Fix CVE-2025-31650 and CVE-2024-56337

Resolves: RHEL-91750 - tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE
Resolves: RHEL-94960 - tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation
This commit is contained in:
Adam Krajcik 2025-06-04 07:35:13 +02:00
parent 916ab516bb
commit 56a8925bc9
4 changed files with 12 additions and 4 deletions

1
.gitignore vendored
View File

@ -1,3 +1,4 @@
/tomcat-9.0.87.redhat-00005-src.zip
/tomcat-9.0.87.redhat-00006-src.zip
/tomcat-9.0.87.redhat-00008-src.zip
/tomcat-9.0.87.redhat-00010-src.zip

View File

@ -1 +1 @@
SHA512 (tomcat-9.0.87.redhat-00008-src.zip) = 5863c033928427db91d1ecf92485641aa3de8d0bf38dd23293c6d86667da46df77b592342031f7caf915a52ed87a415a1d88937809a0b799a17b5901ceda03c2
SHA512 (tomcat-9.0.87.redhat-00010-src.zip) = fd65e91c2fd11d48396692e0e88fbba8c2025ec35cbefb29b9b192c516af958ad357a1232e21abd262187d14add45b1441c34d3fa76ac40ba0866febbbfb341d

View File

@ -10,7 +10,8 @@ OPTIONS="-Dcatalina.base=$CATALINA_BASE \
-Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS \
-Djava.io.tmpdir=$CATALINA_TMPDIR \
-Djava.util.logging.config.file=${LOGGING_PROPERTIES} \
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager"
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
-Dsun.io.useCanonCaches=false"
if [ "$1" = "start" ] ; then
FLAGS="${FLAGS} $CATALINA_OPTS"

View File

@ -32,7 +32,7 @@
%global major_version 9
%global minor_version 0
%global micro_version 87
%global packdname tomcat-%{major_version}.%{minor_version}.%{micro_version}.redhat-00008-src
%global packdname tomcat-%{major_version}.%{minor_version}.%{micro_version}.redhat-00010-src
%global servletspec 4.0
%global elspec 3.0
%global tcuid 53
@ -53,7 +53,7 @@
Name: tomcat9
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
Release: 5%{?dist}
Release: 6%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: Apache-2.0
@ -622,6 +622,12 @@ fi
%{appdir}/ROOT
%changelog
* Mon May 26 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-5.el10_0.1
- Resolves: RHEL-91750
tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (CVE-2025-31650)
- Resolves: RHEL-94960
tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation (CVE-2024-56337)
* Mon Apr 14 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-5
- Resolves: RHEL-82927
tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)