- up to 7.0.70; add patch that fixes CVE-2016-5388

author Arkadiusz Miśkiewicz <arekm@maven.pl>

Tue, 19 Jul 2016 13:56:42 +0000 (15:56 +0200)

committer Arkadiusz Miśkiewicz <arekm@maven.pl>

Tue, 19 Jul 2016 13:56:42 +0000 (15:56 +0200)
author Arkadiusz Miśkiewicz <arekm@maven.pl>
Tue, 19 Jul 2016 13:56:42 +0000 (15:56 +0200)
committer Arkadiusz Miśkiewicz <arekm@maven.pl>
Tue, 19 Jul 2016 13:56:42 +0000 (15:56 +0200)
diff --git a/tomcat-CVE-2016-5388.patch b/tomcat-CVE-2016-5388.patch

new file mode 100644 (file)

index 0000000..d856006
--- /dev/null
+++ b/tomcat-CVE-2016-5388.patch
@@ -0,0 +1,12 @@
+--- apache-tomcat-7.0.70-src/java/org/apache/catalina/servlets/CGIServlet.java.orig    2016-06-15 18:45:50.000000000 +0200
++++ apache-tomcat-7.0.70-src/java/org/apache/catalina/servlets/CGIServlet.java 2016-07-19 15:35:56.656316104 +0200
+@@ -1107,7 +1107,8 @@ public final class CGIServlet extends Ht
+                 //REMIND: change character set
+                 //REMIND: I forgot what the previous REMIND means
+                 if ("AUTHORIZATION".equalsIgnoreCase(header) ||
+-                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
++                    "PROXY_AUTHORIZATION".equalsIgnoreCase(header) ||
++                    "PROXY".equalsIgnoreCase(header)) {
+                     //NOOP per CGI specification section 11.2
+                 } else {
+                     envp.put("HTTP_" + header.replace('-', '_'),
diff --git a/tomcat-build.patch b/tomcat-build.patch

new file mode 100644 (file)

index 0000000..403779e
--- /dev/null
+++ b/tomcat-build.patch
@@ -0,0 +1,33 @@
+--- apache-tomcat-7.0.70-src/build.xml~        2016-07-19 15:43:44.000000000 +0200
++++ apache-tomcat-7.0.70-src/build.xml 2016-07-19 15:48:19.615551746 +0200
+@@ -1836,7 +1836,7 @@ Apache Tomcat ${version} native binaries
+       encoding="ISO-8859-1"
+       docencoding="ISO-8859-1"
+       charset="ISO-8859-1"
+-      additionalparam="-breakiterator -notimestamp"
++      additionalparam="-Xdoclint:none -breakiterator -notimestamp"
+       maxmemory="512m"
+       failonerror="true"
+       executable="${java.7.home}/bin/javadoc">
+--- apache-tomcat-7.0.70-src/build.xml~        2016-07-19 15:48:55.000000000 +0200
++++ apache-tomcat-7.0.70-src/build.xml 2016-07-19 15:52:07.842156930 +0200
+@@ -1857,7 +1857,7 @@ Apache Tomcat ${version} native binaries
+       encoding="ISO-8859-1"
+       docencoding="ISO-8859-1"
+       charset="ISO-8859-1"
+-      additionalparam="-breakiterator -notimestamp"
++      additionalparam="-Xdoclint:none -breakiterator -notimestamp"
+       maxmemory="512m"
+       failonerror="true"
+       executable="${java.7.home}/bin/javadoc">
+--- apache-tomcat-7.0.70-src/build.xml~        2016-07-19 15:52:27.000000000 +0200
++++ apache-tomcat-7.0.70-src/build.xml 2016-07-19 15:53:28.337957151 +0200
+@@ -1919,7 +1919,7 @@ Apache Tomcat ${version} native binaries
+       encoding="ISO-8859-1"
+       docencoding="ISO-8859-1"
+       charset="ISO-8859-1"
+-      additionalparam="-breakiterator -notimestamp"
++      additionalparam="-Xdoclint:none -breakiterator -notimestamp"
+       maxmemory="512m"
+       failonerror="true"
+       executable="${java.7.home}/bin/javadoc">
diff --git a/tomcat.spec b/tomcat.spec

index fd824c601788cd4fff01f552517f7b2f0d1863b1..40284e772c61b7210acf26dc81006cf9e64fdac4 100644 (file)
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -15,12 +15,12 @@
  Summary:       Web server and Servlet/JSP Engine, RI for Servlet %{servletapiver}/JSP %{jspapiver} API
  Summary(pl.UTF-8):     Serwer www i silnik Servlet/JSP będący wzorcową implementacją API Servlet %{servletapiver}/JSP %{jspapiver}
  Name:          tomcat
-Version:       7.0.69
+Version:       7.0.70
  Release:       1
  License:       Apache v2.0
  Group:         Networking/Daemons/Java
  Source0:       http://www.apache.org/dist/tomcat/tomcat-7/v%{version}/src/apache-%{name}-%{version}-src.tar.gz
-# Source0-md5: c055311b06f3f314b7cf7932ab31bd4a
+# Source0-md5: 0f56c888df5002cce25fce91634a65c9
  Source1:       apache-%{name}.init
  Source2:       apache-%{name}.sysconfig
  Source3:       %{name}-build.properties
@@ -40,6 +40,8 @@ Patch3:               %{name}-catalina.policy-javadir.patch
  Patch4:                %{name}-userdir.patch
  Patch5:                logging.patch
  Patch6:                jcl.patch
+Patch7:                %{name}-build.patch
+Patch8:                tomcat-CVE-2016-5388.patch
  Patch100:      jcl-build.xml.patch
  URL:           http://tomcat.apache.org/
  BuildRequires: ant >= 1.5.3
@@ -269,6 +271,8 @@ javax.servlet.http, javax.servlet.jsp i java.servlet.jsp.tagext).
  %patch4 -p1
  %patch5 -p1
  %patch6 -p1
+%patch7 -p1
+%patch8 -p1
  
  # Prepare java-commmons-logging sources
  install -d output/extras/logging
author	Arkadiusz Miśkiewicz <arekm@maven.pl>
	Tue, 19 Jul 2016 13:56:42 +0000 (15:56 +0200)
committer	Arkadiusz Miśkiewicz <arekm@maven.pl>
	Tue, 19 Jul 2016 13:56:42 +0000 (15:56 +0200)
tomcat-CVE-2016-5388.patch	[new file with mode: 0644]	patch \| blob
tomcat-build.patch	[new file with mode: 0644]	patch \| blob
tomcat.spec		patch \| blob \| blame \| history