From eb634a5fb1da405c9ac13c6dabc281a129a0035d Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Wed, 17 Jul 2019 13:32:12 -0400
Subject: [PATCH 01/13] Resolves: rhbz#1730755 Adding javapackages-tools back
as a Requirement as it's required to run the service scripts
---
tomcat.spec | 1 +
1 file changed, 1 insertion(+)
diff --git a/tomcat.spec b/tomcat.spec
index 9c1b1ef..90a0481 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -104,6 +104,7 @@ BuildRequires: systemd
Requires: apache-commons-daemon
Requires: java-headless >= 1:1.8.0
+Requires: javapackages-tools
Requires: procps
Requires: %{name}-lib = %{epoch}:%{version}-%{release}
Recommends: tomcat-native >= %{native_version}
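Review bot: The new `Requires: javapackages-tools` line has no matching %changelog entry — the diffstat shows this single insertion, and the following commit (PATCH 02) bumps Release without adding one either, so the rhbz#1730755 resolution is recorded only in the commit subject and never reaches `rpm -q --changelog`. Add an entry at the top of %changelog, e.g. `* Wed Jul 17 2019 Coty Sutherland - 1:9.0.26-2` followed by `- Resolves: rhbz#1730755 Add javapackages-tools requirement, needed by the service scripts`, in the same commit as the Release bump so the two stay together.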
From 29f31768a1c9ee994b75f344e369a7878aeedb1f Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Wed, 17 Jul 2019 14:17:34 -0400
Subject: [PATCH 02/13] Bump release version
---
tomcat.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tomcat.spec b/tomcat.spec
index 90a0481..3e9b197 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
From f3dacbbf6eb22acbb9bdb96c99f6675022488fda Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Fri, 20 Dec 2019 08:26:42 -0500
Subject: [PATCH 03/13] Update to 9.0.30
---
sources | 2 +-
tomcat.spec | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/sources b/sources
index 462e73a..33c6aba 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.26-src.tar.gz) = 8f430439c66f5a43c7a35bc99edd11549100be28b17fb44e17ec432f72e1797cdebd641a7f19c1d918635e51c164ecd1c9d1399a63abfce05d9a8c37db381837
+SHA512 (apache-tomcat-9.0.30-src.tar.gz) = 5a693c26bc78c504ca9c30cab6356927dbeded199798b558f2efe428a98fd68a88e0c113cc7b710fe3b2109e5ae3a970ff3989f909b95eb782d47d12a2a3a20d
diff --git a/tomcat.spec b/tomcat.spec
index d53c576..881aa3d 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 26
+%global micro_version 30
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -610,6 +610,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Fri Dec 20 2019 Coty Sutherland - 1:9.0.30-1
+- Update to 9.0.30
+
* Thu Sep 26 2019 Coty Sutherland - 1:9.0.26-1
- Update to 9.0.26
- Resolves: rhbz#1523112 tomcat systemd does not cope with - in service names
From 3dc776fd4caaa569839c0b3d8ce3e1df1c8e4249 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Fri, 20 Dec 2019 08:26:42 -0500
Subject: [PATCH 04/13] Update to 9.0.30
---
sources | 2 +-
tomcat.spec | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/sources b/sources
index 462e73a..33c6aba 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.26-src.tar.gz) = 8f430439c66f5a43c7a35bc99edd11549100be28b17fb44e17ec432f72e1797cdebd641a7f19c1d918635e51c164ecd1c9d1399a63abfce05d9a8c37db381837
+SHA512 (apache-tomcat-9.0.30-src.tar.gz) = 5a693c26bc78c504ca9c30cab6356927dbeded199798b558f2efe428a98fd68a88e0c113cc7b710fe3b2109e5ae3a970ff3989f909b95eb782d47d12a2a3a20d
diff --git a/tomcat.spec b/tomcat.spec
index bd40faa..6861ff4 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 26
+%global micro_version 30
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -610,6 +610,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Fri Dec 20 2019 Coty Sutherland - 1:9.0.30-1
+- Update to 9.0.30
+
* Thu Sep 26 2019 Coty Sutherland - 1:9.0.26-1
- Update to 9.0.26
- Resolves: rhbz#1523112 tomcat systemd does not cope with - in service names
From a66bbd0537e0ebe1689c6b02c92c2f9fcb8410f5 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Fri, 20 Dec 2019 08:30:35 -0500
Subject: [PATCH 05/13] Reset Release number
---
tomcat.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tomcat.spec b/tomcat.spec
index 6861ff4..881aa3d 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
From e388feccaaf2af78eb9fca2acea22008a211225a Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Fri, 20 Dec 2019 08:49:11 -0500
Subject: [PATCH 06/13] Update ECJ dependency to 4.12 to support Java 12
---
tomcat.spec | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tomcat.spec b/tomcat.spec
index 881aa3d..193c2b7 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -85,7 +85,7 @@ Patch2: %{name}-build.patch
BuildArch: noarch
BuildRequires: ant
-BuildRequires: ecj >= 1:4.10
+BuildRequires: ecj >= 1:4.12
BuildRequires: findutils
BuildRequires: apache-commons-daemon
BuildRequires: tomcat-taglibs-standard
@@ -612,6 +612,7 @@ fi
%changelog
* Fri Dec 20 2019 Coty Sutherland - 1:9.0.30-1
- Update to 9.0.30
+- Update ECJ dependency to 4.12 to support Java 12
* Thu Sep 26 2019 Coty Sutherland - 1:9.0.26-1
- Update to 9.0.26
From 7962bad230a2baea5d6950d03e86c2bf8c1e4a8d Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Fri, 20 Dec 2019 08:52:43 -0500
Subject: [PATCH 07/13] I misread, 4.12 isn't available in fc30...
Revert "Update ECJ dependency to 4.12 to support Java 12"
This reverts commit e388feccaaf2af78eb9fca2acea22008a211225a.
---
tomcat.spec | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/tomcat.spec b/tomcat.spec
index 193c2b7..881aa3d 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -85,7 +85,7 @@ Patch2: %{name}-build.patch
BuildArch: noarch
BuildRequires: ant
-BuildRequires: ecj >= 1:4.12
+BuildRequires: ecj >= 1:4.10
BuildRequires: findutils
BuildRequires: apache-commons-daemon
BuildRequires: tomcat-taglibs-standard
@@ -612,7 +612,6 @@ fi
%changelog
* Fri Dec 20 2019 Coty Sutherland - 1:9.0.30-1
- Update to 9.0.30
-- Update ECJ dependency to 4.12 to support Java 12
* Thu Sep 26 2019 Coty Sutherland - 1:9.0.26-1
- Update to 9.0.26
From f177a1373b3c577453af30dcfaa923cdfc507ea9 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Fri, 20 Dec 2019 09:11:28 -0500
Subject: [PATCH 08/13] Remove Java 12 support from JDTCompiler due to older
ECJ version availability
---
tomcat-9.0-RemoveCompilerOptions.patch | 36 ++++++++++++++++++++++++++
tomcat.spec | 3 +++
2 files changed, 39 insertions(+)
create mode 100644 tomcat-9.0-RemoveCompilerOptions.patch
diff --git a/tomcat-9.0-RemoveCompilerOptions.patch b/tomcat-9.0-RemoveCompilerOptions.patch
new file mode 100644
index 0000000..dc5714f
--- /dev/null
+++ b/tomcat-9.0-RemoveCompilerOptions.patch
@@ -0,0 +1,36 @@
+diff -up java/org/apache/jasper/compiler/JDTCompiler.java.orig java/org/apache/jasper/compiler/JDTCompiler.java
+--- java/org/apache/jasper/compiler/JDTCompiler.java.orig 2019-12-20 08:54:52.899892555 -0500
++++ java/org/apache/jasper/compiler/JDTCompiler.java 2019-12-20 08:55:18.288822801 -0500
+@@ -324,14 +324,6 @@ public class JDTCompiler extends org.apa
+ } else if(opt.equals("11")) {
+ settings.put(CompilerOptions.OPTION_Source,
+ CompilerOptions.VERSION_11);
+- } else if(opt.equals("12")) {
+- settings.put(CompilerOptions.OPTION_Source,
+- CompilerOptions.VERSION_12);
+- } else if(opt.equals("13")) {
+- // Constant not available in latest ECJ version shipped with
+- // Tomcat. May be supported in a snapshot build.
+- // This is checked against the actual version below.
+- settings.put(CompilerOptions.OPTION_Source, "13");
+ } else {
+ log.warn(Localizer.getMessage("jsp.warning.unknown.sourceVM", opt));
+ settings.put(CompilerOptions.OPTION_Source,
+@@ -395,17 +387,6 @@ public class JDTCompiler extends org.apa
+ CompilerOptions.VERSION_11);
+ settings.put(CompilerOptions.OPTION_Compliance,
+ CompilerOptions.VERSION_11);
+- } else if(opt.equals("12")) {
+- settings.put(CompilerOptions.OPTION_TargetPlatform,
+- CompilerOptions.VERSION_12);
+- settings.put(CompilerOptions.OPTION_Compliance,
+- CompilerOptions.VERSION_12);
+- } else if(opt.equals("13")) {
+- // Constant not available in latest ECJ version shipped with
+- // Tomcat. May be supported in a snapshot build.
+- // This is checked against the actual version below.
+- settings.put(CompilerOptions.OPTION_TargetPlatform, "13");
+- settings.put(CompilerOptions.OPTION_Compliance, "13");
+ } else {
+ log.warn(Localizer.getMessage("jsp.warning.unknown.targetVM", opt));
+ settings.put(CompilerOptions.OPTION_TargetPlatform,
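Review bot: Only the `"12"` branches reference a symbol an older ECJ may not provide (`CompilerOptions.VERSION_12` in both inner hunks); the `"13"` branches pass plain string literals (`"13"`) to `settings.put` and compile against any ECJ release, so removing them is not required by the build constraint the subject cites, and it makes this patch grow with every upstream bump — PATCH 13 already has to extend it for the `"14"` and `"15"` branches. Unless the version check the deleted comments point at ("This is checked against the actual version below", outside this hunk) depends on those branches being gone, restricting the patch to the two `"12"` branches would keep it stable across updates. The patch file also carries no preamble; `patch` ignores text before the first `diff` line, so a sentence such as `Drop the Java 12 source/target branches of JDTCompiler: the ECJ packaged for this release predates Java 12 support (see rhbz and the ECJ BuildRequires in tomcat.spec)` would tell the next maintainer why it exists and when it can be dropped.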
diff --git a/tomcat.spec b/tomcat.spec
index 881aa3d..2727b85 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -81,6 +81,7 @@ Source32: tomcat-named.service
Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
Patch2: %{name}-build.patch
+Patch3: %{name}-%{major_version}.%{minor_version}-RemoveCompilerOptions.patch
BuildArch: noarch
@@ -206,6 +207,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch0 -p0
%patch1 -p0
%patch2 -p0
+%patch3 -p0
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -612,6 +614,7 @@ fi
%changelog
* Fri Dec 20 2019 Coty Sutherland - 1:9.0.30-1
- Update to 9.0.30
+- Remove Java 12 support from JDTCompiler due to older ECJ version availablility
* Thu Sep 26 2019 Coty Sutherland - 1:9.0.26-1
- Update to 9.0.26
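Review bot: The new %changelog line misspells "availability" (`availablility`), and this text is what users see in the built package's changelog. Use `- Remove Java 12 support from JDTCompiler due to older ECJ version availability`; the commit subject carries the same misspelling.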
From 1c5f200345e02cd8d26285a0a6418699396d1d99 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Thu, 5 Mar 2020 15:12:02 -0500
Subject: [PATCH 09/13] Update to 9.0.31 Resolves: rhbz#1806398 - CVE-2020-1938
tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
---
sources | 2 +-
tomcat.spec | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/sources b/sources
index 33c6aba..7481d0f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.30-src.tar.gz) = 5a693c26bc78c504ca9c30cab6356927dbeded199798b558f2efe428a98fd68a88e0c113cc7b710fe3b2109e5ae3a970ff3989f909b95eb782d47d12a2a3a20d
+SHA512 (apache-tomcat-9.0.31-src.tar.gz) = a0ba9e46a3d2a4cf708e6e29b4647c041495e45865ce5c679c9dcfee77181373a2d3034222701d0f15d5c7e71e6aa3cc7db236c66ba069b3e3660a948b44342f
diff --git a/tomcat.spec b/tomcat.spec
index 881aa3d..c9c0b78 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 30
+%global micro_version 31
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -610,6 +610,10 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Thu Mar 05 2020 Coty Sutherland - 1:9.0.31-1
+- Update to 9.0.31
+- Resolves: rhbz#1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
+
* Fri Dec 20 2019 Coty Sutherland - 1:9.0.30-1
- Update to 9.0.30
From d0222aea9b8705a46558fb1d9937026950ce5c5d Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Thu, 12 Mar 2020 13:41:30 -0400
Subject: [PATCH 10/13] Related: rhbz#1806398 Undo changes in defaults for AJP
connector (CVE-2020-1938) to prevent breakage, please update your
configuration accordingly
---
change-defaults-for-CVE-2020-1938.patch | 72 +++++++++++++++++++++++++
tomcat.spec | 7 ++-
2 files changed, 78 insertions(+), 1 deletion(-)
create mode 100644 change-defaults-for-CVE-2020-1938.patch
diff --git a/change-defaults-for-CVE-2020-1938.patch b/change-defaults-for-CVE-2020-1938.patch
new file mode 100644
index 0000000..03207b1
--- /dev/null
+++ b/change-defaults-for-CVE-2020-1938.patch
@@ -0,0 +1,72 @@
+diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java
+--- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig 2020-03-12 13:33:31.792406379 -0400
++++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2020-03-12 13:35:24.222117728 -0400
+@@ -16,7 +16,6 @@
+ */
+ package org.apache.coyote.ajp;
+
+-import java.net.InetAddress;
+ import java.util.regex.Pattern;
+
+ import org.apache.coyote.AbstractProtocol;
+@@ -49,8 +48,6 @@ public abstract class AbstractAjpProtoco
+ setConnectionTimeout(Constants.DEFAULT_CONNECTION_TIMEOUT);
+ // AJP does not use Send File
+ getEndpoint().setUseSendfile(false);
+- // AJP listens on loopback by default
+- getEndpoint().setAddress(InetAddress.getLoopbackAddress());
+ ConnectionHandler cHandler = new ConnectionHandler<>(this);
+ setHandler(cHandler);
+ getEndpoint().setHandler(cHandler);
+@@ -180,7 +177,7 @@ public abstract class AbstractAjpProtoco
+ }
+
+
+- private boolean secretRequired = true;
++ private boolean secretRequired = false;
+ public void setSecretRequired(boolean secretRequired) {
+ this.secretRequired = secretRequired;
+ }
+diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
+--- ./webapps/docs/changelog.xml.orig 2020-03-12 13:33:54.354348454 -0400
++++ ./webapps/docs/changelog.xml 2020-03-12 13:37:17.041828075 -0400
+@@ -178,14 +178,10 @@
+ Disable (comment out in server.xml) the AJP/1.3 connector by default.
+ (markt)
+
+-
+- Change the default bind address for the AJP/1.3 connector to be the
+- loopback address. (markt)
+-
+
+ Rename the requiredSecret attribute of the AJP/1.3
+ Connector to secret and add a new attribute
+- secretRequired that defaults to true. When
++ secretRequired that defaults to false. When
+ secretRequired is true the AJP/1.3 Connector
+ will not start unless the secret attribute is configured to
+ a non-null, non-zero length String. (markt)
+diff -up ./webapps/docs/config/ajp.xml.orig ./webapps/docs/config/ajp.xml
+--- ./webapps/docs/config/ajp.xml.orig 2020-03-12 13:34:10.383307302 -0400
++++ ./webapps/docs/config/ajp.xml 2020-03-12 13:36:17.617980639 -0400
+@@ -315,7 +315,10 @@
+
+ For servers with more than one IP address, this attribute
+ specifies which address will be used for listening on the specified
+- port. By default, the loopback address will be used.
++ port. By default, this port will be used on all IP addresses
++ associated with the server. A value of 127.0.0.1
++ indicates that the Connector will only listen on the loopback
++ interface.
+
+
+
+@@ -465,7 +468,7 @@
+
+ If this attribute is true, the AJP Connector will only
+ start if the secret attribute is configured with a
+- non-null, non-zero length value. The default value is true.
++ non-null, non-zero length value. The default value is false.
+ This attributue should only be set to false when the
+ Connector is used on a trusted network.
+
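Review bot: Taken together, the two AbstractAjpProtocol.java hunks restore the pre-9.0.31 exposure that CVE-2020-1938 was about: the connector again binds all interfaces (the `getEndpoint().setAddress(InetAddress.getLoopbackAddress())` default is removed) and again starts without a shared secret (`private boolean secretRequired = false;`), so any deployment that enables the AJP connector gets an unauthenticated, network-reachable AJP listener unless the administrator also sets `address` and `secret` explicitly. The only remaining distro-level protection is then the upstream default of leaving the connector commented out in server.xml, which this patch keeps (the retained changelog.xml line "Disable (comment out in server.xml) the AJP/1.3 connector by default" still applies, presumably). If the goal is purely to avoid breaking existing configurations, reverting just the `secretRequired` default and keeping the loopback bind would be the smaller step: deployments that need remote AJP can set `address="0.0.0.0"` deliberately, while the secret change is the one that cannot be made safe by a default. Since the hunk also rewrites the shipped ajp.xml and changelog.xml to describe the downstream defaults, a one-line remark in the rewritten ajp.xml paragraph that these defaults differ from upstream Tomcat 9.0.31+ would spare admins who cross-read the upstream documentation.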
diff --git a/tomcat.spec b/tomcat.spec
index e6905c5..2ede7ee 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@@ -82,6 +82,7 @@ Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.p
Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
Patch2: %{name}-build.patch
Patch3: %{name}-%{major_version}.%{minor_version}-RemoveCompilerOptions.patch
+Patch4: change-defaults-for-CVE-2020-1938.patch
BuildArch: noarch
@@ -208,6 +209,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch1 -p0
%patch2 -p0
%patch3 -p0
+%patch4 -p0
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -612,6 +614,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Thu Mar 12 2020 Coty Sutherland - 1:9.0.31-2
+- Related: rhbz#1806398 Undo changes in defaults for AJP connector (CVE-2020-1938) to prevent breakage, please update your configuration accordingly
+
* Thu Mar 05 2020 Coty Sutherland - 1:9.0.31-1
- Update to 9.0.31
- Resolves: rhbz#1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
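Review bot: `Patch4: change-defaults-for-CVE-2020-1938.patch` breaks the naming scheme every other entry in the block follows (`%{name}-%{major_version}.%{minor_version}-…`, see Patch0 through Patch3 directly above); `Patch4: %{name}-%{major_version}.%{minor_version}-change-defaults-for-CVE-2020-1938.patch` with the file renamed to match keeps the list uniform and makes clear which Tomcat branch the patch targets. The %changelog entry's "please update your configuration accordingly" does not say what to update; naming the attributes that now need explicit values on the AJP Connector (`address`, and `secret` with `secretRequired`) would make the entry actionable for anyone reading it after the upgrade.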
From be1b1085f6c036ff8f22f69223f8e42497fcdb59 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Tue, 21 Apr 2020 15:56:44 -0400
Subject: [PATCH 11/13] Update to 9.0.34
---
sources | 2 +-
tomcat.spec | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/sources b/sources
index 7481d0f..1bf01fc 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.31-src.tar.gz) = a0ba9e46a3d2a4cf708e6e29b4647c041495e45865ce5c679c9dcfee77181373a2d3034222701d0f15d5c7e71e6aa3cc7db236c66ba069b3e3660a948b44342f
+SHA512 (apache-tomcat-9.0.34-src.tar.gz) = 8ac8a916bfe2d3daf679dab9f299bc50f138f3cc9a6e8679a22862d122dea1e5ce3b9101472295398366f5b5d8477097a3cfb536f01136e72ff09d69b2f6c3df
diff --git a/tomcat.spec b/tomcat.spec
index 2ede7ee..cde771d 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 31
+%global micro_version 34
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@@ -614,6 +614,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Tue Apr 21 2020 Coty Sutherland - 1:9.0.34-1
+- Update to 9.0.34
+
* Thu Mar 12 2020 Coty Sutherland - 1:9.0.31-2
- Related: rhbz#1806398 Undo changes in defaults for AJP connector (CVE-2020-1938) to prevent breakage, please update your configuration accordingly
From 22be5e0d5f1a39613bf205d1ed7ecbf3f9508f7e Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Wed, 22 Apr 2020 15:38:47 -0400
Subject: [PATCH 12/13] Tweak the default changes for CVE-2020-1938 so the
patch applies cleanly
---
change-defaults-for-CVE-2020-1938.patch | 49 ++++++++++++-------------
1 file changed, 24 insertions(+), 25 deletions(-)
diff --git a/change-defaults-for-CVE-2020-1938.patch b/change-defaults-for-CVE-2020-1938.patch
index 03207b1..a7f7c49 100644
--- a/change-defaults-for-CVE-2020-1938.patch
+++ b/change-defaults-for-CVE-2020-1938.patch
@@ -1,6 +1,6 @@
diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java
---- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig 2020-03-12 13:33:31.792406379 -0400
-+++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2020-03-12 13:35:24.222117728 -0400
+--- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig 2020-04-22 15:31:12.889587528 -0400
++++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2020-04-22 15:31:37.907534419 -0400
@@ -16,7 +16,6 @@
*/
package org.apache.coyote.ajp;
@@ -28,9 +28,9 @@ diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/a
this.secretRequired = secretRequired;
}
diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
---- ./webapps/docs/changelog.xml.orig 2020-03-12 13:33:54.354348454 -0400
-+++ ./webapps/docs/changelog.xml 2020-03-12 13:37:17.041828075 -0400
-@@ -178,14 +178,10 @@
+--- ./webapps/docs/changelog.xml.orig 2020-04-03 08:12:03.000000000 -0400
++++ ./webapps/docs/changelog.xml 2020-04-22 15:31:37.911534411 -0400
+@@ -526,14 +526,10 @@
Disable (comment out in server.xml) the AJP/1.3 connector by default.
(markt)
@@ -47,26 +47,25 @@ diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
will not start unless the secret attribute is configured to
a non-null, non-zero length String. (markt)
diff -up ./webapps/docs/config/ajp.xml.orig ./webapps/docs/config/ajp.xml
---- ./webapps/docs/config/ajp.xml.orig 2020-03-12 13:34:10.383307302 -0400
-+++ ./webapps/docs/config/ajp.xml 2020-03-12 13:36:17.617980639 -0400
-@@ -315,7 +315,10 @@
+--- ./webapps/docs/config/ajp.xml.orig 2020-04-22 15:31:37.913534406 -0400
++++ ./webapps/docs/config/ajp.xml 2020-04-22 15:35:35.003031090 -0400
+@@ -327,7 +327,9 @@
- For servers with more than one IP address, this attribute
- specifies which address will be used for listening on the specified
-- port. By default, the loopback address will be used.
-+ port. By default, this port will be used on all IP addresses
-+ associated with the server. A value of 127.0.0.1
-+ indicates that the Connector will only listen on the loopback
-+ interface.
+ For servers with more than one IP address, this attribute specifies
+ which address will be used for listening on the specified port. By
+- default, the connector will listen on the loopback address. Unless the JVM
++ default, this port will be used on all IP addresses associated with the
++ server. A value of 127.0.0.1 indicates that the Connector
++ will only listen on the loopback interface.
Unless the JVM
+ is configured otherwise using system properties, the Java based connectors
+ (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
+ with either 0.0.0.0 or ::. The APR/native
+@@ -500,7 +502,7 @@
+ the secret attribute is required to be specified for the
+ AJP Connector to start. It does not control whether
+ workers are required to provide the secret. The default value is
+- true. This attribute should only be set to false
++ false. This attribute should only be set to false
+ when the Connector is used on a trusted network.
-
-@@ -465,7 +468,7 @@
-
- If this attribute is true, the AJP Connector will only
- start if the secret attribute is configured with a
-- non-null, non-zero length value. The default value is true.
-+ non-null, non-zero length value. The default value is false.
- This attributue should only be set to false when the
- Connector is used on a trusted network.
-
From 48687e3b1c35dd982992a3775e5fe03bd5486e42 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Wed, 22 Apr 2020 16:14:06 -0400
Subject: [PATCH 13/13] Update dependency for ECJ to version 4.11 and some
patch adjustments
---
change-defaults-for-CVE-2020-1938.patch | 2 +-
tomcat-9.0-RemoveCompilerOptions.patch | 32 +++++++++++++++++++++----
tomcat.spec | 3 ++-
3 files changed, 30 insertions(+), 7 deletions(-)
diff --git a/change-defaults-for-CVE-2020-1938.patch b/change-defaults-for-CVE-2020-1938.patch
index a7f7c49..02ed0df 100644
--- a/change-defaults-for-CVE-2020-1938.patch
+++ b/change-defaults-for-CVE-2020-1938.patch
@@ -56,7 +56,7 @@ diff -up ./webapps/docs/config/ajp.xml.orig ./webapps/docs/config/ajp.xml
- default, the connector will listen on the loopback address. Unless the JVM
+ default, this port will be used on all IP addresses associated with the
+ server. A value of 127.0.0.1 indicates that the Connector
-+ will only listen on the loopback interface. Unless the JVM
++ will only listen on the loopback interface. Unless the JVM
is configured otherwise using system properties, the Java based connectors
(NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
with either 0.0.0.0 or ::. The APR/native
diff --git a/tomcat-9.0-RemoveCompilerOptions.patch b/tomcat-9.0-RemoveCompilerOptions.patch
index dc5714f..00378f9 100644
--- a/tomcat-9.0-RemoveCompilerOptions.patch
+++ b/tomcat-9.0-RemoveCompilerOptions.patch
@@ -1,7 +1,7 @@
-diff -up java/org/apache/jasper/compiler/JDTCompiler.java.orig java/org/apache/jasper/compiler/JDTCompiler.java
---- java/org/apache/jasper/compiler/JDTCompiler.java.orig 2019-12-20 08:54:52.899892555 -0500
-+++ java/org/apache/jasper/compiler/JDTCompiler.java 2019-12-20 08:55:18.288822801 -0500
-@@ -324,14 +324,6 @@ public class JDTCompiler extends org.apa
+diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java.orig ./java/org/apache/jasper/compiler/JDTCompiler.java
+--- ./java/org/apache/jasper/compiler/JDTCompiler.java.orig 2020-04-03 08:11:52.000000000 -0400
++++ ./java/org/apache/jasper/compiler/JDTCompiler.java 2020-04-22 16:03:04.710594419 -0400
+@@ -324,24 +324,6 @@ public class JDTCompiler extends org.apa
} else if(opt.equals("11")) {
settings.put(CompilerOptions.OPTION_Source,
CompilerOptions.VERSION_11);
@@ -13,10 +13,20 @@ diff -up java/org/apache/jasper/compiler/JDTCompiler.java.orig java/org/apache/j
- // Tomcat. May be supported in a snapshot build.
- // This is checked against the actual version below.
- settings.put(CompilerOptions.OPTION_Source, "13");
+- } else if(opt.equals("14")) {
+- // Constant not available in latest ECJ version shipped with
+- // Tomcat. May be supported in a snapshot build.
+- // This is checked against the actual version below.
+- settings.put(CompilerOptions.OPTION_Source, "14");
+- } else if(opt.equals("15")) {
+- // Constant not available in latest ECJ version shipped with
+- // Tomcat. May be supported in a snapshot build.
+- // This is checked against the actual version below.
+- settings.put(CompilerOptions.OPTION_Source, "15");
} else {
log.warn(Localizer.getMessage("jsp.warning.unknown.sourceVM", opt));
settings.put(CompilerOptions.OPTION_Source,
-@@ -395,17 +387,6 @@ public class JDTCompiler extends org.apa
+@@ -405,29 +387,6 @@ public class JDTCompiler extends org.apa
CompilerOptions.VERSION_11);
settings.put(CompilerOptions.OPTION_Compliance,
CompilerOptions.VERSION_11);
@@ -31,6 +41,18 @@ diff -up java/org/apache/jasper/compiler/JDTCompiler.java.orig java/org/apache/j
- // This is checked against the actual version below.
- settings.put(CompilerOptions.OPTION_TargetPlatform, "13");
- settings.put(CompilerOptions.OPTION_Compliance, "13");
+- } else if(opt.equals("14")) {
+- // Constant not available in latest ECJ version shipped with
+- // Tomcat. May be supported in a snapshot build.
+- // This is checked against the actual version below.
+- settings.put(CompilerOptions.OPTION_TargetPlatform, "14");
+- settings.put(CompilerOptions.OPTION_Compliance, "14");
+- } else if(opt.equals("15")) {
+- // Constant not available in latest ECJ version shipped with
+- // Tomcat. May be supported in a snapshot build.
+- // This is checked against the actual version below.
+- settings.put(CompilerOptions.OPTION_TargetPlatform, "15");
+- settings.put(CompilerOptions.OPTION_Compliance, "15");
} else {
log.warn(Localizer.getMessage("jsp.warning.unknown.targetVM", opt));
settings.put(CompilerOptions.OPTION_TargetPlatform,
diff --git a/tomcat.spec b/tomcat.spec
index cde771d..290bdb4 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -87,7 +87,7 @@ Patch4: change-defaults-for-CVE-2020-1938.patch
BuildArch: noarch
BuildRequires: ant
-BuildRequires: ecj >= 1:4.10
+BuildRequires: ecj >= 1:4.11
BuildRequires: findutils
BuildRequires: apache-commons-daemon
BuildRequires: tomcat-taglibs-standard
@@ -616,6 +616,7 @@ fi
%changelog
* Tue Apr 21 2020 Coty Sutherland - 1:9.0.34-1
- Update to 9.0.34
+- Update dependency for ECJ to version 4.11
* Thu Mar 12 2020 Coty Sutherland - 1:9.0.31-2
- Related: rhbz#1806398 Undo changes in defaults for AJP connector (CVE-2020-1938) to prevent breakage, please update your configuration accordingly