Sync from SUSE:SLFO:Main tomcat revision 0dd02bb63d6ac69bf18c3bbe8f155b21

apache-tomcat-9.0.104-src.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmfv1ZQACgkQaCSJWTWe
-cis+XQ/9HuXjoCNrPyNer5F7eRw5Z3i9IqNopuA3eHmEQjvRE89/O8OMbP3t4Ddi
-MR8Cky1YY0nZe+ymFA1vTpj5/cLiwxeiBOlqQpt8ulEYyFyi7eey8JdXirOc/J8V
-7adrvs7cFstcKk+J3oarXiZGe0CxGo5NYjA0eKZIm3UzzRvrq0h2NcHhfqDqKiBv
-/J66V+ngJEkb2lUPNEKErN8GDJ5R9u0I7kMm5d945hkh1CtHGeR00bKdwim3mG3F
-vpa9p9RboIi2GCRp4chcCTwbNvpl5CQqypRYZTGQZvabQvY95hTWt80g5P8+STaL
-e/2uIWWOstUIGAL4E4fTEXFFdFZLWhTipCh9qBupwsWNWkDmG3jL5VTnQlUfQGUT
-XcgcEUbwJuIsYz+u0SZKqnbrEq1Rlr9wI68VX9VgPnrx7sAZtY4A/RE4raRhSfak
-ejjZueu7sqp+PnLcIHsncwcaVAPzcESzphc5TRUuRPJOvBFcVHKyNYbIyJ/iClal
-TCKOSwcYjGJxMqPYiOTm1IvHiuaZSZ7Ul+RnuNd/XiRiEU9oNL8XdrMc1JCG0oMt
-gikYtVikfKp5F1cao8YCBCGZ/cxkIZV/SWOCXs/B/IlVYVhFDmRbAmteHajKThAX
-H8afyoFdXs33Ik/BYxj3H7AC7XHFS6qkvmUzlZllrTABvImpzoE=
-=Q1aN
------END PGP SIGNATURE-----

apache-tomcat-9.0.106-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmhCApMACgkQaCSJWTWe
+ciszzw/7ByOhKu20Mn72ndNIHbHG9aeZHo/XIk1aPGXpAzOiXh6uHbVkc//T0YVR
+AVMezY2Ye24w2QOOnnmF8fXG5pLJ4mM08wJsdUwDIoVPTXW0SxBHj60QrGW70dIR
+NlBSsT6ZvzxLC42JrajcWknIum6ftibt3jToWKTjc2cv2eDfTw70XV5iDD+tZRXY
+TUlYdIIlj5HY2/p+0Wp52eafBfDXNTmTKd4wKcGAneqIse8tx+Gw3e6dM9aWueCZ
+MU3rKNDdzI6EqwSU4qtyD6GEfEhRDJVCx86Ppu/7ghtjXeZ7czVjHviphruktFTC
+JRW7OjwWSRRcXw5pKJ77uQHa5O16WsgbUMDwV0hj+4YFNmRV51HvNNcb8UxHVrAs
+xTrdJR+MamvIzSYbbO3uKWytPErs3Rg/yZ4C8YG9i3j+9dgWzkxZ0xKgWrvg8ilp
+USlNCjI5AV7Xy9B7IcxmxPjzcViqEtv6A+QxX5Emi1OG7fTVrk0aLAl2wyevRzTk
+gK62XgCK8Tuytz0Z7gysZGsP4UpOQTWhxJz+RlE03t541NW58rJsKn2sFAE6sIMA
+cIsyvU2BaFpm7J4MyNWeu/WCIAgICf97IXEgqsWS7GK4cToHg7tQ05aI9+pItJ8h
+2tftZ3lc93g6rRly7gikATeii37jqMgiZjSu3QxvIjCgVmsJn1w=
+=sAf2
+-----END PGP SIGNATURE-----

tomcat.changes

@@ -1,3 +1,101 @@
+-------------------------------------------------------------------
+Tue Jun 24 09:24:21 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 9.0.106
+  * Fixed CVEs:
+    + CVE-2025-46701: refactor CGI servlet to access resources via
+      WebResources (bsc#1243815)
+    + CVE-2025-48988: limits the total number of parts in a
+      multi-part request and limits the size of
+      the headers provided with each part (bsc#1244656)
+    + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649)
+  * Catalina
+    + Add: Support for the java:module namespace which mirrors the
+      java:comp namespace.
+    + Add: Support parsing of multiple path parameters separated by ; in a
+      single URL segment. Based on pull request #860 by Chenjp.
+    + Add: Support for limiting the number of parameters in HTTP requests
+      through the new ParameterLimitValve. The valve allows configurable
+      URL-specific limits on the number of parameters.
+    + Fix: 69699: Encode redirect URL used by the rewrite valve with the
+      session id if appropriate, and handle cross context with different
+      session configuration when using rewrite.
+    + Add: #863: Support for comments at the end of lines in text rewrite
+      map files to align behaviour with Apache httpd. Pull request
+      provided by Chenjp.
+    + Fix: 69706: Saved request serialization issue in FORM introduced
+      when allowing infinite session timeouts.
+    + Fix: Expand the path checks for Pre-Resources and Post-Resources
+      mounted at a path within the web application.
+    + Fix: 69588: Enable allowLinking to be set on PreResources,
+      JarResources and PostResources. If not set explicitly, the setting
+      will be inherited from the Resources.
+    + Add: 69633: Support for Filters using context root mappings.
+    + Fix: #843: Off by one validation logic for partial PUT ranges and
+      associated test case. Submitted by Chenjp.
+    + Refactor: Replace the unused buffer in
+      org.apache.catalina.connector.InputBuffer with a static, zero
+      length buffer.
+    + Refactor: GCI servlet to access resources via the WebResource API.
+    + Fix: 69662: Report name in exception message when a naming lookup
+      failure occurs. Based on code submitted by Donald Smith.
+    + Fix: Ensure that the FORM authentication attribute
+      authenticationSessionTimeout works correctly when sessions have an
+      infinite timeout when authentication starts.
+    + Add: Provide a content type based on file extension when web
+      application resources are accessed via a URL.
+  * Coyote
+    + Refactor: #861: TaskQueue to use the new interface RetryableQueue
+      which enables better integration of custom Executors which provide
+      their own BlockingQueue implementation. Pull request provided by
+      Paulo Almeida.
+    + Add: Finer grained control of multi-part request processing via two
+      new attributes on the Connector element. maxPartCount limits the
+      total number of parts in a multi-part request and maxPartHeaderSize
+      limits the size of the headers provided with each part. Add support
+      for these new attributes to the ParameterLimitValve.
+    + Refactor: The SavedRequestInputFilter so the buffered data is used
+      directly rather than copied.
+  * Jasper
+    + Fix: 69696: Mark the JSP wrapper for reload after a failed
+      compilation.
+    + Fix: 69635: Add support to javax.el.ImportHandler for resolving
+      inner classes.
+    + Add: #842: Support for optimized execution of c:set and c:remove
+      tags, when activated via JSP servlet param
+      useNonstandardTagOptimizations.
+    + Fix: An edge case compilation bug for JSP and tag files on case
+      insensitive file systems that was exposed by the test case for
+      69635.
+  * Web applications
+    + Fix: 69694: Improve error reporting of deployment tasks done using
+      the manager webapp when a copy operation fails.
+    + Add: 68876: Documentation. Update the UML diagrams for server
+      start-up, request processing and authentication using PlantUML and
+      include the source files for each diagram.
+  * Other
+    + Add: Thread name to webappClassLoader.stackTraceRequestThread
+      message. Patch provided by Felix Zhang.
+    + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1
+      (2025-06-05).
+    + Update: EasyMock to 5.6.0.
+    + Update: Checkstyle to 10.25.0.
+    + Fix: #858: Extend improvements to CVE-2024-56337 protection to
+      service.bat. Pull request provided by Markus Hoffrogge.
+    + Fix: Use the full path when the installer for Windows sets calls
+      icacls.exe to set file permissions.
+    + Update: Improvements to Japanese translations provided by tak7iji.
+    + Update: Jacoco to 0.8.13.
+    + Code: Explicitly set the locale to be used for Javadoc. For
+      official releases, this locale will be English (US) to support
+      reproducible builds.
+    + Update: Byte Buddy to 1.17.5.
+    + Update: Checkstyle to 10.23.1.
+    + Update: File extension to media type mappings to align with the
+      current list used by the Apache Web Server (httpd).
+    + Update: Improvements to French translations.
+    + Update: Improvements to Japanese translations provided by tak7iji.
+
 -------------------------------------------------------------------
 Wed May  7 09:32:52 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
 

tomcat.spec

@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 104
+%define micro_version 106
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}