Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2024-07-10 16:49:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old) and /work/SRC/openSUSE:Factory/.tomcat10.new.2080 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat10" Wed Jul 10 16:49:44 2024 rev:11 rq:1186460 version:10.1.25 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes 2024-04-07 22:13:29.131037286 +0200 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.2080/tomcat10.changes 2024-07-10 16:49:45.808164318 +0200 @@ -1,0 +2,160 @@ +Tue Jul 9 12:52:37 UTC 2024 - Ricardo Mestre <ricardo.mes...@suse.com> + +- Update to Tomcat 10.1.25 + * Fixed CVEs: + + CVE-2024-34750: Improper handling of exceptional conditions + (bsc#1227399) + * Catalina + + Add: Add support for shallow copies when using WebDAV. (markt) + + Code: Deprecate the WebdavFixFilter as it is no longer required. (markt) + + Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64. + Submitted by Daniel Lyko. (remm) + + Add: Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for + retrieving extended/additional information from an established GSS + context. (michaelo) + + Fix: Correct a regression in the fix for 68721 that caused some instances + of LinkageError to be reported as ClassNotFoundException. (markt) + + Fix: Ensure that static resources deployed via a JAR file remain + accessible when the context is configured to use a bloom filter. Based on + pull request #730 provided by bergander. (markt) + + Add: Introduce reference counting so the AprLifecycleListener is more + robust. This particularly targets more complex embedded configurations + with multiple server instances with independent lifecycles where more than + one server instance requires the AprLifecycleListener. (markt) + + Add: Small performance optimization when logging cookies with no values. + (schultz) + + Fix: Correct error handling for asynchronous requests. If the application + performs an dispatch during AsyncListener.onError() the dispatch is now + performed rather than completing the request using the error page + mechanism. (markt) + + Add: Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a + customizable style. (schultz) + + Add: Add more timescale options to AccessLogValve and + ExtendedAccessLogValve. Allow timescales to apply to "time-taken" token in + ExtendedAccessLogValve. (schultz) + + Fix: Fix WebDAV lock null (locks for non existing resources) thread safety + and removal. (remm) + + Fix: Add periodic checking for WebDAV locks expiration. (remm) + + Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo) + + Fix: Remove MBean metadata for attibutes that have been removed. Based on + pull request #719 by Shawn Q. (markt) + + Update: Deprecate and remove sessionCounter (replaced by the addition of + the active session count and the expired session count, as a reasonable + approximation) and duplicates (which does not represent a possible event + in current implementations) statistics from the session manager. (remm) + + Fix: 68890 Align output encoding of JSPs in the Manager webapp with the + XML declarations in those same files. (schultz) + + Fix: Update Basic authentication to implement the requirements of RFC 7617 + including the changing of the trimCredentials setting which is now + defaults to false. Note that the trimCredentials setting will be removed + in Tomcat 11. (markt) + + Fix: Change the thread-safety mechanism for protecting + StandardServer.services from a simple synchronized lock to a + ReentrantReadWriteLock to allow multiple readers to operate + simultaneously. Based upon a suggestion by Markus Wolfe. (schultz) + + Fix: Improve Service connectors, Container children and Service executors + access sync using a ReentrantReadWriteLock. (remm) + + Fix: Improve handling of integer overflow if an attempt is made to upload + a file via the Servlet API and the file is larger than + Integer.MAX_VALUE. (markt) + + Fix: 68862: Handle possible response commit when processing read errors. + (remm) + * Jasper + + Fix: 68546: Small additional optimisation for initial loading of Servlet + code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt) + + Add: Add support for specifying Java 23 (with the value 23) as the + compiler source and/or compiler target for JSP compilation. If used with + an Eclipse JDT compiler version that does not support these values, a + warning will be logged and the default will used. (markt) + * Web applications + + Add: Add the ability to set a sub-title for the Manager web application + main page. This is intended to allow users with lots of instances to + easily distinguish them. Based on pull request #724 by Simon Arame. + (markt) + + Fix: Examples: Improve performance of WebSocket chat application when + multiple clients disconnect at the same time. (markt) + + Update: Examples: Increase the number of previous messages displayed when + using the WebSocket chat application. (markt) + + Fix: Examples: Improve performance of WebSocket snake application when + multiple clients disconnect at the same time. (markt) + * Coyote + + Fix: Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer, and + use ERR_error_string_n instead. (remm) + + Fix: Fix a crash on Windows setting CA certificate on null path. (remm) + + Fix: 69068: Ensure read timouts are triggered for asynchronous, + non-blocking reads when using HTTP/2. (markt) + + Update: 69133: Add task queue size configuration on the Connector element, + similar to the Executor element, for consistency. (remm) + + Fix: Make counting of active HTTP/2 streams per connection more robust. + (markt) + + Add: Add support for TLS 1.3 client initiated re-keying. (markt) + + Fix: Improve the algorithm used to identify the IP address to use to + unlock the acceptor thread when a Connector is listening on all local + addresses. Interfaces that are configured for point to point connections + or are not currently up are now skipped. (markt) + + Fix: Align non-secure and secure writes with NIO and skip the write + attempt when there are no bytes to be written. (markt) + + Fix: Allow any positive value for socket.unlockTimeout. If a negative or + zero value is configured, the default of 250ms will be used. (mark) + + Fix: Reduce the time spent waiting for the connector to unlock. The + previous default of 10s was noticeably too long for cases where the unlock + has failed. The wait time is now 100ms plus twice socket.unlockTimeout. + (markt) + + Fix: Ensure that the onAllDataRead() event is triggered when the request + body uses chunked encoding and is read using non-blocking IO. (markt) + + Fix: 68934: Add debug logging in the latch object when exceeding + maxConnections. (remm) + + Fix: Refactor trailer field handling to use a MimeHeaders instance to + store trailer fields. (markt) + + Fix: Ensure that multiple instances of the same trailer field are handled + correctly. (markt) + + Fix: Fix non-blocking reads of chunked request bodies. (markt) + + Fix: When an invalid HTTP response header was dropped, an off-by-one error + meant that the first header in the response was also dropped. Fix based on + pull request #710 by foremans. (markt) + + Fix: Fix bnd jar descriptor to include the OpenSSL FFM support. (remm) + + Fix: Add OpenSSL FFM classes to tomcat-embed-core.jar. (remm) + + Add: Add OpenSSL integration using the FFM API rather than Tomcat Native. + OpenSSL support may be enabled by adding the + org.apache.catalina.core.OpenSSLLifecycleListener listener on the Server + element when using Java 22 or later. (remm) + * WebSocket + + Fix: 68884: Reduce the write timeout when writing WebSocket close messages + for abnormal closes. The timeout defaults to 50 milliseconds and may be + controlled using the + org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT property + in the user properties collection associated with the WebSocket session. + (markt) + * Other + + Update: Revert Derby to 10.16.1.1 as that is the latest version of Derby + that runs on Java 17. (markt) + + Update: Update to Commons Daemon 1.4.0. (markt) + + Update: Update to Objenesis 3.4. (markt) + + Update: Update to Checkstyle 10.17.0. (markt) + + Update: Update to SpotBugs 4.8.5. (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations by tak7iji. (markt) + + Update: Switch to using the Base64 encoder and decoder provided by the JRE + rather than the version provided by Commons Codec. The internal fork of + Commons Codec has been deprecated and will be removed in Tomcat 11. + (markt) + + Update: Update NSIS to 3.10. (mark0t) + + Update: Update UnboundID to 7.0.0. (markt) + + Update: Update Checkstyle to 10.16.0. (markt) + + Update: Update JaCoCo to 0.8.12. (markt) + + Update: Update SpotBugs to 4.8.4. (markt) + + Update: Update the internal fork of Apache Commons BCEL to 6.9.0. (markt) + + Update: Update the internal fork of Apache Commons DBCP to 2.12.0. (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations by tak7iji. (markt) + + Fix: Release re-built using correct JDK version. + + Update: Update the internal fork of Apache Commons BCEL to 6.8.2. (markt) + + Update: Update the internal fork of Apache Commons Codec to 1.16.1. + (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations by tak7iji. (remm) + + Add: Improvements to Chinese translations by leeyazhou. (remm) +- Modified patch: + * tomcat-10.1-build-with-java-11.patch + + rediff to changed context +------------------------------------------------------------------- Old: ---- apache-tomcat-10.1.20-src.tar.gz apache-tomcat-10.1.20-src.tar.gz.asc New: ---- apache-tomcat-10.1.25-src.tar.gz apache-tomcat-10.1.25-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat10.spec ++++++ --- /var/tmp/diff_new_pack.ErvjZc/_old 2024-07-10 16:49:47.092211465 +0200 +++ /var/tmp/diff_new_pack.ErvjZc/_new 2024-07-10 16:49:47.092211465 +0200 @@ -29,7 +29,7 @@ %define elspec %{elspec_major}.%{elspec_minor} %define major_version 10 %define minor_version 1 -%define micro_version 20 +%define micro_version 25 %define java_major 1 %define java_minor 11 %define java_version %{java_major}.%{java_minor} ++++++ apache-tomcat-10.1.20-src.tar.gz -> apache-tomcat-10.1.25-src.tar.gz ++++++ ++++ 72966 lines of diff (skipped) ++++++ tomcat-10.1-build-with-java-11.patch ++++++ --- /var/tmp/diff_new_pack.ErvjZc/_old 2024-07-10 16:49:48.288255382 +0200 +++ /var/tmp/diff_new_pack.ErvjZc/_new 2024-07-10 16:49:48.292255529 +0200 @@ -1,14 +1,14 @@ -Index: apache-tomcat-10.1.18-src/build.xml +Index: apache-tomcat-10.1.25-src/build.xml =================================================================== ---- apache-tomcat-10.1.18-src.orig/build.xml -+++ apache-tomcat-10.1.18-src/build.xml +--- apache-tomcat-10.1.25-src.orig/build.xml ++++ apache-tomcat-10.1.25-src/build.xml @@ -108,7 +108,7 @@ <!-- Keep in sync with webapps/docs/tomcat-docs.xsl --> <property name="compile.release" value="11"/> <property name="min.java.version" value="11"/> - <property name="build.java.version" value="17"/> + <property name="build.java.version" value="11"/> + <property name="release.java.version" value="22"/> <!-- Check Java Build Version --> - <fail message="Java version ${build.java.version} or newer is required (${java.version} is installed)">