- Update to Tomcat 10.1.43

* Fixed CVEs:
    + CVE-2025-52520: Align size tracking for multipart requests with
      FileUpload's use of long. (bsc#1246388)
    + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier.
      (bsc#1246318)
  * Catalina
    + Fix: Ensure application configured welcome files override the defaults
      when configuring an embedded web application programmatically. (markt)
    + Fix: Allow the default servlet to set the content length when the content
      length is known, no content has been written and a Writer is being used.
      (markt)
    + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that
      prevented access to PreResources and PostResources when mounted below the
      web application root with a path that was terminated with a file
      separator. (remm/markt)
    + Fix: 69731: Fix an issue that meant that the value of maxParameterCount
      applied was smaller than intended for multipart uploads with non-file
      parts when the parts were processed before query string parameters.
      (markt)
    + Fix: Align size tracking for multipart requests with FileUpload's use of
      long. (schultz)
  * Coyote
    + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update
      the documentation to provide more details on the memory requirements to
      support multi-part uploads while avoiding a denial of service risk.
      (markt)
    + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding
      when the headers include a content-length. (remm/markt)
    + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting
      one request multiple times. Based on pull request #868 by qingdaoheze.
      (markt)
    + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value
      of useVirtualThreads in JMX. (remm)
    + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional
      certificate verification and improve the warnings when a web application
      tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of
      TLS 1.3. (markt)
    + Fix: When setting the initial HTTP/2 connection limit, apply those limits
      earlier. (markt)
  * Jasper
    + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
    + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL
      grammar as both are unused. (markt)
  * Web applications
    + Add: Documentation. Provide more explicit guidance regarding the security
      considerations for enabling write access to the web application via
      WebDAV, HTTP PUT requests or similar. (markt)
    + Add: Documentation. Add a section on reverse proxies to the security
      considerations page. (markt)
  * Other
    + Update: Update UnboundID to 7.0.3. (markt)
    + Update: Update Checkstyle to 10.25.1. (markt)
    + Update: Improvements to French translations. (remm)
    + Update: Improvements to Japanese translations provided by tak7iji. (markt)

OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat10?expand=0&rev=72

apache-tomcat-10.1.35-src.tar.gz

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c5e98381530b15e88411ac99ede6226d51a2dd108d7157501c6c7899b50e2f4b
-size 6979367

apache-tomcat-10.1.43-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmhkU9cACgkQHPApP6U8
+pFhElw/+PtORhhIobN6tQaSZYWQ8wfgNnd+gYpT31sp7ufUmKpHDYU0/FeU/kCmZ
+FEIPbxPfEA4vHjbJh6E+sN59+s8HO5A255M3qum/NIJW8XsN5EdZcn+8fZVogMp7
+jWtnB7A9TPZ32mOljY7GXfXe4Da7PUoH8DZgD+eJ/iXrYoK6dgha5Z0cUQWuHq7j
+h/nCajbnNhsicIipAXUlUEwkWi6br3CPSFTdULmG9WvxgUEvKetSftOScqtOCE5C
+Tb5SZFyHuui2BAT9d6D6Varjae8GcpvkBupa6YhL981jERrGybo38IfSP2HWAlwP
+vQIuCGkhSoe/Nn65f2UxMiftyWPY8AgyedRFzE2EXxyxWZCOXksbovvqlhKxoStk
+MofhhAMhNApdk7d+wipuLcjRXdQBXo5PSo0782uDE+Fyl7sTl7dRnVmQNCTyrVUg
+/bFqMUzuQS7znqXNj+0yD9x1aC+LeiNMsvYTfPihqv7SeJUqz10CyqkkO8aYetGJ
+RhHlcrzl0+hsCzyYV8W2BG28GHfTRxSfYA43tlTqg5c7BFzOs3NlJFLwMcxToszw
+7Lb2xXevGnBRSM27UbXeLFXr9/xDiMu9C0fxAIpCNKhFVIidNoJ/vvIkMtj38xzT
+DWz0EQB/8TSwfEmqs+c5uppziZa7eN6iJfWBp18IqPLC1wPgKGY=
+=VK2I
+-----END PGP SIGNATURE-----

tomcat10.changes

@@ -1,3 +1,316 @@
+-------------------------------------------------------------------
+Wed Aug  6 12:45:13 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 10.1.43
+  * Fixed CVEs:
+    + CVE-2025-52520: Align size tracking for multipart requests with
+      FileUpload's use of long. (bsc#1246388)
+    + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier.
+      (bsc#1246318)
+  * Catalina
+    + Fix: Ensure application configured welcome files override the defaults
+      when configuring an embedded web application programmatically. (markt)
+    + Fix: Allow the default servlet to set the content length when the content
+      length is known, no content has been written and a Writer is being used.
+      (markt)
+    + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that
+      prevented access to PreResources and PostResources when mounted below the
+      web application root with a path that was terminated with a file
+      separator. (remm/markt)
+    + Fix: 69731: Fix an issue that meant that the value of maxParameterCount
+      applied was smaller than intended for multipart uploads with non-file
+      parts when the parts were processed before query string parameters.
+      (markt)
+    + Fix: Align size tracking for multipart requests with FileUpload's use of
+      long. (schultz)
+  * Coyote
+    + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update
+      the documentation to provide more details on the memory requirements to
+      support multi-part uploads while avoiding a denial of service risk.
+      (markt)
+    + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding
+      when the headers include a content-length. (remm/markt)
+    + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting
+      one request multiple times. Based on pull request #868 by qingdaoheze.
+      (markt)
+    + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value
+      of useVirtualThreads in JMX. (remm)
+    + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional
+      certificate verification and improve the warnings when a web application
+      tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of
+      TLS 1.3. (markt)
+    + Fix: When setting the initial HTTP/2 connection limit, apply those limits
+      earlier. (markt)
+  * Jasper
+    + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
+    + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL
+      grammar as both are unused. (markt)
+  * Web applications
+    + Add: Documentation. Provide more explicit guidance regarding the security
+      considerations for enabling write access to the web application via
+      WebDAV, HTTP PUT requests or similar. (markt)
+    + Add: Documentation. Add a section on reverse proxies to the security
+      considerations page. (markt)
+  * Other
+    + Update: Update UnboundID to 7.0.3. (markt)
+    + Update: Update Checkstyle to 10.25.1. (markt)
+    + Update: Improvements to French translations. (remm)
+    + Update: Improvements to Japanese translations provided by tak7iji. (markt)
+
+-------------------------------------------------------------------
+Tue Jun 24 09:51:59 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 10.1.42
+  * Fixed CVEs:
+    + CVE-2025-46701: refactor CGI servlet to access resources via
+      WebResources (bsc#1243815)
+    + CVE-2025-48988: limits the total number of parts in a
+      multi-part request and limits the size of
+      the headers provided with each part (bsc#1244656)
+    + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649)
+  * Catalina
+    + Add: Support for the java:module namespace which mirrors the
+      java:comp namespace.
+    + Add: Support parsing of multiple path parameters separated by ; in a
+      single URL segment. Based on pull request #860 by Chenjp.
+    + Add: Support for limiting the number of parameters in HTTP requests
+      through the new ParameterLimitValve. The valve allows configurable
+      URL-specific limits on the number of parameters.
+    + Fix: 69699: Encode redirect URL used by the rewrite valve with the
+      session id if appropriate, and handle cross context with different
+      session configuration when using rewrite.
+    + Add: #863: Support for comments at the end of lines in text rewrite
+      map files to align behaviour with Apache httpd. Pull request
+      provided by Chenjp.
+    + Fix: 69706: Saved request serialization issue in FORM introduced
+      when allowing infinite session timeouts.
+    + Fix: Expand the path checks for Pre-Resources and Post-Resources
+      mounted at a path within the web application.
+    + Fix: Use of SSS in SimpleDateFormat pattern for AccessLogValve.
+    + Fix: Process possible path parameters rewrite production in the
+      rewrite valve.
+    + Fix: 69588: Enable allowLinking to be set on PreResources,
+      JarResources and PostResources. If not set explicitly, the setting
+      will be inherited from the Resources.
+    + Add: 69633: Support for Filters using context root mappings.
+    + Fix: 69643: Optimize directory listing for large amount of files.
+      Patch submitted by Loic de l'Eprevier.
+    + Fix: #843: Off by one validation logic for partial PUT ranges and
+      associated test case. Submitted by Chenjp.
+    + Refactor: Replace the unused buffer in
+      org.apache.catalina.connector.InputBuffer with a static, zero
+      length buffer.
+    + Refactor: GCI servlet to access resources via the WebResource API.
+    + Fix: 69662: Report name in exception message when a naming lookup
+      failure occurs. Based on code submitted by Donald Smith.
+    + Fix: Ensure that the FORM authentication attribute
+      authenticationSessionTimeout works correctly when sessions have an
+      infinite timeout when authentication starts.
+    + Add: Provide a content type based on file extension when web
+      application resources are accessed via a URL.
+  * Coyote
+    + Refactor: #861: TaskQueue to use the new interface RetryableQueue
+      which enables better integration of custom Executors which provide
+      their own BlockingQueue implementation. Pull request provided by
+      Paulo Almeida.
+    + Add: Finer grained control of multi-part request processing via two
+      new attributes on the Connector element. maxPartCount limits the
+      total number of parts in a multi-part request and maxPartHeaderSize
+      limits the size of the headers provided with each part. Add support
+      for these new attributes to the ParameterLimitValve.
+    + Refactor: The SavedRequestInputFilter so the buffered data is used
+      directly rather than copied.
+  * Jasper
+    + Fix: 69696: Mark the JSP wrapper for reload after a failed
+      compilation.
+    + Fix: 69635: Add support to jakarta.el.ImportHandler for resolving
+      inner classes.
+    + Add: #842: Support for optimized execution of c:set and c:remove
+      tags, when activated via JSP servlet param
+      useNonstandardTagOptimizations.
+    + Fix: An edge case compilation bug for JSP and tag files on case
+      insensitive file systems that was exposed by the test case for
+      69635.
+  * Web applications
+    + Fix: 69694: Improve error reporting of deployment tasks done using
+      the manager webapp when a copy operation fails.
+    + Add: 68876: Documentation. Update the UML diagrams for server
+      start-up, request processing and authentication using PlantUML and
+      include the source files for each diagram.
+  * Other
+    + Add: Thread name to webappClassLoader.stackTraceRequestThread
+      message. Patch provided by Felix Zhang.
+    + Update: Tomcat Native to 2.0.9.
+    + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1
+      (2025-06-05).
+    + Update: EasyMock to 5.6.0.
+    + Update: Checkstyle to 10.25.0.
+    + Fix: Use the full path when the installer for Windows sets calls
+      icacls.exe to set file permissions.
+    + Update: Improvements to Japanese translations provided by tak7iji.
+    + Fix: Set sun.io.useCanonCaches in service.bat Based on pull request
+      #841 by Paul Lodge.
+    + Update: Jacoco to 0.8.13.
+    + Code: Explicitly set the locale to be used for Javadoc. For
+      official releases, this locale will be English (US) to support
+      reproducible builds.
+    + Update: Byte Buddy to 1.17.5.
+    + Update: Checkstyle to 10.23.1.
+    + Update: File extension to media type mappings to align with the
+      current list used by the Apache Web Server (httpd).
+    + Update: Improvements to French translations.
+    + Update: Improvements to Japanese translations provided by tak7iji. 
+
+-------------------------------------------------------------------
+Tue Jun 10 12:56:25 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Hardening permissions (bsc#1242722)
+
+-------------------------------------------------------------------
+Fri May  2 14:55:24 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Make conflicts and provides more generic
+
+-------------------------------------------------------------------
+Wed Apr 30 10:31:05 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 10.1.40
+  * Fixed CVEs:  
+    + CVE-2025-31650: invalid priority field values should be ignored
+      (bsc#1242008)
+    + CVE-2025-31651: Better handling of URLs with literal ';' and '?'
+      (bsc#1242009)
+  * Catalina
+    + Fix: Return 400 if the amount of content sent for a partial PUT is
+      inconsistent with the range that was specified. (remm)
+    + Add: Add a new RateLimiter implementation,
+      org.apache.catalina.util.ExactRateLimiter, that can be used with
+      org.apache.catalina.filters.RateLimitFilter to provide rate limit based
+      on the exact values configured. Based on pull request #794 by Chenjp.
+      (markt)
+    + Fix: Fix parsing of the time-taken token in the ExtendedAccessLogValve.
+      (remm)
+    + Fix: Fix invocation of the FFM OpenSSL code for setting a SSL engine and
+      FIPS mode. (remm)
+    + Fix: 69600: Add IPv6 local addresses (RFC 4193 and RFC 4291) to the
+      default internal proxies for the RemoteIpFilter and RemoteIpValve.
+      (markt)
+    + Fix: 69615: Improve integration with the not found class resources cache
+      for users who are using a custom web application class loader and/or
+      using reflection to dynamically add external repositories to the web
+      application class loader. (markt)
+    + Add: Add a new initialisation parameter to the Default servlet -
+      allowPostAsGet - which controls whether a direct request (i.e. not a
+      forward or an include) for a static resource using the POST method will
+      be processed as if the GET method had been used. If not allowed, the
+      request will be rejected. The default behaviour of processing the request
+      as if the GET method had been used is unchanged. (markt)
+    + Fix: 69623: Correct a long standing regression that meant that calls to
+      ClassLoader.getResource().getContent() failed when made from within a web
+      application with resource caching enabled. (markt)
+    + Fix: 69634: Avoid NPE on JsonErrorReportValve. (remm)
+    + Fix: Add missing throwable stack trace to JsonErrorReportValve equivalent
+      to the one from ErrorReportValve. (remm)
+    + Fix: Improve the handling of %nn URL encoding in the RewriteValve and
+      document how %nn URL encoding may be used with rewrite rules. (markt)
+    + Fix: Fix a potential exception when calling
+      WebappClassLoaderBase.getResource(""). (markt)
+  * Coyote
+    + Fix: 69607: Allow failed initialization of MD5. Based on code submitted by
+      Shivam Verma. (remm)
+    + Fix: 69614: HTTP/2 priority frames with an invalid priority field value
+      should be ignored. (markt)
+    + Fix: Improve handling of unexpected errors during HTTP/2 processing.
+      (markt)
+    + Fix: Add missing code to process an OpenSSL profile, such as
+      PROFILE=SYSTEM, using FFM. (remm)
+    + Add: Simplify the process of using a custom SSLContext for an HTTPS
+      enabled connector. Based on pull request #805 by Hakky54. (markt)
+  * Jasper
+    + Code: Replace custom URL encoding provided by the JSP runtime library with
+      calls to java.net.URLEncoder.encode(). (markt)
+    + Add: Add compiler using the Java Compiler API, supporting exploded web
+      applications. The compilerClassName to use is
+      org.apache.jasper.compiler.JavaCompiler. (remm)
+    + Add: Add support for specifying Java 25 (with the value 25) as the
+      compiler source and/or compiler target for JSP compilation. If used with
+      an Eclipse JDT compiler version that does not support these values, a
+      warning will be logged and the default will be used. (markt)
+  * Cluster
+    + Fix: Fix resetting cross context sessions in the ReplicationValve. (remm)
+  * Web applications
+    + Add: Documentation. Add a link to the Log4j documentation that describes
+      how to use Log4j rather than JULI for Tomcat's internal logging. (markt)
+    + Add: Documentation. Document the runtime attributes available to web
+      applications via the Request or the ServletContext. Based on pull request
+      #832 by usmazat. (markt)
+  * Other
+    + Update: Revert JSign to 6.0 to avoid a file locking issue. (markt)
+    + Update: Update to NSIS 3.11. (markt)
+    + Update: Update to ByteBuddy 1.17.4. (markt)
+    + Update: Update to Checkstyle 10.21.4. (markt)
+    + Update: Update to SpotBugs to 4.9.3. (markt)
+    + Update: Improvements to French translations. (remm)
+    + Update: Improvements to Japanese translations provided by tak7iji. (markt)
+
+-------------------------------------------------------------------
+Tue Mar 18 21:16:30 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 10.1.39
+  * Fixes:
+    + launch with java 17 (bsc#1239676)
+  * Catalina
+    + Fix: 69602: Fix regression in releases from 12-2024 that were too strict
+      and rejected weak etags in the If-Range header with a 400 response.
+      Instead will consider it as a failed match since strong etags are required
+      for If-Range. (remm)
+    + Fix: When looking up class loader resources by resource name, the resource
+      name should not start with '/'. If the resource name does start with '/',
+      Tomcat is lenient and looks it up as if the '/' was not present. When the
+      web application class loader was configured with external repositories and
+      names starting with '/' were used for lookups, it was possible that cached
+      'not found' results could effectively hide lookup results using the
+      correct resource name. (markt)
+    + Fix: Enable the JNDIRealm to validate credentials provided to
+      HttpServletRequest.login(String username, String password) when the realm
+      is configured to use GSSAPI authentication. (markt)
+    + Fix: Fix a bug in the JRE compatibility detection that incorrectly
+      identified Java 19 and Java 20 as supporting Java 21 features. (markt)
+    + Fix: Improve the checks for exposure to and protection against
+      CVE-2024-56337 so that reflection is not used unless required. The checks
+      for whether the file system is case sensitive or not have been removed.
+      (markt)
+    + Add: Add support for logging the connection ID (as returned by
+      ServletRequest.getServletConnection().getConnectionId()) with the
+      AccessLogValve and ExtendedAccessLogValve. Based on pull request #814 by
+      Dmole. (markt)
+    + Fix: Avoid scenarios where temporary files used for partial PUT would not
+      be deleted. (remm)
+    + Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught
+      exception introduced for the check for CVE-2024-56337. (remm)
+  * Cluster
+    + Add: 69598: Add detection of service account token changes to the
+      KubernetesMembershipProvider implementation and reload the token if it
+      changes. Based on a patch by Miroslav Jezbera. (markt)
+  * Coyote
+    + Fix: 69575: Avoid using compression if a response is already compressed
+      using compress, deflate or zstd. (remm)
+    + Update: Use Transfer-Encoding for compression rather than Content-Encoding
+      if the client submits a TE header containing gzip. (remm)
+    + Fix: Fix a race condition in the handling of HTTP/2 stream reset that
+      could cause unexpected 500 responses. (markt)
+  * Other
+    + Add: Add makensis as an option for building the Installer for Windows on
+      non-Windows platforms. (rjung/markt)
+    + Update: Update Byte Buddy to 1.17.1. (markt)
+    + Update: Update Checkstyle to 10.21.3. (markt)
+    + Update: Update SpotBugs to 4.9.1. (markt)
+    + Update: Update JSign to 7.1. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+    + Add: Add org.apache.juli.JsonFormatter to format log as one line JSON
+      documents. (remm) 
+
 -------------------------------------------------------------------
 Wed Mar 12 16:42:43 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
 
@@ -31,7 +344,7 @@ Wed Mar 12 16:42:43 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
       potentially vulnerable to CVE-2024-56337, the JVM has been configured to
       protect against the vulnerability and to configure the JVM correctly if
       not. Where one or more web applications are potentially vulnerable to
-      CVE-2004-56337 and the JVM cannot be correctly configured or it cannot be
+      CVE-2024-56337 and the JVM cannot be correctly configured or it cannot be
       confirmed that the JVM has been correctly configured, prevent the impacted
       web applications from starting. (markt)
     + Fix: When using the WebDAV servlet with serveSubpathOnly set to true,
@@ -109,8 +422,9 @@ Fri Jan  3 18:33:44 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
 
 - Update to Tomcat 10.1.34
   * Fixed CVEs:
-    + CVE-2024-54677: DoS in examples web application (bsc#1233434)
+    + CVE-2024-54677: DoS in examples web application (bsc#1234664)
     + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663) 
+    + CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435)
   * Catalina
     + Add: Add option to serve resources from subpath only with WebDAV Servlet
       like with DefaultServlet. (michaelo)

tomcat10.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat10
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -29,7 +29,7 @@
 %define elspec %{elspec_major}.%{elspec_minor}
 %define major_version 10
 %define minor_version 1
-%define micro_version 35
+%define micro_version 43
 %define java_major 1
 %define java_minor 11
 %define java_version %{java_major}.%{java_minor}
@@ -138,11 +138,12 @@ Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
 Requires(pre):  shadow
-%systemd_ordering
-Conflicts:      %{app_name}
+Conflicts:      %{app_name}-implementation
+Provides:       %{app_name}-implementation = %{version}
 Provides:       group(tomcat)
 Provides:       user(tomcat)
 BuildArch:      noarch
+%systemd_ordering
 
 %description
 Tomcat is the servlet container that is used in the official Reference
@@ -159,7 +160,8 @@ Requires:       %{name} = %{version}-%{release}
 Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
-Conflicts:      %{app_name}-admin-webapps
+Conflicts:      %{app_name}-implementation-admin-webapps
+Provides:       %{app_name}-implementation-admin-webapps = %{version}
 
 %description admin-webapps
 The host manager and manager web-based applications for Apache Tomcat.
@@ -167,7 +169,8 @@ The host manager and manager web-based applications for Apache Tomcat.
 %package embed
 Summary:        Libraries for Embedding Apache Tomcat
 Group:          Productivity/Networking/Web/Servers
-Conflicts:      %{app_name}-embed
+Conflicts:      %{app_name}-implementation-embed
+Provides:       %{app_name}-implementation-embed = %{version}
 
 %description embed
 Embeddeding support (various libraries) for Apache Tomcat.
@@ -179,7 +182,8 @@ Requires:       %{name} = %{version}-%{release}
 Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
-Conflicts:      %{app_name}-docs-webapp
+Conflicts:      %{app_name}-implementation-docs-webapp
+Provides:       %{app_name}-implementation-docs-webapp = %{version}
 
 %description docs-webapp
 The documentation of web application for Apache Tomcat.
@@ -189,8 +193,9 @@ Summary:        Expression Language v%{elspec} API
 Group:          Development/Libraries/Java
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
-Conflicts:      %{app_name}-el-3_0-api < %{version}
+Conflicts:      %{app_name}-implementation-el-api
 Provides:       %{app_name}-el-%{elspec}-api = %{version}-%{release}
+Provides:       %{app_name}-implementation-el-api = %{version}
 Provides:       el_%{elspec_major}_%{elspec_minor}_api = %{version}-%{release}
 Provides:       el_api = %{elspec}
 Obsoletes:      %{app_name}-el-2_2-api < %{version}
@@ -202,7 +207,8 @@ Expression Language API version %{elspec}.
 %package doc
 Summary:        Javadoc generated documentation for Apache Tomcat
 Group:          Documentation/HTML
-Conflicts:      %{app_name}-javadoc
+Conflicts:      %{app_name}-implementation-javadoc
+Provides:       %{app_name}-implementation-javadoc = %{version}
 BuildArch:      noarch
 
 %description doc
@@ -213,7 +219,8 @@ Summary:        Apache Tomcat JSP API implementation classes
 Group:          Productivity/Networking/Web/Servers
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
-Conflicts:      %{app_name}-jsp-2_3-api < %{version}
+Conflicts:      %{app_name}-implementation-jsp-api
+Provides:       %{app_name}-implementation-jsp-api = %{version}
 Provides:       %{app_name}-jsp-%{jspspec}-api
 Provides:       jsp = %{jspspec}
 Provides:       jsp%{jspspec_major}%{jspspec_minor}
@@ -228,7 +235,8 @@ Summary:        Apache jsvc wrapper for Apache Tomcat as separate service
 Group:          Productivity/Networking/Web/Servers
 Requires:       %{name} = %{version}-%{release}
 Requires:       apache-commons-daemon-jsvc
-Conflicts:      %{app_name}-jsvc
+Conflicts:      %{app_name}-implementation-jsvc
+Provides:       %{app_name}-implementation-jsvc = %{version}
 %systemd_ordering
 
 %description jsvc
@@ -245,7 +253,8 @@ Requires:       %{app_name}-servlet-%{servletspec}-api = %{version}-%{release}
 Requires:       mvn(org.apache.tomcat:tomcat-websocket-client-api)
 Requires(post): ecj >= 4.4
 Requires(preun): coreutils
-Conflicts:      %{app_name}-lib
+Conflicts:      %{app_name}-implementation-lib
+Provides:       %{app_name}-implementation-lib = %{version}
 Provides:       jakarta-commons-dbcp-tomcat5 = 1.4
 Obsoletes:      jakarta-commons-dbcp-tomcat5 < 1.4
 
@@ -257,7 +266,8 @@ Summary:        Apache Tomcat Servlet API implementation classes
 Group:          Productivity/Networking/Web/Servers
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
-Conflicts:      %{app_name}-servlet-4_0-api < %{version}
+Conflicts:      %{app_name}-implementation-servlet-api
+Provides:       %{app_name}-implementation-servlet-api = %{version}
 Provides:       %{app_name}-servlet-%{servletspec}-api = %{version}-%{release}
 Provides:       servlet = %{servletspec}
 Provides:       servlet11
@@ -277,7 +287,8 @@ Requires:       jakarta-taglibs-standard >= 1.1
 Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
-Conflicts:      %{app_name}-webapps
+Conflicts:      %{app_name}-implementation-webapps
+Provides:       %{app_name}-implementation-webapps = %{version}
 
 %description webapps
 The ROOT and examples web applications for Apache Tomcat
@@ -337,7 +348,7 @@ ant -Dbase.path="." \
     -Dno.build.dbcp=true \
     -Dversion="%{version}" \
     -Dversion.build="%{micro_version}" \
-    deploy dist-prepare dist-source javadoc package embed-jars
+    deploy javadoc package embed-jars
 
 # remove some jars that we'll replace with symlinks later
 rm output/build/bin/commons-daemon.jar \
@@ -726,22 +737,22 @@ fi
 
 %files
 %doc {LICENSE,NOTICE,RELEASE*}
-%attr(0755,root,root) %{_bindir}/%{app_name}-digest
-%attr(0755,root,root) %{_bindir}/%{app_name}-tool-wrapper
-%attr(0755,root,root) %{_sbindir}/%{app_name}
-%attr(0644,root,root) %{_unitdir}/%{app_name}.service
+%{_bindir}/%{app_name}-digest
+%{_bindir}/%{app_name}-tool-wrapper
+%{_sbindir}/%{app_name}
+%{_unitdir}/%{app_name}.service
 %{_sbindir}/rc%{app_name}
-%attr(0644,root,root) %{_unitdir}/%{app_name}@.service
-%attr(0755,root,root) %dir %{_libexecdir}/%{app_name}
-%attr(0755,root,root) %dir %{_localstatedir}/lib/%{app_name}s
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/functions
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/preamble
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/server
+%{_unitdir}/%{app_name}@.service
+%dir %{_libexecdir}/%{app_name}
+%dir %{_localstatedir}/lib/%{app_name}s
+%{_libexecdir}/%{app_name}/functions
+%{_libexecdir}/%{app_name}/preamble
+%{_libexecdir}/%{app_name}/server
 #bnc#565901
 %{bindir}/catalina.sh
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{app_name}10
-%attr(0755,root,tomcat) %dir %{basedir}
-%attr(0755,root,tomcat) %dir %{confdir}
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{app_name}10
+%dir %{basedir}
+%dir %{confdir}
 %attr(0775,root,tomcat) %dir %{appdir}
 %attr(0770,tomcat,tomcat) %dir %{logdir}
 %attr(0660,tomcat,tomcat) %{logdir}/catalina.out
@@ -754,29 +765,29 @@ fi
 %attr(0775,root,tomcat) %dir %{tomcatappdir}
 
 %{confdir}/Catalina
-%attr(0755,root,tomcat) %dir %{confdir}/conf.d
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/conf.d/README
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/%{app_name}.conf
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.policy
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.properties
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/context.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/server.xml
+%dir %{confdir}/conf.d
+%config(noreplace) %{confdir}/conf.d/README
+%config(noreplace) %{confdir}/%{app_name}.conf
+%config(noreplace) %{confdir}/*.policy
+%config(noreplace) %{confdir}/*.properties
+%config(noreplace) %{confdir}/context.xml
+%config(noreplace) %{confdir}/server.xml
 # keep tomcat-users.xml readable only by root and tomcat group
 %attr(0640,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/web.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
-%attr(0755,root,tomcat) %dir %{homedir}
-%attr(0644,root,tomcat) %{bindir}/bootstrap.jar
-%attr(0644,root,tomcat) %{bindir}/catalina-tasks.xml
+%config(noreplace) %{confdir}/web.xml
+%config(noreplace) %{confdir}/jaspic-providers.xml
+%dir %{homedir}
+%{bindir}/bootstrap.jar
+%{bindir}/catalina-tasks.xml
 %{homedir}/lib
 %{homedir}/temp
 %{homedir}/webapps
 %{homedir}/work
 %{homedir}/logs
 %{homedir}/conf
-%attr(0644,root,tomcat) %{_fillupdir}/sysconfig.%{app_name}
-%attr(0644,root,tomcat) %{confdir}/allowLinking.xslt
-%attr(0644,root,tomcat) %{confdir}/valve.xslt
+%{_fillupdir}/sysconfig.%{app_name}
+%{confdir}/allowLinking.xslt
+%{confdir}/valve.xslt
 
 %files admin-webapps
 %defattr(0644,root,tomcat,0755)
@@ -841,7 +852,7 @@ fi
 
 %files jsvc
 %defattr(755,root,root,0755)
-%attr(0644,root,root) %{_unitdir}/%{app_name}-jsvc.service
+%{_unitdir}/%{app_name}-jsvc.service
 %{_sbindir}/rc%{app_name}-jsvc
 
 %changelog