From f78fb2986319f8819b04da40e00f3edece5cb4e0 Mon Sep 17 00:00:00 2001 From: Hui Wang Date: Wed, 9 Nov 2022 16:13:58 +0800 Subject: [PATCH 01/10] Update to 9.0.68 --- sources | 2 +- tomcat-9.0-catalina-policy.patch | 9 ++++----- tomcat-9.0-osgi-annotations.patch | 4 ++-- tomcat.spec | 5 ++++- 4 files changed, 11 insertions(+), 9 deletions(-) diff --git a/sources b/sources index 78df857..5c55728 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (apache-tomcat-9.0.65-src.tar.gz) = 3ff344370cc36f5bed389ed198054783a4f5bc86476a751cda280618457a06bae38c1e764b0c110c2f68efe2d34243a4e24596e8b90e8fbd171bf584a22fd3bc +SHA512 (apache-tomcat-9.0.68-src.tar.gz) = 63bb2c42f683c4c5e362b19bda046de172382714e80298106c61cc728feea9681b568450f04cb95d6cae08e5a71933c7755b9b81b706c46d63f4683c2a3a96be diff --git a/tomcat-9.0-catalina-policy.patch b/tomcat-9.0-catalina-policy.patch index 0211e70..dd6a47d 100644 --- a/tomcat-9.0-catalina-policy.patch +++ b/tomcat-9.0-catalina-policy.patch @@ -1,6 +1,6 @@ ---- conf/catalina.policy.orig 2021-07-07 10:25:53.461393329 +0800 -+++ conf/catalina.policy 2021-07-07 10:27:47.688682404 +0800 -@@ -56,6 +56,16 @@ grant codeBase "file:${java.home}/lib/ex +--- conf/catalina.policy.orig 2022-11-04 16:17:41.227506990 +0800 ++++ conf/catalina.policy 2022-11-04 16:21:51.393351415 +0800 +@@ -56,6 +56,15 @@ grant codeBase "file:${java.home}/lib/ex // permission java.security.AllPermission; //}; @@ -13,11 +13,10 @@ +grant codeBase "file:/usr/share/java/ecj/ecj.jar" { + permission java.security.AllPermission; +}; -+ // ========== CATALINA CODE PERMISSIONS ======================================= -@@ -261,4 +271,4 @@ grant codeBase "file:${catalina.home}/we +@@ -261,4 +270,4 @@ grant codeBase "file:${catalina.home}/we // // The permissions granted to a specific JAR // grant codeBase "war:file:${catalina.base}/webapps/examples.war*/WEB-INF/lib/foo.jar" { 
diff --git a/tomcat-9.0-osgi-annotations.patch b/tomcat-9.0-osgi-annotations.patch index c68708a..c70b463 100644 --- a/tomcat-9.0-osgi-annotations.patch +++ b/tomcat-9.0-osgi-annotations.patch @@ -1,6 +1,6 @@ --- build.properties.default.orig 2022-06-21 20:30:04.498997718 +0800 +++ build.properties.default 2022-06-21 20:30:57.579522800 +0800 -@@ -308,6 +308,16 @@ bnd.home=${base.path}/bnd-${bnd.version} +@@ -309,6 +309,16 @@ bnd.home=${base.path}/bnd-${bnd.version} bnd.jar=${bnd.home}/biz.aQute.bnd-${bnd.version}.jar bnd.loc=${base-maven.loc}/biz/aQute/bnd/biz.aQute.bnd/${bnd.version}/biz.aQute.bnd-${bnd.version}.jar @@ -15,7 +15,7 @@ +osgi-annotations.loc=${base-maven.loc}/org/osgi/org.osgi.annotation.bundle/${osgi-annotations.version}/org.osgi.annotation.bundle-${osgi-annotations.version}.jar + # ----- JSign, version 4.1 or later ----- - jsign.version=4.1 + jsign.version=4.2 --- build.xml.orig 2022-06-21 20:36:12.785560093 +0800 +++ build.xml 2022-06-21 20:40:41.155154959 +0800 diff --git a/tomcat.spec b/tomcat.spec index 22e25c2..7acea9b 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -31,7 +31,7 @@ %global jspspec 2.3 %global major_version 9 %global minor_version 0 -%global micro_version 65 +%global micro_version 68 %global packdname apache-tomcat-%{version}-src %global servletspec 4.0 %global elspec 3.0 @@ -503,6 +503,9 @@ fi %{appdir}/ROOT %changelog +* Thu Nov 03 2033 Hui Wang - 1:9.0.68-1 +- Update to 9.0.68 + * Thu Jul 21 2022 Hui Wang - 1:9.0.65-1 - Update to 9.0.65 From 67478c73aa8e24c0e82bf606a785c317c0b71ca9 Mon Sep 17 00:00:00 2001 From: Hui Wang Date: Fri, 13 Jan 2023 19:38:05 +0800 Subject: [PATCH 02/10] Update to 9.0.70 --- sources | 2 +- tomcat.spec | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/sources b/sources index 5c55728..e456e94 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.68-src.tar.gz) = 63bb2c42f683c4c5e362b19bda046de172382714e80298106c61cc728feea9681b568450f04cb95d6cae08e5a71933c7755b9b81b706c46d63f4683c2a3a96be
+SHA512 (apache-tomcat-9.0.70-src.tar.gz) = 266ffbdfa57bd9778ea3485f5e2cabf9a2d389235afa74b154e684bcf2806a4fe7a54049f2bd8ea96414396d06695fe890b1eed9672278d9eb345ba3cd71032e
diff --git a/tomcat.spec b/tomcat.spec
index 7acea9b..d86c64b 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 68
+%global micro_version 70
 %global packdname apache-tomcat-%{version}-src
 %global servletspec 4.0
 %global elspec 3.0
@@ -503,7 +503,10 @@ fi
 %{appdir}/ROOT
 %changelog
-* Thu Nov 03 2033 Hui Wang - 1:9.0.68-1
+* Fri Jan 13 2023 Hui Wang - 1:9.0.70-1
+- Update to 9.0.70
+
+* Thu Nov 03 2022 Hui Wang - 1:9.0.68-1
 - Update to 9.0.68
 * Thu Jul 21 2022 Hui Wang - 1:9.0.65-1
From dd61b0ad3a6027bcbaca25b56b41657654c93aff Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Sun, 29 Jan 2023 19:50:31 +0800
Subject: [PATCH 03/10] Update to 9.0.71 Remove osgi-annotations patch Add bnd-annotation dependency which is in bndlib package
---
 sources | 2 +- tomcat-9.0-bnd-annotation.patch | 10 +++++ tomcat-9.0-osgi-annotations.patch | 66 ------------------------------- tomcat.spec | 20 +++++----- 4 files changed, 20 insertions(+), 78 deletions(-) create mode 100644 tomcat-9.0-bnd-annotation.patch delete mode 100644 tomcat-9.0-osgi-annotations.patch
diff --git a/sources b/sources
index e456e94..fa93e4d 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.70-src.tar.gz) = 266ffbdfa57bd9778ea3485f5e2cabf9a2d389235afa74b154e684bcf2806a4fe7a54049f2bd8ea96414396d06695fe890b1eed9672278d9eb345ba3cd71032e
+SHA512 (apache-tomcat-9.0.71-src.tar.gz) = 0c62a5e526178e39c68717223ce2cb4a31096e5765b718639e4ba4bbf3d70ba28238cd1bb5cf74747f718b35baf98de32c7ee8a7ebd445c6191700070c1ca930
diff --git a/tomcat-9.0-bnd-annotation.patch b/tomcat-9.0-bnd-annotation.patch new file mode 100644 index 0000000..9d57c81 --- /dev/null +++ b/tomcat-9.0-bnd-annotation.patch @@ -0,0 +1,10 @@ +--- build.xml.orig 2023-01-29 17:38:29.477052402 +0800 ++++ build.xml 2023-01-29 17:42:03.369583841 +0800 +@@ -216,6 +216,7 @@ + + + ++ + + + diff --git a/tomcat-9.0-osgi-annotations.patch b/tomcat-9.0-osgi-annotations.patch deleted file mode 100644 index c70b463..0000000 --- a/tomcat-9.0-osgi-annotations.patch +++ /dev/null 
@@ -1,66 +0,0 @@ ---- build.properties.default.orig 2022-06-21 20:30:04.498997718 +0800 -+++ build.properties.default 2022-06-21 20:30:57.579522800 +0800 -@@ -309,6 +309,16 @@ bnd.home=${base.path}/bnd-${bnd.version} - bnd.jar=${bnd.home}/biz.aQute.bnd-${bnd.version}.jar - bnd.loc=${base-maven.loc}/biz/aQute/bnd/biz.aQute.bnd/${bnd.version}/biz.aQute.bnd-${bnd.version}.jar - -+# ----- OSGi annotations bundle, version 1.0.0 or later ----- -+# ----- required to avoid Javadoc error when using bnd annotations ----- -+osgi-annotations.version=1.1.1 -+osgi-annotations.checksum.enabled=true -+osgi-annotations.checksum.algorithm=MD5|SHA-1 -+osgi-annotations.checksum.value=04e5db48a469cb53dd0e4e954deab2e0|a1644f3dbbb614f2a44671d27dd13c4d9142007d -+osgi-annotations.home=${base.path}/osgi-annotations-${osgi-annotations.version} -+osgi-annotations.jar=${osgi-annotations.home}/org.osgi.annotation.bundle-${osgi-annotations.version}.jar -+osgi-annotations.loc=${base-maven.loc}/org/osgi/org.osgi.annotation.bundle/${osgi-annotations.version}/org.osgi.annotation.bundle-${osgi-annotations.version}.jar -+ - # ----- JSign, version 4.1 or later ----- - jsign.version=4.2 - ---- build.xml.orig 2022-06-21 20:36:12.785560093 +0800 -+++ build.xml 2022-06-21 20:40:41.155154959 +0800 -@@ -213,6 +213,7 @@ - - - -+ - - - -@@ -2270,7 +2271,8 @@ Apache Tomcat ${version} native binaries - failonwarning="true"> - - -- -+ -+ - - - -@@ -3671,12 +3673,26 @@ Read the Building page on the Apache Tom - - - -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - - - - -+ -+ -+ -+ -+ - - - diff --git a/tomcat.spec b/tomcat.spec index d86c64b..1c1a09d 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -31,7 +31,7 @@ %global jspspec 2.3 %global major_version 9 %global minor_version 0 -%global micro_version 70 +%global micro_version 71 %global packdname apache-tomcat-%{version}-src %global servletspec 4.0 %global elspec 3.0 
@@ -81,7 +81,7 @@ Patch2: %{name}-build.patch Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch Patch4: rhbz-1857043.patch Patch5: %{name}-%{major_version}.%{minor_version}-JDTCompiler.patch -Patch6: %{name}-%{major_version}.%{minor_version}-osgi-annotations.patch +Patch6: %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch BuildArch: noarch ExclusiveArch: %{java_arches} noarch @@ -93,12 +93,10 @@ BuildRequires: java-devel >= 1:1.8.0 BuildRequires: javapackages-local BuildRequires: aqute-bnd BuildRequires: aqute-bndlib -BuildRequires: wsdl4j BuildRequires: systemd Requires: java-headless >= 1:1.8.0 Requires: javapackages-tools -Requires: procps Requires: %{name}-lib = %{epoch}:%{version}-%{release} %if 0%{?fedora} || 0%{?rhel} > 7 Recommends: tomcat-native >= %{native_version} @@ -224,14 +222,9 @@ touch HACK -Dcommons-daemon.native.win.mgr.exe="HACK" \ -Dnsis.exe="HACK" \ -Djaxrpc-lib.jar="HACK" \ - -Dwsdl4j-lib.jar="$(build-classpath wsdl4j)" \ + -Dwsdl4j-lib.jar="HACK" \ -Dbnd.jar="$(build-classpath aqute-bnd/biz.aQute.bnd)" \ - -Dbndlib.jar="$(build-classpath aqute-bnd/biz.aQute.bndlib)" \ - -Dbndlibg.jar="$(build-classpath aqute-bnd/aQute.libg)" \ - -Dbndannotation.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \ - -Dosgi-annotations.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \ - -Dslf4j-api.jar="$(build-classpath slf4j/slf4j-api)" \ - -Dosgi-cmpn.jar="$(build-classpath osgi-compendium/osgi.cmpn)" \ + -Dbnd-annotation.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \ -Dversion="%{version}" \ -Dversion.build="%{micro_version}" \ deploy @@ -503,6 +496,11 @@ fi %{appdir}/ROOT %changelog +* Sun Jan 29 2023 Hui Wang - 1:9.0.71-1 +- Update to 9.0.71 +- Remove osgi-annotations patch +- Add bnd-annotation dependency which is in bndlib package + * Fri Jan 13 2023 Hui Wang - 1:9.0.70-1 - Update to 9.0.70 From 9f76d0bd3717dc83a93ade8d08545dcf16b4aa3a Mon Sep 17 00:00:00 2001 
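Review bot: Dropping the runtime `Requires: procps` (together with `BuildRequires: wsdl4j`) in the hunk at `-93,12 +93,10` is not recorded anywhere: the commit message and the new %changelog entry list only the patch swap and the bnd-annotation dependency. Nothing visible in this series shows whether the packaged service or wrapper scripts still call procps tools, so that should be confirmed before the dependency goes. A changelog line such as `- Drop procps and wsdl4j dependencies, no longer used` would document it. The same commit also points `-Dwsdl4j-lib.jar` at the `HACK` placeholder in the hunk at `-224,14 +222,9`, which belongs under the same entry.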
From: Hui Wang
Date: Fri, 9 Jun 2023 15:44:40 +0800
Subject: [PATCH 04/10] Update to 9.0.75
---
 sources | 2 +- tomcat.spec | 8 +++++--- 2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/sources b/sources
index fa93e4d..27278f4 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.71-src.tar.gz) = 0c62a5e526178e39c68717223ce2cb4a31096e5765b718639e4ba4bbf3d70ba28238cd1bb5cf74747f718b35baf98de32c7ee8a7ebd445c6191700070c1ca930
+SHA512 (apache-tomcat-9.0.75-src.tar.gz) = 19f78fbe3391bbad65494e0071a6df9a26ceb1a4bd387b3425c5f34a02391fcaaae40442cdca3a98c4b7b45963d3a9e51dd6a1b72f11c29904c755cff03def64
diff --git a/tomcat.spec b/tomcat.spec
index 1c1a09d..17ea44d 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 71
+%global micro_version 75
 %global packdname apache-tomcat-%{version}-src
 %global servletspec 4.0
 %global elspec 3.0
@@ -80,7 +80,6 @@ Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.pat
 Patch2: %{name}-build.patch
 Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4: rhbz-1857043.patch
-Patch5: %{name}-%{major_version}.%{minor_version}-JDTCompiler.patch
 Patch6: %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch
 BuildArch: noarch
@@ -190,7 +189,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch2 -p0
 %patch3 -p0
 %patch4 -p0
-%patch5 -p0
 %patch6 -p0
 # Remove webservices naming resources as it's generally unused
@@ -496,6 +494,10 @@ fi
 %{appdir}/ROOT
 %changelog
+* Fri Jun 09 2023 Hui Wang - 1:9.0.75-1
+- Update to 9.0.75
+- Remove JDTCompiler.patch
+
 * Sun Jan 29 2023 Hui Wang - 1:9.0.71-1
 - Update to 9.0.71
 - Remove osgi-annotations patch
From 85725ed4fa743cc86d0692eed55f8ad1a8988ccf Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Wed, 14 Jun 2023 13:12:12 +0800
Subject: [PATCH 05/10] Update to 9.0.76 Resolves: rhbz#2188218 Link bin/tomcat-juli.jar to /usr/share/java Move tomcat-jsp-2.3-api.jar,tomcat-servlet-4.0-api.jar and tomcat-el-api.jar to the subpackages
---
 sources | 2 +- tomcat.spec | 19 ++++++++++++++++++- 2 files changed, 19 insertions(+), 2 deletions(-)
diff --git a/sources b/sources
index 27278f4..2bc150a 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.75-src.tar.gz) = 19f78fbe3391bbad65494e0071a6df9a26ceb1a4bd387b3425c5f34a02391fcaaae40442cdca3a98c4b7b45963d3a9e51dd6a1b72f11c29904c755cff03def64
+SHA512 (apache-tomcat-9.0.76-src.tar.gz) = 64de4778a4e142baa6e49d5b2d2ca30aaf0133fa1cb450ceb528d6da0440933d01dc9571b6f7b35162de41bf740b71487948ba179ea3d2c75a842848e1bae7bf
diff --git a/tomcat.spec b/tomcat.spec
index 17ea44d..d0f2722 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 75
+%global micro_version 76
 %global packdname apache-tomcat-%{version}-src
 %global servletspec 4.0
 %global elspec 3.0
@@ -326,6 +326,8 @@ pushd ${RPM_BUILD_ROOT}%{libdir}
 %{__ln_s} ../../java/%{name}-servlet-%{servletspec}-api.jar .
 %{__ln_s} ../../java/%{name}-el-%{elspec}-api.jar .
 %{__ln_s} $(build-classpath ecj/ecj) jasper-jdt.jar
+
+ %{__cp} -a ../../%{name}/bin/tomcat-juli.jar .
 popd
 # symlink to the FHS locations where we've installed things
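Review bot: The added line `%{__cp} -a ../../%{name}/bin/tomcat-juli.jar .` in the hunk at `-326,6 +326,8` copies the jar into `%{libdir}`, whereas the commit message and the changelog entry both describe it as a link. With a copy, the same jar is shipped twice in the lib subpackage, once through `%{bindir}/tomcat-juli.jar` and once through the `%{libdir}/*.jar` glob in `%files lib`. The neighbouring lines already use `%{__ln_s}`, so if a link is what rhbz#2188218 needs, `%{__ln_s} ../../%{name}/bin/tomcat-juli.jar .` would match the description; if a real copy is intended, the changelog wording should say so. The `pushd` block starts above the hunk, so the working directory is taken from the hunk header.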
@@ -473,27 +475,42 @@ fi
 %{_javadir}/*.jar
 %{bindir}/tomcat-juli.jar
 %exclude %{libdir}/%{name}-el-%{elspec}-api.jar
+%exclude %{libdir}/%{name}-servlet-%{servletspec}*.jar
+%exclude %{libdir}/%{name}-jsp-%{jspspec}*.jar
 %exclude %{_javadir}/%{name}-servlet-%{servletspec}*.jar
 %exclude %{_javadir}/%{name}-el-%{elspec}-api.jar
 %exclude %{_javadir}/%{name}-jsp-%{jspspec}*.jar
+%exclude %{_javadir}/%{name}-servlet-api.jar
+%exclude %{_javadir}/%{name}-el-api.jar
+%exclude %{_javadir}/%{name}-jsp-api.jar
 %files jsp-%{jspspec}-api -f .mfiles-tomcat-jsp-api
 %{_javadir}/%{name}-jsp-%{jspspec}*.jar
+%{libdir}/%{name}-jsp-%{jspspec}*.jar
+%{_javadir}/%{name}-jsp-api.jar
 %files servlet-%{servletspec}-api -f .mfiles-tomcat-servlet-api
 %doc LICENSE
 %{_javadir}/%{name}-servlet-%{servletspec}*.jar
+%{libdir}/%{name}-servlet-%{servletspec}*.jar
+%{_javadir}/%{name}-servlet-api.jar
 %files el-%{elspec}-api -f .mfiles-tomcat-el-api
 %doc LICENSE
 %{_javadir}/%{name}-el-%{elspec}-api.jar
 %{libdir}/%{name}-el-%{elspec}-api.jar
+%{_javadir}/%{name}-el-api.jar
 %files webapps
 %defattr(0644,tomcat,tomcat,0755)
 %{appdir}/ROOT
 %changelog
+* Wed Jun 14 2023 Hui Wang - 1:9.0.76-1
+- Update to 9.0.76
+- Resolves: rhbz#2188218 Link bin/tomcat-juli.jar to /usr/share/java
+- Move tomcat-jsp-2.3-api.jar,tomcat-servlet-4.0-api.jar and tomcat-el-api.jar to the subpackages
+
 * Fri Jun 09 2023 Hui Wang - 1:9.0.75-1
 - Update to 9.0.75
 - Remove JDTCompiler.patch
From a533a845cccaae9aa64bb051d9914f88e73928d2 Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Tue, 20 Jun 2023 15:43:02 +0800
Subject: [PATCH 06/10] Resolves: rhbz#2173782 CVE-2023-24998 tomcat: Apache Commons FileUpload: FileUpload DoS with excessive parts Resolves: rhbz#2181443 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure Install missing poms
---
 tomcat.spec | 41 ++++++++++++++++++++++++++++++++++++++--- 1 file changed, 38 insertions(+), 3 deletions(-)
diff --git a/tomcat.spec b/tomcat.spec index d0f2722..64d47c4 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -56,7 +56,7 @@ Name: tomcat Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 1%{?dist} +Release: 2%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API License: ASL 2.0 @@ -343,7 +343,7 @@ popd # Install the maven metadata for the spec impl artifacts as other projects use them #%{__install} -d -m 0755 ${RPM_BUILD_ROOT}%{_mavenpomdir} pushd res/maven - for pom in tomcat-el-api.pom tomcat-jsp-api.pom tomcat-servlet-api.pom; do + for pom in *.pom; do # fix-up version in all pom files sed -i 's/@MAVEN.DEPLOY.VERSION@/%{version}/g' $pom done 
@@ -353,6 +353,36 @@ popd %mvn_artifact res/maven/tomcat-el-api.pom output/build/lib/el-api.jar %mvn_artifact res/maven/tomcat-jsp-api.pom output/build/lib/jsp-api.jar %mvn_artifact res/maven/tomcat-servlet-api.pom output/build/lib/servlet-api.jar +%mvn_artifact res/maven/tomcat-annotations-api.pom ${RPM_BUILD_ROOT}%{libdir}/annotations-api.jar +%mvn_artifact res/maven/tomcat-api.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-api.jar +%mvn_artifact res/maven/tomcat-catalina-ant.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ant.jar +%mvn_artifact res/maven/tomcat-catalina-ha.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ha.jar +%mvn_artifact res/maven/tomcat-ssi.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ssi.jar +%mvn_artifact res/maven/tomcat-storeconfig.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-storeconfig.jar +%mvn_artifact res/maven/tomcat-tribes.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-tribes.jar +%mvn_artifact res/maven/tomcat-catalina.pom ${RPM_BUILD_ROOT}%{libdir}/catalina.jar +%mvn_artifact res/maven/tomcat-jasper-el.pom ${RPM_BUILD_ROOT}%{libdir}/jasper-el.jar +%mvn_artifact res/maven/tomcat-jasper.pom ${RPM_BUILD_ROOT}%{libdir}/jasper.jar +%mvn_artifact res/maven/tomcat-jaspic-api.pom ${RPM_BUILD_ROOT}%{libdir}/jaspic-api.jar +%mvn_artifact res/maven/tomcat-coyote.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-coyote.jar +%mvn_artifact res/maven/tomcat-dbcp.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-dbcp.jar +%mvn_artifact res/maven/tomcat-i18n-cs.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-cs.jar +%mvn_artifact res/maven/tomcat-i18n-de.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-de.jar +%mvn_artifact res/maven/tomcat-i18n-es.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-es.jar +%mvn_artifact res/maven/tomcat-i18n-fr.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-fr.jar +%mvn_artifact res/maven/tomcat-i18n-ja.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-ja.jar +%mvn_artifact res/maven/tomcat-i18n-ko.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-ko.jar +%mvn_artifact res/maven/tomcat-i18n-pt-BR.pom 
${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-pt-BR.jar +%mvn_artifact res/maven/tomcat-i18n-ru.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-ru.jar +%mvn_artifact res/maven/tomcat-i18n-zh-CN.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-zh-CN.jar +%mvn_artifact res/maven/tomcat-jdbc.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-jdbc.jar +%mvn_artifact res/maven/tomcat-jni.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-jni.jar +%mvn_artifact res/maven/tomcat-juli.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-juli.jar +%mvn_artifact res/maven/tomcat-util-scan.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-util-scan.jar +%mvn_artifact res/maven/tomcat-util.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-util.jar +%mvn_artifact res/maven/tomcat-websocket-api.pom ${RPM_BUILD_ROOT}%{libdir}/websocket-api.jar +%mvn_artifact res/maven/tomcat-websocket.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-websocket.jar +%mvn_artifact res/maven/tomcat.pom %mvn_install %pre @@ -469,7 +499,7 @@ fi %files docs-webapp %{appdir}/docs -%files lib +%files lib -f .mfiles %dir %{libdir} %{libdir}/*.jar %{_javadir}/*.jar @@ -506,6 +536,11 @@ fi %{appdir}/ROOT %changelog +* Tue Jun 20 2023 Hui Wang - 1:9.0.76-2 +- Resolves: rhbz#2173782 CVE-2023-24998 tomcat: Apache Commons FileUpload: FileUpload DoS with excessive parts +- Resolves: rhbz#2181443 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure +- Install missing poms + * Wed Jun 14 2023 Hui Wang - 1:9.0.76-1 - Update to 9.0.76 - Resolves: rhbz#2188218 Link bin/tomcat-juli.jar to /usr/share/java From 6c211fad498554a10b9c24c6f27fcea42188a81b Mon Sep 17 00:00:00 2001 From: Hui Wang Date: Wed, 26 Jul 2023 19:06:30 +0800 Subject: [PATCH 07/10] Fix duplicated jars in the tomcat lib subpackage --- sources | 2 +- tomcat.spec | 46 ++++++++++++++++++++++++++++++++-------------- 2 files changed, 33 insertions(+), 15 deletions(-) diff --git a/sources b/sources index 2bc150a..fcff246 100644 --- a/sources +++ b/sources 
@@ -1 +1 @@ -SHA512 (apache-tomcat-9.0.76-src.tar.gz) = 64de4778a4e142baa6e49d5b2d2ca30aaf0133fa1cb450ceb528d6da0440933d01dc9571b6f7b35162de41bf740b71487948ba179ea3d2c75a842848e1bae7bf +SHA512 (apache-tomcat-9.0.78-src.tar.gz) = 220bf46004c4cbad536a7040c979651ee49a13994cf83045369c1bfdc0a96c0172ddc8fd24ab76c9526591c50033d915dbd258939b24d22d660050dcb5abcad4 diff --git a/tomcat.spec b/tomcat.spec index 64d47c4..f1a6e59 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -31,7 +31,7 @@ %global jspspec 2.3 %global major_version 9 %global minor_version 0 -%global micro_version 76 +%global micro_version 78 %global packdname apache-tomcat-%{version}-src %global servletspec 4.0 %global elspec 3.0 @@ -56,7 +56,7 @@ Name: tomcat Epoch: 1 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 2%{?dist} +Release: 1%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API License: ASL 2.0 @@ -184,12 +184,12 @@ The ROOT web application for Apache Tomcat. find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "*.gz" -o \ -name "*.jar" -o -name "*.war" -o -name "*.zip" \) -delete -%patch0 -p0 -%patch1 -p0 -%patch2 -p0 -%patch3 -p0 -%patch4 -p0 -%patch6 -p0 +%patch 0 -p0 +%patch 1 -p0 +%patch 2 -p0 +%patch 3 -p0 +%patch 4 -p0 +%patch 6 -p0 # Remove webservices naming resources as it's generally unused %{__rm} -rf java/org/apache/naming/factory/webservices 
@@ -353,17 +353,16 @@ popd %mvn_artifact res/maven/tomcat-el-api.pom output/build/lib/el-api.jar %mvn_artifact res/maven/tomcat-jsp-api.pom output/build/lib/jsp-api.jar %mvn_artifact res/maven/tomcat-servlet-api.pom output/build/lib/servlet-api.jar + +%mvn_file org.apache.tomcat:tomcat-annotations-api tomcat/annotations-api %mvn_artifact res/maven/tomcat-annotations-api.pom ${RPM_BUILD_ROOT}%{libdir}/annotations-api.jar %mvn_artifact res/maven/tomcat-api.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-api.jar +%mvn_file org.apache.tomcat:tomcat-catalina-ant tomcat/catalina-ant %mvn_artifact res/maven/tomcat-catalina-ant.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ant.jar +%mvn_file org.apache.tomcat:tomcat-catalina-ha tomcat/catalina-ha %mvn_artifact res/maven/tomcat-catalina-ha.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ha.jar -%mvn_artifact res/maven/tomcat-ssi.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ssi.jar -%mvn_artifact res/maven/tomcat-storeconfig.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-storeconfig.jar -%mvn_artifact res/maven/tomcat-tribes.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-tribes.jar +%mvn_file org.apache.tomcat:tomcat-catalina tomcat/catalina %mvn_artifact res/maven/tomcat-catalina.pom ${RPM_BUILD_ROOT}%{libdir}/catalina.jar -%mvn_artifact res/maven/tomcat-jasper-el.pom ${RPM_BUILD_ROOT}%{libdir}/jasper-el.jar -%mvn_artifact res/maven/tomcat-jasper.pom ${RPM_BUILD_ROOT}%{libdir}/jasper.jar -%mvn_artifact res/maven/tomcat-jaspic-api.pom ${RPM_BUILD_ROOT}%{libdir}/jaspic-api.jar %mvn_artifact res/maven/tomcat-coyote.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-coyote.jar %mvn_artifact res/maven/tomcat-dbcp.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-dbcp.jar %mvn_artifact res/maven/tomcat-i18n-cs.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-cs.jar 
@@ -375,14 +374,28 @@ popd %mvn_artifact res/maven/tomcat-i18n-pt-BR.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-pt-BR.jar %mvn_artifact res/maven/tomcat-i18n-ru.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-ru.jar %mvn_artifact res/maven/tomcat-i18n-zh-CN.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-zh-CN.jar +%mvn_file org.apache.tomcat:tomcat-jasper-el tomcat/jasper-el +%mvn_artifact res/maven/tomcat-jasper-el.pom ${RPM_BUILD_ROOT}%{libdir}/jasper-el.jar +%mvn_file org.apache.tomcat:tomcat-jasper tomcat/jasper +%mvn_artifact res/maven/tomcat-jasper.pom ${RPM_BUILD_ROOT}%{libdir}/jasper.jar +%mvn_file org.apache.tomcat:tomcat-jaspic-api tomcat/jaspic-api +%mvn_artifact res/maven/tomcat-jaspic-api.pom ${RPM_BUILD_ROOT}%{libdir}/jaspic-api.jar %mvn_artifact res/maven/tomcat-jdbc.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-jdbc.jar %mvn_artifact res/maven/tomcat-jni.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-jni.jar %mvn_artifact res/maven/tomcat-juli.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-juli.jar +%mvn_file org.apache.tomcat:tomcat-ssi tomcat/catalina-ssi +%mvn_artifact res/maven/tomcat-ssi.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ssi.jar +%mvn_file org.apache.tomcat:tomcat-storeconfig tomcat/catalina-storeconfig +%mvn_artifact res/maven/tomcat-storeconfig.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-storeconfig.jar +%mvn_file org.apache.tomcat:tomcat-tribes tomcat/catalina-tribes +%mvn_artifact res/maven/tomcat-tribes.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-tribes.jar %mvn_artifact res/maven/tomcat-util-scan.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-util-scan.jar %mvn_artifact res/maven/tomcat-util.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-util.jar +%mvn_file org.apache.tomcat:tomcat-websocket-api tomcat/websocket-api %mvn_artifact res/maven/tomcat-websocket-api.pom ${RPM_BUILD_ROOT}%{libdir}/websocket-api.jar %mvn_artifact res/maven/tomcat-websocket.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-websocket.jar %mvn_artifact res/maven/tomcat.pom + %mvn_install %pre 
@@ -513,6 +526,7 @@ fi %exclude %{_javadir}/%{name}-servlet-api.jar %exclude %{_javadir}/%{name}-el-api.jar %exclude %{_javadir}/%{name}-jsp-api.jar +%exclude %{_jnidir}/* %files jsp-%{jspspec}-api -f .mfiles-tomcat-jsp-api %{_javadir}/%{name}-jsp-%{jspspec}*.jar @@ -536,6 +550,10 @@ fi %{appdir}/ROOT %changelog +* Wed Jul 26 2023 Hui Wang - 1:9.0.78-1 +- Fix duplicated jars in the tomcat lib subpackage +- Fix patchN command + * Tue Jun 20 2023 Hui Wang - 1:9.0.76-2 - Resolves: rhbz#2173782 CVE-2023-24998 tomcat: Apache Commons FileUpload: FileUpload DoS with excessive parts - Resolves: rhbz#2181443 CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure From 1ce4993fc5b207c8af6381a30b5c54341b137494 Mon Sep 17 00:00:00 2001 From: Hui Wang Date: Wed, 13 Sep 2023 16:24:34 +0800 Subject: [PATCH 08/10] Update to 9.0.80 --- sources | 2 +- tomcat.spec | 8 ++++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/sources b/sources index fcff246..2068d0a 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (apache-tomcat-9.0.78-src.tar.gz) = 220bf46004c4cbad536a7040c979651ee49a13994cf83045369c1bfdc0a96c0172ddc8fd24ab76c9526591c50033d915dbd258939b24d22d660050dcb5abcad4 +SHA512 (apache-tomcat-9.0.80-src.tar.gz) = a2fb298c1fd2615e1a69371b5f84eb569e897faad3cbe17e3626460f5ce311085c120dd3f62c255fde87e6517915365ab52ada613776d45185b8e53624935114 diff --git a/tomcat.spec b/tomcat.spec index f1a6e59..0f7d8a0 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -31,7 +31,7 @@ %global jspspec 2.3 %global major_version 9 %global minor_version 0 -%global micro_version 78 +%global micro_version 80 %global packdname apache-tomcat-%{version}-src %global servletspec 4.0 %global elspec 3.0 
@@ -94,7 +94,7 @@ BuildRequires: aqute-bnd BuildRequires: aqute-bndlib BuildRequires: systemd -Requires: java-headless >= 1:1.8.0 +Requires: (java-headless >= 1:1.8 or java-1.8.0-headless or java-11-headless or java-17-headless or java >= 1:1.8) Requires: javapackages-tools Requires: %{name}-lib = %{epoch}:%{version}-%{release} %if 0%{?fedora} || 0%{?rhel} > 7 @@ -550,6 +550,10 @@ fi %{appdir}/ROOT %changelog +* Wed Sep 13 2023 Hui Wang - 1:9.0.80-1 +- Update to 9.0.80 +- Fix java version + * Wed Jul 26 2023 Hui Wang - 1:9.0.78-1 - Fix duplicated jars in the tomcat lib subpackage - Fix patchN command From eee715ee5c0737156503eab785012415fa5d5ad2 Mon Sep 17 00:00:00 2001 From: Hui Wang Date: Mon, 16 Oct 2023 13:38:49 +0800 Subject: [PATCH 09/10] Update to 9.0.82 Resolves: rhbz#2244348 Wrong dbcp class in tomcat 9 --- sources | 2 +- tomcat-build.patch | 13 ++++++++++--- tomcat.spec | 6 +++++- 3 files changed, 16 insertions(+), 5 deletions(-) diff --git a/sources b/sources index 2068d0a..05325b8 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (apache-tomcat-9.0.80-src.tar.gz) = a2fb298c1fd2615e1a69371b5f84eb569e897faad3cbe17e3626460f5ce311085c120dd3f62c255fde87e6517915365ab52ada613776d45185b8e53624935114 +SHA512 (apache-tomcat-9.0.82-src.tar.gz) = 0291196832150147230a263bcfd64f7ac9ce9f6c26924f72b831d28479e7886f00b9ab3adff175785e8c5b47d8b16f7a7897acafa3474428f48cec02fd852b3e diff --git a/tomcat-build.patch b/tomcat-build.patch index 49c63ff..cdf73ef 100644 --- a/tomcat-build.patch +++ b/tomcat-build.patch @@ -1,12 +1,19 @@ diff -up ./res/bnd/build-defaults.bnd.orig ./res/bnd/build-defaults.bnd ---- ./res/bnd/build-defaults.bnd.orig 2020-07-13 13:47:01.229077747 -0400 -+++ ./res/bnd/build-defaults.bnd 2020-07-13 13:47:12.923095618 -0400 +--- res/bnd/build-defaults.bnd.orig 2023-10-16 11:23:04.752754202 +0800 ++++ res/bnd/build-defaults.bnd 2023-10-16 11:23:29.931876910 +0800 
@@ -13,7 +13,7 @@ # See the License for the specific language governing permissions and # limitations under the License. -Bundle-Version: ${version_cleanup;${version}} +Bundle-Version: ${version} + Bundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt Specification-Title: Apache Tomcat - Specification-Version: ${version.major.minor} +@@ -36,4 +36,4 @@ X-Compile-Target-JDK: ${compile.release} + + -removeheaders: DSTAMP,TODAY,TSTAMP + +-module.name: org.apache.${replace;${Bundle-Name};-;.} +\ No newline at end of file ++module.name: org.apache.${replace;${Bundle-Name};-;.} diff --git a/tomcat.spec b/tomcat.spec index 0f7d8a0..6e44125 100644 --- a/tomcat.spec +++ b/tomcat.spec @@ -31,7 +31,7 @@ %global jspspec 2.3 %global major_version 9 %global minor_version 0 -%global micro_version 80 +%global micro_version 82 %global packdname apache-tomcat-%{version}-src %global servletspec 4.0 %global elspec 3.0 @@ -550,6 +550,10 @@ fi %{appdir}/ROOT %changelog +* Mon Oct 16 2023 Hui Wang - 1:9.0.82-1 +- Update to 9.0.82 +- Resolves: rhbz#2244348 Wrong dbcp class in tomcat 9 + * Wed Sep 13 2023 Hui Wang - 1:9.0.80-1 - Update to 9.0.80 - Fix java version From dca53cda54323b9f0b9ac3b254165a98cf987e99 Mon Sep 17 00:00:00 2001 From: Hui Wang Date: Mon, 16 Oct 2023 19:36:19 +0800 Subject: [PATCH 10/10] Update tomcat-9.0.conf --- tomcat-9.0.conf | 2 +- tomcat.spec | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/tomcat-9.0.conf b/tomcat-9.0.conf index e5fa60a..6e9eed1 100644 --- a/tomcat-9.0.conf +++ b/tomcat-9.0.conf @@ -35,7 +35,7 @@ CATALINA_TMPDIR="/var/cache/tomcat/temp" #JAVA_OPTS="-Djava.library.path=/usr/lib" # Set default javax.sql.DataSource factory to apache commons one. See rhbz#1214381 -JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory" +JAVA_OPTS="-Djavax.sql.DataSource.Factory=org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory" # You can change your tomcat locale here #LANG="en_US" 
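Review bot: The corrected factory class in tomcat-9.0.conf only reaches hosts that actually receive the new file, because `JAVA_OPTS` is assigned outright there. If the file is packaged as a preserved config file (its %files entry is not visible in this series), an installation with a locally edited copy keeps `org.apache.commons.dbcp.BasicDataSourceFactory` after the update. The accompanying changelog line `- Update tomcat-9.0.conf file` does not say what changed; something like `- Set default DataSource factory to org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory (rhbz#2244348)` would tell administrators what to check. The comment above the assignment still reads "apache commons one" and could name the Tomcat-bundled DBCP 2 factory instead.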
diff --git a/tomcat.spec b/tomcat.spec
index 6e44125..23a658e 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -56,7 +56,7 @@
 Name: tomcat
 Epoch: 1
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 1%{?dist}
+Release: 2%{?dist}
 Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 License: ASL 2.0
@@ -550,6 +550,9 @@ fi
 %{appdir}/ROOT
 %changelog
+* Mon Oct 16 2023 Hui Wang - 1:9.0.82-2
+- Update tomcat-9.0.conf file
+
 * Mon Oct 16 2023 Hui Wang - 1:9.0.82-1
 - Update to 9.0.82
 - Resolves: rhbz#2244348 Wrong dbcp class in tomcat 9