From 50c91f3fe283a1b0f8744cd2541da3e45d736e98 Mon Sep 17 00:00:00 2001 From: Coty Sutherland Date: Fri, 1 Jul 2016 14:45:28 -0400 Subject: [PATCH] Resolves: rhbz#1349469 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service (updates to 8.0.36) --- sources | 2 +- tomcat-8.0-tomcat-users-webapp.patch | 6 +++--- tomcat-8.0.36-CompilerOptionsV9.patch | 24 ++++++++++++++++++++++++ tomcat.spec | 10 +++++++--- 4 files changed, 35 insertions(+), 7 deletions(-) create mode 100644 tomcat-8.0.36-CompilerOptionsV9.patch diff --git a/sources b/sources index c2a102c..525648d 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -f8a1a0f811f6ffe0a4ccc1132c442d8b apache-tomcat-8.0.32-src.tar.gz +be048e9ffa26957892933c9fa6bca0d8 apache-tomcat-8.0.36-src.tar.gz diff --git a/tomcat-8.0-tomcat-users-webapp.patch b/tomcat-8.0-tomcat-users-webapp.patch index 9f05e37..860c4cf 100644 --- a/tomcat-8.0-tomcat-users-webapp.patch +++ b/tomcat-8.0-tomcat-users-webapp.patch @@ -1,8 +1,8 @@ --- conf/tomcat-users.xml~ 2008-01-28 17:41:06.000000000 -0500 +++ conf/tomcat-users.xml 2008-03-07 19:40:07.000000000 -0500 @@ -23,4 +23,14 @@ - - + + --> + + @@ -13,5 +13,5 @@ + + + -+ ++ diff --git a/tomcat-8.0.36-CompilerOptionsV9.patch b/tomcat-8.0.36-CompilerOptionsV9.patch new file mode 100644 index 0000000..0b44236 --- /dev/null +++ b/tomcat-8.0.36-CompilerOptionsV9.patch 
@@ -0,0 +1,24 @@
+--- java/org/apache/jasper/compiler/JDTCompiler.java~ 2016-07-01 14:39:19.728255958 -0400
++++ java/org/apache/jasper/compiler/JDTCompiler.java 2016-07-01 14:39:37.191311760 -0400
+@@ -312,9 +312,6 @@
+ } else if(opt.equals("1.8")) {
+ settings.put(CompilerOptions.OPTION_Source,
+ CompilerOptions.VERSION_1_8);
+- } else if(opt.equals("1.9")) {
+- settings.put(CompilerOptions.OPTION_Source,
+- CompilerOptions.VERSION_1_9);
+ } else {
+ log.warn("Unknown source VM " + opt + " ignored.");
+ settings.put(CompilerOptions.OPTION_Source,
+@@ -361,11 +358,6 @@
+ CompilerOptions.VERSION_1_8);
+ settings.put(CompilerOptions.OPTION_Compliance,
+ CompilerOptions.VERSION_1_8);
+- } else if(opt.equals("1.9")) {
+- settings.put(CompilerOptions.OPTION_TargetPlatform,
+- CompilerOptions.VERSION_1_9);
+- settings.put(CompilerOptions.OPTION_Compliance,
+- CompilerOptions.VERSION_1_9);
+ } else {
+ log.warn("Unknown target VM " + opt + " ignored.");
+ settings.put(CompilerOptions.OPTION_TargetPlatform,
diff --git a/tomcat.spec b/tomcat.spec
index f429dc3..be5d53b 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 8
 %global minor_version 0
-%global micro_version 32
+%global micro_version 36
 %global packdname apache-tomcat-%{version}-src
 %global servletspec 3.1
 %global elspec 3.0
@@ -57,7 +57,7 @@
 Name: tomcat
 Epoch: 1
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 5%{?dist}
+Release: 1%{?dist}
 Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 Group: System Environment/Daemons
@@ -86,6 +86,7 @@ Source32: tomcat-named.service
 Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
 Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
+Patch2: %{name}-8.0.36-CompilerOptionsV9.patch
 BuildArch: noarch
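Review bot: The new tomcat-8.0.36-CompilerOptionsV9.patch carries no header explaining why the `1.9` source and target branches of JDTCompiler.java are removed, so the next rebase has to rediscover the reason; presumably the ecj the package builds against does not define `CompilerOptions.VERSION_1_9` — confirm. With the branches gone, a JSP compiler source/target VM setting of `1.9` falls into the `else` arm that logs `Unknown source VM 1.9 ignored.` and applies the default instead of failing, which is a quiet behaviour change worth stating. Add a description above the first `---` line of the patch, e.g. `# Drop the Java 9 (1.9) source/target cases: the ecj available at build time has no CompilerOptions.VERSION_1_9 (TODO: record the ecj version); not for upstream.` Both modified methods of JDTCompiler start and end outside the hunk.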
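Review bot: `Patch2:` hard-codes `8.0.36` while `Patch0` and `Patch1` are built from the version macros, so the new line reads inconsistently and will silently keep pointing at an old-version file on the next bump; `Patch2: %{name}-%{version}-CompilerOptionsV9.patch` expands to the same file name here (`%{version}` is already used for `packdname`) and forces the patch to be re-examined whenever the version changes. The line also lacks the usual one-line rationale a patch entry should carry, since this one alters JSP compiler behaviour rather than packaging; add above it `# Remove the 1.9 source/target branches from JDTCompiler; the ecj available at build time lacks VERSION_1_9 (TODO confirm). Not upstreamable.`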
@@ -237,6 +238,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch0 -p0 %patch1 -p0 +%patch2 -p0 + %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar @@ -679,7 +682,8 @@ fi %attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service %changelog -* Mon Aug 08 2016 Coty Sutherland - 1:8.0.32-5 +* Mon Aug 08 2016 Coty Sutherland - 1:8.0.36-1 +- Resolves: rhbz#1349463 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service (updates to 8.0.36) - Resolves: rhbz#1364056 The command tomcat-digest doesn't work - Resolves: rhbz#1363884 The tomcat-tool-wrapper script is broken
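Review bot: The new %changelog entry cites `rhbz#1349463` while the commit subject cites `rhbz#1349469` for the same CVE-2016-3092 update; one of the two is a typo and the changelog is what ships in the package, so make them agree before merging. The entry also does not mention the new CompilerOptionsV9 patch that drops the `1.9` compiler branches, which is a user-visible change; add a line such as `- Drop unsupported 1.9 source/target VM options from JDTCompiler (Patch2)`. The replacement entry keeps the `Mon Aug 08 2016` date of the superseded 8.0.32-5 entry although the commit is dated 1 Jul 2016 — worth confirming the date is intended.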