From d861cf9a3047629484053d77ded24a020e241084 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Thu, 12 Mar 2020 13:41:30 -0400
Subject: [PATCH 01/20] Related: rhbz#1806398 Undo changes in defaults for AJP
connector (CVE-2020-1938) to prevent breakage, please update your
configuration accordingly
---
change-defaults-for-CVE-2020-1938.patch | 72 +++++++++++++++++++++++++
tomcat.spec | 7 ++-
2 files changed, 78 insertions(+), 1 deletion(-)
create mode 100644 change-defaults-for-CVE-2020-1938.patch
diff --git a/change-defaults-for-CVE-2020-1938.patch b/change-defaults-for-CVE-2020-1938.patch
new file mode 100644
index 0000000..03207b1
--- /dev/null
+++ b/change-defaults-for-CVE-2020-1938.patch
@@ -0,0 +1,72 @@
+diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java
+--- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig 2020-03-12 13:33:31.792406379 -0400
++++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2020-03-12 13:35:24.222117728 -0400
+@@ -16,7 +16,6 @@
+ */
+ package org.apache.coyote.ajp;
+
+-import java.net.InetAddress;
+ import java.util.regex.Pattern;
+
+ import org.apache.coyote.AbstractProtocol;
+@@ -49,8 +48,6 @@ public abstract class AbstractAjpProtoco
+ setConnectionTimeout(Constants.DEFAULT_CONNECTION_TIMEOUT);
+ // AJP does not use Send File
+ getEndpoint().setUseSendfile(false);
+- // AJP listens on loopback by default
+- getEndpoint().setAddress(InetAddress.getLoopbackAddress());
+ ConnectionHandler cHandler = new ConnectionHandler<>(this);
+ setHandler(cHandler);
+ getEndpoint().setHandler(cHandler);
+@@ -180,7 +177,7 @@ public abstract class AbstractAjpProtoco
+ }
+
+
+- private boolean secretRequired = true;
++ private boolean secretRequired = false;
+ public void setSecretRequired(boolean secretRequired) {
+ this.secretRequired = secretRequired;
+ }
+diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
+--- ./webapps/docs/changelog.xml.orig 2020-03-12 13:33:54.354348454 -0400
++++ ./webapps/docs/changelog.xml 2020-03-12 13:37:17.041828075 -0400
+@@ -178,14 +178,10 @@
+ Disable (comment out in server.xml) the AJP/1.3 connector by default.
+ (markt)
+
+-
+- Change the default bind address for the AJP/1.3 connector to be the
+- loopback address. (markt)
+-
+
+ Rename the requiredSecret attribute of the AJP/1.3
+ Connector to secret and add a new attribute
+- secretRequired that defaults to true. When
++ secretRequired that defaults to false. When
+ secretRequired is true the AJP/1.3 Connector
+ will not start unless the secret attribute is configured to
+ a non-null, non-zero length String. (markt)
+diff -up ./webapps/docs/config/ajp.xml.orig ./webapps/docs/config/ajp.xml
+--- ./webapps/docs/config/ajp.xml.orig 2020-03-12 13:34:10.383307302 -0400
++++ ./webapps/docs/config/ajp.xml 2020-03-12 13:36:17.617980639 -0400
+@@ -315,7 +315,10 @@
+
+ For servers with more than one IP address, this attribute
+ specifies which address will be used for listening on the specified
+- port. By default, the loopback address will be used.
++ port. By default, this port will be used on all IP addresses
++ associated with the server. A value of 127.0.0.1
++ indicates that the Connector will only listen on the loopback
++ interface.
+
+
+
+@@ -465,7 +468,7 @@
+
+ If this attribute is true, the AJP Connector will only
+ start if the secret attribute is configured with a
+- non-null, non-zero length value. The default value is true.
++ non-null, non-zero length value. The default value is false.
+ This attributue should only be set to false when the
+ Connector is used on a trusted network.
+
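Review bot: The nested hunk at `private boolean secretRequired = false;`, together with the removal of `getEndpoint().setAddress(InetAddress.getLoopbackAddress());`, switches off both upstream CVE-2020-1938 hardening defaults, and nothing in the Java source records that this is a deliberate downstream deviation. The changelog text kept in this patch says the AJP/1.3 connector is commented out in server.xml by default, so the exposure arises only once an administrator enables it; from then on it listens on all addresses without a secret unless both attributes are set by hand. I would add a comment above the field such as `// Downstream default (rhbz#1806398): upstream uses true; configure secret and a loopback or internal address when enabling AJP`, and consider logging a warning at connector start when no secret is configured. The ajp.xml wording is now inconsistent too: the default is `false`, yet the next sentence says the attribute should only be set to false on a trusted network. The revision of this patch in PATCH 05/20 carries the same defaults.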
diff --git a/tomcat.spec b/tomcat.spec
index 66877fa..e2efc8a 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@@ -81,6 +81,7 @@ Source32: tomcat-named.service
Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
Patch2: %{name}-build.patch
+Patch3: change-defaults-for-CVE-2020-1938.patch
BuildArch: noarch
@@ -206,6 +207,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch0 -p0
%patch1 -p0
%patch2 -p0
+%patch3 -p0
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -615,6 +617,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Thu Mar 12 2020 Coty Sutherland - 1:9.0.31-2
+- Related: rhbz#1806398 Undo changes in defaults for AJP connector (CVE-2020-1938) to prevent breakage, please update your configuration accordingly
+
* Thu Mar 05 2020 Coty Sutherland - 1:9.0.31-1
- Update to 9.0.31
- Resolves: rhbz#1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
From e1d3ecb3c98ae1ccb0bf2f6c99057787831350f2 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Tue, 21 Apr 2020 15:56:44 -0400
Subject: [PATCH 02/20] Update to 9.0.34
---
sources | 2 +-
tomcat.spec | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/sources b/sources
index 7481d0f..1bf01fc 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.31-src.tar.gz) = a0ba9e46a3d2a4cf708e6e29b4647c041495e45865ce5c679c9dcfee77181373a2d3034222701d0f15d5c7e71e6aa3cc7db236c66ba069b3e3660a948b44342f
+SHA512 (apache-tomcat-9.0.34-src.tar.gz) = 8ac8a916bfe2d3daf679dab9f299bc50f138f3cc9a6e8679a22862d122dea1e5ce3b9101472295398366f5b5d8477097a3cfb536f01136e72ff09d69b2f6c3df
diff --git a/tomcat.spec b/tomcat.spec
index e2efc8a..825aeba 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 31
+%global micro_version 34
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -617,6 +617,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Tue Apr 21 2020 Coty Sutherland - 1:9.0.34-1
+- Update to 9.0.34
+
* Thu Mar 12 2020 Coty Sutherland - 1:9.0.31-2
- Related: rhbz#1806398 Undo changes in defaults for AJP connector (CVE-2020-1938) to prevent breakage, please update your configuration accordingly
From ea233a2e5a90872f756e60f3c62e17467b0a2545 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Tue, 21 Apr 2020 16:05:25 -0400
Subject: [PATCH 03/20] Reset Release number
---
tomcat.spec | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tomcat.spec b/tomcat.spec
index 825aeba..a10f05f 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
From ad57f1127ffad893698b0e95b98e4382e0ca0094 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Wed, 22 Apr 2020 14:55:15 -0400
Subject: [PATCH 04/20] Add updated catalina.policy patch to allow ECJ usage
under the Security Manager
---
tomcat-9.0-catalina-policy.patch | 35 ++++++++------------------------
tomcat.spec | 7 ++++++-
2 files changed, 14 insertions(+), 28 deletions(-)
diff --git a/tomcat-9.0-catalina-policy.patch b/tomcat-9.0-catalina-policy.patch
index 3694929..487e2be 100644
--- a/tomcat-9.0-catalina-policy.patch
+++ b/tomcat-9.0-catalina-policy.patch
@@ -1,39 +1,20 @@
---- conf/catalina.policy~ 2016-06-17 10:20:17.649171968 -0400
-+++ conf/catalina.policy 2016-06-17 10:23:35.358309244 -0400
-@@ -50,6 +50,36 @@ grant codeBase "file:${java.home}/lib/ex
- permission java.security.AllPermission;
+--- conf/catalina.policy.orig 2020-04-22 14:51:13.734893403 -0400
++++ conf/catalina.policy 2020-04-22 15:14:57.609677967 -0400
+@@ -51,6 +51,17 @@ grant codeBase "file:${java.home}/lib/ex
};
+
+// ========== RHEL SPECIFIC CODE PERMISSIONS =======================================
+
++
+// Allowing everything in /usr/share/java allows too many unknowns to be permitted
+// Specifying the individual jars that tomcat needs to function with the security manager
+// is the safest way forward.
-+grant codeBase "file:/usr/share/java/tomcat-servlet-3.0-api.jar" {
-+ permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/tomcat-jsp-2.2-api.jar" {
-+ permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/tomcat-el-2.2-api.jar" {
-+ permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/log4j.jar" {
-+ permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/ecj.jar" {
-+ permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/apache-commons-pool.jar" {
-+ permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/apache-commons-dbcp.jar" {
-+ permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
++grant codeBase "file:/usr/share/java/ecj/ecj.jar" {
+ permission java.security.AllPermission;
+};
+
-
++
// ========== CATALINA CODE PERMISSIONS =======================================
+
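Review bot: The grant for `file:/usr/share/java/ecj/ecj.jar` gives `java.security.AllPermission` to a hard-coded system path, and the comment above it still speaks of "the individual jars that tomcat needs" although the list drops from eight jars to one. The codeBase only matches if the JVM loads ECJ from exactly that URL; presumably a symlinked copy under Tomcat's lib directory, or a later move of the jar (as happened from `/usr/share/java/ecj.jar`), would leave the grant unused and JSP compilation denied under the Security Manager. I would extend the comment to say why only ECJ needs an entry and that the path must track the ecj package, e.g. `// ecj.jar is loaded from the system location; keep this codeBase in sync with the ecj package`. Whether AllPermission could be narrowed for the compiler is not visible from this hunk.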
diff --git a/tomcat.spec b/tomcat.spec
index a10f05f..8589391 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@@ -82,6 +82,7 @@ Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.p
Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
Patch2: %{name}-build.patch
Patch3: change-defaults-for-CVE-2020-1938.patch
+Patch4: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
BuildArch: noarch
@@ -208,6 +209,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch1 -p0
%patch2 -p0
%patch3 -p0
+%patch4 -p0
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -617,6 +619,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Wed Apr 22 2020 Coty Sutherland - 1:9.0.34-2
+- Add updated catalina.policy patch to allow ECJ usage under the Security Manager
+
* Tue Apr 21 2020 Coty Sutherland - 1:9.0.34-1
- Update to 9.0.34
From bbf729ecbcf62cda2808d0f102a8885e1c3220cb Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Wed, 22 Apr 2020 15:38:47 -0400
Subject: [PATCH 05/20] Tweak the default changes for CVE-2020-1938 so the
patch applies cleanly
---
change-defaults-for-CVE-2020-1938.patch | 49 ++++++++++++-------------
1 file changed, 24 insertions(+), 25 deletions(-)
diff --git a/change-defaults-for-CVE-2020-1938.patch b/change-defaults-for-CVE-2020-1938.patch
index 03207b1..a7f7c49 100644
--- a/change-defaults-for-CVE-2020-1938.patch
+++ b/change-defaults-for-CVE-2020-1938.patch
@@ -1,6 +1,6 @@
diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java
---- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig 2020-03-12 13:33:31.792406379 -0400
-+++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2020-03-12 13:35:24.222117728 -0400
+--- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig 2020-04-22 15:31:12.889587528 -0400
++++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2020-04-22 15:31:37.907534419 -0400
@@ -16,7 +16,6 @@
*/
package org.apache.coyote.ajp;
@@ -28,9 +28,9 @@ diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/a
this.secretRequired = secretRequired;
}
diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
---- ./webapps/docs/changelog.xml.orig 2020-03-12 13:33:54.354348454 -0400
-+++ ./webapps/docs/changelog.xml 2020-03-12 13:37:17.041828075 -0400
-@@ -178,14 +178,10 @@
+--- ./webapps/docs/changelog.xml.orig 2020-04-03 08:12:03.000000000 -0400
++++ ./webapps/docs/changelog.xml 2020-04-22 15:31:37.911534411 -0400
+@@ -526,14 +526,10 @@
Disable (comment out in server.xml) the AJP/1.3 connector by default.
(markt)
@@ -47,26 +47,25 @@ diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
will not start unless the secret attribute is configured to
a non-null, non-zero length String. (markt)
diff -up ./webapps/docs/config/ajp.xml.orig ./webapps/docs/config/ajp.xml
---- ./webapps/docs/config/ajp.xml.orig 2020-03-12 13:34:10.383307302 -0400
-+++ ./webapps/docs/config/ajp.xml 2020-03-12 13:36:17.617980639 -0400
-@@ -315,7 +315,10 @@
+--- ./webapps/docs/config/ajp.xml.orig 2020-04-22 15:31:37.913534406 -0400
++++ ./webapps/docs/config/ajp.xml 2020-04-22 15:35:35.003031090 -0400
+@@ -327,7 +327,9 @@
- For servers with more than one IP address, this attribute
- specifies which address will be used for listening on the specified
-- port. By default, the loopback address will be used.
-+ port. By default, this port will be used on all IP addresses
-+ associated with the server. A value of 127.0.0.1
-+ indicates that the Connector will only listen on the loopback
-+ interface.
+ For servers with more than one IP address, this attribute specifies
+ which address will be used for listening on the specified port. By
+- default, the connector will listen on the loopback address. Unless the JVM
++ default, this port will be used on all IP addresses associated with the
++ server. A value of 127.0.0.1 indicates that the Connector
++ will only listen on the loopback interface.
Unless the JVM
+ is configured otherwise using system properties, the Java based connectors
+ (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
+ with either 0.0.0.0 or ::. The APR/native
+@@ -500,7 +502,7 @@
+ the secret attribute is required to be specified for the
+ AJP Connector to start. It does not control whether
+ workers are required to provide the secret. The default value is
+- true. This attribute should only be set to false
++ false. This attribute should only be set to false
+ when the Connector is used on a trusted network.
-
-@@ -465,7 +468,7 @@
-
- If this attribute is true, the AJP Connector will only
- start if the secret attribute is configured with a
-- non-null, non-zero length value. The default value is true.
-+ non-null, non-zero length value. The default value is false.
- This attributue should only be set to false when the
- Connector is used on a trusted network.
-
From 09af901510c74c25775ada70d8ba91919ee51fbc Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Wed, 22 Apr 2020 16:23:59 -0400
Subject: [PATCH 06/20] Fix ajp.xml (remove erroneous element)
---
change-defaults-for-CVE-2020-1938.patch | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/change-defaults-for-CVE-2020-1938.patch b/change-defaults-for-CVE-2020-1938.patch
index a7f7c49..02ed0df 100644
--- a/change-defaults-for-CVE-2020-1938.patch
+++ b/change-defaults-for-CVE-2020-1938.patch
@@ -56,7 +56,7 @@ diff -up ./webapps/docs/config/ajp.xml.orig ./webapps/docs/config/ajp.xml
- default, the connector will listen on the loopback address. Unless the JVM
+ default, this port will be used on all IP addresses associated with the
+ server. A value of 127.0.0.1 indicates that the Connector
-+ will only listen on the loopback interface. Unless the JVM
++ will only listen on the loopback interface. Unless the JVM
is configured otherwise using system properties, the Java based connectors
(NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
with either 0.0.0.0 or ::. The APR/native
From f9bad3febc27f89d052afbedc2909a714cf7f8ba Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Sun, 31 May 2020 21:10:41 +0800
Subject: [PATCH 07/20] Upgrade to 9.0.35
---
sources | 2 +-
tomcat.spec | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/sources b/sources
index 1bf01fc..9722027 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.34-src.tar.gz) = 8ac8a916bfe2d3daf679dab9f299bc50f138f3cc9a6e8679a22862d122dea1e5ce3b9101472295398366f5b5d8477097a3cfb536f01136e72ff09d69b2f6c3df
+SHA512 (apache-tomcat-9.0.35-src.tar.gz) = 8931c0f7c30f50d352879f8dfddc02fa59d7128813399e4eca3994be7cf2448e32e726a3cb8b387a5470ccbfa3fb74d0192c825b5f68bbb9fb6b43a9353cb24a
diff --git a/tomcat.spec b/tomcat.spec
index 8589391..90ce681 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 34
+%global micro_version 35
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@@ -619,6 +619,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Sun May 31 2020 Hui Wang - 1:9.0.34-1
+- Upgrade to 9.0.35
+
* Wed Apr 22 2020 Coty Sutherland - 1:9.0.34-2
- Add updated catalina.policy patch to allow ECJ usage under the Security Manager
From 1cdfffc9595e3fc147cb915074ad37fa0ea53d55 Mon Sep 17 00:00:00 2001
From: Coty Sutherland
Date: Mon, 1 Jun 2020 09:09:44 -0400
Subject: [PATCH 08/20] Fix changelog entry
---
tomcat.spec | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tomcat.spec b/tomcat.spec
index 90ce681..f2ce0fd 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@@ -619,7 +619,7 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
-* Sun May 31 2020 Hui Wang - 1:9.0.34-1
+* Sun May 31 2020 Hui Wang - 1:9.0.35-2
- Upgrade to 9.0.35
* Wed Apr 22 2020 Coty Sutherland - 1:9.0.34-2
From 9b96c63128b4e3144ebe5bb4f09ecebefceac697 Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Wed, 10 Jun 2020 16:07:31 +0800
Subject: [PATCH 09/20] Upgrade to 9.0.36
---
sources | 2 +-
tomcat.spec | 7 +++++--
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/sources b/sources
index 9722027..63e6a2c 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.35-src.tar.gz) = 8931c0f7c30f50d352879f8dfddc02fa59d7128813399e4eca3994be7cf2448e32e726a3cb8b387a5470ccbfa3fb74d0192c825b5f68bbb9fb6b43a9353cb24a
+SHA512 (apache-tomcat-9.0.36-src.tar.gz) = f8263594bc679f75cecf5bcf4ad8e8ccfea42ad8e90eaeb7004c63875c6b700b0f863d68f1cdd932ebc7b303bdfb86d70afe88686e576c8ea7ccd9574c74e25b
diff --git a/tomcat.spec b/tomcat.spec
index f2ce0fd..8b94197 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 35
+%global micro_version 36
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@@ -619,6 +619,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Wed Jun 10 2020 Hui Wang - 1:9.0.36-1
+- Upgrade to 9.0.36
+
* Sun May 31 2020 Hui Wang - 1:9.0.35-2
- Upgrade to 9.0.35
From c00e72f8e6a5b4dfec6be5e68e60491480cf5f20 Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Thu, 9 Jul 2020 15:21:53 +0800
Subject: [PATCH 10/20] Upgrade to 9.0.37
---
sources | 2 +-
tomcat.spec | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/sources b/sources
index 63e6a2c..1cf78f2 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.36-src.tar.gz) = f8263594bc679f75cecf5bcf4ad8e8ccfea42ad8e90eaeb7004c63875c6b700b0f863d68f1cdd932ebc7b303bdfb86d70afe88686e576c8ea7ccd9574c74e25b
+SHA512 (apache-tomcat-9.0.37-src.tar.gz) = 6e819fe255c467b0081e91c17a53fa383fe84d922492c62d7dd93cabf00e22ab30872ecaa298a9b12977b8c7518f36c8429091b24c9fb5200db64e80e853ce98
diff --git a/tomcat.spec b/tomcat.spec
index 8b94197..fa24b18 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 36
+%global micro_version 37
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -619,6 +619,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Thu Jul 09 2020 Hui Wang - 1:9.0.37-1
+- Upgrade to 9.0.37
+
* Wed Jun 10 2020 Hui Wang - 1:9.0.36-1
- Upgrade to 9.0.36
From 73eb59cb6a9bb909f2f22c11f92aa0fadc27324b Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Thu, 9 Jul 2020 16:38:07 +0800
Subject: [PATCH 11/20] Update tomcat-build.patch because of BZ 64513
---
tomcat-build.patch | 15 +++++++--------
tomcat.spec | 1 +
2 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/tomcat-build.patch b/tomcat-build.patch
index acaac9c..b8e8fe7 100644
--- a/tomcat-build.patch
+++ b/tomcat-build.patch
@@ -1,12 +1,11 @@
---- build.xml.orig 2018-08-07 10:32:04.994403913 -0400
-+++ build.xml 2018-08-07 10:32:30.874319588 -0400
-@@ -2989,6 +2989,9 @@ Read the Building page on the Apache Tom
-
+--- build.xml.orig 2020-07-09 15:35:49.411099426 +0800
++++ build.xml 2020-07-09 16:19:30.947234020 +0800
+@@ -3307,6 +3307,8 @@
+
+
-
-+
+
+
-
-
+
+
diff --git a/tomcat.spec b/tomcat.spec
index fa24b18..630bd9e 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -621,6 +621,7 @@ fi
%changelog
* Thu Jul 09 2020 Hui Wang - 1:9.0.37-1
- Upgrade to 9.0.37
+- Update tomcat-build.patch because of Fix BZ 64513 - bndlib is not needed, normalize the name to bnd everywhere
* Wed Jun 10 2020 Hui Wang - 1:9.0.36-1
- Upgrade to 9.0.36
From e740598bb3bc23f0d84b0b367920400a8a7bc28e Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Thu, 9 Jul 2020 23:23:04 +0800
Subject: [PATCH 12/20] Remove tomcat-build.patch from the spec file
---
tomcat.spec | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
diff --git a/tomcat.spec b/tomcat.spec
index 630bd9e..e56148c 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -80,9 +80,8 @@ Source32: tomcat-named.service
Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
-Patch2: %{name}-build.patch
-Patch3: change-defaults-for-CVE-2020-1938.patch
-Patch4: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
+Patch2: change-defaults-for-CVE-2020-1938.patch
+Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
BuildArch: noarch
@@ -100,7 +99,6 @@ BuildRequires: javapackages-local
BuildRequires: geronimo-jaxrpc
BuildRequires: geronimo-saaj
BuildRequires: aqute-bnd
-BuildRequires: aqute-bndlib
BuildRequires: wsdl4j
BuildRequires: systemd
@@ -209,7 +207,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch1 -p0
%patch2 -p0
%patch3 -p0
-%patch4 -p0
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -235,10 +232,6 @@ export OPT_JAR_LIST="xalan-j2-serializer"
-Dwsdl4j-lib.jar="$(build-classpath wsdl4j)" \
-Dsaaj-api.jar="$(build-classpath geronimo-saaj)" \
-Dbnd.jar="$(build-classpath aqute-bnd/biz.aQute.bnd)" \
- -Dbndlib.jar="$(build-classpath aqute-bnd/biz.aQute.bndlib)" \
- -Dbndlibg.jar="$(build-classpath aqute-bnd/aQute.libg)" \
- -Dbndannotation.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \
- -Dslf4j-api.jar="$(build-classpath slf4j/slf4j-api)" \
-Dversion="%{version}" \
-Dversion.build="%{micro_version}" \
deploy dist-source
@@ -621,7 +614,8 @@ fi
%changelog
* Thu Jul 09 2020 Hui Wang - 1:9.0.37-1
- Upgrade to 9.0.37
-- Update tomcat-build.patch because of Fix BZ 64513 - bndlib is not needed, normalize the name to bnd everywhere
+- Remove tomcat-build.patch because of Fix BZ 64513 - bndlib is not needed, normalize the name to bnd everywhere
+- Remove BR aqute-bndlib
* Wed Jun 10 2020 Hui Wang - 1:9.0.36-1
- Upgrade to 9.0.36
From 350dbfaf685eb06043fd78bc44fa344b6315845a Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Wed, 15 Jul 2020 16:49:50 +0800
Subject: [PATCH 13/20] Sync with master branch and update to 9.0.37
---
tomcat-build.patch | 24 ++++++++++++++++++++----
tomcat.spec | 16 +++++++++++-----
2 files changed, 31 insertions(+), 9 deletions(-)
diff --git a/tomcat-build.patch b/tomcat-build.patch
index b8e8fe7..d0d8fc6 100644
--- a/tomcat-build.patch
+++ b/tomcat-build.patch
@@ -1,11 +1,27 @@
---- build.xml.orig 2020-07-09 15:35:49.411099426 +0800
-+++ build.xml 2020-07-09 16:19:30.947234020 +0800
-@@ -3307,6 +3307,8 @@
+diff -up ./build.xml.orig ./build.xml
+--- ./build.xml.orig 2020-07-13 12:59:09.555368724 -0400
++++ ./build.xml 2020-07-13 13:06:51.246135917 -0400
+@@ -3307,6 +3307,11 @@ Read the Building page on the Apache Tom
++
++
+
+
++
-
+
+diff -up ./res/bnd/build-defaults.bnd.orig ./res/bnd/build-defaults.bnd
+--- ./res/bnd/build-defaults.bnd.orig 2020-07-13 13:47:01.229077747 -0400
++++ ./res/bnd/build-defaults.bnd 2020-07-13 13:47:12.923095618 -0400
+@@ -13,7 +13,7 @@
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+
+-Bundle-Version: ${version_cleanup;${version}}
++Bundle-Version: ${version}
+
+ Specification-Title: Apache Tomcat
+ Specification-Version: ${version.major.minor}
diff --git a/tomcat.spec b/tomcat.spec
index e56148c..f431745 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -80,8 +80,9 @@ Source32: tomcat-named.service
Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
-Patch2: change-defaults-for-CVE-2020-1938.patch
-Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
+Patch2: %{name}-build.patch
+Patch3: change-defaults-for-CVE-2020-1938.patch
+Patch4: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
BuildArch: noarch
@@ -99,6 +100,7 @@ BuildRequires: javapackages-local
BuildRequires: geronimo-jaxrpc
BuildRequires: geronimo-saaj
BuildRequires: aqute-bnd
+BuildRequires: aqute-bndlib
BuildRequires: wsdl4j
BuildRequires: systemd
@@ -207,6 +209,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch1 -p0
%patch2 -p0
%patch3 -p0
+%patch4 -p0
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -232,6 +235,11 @@ export OPT_JAR_LIST="xalan-j2-serializer"
-Dwsdl4j-lib.jar="$(build-classpath wsdl4j)" \
-Dsaaj-api.jar="$(build-classpath geronimo-saaj)" \
-Dbnd.jar="$(build-classpath aqute-bnd/biz.aQute.bnd)" \
+ -Dbndlib.jar="$(build-classpath aqute-bnd/biz.aQute.bndlib)" \
+ -Dbndlibg.jar="$(build-classpath aqute-bnd/aQute.libg)" \
+ -Dbndannotation.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \
+ -Dslf4j-api.jar="$(build-classpath slf4j/slf4j-api)" \
+ -Dosgi-cmpn.jar="$(build-classpath osgi-compendium/osgi.cmpn)" \
-Dversion="%{version}" \
-Dversion.build="%{micro_version}" \
deploy dist-source
@@ -612,10 +620,8 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
-* Thu Jul 09 2020 Hui Wang - 1:9.0.37-1
+* Wed Jul 15 2020 Hui Wang - 1:9.0.37-1
- Upgrade to 9.0.37
-- Remove tomcat-build.patch because of Fix BZ 64513 - bndlib is not needed, normalize the name to bnd everywhere
-- Remove BR aqute-bndlib
* Wed Jun 10 2020 Hui Wang - 1:9.0.36-1
- Upgrade to 9.0.36
From 9c2d658498d4baa91fd1dae12ce9be289123c582 Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Wed, 16 Sep 2020 17:58:33 +0800
Subject: [PATCH 14/20] Update to 9.0.38
---
sources | 2 +-
tomcat.spec | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/sources b/sources
index 1cf78f2..564403f 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.37-src.tar.gz) = 6e819fe255c467b0081e91c17a53fa383fe84d922492c62d7dd93cabf00e22ab30872ecaa298a9b12977b8c7518f36c8429091b24c9fb5200db64e80e853ce98
+SHA512 (apache-tomcat-9.0.38-src.tar.gz) = 13c79abed71ead564b108ec8a046e78374611acd906f4b6e775ac0427446117192be6b25f29894e625e2dc13f79abbc97bc52b32120ce5701cbe0f5ae05bc57b
diff --git a/tomcat.spec b/tomcat.spec
index f431745..6839cb2 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 37
+%global micro_version 38
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -620,6 +620,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Wed Sep 16 2020 Hui Wang - 1:9.0.38-1
+- Update to 9.0.38
+
* Wed Jul 15 2020 Hui Wang - 1:9.0.37-1
- Upgrade to 9.0.37
From 2bcbc25c38bf33c092a675793667e7d6f4f238ba Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Mon, 21 Sep 2020 12:18:43 +0800
Subject: [PATCH 15/20] Sync with f33 branch: rhbz#1857043 related
---
rhbz-1857043.patch | 200 +++++++++++++++++++++++++++++++++++++++++++++
tomcat.spec | 7 +-
2 files changed, 206 insertions(+), 1 deletion(-)
create mode 100644 rhbz-1857043.patch
diff --git a/rhbz-1857043.patch b/rhbz-1857043.patch
new file mode 100644
index 0000000..3730769
--- /dev/null
+++ b/rhbz-1857043.patch
@@ -0,0 +1,200 @@
+diff -up ./build.xml.orig ./build.xml
+--- ./build.xml.orig 2020-07-24 10:24:08.313796968 -0400
++++ ./build.xml 2020-07-24 10:24:38.027427445 -0400
+@@ -757,7 +757,7 @@
+ filesDir="${tomcat.classes}"
+ filesId="files.annotations-api"
+ manifest="${tomcat.manifests}/annotations-api.jar.manifest"
+- addOSGi="true" />
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+
++ addOSGi="false" />
+
+
+ - 1:9.0.38-2
+- Related: rhbz#1857043 Temporarily remove OSGi metadata from tomcat jars
+
* Wed Sep 16 2020 Hui Wang - 1:9.0.38-1
- Update to 9.0.38
From ae0fc93e981127dbe1e9299db4cc232b833071cd Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Wed, 14 Oct 2020 11:23:55 +0800
Subject: [PATCH 16/20] Update to 9.0.39
---
sources | 2 +-
tomcat.spec | 6 +++++-
2 files changed, 6 insertions(+), 2 deletions(-)
diff --git a/sources b/sources
index 564403f..0f52225 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.38-src.tar.gz) = 13c79abed71ead564b108ec8a046e78374611acd906f4b6e775ac0427446117192be6b25f29894e625e2dc13f79abbc97bc52b32120ce5701cbe0f5ae05bc57b
+SHA512 (apache-tomcat-9.0.39-src.tar.gz) = d13a74789db0fdd9d814296cb66ae1321407b1452e0aa7b4f554c86b9c4f0abbeb9c9c6ab4723740174fe95ade4673c67fb7cb6f220d0d3c71ac27146faf5374
diff --git a/tomcat.spec b/tomcat.spec
index 8abb4d2..1bda52e 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 38
+%global micro_version 39
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -240,6 +240,7 @@ export OPT_JAR_LIST="xalan-j2-serializer"
-Dbndlib.jar="$(build-classpath aqute-bnd/biz.aQute.bndlib)" \
-Dbndlibg.jar="$(build-classpath aqute-bnd/aQute.libg)" \
-Dbndannotation.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \
+ -Dosgi-annotations.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \
-Dslf4j-api.jar="$(build-classpath slf4j/slf4j-api)" \
-Dosgi-cmpn.jar="$(build-classpath osgi-compendium/osgi.cmpn)" \
-Dversion="%{version}" \
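Review bot: The added `-Dosgi-annotations.jar` property resolves to the same `aqute-bnd/biz.aQute.bnd.annotation` artifact as `-Dbndannotation.jar` two lines above, and nothing records whether that is a deliberate stand-in. If the build expects a separate OSGi annotations jar behind that property, a missing class would only show up at compile time, which cannot be confirmed from this hunk. A comment ahead of the command would settle it, for example `# osgi-annotations.jar intentionally points at the bnd annotation jar (same as bndannotation.jar)`. The command starts above the hunk, so the comment's placement needs checking against the full build section.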
@@ -622,6 +623,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Mon Oct 12 2020 Hui Wang - 1:9.0.39-1
+- Update to 9.0.39
+
* Mon Sep 21 2020 Hui Wang - 1:9.0.38-2
- Related: rhbz#1857043 Temporarily remove OSGi metadata from tomcat jars
From 33bb1404925cac5a49e5512babfb028e33d163f2 Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Fri, 6 Nov 2020 13:53:33 +0800
Subject: [PATCH 17/20] Revert upstream fix for LogFactory.java because of our
lower version of bnd
---
tomcat-9.0-LogFactory.patch | 20 ++++++++++++++++++++
tomcat.spec | 5 ++++-
2 files changed, 24 insertions(+), 1 deletion(-)
create mode 100644 tomcat-9.0-LogFactory.patch
diff --git a/tomcat-9.0-LogFactory.patch b/tomcat-9.0-LogFactory.patch
new file mode 100644
index 0000000..eb89fbd
--- /dev/null
+++ b/tomcat-9.0-LogFactory.patch
@@ -0,0 +1,20 @@
+diff -up ./java/org/apache/juli/logging/LogFactory.java.orig ./java/org/apache/juli/logging/LogFactory.java
+--- ./java/org/apache/juli/logging/LogFactory.java.orig 2020-11-06 13:22:26.231141049 +0800
++++ ./java/org/apache/juli/logging/LogFactory.java 2020-11-06 13:24:03.941098001 +0800
+@@ -21,8 +21,6 @@ import java.nio.file.FileSystems;
+ import java.util.ServiceLoader;
+ import java.util.logging.LogManager;
+
+-import aQute.bnd.annotation.spi.ServiceConsumer;
+-
+ /**
+ * This is a modified LogFactory that uses a simple {@link ServiceLoader} based
+ * discovery mechanism with a default of using JDK based logging. An
+@@ -63,7 +61,6 @@ import aQute.bnd.annotation.spi.ServiceC
+ * @author Costin Manolache
+ * @author Richard A. Sitze
+ */
+-@ServiceConsumer(value=org.apache.juli.logging.Log.class)
+ public class LogFactory {
+
+ private static final LogFactory singleton = new LogFactory();
diff --git a/tomcat.spec b/tomcat.spec
index 1bda52e..e507497 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 2%{?dist}
+Release: 1%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@@ -84,6 +84,7 @@ Patch2: %{name}-build.patch
Patch3: change-defaults-for-CVE-2020-1938.patch
Patch4: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
Patch5: rhbz-1857043.patch
+Patch6: %{name}-%{major_version}.%{minor_version}-LogFactory.patch
BuildArch: noarch
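Review bot: The new `Patch6:` line carries a downstream revert of upstream code, but nothing beside it says which change it reverts or when it can be dropped. The only trace is the changelog line added further down in this file. A comment directly above the line keeps that with the patch, for example `# Reverts upstream d1f4d8712ddb52857f40a8cc4a82bf8b8e013f88 (LogFactory @ServiceConsumer); drop once the packaged bnd provides aQute.bnd.annotation.spi`.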
@@ -212,6 +213,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch3 -p0
%patch4 -p0
%patch5 -p0
+%patch6 -p0
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -625,6 +627,7 @@ fi
%changelog
* Mon Oct 12 2020 Hui Wang - 1:9.0.39-1
- Update to 9.0.39
+- Revert upstream fix d1f4d8712ddb52857f40a8cc4a82bf8b8e013f88 for LogFactory.java because of our lower version of bnd
* Mon Sep 21 2020 Hui Wang - 1:9.0.38-2
- Related: rhbz#1857043 Temporarily remove OSGi metadata from tomcat jars
From 8b9ce81ef97c69788b22e2b96aa37e154de3fc7f Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Wed, 18 Nov 2020 16:28:07 +0800
Subject: [PATCH 18/20] Update to 9.0.40
---
sources | 2 +-
tomcat.spec | 5 ++++-
2 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/sources b/sources
index 0f52225..7b614e9 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.39-src.tar.gz) = d13a74789db0fdd9d814296cb66ae1321407b1452e0aa7b4f554c86b9c4f0abbeb9c9c6ab4723740174fe95ade4673c67fb7cb6f220d0d3c71ac27146faf5374
+SHA512 (apache-tomcat-9.0.40-src.tar.gz) = 61b8e191315cee2bc0437013dbe7d1fb3451182e0b316fb377581c7d47a59cefb7f2ff30d96a2d6326a99c86f4151b26d1ef76bda5029b30d81c8297a0b362fb
diff --git a/tomcat.spec b/tomcat.spec
index e507497..81159e2 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 39
+%global micro_version 40
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
@@ -625,6 +625,9 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
+* Wed Nov 18 2020 Hui Wang - 1:9.0.40-1
+- Update to 9.0.40
+
* Mon Oct 12 2020 Hui Wang - 1:9.0.39-1
- Update to 9.0.39
- Revert upstream fix d1f4d8712ddb52857f40a8cc4a82bf8b8e013f88 for LogFactory.java because of our lower version of bnd
From ea0cdf7d9157e700f64fac718fdea50f15de1f28 Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Tue, 22 Dec 2020 14:14:54 +0800
Subject: [PATCH 19/20] Related: rhbz#64830 concurrency issue in HPACK decoder
(CVE-2020-17527)
---
concurrency-issue-for-CVE-2020-17527.patch | 49 ++++++++++++++++++++++
tomcat.spec | 10 +++--
2 files changed, 55 insertions(+), 4 deletions(-)
create mode 100644 concurrency-issue-for-CVE-2020-17527.patch
diff --git a/concurrency-issue-for-CVE-2020-17527.patch b/concurrency-issue-for-CVE-2020-17527.patch
new file mode 100644
index 0000000..44b5521
--- /dev/null
+++ b/concurrency-issue-for-CVE-2020-17527.patch
@@ -0,0 +1,49 @@
+diff -up ./java/org/apache/coyote/http2/HpackDecoder.java.orig ./java/org/apache/coyote/http2/HpackDecoder.java
+--- ./java/org/apache/coyote/http2/HpackDecoder.java.orig 2020-12-18 17:16:34.502408251 +0800
++++ ./java/org/apache/coyote/http2/HpackDecoder.java 2020-12-18 17:22:27.675912403 +0800
+@@ -72,8 +72,6 @@ public class HpackDecoder {
+ private volatile boolean countedCookie;
+ private volatile int headerSize = 0;
+
+- private final StringBuilder stringBuilder = new StringBuilder();
+-
+ HpackDecoder(int maxMemorySize) {
+ this.maxMemorySizeHard = maxMemorySize;
+ this.maxMemorySizeSoft = maxMemorySize;
+@@ -222,19 +220,17 @@ public class HpackDecoder {
+ if (huffman) {
+ return readHuffmanString(length, buffer);
+ }
++ StringBuilder stringBuilder = new StringBuilder(length);
+ for (int i = 0; i < length; ++i) {
+ stringBuilder.append((char) buffer.get());
+ }
+- String ret = stringBuilder.toString();
+- stringBuilder.setLength(0);
+- return ret;
++ return stringBuilder.toString();
+ }
+
+ private String readHuffmanString(int length, ByteBuffer buffer) throws HpackException {
++ StringBuilder stringBuilder = new StringBuilder(length);
+ HPackHuffman.decode(buffer, length, stringBuilder);
+- String ret = stringBuilder.toString();
+- stringBuilder.setLength(0);
+- return ret;
++ return stringBuilder.toString();
+ }
+
+ private String handleIndexedHeaderName(int index) throws HpackException {
+diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
+--- webapps/docs/changelog.xml.orig 2020-12-18 17:25:29.287714327 +0800
++++ webapps/docs/changelog.xml 2020-12-18 17:30:42.780824782 +0800
+@@ -159,6 +159,9 @@
+ frame in the input buffer. (markt)
+
+
++
++ 64830: Fix concurrency issue in HPACK decoder. (markt)
++
+
+
+
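Review bot: Both added `new StringBuilder(length)` calls size an allocation from `length`, which presumably is decoded from the peer's header block, and the check that bounds it is not visible in this hunk. Confirm that `length` is compared with `buffer.remaining()` before either call; if it is not, the default `new StringBuilder()` avoids a peer-chosen allocation size. In `readHuffmanString` the value is the encoded byte count, so it is only a starting capacity and not the decoded length. Because the fix is that the builder is no longer an instance field, a comment such as `// Must stay local: a builder shared across calls is the 64830 concurrency bug` would stop it being hoisted back. The first changed method starts above the hunk.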
diff --git a/tomcat.spec b/tomcat.spec
index 81159e2..994e96d 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
%global jspspec 2.3
%global major_version 9
%global minor_version 0
-%global micro_version 40
+%global micro_version 39
%global packdname apache-tomcat-%{version}-src
%global servletspec 4.0
%global elspec 3.0
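Review bot: Setting `micro_version` back from 40 to 39 ships 9.0.39 plus the single backport in Patch7, so anything else that 9.0.40 changed is dropped, and the commit message does not say why the rebase was abandoned. With `Epoch: 1` unchanged, the resulting 1:9.0.39-2 sorts below 1:9.0.40-1, so if that build was ever published, hosts that installed it will not be offered this package. This commit also leaves `sources` pointing at the 9.0.40 tarball until the following commit, so it does not build on its own; the two changes belong in one commit. The changelog hunk at the end of this file deletes the 9.0.40-1 entry, and its `rhbz#64830` looks like the upstream bug id from the embedded changelog.xml entry rather than a Red Hat Bugzilla number, so a line such as `- Revert to 9.0.39; backport upstream fix 64830 (CVE-2020-17527)` would be more accurate.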
@@ -59,7 +59,7 @@
Name: tomcat
Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 1%{?dist}
+Release: 2%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
License: ASL 2.0
@@ -85,6 +85,7 @@ Patch3: change-defaults-for-CVE-2020-1938.patch
Patch4: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
Patch5: rhbz-1857043.patch
Patch6: %{name}-%{major_version}.%{minor_version}-LogFactory.patch
+Patch7: concurrency-issue-for-CVE-2020-17527.patch
BuildArch: noarch
@@ -214,6 +215,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%patch4 -p0
%patch5 -p0
%patch6 -p0
+%patch7 -p0
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
%{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -625,8 +627,8 @@ fi
%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
%changelog
-* Wed Nov 18 2020 Hui Wang - 1:9.0.40-1
-- Update to 9.0.40
+* Fri Dec 18 2020 Hui Wang - 1:9.0.39-2
+- Related: rhbz#64830 concurrency issue in HPACK decoder (CVE-2020-17527)
* Mon Oct 12 2020 Hui Wang - 1:9.0.39-1
- Update to 9.0.39
From 7215607ac9458aac828572d5234db63d12267776 Mon Sep 17 00:00:00 2001
From: Hui Wang
Date: Tue, 22 Dec 2020 14:22:29 +0800
Subject: [PATCH 20/20] Revert to 9.0.39
---
sources | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sources b/sources
index 7b614e9..0f52225 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.40-src.tar.gz) = 61b8e191315cee2bc0437013dbe7d1fb3451182e0b316fb377581c7d47a59cefb7f2ff30d96a2d6326a99c86f4151b26d1ef76bda5029b30d81c8297a0b362fb
+SHA512 (apache-tomcat-9.0.39-src.tar.gz) = d13a74789db0fdd9d814296cb66ae1321407b1452e0aa7b4f554c86b9c4f0abbeb9c9c6ab4723740174fe95ade4673c67fb7cb6f220d0d3c71ac27146faf5374