diff --git a/.gitignore b/.gitignore index d099beb..83c6b65 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/apache-tomcat-9.0.110-src.tar.gz +SOURCES/apache-tomcat-9.0.117-src.tar.gz diff --git a/.tomcat.metadata b/.tomcat.metadata index 28d53a0..b76d967 100644 --- a/.tomcat.metadata +++ b/.tomcat.metadata @@ -1 +1 @@ -8c9f0f1e544993d3ff75fc08017643159ccf05be SOURCES/apache-tomcat-9.0.110-src.tar.gz +0dd5e6286a035d8d3e0027ad795d284c09ec3968 SOURCES/apache-tomcat-9.0.117-src.tar.gz diff --git a/SOURCES/rhel-168081.patch b/SOURCES/rhel-168081.patch deleted file mode 100644 index cc65185..0000000 --- a/SOURCES/rhel-168081.patch +++ /dev/null @@ -1,54 +0,0 @@ -diff -up ./java/org/apache/coyote/ajp/Constants.java ./java/org/apache/coyote/ajp/Constants.java ---- ./java/org/apache/coyote/ajp/Constants.java 2025-10-01 04:36:05.000000000 -0400 -+++ ./java/org/apache/coyote/ajp/Constants.java 2026-04-14 15:27:50.820988961 -0400 -@@ -105,7 +105,7 @@ - - // Translates integer codes to names of HTTP methods - private static final String[] methodTransArray = -- { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.OPTIONS, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY, -+ { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.DELETE, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY, - Method.MOVE, Method.LOCK, Method.UNLOCK, "ACL", "REPORT", "VERSION-CONTROL", "CHECKIN", "CHECKOUT", "UNCHECKOUT", - "SEARCH", "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY" }; - -diff -up ./test/org/apache/catalina/realm/TestRealmBase.java ./test/org/apache/catalina/realm/TestRealmBase.java ---- ./test/org/apache/catalina/realm/TestRealmBase.java 2025-10-01 04:36:05.000000000 -0400 -+++ ./test/org/apache/catalina/realm/TestRealmBase.java 2026-04-14 15:27:50.821211035 -0400 -@@ -660,7 +660,7 @@ - SecurityConstraint deleteConstraint = new SecurityConstraint(); - deleteConstraint.addAuthRole(ROLE1); - SecurityCollection deleteCollection = new SecurityCollection(); -- deleteCollection.addMethod(Method.OPTIONS); -+ deleteCollection.addMethod(Method.DELETE); - deleteCollection.addPatternDecoded("/*"); - deleteConstraint.addCollection(deleteCollection); - -@@ -772,7 +772,7 @@ - - // Only user1 should be able to perform a DELETE as only that user has - // role1. -- request.setMethod(Method.OPTIONS); -+ request.setMethod(Method.DELETE); - - SecurityConstraint[] constraintsDelete = - mapRealm.findSecurityConstraints(request, context); -diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml ---- ./webapps/docs/changelog.xml.orig 2026-04-14 15:48:53.192243701 -0400 -+++ ./webapps/docs/changelog.xml 2026-04-14 15:49:48.893470762 -0400 -@@ -104,6 +104,17 @@ - They eventually become mixed with the numbered issues (i.e., numbered - issues do not "pop up" wrt. others). - --> -+
-+ -+ -+ -+ 69848: Fix copy/paste error that meant DELETE -+ requests received via the AJP connector were processed as OPTIONS -+ requests. (markt) -+ -+ -+ -+
-
- - diff --git a/SPECS/tomcat.spec b/SPECS/tomcat.spec index 6146ece..0252713 100644 --- a/SPECS/tomcat.spec +++ b/SPECS/tomcat.spec @@ -31,7 +31,7 @@ %global jspspec 2.3 %global major_version 9 %global minor_version 0 -%global micro_version 110 +%global micro_version 117 %global packdname apache-%{name}-%{major_version}.%{minor_version}.%{micro_version}-src %global servletspec 4.0 %global elspec 3.0 @@ -56,7 +56,7 @@ Name: tomcat Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 3%{?dist} +Release: 1%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API License: ASL 2.0 @@ -81,7 +81,6 @@ Patch2: %{name}-build.patch Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch Patch4: rhbz-1857043.patch Patch6: %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch -Patch7: rhel-168081.patch BuildArch: noarch @@ -198,7 +197,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch -P3 -p0 %patch -P4 -p0 %patch -P6 -p0 -%patch -P7 -p1 # Remove webservices naming resources as it's generally unused %{__rm} -rf java/org/apache/naming/factory/webservices @@ -563,8 +561,36 @@ fi %defattr(0644,tomcat,tomcat,0755) %{appdir}/ROOT - %changelog +* Wed May 26 2026 Pietro Meloni - 1:9.0.117-1 +- Resolves: RHEL-150714 Certificate revocation bypass due to improper OCSP response validation +- Resolves: + Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500) +- Resolves: + Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487) +- Resolves: + Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486) +- Resolves: + Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483) +- Resolves: + Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990) +- Resolves: + Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146) +- Resolves: + Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145) +- Resolves: + Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129) +- Resolves: + Tomcat: Occasionally open redirect (CVE-2026-25854) +- Resolves: + Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880) +- Resolves: + Tomcat: Incomplete OCSP verification checks (CVE-2026-24734) +- Resolves: + Tomcat: Security constraint bypass (CVE-2026-24733) +- Resolves: + Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614) + * Tue Apr 14 2026 Coty Sutherland - 1:9.0.110-3 - Resolves: RHEL-168081 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848)