Bug 262975 - www/tomcat{85,9,10,-devel}: Update to 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14
Summary: www/tomcat{85,9,10,-devel}: Update to 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14
Status: Closed FIXED
Alias: None
Product: Ports & Packages
Classification: Unclassified
Component: Individual Port(s)
Version: Latest
Hardware: Any Any
Importance: --- Affects Many People
Assignee: Mikael Urankar
URL: https://tomcat.apache.org
Keywords:
Depends on:
Blocks:
 
Reported: 2022-04-01 10:27 UTC by Vladimir Druzenko
Modified: 2022-04-02 18:02 UTC

See Also:
vvd: merge-quarterly?


Attachments
update to 8.5.78 (860 bytes, patch)
2022-04-01 10:27 UTC, Vladimir Druzenko
vvd: maintainer-approval+
update to 9.0.62 (851 bytes, patch)
2022-04-01 10:28 UTC, Vladimir Druzenko
vvd: maintainer-approval+
update to 10.0.20 (867 bytes, patch)
2022-04-01 10:29 UTC, Vladimir Druzenko
vvd: maintainer-approval+
update to 10.1.0-M14 (1.28 KB, patch)
2022-04-01 10:30 UTC, Vladimir Druzenko
vvd: maintainer-approval+

Description Vladimir Druzenko freebsd_committer freebsd_triage 2022-04-01 10:27:40 UTC
Created attachment 232859
update to 8.5.78

For all versions:

Harden the class loader to provide a mitigation for CVE-2022-22965, a Spring Framework vulnerability: Effectively disable the WebappClassLoaderBase.getResources() method as it is not used and if something accidentally exposes the class loader this method can be used to gain access to Tomcat internals.


Tested on 12.3-p4 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.78_(markt)
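Added check, not part of this PR and not code from the Tomcat project: a small sh script that reads `pkg info`-style package lines and reports whether each www/tomcat* package is at or above the version committed here (8.5.78, 9.0.62, 10.0.20, 10.1.0-M14). Assumptions that are mine, not the PR's: package lines have the "<name>-<version>" shape printed by `pkg info -q` (e.g. "tomcat9-9.0.62"), the ports framework encodes the milestone 10.1.0-M14 as "10.1.0.m14" (the comparison only looks at digit runs, so either spelling is accepted), and the function names and the sample package list are constructed for the example.

```sh
#!/bin/sh
# Added example, not part of PR 262975 or of the Tomcat project: check whether the
# installed www/tomcat* packages are at or above the versions committed in the PR
# (8.5.78, 9.0.62, 10.0.20, 10.1.0-M14).
#
# Assumptions (mine, not from the PR): package lines look like `pkg info -q` output,
# "<name>-<version>" (e.g. "tomcat9-9.0.62"), and the milestone 10.1.0-M14 is
# encoded by the ports framework as "10.1.0.m14". Only runs of digits are compared,
# so "10.1.0-M14" and "10.1.0.m14" are treated alike.

# Minimum fixed version per port, taken from the four commits in the PR.
fixed_version() {
    case "$1" in
        tomcat85)     echo "8.5.78" ;;
        tomcat9)      echo "9.0.62" ;;
        tomcat10)     echo "10.0.20" ;;
        tomcat-devel) echo "10.1.0.m14" ;;
        *)            return 1 ;;
    esac
}

# version_ge A B: return 0 if A >= B. Every run of digits is one numeric field,
# compared left to right; a missing field counts as 0, so a port revision such as
# "8.5.78_1" is >= "8.5.78" and "10.0.19_5" is < "10.0.20".
version_ge() {
    a=$(printf '%s' "$1" | tr -c '0-9' ' ')
    b=$(printf '%s' "$2" | tr -c '0-9' ' ')
    set -- $a
    for y in $b; do
        x=${1:-0}
        [ $# -gt 0 ] && shift
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
    done
    return 0
}

# check_tomcat_pkg "<name>-<version>": print fixed | vulnerable | unknown and
# return 0 | 1 | 2. The name ends at the first "-<digit>", so hyphenated port
# names like tomcat-devel split correctly.
check_tomcat_pkg() {
    name=$(printf '%s' "$1" | sed 's/-[0-9].*//')   # "tomcat-devel-10.1.0.m14" -> "tomcat-devel"
    ver=${1#"$name"-}                                # -> "10.1.0.m14"
    min=$(fixed_version "$name") || { echo unknown; return 2; }
    if version_ge "$ver" "$min"; then
        echo fixed
    else
        echo vulnerable; return 1
    fi
}

# Report each package (status, then package) on stdout; always returns 0.
audit_tomcat_pkgs() {
    for p in $1; do
        status=$(check_tomcat_pkg "$p") || :
        printf '%-10s %s\n' "$status" "$p"
    done
}

# Number of packages below their fixed version; suitable as a pass/fail figure.
count_vulnerable() {
    n=0
    for p in $1; do
        [ "$(check_tomcat_pkg "$p")" = vulnerable ] && n=$((n + 1))
    done
    echo "$n"
}

# Constructed sample of `pkg info -q` output (not taken from a real host). On a
# live FreeBSD system use: SAMPLE_PKGS=$(pkg info -q | grep '^tomcat')
SAMPLE_PKGS='tomcat85-8.5.78
tomcat9-9.0.58
tomcat10-10.0.20_1
tomcat-devel-10.1.0.m13'

audit_tomcat_pkgs "$SAMPLE_PKGS"
```

For a pass/fail gate in a script, test `[ "$(count_vulnerable "$(pkg info -q | grep '^tomcat')")" -eq 0 ]`. Two caveats: the package version only tells you what is on disk, so a Tomcat instance upgraded by pkg keeps running the old class loader until the service is restarted; and, as the changelog wording says, this is a mitigation on the Tomcat side, not a fix for the Spring Framework vulnerability itself, so applications embedding Spring still need their own update.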
Comment 1 Vladimir Druzenko freebsd_committer freebsd_triage 2022-04-01 10:28:38 UTC
Created attachment 232860
update to 9.0.62

Tested on 12.3-p4 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.62_(remm)
Comment 2 Vladimir Druzenko freebsd_committer freebsd_triage 2022-04-01 10:29:23 UTC
Created attachment 232861
update to 10.0.20

Tested on 12.3-p4 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.20_(markt)
Comment 3 Vladimir Druzenko freebsd_committer freebsd_triage 2022-04-01 10:30:08 UTC
Created attachment 232862
update to 10.1.0-M14

Tested on 12.3-p4 amd64: make check-plist/install/run.

https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M14_(markt)
Comment 4 commit-hook freebsd_committer freebsd_triage 2022-04-01 10:59:10 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e9395fe9f8bf883705051291aabb7c7603ab41df

commit e9395fe9f8bf883705051291aabb7c7603ab41df
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2022-04-01 10:44:42 +0000
Commit:     Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2022-04-01 10:57:05 +0000

    www/tomcat9: Update to 9.0.62

    Harden the class loader to provide a mitigation for CVE-2022-22965
    a Spring Framework vulnerability: Effectively disable the
    WebappClassLoaderBase.getResources() method as it is not used and
    if something accidentally exposes the class loader this method can be used to gain
    access to Tomcat internals.

    Changes: https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.62_(remm)

    PR:             262975

 www/tomcat9/Makefile | 2 +-
 www/tomcat9/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 5 commit-hook freebsd_committer freebsd_triage 2022-04-01 10:59:10 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8126f2d8db74bb034cd5f6950c7caf9f87eef054

commit 8126f2d8db74bb034cd5f6950c7caf9f87eef054
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2022-04-01 10:51:42 +0000
Commit:     Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2022-04-01 10:57:05 +0000

    www/tomcat85: Update to 8.5.78

    Harden the class loader to provide a mitigation for CVE-2022-22965
    a Spring Framework vulnerability: Effectively disable the
    WebappClassLoaderBase.getResources() method as it is not used and
    if something accidentally exposes the class loader this method can be used to gain
    access to Tomcat internals.

    Changes: https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.78_(markt)

    PR:             262975

 www/tomcat85/Makefile | 2 +-
 www/tomcat85/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 6 commit-hook freebsd_committer freebsd_triage 2022-04-01 10:59:11 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cbc9cfb51de10aa12cc9a2979331c21f2246d9c8

commit cbc9cfb51de10aa12cc9a2979331c21f2246d9c8
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2022-04-01 10:47:10 +0000
Commit:     Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2022-04-01 10:57:06 +0000

    www/tomcat10: Update to 10.0.20

    Harden the class loader to provide a mitigation for CVE-2022-22965
    a Spring Framework vulnerability: Effectively disable the
    WebappClassLoaderBase.getResources() method as it is not used and
    if something accidentally exposes the class loader this method can be used to gain
    access to Tomcat internals.

    Changes: https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M14_(markt)

    PR:             262975

 www/tomcat10/Makefile | 2 +-
 www/tomcat10/distinfo | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
Comment 7 Vladimir Druzenko freebsd_committer freebsd_triage 2022-04-01 14:15:04 UTC
Where is www/tomcat-devel?
Comment 8 Mikael Urankar freebsd_committer freebsd_triage 2022-04-01 14:47:09 UTC
(In reply to VVD from comment #7)
I forgot this one
Comment 9 commit-hook freebsd_committer freebsd_triage 2022-04-02 14:02:37 UTC
A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=530a0b5108770215b871ffce6096efde37e65a65

commit 530a0b5108770215b871ffce6096efde37e65a65
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2022-04-02 13:42:33 +0000
Commit:     Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2022-04-02 14:02:20 +0000

    www/tomcat-devel: Update to 10.1.0-M14

    Harden the class loader to provide a mitigation for CVE-2022-22965
    a Spring Framework vulnerability: Effectively disable the
    WebappClassLoaderBase.getResources() method as it is not used and
    if something accidentally exposes the class loader this method can be used to gain
    access to Tomcat internals.

    Changes: https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M14_(markt)

    PR:             262975

 www/tomcat-devel/Makefile  | 2 +-
 www/tomcat-devel/distinfo  | 6 +++---
 www/tomcat-devel/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
Comment 10 commit-hook freebsd_committer freebsd_triage 2022-04-02 14:05:39 UTC
A commit in branch 2022Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=aa0e9b08ea569c14dbabe482b675fadfab5f0a52

commit aa0e9b08ea569c14dbabe482b675fadfab5f0a52
Author:     VVD <vvd@unislabs.com>
AuthorDate: 2022-04-02 13:42:33 +0000
Commit:     Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2022-04-02 14:04:24 +0000

    www/tomcat-devel: Update to 10.1.0-M14

    Harden the class loader to provide a mitigation for CVE-2022-22965
    a Spring Framework vulnerability: Effectively disable the
    WebappClassLoaderBase.getResources() method as it is not used and
    if something accidentally exposes the class loader this method can be used to gain
    access to Tomcat internals.

    Changes: https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M14_(markt)

    PR:             262975
    (cherry picked from commit 530a0b5108770215b871ffce6096efde37e65a65)

 www/tomcat-devel/Makefile  | 2 +-
 www/tomcat-devel/distinfo  | 6 +++---
 www/tomcat-devel/pkg-plist | 2 +-
 3 files changed, 5 insertions(+), 5 deletions(-)
Comment 11 Vladimir Druzenko freebsd_committer freebsd_triage 2022-04-02 14:39:58 UTC
Thanks.

Commit to 2022Q2 other versions?