commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2024-07-10 16:49:44 Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old) and /work/SRC/openSUSE:Factory/.tomcat10.new.2080 (New) Package is "tomcat10" Wed Jul 10 16:49:44 2024 rev:11 rq:1186460 version:10.1.25 Changes: --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-04-07 22:13:29.131037286 +0200 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.2080/tomcat10.changes 2024-07-10 16:49:45.808164318 +0200 
@@ -1,0 +2,160 @@ +Tue Jul 9 12:52:37 UTC 2024 - Ricardo Mestre + +- Update to Tomcat 10.1.25 + * Fixed CVEs: ++ CVE-2024-34750: Improper handling of exceptional conditions + (bsc#1227399) + * Catalina ++ Add: Add support for shallow copies when using WebDAV. (markt) ++ Code: Deprecate the WebdavFixFilter as it is no longer required. (markt) ++ Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64. + Submitted by Daniel Lyko. (remm) ++ Add: Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for + retrieving extended/additional information from an established GSS + context. (michaelo) ++ Fix: Correct a regression in the fix for 68721 that caused some instances + of LinkageError to be reported as ClassNotFoundException. (markt) ++ Fix: Ensure that static resources deployed via a JAR file remain + accessible when the context is configured to use a bloom filter. Based on + pull request #730 provided by bergander. (markt) ++ Add: Introduce reference counting so the AprLifecycleListener is more + robust. This particularly targets more complex embedded configurations + with multiple server instances with independent lifecycles where more than + one server instance requires the AprLifecycleListener. (markt) ++ Add: Small performance optimization when logging cookies with no values. + (schultz) ++ Fix: Correct error handling for asynchronous requests. If the application + performs an dispatch during AsyncListener.onError() the dispatch is now + performed rather than completing the request using the error page + mechanism. (markt) ++ Add: Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a + customizable style. (schultz) ++ Add: Add more timescale options to AccessLogValve and + ExtendedAccessLogValve. Allow timescales to apply to "time-taken" token in + ExtendedAccessLogValve. (schultz) ++ Fix: Fix WebDAV lock null (locks for non existing resources) thread safety + and removal. 
(remm) ++ Fix: Add periodic checking for WebDAV locks expiration. (remm) ++ Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo) ++ Fix: Remove MBean metadata for attibutes that have been removed. Based on + pull request #719 by Shawn Q. (markt) ++ Update: Deprecate and remove sessionCounter (replaced by the addition of + the active session count and the expired session count, as a reasonable + approximation) and duplicates (which does not represent a possible event + in current implementations) statistics from the session manager. (remm) ++ Fix: 68890 Align output encoding of JSPs in the Manager webapp with the + XML declarations in those same files. (schultz) ++ Fix: Update Basic authentication to implement the requirements of RFC 7617 + including the changing of the trimCredentials setting which is now + defaults to false. Note that the trimCredentials setting will be removed + in Tomcat 11. (markt) ++ Fix: Change the thread-safety mechanism for protecting + StandardServer.services from a simple synchronized lock to a + ReentrantReadWriteLock to allow multiple readers to operate + simultaneously. Based upon a suggestion by Markus Wolfe. (schultz) ++ Fix: Improve Service connectors, Container children and Service executors + access sync using a ReentrantReadWriteLock. (remm) ++ Fix: Improve handling of integer overflow if an attempt is made to upload + a file via the Servlet API and the file is larger than + Integer.MAX_VALUE. (markt) ++ Fix: 68862: Handle possible response commit when processing read errors. + (remm) + * Jasper ++ Fix: 68546: Small additional optimisation for initial loading of Servlet + code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt) ++ Add: Add support for specifying Java 23 (with the value 23) as the + compiler source and/or compiler target for JSP compilation. If used with + an Eclipse JDT compiler version that does not support these values, a + warning will be logged and the default will used. 
(markt) + * Web applications +
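Review bot: The Basic authentication entry in the Catalina list changes a default ("trimCredentials ... now defaults to false") but is buried in the middle of the Fix items, where someone upgrading is unlikely to notice it. Move it up next to the CVE line or mark it as a behaviour change. The imported text also has typos worth fixing in the same pass: "attibutes", "performs an dispatch", "which is now defaults to false" and "the default will used".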
commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2024-03-06 23:05:25 Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old) and /work/SRC/openSUSE:Factory/.tomcat10.new.1770 (New) Package is "tomcat10" Wed Mar 6 23:05:25 2024 rev:9 rq:1155429 version:10.1.18 Changes: --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-03-05 18:50:13.608095019 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.1770/tomcat10.changes 2024-03-06 23:05:57.16700 +0100 @@ -1,0 +2,5 @@ +Wed Mar 6 07:18:06 UTC 2024 - Dan Äermák + +- Add missing Requires(post): util-linux to have runuser into post + +--- Other differences: -- ++ tomcat10.spec ++ --- /var/tmp/diff_new_pack.ozH5Ji/_old 2024-03-06 23:05:58.160442681 +0100 +++ /var/tmp/diff_new_pack.ozH5Ji/_new 2024-03-06 23:05:58.164442827 +0100 @@ -131,16 +131,18 @@ Requires: apache-commons-pool2 Requires: jakarta-servlet Requires: java >= %{java_version} +Requires: libtcnative-1-0 >= 1.2.38 +Requires: logrotate Requires(post): %fillup_prereq Requires(post): libxslt-tools +# for runuser +Requires(post): util-linux Requires(pre): shadow -Requires: libtcnative-1-0 >= 1.2.38 -Requires: logrotate %systemd_ordering -BuildArch: noarch Conflicts: %{app_name} Provides: group(tomcat) Provides: user(tomcat) +BuildArch: noarch %description Tomcat is the servlet container that is used in the official Reference @@ -155,6 +157,8 @@ Group: Productivity/Networking/Web/Servers Requires: %{name} = %{version}-%{release} Requires(post): libxslt-tools +# for runuser +Requires(post): util-linux Conflicts: %{app_name}-admin-webapps %description admin-webapps @@ -173,6 +177,8 @@ Group: Productivity/Networking/Web/Servers Requires: %{name} = %{version}-%{release} Requires(post): libxslt-tools +# for runuser +Requires(post): util-linux Conflicts: %{app_name}-docs-webapp %description docs-webapp 
@@ -183,12 +189,12 @@ Group: Development/Libraries/Java Requires(post): update-alternatives Requires(preun): update-alternatives +Conflicts: %{app_name}-el-3_0-api < %{version} Provides: %{app_name}-el-%{elspec}-api = %{version}-%{release} Provides: el_%{elspec_major}_%{elspec_minor}_api = %{version}-%{release} Provides: el_api = %{elspec} Obsoletes: %{app_name}-el-2_2-api < %{version} Obsoletes: el_api < %{elspec} -Conflicts: %{app_name}-el-3_0-api < %{version} %description el-%{elspec_major}_%{elspec_minor}-api Expression Language API version %{elspec}. @@ -196,8 +202,8 @@ %package doc Summary:Javadoc generated documentation for Apache Tomcat Group: Documentation/HTML -BuildArch: noarch Conflicts: %{app_name}-javadoc +BuildArch: noarch %description doc Javadoc generated documentation files for Apache Tomcat. @@ -207,12 +213,12 @@ Group: Productivity/Networking/Web/Servers Requires(post): update-alternatives Requires(postun): update-alternatives +Conflicts: %{app_name}-jsp-2_3-api < %{version} Provides: %{app_name}-jsp-%{jspspec}-api Provides: jsp = %{jspspec} Provides: jsp%{jspspec_major}%{jspspec_minor} Obsoletes: %{app_name}-jsp-2_2-api < %{version} Obsoletes: jsp < %{jspspec} -Conflicts: %{app_name}-jsp-2_3-api < %{version} %description jsp-%{jspspec_major}_%{jspspec_minor}-api Apache Tomcat JSP API implementation classes version %{jspspec} @@ -222,8 +228,8 @@ Group: Productivity/Networking/Web/Servers Requires: %{name} = %{version}-%{release} Requires: apache-commons-daemon-jsvc -%systemd_ordering Conflicts: %{app_name}-jsvc +%systemd_ordering %description jsvc Systemd service and wrapper scripts to start tomcat with jsvc, 
@@ -239,9 +245,9 @@ Requires: mvn(org.apache.tomcat:tomcat-websocket-client-api) Requires(post): ecj >= 4.4 Requires(preun): coreutils +Conflicts: %{app_name}-lib Provides: jakarta-commons-dbcp-tomcat5 = 1.4 Obsoletes: jakarta-commons-dbcp-tomcat5 < 1.4 -Conflicts: %{app_name}-lib %description lib Libraries required to successfully run the Tomcat Web container @@ -251,6 +257,7 @@ Group: Productivity/Networking/Web/Servers Requires(post): update-alternatives Requires(postun): update-alternatives +Conflicts: %{app_name}-servlet-4_0-api < %{version} Provides: %{app_name}-servlet-%{servletspec}-api = %{version}-%{release} Provides: servlet = %{servletspec}
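Review bot: "Requires(post): util-linux" is added in the hunks at @@ -131,16, @@ -155,6 and @@ -173,6 (main package, admin-webapps, docs-webapp) only. Every other subpackage whose %post scriptlet calls runuser needs the same line, otherwise that scriptlet can run before util-linux is installed. Check the remaining subpackages against their scriptlets before merging.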
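Review bot: The hunks from @@ -183,12 onward only move "Conflicts:", "BuildArch:" and "%systemd_ordering" lines, and the first hunk also moves "Requires: libtcnative-1-0" and "Requires: logrotate", none of which the changes entry mentions. Either note the tag reordering in the entry or split it into its own commit, so the dependency fix is easy to audit and to backport on its own.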
commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2024-03-05 18:50:11 Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old) and /work/SRC/openSUSE:Factory/.tomcat10.new.1770 (New) Package is "tomcat10" Tue Mar 5 18:50:11 2024 rev:8 rq:1154894 version:10.1.18 Changes: --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-02-18 20:25:21.498748785 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.1770/tomcat10.changes 2024-03-05 18:50:13.608095019 +0100 @@ -1,0 +2,7 @@ +Mon Mar 4 16:49:37 UTC 2024 - Fridrich Strba + +- Add %%systemd_ordering to packages with systemd unit files, so + that the order is the right one if those packages find themselves + in the same transaction with systemd + +--- Other differences: -- ++ tomcat10.spec ++ --- /var/tmp/diff_new_pack.6CXDFB/_old 2024-03-05 18:50:14.596130893 +0100 +++ /var/tmp/diff_new_pack.6CXDFB/_new 2024-03-05 18:50:14.596130893 +0100 @@ -136,6 +136,7 @@ Requires(pre): shadow Requires: libtcnative-1-0 >= 1.2.38 Requires: logrotate +%systemd_ordering BuildArch: noarch Conflicts: %{app_name} Provides: group(tomcat) @@ -221,6 +222,7 @@ Group: Productivity/Networking/Web/Servers Requires: %{name} = %{version}-%{release} Requires: apache-commons-daemon-jsvc +%systemd_ordering Conflicts: %{app_name}-jsvc %description jsvc
commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2024-02-18 20:24:47 Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old) and /work/SRC/openSUSE:Factory/.tomcat10.new.1815 (New) Package is "tomcat10" Sun Feb 18 20:24:47 2024 rev:7 rq:1147339 version:10.1.18 Changes: --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-02-15 21:02:22.360152155 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.1815/tomcat10.changes 2024-02-18 20:25:21.498748785 +0100 @@ -1,0 +2,5 @@ +Sat Feb 17 14:55:36 UTC 2024 - Fridrich Strba + +- Link ecj.jar into the install instead of copying it + +--- Other differences: -- ++ tomcat10.spec ++ --- /var/tmp/diff_new_pack.WeiZdc/_old 2024-02-18 20:25:22.250775868 +0100 +++ /var/tmp/diff_new_pack.WeiZdc/_new 2024-02-18 20:25:22.254776012 +0100 @@ -438,7 +438,7 @@ popd pushd output/build -%{_bindir}/build-jar-repository lib commons-collections \ +%{_bindir}/build-jar-repository -s lib commons-collections \ commons-dbcp2 commons-pool2 ecj/ecj 2>&1 # need to use -p here with b-j-r otherwise the examples webapp fails to # load with a java.io.IOException @@ -455,6 +455,8 @@ rm -f commons-dbcp.jar ln -s $(build-classpath commons-dbcp2) commons-dbcp2.jar ln -s $(build-classpath commons-pool2) commons-pool2.jar +rm ecj.jar +ln -s $(build-classpath ecj/ecj) ecj.jar ln -s $(build-classpath ecj/ecj) jasper-jdt.jar # Temporary copy the juli jar here from %%{_datadir}/java/tomcat (for maven depmap)
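Review bot: In the hunk at @@ -455,6, "rm ecj.jar" has no -f while "rm -f commons-dbcp.jar" earlier in the same hunk does, so this step fails if build-jar-repository did not leave an ecj.jar in this directory. Use "rm -f", or drop the rm and use "ln -sf". Since the install now carries a symlink to the system ecj jar instead of a copy, the subpackage that owns the link also needs a runtime Requires on ecj, or the link dangles when ecj is not installed.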
commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2024-02-15 21:01:10 Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old) and /work/SRC/openSUSE:Factory/.tomcat10.new.1815 (New) Package is "tomcat10" Thu Feb 15 21:01:10 2024 rev:6 rq:1146831 version:10.1.18 Changes: --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-02-06 16:36:26.987175151 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.1815/tomcat10.changes 2024-02-15 21:02:22.360152155 +0100 @@ -6,0 +7,6 @@ +Fri Jan 26 12:37:05 UTC 2024 - Michele Bussolotto + +- Fixed CVEs: + * CVE-2024-22029: run xsltproc as tomcat group (bsc#1219208) + +--- Other differences: -- ++ tomcat10.spec ++ --- /var/tmp/diff_new_pack.23yXh9/_old 2024-02-15 21:02:23.088177743 +0100 +++ /var/tmp/diff_new_pack.23yXh9/_new 2024-02-15 21:02:23.092177883 +0100 @@ -593,7 +593,8 @@ %post %service_add_post %{app_name}.service %{fillup_only %{app_name}} -xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml +chown -R tomcat:tomcat %{confdir}/server.xml +runuser -u tomcat -g tomcat -- xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml %preun %service_del_preun %{app_name}.service 
@@ -665,17 +666,22 @@ %{libdir}/\[ecj\].jar >/dev/null 2>&1 %post webapps -xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml -if [ ! -e %{_datadir}/%{app_name}/webapps/ROOT ]; then -ln -sf %{tomcatappdir}/ROOT %{_datadir}/%{app_name}/webapps/ROOT -fi -xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml +chown -R tomcat:tomcat %{tomcatappdir}/examples/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml if [ ! -e %{_datadir}/%{app_name}/webapps/examples ]; then ln -sf %{tomcatappdir}/examples %{_datadir}/%{app_name}/webapps/examples fi #use the same context.xml for sample war +mkdir -p %{tomcatappdir}/ROOT/META-INF +chown -R tomcat:tomcat %{tomcatappdir}/ROOT/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml +if [ ! -e %{_datadir}/%{app_name}/webapps/ROOT ]; then +ln -sf %{tomcatappdir}/ROOT %{_datadir}/%{app_name}/webapps/ROOT +fi +#use the same context.xml for sample war mkdir -p %{tomcatappdir}/webapps/sample/META-INF -xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml +chown -R tomcat:tomcat %{tomcatappdir}/sample/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml if [ ! -e %{_datadir}/%{app_name}/webapps/sample ]; then ln -sf %{tomcatappdir}/sample %{_datadir}/%{app_name}/webapps/sample fi 
@@ -687,18 +693,21 @@ fi %post admin-webapps -xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml +chown -R tomcat:tomcat %{tomcatappdir}/manager/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml if [ ! -e %{_datadir}/%{app_name}/webapps/manager ]; then ln -sf %{tomcatappdir}/manager %{_datadir}/%{app_name}/webapps/manager fi -xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml +chown -R tomcat:tomcat %{tomcatappdir}/host-manager/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml if [ ! -e %{_datadir}/%{app_name}/webapps/host-manager ]; then ln -sf %{tomcatappdir}/host-manager %{_datadir}/%{app_name}/webapps/host-manager fi %post docs-webapp -xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/docs/META-INF/context.xml +chown -R tomcat:tomcat %{tomcatappdir}/docs/META-INF +runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt
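Review bot: In the %post hunk at @@ -593,7, "chown -R tomcat:tomcat %{confdir}/server.xml" is never undone, so server.xml stays owned by the tomcat account after the scriptlet ends and the service user can rewrite its own server configuration from then on. Dropping privileges for xsltproc only requires that the tomcat user can read the inputs and write the output. Consider letting it write to a temporary file that root then installs over server.xml with the intended owner and mode, or restore the ownership after the transform.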
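Review bot: In the %post webapps hunk at @@ -665,17, the sample block creates "%{tomcatappdir}/webapps/sample/META-INF" with mkdir -p, but the new chown -R and the xsltproc --output both use "%{tomcatappdir}/sample/META-INF", so the directory being chowned is not the one just created and the chown fails if it does not already exist. Align the three paths. The new ROOT block also ends up under the first copy of the comment "#use the same context.xml for sample war"; reword that comment for ROOT.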
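Review bot: In the hunk at @@ -687,18, "chown -R tomcat:tomcat" is applied to the whole META-INF directory of manager, host-manager and docs, although xsltproc reads and rewrites only the existing context.xml in each. Narrow the ownership change to that one file, so the service account does not gain write access to everything else under META-INF of the administrative webapps.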
commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2024-01-18 21:53:42 Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old) and /work/SRC/openSUSE:Factory/.tomcat10.new.16006 (New) Package is "tomcat10" Thu Jan 18 21:53:42 2024 rev:4 rq:1139643 version:10.1.18 Changes: --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-01-16 21:38:54.554496249 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.16006/tomcat10.changes 2024-01-18 21:54:21.254833544 +0100 
@@ -1,0 +2,149 @@ +Wed Jan 17 15:59:25 UTC 2024 - Michele Bussolotto + +- Update to Tomcat 10.1.18 + * Fixed CVEs: ++ CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to + incorrect headers parsing (bsc#1217649) + * Catalina ++ Update: 68378: Align extension to MIME type mappings in the + global web.xml with those in httpd by adding + application/vnd.geogebra.slides for ggs, text/javascript for mjs + and audio/ogg for opus. (markt) ++ Fix: Background processes should not be run concurrently with + lifecycle operations of a container. (remm) ++ Fix: Correct unintended escaping of XML in some WebDAV + responses. The XML list of support locks when provided in + response to a PROPFIND request was incorrectly XML escaped. + (markt) ++ Fix: 68227: Ensure that AsyncListener.onComplete() is called + if AsyncListener.onError() calls AsyncContext.dispatch(). + (markt) ++ Fix: 68228: Use a 408 status code if a read timeout occurs + during HTTP request processing. Includes a test case based on + code provided by adwsingh. (markt) ++ Fix: 67667: TLSCertificateReloadListener prints unreadable + rendering of X509Certificate#getNotAfter(). (michaelo) ++ Update: The status servlet included in the manager webapp + can now output statistics as JSON, using the JSON=true URL + parameter. (remm) ++ Update: Optionally allow ServiceBindingPropertySource to + trim a trailing newline from a file containing a + property-value. (schultz) ++ Fix: 67793: Ensure the original session timeout is restored + after FORM authentication if the user refreshes a page during + the FORM authentication process. Based on a suggestion by + Mircea Butmalai. (markt) ++ Update: 67926: PEMFile prints unidentifiable string + representation of ASN.1 OIDs. (michaelo) ++ Fix: 66875: Ensure that setting the request attribute + jakarta.servlet.error.exception is not sufficient to trigger + error handling for the current request and response. 
(markt) ++ Fix: 68054: Avoid some file canonicalization calls + introduced by the fix for 65433. (remm) ++ Fix: 68089: Improve performance of request attribute access + for ApplicationHttpRequest and ApplicationRequest. (markt) ++ Fix: Use a 400 status code to report an error due to a bad + request (e.g. an invalid trailer header) rather than a 500 + status code. (markt) ++ Fix: Ensure that an IOException during the reading of the + request triggers always error handling, regardless of whether + the application swallows the exception. (markt) + * Coyote ++ Fix: Refactor the VirtualThreadExecutor so that it can be + used by the NIO2 connector which was using platform threads + even when configured to use virtual threads. (markt) ++ Fix: Correct a regression in the fix for 67675 that broke + TLS key file parsing for PKCS#8 format keys that do not specify + an explicit pseudo-random function and rely on the default. + This typically affects keys generated by OpenSSL 1.0.2. + (markt) ++ Fix: Allow multiple operations with the same name on + introspected mbeans, fixing a regression caused by the + introduction of a second addSslHostConfig method. (remm) ++ Fix: Relax the check that the HTTP Host header is consistent + with the host used in the request line, if any, to make the + check case insensitive since host names are case insensitive. + (markt) ++ Add: 68348: Add support for the partitioned attribute for + cookies. (markt) ++ Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and + SSLHostConfig#certificateKeystorePasswordFile. (michaelo) ++ Add: When calling + SSLHostConfigCertificate.setCertificateKeystore(ks), + automatically call setCertificateKeystoreType(ks.getType()). + (markt) ++ Fix: 67628: Clarify how the ciphers attribute of the + SSLHostConfig is used. (markt) ++ Fix: 67666: Ensure TLS connectors using PEM files either + work with the TLSCertificateReloadListener or, in the rare case + that they do not, log a