diff --git a/.gitignore b/.gitignore index 36661cc..5596185 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/tomcat-9.0.62.redhat-00018-src.zip +SOURCES/tomcat-9.0.87.redhat-00005-src.zip diff --git a/.tomcat.metadata b/.tomcat.metadata index d04ed8b..2c0fd0d 100644 --- a/.tomcat.metadata +++ b/.tomcat.metadata @@ -1 +1 @@ -5becf21ed1eb5c031c31d5f295ce499234e98f82 SOURCES/tomcat-9.0.62.redhat-00018-src.zip +3aeb163e738a5f2a4d2fc20f72d978813a459d5c SOURCES/tomcat-9.0.87.redhat-00005-src.zip diff --git a/SOURCES/fix-malformed-dtd.patch b/SOURCES/fix-malformed-dtd.patch deleted file mode 100644 index f5f7546..0000000 --- a/SOURCES/fix-malformed-dtd.patch +++ /dev/null @@ -1,8 +0,0 @@ -diff -up ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd.orig ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd ---- ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd.orig 2023-02-07 14:11:25.294179017 -0500 -+++ ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd 2023-02-07 14:11:28.629196705 -0500 -@@ -1,4 +1,3 @@ -- - diff --git a/java/org/apache/el/ExpressionFactoryImpl.java b/java/org/apache/el/ExpressionFactoryImpl.java -index a6faeb6..5afbda7 100644 +index 3a6690a..03a2afe 100644 --- a/java/org/apache/el/ExpressionFactoryImpl.java +++ b/java/org/apache/el/ExpressionFactoryImpl.java -@@ -33,7 +33,7 @@ import org.apache.el.util.MessageFactory; +@@ -34,7 +34,7 @@ import org.apache.el.util.MessageFactory; * * @author Jacob Hookom [jacob@hookom.net] */ @@ -23,9 +23,9 @@ index a6faeb6..5afbda7 100644 +//@aQute.bnd.annotation.spi.ServiceProvider(value=ExpressionFactory.class) public class ExpressionFactoryImpl extends ExpressionFactory { - @Override + static { diff --git a/java/org/apache/juli/logging/LogFactory.java b/java/org/apache/juli/logging/LogFactory.java -index 56c805a..bd6eb0d 100644 +index bfc4238..acf989a 100644 --- a/java/org/apache/juli/logging/LogFactory.java +++ b/java/org/apache/juli/logging/LogFactory.java 
@@ -21,7 +21,7 @@ import java.nio.file.FileSystems; @@ -41,34 +41,34 @@ index 56c805a..bd6eb0d 100644 * @author Costin Manolache * @author Richard A. Sitze */ --@ServiceConsumer(value=org.apache.juli.logging.Log.class) -+//@ServiceConsumer(value=org.apache.juli.logging.Log.class) +-@ServiceConsumer(value=Log.class) ++//@ServiceConsumer(value=Log.class) public class LogFactory { private static final LogFactory singleton = new LogFactory(); diff --git a/java/org/apache/tomcat/websocket/WsContainerProvider.java b/java/org/apache/tomcat/websocket/WsContainerProvider.java -index 3cb8873..7bc50f6 100644 +index 4b0577c..e383290 100644 --- a/java/org/apache/tomcat/websocket/WsContainerProvider.java +++ b/java/org/apache/tomcat/websocket/WsContainerProvider.java @@ -19,7 +19,7 @@ package org.apache.tomcat.websocket; import javax.websocket.ContainerProvider; import javax.websocket.WebSocketContainer; --@aQute.bnd.annotation.spi.ServiceProvider(value=ContainerProvider.class) -+//@aQute.bnd.annotation.spi.ServiceProvider(value=ContainerProvider.class) +-@aQute.bnd.annotation.spi.ServiceProvider(value = ContainerProvider.class) ++//@aQute.bnd.annotation.spi.ServiceProvider(value = ContainerProvider.class) public class WsContainerProvider extends ContainerProvider { @Override diff --git a/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java b/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java -index 5c385ed..2e4e82e 100644 +index 00f492e..fe5c34d 100644 --- a/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java +++ b/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java 
@@ -26,7 +26,7 @@ import javax.websocket.HandshakeResponse; import javax.websocket.server.HandshakeRequest; import javax.websocket.server.ServerEndpointConfig; --@aQute.bnd.annotation.spi.ServiceProvider(value=ServerEndpointConfig.Configurator.class) -+//@aQute.bnd.annotation.spi.ServiceProvider(value=ServerEndpointConfig.Configurator.class) - public class DefaultServerEndpointConfigurator - extends ServerEndpointConfig.Configurator { +-@aQute.bnd.annotation.spi.ServiceProvider(value = ServerEndpointConfig.Configurator.class) ++//@aQute.bnd.annotation.spi.ServiceProvider(value = ServerEndpointConfig.Configurator.class) + public class DefaultServerEndpointConfigurator extends ServerEndpointConfig.Configurator { + @Override diff --git a/SOURCES/tomcat-build.patch b/SOURCES/tomcat-build.patch index 49c63ff..608a785 100644 --- a/SOURCES/tomcat-build.patch +++ b/SOURCES/tomcat-build.patch @@ -1,12 +1,11 @@ -diff -up ./res/bnd/build-defaults.bnd.orig ./res/bnd/build-defaults.bnd ---- ./res/bnd/build-defaults.bnd.orig 2020-07-13 13:47:01.229077747 -0400 -+++ ./res/bnd/build-defaults.bnd 2020-07-13 13:47:12.923095618 -0400 +--- ./res/bnd/build-defaults.bnd.orig 2024-05-01 11:07:38.804582327 +0300 ++++ ./res/bnd/build-defaults.bnd 2024-05-01 11:17:08.857295279 +0300 @@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. - + -Bundle-Version: ${version_cleanup;${version}} +Bundle-Version: ${version} - + Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt + Specification-Title: Apache Tomcat - Specification-Version: ${version.major.minor} diff --git a/SPECS/tomcat.spec b/SPECS/tomcat.spec index 07c436c..3e34334 100644 --- a/SPECS/tomcat.spec +++ b/SPECS/tomcat.spec 
@@ -31,8 +31,8 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 62
-%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00018-src
+%global micro_version 87
+%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00005-src
 %global servletspec 4.0
 %global elspec 3.0
 %global tcuid 53
@@ -56,7 +56,7 @@
 Name: tomcat
 Epoch: 1
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 30%{?dist}
+Release: 1%{?dist}.2
 Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 License: ASL 2.0
@@ -83,7 +83,6 @@ Patch4: rhbz-1857043.patch
 # remove bnd dependency which version is too low on rhel8
 Patch6: remove-bnd-annotation.patch
 Patch7: JmxRemoteLifecycleListener.patch
-Patch8: fix-malformed-dtd.patch
 BuildArch: noarch
@@ -198,7 +197,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch -P4 -p0
 %patch -P6 -p1
 %patch -P7 -p1
-%patch -P8 -p1
 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@@ -558,25 +556,46 @@ fi
 %changelog
+* Thu Aug 08 2024 Adam Krajcik - 1:9.0.87-1.el8_10.2
+- Resolves: RHEL-46167
+ tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)
+
+* Mon Jun 03 2024 Sokratis Zappis - 1:9.0.87-1.el8_10.1
+- Resolves: RHEL-38548 - Amend tomcat package's changelog so that fixed CVEs are mentioned explicitly
+- Resolves: RHEL-35813 - Rebase tomcat to version 9.0.87
+- Resolves: RHEL-29255
+ tomcat: Apache Tomcat: WebSocket DoS with incomplete closing handshake (CVE-2024-23672)
+- Resolves: RHEL-29250
+ tomcat: Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)
+
 * Fri Jan 19 2024 Hui Wang - 1:9.0.62-30
 - Resolves: RHEL-6971
 * Thu Jan 18 2024 Hui Wang - 1:9.0.62-29
 - Resolves: RHEL-17602
+ tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
+- tomcat: Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)
 * Thu Nov 23 2023 Hui Wang - 1:9.0.62-28
 - Resolves: RHEL-13907
+ tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)
 - Resolves: RHEL-13904
+ tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)
 - Resolves: RHEL-12951
+ tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)
 - Resolves: RHEL-12544
+ tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
 - Resolves: RHEL-2386
+ tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)
 * Fri Oct 13 2023 Hui Wang - 1:9.0.62-27
 - Related: RHEL-12543
+ tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
 - Bump release number
 * Thu Oct 12 2023 Hui Wang - 1:9.0.62-16
-- Resolves: RHEL-12543 HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack)
+- Resolves: RHEL-12543
+ tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to 
a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
 - Remove JDK subpackges which are unused
 * Fri Sep 08 2023 Hui Wang - 1:9.0.62-14
@@ -594,6 +613,10 @@ fi
 * Fri Aug 18 2023 Hui Wang - 1:9.0.62-10
 - Resolves: #2210630 CVE-2023-28709 tomcat
 - Resolves: #2181448 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
+- tomcat: Apache Commons FileUpload: FileUpload DoS with excessive parts (CVE-2023-24998)
+ tomcat: JsonErrorReportValve injection (CVE-2022-45143)
+ tomcat: request smuggling (CVE-2022-42252)
+ tomcat: local privilege escalation vulnerability (CVE-2022-23181)
 * Thu Aug 17 2023 Hui Wang - 1:9.0.62-9
 - Resolves: #2184135 Add Obsoletes to tomcat package
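Review bot: CVE-2024-24549 is now attributed twice in the `@@ -558,25 +556,46 @@` hunk: the new Jun 03 2024 entry lists it under the 9.0.87 rebase (RHEL-29250), and the amended Jan 18 2024 entry for 1:9.0.62-29 gains `+- tomcat: Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)` alongside RHEL-17602; unless the 9.0.62-29 build really carried that fix, the amended line misstates which build first addressed it, and these changelog lines are what downstream advisories and scanners rely on. The amended bullets here and in the `@@ -594,6 +613,10 @@` hunk (`+- tomcat: Apache Commons FileUpload: ...` and its continuation lines) also omit the `- Resolves:` ticket prefix that every other entry in the file uses, so they cannot be traced back to a tracker item; attaching the ticket, or folding each CVE under the existing `- Resolves:` line of the build that shipped it, would keep the format consistent. Separately, the Aug 08 2024 entry claims CVE-2024-34750 for release `1%{?dist}.2`, yet nothing else in this diff references that fix (no new Patch line and a single source zip in `.tomcat.metadata`), so if it is carried inside the rebuilt upstream sources the entry should say so rather than leaving the reader to infer it.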