From b7d933898b34f746ea16d0890e2094101e52514d Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Tue, 19 May 2026 15:15:27 -0400 Subject: [PATCH] import CS tomcat9-9.0.110-3.el10 --- .gitignore | 2 +- JmxRemoteLifecycleListener.patch | 40 ----------------- build-with-java-25.patch | 76 ++++++++++++++++++++++++++++++++ rhbz-1857043.patch | 29 +++++++----- rhel-158962.patch | 46 +++++++++++++++++++ rhel-168243.patch | 54 +++++++++++++++++++++++ sources | 2 +- tomcat9.spec | 50 +++++++++++++++------ 8 files changed, 233 insertions(+), 66 deletions(-) delete mode 100644 JmxRemoteLifecycleListener.patch create mode 100644 build-with-java-25.patch create mode 100644 rhel-158962.patch create mode 100644 rhel-168243.patch diff --git a/.gitignore b/.gitignore index b36b0ca..5ffc81f 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -tomcat-9.0.87.redhat-00013-src.zip +apache-tomcat-9.0.110-src.tar.gz diff --git a/JmxRemoteLifecycleListener.patch b/JmxRemoteLifecycleListener.patch deleted file mode 100644 index 3145a54..0000000 --- a/JmxRemoteLifecycleListener.patch +++ /dev/null @@ -1,40 +0,0 @@ -diff --git a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java -index f62f8d1..db19960 100644 ---- a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java -+++ b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java -@@ -611,34 +611,28 @@ public class JmxRemoteLifecycleListener extends SSLHostConfig implements Lifecyc - * Better to use the internal API than re-invent the wheel. - */ - @SuppressWarnings("restriction") -- private static class JmxRegistry extends sun.rmi.registry.RegistryImpl { -+ private static class JmxRegistry { - private static final long serialVersionUID = -3772054804656428217L; - private final String jmxName; - private final Remote jmxServer; - public JmxRegistry(int port, RMIClientSocketFactory csf, - RMIServerSocketFactory ssf, String jmxName, Remote jmxServer) throws RemoteException { -- super(port, csf, ssf); - this.jmxName = jmxName; - this.jmxServer = jmxServer; - } -- @Override - public Remote lookup(String name) - throws RemoteException, NotBoundException { - return (jmxName.equals(name)) ? jmxServer : null; - } -- @Override - public void bind(String name, Remote obj) - throws RemoteException, AlreadyBoundException, AccessException { - } -- @Override - public void unbind(String name) - throws RemoteException, NotBoundException, AccessException { - } -- @Override - public void rebind(String name, Remote obj) - throws RemoteException, AccessException { - } -- @Override - public String[] list() throws RemoteException { - return new String[] { jmxName }; - } diff --git a/build-with-java-25.patch b/build-with-java-25.patch new file mode 100644 index 0000000..cb7c5eb --- /dev/null +++ b/build-with-java-25.patch @@ -0,0 +1,76 @@ +--- build.xml.orig 2026-02-12 14:28:31.466893106 -0500 ++++ build.xml 2026-02-12 14:28:44.320933346 -0500 +@@ -968,7 +968,7 @@ + + ++ addOSGi="false" /> + + + + addOSGi="false" /> @@ -130,7 +137,7 @@ diff -up ./build.xml.orig ./build.xml +Date: Wed, 3 Dec 2025 21:22:54 +0100 +Subject: [PATCH] Avoid possible NPEs when using a TLS enabled custom connector + +--- + .../org/apache/tomcat/util/net/AbstractJsseEndpoint.java | 9 +++++++++ + webapps/docs/changelog.xml | 7 +++++++ + 2 files changed, 16 insertions(+) + +diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java +index 1d639176eb17..9a4b8fa37fb5 100644 +--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java ++++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java +@@ -127,8 +127,17 @@ protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgum + protected SSLEngine createSSLEngine(String sniHostName, List clientRequestedCiphers, + List clientRequestedApplicationProtocols) { + List clientRequestedProtocols = clientRequestedProtocolsThreadLocal.get(); ++ if (clientRequestedProtocols == null) { ++ clientRequestedProtocols = new ArrayList(); ++ } + List clientSupportedGroups = clientSupportedGroupsThreadLocal.get(); ++ if (clientSupportedGroups == null) { ++ clientSupportedGroups = new ArrayList(); ++ } + List clientSignatureSchemes = clientSignatureSchemesThreadLocal.get(); ++ if (clientSignatureSchemes == null) { ++ clientSignatureSchemes = new ArrayList(); ++ } + + SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName); + +diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml +index 9ef3d9b04912..03be8d1358ae 100644 +--- a/webapps/docs/changelog.xml ++++ b/webapps/docs/changelog.xml +@@ -155,6 +155,9 @@ + Store HTTP request headers using the original case for the header name + rather than forcing it to lower case. (markt) + ++ ++ Avoid possible NPEs when using a TLS enabled custom connector. (remm) ++ + + + diff --git a/rhel-168243.patch b/rhel-168243.patch new file mode 100644 index 0000000..cc65185 --- /dev/null +++ b/rhel-168243.patch @@ -0,0 +1,54 @@ +diff -up ./java/org/apache/coyote/ajp/Constants.java ./java/org/apache/coyote/ajp/Constants.java +--- ./java/org/apache/coyote/ajp/Constants.java 2025-10-01 04:36:05.000000000 -0400 ++++ ./java/org/apache/coyote/ajp/Constants.java 2026-04-14 15:27:50.820988961 -0400 +@@ -105,7 +105,7 @@ + + // Translates integer codes to names of HTTP methods + private static final String[] methodTransArray = +- { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.OPTIONS, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY, ++ { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.DELETE, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY, + Method.MOVE, Method.LOCK, Method.UNLOCK, "ACL", "REPORT", "VERSION-CONTROL", "CHECKIN", "CHECKOUT", "UNCHECKOUT", + "SEARCH", "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY" }; + +diff -up ./test/org/apache/catalina/realm/TestRealmBase.java ./test/org/apache/catalina/realm/TestRealmBase.java +--- ./test/org/apache/catalina/realm/TestRealmBase.java 2025-10-01 04:36:05.000000000 -0400 ++++ ./test/org/apache/catalina/realm/TestRealmBase.java 2026-04-14 15:27:50.821211035 -0400 +@@ -660,7 +660,7 @@ + SecurityConstraint deleteConstraint = new SecurityConstraint(); + deleteConstraint.addAuthRole(ROLE1); + SecurityCollection deleteCollection = new SecurityCollection(); +- deleteCollection.addMethod(Method.OPTIONS); ++ deleteCollection.addMethod(Method.DELETE); + deleteCollection.addPatternDecoded("/*"); + deleteConstraint.addCollection(deleteCollection); + +@@ -772,7 +772,7 @@ + + // Only user1 should be able to perform a DELETE as only that user has + // role1. +- request.setMethod(Method.OPTIONS); ++ request.setMethod(Method.DELETE); + + SecurityConstraint[] constraintsDelete = + mapRealm.findSecurityConstraints(request, context); +diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml +--- ./webapps/docs/changelog.xml.orig 2026-04-14 15:48:53.192243701 -0400 ++++ ./webapps/docs/changelog.xml 2026-04-14 15:49:48.893470762 -0400 +@@ -104,6 +104,17 @@ + They eventually become mixed with the numbered issues (i.e., numbered + issues do not "pop up" wrt. others). + --> ++
++ ++ ++ ++ 69848: Fix copy/paste error that meant DELETE ++ requests received via the AJP connector were processed as OPTIONS ++ requests. (markt) ++ ++ ++ ++
+
+ + diff --git a/sources b/sources index d789131..38dc472 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (tomcat-9.0.87.redhat-00013-src.zip) = 1049d86d4bbdfd251a3f0cc72840cb6535a5637a76becaec8cb9c6532430dabaefd007af285fa1ac8d6a2a70f1d0378f6a1e908f7e7c5aff7c2bbedcd521cc9d +SHA512 (apache-tomcat-9.0.110-src.tar.gz) = a8fe2c59a801d6fb16ea74019c6fc58c34543d4d25a16d64e929e67c7736f6e16d08ec2061b37f1783ebfa0b1dacfff991e46ed5d24d89300a140cb94449f570 diff --git a/tomcat9.spec b/tomcat9.spec index 53846fe..8389b5e 100644 --- a/tomcat9.spec +++ b/tomcat9.spec @@ -31,8 +31,8 @@ %global jspspec 2.3 %global major_version 9 %global minor_version 0 -%global micro_version 87 -%global packdname tomcat-%{major_version}.%{minor_version}.%{micro_version}.redhat-00013-src +%global micro_version 110 +%global packdname apache-tomcat-%{major_version}.%{minor_version}.%{micro_version}-src %global servletspec 4.0 %global elspec 3.0 %global tcuid 53 @@ -53,12 +53,12 @@ Name: tomcat9 Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 8%{?dist}.1 +Release: 3%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API License: Apache-2.0 URL: http://tomcat.apache.org/ -Source0: %{packdname}.zip +Source0: %{packdname}.tar.gz Source1: tomcat-%{major_version}.%{minor_version}.conf Source3: tomcat-%{major_version}.%{minor_version}.sysconfig Source4: tomcat-%{major_version}.%{minor_version}.wrapper @@ -77,20 +77,22 @@ Patch1: tomcat-%{major_version}.%{minor_version}-tomcat-users-webapp.patc Patch3: tomcat-%{major_version}.%{minor_version}-catalina-policy.patch Patch4: rhbz-1857043.patch Patch6: tomcat-%{major_version}.%{minor_version}-bnd-annotation.patch -Patch7: JmxRemoteLifecycleListener.patch +Patch7: build-with-java-25.patch +Patch8: rhel-158962.patch +Patch9: rhel-168243.patch BuildArch: noarch BuildRequires: ant BuildRequires: ecj >= 1:4.10 BuildRequires: findutils -BuildRequires: java-devel BuildRequires: javapackages-local BuildRequires: aqute-bnd BuildRequires: aqute-bndlib BuildRequires: systemd +BuildRequires: java-25-devel -Requires: java-headless +Requires: (java-headless or java-25-headless) Requires: javapackages-tools Requires: %{name}-lib = %{epoch}:%{version}-%{release} @@ -199,7 +201,7 @@ Obsoletes: tomcat-webapps < 1:10.0.0-1 The ROOT web application for Apache Tomcat. %prep -%setup -q -n apache-%{packdname} +%setup -q -n %{packdname} # remove pre-built binaries and windows files find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "*.gz" -o \ -name "*.jar" -o -name "*.war" -o -name "*.zip" \) -delete @@ -209,7 +211,9 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch -P3 -p0 %patch -P4 -p0 %patch -P6 -p0 -%patch -P7 -p1 +%patch -P7 -p0 +%patch -P8 -p1 +%patch -P9 -p1 # Remove webservices naming resources as it's generally unused %{__rm} -rf java/org/apache/naming/factory/webservices @@ -229,8 +233,12 @@ export OPT_JAR_LIST="xalan-j2-serializer" # so just create a dummy file for later removal touch HACK +# Adding JAVA_HOME to always compile with java-25 instead of autodetecting +export JAVA_HOME=%{_jvmdir}/java-25-openjdk +export PATH=$JAVA_HOME/bin:$PATH + # who needs a build.properties file anyway -%{ant} -Dbase.path="." \ +ant -Dbase.path="." \ -Dbuild.compiler="modern" \ -Dcommons-daemon.jar="HACK" \ -Dcommons-daemon.native.src.tgz="HACK" \ @@ -249,6 +257,9 @@ touch HACK # remove some jars that we'll replace with symlinks later %{__rm} output/build/lib/ecj.jar +# Cleanup commons-daemon.jar that somehow appeared since last build, but is unnecessary +%{__rm} -rf output/build/bin/commons-daemon.jar + # Remove the example webapps per Apache Tomcat Security Considerations # see https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html %{__rm} -rf output/build/webapps/examples @@ -396,6 +407,9 @@ popd %mvn_file org.apache.tomcat:tomcat-coyote tomcat/tomcat-coyote %mvn_artifact res/maven/tomcat-coyote.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-coyote.jar +%mvn_file org.apache.tomcat:tomcat-coyote-ffm tomcat/tomcat-coyote-ffm +%mvn_artifact res/maven/tomcat-coyote-ffm.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-coyote-ffm.jar + %mvn_file org.apache.tomcat:tomcat-dbcp tomcat/tomcat-dbcp %mvn_artifact res/maven/tomcat-dbcp.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-dbcp.jar @@ -622,10 +636,20 @@ fi %{appdir}/ROOT %changelog -* Thu Nov 27 2025 Adam Krajcik - 1:9.0.87-8.el10_1.1 -- Resolves: RHEL-124497 +* Tue Apr 14 2026 Coty Sutherland - 1:9.0.110-3 +- Resolves: RHEL-168243 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848) + +* Mon Mar 23 2026 Coty Sutherland - 1:9.0.110-2 +- Resolves: RHEL-158962 NPE in tomcat9 when used with TLS enabled custom connector + +* Wed Feb 11 2026 Coty Sutherland - 1:9.0.110-1 +- Resolves: RHEL-148687 + Update to 9.0.110 and compile with Java 25 to enable FFM features for PQC support + +* Fri Jan 23 2026 Pietro Meloni - 1:9.0.87-9 +- Resolves: RHEL-124496 tomcat: Directory traversal via rewrite with possible RCE (CVE-2025-55752) -- Resolves: RHEL-91732 +- Resolves: RHEL-132559 tomcat: Bypass of rules in Rewrite Valve (CVE-2025-31651) * Mon Aug 18 2025 Adam Krajcik - 1:9.0.87-8