RESOLVES: RHEL-150714: CVE-2026-24734 Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation

2026-05-18 17:33:32 +02:00 · 2026-05-18 17:33:32 +02:00 · 5fd51df351
commit 5fd51df351
parent 13fac161c7
4 changed files with 30 additions and 3996 deletions
--- a/rhel-150714.patch
+++ b/rhel-150714.patch
--- a/rhel-168081.patch
+++ b/rhel-168081.patch
@ -1,34 +0,0 @@
-diff -up ./java/org/apache/coyote/ajp/Constants.java ./java/org/apache/coyote/ajp/Constants.java
--- ./java/org/apache/coyote/ajp/Constants.java	2025-10-01 04:36:05.000000000 -0400
-+++ ./java/org/apache/coyote/ajp/Constants.java	2026-04-14 15:27:50.820988961 -0400
-@@ -105,7 +105,7 @@
-
-     // Translates integer codes to names of HTTP methods
-     private static final String[] methodTransArray =
-            { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.OPTIONS, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
-+            { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.DELETE, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
-                     Method.MOVE, Method.LOCK, Method.UNLOCK, "ACL", "REPORT", "VERSION-CONTROL", "CHECKIN", "CHECKOUT", "UNCHECKOUT",
-                     "SEARCH", "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY" };
-
-diff -up ./test/org/apache/catalina/realm/TestRealmBase.java ./test/org/apache/catalina/realm/TestRealmBase.java
--- ./test/org/apache/catalina/realm/TestRealmBase.java	2025-10-01 04:36:05.000000000 -0400
-+++ ./test/org/apache/catalina/realm/TestRealmBase.java	2026-04-14 15:27:50.821211035 -0400
-@@ -660,7 +660,7 @@
-         SecurityConstraint deleteConstraint = new SecurityConstraint();
-         deleteConstraint.addAuthRole(ROLE1);
-         SecurityCollection deleteCollection = new SecurityCollection();
-        deleteCollection.addMethod(Method.OPTIONS);
-+        deleteCollection.addMethod(Method.DELETE);
-         deleteCollection.addPatternDecoded("/*");
-         deleteConstraint.addCollection(deleteCollection);
-
-@@ -772,7 +772,7 @@
-
-         // Only user1 should be able to perform a DELETE as only that user has
-         // role1.
-        request.setMethod(Method.OPTIONS);
-+        request.setMethod(Method.DELETE);
-
-         SecurityConstraint[] constraintsDelete =
-                 mapRealm.findSecurityConstraints(request, context);
-
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.110-src.tar.gz) = a8fe2c59a801d6fb16ea74019c6fc58c34543d4d25a16d64e929e67c7736f6e16d08ec2061b37f1783ebfa0b1dacfff991e46ed5d24d89300a140cb94449f570
+SHA512 (apache-tomcat-9.0.117-src.tar.gz) = f40854a6ed1f208ccdd3da82527fc806eb9231aebaee86d6987e9699d1d31bb548765241424368708b89bdce01d4558a638532a35932f686d3edabd26951041d
--- a/tomcat.spec
+++ b/tomcat.spec
@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 110
+%global micro_version 117
 %global packdname apache-%{name}-%{major_version}.%{minor_version}.%{micro_version}-src
 %global servletspec 4.0
 %global elspec 3.0
@ -56,7 +56,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       4%{?dist}
+Release:       1%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API

 License:       ASL 2.0
@ -81,8 +81,6 @@ Patch2:        %{name}-build.patch
 Patch3:        %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4:        rhbz-1857043.patch
 Patch6:        %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch
-Patch7:        rhel-168081.patch
-Patch8:        rhel-150714.patch

 BuildArch:     noarch

@ -199,8 +197,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch -P3 -p0
 %patch -P4 -p0
 %patch -P6 -p0
-%patch -P7 -p1
-%patch -P8 -p1

 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@ -566,8 +562,34 @@ fi
 %{appdir}/ROOT

 %changelog
-* Tue Apr 20 2026 Pietro Meloni <pmeloni@redhat.com> - 1:9.0.110-4
+* Wed May 26 2026 Pietro Meloni <pmeloni@redhat.com> - 1:9.0.117-1
 - Resolves: RHEL-150714 Certificate revocation bypass due to improper OCSP response validation
+- Resolves:
+  Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
+- Resolves:
+  Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
+- Resolves:
+  Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
+- Resolves:
+  Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
+- Resolves:
+  Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
+- Resolves:
+  Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
+- Resolves:
+  Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
+- Resolves:
+  Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
+- Resolves:
+  Tomcat: Occasionally open redirect (CVE-2026-25854)
+- Resolves:
+  Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
+- Resolves:
+  Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
+- Resolves:
+  Tomcat: Security constraint bypass (CVE-2026-24733)
+- Resolves:
+  Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)

 * Tue Apr 14 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-3
 - Resolves: RHEL-168081 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848)