diff --git a/tomcat.changes b/tomcat.changes
index e30749c..bc1fedf 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -3,6 +3,12 @@ Tue Feb 6 09:55:04 UTC 2024 - Michele Bussolotto
 - rpm 4.19 requires dependencies on tomcat user and group (bsc#1219530)
+-------------------------------------------------------------------
+Fri Jan 26 12:33:23 UTC 2024 - Michele Bussolotto
+
+- Fixed CVEs:
+ * CVE-2024-22029: run xsltproc as tomcat group (bsc#1219208)
+
 -------------------------------------------------------------------
 Wed Jan 17 16:57:21 UTC 2024 - Michele Bussolotto
diff --git a/tomcat.spec b/tomcat.spec
index d64f51e..90ebd94 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -562,7 +562,8 @@ getent passwd tomcat >/dev/null || %{_sbindir}/useradd -c "Apache Tomcat" \
 %post
 %service_add_post %{name}.service
 %{fillup_only %{name}}
-xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml
+chown -R tomcat:tomcat %{confdir}/server.xml
+runuser -u tomcat -g tomcat -- xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml
 %preun
 %service_del_preun %{name}.service
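Review bot: The added `chown -R tomcat:tomcat %{confdir}/server.xml` runs as root and leaves the main server configuration owned by the service account after the scriptlet ends, so a compromised Tomcat process could rewrite its own connector and valve settings. The same chown-then-runuser pattern is repeated for every META-INF directory in %post webapps, %post admin-webapps and %post docs-webapp. `-R` serves no purpose on a single file, and on the directories it re-owns whatever is present at install time, which matters if the tomcat account can already write there (not visible from this diff). Consider restoring the packaged ownership after the transform, for example `chown root:tomcat %{confdir}/server.xml` if that is what %files declares; this would also keep `rpm -V` from reporting an ownership mismatch.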
@@ -636,17 +637,22 @@ rm -f \
 %{libdir}/\[ecj\].jar >/dev/null 2>&1
 %post webapps
-xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
-if [ ! -e %{_datadir}/%{name}/webapps/ROOT ]; then
- ln -sf %{tomcatappdir}/ROOT %{_datadir}/%{name}/webapps/ROOT
-fi
-xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/examples/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
 if [ ! -e %{_datadir}/%{name}/webapps/examples ]; then
 ln -sf %{tomcatappdir}/examples %{_datadir}/%{name}/webapps/examples
 fi
 #use the same context.xml for sample war
+mkdir -p %{tomcatappdir}/ROOT/META-INF
+chown -R tomcat:tomcat %{tomcatappdir}/ROOT/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+if [ ! -e %{_datadir}/%{name}/webapps/ROOT ]; then
+ ln -sf %{tomcatappdir}/ROOT %{_datadir}/%{name}/webapps/ROOT
+fi
+#use the same context.xml for sample war
 mkdir -p %{tomcatappdir}/webapps/sample/META-INF
-xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/sample/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
 if [ ! -e %{_datadir}/%{name}/webapps/sample ]; then
 ln -sf %{tomcatappdir}/sample %{_datadir}/%{name}/webapps/sample
 fi
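Review bot: The new `chown -R tomcat:tomcat %{tomcatappdir}/sample/META-INF` and the xsltproc output after it target `sample/META-INF`, but the context line just above creates `%{tomcatappdir}/webapps/sample/META-INF`. Where the directory does not already exist, both new commands fail and nothing here checks for that before the symlink is created. The ROOT block added in this hunk gets it right with `mkdir -p %{tomcatappdir}/ROOT/META-INF`; the sample line should likewise read `mkdir -p %{tomcatappdir}/sample/META-INF`. The moved ROOT block also now sits under the existing `#use the same context.xml for sample war` comment, which is then repeated before the sample block; the first copy would read better as `#use the examples context.xml for ROOT`. The %post webapps scriptlet may continue past the end of the hunk.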
@@ -658,18 +664,21 @@ if [ $1 -eq 0 ]; then # uninstall only
 fi
 %post admin-webapps
-xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/manager/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml
 if [ ! -e %{_datadir}/%{name}/webapps/manager ]; then
 ln -sf %{tomcatappdir}/manager %{_datadir}/%{name}/webapps/manager
 fi
-xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/host-manager/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml
 if [ ! -e %{_datadir}/%{name}/webapps/host-manager ]; then
 ln -sf %{tomcatappdir}/host-manager %{_datadir}/%{name}/webapps/host-manager
 fi
 %post docs-webapp
-xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/docs/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/docs/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/docs/META-INF/context.xml
 if [ ! -e %{_datadir}/%{name}/webapps/docs ]; then
 ln -sf %{tomcatappdir}/docs %{_datadir}/%{name}/webapps/docs
 fi
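Review bot: Nothing in %post admin-webapps or %post docs-webapp checks whether the new `runuser ... xsltproc` call succeeded. If the tomcat account cannot read `%{confdir}/allowLinking.xslt`, or `runuser` is not installed when the scriptlet runs, the context.xml is left untransformed yet already re-owned, and the symlink is still created. A visible failure would help, e.g. appending `|| echo "tomcat: manager context.xml not updated" >&2` to each runuser line. Each subpackage should also declare the scriptlet dependency, for instance `Requires(post): util-linux`, if that is not already present outside this diff. The %post docs-webapp scriptlet may continue past the end of the hunk.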