From 9b523e3add40fbf57cad86a11093113af0d2c5f9 Mon Sep 17 00:00:00 2001
From: Sokratis Zappis <szappis@redhat.com>
Date: Tue, 7 May 2024 17:46:46 +0300
Subject: [PATCH] Resolves: RHEL-35812 - Rebase tomcat to version 9.0.87
 Resolves: RHEL-29257 - tomcat: Apache Tomcat: WebSocket DoS with incomplete
 closing handshake Resolves: RHEL-29252 - tomcat: Apache Tomcat: HTTP/2 header
 handling DoS Resolves: RHEL-53001 - Amend tomcat's changelog so that fixed
 CVEs are mentioned explicitely Remove unneeded patch file

---
 .gitignore              |  1 +
 fix-malformed-dtd.patch |  8 --------
 sources                 |  2 +-
 tomcat-build.patch      | 11 +++++------
 tomcat.spec             | 24 +++++++++++++++++++-----
 5 files changed, 26 insertions(+), 20 deletions(-)
 delete mode 100644 fix-malformed-dtd.patch

diff --git a/.gitignore b/.gitignore
index fb61664..3f0456a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,3 +7,4 @@ apache-tomcat-*-src/
 /tomcat-9.0.62.redhat-00014-src.zip
 /tomcat-9.0.62.redhat-00017-src.zip
 /tomcat-9.0.62.redhat-00018-src.zip
+/tomcat-9.0.87.redhat-00003-src.zip
diff --git a/fix-malformed-dtd.patch b/fix-malformed-dtd.patch
deleted file mode 100644
index f5f7546..0000000
--- a/fix-malformed-dtd.patch
+++ /dev/null
@@ -1,8 +0,0 @@
-diff -up ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd.orig ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd
---- ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd.orig	2023-02-07 14:11:25.294179017 -0500
-+++ ./java/org/apache/tomcat/util/modeler/mbeans-descriptors.dtd	2023-02-07 14:11:28.629196705 -0500
-@@ -1,4 +1,3 @@
--<?xml version="1.0" encoding="UTF-8"?>
- <!--
-   Licensed to the Apache Software Foundation (ASF) under one or more
-   contributor license agreements.  See the NOTICE file distributed with
diff --git a/sources b/sources
index a86fcea..ad39319 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (tomcat-9.0.62.redhat-00018-src.zip) = 926ae35bbecb0aa83efd685f0dd88a53129fab2618eed93721db5cc43d85de339e35e898a4aa52afa8c1d30c1b352ba951236b8022ea9aa1a6f3f06015a62239
+SHA512 (tomcat-9.0.87.redhat-00003-src.zip) = 5064b32f5a572c7333524471a21b4781819eefbaff2449ddef9238bc09792b615b36812e499d7d7ded06b4150360396b49f1da872faad9df341451b13c45f26e
diff --git a/tomcat-build.patch b/tomcat-build.patch
index 49c63ff..608a785 100644
--- a/tomcat-build.patch
+++ b/tomcat-build.patch
@@ -1,12 +1,11 @@
-diff -up ./res/bnd/build-defaults.bnd.orig ./res/bnd/build-defaults.bnd
---- ./res/bnd/build-defaults.bnd.orig	2020-07-13 13:47:01.229077747 -0400
-+++ ./res/bnd/build-defaults.bnd	2020-07-13 13:47:12.923095618 -0400
+--- ./res/bnd/build-defaults.bnd.orig	2024-05-01 11:07:38.804582327 +0300
++++ ./res/bnd/build-defaults.bnd	2024-05-01 11:17:08.857295279 +0300
 @@ -13,7 +13,7 @@
  # See the License for the specific language governing permissions and
  # limitations under the License.
-
+ 
 -Bundle-Version: ${version_cleanup;${version}}
 +Bundle-Version: ${version}
-
+ Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt
+ 
  Specification-Title: Apache Tomcat
- Specification-Version: ${version.major.minor}
diff --git a/tomcat.spec b/tomcat.spec
index 5fefa18..2a2cd14 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,8 +31,8 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 62
-%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00018-src
+%global micro_version 87
+%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00003-src
 %global servletspec 4.0
 %global elspec 3.0
 %global tcuid 53
@@ -56,7 +56,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       39%{?dist}
+Release:       1%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       ASL 2.0
@@ -82,7 +82,6 @@ Patch3:        %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4:        rhbz-1857043.patch
 Patch6:        %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch
 Patch7:        JmxRemoteLifecycleListener.patch
-Patch8:        fix-malformed-dtd.patch
 
 BuildArch:     noarch
 
@@ -199,7 +198,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch -P4 -p0
 %patch -P6 -p0
 %patch -P7 -p1
-%patch -P8 -p1
 
 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@@ -559,18 +557,34 @@ fi
 
 
 %changelog
+* Fri May 03 2024 Sokratis Zappis <szappis@redhat.com> - 1:9.0.87-1
+- Resolves: RHEL-35812 - Rebase tomcat to version 9.0.87
+- Resolves: RHEL-29257
+  tomcat: Apache Tomcat: WebSocket DoS with incomplete closing handshake (CVE-2024-23672)
+- Resolves: RHEL-29252
+  tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)
+- Resolves: RHEL-53001 - Amend tomcat's changelog
+  (CVE-2023-46589, CVE-2023-45648, CVE-2023-42795, CVE-2023-42794, CVE-2023-44487, CVE-2023-41080)
+
 * Thu Jan 18 2024 Hui Wang <huwang@redhat.com> - 1:9.0.62-39
 - Resolves: RHEL-17605
+  tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
 
 * Thu Nov 23 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-38
 - Resolves: RHEL-13908
+  tomcat: incorrectly parsed http trailer headers can cause request smuggling (CVE-2023-45648)
 - Resolves: RHEL-13905
+  tomcat: improper cleaning of recycled objects could lead to information leak (CVE-2023-42795)
 - Resolves: RHEL-12952
+  tomcat: FileUpload: DoS due to accumulation of temporary files on Windows (CVE-2023-42794)
 - Resolves: RHEL-12552
+  tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
 - Resolves: RHEL-2388
+  tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)
 
 * Fri Oct 13 2023 Hui Wang <huwang@redhat.com> - 1:9.0.62-37
 - Resolves: RHEL-12551
+  tomcat: HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
 - Remove JDK subpackges which are unused
 
 * Fri Aug 25 2023 Coty Sutherland <csutherl@redhat.com> - 1:9.0.62-16