- Update to Tomcat 9.0.107

* Fixed CVEs:
    + CVE-2025-52520: Align size tracking for multipart requests with
      FileUpload's use of long. (bsc#1246388)
    + CVE-2025-52434: Improve stability of APR/native connector.
      (bsc#1246389)
    + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier.
      (bsc#1246318)
  * Catalina
    + Fix: Ensure application configured welcome files override the defaults
      when configuring an embedded web application programmatically. (markt)
    + Fix: Allow the default servlet to set the content length when the content
      length is known, no content has been written and a Writer is being used.
      (markt)
    + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that
      prevented access to PreResources and PostResources when mounted below the
      web application root with a path that was terminated with a file
      separator. (remm/markt)
    + Fix: 69731: Fix an issue that meant that the value of maxParameterCount
      applied was smaller than intended for multipart uploads with non-file
      parts when the parts were processed before query string parameters.
      (markt)
    + Fix: Align size tracking for multipart requests with FileUpload's use of
      long. (schultz)
  * Coyote
    + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update
      the documentation to provide more details on the memory requirements to
      support multi-part uploads while avoiding a denial of service risk.
      (markt)
    + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding
      when the headers include a content-length. (remm/markt)
    + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting
      one request multiple times. Based on pull request #868 by qingdaoheze.
      (markt)
    + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value
      of useVirtualThreads in JMX. (remm)
    + Fix: Improve stability of APR/native connector. (markt)
    + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional
      certificate verification and improve the warnings when a web application
      tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of
      TLS 1.3. (markt)
    + Fix: When setting the initial HTTP/2 connection limit, apply those limits
      earlier. (markt)
  * Jasper
    + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
    + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL
      grammar as both are unused. (markt)
  * Web applications
    + Add: Documentation. Provide more explicit guidance regarding the security
      considerations for enabling write access to the web application via
      WebDAV, HTTP PUT requests or similar. (markt)
    + Add: Documentation. Add a section on reverse proxies to the security
      considerations page. (markt)
  * Other
    + Update: Update UnboundID to 7.0.3. (markt)
    + Update: Update Checkstyle to 10.25.1. (markt)
    + Update: Improvements to French translations. (remm)
    + Update: Improvements to Japanese translations provided by tak7iji. (markt)

OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=343

apache-tomcat-9.0.107-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmhk2Z0ACgkQaCSJWTWe
+citEfg/9FbNoAFAP0ui2XT9+AdE/i8SuZEPenAqxY4vxupjtx4mtMCXMlrZaddkQ
++AofszUn0Q2zLIPCpf79Tp4FB0AgH+z6X2SXPBIqBY9bauC7ZEqpxpuiP3WIehRV
+oGHKv4PucGNndbm96gK+qu3BhwhbJzyXxqpf12+CAJ+uPBw1ywgX2MmqVwfkBeYb
+vIB85Io1BOtZPmp2v0XGXX4/uCqgTRXKE28mrleIghxOrd+Dezn0OQOcT112gejF
+FVk5j3+W64ZaRj3YAU5rkv7f+IeDAj1sc+JxytaGWyTuGlc0rCf7H++c7P9RltyM
+y0/LNKyECTIJW/0lZaaFHrLDZGgBXOzEwGki1xL+NiJSjWJimnqGM8wYGsydjEpi
+t4Z88q+C5hQH95cMxbBbKxy5nME63iVOXWrRAJF8Q0jmmNjoOpKv1J44v5fqOqro
+WqGu6i38mj/EFE9DjjOk86QCRoF4sVVG/QdeNdOzQ1wBmT+1SsYCDXAnE2sYEXBx
+MaVG6buEWJyVhi1Bz5nncm4sRPeq/m7WJDi+0sdHb6Fnut9FKKIKtAOQ6hj4OBNu
+FL3DLIjs8QamxDXfwGY/Vo3NZebt7KKH7nvPdY4QHJQCgqspOCQtz8XjOaseb1ct
+Qn6+QbcABPcCJ4tVco1Yu+5afz97r9x4CeyZlR3lo91o8B+7gfY=
+=5ujs
+-----END PGP SIGNATURE-----

apache-tomcat-9.0.98-src.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmdSBNoACgkQaCSJWTWe
-citlcw//UyA6O47D4cYTkgLaBMzNATMfYll9VLYaZFt3zipCKQ0Z1uIKVuXSYlty
-UQBrOIo3pbhgrDR2ndRF3IPv4+c5IN2q8lyo/PMbhaF1Jx6Qi+w07MBX58EBO88Q
-+2ZXOQ5KTY7YSl4uhKJHA14iH1hevJHt9ELO8D7npbsDDVz4OIJfeRGyp97lrlmE
-4jbE6VnF13kAEzvQdcTGcbxRHlCBWd3g+tJK3/0xfW3y9fWws/hOn5A0PM/Wb2yB
-nsm824VYOvwcYgSolKkgqEM/02lGbvcMtoF3pAzlHqE3WcZBL1SQh7BRVvj6MMB5
-zI21ThTqg+prSNK4ZQ6kdM+UHnJpQNwmiEvZh4E/sJuEzbouMhxCv/IydLM3j2Ck
-9Fa0fF26yA3bcwQHzjG5pB7IP6YVeR4t95hnvclMHYrTOvHttxnnb5NwSF4EpE5b
-JaufFixcUEjlb/9dWfOd4MQmf9yqupTiJh98ovqR6qjuBOfTXKDUmk1I8qIBne7Y
-OJExU/YdjZrgKgAQQLGB6G+u/T/ytvWlFNe2N+wCrunhlIPaFuK/3zj1/cM7ZwpA
-qtMFh+30IzPOBJSGDf4fvQsWIv490l+OMqlkv6arO7RFHkqWqq5gum/I2pF91OVt
-GL3AAjOuSkyLJwe2gW+aMeCyPegyTkNBp4gpslKXbtQtOIF1Lc8=
-=EWT+
------END PGP SIGNATURE-----

tomcat-9.0-build-with-java-11.patch

@@ -1,13 +1,13 @@
-Index: apache-tomcat-9.0.97-src/build.xml
+Index: apache-tomcat-9.0.104-src/build.xml
 ===================================================================
---- apache-tomcat-9.0.97-src.orig/build.xml
-+++ apache-tomcat-9.0.97-src/build.xml
+--- apache-tomcat-9.0.104-src.orig/build.xml
++++ apache-tomcat-9.0.104-src/build.xml
 @@ -108,7 +108,7 @@
    <!-- Keep in sync with webapps/docs/tomcat-docs.xsl -->
    <property name="compile.release" value="8"/>
    <property name="min.java.version" value="8"/>
 -  <property name="build.java.version" value="17"/>
 +  <property name="build.java.version" value="11"/>
-   <property name="release.java.version" value="17"/>
+   <property name="release.java.version" value="22"/>
  
    <!-- Check Java Build Version -->

tomcat-9.0-javadoc.patch

@@ -1,12 +1,12 @@
-Index: apache-tomcat-9.0.35-src/build.xml
+Index: apache-tomcat-9.0.104-src/build.xml
 ===================================================================
---- apache-tomcat-9.0.35-src.orig/build.xml
-+++ apache-tomcat-9.0.35-src/build.xml
-@@ -2038,8 +2039,6 @@ Apache Tomcat ${version} native binaries
+--- apache-tomcat-9.0.104-src.orig/build.xml
++++ apache-tomcat-9.0.104-src/build.xml
+@@ -2436,8 +2436,6 @@ Apache Tomcat ${version} native binaries
        <link href="../elapi"/>
        <link href="../websocketapi"/>
        <link href="../jaspicapi"/>
--      <link href="https://docs.oracle.com/javase/8/docs/api/"/>
+-      <link href="https://docs.oracle.com/en/java/javase/11/docs/api/"/>
 -      <link href="https://javaee.github.io/javaee-spec/javadocs/"/>
        <packageset dir="${tomcat.dist}/src/java/">
          <include name="org/**"/>

tomcat-9.0-jdt.patch

@@ -1,22 +1,22 @@
---- apache-tomcat-9.0.75-src/java/org/apache/jasper/compiler/JDTCompiler.java	2023-05-22 18:12:16.915658492 +0200
-+++ apache-tomcat-9.0.75-src/java/org/apache/jasper/compiler/JDTCompiler.java	2023-05-22 19:45:14.491706823 +0200
-@@ -310,7 +310,7 @@
-             } else if(opt.equals("15")) {
+--- apache-tomcat-9.0.98-src/java/org/apache/jasper/compiler/JDTCompiler.java	2025-01-06 17:29:55.096709905 +0100
++++ apache-tomcat-9.0.98-src/java/org/apache/jasper/compiler/JDTCompiler.java	2025-01-06 17:32:39.494486072 +0100
+@@ -298,7 +298,7 @@
+             } else if (opt.equals("15")) {
                  settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
-             } else if(opt.equals("16")) {
+             } else if (opt.equals("16")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
 +                settings.put(CompilerOptions.OPTION_Source, "16");
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
                  // Constant not available in latest ECJ version that runs on
                  // Java 8.
-@@ -392,8 +392,8 @@
+@@ -395,8 +395,8 @@
                  settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
                  settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
-             } else if(opt.equals("16")) {
+             } else if (opt.equals("16")) {
 -                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16);
 -                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16);
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "16");
 +                settings.put(CompilerOptions.OPTION_Compliance, "16");
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
                  // Constant not available in latest ECJ version that runs on
                  // Java 8.

tomcat-9.0-sle.catalina.policy.patch

@@ -1,7 +1,7 @@
-Index: apache-tomcat-9.0.82-src/conf/catalina.policy
+Index: apache-tomcat-9.0.104-src/conf/catalina.policy
 ===================================================================
---- apache-tomcat-9.0.82-src.orig/conf/catalina.policy
-+++ apache-tomcat-9.0.82-src/conf/catalina.policy
+--- apache-tomcat-9.0.104-src.orig/conf/catalina.policy
++++ apache-tomcat-9.0.104-src/conf/catalina.policy
 @@ -171,6 +171,9 @@ grant {
      permission java.lang.RuntimePermission "accessClassInPackage.org.apache.tomcat";
  

tomcat.changes

@@ -1,10 +1,430 @@
+-------------------------------------------------------------------
+Wed Aug  6 09:41:41 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 9.0.107
+  * Fixed CVEs:
+    + CVE-2025-52520: Align size tracking for multipart requests with
+      FileUpload's use of long. (bsc#1246388)
+    + CVE-2025-52434: Improve stability of APR/native connector.
+      (bsc#1246389)
+    + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier.
+      (bsc#1246318)
+  * Catalina
+    + Fix: Ensure application configured welcome files override the defaults
+      when configuring an embedded web application programmatically. (markt)
+    + Fix: Allow the default servlet to set the content length when the content
+      length is known, no content has been written and a Writer is being used.
+      (markt)
+    + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that
+      prevented access to PreResources and PostResources when mounted below the
+      web application root with a path that was terminated with a file
+      separator. (remm/markt)
+    + Fix: 69731: Fix an issue that meant that the value of maxParameterCount
+      applied was smaller than intended for multipart uploads with non-file
+      parts when the parts were processed before query string parameters.
+      (markt)
+    + Fix: Align size tracking for multipart requests with FileUpload's use of
+      long. (schultz)
+  * Coyote
+    + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update
+      the documentation to provide more details on the memory requirements to
+      support multi-part uploads while avoiding a denial of service risk.
+      (markt)
+    + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding
+      when the headers include a content-length. (remm/markt)
+    + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting
+      one request multiple times. Based on pull request #868 by qingdaoheze.
+      (markt)
+    + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value
+      of useVirtualThreads in JMX. (remm)
+    + Fix: Improve stability of APR/native connector. (markt)
+    + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional
+      certificate verification and improve the warnings when a web application
+      tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of
+      TLS 1.3. (markt)
+    + Fix: When setting the initial HTTP/2 connection limit, apply those limits
+      earlier. (markt)
+  * Jasper
+    + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
+    + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL
+      grammar as both are unused. (markt)
+  * Web applications
+    + Add: Documentation. Provide more explicit guidance regarding the security
+      considerations for enabling write access to the web application via
+      WebDAV, HTTP PUT requests or similar. (markt)
+    + Add: Documentation. Add a section on reverse proxies to the security
+      considerations page. (markt)
+  * Other
+    + Update: Update UnboundID to 7.0.3. (markt)
+    + Update: Update Checkstyle to 10.25.1. (markt)
+    + Update: Improvements to French translations. (remm)
+    + Update: Improvements to Japanese translations provided by tak7iji. (markt) 
+
+-------------------------------------------------------------------
+Tue Jun 24 09:24:21 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 9.0.106
+  * Fixed CVEs:
+    + CVE-2025-46701: refactor CGI servlet to access resources via
+      WebResources (bsc#1243815)
+    + CVE-2025-48988: limits the total number of parts in a
+      multi-part request and limits the size of
+      the headers provided with each part (bsc#1244656)
+    + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649)
+  * Catalina
+    + Add: Support for the java:module namespace which mirrors the
+      java:comp namespace.
+    + Add: Support parsing of multiple path parameters separated by ; in a
+      single URL segment. Based on pull request #860 by Chenjp.
+    + Add: Support for limiting the number of parameters in HTTP requests
+      through the new ParameterLimitValve. The valve allows configurable
+      URL-specific limits on the number of parameters.
+    + Fix: 69699: Encode redirect URL used by the rewrite valve with the
+      session id if appropriate, and handle cross context with different
+      session configuration when using rewrite.
+    + Add: #863: Support for comments at the end of lines in text rewrite
+      map files to align behaviour with Apache httpd. Pull request
+      provided by Chenjp.
+    + Fix: 69706: Saved request serialization issue in FORM introduced
+      when allowing infinite session timeouts.
+    + Fix: Expand the path checks for Pre-Resources and Post-Resources
+      mounted at a path within the web application.
+    + Fix: 69588: Enable allowLinking to be set on PreResources,
+      JarResources and PostResources. If not set explicitly, the setting
+      will be inherited from the Resources.
+    + Add: 69633: Support for Filters using context root mappings.
+    + Fix: #843: Off by one validation logic for partial PUT ranges and
+      associated test case. Submitted by Chenjp.
+    + Refactor: Replace the unused buffer in
+      org.apache.catalina.connector.InputBuffer with a static, zero
+      length buffer.
+    + Refactor: GCI servlet to access resources via the WebResource API.
+    + Fix: 69662: Report name in exception message when a naming lookup
+      failure occurs. Based on code submitted by Donald Smith.
+    + Fix: Ensure that the FORM authentication attribute
+      authenticationSessionTimeout works correctly when sessions have an
+      infinite timeout when authentication starts.
+    + Add: Provide a content type based on file extension when web
+      application resources are accessed via a URL.
+  * Coyote
+    + Refactor: #861: TaskQueue to use the new interface RetryableQueue
+      which enables better integration of custom Executors which provide
+      their own BlockingQueue implementation. Pull request provided by
+      Paulo Almeida.
+    + Add: Finer grained control of multi-part request processing via two
+      new attributes on the Connector element. maxPartCount limits the
+      total number of parts in a multi-part request and maxPartHeaderSize
+      limits the size of the headers provided with each part. Add support
+      for these new attributes to the ParameterLimitValve.
+    + Refactor: The SavedRequestInputFilter so the buffered data is used
+      directly rather than copied.
+  * Jasper
+    + Fix: 69696: Mark the JSP wrapper for reload after a failed
+      compilation.
+    + Fix: 69635: Add support to javax.el.ImportHandler for resolving
+      inner classes.
+    + Add: #842: Support for optimized execution of c:set and c:remove
+      tags, when activated via JSP servlet param
+      useNonstandardTagOptimizations.
+    + Fix: An edge case compilation bug for JSP and tag files on case
+      insensitive file systems that was exposed by the test case for
+      69635.
+  * Web applications
+    + Fix: 69694: Improve error reporting of deployment tasks done using
+      the manager webapp when a copy operation fails.
+    + Add: 68876: Documentation. Update the UML diagrams for server
+      start-up, request processing and authentication using PlantUML and
+      include the source files for each diagram.
+  * Other
+    + Add: Thread name to webappClassLoader.stackTraceRequestThread
+      message. Patch provided by Felix Zhang.
+    + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1
+      (2025-06-05).
+    + Update: EasyMock to 5.6.0.
+    + Update: Checkstyle to 10.25.0.
+    + Fix: #858: Extend improvements to CVE-2024-56337 protection to
+      service.bat. Pull request provided by Markus Hoffrogge.
+    + Fix: Use the full path when the installer for Windows sets calls
+      icacls.exe to set file permissions.
+    + Update: Improvements to Japanese translations provided by tak7iji.
+    + Update: Jacoco to 0.8.13.
+    + Code: Explicitly set the locale to be used for Javadoc. For
+      official releases, this locale will be English (US) to support
+      reproducible builds.
+    + Update: Byte Buddy to 1.17.5.
+    + Update: Checkstyle to 10.23.1.
+    + Update: File extension to media type mappings to align with the
+      current list used by the Apache Web Server (httpd).
+    + Update: Improvements to French translations.
+    + Update: Improvements to Japanese translations provided by tak7iji.
+
+-------------------------------------------------------------------
+Wed May  7 09:32:52 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Hardening permissions (bsc#1242722) 
+
+-------------------------------------------------------------------
+Fri May  2 14:54:04 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Make conflicts and provides more generic
+
+-------------------------------------------------------------------
+Wed Apr 30 10:48:23 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 9.0.104
+  * Fixed CVEs:  
+    + CVE-2025-31650: invalid priority field values should be ignored
+      (bsc#1242008)
+    + CVE-2025-31651: Better handling of URLs with literal ';' and '?'
+      (bsc#1242009)
+  * Catalina
+    + Fix: Fix use of SSS in SimpleDateFormat pattern for AccessLogValve.
+      (rjung)
+    + Fix: Process possible path parameters rewrite production in the rewrite
+      valve. (remm)
+    + Fix: 69643: Optimize directory listing for large amount of files. Patch
+      submitted by Loic de l'Eprevier. (remm)
+    + Fix: Return 400 if the amount of content sent for a partial PUT is
+      inconsistent with the range that was specified. (remm)
+    + Add: Add a new RateLimiter implementation,
+      org.apache.catalina.util.ExactRateLimiter, that can be used with
+      org.apache.catalina.filters.RateLimitFilter to provide rate limit based
+      on the exact values configured. Based on pull request #794 by Chenjp.
+      (markt)
+    + Fix: Fix parsing of the time-taken token in the ExtendedAccessLogValve.
+      (remm)
+    + Fix: Fix invocation of the FFM OpenSSL code for setting a SSL engine and
+      FIPS mode. (remm)
+    + Fix: 69600: Add IPv6 local addresses (RFC 4193 and RFC 4291) to the
+      default internal proxies for the RemoteIpFilter and RemoteIpValve.
+      (markt)
+    + Fix: 69615: Improve integration with the not found class resources cache
+      for users who are using a custom web application class loader and/or
+      using reflection to dynamically add external repositories to the web
+      application class loader. (markt)
+    + Add: Add a new initialisation parameter to the Default servlet -
+      allowPostAsGet - which controls whether a direct request (i.e. not a
+      forward or an include) for a static resource using the POST method will
+      be processed as if the GET method had been used. If not allowed, the
+      request will be rejected. The default behaviour of processing the request
+      as if the GET method had been used is unchanged. (markt)
+    + Fix: 69623: Correct a long standing regression that meant that calls to
+      ClassLoader.getResource().getContent() failed when made from within a web
+      application with resource caching enabled. (markt)
+    + Fix: 69634: Avoid NPE on JsonErrorReportValve. (remm)
+    + Fix: Add missing throwable stack trace to JsonErrorReportValve equivalent
+      to the one from ErrorReportValve. (remm)
+    + Fix: Improve the handling of %nn URL encoding in the RewriteValve and
+      document how %nn URL encoding may be used with rewrite rules. (markt)
+    + Fix: Fix a potential exception when calling
+      WebappClassLoaderBase.getResource(""). (markt)
+  * Coyote
+    + Fix: 69607: Allow failed initialization of MD5. Based on code submitted
+      by Shivam Verma. (remm)
+    + Fix: 69614: HTTP/2 priority frames with an invalid priority field value
+      should be ignored. (markt)
+    + Fix: Improve handling of unexpected errors during HTTP/2 processing.
+      (markt)
+    + Fix: Add missing code to process an OpenSSL profile, such as PROFILE=
+      SYSTEM, using FFM. (remm)
+    + Add: Simplify the process of using a custom SSLContext for an HTTPS
+      enabled connector. Based on pull request #805 by Hakky54. (markt)
+  * Jasper
+    + Code: Replace custom URL encoding provided by the JSP runtime library
+      with calls to java.net.URLEncoder.encode(). (markt)
+    + Add: Add compiler using the Java Compiler API, supporting exploded web
+      applications. The compilerClassName to use is
+      org.apache.jasper.compiler.JavaCompiler. (remm)
+    + Add: Add support for specifying Java 25 (with the value 25) as the
+      compiler source and/or compiler target for JSP compilation. If used with
+      an Eclipse JDT compiler version that does not support these values, a
+      warning will be logged and the default will be used. (markt)
+  * Cluster
+    + Fix: Fix resetting cross context sessions in the ReplicationValve.
+      (remm)
+  * Web applications
+    + Add: Documentation. Add a link to the Log4j documentation that describes
+      how to use Log4j rather than JULI for Tomcat's internal logging. (markt)
+    + Add: Documentation. Document the runtime attributes available to web
+      applications via the Request or the ServletContext. Based on pull request
+      #832 by usmazat. (markt)
+  * Other
+    + Fix: Set sun.io.useCanonCaches in service.bat. Based on pull request
+      #841 by Paul Lodge. (remm)
+    + Fix: The minimum Java version to build a release is now Java 22,
+      mirroring Tomcat 10.1. This removes the need for using a java-ffm.home
+      property. (remm)
+    + Update: Revert JSign to 6.0 to avoid a file locking issue. (markt)
+    + Update: Update to NSIS 3.11. (markt)
+    + Update: Update to ByteBuddy 1.17.4. (markt)
+    + Update: Update to Checkstyle 10.21.4. (markt)
+    + Update: Update to SpotBugs to 4.9.3. (markt)
+    + Update: Improvements to French translations. (remm)
+    + Update: Improvements to Japanese translations provided by tak7iji. (markt)
+
+-------------------------------------------------------------------
+Tue Mar 18 21:04:04 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 9.0.102
+  * Fixes:
+    + launch with java 17 (bsc#1239676)
+  * Catalina
+    + Fix: Weak etags in the If-Range header should not match as strong etags
+      are required. (remm)
+    + Fix: When looking up class loader resources by resource name, the resource
+      name should not start with '/'. If the resource name does start with '/',
+      Tomcat is lenient and looks it up as if the '/' was not present. When the
+      web application class loader was configured with external repositories and
+      names starting with '/' were used for lookups, it was possible that cached
+      'not found' results could effectively hide lookup results using the
+      correct resource name. (markt)
+    + Fix: Enable the JNDIRealm to validate credentials provided to
+      HttpServletRequest.login(String username, String password) when the realm
+      is configured to use GSSAPI authentication. (markt)
+    + Fix: Fix a bug in the JRE compatibility detection that incorrectly
+      identified Java 19 and Java 20 as supporting Java 21 features. (markt)
+    + Fix: Improve the checks for exposure to and protection against
+      CVE-2024-56337 so that reflection is not used unless required. The checks
+      for whether the file system is case sensitive or not have been removed.
+      (markt)
+    + Fix: Avoid scenarios where temporary files used for partial PUT would not
+      be deleted. (remm)
+    + Fix: 69602: Fix regression in releases from 12-2024 that were too strict
+      and rejected weak etags in the If-Range header. (remm)
+    + Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught
+      exception introduced for the check for CVE-2024-56337. (remm)
+  * Cluster
+    + Add: 69598: Add detection of service account token changes to the
+      KubernetesMembershipProvider implementation and reload the token if it
+      changes. Based on a patch by Miroslav Jezbera. (markt)
+  * Coyote
+    + Fix: 69575: Avoid using compression if a response is already compressed
+      using compress, deflate or zstd. (remm)
+    + Update: Use Transfer-Encoding for compression rather than Content-Encoding
+      if the client submits a TE header containing gzip. (remm)
+    + Fix: Fix a race condition in the handling of HTTP/2 stream reset that
+      could cause unexpected 500 responses. (markt)
+  * Other
+    + Add: Add makensis as an option for building the Installer for Windows on
+      non-Windows platforms. (rjung/markt)
+    + Update: Update Byte Buddy to 1.17.1. (markt)
+    + Update: Update Checkstyle to 10.21.3. (markt)
+    + Update: Update SpotBugs to 4.9.1. (markt)
+    + Update: Update JSign to 7.1. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+    + Add: Add org.apache.juli.JsonFormatter to format log as one line JSON
+      documents. (remm) 
+
+-------------------------------------------------------------------
+Wed Mar 12 16:21:08 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 9.0.99
+  * Fixed CVE:
+    + CVE-2025-24813: potential RCE and/or information disclosure/corruption with
+      partial PUT (bsc#1239302)    
+  * Catalina
+    + Update: Add tableName configuration on the DataSourcePropertyStore that
+      may be used by the WebDAV Servlet. (remm)
+    + Update: Improve HTTP If headers processing according to RFC 9110. Based on
+      pull request #796 by Chenjp. (remm/markt)
+    + Update: Allow readOnly attribute configuration on the Resources element
+      and allow configure the readOnly attribute value of the main resources.
+      The attribute value will also be used by the default and WebDAV Servlets.
+      (remm)
+    + Fix: 69285: Optimise the creation of the parameter map for included
+      requests. Based on sample code and test cases provided by John
+      Engebretson. (markt)
+    + Fix: 69527: Avoid rare cases where a cached resource could be set with 0
+      content length, or could be evicted immediately. (remm)
+    + Fix: Fix possible edge cases (such as HTTP/1.0) with trying to detect
+      requests without body for WebDAV LOCK and PROPFIND. (remm)
+    + Fix: 69528: Add multi-release JAR support for the bloom
+      archiveIndexStrategy of the Resources. (remm)
+    + Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based
+      on a patch submitted by Chenjp. (remm)
+    + Add: Add a check to ensure that, if one or more web applications are
+      potentially vulnerable to CVE-2024-56337, the JVM has been configured to
+      protect against the vulnerability and to configure the JVM correctly if
+      not. Where one or more web applications are potentially vulnerable to
+      CVE-2024-56337 and the JVM cannot be correctly configured or it cannot be
+      confirmed that the JVM has been correctly configured, prevent the impacted
+      web applications from starting. (markt)
+    + Fix: Remove unused session to client map from CrawlerSessionManagerValve.
+      Submitted by Brian Matzon. (remm)
+    + Fix: When using the WebDAV servlet with serveSubpathOnly set to true,
+      ensure that the destination for any requested WebDAV operation is also
+      restricted to the sub-path. (markt)
+    + Fix: Generate an appropriate Allow HTTP header when the Default servlet
+      returns a 405 (method not allowed) response in response to a DELETE
+      request because the target resource cannot be deleted. Pull request #802
+      provided by Chenjp. (markt)
+    + Code: Refactor creation of RequestDispatcher instances so that the
+      processing of the provided path is consistent with normal request
+      processing. (markt)
+    + Add: Add encodedReverseSolidusHandling and encodedSolidusHandling
+      attributes to Context to provide control over the handling of the path
+      used to created a RequestDispatcher. (markt)
+    + Fix: Handle a potential NullPointerException after an IOException occurs
+      on a non-container thread during asynchronous processing. (markt)
+    + Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
+  * Coyote
+    + Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does
+      not support. These settings are now silently ignored. (markt)
+    + Fix: Avoid a rare NullPointerException when recycling the
+      Http11InputBuffer. (markt)
+    + Fix: Lower the log level to debug for logging an invalid socket channel
+      when processing poller events for the NIO Connector as this may occur in
+      normal usage. (markt)
+    + Code: Clean-up references to the HTTP/2 stream once request processing has
+      completed to aid GC and reduce the size of the HTTP/2 recycled request and
+      response cache. (markt)
+    + Add: Add a new Connector configuration attribute,
+      encodedReverseSolidusHandling, to control how %5c sequences in URLs are
+      handled. The default behaviour is unchanged (decode) keeping in mind that
+      the allowBackslash attribute determines how the decoded URI is processed.
+      (markt)
+    + Fix: 69545: Improve CRLF skipping for the available method of the
+      ChunkedInputFilter. (remm)
+    + Fix: Improve the performance of repeated calls to getHeader(). Pull
+      request #813 provided by Adwait Kumar Singh. (markt)
+    + Fix: 69559: Ensure that the Java 24 warning regarding the use of
+      sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code
+      will be used. (markt)
+  * Jasper
+    + Fix: 69508: Correct a regression in the fix for 69382 that broke JSP
+      include actions if both the page attribute and the body contained
+      parameters. Pull request #803 provided by Chenjp. (markt)
+    + Fix: 69521: Update the EL Parser to allow the full range of valid
+      characters in an EL identifier as defined by the Java Language
+      Specification. (markt)
+    + Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch
+      provided by John Engebretson. (markt)
+  * Web applications
+    + Add: Documentation. Expand the description of the security implications of
+      setting mapperContextRootRedirectEnabled and/or
+      mapperDirectoryRedirectEnabled to true. (markt)
+    + Fix: Documentation. Better document the default for the truststoreProvider
+      attribute of a SSLHostConfig element. (markt)
+  * Other
+    + Update: Update to Commons Daemon 1.4.1. (markt)
+    + Update: Update the internal fork of Commons Pool to 2.12.1. (markt)
+    + Update: Update Byte Buddy to 1.16.1. (markt)
+    + Update: Update UnboundID to 7.0.2. (markt)
+    + Update: Update Checkstyle to 10.21.2. (markt)
+    + Update: Update SpotBugs to 4.9.0. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Chinese translations by leeyazhou. (markt)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+  
 -------------------------------------------------------------------
 Fri Jan  3 16:03:11 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
 
 - Update to Tomcat 9.0.98
   * Fixed CVEs:
-    + CVE-2024-54677: DoS in examples web application (bsc#1233434)
+    + CVE-2024-54677: DoS in examples web application (bsc#1234664)
     + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
+    + CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435)
   * Catalina
     + Add: Add option to serve resources from subpath only with WebDAV Servlet
       like with DefaultServlet. (michaelo)
@@ -66,20 +486,17 @@ Fri Jan  3 16:03:11 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
       default servlet. It will be removed in Tomcat 12 onwards where it will
       effectively be hard coded to true. (markt)
     + Add: Add DataSource based property storage for the WebdavServlet. (remm)
-
   * Coyote
     + Fix: Align encodedSolidusHandling with the Servlet specification. If the
       pass-through mode is used, any %25 sequences will now also be passed
       through to avoid errors and/or corruption when the application decodes the
       path. (markt)
-
   * Jasper
     + Fix: Further optimise EL evaluation of method parameters. Patch provided
       by Paolo B. (markt)
     + Fix: Follow-up to the fix for 69381. Apply the optimisation for method
       lookup performance in expression language to an additional location.
       (markt)
-
   * Web applications
     + Fix: Documentation. Remove references to the ResourceParams element.
       Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
@@ -100,7 +517,6 @@ Fri Jan  3 16:03:11 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
     + Add: Examples. Limit the shopping cart example to only allow adding the
       pre-defined items to the cart. (markt)
     + Fix: Examples. Remove JSP calendar example. (markt)
-
   * Other
     + Fix: 69465: Fix warnings during native image compilation using the Tomcat
       embedded JARs. (markt)
@@ -112,7 +528,9 @@ Fri Jan  3 16:03:11 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
     + Add: Improvements to Korean translations. (markt)
     + Add: Improvements to Chinese translations. (markt)
     + Add: Improvements to Japanese translations by tak7iji. (markt)
-
+- Modified patch:
+  * tomcat-9.0-jdt.patch
+    + rediff
 
 -------------------------------------------------------------------
 Fri Nov 22 19:51:47 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>

tomcat.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 98
+%define micro_version 107
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}
@@ -120,12 +120,14 @@ Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
 Requires(pre):  shadow
-%systemd_ordering
 Recommends:     libtcnative-1-0 >= 1.1.24
 Recommends:     logrotate
+Conflicts:      %{name}-implementation
+Provides:       %{name}-implementation = %{version}
 Provides:       group(tomcat)
 Provides:       user(tomcat)
 BuildArch:      noarch
+%systemd_ordering
 
 %description
 Tomcat is the servlet container that is used in the official Reference
@@ -142,6 +144,8 @@ Requires:       %{name} = %{version}-%{release}
 Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
+Conflicts:      %{name}-implementation-admin-webapps
+Provides:       %{name}-implementation-admin-webapps = %{version}
 
 %description admin-webapps
 The host manager and manager web-based applications for Apache Tomcat.
@@ -149,6 +153,8 @@ The host manager and manager web-based applications for Apache Tomcat.
 %package embed
 Summary:        Libraries for Embedding Apache Tomcat
 Group:          Productivity/Networking/Web/Servers
+Conflicts:      %{name}-implementation-embed
+Provides:       %{name}-implementation-embed = %{version}
 
 %description embed
 Embeddeding support (various libraries) for Apache Tomcat.
@@ -160,6 +166,8 @@ Requires:       %{name} = %{version}-%{release}
 Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
+Conflicts:      %{name}-implementation-docs-webapp
+Provides:       %{name}-implementation-docs-webapp = %{version}
 
 %description docs-webapp
 The documentation of web application for Apache Tomcat.
@@ -169,11 +177,13 @@ Summary:        Expression Language v3.0 API
 Group:          Development/Libraries/Java
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
+Conflicts:      %{name}-implementation-el-api
 Provides:       %{name}-el-%{elspec}-api = %{version}-%{release}
 Provides:       el_3_0_api = %{version}-%{release}
 Provides:       el_api = %{elspec}
 Obsoletes:      el_api < %{elspec}
 Obsoletes:      tomcat-el-2_2-api
+Provides:       %{name}-implementation-el-api = %{version}
 
 %description el-3_0-api
 Expression Language API version 3.0.
@@ -181,6 +191,8 @@ Expression Language API version 3.0.
 %package javadoc
 Summary:        Javadoc generated documentation for Apache Tomcat
 Group:          Documentation/HTML
+Conflicts:      %{name}-implementation-javadoc
+Provides:       %{name}-implementation-javadoc = %{version}
 BuildArch:      noarch
 
 %description javadoc
@@ -193,6 +205,8 @@ Requires:       mvn(org.apache.tomcat:tomcat-el-api)
 Requires:       mvn(org.apache.tomcat:tomcat-servlet-api)
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
+Conflicts:      %{name}-implementation-jsp-api
+Provides:       %{name}-implementation-jsp-api = %{version}
 Provides:       %{name}-jsp-%{jspspec}-api
 Provides:       jsp = %{jspspec}
 Provides:       jsp23
@@ -207,6 +221,8 @@ Summary:        Apache jsvc wrapper for Apache Tomcat as separate service
 Group:          Productivity/Networking/Web/Servers
 Requires:       %{name} = %{version}-%{release}
 Requires:       apache-commons-daemon-jsvc
+Conflicts:      %{name}-implementation-jsvc
+Provides:       %{name}-implementation-jsvc = %{version}
 %systemd_ordering
 
 %description jsvc
@@ -222,8 +238,10 @@ Requires:       %{name}-jsp-%{jspspec}-api = %{version}-%{release}
 Requires:       %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Requires(post): ecj >= 4.4
 Requires(preun): coreutils
+Conflicts:      %{name}-implementation-lib
 Provides:       jakarta-commons-dbcp-tomcat5 = 1.4
 Obsoletes:      jakarta-commons-dbcp-tomcat5 < 1.4
+Provides:       %{name}-implementation-lib = %{version}
 
 %description lib
 Libraries required to successfully run the Tomcat Web container
@@ -233,6 +251,7 @@ Summary:        Apache Tomcat Servlet API implementation classes
 Group:          Productivity/Networking/Web/Servers
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
+Conflicts:      %{name}-implementation-servlet-api
 Provides:       %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Provides:       servlet = %{servletspec}
 Provides:       servlet31
@@ -240,6 +259,7 @@ Provides:       servlet7
 Obsoletes:      servlet < %{servletspec}
 Obsoletes:      tomcat-servlet-3_0-api
 Obsoletes:      tomcat-servlet-3_1-api
+Provides:       %{name}-implementation-servlet-api = %{version}
 
 %description servlet-4_0-api
 Apache Tomcat Servlet API implementation classes version 3.1
@@ -252,6 +272,8 @@ Requires:       jakarta-taglibs-standard >= 1.1
 Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
+Conflicts:      %{name}-implementation-webapps
+Provides:       %{name}-implementation-webapps = %{version}
 
 %description webapps
 The ROOT and examples web applications for Apache Tomcat
@@ -308,7 +330,7 @@ ant -Dbase.path="." \
     -Dno.build.dbcp=true \
     -Dversion="%{version}" \
     -Dversion.build="%{micro_version}" \
-    deploy dist-prepare dist-source javadoc package embed-jars
+    deploy javadoc package embed-jars
 
 # remove some jars that we'll replace with symlinks later
 rm output/build/bin/commons-daemon.jar \
@@ -697,22 +719,22 @@ fi
 
 %files
 %doc {LICENSE,NOTICE,RELEASE*}
-%attr(0755,root,root) %{_bindir}/%{name}-digest
-%attr(0755,root,root) %{_bindir}/%{name}-tool-wrapper
-%attr(0755,root,root) %{_sbindir}/%{name}
-%attr(0644,root,root) %{_unitdir}/%{name}.service
+%{_bindir}/%{name}-digest
+%{_bindir}/%{name}-tool-wrapper
+%{_sbindir}/%{name}
+%{_unitdir}/%{name}.service
 %{_sbindir}/rc%{name}
-%attr(0644,root,root) %{_unitdir}/%{name}@.service
-%attr(0755,root,root) %dir %{_libexecdir}/%{name}
-%attr(0755,root,root) %dir %{_localstatedir}/lib/tomcats
-%attr(0755,root,root) %{_libexecdir}/%{name}/functions
-%attr(0755,root,root) %{_libexecdir}/%{name}/preamble
-%attr(0755,root,root) %{_libexecdir}/%{name}/server
+%{_unitdir}/%{name}@.service
+%dir %{_libexecdir}/%{name}
+%dir %{_localstatedir}/lib/tomcats
+%{_libexecdir}/%{name}/functions
+%{_libexecdir}/%{name}/preamble
+%{_libexecdir}/%{name}/server
 #bnc#565901
 %{bindir}/catalina.sh
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
-%attr(0755,root,tomcat) %dir %{basedir}
-%attr(0755,root,tomcat) %dir %{confdir}
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{name}
+%dir %{basedir}
+%dir %{confdir}
 %attr(0775,root,tomcat) %dir %{appdir}
 %attr(0770,tomcat,tomcat) %dir %{logdir}
 %attr(0660,tomcat,tomcat) %{logdir}/catalina.out
@@ -725,29 +747,29 @@ fi
 %attr(0775,root,tomcat) %dir %{tomcatappdir}
 
 %{confdir}/Catalina
-%attr(0755,root,tomcat) %dir %{confdir}/conf.d
-%attr(0644,root,tomcat) %{confdir}/conf.d/README
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/%{name}.conf
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.policy
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.properties
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/context.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/server.xml
+%dir %{confdir}/conf.d
+%{confdir}/conf.d/README
+%config(noreplace) %{confdir}/%{name}.conf
+%config(noreplace) %{confdir}/*.policy
+%config(noreplace) %{confdir}/*.properties
+%config(noreplace) %{confdir}/context.xml
+%config(noreplace) %{confdir}/server.xml
 # keep tomcat-users.xml readable only by root and tomcat group
 %attr(0640,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/web.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
-%attr(0755,root,tomcat) %dir %{homedir}
-%attr(0644,root,tomcat) %{bindir}/bootstrap.jar
-%attr(0644,root,tomcat) %{bindir}/catalina-tasks.xml
+%config(noreplace) %{confdir}/web.xml
+%config(noreplace) %{confdir}/jaspic-providers.xml
+%dir %{homedir}
+%{bindir}/bootstrap.jar
+%{bindir}/catalina-tasks.xml
 %{homedir}/lib
 %{homedir}/temp
 %{homedir}/work
 %{homedir}/webapps
 %{homedir}/logs
 %{homedir}/conf
-%attr(0644,root,tomcat) %{_fillupdir}/sysconfig.%{name}
-%attr(0644,root,tomcat) %{confdir}/allowLinking.xslt
-%attr(0644,root,tomcat) %{confdir}/valve.xslt
+%{_fillupdir}/sysconfig.%{name}
+%{confdir}/allowLinking.xslt
+%{confdir}/valve.xslt
 
 %files admin-webapps
 %defattr(0644,root,tomcat,0755)
@@ -808,7 +830,7 @@ fi
 
 %files jsvc
 %defattr(755,root,root,0755)
-%attr(0644,root,root) %{_unitdir}/%{name}-jsvc.service
+%{_unitdir}/%{name}-jsvc.service
 %{_sbindir}/rc%{name}-jsvc
 
 %changelog