Update source tar ball

Resolves: rhbz#1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability

change-defaults-for-CVE-2020-1938.patch

@@ -0,0 +1,71 @@
+diff -up ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java
+--- ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java.orig	2020-04-22 15:31:12.889587528 -0400
++++ ./java/org/apache/coyote/ajp/AbstractAjpProtocol.java	2020-04-22 15:31:37.907534419 -0400
+@@ -16,7 +16,6 @@
+  */
+ package org.apache.coyote.ajp;
+ 
+-import java.net.InetAddress;
+ import java.util.regex.Pattern;
+ 
+ import org.apache.coyote.AbstractProtocol;
+@@ -49,8 +48,6 @@ public abstract class AbstractAjpProtoco
+         setConnectionTimeout(Constants.DEFAULT_CONNECTION_TIMEOUT);
+         // AJP does not use Send File
+         getEndpoint().setUseSendfile(false);
+-        // AJP listens on loopback by default
+-        getEndpoint().setAddress(InetAddress.getLoopbackAddress());
+         ConnectionHandler<S> cHandler = new ConnectionHandler<>(this);
+         setHandler(cHandler);
+         getEndpoint().setHandler(cHandler);
+@@ -180,7 +177,7 @@ public abstract class AbstractAjpProtoco
+     }
+ 
+ 
+-    private boolean secretRequired = true;
++    private boolean secretRequired = false;
+     public void setSecretRequired(boolean secretRequired) {
+         this.secretRequired = secretRequired;
+     }
+diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
+--- ./webapps/docs/changelog.xml.orig	2020-04-03 08:12:03.000000000 -0400
++++ ./webapps/docs/changelog.xml	2020-04-22 15:31:37.911534411 -0400
+@@ -526,14 +526,10 @@
+         Disable (comment out in server.xml) the AJP/1.3 connector by default.
+         (markt)
+       </update>
+-      <update>
+-        Change the default bind address for the AJP/1.3 connector to be the
+-        loopback address. (markt)
+-      </update>
+       <add>
+         Rename the <code>requiredSecret</code> attribute of the AJP/1.3
+         Connector to <code>secret</code> and add a new attribute
+-        <code>secretRequired</code> that defaults to <code>true</code>. When
++        <code>secretRequired</code> that defaults to <code>false</code>. When
+         <code>secretRequired</code> is <code>true</code> the AJP/1.3 Connector
+         will not start unless the <code>secret</code> attribute is configured to
+         a non-null, non-zero length String. (markt)
+diff -up ./webapps/docs/config/ajp.xml.orig ./webapps/docs/config/ajp.xml
+--- ./webapps/docs/config/ajp.xml.orig	2020-04-22 15:31:37.913534406 -0400
++++ ./webapps/docs/config/ajp.xml	2020-04-22 15:35:35.003031090 -0400
+@@ -327,7 +327,9 @@
+     <attribute name="address" required="false">
+       <p>For servers with more than one IP address, this attribute specifies
+       which address will be used for listening on the specified port. By
+-      default, the connector will listen on the loopback address. Unless the JVM
++      default, this port will be used on all IP addresses associated with the
++      server. A value of <code>127.0.0.1</code> indicates that the Connector
++      will only listen on the loopback interface. Unless the JVM
+       is configured otherwise using system properties, the Java based connectors
+       (NIO, NIO2) will listen on both IPv4 and IPv6 addresses when configured
+       with either <code>0.0.0.0</code> or <code>::</code>. The APR/native
+@@ -500,7 +502,7 @@
+       the <strong>secret</strong> attribute is required to be specified for the
+       AJP Connector to start. It <strong>does not</strong> control whether
+       workers are required to provide the secret. The default value is
+-      <code>true</code>. This attribute should only be set to <code>false</code>
++      <code>false</code>. This attribute should only be set to <code>false</code>
+       when the Connector is used on a trusted network.</p>
+     </attribute>
+ 

rhbz-1857043.patch

@@ -0,0 +1,200 @@
+diff -up ./build.xml.orig ./build.xml
+--- ./build.xml.orig	2020-07-24 10:24:08.313796968 -0400
++++ ./build.xml	2020-07-24 10:24:38.027427445 -0400
+@@ -757,7 +757,7 @@
+       filesDir="${tomcat.classes}"
+       filesId="files.annotations-api"
+       manifest="${tomcat.manifests}/annotations-api.jar.manifest"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Servlet 4.0 Implementation JAR File -->
+     <jarIt jarfile="${servlet-api.jar}"
+@@ -766,41 +766,41 @@
+       manifest="${tomcat.manifests}/servlet-api.jar.manifest"
+       notice="${tomcat.manifests}/servlet-api.jar.notice"
+       license="${tomcat.manifests}/servlet-api.jar.license"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- EL Implementation JAR File -->
+     <jarIt jarfile="${el-api.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.el-api"
+       manifest="${tomcat.manifests}/el-api.jar.manifest"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- JSP Implementation JAR File -->
+     <jarIt jarfile="${jsp-api.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.jsp-api"
+       manifest="${tomcat.manifests}/jsp-api.jar.manifest"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- WebSocket API JAR File -->
+     <jarIt jarfile="${websocket-api.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.websocket-api"
+       manifest="${tomcat.manifests}/websocket-api.jar.manifest"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- JASPIC 1.1 API JAR File -->
+     <jarIt jarfile="${jaspic-api.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.jaspic-api"
+       manifest="${tomcat.manifests}/jaspic-api.jar.manifest"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Tomcat-juli JAR File -->
+     <jarIt jarfile="${tomcat-juli.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.tomcat-juli"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Bootstrap JAR File -->
+     <jarIt jarfile="${bootstrap.jar}"
+@@ -812,61 +812,61 @@
+     <jarIt jarfile="${tomcat-util.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.tomcat-util"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Tomcat API JAR File -->
+     <jarIt jarfile="${tomcat-api.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.tomcat-api"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Tomcat Util Scan JAR File -->
+     <jarIt jarfile="${tomcat-util-scan.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.tomcat-util-scan"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <jarIt jarfile="${tomcat-jni.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.tomcat-jni"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Protocol handlers - Coyote -->
+     <jarIt jarfile="${tomcat-coyote.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.tomcat-coyote"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- WebSocket implementation JAR File -->
+     <jarIt jarfile="${tomcat-websocket.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.tomcat-websocket"
+       meta-inf="${tomcat.manifests}/tomcat-websocket.jar"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Catalina GroupCom/Tribes JAR File -->
+     <jarIt jarfile="${catalina-tribes.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.catalina-tribes"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Catalina Main JAR File -->
+     <jarIt jarfile="${catalina.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.catalina"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Catalina Cluster/HA JAR File -->
+     <jarIt jarfile="${catalina-ha.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.catalina-ha"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Server-Side Includes (SSI) -->
+     <jarIt jarfile="${catalina-ssi.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.catalina-ssi"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Catalina Ant Tasks JAR File -->
+     <jarIt jarfile="${catalina-ant.jar}"
+@@ -877,27 +877,27 @@
+     <jarIt jarfile="${catalina-storeconfig.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.catalina-storeconfig"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Jasper EL Implementation JAR File -->
+     <jarIt jarfile="${jasper-el.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.jasper-el"
+       meta-inf="${tomcat.manifests}/jasper-el.jar"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Jasper Implementation JAR File -->
+     <jarIt jarfile="${jasper.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.jasper"
+       meta-inf="${tomcat.manifests}/jasper.jar"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- Re-packaged Apache Commons DBCP 2-->
+     <jarIt jarfile="${tomcat-dbcp.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.tomcat-dbcp"
+-      addOSGi="true" />
++      addOSGi="false" />
+ 
+     <!-- i18n JARs -->
+     <jar jarfile="${tomcat.build}/lib/tomcat-i18n-cs.jar"
+@@ -1375,7 +1375,7 @@
+            filesId="files.tomcat-embed-core"
+            notice="${tomcat.manifests}/servlet-api.jar.notice"
+            license="${tomcat.manifests}/servlet-api.jar.license"
+-           addOSGi="true"
++           addOSGi="false"
+            addGraal="true"
+            graalPrefix="org.apache.tomcat.embed/tomcat-embed-core"
+            graalFiles="res/graal/tomcat-embed-core/native-image"
+@@ -1383,7 +1383,7 @@
+     <jarIt jarfile="${tomcat-embed-el.jar}"
+            filesDir="${tomcat.classes}"
+            filesId="files.tomcat-embed-el"
+-           addOSGi="true"
++           addOSGi="false"
+            addGraal="true"
+            graalPrefix="org.apache.tomcat.embed/tomcat-embed-el"
+            graalFiles="res/graal/tomcat-embed-el/native-image"
+@@ -1392,7 +1392,7 @@
+            filesDir="${tomcat.classes}"
+            filesId="files.tomcat-embed-jasper"
+            meta-inf="${tomcat.manifests}/jasper.jar"
+-           addOSGi="true"
++           addOSGi="false"
+            addGraal="true"
+            graalPrefix="org.apache.tomcat.embed/tomcat-embed-jasper"
+            graalFiles="res/graal/tomcat-embed-jasper/native-image"
+@@ -1401,7 +1401,7 @@
+            filesDir="${tomcat.classes}"
+            filesId="files.tomcat-embed-websocket"
+            meta-inf="${tomcat.manifests}/tomcat-websocket.jar"
+-           addOSGi="true"
++           addOSGi="false"
+            addGraal="true"
+            graalPrefix="org.apache.tomcat.embed/tomcat-embed-websocket"
+            graalFiles="res/graal/tomcat-embed-websocket/native-image"

sources

@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.26-src.tar.gz) = 8f430439c66f5a43c7a35bc99edd11549100be28b17fb44e17ec432f72e1797cdebd641a7f19c1d918635e51c164ecd1c9d1399a63abfce05d9a8c37db381837
+SHA512 (apache-tomcat-9.0.39-src.tar.gz) = d13a74789db0fdd9d814296cb66ae1321407b1452e0aa7b4f554c86b9c4f0abbeb9c9c6ab4723740174fe95ade4673c67fb7cb6f220d0d3c71ac27146faf5374

tomcat-9.0-LogFactory.patch

@@ -0,0 +1,20 @@
+diff -up ./java/org/apache/juli/logging/LogFactory.java.orig ./java/org/apache/juli/logging/LogFactory.java
+--- ./java/org/apache/juli/logging/LogFactory.java.orig	2020-11-06 13:22:26.231141049 +0800
++++ ./java/org/apache/juli/logging/LogFactory.java	2020-11-06 13:24:03.941098001 +0800
+@@ -21,8 +21,6 @@ import java.nio.file.FileSystems;
+ import java.util.ServiceLoader;
+ import java.util.logging.LogManager;
+ 
+-import aQute.bnd.annotation.spi.ServiceConsumer;
+-
+ /**
+  * This is a modified LogFactory that uses a simple {@link ServiceLoader} based
+  * discovery mechanism with a default of using JDK based logging. An
+@@ -63,7 +61,6 @@ import aQute.bnd.annotation.spi.ServiceC
+  * @author Costin Manolache
+  * @author Richard A. Sitze
+  */
+-@ServiceConsumer(value=org.apache.juli.logging.Log.class)
+ public class LogFactory {
+ 
+     private static final LogFactory singleton = new LogFactory();

tomcat-9.0-catalina-policy.patch

@@ -1,39 +1,20 @@
---- conf/catalina.policy~	2016-06-17 10:20:17.649171968 -0400
-+++ conf/catalina.policy	2016-06-17 10:23:35.358309244 -0400
-@@ -50,6 +50,36 @@ grant codeBase "file:${java.home}/lib/ex
-         permission java.security.AllPermission;
+--- conf/catalina.policy.orig	2020-04-22 14:51:13.734893403 -0400
++++ conf/catalina.policy	2020-04-22 15:14:57.609677967 -0400
+@@ -51,6 +51,17 @@ grant codeBase "file:${java.home}/lib/ex
  };
  
+ 
 +// ========== RHEL SPECIFIC CODE PERMISSIONS =======================================
 +
++
 +// Allowing everything in /usr/share/java allows too many unknowns to be permitted
 +// Specifying the individual jars that tomcat needs to function with the security manager
 +// is the safest way forward.
-+grant codeBase "file:/usr/share/java/tomcat-servlet-3.0-api.jar" {
-+        permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/tomcat-jsp-2.2-api.jar" {
-+        permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/tomcat-el-2.2-api.jar" {
-+        permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/log4j.jar" {
-+        permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/ecj.jar" {
-+        permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/apache-commons-pool.jar" {
-+        permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/apache-commons-dbcp.jar" {
-+        permission java.security.AllPermission;
-+};
-+grant codeBase "file:/usr/share/java/apache-commons-collections.jar" {
++grant codeBase "file:/usr/share/java/ecj/ecj.jar" {
 +        permission java.security.AllPermission;
 +};
 +
- 
++
  // ========== CATALINA CODE PERMISSIONS =======================================
  
+ 

tomcat-build.patch

@@ -1,12 +1,27 @@
---- build.xml.orig	2018-08-07 10:32:04.994403913 -0400
-+++ build.xml	2018-08-07 10:32:30.874319588 -0400
-@@ -2989,6 +2989,9 @@ Read the Building page on the Apache Tom
-     <path id="bndlib.classpath">
+diff -up ./build.xml.orig ./build.xml
+--- ./build.xml.orig	2020-07-13 12:59:09.555368724 -0400
++++ ./build.xml	2020-07-13 13:06:51.246135917 -0400
+@@ -3307,6 +3307,11 @@ Read the Building page on the Apache Tom
+     <!-- Add bnd tasks to project -->
+     <path id="bnd.classpath">
        <fileset file="${bnd.jar}" />
-       <fileset file="${bndlib.jar}" />
++      <fileset file="${bndlib.jar}" />
 +      <fileset file="${bndlibg.jar}" />
 +      <fileset file="${bndannotation.jar}" />
 +      <fileset file="${slf4j-api.jar}" />
++      <fileset file="${osgi-cmpn.jar}" />
      </path>
  
-     <taskdef resource="aQute/bnd/ant/taskdef.properties" classpathref="bndlib.classpath" />
+     <taskdef resource="aQute/bnd/ant/taskdef.properties" classpathref="bnd.classpath" />
+diff -up ./res/bnd/build-defaults.bnd.orig ./res/bnd/build-defaults.bnd
+--- ./res/bnd/build-defaults.bnd.orig	2020-07-13 13:47:01.229077747 -0400
++++ ./res/bnd/build-defaults.bnd	2020-07-13 13:47:12.923095618 -0400
+@@ -13,7 +13,7 @@
+ # See the License for the specific language governing permissions and
+ # limitations under the License.
+ 
+-Bundle-Version: ${version_cleanup;${version}}
++Bundle-Version: ${version}
+ 
+ Specification-Title: Apache Tomcat
+ Specification-Version: ${version.major.minor}

tomcat.spec

@@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 26
+%global micro_version 39
 %global packdname apache-tomcat-%{version}-src
 %global servletspec 4.0
 %global elspec 3.0
@@ -81,6 +81,10 @@ Source32:      tomcat-named.service
 Patch0:        %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch
 Patch1:        %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch
 Patch2:        %{name}-build.patch
+Patch3:        change-defaults-for-CVE-2020-1938.patch
+Patch4:        %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
+Patch5:        rhbz-1857043.patch
+Patch6:        %{name}-%{major_version}.%{minor_version}-LogFactory.patch
 
 BuildArch:     noarch
 
@@ -206,6 +210,10 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch0 -p0
 %patch1 -p0
 %patch2 -p0
+%patch3 -p0
+%patch4 -p0
+%patch5 -p0
+%patch6 -p0
 
 %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-impl) webapps/examples/WEB-INF/lib/jstl.jar
 %{__ln_s} $(build-classpath tomcat-taglibs-standard/taglibs-standard-compat) webapps/examples/WEB-INF/lib/standard.jar
@@ -234,7 +242,9 @@ export OPT_JAR_LIST="xalan-j2-serializer"
       -Dbndlib.jar="$(build-classpath aqute-bnd/biz.aQute.bndlib)" \
       -Dbndlibg.jar="$(build-classpath aqute-bnd/aQute.libg)" \
       -Dbndannotation.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \
+      -Dosgi-annotations.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.annotation)" \
       -Dslf4j-api.jar="$(build-classpath slf4j/slf4j-api)" \
+      -Dosgi-cmpn.jar="$(build-classpath osgi-compendium/osgi.cmpn)" \
       -Dversion="%{version}" \
       -Dversion.build="%{micro_version}" \
       deploy dist-source
@@ -610,6 +620,41 @@ fi
 %attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out
 
 %changelog
+* Fri Nov 06 2020 Hui Wang <huwang@redhat.com> - 1:9.0.39-1
+- Update to 9.0.39
+- Revert upstream fix d1f4d8712ddb52857f40a8cc4a82bf8b8e013f88 for LogFactory.java because of our lower version of bnd
+
+* Mon Sep 21 2020 Hui Wang <huwang@redhat.com> - 1:9.0.38-2
+- Related: rhbz#1857043 Temporarily remove OSGi metadata from tomcat jars
+
+* Wed Sep 16 2020 Hui Wang <huwang@redhat.com> - 1:9.0.38-1
+- Update to 9.0.38
+
+* Wed Jul 15 2020 Hui Wang <huwang@redhat.com> - 1:9.0.37-1
+- Upgrade to 9.0.37
+
+* Wed Jun 10 2020 Hui Wang <huwang@redhat.com> - 1:9.0.36-1
+- Upgrade to 9.0.36
+
+* Sun May 31 2020 Hui Wang <huwang@redhat.com> - 1:9.0.35-2
+- Upgrade to 9.0.35
+
+* Wed Apr 22 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.34-2
+- Add updated catalina.policy patch to allow ECJ usage under the Security Manager
+
+* Tue Apr 21 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.34-1
+- Update to 9.0.34
+
+* Thu Mar 12 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.31-2
+- Related: rhbz#1806398 Undo changes in defaults for AJP connector (CVE-2020-1938) to prevent breakage, please update your configuration accordingly
+
+* Thu Mar 05 2020 Coty Sutherland <csutherl@redhat.com> - 1:9.0.31-1
+- Update to 9.0.31
+- Resolves: rhbz#1806398 - CVE-2020-1938 tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability
+
+* Fri Dec 20 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.30-1
+- Update to 9.0.30
+
 * Thu Sep 26 2019 Coty Sutherland <csutherl@redhat.com> - 1:9.0.26-1
 - Update to 9.0.26
 - Resolves: rhbz#1523112 tomcat systemd does not cope with - in service names