import CS git tomcat9-9.0.117-1.el10_2
This commit is contained in:
parent
b7d933898b
commit
f43672eebd
2
.gitignore
vendored
2
.gitignore
vendored
@ -1 +1 @@
|
||||
apache-tomcat-9.0.110-src.tar.gz
|
||||
apache-tomcat-9.0.117-src.tar.gz
|
||||
|
||||
@ -1,46 +0,0 @@
|
||||
From 93fc51176bbcf643a46cc271b85ff49cbb01f1a6 Mon Sep 17 00:00:00 2001
|
||||
From: remm <remm@apache.org>
|
||||
Date: Wed, 3 Dec 2025 21:22:54 +0100
|
||||
Subject: [PATCH] Avoid possible NPEs when using a TLS enabled custom connector
|
||||
|
||||
---
|
||||
.../org/apache/tomcat/util/net/AbstractJsseEndpoint.java | 9 +++++++++
|
||||
webapps/docs/changelog.xml | 7 +++++++
|
||||
2 files changed, 16 insertions(+)
|
||||
|
||||
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
|
||||
index 1d639176eb17..9a4b8fa37fb5 100644
|
||||
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
|
||||
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
|
||||
@@ -127,8 +127,17 @@ protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgum
|
||||
protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers,
|
||||
List<String> clientRequestedApplicationProtocols) {
|
||||
List<String> clientRequestedProtocols = clientRequestedProtocolsThreadLocal.get();
|
||||
+ if (clientRequestedProtocols == null) {
|
||||
+ clientRequestedProtocols = new ArrayList<String>();
|
||||
+ }
|
||||
List<Group> clientSupportedGroups = clientSupportedGroupsThreadLocal.get();
|
||||
+ if (clientSupportedGroups == null) {
|
||||
+ clientSupportedGroups = new ArrayList<Group>();
|
||||
+ }
|
||||
List<SignatureScheme> clientSignatureSchemes = clientSignatureSchemesThreadLocal.get();
|
||||
+ if (clientSignatureSchemes == null) {
|
||||
+ clientSignatureSchemes = new ArrayList<SignatureScheme>();
|
||||
+ }
|
||||
|
||||
SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
|
||||
|
||||
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
|
||||
index 9ef3d9b04912..03be8d1358ae 100644
|
||||
--- a/webapps/docs/changelog.xml
|
||||
+++ b/webapps/docs/changelog.xml
|
||||
@@ -155,6 +155,9 @@
|
||||
Store HTTP request headers using the original case for the header name
|
||||
rather than forcing it to lower case. (markt)
|
||||
</fix>
|
||||
+ <fix>
|
||||
+ Avoid possible NPEs when using a TLS enabled custom connector. (remm)
|
||||
+ </fix>
|
||||
</changelog>
|
||||
</subsection>
|
||||
<subsection name="Cluster">
|
||||
@ -1,54 +0,0 @@
|
||||
diff -up ./java/org/apache/coyote/ajp/Constants.java ./java/org/apache/coyote/ajp/Constants.java
|
||||
--- ./java/org/apache/coyote/ajp/Constants.java 2025-10-01 04:36:05.000000000 -0400
|
||||
+++ ./java/org/apache/coyote/ajp/Constants.java 2026-04-14 15:27:50.820988961 -0400
|
||||
@@ -105,7 +105,7 @@
|
||||
|
||||
// Translates integer codes to names of HTTP methods
|
||||
private static final String[] methodTransArray =
|
||||
- { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.OPTIONS, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
|
||||
+ { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.DELETE, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
|
||||
Method.MOVE, Method.LOCK, Method.UNLOCK, "ACL", "REPORT", "VERSION-CONTROL", "CHECKIN", "CHECKOUT", "UNCHECKOUT",
|
||||
"SEARCH", "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY" };
|
||||
|
||||
diff -up ./test/org/apache/catalina/realm/TestRealmBase.java ./test/org/apache/catalina/realm/TestRealmBase.java
|
||||
--- ./test/org/apache/catalina/realm/TestRealmBase.java 2025-10-01 04:36:05.000000000 -0400
|
||||
+++ ./test/org/apache/catalina/realm/TestRealmBase.java 2026-04-14 15:27:50.821211035 -0400
|
||||
@@ -660,7 +660,7 @@
|
||||
SecurityConstraint deleteConstraint = new SecurityConstraint();
|
||||
deleteConstraint.addAuthRole(ROLE1);
|
||||
SecurityCollection deleteCollection = new SecurityCollection();
|
||||
- deleteCollection.addMethod(Method.OPTIONS);
|
||||
+ deleteCollection.addMethod(Method.DELETE);
|
||||
deleteCollection.addPatternDecoded("/*");
|
||||
deleteConstraint.addCollection(deleteCollection);
|
||||
|
||||
@@ -772,7 +772,7 @@
|
||||
|
||||
// Only user1 should be able to perform a DELETE as only that user has
|
||||
// role1.
|
||||
- request.setMethod(Method.OPTIONS);
|
||||
+ request.setMethod(Method.DELETE);
|
||||
|
||||
SecurityConstraint[] constraintsDelete =
|
||||
mapRealm.findSecurityConstraints(request, context);
|
||||
diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
|
||||
--- ./webapps/docs/changelog.xml.orig 2026-04-14 15:48:53.192243701 -0400
|
||||
+++ ./webapps/docs/changelog.xml 2026-04-14 15:49:48.893470762 -0400
|
||||
@@ -104,6 +104,17 @@
|
||||
They eventually become mixed with the numbered issues (i.e., numbered
|
||||
issues do not "pop up" wrt. others).
|
||||
-->
|
||||
+<section name="Tomcat 9.0.110-redhat (csutherl)" rtext="">
|
||||
+ <subsection name="Coyote">
|
||||
+ <changelog>
|
||||
+ <fix>
|
||||
+ <bug>69848</bug>: Fix copy/paste error that meant DELETE
|
||||
+ requests received via the AJP connector were processed as OPTIONS
|
||||
+ requests. (markt)
|
||||
+ </fix>
|
||||
+ </changelog>
|
||||
+ </subsection>
|
||||
+</section>
|
||||
<section name="Tomcat 9.0.110 (remm)" rtext="">
|
||||
<subsection name="Catalina">
|
||||
<changelog>
|
||||
2
sources
2
sources
@ -1 +1 @@
|
||||
SHA512 (apache-tomcat-9.0.110-src.tar.gz) = a8fe2c59a801d6fb16ea74019c6fc58c34543d4d25a16d64e929e67c7736f6e16d08ec2061b37f1783ebfa0b1dacfff991e46ed5d24d89300a140cb94449f570
|
||||
SHA512 (apache-tomcat-9.0.117-src.tar.gz) = f40854a6ed1f208ccdd3da82527fc806eb9231aebaee86d6987e9699d1d31bb548765241424368708b89bdce01d4558a638532a35932f686d3edabd26951041d
|
||||
|
||||
38
tomcat9.spec
38
tomcat9.spec
@ -31,7 +31,7 @@
|
||||
%global jspspec 2.3
|
||||
%global major_version 9
|
||||
%global minor_version 0
|
||||
%global micro_version 110
|
||||
%global micro_version 117
|
||||
%global packdname apache-tomcat-%{major_version}.%{minor_version}.%{micro_version}-src
|
||||
%global servletspec 4.0
|
||||
%global elspec 3.0
|
||||
@ -53,7 +53,7 @@
|
||||
Name: tomcat9
|
||||
Epoch: 1
|
||||
Version: %{major_version}.%{minor_version}.%{micro_version}
|
||||
Release: 3%{?dist}
|
||||
Release: 1%{?dist}
|
||||
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
|
||||
|
||||
License: Apache-2.0
|
||||
@ -78,8 +78,6 @@ Patch3: tomcat-%{major_version}.%{minor_version}-catalina-policy.patch
|
||||
Patch4: rhbz-1857043.patch
|
||||
Patch6: tomcat-%{major_version}.%{minor_version}-bnd-annotation.patch
|
||||
Patch7: build-with-java-25.patch
|
||||
Patch8: rhel-158962.patch
|
||||
Patch9: rhel-168243.patch
|
||||
|
||||
BuildArch: noarch
|
||||
|
||||
@ -212,8 +210,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
|
||||
%patch -P4 -p0
|
||||
%patch -P6 -p0
|
||||
%patch -P7 -p0
|
||||
%patch -P8 -p1
|
||||
%patch -P9 -p1
|
||||
|
||||
# Remove webservices naming resources as it's generally unused
|
||||
%{__rm} -rf java/org/apache/naming/factory/webservices
|
||||
@ -636,6 +632,36 @@ fi
|
||||
%{appdir}/ROOT
|
||||
|
||||
%changelog
|
||||
* Thu May 29 2026 Pietro Meloni <pmeloni@redhat.com> - 1:9.0.117-1
|
||||
- Resolves: RHEL-150720
|
||||
Tomcat: Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734)
|
||||
- Resolves:
|
||||
Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
|
||||
- Resolves:
|
||||
Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
|
||||
- Resolves:
|
||||
Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
|
||||
- Resolves:
|
||||
Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
|
||||
- Resolves:
|
||||
Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
|
||||
- Resolves:
|
||||
Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
|
||||
- Resolves:
|
||||
Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
|
||||
- Resolves:
|
||||
Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
|
||||
- Resolves:
|
||||
Tomcat: Occasionally open redirect (CVE-2026-25854)
|
||||
- Resolves:
|
||||
Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
|
||||
- Resolves:
|
||||
Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
|
||||
- Resolves:
|
||||
Tomcat: Security constraint bypass (CVE-2026-24733)
|
||||
- Resolves:
|
||||
Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)
|
||||
|
||||
* Tue Apr 14 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-3
|
||||
- Resolves: RHEL-168243 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848)
|
||||
|
||||
|
||||
Loading…
Reference in New Issue
Block a user