rpms/tomcat5/F-7 tomcat5-5.5-acceptlangheader.patch, NONE, 1.1 tomcat5-5.5-http11-build.patch, 1.3, 1.4 tomcat5-5.5-webdav.patch, NONE, 1.1 .cvsignore, 1.12, 1.13 sources, 1.10, 1.11 tomcat5.spec, 1.99, 1.100
Devrim GÜNDÜZ (devrim)
fedora-extras-commits at redhat.com
Fri Nov 16 16:43:05 UTC 2007
Author: devrim
Update of /cvs/extras/rpms/tomcat5/F-7
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv11029
Modified Files:
.cvsignore sources tomcat5.spec
Added Files:
tomcat5-5.5-acceptlangheader.patch
tomcat5-5.5-http11-build.patch tomcat5-5.5-webdav.patch
Log Message:
- Updated to 5.5.25, to fix the following issues:
* CVE-2007-1355
* CVE-2007-3386
* CVE-2007-3385
* CVE-2007-3382
* CVE-2007-2450, RH bugzilla #244808, #244810, #244812, #363081
* CVE-2007-2449, RH bugzilla #244810, #244812, #244804, #363081
- Applied patch(20) for RH bugzilla #333791, CVE-2007-5461
- Applied patch(21) for RH bugzilla #244803, #244812, #363081, CVE-2007-1358
tomcat5-5.5-acceptlangheader.patch:
--- NEW FILE tomcat5-5.5-acceptlangheader.patch ---
--- container/catalina/src/share/org/apache/catalina/connector/Request.java.old 2007-11-15 16:40:42.000000000 -0800
+++ container/catalina/src/share/org/apache/catalina/connector/Request.java 2007-11-15 16:46:19.000000000 -0800
@@ -2488,6 +2488,9 @@
String variant = null;
int dash = entry.indexOf('-');
if (dash < 0) {
+ if (!entry.matches(localeRegex)) {
+ continue;
+ }
language = entry;
country = "";
variant = "";
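Review bot: `localeRegex` is used by the added `entry.matches(localeRegex)` check but is not declared anywhere in this patch, so unless Request.java in 5.5.25 already defines it the patched file will not compile; the two checks added in the next hunk rely on the same name. `String.matches` also recompiles the pattern on every call, and this code runs once per Accept-Language entry, a header the client controls. A precompiled constant, for example `private static final Pattern LOCALE_PATTERN = Pattern.compile(localeRegex);` used as `LOCALE_PATTERN.matcher(entry).matches()`, avoids the repeated compilation. The enclosing method and loop start and end outside the hunk.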
@@ -2501,6 +2504,12 @@
country = cTemp;
} else {
variant = "";
+ }
+ if (!language.matches(localeRegex)) {
+ continue;
+ }
+ if (!country.matches(localeRegex)) {
+ continue;
}
}
if (!isAlpha(language) || !isAlpha(country) || !isAlpha(variant)) {
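Review bot: The added checks validate `language` and `country` against `localeRegex` but leave `variant` unchecked, while the unchanged `isAlpha(language) || !isAlpha(country) || !isAlpha(variant)` test immediately after covers all three. Either the regex checks are redundant with that test or `variant` is missing one, e.g. `if (!variant.matches(localeRegex)) { continue; }`; which of the two holds depends on what `localeRegex` accepts, and the hunk does not show that. A short comment above the new checks saying why they are needed in addition to `isAlpha` (the spec changelog ties this patch to CVE-2007-1358) would let the next packager decide whether the patch can be dropped on a rebase. The loop body continues outside the hunk.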
tomcat5-5.5-http11-build.patch:
Index: tomcat5-5.5-http11-build.patch
===================================================================
RCS file: tomcat5-5.5-http11-build.patch
diff -N tomcat5-5.5-http11-build.patch
--- /dev/null 1 Jan 1970 00:00:00 -0000
+++ tomcat5-5.5-http11-build.patch 16 Nov 2007 16:43:01 -0000 1.4
@@ -0,0 +1,23 @@
+--- connectors/http11/build.xml.orig 2007-02-26 10:27:04.000000000 -0500
++++ connectors/http11/build.xml 2007-02-26 10:28:11.000000000 -0500
+@@ -31,7 +31,7 @@
+
+ <!-- The locations of necessary jar files -->
+ <property name="tomcat-util.jar" value="${util.home}/build/lib/tomcat-util.jar"/>
+- <property name="tomcat-jni.jar" value="../jni/dist/tomcat-native-1.0.0.jar" />
++ <property name="tomcat-jni.jar" value="../../build/build/server/lib/tomcat-apr.jar" />
+ <property name="tomcat-coyote.jar" value="${coyote.home}/build/lib/tomcat-coyote.jar"/>
+ <property name="tomcat33-coyote.jar"
+ value="${coyote.home}/build/lib/tomcat33-coyote.jar"/>
+@@ -169,7 +169,10 @@
+ deprecation="${compile.deprecation}"
+ optimize="${compile.optimize}">
+ <exclude name="org\apache\coyote\http11\*Apr*" unless="jdk.1.4.present" />
+- <classpath refid="compile.classpath"/>
++ <classpath>
++ <path refid="compile.classpath"/>
++ <pathelement location="${build.home}/../../jakarta-tomcat-5/build/classes"/>
++ </classpath>
+ </javac>
+ <copy todir="${build.home}/classes" filtering="on">
+ <fileset dir="${source.home}" excludes="**/*.java"/>
tomcat5-5.5-webdav.patch:
--- NEW FILE tomcat5-5.5-webdav.patch ---
Index: container/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
===================================================================
--- container/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties (revision 586817)
+++ container/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties (working copy)
@@ -25,6 +25,7 @@
invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
directory.filename=Filename
directory.lastModified=Last Modified
directory.parent=Up To {0}
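Review bot: The new key is spelled `webdavservlet.enternalEntityIgnored`, which looks like a typo for "external". It works only because the `sm.getString(...)` call in the WebdavServlet.java hunk repeats the same spelling, so a later correction on one side alone would silently break the lookup. Renaming it to `webdavservlet.externalEntityIgnored` in both places in the same patch avoids that.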
Index: org/apache/catalina/servlets/WebdavServlet.java
===================================================================
--- container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (revision 586817)
+++ container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (working copy)
@@ -20,6 +20,7 @@
import java.io.IOException;
+import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import java.security.MessageDigest;
@@ -36,6 +37,7 @@
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServletRequest;
@@ -57,6 +59,7 @@
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
@@ -245,6 +248,8 @@
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver(
+ new WebdavResolver(this.getServletContext()));
} catch(ParserConfigurationException e) {
throw new ServletException
(sm.getString("webdavservlet.jaxpfailed"));
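Review bot: The resolver installed here only answers external entity lookups; as far as the visible configuration shows, a request body may still carry a DOCTYPE with internal entity declarations that the builder will process. WebDAV request bodies do not need a DTD, so where the JAXP implementation supports it, rejecting the declaration outright is the stronger setting: `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` placed before `newDocumentBuilder()`. The existing `catch(ParserConfigurationException e)` already covers a parser that does not know the feature, although it would then make the servlet fail to start, so a comment stating that choice is worth adding. The surrounding method starts and ends outside the hunk.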
@@ -2779,6 +2784,26 @@
}
+ // --------------------------------------------- WebdavResolver Inner Class
+ /**
+ * Work around for XML parsers that don't fully respect
+ * {@link DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+ * references are filtered out for security reasons. See CVE-2007-5461.
+ */
+ private class WebdavResolver implements EntityResolver {
+ private ServletContext context;
+
+ public WebdavResolver(ServletContext theContext) {
+ context = theContext;
+ }
+
+ public InputSource resolveEntity (String publicId, String systemId) {
+ context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+ publicId, systemId));
+ return new InputSource(
+ new StringReader("Ignored external entity"));
+ }
+ }
};
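Review bot: `resolveEntity` writes `publicId` and `systemId` to the context log exactly as they arrived in the request body, so a client decides what text lands in the log and how often; stripping CR/LF and other control characters and truncating both values before `context.log(...)` keeps the log entries trustworthy. The replacement `new StringReader("Ignored external entity")` is also handed to the parser as the entity's content, so that sentence can end up in the parsed document or, for an external DTD subset, be read as DTD text; an empty source, `return new InputSource(new StringReader(""));`, substitutes nothing. The `context` field can be `final`, and the Javadoc `{@link DocumentBuilderFactory#setExpandEntityReferences(false)}` should name the parameter type, `(boolean)`, for the link to resolve.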
Index: .cvsignore
===================================================================
RCS file: /cvs/extras/rpms/tomcat5/F-7/.cvsignore,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- .cvsignore 16 May 2007 10:57:12 -0000 1.12
+++ .cvsignore 16 Nov 2007 16:43:01 -0000 1.13
@@ -1 +1 @@
-apache-tomcat-5.5.23-src.tar.gz
+apache-tomcat-5.5.25-src.tar.gz
Index: sources
===================================================================
RCS file: /cvs/extras/rpms/tomcat5/F-7/sources,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- sources 16 May 2007 10:57:12 -0000 1.10
+++ sources 16 Nov 2007 16:43:01 -0000 1.11
@@ -1 +1 @@
-362d1d8b15dc09882440dcab8c592dd7 apache-tomcat-5.5.23-src.tar.gz
+2d6cc9a16aceeef4ec3610cd782d5c9d apache-tomcat-5.5.25-src.tar.gz
Index: tomcat5.spec
===================================================================
RCS file: /cvs/extras/rpms/tomcat5/F-7/tomcat5.spec,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -r1.99 -r1.100
--- tomcat5.spec 23 Jul 2007 18:06:03 -0000 1.99
+++ tomcat5.spec 16 Nov 2007 16:43:01 -0000 1.100
@@ -68,8 +68,8 @@
Name: tomcat5
Epoch: 0
-Version: 5.5.23
-Release: 9jpp.3%{?dist}
+Version: 5.5.25
+Release: 1jpp.1%{?dist}
Summary: Apache Servlet/JSP Engine, RI for Servlet 2.4/JSP 2.0 API
Group: Networking/Daemons
@@ -81,6 +81,9 @@
Source3: %{name}-%{majversion}.wrapper
Source4: %{name}-%{majversion}.logrotate
Source5: %{name}-%{majversion}.relink
+Source6: jasper-OSGi-MANIFEST.MF
+Source7: servlet-api-OSGi-MANIFEST.MF
+Source8: jsp-api-OSGi-MANIFEST.MF
Patch0: %{name}-%{majversion}.link_admin_jar.patch
Patch1: %{name}-%{majversion}-skip-build-on-install.patch
Patch2: %{name}-%{majversion}-jt5-build.patch
@@ -92,7 +95,7 @@
Patch9: %{name}-%{majversion}-jspc.sh.patch
Patch10: %{name}-%{majversion}-setclasspath.sh.patch
Patch12: %{name}-%{majversion}-util-build.patch
-Patch13: %{name}-%{version}-http11-build.patch
+Patch13: %{name}-%{majversion}-http11-build.patch
Patch14: %{name}-%{majversion}-jk-build.patch
Patch16: %{name}-%{majversion}-jspc-classpath.patch
#FIXME Disable JSP pre-compilation on ppc64 and x390x
@@ -101,6 +104,9 @@
# Seems to be only needed when building with ECJ for java 1.5 since
# the default source type for ecj is still 1.4
Patch19: %{name}-%{majversion}-connectors-util-build.patch
+Patch20: %{name}-%{majversion}-webdav.patch
+Patch21: %{name}-%{majversion}-acceptlangheader.patch
+
BuildRoot: %{_tmppath}/%{name}-%{epoch}-%{version}-%{release}-root-%(%{__id_u} -n)
%if ! %{gcj_support}
BuildArch: noarch
@@ -398,6 +404,20 @@
Javadoc for generated documentation %{name}-%{jname}
%endif
+%if %{with_ecj}
+%package jasper-eclipse
+Group: Text Editors/Integrated Development Environments (IDE)
+Summary: Jasper OSGi Eclipse plugin
+%if %{gcj_support}
+Requires(post): java-gcj-compat >= 1.0.64
+Requires(postun): java-gcj-compat >= 1.0.64
+%endif
+
+%description jasper-eclipse
+Jasper OSGi Eclipse plugin that contains class files from jasper-compiler,
+jasper-runtime and ECJ.
+%endif
+
%prep
%{__cat} << EOT
@@ -431,6 +451,8 @@
%patch18 -b .p18
%endif
%patch19 -b .p19
+%patch20 -b .p20
+%patch21 -b .p21
%if %{without_ecj}
%{__rm} %{jname}/src/share/org/apache/jasper/compiler/JDTCompiler.java
@@ -565,6 +587,28 @@
popd
%endif
+# create jasper-eclipse jar
+%if %{with_ecj}
+mkdir org.apache.jasper
+pushd org.apache.jasper
+unzip -qq ../apache-tomcat-5.5.25-src/build/build/common/lib/jasper-compiler.jar
+unzip -qq ../apache-tomcat-5.5.25-src/build/build/common/lib/jasper-runtime.jar \
+ -x META-INF/MANIFEST.MF org/apache/jasper/compiler/Localizer.class
+unzip -qq %{_javadir}/jdtcore.jar -x META-INF/MANIFEST.MF
+cp %{SOURCE6} META-INF/MANIFEST.MF
+rm plugin.properties plugin.xml about.html jdtCompilerAdapter.jar META-INF/eclipse.inf
+zip -qq -r ../org.apache.jasper_5.5.17.v200706111724.jar .
+popd
+%endif
+
+# inject OSGi manifests
+mkdir META-INF
+cp %{SOURCE7} META-INF/MANIFEST.MF
+zip -u %{packdname}/servletapi/jsr154/dist/lib/servlet-api.jar META-INF/MANIFEST.MF
+cp %{SOURCE8} META-INF/MANIFEST.MF
+zip -u %{packdname}/servletapi/jsr152/dist/lib/jsp-api.jar META-INF/MANIFEST.MF
+
+
%install
%{__rm} -rf $RPM_BUILD_ROOT
%{__install} -d -m 755 ${RPM_BUILD_ROOT}%{_javadir}
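Review bot: The jasper-eclipse steps hard-code `apache-tomcat-5.5.25-src` in both `unzip` paths and `5.5.17.v200706111724` in the jar name, so they need hand edits on every version bump and the plugin jar carries a version that does not match `Version: 5.5.25`; the later `%install` hunk that copies `org.apache.jasper_5.5.17.v200706111724.jar` repeats the name. The OSGi-manifest lines just below already use `%{packdname}`; if that macro expands to the unpacked source directory, `unzip -qq ../%{packdname}/build/build/common/lib/jasper-compiler.jar` would follow the version automatically. If the bundle version is pinned on purpose for Eclipse, a one-line comment above the `zip` command saying so would keep it from being "fixed" later.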
@@ -861,6 +905,11 @@
--exclude var/lib/%{name}/server/lib/servlets-ssi.renametojar
%endif
+%if %{with_ecj}
+%{__install} -d -m 755 ${RPM_BUILD_ROOT}%{_datadir}/eclipse/plugins
+%{__cp} org.apache.jasper_5.5.17.v200706111724.jar ${RPM_BUILD_ROOT}%{_datadir}/eclipse/plugins
+%endif
+
%clean
%{__rm} -rf $RPM_BUILD_ROOT
@@ -915,6 +964,16 @@
%endif
%if %{gcj_support}
+%post jasper-eclipse
+%{_bindir}/rebuild-gcj-db
+%endif
+
+%if %{gcj_support}
+%postun jasper-eclipse
+%{_bindir}/rebuild-gcj-db
+%endif
+
+%if %{gcj_support}
%post server-lib
%{_bindir}/rebuild-gcj-db
%endif
@@ -1231,7 +1290,30 @@
%doc %{_javadocdir}/%{name}-jsp-%{jspspec}-api-%{version}
%ghost %doc %{_javadocdir}/%{name}-jsp-%{jspspec}-api
+%if %{with_ecj}
+%files jasper-eclipse
+%defattr(-,root,root)
+%dir %{_datadir}/eclipse
+%dir %{_datadir}/eclipse/plugins
+%{_datadir}/eclipse/plugins/org.apache.jasper_*
+%endif
+
%changelog
+* Thu Nov 15 2007 Devrim GUNDUZ <devrim at commandprompt.com> 0:5.5.25-1jpp.1
+- Updated to 5.5.25, to fix the following issues:
+ * CVE-2007-1355
+ * CVE-2007-3386
+ * CVE-2007-3385
+ * CVE-2007-3382
+ * CVE-2007-2450, RH bugzilla #244808, #244810, #244812, #363081
+ * CVE-2007-2449, RH bugzilla #244810, #244812, #244804, #363081
+- Applied patch(20) for RH bugzilla #333791, CVE-2007-5461
+- Applied patch(21) for RH bugzilla #244803, #244812, #363081, CVE-2007-1358
+
+* Mon Aug 06 2007 Ben Konrath <bkonrath at redhat.com> 0:5.5.23-9jpp.4
+- Add jasper-eclipse subpackage which is needed for eclipse 3.3.
+- Inject OSGi manifest into servlet api jar and jsp api jar.
+
* Mon Jul 23 2007 Vivek Lakshmanan <vivekl at redhat.com> 0:5.5.23-9jpp.3
- Resolves: Bug 246374