Index index by Group index by Distribution index by Vendor index by creation date index by Name Mirrors Help Search

tomcat-jsp-2_3-api-9.0.87-1.1 RPM for noarch

From OpenSuSE Ports Tumbleweed for noarch

Name: tomcat-jsp-2_3-api Distribution: openSUSE:Factory:zSystems
Version: 9.0.87 Vendor: openSUSE
Release: 1.1 Build date: Fri Apr 5 16:24:14 2024
Group: Productivity/Networking/Web/Servers Build host: reproducible
Size: 79175 Source RPM: tomcat-9.0.87-1.1.src.rpm
Packager: https://bugs.opensuse.org
Url: https://tomcat.apache.org
Summary: Apache Tomcat JSP API implementation classes
Apache Tomcat JSP API implementation classes version 2.3

Provides

Requires

License

Apache-2.0

Changelog

* Fri Apr 05 2024 Ricardo Mestre <ricardo.mestre@suse.com>
  - Update to Tomcat 9.0.87
    * Fixed CVEs:
      + CVE-2024-24549: Improved request header validation for HTTP/2 stream
      (bsc#1221386)
      + CVE-2024-23672: Ensure that WebSocket connection closure completes if
      the connection is closed when the server side has used the proprietary
      suspend/resume feature to suspend the connection (bsc#1221385)
    * Catalina
      + Fix:  Minor performance improvement for building filter chains. Based
      on ideas from #702 by Luke Miao. (remm)
      + Fix:  Align error handling for Writer and OutputStream. Ensure use of
      either once the response has been recycled triggers a
      NullPointerException provided that discardFacades is configured with
      the default value of true. (markt)
      + Fix:  68692: The standard thread pool implementations that are configured
      using the Executor element now implement ExecutorService for better
      support NIO2. (remm)
      + Fix:  68495: When restoring a saved POST request after a successful FORM
      authentication, ensure that neither the URI, the query string nor the
      protocol are corrupted when restoring the request body. (markt)
      + Fix:  68721: Workaround a possible cause of duplicate class definitions
      when using ClassFileTransformers and the transformation of a class also
      triggers the loading of the same class. (markt)
      + Fix:  The rewrite valve should not do a rewrite if the output is
      identical to the input. (remm)
      + Update:  Add a new valveSkip (or VS) rule flag to the rewrite valve to
      allow skipping over the next valve in the Catalina pipeline. (remm)
      + Fix:  Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by
      removing reference to org.apache.catalina.ssi package that is no longer
      included in the JAR. Based on pull request #684 by Jendrik Johannes.
      (markt)
      + Fix:  Fix ServiceBindingPropertySource so that trailing \r\n sequences
      are correctly removed from files containing property values when
      configured to do so. Bug identified by Coverity Scan. (markt)
      + Add:  Add improvements to the CSRF prevention filter including the
      ability to skip adding nonces for resource name and subtree URL patterns.
      (schultz)
      + Fix:  Review usage of debug logging and downgrade trace or data dumping
      operations from debug level to trace. (remm)
      + Fix:  68089: Further improve the performance of request attribute
      access for ApplicationHttpRequest and ApplicationRequest. (markt)
      + Fix:  68559: Allow asynchronous error handling to write to the
      response after an error during asynchronous processing. (markt)
    * Coyote
      + Fix:  Improve the HTTP/2 stream prioritisation process. If a stream
      uses all of the connection windows and still has content to write, it
      will now be added to the backlog immediately rather than waiting until
      the write  attempt for the remaining content. (markt)
      + Fix:  Make asynchronous error handling more robust. Ensure that once
      a connection is marked to be closed, further asynchronous processing
      cannot change that. (markt)
      + Fix:  Make asynchronous error handling more robust. Ensure that once
      the call to AsyncListener.onError() has returned to the container, only
      container threads can access the AsyncContext. This protects against
      various race conditions that woudl otherwise occur if application threads
      continued to access the AsyncContext.
      + Fix:  Review usage of debug logging and downgrade trace or data
      dumping operations from debug level to trace. In particular, most of the
      HTTP/2 debug logging has been changed to trace level. (remm)
      + Fix:  Add support for user provided SSLContext instances configured
      on SSLHostConfigCertificate instances. Based on pull request #673
      provided by Hakan Altındağ. (markt)
      + Fix:  Improve the Tomcat Native shutdown process to reduce the likelihood
      of a JVM crash during Tomcat shutdown. (markt)
      + Fix:  Partial fix for 68558: Cache the result of converting to String
      for request URI, HTTP header names and the request Content-Type value to
      improve performance by reducing repeated byte[] to String conversions.
      (markt)
      + Fix:  Improve error reporting to HTTP/2 clients for header processing
      errors by reporting problems at the end of the frame where the error was
      detected rather than at the end of the headers. (markt)
      + Fix:  Remove the remaining reference to a stream once the stream has
      been recycled. This makes the stream eligible for garbage collection
      earlier and thereby improves scalability. (markt)
    * Jasper
      + Add:  Add support for specifying Java 22 (with the value 22) as the
      compiler source and/or compiler target for JSP compilation. If used with
      an  Eclipse JDT compiler version that does not support these values, a
      warning will be logged and the default will used. (markt)
      + Fix:  68546: Generate optimal size and types for JSP imports maps, as
      suggested by John Engebretson. (remm)
      + Fix:  Review usage of debug logging and downgrade trace or data
      dumping operations from debug level to trace. (remm)
    * Cluster
      + Fix:  Avoid updating request count stats on async. (remm)
    * WebSocket
      + Fix:  Correct a regression in the fix for 66508 that could cause an
      UpgradeProcessor leak in some circumstances. (markt)
      + Fix:  Review usage of debug logging and downgrade trace or data dumping
      operations from debug level to trace. (remm)
      + Fix:  Ensure that WebSocket connection closure completes if the
      connection is closed when the server side has used the proprietary
      suspend/resume feature to suspend the connection. (markt)
    * Web applications
      + Add:  Add support for responses in JSON format from the examples
      application RequestHeaderExample. (schultz)
    * Other
      + Add:  Improvements to French translations. (remm)
      + Add:  Improvements to Japanese translations by tak7iji. (markt)
      + Update:  Update Checkstyle to 10.13.0. (markt)
      + Update:  Update JSign to 6.0. (markt)
      + Update:  Add strings for debug level messages. (remm)
      + Update:  Update Tomcat Native to 1.3.0. (markt)
      + Add:  Improvements to French translations. (remm)
      + Add:  Improvements to Japanese translations by tak7iji. (markt)
* Wed Mar 06 2024 Dan Čermák <dcermak@suse.com>
  - Add missing Requires(post): util-linux to have runuser into post
* Mon Mar 04 2024 Fridrich Strba <fstrba@suse.com>
  - Add %%systemd_ordering to packages with systemd unit files, so
    that the order is the right one if those packages find themselves
    in the same transaction with systemd
* Sat Feb 17 2024 Fridrich Strba <fstrba@suse.com>
  - Link ecj.jar into the install instead of copying it
* Tue Feb 06 2024 Michele Bussolotto <michele.bussolotto@suse.com>
  - rpm 4.19 requires dependencies on tomcat user and group (bsc#1219530)
* Fri Jan 26 2024 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fixed CVEs:
    * CVE-2024-22029: run xsltproc as tomcat group (bsc#1219208)
* Wed Jan 17 2024 Michele Bussolotto <michele.bussolotto@suse.com>
  - Update to Tomcat 9.0.85
    * Fixed CVEs:
      + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
      incorrect headers parsing (bsc#1217649)
    * Catalina
      + Update:  68378: Align extension to MIME type mappings in the
      global web.xml with those in httpd by adding
      application/vnd.geogebra.slides for ggs, text/javascript for mjs
      and audio/ogg for opus. (markt)
      + Fix:  Background processes should not be run concurrently with
      lifecycle operations of a container. (remm)
      + Fix:  Correct unintended escaping of XML in some WebDAV
      responses. The XML list of support locks when provided in
      response to a PROPFIND request was incorrectly XML escaped.
      (markt)
      + Fix:  68227: Ensure that AsyncListener.onComplete() is called
      if AsyncListener.onError() calls AsyncContext.dispatch().
      (markt)
      + Fix:  68228: Use a 408 status code if a read timeout occurs
      during HTTP request processing. Includes a test case based on
      code provided by adwsingh. (markt)
      + Fix:  67667: TLSCertificateReloadListener prints unreadable
      rendering of X509Certificate#getNotAfter(). (michaelo)
      + Update:  The status servlet included in the manager webapp
      can now output statistics as JSON, using the JSON=true URL
      parameter. (remm)
      + Update:  Optionally allow ServiceBindingPropertySource to
      trim a trailing newline from a file containing a
      property-value. (schultz)
      + Fix:  67793: Ensure the original session timeout is restored
      after FORM authentication if the user refreshes a page during
      the FORM authentication process. Based on a suggestion by
      Mircea Butmalai. (markt)
      + Update:  67926: PEMFile prints unidentifiable string
      representation of ASN.1 OIDs. (michaelo)
      + Fix:  66875: Ensure that setting the request attribute
      jakarta.servlet.error.exception is not sufficient to trigger
      error handling for the current request and response. (markt)
      + Fix:  68054: Avoid some file canonicalization calls
      introduced by the fix for 65433. (remm)
      + Fix:  68089: Improve performance of request attribute access
      for ApplicationHttpRequest and ApplicationRequest. (markt)
      + Fix:  Use a 400 status code to report an error due to a bad
      request (e.g. an invalid trailer header) rather than a 500
      status code. (markt)
      + Fix:  Ensure that an IOException during the reading of the
      request triggers always error handling, regardless of whether
      the application swallows the exception. (markt)
    * Coyote
      + Fix:  Refactor the VirtualThreadExecutor so that it can be
      used by the NIO2 connector which was using platform threads
      even when configured to use virtual threads. (markt)
      + Fix:  Correct a regression in the fix for 67675 that broke
      TLS key file parsing for PKCS#8 format keys that do not specify
      an explicit pseudo-random function and rely on the default.
      This typically affects keys generated by OpenSSL 1.0.2.
      (markt)
      + Fix:  Allow multiple operations with the same name on
      introspected mbeans, fixing a regression caused by the
      introduction of a second addSslHostConfig method. (remm)
      + Fix:  Relax the check that the HTTP Host header is consistent
      with the host used in the request line, if any, to make the
      check case insensitive since host names are case insensitive.
      (markt)
      + Add:  68348: Add support for the partitioned attribute for
      cookies. (markt)
      + Add:  66670: Add SSLHostConfig#certificateKeyPasswordFile and
      SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
      + Add:  When calling
      SSLHostConfigCertificate.setCertificateKeystore(ks),
      automatically call setCertificateKeystoreType(ks.getType()).
      (markt)
      + Fix:  67628: Clarify how the ciphers attribute of the
      SSLHostConfig is used. (markt)
      + Fix:  67666: Ensure TLS connectors using PEM files either
      work with the TLSCertificateReloadListener or, in the rare case
      that they do not, log a warning on Connector start. (markt)
      + Fix:  67675: Support a wider range of KDF and ciphers for PEM
      files than the combinations supported by the JVM by default.
      Specifically, support the OpenSSL default of HmacSHA256 and
      DES-EDE3-CBC. (markt)
      + Fix:  67927: Reloading TLS configuration can cause the
      Connector to refuse new connections or the JVM to crash.
      (markt)
      + Fix:  67934: If both Tomcat Native 1.2.x and 2.0.x are
      available, prefer 1.2.x since it supports the APR/Native
      connector whereas 2.0.x does not. (markt)
      + Fix:  67938: Correct handling of large TLS client hello
      messages that were causing the TLS handshake to fail. (markt)
      + Fix:  68026: Convert selected MessageByte values to String
      when first accessed to speed up subsequent accesses and reduce
      garbage collection. (markt)
    * Jasper
      + Code:  68119: Refactor the CompositeELResolver to improve
      performance during type conversion operations. (markt)
      + Fix:  68068: Performance improvement for EL. Based on a
      suggestion by John Engebretson. (markt)
    * Web Applications
      + Fix:  68035: Additional fix to the Manager application to
      enable the deployment of a web application located in a Host's
      appBase where the web application is specified by a bare (no
      path) WAR or directory name as shown in the documentation.
      (markt)
      + Fix:  Examples. Improve the error handling so snakes
      associated with a user that drops from the network are removed
      from the game. (markt)
      + Fix:  68035: Correct a regression in the fix for 56248 that
      prevented deployment via the Manager of a WAR or directory that
      was already present in the appBase or a context file that was
      already present in the xmlBase. (markt)
    * Other
      + Update:  Update Checkstyle to 10.12.7. (markt)
      + Update:  Update SpotBugs to 4.8.3. (markt)
      + Add:  Improvements to French translations. (remm)
      + Add:  Improvements to Japanese translations by tak7iji.
      (markt)
      + Update:  Update UnboundID to 6.0.11. (markt)
      + Update:  Update Checkstyle to 10.12.5. (markt)
      + Update:  Update SpotBugs to 4.8.2. (markt)
      + Update:  Update Derby to 10.17.1. (markt)
      + Add:  Improvements to French translations. (remm)
      + Add:  Improvements to Japanese translations by tak7iji.
      (markt)
      + Add:  Improvements to Brazilian Portuguese translations by
      John William Vicente. (markt)
      + Add:  Improvements to Russian translations by usmazat and
      remm. (markt)
      + Add:  67538: Make use of Ant's <javaversion /> task to enfore
      the mininum Java build version. (michaelo)
      + Update:  Update Checkstyle to 10.12.4. (markt)
      + Update:  Update JaCoCo to 0.8.11. (markt)
      + Update:  Update SpotBugs to 4.8.0. (markt)
      + Update:  Update BND to 7.0.0. (markt)
      + Update:  The minimum Java version required to build Tomcat
      has been raised to Java 17. (markt)
  - Added patches:
    * tomcat-9.0-build-with-java-11.patch
* Wed Jan 17 2024 Michele Bussolotto <michele.bussolotto@suse.com>
  - change server.xml during %post instead of %posttrans
* Fri Jan 12 2024 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fix server.xml permission (bsc#1217768, bsc#1217402)
  - remove serverxmltool and use xsltproc
* Thu Nov 23 2023 Ricardo Mestre <ricardo.mestre@suse.com>
  - replace prep setup and patches macro with autosetup
* Fri Oct 13 2023 Fridrich Strba <fstrba@suse.com>
  - Update to Tomcat 9.0.82
    * Fixed CVEs:
      + CVE-2023-45648: Improve trailer header parsing (bsc#1216118)
      + CVE-2023-42794: FileUpload: remove tmp files to avoid DoS
      on Windows (bsc#1216120)
      + CVE-2023-42795: Improve handling of failures during recycle()
      methods (bsc#1216119)
    * Catalina
      + Add: 65770: Provide a lifecycle listener that will
      automatically reload TLS configurations a set time before the
      certificate is due to expire. This is intended to be used with
      third-party tools that regularly renew TLS certificates.
      + Fix: Fix handling of an error reading a context descriptor on
      deployment.
      + Fix: Fix rewrite rule qsd (query string discard) being ignored
      if qsa was also use, while it should instead take precedence.
      + Fix: 67472: Send fewer CORS-related headers when CORS is not
      actually being engaged.
      + Add: Improve handling of failures within recycle() methods.
    * Coyote
      + Fix: 67670: Fix regression with HTTP compression after code
      refactoring.
      + Fix: 67198: Ensure that the AJP connector attribute
      tomcatAuthorization takes precedence over the
      tomcatAuthentication attribute when processing an auth_type
      attribute received from a proxy server.
      + Fix: 67235: Fix a NullPointerException when an AsyncListener
      handles an error with a dispatch rather than a complete.
      + Fix: When an error occurs during asynchronous processing,
      ensure that the error handling process is only triggered once
      per asynchronous cycle.
      + Fix: Fix logic issue trying to match no argument method in
      IntropectionUtil.
      + Fix: Improve thread safety around readNotify and writeNotify
      in the NIO2 endpoint.
      + Fix: Avoid rare thread safety issue accessing message digest
      map.
      + Fix: Improve statistics collection for upgraded connections
      under load.
      + Fix: Align validation of HTTP trailer fields with standard
      fields.
      + Fix: Improvements to HTTP/2 overhead protection (bsc#1216182,
      CVE-2023-44487)
    * jdbc-pool
      + Fix: 67664: Correct a regression in the clean-up of
      unnecessary use of fully qualified class names in 9.0.81
      that broke the jdbc-pool.
    * Jasper
      + Fix: 67080: Improve performance of EL expressions in JSPs that
      use implicit objects
* Thu Sep 21 2023 Fridrich Strba <fstrba@suse.com>
  - Update to Tomcat 9.0.80
    * Catalina
      + Add RateLimitFilter which can be used to mitigate DoS and
      Brute Force attacks
      + Move the management of the utility executor from the
      init()/destroy() methods of components to the start()/stop()
      methods.
      + Add org.apache.catalina.core.StandardVirtualThreadExecutor,
      a virtual thread based executor that may be used with one or
      more Connectors to process requests received by those
      Connectors using virtual threads. This Executor requires a
      minimum Java version of Java 21.
      + 66513: Add a per session Semaphore to the PersistentValve that
      ensures that, within a single Tomcat instance, there is no
      more than one concurrent request per session. Also expand the
      debug logging to include whether a request bypasses the Valve
      and the reason if a request fails to obtain the per session
      Semaphore.
      + 66609: Ensure that the default servlet correctly escapes file
      names in directory listings when using XML output.
      + 66618: Add a numeric last modified field to the XML directory
      listings produced by the default servlet to enable sorting in
      the XSLT.
      + 66621: Attempts to lock a collection with WebDAV may
      incorrectly fail if a child collection has an expired lock.
      + 66622: Deprecate the xssProtectionEnabled setting from the
      HttpHeaderSecurityFilter and change the default value to false
      as support for the associated HTTP header has been removed
      from all major browsers.
      + 59232: Add org.apache.catalina.core.ContextNamingInfoListener,
      a listener which creates context naming information
      environment entries.
      + 66665: Add
      org.apache.catalina.core.PropertiesRoleMappingListener, a
      listener which populates the context's role mapping from a
      properties file.
      + Fix an edge case where intra-web application symlinks would be
      followed if the web applications were deliberately crafted to
      allow it even when allowLinking was set to false.
      + Add utility config file resource lookup on Context to allow
      looking up resources from the webapp (prefixed with webapp:)
      and make the resource lookup API more visible.
      + Fix potential database connection leaks in
      DataSourceUserDatabase identified by Coverity Scan.
      + Make parsing of ExtendedAccessLogValve patterns more robust.
      + Fix failure trying to persist configuration for an internal
      credential handler.
      + 66680: When serializing a session during the session
      presistence process, do not log a warning that null Principals
      are not serializable.
      + Catch NamingException in JNDIRealm#getPrincipal. It is used in
      Java up to 17 to signal closed connections.
      + 66822: Use the same naming format in log messages for
      Connector instances as the associated ProtocolHandler instance.
      + The parts count should also lower the actual maxParameterCount
      used for parsing parameters if parts are parsed first.
      + If an application or library sets both a non-500 error code
      and the javax.servlet.error.exception request attribute, use
      the provided error code during error page processing rather
      than assuming an error code of 500.
      + Update code comments and Tomcat output to use MiB for
      1024 * 1024 bytes and KiB for 1024 bytes rather than
      MB and kB.
      + Avoid protocol relative redirects in FORM authentication
      (CVE-2023-41080, bsc#1214666).
    * Coyote
      + Update the HTTP/2 implementation to use the prioritization
      scheme defined in RFC 9218 rather than the one defined in
      RFC 7540.
      + 66602: not sending WINDOW_UPDATE when dataLength is ZERO on
      call SwallowedDataFramePayload.
      + 66627: Restore the documented behaviour of
      MessageBytes.getType() that it returns the type of the
      original content rather than reflecting the most recent
      conversion.
      + 66635: Correct certificate logging on start-up so it
      differentiates between keystore based keys/certificates and
      PEM file based keys/certificates and logs the relevant
      information for each.
      + Refactor blocking reads and writes for the NIO connector to
      remove code paths that could allow a notification from the
      Poller to be missed resuting in a timeout rather than the
      expected read or write.
      + Refactor waiting for an HTTP/2 stream or connection window
      update to handle spurious wake-ups during the wait.
      + Correct a regression introduced in 9.0.78 and use the correct
      constant when constructing the default value for the
      certificateKeystoreFile attribute of an
      SSLHostConfigCertificate instance.
      + Refactor HTTP/2 implementation to reduce pinning when using
      virtual threads.
      + Pass through ciphers referring to an OpenSSL profile, such as
      PROFILE=SYSTEM instead of producing an error trying to parse
      it.
      + 66841: Ensure that AsyncListener.onError() is called after an
      error during asynchronous processing with HTTP/2.
      + 66842: When using asynchronous I/O (the default for NIO and
      NIO2), include DATA frames when calculating the HTTP/2
      overhead count to ensure that connections are not prematurely
      terminated.
      + Correct a race condition that could cause spurious RST
      messages to be sent after the response had been written to an
      HTTP/2 stream.
    * WebSocket
      + 66548: Expand the validation of the value of the
      Sec-Websocket-Key header in the HTTP upgrade request that
      initiates a WebSocket connection. The value is not decoded but
      it is checked for the correct length and that only valid
      characters from the base64 alphabet are used.
      + Improve handling of error conditions for the WebSocket server,
      particularly during Tomcat shutdown.
      + Correct a regression in the fix for 66574 that meant the
      WebSocket session could return false for onOpen() before the
      onClose() event had been completed.
      + 66681: Fix a NullPointerException when flushing batched
      messages with compression enabled using permessage-deflate.
    * Web applications
      + Documentation. Expand the security guidance to cover the
      embedded use case and add notes on the uses made of the
      java.io.tmpdir system property.
      + 66662: Documentation. Fix a typo in the name of the algorithms
      attribute in the configuration section for the Digest
      authentication value.
      + Documentation. Update documentation to use MiB for
      1024 * 1024 bytes and KiB for 1024 bytes rather than
      MB and kB.
    * jdbc-pool
      + Fix the releaseIdleCounter does not increment when testAllIdle
      releases them.
      + Fix the ConnectionState state will be inconsistent with actual
      state on the connection when an exception occurs while
      writing.
    * Other
      + Update to Commons Daemon 1.3.4.
      + Improvements to French translations.
      + Update Checkstyle to 10.12.0.
      + Update the packaged version of the Apache Tomcat Native
      Library to 1.2.37 to pick up the Windows binaries built with
      with OpenSSL 1.1.1u.
      + Include the Windows specific binary distributions in the files
      uploaded to Maven Central.
      + Improvements to French translations.
      + Improvements to Japanese translations.
      + Update UnboundID to 6.0.9.
      + Update Checkstyle to 10.12.1.
      + Update BND to 6.4.1.
      + Update JSign to 5.0.
      + Correct properties for JSign dependency.
      + Align documentation for maxParameterCount to match hard-coded
      defaults.
      + Update NSIS to 3.0.9.
      + Update Checkstyle to 10.12.2.
      + Improvements to French translations.
      + Improvements to Japanese translations.
      + 66829: Fix quoting so users can use the _RUNJAVA environment
      variable as intended on Windows when the path to the Java
      executable contains spaces.
      + Update Tomcat Native to 1.2.38 to pick up Windows binaries
      built with OpenSSL 1.1.1v.
      + Improvements to Chinese translations.
      + Improvements to French translations.
      + Improvements to Japanese translations
  - Removed patch:
    * tomcat-9.0.75-CVE-2023-41080.patch
      + integrated in this version
* Thu Sep 21 2023 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fixed CVEs:
    * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666)
  - Added patches:
    * tomcat-9.0.75-CVE-2023-41080.patch
* Mon Sep 18 2023 Fridrich Strba <fstrba@suse.com>
  - Modified patch:
    * tomcat-9.0-osgi-build.patch
      + make it more robust to change in number of artifacts in bnd
      + do not enumerate jars, just take all jars from the aqute-bnd
      directory into the classpath
* Tue Sep 12 2023 Fridrich Strba <fstrba@suse.com>
  - Require(pre) shadow because groupadd is needed early
* Tue May 23 2023 Fridrich Strba <fstrba@suse.com>
  - Update to Tomcat 9.0.75.
    * See changelog at
      https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.75_(markt)
    * Fixes:
      + bsc#1211608, CVE-2023-28709
      + bsc#1208513, CVE-2023-24998 (previous incomplete fix)
  - Remove patches:
    * tomcat-9.0-CVE-2021-30640.patch
    * tomcat-9.0-CVE-2021-33037.patch
    * tomcat-9.0-CVE-2021-41079.patch
    * tomcat-9.0-CVE-2022-23181.patch
    * tomcat-9.0-NPE-JNDIRealm.patch
    * tomcat-9.0-hardening_getResources.patch
    * tomcat-9.0.43-CVE-2021-43980.patch
    * tomcat-9.0.43-CVE-2022-42252.patch
    * tomcat-9.0.43-CVE-2022-45143.patch
    * tomcat-9.0.43-CVE-2023-24998.patch
    * tomcat-9.0.43-CVE-2023-28708.patch
      + integrated in this version
    * tomcat-9.0.43-java8compat.patch
      + problem with Java 8 compatibility solved in this version
  - Modified patch:
    * tomcat-9.0.31-secretRequired-default.patch
    - > tomcat-9.0.75-secretRequired-default.patch
      + rediffed to changed context
    * tomcat-9.0-javadoc.patch
      + drop integrated hunks
    * tomcat-9.0-osgi-build.patch
      + fix to work with current version
  - Added patch:
    * tomcat-9.0-jdt.patch
      + fix build against our ecj
* Fri Apr 07 2023 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fixed CVEs:
    * CVE-2022-45143: JsonErrorReportValve: add escape for type, message or description (bsc#1206840)
  - Added patches:
    * tomcat-9.0.43-CVE-2022-45143.patch
* Thu Mar 23 2023 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fixed CVEs:
    * CVE-2023-28708: tomcat: not including the secure attribute
      causes information disclosure (bsc#1209622)
  - Added patches:
    * tomcat-9.0.43-CVE-2023-28708.patch
* Tue Feb 28 2023 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fixed CVEs:
    * CVE-2023-24998: tomcat,tomcat6: FileUpload DoS with excessive parts (bsc#1208513)
  - Added patches:
    * tomcat-9.0.43-CVE-2023-24998.patch
* Fri Dec 23 2022 Michele Bussolotto <michele.bussolotto@suse.com>
  - set logrotate for localhost.log, manager.log, host-manager.log and localhost_access_log.txt
  - use logrotate for catalina.out
    * update tomcat-serverxml-tool and spec to configure server.xml
  - Added patch:
    * tomcat-9.0-logrotate_everything.patch
    * tomcat-serverxml-tool.tar.gz
  - Removed:
    * tomcat-serverxml-tool-1.0.tar.gz
* Tue Nov 29 2022 Michele Bussolotto <michele.bussolotto@suse.com>
  - Use catalina.out for logging (bsc#1205647)
  - Added patches:
    * tomcat-9.0-fix_catalina.patch
* Mon Nov 21 2022 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fixed CVEs:
    * CVE-2022-42252: reject invalid content-length requests. (bsc#1204918)
  - Added patches:
    * tomcat-9.0.43-CVE-2022-42252.patch
* Thu Oct 20 2022 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fixed CVEs:
    * CVE-2021-43980: Improve the recycling of Processor objects to make it more robust. (bsc#1203868)
  - Added patches:
    * tomcat-9.0.43-CVE-2021-43980.patch
* Wed Jul 13 2022 Fridrich Strba <fstrba@suse.com>
  - Do not hardcode /usr/libexec but use %%_libexecdir during the
    build
    * Fixes for platforms, where /usr/libexec and %%_libexecdir are
      different
* Thu Jul 07 2022 Fridrich Strba <fstrba@suse.com>
  - Fix bsc#1201081 by building with release=8 all files that can be
    built this way. The one file remaining, build it with source=8 and
    target=8
  - Modified patch:
    * tomcat-9.0.43-java8compat.patch
      + Do not cast ByteBuffer to Buffer to call the Java 8 compatible
      methods. Build with release=8 instead
* Thu Apr 07 2022 Michele Bussolotto <michele.bussolotto@suse.com>
  - Security hardening. Deprecate getResources() and always return null. (bsc#1198136)
  - Added patch: tomcat-9.0-hardening_getResources.patch
* Wed Feb 23 2022 Fridrich Strba <fstrba@suse.com>
  - Remove dependency on log4j/reload4j completely (bsc#1196137)
* Tue Feb 22 2022 Fridrich Strba <fstrba@suse.com>
  - Do not build against the log4j12 packages, use the new reload4j
* Fri Jan 28 2022 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fixed CVEs:
    * CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255)
  - Added patches:
    * tomcat-9.0-CVE-2022-23181.patch
* Mon Jan 10 2022 olaf@aepfle.de
  - remove instance units from post scripts, they can not be reloaded
* Fri Dec 10 2021 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fix NPE in JNDIRealm, when userRoleAttribute is not set (bsc#1193569)
  - Added patch:
    * tomcat-9.0-NPE-JNDIRealm.patch
* Wed Nov 10 2021 Fridrich Strba <fstrba@suse.com>
  - Modified patch:
    * tomcat-9.0-osgi-build.patch
      + account for biz.aQute.bnd.ant artifact in aqute-bnd >= 5.2.0
* Fri Oct 29 2021 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fixed CVEs:
    * CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279)
    * CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1. clients (bsc#1188278)
  - Added patches:
    * tomcat-9.0-CVE-2021-30640.patch
    * tomcat-9.0-CVE-2021-33037.patch
* Thu Oct 28 2021 Michele Bussolotto <michele.bussolotto@suse.com>
  - Fixed CVEs:
    * CVE-2021-41079: Validate incoming TLS packet (bsc#1190558)
  - Added patches:
    * tomcat-9.0-CVE-2021-41079.patch
* Mon Oct 18 2021 Marcel Witte <wittemar@googlemail.com>
  - Update to Tomcat 9.0.43. See changelog at
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.43_(markt)
  - Removed Patches because fixed upstream now:
    * tomcat-9.0-CVE-2021-25122.patch
    * tomcat-9.0-CVE-2021-25329.patch
  - Rebased patch:
    tomcat-9.0.39-java8compat.patch -> tomcat-9.0.43-java8compat.patch
* Mon Oct 18 2021 Marcel Witte <wittemar@googlemail.com>
  - Update to Tomcat 9.0.41. See changelog at
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.41_(markt)
* Mon Oct 18 2021 Marcel Witte <wittemar@googlemail.com>
  - Update to Tomcat 9.0.40. See changelog at
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.40_(markt)
  - Removed Patches because fixed upstream now:
    * tomcat-9.0-CVE-2020-17527.patch
    * tomcat-9.0-CVE-2021-24122.patch
* Mon Mar 22 2021 Abid Mehmood <amehmood@suse.com>
  - Fixed CVEs:
    * CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912)
    * CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909)
  - Added patches:
    * tomcat-9.0-CVE-2021-25122.patch
    * tomcat-9.0-CVE-2021-25329.patch
* Wed Mar 17 2021 Abid Mehmood <amehmood@suse.com>
  - Log if file access is blocked due to symlinks: CVE-2021-24122 (bsc#1180947)
  - Added patch:
    * tomcat-9.0-CVE-2021-24122.patch
* Mon Mar 15 2021 Marcel Witte <wittemar@googlemail.com>
  - Update to Tomcat 9.0.39. See changelog at
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.39_(markt)
  - Rebased patches:
    * tomcat-9.0.38-java8compat.patch -> tomcat-9.0.39-java8compat.patch
* Mon Mar 15 2021 Marcel Witte <wittemar@googlemail.com>
  - Update to Tomcat 9.0.38. See changelog at
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.38_(markt)
  - Rebased patches:
    * tomcat-9.0.37-java8compat.patch -> tomcat-9.0.38-java8compat.patch
  - Removed tomcat-9.0-CVE-2020-13943.patch because that fix is upstream now
* Mon Feb 22 2021 Marcel Witte <wittemar@googlemail.com>
  - Update to Tomcat 9.0.37. See changelog at
    https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.37_(markt)
  - Fixed CVEs:
    * CVE-2020-13934 (bsc#1174121)
    * CVE-2020-13935 (bsc#1174117)
  - Rebased patches:
    * tomcat-9.0-osgi-build.patch
    * tomcat-9.0.31-java8compat.patch -> tomcat-9.0.37-java8compat.patch

Files

/etc/alternatives/jsp
/usr/share/java/tomcat-jsp-2.3-api.jar
/usr/share/java/tomcat-jsp-api.jar
/usr/share/java/tomcat-jsp.jar
/usr/share/maven-metadata/tomcat-jsp-api.xml
/usr/share/maven-poms/JPP-tomcat-jsp-api.pom


Generated by rpm2html 1.8.1

Fabrice Bellet, Tue Jul 9 12:25:21 2024