- Update to Tomcat 11.0.10

- Update to Tomcat 11.0.9
- adapt tomcat-jdt.patch * Fixed CVEs: + CVE-2025-52520: Align size tracking for multipart requests with FileUpload's use of long. (bsc#1246388) + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier. (bsc#1246318) * Catalina + Fix: Ensure application configured welcome files override the defaults when configuring an embedded web application programmatically. (markt) + Update: Optimize Request#getCharsetHolder to avoid repeated parsing when charset is null. Patch provided by morning-gu. (schultz) + Fix: Allow the default servlet to set the content length when the content length is known, no content has been written and a Writer is being used. (markt) + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. (remm/markt) + Fix: 69731: Fix an issue that meant that the value of maxParameterCount applied was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters. (markt) + Fix: Align size tracking for multipart requests with FileUpload's use of long. (schultz) * Coyote + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. (markt) + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding when the headers include a content-length. (remm/markt) + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting one request multiple times. Based on pull request #868 by qingdaoheze. (markt) + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. (remm) + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional certificate verification and improve the warnings when a web application tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of TLS 1.3. (markt) + Fix: When setting the initial HTTP/2 connection limit, apply those limits earlier. (markt) * Jasper + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt) + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL grammar as both are unused. (markt) * Web applications + Add: Documentation. Provide more explicit guidance regarding the security considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt) + Add: Documentation. Add a section on reverse proxies to the security considerations page. (markt) * Other + Update: Update to the Eclipse JDT compiler 4.36. (markt) + Update: Update UnboundID to 7.0.3. (markt) + Update: Update Checkstyle to 10.25.1. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt) OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat11?expand=0&rev=15
2025-08-25 15:43:27 +02:00 · 2025-08-14 08:00:45 +00:00 · 2025-06-24 12:02:11 +00:00 · 2025-06-10 13:48:55 +00:00
6 changed files with 60 additions and 20 deletions
--- a/apache-tomcat-11.0.10-src.tar.gz
+++ b/apache-tomcat-11.0.10-src.tar.gz
--- a/apache-tomcat-11.0.10-src.tar.gz.asc
+++ b/apache-tomcat-11.0.10-src.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAmiLoBUACgkQEMAcWi9g
+Wef1ZhAA88WDLuHSHd4cMO9XFoQ+GPlYFw/exFo17GJ6W9Hi0iLYwzZKfgup9evq
+K86HmhecGHFh2qL7rjo1aB6Kl3ls3yEhIeYNyZA1tdMs7CKtcUyqtVQCR4AG4p9J
+hcq8U5dwxCUyl29/pkJw4x7og8WmQh6+5fHy0HEm6xfk1Wie0aAAkIaGKWixo43l
+R+ZVmWqbgaHK3QP0EIGtGfS2Q3GELuTyEQD5IokeE8REjgWSixvpmo6xI+JcxeA2
+u9bZguvH2lOmG+grGWWOQKe/JZNXE8nHKoMo1eDeFi9FSw0lsYDLcOHUdsZ2I7PY
+yOfkDZ9fEZOvLLnSOcbFjD2bJsXT93p3lL9Gg3/OiA2uhWr7NjLxGHAtVgvpocm9
+FQ79hMhMvGvPjCuY6gI6E+xmbEEocfVGTWLNnHtCfCgcR75sfWXePS3nHZRlbr9b
+6AsmXvjJJF9ob+a5qTRYB4lCndYsCcHDbhI5BJqa8c4tN6+FUWcZlimFWpTJmvC7
+C0w0t8AVpOxvaSOWNj+ndbivSBCsouFyPLzFB0xS6wxMZBkmlLcz4m0ydENFKIXz
+ruEP3FVZMaEtS7P3tr3MBKSamIYImS84gBT/V0Z1FhS4OEy7PVkZo7vhbxzFfr+t
+9wnv4581cn+fYYzPIE/I3kvFztLn30dV3p89hSvmD0nR37WY5xk=
+=uKQB
+-----END PGP SIGNATURE-----
--- a/apache-tomcat-11.0.9-src.tar.gz
+++ b/apache-tomcat-11.0.9-src.tar.gz
--- a/apache-tomcat-11.0.9-src.tar.gz.asc
+++ b/apache-tomcat-11.0.9-src.tar.gz.asc
@@ -1,16 +0,0 @@
-----BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEqcXfTSLpmZjZh1pREMAcWi9gWecFAmhkURgACgkQEMAcWi9g
-WeckXQ//fn7jwCs78FjdqvF65OV3hTkhWcmd7JHBc0at/9ol/FofUE2s4VanpqKc
-ykjQuxbHMA/gajpgvUNeW0CuJjlFAfRPl0pibCw3rdkUHH5i/JO65zvNpN0wQjWj
-8Jxb8KZfgn0LtQnYSa4h7hFN3D17GiAJkmWgdpJY/fJpeQep3zBvEX0WZx6bSQfn
-zEBmbXVC+oLd+M60j/q9K2cwpl8QVqy2kKejvIS0pz4Nugg9jm/MifwMAAfzqhoO
-L2xstI3sTxpAQfuD3tHuqjuUKIcX+QnyfeBdTNAizP7nuwy4jb262HoWO42reJCz
-MTe3kzeev0BvemdCVBvT6ZURgoYfpVtGlzRu79/8kxmyayvqAFSVBOZEz0G9IkXL
-L9MdLCIwIZqEU7gM2k7Ayi2jrnBDj1edAX/C+/qFCwU8juXCpxLMGEwwld1ns14n
-XZ8NsFjKSZ01a2bowLtGXrj0yWGyGTt1lhj6vMNQl1v7c3/e+kuwBQkB0yZVjrZu
-lbA2WHZT5B0RFG3QgFucvRRJwHxdFZ8ZApYpNcdkwT58Lz1ZF1t7ovg5lWBdB9MN
-izN925A0zAbt8is3++d0J7QRcVopCHd+551f4pZID0upiBb5IBOB7GPF0/6ucRac
-LiGm74GGISa1OLu545N6g8m3r1CzhfAktcd+no/25WgoaeN04ro=
-=TW1e
-----END PGP SIGNATURE-----
--- a/tomcat11.changes
+++ b/tomcat11.changes
@@ -1,3 +1,43 @@
+-------------------------------------------------------------------
+Mon Aug 25 13:38:13 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 11.0.10
+  * Fixed CVEs:
+    + CVE-2025-48989: Update the HTTP/2 overhead documentation (bsc#1243895)
+  * Catalina
+    + Fix: Fix bloom filter population for archive indexing when using a
+      packed WAR containing one or more JAR files. (markt)
+  * Coyote
+    + Fix: 69748: Add missing call to set keep-alive timeout when using
+      HTTP/1.1 following an async request, which was present for AJP.
+      (remm/markt)
+    + Fix: 69762: Fix possible overflow during HPACK decoding of integers.
+      Note that the maximum permitted value of an HPACK decoded integer is
+      Integer.MAX_VALUE. (markt)
+    + Fix: Update the HTTP/2 overhead documentation - particularly the code
+      comments - to reflect the deprecation of the PRIORITY frame and
+      clarify that a stream reset always triggers an overhead increase.
+      (markt)
+  * Cluster
+    + Update: Add enableStatistics configuration attribute for the
+      DeltaManager, defaulting to true. (remm)
+  * WebSocket
+    + Fix: Align the WebSocket extension handling for WebSocket client
+      connections with WebSocket server connections. The WebSocket client
+      now only includes an extension requested by an endpoint in the
+      opening handshake if the WebSocket client supports that extension.
+      (markt)
+  * Web applications
+    + Fix: Manager and Host Manager. Provide the Manager and Host Manager
+      web applications with a dedicated favicon file rather than using the
+      one from the ROOT web application which might not be present or may
+      represent something entirely different. Pull requests #876 and #878
+      by Simon Arame.
+  * Other
+    + Update: Update Checkstyle to 10.26.1. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+
 -------------------------------------------------------------------
 Wed Aug  6 13:07:07 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>

--- a/tomcat11.spec
+++ b/tomcat11.spec
@@ -29,7 +29,7 @@
 %define elspec %{elspec_major}.%{elspec_minor}
 %define major_version 11
 %define minor_version 0
-%define micro_version 9
+%define micro_version 10
 %define java_major 1
 %define java_minor 17
 %define java_version %{java_major}.%{java_minor}
Author	SHA256	Message	Date
mbussolotto	c0fea7b4c7	- Update to Tomcat 11.0.10	2025-08-25 15:43:27 +02:00
Fridrich Strba	9702856deb	- Update to Tomcat 11.0.9 - adapt tomcat-jdt.patch * Fixed CVEs: + CVE-2025-52520: Align size tracking for multipart requests with FileUpload's use of long. (bsc#1246388) + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier. (bsc#1246318) * Catalina + Fix: Ensure application configured welcome files override the defaults when configuring an embedded web application programmatically. (markt) + Update: Optimize Request#getCharsetHolder to avoid repeated parsing when charset is null. Patch provided by morning-gu. (schultz) + Fix: Allow the default servlet to set the content length when the content length is known, no content has been written and a Writer is being used. (markt) + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. (remm/markt) + Fix: 69731: Fix an issue that meant that the value of maxParameterCount applied was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters. (markt) + Fix: Align size tracking for multipart requests with FileUpload's use of long. (schultz) * Coyote + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. (markt) + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding when the headers include a content-length. (remm/markt) + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting one request multiple times. Based on pull request #868 by qingdaoheze. (markt) + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. (remm) + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional certificate verification and improve the warnings when a web application tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of TLS 1.3. (markt) + Fix: When setting the initial HTTP/2 connection limit, apply those limits earlier. (markt) * Jasper + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt) + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL grammar as both are unused. (markt) * Web applications + Add: Documentation. Provide more explicit guidance regarding the security considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt) + Add: Documentation. Add a section on reverse proxies to the security considerations page. (markt) * Other + Update: Update to the Eclipse JDT compiler 4.36. (markt) + Update: Update UnboundID to 7.0.3. (markt) + Update: Update Checkstyle to 10.25.1. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt) OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat11?expand=0&rev=15	2025-08-14 08:00:45 +00:00
Fridrich Strba	8abce25171	- Update to Tomcat 11.0.8 * Fixed CVEs: + CVE-2025-46701: refactor CGI servlet to access resources via WebResources (bsc#1243815) + CVE-2025-48988: limits the total number of parts in a multi-part request and limits the size of the headers provided with each part (bsc#1244656) + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649) * Catalina + Add: Support for the java:module namespace which mirrors the java:comp namespace. + Fix: 69690: Calling HttpServletRequest.getParameter() and related methods for a request with content type multipart/form-data when the mapped servlet does not have a @MultipartConfig or equivalent should not trigger an exception. Note that calling getPart() or getParts() is these circumstances will trigger an exception. + Add: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. + Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite. + Add: #863: Support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp. + Fix: 69706: Saved request serialization issue in FORM introduced when allowing infinite session timeouts. + Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application. + Fix: Process possible path parameters rewrite production in the rewrite valve. + Fix: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources. + Add: 69633: Support for Filters using context root mappings. + Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier. + Fix: #843: Off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp. + Refactor: GCI servlet to access resources via the WebResource API. + Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith. + Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts. + Add: Provide a content type based on file extension when web application resources are accessed via a URL. * Coyote + Refactor: #861: TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida. + Add: Finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve. * Jasper + Fix: 69696: Mark the JSP wrapper for reload after a failed compilation. + Fix: 69635: Add support to jakarta.el.ImportHandler for resolving inner classes. + Add: #842: Support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations. + Fix: An edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635. * Web applications + Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails. + Add: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram. * Other + Add: Thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang. + Update: Tomcat Native to 2.0.9. + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05). + Update: EasyMock to 5.6.0. + Update: Checkstyle to 10.25.0. + Fix: Use the full path when the installer for Windows sets calls icacls.exe to set file permissions. + Update: Improvements to Japanese translations provided by tak7iji. + Update: Jacoco to 0.8.13. + Code: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. + Update: Byte Buddy to 1.17.5. + Update: Checkstyle to 10.23.1. + Update: File extension to media type mappings to align with the current list used by the Apache Web Server (httpd). + Update: Improvements to French translations. + Update: Improvements to Japanese translations provided by tak7iji. OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat11?expand=0&rev=13	2025-06-24 12:02:11 +00:00
Fridrich Strba	f9c0aa4b46	- Hardening permissions (bsc#1242722) OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat11?expand=0&rev=11	2025-06-10 13:48:55 +00:00