From fe6d560133c35f3e7fcf1ca0a55ff1a4f13cbe0d Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Tue, 13 Sep 2016 13:03:04 -0400
Subject: [PATCH] Resolves: rhbz#1375581 CVE-2016-5388 CGI sets environmental variable based on user supplied Proxy request header
---
sources | 2 +-
tomcat-8.0.36-asfbz-59960.patch | 13 -------------
tomcat-8.0.37-javadoc-fix.patch | 13 +++++++++++++
tomcat.spec | 10 +++++++---
4 files changed, 21 insertions(+), 17 deletions(-)
delete mode 100644 tomcat-8.0.36-asfbz-59960.patch
create mode 100644 tomcat-8.0.37-javadoc-fix.patch
diff --git a/sources b/sources
index 525648d..739ef6e 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-be048e9ffa26957892933c9fa6bca0d8 apache-tomcat-8.0.36-src.tar.gz
+8723324d35eed02a4aa979066d810d86 apache-tomcat-8.0.37-src.tar.gz
diff --git a/tomcat-8.0.36-asfbz-59960.patch b/tomcat-8.0.36-asfbz-59960.patch
deleted file mode 100644
index 20de181..0000000
--- a/tomcat-8.0.36-asfbz-59960.patch
+++ /dev/null
@@ -1,13 +0,0 @@
-Index: java/org/apache/catalina/tribes/group/interceptors/MessageDispatch15Interceptor.java
-===================================================================
---- java/org/apache/catalina/tribes/group/interceptors/MessageDispatch15Interceptor.java (revision 1755541)
-+++ java/org/apache/catalina/tribes/group/interceptors/MessageDispatch15Interceptor.java (working copy)
-@@ -18,7 +18,7 @@
-
- /**
- * @deprecated Originally provided an optional implementation that used Java 5+
-- * features. Now the minimum Java version is >=5, those features
-+ * features. Now the minimum Java version is >=5, those features
- * have been added to {@link MessageDispatchInterceptor} which
- * should be used instead. This class will be removed in Tomcat
- * 8.5.x onwards.
diff --git a/tomcat-8.0.37-javadoc-fix.patch b/tomcat-8.0.37-javadoc-fix.patch
new file mode 100644
index 0000000..502f373
--- /dev/null
+++ b/tomcat-8.0.37-javadoc-fix.patch
@@ -0,0 +1,13 @@ +Index: java/org/apache/catalina/servlets/CGIServlet.java +=================================================================== +--- java/org/apache/catalina/servlets/CGIServlet.java (revision 1759564) ++++ java/org/apache/catalina/servlets/CGIServlet.java (revision 1759565) +@@ -358,7 +358,7 @@ + * + * @exception IOException if a write operation exception occurs + * +- * @deprecated Use {@link #printServletEnvironment(HttpServletRequest). ++ * @deprecated Use {@link #printServletEnvironment(HttpServletRequest)}. + * This will be removed in Tomcat 8.5.X onwards + */ + @Deprecated diff --git a/tomcat.spec b/tomcat.spec index c0dfcd3..4c02fed 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -31,7 +31,7 @@ %global jspspec 2.3 %global major_version 8 %global minor_version 0 -%global micro_version 36 +%global micro_version 37 %global packdname apache-tomcat-%{version}-src %global servletspec 3.1 %global elspec 3.0 @@ -57,7 +57,7 @@ Name: tomcat Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 2%{?dist} +Release: 1%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API Group: System Environment/Daemons @@ -87,7 +87,7 @@ Source32: tomcat-named.service Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch Patch2: %{name}-8.0.36-CompilerOptionsV9.patch -Patch3: %{name}-8.0.36-asfbz-59960.patch +Patch3: %{name}-8.0.37-javadoc-fix.patch BuildArch: noarch @@ -694,6 +694,10 @@ fi %attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service %changelog +* Tue Sep 13 2016 Coty Sutherland - 1:8.0.37-1 +- Rebase to 8.0.37 +- Resolves: rhbz#1375581 CVE-2016-5388 CGI sets environmental variable based on user supplied Proxy request header + * Thu Aug 11 2016 Coty Sutherland - 1:8.0.36-2 - Related: rhbz#1349469 Correct typo in changelog entry
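Review bot: `Patch3` in the third tomcat.spec hunk is carried without a comment saying where the patch comes from or when it can be dropped. The patch body added in this commit is a diff of CGIServlet.java between revisions 1759564 and 1759565 that only closes an unbalanced `{@link}` in a Javadoc comment, so it looks like an upstream fix that a later rebase would already contain. A line such as `# Upstream r1759565: Javadoc {@link} fix in CGIServlet, drop at next rebase` above `Patch3:` would record that. It would also make clear that this patch is not the CVE-2016-5388 change, which presumably arrives with the 8.0.37 tarball since no CGI code change is visible in the commit. The `%prep` section that applies Patch3 is outside the hunk.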