Hello community,

here is the log from the commit of package tomcat for openSUSE:Factory checked in at 2025-05-02 14:58:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat (Old)
 and      /work/SRC/openSUSE:Factory/.tomcat.new.30101 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat" Fri May 2 14:58:26 2025 rev:116 rq:1273836 version:9.0.104 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes 2025-03-19 22:34:57.145229382 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat.new.30101/tomcat.changes 2025-05-02 14:58:38.475944898 +0200 
@@ -1,0 +2,94 @@ +Wed Apr 30 10:48:23 UTC 2025 - Michele Bussolotto <michele.bussolo...@suse.com> + +- Update to Tomcat 9.0.104 + * Fixed CVEs: + + CVE-2025-31650: invalid priority field values should be ignored + (bsc#1242008) + + CVE-2025-31651: Better handling of URLs with literal ';' and '?' + (bsc#1242009) + * Catalina + + Fix: Fix use of SSS in SimpleDateFormat pattern for AccessLogValve. + (rjung) + + Fix: Process possible path parameters rewrite production in the rewrite + valve. (remm) + + Fix: 69643: Optimize directory listing for large amount of files. Patch + submitted by Loic de l'Eprevier. (remm) + + Fix: Return 400 if the amount of content sent for a partial PUT is + inconsistent with the range that was specified. (remm) + + Add: Add a new RateLimiter implementation, + org.apache.catalina.util.ExactRateLimiter, that can be used with + org.apache.catalina.filters.RateLimitFilter to provide rate limit based + on the exact values configured. Based on pull request #794 by Chenjp. + (markt) + + Fix: Fix parsing of the time-taken token in the ExtendedAccessLogValve. + (remm) + + Fix: Fix invocation of the FFM OpenSSL code for setting a SSL engine and + FIPS mode. (remm) + + Fix: 69600: Add IPv6 local addresses (RFC 4193 and RFC 4291) to the + default internal proxies for the RemoteIpFilter and RemoteIpValve. + (markt) + + Fix: 69615: Improve integration with the not found class resources cache + for users who are using a custom web application class loader and/or + using reflection to dynamically add external repositories to the web + application class loader. (markt) + + Add: Add a new initialisation parameter to the Default servlet - + allowPostAsGet - which controls whether a direct request (i.e. not a + forward or an include) for a static resource using the POST method will + be processed as if the GET method had been used. If not allowed, the + request will be rejected. 
The default behaviour of processing the request + as if the GET method had been used is unchanged. (markt) + + Fix: 69623: Correct a long standing regression that meant that calls to + ClassLoader.getResource().getContent() failed when made from within a web + application with resource caching enabled. (markt) + + Fix: 69634: Avoid NPE on JsonErrorReportValve. (remm) + + Fix: Add missing throwable stack trace to JsonErrorReportValve equivalent + to the one from ErrorReportValve. (remm) + + Fix: Improve the handling of %nn URL encoding in the RewriteValve and + document how %nn URL encoding may be used with rewrite rules. (markt) + + Fix: Fix a potential exception when calling + WebappClassLoaderBase.getResource(""). (markt) + * Coyote + + Fix: 69607: Allow failed initialization of MD5. Based on code submitted + by Shivam Verma. (remm) + + Fix: 69614: HTTP/2 priority frames with an invalid priority field value + should be ignored. (markt) + + Fix: Improve handling of unexpected errors during HTTP/2 processing. + (markt) + + Fix: Add missing code to process an OpenSSL profile, such as PROFILE= + SYSTEM, using FFM. (remm) + + Add: Simplify the process of using a custom SSLContext for an HTTPS + enabled connector. Based on pull request #805 by Hakky54. (markt) + * Jasper + + Code: Replace custom URL encoding provided by the JSP runtime library + with calls to java.net.URLEncoder.encode(). (markt) + + Add: Add compiler using the Java Compiler API, supporting exploded web + applications. The compilerClassName to use is + org.apache.jasper.compiler.JavaCompiler. (remm) + + Add: Add support for specifying Java 25 (with the value 25) as the + compiler source and/or compiler target for JSP compilation. If used with + an Eclipse JDT compiler version that does not support these values, a + warning will be logged and the default will be used. (markt) + * Cluster + + Fix: Fix resetting cross context sessions in the ReplicationValve. 
+ (remm) + * Web applications + + Add: Documentation. Add a link to the Log4j documentation that describes + how to use Log4j rather than JULI for Tomcat's internal logging. (markt) + + Add: Documentation. Document the runtime attributes available to web + applications via the Request or the ServletContext. Based on pull request + #832 by usmazat. (markt) + * Other + + Fix: Set sun.io.useCanonCaches in service.bat. Based on pull request + #841 by Paul Lodge. (remm) + + Fix: The minimum Java version to build a release is now Java 22, + mirroring Tomcat 10.1. This removes the need for using a java-ffm.home + property. (remm) + + Update: Revert JSign to 6.0 to avoid a file locking issue. (markt) + + Update: Update to NSIS 3.11. (markt) + + Update: Update to ByteBuddy 1.17.4. (markt) + + Update: Update to Checkstyle 10.21.4. (markt) + + Update: Update to SpotBugs to 4.9.3. (markt) + + Update: Improvements to French translations. (remm) + + Update: Improvements to Japanese translations provided by tak7iji. (markt) + +------------------------------------------------------------------- Old: ---- apache-tomcat-9.0.102-src.tar.gz apache-tomcat-9.0.102-src.tar.gz.asc New: ---- apache-tomcat-9.0.104-src.tar.gz apache-tomcat-9.0.104-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat.spec ++++++ --- /var/tmp/diff_new_pack.WO86qH/_old 2025-05-02 14:58:39.968008962 +0200 +++ /var/tmp/diff_new_pack.WO86qH/_new 2025-05-02 14:58:39.968008962 +0200 @@ -22,7 +22,7 @@ %define elspec 3.0 %define major_version 9 %define minor_version 0 -%define micro_version 102 +%define micro_version 104 %define packdname apache-tomcat-%{version}-src # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/ %global basedir /srv/%{name} 
@@ -308,7 +308,7 @@ -Dno.build.dbcp=true \ -Dversion="%{version}" \ -Dversion.build="%{micro_version}" \ - deploy dist-prepare dist-source javadoc package embed-jars + deploy javadoc package embed-jars # remove some jars that we'll replace with symlinks later rm output/build/bin/commons-daemon.jar \ ++++++ apache-tomcat-9.0.102-src.tar.gz -> apache-tomcat-9.0.104-src.tar.gz ++++++ /work/SRC/openSUSE:Factory/tomcat/apache-tomcat-9.0.102-src.tar.gz /work/SRC/openSUSE:Factory/.tomcat.new.30101/apache-tomcat-9.0.104-src.tar.gz differ: char 14, line 1 ++++++ tomcat-9.0-build-with-java-11.patch ++++++ --- /var/tmp/diff_new_pack.WO86qH/_old 2025-05-02 14:58:40.036011882 +0200 +++ /var/tmp/diff_new_pack.WO86qH/_new 2025-05-02 14:58:40.040012053 +0200 @@ -1,14 +1,14 @@ -Index: apache-tomcat-9.0.97-src/build.xml +Index: apache-tomcat-9.0.104-src/build.xml =================================================================== ---- apache-tomcat-9.0.97-src.orig/build.xml -+++ apache-tomcat-9.0.97-src/build.xml +--- apache-tomcat-9.0.104-src.orig/build.xml ++++ apache-tomcat-9.0.104-src/build.xml @@ -108,7 +108,7 @@ <!-- Keep in sync with webapps/docs/tomcat-docs.xsl --> <property name="compile.release" value="8"/> <property name="min.java.version" value="8"/> - <property name="build.java.version" value="17"/> + <property name="build.java.version" value="11"/> - <property name="release.java.version" value="17"/> + <property name="release.java.version" value="22"/> <!-- Check Java Build Version --> ++++++ tomcat-9.0-javadoc.patch ++++++ --- /var/tmp/diff_new_pack.WO86qH/_old 2025-05-02 14:58:40.064013084 +0200 +++ /var/tmp/diff_new_pack.WO86qH/_new 2025-05-02 14:58:40.068013255 +0200 
@@ -1,12 +1,12 @@ -Index: apache-tomcat-9.0.35-src/build.xml +Index: apache-tomcat-9.0.104-src/build.xml =================================================================== ---- apache-tomcat-9.0.35-src.orig/build.xml -+++ apache-tomcat-9.0.35-src/build.xml -@@ -2038,8 +2039,6 @@ Apache Tomcat ${version} native binaries +--- apache-tomcat-9.0.104-src.orig/build.xml ++++ apache-tomcat-9.0.104-src/build.xml +@@ -2436,8 +2436,6 @@ Apache Tomcat ${version} native binaries <link href="../elapi"/> <link href="../websocketapi"/> <link href="../jaspicapi"/> -- <link href="https://docs.oracle.com/javase/8/docs/api/"/> +- <link href="https://docs.oracle.com/en/java/javase/11/docs/api/"/> - <link href="https://javaee.github.io/javaee-spec/javadocs/"/> <packageset dir="${tomcat.dist}/src/java/"> <include name="org/**"/> ++++++ tomcat-9.0-sle.catalina.policy.patch ++++++ --- /var/tmp/diff_new_pack.WO86qH/_old 2025-05-02 14:58:40.104014801 +0200 +++ /var/tmp/diff_new_pack.WO86qH/_new 2025-05-02 14:58:40.112015145 +0200 @@ -1,7 +1,7 @@ -Index: apache-tomcat-9.0.82-src/conf/catalina.policy +Index: apache-tomcat-9.0.104-src/conf/catalina.policy =================================================================== ---- apache-tomcat-9.0.82-src.orig/conf/catalina.policy -+++ apache-tomcat-9.0.82-src/conf/catalina.policy +--- apache-tomcat-9.0.104-src.orig/conf/catalina.policy ++++ apache-tomcat-9.0.104-src/conf/catalina.policy @@ -171,6 +171,9 @@ grant { permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
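Review bot: The new tomcat.changes entry (the @@ -1,0 +2,94 @@ hunk) records only the upstream 9.0.104 changelog and says nothing about the packaging changes made in the same commit: tomcat-9.0-build-with-java-11.patch, tomcat-9.0-javadoc.patch and tomcat-9.0-sle.catalina.policy.patch are all refreshed against apache-tomcat-9.0.104-src. Add a "Rebased patches" item listing the three files so the entry matches what the diff actually touches.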
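Review bot: In the tomcat.spec hunk at @@ -308,7 +308,7 @@ the ant target list loses dist-prepare and dist-source with no comment in the spec and no line in tomcat.changes explaining why. The refreshed tomcat-9.0-build-with-java-11.patch shows release.java.version at 22 while the patch sets build.java.version to 11; if that mismatch is the reason the dist targets were dropped, say so in a comment above the ant call, and check that nothing later in the spec still expects output from those two targets.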