| Field | Value |
|---|---|
| Summary | www/tomcat{85,9,10,-devel}: Update to 8.5.78, 9.0.62, 10.0.20, 10.1.0-M14 |
| Product | Ports & Packages |
| Reporter | Vladimir Druzenko <vvd> |
| Component | Individual Port(s) |
| Assignee | Mikael Urankar <mikael> |
| Status | Closed FIXED |
| Severity | Affects Many People |
| CC | mikael |
| Priority | --- |
| Flags | vvd: merge-quarterly? |
| Version | Latest |
| Hardware | Any |
| OS | Any |
| URL | https://tomcat.apache.org |
| Attachments | |
Description
Vladimir Druzenko

Created attachment 232860 [details]: update to 9.0.62

Tested on 12.3-p4 amd64: make check-plist/install/run.
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.62_(remm)

Comment

Created attachment 232861 [details]: update to 10.0.20

Tested on 12.3-p4 amd64: make check-plist/install/run.
https://tomcat.apache.org/tomcat-10.0-doc/changelog.html#Tomcat_10.0.20_(markt)

Comment

Created attachment 232862 [details]: update to 10.1.0-M14

Tested on 12.3-p4 amd64: make check-plist/install/run.
https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M14_(markt)

Comment

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=e9395fe9f8bf883705051291aabb7c7603ab41df

commit e9395fe9f8bf883705051291aabb7c7603ab41df
Author: VVD <vvd@unislabs.com>
AuthorDate: 2022-04-01 10:44:42 +0000
Commit: Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2022-04-01 10:57:05 +0000

www/tomcat9: Update to 9.0.62

Harden the class loader to provide a mitigation for CVE-2022-22965, a Spring Framework vulnerability: effectively disable the WebappClassLoaderBase.getResources() method as it is not used, and if something accidentally exposes the class loader this method can be used to gain access to Tomcat internals.

Changes: https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.62_(remm)

PR: 262975

www/tomcat9/Makefile | 2 +-
www/tomcat9/distinfo | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)

Comment

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=8126f2d8db74bb034cd5f6950c7caf9f87eef054

commit 8126f2d8db74bb034cd5f6950c7caf9f87eef054
Author: VVD <vvd@unislabs.com>
AuthorDate: 2022-04-01 10:51:42 +0000
Commit: Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2022-04-01 10:57:05 +0000

www/tomcat85: Update to 8.5.78

Harden the class loader to provide a mitigation for CVE-2022-22965, a Spring Framework vulnerability: effectively disable the WebappClassLoaderBase.getResources() method as it is not used, and if something accidentally exposes the class loader this method can be used to gain access to Tomcat internals.

Changes: https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.78_(markt)

PR: 262975

www/tomcat85/Makefile | 2 +-
www/tomcat85/distinfo | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)

Comment

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=cbc9cfb51de10aa12cc9a2979331c21f2246d9c8

commit cbc9cfb51de10aa12cc9a2979331c21f2246d9c8
Author: VVD <vvd@unislabs.com>
AuthorDate: 2022-04-01 10:47:10 +0000
Commit: Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2022-04-01 10:57:06 +0000

www/tomcat10: Update to 10.0.20

Harden the class loader to provide a mitigation for CVE-2022-22965, a Spring Framework vulnerability: effectively disable the WebappClassLoaderBase.getResources() method as it is not used, and if something accidentally exposes the class loader this method can be used to gain access to Tomcat internals.

Changes: https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M14_(markt)

PR: 262975

www/tomcat10/Makefile | 2 +-
www/tomcat10/distinfo | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)

Comment 7 (VVD)

Where is www/tomcat-devel?

Comment

(In reply to VVD from comment #7)

I forgot this one.

Comment

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=530a0b5108770215b871ffce6096efde37e65a65

commit 530a0b5108770215b871ffce6096efde37e65a65
Author: VVD <vvd@unislabs.com>
AuthorDate: 2022-04-02 13:42:33 +0000
Commit: Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2022-04-02 14:02:20 +0000

www/tomcat-devel: Update to 10.1.0-M14

Harden the class loader to provide a mitigation for CVE-2022-22965, a Spring Framework vulnerability: effectively disable the WebappClassLoaderBase.getResources() method as it is not used, and if something accidentally exposes the class loader this method can be used to gain access to Tomcat internals.

Changes: https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M14_(markt)

PR: 262975

www/tomcat-devel/Makefile | 2 +-
www/tomcat-devel/distinfo | 6 +++---
www/tomcat-devel/pkg-plist | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)

Comment

A commit in branch 2022Q2 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=aa0e9b08ea569c14dbabe482b675fadfab5f0a52

commit aa0e9b08ea569c14dbabe482b675fadfab5f0a52
Author: VVD <vvd@unislabs.com>
AuthorDate: 2022-04-02 13:42:33 +0000
Commit: Mikael Urankar <mikael@FreeBSD.org>
CommitDate: 2022-04-02 14:04:24 +0000

www/tomcat-devel: Update to 10.1.0-M14

Harden the class loader to provide a mitigation for CVE-2022-22965, a Spring Framework vulnerability: effectively disable the WebappClassLoaderBase.getResources() method as it is not used, and if something accidentally exposes the class loader this method can be used to gain access to Tomcat internals.

Changes: https://tomcat.apache.org/tomcat-10.1-doc/changelog.html#Tomcat_10.1.0-M14_(markt)

PR: 262975

(cherry picked from commit 530a0b5108770215b871ffce6096efde37e65a65)

www/tomcat-devel/Makefile | 2 +-
www/tomcat-devel/distinfo | 6 +++---
www/tomcat-devel/pkg-plist | 2 +-
3 files changed, 5 insertions(+), 5 deletions(-)

Comment 11 (VVD)

Thanks.

Commit to 2022Q2 other versions?

Comment

(In reply to VVD from comment #11)

Already there: https://cgit.freebsd.org/ports/commit/www/tomcat9?h=2022Q2&id=e9395fe9f8bf883705051291aabb7c7603ab41df
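A defender's check, added here and not part of this bug or the ports tree: given the four port origins and the fixed versions named in the commits above, decide whether an installed Tomcat port already carries the class-loader hardening. It assumes input lines shaped like `pkg query '%o %v'` output (origin, space, package version); the sample lines are constructed, and the milestone ordering (10.1.0-M14 below a final 10.1.0) and stripping of the FreeBSD `_N` port-revision suffix are the example's own handling.

```python
"""Check installed FreeBSD Tomcat ports against the versions fixed in PR 262975."""
import re
from typing import Dict, List, Tuple

# Minimum versions carrying the hardening, taken from the commit messages above.
FIXED: Dict[str, str] = {
    "www/tomcat85": "8.5.78",
    "www/tomcat9": "9.0.62",
    "www/tomcat10": "10.0.20",
    "www/tomcat-devel": "10.1.0-M14",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Sortable key: (major, minor, patch, is_final, milestone_number).

    A milestone such as 10.1.0-M14 sorts below the final 10.1.0 release.
    The FreeBSD port revision suffix (_N) does not change the upstream
    version, so it is stripped before parsing (assumption of this example).
    """
    upstream = version.split("_", 1)[0]
    m = _VERSION_RE.match(upstream)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_fixed(origin: str, version: str) -> bool:
    """True when the installed version is at or above the fixed one for that port."""
    if origin not in FIXED:
        raise KeyError(f"{origin} is not one of the ports updated in this PR")
    return version_key(version) >= version_key(FIXED[origin])


def audit(pkg_query_lines: List[str]) -> Dict[str, bool]:
    """Evaluate lines in the shape of `pkg query '%o %v'`; non-Tomcat ports are skipped."""
    result: Dict[str, bool] = {}
    for line in pkg_query_lines:
        origin, version = line.split()
        if origin in FIXED:
            result[origin] = is_fixed(origin, version)
    return result


# Constructed sample input, not output captured from a real system.
SAMPLE = ["www/tomcat9 9.0.61", "www/tomcat-devel 10.1.0-M14_1", "www/apache24 2.4.53_1"]
```

Run `audit(SAMPLE)` to get `{"www/tomcat9": False, "www/tomcat-devel": True}`: the tomcat9 package is one release short of the fix, while the -devel milestone (with a port revision) already has it.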