diff --git a/change-defaults-for-CVE-2020-1938.patch b/change-defaults-for-CVE-2020-1938.patch
new file mode 100644
index 0000000..02ed0df
--- /dev/null
+++ b/change-defaults-for-CVE-2020-1938.patch
@@ -0,0 +1,71 @@ +diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java +--- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig 2020-04-22 15:31:12.889587528 -0400 ++++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2020-04-22 15:31:37.907534419 -0400 +@@ -16,7 +16,6 @@ + */ + package org.apache.coyote.ajp; + +-import java.net.InetAddress; + import java.util.regex.Pattern; + + import org.apache.coyote.AbstractProtocol; +@@ -49,8 +48,6 @@ public abstract class AbstractAjpProtoco + setConnectionTimeout(Constants.DEFAULT_CONNECTION_TIMEOUT); + // AJP does not use Send File + getEndpoint().setUseSendfile(false); +- // AJP listens on loopback by default +- getEndpoint().setAddress(InetAddress.getLoopbackAddress()); + ConnectionHandler cHandler = new ConnectionHandler<>(this); + setHandler(cHandler); + getEndpoint().setHandler(cHandler); +@@ -180,7 +177,7 @@ public abstract class AbstractAjpProtoco + } + + +- private boolean secretRequired = true; ++ private boolean secretRequired = false; + public void setSecretRequired(boolean secretRequired) { + this.secretRequired = secretRequired; + } +diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml +--- ./webapps/docs/changelog.xml.orig 2020-04-03 08:12:03.000000000 -0400 ++++ ./webapps/docs/changelog.xml 2020-04-22 15:31:37.911534411 -0400 +@@ -526,14 +526,10 @@ + Disable (comment out in server.xml) the AJP/1.3 connector by default. + (markt) + +- +- Change the default bind address for the AJP/1.3 connector to be the +- loopback address. (markt) +- + + Rename the requiredSecret attribute of the AJP/1.3 + Connector to secret and add a new attribute +- secretRequired that defaults to true. When ++ secretRequired that defaults to false. When + secretRequired is true the AJP/1.3 Connector + will not start unless the secret attribute is configured to + a non-null, non-zero length String. 
(markt) +diff -up ./webapps/docs/config/ajp.xml.orig ./webapps/docs/config/ajp.xml +--- ./webapps/docs/config/ajp.xml.orig 2020-04-22 15:31:37.913534406 -0400 ++++ ./webapps/docs/config/ajp.xml 2020-04-22 15:35:35.003031090 -0400 +@@ -327,7 +327,9 @@ + +

For servers with more than one IP address, this attribute specifies + which address will be used for listening on the specified port. By +- default, the connector will listen on the loopback address. Unless the JVM ++ default, this port will be used on all IP addresses associated with the ++ server. A value of 127.0.0.1 indicates that the Connector ++ will only listen on the loopback interface. Unless the JVM + is configured otherwise using system properties, the Java based connectors + (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured + with either 0.0.0.0 or ::. The APR/native +@@ -500,7 +502,7 @@ + the secret attribute is required to be specified for the + AJP Connector to start. It does not control whether + workers are required to provide the secret. The default value is +- true. This attribute should only be set to false ++ false. This attribute should only be set to false + when the Connector is used on a trusted network.

+
+
diff --git a/sources b/sources
index 462e73a..1bf01fc 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.26-src.tar.gz) = 8f430439c66f5a43c7a35bc99edd11549100be28b17fb44e17ec432f72e1797cdebd641a7f19c1d918635e51c164ecd1c9d1399a63abfce05d9a8c37db381837
+SHA512 (apache-tomcat-9.0.34-src.tar.gz) = 8ac8a916bfe2d3daf679dab9f299bc50f138f3cc9a6e8679a22862d122dea1e5ce3b9101472295398366f5b5d8477097a3cfb536f01136e72ff09d69b2f6c3df
diff --git a/tomcat-9.0-RemoveCompilerOptions.patch b/tomcat-9.0-RemoveCompilerOptions.patch
new file mode 100644
index 0000000..00378f9
--- /dev/null
+++ b/tomcat-9.0-RemoveCompilerOptions.patch
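Review bot: An AJP connector that an administrator re-enables in server.xml will now listen on every interface with no shared secret, because this patch drops the `getEndpoint().setAddress(InetAddress.getLoopbackAddress())` default in `AbstractAjpProtocol` and flips `secretRequired` to `false` — the exact exposure CVE-2020-1938 (Ghostcat) describes, leaving only the commented-out connector in server.xml as a mitigation, and that is the first thing a mod_jk/mod_proxy_ajp user undoes. If compatibility with existing deployments is the goal, consider reverting only the `secretRequired` default and keeping the two removed lines `// AJP listens on loopback by default` and `getEndpoint().setAddress(InetAddress.getLoopbackAddress());` (plus the `java.net.InetAddress` import), since the ajp.xml text in this same patch shows the `address` attribute can still be set explicitly by the few setups whose worker lives on another host. The patched ajp.xml wording is also self-contradictory: it says the default is `false` and in the next sentence that the attribute "should only be set to false when the Connector is used on a trusted network"; suggested replacement: `The default value is false to avoid breaking existing deployments; set it to true unless the Connector is only reachable from a trusted network.` Rewriting upstream's changelog.xml to claim `false` was always the default hides that this is a distribution deviation — I would leave changelog.xml untouched and document the deviation only in the spec changelog, where it already is.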
@@ -0,0 +1,58 @@ +diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java.orig ./java/org/apache/jasper/compiler/JDTCompiler.java +--- ./java/org/apache/jasper/compiler/JDTCompiler.java.orig 2020-04-03 08:11:52.000000000 -0400 ++++ ./java/org/apache/jasper/compiler/JDTCompiler.java 2020-04-22 16:03:04.710594419 -0400 +@@ -324,24 +324,6 @@ public class JDTCompiler extends org.apa + } else if(opt.equals("11")) { + settings.put(CompilerOptions.OPTION_Source, + CompilerOptions.VERSION_11); +- } else if(opt.equals("12")) { +- settings.put(CompilerOptions.OPTION_Source, +- CompilerOptions.VERSION_12); +- } else if(opt.equals("13")) { +- // Constant not available in latest ECJ version shipped with +- // Tomcat. May be supported in a snapshot build. +- // This is checked against the actual version below. +- settings.put(CompilerOptions.OPTION_Source, "13"); +- } else if(opt.equals("14")) { +- // Constant not available in latest ECJ version shipped with +- // Tomcat. May be supported in a snapshot build. +- // This is checked against the actual version below. +- settings.put(CompilerOptions.OPTION_Source, "14"); +- } else if(opt.equals("15")) { +- // Constant not available in latest ECJ version shipped with +- // Tomcat. May be supported in a snapshot build. +- // This is checked against the actual version below. 
+- settings.put(CompilerOptions.OPTION_Source, "15"); + } else { + log.warn(Localizer.getMessage("jsp.warning.unknown.sourceVM", opt)); + settings.put(CompilerOptions.OPTION_Source, +@@ -405,29 +387,6 @@ public class JDTCompiler extends org.apa + CompilerOptions.VERSION_11); + settings.put(CompilerOptions.OPTION_Compliance, + CompilerOptions.VERSION_11); +- } else if(opt.equals("12")) { +- settings.put(CompilerOptions.OPTION_TargetPlatform, +- CompilerOptions.VERSION_12); +- settings.put(CompilerOptions.OPTION_Compliance, +- CompilerOptions.VERSION_12); +- } else if(opt.equals("13")) { +- // Constant not available in latest ECJ version shipped with +- // Tomcat. May be supported in a snapshot build. +- // This is checked against the actual version below. +- settings.put(CompilerOptions.OPTION_TargetPlatform, "13"); +- settings.put(CompilerOptions.OPTION_Compliance, "13"); +- } else if(opt.equals("14")) { +- // Constant not available in latest ECJ version shipped with +- // Tomcat. May be supported in a snapshot build. +- // This is checked against the actual version below. +- settings.put(CompilerOptions.OPTION_TargetPlatform, "14"); +- settings.put(CompilerOptions.OPTION_Compliance, "14"); +- } else if(opt.equals("15")) { +- // Constant not available in latest ECJ version shipped with +- // Tomcat. May be supported in a snapshot build. +- // This is checked against the actual version below. +- settings.put(CompilerOptions.OPTION_TargetPlatform, "15"); +- settings.put(CompilerOptions.OPTION_Compliance, "15"); + } else { + log.warn(Localizer.getMessage("jsp.warning.unknown.targetVM", opt)); + settings.put(CompilerOptions.OPTION_TargetPlatform, diff --git a/tomcat.spec b/tomcat.spec index d53c576..290bdb4 100644 --- a/tomcat.spec +++ b/tomcat.spec 
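Review bot: The new patch file has no header explaining why the `"12"` through `"15"` branches in both `JDTCompiler` switch chains are removed, so the next rebase against upstream (where these branches keep growing) gives the maintainer nothing to decide whether to re-add them. Fedora/RHEL patch files conventionally open with a short description; something like `The ECJ shipped in the distribution (>= 4.11 per the spec) lacks CompilerOptions.VERSION_12 and newer, so Java 12-15 source/target handling is dropped; those values now fall to the unknown-VM warning branch` would do. It is also worth stating that the degradation is silent: a `compilerSourceVM`/`compilerTargetVM` of 12 or later now only triggers the `log.warn(Localizer.getMessage("jsp.warning.unknown.sourceVM", opt))` branch visible as context and compiles with whatever default that `else` sets, which lies outside the hunk. Both edited methods continue past the end of the nested hunks, and the removed comments referred to a later "checked against the actual version" step that is not visible here, so I cannot tell whether that check now has dead paths.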
@@ -31,7 +31,7 @@ %global jspspec 2.3 %global major_version 9 %global minor_version 0 -%global micro_version 26 +%global micro_version 34 %global packdname apache-tomcat-%{version}-src %global servletspec 4.0 %global elspec 3.0 @@ -81,11 +81,13 @@ Source32: tomcat-named.service Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch Patch2: %{name}-build.patch +Patch3: %{name}-%{major_version}.%{minor_version}-RemoveCompilerOptions.patch +Patch4: change-defaults-for-CVE-2020-1938.patch BuildArch: noarch BuildRequires: ant -BuildRequires: ecj >= 1:4.10 +BuildRequires: ecj >= 1:4.11 BuildRequires: findutils BuildRequires: apache-commons-daemon BuildRequires: tomcat-taglibs-standard @@ -206,6 +208,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch0 -p0 %patch1 -p0 %patch2 -p0 +%patch3 -p0 +%patch4 -p0 %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar 
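Review bot: `Patch4: change-defaults-for-CVE-2020-1938.patch` reads as if it fixes CVE-2020-1938, when the patch in this same commit reverts two of the upstream mitigations (loopback bind, mandatory `secret`); anyone auditing the package for that CVE by grepping the spec will see the name and conclude the hardening is present. It also breaks the `%{name}-%{major_version}.%{minor_version}-…` naming used by Patch0, Patch1 and Patch3. Rename it to something like `tomcat-9.0-revert-CVE-2020-1938-defaults.patch` or, if the filename must stay, add a comment above it: `# Reverts upstream AJP hardening defaults (loopback bind, secretRequired=true) for compatibility, rhbz#1806398; admins enabling AJP must set address/secret themselves.`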
@@ -610,6 +614,21 @@ fi %attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out %changelog +* Tue Apr 21 2020 Coty Sutherland - 1:9.0.34-1 +- Update to 9.0.34 +- Update dependency for ECJ to version 4.11 + +* Thu Mar 12 2020 Coty Sutherland - 1:9.0.31-2 +- Related: rhbz#1806398 Undo changes in defaults for AJP connector (CVE-2020-1938) to prevent breakage, please update your configuration accordingly + +* Thu Mar 05 2020 Coty Sutherland - 1:9.0.31-1 +- Update to 9.0.31 +- Resolves: rhbz#1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability + +* Fri Dec 20 2019 Coty Sutherland - 1:9.0.30-1 +- Update to 9.0.30 +- Remove Java 12 support from JDTCompiler due to older ECJ version availablility + * Thu Sep 26 2019 Coty Sutherland - 1:9.0.26-1 - Update to 9.0.26 - Resolves: rhbz#1523112 tomcat systemd does not cope with - in service names