commit tomcat for openSUSE:Factory

2024-10-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2024-10-03 17:40:54

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.19354 (New)


Package is "tomcat"

Thu Oct  3 17:40:54 2024 rev:110 rq:1205527 version:9.0.91

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2024-09-30 
15:40:15.908681891 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.19354/tomcat.changes 2024-10-03 
17:41:54.600060032 +0200
@@ -1,0 +2,5 @@
+Thu Oct  3 13:17:03 UTC 2024 - Fridrich Strba 
+
+- Adapt the scripts to run also with javapackages-tools >= 6.3
+
+---



Other differences:
--

++ tomcat-9.0-digest.script ++
--- /var/tmp/diff_new_pack.Ji12xw/_old  2024-10-03 17:41:55.564100210 +0200
+++ /var/tmp/diff_new_pack.Ji12xw/_new  2024-10-03 17:41:55.568100377 +0200
@@ -3,6 +3,9 @@
 # tomcat-digest script
 # JPackage Project 
 
+# Set default JAVA_HOME
+export JAVA_HOME="${JAVA_HOME:-%{?java_home}}"
+
 # Source functions library
 if [ -f /usr/share/java-utils/java-functions ] ; then
   . /usr/share/java-utils/java-functions
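
Review bot: the added `export JAVA_HOME="${JAVA_HOME:-%{?java_home}}"` line has no fallback for the case where `%{?java_home}` expands to nothing. With the conditional `?` form, an undefined macro leaves `${JAVA_HOME:-}`, so an empty JAVA_HOME is exported to java-functions and to every process the script starts. Suggest exporting only when the result is non-empty. Please also confirm that this source file is macro-expanded during the build, since otherwise the literal `%{?java_home}` text ships in the installed script.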

++ tomcat-9.0-tool-wrapper.script ++
--- /var/tmp/diff_new_pack.Ji12xw/_old  2024-10-03 17:41:55.624102710 +0200
+++ /var/tmp/diff_new_pack.Ji12xw/_new  2024-10-03 17:41:55.628102877 +0200
@@ -3,6 +3,9 @@
 # tomcat-digest script
 # JPackage Project 
 
+# Set default JAVA_HOME
+export JAVA_HOME="${JAVA_HOME:-%{?java_home}}"
+
 # Source functions library
 if [ -f /usr/share/java-utils/java-functions ] ; then
   . /usr/share/java-utils/java-functions
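
Review bot: the header comment at the top of this hunk still reads `# tomcat-digest script` although the file is tomcat-9.0-tool-wrapper.script, and the three added lines are a verbatim copy of the ones added to tomcat-9.0-digest.script. Suggest correcting the header while the file is being touched, and keeping the JAVA_HOME default in one place that both wrappers source so the two copies cannot drift.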


commit tomcat for openSUSE:Factory

2024-09-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2024-09-30 15:39:49

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.29891 (New)


Package is "tomcat"

Mon Sep 30 15:39:49 2024 rev:109 rq:1204557 version:9.0.91

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2024-07-09 
20:06:16.289685020 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.29891/tomcat.changes 2024-09-30 
15:40:15.908681891 +0200
@@ -1,0 +2,5 @@
+Sun Sep 29 19:42:03 UTC 2024 - Fridrich Strba 
+
+- Fix build after removal of the default %%{java_home} define
+
+---



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.xM0rP1/_old  2024-09-30 15:40:16.792718713 +0200
+++ /var/tmp/diff_new_pack.xM0rP1/_new  2024-09-30 15:40:16.792718713 +0200
@@ -457,7 +457,7 @@
 # install sample webapp
 mkdir -p %{buildroot}%{tomcatappdir}/sample
 pushd %{buildroot}%{tomcatappdir}/sample
-%jar xf %{buildroot}%{tomcatappdir}/docs/appdev/sample/sample.war
+jar xf %{buildroot}%{tomcatappdir}/docs/appdev/sample/sample.war
 popd
 
 pushd %{buildroot}%{tomcatappdir}/examples/WEB-INF/lib
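
Review bot: the replacement `jar xf ...` resolves `jar` through PATH, so which JDK unpacks sample.war now depends on the build environment rather than on a macro the spec controls. If that is intended after the removal of the default `%{java_home}` define, a short comment above the line would say so. This hunk changes only one call site, so the rest of the spec should be checked for other uses of `%jar` and related macros.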


commit tomcat for openSUSE:Factory

2024-04-07 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2024-04-07 22:11:12

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1905 (New)


Package is "tomcat"

Sun Apr  7 22:11:12 2024 rev:107 rq:1165770 version:9.0.87

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2024-03-06 
23:05:55.756355449 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1905/tomcat.changes  2024-04-07 
22:13:22.782804801 +0200
@@ -1,0 +2,109 @@
+Fri Apr  5 14:24:14 UTC 2024 - Ricardo Mestre 
+
+- Update to Tomcat 9.0.87
+  * Fixed CVEs:
++ CVE-2024-24549: Improved request header validation for HTTP/2 stream 
+  (bsc#1221386)
++ CVE-2024-23672: Ensure that WebSocket connection closure completes if 
+  the connection is closed when the server side has used the proprietary 
+  suspend/resume feature to suspend the connection (bsc#1221385)
+  * Catalina
++ Fix:  Minor performance improvement for building filter chains. Based 
+  on ideas from #702 by Luke Miao. (remm)
++ Fix:  Align error handling for Writer and OutputStream. Ensure use of 
+  either once the response has been recycled triggers a 
+  NullPointerException provided that discardFacades is configured with 
+  the default value of true. (markt)
++ Fix:  68692: The standard thread pool implementations that are configured
+  using the Executor element now implement ExecutorService for better 
+  support NIO2. (remm)
++ Fix:  68495: When restoring a saved POST request after a successful FORM 
+  authentication, ensure that neither the URI, the query string nor the 
+  protocol are corrupted when restoring the request body. (markt)
++ Fix:  68721: Workaround a possible cause of duplicate class definitions 
+  when using ClassFileTransformers and the transformation of a class also
+  triggers the loading of the same class. (markt)
++ Fix:  The rewrite valve should not do a rewrite if the output is 
+  identical to the input. (remm)
++ Update:  Add a new valveSkip (or VS) rule flag to the rewrite valve to 
+  allow skipping over the next valve in the Catalina pipeline. (remm)
++ Fix:  Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by 
+  removing reference to org.apache.catalina.ssi package that is no longer 
+  included in the JAR. Based on pull request #684 by Jendrik Johannes. 
+  (markt)
++ Fix:  Fix ServiceBindingPropertySource so that trailing \r\n sequences 
+  are correctly removed from files containing property values when 
+  configured to do so. Bug identified by Coverity Scan. (markt)
++ Add:  Add improvements to the CSRF prevention filter including the 
+  ability to skip adding nonces for resource name and subtree URL patterns.
+  (schultz)
++ Fix:  Review usage of debug logging and downgrade trace or data dumping 
+  operations from debug level to trace. (remm)
++ Fix:  68089: Further improve the performance of request attribute 
+  access for ApplicationHttpRequest and ApplicationRequest. (markt)
++ Fix:  68559: Allow asynchronous error handling to write to the 
+  response after an error during asynchronous processing. (markt)
+  * Coyote
++ Fix:  Improve the HTTP/2 stream prioritisation process. If a stream 
+  uses all of the connection windows and still has content to write, it 
+  will now be added to the backlog immediately rather than waiting until 
+  the write  attempt for the remaining content. (markt)
++ Fix:  Make asynchronous error handling more robust. Ensure that once 
+  a connection is marked to be closed, further asynchronous processing 
+  cannot change that. (markt)
++ Fix:  Make asynchronous error handling more robust. Ensure that once 
+  the call to AsyncListener.onError() has returned to the container, only 
+  container threads can access the AsyncContext. This protects against 
+  various race conditions that woudl otherwise occur if application threads
+  continued to access the AsyncContext.
++ Fix:  Review usage of debug logging and downgrade trace or data 
+  dumping operations from debug level to trace. In particular, most of the 
+  HTTP/2 debug logging has been changed to trace level. (remm)
++ Fix:  Add support for user provided SSLContext instances configured 
+  on SSLHostConfigCertificate instances. Based on pull request #673 
+  provided by Hakan Altındağ. (markt)
++ Fix:  Improve the Tomcat Native shutdown process to reduce the likelihood
+  of a JVM crash during Tomcat shutdown. (markt)
++ Fix:  Partial fix for 68558: Cache the result of converting to String 
+  for r

commit tomcat for openSUSE:Factory

2024-02-18 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2024-02-18 20:24:46

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1815 (New)


Package is "tomcat"

Sun Feb 18 20:24:46 2024 rev:104 rq:1147338 version:9.0.85

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2024-02-15 
21:02:20.996104213 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1815/tomcat.changes  2024-02-18 
20:25:20.310705999 +0100
@@ -1,0 +2,5 @@
+Sat Feb 17 14:55:06 UTC 2024 - Fridrich Strba 
+
+- Link ecj.jar into the install instead of copying it
+
+---



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.iSIeC7/_old  2024-02-18 20:25:21.214738557 +0100
+++ /var/tmp/diff_new_pack.iSIeC7/_new  2024-02-18 20:25:21.214738557 +0100
@@ -409,7 +409,7 @@
 popd
 
 pushd output/build
-%{_bindir}/build-jar-repository lib commons-collections \
+%{_bindir}/build-jar-repository -s lib commons-collections \
 commons-dbcp2 commons-pool2 ecj/ecj 
2>&1
 # need to use -p here with b-j-r otherwise the examples webapp fails to
 # load with a java.io.IOException
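
Review bot: the `-s` is passed once for the whole build-jar-repository call, so it applies to commons-collections, commons-dbcp2 and commons-pool2 as well as ecj/ecj, while the changelog entry mentions only ecj.jar. The comment right below this call already explains why `-p` is needed with b-j-r; please add the same kind of explanation for `-s` here and confirm that the other three jars are meant to be affected.
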
@@ -427,6 +427,8 @@
 ln -s $(build-classpath commons-dbcp2) commons-dbcp2.jar
 ln -s $(build-classpath commons-pool2) commons-pool2.jar
 ln -s $(build-classpath ecj/ecj) jasper-jdt.jar
+rm ecj.jar
+ln -s $(build-classpath ecj/ecj) ecj.jar
 
 # Temporary copy the juli jar here from %%{_datadir}/java/tomcat (for 
maven depmap)
 cp -a %{buildroot}%{bindir}/tomcat-juli.jar ./
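
Review bot: `rm ecj.jar` has no `-f`, so it returns an error if ecj.jar is not present in this directory, for example if the earlier build-jar-repository call stops producing a file under that name. `ln -sf $(build-classpath ecj/ecj) ecj.jar` would replace both added lines. jasper-jdt.jar on the line above and ecj.jar now point at the same target, which deserves a one-line comment saying why both names are needed.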


commit tomcat for openSUSE:Factory

2024-01-17 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2024-01-17 22:19:11

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.16006 (New)


Package is "tomcat"

Wed Jan 17 22:19:11 2024 rev:101 rq:1139530 version:9.0.85

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2024-01-16 
21:38:38.385906782 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.16006/tomcat.changes 2024-01-17 
22:19:43.740760619 +0100
@@ -1,0 +2,146 @@
+Wed Jan 17 16:57:21 UTC 2024 - Michele Bussolotto 
+
+- Update to Tomcat 9.0.85
+  * Fixed CVEs:
++ CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
+  incorrect headers parsing (bsc#1217649)
+  * Catalina
++ Update:  68378: Align extension to MIME type mappings in the
+  global web.xml with those in httpd by adding
+  application/vnd.geogebra.slides for ggs, text/javascript for mjs
+  and audio/ogg for opus. (markt)
++ Fix:  Background processes should not be run concurrently with
+  lifecycle operations of a container. (remm)
++ Fix:  Correct unintended escaping of XML in some WebDAV
+  responses. The XML list of support locks when provided in
+  response to a PROPFIND request was incorrectly XML escaped.
+  (markt)
++ Fix:  68227: Ensure that AsyncListener.onComplete() is called
+  if AsyncListener.onError() calls AsyncContext.dispatch().
+  (markt)
++ Fix:  68228: Use a 408 status code if a read timeout occurs
+  during HTTP request processing. Includes a test case based on
+  code provided by adwsingh. (markt)
++ Fix:  67667: TLSCertificateReloadListener prints unreadable
+  rendering of X509Certificate#getNotAfter(). (michaelo)
++ Update:  The status servlet included in the manager webapp
+  can now output statistics as JSON, using the JSON=true URL
+  parameter. (remm)
++ Update:  Optionally allow ServiceBindingPropertySource to
+  trim a trailing newline from a file containing a
+  property-value. (schultz)
++ Fix:  67793: Ensure the original session timeout is restored
+  after FORM authentication if the user refreshes a page during
+  the FORM authentication process. Based on a suggestion by
+  Mircea Butmalai. (markt)
++ Update:  67926: PEMFile prints unidentifiable string
+  representation of ASN.1 OIDs. (michaelo)
++ Fix:  66875: Ensure that setting the request attribute
+  jakarta.servlet.error.exception is not sufficient to trigger
+  error handling for the current request and response. (markt)
++ Fix:  68054: Avoid some file canonicalization calls
+  introduced by the fix for 65433. (remm)
++ Fix:  68089: Improve performance of request attribute access
+  for ApplicationHttpRequest and ApplicationRequest. (markt)
++ Fix:  Use a 400 status code to report an error due to a bad
+  request (e.g. an invalid trailer header) rather than a 500
+  status code. (markt)
++ Fix:  Ensure that an IOException during the reading of the
+  request triggers always error handling, regardless of whether
+  the application swallows the exception. (markt)
+  * Coyote
++ Fix:  Refactor the VirtualThreadExecutor so that it can be
+  used by the NIO2 connector which was using platform threads
+  even when configured to use virtual threads. (markt)
++ Fix:  Correct a regression in the fix for 67675 that broke
+  TLS key file parsing for PKCS#8 format keys that do not specify
+  an explicit pseudo-random function and rely on the default.
+  This typically affects keys generated by OpenSSL 1.0.2.
+  (markt)
++ Fix:  Allow multiple operations with the same name on
+  introspected mbeans, fixing a regression caused by the
+  introduction of a second addSslHostConfig method. (remm)
++ Fix:  Relax the check that the HTTP Host header is consistent
+  with the host used in the request line, if any, to make the
+  check case insensitive since host names are case insensitive.
+  (markt)
++ Add:  68348: Add support for the partitioned attribute for
+  cookies. (markt)
++ Add:  66670: Add SSLHostConfig#certificateKeyPasswordFile and
+  SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
++ Add:  When calling
+  SSLHostConfigCertificate.setCertificateKeystore(ks),
+  automatically call setCertificateKeystoreType(ks.getType()).
+  (markt)
++ Fix:  67628: Clarify how the ciphers attribute of the
+  SSLHostConfig is used. (markt)
++ Fix:  67666: Ensure TLS connectors using PEM files either
+  work with the TLSCertificateReloadListener or, in the rare case
+  that they do not, log a warning on Connector start. 

commit tomcat for openSUSE:Factory

2024-01-16 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2024-01-16 21:38:30

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.9992 (New)


Package is "tomcat"

Tue Jan 16 21:38:30 2024 rev:100 rq:1139114 version:9.0.82

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2023-11-27 
22:44:03.567349443 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.9992/tomcat.changes  2024-01-16 
21:38:38.385906782 +0100
@@ -1,0 +2,6 @@
+Fri Jan 12 13:18:52 UTC 2024 - Michele Bussolotto 
+
+- Fix server.xml permission (bsc#1217768, bsc#1217402)
+- remove serverxmltool and use xsltproc
+
+---

Old:

  tomcat-serverxml-tool.sh.in
  tomcat-serverxml-tool.tar.gz

New:

  allowLinking.xslt
  valve.xslt



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.zeYr9t/_old  2024-01-16 21:38:39.445945428 +0100
+++ /var/tmp/diff_new_pack.zeYr9t/_new  2024-01-16 21:38:39.445945428 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -36,7 +36,6 @@
 %define tempdir %{cachedir}/temp
 %define workdir %{cachedir}/work
 %define tomcatappdir %{_datadir}/%{name}/tomcat-webapps
-%define serverxmltool %{_libexecdir}/%{name}/serverxml-tool.sh
 %define javac_target 1.8
 #Compat macro for new _fillupdir macro introduced in Nov 2017
 %if ! %{defined _fillupdir}
@@ -62,8 +61,8 @@
 Source30:   tomcat-preamble
 Source31:   tomcat-server
 Source32:   tomcat-named.service
-Source33:   tomcat-serverxml-tool.tar.gz
-Source34:   tomcat-serverxml-tool.sh.in
+Source100:  valve.xslt
+Source101:  allowLinking.xslt
 Source1000: tomcat-rpmlintrc
 Source1001: 
https://archive.apache.org/dist/tomcat/tomcat-%{major_version}/v%{version}/src/%{packdname}.tar.gz.asc
 Source1002: 
https://downloads.apache.org/tomcat/tomcat-9/KEYS#/%{name}.keyring
@@ -102,6 +101,7 @@
 BuildRequires:  java-devel >= 1.8
 BuildRequires:  javapackages-local
 BuildRequires:  junit
+BuildRequires:  libxslt-tools
 BuildRequires:  pkgconfig
 BuildRequires:  sed
 BuildRequires:  systemd-rpm-macros
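
Review bot: libxslt-tools is added only as a BuildRequires. The changelog says serverxmltool is replaced by xsltproc, and the old tool was installed under %{_libexecdir} for use on the installed system. If the new stylesheets are applied by xsltproc from a scriptlet, the package also needs a matching Requires(post) or Requires on libxslt-tools. That part of the spec is not visible in these hunks, so please confirm.
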
@@ -241,7 +241,7 @@
 The ROOT and examples web applications for Apache Tomcat
 
 %prep
-%autosetup -p1 -n %{packdname} -b 33
+%autosetup -p1 -n %{packdname}
 
 # remove pre-built binaries and windows files
 find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name 
"*.gz" -o \
@@ -306,11 +306,6 @@
 popd
 popd
 
-pushd %{_builddir}/tomcat-serverxml-tool/src
-javac -source %{javac_target} -target %{javac_target} 
com/suse/tcserverxml/ApplyStylesheet.java
-jar cfe %{_builddir}/tomcat-serverxml-tool/serverxmltool.jar 
com.suse.tcserverxml.ApplyStylesheet com/suse/tcserverxml/ApplyStylesheet.class 
com/suse/tcserverxml/add-context.xslt com/suse/tcserverxml/remove-context.xslt 
com/suse/tcserverxml/add-valve-rotatable-false.xslt
-popd
-
 %install
 # build initial path structure
 install -d -m 0755 %{buildroot}%{_bindir}
@@ -338,6 +333,9 @@
 install -d -m 0755 %{buildroot}%{_libexecdir}/%{name}
 install -d -m 0755 %{buildroot}%{_fillupdir}
 
+cp -a %{SOURCE100} %{buildroot}%{confdir}
+cp -a %{SOURCE101} %{buildroot}%{confdir}
+
 # move things into place
 # First copy supporting libs to tomcat lib
 pushd output/build
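
Review bot: `cp -a` on the two added lines keeps whatever mode valve.xslt and allowLinking.xslt have in the source directory, in a commit whose changelog is about fixing server.xml permissions. Use `install -m 0644 %{SOURCE100} %{buildroot}%{confdir}/` (and the same for SOURCE101) so the mode of files landing in %{confdir} is explicit, as the `install -d -m 0755` lines just above do for directories.
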
@@ -444,15 +442,6 @@
 %jar xf %{buildroot}%{tomcatappdir}/docs/appdev/sample/sample.war
 popd
 
-# Allow linking for example webapp
-mkdir -p %{buildroot}%{tomcatappdir}/examples/META-INF
-pushd %{buildroot}%{tomcatappdir}/examples/META-INF
-echo ''>context.xml
-echo ''>>context.xml
-echo '  '>>context.xml
-echo ''>>context.xml
-popd
-
 pushd %{buildroot}%{tomcatappdir}/examples/WEB-INF/lib
 ln -s -f $(build-classpath jakarta-taglibs-core) jstl.jar
 ln -s -f $(build-classpath jakarta-taglibs-standard) standard.jar
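
Review bot: removing the "Allow linking for example webapp" block leaves the symlinked jars created just below in examples/WEB-INF/lib (jstl.jar, standard.jar) without the META-INF/context.xml that was written for them. Nothing in this hunk replaces it, so please document where allowLinking is now applied (presumably through the new allowLinking.xslt, which is not shown here) and confirm that it stays limited to the examples webapp rather than being enabled more broadly.
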
@@ -557,14 +546,6 @@
 # It will be changed anyways to the correct symlink by update-alternatives.
 ln -s -f %{_sysconfdir}/alternatives/servlet.jar 
%{buildroot}%{_javadir}/servlet.jar
 
-# Install tool used to edit server.xml
-pushd %{_builddir}/tomcat-serverxml-tool
-cat %{SOURCE34} | sed 's#@LIBEXECDIR@#%{_libexecdir}#g' 
>tomcat-serverxml-tool.sh
-install -m 0755 tomcat-serverxml-tool.sh \
-%{buildroot}%{_libexecdir}/%{name}/serverxml-tool.sh
-cp serverxmltool.jar %{buildroot}%{_libexecdir}/%{name}/
-popd
-
 %pre
 # add the tomcat user and group
 getent group tomcat >/dev/null || %{_sbindir}/groupadd -r tomcat
@@ -648,37 +629,46 @@
 %{libdir}/\[e

commit tomcat for openSUSE:Factory

2023-10-30 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2023-10-30 22:10:40

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.17445 (New)


Package is "tomcat"

Mon Oct 30 22:10:40 2023 rev:98 rq:1121149 version:9.0.82

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2023-10-13 
23:16:33.551124276 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.17445/tomcat.changes 2023-10-30 
22:10:57.032582283 +0100
@@ -4,0 +5,6 @@
+  * Fixed CVEs:
++ CVE-2023-45648: Improve trailer header parsing (bsc#1216118)
++ CVE-2023-42794: FileUpload: remove tmp files to avoid DoS 
+  on Windows (bsc#1216120)
++ CVE-2023-42795: Improve handling of failures during recycle()
+  methods (bsc#1216119)



Other differences:
--


commit tomcat for openSUSE:Factory

2023-10-13 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2023-10-13 23:15:37

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.20540 (New)


Package is "tomcat"

Fri Oct 13 23:15:37 2023 rev:97 rq:1117656 version:9.0.82

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2023-09-22 
21:49:48.946091563 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.20540/tomcat.changes 2023-10-13 
23:16:33.551124276 +0200
@@ -1,0 +2,48 @@
+Fri Oct 13 11:12:07 UTC 2023 - Fridrich Strba 
+
+- Update to Tomcat 9.0.82
+  * Catalina
++ Add: 65770: Provide a lifecycle listener that will
+  automatically reload TLS configurations a set time before the
+  certificate is due to expire. This is intended to be used with
+  third-party tools that regularly renew TLS certificates.
++ Fix: Fix handling of an error reading a context descriptor on
+  deployment.
++ Fix: Fix rewrite rule qsd (query string discard) being ignored
+  if qsa was also use, while it should instead take precedence.
++ Fix: 67472: Send fewer CORS-related headers when CORS is not
+  actually being engaged.
++ Add: Improve handling of failures within recycle() methods.
+  * Coyote
++ Fix: 67670: Fix regression with HTTP compression after code
+  refactoring.
++ Fix: 67198: Ensure that the AJP connector attribute
+  tomcatAuthorization takes precedence over the
+  tomcatAuthentication attribute when processing an auth_type
+  attribute received from a proxy server.
++ Fix: 67235: Fix a NullPointerException when an AsyncListener
+  handles an error with a dispatch rather than a complete.
++ Fix: When an error occurs during asynchronous processing,
+  ensure that the error handling process is only triggered once
+  per asynchronous cycle.
++ Fix: Fix logic issue trying to match no argument method in
+  IntropectionUtil.
++ Fix: Improve thread safety around readNotify and writeNotify
+  in the NIO2 endpoint.
++ Fix: Avoid rare thread safety issue accessing message digest
+  map.
++ Fix: Improve statistics collection for upgraded connections
+  under load.
++ Fix: Align validation of HTTP trailer fields with standard
+  fields.
++ Fix: Improvements to HTTP/2 overhead protection (bsc#1216182,
+  CVE-2023-44487)
+  * jdbc-pool
++ Fix: 67664: Correct a regression in the clean-up of
+  unnecessary use of fully qualified class names in 9.0.81
+  that broke the jdbc-pool.
+  * Jasper
++ Fix: 67080: Improve performance of EL expressions in JSPs that
+  use implicit objects
+
+---

Old:

  apache-tomcat-9.0.80-src.tar.gz
  apache-tomcat-9.0.80-src.tar.gz.asc

New:

  apache-tomcat-9.0.82-src.tar.gz
  apache-tomcat-9.0.82-src.tar.gz.asc



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.e0PopW/_old  2023-10-13 23:16:34.287150972 +0200
+++ /var/tmp/diff_new_pack.e0PopW/_new  2023-10-13 23:16:34.287150972 +0200
@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 80
+%define micro_version 82
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}

++ apache-tomcat-9.0.80-src.tar.gz -> apache-tomcat-9.0.82-src.tar.gz ++
 27401 lines of diff (skipped)


commit tomcat for openSUSE:Factory

2023-09-22 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2023-09-22 21:47:35

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1770 (New)


Package is "tomcat"

Fri Sep 22 21:47:35 2023 rev:96 rq:1112902 version:9.0.80

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2023-09-20 
13:27:50.175736354 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1770/tomcat.changes  2023-09-22 
21:49:48.946091563 +0200
@@ -1,0 +2,177 @@
+Thu Sep 21 16:41:56 UTC 2023 - Fridrich Strba 
+
+- Update to Tomcat 9.0.80
+  * Catalina
++ Add RateLimitFilter which can be used to mitigate DoS and
+  Brute Force attacks
++ Move the management of the utility executor from the
+  init()/destroy() methods of components to the start()/stop()
+  methods.
++ Add org.apache.catalina.core.StandardVirtualThreadExecutor,
+  a virtual thread based executor that may be used with one or
+  more Connectors to process requests received by those
+  Connectors using virtual threads. This Executor requires a
+  minimum Java version of Java 21.
++ 66513: Add a per session Semaphore to the PersistentValve that
+  ensures that, within a single Tomcat instance, there is no
+  more than one concurrent request per session. Also expand the
+  debug logging to include whether a request bypasses the Valve
+  and the reason if a request fails to obtain the per session
+  Semaphore.
++ 66609: Ensure that the default servlet correctly escapes file
+  names in directory listings when using XML output.
++ 66618: Add a numeric last modified field to the XML directory
+  listings produced by the default servlet to enable sorting in
+  the XSLT.
++ 66621: Attempts to lock a collection with WebDAV may
+  incorrectly fail if a child collection has an expired lock.
++ 66622: Deprecate the xssProtectionEnabled setting from the
+  HttpHeaderSecurityFilter and change the default value to false
+  as support for the associated HTTP header has been removed
+  from all major browsers.
++ 59232: Add org.apache.catalina.core.ContextNamingInfoListener,
+  a listener which creates context naming information
+  environment entries.
++ 5: Add
+  org.apache.catalina.core.PropertiesRoleMappingListener, a
+  listener which populates the context's role mapping from a
+  properties file.
++ Fix an edge case where intra-web application symlinks would be
+  followed if the web applications were deliberately crafted to
+  allow it even when allowLinking was set to false.
++ Add utility config file resource lookup on Context to allow
+  looking up resources from the webapp (prefixed with webapp:)
+  and make the resource lookup API more visible.
++ Fix potential database connection leaks in
+  DataSourceUserDatabase identified by Coverity Scan.
++ Make parsing of ExtendedAccessLogValve patterns more robust.
++ Fix failure trying to persist configuration for an internal
+  credential handler.
++ 66680: When serializing a session during the session
+  presistence process, do not log a warning that null Principals
+  are not serializable.
++ Catch NamingException in JNDIRealm#getPrincipal. It is used in
+  Java up to 17 to signal closed connections.
++ 66822: Use the same naming format in log messages for
+  Connector instances as the associated ProtocolHandler instance.
++ The parts count should also lower the actual maxParameterCount
+  used for parsing parameters if parts are parsed first.
++ If an application or library sets both a non-500 error code
+  and the javax.servlet.error.exception request attribute, use
+  the provided error code during error page processing rather
+  than assuming an error code of 500.
++ Update code comments and Tomcat output to use MiB for
+  1024 * 1024 bytes and KiB for 1024 bytes rather than
+  MB and kB.
++ Avoid protocol relative redirects in FORM authentication
+  (CVE-2023-41080, bsc#1214666).
+  * Coyote
++ Update the HTTP/2 implementation to use the prioritization
+  scheme defined in RFC 9218 rather than the one defined in
+  RFC 7540.
++ 66602: not sending WINDOW_UPDATE when dataLength is ZERO on
+  call SwallowedDataFramePayload.
++ 66627: Restore the documented behaviour of
+  MessageBytes.getType() that it returns the type of the
+  original content rather than reflecting the most recent
+  conversion.
++ 66635: Correct certificate logging on start-up so it
+  differentiates between keystore based keys/certificates and
+  PEM file based keys/certifica

commit tomcat for openSUSE:Factory

2023-09-20 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2023-09-20 13:25:59

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.16627 (New)


Package is "tomcat"

Wed Sep 20 13:25:59 2023 rev:95 rq:850 version:9.0.75

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2023-09-14 
16:28:14.516104189 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.16627/tomcat.changes 2023-09-20 
13:27:50.175736354 +0200
@@ -1,0 +2,9 @@
+Mon Sep 18 06:03:34 UTC 2023 - Fridrich Strba 
+
+- Modified patch:
+  * tomcat-9.0-osgi-build.patch
++ make it more robust to change in number of artifacts in bnd
++ do not enumerate jars, just take all jars from the aqute-bnd
+  directory into the classpath
+
+---



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.k4yH3O/_old  2023-09-20 13:27:52.999837529 +0200
+++ /var/tmp/diff_new_pack.k4yH3O/_new  2023-09-20 13:27:52.999837529 +0200
@@ -291,10 +291,7 @@
 -Dwsdl4j-lib.jar="$(build-classpath wsdl4j)" \
 -Dsaaj-api.jar="$(build-classpath geronimo-saaj-1.1-api)" \
 -Dbnd.jar="$(build-classpath aqute-bnd/biz.aQute.bnd)" \
--Dbndant.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.ant)" \
--Dbndlib.jar="$(build-classpath aqute-bnd/biz.aQute.bndlib)" \
--Dbndlibg.jar="$(build-classpath aqute-bnd/aQute.libg)" \
--Dbndannotation.jar="$(build-classpath 
aqute-bnd/biz.aQute.bnd.annotation)" \
+-Dbnd.dir="%{_javadir}/aqute-bnd" \
 -Dosgiannotation.jar="$(build-classpath osgi-annotation/osgi.annotation)" \
 -Dosgi-annotations.jar="$(build-classpath 
aqute-bnd/biz.aQute.bnd.annotation)" \
 -Dosgicmpn.jar="$(build-classpath osgi-compendium/osgi.cmpn)" \
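
Review bot: switching to `-Dbnd.dir="%{_javadir}/aqute-bnd"` puts every jar found in that directory on the classpath, so the build input is no longer an explicit list and changes with whatever the aqute-bnd package installs there. The neighbouring `-Dbnd.jar=` and `-Dosgi-annotations.jar=` lines still name individual aqute-bnd jars through build-classpath, so the spec is only partly insulated from renames. A comment saying which of these properties the patched build.xml still needs would help.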


++ tomcat-9.0-osgi-build.patch ++
--- /var/tmp/diff_new_pack.k4yH3O/_old  2023-09-20 13:27:53.095840968 +0200
+++ /var/tmp/diff_new_pack.k4yH3O/_new  2023-09-20 13:27:53.095840968 +0200
@@ -12,14 +12,13 @@

  

-@@ -3845,6 +3845,13 @@
+@@ -3845,6 +3845,12 @@
  
  

-+  
-+  
-+  
-+  
++  
++
++  
 +  
 +  
 +  


commit tomcat for openSUSE:Factory

2023-09-14 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2023-09-14 16:25:36

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1766 (New)


Package is "tomcat"

Thu Sep 14 16:25:36 2023 rev:94 rq:1110988 version:9.0.75

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2023-05-23 
14:55:02.482659910 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1766/tomcat.changes  2023-09-14 
16:28:14.516104189 +0200
@@ -1,0 +2,5 @@
+Tue Sep 12 11:30:29 UTC 2023 - Fridrich Strba 
+
+- Require(pre) shadow because groupadd is needed early
+
+---



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.Ne5Or7/_old  2023-09-14 16:28:17.300203647 +0200
+++ /var/tmp/diff_new_pack.Ne5Or7/_new  2023-09-14 16:28:17.304203790 +0200
@@ -83,7 +83,6 @@
 Patch6: tomcat-9.0.75-secretRequired-default.patch
 Patch7: tomcat-9.0-fix_catalina.patch
 Patch8: tomcat-9.0-logrotate_everything.patch
-
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
 BuildRequires:  apache-commons-collections
@@ -117,8 +116,7 @@
 Requires:   apache-commons-pool2
 Requires:   java >= 1.8
 Requires(post): %fillup_prereq
-Requires(pre):  %{_sbindir}/groupadd
-Requires(pre):  %{_sbindir}/useradd
+Requires(pre):  shadow
 Recommends: libtcnative-1-0 >= 1.1.24
 Recommends: logrotate
 BuildArch:  noarch
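
Review bot: `Requires(pre): shadow` replaces two file dependencies with a package name, which drops the explicit record that the %pre scriptlet needs both groupadd and useradd. A short comment naming the binaries the scriptlet calls would keep that visible. The changelog line mentions only groupadd although the useradd requirement is replaced as well.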


commit tomcat for openSUSE:Factory

2023-05-23 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2023-05-23 14:54:29

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1533 (New)


Package is "tomcat"

Tue May 23 14:54:29 2023 rev:93 rq:1088487 version:9.0.75

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2023-04-07 
18:17:14.940864332 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1533/tomcat.changes  2023-05-23 
14:55:02.482659910 +0200
@@ -1,0 +2,36 @@
+Tue May 23 04:25:45 UTC 2023 - Fridrich Strba 
+
+- Update to Tomcat 9.0.75.
+  * See changelog at
+
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.75_(markt)
+  * Fixes:
++ bsc#1211608, CVE-2023-28709
++ bsc#1208513, CVE-2023-24998 (previous incomplete fix)
+- Remove patches:
+  * tomcat-9.0-CVE-2021-30640.patch
+  * tomcat-9.0-CVE-2021-33037.patch
+  * tomcat-9.0-CVE-2021-41079.patch
+  * tomcat-9.0-CVE-2022-23181.patch
+  * tomcat-9.0-NPE-JNDIRealm.patch
+  * tomcat-9.0-hardening_getResources.patch
+  * tomcat-9.0.43-CVE-2021-43980.patch
+  * tomcat-9.0.43-CVE-2022-42252.patch
+  * tomcat-9.0.43-CVE-2022-45143.patch
+  * tomcat-9.0.43-CVE-2023-24998.patch
+  * tomcat-9.0.43-CVE-2023-28708.patch
++ integrated in this version
+  * tomcat-9.0.43-java8compat.patch
++ problem with Java 8 compatibility solved in this version
+- Modified patch:
+  * tomcat-9.0.31-secretRequired-default.patch
+-> tomcat-9.0.75-secretRequired-default.patch
++ rediffed to changed context
+  * tomcat-9.0-javadoc.patch
++ drop integrated hunks
+  * tomcat-9.0-osgi-build.patch
++ fix to work with current version
+- Added patch:
+  * tomcat-9.0-jdt.patch
++ fix build against our ecj
+
+---

Old:

  apache-tomcat-9.0.43-src.tar.gz
  apache-tomcat-9.0.43-src.tar.gz.asc
  tomcat-9.0-CVE-2021-30640.patch
  tomcat-9.0-CVE-2021-33037.patch
  tomcat-9.0-CVE-2021-41079.patch
  tomcat-9.0-CVE-2022-23181.patch
  tomcat-9.0-NPE-JNDIRealm.patch
  tomcat-9.0-hardening_getResources.patch
  tomcat-9.0.31-secretRequired-default.patch
  tomcat-9.0.43-CVE-2021-43980.patch
  tomcat-9.0.43-CVE-2022-42252.patch
  tomcat-9.0.43-CVE-2022-45143.patch
  tomcat-9.0.43-CVE-2023-24998.patch
  tomcat-9.0.43-CVE-2023-28708.patch
  tomcat-9.0.43-java8compat.patch

New:

  apache-tomcat-9.0.75-src.tar.gz
  apache-tomcat-9.0.75-src.tar.gz.asc
  tomcat-9.0-jdt.patch
  tomcat-9.0.75-secretRequired-default.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.fhfFXb/_old  2023-05-23 14:55:03.522666063 +0200
+++ /var/tmp/diff_new_pack.fhfFXb/_new  2023-05-23 14:55:03.530666110 +0200
@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 43
+%define micro_version 75
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}
@@ -77,23 +77,12 @@
 Patch3: %{name}-%{major_version}.%{minor_version}-javadoc.patch
 # PATCH-FIX-OPENSUSE: include all necessary aqute-bnd jars
 Patch4: tomcat-9.0-osgi-build.patch
-# PATCH-FIX-OPENSUSE: cast ByteBuffer to Buffer in cases where there is a risk 
of using Java 9+ apis
-Patch5: tomcat-9.0.43-java8compat.patch
+# PATCH-FIX-OPENSUSE: build against our ecj that does not have 
CompilerOptions.VERSION_16
+Patch5: %{name}-%{major_version}.%{minor_version}-jdt.patch
 # PATCH-FIX-OPENSUSE: set ajp connector secreteRequired to false by default to 
avoid tomcat not starting
-Patch6: tomcat-9.0.31-secretRequired-default.patch
-Patch7: tomcat-9.0-CVE-2021-41079.patch
-Patch8: tomcat-9.0-CVE-2021-33037.patch
-Patch9: tomcat-9.0-CVE-2021-30640.patch
-Patch10:tomcat-9.0-NPE-JNDIRealm.patch
-Patch11:tomcat-9.0-CVE-2022-23181.patch
-Patch12:tomcat-9.0-hardening_getResources.patch
-Patch13:tomcat-9.0.43-CVE-2021-43980.patch
-Patch14:tomcat-9.0.43-CVE-2022-42252.patch
-Patch15:tomcat-9.0-fix_catalina.patch
-Patch16:tomcat-9.0-logrotate_everything.patch
-Patch17:tomcat-9.0.43-CVE-2023-24998.patch
-Patch18:tomcat-9.0.43-CVE-2023-28708.patch
-Patch19:tomcat-9.0.43-CVE-2022-45143.patch
+Patch6: tomcat-9.0.75-secretRequired-default.patch
+Patch7: tomcat-9.0-fix_catalina.patch
+Patch8: tomcat-9.0-logrotate_everything.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
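Review bot: Patch6 carries the `secretRequired` default override forward to 9.0.75, so an enabled AJP connector in this package keeps accepting connections without a shared secret unless the administrator configures one. The comment above the line gives only "to avoid tomcat not starting" as the reason; it should state that this deviates from the upstream default and say where the administrator is told to set a secret (the attribute name is also misspelled `secreteRequired` there). Separately, Patch5 now uses the `%{name}-%{major_version}.%{minor_version}` macros while Patch6 to Patch8 spell the name out; pick one form.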
@@ -268,17 +257,6 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
-%patch9 -p1
-%patch10 -p1
-%patch11 -p1
-%patch12 -p1

commit tomcat for openSUSE:Factory

2023-04-07 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2023-04-07 18:17:06

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.19717 (New)


Package is "tomcat"

Fri Apr  7 18:17:06 2023 rev:92 rq:1077842 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2023-03-28 
17:51:25.043568922 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.19717/tomcat.changes 2023-04-07 
18:17:14.940864332 +0200
@@ -1,0 +2,8 @@
+Fri Apr  7 07:56:31 UTC 2023 - Michele Bussolotto 
+
+- Fixed CVEs:
+  * CVE-2022-45143: JsonErrorReportValve: add escape for type, message or 
description (bsc#1206840)
+- Added patches:
+  * tomcat-9.0.43-CVE-2022-45143.patch
+
+---

New:

  tomcat-9.0.43-CVE-2022-45143.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.pCA4uS/_old  2023-04-07 18:17:15.756869033 +0200
+++ /var/tmp/diff_new_pack.pCA4uS/_new  2023-04-07 18:17:15.756869033 +0200
@@ -93,6 +93,7 @@
 Patch16:tomcat-9.0-logrotate_everything.patch
 Patch17:tomcat-9.0.43-CVE-2023-24998.patch
 Patch18:tomcat-9.0.43-CVE-2023-28708.patch
+Patch19:tomcat-9.0.43-CVE-2022-45143.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -277,6 +278,7 @@
 %patch16 -p1
 %patch17 -p1
 %patch18 -p1
+%patch19 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++ tomcat-9.0.43-CVE-2022-45143.patch ++
>From b336f4e58893ea35114f1e4a415657f723b1298e Mon Sep 17 00:00:00 2001
From: Mark Thomas 
Date: Wed, 9 Nov 2022 12:39:15 +
Subject: [PATCH] Avoid invalid JSON in JSONErrorReportValve output

---
 .../catalina/valves/JsonErrorReportValve.java |  7 +-
 .../apache/tomcat/util/json/JSONFilter.java   | 61 ++
 .../tomcat/util/json/TestJSONFilter.java  | 82 +++
 webapps/docs/changelog.xml|  5 ++
 4 files changed, 152 insertions(+), 3 deletions(-)
 create mode 100644 java/org/apache/tomcat/util/json/JSONFilter.java
 create mode 100644 test/org/apache/tomcat/util/json/TestJSONFilter.java

Index: 
apache-tomcat-9.0.43-src/java/org/apache/catalina/valves/JsonErrorReportValve.java
===
--- 
apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/valves/JsonErrorReportValve.java
+++ 
apache-tomcat-9.0.43-src/java/org/apache/catalina/valves/JsonErrorReportValve.java
@@ -24,6 +24,7 @@ import org.apache.catalina.connector.Req
 import org.apache.catalina.connector.Response;
 import org.apache.coyote.ActionCode;
 import org.apache.tomcat.util.ExceptionUtils;
+import org.apache.tomcat.util.json.JSONFilter;
 import org.apache.tomcat.util.res.StringManager;
 
 /**
@@ -82,9 +83,9 @@ public class JsonErrorReportValve extend
 }
 }
 String jsonReport = "{\n" +
-"  \"type\": \"" + type + "\",\n" +
-"  \"message\": \"" + message + "\"\n" +
-"  \"description\": \"" + description + "\"\n" +
+"  \"type\": \"" + JSONFilter.escape(type) + 
"\",\n" +
+"  \"message\": \"" + JSONFilter.escape(message) + 
"\",\n" +
+"  \"description\": \"" + 
JSONFilter.escape(description) + "\"\n" +
 "}";
 try {
 try {
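Review bot: the report is still assembled by string concatenation in the three `+` members, so the output stays safe only as long as every future field remembers to call `JSONFilter.escape()`; a small helper that appends a name/value pair and always escapes the value would remove that risk. The same lines also add the comma that was missing after the `message` member, which produced invalid JSON on its own, and the changes entry ("add escape for type, message or description") should mention that. Since the body of `JSONFilter.escape()` is not visible here, confirm that it tolerates a null `message` or `description`.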
Index: apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/json/JSONFilter.java
===
--- /dev/null
+++ apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/json/JSONFilter.java
@@ -0,0 +1,61 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.json;
+
+/**
+ * Provides escaping of values so they can be includ

commit tomcat for openSUSE:Factory

2023-03-28 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2023-03-28 17:51:19

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.31432 (New)


Package is "tomcat"

Tue Mar 28 17:51:19 2023 rev:91 rq:1074951 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2023-03-03 
22:31:15.087991396 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.31432/tomcat.changes 2023-03-28 
17:51:25.043568922 +0200
@@ -1,0 +2,9 @@
+Thu Mar 23 08:06:31 UTC 2023 - Michele Bussolotto 
+
+- Fixed CVEs:
+  * CVE-2023-28708: tomcat: not including the secure attribute
+causes information disclosure (bsc#1209622)
+- Added patches:
+  * tomcat-9.0.43-CVE-2023-28708.patch
+
+---

New:

  tomcat-9.0.43-CVE-2023-28708.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.dE3vHc/_old  2023-03-28 17:51:26.031573689 +0200
+++ /var/tmp/diff_new_pack.dE3vHc/_new  2023-03-28 17:51:26.035573707 +0200
@@ -92,6 +92,7 @@
 Patch15:tomcat-9.0-fix_catalina.patch
 Patch16:tomcat-9.0-logrotate_everything.patch
 Patch17:tomcat-9.0.43-CVE-2023-24998.patch
+Patch18:tomcat-9.0.43-CVE-2023-28708.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -275,6 +276,7 @@
 %patch15 -p1
 %patch16 -p1
 %patch17 -p1
+%patch18 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++ tomcat-9.0.43-CVE-2023-28708.patch ++
>From 3b51230764da595bb19e8d0962dd8c69ab40dfab Mon Sep 17 00:00:00 2001
From: lihan 
Date: Fri, 10 Feb 2023 10:01:27 +0800
Subject: [PATCH] Fix BZ 66471 - JSessionId secure attribute missing with
 RemoteIpFilter and X-Forwarded-Proto set to https

https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
---
 java/org/apache/catalina/Globals.java |  7 ++
 .../apache/catalina/connector/Request.java| 14 +++
 .../catalina/filters/RemoteIpFilter.java  |  7 +-
 .../catalina/filters/TestRemoteIpFilter.java  | 96 ++-
 webapps/docs/changelog.xml|  5 +
 5 files changed, 100 insertions(+), 29 deletions(-)

Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/Globals.java
===
--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/Globals.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/Globals.java
@@ -113,6 +113,13 @@ public final class Globals {
 
 
 /**
+ * The request attribute that is set to the value of {@code Boolean.TRUE}
+ * if {@link org.apache.catalina.filters.RemoteIpFilter} determines
+ * that this request was submitted via a secure channel.
+ */
+public static final String REMOTE_IP_FILTER_SECURE = 
"org.apache.catalina.filters.RemoteIpFilter.secure";
+
+/**
  * The request attribute that can be used by a servlet to pass
  * to the connector the name of the file that is to be served
  * by sendfile. The value should be {@code java.lang.String}
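Review bot: the Javadoc on `REMOTE_IP_FILTER_SECURE` says the attribute "is set to the value of Boolean.TRUE", but the adapter registered in Request.java returns `Boolean.valueOf(request.isSecure())`, so readers also see `Boolean.FALSE`, and the attribute is writable. Reword the comment to say that it mirrors the request's secure flag and that it is meant to be written by RemoteIpFilter only.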
Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/connector/Request.java
===
--- 
apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/connector/Request.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/connector/Request.java
@@ -3601,6 +3601,20 @@ public class Request implements HttpServ
 // NO-OP
 }
 });
+specialAttributes.put(Globals.REMOTE_IP_FILTER_SECURE,
+new SpecialAttributeAdapter() {
+@Override
+public Object get(Request request, String name) {
+return Boolean.valueOf(request.isSecure());
+}
+
+@Override
+public void set(Request request, String name, Object value) {
+if (value instanceof Boolean) {
+request.setSecure(((Boolean) value).booleanValue());
+}
+}
+});
 specialAttributes.put(Globals.STREAM_ID,
 new SpecialAttributeAdapter() {
 @Override
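Review bot: `set()` in the new adapter calls `request.setSecure()` for any caller of `setAttribute` with this name and silently ignores a value that is not a Boolean. Because the secure flag is what this fix relies on to get the Secure attribute onto the session cookie, add a comment stating which component is expected to write the attribute, and a test or debug log for the ignored non-Boolean case, so the trust assumption is explicit.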
Index: 
apache-tomcat-9.0.43-src/java/org/apache/catalina/filters/RemoteIpFilter.java
===
--- 
apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/filters/RemoteIpFilter.java
+++ 
apache-tomcat-9.0.43-src/java/org/apache/catalina/filters/RemoteIpFilter.java
@@ -581,11 +581,6 @@ public class RemoteIpFilter extends Gene
 return serverPort;
 

commit tomcat for openSUSE:Factory

2023-03-03 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2023-03-03 22:28:14

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.31432 (New)


Package is "tomcat"

Fri Mar  3 22:28:14 2023 rev:90 rq:1069054 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2023-01-17 
17:35:56.885399790 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.31432/tomcat.changes 2023-03-03 
22:31:15.087991396 +0100
@@ -1,0 +2,8 @@
+Tue Feb 28 11:14:24 UTC 2023 - Michele Bussolotto 
+
+- Fixed CVEs:
+  * CVE-2023-24998: tomcat,tomcat6: FileUpload DoS with excessive parts 
(bsc#1208513)
+- Added patches:
+  * tomcat-9.0.43-CVE-2023-24998.patch
+
+---

New:

  tomcat-9.0.43-CVE-2023-24998.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.aK4z6Q/_old  2023-03-03 22:31:16.107995745 +0100
+++ /var/tmp/diff_new_pack.aK4z6Q/_new  2023-03-03 22:31:16.111995763 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2022 SUSE LLC
+# Copyright (c) 2023 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -91,6 +91,7 @@
 Patch14:tomcat-9.0.43-CVE-2022-42252.patch
 Patch15:tomcat-9.0-fix_catalina.patch
 Patch16:tomcat-9.0-logrotate_everything.patch
+Patch17:tomcat-9.0.43-CVE-2023-24998.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -273,6 +274,7 @@
 %patch14 -p1
 %patch15 -p1
 %patch16 -p1
+%patch17 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
@@ -693,7 +695,6 @@
 %{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/host-manager 
path=/host-manager contextXml=%{tomcatappdir}/host-manager/META-INF/context.xml
 %{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/manager 
path=/manager contextXml=%{tomcatappdir}/manager/META-INF/context.xml
 
-
 %postun admin-webapps
 if [ $1 -eq 0 ]; then # uninstall only
   %{serverxmltool} remove-context.xslt docBase=%{tomcatappdir}/host-manager 
path=/host-manager


++ tomcat-9.0.43-CVE-2023-24998.patch ++
>From cf77cc545de0488fb89e24294151504a7432df74 Mon Sep 17 00:00:00 2001
From: Mark Thomas 
Date: Tue, 13 Dec 2022 17:55:34 +
Subject: [PATCH] Update packaged renamed fork of Commons File Upload

---
 MERGE.txt |  2 +-
 .../apache/catalina/connector/Request.java| 10 +++-
 .../apache/tomcat/util/http/Parameters.java   |  5 ++
 .../util/http/fileupload/FileUploadBase.java  | 29 +++
 .../impl/FileCountLimitExceededException.java | 50 +++
 webapps/docs/changelog.xml|  8 +++
 webapps/docs/config/ajp.xml   | 15 +++---
 webapps/docs/config/http.xml  | 15 +++---
 8 files changed, 120 insertions(+), 14 deletions(-)
 create mode 100644 
java/org/apache/tomcat/util/http/fileupload/impl/FileCountLimitExceededException.java

Index: apache-tomcat-9.0.43-src/MERGE.txt
===
--- apache-tomcat-9.0.43-src.orig/MERGE.txt
+++ apache-tomcat-9.0.43-src/MERGE.txt
@@ -51,7 +51,7 @@ FileUpload
 Sub-tree:
 src/main/java/org/apache/commons/fileupload2
 The SHA1 ID / tag for the most recent commit to be merged to Tomcat is:
-ee0a7131b6b87586b28542de354951414dedac3f (2021-01-15)
+34eb241c051b02eca3b0b1b04f67b3b4e6c3a24d (2023-01-03)
 
 Note: Tomcat's copy of fileupload also includes classes copied manually from
   Commons IO.
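Review bot: the merge point recorded in the `+` line is dated 2023-01-03, later than the `Date:` header of this patch (13 Dec 2022), so the file appears to combine more than the single upstream commit named in the header. List the upstream commits that were folded in at the top of the patch so the backport can be checked against them.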
Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/connector/Request.java
===
--- 
apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/connector/Request.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/connector/Request.java
@@ -2862,8 +2862,9 @@ public class Request implements HttpServ
 }
 }
 
+int maxParameterCount = getConnector().getMaxParameterCount();
 Parameters parameters = coyoteRequest.getParameters();
-parameters.setLimit(getConnector().getMaxParameterCount());
+parameters.setLimit(maxParameterCount);
 
 boolean success = false;
 try {
@@ -2915,6 +2916,13 @@ public class Request implements HttpServ
 upload.setFileItemFactory(factory);
 upload.setFileSizeMax(mce.getMaxFileSize());
 upload.setSizeMax(mce.getMaxRequestSize());
+if (maxParameterCount > -1) {
+// There is a limit. The limit for parts ne

commit tomcat for openSUSE:Factory

2023-01-17 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2023-01-17 17:35:48

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.32243 (New)


Package is "tomcat"

Tue Jan 17 17:35:48 2023 rev:89 rq:1058900 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2022-12-02 
13:13:52.934097671 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.32243/tomcat.changes 2023-01-17 
17:35:56.885399790 +0100
@@ -1,0 +2,12 @@
+Fri Dec 23 08:20:55 UTC 2022 - Michele Bussolotto 
+
+- set logrotate for localhost.log, manager.log, host-manager.log and 
localhost_access_log.txt
+- use logrotate for catalina.out
+  * update tomcat-serverxml-tool and spec to configure server.xml
+- Added patch:
+  * tomcat-9.0-logrotate_everything.patch
+  * tomcat-serverxml-tool.tar.gz
+- Removed:
+  * tomcat-serverxml-tool-1.0.tar.gz
+
+---

Old:

  tomcat-serverxml-tool-1.0.tar.gz

New:

  tomcat-9.0-logrotate_everything.patch
  tomcat-serverxml-tool.tar.gz



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.ShAtiB/_old  2023-01-17 17:35:58.405408359 +0100
+++ /var/tmp/diff_new_pack.ShAtiB/_new  2023-01-17 17:35:58.409408383 +0100
@@ -24,7 +24,6 @@
 %define minor_version 0
 %define micro_version 43
 %define packdname apache-tomcat-%{version}-src
-%define serverxmltool_version 1.0
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}
 %define appdir %{basedir}/webapps
@@ -63,7 +62,7 @@
 Source30:   tomcat-preamble
 Source31:   tomcat-server
 Source32:   tomcat-named.service
-Source33:   
https://gitlab.suse.de/galaxy/tomcat-serverxml-tool/-/archive/%{serverxmltool_version}/tomcat-serverxml-tool-%{serverxmltool_version}.tar.gz
+Source33:   tomcat-serverxml-tool.tar.gz
 Source34:   tomcat-serverxml-tool.sh.in
 Source1000: tomcat-rpmlintrc
 Source1001: 
https://archive.apache.org/dist/tomcat/tomcat-%{major_version}/v%{version}/src/%{packdname}.tar.gz.asc
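Review bot: `Source33` loses both its URL and its version in the `+` line, so nothing in the spec records which revision of tomcat-serverxml-tool the tarball contains or where it came from. Keep a version or commit id in the file name or in a comment above the line (or generate the tarball from a `_service` file), and list the tarball in the changes entry as a source rather than under "Added patch".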
@@ -91,6 +90,7 @@
 Patch13:tomcat-9.0.43-CVE-2021-43980.patch
 Patch14:tomcat-9.0.43-CVE-2022-42252.patch
 Patch15:tomcat-9.0-fix_catalina.patch
+Patch16:tomcat-9.0-logrotate_everything.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -272,6 +272,7 @@
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
+%patch16 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
@@ -335,9 +336,9 @@
 popd
 popd
 
-pushd %{_builddir}/tomcat-serverxml-tool-%{serverxmltool_version}/src
+pushd %{_builddir}/tomcat-serverxml-tool/src
 javac -source %{javac_target} -target %{javac_target} 
com/suse/tcserverxml/ApplyStylesheet.java
-jar cfe 
%{_builddir}/tomcat-serverxml-tool-%{serverxmltool_version}/serverxmltool.jar 
com.suse.tcserverxml.ApplyStylesheet com/suse/tcserverxml/ApplyStylesheet.class 
com/suse/tcserverxml/add-context.xslt com/suse/tcserverxml/remove-context.xslt
+jar cfe %{_builddir}/tomcat-serverxml-tool/serverxmltool.jar 
com.suse.tcserverxml.ApplyStylesheet com/suse/tcserverxml/ApplyStylesheet.class 
com/suse/tcserverxml/add-context.xslt com/suse/tcserverxml/remove-context.xslt 
com/suse/tcserverxml/add-valve-rotatable-false.xslt
 popd
 
 %install
@@ -587,7 +588,7 @@
 ln -s -f %{_sysconfdir}/alternatives/servlet.jar 
%{buildroot}%{_javadir}/servlet.jar
 
 # Install tool used to edit server.xml
-pushd %{_builddir}/tomcat-serverxml-tool-%{serverxmltool_version}
+pushd %{_builddir}/tomcat-serverxml-tool
 cat %{SOURCE34} | sed 's#@LIBEXECDIR@#%{_libexecdir}#g' 
>tomcat-serverxml-tool.sh
 install -m 0755 tomcat-serverxml-tool.sh \
 %{buildroot}%{_libexecdir}/%{name}/serverxml-tool.sh
@@ -677,35 +678,39 @@
 %{libdir}/\[ecj\].jar >/dev/null 2>&1
 
 %post webapps
-%{serverxmltool} add %{tomcatappdir}/ROOT /
-%{serverxmltool} add %{tomcatappdir}/sample /sample
-%{serverxmltool} add %{tomcatappdir}/examples /examples
+%{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/ROOT path=/
+%{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/sample path=/sample
+%{serverxmltool} add-context.xslt docBase=%{tomcatappdir}/examples 
path=/examples
 
 %postun webapps
 if [ $1 -eq 0 ]; then # uninstall only
-  %{serverxmltool} remove %{tomcatappdir}/ROOT /
-  %{serverxmltool} remove %{tomcatappdir}/sample /sample
-  %{serverxmltool} remove %{tomcatappdir}/examples /examples
+  %{serverxmltool} remove-context.xslt docBase=%{tomcatappdir}/ROOT path=/
+  %{serverxmltool} remove-context.xslt docBase=%{tomcatappdir}/sample 
path=/sample
+  %{serverxmltool} remove-contex

commit tomcat for openSUSE:Factory

2022-12-02 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2022-12-02 13:13:36

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1835 (New)


Package is "tomcat"

Fri Dec  2 13:13:36 2022 rev:88 rq:1039508 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2022-11-22 
16:10:28.226117504 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1835/tomcat.changes  2022-12-02 
13:13:52.934097671 +0100
@@ -1,0 +2,7 @@
+Tue Nov 29 14:46:26 UTC 2022 - Michele Bussolotto 
+
+- Use catalina.out for logging (bsc#1205647)
+- Added patches:
+  * tomcat-9.0-fix_catalina.patch
+
+---

New:

  tomcat-9.0-fix_catalina.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.xLLliI/_old  2022-12-02 13:13:53.834102621 +0100
+++ /var/tmp/diff_new_pack.xLLliI/_new  2022-12-02 13:13:53.842102665 +0100
@@ -90,6 +90,7 @@
 Patch12:tomcat-9.0-hardening_getResources.patch
 Patch13:tomcat-9.0.43-CVE-2021-43980.patch
 Patch14:tomcat-9.0.43-CVE-2022-42252.patch
+Patch15:tomcat-9.0-fix_catalina.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -270,6 +271,7 @@
 %patch12 -p1
 %patch13 -p1
 %patch14 -p1
+%patch15 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++ tomcat-9.0-fix_catalina.patch ++
Index: apache-tomcat-9.0.43-src/conf/logging.properties
===
--- apache-tomcat-9.0.43-src.orig/conf/logging.properties
+++ apache-tomcat-9.0.43-src/conf/logging.properties
@@ -77,3 +77,6 @@ org.apache.catalina.core.ContainerBase.[
 
 # To see debug messages for WebSocket handling, uncomment the following line:
 #org.apache.tomcat.websocket.level = FINE
+
+1catalina.org.apache.juli.AsyncFileHandler.suffix = out
+1catalina.org.apache.juli.AsyncFileHandler.rotatable = false
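Review bot: the two `1catalina.org.apache.juli.AsyncFileHandler` properties are appended after the WebSocket debug comment with no explanation of their own. Add a comment line saying that `rotatable = false` hands rotation of catalina.out to logrotate, so that a later rebase of this patch does not drop or duplicate them.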

++ tomcat-9.0.logrotate ++
--- /var/tmp/diff_new_pack.xLLliI/_old  2022-12-02 13:13:54.006103566 +0100
+++ /var/tmp/diff_new_pack.xLLliI/_new  2022-12-02 13:13:54.014103611 +0100
@@ -1,4 +1,5 @@
 @@@TCLOG@@@/catalina.out {
+notifempty
 copytruncate
 weekly
 rotate 52
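Review bot: `notifempty` is added beside `copytruncate`, which stays in place; with copytruncate, lines written between the copy and the truncate are lost, which matters when catalina.out serves as an audit trail. If that loss is accepted now that Tomcat no longer rotates the file itself, record the decision in the changes entry.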


commit tomcat for openSUSE:Factory

2022-11-22 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2022-11-22 16:10:22

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1597 (New)


Package is "tomcat"

Tue Nov 22 16:10:22 2022 rev:87 rq:1037218 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2022-07-14 
16:34:48.076658751 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1597/tomcat.changes  2022-11-22 
16:10:28.226117504 +0100
@@ -1,0 +2,16 @@
+Mon Nov 21 07:42:34 UTC 2022 - Michele Bussolotto 
+
+- Fixed CVEs:
+  * CVE-2022-42252: reject invalid content-length requests. (bsc#1204918)
+- Added patches:
+  * tomcat-9.0.43-CVE-2022-42252.patch
+
+---
+Thu Oct 20 15:58:40 UTC 2022 - Michele Bussolotto 
+
+- Fixed CVEs:
+  * CVE-2021-43980: Improve the recycling of Processor objects to make it more 
robust. (bsc#1203868)
+- Added patches:
+  * tomcat-9.0.43-CVE-2021-43980.patch
+
+---

New:

  tomcat-9.0.43-CVE-2021-43980.patch
  tomcat-9.0.43-CVE-2022-42252.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.9ZJBEh/_old  2022-11-22 16:10:29.174122314 +0100
+++ /var/tmp/diff_new_pack.9ZJBEh/_new  2022-11-22 16:10:29.182122354 +0100
@@ -88,6 +88,8 @@
 Patch10:tomcat-9.0-NPE-JNDIRealm.patch
 Patch11:tomcat-9.0-CVE-2022-23181.patch
 Patch12:tomcat-9.0-hardening_getResources.patch
+Patch13:tomcat-9.0.43-CVE-2021-43980.patch
+Patch14:tomcat-9.0.43-CVE-2022-42252.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -266,6 +268,8 @@
 %patch10 -p1
 %patch11 -p1
 %patch12 -p1
+%patch13 -p1
+%patch14 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++ tomcat-9.0.43-CVE-2021-43980.patch ++
>From 170e0f792bd18ff031677890ba2fe50eb7a376c1 Mon Sep 17 00:00:00 2001
From: Mark Thomas 
Date: Tue, 29 Mar 2022 19:15:37 +0100
Subject: [PATCH] Improve the recycling of Processor objects to make it more
 robust.

---
 java/org/apache/coyote/AbstractProtocol.java  | 32 ++-
 .../tomcat/util/net/SocketWrapperBase.java| 17 +++---
 webapps/docs/changelog.xml|  4 +++
 3 files changed, 33 insertions(+), 20 deletions(-)

Index: apache-tomcat-9.0.43-src/java/org/apache/coyote/AbstractProtocol.java
===
--- apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/AbstractProtocol.java
+++ apache-tomcat-9.0.43-src/java/org/apache/coyote/AbstractProtocol.java
@@ -794,7 +794,11 @@ public abstract class AbstractProtocol socketWrapper) {
-Processor processor = (Processor) 
socketWrapper.getCurrentProcessor();
-socketWrapper.setCurrentProcessor(null);
+Processor processor = (Processor) 
socketWrapper.takeCurrentProcessor();
 release(processor);
 }
 
Index: 
apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/net/SocketWrapperBase.java
===
--- 
apache-tomcat-9.0.43-src.orig/java/org/apache/tomcat/util/net/SocketWrapperBase.java
+++ 
apache-tomcat-9.0.43-src/java/org/apache/tomcat/util/net/SocketWrapperBase.java
@@ -29,6 +29,7 @@ import java.util.concurrent.RejectedExec
 import java.util.concurrent.Semaphore;
 import java.util.concurrent.TimeUnit;
 import java.util.concurrent.atomic.AtomicBoolean;
+import java.util.concurrent.atomic.AtomicReference;
 
 import org.apache.juli.logging.Log;
 import org.apache.juli.logging.LogFactory;
@@ -104,10 +105,12 @@ public abstract class SocketWrapperBase<
 protected volatile OperationState writeOperation = null;
 
 /**
- * The org.apache.coyote.Processor instance currently associated
- * with the wrapper.
+ * The org.apache.coyote.Processor instance currently associated with the
+ * wrapper. Only populated when required to maintain wrapper<->Processor
+ * mapping between calls to
+ * {@link AbstractEndpoint.Handler#process(SocketWrapperBase, 
SocketEvent)}.
  */
-protected Object currentProcessor = null;
+private final AtomicReference currentProcessor = new 
AtomicReference<>();
 
 public SocketWrapperBase(E socket, AbstractEndpoint endpoint) {
 this.socket = socket;
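Review bot: `currentProcessor` changes from a `protected Object` field to a `private final AtomicReference`, which removes a field that subclasses of `SocketWrapperBase` could access directly. For a patch backported into a maintenance package, confirm that no subclass in the tree still reads or writes the field, and mention the visibility change in the patch header.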
@@ -134,11 +137,15 @@ public abstract class SocketWrapperBase<
 }
 
 public Object getCurrentProcessor() {
-return currentProcessor;
+return currentProcessor.get();
 }
 
 public void setCurrentProcessor(Object currentProc

commit tomcat for openSUSE:Factory

2022-07-14 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2022-07-14 16:34:22

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1523 (New)


Package is "tomcat"

Thu Jul 14 16:34:22 2022 rev:86 rq:989036 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2022-07-08 
14:03:10.742534977 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1523/tomcat.changes  2022-07-14 
16:34:48.076658751 +0200
@@ -1,0 +2,8 @@
+Wed Jul 13 13:41:43 UTC 2022 - Fridrich Strba 
+
+- Do not hardcode /usr/libexec but use %%_libexecdir during the
+  build
+  * Fixes for platforms, where /usr/libexec and %%_libexecdir are
+different
+
+---



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.RIm5Nb/_old  2022-07-14 16:34:48.820659483 +0200
+++ /var/tmp/diff_new_pack.RIm5Nb/_new  2022-07-14 16:34:48.828659491 +0200
@@ -385,12 +385,12 @@
-e "s|\@\@\@TCTEMP\@\@\@|%{tempdir}|g" \
-e "s|\@\@\@LIBDIR\@\@\@|%{_libdir}|g" %{SOURCE3} \
 > %{buildroot}%{_fillupdir}/sysconfig.%{name}
-install -m 0644 %{SOURCE4} \
-%{buildroot}%{_sbindir}/%{name}
-install -m 0644 %{SOURCE11} \
-%{buildroot}%{_unitdir}/%{name}.service
-install -m 0644 %{SOURCE20} \
-%{buildroot}%{_unitdir}/%{name}-jsvc.service
+sed -e "s|@LIBEXECDIR@|%{_libexecdir}|g" %{SOURCE4} \
+> %{buildroot}%{_sbindir}/%{name}
+sed -e "s|@LIBEXECDIR@|%{_libexecdir}|g" %{SOURCE11} \
+> %{buildroot}%{_unitdir}/%{name}.service
+sed -e "s|@LIBEXECDIR@|%{_libexecdir}|g" %{SOURCE20} \
+> %{buildroot}%{_unitdir}/%{name}-jsvc.service
 sed -e "s|\@\@\@TCLOG\@\@\@|%{logdir}|g" %{SOURCE5} \
 > %{buildroot}%{_sysconfdir}/logrotate.d/%{name}
 sed -e "s|\@\@\@TCHOME\@\@\@|%{homedir}|g" \
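Review bot: replacing `install -m 0644` with `sed ... >` in these three `+` pairs means the modes of `%{_sbindir}/%{name}` and the two unit files are no longer set explicitly and now depend on the build umask. Add a `chmod 0644` after each redirect, or set the mode with `%attr` in the %files section.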
@@ -402,14 +402,16 @@
-e "s|\@\@\@LIBDIR\@\@\@|%{_libdir}|g" %{SOURCE7} \
 > %{buildroot}%{_bindir}/%{name}-tool-wrapper
 
-install -m 0644 %{SOURCE21} \
-%{buildroot}%{_libexecdir}/%{name}/functions
-install -m 0755 %{SOURCE30} \
-%{buildroot}%{_libexecdir}/%{name}/preamble
-install -m 0755 %{SOURCE31} \
-%{buildroot}%{_libexecdir}/%{name}/server
-install -m 0644 %{SOURCE32} \
-%{buildroot}%{_unitdir}/%{name}@.service
+sed -e "s|@LIBEXECDIR@|%{_libexecdir}|g" %{SOURCE21} \
+> %{buildroot}%{_libexecdir}/%{name}/functions
+sed -e "s|@LIBEXECDIR@|%{_libexecdir}|g" %{SOURCE30} \
+> %{buildroot}%{_libexecdir}/%{name}/preamble
+chmod 0755 %{buildroot}%{_libexecdir}/%{name}/preamble
+sed -e "s|@LIBEXECDIR@|%{_libexecdir}|g" %{SOURCE31} \
+> %{buildroot}%{_libexecdir}/%{name}/server
+chmod 0755 %{buildroot}%{_libexecdir}/%{name}/server
+sed -e "s|@LIBEXECDIR@|%{_libexecdir}|g" %{SOURCE32} \
+> %{buildroot}%{_unitdir}/%{name}@.service
 
 ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rc%{name}
 ln -sf %{_sbindir}/service %{buildroot}/%{_sbindir}/rc%{name}-jsvc
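Review bot: `chmod 0755` is added for `preamble` and `server` only, so `functions` and `%{name}@.service` lose the explicit 0644 that `install -m 0644` gave them; set their mode explicitly as well. The same `sed -e "s|@LIBEXECDIR@|%{_libexecdir}|g"` call now appears seven times across this hunk and the previous one, so a small loop over source, target and mode would keep the substitution and the modes in one place.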


++ tomcat-9.0-jsvc.service ++
--- /var/tmp/diff_new_pack.RIm5Nb/_old  2022-07-14 16:34:48.900659562 +0200
+++ /var/tmp/diff_new_pack.RIm5Nb/_new  2022-07-14 16:34:48.904659566 +0200
@@ -14,8 +14,8 @@
 Type=simple
 EnvironmentFile=/etc/tomcat/tomcat.conf
 Environment="NAME=" "USE_JSVC=true"
-ExecStart=/usr/libexec/tomcat/server start
-ExecStop=/usr/libexec/tomcat/server stop
+ExecStart=@LIBEXECDIR@/tomcat/server start
+ExecStop=@LIBEXECDIR@/tomcat/server stop
 
 [Install]
 WantedBy=multi-user.target
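Review bot: `ExecStart` and `ExecStop` now hold an `@LIBEXECDIR@` placeholder that is only valid after the sed call in the spec has run. Add a build-time check that fails if `@LIBEXECDIR@` is still present in any installed file, for example a `grep -r` over `%{buildroot}` at the end of %install, so that a missed substitution cannot ship a unit that systemd refuses to start.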

++ tomcat-9.0.service ++
--- /var/tmp/diff_new_pack.RIm5Nb/_old  2022-07-14 16:34:48.960659621 +0200
+++ /var/tmp/diff_new_pack.RIm5Nb/_new  2022-07-14 16:34:48.960659621 +0200
@@ -14,8 +14,8 @@
 EnvironmentFile=/etc/tomcat/tomcat.conf
 Environment="NAME="
 EnvironmentFile=-/etc/sysconfig/tomcat
-ExecStart=/usr/libexec/tomcat/server start
-ExecStop=/usr/libexec/tomcat/server stop
+ExecStart=@LIBEXECDIR@/tomcat/server start
+ExecStop=@LIBEXECDIR@/tomcat/server stop
 SuccessExitStatus=143
 User=tomcat
 Group=tomcat


++ tomcat-9.0.wrapper ++
--- /var/tmp/diff_new_pack.RIm5Nb/_old  2022-07-14 16:34:48.980659641 +0200
+++ /var/tmp/diff_new_pack.RIm5Nb/_new  2022-07-14 16:34:48.984659645 +0200
@@ -1,7 +1,7 @@
 #!/bin/bash
 
 if [ "$1" = "version" ]; then
-  . /usr/libexec/tomcat/preamble
+  . @LIBEXECDIR@/tomcat/preamble
   exec ${JAVACMD} -classpath ${CATALINA_HOME}/lib/catalina.jar \
 org.apache.catalina.util.ServerInfo
 fi

++ tomcat-named.service ++
--- /var/tmp/diff_new_pack.RIm5Nb/_old  2022-07-14 16:34:49.012659673 +0200
+++ /var/tmp/diff_new_pack.RIm5Nb/_new  2022-07-14 16:34:49.012659673 +0200
@@ -15,8 +15,8 @@
 EnvironmentFile=/etc/tomcat/tomcat.conf
 Environment="NA

commit tomcat for openSUSE:Factory

2022-07-08 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2022-07-08 14:03:10

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1523 (New)


Package is "tomcat"

Fri Jul  8 14:03:10 2022 rev:85 rq:987800 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2022-05-24 
20:33:31.283034769 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1523/tomcat.changes  2022-07-08 
14:03:10.742534977 +0200
@@ -1,0 +2,11 @@
+Thu Jul  7 15:35:34 UTC 2022 - Fridrich Strba 
+
+- Fix bsc#1201081 by building with release=8 all files that can be
+  built this way. The one file remaining, build it with source=8 and
+  target=8
+- Modified patch:
+  * tomcat-9.0.43-java8compat.patch
++ Do not cast ByteBuffer to Buffer to call the Java 8 compatible
+  methods. Build with release=8 instead
+
+---



Other differences:
--

++ tomcat-9.0.43-java8compat.patch ++
 3453 lines (skipped)
 between /work/SRC/openSUSE:Factory/tomcat/tomcat-9.0.43-java8compat.patch
 and 
/work/SRC/openSUSE:Factory/.tomcat.new.1523/tomcat-9.0.43-java8compat.patch


commit tomcat for openSUSE:Factory

2022-05-24 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2022-05-24 20:33:30

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.2254 (New)


Package is "tomcat"

Tue May 24 20:33:30 2022 rev:84 rq:978763 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2022-04-08 
00:29:12.093321517 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.2254/tomcat.changes  2022-05-24 
20:33:31.283034769 +0200
@@ -126,0 +127,3 @@
+- Fixed CVEs:
+  * CVE-2020-13934 (bsc#1174121)
+  * CVE-2020-13935 (bsc#1174117)
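Review bot: these CVE lines are inserted at line 127, inside an older changelog entry, and the commit shows no other difference. State which update already contained the fixes, so that the retroactive edit can be checked against the sources.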



Other differences:
--


commit tomcat for openSUSE:Factory

2022-04-07 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2022-04-08 00:28:32

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1900 (New)


Package is "tomcat"

Fri Apr  8 00:28:32 2022 rev:83 rq:967588 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2022-02-23 
19:06:50.507288502 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1900/tomcat.changes  2022-04-08 
00:29:12.093321517 +0200
@@ -1,0 +2,6 @@
+Thu Apr  7 08:48:46 UTC 2022 - Michele Bussolotto 
+
+- Security hardening. Deprecate getResources() and always return null. 
(bsc#1198136)
+- Added patch: tomcat-9.0-hardening_getResources.patch
+
+---

New:

  tomcat-9.0-hardening_getResources.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.cHLjxH/_old  2022-04-08 00:29:12.937312001 +0200
+++ /var/tmp/diff_new_pack.cHLjxH/_new  2022-04-08 00:29:12.941311956 +0200
@@ -87,6 +87,7 @@
 Patch9: tomcat-9.0-CVE-2021-30640.patch
 Patch10:tomcat-9.0-NPE-JNDIRealm.patch
 Patch11:tomcat-9.0-CVE-2022-23181.patch
+Patch12:tomcat-9.0-hardening_getResources.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -264,6 +265,7 @@
 %patch9 -p1
 %patch10 -p1
 %patch11 -p1
+%patch12 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++ tomcat-9.0-hardening_getResources.patch ++
>From 8a904f6065080409a1e00606cd7bceec6ad8918c Mon Sep 17 00:00:00 2001
From: Mark Thomas 
Date: Wed, 30 Mar 2022 20:22:49 +0100
Subject: [PATCH] Security hardening. Deprecate getResources() and always
 return null.

This method is never used by Tomcat. If something accidentally exposes the
class loader then this method can be used to gain access to Tomcat
internals.
---
 .../apache/catalina/loader/WebappClassLoaderBase.java  |  7 ++-
 webapps/docs/changelog.xml | 10 ++
 2 files changed, 16 insertions(+), 1 deletion(-)
Index: 
apache-tomcat-9.0.43-src/java/org/apache/catalina/loader/WebappClassLoaderBase.java
===
--- 
apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/loader/WebappClassLoaderBase.java
+++ 
apache-tomcat-9.0.43-src/java/org/apache/catalina/loader/WebappClassLoaderBase.java
@@ -425,10 +425,15 @@ public abstract class WebappClassLoaderB
 // - Properties
 
 /**
+ * Unused. Always returns {@code null}.
+ *
  * @return associated resources.
+ *
+ * @deprecated This will be removed in Tomcat 10.1.x onwards
  */
+@Deprecated
 public WebResourceRoot getResources() {
-return this.resources;
+return null;
 }
 
 
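Review bot: the Javadoc still carries `@return associated resources.` directly under the new `Unused. Always returns {@code null}.`, so the two statements contradict each other; change the tag to `@return {@code null}`. The `@deprecated` text gives a removal version but no reason; a short pointer to the hardening rationale from the commit message would help anyone whose code starts to fail with a NullPointerException on the return value.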
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -106,6 +106,12 @@
 
   
 
+  
+ Effectively disable the
+ WebappClassLoaderBase.getResources() method as it is not
+ used and if something accidently exposes the class loader this method
+ can be used to gain access to Tomcat internals. (markt)
+  
   
 63508: NPE in JNDIRealm when no 
userRoleAttribute
 is given. (fschumacher)


commit tomcat for openSUSE:Factory

2022-02-23 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2022-02-23 19:06:49

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1958 (New)


Package is "tomcat"

Wed Feb 23 19:06:49 2022 rev:82 rq:957023 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2022-02-22 
21:19:03.918295867 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1958/tomcat.changes  2022-02-23 
19:06:50.507288502 +0100
@@ -1,0 +2,10 @@
+Wed Feb 23 11:57:30 UTC 2022 - Fridrich Strba 
+
+- Remove dependency on log4j/reload4j completely (bsc#1196137)
+
+---
+Tue Feb 22 19:00:25 UTC 2022 - Fridrich Strba 
+
+- Do not build against the log4j12 packages, use the new reload4j
+
+---

Old:

  tomcat-9.0-log4j.properties



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.AjXLW5/_old  2022-02-23 19:06:51.563288573 +0100
+++ /var/tmp/diff_new_pack.AjXLW5/_new  2022-02-23 19:06:51.567288573 +0100
@@ -57,7 +57,6 @@
 Source5:%{name}-%{major_version}.%{minor_version}.logrotate
 Source6:%{name}-%{major_version}.%{minor_version}-digest.script
 Source7:%{name}-%{major_version}.%{minor_version}-tool-wrapper.script
-Source10:   %{name}-%{major_version}.%{minor_version}-log4j.properties
 Source11:   %{name}-%{major_version}.%{minor_version}.service
 Source20:   %{name}-%{major_version}.%{minor_version}-jsvc.service
 Source21:   tomcat-functions
@@ -108,7 +107,6 @@
 BuildRequires:  java-devel >= 1.8
 BuildRequires:  javapackages-local
 BuildRequires:  junit
-BuildRequires:  log4j12
 BuildRequires:  pkgconfig
 BuildRequires:  sed
 BuildRequires:  systemd-rpm-macros
@@ -122,7 +120,6 @@
 Requires:   apache-commons-logging
 Requires:   apache-commons-pool2
 Requires:   java >= 1.8
-Requires:   log4j12
 Requires(post): %fillup_prereq
 Requires(pre):  %{_sbindir}/groupadd
 Requires(pre):  %{_sbindir}/useradd
@@ -366,7 +363,6 @@
 # First copy supporting libs to tomcat lib
 pushd output/build
 cp -a bin/*.{jar,xml} %{buildroot}%{bindir}
-cp %{SOURCE10} conf/log4j.properties
 cp -a conf/*.{policy,properties,xml} %{buildroot}%{confdir}
 cp -a lib/*.jar %{buildroot}%{libdir}
 cp -a webapps/* %{buildroot}%{tomcatappdir}
@@ -445,7 +441,6 @@
 rm -f commons-dbcp.jar
 ln -s $(build-classpath commons-dbcp2) commons-dbcp2.jar
 ln -s $(build-classpath commons-pool2) commons-pool2.jar
-ln -s $(build-classpath log4j12/log4j-12) log4j.jar
 ln -s $(build-classpath ecj/ecj) jasper-jdt.jar
 
 # Temporary copy the juli jar here from %%{_datadir}/java/tomcat (for 
maven depmap)
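Review bot: with the `log4j.jar` symlink removed here, and `cp %{SOURCE10} conf/log4j.properties` and `Requires: log4j12` removed in the hunks above, an installation that relied on the packaged log4j jar or configuration loses it on update without notice. The changelog entry should say so explicitly, and it is worth checking that no %files entry still lists `log4j.properties` or `log4j.jar`.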


commit tomcat for openSUSE:Factory

2022-02-22 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2022-02-22 21:18:24

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1958 (New)


Package is "tomcat"

Tue Feb 22 21:18:24 2022 rev:81 rq:956682 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2022-01-14 
23:14:32.422682064 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1958/tomcat.changes  2022-02-22 
21:19:03.918295867 +0100
@@ -1,0 +2,8 @@
+Fri Jan 28 14:01:40 UTC 2022 - Michele Bussolotto 
+
+- Fixed CVEs:
+  * CVE-2022-23181: Make calculation of session storage location more robust 
(bsc#1195255)
+- Added patches:
+  * tomcat-9.0-CVE-2022-23181.patch
+
+---

New:

  tomcat-9.0-CVE-2022-23181.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.V3k3Jj/_old  2022-02-22 21:19:04.834296036 +0100
+++ /var/tmp/diff_new_pack.V3k3Jj/_new  2022-02-22 21:19:04.834296036 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2021 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -87,6 +87,7 @@
 Patch8: tomcat-9.0-CVE-2021-33037.patch
 Patch9: tomcat-9.0-CVE-2021-30640.patch
 Patch10:tomcat-9.0-NPE-JNDIRealm.patch
+Patch11:tomcat-9.0-CVE-2022-23181.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -265,6 +266,7 @@
 %patch8 -p1
 %patch9 -p1
 %patch10 -p1
+%patch11 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++ tomcat-9.0-CVE-2022-23181.patch ++
>From 1385c624b4a1e994426e810075c850edc38a700e Mon Sep 17 00:00:00 2001
From: Mark Thomas 
Date: Wed, 12 Jan 2022 11:11:29 +
Subject: [PATCH] Make calculation of session storage location more robust

---
 java/org/apache/catalina/session/FileStore.java | 5 +++--
 webapps/docs/changelog.xml  | 4 
 2 files changed, 7 insertions(+), 2 deletions(-)

Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
===
--- 
apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/session/FileStore.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
@@ -349,13 +349,14 @@ public final class FileStore extends Sto
 
 String filename = id + FILE_EXT;
 File file = new File(storageDir, filename);
+File canonicalFile = file.getCanonicalFile();
 
 // Check the file is within the storage directory
-if 
(!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath()))
 {
+if 
(!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
 log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
 return null;
 }
 
-return file;
+return canonicalFile;
 }
 }
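Review bot: the patch touches only FileStore.java and changelog.xml, so nothing tests the new return value. Returning `canonicalFile` means the caller works on the same resolved path that the `startsWith` check validated, rather than on `file`, which is resolved again when it is used. Add a test with a session id that resolves outside `storageDir`, and extend the comment `// Check the file is within the storage directory` to say why the canonical form is what gets returned.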
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -118,6 +118,10 @@
 Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP 
SDK
 for Java. (markt)
   
+  
+Make the calculation of the session storage location more robust when
+using file based persistent storage. (markt)
+  
 
   
   


commit tomcat for openSUSE:Factory

2022-01-14 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2022-01-14 23:13:07

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1892 (New)


Package is "tomcat"

Fri Jan 14 23:13:07 2022 rev:80 rq:946292 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2021-12-12 
21:28:34.160375656 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1892/tomcat.changes  2022-01-14 
23:14:32.422682064 +0100
@@ -1,0 +2,5 @@
+Mon Jan 10 16:16:16 UTC 2022 - o...@aepfle.de
+
+- remove instance units from post scripts, they can not be reloaded
+
+---



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.3g8pAS/_old  2022-01-14 23:14:33.218682577 +0100
+++ /var/tmp/diff_new_pack.3g8pAS/_new  2022-01-14 23:14:33.222682580 +0100
@@ -596,7 +596,6 @@
 
 %post
 %service_add_post %{name}.service
-%service_add_post %{name}@.service
 %{fillup_only %{name}}
 
 %preun
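Review bot: only the `%post` scriptlet is changed here. If `%{name}@.service` is also passed to `%service_add_pre`, `%service_del_preun` or `%service_del_postun` in the other scriptlets, the changelog reason ("they can not be reloaded") needs checking there too; either drop it from those in the same change or note why `%post` alone is affected.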


commit tomcat for openSUSE:Factory

2021-12-12 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2021-12-12 21:27:48

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.2520 (New)


Package is "tomcat"

Sun Dec 12 21:27:48 2021 rev:79 rq:940058 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2021-11-10 
21:47:20.695834900 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.2520/tomcat.changes  2021-12-12 
21:28:34.160375656 +0100
@@ -1,0 +2,7 @@
+Fri Dec 10 11:20:54 UTC 2021 - Michele Bussolotto 
+
+- Fix NPE in JNDIRealm, when userRoleAttribute is not set (bsc#1193569)
+- Added patch:
+  * tomcat-9.0-NPE-JNDIRealm.patch
+
+---

New:

  tomcat-9.0-NPE-JNDIRealm.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.dbjeYU/_old  2021-12-12 21:28:35.276376317 +0100
+++ /var/tmp/diff_new_pack.dbjeYU/_new  2021-12-12 21:28:35.280376319 +0100
@@ -86,6 +86,7 @@
 Patch7: tomcat-9.0-CVE-2021-41079.patch
 Patch8: tomcat-9.0-CVE-2021-33037.patch
 Patch9: tomcat-9.0-CVE-2021-30640.patch
+Patch10:tomcat-9.0-NPE-JNDIRealm.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -263,6 +264,7 @@
 %patch7 -p1
 %patch8 -p1
 %patch9 -p1
+%patch10 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++ tomcat-9.0-NPE-JNDIRealm.patch ++
Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/realm/JNDIRealm.java
===
--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/realm/JNDIRealm.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/realm/JNDIRealm.java
@@ -2805,6 +2805,9 @@ public class JNDIRealm extends RealmBase
  * @return String the escaped/encoded result
  */
 protected String doFilterEscaping(String inString) {
+if (inString == null) {
+return null;
+}
 StringBuilder buf = new StringBuilder(inString.length());
 for (int i = 0; i < inString.length(); i++) {
 char c = inString.charAt(i);
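Review bot: `doFilterEscaping` now returns null for null input, but the Javadoc `@return String the escaped/encoded result` does not say so. Document the null case and check each caller: a null result concatenated into a filter string becomes the literal text "null" instead of failing, which hides the missing attribute. The same applies to the guard added to `doAttributeValueEscaping` in the next hunk.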
@@ -2897,6 +2900,9 @@ public class JNDIRealm extends RealmBase
  * @return  The string representation of the attribute value
  */
 protected String doAttributeValueEscaping(String input) {
+if (input == null) {
+return null;
+}
 int len = input.length();
 StringBuilder result = new StringBuilder();
 
Index: 
apache-tomcat-9.0.43-src/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
===
--- 
apache-tomcat-9.0.43-src.orig/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
+++ 
apache-tomcat-9.0.43-src/test/org/apache/catalina/realm/TestJNDIRealmIntegration.java
@@ -56,26 +56,33 @@ public class TestJNDIRealmIntegration {
 @Parameterized.Parameters(name = "{index}: user[{5}], pwd[{6}]")
 public static Collection parameters() {
 List parameterSets = new ArrayList<>();
-for (String roleSearch : new String[] { ROLE_SEARCH_A, ROLE_SEARCH_B, 
ROLE_SEARCH_C }) {
-addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, 
parameterSets);
-addUsers(null, USER_SEARCH, USER_BASE, roleSearch, ROLE_BASE, 
parameterSets);
+for (String userRoleAttribute : new String[] { "cn", null }) {
+for (String roleSearch : new String[] { ROLE_SEARCH_A, 
ROLE_SEARCH_B, ROLE_SEARCH_C }) {
+if (userRoleAttribute != null) {
+addUsers(USER_PATTERN, null, null, roleSearch, ROLE_BASE, 
userRoleAttribute, parameterSets);
+addUsers(null, USER_SEARCH, USER_BASE, roleSearch, 
ROLE_BASE, userRoleAttribute, parameterSets);
+}
+}
+parameterSets.add(new Object[] { 
"cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A,
+"{3},ou=people,dc=example,dc=com", "testsub", "test", new 
String[] { "TestGroup4" },
+userRoleAttribute });
 }
-parameterSets.add(new Object[] { 
"cn={0},ou=s\\;ub,ou=people,dc=example,dc=com", null, null, ROLE_SEARCH_A,
-"{3},ou=people,dc=example,dc=com", "testsub", "test", new 
String[] {"TestGroup4"} });
 return parameterSets;
 }
 
 
 private static void addUsers(String userPattern, String userSearch, String 
userBase, String roleSearch,
-String roleBase, List parameterSets) {
+String roleBase, String userRoleAttribute, List 
parameterSets) {
  
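Review bot: in `parameters()` the `addUsers(...)` calls sit inside `if (userRoleAttribute != null)`, so for the null case the inner `roleSearch` loop does nothing and only the single `testsub` parameter set runs. If the null `userRoleAttribute` path is meant to be covered for USER_PATTERN and USER_SEARCH as well, drop the guard; if not, move the `if` outside the inner loop so the intent is visible.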

commit tomcat for openSUSE:Factory

2021-11-10 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2021-11-10 21:46:39

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1890 (New)


Package is "tomcat"

Wed Nov 10 21:46:39 2021 rev:78 rq:930612 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2021-10-21 
23:55:17.772018384 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1890/tomcat.changes  2021-11-10 
21:47:20.695834900 +0100
@@ -1,0 +2,25 @@
+Wed Nov 10 06:51:24 UTC 2021 - Fridrich Strba 
+
+- Modified patch:
+  * tomcat-9.0-osgi-build.patch
++ account for biz.aQute.bnd.ant artifact in aqute-bnd >= 5.2.0
+
+---
+Fri Oct 29 11:15:32 UTC 2021 - Michele Bussolotto 
+
+- Fixed CVEs:
+  * CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279)
+  * CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1. 
clients (bsc#1188278)
+- Added patches:
+  * tomcat-9.0-CVE-2021-30640.patch
+  * tomcat-9.0-CVE-2021-33037.patch
+
+---
+Thu Oct 28 08:33:07 UTC 2021 - Michele Bussolotto 
+
+- Fixed CVEs:
+  * CVE-2021-41079: Validate incoming TLS packet (bsc#1190558)
+- Added patches:
+  * tomcat-9.0-CVE-2021-41079.patch
+
+---

New:

  tomcat-9.0-CVE-2021-30640.patch
  tomcat-9.0-CVE-2021-33037.patch
  tomcat-9.0-CVE-2021-41079.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.PfPRWw/_old  2021-11-10 21:47:21.531835264 +0100
+++ /var/tmp/diff_new_pack.PfPRWw/_new  2021-11-10 21:47:21.535835266 +0100
@@ -83,6 +83,9 @@
 Patch5: tomcat-9.0.43-java8compat.patch
 # PATCH-FIX-OPENSUSE: set ajp connector secreteRequired to false by default to 
avoid tomcat not starting
 Patch6: tomcat-9.0.31-secretRequired-default.patch
+Patch7: tomcat-9.0-CVE-2021-41079.patch
+Patch8: tomcat-9.0-CVE-2021-33037.patch
+Patch9: tomcat-9.0-CVE-2021-30640.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
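Review bot: Patch7 to Patch9 are added without the tag comment that Patch5 and Patch6 directly above carry (`# PATCH-FIX-OPENSUSE: ...`). Add a `# PATCH-FIX-UPSTREAM` line with the bsc number from the changelog for each, so the origin and the reason for carrying the patch can be read from the spec.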
@@ -90,8 +93,8 @@
 BuildRequires:  apache-commons-daemon
 BuildRequires:  apache-commons-dbcp >= 2.0
 BuildRequires:  apache-commons-pool2
-BuildRequires:  aqute-bnd >= 5.1.1
-BuildRequires:  aqute-bndlib >= 5.1.1
+BuildRequires:  aqute-bnd >= 5.2
+BuildRequires:  aqute-bndlib >= 5.2
 BuildRequires:  ecj >= 4.4.0
 BuildRequires:  fdupes
 BuildRequires:  findutils
@@ -257,6 +260,9 @@
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
+%patch7 -p1
+%patch8 -p1
+%patch9 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl
@@ -293,6 +299,7 @@
 -Dwsdl4j-lib.jar="$(build-classpath wsdl4j)" \
 -Dsaaj-api.jar="$(build-classpath geronimo-saaj-1.1-api)" \
 -Dbnd.jar="$(build-classpath aqute-bnd/biz.aQute.bnd)" \
+-Dbndant.jar="$(build-classpath aqute-bnd/biz.aQute.bnd.ant)" \
 -Dbndlib.jar="$(build-classpath aqute-bnd/biz.aQute.bndlib)" \
 -Dbndlibg.jar="$(build-classpath aqute-bnd/aQute.libg)" \
 -Dbndannotation.jar="$(build-classpath 
aqute-bnd/biz.aQute.bnd.annotation)" \


++ tomcat-9.0-CVE-2021-30640.patch ++
 2666 lines (skipped)

++ tomcat-9.0-CVE-2021-33037.patch ++
Index: 
apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11Processor.java
===
--- 
apache-tomcat-9.0.43-src.orig/java/org/apache/coyote/http11/Http11Processor.java
+++ apache-tomcat-9.0.43-src/java/org/apache/coyote/http11/Http11Processor.java
@@ -212,11 +212,8 @@ public class Http11Processor extends Abs
 
 // Parsing trims and converts to lower case.
 
-if (encodingName.equals("identity")) {
-// Skip
-} else if (encodingName.equals("chunked")) {
-inputBuffer.addActiveFilter
-(inputFilters[Constants.CHUNKED_FILTER]);
+if (encodingName.equals("chunked")) {
+
inputBuffer.addActiveFilter(inputFilters[Constants.CHUNKED_FILTER]);
 contentDelimitation = true;
 } else {
 for (int i = pluggableFilterIndex; i < inputFilters.length; i++) {
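Review bot: removing the `identity` branch sends a request with `Transfer-Encoding: identity` into the `else` branch and its pluggable-filter loop. The hunk does not show what happens when no filter matches; confirm that case ends in a rejected request rather than the body being read without a delimiter, and cover it with a test.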
@@ -753,13 +750,14 @@ public class Http11Processor extends Abs
 InputFilter[] inputFilters = inputBuffer.getFilters();
 
 // Parse transfer-encoding header
-if (http11) {
+// HTTP specs say an HTTP 1.1 server should accept any recognised
+// HTTP 1.x header from a 1.x client unless the specs says otherwise.
+if (!http09) {
 MessageBytes transferEncodingValueMB = 
headers.getValue(

commit tomcat for openSUSE:Factory

2021-10-21 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2021-10-21 23:55:15

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.1890 (New)


Package is "tomcat"

Thu Oct 21 23:55:15 2021 rev:77 rq:926588 version:9.0.43

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2021-03-24 
16:15:57.268128013 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.1890/tomcat.changes  2021-10-21 
23:55:17.772018384 +0200
@@ -1,0 +2,26 @@
+Mon Oct 18 21:42:48 UTC 2021 - Marcel Witte 
+
+- Update to Tomcat 9.0.43. See changelog at
+  https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.43_(markt)
+- Removed Patches because fixed upstream now:
+  * tomcat-9.0-CVE-2021-25122.patch
+  * tomcat-9.0-CVE-2021-25329.patch
+- Rebased patch:
+  tomcat-9.0.39-java8compat.patch -> tomcat-9.0.43-java8compat.patch
+
+---
+Mon Oct 18 18:26:39 UTC 2021 - Marcel Witte 
+
+- Update to Tomcat 9.0.41. See changelog at
+  https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.41_(markt)
+
+---
+Mon Oct 18 13:05:17 UTC 2021 - Marcel Witte 
+
+- Update to Tomcat 9.0.40. See changelog at
+  https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.40_(markt)
+- Removed Patches because fixed upstream now:
+  * tomcat-9.0-CVE-2020-17527.patch
+  * tomcat-9.0-CVE-2021-24122.patch
+
+---
@@ -16,0 +43,26 @@
+
+---
+Mon Mar 15 21:42:07 UTC 2021 - Marcel Witte 
+
+- Update to Tomcat 9.0.39. See changelog at
+  https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.39_(markt)
+- Rebased patches:
+  * tomcat-9.0.38-java8compat.patch -> tomcat-9.0.39-java8compat.patch
+
+---
+Mon Mar 15 14:57:39 UTC 2021 - Marcel Witte 
+
+- Update to Tomcat 9.0.38. See changelog at
+  https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.38_(markt)
+- Rebased patches:
+  * tomcat-9.0.37-java8compat.patch -> tomcat-9.0.38-java8compat.patch
+- Removed tomcat-9.0-CVE-2020-13943.patch because that fix is upstream now
+
+---
+Mon Feb 22 08:56:03 UTC 2021 - Marcel Witte 
+
+- Update to Tomcat 9.0.37. See changelog at
+  https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.37_(markt)
+- Rebased patches:
+  * tomcat-9.0-osgi-build.patch
+  * tomcat-9.0.31-java8compat.patch -> tomcat-9.0.37-java8compat.patch

Old:

  apache-tomcat-9.0.36-src.tar.gz
  apache-tomcat-9.0.36-src.tar.gz.asc
  tomcat-9.0-CVE-2020-13943.patch
  tomcat-9.0-CVE-2020-17527.patch
  tomcat-9.0-CVE-2021-24122.patch
  tomcat-9.0-CVE-2021-25122.patch
  tomcat-9.0-CVE-2021-25329.patch
  tomcat-9.0.31-java8compat.patch

New:

  apache-tomcat-9.0.43-src.tar.gz
  apache-tomcat-9.0.43-src.tar.gz.asc
  tomcat-9.0.43-java8compat.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.aL6psb/_old  2021-10-21 23:55:18.692018857 +0200
+++ /var/tmp/diff_new_pack.aL6psb/_new  2021-10-21 23:55:18.696018859 +0200
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2021 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 36
+%define micro_version 43
 %define packdname apache-tomcat-%{version}-src
 %define serverxmltool_version 1.0
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
@@ -80,14 +80,9 @@
 # PATCH-FIX-OPENSUSE: include all necessary aqute-bnd jars
 Patch4: tomcat-9.0-osgi-build.patch
 # PATCH-FIX-OPENSUSE: cast ByteBuffer to Buffer in cases where there is a risk 
of using Java 9+ apis
-Patch5: tomcat-9.0.31-java8compat.patch
+Patch5: tomcat-9.0.43-java8compat.patch
 # PATCH-FIX-OPENSUSE: set ajp connector secreteRequired to false by default to 
avoid tomcat not starting
 Patch6: tomcat-9.0.31-secretRequired-default.patch
-Patch7: tomcat-9.0-CVE-2020-13943.patch
-Patch8: tomcat-9.0-CVE-2020-17527.patch
-Patch9: tomcat-9.0-CVE-2021-24122.patch
-Patch10:tomcat-9.0-CVE-2021-25122.patch
-Patch11:tomcat-9.0-CVE-2021-25329.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -95,8 +90,8 

commit tomcat for openSUSE:Factory

2021-03-19 Thread Source-Sync
Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2021-03-19 16:42:50

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.2401 (New)


Package is "tomcat"

Fri Mar 19 16:42:50 2021 rev:75 rq:880011 version:9.0.36

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2021-01-13 
18:35:25.834434783 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat.new.2401/tomcat.changes  2021-03-19 
16:43:04.574107523 +0100
@@ -1,0 +2,7 @@
+Wed Mar 17 16:16:52 UTC 2021 - Abid Mehmood 
+
+- Log if file access is blocked due to symlinks: CVE-2021-24122 (bsc#1180947) 
+- Added patch:
+  * tomcat-9.0-CVE-2021-24122.patch
+
+---

New:

  tomcat-9.0-CVE-2021-24122.patch



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.3jvFrg/_old  2021-03-19 16:43:05.558108851 +0100
+++ /var/tmp/diff_new_pack.3jvFrg/_new  2021-03-19 16:43:05.562108857 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2020 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2021 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -85,6 +85,7 @@
 Patch6: tomcat-9.0.31-secretRequired-default.patch
 Patch7: tomcat-9.0-CVE-2020-13943.patch
 Patch8: tomcat-9.0-CVE-2020-17527.patch
+Patch9: tomcat-9.0-CVE-2021-24122.patch
 
 BuildRequires:  ant >= 1.8.1
 BuildRequires:  ant-antlr
@@ -162,7 +163,7 @@
 Summary:Expression Language v3.0 API
 Group:  Development/Libraries/Java
 Requires(post): update-alternatives
-Requires(preun): update-alternatives
+Requires(preun):update-alternatives
 Provides:   %{name}-el-%{elspec}-api = %{version}-%{release}
 Provides:   el_3_0_api = %{version}-%{release}
 Provides:   el_api = %{elspec}
@@ -186,7 +187,7 @@
 Requires:   mvn(org.apache.tomcat:tomcat-el-api)
 Requires:   mvn(org.apache.tomcat:tomcat-servlet-api)
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 Provides:   %{name}-jsp-%{jspspec}-api
 Provides:   jsp = %{jspspec}
 Provides:   jsp23
@@ -214,7 +215,7 @@
 Requires:   %{name}-jsp-%{jspspec}-api = %{version}-%{release}
 Requires:   %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Requires(post): ecj >= 4.4
-Requires(preun): coreutils
+Requires(preun):coreutils
 Provides:   jakarta-commons-dbcp-tomcat5 = 1.4
 Obsoletes:  jakarta-commons-dbcp-tomcat5 < 1.4
 
@@ -225,7 +226,7 @@
 Summary:Apache Tomcat Servlet API implementation classes
 Group:  Productivity/Networking/Web/Servers
 Requires(post): update-alternatives
-Requires(postun): update-alternatives
+Requires(postun):update-alternatives
 Provides:   %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Provides:   servlet = %{servletspec}
 Provides:   servlet31
@@ -261,6 +262,7 @@
 %patch6 -p1
 %patch7 -p1
 %patch8 -p1
+%patch9 -p1
 
 # remove date from docs
 sed -i -e '/build-date/ d' webapps/docs/tomcat-docs.xsl


++ tomcat-9.0-CVE-2021-24122.patch ++
Index: 
apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
===
--- 
apache-tomcat-9.0.36-src.orig/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ 
apache-tomcat-9.0.36-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
 import java.net.URL;
 
 import org.apache.catalina.LifecycleException;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.compat.JrePlatform;
 import org.apache.tomcat.util.http.RequestUtil;
 
 public abstract class AbstractFileResourceSet extends AbstractResourceSet {
 
+private static final Log log = 
LogFactory.getLog(AbstractFileResourceSet.class);
+
 protected static final String[] EMPTY_STRING_ARRAY = new String[0];
 
 private File fileBase;
@@ -128,6 +132,19 @@ public abstract class AbstractFileResour
 canPath = normalize(canPath);
 }
 if (!canPath.equals(absPath)) {
+if (!canPath.equalsIgnoreCase(absPath)) {
+// Typically means symlinks are in use but being ignored. Given
+// the symlink was likely created for a reason, log a warning
+// that it was ignored.
+String msg = 
sm.getString("abstractFileResourceSet.canonicalfileCheckFa
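Review bot: the warning added inside `if (!canPath.equalsIgnoreCase(absPath))` runs on every lookup that hits an ignored symlink, so a frequently requested path produces one log line per request. Log it once per path, or drop to a lower level after the first occurrence, so that remote requests cannot inflate the log.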

commit tomcat for openSUSE:Factory

2020-12-04 Thread User for buildservice source handling
Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked 
in at 2020-12-04 21:27:50

Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and  /work/SRC/openSUSE:Factory/.tomcat.new.5913 (New)


Package is "tomcat"

Fri Dec  4 21:27:50 2020 rev:73 rq:845778 version:9.0.36

Changes:

--- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes2020-10-14 
15:41:03.382401462 +0200
+++ /work/SRC/openSUSE:Factory/.tomcat.new.5913/tomcat.changes  2020-12-04 
21:27:52.350071839 +0100
@@ -1,0 +2,19 @@
+Tue Nov  3 10:08:03 UTC 2020 - Matei Albu 
+
+- Add source url for tomcat-serverxml-tool
+- Fix typo in tomcat-webapps %postun that caused /examples
+  context to remain in server.xml when package was removed
+- Remove tomcat-9.0.init and /usr/lib/tmpfiles.d/tomcat.conf from
+  package. They're not used anymore becuse of systemd (bsc#1178396)
+
+---
+Fri Oct 30 17:05:52 UTC 2020 - Matei Albu 
+
+- Fix tomcat-servlet-4_0-api package alternatives to use
+  /usr/share/java/servlet.jar instead of /usr/share/java/tomcat-servlet.jar.
+  Keep /usr/share/java/tomcat-servlet.jar symlink for compatibility. 
+  (bsc#1092163) 
+- Change default file ownership in tomcat-webapps from 
+  tomcat:tomcat to root:tomcat
+
+---
@@ -8,0 +28,9 @@
+
+---
+Tue Oct 13 10:47:39 UTC 2020 - Jan Engelhardt 
+
+- Replace old specfile constructs. Remove support for SUSE 11.x.
+- Drop %systemd_requires, which is considered a no-op.
+- Trim redundant license mention from description.
+- Make documentation noarch.
+- Do not suppress errors from useradd.

Old:

  tomcat-9.0.init
  tomcat-serverxml-tool.tar.gz

New:

  tomcat-serverxml-tool-1.0.tar.gz



Other differences:
--
++ tomcat.spec ++
--- /var/tmp/diff_new_pack.lNf5Of/_old  2020-12-04 21:27:53.242073119 +0100
+++ /var/tmp/diff_new_pack.lNf5Of/_new  2020-12-04 21:27:53.242073119 +0100
@@ -24,6 +24,7 @@
 %define minor_version 0
 %define micro_version 36
 %define packdname apache-tomcat-%{version}-src
+%define serverxmltool_version 1.0
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}
 %define appdir %{basedir}/webapps
@@ -51,7 +52,6 @@
 URL:https://tomcat.apache.org
 Source0:
https://archive.apache.org/dist/tomcat/tomcat-%{major_version}/v%{version}/src/%{packdname}.tar.gz
 Source1:%{name}-%{major_version}.%{minor_version}.conf
-Source2:%{name}-%{major_version}.%{minor_version}.init
 Source3:%{name}-%{major_version}.%{minor_version}.sysconfig
 Source4:%{name}-%{major_version}.%{minor_version}.wrapper
 Source5:%{name}-%{major_version}.%{minor_version}.logrotate
@@ -64,7 +64,7 @@
 Source30:   tomcat-preamble
 Source31:   tomcat-server
 Source32:   tomcat-named.service
-Source33:   tomcat-serverxml-tool.tar.gz
+Source33:   
https://gitlab.suse.de/galaxy/tomcat-serverxml-tool/-/archive/%{serverxmltool_version}/tomcat-serverxml-tool-%{serverxmltool_version}.tar.gz
 Source34:   tomcat-serverxml-tool.sh.in
 Source1000: tomcat-rpmlintrc
 Source1001: 
https://archive.apache.org/dist/tomcat/tomcat-%{major_version}/v%{version}/src/%{packdname}.tar.gz.asc
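Review bot: The new Source33 line points at an auto-generated archive URL on gitlab.suse.de and has no detached signature or checksum next to it, whereas Source0 is paired with the .asc in Source1001. Please confirm that the host is reachable for anyone who needs to re-fetch and compare the tarball. Consider publishing a signature or recording a digest for tomcat-serverxml-tool-%{serverxmltool_version}.tar.gz so the source can be verified independently of the build service copy.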
@@ -125,7 +125,6 @@
 Recommends: libtcnative-1-0 >= 1.1.24
 Recommends: logrotate
 BuildArch:  noarch
-%systemd_requires
 
 %description
 Tomcat is the servlet container that is used in the official Reference
@@ -133,11 +132,6 @@
 The Java Servlet and JavaServer Pages specifications are developed by
 Sun under the Java Community Process.
 
-Tomcat is developed in an open and participatory environment and
-released under the Apache Software License version 2.0. Tomcat is
-intended to be a collaboration of the best-of-breed developers from
-around the world.
-
 ATTENTION: This tomcat is built with java 1.8.0.
 
 %package admin-webapps
@@ -180,6 +174,7 @@
 %package javadoc
 Summary:Javadoc generated documentation for Apache Tomcat
 Group:  Documentation/HTML
+BuildArch:  noarch
 
 %description javadoc
 Javadoc generated documentation files for Apache Tomcat.
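Review bot: The added "BuildArch: noarch" in the javadoc subpackage preamble looks redundant, because the main package preamble already declares "BuildArch: noarch" (visible as context in the @@ -125,7 hunk) and a noarch main package makes its subpackages noarch as well. If some build configuration makes the main package arch-specific, a short spec comment saying so would justify the line; otherwise it can be dropped.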
@@ -323,15 +318,12 @@
 popd
 popd
 
-pushd %{_builddir}/tomcat-serverxml-tool
+pushd %{_builddir}/tomcat-serverxml-tool-%{serverxmltool_version}/src
 javac -source %{javac_target} -target %{javac_target} 
com/suse/tcserverxml/ApplyStylesheet.java
-jar cfe serverxmltool.jar com.suse.tcserverxml.ApplyStylesheet 
com/suse/tcserverxml/ApplyStylesheet.class 
com/suse/tcserverxml/add-context.xslt com/suse/tcserverxml/remove-context.xslt
+jar cfe 
%{_builddir}/t