diff --git a/apache-tomcat-9.0.87-src.tar.gz b/apache-tomcat-9.0.87-src.tar.gz
deleted file mode 100644
index 05c9438..0000000
--- a/apache-tomcat-9.0.87-src.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cf9248f068152518445f6e418b5a6a1251ea3b8c7a60f6d35c6d3a79d13d26b1
-size 6332438
diff --git a/apache-tomcat-9.0.87-src.tar.gz.asc b/apache-tomcat-9.0.87-src.tar.gz.asc
deleted file mode 100644
index 9ace728..0000000
--- a/apache-tomcat-9.0.87-src.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmXu2nYACgkQaCSJWTWe
-cis4lg//VHmtdBX2BrPuE8AV2R3ob9KI4uxrBxfjukb/HfvsXT1Zz00R27HVbKln
-h1hx7PCTrVJq+sHLDiDnYF1FDC5M+atvryoXcFIAEgnkqQ4toSgqBTa85NcRxrKY
-lBnQrZ5ZF5MJ7h+E8r7PIXwjbKbcvMLnhqvXwIB6TOMgUC3UOwZPN2vvq20XqYHA
-tevMCDLdMjcAdiOMqkekmq6y8KaEMoEY2rJG3KHCPXKkVQflQoX1bNs88vSd4t4F
-CQTcLauo9oyT+IaaanJWrawnKxlAD6x8QuFkJWNK2SC7145IGWeo1R32xzPvQdau
-Lu69YayASXq2nilYCLI3uZQ4tFSjCosi+DZaJVatMi2wbGXheau36vS8WLYkroWt
-w9deOo+KYiibckgEGbEncAD54sBVKF5Eun751CzSDZC1yV+08oII16koIl0TQlcd
-ZFhpIgQ5fo19VUReLQ9JlR98vbLnVFGg+3GVzHqfIATrVuulaliw6HOK7UT/ixFX
-jWNdR+/szFe3gTy+RifMU4C3D0hWEhRQGjnVoUPdck2ANBOm5CPV3R5IL2ej03yj
-LYXCJ++r+e/O5tftlax2Tnpmxzo0HFrQCSr+1HTsE4VY7Upy0liiV3btBWPcKKVp
-0e3E2wYv9P1PcTJD+XUOLX1yuYZv0xCS5fQ4t/ZlSR2R20+rUu4=
-=F+I2
------END PGP SIGNATURE-----
diff --git a/apache-tomcat-9.0.91-src.tar.gz b/apache-tomcat-9.0.91-src.tar.gz
new file mode 100644
index 0000000..39319cb
--- /dev/null
+++ b/apache-tomcat-9.0.91-src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:ed77edc0ba0db471c4b4799fa5b67a1e01ed8b4f65abc5684b39c0b2935ee13e
+size 6325998
diff --git a/apache-tomcat-9.0.91-src.tar.gz.asc b/apache-tomcat-9.0.91-src.tar.gz.asc
new file mode 100644
index 0000000..54341ad
--- /dev/null
+++ b/apache-tomcat-9.0.91-src.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmaD9OQACgkQaCSJWTWe
+cit6cA/+L/gMzNTxjtqsuWDrT1Wkr9MeU6/5oEB/LpUxhWUWam0Ni+eyj51vLO6X
+7UfHOQt8qClNUsyqz6kpmedPLowrhPk2UM9LdJsn7Sh9ttdbJQzjHD3LqVze9CKu
+eHggf6KUTJGcbOpP+8/gttwVM7U4wGppzOLi4vQCSI54yO4tinyyaSEk0DH8zlAa
+Rcb6tJoKEtqtlq1gam9udjPFFcNOcpXEOCLCgLRLqVkna3IVvFUNTx0bccilUDl/
+vGcD/7W1tsULb4A0sqLhQINzZlBpu2kp/5qdWLFhnJhRp0pZbLDo5/gjW77jLrIx
+HMmSuPVuswn/OQmAe57YRo2YF3e+7zxjKJ+73aDhfK/xHEInsQMgMCdgYH+d6Inn
+OT4MrUVEPApOnQPpV2Ag9HEvw3E9zT3dkcNqn3QCF+RaXNtdJgGurRl5UaQapWkH
+Mj6WbnmWpqTBO1SxxPCb1KqIoO3jLqKMR7h0TAchBH/XdRuafy3Ga632dUYX722J
+K73vU1fC1pyh0NZMPsDEAwv3V0JDnYzAF4PKxKb2gnQ/2u/e/p/ACBgaVqXRMAD9
+JFfhgBnt5vj7GOOm5opYoW+B1dtRyJ2CmYmO+g9UstRxYhShH7HPQbyExJo81JgZ
+S1W7wYlopgIAsL9gy1TlPAofa25SI24UaaC4VivDK2FyyAYk21Y=
+=1v5b
+-----END PGP SIGNATURE-----
diff --git a/tomcat-9.0-build-with-java-11.patch b/tomcat-9.0-build-with-java-11.patch
index 80ccb4a..25bacb3 100644
--- a/tomcat-9.0-build-with-java-11.patch
+++ b/tomcat-9.0-build-with-java-11.patch
@@ -1,13 +1,13 @@
-Index: apache-tomcat-9.0.85-src/build.xml
+Index: apache-tomcat-9.0.91-src/build.xml
===================================================================
---- apache-tomcat-9.0.85-src.orig/build.xml
-+++ apache-tomcat-9.0.85-src/build.xml
+--- apache-tomcat-9.0.91-src.orig/build.xml
++++ apache-tomcat-9.0.91-src/build.xml
@@ -107,7 +107,7 @@
-
+
+
+
-
-
diff --git a/tomcat-9.0-osgi-build.patch b/tomcat-9.0-osgi-build.patch
index cc0ce1b..2e2f51c 100644
--- a/tomcat-9.0-osgi-build.patch
+++ b/tomcat-9.0-osgi-build.patch
@@ -1,8 +1,19 @@
---- apache-tomcat-9.0.75-src/build.xml 2023-05-22 18:12:16.995658642 +0200
-+++ apache-tomcat-9.0.75-src/build.xml 2023-05-22 19:41:42.051370923 +0200
-@@ -215,10 +215,10 @@
+--- apache-tomcat-9.0.91-src/build.xml 2024-07-08 18:21:26.161496515 +0200
++++ apache-tomcat-9.0.91-src/build.xml 2024-07-08 18:30:43.722334075 +0200
+@@ -226,11 +226,21 @@
+
++
++
++
++
++
++
++
++
++
++
-
@@ -12,16 +23,14 @@
-@@ -3845,6 +3845,12 @@
-
-
-
-+
-+
-+
-+
-+
-+
-
+@@ -3960,10 +3970,6 @@
+
+
+-
+-
+-
+-
+
+
diff --git a/tomcat.changes b/tomcat.changes
index e330a9c..6aeec7e 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,228 @@
+-------------------------------------------------------------------
+Mon Jul 8 16:34:38 UTC 2024 - Fridrich Strba
+
+- Modified patch:
+ * tomcat-9.0-osgi-build.patch
+ + move the definition of bnd.classpath out of the setup-bnd task
+ since it is one component in build.classpath
+
+-------------------------------------------------------------------
+Mon Jul 8 14:54:54 UTC 2024 - Ricardo Mestre
+
+- Update to Tomcat 9.0.91
+ * Fixed CVEs:
+ + CVE-2024-34750: Improper handling of exceptional conditions
+ (bsc#1227399)
+ * Catalina
+ + Fix: Allow JAASRealm to use the configuration source to load a configured
+ configFile, for easier use with testing. (remm)
+ + Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)
+ + Fix: 69131: Expand the implementation of the filter value of the
+ Authenticator attribute allowCorsPreflight, so that it applies to all
+ requests that match the configured URL patterns for the CORS filter,
+ rather than only applying if the CORS filter is mapped to /*. (markt)
+ + Add: Add support for shallow copies when using WebDAV. (markt)
+ + Code: Deprecate the WebdavFixFilter as it is no longer required. (markt)
+ + Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64.
+ Submitted by Daniel Lyko. (remm)
+ + Update: Update minimum recommended version of Tomcat Native to 1.3.0. Pull
+ request #728 provided by Dimitrios Soumis. (markt)
+ + Update: The system property org.apache.catalina.connector.RECYCLE_FACADES
+ will now default to true if not specified, which will in turn set the
+ default value for the discardFacades connector attribute, thus causing
+ facade objects to be discarded by default. (remm)
+ + Add: Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for
+ retrieving extended/additional information from an established GSS
+ context. (michaelo)
+ + Fix: Correct a regression in the fix for 68721 that caused some instances
+ of LinkageError to be reported as ClassNotFoundException. (markt)
+ + Fix: Ensure that static resources deployed via a JAR file remain
+ accessible when the context is configured to use a bloom filter. Based on
+ pull request #730 provided by bergander. (markt)
+ + Add: Introduce reference counting so the AprLifecycleListener is more
+ robust. This particularly targets more complex embedded configurations
+ with multiple server instances with independent lifecycles where more than
+ one server instance requires the AprLifecycleListener. (markt)
+ + Update: Deprecate and remove sessionCounter (replaced by the addition of
+ the active session count and the expired session count, as a reasonable
+ approximation) and duplicates (which does not represent a possible event
+ in current implementations) statistics from the session manager. (remm)
+ + Fix: 68890 Align output encoding of JSPs in the Manager webapp with the
+ XML declarations in those same files. (schultz)
+ + Fix: Update Basic authentication to implement the requirements of RFC 7617
+ including the changing of the trimCredentials setting which is now
+ defaults to false. Note that the trimCredentials setting will be removed
+ in Tomcat 11. (markt)
+ + Add: Small performance optimization when logging cookies with no values.
+ (schultz)
+ + Fix: Correct error handling for asynchronous requests. If the application
+ performs an dispatch during AsyncListener.onError() the dispatch is now
+ performed rather than completing the request using the error page
+ mechanism. (markt)
+ + Fix: Fix WebDAV lock null (locks for non existing resources) thread safety
+ and removal. (remm)
+ + Fix: Add periodic checking for WebDAV locks expiration. (remm)
+ + Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo)
+ + Update: Add highConcurrencyStatus attribute to the SemaphoreValve to
+ optionally allow the valve to return an error status code to the client
+ when a permit cannot be acquired from the semaphore. (remm)
+ + Add: Add checking of the "age" of the running Tomcat instance since its
+ build-date to the SecurityListener, and log a warning if the server is
+ old. (schultz)
+ + Fix: When using the AsyncContext, throw an IllegalStateException, rather
+ than allowing an NullPointerException, if an attempt is made to use the
+ AsyncContext after it has been recycled. (markt)
+ + Fix: Change the thread-safety mechanism for protecting
+ StandardServer.services from a simple synchronized lock to a
+ ReentrantReadWriteLock to allow multiple readers to operate
+ simultaneously. Based upon a suggestion by Markus Wolfe. (schultz)
+ + Fix: Improve Service connectors, Container children and Service executors
+ access sync using a ReentrantReadWriteLock. (remm)
+ + Fix: Improve handling of integer overflow if an attempt is made to upload
+ a file via the Servlet API and the file is larger than
+ Integer.MAX_VALUE. (markt)
+ + Fix: 68862: Handle possible response commit when processing read errors.
+ (remm)
+ * Jasper
+ + Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of
+ new classes added to the java.lang package in Java 23. (markt)
+ + Fix: Ensure that an exception in toString() still results in an
+ ELException when an object is coerced to a String using
+ ExpressionFactory.coerceToType(). (markt)
+ + Add: Add support for specifying Java 24 (with the value 24) as the
+ compiler source and/or compiler target for JSP compilation. If used with
+ an Eclipse JDT compiler version that does not support these values, a
+ warning will be logged and the default will used. (markt)
+ + Fix: 69135: When using include directives in a tag file packaged in a JAR
+ file, ensure that context relative includes are processed correctly. (
+ markt)
+ + Fix: 69135: When using include directives in a tag file packaged in a JAR
+ file, ensure that file relative includes are processed correctly. (markt)
+ + Fix: 69135: When using include directives in a tag file packaged in a JAR
+ file, ensure that file relative includes are are not permitted to access
+ files outside of the /META_INF/tags/ directory nor outside of the JAR
+ file. (markt)
+ + Fix: 68546: Small additional optimisation for initial loading of Servlet
+ code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt)
+ + Add: Add support for specifying Java 23 (with the value 23) as the
+ compiler source and/or compiler target for JSP compilation. If used with
+ an Eclipse JDT compiler version that does not support these values, a
+ warning will be logged and the default will used. (markt)
+ + Fix: Handle the case where the JSP engine forwards a request/response to a
+ Servlet that uses an OutputStream rather than a Writer. This was
+ triggering an IllegalStateException on code paths where there was a
+ subsequent attempt to obtain a Writer. (markt)
+ + Fix: Correctly handle the case where a tag library is packaged in a JAR
+ file and the web application is deployed as a WAR file rather than an
+ unpacked directory. (markt)
+ + Fix: Prevent the web application's ClassLoader from being pinned by the
+ JSP compiler if an application uses a custom XMLInputFactory. Based upon a
+ suggestion from Simon Niederberger. (schultz)
+ * Web applications
+ + Fix: Fix status servlet detailed view of the connectors when using
+ automatic port. (remm)
+ + Add: Add the ability to set a sub-title for the Manager web application
+ main page. This is intended to allow users with lots of instances to
+ easily distinguish them. Based on pull request #724 by Simon Arame.
+ (markt)
+ + Fix: Examples: Improve performance of WebSocket chat application when
+ multiple clients disconnect at the same time. (markt)
+ + Update: Examples: Increase the number of previous messages displayed when
+ using the WebSocket chat application. (markt)
+ + Fix: Examples: Improve performance of WebSocket snake application when
+ multiple clients disconnect at the same time. (markt)
+ * Coyote
+ + Fix: Improve the algorithm used to identify the IP address to use to
+ unlock the acceptor thread when a Connector is listening on all local
+ addresses. Interfaces that are configured for point to point connections
+ or are not currently up are now skipped. (markt)
+ + Fix: 69121: Ensure that the onComplete() event is triggered if
+ AsyncListener.onError() dispatches to a target that throws an exception.
+ (markt)
+ + Fix: Following the trailer header field refactoring, -1 is no longer an
+ allowed value for maxTrailerSize. Adjust documentation accordingly. (remm)
+ + Fix: 69068: Ensure read timouts are triggered for asynchronous,
+ non-blocking reads when using HTTP/2. (markt)
+ + Update: 69133: Add task queue size configuration on the Connector element,
+ similar to the Executor element, for consistency. (remm)
+ + Fix: Make counting of active HTTP/2 streams per connection more robust.
+ (markt)
+ + Add: Add support for TLS 1.3 client initiated re-keying. (markt)
+ + Fix: Align non-secure and secure writes with NIO and skip the write
+ attempt when there are no bytes to be written. (markt)
+ + Fix: Allow any positive value for socket.unlockTimeout. If a negative or
+ zero value is configured, the default of 250ms will be used. (mark)
+ + Fix: Reduce the time spent waiting for the connector to unlock. The
+ previous default of 10s was noticeably too long for cases where the unlock
+ has failed. The wait time is now 100ms plus twice socket.unlockTimeout.
+ (markt)
+ + Fix: Ensure that the onAllDataRead() event is triggered when the request
+ body uses chunked encoding and is read using non-blocking IO. (markt)
+ + Fix: 68934: Add debug logging in the latch object when exceeding
+ maxConnections. (remm)
+ + Fix: Refactor trailer field handling to use a MimeHeaders instance to
+ store trailer fields. (markt)
+ + Fix: Ensure that multiple instances of the same trailer field are handled
+ correctly. (markt)
+ + Fix: Fix non-blocking reads of chunked request bodies. (markt)
+ + Fix: When an invalid HTTP response header was dropped, an off-by-one error
+ meant that the first header in the response was also dropped. Fix based on
+ pull request #710 by foremans. (markt)
+ + Fix: Add threadsMaxIdleTime attribute to the endpoint, to allow
+ configuring the amount of time before an internal executor will scale back
+ to the configured minSpareThreads size. (remm)
+ * WebSocket
+ + Fix: 68884: Reduce the write timeout when writing WebSocket close messages
+ for abnormal closes. The timeout defaults to 50 milliseconds and may be
+ controlled using the
+ org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT property
+ in the user properties collection associated with the WebSocket session.
+ (markt)
+ * Other
+ + Update: Add test-only build target to allow running only the testsuite,
+ supporting Java versions down to the minimum supported to run Tomcat.
+ (rjung)
+ + Update: Update UnboundID to 7.0.1. (markt)
+ + Update: Update to SpotBugs 4.8.6. (markt)
+ + Update: Remove cglib dependency as it is not required by the version of
+ EasyMock used by the unit tests. (markt)
+ + Update: Update EasyMock to 5.3.0. This adds a test dependency on
+ Byte-Buddy 1.14.17. (markt)
+ + Add: Improvements to Czech translations by VladimĂr Chlup. (markt)
+ + Add: Improvements to French translations. (remm)
+ + Add: Improvements to Japanese translations by tak7iji. (markt)
+ + Add: Improvements to Chinese translations by fangzheng. (markt)
+ + Update: Revert Derby to 10.16.1.1 as that is the latest version of Derby
+ that runs on Java 17. (markt)
+ + Update: Update to Commons Daemon 1.4.0. (markt)
+ + Update: Update to Objenesis 3.4. (markt)
+ + Update: Update to Checkstyle 10.17.0. (markt)
+ + Update: Update to SpotBugs 4.8.5. (markt)
+ + Add: Improvements to French translations. (remm)
+ + Add: Improvements to Japanese translations by tak7iji. (markt)
+ + Update: Switch to using the Base64 encoder and decoder provided by the JRE
+ rather than the version provided by Commons Codec. The internal fork of
+ Commons Codec has been deprecated and will be removed in Tomcat 11.
+ (markt)
+ + Update: Update NSIS to 3.10. (mark0t)
+ + Update: Update UnboundID to 7.0.0. (markt)
+ + Update: Update Checkstyle to 10.16.0. (markt)
+ + Update: Update JaCoCo to 0.8.12. (markt)
+ + Update: Update SpotBugs to 4.8.4. (markt)
+ + Update: Update the internal fork of Apache Commons BCEL to 6.9.0. (markt)
+ + Update: Update the internal fork of Apache Commons DBCP to 2.12.0. (markt)
+ + Add: Improvements to Japanese translations by tak7iji. (markt)
+ + Update: Update Checkstyle to 10.14.1. (markt)
+ + Update: Update the internal fork of Apache Commons BCEL to 6.8.2. (markt)
+ + Update: Update the internal fork of Apache Commons Codec to 1.16.1.
+ (markt)
+ + Add: Improvements to French translations. (remm)
+ + Add: Improvements to Japanese translations by tak7iji. (remm)
+ + Add: Improvements to Chinese translations by leeyazhou. (remm)
+- Modified patch:
+ * tomcat-9.0-build-with-java-11.patch
+ + rediff to changed context
+
-------------------------------------------------------------------
Fri Apr 5 14:24:14 UTC 2024 - Ricardo Mestre
diff --git a/tomcat.spec b/tomcat.spec
index 11a0a50..5265bfe 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -22,7 +22,7 @@
%define elspec 3.0
%define major_version 9
%define minor_version 0
-%define micro_version 87
+%define micro_version 91
%define packdname apache-tomcat-%{version}-src
# FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
%global basedir /srv/%{name}