import CS git tomcat-9.0.117-1.el9_8
This commit is contained in:
parent
0a74dde96c
commit
6a06a8714a
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
SOURCES/apache-tomcat-9.0.110-src.tar.gz
|
||||
SOURCES/apache-tomcat-9.0.117-src.tar.gz
|
||||
|
||||
@ -1 +1 @@
|
||||
8c9f0f1e544993d3ff75fc08017643159ccf05be SOURCES/apache-tomcat-9.0.110-src.tar.gz
|
||||
0dd5e6286a035d8d3e0027ad795d284c09ec3968 SOURCES/apache-tomcat-9.0.117-src.tar.gz
|
||||
|
||||
@ -1,54 +0,0 @@
|
||||
diff -up ./java/org/apache/coyote/ajp/Constants.java ./java/org/apache/coyote/ajp/Constants.java
|
||||
--- ./java/org/apache/coyote/ajp/Constants.java 2025-10-01 04:36:05.000000000 -0400
|
||||
+++ ./java/org/apache/coyote/ajp/Constants.java 2026-04-14 15:27:50.820988961 -0400
|
||||
@@ -105,7 +105,7 @@
|
||||
|
||||
// Translates integer codes to names of HTTP methods
|
||||
private static final String[] methodTransArray =
|
||||
- { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.OPTIONS, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
|
||||
+ { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.DELETE, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
|
||||
Method.MOVE, Method.LOCK, Method.UNLOCK, "ACL", "REPORT", "VERSION-CONTROL", "CHECKIN", "CHECKOUT", "UNCHECKOUT",
|
||||
"SEARCH", "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY" };
|
||||
|
||||
diff -up ./test/org/apache/catalina/realm/TestRealmBase.java ./test/org/apache/catalina/realm/TestRealmBase.java
|
||||
--- ./test/org/apache/catalina/realm/TestRealmBase.java 2025-10-01 04:36:05.000000000 -0400
|
||||
+++ ./test/org/apache/catalina/realm/TestRealmBase.java 2026-04-14 15:27:50.821211035 -0400
|
||||
@@ -660,7 +660,7 @@
|
||||
SecurityConstraint deleteConstraint = new SecurityConstraint();
|
||||
deleteConstraint.addAuthRole(ROLE1);
|
||||
SecurityCollection deleteCollection = new SecurityCollection();
|
||||
- deleteCollection.addMethod(Method.OPTIONS);
|
||||
+ deleteCollection.addMethod(Method.DELETE);
|
||||
deleteCollection.addPatternDecoded("/*");
|
||||
deleteConstraint.addCollection(deleteCollection);
|
||||
|
||||
@@ -772,7 +772,7 @@
|
||||
|
||||
// Only user1 should be able to perform a DELETE as only that user has
|
||||
// role1.
|
||||
- request.setMethod(Method.OPTIONS);
|
||||
+ request.setMethod(Method.DELETE);
|
||||
|
||||
SecurityConstraint[] constraintsDelete =
|
||||
mapRealm.findSecurityConstraints(request, context);
|
||||
diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
|
||||
--- ./webapps/docs/changelog.xml.orig 2026-04-14 15:48:53.192243701 -0400
|
||||
+++ ./webapps/docs/changelog.xml 2026-04-14 15:49:48.893470762 -0400
|
||||
@@ -104,6 +104,17 @@
|
||||
They eventually become mixed with the numbered issues (i.e., numbered
|
||||
issues do not "pop up" wrt. others).
|
||||
-->
|
||||
+<section name="Tomcat 9.0.110-redhat (csutherl)" rtext="">
|
||||
+ <subsection name="Coyote">
|
||||
+ <changelog>
|
||||
+ <fix>
|
||||
+ <bug>69848</bug>: Fix copy/paste error that meant DELETE
|
||||
+ requests received via the AJP connector were processed as OPTIONS
|
||||
+ requests. (markt)
|
||||
+ </fix>
|
||||
+ </changelog>
|
||||
+ </subsection>
|
||||
+</section>
|
||||
<section name="Tomcat 9.0.110 (remm)" rtext="">
|
||||
<subsection name="Catalina">
|
||||
<changelog>
|
||||
@ -31,7 +31,7 @@
|
||||
%global jspspec 2.3
|
||||
%global major_version 9
|
||||
%global minor_version 0
|
||||
%global micro_version 110
|
||||
%global micro_version 117
|
||||
%global packdname apache-%{name}-%{major_version}.%{minor_version}.%{micro_version}-src
|
||||
%global servletspec 4.0
|
||||
%global elspec 3.0
|
||||
@ -56,7 +56,7 @@
|
||||
Name: tomcat
|
||||
Epoch: 1
|
||||
Version: %{major_version}.%{minor_version}.%{micro_version}
|
||||
Release: 3%{?dist}
|
||||
Release: 1%{?dist}
|
||||
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
|
||||
|
||||
License: ASL 2.0
|
||||
@ -81,7 +81,6 @@ Patch2: %{name}-build.patch
|
||||
Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
|
||||
Patch4: rhbz-1857043.patch
|
||||
Patch6: %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch
|
||||
Patch7: rhel-168081.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -198,7 +197,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
|
||||
%patch -P3 -p0
|
||||
%patch -P4 -p0
|
||||
%patch -P6 -p0
|
||||
%patch -P7 -p1
|
||||
|
||||
# Remove webservices naming resources as it's generally unused
|
||||
%{__rm} -rf java/org/apache/naming/factory/webservices
|
||||
@ -563,8 +561,36 @@ fi
|
||||
%defattr(0644,tomcat,tomcat,0755)
|
||||
%{appdir}/ROOT
|
||||
|
||||
|
||||
%changelog
|
||||
* Wed May 26 2026 Pietro Meloni <pmeloni@redhat.com> - 1:9.0.117-1
|
||||
- Resolves: RHEL-150714 Certificate revocation bypass due to improper OCSP response validation
|
||||
- Resolves:
|
||||
Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
|
||||
- Resolves:
|
||||
Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
|
||||
- Resolves:
|
||||
Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
|
||||
- Resolves:
|
||||
Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
|
||||
- Resolves:
|
||||
Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
|
||||
- Resolves:
|
||||
Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
|
||||
- Resolves:
|
||||
Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
|
||||
- Resolves:
|
||||
Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
|
||||
- Resolves:
|
||||
Tomcat: Occasionally open redirect (CVE-2026-25854)
|
||||
- Resolves:
|
||||
Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
|
||||
- Resolves:
|
||||
Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
|
||||
- Resolves:
|
||||
Tomcat: Security constraint bypass (CVE-2026-24733)
|
||||
- Resolves:
|
||||
Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)
|
||||
|
||||
* Tue Apr 14 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-3
|
||||
- Resolves: RHEL-168081 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user