From 5c6a19b36dd791a59e1dde26434e8367de13ebda Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Wed, 15 Apr 2026 15:08:18 -0400
Subject: [PATCH] Resolves: RHEL-168243
---
rhel-168243.patch | 54 +++++++++++++++++++++++++++++++++++++++++++++++
tomcat9.spec | 7 +++++-
2 files changed, 60 insertions(+), 1 deletion(-)
create mode 100644 rhel-168243.patch
diff --git a/rhel-168243.patch b/rhel-168243.patch
new file mode 100644
index 0000000..cc65185
--- /dev/null
+++ b/rhel-168243.patch
@@ -0,0 +1,54 @@
+diff -up ./java/org/apache/coyote/ajp/Constants.java ./java/org/apache/coyote/ajp/Constants.java
+--- ./java/org/apache/coyote/ajp/Constants.java 2025-10-01 04:36:05.000000000 -0400
++++ ./java/org/apache/coyote/ajp/Constants.java 2026-04-14 15:27:50.820988961 -0400
+@@ -105,7 +105,7 @@
+
+ // Translates integer codes to names of HTTP methods
+ private static final String[] methodTransArray =
+- { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.OPTIONS, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
++ { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.DELETE, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
+ Method.MOVE, Method.LOCK, Method.UNLOCK, "ACL", "REPORT", "VERSION-CONTROL", "CHECKIN", "CHECKOUT", "UNCHECKOUT",
+ "SEARCH", "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY" };
+
+diff -up ./test/org/apache/catalina/realm/TestRealmBase.java ./test/org/apache/catalina/realm/TestRealmBase.java
+--- ./test/org/apache/catalina/realm/TestRealmBase.java 2025-10-01 04:36:05.000000000 -0400
++++ ./test/org/apache/catalina/realm/TestRealmBase.java 2026-04-14 15:27:50.821211035 -0400
+@@ -660,7 +660,7 @@
+ SecurityConstraint deleteConstraint = new SecurityConstraint();
+ deleteConstraint.addAuthRole(ROLE1);
+ SecurityCollection deleteCollection = new SecurityCollection();
+- deleteCollection.addMethod(Method.OPTIONS);
++ deleteCollection.addMethod(Method.DELETE);
+ deleteCollection.addPatternDecoded("/*");
+ deleteConstraint.addCollection(deleteCollection);
+
+@@ -772,7 +772,7 @@
+
+ // Only user1 should be able to perform a DELETE as only that user has
+ // role1.
+- request.setMethod(Method.OPTIONS);
++ request.setMethod(Method.DELETE);
+
+ SecurityConstraint[] constraintsDelete =
+ mapRealm.findSecurityConstraints(request, context);
+diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
+--- ./webapps/docs/changelog.xml.orig 2026-04-14 15:48:53.192243701 -0400
++++ ./webapps/docs/changelog.xml 2026-04-14 15:49:48.893470762 -0400
+@@ -104,6 +104,17 @@
+ They eventually become mixed with the numbered issues (i.e., numbered
+ issues do not "pop up" wrt. others).
+ -->
++
++
++
++
++ 69848: Fix copy/paste error that meant DELETE
++ requests received via the AJP connector were processed as OPTIONS
++ requests. (markt)
++
++
++
++
+
+ + diff --git a/tomcat9.spec b/tomcat9.spec index 500269f..8389b5e 100644 --- a/tomcat9.spec +++ b/tomcat9.spec @@ -53,7 +53,7 @@ Name: tomcat9 Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 2%{?dist} +Release: 3%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API License: Apache-2.0 @@ -79,6 +79,7 @@ Patch4: rhbz-1857043.patch Patch6: tomcat-%{major_version}.%{minor_version}-bnd-annotation.patch Patch7: build-with-java-25.patch Patch8: rhel-158962.patch +Patch9: rhel-168243.patch BuildArch: noarch @@ -212,6 +213,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch -P6 -p0 %patch -P7 -p0 %patch -P8 -p1 +%patch -P9 -p1 # Remove webservices naming resources as it's generally unused %{__rm} -rf java/org/apache/naming/factory/webservices @@ -634,6 +636,9 @@ fi %{appdir}/ROOT %changelog +* Tue Apr 14 2026 Coty Sutherland - 1:9.0.110-3 +- Resolves: RHEL-168243 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848) + * Mon Mar 23 2026 Coty Sutherland - 1:9.0.110-2 - Resolves: RHEL-158962 NPE in tomcat9 when used with TLS enabled custom connector
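Review bot: In the nested Constants.java hunk of rhel-168243.patch, `methodTransArray` still lists `Method.TRACE` twice in a row on both the removed and the added line, so the slot after TRACE (AJP method code 8, PROPFIND in the AJP13 code table) appears to carry the same kind of copy/paste error this patch fixes for DELETE. Unless that is an artefact of how the patch was rendered, a PROPFIND forwarded over AJP would be handled as TRACE, and any security constraint or method filter keyed on the method name would be evaluated against the wrong method. The added line would then read `Method.PUT, Method.DELETE, Method.TRACE, Method.PROPFIND, Method.PROPPATCH,` (assuming a `Method.PROPFIND` constant exists alongside the others; it is not visible here). The TestRealmBase hunks only exercise constraint matching on a request whose method is set directly, so a test that walks the AJP code-to-name table entry by entry would be worth adding to catch this class of slip.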