Fix CVE-20225-48989

Resolves: RHEL-102186 - tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames
Fix multiple CVES
2025-08-21 21:22:57 +02:00 · 2025-08-21 15:14:26 +02:00 · 2025-07-21 18:13:38 +02:00
8 changed files with 37 additions and 10 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
+1
--- a/.gitignore
+++ b/.gitignore
@ -1 +1,6 @@
-tomcat-9.0.87.redhat-00013-src.zip
+/tomcat-9.0.87.redhat-00005-src.zip
+/tomcat-9.0.87.redhat-00006-src.zip
+/tomcat-9.0.87.redhat-00008-src.zip
+/tomcat-9.0.87.redhat-00010-src.zip
+/tomcat-9.0.87.redhat-00011-src.zip
+/tomcat-9.0.87.redhat-00012-src.zip
--- a/ci.fmf
+++ b/ci.fmf
@ -0,0 +1 @@
+resultsdb-testcase: separate
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
--- a/plans/smoke.fmf
+++ b/plans/smoke.fmf
@ -0,0 +1,9 @@
+summary: Basic smoke test
+prepare:
+  - name: packages
+    how: install
+    package:
+      - tomcat9
+execute:
+    how: tmt
+    script: which tomcat
--- a/plans/tier1-internal.fmf
+++ b/plans/tier1-internal.fmf
@ -0,0 +1,11 @@
+summary: Internal Tier1 beakerlib tests.
+discover:
+  - name: rhel
+    how: fmf
+    url: git://pkgs.devel.redhat.com/tests/tomcat9
+    filter: 'tier: 1'
+execute:
+    how: tmt
+adjust:
+    enabled: false
+    when: distro == centos-stream-10
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (tomcat-9.0.87.redhat-00013-src.zip) = 1049d86d4bbdfd251a3f0cc72840cb6535a5637a76becaec8cb9c6532430dabaefd007af285fa1ac8d6a2a70f1d0378f6a1e908f7e7c5aff7c2bbedcd521cc9d
+SHA512 (tomcat-9.0.87.redhat-00012-src.zip) = 09c490294696114a2fd1c0680db96c969a331d070d1855ae4814bea5d57f9e891d6576b4acae56f53864280e53c3e6983c2b1a11861b0b0f52c021048482c696
--- a/tomcat9.spec
+++ b/tomcat9.spec
@ -32,7 +32,7 @@
 %global major_version 9
 %global minor_version 0
 %global micro_version 87
-%global packdname tomcat-%{major_version}.%{minor_version}.%{micro_version}.redhat-00013-src
+%global packdname tomcat-%{major_version}.%{minor_version}.%{micro_version}.redhat-00012-src
 %global servletspec 4.0
 %global elspec 3.0
 %global tcuid 53
@ -53,7 +53,7 @@
 Name:          tomcat9
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       8%{?dist}.1
+Release:       8%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API

 License:       Apache-2.0
@ -622,12 +622,6 @@ fi
 %{appdir}/ROOT

 %changelog
-* Thu Nov 27 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-8.el10_1.1
- Resolves: RHEL-124497
-  tomcat: Directory traversal via rewrite with possible RCE (CVE-2025-55752)
- Resolves: RHEL-91732
-  tomcat: Bypass of rules in Rewrite Valve (CVE-2025-31651)
-
 * Mon Aug 18 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-8
 - Resolves: RHEL-102186
  tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-48989)