import CS tomcat9-9.0.110-2.el10

2026-04-14 05:59:35 -04:00
9 changed files with 52 additions and 73 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -1 +0,0 @@
-1
--- a/.gitignore
+++ b/.gitignore
@ -1,9 +1 @@
-results_tomcat9
-*.rpm
-/tomcat-9.0.87.redhat-*-src.zip
-/apache-tomcat-9*-src.tar.gz
-apache-tomcat-*-src
-/tomcat9.iml
-/.idea/.gitignore
-/.idea/modules.xml
-/.idea/vcs.xml
+apache-tomcat-9.0.110-src.tar.gz
--- a/ci.fmf
+++ b/ci.fmf
@ -1 +0,0 @@
-resultsdb-testcase: separate
--- a/gating.yaml
+++ b/gating.yaml
@ -1,6 +0,0 @@
--- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}
--- a/plans/smoke.fmf
+++ b/plans/smoke.fmf
@ -1,9 +0,0 @@
-summary: Basic smoke test
-prepare:
-  - name: packages
-    how: install
-    package:
-      - tomcat9
-execute:
-    how: tmt
-    script: which tomcat
--- a/plans/tier1-internal.fmf
+++ b/plans/tier1-internal.fmf
@ -1,11 +0,0 @@
-summary: Internal Tier1 beakerlib tests.
-discover:
-  - name: rhel
-    how: fmf
-    url: git://pkgs.devel.redhat.com/tests/tomcat9
-    filter: 'tier: 1'
-execute:
-    how: tmt
-adjust:
-    enabled: false
-    when: distro == centos-stream-10
--- a/rhel-158962.patch
+++ b/rhel-158962.patch
@ -0,0 +1,46 @@
+From 93fc51176bbcf643a46cc271b85ff49cbb01f1a6 Mon Sep 17 00:00:00 2001
+From: remm <remm@apache.org>
+Date: Wed, 3 Dec 2025 21:22:54 +0100
+Subject: [PATCH] Avoid possible NPEs when using a TLS enabled custom connector
+
+---
+ .../org/apache/tomcat/util/net/AbstractJsseEndpoint.java | 9 +++++++++
+ webapps/docs/changelog.xml                               | 7 +++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+index 1d639176eb17..9a4b8fa37fb5 100644
+--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+@@ -127,8 +127,17 @@ protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgum
+     protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers,
+             List<String> clientRequestedApplicationProtocols) {
+         List<String> clientRequestedProtocols = clientRequestedProtocolsThreadLocal.get();
+        if (clientRequestedProtocols == null) {
+            clientRequestedProtocols = new ArrayList<String>();
+        }
+         List<Group> clientSupportedGroups = clientSupportedGroupsThreadLocal.get();
+        if (clientSupportedGroups == null) {
+            clientSupportedGroups = new ArrayList<Group>();
+        }
+         List<SignatureScheme> clientSignatureSchemes = clientSignatureSchemesThreadLocal.get();
+        if (clientSignatureSchemes == null) {
+            clientSignatureSchemes = new ArrayList<SignatureScheme>();
+        }
+
+         SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
+
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 9ef3d9b04912..03be8d1358ae 100644
+--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
+@@ -155,6 +155,9 @@
+         Store HTTP request headers using the original case for the header name
+         rather than forcing it to lower case. (markt)
+       </fix>
+      <fix>
+        Avoid possible NPEs when using a TLS enabled custom connector. (remm)
+      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Cluster">
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.117-src.tar.gz) = f40854a6ed1f208ccdd3da82527fc806eb9231aebaee86d6987e9699d1d31bb548765241424368708b89bdce01d4558a638532a35932f686d3edabd26951041d
+SHA512 (apache-tomcat-9.0.110-src.tar.gz) = a8fe2c59a801d6fb16ea74019c6fc58c34543d4d25a16d64e929e67c7736f6e16d08ec2061b37f1783ebfa0b1dacfff991e46ed5d24d89300a140cb94449f570
--- a/tomcat9.spec
+++ b/tomcat9.spec
@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 117
+%global micro_version 110
 %global packdname apache-tomcat-%{major_version}.%{minor_version}.%{micro_version}-src
 %global servletspec 4.0
 %global elspec 3.0
@ -53,7 +53,7 @@
 Name:          tomcat9
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       1%{?dist}
+Release:       2%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API

 License:       Apache-2.0
@ -78,6 +78,7 @@ Patch3:        tomcat-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4:        rhbz-1857043.patch
 Patch6:        tomcat-%{major_version}.%{minor_version}-bnd-annotation.patch
 Patch7:        build-with-java-25.patch
+Patch8:        rhel-158962.patch

 BuildArch:     noarch

@ -210,6 +211,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch -P4 -p0
 %patch -P6 -p0
 %patch -P7 -p0
+%patch -P8 -p1

 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@ -632,39 +634,6 @@ fi
 %{appdir}/ROOT

 %changelog
-* Thu May 29 2026 Pietro Meloni <pmeloni@redhat.com> - 1:9.0.117-1
- Resolves: RHEL-150720
-  Tomcat: Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734)
- Resolves:
-  Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
- Resolves:
-  Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
- Resolves:
-  Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
- Resolves:
-  Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
- Resolves:
-  Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
- Resolves:
-  Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
- Resolves:
-  Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
- Resolves:
-  Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
- Resolves:
-  Tomcat: Occasionally open redirect (CVE-2026-25854)
- Resolves:
-  Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
- Resolves:
-  Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
- Resolves:
-  Tomcat: Security constraint bypass (CVE-2026-24733)
- Resolves:
-  Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)
-
-* Tue Apr 14 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-3
- Resolves: RHEL-168243 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848)
-
 * Mon Mar 23 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-2
 - Resolves: RHEL-158962 NPE in tomcat9 when used with TLS enabled custom connector