Resolves: rhbz#1349469 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service (updates to 8.0.36)

This commit is contained in:
Coty Sutherland 2016-07-01 14:45:28 -04:00
parent 43760819ea
commit 50c91f3fe2
4 changed files with 35 additions and 7 deletions


@ -1 +1 @@
f8a1a0f811f6ffe0a4ccc1132c442d8b apache-tomcat-8.0.32-src.tar.gz be048e9ffa26957892933c9fa6bca0d8 apache-tomcat-8.0.36-src.tar.gz


@ -1,8 +1,8 @@
--- conf/tomcat-users.xml~ 2008-01-28 17:41:06.000000000 -0500 --- conf/tomcat-users.xml~ 2008-01-28 17:41:06.000000000 -0500
+++ conf/tomcat-users.xml 2008-03-07 19:40:07.000000000 -0500 +++ conf/tomcat-users.xml 2008-03-07 19:40:07.000000000 -0500
@@ -23,4 +23,14 @@ @@ -23,4 +23,14 @@
<user username="both" password="tomcat" roles="tomcat,role1"/> <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="tomcat" roles="role1"/> <user username="role1" password="<must-be-changed>" roles="role1"/>
--> -->
+ +
+<!-- <role rolename="admin"/> --> +<!-- <role rolename="admin"/> -->
@ -13,5 +13,5 @@
+<!-- <role rolename="manager-script"/> --> +<!-- <role rolename="manager-script"/> -->
+<!-- <role rolename="manager-jmx"/> --> +<!-- <role rolename="manager-jmx"/> -->
+<!-- <role rolename="manager-status"/> --> +<!-- <role rolename="manager-status"/> -->
+<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> --> +<!-- <user name="admin" password="<must-be-changed>" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
</tomcat-users> </tomcat-users>


@ -0,0 +1,24 @@
--- java/org/apache/jasper/compiler/JDTCompiler.java~ 2016-07-01 14:39:19.728255958 -0400
+++ java/org/apache/jasper/compiler/JDTCompiler.java 2016-07-01 14:39:37.191311760 -0400
@@ -312,9 +312,6 @@
} else if(opt.equals("1.8")) {
settings.put(CompilerOptions.OPTION_Source,
CompilerOptions.VERSION_1_8);
- } else if(opt.equals("1.9")) {
- settings.put(CompilerOptions.OPTION_Source,
- CompilerOptions.VERSION_1_9);
} else {
log.warn("Unknown source VM " + opt + " ignored.");
settings.put(CompilerOptions.OPTION_Source,
@@ -361,11 +358,6 @@
CompilerOptions.VERSION_1_8);
settings.put(CompilerOptions.OPTION_Compliance,
CompilerOptions.VERSION_1_8);
- } else if(opt.equals("1.9")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform,
- CompilerOptions.VERSION_1_9);
- settings.put(CompilerOptions.OPTION_Compliance,
- CompilerOptions.VERSION_1_9);
} else {
log.warn("Unknown target VM " + opt + " ignored.");
settings.put(CompilerOptions.OPTION_TargetPlatform,
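Review bot: The new patch removes the `1.9` branches from both the source and the target/compliance chains in JDTCompiler.java, but the patch file carries no description above its `---` line saying why, so the next rebase to a newer Tomcat has nothing to tell it whether the change is still needed; presumably the ecj in the build root does not define `CompilerOptions.VERSION_1_9`, but that is only a guess from the removed lines. With the branches gone, a JSP compiler configured with source or target `1.9` now lands in the `else` branch, logs `Unknown source VM 1.9 ignored.` / `Unknown target VM 1.9 ignored.` and continues with the fallback level, a silent downgrade relative to upstream 8.0.36 that deserves a line in the spec changelog. I would add a short header block to the patch before the first `---` line, e.g. `Drop the Java 9 (1.9) source/target options from JDTCompiler: the ecj available in the build root does not provide CompilerOptions.VERSION_1_9 (verify against the current ecj package on rebase). A configured 1.9 level now falls through to the "Unknown ... VM" warning and the default level.` The methods containing both chains start and end outside the hunk, so the default level the fallback applies is not visible here. Separately, the changelog line added in tomcat.spec cites rhbz#1349463 while the commit title cites rhbz#1349469; one of the two bug numbers looks mistyped and should be reconciled before this is pushed.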


@ -31,7 +31,7 @@
%global jspspec 2.3 %global jspspec 2.3
%global major_version 8 %global major_version 8
%global minor_version 0 %global minor_version 0
%global micro_version 32 %global micro_version 36
%global packdname apache-tomcat-%{version}-src %global packdname apache-tomcat-%{version}-src
%global servletspec 3.1 %global servletspec 3.1
%global elspec 3.0 %global elspec 3.0
@ -57,7 +57,7 @@
Name: tomcat Name: tomcat
Epoch: 1 Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version} Version: %{major_version}.%{minor_version}.%{micro_version}
Release: 5%{?dist} Release: 1%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
Group: System Environment/Daemons Group: System Environment/Daemons
@ -86,6 +86,7 @@ Source32: tomcat-named.service
Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
Patch2: %{name}-8.0.36-CompilerOptionsV9.patch
BuildArch: noarch BuildArch: noarch
@ -237,6 +238,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch0 -p0 %patch0 -p0
%patch1 -p0 %patch1 -p0
%patch2 -p0
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@ -679,7 +682,8 @@ fi
%attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service %attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service
%changelog %changelog
* Mon Aug 08 2016 Coty Sutherland <csutherl@redhat.com> - 1:8.0.32-5 * Mon Aug 08 2016 Coty Sutherland <csutherl@redhat.com> - 1:8.0.36-1
- Resolves: rhbz#1349463 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service (updates to 8.0.36)
- Resolves: rhbz#1364056 The command tomcat-digest doesn't work - Resolves: rhbz#1364056 The command tomcat-digest doesn't work
- Resolves: rhbz#1363884 The tomcat-tool-wrapper script is broken - Resolves: rhbz#1363884 The tomcat-tool-wrapper script is broken