Oracle Linux ELSA-2017-2247: tomcat security, bug fix, and enhancement update

Published: Aug 07, 2017 - 12:00 a.m.
Source: linux.oracle.com

CVSS3: 8.8 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 7.8 High
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C

EPSS: 0.954 High (Percentile 99.2%)

[0:7.0.76-2]
  • Resolves: rhbz#1459747 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
  • Resolves: rhbz#1441481 CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used

[0:7.0.76-1]
  • Resolves: rhbz#1414895 Rebase tomcat to the current release

[0:7.0.69-10]
  • Related: rhbz#1368122

[0:7.0.69-9]
  • Resolves: rhbz#1362213 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
  • Resolves: rhbz#1368122

[0:7.0.69-7]
  • Resolves: rhbz#1362545

[0:7.0.69-6]
  • Related: rhbz#1201409 Added /etc/sysconfig/tomcat to the systemd unit for tomcat-jsvc.service

[0:7.0.69-5]
  • Resolves: rhbz#1347860 The systemd service unit does not allow tomcat to shut down gracefully

[0:7.0.69-4]
  • Resolves: rhbz#1350438 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service

[0:7.0.69-3]
  • Resolves: rhbz#1347774 The security manager doesn’t work correctly (JSPs cannot be compiled)

[0:7.0.69-2]
  • Rebase Resolves: rhbz#1311622 Getting NoSuchElementException while handling attributes with empty string value in tomcat
  • Rebase Resolves: rhbz#1320853 Add HSTS support
  • Rebase Resolves: rhbz#1293292 CVE-2014-7810 tomcat: Tomcat/JBossWeb: security manager bypass via EL expressions
  • Rebase Resolves: rhbz#1347144 CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
  • Rebase Resolves: rhbz#1347139 CVE-2015-5346 tomcat: Session fixation
  • Rebase Resolves: rhbz#1347136 CVE-2015-5345 tomcat: directory disclosure
  • Rebase Resolves: rhbz#1347129 CVE-2015-5174 tomcat: URL Normalization issue
  • Rebase Resolves: rhbz#1347146 CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
  • Rebase Resolves: rhbz#1347142 CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
  • Rebase Resolves: rhbz#1347133 CVE-2015-5351 tomcat: CSRF token leak

[0:7.0.69-1]
  • Resolves: rhbz#1287928 Rebase to tomcat 7.0.69
  • Resolves: rhbz#1327326 rpm -V tomcat fails on /var/log/tomcat/catalina.out
  • Resolves: rhbz#1277197 tomcat user has non-existing default shell set
  • Resolves: rhbz#1240279 The command tomcat-digest doesn’t work with RHEL 7
  • Resolves: rhbz#1229476 Tomcat startup ONLY options
  • Resolves: rhbz#1133070 Need to include full implementation of tomcat-juli.jar and tomcat-juli-adapters.jar
  • Resolves: rhbz#1201409 Fix the broken tomcat-jsvc service unit
  • Resolves: rhbz#1221896 tomcat.service loads /etc/sysconfig/tomcat without shell expansion
  • Resolves: rhbz#1208402 Mark web.xml in tomcat-admin-webapps as config file

[0:7.0.54-2]
  • Resolves: CVE-2014-0227

[0:7.0.54-1]
  • Resolves: rhbz#1141372 - Remove systemv artifacts. Add new systemd artifacts. Rebase on 7.0.54.

[0:7.0.43-6]
  • Resolves: CVE-2014-0099
  • Resolves: CVE-2014-0096
  • Resolves: CVE-2014-0075

[0:7.0.42-5]
  • Related: CVE-2013-4286
  • Related: CVE-2013-4322
  • Related: CVE-2014-0050
  • revisit patches for above.

[0:7.0.42-4]
  • Related: rhbz#1056696 correct packaging for sbin tomcat

[0:7.0.42-3]
  • Related: CVE-2013-4286. increment build number. missed doing it.
  • Resolves: rhbz#1038183 remove BR for ant-nodeps. it’s no longer used.

[0:7.0.42-2]
  • Resolves: rhbz#1056673 Invocation of useradd with shell other than sbin nologin
  • Resolves: rhbz#1056677 preun systemv scriptlet unconditionally stops service
  • Resolves: rhbz#1056696 init.d tomcat does not conform to RHEL7 systemd rules. systemv subpackage is removed.
  • Resolves: CVE-2013-4286
  • Resolves: CVE-2013-4322
  • Resolves: CVE-2014-0050
  • Built for rhel-7 RC

[0:7.0.42-1]
  • Resolves: rhbz#1051657 update to 7.0.42. Ant-nodeps is deprecated.

[07.0.40-3]
  • Mass rebuild 2013-12-27

[0:7.0.40-1]
  • Updated to 7.0.40
  • Resolves: rhbz 956569 added missing commons-pool link

[0:7.0.37-2]
  • Add depmaps for org.eclipse.jetty.orbit
  • Resolves: rhbz#917626

[0:7.0.39-1]
  • Updated to 7.0.39

[0:7.0.37-1]
  • Updated to 7.0.37

[0:7.0.35-1]
  • Updated to 7.0.35
  • systemd SuccessExitStatus=143 for proper stop exit code processing

[0:7.0.34-1]
  • Updated to 7.0.34
  • ecj >= 4.2.1 now required
  • Resolves: rhbz 889395 concat classpath correctly; chdir to

[0:7.0.33-2]
  • Resolves: rhbz 883806 refix logdir ownership

[0:7.0.33-1]
  • Updated to 7.0.33
  • Resolves: rhbz 873620 need chkconfig for update-alternatives

[0:7.0.32-1]
  • Updated to 7.0.32
  • Resolves: rhbz 842620 symlinks to taglibs

[0:7.0.29-1]
  • Updated to 7.0.29
  • Add pidfile as tmpfile
  • Use systemd for running as unprivileged user
  • Resolves: rhbz 847751 upgrade path was broken
  • Resolves: rhbz 850343 use new systemd-rpm macros

[0:7.0.28-2]
  • Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild

[0:7.0.28-1]
  • Updated to 7.0.28
  • Resolves: rhbz 820119 Remove bundled apache-commons-dbcp
  • Resolves: rhbz 814900 Added tomcat-coyote POM
  • Resolves: rhbz 810775 Remove systemv stuff from %post scriptlet
  • Remove redhat-lsb R

[0:7.0.27-2]
  • Fixed native download hack

[0:7.0.27-1]
  • Updated to 7.0.27
  • Fixed jakarta-taglibs-standard BR and R

[0:7.0.26-2]
  • Add more depmaps to J2EE apis to help jetty/glassfish updates

[0:7.0.26-2]
  • Added the POM files for tomcat-api and tomcat-util (#803495)

[0:7.0.26-1]
  • Updated to 7.0.26
  • Bug 790334: Change ownership of logdir for logrotate

[0:7.0.25-4]
  • Bug 790694: Priorities of jsp, servlet and el packages updated.

[0:7.0.25-3]
  • Dropped indirect dependency to tomcat 5

[0:7.0.25-2]
  • Added hack for maven depmap of tomcat-juli absolute link [ -f ] pass correctly

[0:7.0.25-1]
  • Updated to 7.0.25
  • Removed EntityResolver patch (changes already in upstream sources)
  • Place poms and depmaps in the same package as jars
  • Added javax.servlet.descriptor to export-package of servlet-api
  • Move several chkconfig actions and reqs to systemv subpackage
  • New maven depmaps generation method
  • Add patch to support java7. (patch sent upstream).
  • Require java >= 1:1.6.0

[0:7.0.23-5]
  • Exported javax.servlet.* packages in version 3.0 as 2.6 to make servlet-api compatible with Eclipse.

[0:7.0.23-4]
  • Move jsvc support to subpackage

[0:7.0.23-2]
  • Add EntityResolver setter patch to jasper for jetty’s need. (patch sent upstream).

[0:7.0.23-3]
  • Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for starting tomcat with jsvc, which allows tomcat to perform some privileged operations (e.g. bind to a port < 1024) and then switch identity to a non-privileged user. Must add USE_JSVC='true' to /etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat.

[0:7.0.23-1]
  • Updated to 7.0.23

[0:7.0.22-2]
  • Move tomcat-juli.jar to lib package
  • Drop %update_maven_depmap as in tomcat6
  • Provide native systemd unit file ported from tomcat6

[0:7.0.22-1]
  • Updated to 7.0.22

[0:7.0.21-3.1]
  • rebuild (java), rel-eng#4932

[0:7.0.21-3]
  • Fix basedir mode

[0:7.0.21-2]
  • Add manifests for el-api, jasper-el, jasper, tomcat, and tomcat-juli.

[0:7.0.21-1]
  • Updated to 7.0.21

[0:7.0.20-3]
  • Require java = 1:1.6.0

[0:7.0.20-2]
  • Require java < 1.7.0

[0:7.0.20-1]
  • Updated to 7.0.20

[0:7.0.19-1]
  • Updated to 7.0.19

[0:7.0.16-1]
  • Updated to 7.0.16

[0:7.0.14-3]
  • Added initial systemd service
  • Fix some paths

[0:7.0.14-2]
  • Fixed http source link
  • Securify some permissions
  • Added licenses for el-api and servlet-api
  • Added dependency on jpackage-utils for the javadoc subpackage

[0:7.0.14-1]
  • Updated to 7.0.14

[0:7.0.12-4]
  • Provided local paths for libs
  • Fixed dependencies
  • Fixed update temp/work cleanup

[0:7.0.12-3]
  • Fixed package groups
  • Fixed some permissions
  • Fixed some links
  • Removed old tomcat6 crap

[0:7.0.12-2]
  • Package now named just tomcat instead of tomcat7
  • Removed Provides: tomcat-log4j
  • Switched to apache-commons-* names instead of jakarta-commons-* .
  • Remove the old changelog
  • BR/R java >= 1:1.6.0 , same for java-devel
  • Removed old tomcat6 crap

[0:7.0.12-1]
  • Tomcat7
