diff --git a/.gitignore b/.gitignore index d347a63..ad2b66c 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -tomcat-10.1.49.redhat-00007-src.zip +tomcat-10.1.49.redhat-00011-src.zip diff --git a/rhbz-1857043.patch b/rhbz-1857043.patch index 31ca1df..055d918 100644 --- a/rhbz-1857043.patch +++ b/rhbz-1857043.patch @@ -1,21 +1,21 @@ --- build.xml.orig +++ build.xml -@@ -1124,7 +1124,7 @@ +@@ -1138,7 +1138,7 @@ filesDir="${tomcat.classes}" filesId="files.annotations-api" manifest="${tomcat.manifests}/annotations-api.jar.manifest" - addOSGi="true" /> + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - - - -+ addOSGi="false" /> - - + + + +@@ -1258,7 +1258,7 @@ + addOSGi="false" /> - - - -+ addOSGi="false" /> - - + + + +@@ -1279,7 +1279,7 @@ + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + + addOSGi="false" /> - + = 1.10.2 BuildRequires: ecj >= 4.20 @@ -220,6 +221,9 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %mvn_alias "org.apache.tomcat:tomcat-jsp-api" "jakarta.servlet:jakarta.servlet.jsp" %mvn_package ":tomcat-servlet-api" tomcat-servlet-api +%pom_remove_dep org.apache.tomcat:tomcat-tribes res/maven/tomcat-storeconfig.pom +%pom_remove_dep org.apache.tomcat:tomcat-catalina-ha res/maven/tomcat-storeconfig.pom + %build # we don't care about the tarballs and we're going to replace jars @@ -287,6 +291,10 @@ pushd output/build %{__cp} -a webapps/* ${RPM_BUILD_ROOT}%{appdir} popd +# Clustering is unsupported in RHEL +rm -f ${RPM_BUILD_ROOT}%{libdir}/catalina-ha.jar +rm -f ${RPM_BUILD_ROOT}%{libdir}/catalina-tribes.jar + %{__sed} -e "s|\@\@\@TCHOME\@\@\@|%{homedir}|g" \ -e "s|\@\@\@TCTEMP\@\@\@|%{tempdir}|g" \ -e "s|\@\@\@LIBDIR\@\@\@|%{_libdir}|g" %{SOURCE1} \ @@ -388,8 +396,6 @@ popd %mvn_artifact res/maven/tomcat-api.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-api.jar %mvn_file org.apache.tomcat:tomcat-catalina-ant tomcat/catalina-ant %mvn_artifact res/maven/tomcat-catalina-ant.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ant.jar -%mvn_file org.apache.tomcat:tomcat-catalina-ha tomcat/catalina-ha -%mvn_artifact res/maven/tomcat-catalina-ha.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ha.jar %mvn_file org.apache.tomcat:tomcat-catalina tomcat/catalina %mvn_artifact res/maven/tomcat-catalina.pom ${RPM_BUILD_ROOT}%{libdir}/catalina.jar %mvn_artifact res/maven/tomcat-coyote.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-coyote.jar @@ -417,8 +423,6 @@ popd %mvn_artifact res/maven/tomcat-ssi.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ssi.jar %mvn_file org.apache.tomcat:tomcat-storeconfig tomcat/catalina-storeconfig %mvn_artifact res/maven/tomcat-storeconfig.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-storeconfig.jar -%mvn_file org.apache.tomcat:tomcat-tribes tomcat/catalina-tribes -%mvn_artifact res/maven/tomcat-tribes.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-tribes.jar %mvn_artifact res/maven/tomcat-util-scan.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-util-scan.jar %mvn_artifact res/maven/tomcat-util.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-util.jar %mvn_file org.apache.tomcat:tomcat-websocket-api tomcat/websocket-api @@ -553,9 +557,20 @@ exit 0 %{appdir}/ROOT %changelog -* Tue May 19 2026 Eduard Abdullin - 1:10.1.49-1.1.alma.1 +* Fri Jul 10 2026 Eduard Abdullin - 1:10.1.49-3.alma.1 - Exclude i686 architecture from build +* Mon Jul 6 2026 Pietro Meloni - 1:10.1.49-3 +- Related: RHEL-168577 Remove unnecessary patch + +* Thu Jun 4 2026 Pietro Meloni - 1:10.1.49-2 +- Resolves: RHEL-168577 Remove tomcat clustering JAR from RPM builds + Resolves: CVE-2026-29146 + tomcat: Apache Tomcat: Information disclosure via Padding Oracle vulnerability in EncryptInterceptor + Resolves: CVE-2026-34486 + tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass + + * Wed Apr 22 2026 Pietro Meloni - 1:10.1.36-3.el10_1.1 - Resolves: RHEL-150719 Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734) @@ -571,6 +586,9 @@ exit 0 - Resolves: RHEL-132526 tomcat: Denial of service (CVE-2025-61795) +* Mon Dec 15 2025 Eduard Abdullin - 1:10.1.36-4 +- Exclude i686 architecture from build + * Thu Aug 14 2025 Adam Krajcik - 1:10.1.36-3 - Resolves: RHEL-102184 tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-48989)