameter of the WebDAV servlet by specifying 
      the class name of the store. A simple non-persistent implementation is 
      used if no custom store is configured. (remm)
    + Update: Implement WebDAV PROPPATCH method using the newly added 
      PropertyStore, and update PROPFIND to support it. (remm)
    + Fix: Cache not found results when searching for web application class 
      loader resources. This addresses performance problems caused by components 
      such as java.sql.DriverManager, which in some circumstances will search 
      for the same class repeatedly. The size of the cache can be controlled 
      via the new notFoundClassResourceCacheSize on the StandardContext. (markt)
    + Fix: Stop after INITIALIZED state should be a noop since it is possible 
      for subcomponents to be in FAILED after init. (remm)
    + Fix: Fix incorrect web resource cache size calculations when there are 
      concurrent PUT and DELETE requests for the same resource. (markt)
    + Add: Add debug logging for the web resource cache so the current size 
      can be tracked as resources are added and removed. (markt)
    + Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens 
      with urn:uuid: as recommended by RFC 4918, and remove secret init 
      parameter. (remm)
    + Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the 
      same path caused corruption of the FileResource where some of the fields 
      were set as if the file exists and some as set as if it does not. This 
      resulted in inconsistent metadata. (markt)
    + Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on 
      GET and HEAD requests. Also, skip requests where the application has 
      set Cache-Control: no-store. (markt)
    + Fix: 69419: Improve the performance of ServletRequest.getAttribute() 
      when there are multiple levels of nested includes. Based on a patch 
      provided by John Engebretson. (markt)
    + Add: All applications to send an early hints informational response 
      by calling HttpServletResponse.sendError() with a status code of 103. 
      (schultz)
    + Fix: Ensure that ServerAuthModule.initialize() is called when a 
      Jakarta Authentication module is configured via registerServerAuthModule(). 
      (markt)
    + Fix: Ensure that the Jakarta Authentication CallbackHandler only creates 
      one GenericPrincipal in the Subject. (markt)
    + Fix: If the Jakarta Authentication process fails with an Exception, 
      explicitly set the HTTP response status to 500 as the ServerAuthContext 
      may not have set it. (markt)
    + Fix: When persisting the Jakarta Authentication provider configuration, 
      create any necessary parent directories that don't already exist. (markt)
    + Fix: Correct the logic used to detect errors when deleting temporary files 
      associated with persisting the Jakarta Authentication provider 
      configuration. (markt)
    + Fix: When processing Jakarta Authentication callbacks, don't overwrite 
      a Principal obtained from the PasswordValidationCallback with null if the 
      CallerPrincipalCallback does not provide a Principal. (markt)
    + Fix: Avoid store config backup loss when storing one configuration more 
      than once per second. (remm)
    + Fix: 69359: WebdavServlet duplicates getRelativePath() method from 
      super class with incorrect Javadoc. (michaelo)
    + Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and 
      DefaultServlet. (michaelo)
    + Fix: Make WebdavServlet properly return the Allow header when deletion 
      of a resource is not allowed. (michaelo)
    + Fix: Add log warning if non-wildcard mappings are used with the WebdavServlet. 
      (remm)
    + Fix: 69361: Ensure that the order of entries in a multi-status response 
      to a WebDAV is consistent with the order in which resources were processed. 
      (markt)
    + Fix: 69362: Provide a better multi-status response when deleting a 
      collection via WebDAV fails. Empty directories that cannot be deleted 
      will now be included in the response. (markt)
    + Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to 
      ensure that the correct path is used when the WebDAV servlet is mounted 
      at a sub-path within the web application. (markt)
    + Fix 69320, a regression in the fix for 69302 that meant the HTTP/2 processing
      was likely to be broken for all clients once any client sent an HTTP/2
      reset frame. (markt)
    + Fix: Improve performance of ApplicationHttpRequest.parseParameters(). 
      Based on sample code and test cases provided by John Engebretson. (markt)
    + Fix:  Correct regressions in the refactoring that added recycling of the coyote
      request and response to the HTTP/2 processing. (markt)
    + Add: Add support for RFC 8297 (Early Hints). Applications can use this 
      feature by casting the HttpServletResponse to org.apache.catalina.connector. 
      Response and then calling the method void sendEarlyHints(). This method 
      will be added to the Servlet API (removing the need for the cast) in Servlet 
      6.2 onwards. (markt)
    + Fix: 69214: Do not reject a CORS request that uses POST but does not include 
      a content-type header. Tomcat now correctly processes this as a simple CORS 
      request. Based on a patch suggested by thebluemountain. (markt)
    + Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than 
      Subject.doAs() when available. (markt)
    + Fix: Allow JAASRealm to use the configuration source to load a configured 
      configFile, for easier use with testing. (remm)
    + Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)
    + Fix: Add the OpenSSL version number on the APR and OpenSSL status classes. 
      (remm)
    + Fix: 69131: Expand the implementation of the filter value of the Authenticator 
      attribute allowCorsPreflight, so that it applies to all requests that match 
      the configured URL patterns for the CORS filter, rather than only applying 
      if the CORS filter is mapped to /*. (markt)
    + Fix: Using the OpenSSLListener will now cause the connector to use OpenSSL 
      if available. (remm)
  * Coyote
    + Fix: Return null SSL session id on zero-length byte array returned 
      from the SSL implementation. (remm)
    + Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
    + Fix: Create the HttpParser in Http11Processor if it is not present on 
      the AbstractHttp11Protocol to provide better lifecycle robustness for 
      regular HTTP/1.1. The new behavior was introduced in a previous refactoring 
      to improve HTTP/2 performance. (remm)
    + Fix: OpenSSLContext will now throw a KeyManagementException if something 
      is known to have gone wrong in the init method, which is the behavior 
      documented by javax.net.ssl.SSLContext.init. This makes error handling 
      more consistent. (remm)
    + Fix: 69379: The default HEAD response no longer includes the payload 
      HTTP header fields as per section 9.3.2 of RFC 9110. (markt)
    + Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to 
      generate Date headers for HTTP responses) generates the correct string 
      for the given input. Prior to this change, the output may have been 
      wrong by one second in some cases. Pull request #751 provided by Chenjp. 
      (markt)
    + Fix: Request start time may not have been accurately recorded for HTTP/1.1 
      requests preceded by a large number of blank lines. (markt)
    + Add: Add server and serverRemoveAppProvidedValues to the list of attributes 
      the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested 
      within. (markt)
    + Fix: Avoid possible crashes when using Apache Tomcat Native, caused by 
      destroying SSLContext objects through GC after APR has been terminated. 
      (remm)
    + Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields 
      no longer need to be received before the headers of the subsequent stream, 
      nor are trailer fields for an in-progress stream swallowed if the Connector 
      is paused before the trailer fields are received. (markt)
    + Fix: Ensure the request and response are not recycled too soon for an 
      HTTP/2 stream when a stream-level error is detected during the processing 
      of incoming HTTP/2 frames. This could lead to incorrect processing times 
      appearing in the access log. (markt)
    + Fix: Correct a regression in the fix for non-blocking reads of chunked 
      request bodies that caused InputStream.available() to return a non-zero 
      value when there was no data to read. In some circumstances this could 
      cause a blocking read to block waiting for more data rather than return 
      the data it had already received. (markt)
    + Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor. 
      The default behaviour is unchanged. (markt)
    + Fix: Ensure that Tomcat sends a TLS close_notify message after receiving 
      one from the client when using the OpenSSLImplementation. (markt)
    + Fix: 69301: Fix trailer headers replacing non-trailer headers when writing 
      response headers to the access log. Based on a patch and test case 
      provided by hypnoce. (markt)
    + Fix: 69302: If an HTTP/2 client resets a stream before the request body 
      is fully written, ensure that any ReadListener is notified via a call 
      to ReadListener.onError(). (markt)
    + Fix: Ensure that HTTP/2 stream input buffers are only created when there is 
      a request body to be read. (markt)
    + Code: Refactor creation of HttpParser instances from the Processor level to 
      the Protocol level since the parser configuration depends on the protocol 
      and the parser is, otherwise, stateless. (markt)
    + Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal request 
      and response processing objects by default. This behaviour can be controlled 
      via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol. 
      (markt)
    + Fix: Clean and log OpenSSL errors before processing of OpenSSL conf commands 
      in the FFM code. (remm)
    + Fix: 69121: Ensure that the onComplete() event is triggered if AsyncListener.
      onError() dispatches to a target that throws an exception. (markt)
    + Fix: Following the trailer header field refactoring, -1 is no longer an allowed 
      value for maxTrailerSize. Adjust documentation accordingly. (remm)
    + Update: Move OpenSSL support using FFM to a separate JAR named tomcat-coyote-ffm.
      jar that advertises Java 22 in its manifest. (remm)
    + Fix: Fix search for OpenSSL library for FFM on Mac OS so that java.library.path 
      is searched. (markt)
    + Update: Add FFM compatibility methods for LibreSSL support. Renegotiation is 
      not supported at the moment. (remm)
    + Update: Add org.apache.tomcat.util.openssl.LIBRARY_NAME (specifies the name 
      of the library to load) and org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY 
      (set to true to use System.loadLibrary rather than the FFM library loading code) 
      to configure the OpenSSL library loading using FFM. (remm)
    + Update: Add FFM compatibility methods for BoringSSL support. Renegotiation is 
      not supported in many cases. (remm)
  * Jasper
    + Fix: Add back tag release method as deprecated in the runtime for 
      compatibility with old generated code. (remm)
    + Fix: 69399: Fix regression caused by improvement 69333, which caused 
      the tag release to be called when using tag pooling, and to be skipped 
      when not using it. Patch submitted by Michal Sobkiewicz. (remm)
    + Fix: 69381: Improve method lookup performance in expression language. 
      When the required method has no arguments, there is no need to consider 
      casting or coercion, and the method lookup process can be simplified. 
      Based on a pull request by John Engebretson. (markt)
    + Fix: 69382: Improve the performance of the JSP include action by re-using 
      results of relatively expensive method calls in the generated code rather 
      than repeating them. Patch provided by John Engebretson. (markt)
    + Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. 
      Based on a suggestion by John Engebretson. (markt)
    + Fix: 69406: When using StringInterpreterEnum, do not throw an 
      IllegalArgumentException when an invalid Enum is encountered. Instead, 
      resolve the value at runtime. Patch provided by John Engebretson. (markt)
    + Fix: 69429: Optimize EL evaluation of method parameters for methods 
      that do not accept any parameters. Patch provided by John Engebretson. (markt)
    + Fix: Further optimize EL evaluation of method parameters. Patch provided 
      by Paolo B. (markt)
    + Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
    + Fix: 69338: Improve the performance of processing expressions that include 
      AND or OR operations with more than two operands and expressions that use 
      not empty. (markt)
    + Fix: 69348: Reduce memory consumption in ELContext by using lazy 
      initialization for the data structure used to track lambda arguments. (markt)
    + Fix: Switch the TldScanner back to logging detailed scan results at debug 
      level rather than trace level. (markt)
    + Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of 
      new classes added to the java.lang package in Java 23. (markt)
    + Fix: Ensure that an exception in toString() still results in an ELException 
      when an object is coerced to a String using ExpressionFactory.coerceToType(). 
      (markt)
    + Add: Add support for specifying Java 24 (with the value 24) as the compiler 
      source and/or compiler target for JSP compilation. If used with an Eclipse JDT 
      compiler version that does not support these values, a warning will be logged 
      and the default will be used. (markt)
    + Fix: 69135: When using include directives in a tag file packaged in a JAR file, 
      ensure that context relative includes are processed correctly. (markt)
    + Fix: 69135: When using include directives in a tag file packaged in a JAR file, 
      ensure that file relative includes are processed correctly. (markt)
    + Fix: 69135: When using include directives in a tag file packaged in a JAR file, 
      ensure that file relative includes are not permitted to access files outside 
      of the /META_INF/tags/ directory nor outside of the JAR file. (markt)
  * WebSocket
    + Fix: If a blocking message write exceeds the timeout, don't attempt the 
      write again before throwing the exception. (markt)
    + Fix: An EncodeException being thrown during a message write should not 
      automatically cause the connection to close. The application should handle 
      the exception and make the decision whether or not to close the connection. 
      (markt)
  * Web applications
    + Fix: The manager webapp will now be able to access certificates again 
      when OpenSSL is used. (remm)
    + Fix: Documentation. Align the logging configuration documentation with 
      the current defaults. (markt)
    + Fix: Fix status servlet detailed view of the connectors when using automatic 
      port. (remm)
  * jdbc-pool
    + Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions 
      executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException 
      rather than the application seeing the original SQLException. Fixed by pull 
      request #744 provided by Michael Clarke. (markt)
    + Fix: 69279: Correct a regression in the fix for 69206 that meant that methods 
      that previously returned a null ResultSet were returning a proxy with a 
      null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt)
    + Fix: 69206: Ensure statements returned from Statement methods executeQuery(), 
      getResultSet() and getGeneratedKeys() are correctly wrapped before being returned 
      to the caller. Based on pull request #742 provided by Michael Clarke. (markt)
  * Other
    + Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. (markt)
    + Update: Update Byte Buddy to 1.15.10. (markt)
    + Update: Update CheckStyle to 10.20.0. (markt)
    + Add: Improvements to German translations. (remm)
    + Update: Update Byte Buddy to 1.15.3. (markt)
    + Update: Update CheckStyle to 10.18.2. (markt)
    + Add: Improvements to French translations. (remm)
    + Add: Improvements to Japanese translations by tak7iji. (markt)
    + Add: Improvements to Chinese translations by Ch_jp. (markt)
    + Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt)
    + Fix: Change the default log handler level to ALL so log messages are not 
      dropped by default if a logger is configured to use trace (FINEST) level 
      logging. (markt)
    + Update: Update Hamcrest to 3.0. (markt)
    + Update: Update EasyMock to 5.4.0. (markt)
    + Update: Update Byte Buddy to 1.15.0. (markt)
    + Update: Update CheckStyle to 10.18.0. (markt)
    + Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)
    + Add: Improvements to Spanish translations by Fernando. (markt)
    + Add: Improvements to French translations. (remm)
    + Add: Improvements to Japanese translations by tak7iji. (markt)
    + Fix: Fix packaging regression with missing osgi information following addition 
      of the test-only build target. (remm)
    + Update: Update Tomcat Native to 2.0.8. (markt)
    + Update: Update Byte Buddy to 1.14.18. (markt)
    + Add: Improvements to French translations. (remm)
    + Add: Improvements to Japanese translations by tak7iji. (markt)
    + Update: Add test-only build target to allow running only the testsuite, 
      supporting Java versions down to the minimum supported to run Tomcat. (rjung)
    + Update: Update UnboundID to 7.0.1. (markt)
    + Update: Update to SpotBugs 4.8.6. (markt)
    + Update: Remove cglib dependency as it is not required by the version of EasyMock 
      used by the unit tests. (markt)
    + Update: Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy 
      1.14.17. (markt)
    + Add: Improvements to Czech translations by Vladimír Chlup. (markt)
    + Add: Improvements to French translations. (remm)
    + Add: Improvements to Japanese translations by tak7iji. (markt)
    + Add: Improvements to Chinese translations by fangzheng. (markt)

OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=51
 2024-11-25 14:53:55 +00:00
Ana Guerrero
0e17987e4a Accepting request 1205528 from Java:packages 
Adapt the scripts to run also with javapackages-tools >= 6.3

OBS-URL: https://build.opensuse.org/request/show/1205528
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat10?expand=0&rev=13
 2024-10-03 15:40:55 +00:00
Fridrich Strba
7d0005b465 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=49 2024-10-03 13:18:03 +00:00
Ana Guerrero
c6edbf740e Accepting request 1204559 from Java:packages 
Fix build after removal of the default %%{java_home} define

OBS-URL: https://build.opensuse.org/request/show/1204559
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat10?expand=0&rev=12
 2024-09-30 13:39:52 +00:00
Fridrich Strba
3af59d4873 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=47 2024-09-29 19:42:34 +00:00
Fridrich Strba
b5d5c37d96 OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=46 2024-09-29 05:25:59 +00:00
9 changed files with 496 additions and 33 deletions
Show Stats Expand all files Collapse all files

BIN
apache-tomcat-10.1.25-src.tar.gz (Stored with Git LFS)
View File

Binary file not shown.

17
apache-tomcat-10.1.25-src.tar.gz.asc
View File

@ -1,17 +0,0 @@
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org
iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmZsrB0ACgkQHPApP6U8
pFgWehAAsL94Pf+o5NqhdP9RXxOLfGkAjwC6UdWEGbi/UUhJz/tEx3A66P3eyKJx
KZw+0oqnwI9dXNry9TH3zZHk1Qj93HzOQRPolomCZWnwAcq964IutIc0PQMvga8+
kaNfCloaOo9+VPeOAQ5rSn2jbdui+lYuTvHUuMiJ2+/U33Dn45JtTY+sQZxGFI0D
OM9Bu7j64Vxp6tLMtYwcO33vsKnlT6WmC7NekkbyWlkLIDTKfaNp6PstKI1cxOvY
8Cc1G276iGjPsyf06ooPZ6yunXYOXXT5SSsyvsKdWyacdFQ9BxlC5asOIwr+OKjp
6tDIWK2RZQPs5fVGAeW4+6YN4jpTDrjjJvvC2M/Quyn7eRME0yB7qa6QAFM7mpqk
oATHa+np0X3a5iNHW6w61En1F8yG2DtMyxIApkS25SGyA3XCRmZy2v14WPEaJURb
PTrXY4+p18ae7cB6R5eoQZlBMxN+yqmwr7+RLcU3bTvMb65g19RPUcZ78/aKWteF
G0wHn/QQy1yjDg4zJ0RQZzF0GhChux/G8Is423PiAskQJjQMB2O39PJV3D+hbrwk
VXkH1JNwl5O18S76o0/t7eMF1Z1LViyS3Ldr/M9vpxtGmtX5VdfzmZ+Z6+JvAaZI
+Ae7aA9B3BLWGiAjJNsu2FBY94jx2FZJgedg3pvPIyFSP6+W1Hg=
=l6Tt
-----END PGP SIGNATURE-----

BIN
apache-tomcat-10.1.34-src.tar.gz (Stored with Git LFS) Normal file
View File

Binary file not shown.

16
apache-tomcat-10.1.34-src.tar.gz.asc Normal file
View File

@ -0,0 +1,16 @@
-----BEGIN PGP SIGNATURE-----
iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmdRzrQACgkQHPApP6U8
pFhZQxAAnH4jJMx+v+QL24U1Zm7VJCZv+9BPqJa7M5GbHpoOZbtbLYAguPRiQ7eg
DpmEiotkE/UihXSTSOpPI3u1WLjrfmiRjmrbYwtVbPyca/6xUbj3wbD+W1ody64v
sfvfiX5T9TtsPYvB9ASyjMMBd4/PQP0EzUswc1W4+moooS+FtS1uvFHq8VYjcWMI
Qn13+k4JldJCvPfWRl1VDY9nY/+25xYud5wuIzqTQ/QXslO6lbxZFgaIVRhN2PDo
wCKgP3RKvDRBsPo1Zp+Jk5btur/c2L7WySFQVOpJszKRSs2LpnJwKybRJNaExTAK
m55tZEPJOx2DshH7g506pc4jtkEY9/9SbxVZNjxCrrnyjQwulUyHDg3yA+fOV0eA
VO0tnineWkqsybAa4271S+IZq3RqjJFH+g4w6NH4CDy+kcrT10KBv/h9/70AFQF7
XehD8rvqYXMOVvxnlh045iG0A3qHmq5QVGqRasOnxnSnxYNpkn/zOAZxNUH82c6B
i3VoFCVkmtqErLRe4zvSc3MLTKbjiIW4DJgDFCyD62Tq+l1xBjMtmpyHfcT1HlRd
LkkgcgOfLKrZTGWwTJKhBUIaRcCuJ5ja623bry/Fsh9SwHDRGtJy8d9BV3tOmY7l
geeo5pD8/2WihjjJy9spcwM8G9swdxwlKRHq7aANMvFz2fyOQE4=
=nSkP
-----END PGP SIGNATURE-----

3
tomcat-digest.script
View File

@ -3,6 +3,9 @@
# tomcat-digest script
# JPackage Project <http://www.jpackage.org/>
# Set default JAVA_HOME
export JAVA_HOME="${JAVA_HOME:-%{?java_home}}"
# Source functions library
if [ -f /usr/share/java-utils/java-functions ] ; then
. /usr/share/java-utils/java-functions

22
tomcat-jdt.patch
View File

@ -1,15 +1,15 @@
--- apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java 2024-04-06 14:14:17.015180386 +0200
+++ apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java 2024-04-06 14:14:33.635284982 +0200
@@ -310,13 +310,13 @@
} else if(opt.equals("15")) {
--- apache-tomcat-10.1.34-src/java/org/apache/jasper/compiler/JDTCompiler.java 2025-01-03 18:40:16.470885660 +0000
+++ apache-tomcat-10.1.34-src/java/org/apache/jasper/compiler/JDTCompiler.java 2024-12-05 16:01:16.000000000 +0000
@@ -298,13 +298,13 @@
} else if (opt.equals("15")) {
settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
} else if(opt.equals("16")) {
} else if (opt.equals("16")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
+ settings.put(CompilerOptions.OPTION_Source, "16");
} else if(opt.equals("17")) {
} else if (opt.equals("17")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_17);
+ settings.put(CompilerOptions.OPTION_Source, "17");
} else if(opt.equals("18")) {
} else if (opt.equals("18")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_18);
+ settings.put(CompilerOptions.OPTION_Source, "18");
} else if (opt.equals("19")) {
@ -18,20 +18,20 @@
} else if (opt.equals("20")) {
// Constant not available in latest ECJ version that runs on
// Java 11.
@@ -388,17 +388,17 @@
@@ -386,17 +386,17 @@
settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
} else if(opt.equals("16")) {
} else if (opt.equals("16")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16);
+ settings.put(CompilerOptions.OPTION_TargetPlatform, "16");
+ settings.put(CompilerOptions.OPTION_Compliance, "16");
} else if(opt.equals("17")) {
} else if (opt.equals("17")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_17);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_17);
+ settings.put(CompilerOptions.OPTION_TargetPlatform, "17");
+ settings.put(CompilerOptions.OPTION_Compliance, "17");
} else if(opt.equals("18")) {
} else if (opt.equals("18")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_18);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_18);
+ settings.put(CompilerOptions.OPTION_TargetPlatform, "18");

3
tomcat-tool-wrapper.script
View File

@ -3,6 +3,9 @@
# tomcat-digest script
# JPackage Project <http://www.jpackage.org/>
# Set default JAVA_HOME
export JAVA_HOME="${JAVA_HOME:-%{?java_home}}"
# Source functions library
if [ -f /usr/share/java-utils/java-functions ] ; then
. /usr/share/java-utils/java-functions

458
tomcat10.changes
View File

@ -1,3 +1,461 @@
-------------------------------------------------------------------
Fri Jan 3 18:33:44 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
- Update to Tomcat 10.1.34
* Fixed CVEs:
+ CVE-2024-54677: DoS in examples web application (bsc#1233434)
+ CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
* Catalina
+ Add: Add option to serve resources from subpath only with WebDAV Servlet
like with DefaultServlet. (michaelo)
+ Fix: Add special handling for the protocols attribute of SSLHostConfig in
storeconfig. (remm)
+ Fix: 69442: Fix case sensitive check on content-type when parsing request
parameters. (remm)
+ Code: Refactor duplicate code for extracting media type and subtype from
content-type into a single method. (markt)
+ Fix: Compatibility of generated embedded code with components where
constructors or property related methods throw a checked exception. (remm)
+ Fix: The previous fix for inconsistent resource metadata during concurrent
reads and writes was incomplete. (markt)
+ Fix: #780: Fix content-range header length. Submitted by Chenjp. (remm)
+ Fix: 69444: Ensure that the jakarta.servlet.error.message request
attribute is set when an application defined error page is called. (markt)
+ Fix: Avoid quotes for numeric values in the JSON generated by the status
servlet. (remm)
+ Add: Add strong ETag support for the WebDAV and default servlet, which can
be enabled by using the useStrongETags init parameter with a value set to
true. The ETag generated will be a SHA-1 checksum of the resource content.
(remm)
+ Fix: Use client locale for directory listings. (remm)
+ Fix: 69439: Improve the handling of multiple Cache-Control headers in the
ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
+ Fix: 69447: Update the support for caching classes the web application
class loader cannot find to take account of classes loaded from external
repositories. Prior to this fix, these classes could be incorrectly marked
as not found. (markt)
+ Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by
users will not be removed and any header present in a HEAD request will
also be present in the equivalent GET request. There may be some headers,
as per RFC 9110, section 9.3.2, that are present in a GET request that are
not present in the equivalent HEAD request. (markt)
+ Fix: 69471: Log instances of CloseNowException caught by
ApplicationDispatcher.invoke() at debug level rather than error level as
they are very likely to have been caused by a client disconnection or
similar I/O issue. (markt)
+ Add: Add a test case for the fix for 69442. Also refactor references to
application/x-www-form-urlencoded. Based on pull request #779 by Chenjp.
(markt)
+ Fix: 69476: Catch possible ISE when trying to report PUT failure in the
DefaultServlet. (remm)
+ Add: Add support for RateLimit header fields for HTTP (draft) in the
RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
+ Add: #787: Add regression tests for 69478. Pull request provided by Thomas
Krisch. (markt)
+ Fix: The default servlet now rejects HTTP range requests when two or more
of the requested ranges overlap. Based on pull request #782 provided by
Chenjp. (markt)
+ Fix: Enhance Content-Range verification for partial PUT requests handled
by the default servlet. Provided by Chenjp in pull request #778. (markt)
+ Fix: Harmonize DataSourceStore lookup in the global resources to
optionally avoid the comp/env prefix which is usually not used there.
(remm)
+ Fix: As required by RFC 9110, the HTTP Range header will now only be
processed for GET requests. Based on pull request #790 provided by Chenjp.
(markt)
+ Fix: Deprecate the useAcceptRanges initialisation parameter for the
default servlet. It will be removed in Tomcat 12 onwards where it will
effectively be hard coded to true. (markt)
+ Add: Add DataSource based property storage for the WebdavServlet. (remm)
* Coyote
+ Fix: Align encodedSolidusHandling with the Servlet specification. If the
pass-through mode is used, any %25 sequences will now also be passed
through to avoid errors and/or corruption when the application decodes the
path. (markt)
* Jasper
+ Fix: Follow-up to the fix for 69381. Apply the optimisation for method
lookup performance in expression language to an additional location.
(markt)
* Web applications
+ Fix: Documentation. Remove references to the ResourceParams element.
Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
+ Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter.
The attribute is internalProxies rather than allowedInternalProxies. Pull
request #786 provided by Jorge Díaz. (markt)
+ Fix: Examples. Fix broken links when Servlet Request Info example is
called via a URL that includes a pathInfo component. (markt)
+ Fix: Examples. Expand the obfuscation of session cookie values in the
request header example to JSON responses. (markt)
+ Add: Examples. Add the ability to delete session attributes in the servlet
session example. (markt)
+ Add: Examples. Add a hard coded limit of 10 attributes per session for the
servlet session example. (markt)
+ Add: Examples. Add the ability to delete session attributes and add a hard
coded limit of 10 attributes per session for the JSP form authentication
example. (markt)
+ Add: Examples. Limit the shopping cart example to only allow adding the
pre-defined items to the cart. (markt)
+ Fix: Examples. Remove JSP calendar example. (markt)
* Other
+ Fix: 69465: Fix warnings during native image compilation using the Tomcat
embedded JARs. (markt)
+ Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
+ Update: Update EasyMock to 5.5.0. (markt)
+ Update: Update Checkstyle to 10.20.2. (markt)
+ Update: Update BND to 7.1.0. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Korean translations. (markt)
+ Add: Improvements to Chinese translations. (markt)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
-------------------------------------------------------------------
Sat Nov 23 00:01:04 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
- Update to Tomcat 10.1.33
* Fixed CVEs:
+ CVE-2024-52316: If the Jakarta Authentication fails with an exception,
set a 500 status (bsc#1233434)
* Catalina
+ Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
+ Add: 55470: Add debug logging that reports the class path when a
ClassNotFoundException occurs in the digester or the web application class loader.
Based on a patch by Ralf Hauser. (markt)
+ Update: 69374: Properly separate between table header and body in
DefaultServlet's listing. (michaelo)
+ Update: 69373: Make DefaultServlet's HTML listing file last modified
rendering better (flexible). (michaelo)
+ Update: Improve HTML output of DefaultServlet. (michaelo)
+ Code: Refactor RateLimitFilter to use FilterBase as the base class.
The primary advantage is less code to process init-param values. (markt)
+ Update: 69370: DefaultServlet's HTML listing uses incorrect labels.
(michaelo)
+ Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
+ Fix: Add missing WebDAV Lock-Token header in the response when locking
a folder. (remm)
+ Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
+ Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
+ Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
+ Fix: Send 415 response to WebDAV MKCOL operations that include a request
body since this is optional and unsupported. (remm)
+ Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
+ Fix: Do not allow a new WebDAV lock on a child resource if a parent
collection is locked (RFC 4918 section 6.1). (remm)
+ Fix: WebDAV DELETE should remove any existing lock on successfully
deleted resources. (remm)
+ Update: Remove WebDAV lock null support in accordance with RFC 4918
section 7.3 and annex D. Instead, a lock on a non-existing resource will
create an empty file locked with a regular lock. (remm)
+ Update: Rewrite implementation of WebDAV shared locks to comply with
RFC 4918. (remm)
+ Update: Implement WebDAV If header using code from the Apache Jackrabbit
project. (remm)
+ Add: Add PropertyStore interface in the WebDAV Servlet, to allow
implementation of dead properties storage. The store used can be configured
using the propertyStore init parameter of the WebDAV servlet by specifying
the class name of the store. A simple non-persistent implementation is
used if no custom store is configured. (remm)
+ Update: Implement WebDAV PROPPATCH method using the newly added
PropertyStore, and update PROPFIND to support it. (remm)
+ Fix: Cache not found results when searching for web application class
loader resources. This addresses performance problems caused by components
such as java.sql.DriverManager, which in some circumstances will search
for the same class repeatedly. The size of the cache can be controlled
via the new notFoundClassResourceCacheSize on the StandardContext. (markt)
+ Fix: Stop after INITIALIZED state should be a noop since it is possible
for subcomponents to be in FAILED after init. (remm)
+ Fix: Fix incorrect web resource cache size calculations when there are
concurrent PUT and DELETE requests for the same resource. (markt)
+ Add: Add debug logging for the web resource cache so the current size
can be tracked as resources are added and removed. (markt)
+ Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens
with urn:uuid: as recommended by RFC 4918, and remove secret init
parameter. (remm)
+ Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the
same path caused corruption of the FileResource where some of the fields
were set as if the file exists and some as set as if it does not. This
resulted in inconsistent metadata. (markt)
+ Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on
GET and HEAD requests. Also, skip requests where the application has
set Cache-Control: no-store. (markt)
+ Fix: 69419: Improve the performance of ServletRequest.getAttribute()
when there are multiple levels of nested includes. Based on a patch
provided by John Engebretson. (markt)
+ Add: All applications to send an early hints informational response
by calling HttpServletResponse.sendError() with a status code of 103.
(schultz)
+ Fix: Ensure that ServerAuthModule.initialize() is called when a
Jakarta Authentication module is configured via registerServerAuthModule().
(markt)
+ Fix: Ensure that the Jakarta Authentication CallbackHandler only creates
one GenericPrincipal in the Subject. (markt)
+ Fix: If the Jakarta Authentication process fails with an Exception,
explicitly set the HTTP response status to 500 as the ServerAuthContext
may not have set it. (markt)
+ Fix: When persisting the Jakarta Authentication provider configuration,
create any necessary parent directories that don't already exist. (markt)
+ Fix: Correct the logic used to detect errors when deleting temporary files
associated with persisting the Jakarta Authentication provider
configuration. (markt)
+ Fix: When processing Jakarta Authentication callbacks, don't overwrite
a Principal obtained from the PasswordValidationCallback with null if the
CallerPrincipalCallback does not provide a Principal. (markt)
+ Fix: Avoid store config backup loss when storing one configuration more
than once per second. (remm)
+ Fix: 69359: WebdavServlet duplicates getRelativePath() method from
super class with incorrect Javadoc. (michaelo)
+ Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and
DefaultServlet. (michaelo)
+ Fix: Make WebdavServlet properly return the Allow header when deletion
of a resource is not allowed. (michaelo)
+ Fix: Add log warning if non-wildcard mappings are used with the WebdavServlet.
(remm)
+ Fix: 69361: Ensure that the order of entries in a multi-status response
to a WebDAV is consistent with the order in which resources were processed.
(markt)
+ Fix: 69362: Provide a better multi-status response when deleting a
collection via WebDAV fails. Empty directories that cannot be deleted
will now be included in the response. (markt)
+ Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to
ensure that the correct path is used when the WebDAV servlet is mounted
at a sub-path within the web application. (markt)
+ Fix 69320, a regression in the fix for 69302 that meant the HTTP/2 processing
was likely to be broken for all clients once any client sent an HTTP/2
reset frame. (markt)
+ Fix: Improve performance of ApplicationHttpRequest.parseParameters().
Based on sample code and test cases provided by John Engebretson. (markt)
+ Fix: Correct regressions in the refactoring that added recycling of the coyote
request and response to the HTTP/2 processing. (markt)
+ Add: Add support for RFC 8297 (Early Hints). Applications can use this
feature by casting the HttpServletResponse to org.apache.catalina.connector.
Response and then calling the method void sendEarlyHints(). This method
will be added to the Servlet API (removing the need for the cast) in Servlet
6.2 onwards. (markt)
+ Fix: 69214: Do not reject a CORS request that uses POST but does not include
a content-type header. Tomcat now correctly processes this as a simple CORS
request. Based on a patch suggested by thebluemountain. (markt)
+ Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than
Subject.doAs() when available. (markt)
+ Fix: Allow JAASRealm to use the configuration source to load a configured
configFile, for easier use with testing. (remm)
+ Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)
+ Fix: Add the OpenSSL version number on the APR and OpenSSL status classes.
(remm)
+ Fix: 69131: Expand the implementation of the filter value of the Authenticator
attribute allowCorsPreflight, so that it applies to all requests that match
the configured URL patterns for the CORS filter, rather than only applying
if the CORS filter is mapped to /*. (markt)
+ Fix: Using the OpenSSLListener will now cause the connector to use OpenSSL
if available. (remm)
* Coyote
+ Fix: Return null SSL session id on zero-length byte array returned
from the SSL implementation. (remm)
+ Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
+ Fix: Create the HttpParser in Http11Processor if it is not present on
the AbstractHttp11Protocol to provide better lifecycle robustness for
regular HTTP/1.1. The new behavior was introduced in a previous refactoring
to improve HTTP/2 performance. (remm)
+ Fix: OpenSSLContext will now throw a KeyManagementException if something
is known to have gone wrong in the init method, which is the behavior
documented by javax.net.ssl.SSLContext.init. This makes error handling
more consistent. (remm)
+ Fix: 69379: The default HEAD response no longer includes the payload
HTTP header fields as per section 9.3.2 of RFC 9110. (markt)
+ Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to
generate Date headers for HTTP responses) generates the correct string
for the given input. Prior to this change, the output may have been
wrong by one second in some cases. Pull request #751 provided by Chenjp.
(markt)
+ Fix: Request start time may not have been accurately recorded for HTTP/1.1
requests preceded by a large number of blank lines. (markt)
+ Add: Add server and serverRemoveAppProvidedValues to the list of attributes
the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested
within. (markt)
+ Fix: Avoid possible crashes when using Apache Tomcat Native, caused by
destroying SSLContext objects through GC after APR has been terminated.
(remm)
+ Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields
no longer need to be received before the headers of the subsequent stream,
nor are trailer fields for an in-progress stream swallowed if the Connector
is paused before the trailer fields are received. (markt)
+ Fix: Ensure the request and response are not recycled too soon for an
HTTP/2 stream when a stream-level error is detected during the processing
of incoming HTTP/2 frames. This could lead to incorrect processing times
appearing in the access log. (markt)
+ Fix: Correct a regression in the fix for non-blocking reads of chunked
request bodies that caused InputStream.available() to return a non-zero
value when there was no data to read. In some circumstances this could
cause a blocking read to block waiting for more data rather than return
the data it had already received. (markt)
+ Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor.
The default behaviour is unchanged. (markt)
+ Fix: Ensure that Tomcat sends a TLS close_notify message after receiving
one from the client when using the OpenSSLImplementation. (markt)
+ Fix: 69301: Fix trailer headers replacing non-trailer headers when writing
response headers to the access log. Based on a patch and test case
provided by hypnoce. (markt)
+ Fix: 69302: If an HTTP/2 client resets a stream before the request body
is fully written, ensure that any ReadListener is notified via a call
to ReadListener.onError(). (markt)
+ Fix: Ensure that HTTP/2 stream input buffers are only created when there is
a request body to be read. (markt)
+ Code: Refactor creation of HttpParser instances from the Processor level to
the Protocol level since the parser configuration depends on the protocol
and the parser is, otherwise, stateless. (markt)
+ Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal request
and response processing objects by default. This behaviour can be controlled
via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol.
(markt)
+ Fix: Clean and log OpenSSL errors before processing of OpenSSL conf commands
in the FFM code. (remm)
+ Fix: 69121: Ensure that the onComplete() event is triggered if AsyncListener.
onError() dispatches to a target that throws an exception. (markt)
+ Fix: Following the trailer header field refactoring, -1 is no longer an allowed
value for maxTrailerSize. Adjust documentation accordingly. (remm)
+ Update: Move OpenSSL support using FFM to a separate JAR named tomcat-coyote-ffm.
jar that advertises Java 22 in its manifest. (remm)
+ Fix: Fix search for OpenSSL library for FFM on Mac OS so that java.library.path
is searched. (markt)
+ Update: Add FFM compatibility methods for LibreSSL support. Renegotiation is
not supported at the moment. (remm)
+ Update: Add org.apache.tomcat.util.openssl.LIBRARY_NAME (specifies the name
of the library to load) and org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY
(set to true to use System.loadLibrary rather than the FFM library loading code)
to configure the OpenSSL library loading using FFM. (remm)
+ Update: Add FFM compatibility methods for BoringSSL support. Renegotiation is
not supported in many cases. (remm)
* Jasper
+ Fix: Add back tag release method as deprecated in the runtime for
compatibility with old generated code. (remm)
+ Fix: 69399: Fix regression caused by improvement 69333, which caused
the tag release to be called when using tag pooling, and to be skipped
when not using it. Patch submitted by Michal Sobkiewicz. (remm)
+ Fix: 69381: Improve method lookup performance in expression language.
When the required method has no arguments, there is no need to consider
casting or coercion, and the method lookup process can be simplified.
Based on a pull request by John Engebretson. (markt)
+ Fix: 69382: Improve the performance of the JSP include action by re-using
results of relatively expensive method calls in the generated code rather
than repeating them. Patch provided by John Engebretson. (markt)
+ Fix: 69398: Avoid unnecessary object allocation in PageContextImpl.
Based on a suggestion by John Engebretson. (markt)
+ Fix: 69406: When using StringInterpreterEnum, do not throw an
IllegalArgumentException when an invalid Enum is encountered. Instead,
resolve the value at runtime. Patch provided by John Engebretson. (markt)
+ Fix: 69429: Optimize EL evaluation of method parameters for methods
that do not accept any parameters. Patch provided by John Engebretson. (markt)
+ Fix: Further optimize EL evaluation of method parameters. Patch provided
by Paolo B. (markt)
+ Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
+ Fix: 69338: Improve the performance of processing expressions that include
AND or OR operations with more than two operands and expressions that use
not empty. (markt)
+ Fix: 69348: Reduce memory consumption in ELContext by using lazy
initialization for the data structure used to track lambda arguments. (markt)
+ Fix: Switch the TldScanner back to logging detailed scan results at debug
level rather than trace level. (markt)
+ Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of
new classes added to the java.lang package in Java 23. (markt)
+ Fix: Ensure that an exception in toString() still results in an ELException
when an object is coerced to a String using ExpressionFactory.coerceToType().
(markt)
+ Add: Add support for specifying Java 24 (with the value 24) as the compiler
source and/or compiler target for JSP compilation. If used with an Eclipse JDT
compiler version that does not support these values, a warning will be logged
and the default will be used. (markt)
+ Fix: 69135: When using include directives in a tag file packaged in a JAR file,
ensure that context relative includes are processed correctly. (markt)
+ Fix: 69135: When using include directives in a tag file packaged in a JAR file,
ensure that file relative includes are processed correctly. (markt)
+ Fix: 69135: When using include directives in a tag file packaged in a JAR file,
ensure that file relative includes are not permitted to access files outside
of the /META_INF/tags/ directory nor outside of the JAR file. (markt)
* WebSocket
+ Fix: If a blocking message write exceeds the timeout, don't attempt the
write again before throwing the exception. (markt)
+ Fix: An EncodeException being thrown during a message write should not
automatically cause the connection to close. The application should handle
the exception and make the decision whether or not to close the connection.
(markt)
* Web applications
+ Fix: The manager webapp will now be able to access certificates again
when OpenSSL is used. (remm)
+ Fix: Documentation. Align the logging configuration documentation with
the current defaults. (markt)
+ Fix: Fix status servlet detailed view of the connectors when using automatic
port. (remm)
* jdbc-pool
+ Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions
executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException
rather than the application seeing the original SQLException. Fixed by pull
request #744 provided by Michael Clarke. (markt)
+ Fix: 69279: Correct a regression in the fix for 69206 that meant that methods
that previously returned a null ResultSet were returning a proxy with a
null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt)
+ Fix: 69206: Ensure statements returned from Statement methods executeQuery(),
getResultSet() and getGeneratedKeys() are correctly wrapped before being returned
to the caller. Based on pull request #742 provided by Michael Clarke. (markt)
* Other
+ Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. (markt)
+ Update: Update Byte Buddy to 1.15.10. (markt)
+ Update: Update CheckStyle to 10.20.0. (markt)
+ Add: Improvements to German translations. (remm)
+ Update: Update Byte Buddy to 1.15.3. (markt)
+ Update: Update CheckStyle to 10.18.2. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Add: Improvements to Chinese translations by Ch_jp. (markt)
+ Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt)
+ Fix: Change the default log handler level to ALL so log messages are not
dropped by default if a logger is configured to use trace (FINEST) level
logging. (markt)
+ Update: Update Hamcrest to 3.0. (markt)
+ Update: Update EasyMock to 5.4.0. (markt)
+ Update: Update Byte Buddy to 1.15.0. (markt)
+ Update: Update CheckStyle to 10.18.0. (markt)
+ Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)
+ Add: Improvements to Spanish translations by Fernando. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Fix: Fix packaging regression with missing osgi information following addition
of the test-only build target. (remm)
+ Update: Update Tomcat Native to 2.0.8. (markt)
+ Update: Update Byte Buddy to 1.14.18. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Update: Add test-only build target to allow running only the testsuite,
supporting Java versions down to the minimum supported to run Tomcat. (rjung)
+ Update: Update UnboundID to 7.0.1. (markt)
+ Update: Update to SpotBugs 4.8.6. (markt)
+ Update: Remove cglib dependency as it is not required by the version of EasyMock
used by the unit tests. (markt)
+ Update: Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy
1.14.17. (markt)
+ Add: Improvements to Czech translations by Vladimír Chlup. (markt)
+ Add: Improvements to French translations. (remm)
+ Add: Improvements to Japanese translations by tak7iji. (markt)
+ Add: Improvements to Chinese translations by fangzheng. (markt)
-------------------------------------------------------------------
Thu Oct 3 13:17:40 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Adapt the scripts to run also with javapackages-tools >= 6.3
-------------------------------------------------------------------
Sun Sep 29 19:42:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
- Fix build after removal of the default %%{java_home} define
-------------------------------------------------------------------
Tue Jul 9 12:52:37 UTC 2024 - Ricardo Mestre <ricardo.mestre@suse.com>

4
tomcat10.spec
View File

@ -29,7 +29,7 @@
%define elspec %{elspec_major}.%{elspec_minor}
%define major_version 10
%define minor_version 1
%define micro_version 25
%define micro_version 34
%define java_major 1
%define java_minor 11
%define java_version %{java_major}.%{java_minor}
@ -486,7 +486,7 @@ popd
# install sample webapp
mkdir -p %{buildroot}%{tomcatappdir}/sample
pushd %{buildroot}%{tomcatappdir}/sample
%jar xf %{buildroot}%{tomcatappdir}/docs/appdev/sample/sample.war
jar xf %{buildroot}%{tomcatappdir}/docs/appdev/sample/sample.war
popd
pushd %{buildroot}%{tomcatappdir}/examples/WEB-INF/lib