Fix CVE-2025-31650 and CVE-2024-56337

Resolves: RHEL-91761 - tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE
Resolves: RHEL-71971 - tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation
Adam Krajcik 2025-06-02 07:07:42 +02:00
parent 5eb69309fe
commit 252c30ce53
4 changed files with 12 additions and 4 deletions

.gitignore vendored

@ -6,3 +6,4 @@
/tomcat-9.0.87.redhat-00003-src.zip /tomcat-9.0.87.redhat-00003-src.zip
/tomcat-9.0.87.redhat-00005-src.zip /tomcat-9.0.87.redhat-00005-src.zip
/tomcat-9.0.87.redhat-00008-src.zip /tomcat-9.0.87.redhat-00008-src.zip
/tomcat-9.0.87.redhat-00010-src.zip


@ -1 +1 @@
SHA512 (tomcat-9.0.87.redhat-00008-src.zip) = 5863c033928427db91d1ecf92485641aa3de8d0bf38dd23293c6d86667da46df77b592342031f7caf915a52ed87a415a1d88937809a0b799a17b5901ceda03c2 SHA512 (tomcat-9.0.87.redhat-00010-src.zip) = fd65e91c2fd11d48396692e0e88fbba8c2025ec35cbefb29b9b192c516af958ad357a1232e21abd262187d14add45b1441c34d3fa76ac40ba0866febbbfb341d
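Review bot: the sources entry now carries only the redhat-00010 digest, which is consistent with the %packdname bump in the spec; before merging, confirm the SHA512 against the zip actually uploaded to the lookaside cache (sha512sum on the file), because a stale or mistyped hash here is only caught at source fetch time, not at review. Keeping the redhat-00008 zip in .gitignore is harmless, but it can be dropped once nothing references it.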


@ -10,7 +10,8 @@ OPTIONS="-Dcatalina.base=$CATALINA_BASE \
-Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS \ -Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS \
-Djava.io.tmpdir=$CATALINA_TMPDIR \ -Djava.io.tmpdir=$CATALINA_TMPDIR \
-Djava.util.logging.config.file=${LOGGING_PROPERTIES} \ -Djava.util.logging.config.file=${LOGGING_PROPERTIES} \
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager" -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Dsun.io.useCanonCaches=false"
if [ "$1" = "start" ] ; then if [ "$1" = "start" ] ; then
FLAGS="${FLAGS} $CATALINA_OPTS" FLAGS="${FLAGS} $CATALINA_OPTS"
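Review bot: -Dsun.io.useCanonCaches=false is appended inside the quoted OPTIONS string with the closing quote moved to the new line, so the continuation stays well-formed. The flag only reaches JVMs started through this script, though: sites that keep a locally modified copy of this config file or launch Tomcat with their own JVM options will not pick it up, so the CVE-2024-56337 part of this update should state plainly that the property must be carried into customized configurations for the fix to be effective.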


@ -32,7 +32,7 @@
%global major_version 9 %global major_version 9
%global minor_version 0 %global minor_version 0
%global micro_version 87 %global micro_version 87
%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00008-src %global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00010-src
%global servletspec 4.0 %global servletspec 4.0
%global elspec 3.0 %global elspec 3.0
%global tcuid 53 %global tcuid 53
@ -56,7 +56,7 @@
Name: tomcat Name: tomcat
Epoch: 1 Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version} Version: %{major_version}.%{minor_version}.%{micro_version}
Release: 1%{?dist}.3 Release: 1%{?dist}.4
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0 License: ASL 2.0
@ -556,6 +556,12 @@ fi
%changelog %changelog
* Mon May 26 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-1.el8_10.4
- Resolves: RHEL-91761
tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (CVE-2025-31650)
- Resolves: RHEL-71971
tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation (CVE-2024-56337)
* Wed Apr 02 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-1.el8_10.3 * Wed Apr 02 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-1.el8_10.3
- Resolves: RHEL-82934 - Resolves: RHEL-82934
tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813) tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)
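Review bot: the new %changelog entry lists both RHEL issues with their CVE ids and matches the commit message and the Release bump to 1%{?dist}.4, but it omits the one user-visible change in this update, the addition of -Dsun.io.useCanonCaches=false to the default OPTIONS; consider a line such as "- Set -Dsun.io.useCanonCaches=false in the default tomcat configuration" so administrators reading the changelog know to mirror it in their own configs. The entry date (Mon May 26 2025) predates the commit date, which is acceptable as long as the entries remain in descending order, which they do.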