[packages/tomcat] - up to 7.0.70; add patch that fixes CVE-2016-5388
arekm
arekm at pld-linux.org
Tue Jul 19 15:56:47 CEST 2016
commit 0d6b705c2004236057cbf0ca7ce6ae4aef8533a0
Author: Arkadiusz Miśkiewicz <arekm at maven.pl>
Date: Tue Jul 19 15:56:42 2016 +0200
- up to 7.0.70; add patch that fixes CVE-2016-5388
tomcat-CVE-2016-5388.patch | 12 ++++++++++++
tomcat-build.patch | 33 +++++++++++++++++++++++++++++++++
tomcat.spec | 8 ++++++--
3 files changed, 51 insertions(+), 2 deletions(-)
---
diff --git a/tomcat.spec b/tomcat.spec
index fd824c6..40284e7 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -15,12 +15,12 @@
Summary: Web server and Servlet/JSP Engine, RI for Servlet %{servletapiver}/JSP %{jspapiver} API
Summary(pl.UTF-8): Serwer www i silnik Servlet/JSP będący wzorcową implementacją API Servlet %{servletapiver}/JSP %{jspapiver}
Name: tomcat
-Version: 7.0.69
+Version: 7.0.70
Release: 1
License: Apache v2.0
Group: Networking/Daemons/Java
Source0: http://www.apache.org/dist/tomcat/tomcat-7/v%{version}/src/apache-%{name}-%{version}-src.tar.gz
-# Source0-md5: c055311b06f3f314b7cf7932ab31bd4a
+# Source0-md5: 0f56c888df5002cce25fce91634a65c9
Source1: apache-%{name}.init
Source2: apache-%{name}.sysconfig
Source3: %{name}-build.properties
@@ -40,6 +40,8 @@ Patch3: %{name}-catalina.policy-javadir.patch
Patch4: %{name}-userdir.patch
Patch5: logging.patch
Patch6: jcl.patch
+Patch7: %{name}-build.patch
+Patch8: tomcat-CVE-2016-5388.patch
Patch100: jcl-build.xml.patch
URL: http://tomcat.apache.org/
BuildRequires: ant >= 1.5.3
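Review bot: `Patch8` hard-codes the `tomcat-` prefix where `Patch3`, `Patch4` and the new `Patch7` use `%{name}-`; `Patch8: %{name}-CVE-2016-5388.patch` would match them. Nothing in the spec marks it as a local security fix either. A short comment above it would help whoever does the next version bump, e.g. `# CVE-2016-5388: do not pass the Proxy request header to CGI scripts; drop once the upstream release includes a fix`.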
@@ -269,6 +271,8 @@ javax.servlet.http, javax.servlet.jsp i java.servlet.jsp.tagext).
%patch4 -p1
%patch5 -p1
%patch6 -p1
+%patch7 -p1
+%patch8 -p1
# Prepare java-commmons-logging sources
install -d output/extras/logging
diff --git a/tomcat-CVE-2016-5388.patch b/tomcat-CVE-2016-5388.patch
new file mode 100644
index 0000000..d856006
--- /dev/null
+++ b/tomcat-CVE-2016-5388.patch
@@ -0,0 +1,12 @@
+--- apache-tomcat-7.0.70-src/java/org/apache/catalina/servlets/CGIServlet.java.orig 2016-06-15 18:45:50.000000000 +0200
++++ apache-tomcat-7.0.70-src/java/org/apache/catalina/servlets/CGIServlet.java 2016-07-19 15:35:56.656316104 +0200
+@@ -1107,7 +1107,8 @@ public final class CGIServlet extends Ht
+ //REMIND: change character set
+ //REMIND: I forgot what the previous REMIND means
+ if ("AUTHORIZATION".equalsIgnoreCase(header) ||
+- "PROXY_AUTHORIZATION".equalsIgnoreCase(header)) {
++ "PROXY_AUTHORIZATION".equalsIgnoreCase(header) ||
++ "PROXY".equalsIgnoreCase(header)) {
+ //NOOP per CGI specification section 11.2
+ } else {
+ envp.put("HTTP_" + header.replace('-', '_'),
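Review bot: The `//NOOP per CGI specification section 11.2` comment now also sits over the new `"PROXY"` branch, but that header is skipped for a different reason. It should say so, e.g. `// "Proxy" is skipped so a request cannot set HTTP_PROXY for the CGI process (CVE-2016-5388)`. The names are compared before `header.replace('-', '_')` is applied in the `else` branch, which is fine for `Proxy` because it has no hyphen. It does suggest the neighbouring `"PROXY_AUTHORIZATION"` test may never match a real `Proxy-Authorization` header, so that is worth confirming against the line that assigns `header`, which is outside this hunk. The enclosing method starts and ends outside the hunk.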
diff --git a/tomcat-build.patch b/tomcat-build.patch
new file mode 100644
index 0000000..403779e
--- /dev/null
+++ b/tomcat-build.patch
@@ -0,0 +1,33 @@
+--- apache-tomcat-7.0.70-src/build.xml~ 2016-07-19 15:43:44.000000000 +0200
++++ apache-tomcat-7.0.70-src/build.xml 2016-07-19 15:48:19.615551746 +0200
+@@ -1836,7 +1836,7 @@ Apache Tomcat ${version} native binaries
+ encoding="ISO-8859-1"
+ docencoding="ISO-8859-1"
+ charset="ISO-8859-1"
+- additionalparam="-breakiterator -notimestamp"
++ additionalparam="-Xdoclint:none -breakiterator -notimestamp"
+ maxmemory="512m"
+ failonerror="true"
+ executable="${java.7.home}/bin/javadoc">
+--- apache-tomcat-7.0.70-src/build.xml~ 2016-07-19 15:48:55.000000000 +0200
++++ apache-tomcat-7.0.70-src/build.xml 2016-07-19 15:52:07.842156930 +0200
+@@ -1857,7 +1857,7 @@ Apache Tomcat ${version} native binaries
+ encoding="ISO-8859-1"
+ docencoding="ISO-8859-1"
+ charset="ISO-8859-1"
+- additionalparam="-breakiterator -notimestamp"
++ additionalparam="-Xdoclint:none -breakiterator -notimestamp"
+ maxmemory="512m"
+ failonerror="true"
+ executable="${java.7.home}/bin/javadoc">
+--- apache-tomcat-7.0.70-src/build.xml~ 2016-07-19 15:52:27.000000000 +0200
++++ apache-tomcat-7.0.70-src/build.xml 2016-07-19 15:53:28.337957151 +0200
+@@ -1919,7 +1919,7 @@ Apache Tomcat ${version} native binaries
+ encoding="ISO-8859-1"
+ docencoding="ISO-8859-1"
+ charset="ISO-8859-1"
+- additionalparam="-breakiterator -notimestamp"
++ additionalparam="-Xdoclint:none -breakiterator -notimestamp"
+ maxmemory="512m"
+ failonerror="true"
+ executable="${java.7.home}/bin/javadoc">
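Review bot: `-Xdoclint:none` is added to three `<javadoc>` tasks that still run `${java.7.home}/bin/javadoc` with `failonerror="true"`. The doclint option is understood by javadoc from JDK 8 onwards, so the patch appears to assume `java.7.home` points at a newer JDK, and a build against a real JDK 7 would likely stop on an unrecognised option. Neither the patch nor the spec explains this; a comment next to `Patch7` would do, e.g. `# javadoc from JDK 8+ fails on doclint errors; remove if building with JDK 7`. The hunks at 1836, 1857 and 1919 are identical and share this point.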
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/tomcat.git/commitdiff/0d6b705c2004236057cbf0ca7ce6ae4aef8533a0