diff --git a/9.0.98.tar.gz b/9.0.104.tar.gz
similarity index 48%
rename from 9.0.98.tar.gz
rename to 9.0.104.tar.gz
index 114aae1900677c566ab1c6c524f434c007f1a519..119e74d753cee316923aba64aebed7fac5be1091 100644
Binary files a/9.0.98.tar.gz and b/9.0.104.tar.gz differ
diff --git a/bugfix-for-cve-2025-24813.patch b/bugfix-for-cve-2025-24813.patch
deleted file mode 100644
index a35527b0d15481ccf9f1d636374fb3d0b177c051..0000000000000000000000000000000000000000
--- a/bugfix-for-cve-2025-24813.patch
+++ /dev/null
@@ -1,75 +0,0 @@ -From eb61aade8f8daccaecabf07d428b877975622f72 Mon Sep 17 00:00:00 2001 -From: remm -Date: Fri, 24 Jan 2025 15:06:02 +0100 -Subject: [PATCH] Enhance lifecycle of temporary files used by partial PUT - -Delete temporary file right after finishing request processing. -Simplify using createTempFile. ---- - .../catalina/servlets/DefaultServlet.java | 17 +++++++---------- - webapps/docs/changelog.xml | 3 +++ - 2 files changed, 10 insertions(+), 10 deletions(-) - -diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java -index 34b6f4379ecf..0886155e3a41 100644 ---- a/java/org/apache/catalina/servlets/DefaultServlet.java -+++ b/java/org/apache/catalina/servlets/DefaultServlet.java -@@ -625,7 +625,7 @@ protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws Se - } - - InputStream resourceInputStream = null; -- -+ File tempContentFile = null; - try { - // Append data specified in ranges to existing content for this - // resource - create a temp. file on the local filesystem to -@@ -634,8 +634,8 @@ protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws Se - if (range == IGNORE) { - resourceInputStream = req.getInputStream(); - } else { -- File contentFile = executePartialPut(req, range, path); -- resourceInputStream = new FileInputStream(contentFile); -+ tempContentFile = executePartialPut(req, range, path); -+ resourceInputStream = new FileInputStream(tempContentFile); - } - - if (resources.write(path, resourceInputStream, true)) { -@@ -659,6 +659,9 @@ protected void doPut(HttpServletRequest req, HttpServletResponse resp) throws Se - // Ignore - } - } -+ if (tempContentFile != null) { -+ tempContentFile.delete(); -+ } - } - } - -@@ -681,13 +684,7 @@ protected File executePartialPut(HttpServletRequest req, Range range, String pat - // resource - create a temp. 
file on the local filesystem to - // perform this operation - File tempDir = (File) getServletContext().getAttribute(ServletContext.TEMPDIR); -- // Convert all '/' characters to '.' in resourcePath -- String convertedResourcePath = path.replace('/', '.'); -- File contentFile = new File(tempDir, convertedResourcePath); -- if (contentFile.createNewFile()) { -- // Clean up contentFile when Tomcat is terminated -- contentFile.deleteOnExit(); -- } -+ File contentFile = File.createTempFile("put-part-", null, tempDir); - - try (RandomAccessFile randAccessContentFile = new RandomAccessFile(contentFile, "rw")) { - -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index cf2fa86bfcfa..84fbc23e0136 100644 ---- a/webapps/docs/changelog.xml -+++ b/webapps/docs/changelog.xml -@@ -222,6 +222,9 @@ - Add DataSource based property storage for the - WebdavServlet. (remm) - -+ -+ Enhance lifecycle of temporary files used by partial PUT. (remm) -+ - - - diff --git a/bugfix-for-cve-2025-31650.patch b/bugfix-for-cve-2025-31650.patch deleted file mode 100644 index 81a11b573df4fc1604e6f01dbb1f796d2a819468..0000000000000000000000000000000000000000 --- a/bugfix-for-cve-2025-31650.patch +++ /dev/null 
@@ -1,67 +0,0 @@ -From 91b39b33d725e82f7a9c9bcdf2ac1d6fda761ef3 Mon Sep 17 00:00:00 2001 -From: Mark Thomas -Date: Wed, 19 Mar 2025 03:47:11 +0000 -Subject: [PATCH] Improve handling of unexpected errors during HTTP/2 - processing - ---- - java/org/apache/coyote/http2/Http2UpgradeHandler.java | 8 ++++++++ - java/org/apache/coyote/http2/LocalStrings.properties | 1 + - webapps/docs/changelog.xml | 3 +++ - 3 files changed, 12 insertions(+) - -diff --git a/java/org/apache/coyote/http2/Http2UpgradeHandler.java b/java/org/apache/coyote/http2/Http2UpgradeHandler.java -index a45a354..2c4880a 100644 ---- a/java/org/apache/coyote/http2/Http2UpgradeHandler.java -+++ b/java/org/apache/coyote/http2/Http2UpgradeHandler.java -@@ -47,6 +47,7 @@ import org.apache.coyote.http2.Http2Parser.Input; - import org.apache.coyote.http2.Http2Parser.Output; - import org.apache.juli.logging.Log; - import org.apache.juli.logging.LogFactory; -+import org.apache.tomcat.util.ExceptionUtils; - import org.apache.tomcat.util.http.MimeHeaders; - import org.apache.tomcat.util.http.parser.Priority; - import org.apache.tomcat.util.log.UserDataHelper; -@@ -439,6 +440,13 @@ class Http2UpgradeHandler extends AbstractStream implements InternalHttpUpgradeH - log.debug(sm.getString("upgradeHandler.ioerror", connectionId), ioe); - } - close(); -+ } catch (Throwable t) { -+ ExceptionUtils.handleThrowable(t); -+ if (log.isDebugEnabled()) { -+ log.debug(sm.getString("upgradeHandler.throwable", connectionId), t); -+ } -+ // Unexpected errors close the connection. 
-+ close(); - } - - if (log.isTraceEnabled()) { -diff --git a/java/org/apache/coyote/http2/LocalStrings.properties b/java/org/apache/coyote/http2/LocalStrings.properties -index 6ab82e8..82251c9 100644 ---- a/java/org/apache/coyote/http2/LocalStrings.properties -+++ b/java/org/apache/coyote/http2/LocalStrings.properties -@@ -159,6 +159,7 @@ upgradeHandler.stream.error=Connection [{0}], Stream [{1}] Closed due to error - upgradeHandler.stream.even=A new remote stream ID of [{0}] was requested but all remote streams must use odd identifiers - upgradeHandler.stream.notWritable=Connection [{0}], Stream [{1}], This stream is in state [{2}] and is not writable - upgradeHandler.stream.old=A new remote stream ID of [{0}] was requested but the most recent stream was [{1}] -+upgradeHandler.throwable=Connection [{0}] - upgradeHandler.tooManyRemoteStreams=The client attempted to use more than [{0}] active streams - upgradeHandler.tooMuchOverhead=Connection [{0}], Too much overhead so the connection will be closed - upgradeHandler.unexpectedAck=Connection [{0}], Stream [{1}], A settings acknowledgement was received when not expected -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index 1b9bc9e..cf70b67 100644 ---- a/webapps/docs/changelog.xml -+++ b/webapps/docs/changelog.xml -@@ -225,6 +225,9 @@ - - Enhance lifecycle of temporary files used by partial PUT. (remm) - -+ -+ Improve handling of unexpected errors during HTTP/2 processing. (markt) -+ - - - --- -2.39.3 - diff --git a/tomcat.spec b/tomcat.spec index a9664696b9e19ee89e595d24067cacdff58e7f95..0e813f8eedf1553cfbc67282ec1389980cb12340 100644 --- a/tomcat.spec +++ b/tomcat.spec 
@@ -1,15 +1,15 @@ -%define anolis_release 3 +%define anolis_release 1 %global jspspec 2.3 %global major_version 9 %global minor_version 0 -%global micro_version 98 +%global micro_version 104 %global packdname tomcat-%{version} %global servletspec 4.0 %global elspec 3.0 %global tcuid 53 # Recommended version is specified in java/org/apache/catalina/core/AprLifecycleListener.java -%global native_version 1.2.38 +%global native_version 1.2.21 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/ @@ -31,7 +31,8 @@ Version: %{major_version}.%{minor_version}.%{micro_version} Release: %{anolis_release}%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API -License: ASL 2.0 +# Automatically converted from old format: ASL 2.0 - review is highly recommended. +License: Apache-2.0 URL: http://tomcat.apache.org/ Source0: https://github.com/apache/tomcat/archive/refs/tags/%{version}.tar.gz Source1: %{name}-%{major_version}.%{minor_version}.conf @@ -54,11 +55,6 @@ Patch3: %{name}-%{major_version}.%{minor_version}-catalina-policy.patch Patch4: rhbz-1857043.patch Patch6: %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch -# https://github.com/apache/tomcat/commit/eb61aade8f8daccaecabf07d428b877975622f72 -Patch7: bugfix-for-cve-2025-24813.patch -#https://github.com/apache/tomcat/commit/b7674782679e1514a0d154166b1d04d38aaac4a9 -Patch8: bugfix-for-cve-2025-31650.patch - BuildArch: noarch BuildRequires: ant @@ -70,7 +66,7 @@ BuildRequires: aqute-bnd BuildRequires: aqute-bndlib BuildRequires: systemd -Requires: java-headless >= 1:1.8.0 +Requires: (java-headless >= 1:1.8 or java-1.8.0-headless or java-11-headless or java-17-headless or java-21-headless or java >= 1:1.8) Requires: javapackages-tools Requires: %{name}-lib = %{EVR} Recommends: tomcat-native >= %{native_version} 
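Review bot: `%global native_version` moves backwards from 1.2.38 to 1.2.21, which lowers the `Recommends: tomcat-native >= %{native_version}` floor in the `@@ -70,7 +66,7 @@` hunk; a version update to 9.0.104 should not reduce the recommended native library level. The comment directly above says the recommended value comes from java/org/apache/catalina/core/AprLifecycleListener.java, so check that file in the 9.0.104 tree and set the macro to the value it names, presumably no lower than the 1.2.38 this spec already carried. If the lower value is intentional, a one-line comment stating why would save the next reviewer the same question.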
@@ -109,7 +105,7 @@ The docs web application for Apache Tomcat. %package jsp-%{jspspec}-api Summary: Apache Tomcat JavaServer Pages v%{jspspec} API Implementation Classes Provides: jsp = %{jspspec} -Obsoletes: %{name}-jsp-2.2-api < 2.3 +Obsoletes: %{name}-jsp-2.2-api Requires: %{name}-servlet-%{servletspec}-api = %{EVR} Requires: %{name}-el-%{elspec}-api = %{EVR} @@ -132,7 +128,7 @@ Summary: Apache Tomcat Java Servlet v%{servletspec} API Implementation Classes Provides: servlet = %{servletspec} Provides: servlet6 Provides: servlet3 -Obsoletes: %{name}-servlet-3.1-api < 4.0 +Obsoletes: %{name}-servlet-3.1-api %description servlet-%{servletspec}-api Apache Tomcat Servlet API Implementation Classes. @@ -140,7 +136,7 @@ Apache Tomcat Servlet API Implementation Classes. %package el-%{elspec}-api Summary: Apache Tomcat Expression Language v%{elspec} API Implementation Classes Provides: el_api = %{elspec} -Obsoletes: %{name}-el-2.2-api < 3.0 +Obsoletes: %{name}-el-2.2-api %description el-%{elspec}-api Apache Tomcat EL API Implementation Classes. @@ -425,7 +421,7 @@ fi %files %defattr(0664,root,tomcat,0755) -%license LICENSE +%doc {LICENSE,NOTICE,RELEASE*} %attr(0755,root,root) %{_bindir}/%{name}-digest %attr(0755,root,root) %{_bindir}/%{name}-tool-wrapper %attr(0755,root,root) %{_sbindir}/%{name} @@ -506,13 +502,13 @@ fi %{_javadir}/%{name}-jsp-api.jar %files servlet-%{servletspec}-api -f .mfiles-tomcat-servlet-api -%license LICENSE +%doc LICENSE %{_javadir}/%{name}-servlet-%{servletspec}*.jar %{libdir}/%{name}-servlet-%{servletspec}*.jar %{_javadir}/%{name}-servlet-api.jar %files el-%{elspec}-api -f .mfiles-tomcat-el-api -%license LICENSE +%doc LICENSE %{_javadir}/%{name}-el-%{elspec}-api.jar %{libdir}/%{name}-el-%{elspec}-api.jar %{_javadir}/%{name}-el-api.jar 
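Review bot: `Obsoletes: %{name}-jsp-2.2-api` drops the version bound the old line had (`< 2.3`), and the same happens to `%{name}-servlet-3.1-api` in `@@ -132,7 +128,7 @@` and `%{name}-el-2.2-api` in `@@ -140,7 +136,7 @@`. An unversioned Obsoletes also swallows any future package of that name and is what rpmlint reports as unversioned-explicit-obsoletes; keeping the bound, e.g. `Obsoletes: %{name}-jsp-2.2-api < 2.3`, preserves the original intent. If the bound was removed because the old packages carry an epoch the comparison misses, a comment saying so is better than dropping it silently.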
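Review bot: `%license LICENSE` in the main `%files` section is replaced by `%doc {LICENSE,NOTICE,RELEASE*}`, and the servlet and el api subpackages in `@@ -506,13 +502,13 @@` switch to `%doc LICENSE`; files marked `%doc` are skipped when the package is installed with `--excludedocs`, so the license text can be missing from an installed system, whereas `%license` is always installed. Keep `%license LICENSE` as it was and, if NOTICE and RELEASE* are wanted in the main package, list them on a separate `%doc NOTICE RELEASE*` line.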
@@ -525,6 +521,9 @@ fi %doc {NOTICE,RELEASE*} %changelog +* Wed Apr 09 2025 Packit - 1:9.0.104-1 +- Update to version 9.0.104 to fix CVE-2025-31651 + * Sun May 11 2025 yangjinglin01 - 1:9.0.98-3 - Fix CVE-2025-31650
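Review bot: The new `%changelog` entry dated `Wed Apr 09 2025` is placed above the existing one dated `Sun May 11 2025`, so the log is no longer in descending chronological order, which rpmbuild reports as `%changelog not in descending chronological order`; either the date of the 9.0.104 entry is wrong or it belongs below the other entry, so check which. The entry also records only CVE-2025-31651, while the same change drops `bugfix-for-cve-2025-24813.patch` and `bugfix-for-cve-2025-31650.patch` (`@@ -54,11 +55,6 @@` in this file), presumably because the 9.0.104 source already contains those fixes. A second line such as `- Drop Patch7/Patch8 for CVE-2025-24813 and CVE-2025-31650, included in upstream 9.0.104` would keep the security history of the package traceable from the changelog alone.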