Resolves: rhbz#1349469 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service (updates to 8.0.36)

2016-07-01 14:45:28 -04:00 · 2016-07-01 14:45:28 -04:00 · 50c91f3fe2
commit 50c91f3fe2
parent 43760819ea
4 changed files with 35 additions and 7 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-f8a1a0f811f6ffe0a4ccc1132c442d8b  apache-tomcat-8.0.32-src.tar.gz
+be048e9ffa26957892933c9fa6bca0d8  apache-tomcat-8.0.36-src.tar.gz
--- a/tomcat-8.0-tomcat-users-webapp.patch
+++ b/tomcat-8.0-tomcat-users-webapp.patch
@ -1,8 +1,8 @@
 --- conf/tomcat-users.xml~	2008-01-28 17:41:06.000000000 -0500
 +++ conf/tomcat-users.xml	2008-03-07 19:40:07.000000000 -0500
@@ -23,4 +23,14 @@
-   <user username="both" password="tomcat" roles="tomcat,role1"/>
-   <user username="role1" password="tomcat" roles="role1"/>
+   <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
+   <user username="role1" password="<must-be-changed>" roles="role1"/>
 -->
 +
 +<!-- <role rolename="admin"/> -->
@ -13,5 +13,5 @@
 +<!-- <role rolename="manager-script"/> -->
 +<!-- <role rolename="manager-jmx"/> -->
 +<!-- <role rolename="manager-status"/> -->
-+<!-- <user name="admin" password="adminadmin" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
+<!-- <user name="admin" password="<must-be-changed>" roles="admin,manager,admin-gui,admin-script,manager-gui,manager-script,manager-jmx,manager-status" /> -->
 </tomcat-users>
--- a/tomcat-8.0.36-CompilerOptionsV9.patch
+++ b/tomcat-8.0.36-CompilerOptionsV9.patch
@ -0,0 +1,24 @@
+--- java/org/apache/jasper/compiler/JDTCompiler.java~	2016-07-01 14:39:19.728255958 -0400
+++ java/org/apache/jasper/compiler/JDTCompiler.java	2016-07-01 14:39:37.191311760 -0400
+@@ -312,9 +312,6 @@
+             } else if(opt.equals("1.8")) {
+                 settings.put(CompilerOptions.OPTION_Source,
+                              CompilerOptions.VERSION_1_8);
+-            } else if(opt.equals("1.9")) {
+-                settings.put(CompilerOptions.OPTION_Source,
+-                             CompilerOptions.VERSION_1_9);
+             } else {
+                 log.warn("Unknown source VM " + opt + " ignored.");
+                 settings.put(CompilerOptions.OPTION_Source,
+@@ -361,11 +358,6 @@
+                              CompilerOptions.VERSION_1_8);
+                 settings.put(CompilerOptions.OPTION_Compliance,
+                         CompilerOptions.VERSION_1_8);
+-            } else if(opt.equals("1.9")) {
+-                settings.put(CompilerOptions.OPTION_TargetPlatform,
+-                             CompilerOptions.VERSION_1_9);
+-                settings.put(CompilerOptions.OPTION_Compliance,
+-                        CompilerOptions.VERSION_1_9);
+             } else {
+                 log.warn("Unknown target VM " + opt + " ignored.");
+                 settings.put(CompilerOptions.OPTION_TargetPlatform,
--- a/tomcat.spec
+++ b/tomcat.spec
@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 8
 %global minor_version 0
-%global micro_version 32
+%global micro_version 36
 %global packdname apache-tomcat-%{version}-src
 %global servletspec 3.1
 %global elspec 3.0
@ -57,7 +57,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       5%{?dist}
+Release:       1%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API

 Group:         System Environment/Daemons
@ -86,6 +86,7 @@ Source32:      tomcat-named.service

 Patch0:        %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
 Patch1:        %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
+Patch2:        %{name}-8.0.36-CompilerOptionsV9.patch

 BuildArch:     noarch

@ -237,6 +238,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "

 %patch0 -p0
 %patch1 -p0
+%patch2 -p0
+
 %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
 %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar

@ -679,7 +682,8 @@ fi
 %attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service

 %changelog
-* Mon Aug 08 2016 Coty Sutherland <csutherl@redhat.com> - 1:8.0.32-5
+* Mon Aug 08 2016 Coty Sutherland <csutherl@redhat.com> - 1:8.0.36-1
+- Resolves: rhbz#1349463 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service (updates to 8.0.36)
 - Resolves: rhbz#1364056 The command tomcat-digest doesn't work
 - Resolves: rhbz#1363884 The tomcat-tool-wrapper script is broken