From f43672eebd35e45d254b75dccf0d164021a80e34 Mon Sep 17 00:00:00 2001 From: AlmaLinux RelEng Bot Date: Thu, 25 Jun 2026 08:31:29 -0400 Subject: [PATCH] import CS git tomcat9-9.0.117-1.el10_2 --- .gitignore | 2 +- rhel-158962.patch | 46 ---------------------------------------- rhel-168243.patch | 54 ----------------------------------------------- sources | 2 +- tomcat9.spec | 38 +++++++++++++++++++++++++++------ 5 files changed, 34 insertions(+), 108 deletions(-) delete mode 100644 rhel-158962.patch delete mode 100644 rhel-168243.patch diff --git a/.gitignore b/.gitignore index 5ffc81f..5298c11 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -apache-tomcat-9.0.110-src.tar.gz +apache-tomcat-9.0.117-src.tar.gz diff --git a/rhel-158962.patch b/rhel-158962.patch deleted file mode 100644 index 6842993..0000000 --- a/rhel-158962.patch +++ /dev/null @@ -1,46 +0,0 @@ -From 93fc51176bbcf643a46cc271b85ff49cbb01f1a6 Mon Sep 17 00:00:00 2001 -From: remm -Date: Wed, 3 Dec 2025 21:22:54 +0100 -Subject: [PATCH] Avoid possible NPEs when using a TLS enabled custom connector - ---- - .../org/apache/tomcat/util/net/AbstractJsseEndpoint.java | 9 +++++++++ - webapps/docs/changelog.xml | 7 +++++++ - 2 files changed, 16 insertions(+) - -diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java -index 1d639176eb17..9a4b8fa37fb5 100644 ---- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java -+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java -@@ -127,8 +127,17 @@ protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgum - protected SSLEngine createSSLEngine(String sniHostName, List clientRequestedCiphers, - List clientRequestedApplicationProtocols) { - List clientRequestedProtocols = clientRequestedProtocolsThreadLocal.get(); -+ if (clientRequestedProtocols == null) { -+ clientRequestedProtocols = new ArrayList(); -+ } - List clientSupportedGroups = clientSupportedGroupsThreadLocal.get(); -+ if (clientSupportedGroups == null) { -+ clientSupportedGroups = new ArrayList(); -+ } - List clientSignatureSchemes = clientSignatureSchemesThreadLocal.get(); -+ if (clientSignatureSchemes == null) { -+ clientSignatureSchemes = new ArrayList(); -+ } - - SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName); - -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index 9ef3d9b04912..03be8d1358ae 100644 ---- a/webapps/docs/changelog.xml -+++ b/webapps/docs/changelog.xml -@@ -155,6 +155,9 @@ - Store HTTP request headers using the original case for the header name - rather than forcing it to lower case. (markt) - -+ -+ Avoid possible NPEs when using a TLS enabled custom connector. (remm) -+ - - - diff --git a/rhel-168243.patch b/rhel-168243.patch deleted file mode 100644 index cc65185..0000000 --- a/rhel-168243.patch +++ /dev/null @@ -1,54 +0,0 @@ -diff -up ./java/org/apache/coyote/ajp/Constants.java ./java/org/apache/coyote/ajp/Constants.java ---- ./java/org/apache/coyote/ajp/Constants.java 2025-10-01 04:36:05.000000000 -0400 -+++ ./java/org/apache/coyote/ajp/Constants.java 2026-04-14 15:27:50.820988961 -0400 -@@ -105,7 +105,7 @@ - - // Translates integer codes to names of HTTP methods - private static final String[] methodTransArray = -- { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.OPTIONS, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY, -+ { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.DELETE, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY, - Method.MOVE, Method.LOCK, Method.UNLOCK, "ACL", "REPORT", "VERSION-CONTROL", "CHECKIN", "CHECKOUT", "UNCHECKOUT", - "SEARCH", "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY" }; - -diff -up ./test/org/apache/catalina/realm/TestRealmBase.java ./test/org/apache/catalina/realm/TestRealmBase.java ---- ./test/org/apache/catalina/realm/TestRealmBase.java 2025-10-01 04:36:05.000000000 -0400 -+++ ./test/org/apache/catalina/realm/TestRealmBase.java 2026-04-14 15:27:50.821211035 -0400 -@@ -660,7 +660,7 @@ - SecurityConstraint deleteConstraint = new SecurityConstraint(); - deleteConstraint.addAuthRole(ROLE1); - SecurityCollection deleteCollection = new SecurityCollection(); -- deleteCollection.addMethod(Method.OPTIONS); -+ deleteCollection.addMethod(Method.DELETE); - deleteCollection.addPatternDecoded("/*"); - deleteConstraint.addCollection(deleteCollection); - -@@ -772,7 +772,7 @@ - - // Only user1 should be able to perform a DELETE as only that user has - // role1. -- request.setMethod(Method.OPTIONS); -+ request.setMethod(Method.DELETE); - - SecurityConstraint[] constraintsDelete = - mapRealm.findSecurityConstraints(request, context); -diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml ---- ./webapps/docs/changelog.xml.orig 2026-04-14 15:48:53.192243701 -0400 -+++ ./webapps/docs/changelog.xml 2026-04-14 15:49:48.893470762 -0400 -@@ -104,6 +104,17 @@ - They eventually become mixed with the numbered issues (i.e., numbered - issues do not "pop up" wrt. others). - --> -+
-+ -+ -+ -+ 69848: Fix copy/paste error that meant DELETE -+ requests received via the AJP connector were processed as OPTIONS -+ requests. (markt) -+ -+ -+ -+
-
- - diff --git a/sources b/sources index 38dc472..111567c 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (apache-tomcat-9.0.110-src.tar.gz) = a8fe2c59a801d6fb16ea74019c6fc58c34543d4d25a16d64e929e67c7736f6e16d08ec2061b37f1783ebfa0b1dacfff991e46ed5d24d89300a140cb94449f570 +SHA512 (apache-tomcat-9.0.117-src.tar.gz) = f40854a6ed1f208ccdd3da82527fc806eb9231aebaee86d6987e9699d1d31bb548765241424368708b89bdce01d4558a638532a35932f686d3edabd26951041d diff --git a/tomcat9.spec b/tomcat9.spec index 8389b5e..ba25728 100644 --- a/tomcat9.spec +++ b/tomcat9.spec @@ -31,7 +31,7 @@ %global jspspec 2.3 %global major_version 9 %global minor_version 0 -%global micro_version 110 +%global micro_version 117 %global packdname apache-tomcat-%{major_version}.%{minor_version}.%{micro_version}-src %global servletspec 4.0 %global elspec 3.0 @@ -53,7 +53,7 @@ Name: tomcat9 Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 3%{?dist} +Release: 1%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API License: Apache-2.0 @@ -78,8 +78,6 @@ Patch3: tomcat-%{major_version}.%{minor_version}-catalina-policy.patch Patch4: rhbz-1857043.patch Patch6: tomcat-%{major_version}.%{minor_version}-bnd-annotation.patch Patch7: build-with-java-25.patch -Patch8: rhel-158962.patch -Patch9: rhel-168243.patch BuildArch: noarch @@ -212,8 +210,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch -P4 -p0 %patch -P6 -p0 %patch -P7 -p0 -%patch -P8 -p1 -%patch -P9 -p1 # Remove webservices naming resources as it's generally unused %{__rm} -rf java/org/apache/naming/factory/webservices @@ -636,6 +632,36 @@ fi %{appdir}/ROOT %changelog +* Thu May 29 2026 Pietro Meloni - 1:9.0.117-1 +- Resolves: RHEL-150720 + Tomcat: Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734) +- Resolves: + Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500) +- Resolves: + Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487) +- Resolves: + Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486) +- Resolves: + Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483) +- Resolves: + Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990) +- Resolves: + Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146) +- Resolves: + Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145) +- Resolves: + Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129) +- Resolves: + Tomcat: Occasionally open redirect (CVE-2026-25854) +- Resolves: + Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880) +- Resolves: + Tomcat: Incomplete OCSP verification checks (CVE-2026-24734) +- Resolves: + Tomcat: Security constraint bypass (CVE-2026-24733) +- Resolves: + Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614) + * Tue Apr 14 2026 Coty Sutherland - 1:9.0.110-3 - Resolves: RHEL-168243 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848)