Update dependency for ECJ to version 4.11 and some patch adjustments

Resolves: rhbz#1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability

change-defaults-for-CVE-2020-1938.patch

@@ -0,0 +1,71 @@
+diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java
+--- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig	2020-04-22 15:31:12.889587528 -0400
++++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java	2020-04-22 15:31:37.907534419 -0400
+@@ -16,7 +16,6 @@
+  */
+ package org.apache.coyote.ajp;
+ 
+-import java.net.InetAddress;
+ import java.util.regex.Pattern;
+ 
+ import org.apache.coyote.AbstractProtocol;
+@@ -49,8 +48,6 @@ public abstract class AbstractAjpProtoco
+         setConnectionTimeout(Constants.DEFAULT_CONNECTION_TIMEOUT);
+         // AJP does not use Send File
+         getEndpoint().setUseSendfile(false);
+-        // AJP listens on loopback by default
+-        getEndpoint().setAddress(InetAddress.getLoopbackAddress());
+         ConnectionHandler<S> cHandler = new ConnectionHandler<>(this);
+         setHandler(cHandler);
+         getEndpoint().setHandler(cHandler);
+@@ -180,7 +177,7 @@ public abstract class AbstractAjpProtoco
+     }
+ 
+ 
+-    private boolean secretRequired = true;
++    private boolean secretRequired = false;
+     public void setSecretRequired(boolean secretRequired) {
+         this.secretRequired = secretRequired;
+     }
+diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
+--- ./webapps/docs/changelog.xml.orig	2020-04-03 08:12:03.000000000 -0400
++++ ./webapps/docs/changelog.xml	2020-04-22 15:31:37.911534411 -0400
+@@ -526,14 +526,10 @@
+         Disable (comment out in server.xml) the AJP/1.3 connector by default.
+         (markt)
+       </update>
+-      <update>
+-        Change the default bind address for the AJP/1.3 connector to be the
+-        loopback address. (markt)
+-      </update>
+       <add>
+         Rename the <code>requiredSecret</code> attribute of the AJP/1.3
+         Connector to <code>secret</code> and add a new attribute
+-        <code>secretRequired</code> that defaults to <code>true</code>. When
++        <code>secretRequired</code> that defaults to <code>false</code>. When
+         <code>secretRequired</code> is <code>true</code> the AJP/1.3 Connector
+         will not start unless the <code>secret</code> attribute is configured to
+         a non-null, non-zero length String. (markt)
+diff -up ./webapps/docs/config/ajp.xml.orig ./webapps/docs/config/ajp.xml
+--- ./webapps/docs/config/ajp.xml.orig	2020-04-22 15:31:37.913534406 -0400
++++ ./webapps/docs/config/ajp.xml	2020-04-22 15:35:35.003031090 -0400
+@@ -327,7 +327,9 @@
+     <attribute name="address" required="false">
+       <p>For servers with more than one IP address, this attribute specifies
+       which address will be used for listening on the specified port. By
+-      default, the connector will listen on the loopback address. Unless the JVM
++      default, this port will be used on all IP addresses associated with the
++      server. A value of <code>127.0.0.1</code> indicates that the Connector
++      will only listen on the loopback interface. Unless the JVM
+       is configured otherwise using system properties, the Java based connectors
+       (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
+       with either <code>0.0.0.0</code> or <code>::</code>. The APR/native
+@@ -500,7 +502,7 @@
+       the <strong>secret</strong> attribute is required to be specified for the
+       AJP Connector to start. It <strong>does not</strong> control whether
+       workers are required to provide the secret. The default value is
+-      <code>true</code>. This attribute should only be set to <code>false</code>
++      <code>false</code>. This attribute should only be set to <code>false</code>
+       when the Connector is used on a trusted network.</p>
+     </attribute>
+ 

sources

@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.26-src.tar.gz) = 8f430439c66f5a43c7a35bc99edd11549100be28b17fb44e17ec432f72e1797cdebd641a7f19c1d918635e51c164ecd1c9d1399a63abfce05d9a8c37db381837
+SHA512 (apache-tomcat-9.0.34-src.tar.gz) = 8ac8a916bfe2d3daf679dab9f299bc50f138f3cc9a6e8679a22862d122dea1e5ce3b9101472295398366f5b5d8477097a3cfb536f01136e72ff09d69b2f6c3df

tomcat-9.0-RemoveCompilerOptions.patch

@@ -0,0 +1,58 @@
+diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java.orig ./java/org/apache/jasper/compiler/JDTCompiler.java
+--- ./java/org/apache/jasper/compiler/JDTCompiler.java.orig	2020-04-03 08:11:52.000000000 -0400
++++ ./java/org/apache/jasper/compiler/JDTCompiler.java	2020-04-22 16:03:04.710594419 -0400
+@@ -324,24 +324,6 @@ public class JDTCompiler extends org.apa
+             } else if(opt.equals("11")) {
+                 settings.put(CompilerOptions.OPTION_Source,
+                              CompilerOptions.VERSION_11);
+-            } else if(opt.equals("12")) {
+-                settings.put(CompilerOptions.OPTION_Source,
+-                             CompilerOptions.VERSION_12);
+-            } else if(opt.equals("13")) {
+-                // Constant not available in latest ECJ version shipped with
+-                // Tomcat. May be supported in a snapshot build.
+-                // This is checked against the actual version below.
+-                settings.put(CompilerOptions.OPTION_Source, "13");
+-            } else if(opt.equals("14")) {
+-                // Constant not available in latest ECJ version shipped with
+-                // Tomcat. May be supported in a snapshot build.
+-                // This is checked against the actual version below.
+-                settings.put(CompilerOptions.OPTION_Source, "14");
+-            } else if(opt.equals("15")) {
+-                // Constant not available in latest ECJ version shipped with
+-                // Tomcat. May be supported in a snapshot build.
+-                // This is checked against the actual version below.
+-                settings.put(CompilerOptions.OPTION_Source, "15");
+             } else {
+                 log.warn(Localizer.getMessage("jsp.warning.unknown.sourceVM", opt));
+                 settings.put(CompilerOptions.OPTION_Source,
+@@ -405,29 +387,6 @@ public class JDTCompiler extends org.apa
+                         CompilerOptions.VERSION_11);
+                 settings.put(CompilerOptions.OPTION_Compliance,
+                         CompilerOptions.VERSION_11);
+-            } else if(opt.equals("12")) {
+-                settings.put(CompilerOptions.OPTION_TargetPlatform,
+-                        CompilerOptions.VERSION_12);
+-                settings.put(CompilerOptions.OPTION_Compliance,
+-                        CompilerOptions.VERSION_12);
+-            } else if(opt.equals("13")) {
+-                // Constant not available in latest ECJ version shipped with
+-                // Tomcat. May be supported in a snapshot build.
+-                // This is checked against the actual version below.
+-                settings.put(CompilerOptions.OPTION_TargetPlatform, "13");
+-                settings.put(CompilerOptions.OPTION_Compliance, "13");
+-            } else if(opt.equals("14")) {
+-                // Constant not available in latest ECJ version shipped with
+-                // Tomcat. May be supported in a snapshot build.
+-                // This is checked against the actual version below.
+-                settings.put(CompilerOptions.OPTION_TargetPlatform, "14");
+-                settings.put(CompilerOptions.OPTION_Compliance, "14");
+-            } else if(opt.equals("15")) {
+-                // Constant not available in latest ECJ version shipped with
+-                // Tomcat. May be supported in a snapshot build.
+-                // This is checked against the actual version below.
+-                settings.put(CompilerOptions.OPTION_TargetPlatform, "15");
+-                settings.put(CompilerOptions.OPTION_Compliance, "15");
+             } else {
+                 log.warn(Localizer.getMessage("jsp.warning.unknown.targetVM", opt));
+                 settings.put(CompilerOptions.OPTION_TargetPlatform,

tomcat.spec

@@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 26
+%global micro_version 34
 %global packdname apache-tomcat-%{version}-src
 %global servletspec 4.0
 %global elspec 3.0
@@ -81,11 +81,13 @@ Source32:      tomcat-named.service
 Patch0:        %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
 Patch1:        %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
 Patch2:        %{name}-build.patch
+Patch3:        %{name}-%{major_version}.%{minor_version}-RemoveCompilerOptions.patch
+Patch4:        change-defaults-for-CVE-2020-1938.patch
 
 BuildArch:     noarch
 
 BuildRequires: ant
-BuildRequires: ecj >= 1:4.10
+BuildRequires: ecj >= 1:4.11
 BuildRequires: findutils
 BuildRequires: apache-commons-daemon
 BuildRequires: tomcat-taglibs-standard
@@ -206,6 +208,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch0 -p0
 %patch1 -p0
 %patch2 -p0
+%patch3 -p0
+%patch4 -p0
 
 %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
 %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -610,6 +614,21 @@ fi
 %attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
 
 %changelog
+* Tue Apr 21 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.34-1
+- Update to 9.0.34
+- Update dependency for ECJ to version 4.11
+
+* Thu Mar 12 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.31-2
+- Related: rhbz#1806398 Undo changes in defaults for AJP connector (CVE-2020-1938) to prevent breakage, please update your configuration accordingly
+
+* Thu Mar 05 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.31-1
+- Update to 9.0.31
+- Resolves: rhbz#1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
+
+* Fri Dec 20 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.30-1
+- Update to 9.0.30
+- Remove Java 12 support from JDTCompiler due to older ECJ version availablility
+
 * Thu Sep 26 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.26-1
 - Update to 9.0.26
 - Resolves: rhbz#1523112 tomcat systemd does not cope with - in service names