Rebase to version 10.1.36

Resolves: RHEL-82927 - tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT
Resolves: RHEL-87272 - tomcat: DoS in examples web application
Resolves: RHEL-87273 - tomcat: Authentication bypass when using Jakarta Authentication API

rhbz-1857043.patch

@@ -1,6 +1,6 @@
---- build.xml.orig	2025-02-04 18:48:03.291725907 +0100
+--- build.xml.orig
-+++ build.xml	2025-02-04 18:56:28.876849900 +0100
++++ build.xml
-@@ -1071,7 +1071,7 @@
+@@ -1124,7 +1124,7 @@
        filesDir="${tomcat.classes}"
        filesId="files.annotations-api"
        manifest="${tomcat.manifests}/annotations-api.jar.manifest"
@@ -9,7 +9,7 @@
  
      <!-- Servlet Implementation JAR File -->
      <jarIt jarfile="${servlet-api.jar}"
-@@ -1080,48 +1080,48 @@
+@@ -1133,48 +1133,48 @@
        manifest="${tomcat.manifests}/servlet-api.jar.manifest"
        notice="${tomcat.manifests}/servlet-api.jar.notice"
        license="${tomcat.manifests}/servlet-api.jar.license"
@@ -65,7 +65,7 @@
  
      <!-- Bootstrap JAR File -->
      <jarIt jarfile="${bootstrap.jar}"
-@@ -1133,61 +1133,61 @@
+@@ -1186,68 +1186,68 @@
      <jarIt jarfile="${tomcat-util.jar}"
        filesDir="${tomcat.classes}"
        filesId="files.tomcat-util"
@@ -97,6 +97,14 @@
        filesDir="${tomcat.classes}"
        filesId="files.tomcat-coyote"
 -      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- OpenSSL FFM - Coyote -->
+     <jarIt jarfile="${tomcat-coyote-ffm.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.tomcat-coyote-ffm"
+       manifest="${tomcat.manifests}/tomcat-coyote-ffm.jar.manifest"
+-      addOSGi="true" />
 +      addOSGi="false" />
  
      <!-- WebSocket implementation JAR File -->
@@ -137,7 +145,7 @@
  
      <!-- Catalina Ant Tasks JAR File -->
      <jarIt jarfile="${catalina-ant.jar}"
-@@ -1198,27 +1198,27 @@
+@@ -1258,27 +1258,27 @@
      <jarIt jarfile="${catalina-storeconfig.jar}"
        filesDir="${tomcat.classes}"
        filesId="files.catalina-storeconfig"
@@ -169,7 +177,7 @@
  
      <!-- i18n JARs -->
      <jar jarfile="${tomcat.build}/lib/tomcat-i18n-cs.jar"
-@@ -1704,7 +1704,7 @@
+@@ -1742,7 +1742,7 @@
             filesId="files.tomcat-embed-core"
             notice="${tomcat.manifests}/servlet-api.jar.notice"
             license="${tomcat.manifests}/servlet-api.jar.license"
@@ -178,7 +186,7 @@
             addGraal="true"
             graalPrefix="org.apache.tomcat.embed/tomcat-embed-core"
             graalFiles="res/graal/tomcat-embed-core/native-image"
-@@ -1712,7 +1712,7 @@
+@@ -1750,7 +1750,7 @@
      <jarIt jarfile="${tomcat-embed-el.jar}"
             filesDir="${tomcat.classes}"
             filesId="files.tomcat-embed-el"
@@ -187,7 +195,7 @@
             addGraal="true"
             graalPrefix="org.apache.tomcat.embed/tomcat-embed-el"
             graalFiles="res/graal/tomcat-embed-el/native-image"
-@@ -1721,7 +1721,7 @@
+@@ -1759,7 +1759,7 @@
             filesDir="${tomcat.classes}"
             filesId="files.tomcat-embed-jasper"
             meta-inf="${tomcat.manifests}/jasper.jar"
@@ -196,7 +204,7 @@
             addGraal="true"
             graalPrefix="org.apache.tomcat.embed/tomcat-embed-jasper"
             graalFiles="res/graal/tomcat-embed-jasper/native-image"
-@@ -1730,7 +1730,7 @@
+@@ -1768,7 +1768,7 @@
             filesDir="${tomcat.classes}"
             filesId="files.tomcat-embed-websocket"
             meta-inf="${tomcat.manifests}/tomcat-websocket.jar"

sources

@@ -1 +1 @@
-SHA512 (tomcat-10.1.8.redhat-00022-src.zip) = 78c9fadb1cbe42047860acb3894a6e9c47d07ec05229e0a31813737a9ebdc7c7f8ce72077951741535c7ac5e083ab8bd852897f6f6901fd19fbee5f6ca833be9
+SHA512 (tomcat-10.1.36.redhat-00007-src.zip) = 2b40fad4c984278a4fa4e25e2ff9ac16866edf49f8b026531f491af1392f3e9315fde24c4fc07d4f4fe12f2ae8d1fa402bf3b4f02ce2a14f448d7076f4cdaa33

tomcat-10.1-JDTCompiler.patch

@@ -1,21 +1,21 @@
---- java/org/apache/jasper/compiler/JDTCompiler.java.orig	2025-02-04 19:19:35.610448198 +0100
+--- java/org/apache/jasper/compiler/JDTCompiler.java
-+++ java/org/apache/jasper/compiler/JDTCompiler.java	2025-02-04 19:22:46.320745556 +0100
++++ java/org/apache/jasper/compiler/JDTCompiler.java
-@@ -314,9 +314,9 @@ public class JDTCompiler extends org.apa
+@@ -302,9 +302,9 @@
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
                  settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_17);
-             } else if(opt.equals("18")) {
+             } else if (opt.equals("18")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_18);
 +                settings.put(CompilerOptions.OPTION_Source, "18");
              } else if (opt.equals("19")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_19);
 +                settings.put(CompilerOptions.OPTION_Source, "19");
              } else if (opt.equals("20")) {
-                 // Constant not available in latest ECJ version shipped with
+                 // Constant not available in latest ECJ version that runs on
-                 // Tomcat. May be supported in a snapshot build.
+                 // Java 11.
-@@ -389,11 +389,11 @@ public class JDTCompiler extends org.apa
+@@ -392,11 +392,11 @@
                  settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_17);
                  settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_17);
-             } else if(opt.equals("18")) {
+             } else if (opt.equals("18")) {
 -                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_18);
 -                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_18);
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "18");
@@ -26,5 +26,5 @@
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "19");
 +                settings.put(CompilerOptions.OPTION_Compliance, "19");
              } else if (opt.equals("20")) {
-                 // Constant not available in latest ECJ version shipped with
+                 // Constant not available in latest ECJ version that runs on
-                 // Tomcat. May be supported in a snapshot build.
+                 // Java 11.

tomcat-server

@@ -10,7 +10,8 @@ OPTIONS="-Dcatalina.base=$CATALINA_BASE \
 -Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS \
 -Djava.io.tmpdir=$CATALINA_TMPDIR \
 -Djava.util.logging.config.file=${LOGGING_PROPERTIES} \
--Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager"
+-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
+-Dsun.io.useCanonCaches=false"
 
 if [ "$1" = "start" ] ; then
   FLAGS="${FLAGS} $CATALINA_OPTS"

tomcat.spec

@@ -31,8 +31,8 @@
 %global jspspec 3.1
 %global major_version 10
 %global minor_version 1
-%global micro_version 8
+%global micro_version 36
-%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00022-src
+%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00007-src
 %global servletspec 6.0
 %global elspec 5.0
 %global tcuid 53
@@ -53,7 +53,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       2%{?dist}
+Release:       1%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       Apache-2.0
@@ -534,6 +534,15 @@ exit 0
 %{appdir}/ROOT
 
 %changelog
+* Mon Apr 14 2025 Adam Krajcik <akrajcik@redhat.com> - 1:10.1.36-1
+- Rebase tomcat to 10.1.36
+- Resolves: RHEL-82925
+  tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)
+- Resolves: RHEL-87272
+  tomcat: DoS in examples web application (CVE-2024-54677)
+- Resolves: RHEL-87273
+  tomcat: Authentication bypass when using Jakarta Authentication API (CVE-2024-52316)
+
 * Tue Feb 11 2025 Adam Krajcik <akrajcik@redhat.com> - 1:10.1.8-2
 - Resolves: RHEL-78899 Add missing Obsoletes