Hello community,

here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2024-01-18 21:53:42
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old)
 and /work/SRC/openSUSE:Factory/.tomcat10.new.16006 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat10" Thu Jan 18 21:53:42 2024 rev:4 rq:1139643 version:10.1.18 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes 2024-01-16 21:38:54.554496249 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.16006/tomcat10.changes 2024-01-18 21:54:21.254833544 +0100 
@@ -1,0 +2,149 @@ +Wed Jan 17 15:59:25 UTC 2024 - Michele Bussolotto <michele.bussolo...@suse.com> + +- Update to Tomcat 10.1.18 + * Fixed CVEs: + + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to + incorrect headers parsing (bsc#1217649) + * Catalina + + Update: 68378: Align extension to MIME type mappings in the + global web.xml with those in httpd by adding + application/vnd.geogebra.slides for ggs, text/javascript for mjs + and audio/ogg for opus. (markt) + + Fix: Background processes should not be run concurrently with + lifecycle operations of a container. (remm) + + Fix: Correct unintended escaping of XML in some WebDAV + responses. The XML list of support locks when provided in + response to a PROPFIND request was incorrectly XML escaped. + (markt) + + Fix: 68227: Ensure that AsyncListener.onComplete() is called + if AsyncListener.onError() calls AsyncContext.dispatch(). + (markt) + + Fix: 68228: Use a 408 status code if a read timeout occurs + during HTTP request processing. Includes a test case based on + code provided by adwsingh. (markt) + + Fix: 67667: TLSCertificateReloadListener prints unreadable + rendering of X509Certificate#getNotAfter(). (michaelo) + + Update: The status servlet included in the manager webapp + can now output statistics as JSON, using the JSON=true URL + parameter. (remm) + + Update: Optionally allow ServiceBindingPropertySource to + trim a trailing newline from a file containing a + property-value. (schultz) + + Fix: 67793: Ensure the original session timeout is restored + after FORM authentication if the user refreshes a page during + the FORM authentication process. Based on a suggestion by + Mircea Butmalai. (markt) + + Update: 67926: PEMFile prints unidentifiable string + representation of ASN.1 OIDs. (michaelo) + + Fix: 66875: Ensure that setting the request attribute + jakarta.servlet.error.exception is not sufficient to trigger + error handling for the current request and response. 
(markt) + + Fix: 68054: Avoid some file canonicalization calls + introduced by the fix for 65433. (remm) + + Fix: 68089: Improve performance of request attribute access + for ApplicationHttpRequest and ApplicationRequest. (markt) + + Fix: Use a 400 status code to report an error due to a bad + request (e.g. an invalid trailer header) rather than a 500 + status code. (markt) + + Fix: Ensure that an IOException during the reading of the + request triggers always error handling, regardless of whether + the application swallows the exception. (markt) + * Coyote + + Fix: Refactor the VirtualThreadExecutor so that it can be + used by the NIO2 connector which was using platform threads + even when configured to use virtual threads. (markt) + + Fix: Correct a regression in the fix for 67675 that broke + TLS key file parsing for PKCS#8 format keys that do not specify + an explicit pseudo-random function and rely on the default. + This typically affects keys generated by OpenSSL 1.0.2. + (markt) + + Fix: Allow multiple operations with the same name on + introspected mbeans, fixing a regression caused by the + introduction of a second addSslHostConfig method. (remm) + + Fix: Relax the check that the HTTP Host header is consistent + with the host used in the request line, if any, to make the + check case insensitive since host names are case insensitive. + (markt) + + Add: 68348: Add support for the partitioned attribute for + cookies. (markt) + + Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and + SSLHostConfig#certificateKeystorePasswordFile. (michaelo) + + Add: When calling + SSLHostConfigCertificate.setCertificateKeystore(ks), + automatically call setCertificateKeystoreType(ks.getType()). + (markt) + + Fix: 67628: Clarify how the ciphers attribute of the + SSLHostConfig is used. 
(markt) + + Fix: 67666: Ensure TLS connectors using PEM files either + work with the TLSCertificateReloadListener or, in the rare case + that they do not, log a warning on Connector start. (markt) + + Fix: 67675: Support a wider range of KDF and ciphers for PEM + files than the combinations supported by the JVM by default. + Specifically, support the OpenSSL default of HmacSHA256 and + DES-EDE3-CBC. (markt) + + Fix: 67927: Reloading TLS configuration can cause the + Connector to refuse new connections or the JVM to crash. + (markt) + + Fix: 67934: If both Tomcat Native 1.2.x and 2.0.x are + available, prefer 1.2.x since it supports the APR/Native + connector whereas 2.0.x does not. (markt) + + Fix: 67938: Correct handling of large TLS client hello + messages that were causing the TLS handshake to fail. (markt) + + Fix: 68026: Convert selected MessageByte values to String + when first accessed to speed up subsequent accesses and reduce + garbage collection. (markt) + * Jasper + + Code: 68119: Refactor the CompositeELResolver to improve + performance during type conversion operations. (markt) + + Fix: 68068: Performance improvement for EL. Based on a + suggestion by John Engebretson. (markt) + * Web Applications + + Fix: 68035: Additional fix to the Manager application to + enable the deployment of a web application located in a Host's + appBase where the web application is specified by a bare (no + path) WAR or directory name as shown in the documentation. + (markt) + + Fix: Examples. Improve the error handling so snakes + associated with a user that drops from the network are removed + from the game. (markt) + + Fix: 68035: Correct a regression in the fix for 56248 that + prevented deployment via the Manager of a WAR or directory that + was already present in the appBase or a context file that was + already present in the xmlBase. (markt) + * Other + + Update: Update Checkstyle to 10.12.7. (markt) + + Update: Update SpotBugs to 4.8.3. 
(markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations by tak7iji. + (markt) + + Update: Update UnboundID to 6.0.11. (markt) + + Update: Update Checkstyle to 10.12.5. (markt) + + Update: Update SpotBugs to 4.8.2. (markt) + + Update: Update Derby to 10.17.1. (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations by tak7iji. + (markt) + + Add: Improvements to Brazilian Portuguese translations by + John William Vicente. (markt) + + Add: Improvements to Russian translations by usmazat and + remm. (markt) + + Add: 67538: Make use of Ant's <javaversion /> task to enfore + the mininum Java build version. (michaelo) + + Update: Update Checkstyle to 10.12.4. (markt) + + Update: Update JaCoCo to 0.8.11. (markt) + + Update: Update SpotBugs to 4.8.0. (markt) + + Update: Update BND to 7.0.0. (markt) + + Update: The minimum Java version required to build Tomcat + has been raised to Java 17. (markt) + + Update: Update the OWB module to Apache OpenWebBeans 4.0.0. 
+ (remm) +- Added patches: + * tomcat-10.1-build-with-java-11.patch + +------------------------------------------------------------------- +Wed Jan 17 15:35:51 UTC 2024 - Michele Bussolotto <michele.bussolo...@suse.com> + +- change server.xml during %post instead of %posttrans +- add libxslt-tools requirement + +------------------------------------------------------------------- Old: ---- apache-tomcat-10.1.14-src.tar.gz apache-tomcat-10.1.14-src.tar.gz.asc New: ---- apache-tomcat-10.1.18-src.tar.gz apache-tomcat-10.1.18-src.tar.gz.asc tomcat-10.1-build-with-java-11.patch BETA DEBUG BEGIN: New:- Added patches: * tomcat-10.1-build-with-java-11.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat10.spec ++++++ --- /var/tmp/diff_new_pack.vZuHBE/_old 2024-01-18 21:54:22.026861581 +0100 +++ /var/tmp/diff_new_pack.vZuHBE/_new 2024-01-18 21:54:22.026861581 +0100 @@ -29,7 +29,7 @@ %define elspec %{elspec_major}.%{elspec_minor} %define major_version 10 %define minor_version 1 -%define micro_version 14 +%define micro_version 18 %define java_major 1 %define java_minor 11 %define java_version %{java_major}.%{java_minor} @@ -92,6 +92,7 @@ Patch6: %{app_name}-secretRequired-default.patch Patch7: %{app_name}-fix_catalina.patch Patch8: %{app_name}-logrotate_everything.patch +Patch9: tomcat-10.1-build-with-java-11.patch BuildRequires: ant >= 1.10.2 BuildRequires: ant-antlr BuildRequires: apache-commons-collections @@ -111,7 +112,6 @@ BuildRequires: java-devel >= 11 BuildRequires: javapackages-local BuildRequires: junit -BuildRequires: libxslt-tools BuildRequires: osgi-annotation BuildRequires: osgi-compendium BuildRequires: osgi-core @@ -132,6 +132,7 @@ Requires: jakarta-servlet Requires: java >= %{java_version} Requires(post): %fillup_prereq +Requires(post): libxslt-tools Requires(pre): shadow Requires: libtcnative-1-0 >= 1.2.38 Requires: logrotate 
@@ -150,6 +151,7 @@ Summary: The host manager and manager web applications for Apache Tomcat Group: Productivity/Networking/Web/Servers Requires: %{name} = %{version}-%{release} +Requires(post): libxslt-tools Conflicts: %{app_name}-admin-webapps %description admin-webapps @@ -167,6 +169,7 @@ Summary: The "docs" web application for Apache Tomcat Group: Productivity/Networking/Web/Servers Requires: %{name} = %{version}-%{release} +Requires(post): libxslt-tools Conflicts: %{app_name}-docs-webapp %description docs-webapp @@ -261,6 +264,7 @@ Group: Productivity/Networking/Web/Servers Requires: %{name} = %{version}-%{release} Requires: jakarta-taglibs-standard >= 1.1 +Requires(post): libxslt-tools Conflicts: %{app_name}-webapps %description webapps @@ -587,6 +591,7 @@ %post %service_add_post %{app_name}.service %{fillup_only %{app_name}} +xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml %preun %service_del_preun %{app_name}.service @@ -696,9 +701,6 @@ ln -sf %{tomcatappdir}/docs %{_datadir}/%{app_name}/webapps/docs fi -%posttrans -xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml - %files %doc {LICENSE,NOTICE,RELEASE*} %attr(0755,root,root) %{_bindir}/%{app_name}-digest ++++++ apache-tomcat-10.1.14-src.tar.gz -> apache-tomcat-10.1.18-src.tar.gz ++++++ ++++ 25154 lines of diff (skipped) ++++++ tomcat-10.1-build-with-java-11.patch ++++++ Index: apache-tomcat-10.1.18-src/build.xml =================================================================== --- apache-tomcat-10.1.18-src.orig/build.xml +++ apache-tomcat-10.1.18-src/build.xml 
@@ -108,7 +108,7 @@ <!-- Keep in sync with webapps/docs/tomcat-docs.xsl --> <property name="compile.release" value="11"/> <property name="min.java.version" value="11"/> - <property name="build.java.version" value="17"/> + <property name="build.java.version" value="11"/> <!-- Check Java Build Version --> <fail message="Java version ${build.java.version} or newer is required (${java.version} is installed)">
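
Review bot: In the tomcat10.spec hunk at @@ -587,6 +591,7 @@, the xsltproc line added to %post names %{confdir}/server.xml as both the input and the --output target, with no exit-status check and no copy kept, so nothing protects the live server configuration if the transform fails partway through an install or update. Suggest writing the result to a temporary file in %{confdir} and moving it over server.xml only when xsltproc succeeds, keeping the original owner and mode. The same line was carried over unchanged from the removed %posttrans block (@@ -696,9 +701,6 @@), so the move is a good moment to harden it.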
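
Review bot: Requires(post): libxslt-tools is added to the admin-webapps, docs-webapp and webapps subpackages (hunks at @@ -150,6 +151,7 @@, @@ -167,6 +169,7 @@ and @@ -261,6 +264,7 @@), but the only xsltproc call visible in this diff is the one in the main package's %post. If the subpackage scriptlets do not run xsltproc themselves, the dependency belongs on the main package alone and these three lines can be dropped; if they do, the changes entry should say so, since "add libxslt-tools requirement" does not explain why four packages need it.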
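
Review bot: In tomcat-10.1-build-with-java-11.patch (build.xml, @@ -108,7 +108,7 @@), the changed build.java.version property sits under the context comment "Keep in sync with webapps/docs/tomcat-docs.xsl", yet the patch touches only build.xml, so the two files may now state different build requirements. The patch also has no description header, and the changes entry lists it under "Added patches" without a reason, while the same entry records that "The minimum Java version required to build Tomcat has been raised to Java 17". Suggest adding a short header to the patch and a line in tomcat10.changes saying why the upstream value is lowered to 11, and checking whether tomcat-docs.xsl needs the matching change.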
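
Review bot: In the tomcat10.changes hunk (@@ -1,0 +2,149 @@), the "Other" list carries the tooling updates of every merged upstream release instead of the final state: Checkstyle is updated to 10.12.7, 10.12.5 and 10.12.4, SpotBugs to 4.8.3, 4.8.2 and 4.8.0, and the French and Japanese translation lines appear twice. Suggest collapsing these to the versions actually shipped in 10.1.18 so the one security-relevant line, CVE-2023-46589 (bsc#1217649), is not buried, and fixing "enfore the mininum" in the 67538 item while editing.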