commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2024-07-10 16:49:44 Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old) and /work/SRC/openSUSE:Factory/.tomcat10.new.2080 (New) Package is "tomcat10" Wed Jul 10 16:49:44 2024 rev:11 rq:1186460 version:10.1.25 Changes: --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-04-07 22:13:29.131037286 +0200 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.2080/tomcat10.changes 2024-07-10 16:49:45.808164318 +0200 @@ -1,0 +2,160 @@ +Tue Jul 9 12:52:37 UTC 2024 - Ricardo Mestre + +- Update to Tomcat 10.1.25 + * Fixed CVEs: ++ CVE-2024-34750: Improper handling of exceptional conditions + (bsc#1227399) + * Catalina ++ Add: Add support for shallow copies when using WebDAV. (markt) ++ Code: Deprecate the WebdavFixFilter as it is no longer required. (markt) ++ Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64. + Submitted by Daniel Lyko. (remm) ++ Add: Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for + retrieving extended/additional information from an established GSS + context. (michaelo) ++ Fix: Correct a regression in the fix for 68721 that caused some instances + of LinkageError to be reported as ClassNotFoundException. (markt) ++ Fix: Ensure that static resources deployed via a JAR file remain + accessible when the context is configured to use a bloom filter. Based on + pull request #730 provided by bergander. (markt) ++ Add: Introduce reference counting so the AprLifecycleListener is more + robust. This particularly targets more complex embedded configurations + with multiple server instances with independent lifecycles where more than + one server instance requires the AprLifecycleListener. (markt) ++ Add: Small performance optimization when logging cookies with no values. + (schultz) ++ Fix: Correct error handling for asynchronous requests. If the application + performs an dispatch during AsyncListener.onError() the dispatch is now + performed rather than completing the request using the error page + mechanism. (markt) ++ Add: Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a + customizable style. (schultz) ++ Add: Add more timescale options to AccessLogValve and + ExtendedAccessLogValve. Allow timescales to apply to "time-taken" token in + ExtendedAccessLogValve. (schultz) ++ Fix: Fix WebDAV lock null (locks for non existing resources) thread safety + and removal. (remm) ++ Fix: Add periodic checking for WebDAV locks expiration. (remm) ++ Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo) ++ Fix: Remove MBean metadata for attibutes that have been removed. Based on + pull request #719 by Shawn Q. (markt) ++ Update: Deprecate and remove sessionCounter (replaced by the addition of + the active session count and the expired session count, as a reasonable + approximation) and duplicates (which does not represent a possible event + in current implementations) statistics from the session manager. (remm) ++ Fix: 68890 Align output encoding of JSPs in the Manager webapp with the + XML declarations in those same files. (schultz) ++ Fix: Update Basic authentication to implement the requirements of RFC 7617 + including the changing of the trimCredentials setting which is now + defaults to false. Note that the trimCredentials setting will be removed + in Tomcat 11. (markt) ++ Fix: Change the thread-safety mechanism for protecting + StandardServer.services from a simple synchronized lock to a + ReentrantReadWriteLock to allow multiple readers to operate + simultaneously. Based upon a suggestion by Markus Wolfe. (schultz) ++ Fix: Improve Service connectors, Container children and Service executors + access sync using a ReentrantReadWriteLock. (remm) ++ Fix: Improve handling of integer overflow if an attempt is made to upload + a file via the Servlet API and the file is larger than + Integer.MAX_VALUE. (markt) ++ Fix: 68862: Handle possible response commit when processing read errors. + (remm) + * Jasper ++ Fix: 68546: Small additional optimisation for initial loading of Servlet + code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt) ++ Add: Add support for specifying Java 23 (with the value 23) as the + compiler source and/or compiler target for JSP compilation. If used with + an Eclipse JDT compiler version that does not support these values, a + warning will be logged and the default will used. (markt) + * Web applications +
commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tomcat10 for openSUSE:Factory
checked in at 2024-03-06 23:05:25
Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old)
and /work/SRC/openSUSE:Factory/.tomcat10.new.1770 (New)
Package is "tomcat10"
Wed Mar 6 23:05:25 2024 rev:9 rq:1155429 version:10.1.18
Changes:
--- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-03-05
18:50:13.608095019 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat10.new.1770/tomcat10.changes
2024-03-06 23:05:57.16700 +0100
@@ -1,0 +2,5 @@
+Wed Mar 6 07:18:06 UTC 2024 - Dan Äermák
+
+- Add missing Requires(post): util-linux to have runuser into post
+
+---
Other differences:
--
++ tomcat10.spec ++
--- /var/tmp/diff_new_pack.ozH5Ji/_old 2024-03-06 23:05:58.160442681 +0100
+++ /var/tmp/diff_new_pack.ozH5Ji/_new 2024-03-06 23:05:58.164442827 +0100
@@ -131,16 +131,18 @@
Requires: apache-commons-pool2
Requires: jakarta-servlet
Requires: java >= %{java_version}
+Requires: libtcnative-1-0 >= 1.2.38
+Requires: logrotate
Requires(post): %fillup_prereq
Requires(post): libxslt-tools
+# for runuser
+Requires(post): util-linux
Requires(pre): shadow
-Requires: libtcnative-1-0 >= 1.2.38
-Requires: logrotate
%systemd_ordering
-BuildArch: noarch
Conflicts: %{app_name}
Provides: group(tomcat)
Provides: user(tomcat)
+BuildArch: noarch
%description
Tomcat is the servlet container that is used in the official Reference
@@ -155,6 +157,8 @@
Group: Productivity/Networking/Web/Servers
Requires: %{name} = %{version}-%{release}
Requires(post): libxslt-tools
+# for runuser
+Requires(post): util-linux
Conflicts: %{app_name}-admin-webapps
%description admin-webapps
@@ -173,6 +177,8 @@
Group: Productivity/Networking/Web/Servers
Requires: %{name} = %{version}-%{release}
Requires(post): libxslt-tools
+# for runuser
+Requires(post): util-linux
Conflicts: %{app_name}-docs-webapp
%description docs-webapp
@@ -183,12 +189,12 @@
Group: Development/Libraries/Java
Requires(post): update-alternatives
Requires(preun): update-alternatives
+Conflicts: %{app_name}-el-3_0-api < %{version}
Provides: %{app_name}-el-%{elspec}-api = %{version}-%{release}
Provides: el_%{elspec_major}_%{elspec_minor}_api = %{version}-%{release}
Provides: el_api = %{elspec}
Obsoletes: %{app_name}-el-2_2-api < %{version}
Obsoletes: el_api < %{elspec}
-Conflicts: %{app_name}-el-3_0-api < %{version}
%description el-%{elspec_major}_%{elspec_minor}-api
Expression Language API version %{elspec}.
@@ -196,8 +202,8 @@
%package doc
Summary:Javadoc generated documentation for Apache Tomcat
Group: Documentation/HTML
-BuildArch: noarch
Conflicts: %{app_name}-javadoc
+BuildArch: noarch
%description doc
Javadoc generated documentation files for Apache Tomcat.
@@ -207,12 +213,12 @@
Group: Productivity/Networking/Web/Servers
Requires(post): update-alternatives
Requires(postun): update-alternatives
+Conflicts: %{app_name}-jsp-2_3-api < %{version}
Provides: %{app_name}-jsp-%{jspspec}-api
Provides: jsp = %{jspspec}
Provides: jsp%{jspspec_major}%{jspspec_minor}
Obsoletes: %{app_name}-jsp-2_2-api < %{version}
Obsoletes: jsp < %{jspspec}
-Conflicts: %{app_name}-jsp-2_3-api < %{version}
%description jsp-%{jspspec_major}_%{jspspec_minor}-api
Apache Tomcat JSP API implementation classes version %{jspspec}
@@ -222,8 +228,8 @@
Group: Productivity/Networking/Web/Servers
Requires: %{name} = %{version}-%{release}
Requires: apache-commons-daemon-jsvc
-%systemd_ordering
Conflicts: %{app_name}-jsvc
+%systemd_ordering
%description jsvc
Systemd service and wrapper scripts to start tomcat with jsvc,
@@ -239,9 +245,9 @@
Requires: mvn(org.apache.tomcat:tomcat-websocket-client-api)
Requires(post): ecj >= 4.4
Requires(preun): coreutils
+Conflicts: %{app_name}-lib
Provides: jakarta-commons-dbcp-tomcat5 = 1.4
Obsoletes: jakarta-commons-dbcp-tomcat5 < 1.4
-Conflicts: %{app_name}-lib
%description lib
Libraries required to successfully run the Tomcat Web container
@@ -251,6 +257,7 @@
Group: Productivity/Networking/Web/Servers
Requires(post): update-alternatives
Requires(postun): update-alternatives
+Conflicts: %{app_name}-servlet-4_0-api < %{version}
Provides: %{app_name}-servlet-%{servletspec}-api = %{version}-%{release}
Provides: servlet = %{servletspec}
commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tomcat10 for openSUSE:Factory
checked in at 2024-03-05 18:50:11
Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old)
and /work/SRC/openSUSE:Factory/.tomcat10.new.1770 (New)
Package is "tomcat10"
Tue Mar 5 18:50:11 2024 rev:8 rq:1154894 version:10.1.18
Changes:
--- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-02-18
20:25:21.498748785 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat10.new.1770/tomcat10.changes
2024-03-05 18:50:13.608095019 +0100
@@ -1,0 +2,7 @@
+Mon Mar 4 16:49:37 UTC 2024 - Fridrich Strba
+
+- Add %%systemd_ordering to packages with systemd unit files, so
+ that the order is the right one if those packages find themselves
+ in the same transaction with systemd
+
+---
Other differences:
--
++ tomcat10.spec ++
--- /var/tmp/diff_new_pack.6CXDFB/_old 2024-03-05 18:50:14.596130893 +0100
+++ /var/tmp/diff_new_pack.6CXDFB/_new 2024-03-05 18:50:14.596130893 +0100
@@ -136,6 +136,7 @@
Requires(pre): shadow
Requires: libtcnative-1-0 >= 1.2.38
Requires: logrotate
+%systemd_ordering
BuildArch: noarch
Conflicts: %{app_name}
Provides: group(tomcat)
@@ -221,6 +222,7 @@
Group: Productivity/Networking/Web/Servers
Requires: %{name} = %{version}-%{release}
Requires: apache-commons-daemon-jsvc
+%systemd_ordering
Conflicts: %{app_name}-jsvc
%description jsvc
commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tomcat10 for openSUSE:Factory
checked in at 2024-02-18 20:24:47
Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old)
and /work/SRC/openSUSE:Factory/.tomcat10.new.1815 (New)
Package is "tomcat10"
Sun Feb 18 20:24:47 2024 rev:7 rq:1147339 version:10.1.18
Changes:
--- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-02-15
21:02:22.360152155 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat10.new.1815/tomcat10.changes
2024-02-18 20:25:21.498748785 +0100
@@ -1,0 +2,5 @@
+Sat Feb 17 14:55:36 UTC 2024 - Fridrich Strba
+
+- Link ecj.jar into the install instead of copying it
+
+---
Other differences:
--
++ tomcat10.spec ++
--- /var/tmp/diff_new_pack.WeiZdc/_old 2024-02-18 20:25:22.250775868 +0100
+++ /var/tmp/diff_new_pack.WeiZdc/_new 2024-02-18 20:25:22.254776012 +0100
@@ -438,7 +438,7 @@
popd
pushd output/build
-%{_bindir}/build-jar-repository lib commons-collections \
+%{_bindir}/build-jar-repository -s lib commons-collections \
commons-dbcp2 commons-pool2 ecj/ecj
2>&1
# need to use -p here with b-j-r otherwise the examples webapp fails to
# load with a java.io.IOException
@@ -455,6 +455,8 @@
rm -f commons-dbcp.jar
ln -s $(build-classpath commons-dbcp2) commons-dbcp2.jar
ln -s $(build-classpath commons-pool2) commons-pool2.jar
+rm ecj.jar
+ln -s $(build-classpath ecj/ecj) ecj.jar
ln -s $(build-classpath ecj/ecj) jasper-jdt.jar
# Temporary copy the juli jar here from %%{_datadir}/java/tomcat (for
maven depmap)
commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc
Hello community,
here is the log from the commit of package tomcat10 for openSUSE:Factory
checked in at 2024-02-15 21:01:10
Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old)
and /work/SRC/openSUSE:Factory/.tomcat10.new.1815 (New)
Package is "tomcat10"
Thu Feb 15 21:01:10 2024 rev:6 rq:1146831 version:10.1.18
Changes:
--- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-02-06
16:36:26.987175151 +0100
+++ /work/SRC/openSUSE:Factory/.tomcat10.new.1815/tomcat10.changes
2024-02-15 21:02:22.360152155 +0100
@@ -6,0 +7,6 @@
+Fri Jan 26 12:37:05 UTC 2024 - Michele Bussolotto
+
+- Fixed CVEs:
+ * CVE-2024-22029: run xsltproc as tomcat group (bsc#1219208)
+
+---
Other differences:
--
++ tomcat10.spec ++
--- /var/tmp/diff_new_pack.23yXh9/_old 2024-02-15 21:02:23.088177743 +0100
+++ /var/tmp/diff_new_pack.23yXh9/_new 2024-02-15 21:02:23.092177883 +0100
@@ -593,7 +593,8 @@
%post
%service_add_post %{app_name}.service
%{fillup_only %{app_name}}
-xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt
%{confdir}/server.xml
+chown -R tomcat:tomcat %{confdir}/server.xml
+runuser -u tomcat -g tomcat -- xsltproc --output %{confdir}/server.xml
%{confdir}/valve.xslt %{confdir}/server.xml
%preun
%service_del_preun %{app_name}.service
@@ -665,17 +666,22 @@
%{libdir}/\[ecj\].jar >/dev/null 2>&1
%post webapps
-xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml
%{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
-if [ ! -e %{_datadir}/%{app_name}/webapps/ROOT ]; then
-ln -sf %{tomcatappdir}/ROOT %{_datadir}/%{app_name}/webapps/ROOT
-fi
-xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml
%{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/examples/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output
%{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt
%{tomcatappdir}/examples/META-INF/context.xml
if [ ! -e %{_datadir}/%{app_name}/webapps/examples ]; then
ln -sf %{tomcatappdir}/examples %{_datadir}/%{app_name}/webapps/examples
fi
#use the same context.xml for sample war
+mkdir -p %{tomcatappdir}/ROOT/META-INF
+chown -R tomcat:tomcat %{tomcatappdir}/ROOT/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output
%{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt
%{tomcatappdir}/examples/META-INF/context.xml
+if [ ! -e %{_datadir}/%{app_name}/webapps/ROOT ]; then
+ln -sf %{tomcatappdir}/ROOT %{_datadir}/%{app_name}/webapps/ROOT
+fi
+#use the same context.xml for sample war
mkdir -p %{tomcatappdir}/webapps/sample/META-INF
-xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml
%{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/sample/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output
%{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt
%{tomcatappdir}/examples/META-INF/context.xml
if [ ! -e %{_datadir}/%{app_name}/webapps/sample ]; then
ln -sf %{tomcatappdir}/sample %{_datadir}/%{app_name}/webapps/sample
fi
@@ -687,18 +693,21 @@
fi
%post admin-webapps
-xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml
%{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/manager/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output
%{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt
%{tomcatappdir}/manager/META-INF/context.xml
if [ ! -e %{_datadir}/%{app_name}/webapps/manager ]; then
ln -sf %{tomcatappdir}/manager %{_datadir}/%{app_name}/webapps/manager
fi
-xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml
%{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/host-manager/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output
%{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt
%{tomcatappdir}/host-manager/META-INF/context.xml
if [ ! -e %{_datadir}/%{app_name}/webapps/host-manager ]; then
ln -sf %{tomcatappdir}/host-manager
%{_datadir}/%{app_name}/webapps/host-manager
fi
%post docs-webapp
-xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml
%{confdir}/allowLinking.xslt %{tomcatappdir}/docs/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/docs/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output
%{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt
commit tomcat10 for openSUSE:Factory
Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2024-01-18 21:53:42 Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old) and /work/SRC/openSUSE:Factory/.tomcat10.new.16006 (New) Package is "tomcat10" Thu Jan 18 21:53:42 2024 rev:4 rq:1139643 version:10.1.18 Changes: --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes2024-01-16 21:38:54.554496249 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.16006/tomcat10.changes 2024-01-18 21:54:21.254833544 +0100 @@ -1,0 +2,149 @@ +Wed Jan 17 15:59:25 UTC 2024 - Michele Bussolotto + +- Update to Tomcat 10.1.18 + * Fixed CVEs: ++ CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to + incorrect headers parsing (bsc#1217649) + * Catalina ++ Update: 68378: Align extension to MIME type mappings in the + global web.xml with those in httpd by adding + application/vnd.geogebra.slides for ggs, text/javascript for mjs + and audio/ogg for opus. (markt) ++ Fix: Background processes should not be run concurrently with + lifecycle operations of a container. (remm) ++ Fix: Correct unintended escaping of XML in some WebDAV + responses. The XML list of support locks when provided in + response to a PROPFIND request was incorrectly XML escaped. + (markt) ++ Fix: 68227: Ensure that AsyncListener.onComplete() is called + if AsyncListener.onError() calls AsyncContext.dispatch(). + (markt) ++ Fix: 68228: Use a 408 status code if a read timeout occurs + during HTTP request processing. Includes a test case based on + code provided by adwsingh. (markt) ++ Fix: 67667: TLSCertificateReloadListener prints unreadable + rendering of X509Certificate#getNotAfter(). (michaelo) ++ Update: The status servlet included in the manager webapp + can now output statistics as JSON, using the JSON=true URL + parameter. (remm) ++ Update: Optionally allow ServiceBindingPropertySource to + trim a trailing newline from a file containing a + property-value. (schultz) ++ Fix: 67793: Ensure the original session timeout is restored + after FORM authentication if the user refreshes a page during + the FORM authentication process. Based on a suggestion by + Mircea Butmalai. (markt) ++ Update: 67926: PEMFile prints unidentifiable string + representation of ASN.1 OIDs. (michaelo) ++ Fix: 66875: Ensure that setting the request attribute + jakarta.servlet.error.exception is not sufficient to trigger + error handling for the current request and response. (markt) ++ Fix: 68054: Avoid some file canonicalization calls + introduced by the fix for 65433. (remm) ++ Fix: 68089: Improve performance of request attribute access + for ApplicationHttpRequest and ApplicationRequest. (markt) ++ Fix: Use a 400 status code to report an error due to a bad + request (e.g. an invalid trailer header) rather than a 500 + status code. (markt) ++ Fix: Ensure that an IOException during the reading of the + request triggers always error handling, regardless of whether + the application swallows the exception. (markt) + * Coyote ++ Fix: Refactor the VirtualThreadExecutor so that it can be + used by the NIO2 connector which was using platform threads + even when configured to use virtual threads. (markt) ++ Fix: Correct a regression in the fix for 67675 that broke + TLS key file parsing for PKCS#8 format keys that do not specify + an explicit pseudo-random function and rely on the default. + This typically affects keys generated by OpenSSL 1.0.2. + (markt) ++ Fix: Allow multiple operations with the same name on + introspected mbeans, fixing a regression caused by the + introduction of a second addSslHostConfig method. (remm) ++ Fix: Relax the check that the HTTP Host header is consistent + with the host used in the request line, if any, to make the + check case insensitive since host names are case insensitive. + (markt) ++ Add: 68348: Add support for the partitioned attribute for + cookies. (markt) ++ Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and + SSLHostConfig#certificateKeystorePasswordFile. (michaelo) ++ Add: When calling + SSLHostConfigCertificate.setCertificateKeystore(ks), + automatically call setCertificateKeystoreType(ks.getType()). + (markt) ++ Fix: 67628: Clarify how the ciphers attribute of the + SSLHostConfig is used. (markt) ++ Fix: 67666: Ensure TLS connectors using PEM files either + work with the TLSCertificateReloadListener or, in the rare case + that they do not, log a
