PR#7: Update to 9.0.58 - rpms/tomcat

rpms / tomcat

#7 Update to 9.0.58

Closed 2 years ago by sonix. Opened 2 years ago by sonix.

rpms/ sonix/tomcat pr-update-9.0.58 into rawhide

Update to 9.0.58

Sonia Xu • 2 years ago

2b8c939

sources

file modified

+1 -1

		`@@ -1,1 +1,1 @@`
		`- SHA512 (apache-tomcat-9.0.56-src.tar.gz) = 43332241fda149f9da107496cc6b812e38544c9043c567e3fe11ee01b5abfbd02b6a377c3f6090902048bd9dc67746cdc65d59f03bd0de68c05e0955bfe018c5`
		`+ SHA512 (apache-tomcat-9.0.58-src.tar.gz) = b2b572dcad2efadf3e5e5a6ae6e108f5699af23b7751ca3c9c00e6ba896f5179745108fa602d8bd87a9611fd8bebe8817fad53c38fc75b0063835b953c67d74a`

tomcat-9.0-JDTCompiler.patch

file modified

+10 -9

		`@@ -1,16 +1,17 @@`
		`- diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java.orig ./java/org/apache/jasper/compiler/JDTCompiler.java`
		`- --- java/org/apache/jasper/compiler/JDTCompiler.java.orig 2021-07-07 11:31:21.583507995 +0800`
		`- +++ java/org/apache/jasper/compiler/JDTCompiler.java 2021-07-07 11:35:13.009251246 +0800`
		`- @@ -310,7 +310,7 @@ public class JDTCompiler extends org.apa`
		`+ diff -up ./java/org/apache/jasper/compiler/JDTCompiler.java ./java/org/apache/jasper/compiler/JDTCompiler.java`
		`+ index 2e361f2..277d8f4 100644`
		`+ --- java/org/apache/jasper/compiler/JDTCompiler.java`
		`+ +++ java/org/apache/jasper/compiler/JDTCompiler.java`
		`+ @@ -310,7 +310,7 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {`
		`} else if(opt.equals("15")) {`
		`settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);`
		`} else if(opt.equals("16")) {`
		`- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);`
		`+ settings.put(CompilerOptions.OPTION_Source, "16");`
		`} else if(opt.equals("17")) {`
		`- // Constant not available in latest ECJ version shipped with`
		`- // Tomcat. May be supported in a snapshot build.`
		`- @@ -372,8 +372,8 @@ public class JDTCompiler extends org.apa`
		`+ // Constant not available in latest ECJ version that runs on`
		`+ // Java 8.`
		`+ @@ -377,8 +377,8 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {`
		`settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);`
		`settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);`
		`} else if(opt.equals("16")) {`
		`@@ -19,5 +20,5 @@`
		`+ settings.put(CompilerOptions.OPTION_TargetPlatform, "16");`
		`+ settings.put(CompilerOptions.OPTION_Compliance, "16");`
		`} else if(opt.equals("17")) {`
		`- // Constant not available in latest ECJ version shipped with`
		`- // Tomcat. May be supported in a snapshot build.`
		`+ // Constant not available in latest ECJ version that runs on`
		`+ // Java 8.`

tomcat.spec

file modified

+6 -2

		`@@ -31,7 +31,7 @@`
		`%global jspspec 2.3`
		`%global major_version 9`
		`%global minor_version 0`
		`- %global micro_version 56`
		`+ %global micro_version 58`
mcinglis commented 2 years ago We may instead want to update straight to `9.0.59`, which I noticed has been released recently? https://tomcat.apache.org/tomcat-9.0-doc/changelog.html Suggests a notable ton of fixes relevant. Doesn't seem to be any CVEs in that (yet?), but we may as well while we're doing this.
		`%global packdname apache-tomcat-%{version}-src`
		`%global servletspec 4.0`
		`%global elspec 3.0`
		`@@ -56,7 +56,7 @@`
		`Name: tomcat`
		`Epoch: 1`
		`Version: %{major_version}.%{minor_version}.%{micro_version}`
		`- Release: 3%{?dist}`
		`+ Release: 1%{?dist}`
		`Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API`

		`License: ASL 2.0`
		`@@ -496,6 +496,10 @@`
		`%{appdir}/ROOT`

		`%changelog`
		`+ * Wed Mar 02 2022 Sonia Xu <sonix@amazon.com> - 1:9.0.58-1`
		`+ - Update to 9.0.58`
		`+ - Fixes CVE-2022-23181`
mcinglis commented 2 years ago In keeping with prior changelog entry convention, we should instead reference the RHBZ item for this: https://bugzilla.redhat.com/show_bug.cgi?id=2047419 , like `- Resolves: rhbz#2047419 - CVE-2022-23181 tomcat: local privilege escalation vulnerability` (note you can see all current `tomcat` issues by the "Issues" link on the repo page)
		`+`
		`* Sat Feb 05 2022 Jiri Vanek <jvanek@redhat.com> - 1:9.0.56-3`
		`- Rebuilt for java-17-openjdk as system jdk`

sonix commented 2 years ago

Update to 9.0.58 fixes CVE-2022-23181

mcinglis commented on line 25 of tomcat.spec 2 years ago

In keeping with prior changelog entry convention, we should instead reference the RHBZ item for this: https://bugzilla.redhat.com/show_bug.cgi?id=2047419 , like

- Resolves: rhbz#2047419 - CVE-2022-23181 tomcat: local privilege escalation vulnerability

(note you can see all current tomcat issues by the "Issues" link on the repo page)

mcinglis commented on line 6 of tomcat.spec 2 years ago

We may instead want to update straight to 9.0.59, which I noticed has been released recently? https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Suggests a notable ton of fixes relevant. Doesn't seem to be any CVEs in that (yet?), but we may as well while we're doing this.

mcinglis commented 2 years ago

Congrats on your first PR, and welcome to the Fedora Project community! 🎉

Love to see ever-increasing open-source collaboration from Amazon!

sonix commented 2 years ago

Closing in favor of building 9.0.59
https://src.fedoraproject.org/rpms/tomcat/pull-request/8#

Pull-Request has been closed by sonix

2 years ago