diff --git a/.gitignore b/.gitignore
index fbdde0d..daa0815 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,3 @@
-SOURCES/apache-tomcat-7.0.54-src.tar.gz
+SOURCES/apache-tomcat-7.0.69-src.tar.gz
+SOURCES/tomcat-juli-adapters.jar
+SOURCES/tomcat-juli.jar
diff --git a/.tomcat.metadata b/.tomcat.metadata
index 5f4aba0..ef6c8c3 100644
--- a/.tomcat.metadata
+++ b/.tomcat.metadata
@@ -1 +1,3 @@
-70253e53572005adca147414a3d0eea4dbcc1ae0 SOURCES/apache-tomcat-7.0.54-src.tar.gz
+0be9ee73295f0125b391db17ec58053cead73f09 SOURCES/apache-tomcat-7.0.69-src.tar.gz
+b5aad5a5c8e358e014b3865aaa899e0deb3fa31a SOURCES/tomcat-juli-adapters.jar
+da220d83c3aceea91e55b26bf4ca07ad6a8b5b29 SOURCES/tomcat-juli.jar
diff --git a/SOURCES/tomcat-7.0-catalina-policy.patch b/SOURCES/tomcat-7.0-catalina-policy.patch
new file mode 100644
index 0000000..8aaf93e
--- /dev/null
+++ b/SOURCES/tomcat-7.0-catalina-policy.patch
@@ -0,0 +1,39 @@ +--- conf/catalina.policy~ 2016-06-17 10:20:17.649171968 -0400 ++++ conf/catalina.policy 2016-06-17 10:23:35.358309244 -0400 +@@ -50,6 +50,36 @@ grant codeBase "file:${java.home}/lib/ex + permission java.security.AllPermission; + }; + ++// ========== RHEL SPECIFIC CODE PERMISSIONS ======================================= ++ ++// Allowing everything in /usr/share/java allows too many unknowns to be permitted ++// Specifying the individual jars that tomcat needs to function with the security manager ++// is the safest way forward. ++grant codeBase "file:/usr/share/java/tomcat-servlet-3.0-api.jar" { ++ permission java.security.AllPermission; ++}; ++grant codeBase "file:/usr/share/java/omcat-jsp-2.2-api.jar" { ++ permission java.security.AllPermission; ++}; ++grant codeBase "file:/usr/share/java/tomcat-el-2.2-api.jar" { ++ permission java.security.AllPermission; ++}; ++grant codeBase "file:/usr/share/java/log4j.jar" { ++ permission java.security.AllPermission; ++}; ++grant codeBase "file:/usr/share/java/ecj.jar" { ++ permission java.security.AllPermission; ++}; ++grant codeBase "file:/usr/share/java/apache-commons-pool.jar" { ++ permission java.security.AllPermission; ++}; ++grant codeBase "file:/usr/share/java/apache-commons-dbcp.jar" { ++ permission java.security.AllPermission; ++}; ++grant codeBase "file:/usr/share/java/apache-commons-collections.jar" { ++ permission java.security.AllPermission; ++}; ++ + + // ========== CATALINA CODE PERMISSIONS ======================================= + diff --git a/SOURCES/tomcat-7.0-digest.script b/SOURCES/tomcat-7.0-digest.script index 2ff7e64..86f05ec 100644 --- a/SOURCES/tomcat-7.0-digest.script +++ b/SOURCES/tomcat-7.0-digest.script 
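Review bot: The grant for the JSP API jar names `file:/usr/share/java/omcat-jsp-2.2-api.jar`, which is missing the leading `t` of `tomcat-jsp-2.2-api.jar`; under the security manager that codeBase never matches any loaded jar, so the JSP API runs with no permissions while the other seven jars receive AllPermission, and JSP compilation is the first thing likely to fail. The line should read `grant codeBase "file:/usr/share/java/tomcat-jsp-2.2-api.jar" {`. Separately, AllPermission for ecj.jar, log4j.jar and the three commons jars is broader than the header comment's stated intent of limiting unknowns; if those libraries only need file, property and socket access, narrower grants would keep the security manager meaningful for them, though the minimum set cannot be determined from this patch alone.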
@@ -34,7 +34,7 @@ export CLASSPATH MAIN_CLASS="org.apache.catalina.startup.Tool" BASE_FLAGS="-Dcatalina.home=\"$CATALINA_HOME\"" BASE_OPTIONS="" -BASE_JARS="commons-daemon tomcat/catalina servlet" +BASE_JARS="commons-daemon tomcat/catalina servlet tomcat/tomcat-util tomcat/tomcat-coyote" # Set parameters set_classpath $BASE_JARS diff --git a/SOURCES/tomcat-7.0-jsvc.service b/SOURCES/tomcat-7.0-jsvc.service index 3792cef..f480324 100644 --- a/SOURCES/tomcat-7.0-jsvc.service +++ b/SOURCES/tomcat-7.0-jsvc.service @@ -11,9 +11,12 @@ Description=Apache Tomcat Web Application Container JSVC wrapper After=syslog.target network.target [Service] -Type=forking -ExecStart=/usr/sbin/tomcat-jsvc-sysd start -ExecStop=/usr/sbin/tomcat-jsvc-sysd stop +Type=simple +EnvironmentFile=/etc/tomcat/tomcat.conf +Environment="NAME=" "USE_JSVC=true" +EnvironmentFile=-/etc/sysconfig/tomcat +ExecStart=/usr/libexec/tomcat/server start +ExecStop=/usr/libexec/tomcat/server stop [Install] WantedBy=multi-user.target diff --git a/SOURCES/tomcat-7.0-tomcat-users-webapp.patch b/SOURCES/tomcat-7.0-tomcat-users-webapp.patch index 9f05e37..5304bad 100644 --- a/SOURCES/tomcat-7.0-tomcat-users-webapp.patch +++ b/SOURCES/tomcat-7.0-tomcat-users-webapp.patch @@ -1,8 +1,8 @@ ---- conf/tomcat-users.xml~ 2008-01-28 17:41:06.000000000 -0500 -+++ conf/tomcat-users.xml 2008-03-07 19:40:07.000000000 -0500 -@@ -23,4 +23,14 @@ - - +--- conf/tomcat-users.xml 2016-04-11 04:02:30.000000000 -0400 ++++ conf/tomcat-users.xml 2016-06-06 16:39:12.751217530 -0400 +@@ -38,4 +38,14 @@ + + --> + + diff --git a/SOURCES/tomcat-7.0.54-CVE-2014-0227.patch b/SOURCES/tomcat-7.0.54-CVE-2014-0227.patch deleted file mode 100755 index 3d07cc4..0000000 --- a/SOURCES/tomcat-7.0.54-CVE-2014-0227.patch +++ /dev/null 
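Review bot: In the tomcat-7.0-jsvc.service hunk, `EnvironmentFile=-/etc/sysconfig/tomcat` is read alongside `Environment="NAME=" "USE_JSVC=true"`, and systemd lets environment files override `Environment=` settings regardless of their order in the unit, so a USE_JSVC or NAME assignment in /etc/sysconfig/tomcat silently changes what this unit launches (run() in tomcat-functions falls back to run_java when USE_JSVC is not "true"). Reordering the lines does not help; either drop the sysconfig file from this unit or add to tomcat-7.0.sysconfig a comment such as `# Do not set USE_JSVC or NAME here: tomcat-jsvc.service fixes them itself`. The unit also lacks the `SuccessExitStatus=143` that tomcat-7.0.service carries; whether jsvc's exit status on termination needs it is not visible here.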
@@ -1,410 +0,0 @@ ---- java/org/apache/coyote/http11/filters/ChunkedInputFilter.java.orig 2015-03-24 16:32:02.657913000 -0400 -+++ java/org/apache/coyote/http11/filters/ChunkedInputFilter.java 2015-03-24 18:21:47.397617000 -0400 -@@ -14,7 +14,6 @@ - * See the License for the specific language governing permissions and - * limitations under the License. - */ -- - package org.apache.coyote.http11.filters; - - import java.io.EOFException; -@@ -29,6 +28,7 @@ - import org.apache.tomcat.util.buf.HexUtils; - import org.apache.tomcat.util.buf.MessageBytes; - import org.apache.tomcat.util.http.MimeHeaders; -+import org.apache.tomcat.util.res.StringManager; - - /** - * Chunked input filter. Parses chunked data according to -@@ -39,9 +39,11 @@ - */ - public class ChunkedInputFilter implements InputFilter { - -+ private static final StringManager sm = StringManager.getManager( -+ ChunkedInputFilter.class.getPackage().getName()); - -- // -------------------------------------------------------------- Constants - -+ // -------------------------------------------------------------- Constants - - protected static final String ENCODING_NAME = "chunked"; - protected static final ByteChunk ENCODING = new ByteChunk(); -@@ -49,7 +51,6 @@ - - // ----------------------------------------------------- Static Initializer - -- - static { - ENCODING.setBytes(ENCODING_NAME.getBytes(Charset.defaultCharset()), 0, - ENCODING_NAME.length()); -@@ -58,7 +59,6 @@ - - // ----------------------------------------------------- Instance Variables - -- - /** - * Next buffer in the pipeline. - */ -@@ -106,6 +106,7 @@ - */ - protected ByteChunk trailingHeaders = new ByteChunk(); - -+ - /** - * Flag set to true if the next call to doRead() must parse a CRLF pair - * before doing anything else. -@@ -130,21 +131,29 @@ - */ - private final int maxTrailerSize; - -+ - /** - * Size of extensions processed for this request. 
- */ - private long extensionSize; - - -+ /** -+ * Flag that indicates if an error has occurred. -+ */ -+ private boolean error; -+ -+ - // ----------------------------------------------------------- Constructors -+ - public ChunkedInputFilter(int maxTrailerSize, int maxExtensionSize) { - this.trailingHeaders.setLimit(maxTrailerSize); - this.maxExtensionSize = maxExtensionSize; - this.maxTrailerSize = maxTrailerSize; - } - -- // ---------------------------------------------------- InputBuffer Methods - -+ // ---------------------------------------------------- InputBuffer Methods - - /** - * Read bytes. -@@ -156,11 +165,12 @@ - * control, the returned value should be -1. - */ - @Override -- public int doRead(ByteChunk chunk, Request req) -- throws IOException { -- -- if (endChunk) -+ public int doRead(ByteChunk chunk, Request req) throws IOException { -+ if (endChunk) { - return -1; -+ } -+ -+ checkError(); - - if(needCRLFParse) { - needCRLFParse = false; -@@ -169,7 +179,7 @@ - - if (remaining <= 0) { - if (!parseChunkHeader()) { -- throw new IOException("Invalid chunk header"); -+ throwIOException(sm.getString("chunkedInputFilter.invalidHeader")); - } - if (endChunk) { - parseEndChunk(); -@@ -181,8 +191,7 @@ - - if (pos >= lastValid) { - if (readBytes() < 0) { -- throw new IOException( -- "Unexpected end of stream whilst reading request body"); -+ throwIOException(sm.getString("chunkedInputFilter.eos")); - } - } - -@@ -207,13 +216,11 @@ - } - - return result; -- - } - - - // ---------------------------------------------------- InputFilter Methods - -- - /** - * Read the content length from the request. - */ -@@ -227,17 +234,13 @@ - * End the current request. 
- */ - @Override -- public long end() -- throws IOException { -- -- // Consume extra bytes : parse the stream until the end chunk is found -+ public long end() throws IOException { - while (doRead(readChunk, null) >= 0) { -- // NOOP: Just consume the input -+ // NOOP: just consume the input - } - - // Return the number of extra bytes which were consumed -- return (lastValid - pos); -- -+ return lastValid - pos; - } - - -@@ -246,7 +249,7 @@ - */ - @Override - public int available() { -- return (lastValid - pos); -+ return lastValid - pos; - } - - -@@ -272,6 +275,7 @@ - trailingHeaders.recycle(); - trailingHeaders.setLimit(maxTrailerSize); - extensionSize = 0; -+ error = false; - } - - -@@ -287,12 +291,10 @@ - - // ------------------------------------------------------ Protected Methods - -- - /** - * Read bytes from the previous buffer. - */ -- protected int readBytes() -- throws IOException { -+ protected int readBytes() throws IOException { - - int nRead = buffer.doRead(readChunk, null); - pos = readChunk.getStart(); -@@ -300,7 +302,6 @@ - buf = readChunk.getBytes(); - - return nRead; -- - } - - -@@ -315,8 +316,7 @@ - * digits. We should not parse F23IAMGONNAMESSTHISUP34CRLF as a valid - * header according to the spec. - */ -- protected boolean parseChunkHeader() -- throws IOException { -+ protected boolean parseChunkHeader() throws IOException { - - int result = 0; - boolean eol = false; -@@ -356,7 +356,7 @@ - // validated. Currently it is simply ignored. 
- extensionSize++; - if (maxExtensionSize > -1 && extensionSize > maxExtensionSize) { -- throw new IOException("maxExtensionSize exceeded"); -+ throwIOException(sm.getString("chunkedInputFilter.maxExtension")); - } - } - -@@ -364,21 +364,22 @@ - if (!eol) { - pos++; - } -- - } - -- if (readDigit == 0 || result < 0) -+ if (readDigit == 0 || result < 0) { - return false; -+ } - -- if (result == 0) -+ if (result == 0) { - endChunk = true; -+ } - - remaining = result; -- if (remaining < 0) -+ if (remaining < 0) { - return false; -+ } - - return true; -- - } - - -@@ -405,26 +406,27 @@ - boolean crfound = false; - - while (!eol) { -- - if (pos >= lastValid) { -- if (readBytes() <= 0) -- throw new IOException("Invalid CRLF"); -+ if (readBytes() <= 0) { -+ throwIOException(sm.getString("chunkedInputFilter.invalidCrlfNoData")); -+ } - } - - if (buf[pos] == Constants.CR) { -- if (crfound) throw new IOException("Invalid CRLF, two CR characters encountered."); -+ if (crfound) { -+ throwIOException(sm.getString("chunkedInputFilter.invalidCrlfCRCR")); -+ } - crfound = true; - } else if (buf[pos] == Constants.LF) { - if (!tolerant && !crfound) { -- throw new IOException("Invalid CRLF, no CR character encountered."); -+ throwIOException(sm.getString("chunkedInputFilter.invalidCrlfNoCR")); - } - eol = true; - } else { -- throw new IOException("Invalid CRLF"); -+ throwIOException(sm.getString("chunkedInputFilter.invalidCrlf")); - } - - pos++; -- - } - } - -@@ -433,7 +435,6 @@ - * Parse end chunk data. 
- */ - protected void parseEndChunk() throws IOException { -- - // Handle optional trailer headers - while (parseHeader()) { - // Loop until we run out of headers -@@ -449,8 +450,9 @@ - - // Read new bytes if needed - if (pos >= lastValid) { -- if (readBytes() <0) -- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); -+ if (readBytes() <0) { -+ throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); -+ } - } - - chr = buf[pos]; -@@ -474,8 +476,9 @@ - - // Read new bytes if needed - if (pos >= lastValid) { -- if (readBytes() <0) -- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); -+ if (readBytes() <0) { -+ throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); -+ } - } - - chr = buf[pos]; -@@ -515,8 +518,9 @@ - - // Read new bytes if needed - if (pos >= lastValid) { -- if (readBytes() <0) -- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); -+ if (readBytes() <0) { -+ throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); -+ } - } - - chr = buf[pos]; -@@ -526,7 +530,7 @@ - // limit placed on trailing header size - int newlimit = trailingHeaders.getLimit() -1; - if (trailingHeaders.getEnd() > newlimit) { -- throw new IOException("Exceeded maxTrailerSize"); -+ throwIOException(sm.getString("chunkedInputFilter.maxTrailer")); - } - trailingHeaders.setLimit(newlimit); - } else { -@@ -540,8 +544,9 @@ - - // Read new bytes if needed - if (pos >= lastValid) { -- if (readBytes() <0) -- throw new EOFException("Unexpected end of stream whilst reading trailer headers for chunked request"); -+ if (readBytes() <0) { -+ throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); -+ } - } - - chr = buf[pos]; -@@ -565,8 +570,9 @@ - - // Read new bytes if needed - if (pos >= lastValid) { -- if (readBytes() <0) -- throw new EOFException("Unexpected end of stream whilst reading trailer 
headers for chunked request"); -+ if (readBytes() <0) { -+ throwEOFException(sm.getString("chunkedInputFilter.eosTrailer")); -+ } - } - - chr = buf[pos]; -@@ -587,4 +593,23 @@ - - return true; - } -+ -+ -+ private void throwIOException(String msg) throws IOException { -+ error = true; -+ throw new IOException(msg); -+ } -+ -+ -+ private void throwEOFException(String msg) throws IOException { -+ error = true; -+ throw new EOFException(msg); -+ } -+ -+ -+ private void checkError() throws IOException { -+ if (error) { -+ throw new IOException(sm.getString("chunkedInputFilter.error")); -+ } -+ } - } ---- java/org/apache/coyote/http11/filters/LocalStrings.properties.orig 2015-03-24 16:32:02.662909000 -0400 -+++ java/org/apache/coyote/http11/filters/LocalStrings.properties 2015-03-24 16:39:31.017419000 -0400 -@@ -0,0 +1,27 @@ -+# Licensed to the Apache Software Foundation (ASF) under one or more -+# contributor license agreements. See the NOTICE file distributed with -+# this work for additional information regarding copyright ownership. -+# The ASF licenses this file to You under the Apache License, Version 2.0 -+# (the "License"); you may not use this file except in compliance with -+# the License. You may obtain a copy of the License at -+# -+# http://www.apache.org/licenses/LICENSE-2.0 -+# -+# Unless required by applicable law or agreed to in writing, software -+# distributed under the License is distributed on an "AS IS" BASIS, -+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -+# See the License for the specific language governing permissions and -+# limitations under the License. 
-+ -+chunkedInputFilter.error=No data available due to previous error -+chunkedInputFilter.eos=Unexpected end of stream while reading request body -+chunkedInputFilter.eosTrailer=Unexpected end of stream while reading trailer headers -+chunkedInputFilter.invalidCrlf=Invalid end of line sequence (character other than CR or LF found) -+chunkedInputFilter.invalidCrlfCRCR=Invalid end of line sequence (CRCR) -+chunkedInputFilter.invalidCrlfNoCR=Invalid end of line sequence (No CR before LF) -+chunkedInputFilter.invalidCrlfNoData=Invalid end of line sequence (no data available to read) -+chunkedInputFilter.invalidHeader=Invalid chunk header -+chunkedInputFilter.maxExtension=maxExtensionSize exceeded -+chunkedInputFilter.maxTrailer=maxTrailerSize exceeded -+ -+inputFilter.maxSwallow=maxSwallowSize exceeded -\ No newline at end of file diff --git a/SOURCES/tomcat-7.0.54-CVE-2014-7810.patch b/SOURCES/tomcat-7.0.54-CVE-2014-7810.patch deleted file mode 100644 index 32ca660..0000000 --- a/SOURCES/tomcat-7.0.54-CVE-2014-7810.patch +++ /dev/null 
@@ -1,120 +0,0 @@ ---- java/javax/el/BeanELResolver.java.orig 2016-06-02 09:46:15.019196027 -0400 -+++ java/javax/el/BeanELResolver.java 2016-06-02 09:46:15.025196055 -0400 -@@ -251,15 +251,39 @@ - try { - BeanInfo info = Introspector.getBeanInfo(this.type); - PropertyDescriptor[] pds = info.getPropertyDescriptors(); -- for (int i = 0; i < pds.length; i++) { -- this.properties.put(pds[i].getName(), new BeanProperty( -- type, pds[i])); -+ for (PropertyDescriptor pd: pds) { -+ this.properties.put(pd.getName(), new BeanProperty(type, pd)); -+ } -+ if (System.getSecurityManager() != null) { -+ // When running with SecurityManager, some classes may be -+ // not accessible, but have accessible interfaces. -+ populateFromInterfaces(type); - } - } catch (IntrospectionException ie) { - throw new ELException(ie); - } - } - -+ private void populateFromInterfaces(Class aClass) throws IntrospectionException { -+ Class interfaces[] = aClass.getInterfaces(); -+ if (interfaces.length > 0) { -+ for (Class ifs : interfaces) { -+ BeanInfo info = Introspector.getBeanInfo(ifs); -+ PropertyDescriptor[] pds = info.getPropertyDescriptors(); -+ for (PropertyDescriptor pd : pds) { -+ if (!this.properties.containsKey(pd.getName())) { -+ this.properties.put(pd.getName(), new BeanProperty( -+ this.type, pd)); -+ } -+ } -+ } -+ } -+ Class superclass = aClass.getSuperclass(); -+ if (superclass != null) { -+ populateFromInterfaces(superclass); -+ } -+ } -+ - private BeanProperty get(ELContext ctx, String name) { - BeanProperty property = this.properties.get(name); - if (property == null) { ---- java/org/apache/jasper/runtime/PageContextImpl.java.orig 2016-06-02 09:46:15.020196032 -0400 -+++ java/org/apache/jasper/runtime/PageContextImpl.java 2016-06-02 09:46:15.026196060 -0400 -@@ -937,37 +937,11 @@ - final Class expectedType, final PageContext pageContext, - final ProtectedFunctionMapper functionMap, final boolean escape) - throws ELException { -- Object retValue; - final ExpressionFactory 
exprFactory = jspf.getJspApplicationContext(pageContext.getServletContext()).getExpressionFactory(); -- if (SecurityUtil.isPackageProtectionEnabled()) { -- try { -- retValue = AccessController -- .doPrivileged(new PrivilegedExceptionAction() { -- -- @Override -- public Object run() throws Exception { -- ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); -- ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); -- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); -- return ve.getValue(ctx); -- } -- }); -- } catch (PrivilegedActionException ex) { -- Exception realEx = ex.getException(); -- if (realEx instanceof ELException) { -- throw (ELException) realEx; -- } else { -- throw new ELException(realEx); -- } -- } -- } else { -- ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); -- ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); -- ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); -- retValue = ve.getValue(ctx); -- } -- -- return retValue; -+ ELContextImpl ctx = (ELContextImpl) pageContext.getELContext(); -+ ctx.setFunctionMapper(new FunctionMapperImpl(functionMap)); -+ ValueExpression ve = exprFactory.createValueExpression(ctx, expression, expectedType); -+ return ve.getValue(ctx); - } - - @Override ---- java/org/apache/jasper/security/SecurityClassLoad.java.orig 2016-06-02 09:46:15.020196032 -0400 -+++ java/org/apache/jasper/security/SecurityClassLoad.java 2016-06-02 09:46:15.027196065 -0400 -@@ -93,8 +93,6 @@ - "runtime.PageContextImpl$11"); - loader.loadClass( basePackage + - "runtime.PageContextImpl$12"); -- loader.loadClass( basePackage + -- "runtime.PageContextImpl$13"); - - loader.loadClass( basePackage + - "runtime.JspContextWrapper"); ---- webapps/docs/changelog.xml.orig 2016-06-02 09:46:15.022196041 -0400 -+++ webapps/docs/changelog.xml 2016-06-02 09:48:48.443915711 -0400 -@@ -55,6 +55,17 @@ - They eventually become mixed with the numbered 
issues. (I.e., numbered - issues to not "pop up" wrt. others). - --> -+
-+ -+ -+ -+ Fix potential issue with BeanELresolver when running under a security -+ manager. Some classes may not be accessible but may have accessible -+ interfaces. (markt) -+ -+ -+ -+
-
- - diff --git a/SOURCES/tomcat-7.0.54-CVE-2015-5346.patch b/SOURCES/tomcat-7.0.54-CVE-2015-5346.patch deleted file mode 100644 index 48c38b7..0000000 --- a/SOURCES/tomcat-7.0.54-CVE-2015-5346.patch +++ /dev/null 
@@ -1,84 +0,0 @@ ---- java/org/apache/catalina/connector/CoyoteAdapter.java.orig 2016-07-06 14:53:28.217385543 -0400 -+++ java/org/apache/catalina/connector/CoyoteAdapter.java 2016-07-06 15:02:49.045710268 -0400 -@@ -750,6 +750,10 @@ - version = ctxt.getWebappVersion(); - // Reset mapping - request.getMappingData().recycle(); -+ mapRequired = true; -+ // Recycle session info in case the correct -+ // context is configured with different settings -+ request.recycleSessionInfo(); - break; - } - } ---- java/org/apache/catalina/connector/Request.java.orig 2016-07-06 14:53:28.218385547 -0400 -+++ java/org/apache/catalina/connector/Request.java 2016-07-06 14:53:28.222385563 -0400 -@@ -494,18 +494,7 @@ - notes.clear(); - cookies = null; - -- if (session != null) { -- try { -- session.endAccess(); -- } catch (Throwable t) { -- ExceptionUtils.handleThrowable(t); -- log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t); -- } -- } -- session = null; -- requestedSessionCookie = false; -- requestedSessionId = null; -- requestedSessionURL = false; -+ recycleSessionInfo(); - - if (Globals.IS_SECURITY_ENABLED || Connector.RECYCLE_FACADES) { - parameterMap = new ParameterMap(); -@@ -553,11 +542,24 @@ - } - - -- /** -- * Clear cached encoders (to save memory for Comet requests). 
-- */ -- public boolean read() -- throws IOException { -+ protected void recycleSessionInfo() { -+ if (session != null) { -+ try { -+ session.endAccess(); -+ } catch (Throwable t) { -+ ExceptionUtils.handleThrowable(t); -+ log.warn(sm.getString("coyoteRequest.sessionEndAccessFail"), t); -+ } -+ } -+ session = null; -+ requestedSessionCookie = false; -+ requestedSessionId = null; -+ requestedSessionURL = false; -+ requestedSessionSSL = false; -+ } -+ -+ -+ public boolean read() throws IOException { - return (inputBuffer.realReadBytes(null, 0, 0) > 0); - } - ---- webapps/docs/changelog.xml.orig 2016-07-06 14:53:28.219385551 -0400 -+++ webapps/docs/changelog.xml 2016-07-06 15:04:26.761927698 -0400 -@@ -55,6 +55,16 @@ - They eventually become mixed with the numbered issues. (I.e., numbered - issues to not "pop up" wrt. others). - --> -+
-+ -+ -+ -+ Handle the unlikely case where different versions of a web application -+ are deployed with different session settings. (markt) -+ -+ -+ -+
-
- - diff --git a/SOURCES/tomcat-7.0.54-CVE-2016-5388.patch b/SOURCES/tomcat-7.0.54-CVE-2016-5388.patch deleted file mode 100644 index f420b57..0000000 --- a/SOURCES/tomcat-7.0.54-CVE-2016-5388.patch +++ /dev/null 
@@ -1,117 +0,0 @@ ---- conf/web.xml.orig 2016-08-23 14:53:40.388143818 -0400 -+++ conf/web.xml 2016-08-23 14:53:40.393143812 -0400 -@@ -325,6 +325,15 @@ - - - -+ -+ -+ -+ -+ -+ -+ -+ -+ - - - -@@ -348,7 +357,7 @@ - cgiPathPrefix - WEB-INF/cgi - -- 5 -+ 5 - - --> - ---- java/org/apache/catalina/servlets/CGIServlet.java.orig 2016-08-23 14:53:40.388143818 -0400 -+++ java/org/apache/catalina/servlets/CGIServlet.java 2016-08-23 14:55:47.393989981 -0400 -@@ -36,6 +36,7 @@ - import java.util.Locale; - import java.util.StringTokenizer; - import java.util.Vector; -+import java.util.regex.Pattern; - - import javax.servlet.RequestDispatcher; - import javax.servlet.ServletConfig; -@@ -268,6 +269,16 @@ - */ - private long stderrTimeout = 2000; - -+ /** -+ * The regular expression used to select HTTP headers to be passed to the -+ * CGI process as environment variables. The name of the environment -+ * variable will be the name of the HTTP header converter to upper case, -+ * prefixed with HTTP_ and with all - characters -+ * converted to _. 
-+ */ -+ private Pattern envHttpHeadersPattern = Pattern.compile( -+ "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT"); -+ - /** object used to ensure multiple threads don't try to expand same file */ - static Object expandFileLock = new Object(); - -@@ -331,6 +342,10 @@ - "stderrTimeout")); - } - -+ if (getServletConfig().getInitParameter("envHttpHeaders") != null) { -+ envHttpHeadersPattern = -+ Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders")); -+ } - } - - -@@ -1072,12 +1087,8 @@ - //REMIND: rewrite multiple headers as if received as single - //REMIND: change character set - //REMIND: I forgot what the previous REMIND means -- if ("AUTHORIZATION".equalsIgnoreCase(header) || -- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) { -- //NOOP per CGI specification section 11.2 -- } else { -- envp.put("HTTP_" + header.replace('-', '_'), -- req.getHeader(header)); -+ if (envHttpHeadersPattern.matcher(header).matches()) { -+ envp.put("HTTP_" + header.replace('-', '_'), req.getHeader(header)); - } - } - ---- webapps/docs/cgi-howto.xml.orig 2016-08-23 14:53:40.389143817 -0400 -+++ webapps/docs/cgi-howto.xml 2016-08-23 14:57:37.634856451 -0400 -@@ -86,6 +86,12 @@ -
  • executable-arg-1, executable-arg-2, - and so on - additional arguments for the executable. These precede the - CGI script name. By default there are no additional arguments.
  • -+
  • envHttpHeaders - A regular expression used to select the -+HTTP headers passed to the CGI process as environment variables. Note that -+headers are converted to upper case before matching and that the entire header -+name must match the pattern. Default is -+ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT -+
  • -
  • parameterEncoding - Name of the parameter encoding - to be used with the CGI servlet. Default is - System.getProperty("file.encoding","UTF-8").
  • ---- webapps/docs/changelog.xml.orig 2016-08-23 14:53:40.390143815 -0400 -+++ webapps/docs/changelog.xml 2016-08-23 14:57:09.959889972 -0400 -@@ -55,6 +55,19 @@ - They eventually become mixed with the numbered issues. (I.e., numbered - issues to not "pop up" wrt. others). - --> -+
    -+ -+ -+ -+ Add a new initialisation parameter, envHttpHeaders, to -+ the CGI Servlet to mitigate httpoxy -+ (CVE-2016-5388) by default and to provide a mechanism that can be -+ used to mitigate any future, similar issues. (markt) -+ -+ -+ -+
    -
    - - diff --git a/SOURCES/tomcat-7.0.69-CVE-2016-3092.patch b/SOURCES/tomcat-7.0.69-CVE-2016-3092.patch new file mode 100644 index 0000000..056bcde --- /dev/null +++ b/SOURCES/tomcat-7.0.69-CVE-2016-3092.patch @@ -0,0 +1,49 @@ +--- java/org/apache/tomcat/util/http/fileupload/MultipartStream.java.orig 2016-06-27 11:26:04.561937786 -0400 ++++ java/org/apache/tomcat/util/http/fileupload/MultipartStream.java 2016-06-27 11:24:26.556751185 -0400 +@@ -282,11 +282,10 @@ public class MultipartStream { + byte[] boundary, + int bufSize, + ProgressNotifier pNotifier) { +- this.input = input; +- this.bufSize = bufSize; +- this.buffer = new byte[bufSize]; +- this.notifier = pNotifier; + ++ if (boundary == null) { ++ throw new IllegalArgumentException("boundary may not be null"); ++ } + // We prepend CR/LF to the boundary to chop trailing CR/LF from + // body-data tokens. + this.boundaryLength = boundary.length + BOUNDARY_PREFIX.length; +@@ -294,6 +293,12 @@ public class MultipartStream { + throw new IllegalArgumentException( + "The buffer size specified for the MultipartStream is too small"); + } ++ ++ this.input = input; ++ this.bufSize = Math.max(bufSize, boundaryLength*2); ++ this.buffer = new byte[this.bufSize]; ++ this.notifier = pNotifier; ++ + this.boundary = new byte[this.boundaryLength]; + this.keepRegion = this.boundary.length; + +--- webapps/docs/changelog.xml.orig 2016-06-27 11:26:15.578958762 -0400 ++++ webapps/docs/changelog.xml 2016-06-27 11:25:26.024864412 -0400 +@@ -57,6 +57,16 @@ + They eventually become mixed with the numbered issues. (I.e., numbered + issues do not "pop up" wrt. others). + --> ++
    ++ ++ ++ ++ Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus ++ additional fixes). (markt) ++ ++ ++ ++
    +
    + + diff --git a/SOURCES/tomcat-7.0.69-CVE-2016-5388.patch b/SOURCES/tomcat-7.0.69-CVE-2016-5388.patch new file mode 100644 index 0000000..e7620cc --- /dev/null +++ b/SOURCES/tomcat-7.0.69-CVE-2016-5388.patch 
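Review bot: `this.bufSize = Math.max(bufSize, boundaryLength*2);` silently enlarges the buffer a caller asked for, while the constructor's Javadoc (outside this hunk) presumably still describes bufSize as the buffer size, and the unchanged `IllegalArgumentException("The buffer size specified for the MultipartStream is too small")` check in between now guards only the lower bound. Add to the bufSize parameter documentation a sentence such as `The value is a minimum; the buffer actually allocated is at least twice the boundary length.` so callers that budget memory per request are not surprised. The constructor's signature begins before this hunk and the class continues after it.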
@@ -0,0 +1,117 @@ +--- conf/web.xml.orig 2016-08-23 14:41:14.488986580 -0400 ++++ conf/web.xml 2016-08-23 14:41:14.497986572 -0400 +@@ -346,6 +346,15 @@ + + + ++ ++ ++ ++ ++ ++ ++ ++ ++ + + + +@@ -369,7 +378,7 @@ + cgiPathPrefix + WEB-INF/cgi + +- 5 ++ 5 + + --> + +--- java/org/apache/catalina/servlets/CGIServlet.java.orig 2016-08-23 14:41:14.489986579 -0400 ++++ java/org/apache/catalina/servlets/CGIServlet.java 2016-08-23 14:42:41.287905267 -0400 +@@ -36,6 +36,7 @@ + import java.util.Locale; + import java.util.StringTokenizer; + import java.util.Vector; ++import java.util.regex.Pattern; + + import javax.servlet.RequestDispatcher; + import javax.servlet.ServletConfig; +@@ -276,6 +277,16 @@ + */ + private long stderrTimeout = 2000; + ++ /** ++ * The regular expression used to select HTTP headers to be passed to the ++ * CGI process as environment variables. The name of the environment ++ * variable will be the name of the HTTP header converter to upper case, ++ * prefixed with HTTP_ and with all - characters ++ * converted to _. 
++ */ ++ private Pattern envHttpHeadersPattern = Pattern.compile( ++ "ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT"); ++ + /** object used to ensure multiple threads don't try to expand same file */ + static Object expandFileLock = new Object(); + +@@ -339,6 +350,10 @@ + "stderrTimeout")); + } + ++ if (getServletConfig().getInitParameter("envHttpHeaders") != null) { ++ envHttpHeadersPattern = ++ Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders")); ++ } + } + + +@@ -1106,12 +1121,8 @@ + //REMIND: rewrite multiple headers as if received as single + //REMIND: change character set + //REMIND: I forgot what the previous REMIND means +- if ("AUTHORIZATION".equalsIgnoreCase(header) || +- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) { +- //NOOP per CGI specification section 11.2 +- } else { +- envp.put("HTTP_" + header.replace('-', '_'), +- req.getHeader(header)); ++ if (envHttpHeadersPattern.matcher(header).matches()) { ++ envp.put("HTTP_" + header.replace('-', '_'), req.getHeader(header)); + } + } + +--- webapps/docs/cgi-howto.xml.orig 2016-08-23 14:41:14.490986578 -0400 ++++ webapps/docs/cgi-howto.xml 2016-08-23 14:41:14.494986575 -0400 +@@ -111,6 +111,12 @@ +
  • executable-arg-1, executable-arg-2, + and so on - additional arguments for the executable. These precede the + CGI script name. By default there are no additional arguments.
  • ++
  • envHttpHeaders - A regular expression used to select the ++HTTP headers passed to the CGI process as environment variables. Note that ++headers are converted to upper case before matching and that the entire header ++name must match the pattern. Default is ++ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT ++
  • +
  • parameterEncoding - Name of the parameter encoding + to be used with the CGI servlet. Default is + System.getProperty("file.encoding","UTF-8"). That is the system +--- webapps/docs/changelog.xml.orig 2016-08-23 14:41:14.491986578 -0400 ++++ webapps/docs/changelog.xml 2016-08-23 14:42:04.119940086 -0400 +@@ -57,6 +57,19 @@ + They eventually become mixed with the numbered issues. (I.e., numbered + issues do not "pop up" wrt. others). + --> ++
    ++ ++ ++ ++ Add a new initialisation parameter, envHttpHeaders, to ++ the CGI Servlet to mitigate httpoxy ++ (CVE-2016-5388) by default and to provide a mechanism that can be ++ used to mitigate any future, similar issues. (markt) ++ ++ ++ ++
    +
    + + diff --git a/SOURCES/tomcat-7.0.conf b/SOURCES/tomcat-7.0.conf index 03119b7..21e1506 100644 --- a/SOURCES/tomcat-7.0.conf +++ b/SOURCES/tomcat-7.0.conf @@ -1,6 +1,7 @@ # System-wide configuration file for tomcat services # This will be loaded by systemd as an environment file, -# so please keep the syntax. +# so please keep the syntax. For shell expansion support +# place your custom files as /etc/tomcat/conf.d/*.conf # # There are 2 "classes" of startup behavior in this package. # The old one, the default service named tomcat.service. diff --git a/SOURCES/tomcat-7.0.service b/SOURCES/tomcat-7.0.service index 103d464..2b20aa0 100644 --- a/SOURCES/tomcat-7.0.service +++ b/SOURCES/tomcat-7.0.service @@ -13,7 +13,6 @@ EnvironmentFile=/etc/tomcat/tomcat.conf Environment="NAME=" EnvironmentFile=-/etc/sysconfig/tomcat ExecStart=/usr/libexec/tomcat/server start -ExecStop=/usr/libexec/tomcat/server stop SuccessExitStatus=143 User=tomcat Group=tomcat diff --git a/SOURCES/tomcat-7.0.sysconfig b/SOURCES/tomcat-7.0.sysconfig index 4d2c297..fd2274a 100644 --- a/SOURCES/tomcat-7.0.sysconfig +++ b/SOURCES/tomcat-7.0.sysconfig @@ -50,4 +50,3 @@ # If you wish to further customize your tomcat environment, # put your own definitions here # (i.e. LD_LIBRARY_PATH for some jdbc drivers) - diff --git a/SOURCES/tomcat-functions b/SOURCES/tomcat-functions index 6f03951..5afc9fe 100644 --- a/SOURCES/tomcat-functions +++ b/SOURCES/tomcat-functions @@ -1,10 +1,10 @@ #!/bin/bash if [ -r /usr/share/java-utils/java-functions ]; then - . /usr/share/java-utils/java-functions + . /usr/share/java-utils/java-functions else - echo "Can't read Java functions library, aborting" - exit 1 + echo "Can't read Java functions library, aborting" + exit 1 fi _save_function() { 
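Review bot: In the CGIServlet init() change, `Pattern.compile(getServletConfig().getInitParameter("envHttpHeaders"))` lets a malformed operator-supplied regex escape init() as an unchecked PatternSyntaxException, which fails the servlet with a stack trace rather than a message naming the parameter. Failing closed is the right outcome here, but wrapping it as `throw new ServletException("Invalid envHttpHeaders pattern", e);` would make the misconfiguration obvious in the logs. The init() method begins and ends outside the hunk; if this distro patch is meant to track the upstream commit verbatim, note the divergence in the spec changelog instead.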
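Review bot: Removing `ExecStop=/usr/libexec/tomcat/server stop` from tomcat-7.0.service changes how the unit stops: with no ExecStop, systemd terminates the JVM with its default SIGTERM instead of running the scripted stop path, and the existing `SuccessExitStatus=143` is what keeps that from being reported as a failure. That is a visible behavioural change for operators, and the jsvc unit in this same commit keeps its ExecStop, so the two units now stop differently; the reason belongs in a comment in the unit, e.g. `# Stop is handled by systemd (SIGTERM, exit 143); the 'server stop' path is not used here.`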
@@ -15,28 +15,27 @@ _save_function() { run_jsvc(){ if [ -x /usr/bin/jsvc ]; then - TOMCAT_USER="tomcat" - JSVC="/usr/bin/jsvc" + TOMCAT_USER="${TOMCAT_USER:-tomcat}" + JSVC="/usr/bin/jsvc" - JSVC_OPTS="-nodetach -pidfile /var/run/jsvc-tomcat${NAME}.pid -user ${TOMCAT_USER} -outfile ${CATALINA_BASE}/logs/catalina.out -errfile ${CATALINA_BASE}/logs/catalina.out" - if [ "$1" = "stop" ]; then - JSVC_OPTS="${JSVC_OPTS} -stop" - fi + JSVC_OPTS="-nodetach -pidfile /var/run/jsvc-tomcat${NAME}.pid -user ${TOMCAT_USER} -outfile ${CATALINA_BASE}/logs/catalina.out -errfile ${CATALINA_BASE}/logs/catalina.out" + if [ "$1" = "stop" ]; then + JSVC_OPTS="${JSVC_OPTS} -stop" + fi exec "${JSVC}" ${JSVC_OPTS} ${FLAGS} -classpath "${CLASSPATH}" ${OPTIONS} "${MAIN_CLASS}" "${@}" else echo "Can't find /usr/bin/jsvc executable" fi - } _save_function run run_java run() { - if [ "${USE_JSVC}" = "true" ] ; then - run_jsvc $@ - else - run_java $@ - fi + if [ "${USE_JSVC}" = "true" ] ; then + run_jsvc $@ + else + run_java $@ + fi } diff --git a/SOURCES/tomcat-preamble b/SOURCES/tomcat-preamble index 0079a8c..1271dca 100644 --- a/SOURCES/tomcat-preamble +++ b/SOURCES/tomcat-preamble @@ -11,6 +11,14 @@ if [ -z "${TOMCAT_CFG_LOADED}" ]; then . $TOMCAT_CFG fi +if [ -d "${TOMCAT_CONFD=/etc/tomcat/conf.d}" ]; then + for file in ${TOMCAT_CONFD}/*.conf ; do + if [ -f "$file" ] ; then + . "$file" + fi + done +fi + if [ -z "$CATALINA_BASE" ]; then if [ -n "$NAME" ]; then if [ -z "$TOMCATS_BASE" ]; then diff --git a/SOURCES/tomcat-server b/SOURCES/tomcat-server index bd55999..17ae385 100644 --- a/SOURCES/tomcat-server +++ b/SOURCES/tomcat-server @@ -4,7 +4,7 @@ MAIN_CLASS=org.apache.catalina.startup.Bootstrap -FLAGS="$JAVA_OPTS $CATALINA_OPTS" +FLAGS="$JAVA_OPTS" OPTIONS="-Dcatalina.base=$CATALINA_BASE \ -Dcatalina.home=$CATALINA_HOME \ -Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS \ 
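Review bot: The reindented `run()` still forwards its arguments unquoted as `run_jsvc $@` and `run_java $@`, so any argument containing whitespace is re-split before it reaches the `exec` line in `run_jsvc`, which itself takes care to pass `"${@}"`; change both calls to `run_jsvc "$@"` and `run_java "$@"`. The same unquoted expansion appears in `-user ${TOMCAT_USER}` inside JSVC_OPTS now that the value may come from the environment rather than the former literal, though a username with whitespace is unlikely in practice. Since `TOMCAT_USER` now selects the account handed to jsvc's `-user` option, a comment above the default stating which configuration files are expected to set it, e.g. `# TOMCAT_USER is taken from the tomcat configuration files; defaults to the packaged tomcat account`, would make that trust boundary visible.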
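Review bot: In the new conf.d loop, `for file in ${TOMCAT_CONFD}/*.conf` expands the directory unquoted, so a TOMCAT_CONFD value containing whitespace is word-split before globbing; write it as `for file in "${TOMCAT_CONFD}"/*.conf ; do`. Each matching file is executed with `.` in the launcher's own shell, so the directory and its contents must stay writable only by root — the %files entry added later in this commit packages the directory as 0755 root:tomcat, which fits, but the loop itself gives no hint of that requirement. Add `# *.conf files here are sourced as shell code by the launcher; keep the directory root-owned and not group-writable` above the `if [ -d ... ]` line so the expectation survives the next edit.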
@@ -13,6 +13,7 @@ OPTIONS="-Dcatalina.base=$CATALINA_BASE \ -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager" if [ "$1" = "start" ] ; then + FLAGS="${FLAGS} $CATALINA_OPTS" if [ "${SECURITY_MANAGER}" = "true" ] ; then OPTIONS="${OPTIONS} \ -Djava.security.manager \ diff --git a/SPECS/tomcat.spec b/SPECS/tomcat.spec index d8816a4..dcc30ae 100644 --- a/SPECS/tomcat.spec +++ b/SPECS/tomcat.spec @@ -31,7 +31,7 @@ %global jspspec 2.2 %global major_version 7 %global minor_version 0 -%global micro_version 54 +%global micro_version 69 %global packdname apache-tomcat-%{version}-src %global servletspec 3.0 %global elspec 2.2 @@ -54,7 +54,7 @@ Name: tomcat Epoch: 0 Version: %{major_version}.%{minor_version}.%{micro_version} -Release: 8%{?dist} +Release: 10%{?dist} Summary: Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API Group: System Environment/Daemons @@ -81,15 +81,15 @@ Source21: tomcat-functions Source22: tomcat-preamble Source23: tomcat-server Source24: tomcat-named.service - +Source25: tomcat-juli-adapters.jar +Source26: tomcat-juli.jar Patch0: %{name}-%{major_version}.%{minor_version}-bootstrap-MANIFEST.MF.patch Patch1: %{name}-%{major_version}.%{minor_version}-tomcat-users-webapp.patch -Patch2: tomcat-7.0.54-rebase.patch -Patch3: %{name}-7.0.54-CVE-2014-0227.patch -Patch4: %{name}-7.0.54-CVE-2014-7810.patch -Patch5: %{name}-7.0.54-CVE-2015-5346.patch -Patch6: %{name}-7.0.54-CVE-2016-5388.patch +Patch2: %{name}-7.0.54-rebase.patch +Patch3: %{name}-7.0-catalina-policy.patch +Patch4: %{name}-7.0.69-CVE-2016-3092.patch +Patch5: %{name}-7.0.69-CVE-2016-5388.patch BuildArch: noarch @@ -240,7 +240,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name " %patch3 -p0 %patch4 -p0 %patch5 -p0 -%patch6 -p0 %{__ln_s} $(build-classpath jakarta-taglibs-core) webapps/examples/WEB-INF/lib/jstl.jar %{__ln_s} $(build-classpath jakarta-taglibs-standard) webapps/examples/WEB-INF/lib/standard.jar 
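Review bot: Moving `$CATALINA_OPTS` out of the top-level `FLAGS` assignment (previous tomcat-server hunk) and re-adding it only under `if [ "$1" = "start" ]` is a deliberate behaviour change — the changelog ties it to rhbz#1229476 — but nothing in the script says so, and a later edit could easily fold it back into FLAGS. Add `# CATALINA_OPTS apply to the running server only; the stop command gets JAVA_OPTS alone (rhbz#1229476)` above the new `FLAGS="${FLAGS} $CATALINA_OPTS"` line. The `if` block continues past the end of the hunk.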
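Review bot: `Source25` and `Source26` bring two prebuilt jars into the build rather than artifacts produced from the source tarball, and the spec records nothing about where they were obtained or which Tomcat release they match; the changelog entry for rhbz#1133070 gives the reason for shipping them but not their provenance. Add a comment above the two lines, e.g. `# Prebuilt JULI "extras" jars, downloaded from <upstream URL> for Tomcat <version>` with the real values filled in, so the binaries copied into extras/ in the later %install hunk can be re-verified against upstream at the next rebase. The rebase patch keeps the `7.0.54` name in `Patch2` although the base is now 7.0.69; a rename or a comment would avoid the mismatch being read as a stale patch.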
@@ -329,6 +328,8 @@ zip -u output/build/bin/tomcat-juli.jar META-INF/MANIFEST.MF %{__install} -d -m 0755 ${RPM_BUILD_ROOT}%{bindir} %{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{confdir} %{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{confdir}/Catalina/localhost +%{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{confdir}/conf.d +/bin/echo "Place your custom *.conf files here. Shell expansion is supported." > ${RPM_BUILD_ROOT}%{confdir}/conf.d/README %{__install} -d -m 0755 ${RPM_BUILD_ROOT}%{libdir} %{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{logdir} /bin/touch ${RPM_BUILD_ROOT}%{logdir}/catalina.out @@ -419,6 +420,13 @@ pushd ${RPM_BUILD_ROOT}%{libdir} # Temporary copy the juli jar here from /usr/share/java/tomcat (for maven depmap) %{__cp} -a ${RPM_BUILD_ROOT}%{bindir}/tomcat-juli.jar ./ + + # Add extras JULI jars + %{__mkdir} extras + pushd extras + %{__cp} -p %{SOURCE25} . + %{__cp} -p %{SOURCE26} . + popd popd # symlink to the FHS locations where we've installed things @@ -502,7 +510,7 @@ done # add the tomcat user and group %{_sbindir}/groupadd -g %{tcuid} -r tomcat 2>/dev/null || : %{_sbindir}/useradd -c "Apache Tomcat" -u %{tcuid} -g tomcat \ - -s /bin/nologin -r -d %{homedir} tomcat 2>/dev/null || : + -s /sbin/nologin -r -d %{homedir} tomcat 2>/dev/null || : %post # install but don't activate @@ -574,7 +582,7 @@ fi %attr(0770,tomcat,root) %dir %{logdir} %defattr(0664,root,tomcat,0770) -%attr(0660,tomcat,tomcat) %{logdir}/catalina.out +%attr(0660,tomcat,tomcat) %verify(not size md5 mtime) %{logdir}/catalina.out %attr(0770,root,tomcat) %dir %{cachedir} %attr(0770,root,tomcat) %dir %{tempdir} %attr(0770,root,tomcat) %dir %{workdir} 
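Review bot: The build-root directory is created with `%{__install} -d -m 0775 ${RPM_BUILD_ROOT}%{confdir}/conf.d` while the %files entry added in the next hunk packages it as `%attr(0755,root,tomcat) %dir %{confdir}/conf.d`; the %attr governs the installed package, but the two modes should agree, and 0755 is the right one because the launcher sources every `*.conf` in this directory as shell code, so change the install line to `-m 0755`. The README written on the following line tells administrators only that shell expansion is supported; stating that the files are executed by the start scripts would prevent the obvious misunderstanding, e.g. `"Custom *.conf files placed here are sourced as shell scripts by the tomcat start scripts; keep them owned by root."`. The README itself is listed in %files without its own %attr, so it takes the section's %defattr — worth confirming that is the intended mode.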
@@ -583,6 +591,8 @@ fi %attr(0775,root,tomcat) %dir %{appdir} %attr(0775,root,tomcat) %dir %{confdir}/Catalina %attr(0775,root,tomcat) %dir %{confdir}/Catalina/localhost +%attr(0755,root,tomcat) %dir %{confdir}/conf.d +%{confdir}/conf.d/README %config(noreplace) %{confdir}/%{name}.conf %config(noreplace) %{confdir}/*.policy %config(noreplace) %{confdir}/*.properties @@ -604,6 +614,8 @@ fi %defattr(0664,root,tomcat,0755) %{appdir}/host-manager %{appdir}/manager +%config(noreplace) %{appdir}/manager/WEB-INF/web.xml +%config(noreplace) %{appdir}/host-manager/WEB-INF/web.xml %files docs-webapp %defattr(-,root,root,-) 
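Review bot: `%{appdir}/manager` and `%{appdir}/host-manager` are already listed as whole directories a few lines above the new `%config(noreplace)` entries for their `WEB-INF/web.xml`, so rpmbuild will likely warn that each file is listed twice; the later entry's flags should win, but it is worth checking with `rpm -qc` on the built package that both web.xml files are reported as config files. Because noreplace keeps a locally edited web.xml on upgrade and drops the packaged copy as .rpmnew, any change a future update makes to the manager applications' web.xml (security constraints, roles) will not reach a modified file automatically; add `# locally modified copies are kept on upgrade; review .rpmnew files after updates` next to these entries so the next maintainer is not surprised.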
@@ -667,21 +679,50 @@ fi %attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service %changelog -* Thu Aug 25 2016 Coty Sutherland - 0:7.0.54-8 -- Resolves: rhbz#1368121 - -* Tue Aug 23 2016 Coty Sutherland - 0:7.0.54-7 -- Resolves: rhbz#1362212 Tomcat: CGI sets environmental variable based on user supplied Proxy request header -- Resolves: rhbz#1368121 - -* Wed Aug 03 2016 Coty Sutherland - 0:7.0.54-5 -- Resolves: rhbz#1362567 - -* Wed Jul 06 2016 Coty Sutherland 0:7.0.54-4 -- Resolves: CVE-2015-5346 - -* Thu Jun 02 2016 Coty Sutherland 0:7.0.54-3 -- Resolves: CVE-2014-7810 +* Thu Aug 25 2016 Coty Sutherland - 0:7.0.69-10 +- Related: rhbz#1368122 + +* Tue Aug 23 2016 Coty Sutherland - 0:7.0.69-9 +- Resolves: rhbz#1362213 Tomcat: CGI sets environmental variable based on user supplied Proxy request header +- Resolves: rhbz#1368122 + +* Wed Aug 03 2016 Coty Sutherland - 0:7.0.69-7 +- Resolves: rhbz#1362545 + +* Fri Jul 08 2016 Coty Sutherland - 0:7.0.69-6 +- Related: rhbz#1201409 Added /etc/sysconfig/tomcat to the systemd unit for tomcat-jsvc.service + +* Fri Jul 01 2016 Coty Sutherland - 0:7.0.69-5 +- Resolves: rhbz#1347860 The systemd service unit does not allow tomcat to shut down gracefully + +* Mon Jun 27 2016 Coty Sutherland - 0:7.0.69-4 +- Resolves: rhbz#1350438 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service + +* Fri Jun 17 2016 Coty Sutherland - 0:7.0.69-3 +- Resolves: rhbz#1347774 The security manager doesn't work correctly (JSPs cannot be compiled) + +* Tue Jun 07 2016 Coty Sutherland - 0:7.0.69-2 +- Rebase Resolves: rhbz#1311622 Getting NoSuchElementException while handling attributes with empty string value in tomcat +- Rebase Resolves: rhbz#1320853 Add HSTS support +- Rebase Resolves: rhbz#1293292 CVE-2014-7810 tomcat: Tomcat/JBossWeb: security manager bypass via EL expressions +- Rebase Resolves: rhbz#1347144 CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet +- Rebase Resolves: rhbz#1347139 
CVE-2015-5346 tomcat: Session fixation +- Rebase Resolves: rhbz#1347136 CVE-2015-5345 tomcat: directory disclosure +- Rebase Resolves: rhbz#1347129 CVE-2015-5174 tomcat: URL Normalization issue +- Rebase Resolves: rhbz#1347146 CVE-2016-0763 tomcat: security manager bypass via setGlobalContext() +- Rebase Resolves: rhbz#1347142 CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms +- Rebase Resolves: rhbz#1347133 CVE-2015-5351 tomcat: CSRF token leak + +* Mon Jun 06 2016 Coty Sutherland - 0:7.0.69-1 +- Resolves: rhbz#1287928 Rebase to tomcat 7.0.69 +- Resolves: rhbz#1327326 rpm -V tomcat fails on /var/log/tomcat/catalina.out +- Resolves: rhbz#1277197 tomcat user has non-existing default shell set +- Resolves: rhbz#1240279 The command tomcat-digest doesn't work with RHEL 7 +- Resolves: rhbz#1229476 Tomcat startup ONLY options +- Resolves: rhbz#1133070 Need to include full implementation of tomcat-juli.jar and tomcat-juli-adapters.jar +- Resolves: rhbz#1201409 Fix the broken tomcat-jsvc service unit +- Resolves: rhbz#1221896 tomcat.service loads /etc/sysconfig/tomcat without shell expansion +- Resolves: rhbz#1208402 Mark web.xml in tomcat-admin-webapps as config file * Tue Mar 24 2015 David Knox - 0:7.0.54-2 - Resolves: CVE-2014-0227