Update to Tomcat 11.0.13

- adapt tomcat-jdt.patch
  * Fixed CVEs:
    + CVE-2025-52520: Align size tracking for multipart requests with
      FileUpload's use of long. (bsc#1246388)
    + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier.
      (bsc#1246318)
  * Catalina
    + Fix: Ensure application configured welcome files override the defaults
      when configuring an embedded web application programmatically. (markt)
    + Update: Optimize Request#getCharsetHolder to avoid repeated parsing when
      charset is null. Patch provided by morning-gu. (schultz)
    + Fix: Allow the default servlet to set the content length when the content
      length is known, no content has been written and a Writer is being used.
      (markt)
    + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that
      prevented access to PreResources and PostResources when mounted below the
      web application root with a path that was terminated with a file
      separator. (remm/markt)
    + Fix: 69731: Fix an issue that meant that the value of maxParameterCount
      applied was smaller than intended for multipart uploads with non-file
      parts when the parts were processed before query string parameters.
      (markt)
    + Fix: Align size tracking for multipart requests with FileUpload's use of
      long. (schultz)
  * Coyote
    + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update
      the documentation to provide more details on the memory requirements to
      support multi-part uploads while avoiding a denial of service risk.
      (markt)
    + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding
      when the headers include a content-length. (remm/markt)
    + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting
      one request multiple times. Based on pull request #868 by qingdaoheze.
      (markt)
    + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value
      of useVirtualThreads in JMX. (remm)
    + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional
      certificate verification and improve the warnings when a web application
      tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of
      TLS 1.3. (markt)
    + Fix: When setting the initial HTTP/2 connection limit, apply those limits
      earlier. (markt)
  * Jasper
    + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
    + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL
      grammar as both are unused. (markt)
  * Web applications
    + Add: Documentation. Provide more explicit guidance regarding the security
      considerations for enabling write access to the web application via
      WebDAV, HTTP PUT requests or similar. (markt)
    + Add: Documentation. Add a section on reverse proxies to the security
      considerations page. (markt)
  * Other
    + Update: Update to the Eclipse JDT compiler 4.36. (markt)
    + Update: Update UnboundID to 7.0.3. (markt)
    + Update: Update Checkstyle to 10.25.1. (markt)
    + Update: Improvements to French translations. (remm)
    + Update: Improvements to Japanese translations provided by tak7iji. (markt)

OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat11?expand=0&rev=15

apache-tomcat-11.0.13-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAmjpFScACgkQEMAcWi9g
+WeenIxAA9swmm5DatkFudRkx7BQCHt+J5qXnN0r9YCEwIWiXSRFUSqKOesGf3oqD
+yXsy/DweapfKTwAhzUnx57ZRgJ09e5cTZ27Y2WoaQwlDNZbJ8pYziBfkIc6We+HS
+VlpEtqChNLWc4+x7GdNLswywv5yq5pRcAVHBM2eNSqDEin5uwcj4YTdBT3OPH1dp
+HEKkrVOtho2Aj9f8SjHXEDdiDGL4mmUp3o/lajNditLJiAlolXPgbdW326u5phLY
+Xylehoe0rBKXls1HVWIdzkRF1YWxyW22dcqVBTI2R/kWyecmbPnXA9eYt4nUVvoc
+KpbvSNErt3o+5q7K5GJg8Tp7vy7NqUD4Jd95hDUx+DId8Li6kXaLp6QrzxyiLIAP
+QuQfl3ZHjcjSiBBGAZxws0tpaBO4d5INM7Nbdb9Sy0hiCJGTevugJKkl0NOKfb0K
+7IUJfofI1ZF9zKuy9uSNwqGAKUSe36qgRXFpEpsbZ9E+ZwXRqldCbyBH+Lk3YsXb
+x4Jw8YydPmRdaUdHmK5paicD6DgBh18MSOeoKEHL+t5fNLWExTIKOhly7w9lZSVq
+i/SwpvkS0htmPCK8OFyLxHF9oBKbzqMqfs4914pBdbd2TfT1o8xFDHGvUILv3Pho
+iuxXwsQtS9XidlgUReDFU9iB3D/Q3PR9FleUpwtnl4ZNe4NQRxc=
+=NWy6
+-----END PGP SIGNATURE-----

apache-tomcat-11.0.6-src.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAmfr/o8ACgkQEMAcWi9g
-WecdvxAA9qQwEx53mR0rlzpXAVc5ORdDmyC/rGY59oxyCsq22sWpLPRi5NBpohv7
-xRqnnFJVi+YC8c1J+M4g+d1hJWRwC0S6auydofL2EbkKx3t6WbD+ku0syXfz+5ia
-D4rOo55HZKEFXiMJexBLadC8VCTmKjT3Jng66/XLrAtlPHhcdyzaI+umbqTi2yNu
-VoWVB6IDAxW6YoubouhHt35EXQTTYL8EqE6iLKsNgxHOula/Yj/L2lAgiiIU/aPV
-gtJfP7WiR34Gdug/ppAdE0aatxkp+lANd5s1TPMGhmDvkI+n8tMpAeA91Q2cBoOT
-KpVJvKnSID5xxiJVHRSNPgGUxR5s0USAEkLkJpKIgjwnEaIsJZwPJXepdSRaNURt
-MP1/mYO9/5Fi93oUx+1RrJCmrTUlF4nA/zfSFOt49fovhU20l42zEHjFsNKVmqet
-8eaBOwfjpiurr0vPklziJ3kdyV2AiiX+n9prNzAh5tZ3I9bripSWPYFG1gBw0Ln6
-As3X5EjaQto1YkLOQ9oKNzzNVKoQ5wh/dfGxr4VY0FFuXBIWRiy5IFXEZH55ssGZ
-7m5jqIDUmyQ+M+J+WvdVSHJfzGO9O8Ms9DIKrEoMV9gXcz9eMtFvbECFeCDFJQit
-CD3T8rL5AlbDoU+GV111a94RMiUnvZUe2EtQockfMOHP1o/LhLk=
-=+ON7
------END PGP SIGNATURE-----

tomcat-jdt.patch

@@ -1,8 +1,8 @@
-Index: apache-tomcat-11.0.6-src/java/org/apache/jasper/compiler/JDTCompiler.java
+Index: apache-tomcat-11.0.9-src/java/org/apache/jasper/compiler/JDTCompiler.java
 ===================================================================
---- apache-tomcat-11.0.6-src.orig/java/org/apache/jasper/compiler/JDTCompiler.java
-+++ apache-tomcat-11.0.6-src/java/org/apache/jasper/compiler/JDTCompiler.java
-@@ -310,21 +310,21 @@ public class JDTCompiler extends org.apa
+--- apache-tomcat-11.0.9-src.orig/java/org/apache/jasper/compiler/JDTCompiler.java
++++ apache-tomcat-11.0.9-src/java/org/apache/jasper/compiler/JDTCompiler.java
+@@ -318,23 +318,23 @@ public class JDTCompiler extends org.apa
              } else if (opt.equals("15")) {
                  settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
              } else if (opt.equals("16")) {
@@ -30,9 +30,12 @@ Index: apache-tomcat-11.0.6-src/java/org/apache/jasper/compiler/JDTCompiler.java
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_23);
 +                settings.put(CompilerOptions.OPTION_Source, "23");
              } else if (opt.equals("24")) {
+-                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_24);
++                settings.put(CompilerOptions.OPTION_Source, "24");
+             } else if (opt.equals("25")) {
                  // Constant not available in latest ECJ version shipped with
                  // Tomcat. May be supported in a snapshot build.
-@@ -337,11 +337,11 @@ public class JDTCompiler extends org.apa
+@@ -342,11 +342,11 @@ public class JDTCompiler extends org.apa
                  settings.put(CompilerOptions.OPTION_Source, "25");
              } else {
                  log.warn(Localizer.getMessage("jsp.warning.unknown.sourceVM", opt));
@@ -46,7 +49,7 @@ Index: apache-tomcat-11.0.6-src/java/org/apache/jasper/compiler/JDTCompiler.java
          }
  
          // Target JVM
-@@ -391,29 +391,29 @@ public class JDTCompiler extends org.apa
+@@ -396,32 +396,32 @@ public class JDTCompiler extends org.apa
                  settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
                  settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
              } else if (opt.equals("16")) {
@@ -90,9 +93,14 @@ Index: apache-tomcat-11.0.6-src/java/org/apache/jasper/compiler/JDTCompiler.java
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "23");
 +                settings.put(CompilerOptions.OPTION_Compliance, "23");
              } else if (opt.equals("24")) {
+-                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_24);
+-                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_24);
++                settings.put(CompilerOptions.OPTION_TargetPlatform, "24");
++                settings.put(CompilerOptions.OPTION_Compliance, "24");
+             } else if (opt.equals("25")) {
                  // Constant not available in latest ECJ version shipped with
                  // Tomcat. May be supported in a snapshot build.
-@@ -428,12 +428,12 @@ public class JDTCompiler extends org.apa
+@@ -430,12 +430,12 @@ public class JDTCompiler extends org.apa
                  settings.put(CompilerOptions.OPTION_Compliance, "25");
              } else {
                  log.warn(Localizer.getMessage("jsp.warning.unknown.targetVM", opt));

tomcat11.changes

@@ -1,3 +1,327 @@
+-------------------------------------------------------------------
+Thu Nov  6 16:11:41 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 11.0.13
+  * Fixed CVEs:
+    + CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT
+      is enabled (bsc#1252753)
+    + CVE-2025-55754: Improper Neutralization of Escape, Meta, or Control 
+      Sequences vulnerability in Apache Tomcat (bsc#1252905)
+    + CVE-2025-61795: temporary copies during the processing of multipart 
+      upload can lead to a denial of service (bsc#1252756) 
+  * Catalina
+    + Add: Add CIDR support for the configuration of internal and trusted
+      proxies for the RemoteIpFilter and RemoteIpValve. Configuration via
+      regular expression has been deprecated and will be removed in Tomcat 12.
+      (markt)
+    + Fix: Log warnings when the SSO configuration does not comply with the
+      documentation. (remm)
+    + Update: Deprecate the RemoteAddrFilter and RemoteAddValve in favour of the
+      RemoteCIDRFilter and RemoteCIDRValve. (markt)
+    + Fix: 69837: Fix corruption of the class path generated by the Loader when
+      running on Windows. (markt)
+    + Fix: Reject requests that map to invalid Windows file names earlier.
+      (markt)
+    + Fix: 69839: Ensure that changes to session IDs (typically after
+      authentication) are promulgated to the SSO Valve to ensure that SSO
+      entries are fully clean-up on session expiration. Patch provided by Kim
+      Johan Andersson. (markt)
+    + Fix: Fix a race condition in the creation of the storage location for the
+      FileStore. (markt)
+    + Update: Change the digest used to calculate strong ETags (if enabled) for
+      the default Servlet from SHA-1 to SHA-256 to align with the recommendation
+      in RFC 9110 that hash functions used to generate strong ETags should be
+      collision resistant. (markt)
+    + Fix: HTTP methods are case-sensitive so always use case sensitive
+      comparisons when comparing HTTP methods. (markt)
+    + Fix: 69814: Ensure that HttpSession.isNew() returns false once the client
+      has joined the session. (markt)
+    + Fix: Further performance improvements for ParameterMap. (jengebr/markt)
+    + Code: Refactor access log time stamps to be based on the Instant request
+      processing starts. (markt)
+    + Fix: Fix a case-sensitivity issue in the trailer header allow list.
+      (markt)
+    + Fix: Be proactive in cleaning up temporary files after a failed multi-part
+      upload rather than waiting for GC to do it. (markt)
+    + Code: Remove a number of unnecessary packages from the
+      catalina-deployer.jar. (markt)
+    + Fix: 69781: Fix concurrent access issues in the session FileStore
+      implementation that were causing lost sessions when the store was used
+      with the PersistentValve. Based on pull request #882 by Aaron Ogburn.
+      (markt)
+    + Code: Refactor WebResource locking to use the new
+      KeyedReentrantReadWriteLock. (markt)
+    + Fix: Fix handling of QSA and QSD flags in RewriteValve. (markt)
+  * Cluster
+    + Fix: Prevent the channel configuration (sender, receiver, membership
+      service) from being changed unless the channel is fully stopped. (markt)
+    + Fix: Handle spurious wake-ups during leader election for
+      NonBlockingCoordinator. (markt)
+    + Fix: Handle spurious wake-ups during sending of messages by RpcChannel.
+      (markt)
+  * Coyote
+    + Fix: 69836: Incorrect processing of partitioned setting when generating
+      session cookie. Patch submitted by Marc Pynaert. (remm)
+    + Fix: 69848: Fix copy/paste errors in 11.0.12 that meant DELETE requests
+      received via the AJP connector were processed as OPTIONS requests and
+      PROPFIND requests were processed as TRACE. (markt)
+    + Update: Add specific certificate selection code for TLS 1.3 supporting
+      post quantum cryptography. Certificates defined with type MLDSA will be
+      selected depending on the TLS client hello. (remm)
+    + Update: Add groups attribute on SSLHostConfig allowing to restrict which
+      groups can be enabled on the SSL engine. (remm)
+    + Add: Optimize the conversion of HTTP method from byte form to String form.
+      (markt)
+    + Fix: Store HTTP request headers using the original case for the header
+      name rather than forcing it to lower case. (markt)
+    + Fix: 69762: Additional overflow fix for HPACK decoding of integers. Pull
+      request #880 by Chenjp. (markt)
+    + Fix: Ensure keys are handed out to OpenSSL even if PEMFile fails to
+      process it, with appropriate logging. (remm)
+    + Fix: Add new ML-DSA key algorithm to PEMFile and improve reporting when
+      reading a key fails. (remm)
+    + Fix: Fix possible early timeouts for network operations caused by a
+      spurious wake-up of a waiting thread. Found by Coverity Scan. (markt)
+  * Web applications
+    + Fix: Documentation. Clarify the purpose of the maxPostSize attribute of
+      the Connector element. (markt)
+    + Fix: Avoid NPE in manager webapp displaying certificate information.
+      (remm)
+  * Websocket
+    + Fix: 69845: When using permessage-deflate with Java 25 onwards, handle the
+      underlying Inflater and/or Deflater throwing IllegalStateException when
+      closed rather than NullPointerException as they do in Java 24 and earlier.
+      (markt)
+  * Other
+    + Fix: 69847: Remove remaining references to the
+      org.apache.tomcat.util.codec.binary package which has been deleted.
+      (markt)
+    + Update: Update Byte Buddy to 1.17.7. (markt)
+    + Update: Update Checkstyle to 11.1.0. (markt)
+    + Update: Update SpotBugs to 4.9.6. (markt)
+    + Update: Update Jsign to 7.2. (markt)
+    + Add: Improvements to Russian translations provided by usmazat. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations provided by tak7iji. (markt)
+    + Update: Minor refactoring in JULI loggers. Patch provided by minjund.
+      (schultz)
+    + Code: Review logging and include the full stack trace and exception
+      message by default rather then just the exception message when logging an
+      error or warning in response to an exception. (markt)
+    + Add: Add escaping to log formatters to align with JSON formatter. (markt)
+    + Update: Update Checkstyle to 11.0.0. (markt)
+
+-------------------------------------------------------------------
+Wed Oct  1 12:19:04 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Do not use update-alternatives
+
+-------------------------------------------------------------------
+Mon Aug 25 13:38:13 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 11.0.10
+  * Fixed CVEs:
+    + CVE-2025-48989: Update the HTTP/2 overhead documentation (bsc#1243895)
+  * Catalina
+    + Fix: Fix bloom filter population for archive indexing when using a
+      packed WAR containing one or more JAR files. (markt)
+  * Coyote
+    + Fix: 69748: Add missing call to set keep-alive timeout when using
+      HTTP/1.1 following an async request, which was present for AJP.
+      (remm/markt)
+    + Fix: 69762: Fix possible overflow during HPACK decoding of integers.
+      Note that the maximum permitted value of an HPACK decoded integer is
+      Integer.MAX_VALUE. (markt)
+    + Fix: Update the HTTP/2 overhead documentation - particularly the code
+      comments - to reflect the deprecation of the PRIORITY frame and
+      clarify that a stream reset always triggers an overhead increase.
+      (markt)
+  * Cluster
+    + Update: Add enableStatistics configuration attribute for the
+      DeltaManager, defaulting to true. (remm)
+  * WebSocket
+    + Fix: Align the WebSocket extension handling for WebSocket client
+      connections with WebSocket server connections. The WebSocket client
+      now only includes an extension requested by an endpoint in the
+      opening handshake if the WebSocket client supports that extension.
+      (markt)
+  * Web applications
+    + Fix: Manager and Host Manager. Provide the Manager and Host Manager
+      web applications with a dedicated favicon file rather than using the
+      one from the ROOT web application which might not be present or may
+      represent something entirely different. Pull requests #876 and #878
+      by Simon Arame.
+  * Other
+    + Update: Update Checkstyle to 10.26.1. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+
+-------------------------------------------------------------------
+Wed Aug  6 13:07:07 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 11.0.9
+  - adapt tomcat-jdt.patch
+  * Fixed CVEs:
+    + CVE-2025-52520: Align size tracking for multipart requests with
+      FileUpload's use of long. (bsc#1246388)
+    + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier.
+      (bsc#1246318)
+  * Catalina
+    + Fix: Ensure application configured welcome files override the defaults
+      when configuring an embedded web application programmatically. (markt)
+    + Update: Optimize Request#getCharsetHolder to avoid repeated parsing when
+      charset is null. Patch provided by morning-gu. (schultz)
+    + Fix: Allow the default servlet to set the content length when the content
+      length is known, no content has been written and a Writer is being used.
+      (markt)
+    + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that
+      prevented access to PreResources and PostResources when mounted below the
+      web application root with a path that was terminated with a file
+      separator. (remm/markt)
+    + Fix: 69731: Fix an issue that meant that the value of maxParameterCount
+      applied was smaller than intended for multipart uploads with non-file
+      parts when the parts were processed before query string parameters.
+      (markt)
+    + Fix: Align size tracking for multipart requests with FileUpload's use of
+      long. (schultz)
+  * Coyote
+    + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update
+      the documentation to provide more details on the memory requirements to
+      support multi-part uploads while avoiding a denial of service risk.
+      (markt)
+    + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding
+      when the headers include a content-length. (remm/markt)
+    + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting
+      one request multiple times. Based on pull request #868 by qingdaoheze.
+      (markt)
+    + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value
+      of useVirtualThreads in JMX. (remm)
+    + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional
+      certificate verification and improve the warnings when a web application
+      tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of
+      TLS 1.3. (markt)
+    + Fix: When setting the initial HTTP/2 connection limit, apply those limits
+      earlier. (markt)
+  * Jasper
+    + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
+    + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL
+      grammar as both are unused. (markt)
+  * Web applications
+    + Add: Documentation. Provide more explicit guidance regarding the security
+      considerations for enabling write access to the web application via
+      WebDAV, HTTP PUT requests or similar. (markt)
+    + Add: Documentation. Add a section on reverse proxies to the security
+      considerations page. (markt)
+  * Other
+    + Update: Update to the Eclipse JDT compiler 4.36. (markt)
+    + Update: Update UnboundID to 7.0.3. (markt)
+    + Update: Update Checkstyle to 10.25.1. (markt)
+    + Update: Improvements to French translations. (remm)
+    + Update: Improvements to Japanese translations provided by tak7iji. (markt) 
+
+-------------------------------------------------------------------
+Tue Jun 24 10:09:09 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 11.0.8
+ * Fixed CVEs:
+    + CVE-2025-46701: refactor CGI servlet to access resources via
+      WebResources (bsc#1243815)
+    + CVE-2025-48988: limits the total number of parts in a
+      multi-part request and limits the size of
+      the headers provided with each part (bsc#1244656)
+    + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649)
+  * Catalina
+    + Add: Support for the java:module namespace which mirrors the
+      java:comp namespace.
+    + Fix: 69690: Calling HttpServletRequest.getParameter() and related
+      methods for a request with content type multipart/form-data when
+      the mapped servlet does not have a @MultipartConfig or equivalent
+      should not trigger an exception. Note that calling getPart() or
+      getParts() is these circumstances will trigger an exception.
+    + Add: Support parsing of multiple path parameters separated by ; in a
+      single URL segment. Based on pull request #860 by Chenjp.
+    + Fix: 69699: Encode redirect URL used by the rewrite valve with the
+      session id if appropriate, and handle cross context with different
+      session configuration when using rewrite.
+    + Add: #863: Support for comments at the end of lines in text rewrite
+      map files to align behaviour with Apache httpd. Pull request
+      provided by Chenjp.
+    + Fix: 69706: Saved request serialization issue in FORM introduced
+      when allowing infinite session timeouts.
+    + Fix: Expand the path checks for Pre-Resources and Post-Resources
+      mounted at a path within the web application.
+    + Fix: Process possible path parameters rewrite production in the
+      rewrite valve.
+    + Fix: 69588: Enable allowLinking to be set on PreResources,
+      JarResources and PostResources. If not set explicitly, the setting
+      will be inherited from the Resources.
+    + Add: 69633: Support for Filters using context root mappings.
+    + Fix: 69643: Optimize directory listing for large amount of files.
+      Patch submitted by Loic de l'Eprevier.
+    + Fix: #843: Off by one validation logic for partial PUT ranges and
+      associated test case. Submitted by Chenjp.
+    + Refactor: GCI servlet to access resources via the WebResource API.
+    + Fix: 69662: Report name in exception message when a naming lookup
+      failure occurs. Based on code submitted by Donald Smith.
+    + Fix: Ensure that the FORM authentication attribute
+      authenticationSessionTimeout works correctly when sessions have an
+      infinite timeout when authentication starts.
+    + Add: Provide a content type based on file extension when web
+      application resources are accessed via a URL.
+  * Coyote
+    + Refactor: #861: TaskQueue to use the new interface RetryableQueue
+      which enables better integration of custom Executors which provide
+      their own BlockingQueue implementation. Pull request provided by
+      Paulo Almeida.
+    + Add: Finer grained control of multi-part request processing via two
+      new attributes on the Connector element. maxPartCount limits the
+      total number of parts in a multi-part request and maxPartHeaderSize
+      limits the size of the headers provided with each part. Add support
+      for these new attributes to the ParameterLimitValve.
+  * Jasper
+    + Fix: 69696: Mark the JSP wrapper for reload after a failed
+      compilation.
+    + Fix: 69635: Add support to jakarta.el.ImportHandler for resolving
+      inner classes.
+    + Add: #842: Support for optimized execution of c:set and c:remove
+      tags, when activated via JSP servlet param
+      useNonstandardTagOptimizations.
+    + Fix: An edge case compilation bug for JSP and tag files on case
+      insensitive file systems that was exposed by the test case for
+      69635.
+  * Web applications
+    + Fix: 69694: Improve error reporting of deployment tasks done using
+      the manager webapp when a copy operation fails.
+    + Add: 68876: Documentation. Update the UML diagrams for server
+      start-up, request processing and authentication using PlantUML and
+      include the source files for each diagram.
+  * Other
+    + Add: Thread name to webappClassLoader.stackTraceRequestThread
+      message. Patch provided by Felix Zhang.
+    + Update: Tomcat Native to 2.0.9.
+    + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1
+      (2025-06-05).
+    + Update: EasyMock to 5.6.0.
+    + Update: Checkstyle to 10.25.0.
+    + Fix: Use the full path when the installer for Windows sets calls
+      icacls.exe to set file permissions.
+    + Update: Improvements to Japanese translations provided by tak7iji.
+    + Update: Jacoco to 0.8.13.
+    + Code: Explicitly set the locale to be used for Javadoc. For
+      official releases, this locale will be English (US) to support
+      reproducible builds.
+    + Update: Byte Buddy to 1.17.5.
+    + Update: Checkstyle to 10.23.1.
+    + Update: File extension to media type mappings to align with the
+      current list used by the Apache Web Server (httpd).
+    + Update: Improvements to French translations.
+    + Update: Improvements to Japanese translations provided by tak7iji. 
+
+-------------------------------------------------------------------
+Tue Jun 10 13:09:57 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Hardening permissions (bsc#1242722)
+
 -------------------------------------------------------------------
 Fri May  9 07:06:53 UTC 2025 - Fridrich Strba <fstrba@suse.com>
 

tomcat11.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat11
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -29,7 +29,7 @@
 %define elspec %{elspec_major}.%{elspec_minor}
 %define major_version 11
 %define minor_version 0
-%define micro_version 6
+%define micro_version 13
 %define java_major 1
 %define java_minor 17
 %define java_version %{java_major}.%{java_minor}
@@ -181,15 +181,11 @@ The documentation of web application for Apache Tomcat.
 %package el-%{elspec_major}_%{elspec_minor}-api
 Summary:        Expression Language v%{elspec} API
 Group:          Development/Libraries/Java
-Requires(post): update-alternatives
-Requires(preun): update-alternatives
 Conflicts:      %{app_name}-implementation-el-api
 Provides:       %{app_name}-el-%{elspec}-api = %{version}-%{release}
 Provides:       %{app_name}-implementation-el-api = %{version}
 Provides:       el_%{elspec_major}_%{elspec_minor}_api = %{version}-%{release}
-Provides:       el_api = %{elspec}
 Obsoletes:      %{app_name}-el-2_2-api < %{version}
-Obsoletes:      el_api < %{elspec}
 
 %description el-%{elspec_major}_%{elspec_minor}-api
 Expression Language API version %{elspec}.
@@ -207,15 +203,11 @@ Javadoc generated documentation files for Apache Tomcat.
 %package jsp-%{jspspec_major}_%{jspspec_minor}-api
 Summary:        Apache Tomcat JSP API implementation classes
 Group:          Productivity/Networking/Web/Servers
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 Conflicts:      %{app_name}-implementation-jsp-api
 Provides:       %{app_name}-implementation-jsp-api = %{version}
 Provides:       %{app_name}-jsp-%{jspspec}-api
-Provides:       jsp = %{jspspec}
 Provides:       jsp%{jspspec_major}%{jspspec_minor}
 Obsoletes:      %{app_name}-jsp-2_2-api < %{version}
-Obsoletes:      jsp < %{jspspec}
 
 %description jsp-%{jspspec_major}_%{jspspec_minor}-api
 Apache Tomcat JSP API implementation classes version %{jspspec}
@@ -254,17 +246,13 @@ Libraries required to successfully run the Tomcat Web container
 %package servlet-%{servletspec_major}_%{servletspec_minor}-api
 Summary:        Apache Tomcat Servlet API implementation classes
 Group:          Productivity/Networking/Web/Servers
-Requires(post): update-alternatives
-Requires(postun): update-alternatives
 Conflicts:      %{app_name}-implementation-servlet-api
 Provides:       %{app_name}-implementation-servlet-api = %{version}
 Provides:       %{app_name}-servlet-%{servletspec}-api = %{version}-%{release}
-Provides:       servlet = %{servletspec}
 Provides:       servlet11
 Provides:       servlet60
 Obsoletes:      %{app_name}-servlet-3_0-api < %{version}
 Obsoletes:      %{app_name}-servlet-3_1-api < %{version}
-Obsoletes:      servlet < %{servletspec}
 
 %description servlet-%{servletspec_major}_%{servletspec_minor}-api
 Apache Tomcat Servlet API implementation classes version %{servletspec}
@@ -588,14 +576,6 @@ echo "tomcat/catalina-ant" > %{buildroot}/%{_sysconfdir}/ant.d/catalina-ant
 #bnc#565901
 ln -sf %{_sbindir}/%{app_name} %{buildroot}/%{bindir}/catalina.sh
 
-# Install update-alternatives content
-mkdir -p %{buildroot}%{_sysconfdir}/alternatives
-ln -s -f %{_sysconfdir}/alternatives/el_api %{buildroot}%{_javadir}/%{app_name}-el_api.jar
-ln -s -f %{_sysconfdir}/alternatives/jsp %{buildroot}%{_javadir}/%{app_name}-jsp.jar
-# To avoid conflicts with servletapi4 and servletapi5 create a link to incorrect /etc/alternatives/servlet.jar.
-# It will be changed anyways to the correct symlink by update-alternatives.
-ln -s -f %{_sysconfdir}/alternatives/servlet.jar %{buildroot}%{_javadir}/servlet.jar
-
 %pre
 # add the tomcat user and group
 getent group tomcat >/dev/null || %{_sbindir}/groupadd -r tomcat
@@ -627,49 +607,6 @@ runuser -u tomcat -g tomcat -- xsltproc --output %{confdir}/server.xml %{confdir
 %postun jsvc
 %service_del_postun %{app_name}-jsvc.service
 
-%post el-%{elspec_major}_%{elspec_minor}-api
-update-alternatives --install %{_javadir}/%{app_name}-el_api.jar el_api %{_javadir}/%{app_name}-el-%{elspec}-api.jar 20300
-
-%postun el-%{elspec_major}_%{elspec_minor}-api
-if [ $1 -eq 0 ] ; then
-    update-alternatives --remove el_api %{_javadir}/%{app_name}-el-%{elspec}-api.jar
-fi
-
-%post jsp-%{jspspec_major}_%{jspspec_minor}-api
-update-alternatives --install %{_javadir}/%{app_name}-jsp.jar jsp \
-    %{_javadir}/%{app_name}-jsp-%{jspspec}-api.jar 20200
-
-%postun jsp-%{jspspec_major}_%{jspspec_minor}-api
-if [ $1 -eq 0 ] ; then
-    update-alternatives --remove jsp \
-        %{_javadir}/%{app_name}-jsp-%{jspspec}-api.jar
-fi
-
-%post servlet-%{servletspec_major}_%{servletspec_minor}-api
-update-alternatives --install %{_javadir}/servlet.jar servlet \
-    %{_javadir}/%{app_name}-servlet-%{servletspec}-api.jar 30000
-# Fix for bsc#1092163.
-# Keep the /usr/share/java/tomcat-servlet.jar symlink for compatibility.
-# In case of update from an older version where /usr/share/java/tomcat-servlet.jar is an alternatives symlink
-# the update-alternatives in the new version will cause a rename tomcat-servlet.jar -> servlet.jar.
-# This makes sure the %{app_name}-servlet.jar is recreated if it's missing because of the rename.
-if [ ! -f %{_javadir}/%{app_name}-servlet.jar ]; then
-    echo "Recreating symlink %{_javadir}/%{app_name}-servlet.jar"
-    ln -s %{_javadir}/%{app_name}-servlet-%{servletspec}-api.jar %{_javadir}/%{app_name}-servlet.jar
-fi
-
-%postun servlet-%{servletspec_major}_%{servletspec_minor}-api
-if [ $1 -eq 0 ] ; then
-    if [ ! -f %{_sysconfdir}/alternatives/servlet ]; then
-        # servlet was removed on uninstall.
-        # Create a broken symlink to make sure update-alternatives works correctly and falls back
-        # to servletapi5 or servletapi4 if they're installed.
-        ln -s %{_javadir}/%{app_name}-servlet-%{servletspec}-api.jar %{_sysconfdir}/alternatives/servlet
-    fi
-    update-alternatives --remove servlet \
-        %{_javadir}/%{app_name}-servlet-%{servletspec}-api.jar
-fi
-
 %post lib
 # those links are no longer needed
 rm -f \
@@ -727,22 +664,22 @@ fi
 
 %files
 %doc {LICENSE,NOTICE,RELEASE*}
-%attr(0755,root,root) %{_bindir}/%{app_name}-digest
-%attr(0755,root,root) %{_bindir}/%{app_name}-tool-wrapper
-%attr(0755,root,root) %{_sbindir}/%{app_name}
-%attr(0644,root,root) %{_unitdir}/%{app_name}.service
+%{_bindir}/%{app_name}-digest
+%{_bindir}/%{app_name}-tool-wrapper
+%{_sbindir}/%{app_name}
+%{_unitdir}/%{app_name}.service
 %{_sbindir}/rc%{app_name}
-%attr(0644,root,root) %{_unitdir}/%{app_name}@.service
-%attr(0755,root,root) %dir %{_libexecdir}/%{app_name}
-%attr(0755,root,root) %dir %{_localstatedir}/lib/%{app_name}s
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/functions
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/preamble
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/server
+%{_unitdir}/%{app_name}@.service
+%dir %{_libexecdir}/%{app_name}
+%dir %{_localstatedir}/lib/%{app_name}s
+%{_libexecdir}/%{app_name}/functions
+%{_libexecdir}/%{app_name}/preamble
+%{_libexecdir}/%{app_name}/server
 #bnc#565901
 %{bindir}/catalina.sh
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{app_name}10
-%attr(0755,root,tomcat) %dir %{basedir}
-%attr(0755,root,tomcat) %dir %{confdir}
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{app_name}10
+%dir %{basedir}
+%dir %{confdir}
 %attr(0775,root,tomcat) %dir %{appdir}
 %attr(0770,tomcat,tomcat) %dir %{logdir}
 %attr(0660,tomcat,tomcat) %{logdir}/catalina.out
@@ -755,28 +692,28 @@ fi
 %attr(0775,root,tomcat) %dir %{tomcatappdir}
 
 %{confdir}/Catalina
-%attr(0755,root,tomcat) %dir %{confdir}/conf.d
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/conf.d/README
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/%{app_name}.conf
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.properties
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/context.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/server.xml
+%dir %{confdir}/conf.d
+%config(noreplace) %{confdir}/conf.d/README
+%config(noreplace) %{confdir}/%{app_name}.conf
+%config(noreplace) %{confdir}/*.properties
+%config(noreplace) %{confdir}/context.xml
+%config(noreplace) %{confdir}/server.xml
 # keep tomcat-users.xml readable only by root and tomcat group
 %attr(0640,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/web.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
-%attr(0755,root,tomcat) %dir %{homedir}
-%attr(0644,root,tomcat) %{bindir}/bootstrap.jar
-%attr(0644,root,tomcat) %{bindir}/catalina-tasks.xml
+%config(noreplace) %{confdir}/web.xml
+%config(noreplace) %{confdir}/jaspic-providers.xml
+%dir %{homedir}
+%{bindir}/bootstrap.jar
+%{bindir}/catalina-tasks.xml
 %{homedir}/lib
 %{homedir}/temp
 %{homedir}/webapps
 %{homedir}/work
 %{homedir}/logs
 %{homedir}/conf
-%attr(0644,root,tomcat) %{_fillupdir}/sysconfig.%{app_name}
-%attr(0644,root,tomcat) %{confdir}/allowLinking.xslt
-%attr(0644,root,tomcat) %{confdir}/valve.xslt
+%{_fillupdir}/sysconfig.%{app_name}
+%{confdir}/allowLinking.xslt
+%{confdir}/valve.xslt
 
 %files admin-webapps
 %defattr(0644,root,tomcat,0755)
@@ -792,11 +729,6 @@ fi
 %{_javadir}/%{app_name}-el-%{elspec}-api.jar
 %{_javadir}/%{app_name}-el-api.jar
 %{libdir}/%{app_name}-el-%{elspec}-api.jar
-%ghost %{_javadir}/%{app_name}-el_1_0_api.jar
-%ghost %{_javadir}/%{app_name}-el_api.jar
-%ghost %{_sysconfdir}/alternatives/%{app_name}-el_api.jar
-%ghost %{_sysconfdir}/alternatives/el_1_0_api
-%ghost %{_sysconfdir}/alternatives/el_api
 
 %files doc
 %doc %{_javadocdir}/%{app_name}
@@ -804,9 +736,6 @@ fi
 %files jsp-%{jspspec_major}_%{jspspec_minor}-api -f output/dist/src/res/maven/.mfiles-jsp-api
 %{_javadir}/%{app_name}-jsp-%{jspspec}-api.jar
 %{_javadir}/%{app_name}-jsp-api.jar
-%ghost %{_javadir}/%{app_name}-jsp.jar
-%ghost %{_sysconfdir}/alternatives/%{app_name}-jsp.jar
-%ghost %{_sysconfdir}/alternatives/jsp
 
 %files lib -f output/dist/src/res/maven/.mfiles
 %{libdir}
@@ -826,10 +755,6 @@ fi
 %{_javadir}/%{app_name}-servlet-%{servletspec}-api.jar
 %{_javadir}/%{app_name}-servlet-api.jar
 %{_javadir}/%{app_name}-servlet.jar
-%{_javadir}/servlet.jar
-%ghost %{_sysconfdir}/alternatives/tomcat-servlet.jar
-%ghost %attr(-,root,root) %{_sysconfdir}/alternatives/servlet.jar
-%ghost %attr(-,root,root) %{_sysconfdir}/alternatives/servlet
 
 %files webapps
 %defattr(0644,root,tomcat,0755)
@@ -841,7 +766,7 @@ fi
 
 %files jsvc
 %defattr(755,root,root,0755)
-%attr(0644,root,root) %{_unitdir}/%{app_name}-jsvc.service
+%{_unitdir}/%{app_name}-jsvc.service
 %{_sbindir}/rc%{app_name}-jsvc
 
 %changelog