From 37136861dfa67cc58a4d72d3928f2b0ee8ef99c8 Mon Sep 17 00:00:00 2001
From: Sonia Xu
Date: Mar 03 2022 02:09:56 +0000
Subject: Update to 9.0.59 Fixes CVE-2022-23181
---
diff --git a/sources b/sources
index 259252b..8ef1969 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.56-src.tar.gz) = 43332241fda149f9da107496cc6b812e38544c9043c567e3fe11ee01b5abfbd02b6a377c3f6090902048bd9dc67746cdc65d59f03bd0de68c05e0955bfe018c5
+SHA512 (apache-tomcat-9.0.59-src.tar.gz) = cea0125ca9b90b247ed114fa7b2e9c63da38b1ef97b3a373a43ed0d775764178534a4014b254219c8c5a26575eaf0ddc25ebc1e276b2ad5086ef3406627f1c80
diff --git a/tomcat-9.0-JDTCompiler.patch b/tomcat-9.0-JDTCompiler.patch
index 20605ce..edf156a 100644
--- a/tomcat-9.0-JDTCompiler.patch
+++ b/tomcat-9.0-JDTCompiler.patch
@@ -1,16 +1,17 @@
-diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java.orig ./java/org/apache/jasper/compiler/JDTCompiler.java
---- java/org/apache/jasper/compiler/JDTCompiler.java.orig 2021-07-07 11:31:21.583507995 +0800
-+++ java/org/apache/jasper/compiler/JDTCompiler.java 2021-07-07 11:35:13.009251246 +0800
-@@ -310,7 +310,7 @@ public class JDTCompiler extends org.apa
+diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java ./java/org/apache/jasper/compiler/JDTCompiler.java
+index 2e361f2..277d8f4 100644
+--- java/org/apache/jasper/compiler/JDTCompiler.java
++++ java/org/apache/jasper/compiler/JDTCompiler.java
+@@ -310,7 +310,7 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
 } else if(opt.equals("15")) {
 settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
 } else if(opt.equals("16")) {
 - settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
 + settings.put(CompilerOptions.OPTION_Source, "16");
 } else if(opt.equals("17")) {
- // Constant not available in latest ECJ version shipped with
- // Tomcat. May be supported in a snapshot build.
-@@ -372,8 +372,8 @@ public class JDTCompiler extends org.apa
+ // Constant not available in latest ECJ version that runs on
+ // Java 8.
+@@ -377,8 +377,8 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
 settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
 settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
 } else if(opt.equals("16")) {
@@ -19,5 +20,5 @@ diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java.orig ./java/org/apac
 + settings.put(CompilerOptions.OPTION_TargetPlatform, "16");
 + settings.put(CompilerOptions.OPTION_Compliance, "16");
 } else if(opt.equals("17")) {
- // Constant not available in latest ECJ version shipped with
- // Tomcat. May be supported in a snapshot build.
+ // Constant not available in latest ECJ version that runs on
+ // Java 8.
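Review bot: The refreshed downstream patch still replaces `CompilerOptions.VERSION_16` with the bare literal `"16"` without recording why, both in the `OPTION_Source` branch of the first hunk and in the `OPTION_TargetPlatform`/`OPTION_Compliance` lines carried as context in the `@@ -19,5 +20,5 @@` hunk. Presumably the ECJ available at build time lacks that constant, much as the upstream comment on the "17" branch describes for its own case, but neither the patch file nor the spec changelog shown here says so. I would add a description line above the `diff -up` header of the patch file, for example `Use the literal "16": the packaged ECJ has no CompilerOptions.VERSION_16; drop this patch once it does`, with the reason confirmed against the packaged ECJ version. That gives the next rebase a way to tell whether the patch is still needed instead of carrying it forward blindly.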
diff --git a/tomcat.spec b/tomcat.spec
index 31a5258..8f3948c 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 56
+%global micro_version 59
 %global packdname apache-tomcat-%{version}-src
 %global servletspec 4.0
 %global elspec 3.0
@@ -56,7 +56,7 @@
 Name: tomcat
 Epoch: 1
 Version: %{major_version}.%{minor_version}.%{micro_version}
-Release: 3%{?dist}
+Release: 1%{?dist}
 Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 License: ASL 2.0
@@ -496,6 +496,10 @@ fi
 %{appdir}/ROOT
 %changelog
+* Wed Mar 02 2022 Sonia Xu - 1:9.0.59-1
+- Update to 9.0.59
+- Resolves: rhbz#2047419 - CVE-2022-23181 tomcat: local privilege escalation vulnerability
+
 * Sat Feb 05 2022 Jiri Vanek - 1:9.0.56-3
 - Rebuilt for java-17-openjdk as system jdk