Update to Tomcat 9.0.111

.gitattributes

@@ -21,3 +21,4 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
+*.changes merge=merge-changes

.gitignore

@@ -1 +1,5 @@
 .osc
+*.obscpio
+*.osc
+_build.*
+.pbuild

apache-tomcat-9.0.107-src.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCgAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmhk2Z0ACgkQaCSJWTWe
-citEfg/9FbNoAFAP0ui2XT9+AdE/i8SuZEPenAqxY4vxupjtx4mtMCXMlrZaddkQ
-+AofszUn0Q2zLIPCpf79Tp4FB0AgH+z6X2SXPBIqBY9bauC7ZEqpxpuiP3WIehRV
-oGHKv4PucGNndbm96gK+qu3BhwhbJzyXxqpf12+CAJ+uPBw1ywgX2MmqVwfkBeYb
-vIB85Io1BOtZPmp2v0XGXX4/uCqgTRXKE28mrleIghxOrd+Dezn0OQOcT112gejF
-FVk5j3+W64ZaRj3YAU5rkv7f+IeDAj1sc+JxytaGWyTuGlc0rCf7H++c7P9RltyM
-y0/LNKyECTIJW/0lZaaFHrLDZGgBXOzEwGki1xL+NiJSjWJimnqGM8wYGsydjEpi
-t4Z88q+C5hQH95cMxbBbKxy5nME63iVOXWrRAJF8Q0jmmNjoOpKv1J44v5fqOqro
-WqGu6i38mj/EFE9DjjOk86QCRoF4sVVG/QdeNdOzQ1wBmT+1SsYCDXAnE2sYEXBx
-MaVG6buEWJyVhi1Bz5nncm4sRPeq/m7WJDi+0sdHb6Fnut9FKKIKtAOQ6hj4OBNu
-FL3DLIjs8QamxDXfwGY/Vo3NZebt7KKH7nvPdY4QHJQCgqspOCQtz8XjOaseb1ct
-Qn6+QbcABPcCJ4tVco1Yu+5afz97r9x4CeyZlR3lo91o8B+7gfY=
-=5ujs
------END PGP SIGNATURE-----

apache-tomcat-9.0.111-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCgAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmjpFVsACgkQaCSJWTWe
+citA8A//f4bPRUjetQR+xJRmS+eak5rudfxtSqVFgAuoGC1iamAH/nxTRlOY4Fr+
+9GsJ14CKiP8BTQyxxoDPn6f2KNLY2huu5q5Q63ZzBG9UpNBmA78ucl7EoNmurQV0
+cPlzkV0c3SEJVbG2pvrSU5HkAuIk7HI72nPZiew6Ggb54+RH+w9Bs/0GS+Tk3Nt0
++a9AG0MwTNKxlBpluqR1BYgOdUKUGO+X4JFxJF2plgdqW08LHu7AXQRDW6dWxpEO
+ATyosue846tK51hWt1qlaf+RCVvr4PS8BwNrpY5qI4/i9GtcQINyNYasLJJ5+gSG
+zKCRZUwmjQpswA1jCUKJj6RZ4G4tSGeALZlpszU3STBLeIOVvVS5U9OdDq7Ehgby
+WBXSCCx6UcsqAvtnPFGChGqImT9gLs11E4g7b/Ahyn+Uok8Jl43BlNaFzPmQ+xlb
+ksdoyAK88+5eHlhnpT8nmUFjxmNIJERP0xErih7haicXcMv1YGa0OL5xHNhP205d
+LPl08+0wpdtMR64bjkrHjfK7m7SDY6ryrsppxyKHxeIcIPQDZkfqLdz+eldA4QaI
+NRJAFofUxwq/8dXJ8H4OWLipFQkvXOgbZM2WO+iegF0VWN9q1+Hkvqhru+YUAVoT
+7qmhqLblq5Ya5ZLwjd6cOkqPfXV+yXkFKbsCr4Uy+1kbK/A30+Y=
+=BT0K
+-----END PGP SIGNATURE-----

tomcat.changes

@@ -1,3 +1,142 @@
+-------------------------------------------------------------------
+Thu Nov  6 14:57:36 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 9.0.111
+  * Fixed CVEs:
+    + CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT
+      is enabled (bsc#1252753)
+    + CVE-2025-55754: Improper Neutralization of Escape, Meta, or Control 
+      Sequences vulnerability in Apache Tomcat (bsc#1252905)
+    + CVE-2025-61795: temporary copies during the processing of multipart 
+      upload can lead to a denial of service (bsc#1252756)
+  * Catalina
+    + Fix: Log warnings when the SSO configuration does not comply with the
+      documentation. (remm)
+    + Update: Deprecate the RemoteAddrFilter and RemoteAddValve in favour of the
+      RemoteCIDRFilter and RemoteCIDRValve. (markt)
+    + Fix: 69837: Fix corruption of the class path generated by the Loader when
+      running on Windows. (markt)
+    + Fix: Reject requests that map to invalid Windows file names earlier.
+      (markt)
+    + Fix: 69839: Ensure that changes to session IDs (typically after
+      authentication) are promulgated to the SSO Valve to ensure that SSO
+      entries are fully clean-up on session expiration. Patch provided by Kim
+      Johan Andersson. (markt)
+    + Fix: Fix a race condition in the creation of the storage location for the
+      FileStore. (markt)
+    + Update: Change the digest used to calculate strong ETags (if enabled) for
+      the default Servlet from SHA-1 to SHA-256 to align with the recommendation
+      in RFC 9110 that hash functions used to generate strong ETags should be
+      collision resistant. (markt)
+    + Fix: Correct a regression in the fix for 69781 that broke FileStore.
+      (markt)
+    + Fix: HTTP methods are case-sensitive so always use case sensitive
+      comparisons when comparing HTTP methods. (markt)
+    + Fix: 69814: Ensure that HttpSession.isNew() returns false once the client
+      has joined the session. (markt)
+    + Fix: Further performance improvements for ParameterMap. (jengebr/markt)
+    + Fix: Fix a case-sensitivity issue in the trailer header allow list.
+      (markt)
+    + Fix: Be proactive in cleaning up temporary files after a failed multi-part
+      upload rather than waiting for GC to do it. (markt)
+    + Code: Remove a number of unnecessary packages from the
+      catalina-deployer.jar. (markt)
+    + Fix: 69781: Fix concurrent access issues in the session FileStore
+      implementation that were causing lost sessions when the store was used
+      with the PersistentValve. Based on pull request #882 by Aaron Ogburn.
+      (markt)
+    + Fix: Fix handling of QSA and QSD flags in RewriteValve. (markt)
+  * Cluster
+    + Fix: Prevent the channel configuration (sender, receiver, membership
+      service) from being changed unless the channel is fully stopped. (markt)
+    + Fix: Handle spurious wake-ups during leader election for
+      NonBlockingCoordinator. (markt)
+    + Fix: Handle spurious wake-ups during sending of messages by RpcChannel.
+      (markt)
+  * Coyote
+    + Fix: 69848: Fix copy/paste errors in 9.0.110 that meant DELETE requests
+      received via the AJP connector were processed as OPTIONS requests and
+      PROPFIND requests were processed as TRACE. (markt)
+    + Update: Add specific certificate selection code for TLS 1.3 supporting
+      post quantum cryptography. Certificates defined with type MLDSA will be
+      selected depending on the TLS client hello. (remm)
+    + Update: Add groups attribute on SSLHostConfig allowing to restrict which
+      groups can be enabled on the SSL engine. (remm)
+    + Add: Optimize the conversion of HTTP method from byte form to String form.
+      (markt)
+    + Fix: Store HTTP request headers using the original case for the header
+      name rather than forcing it to lower case. (markt)
+    + Fix: 69762: Additional overflow fix for HPACK decoding of integers. Pull
+      request #880 by Chenjp. (markt)
+    + Fix: Ensure keys are handed out to OpenSSL even if PEMFile fails to
+      process it, with appropriate logging. (remm)
+    + Fix: Add new ML-DSA key algorithm to PEMFile and improve reporting when
+      reading a key fails. (remm)
+    + Fix: Fix possible early timeouts for network operations caused by a
+      spurious wake-up of a waiting thread. Found by Coverity Scan. (markt)
+  * Web applications
+    + Fix: Documentation. Clarify the purpose of the maxPostSize attribute of
+      the Connector element. (markt)
+    + Fix: Avoid NPE in manager webapp displaying certificate information.
+      (remm)
+  * Websocket
+    + Fix: 69845: When using permessage-deflate with Java 25 onwards, handle the
+      underlying Inflater and/or Deflater throwing IllegalStateException when
+      closed rather than NullPointerException as they do in Java 24 and earlier.
+      (markt)
+  * Other
+    + Update: Update Byte Buddy to 1.17.7. (markt)
+    + Update: Update Checkstyle to 11.1.0. (markt)
+    + Update: Update SpotBugs to 4.9.6. (markt)
+    + Update: Update Jsign to 7.2. (markt)
+    + Add: Improvements to Russian translations provided by usmazat. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations provided by tak7iji. (markt)
+    + Update: Minor refactoring in JULI loggers. Patch provided by minjund.
+      (schultz)
+    + Code: Review logging and include the full stack trace and exception
+      message by default rather then just the exception message when logging an
+      error or warning in response to an exception. (markt)
+    + Add: Add escaping to log formatters to align with JSON formatter. (markt)
+    + Update: Update Checkstyle to 11.0.0. (markt)
+
+-------------------------------------------------------------------
+Wed Oct  1 12:18:58 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Do not use update-alternatives
+
+-------------------------------------------------------------------
+Mon Aug 25 12:58:40 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 9.0.108
+  * Fixed CVEs:
+    + CVE-2025-48989: Update the HTTP/2 overhead documentation (bsc#1243895)
+  * Catalina
+    + Fix: Fix bloom filter population for archive indexing when using a packed
+      WAR containing one or more JAR files. (markt)
+  * Coyote
+    + Fix: 69748: Add missing call to set keep-alive timeout when using
+      HTTP/1.1 following an async request, which was present for AJP.
+      (remm/markt)
+    + Fix: 69762: Fix possible overflow during HPACK decoding of integers. Note
+      that the maximum permitted value of an HPACK decoded integer is
+      Integer.MAX_VALUE. (markt)
+    + Fix: Update the HTTP/2 overhead documentation - particularly the code
+      comments - to reflect the deprecation of the PRIORITY frame and clarify
+      that a stream reset always triggers an overhead increase. (markt)
+  * Cluster
+    + Update: Add enableStatistics configuration attribute for the DeltaManager,
+      defaulting to true. (remm)
+  * Web applications
+    + Fix: Manager and Host Manager. Provide the Manager and Host Manager web
+      applications with a dedicated favicon file rather than using the one from
+      the ROOT web application which might not be present or may represent
+      something entirely different. Pull requests #876 and #878 by Simon Arame.
+  * Other
+    + Update: Update Checkstyle to 10.26.1. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+
 -------------------------------------------------------------------
 Wed Aug  6 09:41:41 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
 

tomcat.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 107
+%define micro_version 111
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}
@@ -175,13 +175,8 @@ The documentation of web application for Apache Tomcat.
 %package el-3_0-api
 Summary:        Expression Language v3.0 API
 Group:          Development/Libraries/Java
-Requires(post): update-alternatives
-Requires(preun): update-alternatives
 Conflicts:      %{name}-implementation-el-api
 Provides:       %{name}-el-%{elspec}-api = %{version}-%{release}
-Provides:       el_3_0_api = %{version}-%{release}
-Provides:       el_api = %{elspec}
-Obsoletes:      el_api < %{elspec}
 Obsoletes:      tomcat-el-2_2-api
 Provides:       %{name}-implementation-el-api = %{version}
 
@@ -203,8 +198,6 @@ Summary:        Apache Tomcat JSP API implementation classes
 Group:          Productivity/Networking/Web/Servers
 Requires:       mvn(org.apache.tomcat:tomcat-el-api)
 Requires:       mvn(org.apache.tomcat:tomcat-servlet-api)
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 Conflicts:      %{name}-implementation-jsp-api
 Provides:       %{name}-implementation-jsp-api = %{version}
 Provides:       %{name}-jsp-%{jspspec}-api
@@ -249,8 +242,6 @@ Libraries required to successfully run the Tomcat Web container
 %package servlet-4_0-api
 Summary:        Apache Tomcat Servlet API implementation classes
 Group:          Productivity/Networking/Web/Servers
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 Conflicts:      %{name}-implementation-servlet-api
 Provides:       %{name}-servlet-%{servletspec}-api = %{version}-%{release}
 Provides:       servlet = %{servletspec}
@@ -577,15 +568,6 @@ echo "%{name}/catalina-ant" > %{buildroot}/%{_sysconfdir}/ant.d/catalina-ant
 #bnc#565901
 ln -sf %{_sbindir}/%{name} %{buildroot}/%{bindir}/catalina.sh
 
-# Install update-alternatives content
-mkdir -p %{buildroot}%{_sysconfdir}/alternatives
-ln -s -f %{_sysconfdir}/alternatives/el_api %{buildroot}%{_javadir}/%{name}-el_api.jar
-ln -s -f %{_sysconfdir}/alternatives/el_1_0_api %{buildroot}%{_javadir}/%{name}-el_1_0_api.jar
-ln -s -f %{_sysconfdir}/alternatives/jsp %{buildroot}%{_javadir}/%{name}-jsp.jar
-# To avoid conflicts with servletapi4 and servletapi5 create a link to incorrect /etc/alternatives/servlet.jar.
-# It will be changed anyways to the correct symlink by update-alternatives.
-ln -s -f %{_sysconfdir}/alternatives/servlet.jar %{buildroot}%{_javadir}/servlet.jar
-
 %pre
 # add the tomcat user and group
 getent group tomcat >/dev/null || %{_sbindir}/groupadd -r tomcat
@@ -617,51 +599,6 @@ runuser -u tomcat -g tomcat -- xsltproc --output %{confdir}/server.xml %{confdir
 %postun jsvc
 %service_del_postun %{name}-jsvc.service
 
-%post el-3_0-api
-update-alternatives --install %{_javadir}/%{name}-el_api.jar el_api %{_javadir}/%{name}-el-%{elspec}-api.jar 20300
-update-alternatives --install %{_javadir}/%{name}-el_1_0_api.jar el_1_0_api %{_javadir}/%{name}-el-%{elspec}-api.jar 20300
-
-%preun el-3_0-api
-if [ $1 -eq 0 ] ; then
-    update-alternatives --remove el_api %{_javadir}/%{name}-el-%{elspec}-api.jar
-    update-alternatives --remove el_1_0_api %{_javadir}/%{name}-el-%{elspec}-api.jar
-fi
-
-%post jsp-2_3-api
-update-alternatives --install %{_javadir}/%{name}-jsp.jar jsp \
-    %{_javadir}/%{name}-jsp-%{jspspec}-api.jar 20200
-
-%postun jsp-2_3-api
-if [ $1 -eq 0 ] ; then
-    update-alternatives --remove jsp \
-        %{_javadir}/%{name}-jsp-%{jspspec}-api.jar
-fi
-
-%post servlet-4_0-api
-update-alternatives --install %{_javadir}/servlet.jar servlet \
-    %{_javadir}/%{name}-servlet-%{servletspec}-api.jar 30000
-# Fix for bsc#1092163.
-# Keep the /usr/share/java/tomcat-servlet.jar symlink for compatibility.
-# In case of update from an older version where /usr/share/java/tomcat-servlet.jar is an alternatives symlink
-# the update-alternatives in the new version will cause a rename tomcat-servlet.jar -> servlet.jar.
-# This makes sure the tomcat-servlet.jar is recreated if it's missing because of the rename.
-if [ ! -f %{_javadir}/%{name}-servlet.jar ]; then
-    echo "Recreating symlink %{_javadir}/%{name}-servlet.jar"
-    ln -s %{_javadir}/%{name}-servlet-%{servletspec}-api.jar %{_javadir}/%{name}-servlet.jar
-fi
-
-%postun servlet-4_0-api
-if [ $1 -eq 0 ] ; then
-    if [ ! -f %{_sysconfdir}/alternatives/servlet ]; then
-        # %{_sysconfdir}/alternatives/servlet was removed on uninstall.
-        # Create a broken symlink to make sure update-alternatives works correctly and falls back
-        # to servletapi5 or servletapi4 if they're installed.
-        ln -s %{_javadir}/%{name}-servlet-%{servletspec}-api.jar %{_sysconfdir}/alternatives/servlet
-    fi
-    update-alternatives --remove servlet \
-        %{_javadir}/%{name}-servlet-%{servletspec}-api.jar
-fi
-
 %post lib
 # those links are no longer needed
 rm -f \
@@ -785,10 +722,6 @@ fi
 %{_javadir}/%{name}-el-%{elspec}-api.jar
 %{_javadir}/%{name}-el-api.jar
 %{libdir}/%{name}-el-%{elspec}-api.jar
-%{_javadir}/%{name}-el_1_0_api.jar
-%{_javadir}/%{name}-el_api.jar
-%ghost %{_sysconfdir}/alternatives/el_1_0_api
-%ghost %{_sysconfdir}/alternatives/el_api
 
 %files javadoc
 %doc %{_javadocdir}/%{name}
@@ -796,8 +729,6 @@ fi
 %files jsp-2_3-api -f output/dist/src/res/maven/.mfiles-jsp-api
 %{_javadir}/%{name}-jsp-%{jspspec}-api.jar
 %{_javadir}/%{name}-jsp-api.jar
-%{_javadir}/%{name}-jsp.jar
-%ghost %{_sysconfdir}/alternatives/jsp
 
 %files lib -f output/dist/src/res/maven/.mfiles
 %{libdir}
@@ -817,8 +748,6 @@ fi
 %{_javadir}/%{name}-servlet-%{servletspec}-api.jar
 %{_javadir}/%{name}-servlet-api.jar
 %{_javadir}/%{name}-servlet.jar
-%{_javadir}/servlet.jar
-%ghost %{_sysconfdir}/alternatives/servlet
 
 %files webapps
 %defattr(0644,root,tomcat,0755)