Rebase to version 10.1.36

Resolves: RHEL-82927 - tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
Resolves: RHEL-87272 - tomcat: DoS in examples web application
Resolves: RHEL-87273 - tomcat: Authentication bypass when using Jakarta Authentication API
Adam Krajcik 2025-04-10 11:24:15 +02:00
parent bd1bc8d61b
commit 483be6105f
5 changed files with 44 additions and 26 deletions


@ -1,6 +1,6 @@
--- build.xml.orig 2025-02-04 18:48:03.291725907 +0100
+++ build.xml 2025-02-04 18:56:28.876849900 +0100
@@ -1071,7 +1071,7 @@
--- build.xml.orig
+++ build.xml
@@ -1124,7 +1124,7 @@
filesDir="${tomcat.classes}"
filesId="files.annotations-api"
manifest="${tomcat.manifests}/annotations-api.jar.manifest"
@ -9,7 +9,7 @@
<!-- Servlet Implementation JAR File -->
<jarIt jarfile="${servlet-api.jar}"
@@ -1080,48 +1080,48 @@
@@ -1133,48 +1133,48 @@
manifest="${tomcat.manifests}/servlet-api.jar.manifest"
notice="${tomcat.manifests}/servlet-api.jar.notice"
license="${tomcat.manifests}/servlet-api.jar.license"
@ -65,7 +65,7 @@
<!-- Bootstrap JAR File -->
<jarIt jarfile="${bootstrap.jar}"
@@ -1133,61 +1133,61 @@
@@ -1186,68 +1186,68 @@
<jarIt jarfile="${tomcat-util.jar}"
filesDir="${tomcat.classes}"
filesId="files.tomcat-util"
@ -97,6 +97,14 @@
filesDir="${tomcat.classes}"
filesId="files.tomcat-coyote"
- addOSGi="true" />
+ addOSGi="false" />
<!-- OpenSSL FFM - Coyote -->
<jarIt jarfile="${tomcat-coyote-ffm.jar}"
filesDir="${tomcat.classes}"
filesId="files.tomcat-coyote-ffm"
manifest="${tomcat.manifests}/tomcat-coyote-ffm.jar.manifest"
- addOSGi="true" />
+ addOSGi="false" />
<!-- WebSocket implementation JAR File -->
@ -137,7 +145,7 @@
<!-- Catalina Ant Tasks JAR File -->
<jarIt jarfile="${catalina-ant.jar}"
@@ -1198,27 +1198,27 @@
@@ -1258,27 +1258,27 @@
<jarIt jarfile="${catalina-storeconfig.jar}"
filesDir="${tomcat.classes}"
filesId="files.catalina-storeconfig"
@ -169,7 +177,7 @@
<!-- i18n JARs -->
<jar jarfile="${tomcat.build}/lib/tomcat-i18n-cs.jar"
@@ -1704,7 +1704,7 @@
@@ -1742,7 +1742,7 @@
filesId="files.tomcat-embed-core"
notice="${tomcat.manifests}/servlet-api.jar.notice"
license="${tomcat.manifests}/servlet-api.jar.license"
@ -178,7 +186,7 @@
addGraal="true"
graalPrefix="org.apache.tomcat.embed/tomcat-embed-core"
graalFiles="res/graal/tomcat-embed-core/native-image"
@@ -1712,7 +1712,7 @@
@@ -1750,7 +1750,7 @@
<jarIt jarfile="${tomcat-embed-el.jar}"
filesDir="${tomcat.classes}"
filesId="files.tomcat-embed-el"
@ -187,7 +195,7 @@
addGraal="true"
graalPrefix="org.apache.tomcat.embed/tomcat-embed-el"
graalFiles="res/graal/tomcat-embed-el/native-image"
@@ -1721,7 +1721,7 @@
@@ -1759,7 +1759,7 @@
filesDir="${tomcat.classes}"
filesId="files.tomcat-embed-jasper"
meta-inf="${tomcat.manifests}/jasper.jar"
@ -196,7 +204,7 @@
addGraal="true"
graalPrefix="org.apache.tomcat.embed/tomcat-embed-jasper"
graalFiles="res/graal/tomcat-embed-jasper/native-image"
@@ -1730,7 +1730,7 @@
@@ -1768,7 +1768,7 @@
filesDir="${tomcat.classes}"
filesId="files.tomcat-embed-websocket"
meta-inf="${tomcat.manifests}/tomcat-websocket.jar"


@ -1 +1 @@
SHA512 (tomcat-10.1.8.redhat-00022-src.zip) = 78c9fadb1cbe42047860acb3894a6e9c47d07ec05229e0a31813737a9ebdc7c7f8ce72077951741535c7ac5e083ab8bd852897f6f6901fd19fbee5f6ca833be9
SHA512 (tomcat-10.1.36.redhat-00007-src.zip) = 2b40fad4c984278a4fa4e25e2ff9ac16866edf49f8b026531f491af1392f3e9315fde24c4fc07d4f4fe12f2ae8d1fa402bf3b4f02ce2a14f448d7076f4cdaa33


@ -1,21 +1,21 @@
--- java/org/apache/jasper/compiler/JDTCompiler.java.orig 2025-02-04 19:19:35.610448198 +0100
+++ java/org/apache/jasper/compiler/JDTCompiler.java 2025-02-04 19:22:46.320745556 +0100
@@ -314,9 +314,9 @@ public class JDTCompiler extends org.apa
} else if(opt.equals("17")) {
--- java/org/apache/jasper/compiler/JDTCompiler.java
+++ java/org/apache/jasper/compiler/JDTCompiler.java
@@ -302,9 +302,9 @@
} else if (opt.equals("17")) {
settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_17);
} else if(opt.equals("18")) {
} else if (opt.equals("18")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_18);
+ settings.put(CompilerOptions.OPTION_Source, "18");
} else if (opt.equals("19")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_19);
+ settings.put(CompilerOptions.OPTION_Source, "19");
} else if (opt.equals("20")) {
// Constant not available in latest ECJ version shipped with
// Tomcat. May be supported in a snapshot build.
@@ -389,11 +389,11 @@ public class JDTCompiler extends org.apa
// Constant not available in latest ECJ version that runs on
// Java 11.
@@ -392,11 +392,11 @@
settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_17);
settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_17);
} else if(opt.equals("18")) {
} else if (opt.equals("18")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_18);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_18);
+ settings.put(CompilerOptions.OPTION_TargetPlatform, "18");
@ -26,5 +26,5 @@
+ settings.put(CompilerOptions.OPTION_TargetPlatform, "19");
+ settings.put(CompilerOptions.OPTION_Compliance, "19");
} else if (opt.equals("20")) {
// Constant not available in latest ECJ version shipped with
// Tomcat. May be supported in a snapshot build.
// Constant not available in latest ECJ version that runs on
// Java 11.


@ -10,7 +10,8 @@ OPTIONS="-Dcatalina.base=$CATALINA_BASE \
-Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS \
-Djava.io.tmpdir=$CATALINA_TMPDIR \
-Djava.util.logging.config.file=${LOGGING_PROPERTIES} \
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager"
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Dsun.io.useCanonCaches=false"
if [ "$1" = "start" ] ; then
FLAGS="${FLAGS} $CATALINA_OPTS"
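Review bot: The new `-Dsun.io.useCanonCaches=false` entry in OPTIONS carries no comment, and none of the three issues named in the commit message obviously explains a JVM canonical-path-cache flag, so the next person touching this file cannot tell whether it is safe to drop. If it is the setting the Tomcat project asks for on Java 8/11 alongside the case-insensitive-filesystem hardening, say so in place, e.g. `# Disable the JDK canonical path cache; recommended by the Tomcat project on Java 8/11 (harmless on 17+, where the property is already off or removed) — see changelog.`, and make sure the corresponding RHEL ticket is listed in the commit message and changelog. Note also that if tomcat.conf is installed as `%config(noreplace)`, existing deployments keep their old file and will not pick up this flag — worth a changelog line telling administrators to add it by hand; I cannot see the spec's %files section from here to confirm.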

View File

@ -31,8 +31,8 @@
%global jspspec 3.1
%global major_version 10
%global minor_version 1
%global micro_version 8
%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00022-src
%global micro_version 36
%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00007-src
%global servletspec 6.0
%global elspec 5.0
%global tcuid 53
@ -53,7 +53,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
Release: 2%{?dist}
Release: 1%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: Apache-2.0
@ -534,6 +534,15 @@ exit 0
%{appdir}/ROOT
%changelog
* Mon Apr 14 2025 Adam Krajcik <akrajcik@redhat.com> - 1:10.1.36-1
- Rebase tomcat to 10.1.36
- Resolves: RHEL-82925
tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)
- Resolves: RHEL-87272
tomcat: DoS in examples web application (CVE-2024-54677)
- Resolves: RHEL-87273
tomcat: Authentication bypass when using Jakarta Authentication API (CVE-2024-52316)
* Tue Feb 11 2025 Adam Krajcik <akrajcik@redhat.com> - 1:10.1.8-2
- Resolves: RHEL-78899 Add missing Obsoletes
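Review bot: The changelog entry for the partial-PUT issue cites `RHEL-82925`, while the commit message cites `RHEL-82927` for the same CVE-2025-24813 line; one of the two is a typo, and the errata tooling will link whichever ticket is wrong. Confirm against the tracker and make both agree — if the commit message is right, the line should read `- Resolves: RHEL-82927`. The other two ticket IDs (RHEL-87272, RHEL-87273) match between message and changelog.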