diff --git a/apache-tomcat-9.0.82-src.tar.gz b/apache-tomcat-9.0.82-src.tar.gz
deleted file mode 100644
index 722d119..0000000
--- a/apache-tomcat-9.0.82-src.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:064cffa1cdc2087439aaff13e8918fbf85b309ebdc8b7bc6ca7d8da28572d660
-size 6285653
diff --git a/apache-tomcat-9.0.82-src.tar.gz.asc b/apache-tomcat-9.0.82-src.tar.gz.asc
deleted file mode 100644
index fdce73b..0000000
--- a/apache-tomcat-9.0.82-src.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmUmo7MACgkQaCSJWTWe
-ciuclQ//TVgfBHVgphmkiSxW7SFAkLvKbGPYXrVMeHhpgc3A9Gq+XeGTp29uZ8TH
-sZ4BVCQmzgbsSaDsDDsC3/N0TPEdFlWS2w7a667iYWekNErhzsyf7PlD2cFn11T7
-FmQ8FerXAgtl4NwY5lt2eX748H5sR9sUpTPHZgM9WEW0CXCEqBswx+tcWT+SgYAP
-YyGvFWVCr/I4QS5HigNvmH0QjSO4xTisYUyRYcU4w677tO6STLGON30pRe4ki6GL
-F8I3W98uJKrx+H00zqdTvv0TlG56oQyI5sZBPymQykhts4FW1iXKdH47DrM+FXfW
-wgCUJjt3mQ/+2lzA4QHpRFoaa1FrCJYByeM22rPBhWLSR9UFBN9yrZb0SbnQkf9j
-3klubBBJIad0FN/gD8M/FdfjwmEKsJyAHJLWdJZVpif+xV4aUtEX/FWRv6B0B67t
-6FC8mi3J8DS4sqLtfn/M901MCO6j1XjR78TD02jNzgjD/emxoSfNDst/SRXTyeoc
-mRid8UgLF8+ecTz0GqDJen3jWmOuKmrzX6I0z9jCSJq3PUkaIS9uM91X0sqHOoqb
-HH1dE61b1VO5lbEnjnhCVirS+bKCyiJIQRNWtc8Pe0joszqysYKoOY7TssZUpziO
-w/ekZwRBndDtEtxg2zzjXRMb7Tx8tK7xZE15oLpRXw/WfREJxzI=
-=T082
------END PGP SIGNATURE-----
diff --git a/apache-tomcat-9.0.85-src.tar.gz b/apache-tomcat-9.0.85-src.tar.gz
new file mode 100644
index 0000000..7e47d02
--- /dev/null
+++ b/apache-tomcat-9.0.85-src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:bd5f0d636ec6d6a0512079d62137b46396cb3ef89e98c47ce172921386bece86
+size 6315926
diff --git a/apache-tomcat-9.0.85-src.tar.gz.asc b/apache-tomcat-9.0.85-src.tar.gz.asc
new file mode 100644
index 0000000..984252d
--- /dev/null
+++ b/apache-tomcat-9.0.85-src.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmWXwOIACgkQaCSJWTWe
+civPQA//Qy3b3J48H/thEWhTYXy+KlcRP8p10iJu/dtSRbU1kkjP8Cj5jl0j1TXJ
+tf/qygoBV2ckJAVyJkul7TXsA5Memj2MoaK32bm/GEXd1Cv1BClBC2qDsSWcca/C
+Ua3q/2tg9muVo3JhETash2iQN4AtIbeELrsRTwvV3+w1eeJ0OcE84xytSw0b3FQu
+rv1rWBfzTnkGPB4Uipzpq6aXZtfW5B9isEhb1MniAHZYKMWhJ9svS0hWvQzhPHYo
+X5sbmkhqht2MwVdUfw9CTwITydcRsJkdz1rMtcGXbfVEhvrZi9jeM0ygqf+RxPhi
+nCSea80CeaKv4DFh3h0zYhk9k+Y6j23X4gF15tYz3JxV+tDTPD2nNnDXFyKg3RAH
+CddjOXBQONKx1O1C4D1MkBaQdNwm1qS2rooxd61sMsYAuWACUMaIBn9SozwtyJ3K
+WQx4nrpXOuLoqFGOv7eiVW5bYnxyg4jiQr6kWMFMXGhZtY9uj3uL1Ojll0EsRx1C
+yIJHh0nVKuze2zuqMqp5g40q4f2/fFl3LJoArOkunxDpi8X4HpMP1STY+0dxOSxb
+Mm9nF/10YpCyvZkvAdw3ymJEecXUJKAJiG3xCOUzCHtYnsF09kyqQ9Ho01CC5nSB
+hCJ6kCqRAhE3jS0sXNh9HLKvHcvJGZ2IT/40AU9oRSVzZncMEUc=
+=bszF
+-----END PGP SIGNATURE-----
diff --git a/tomcat-9.0-build-with-java-11.patch b/tomcat-9.0-build-with-java-11.patch
new file mode 100644
index 0000000..80ccb4a
--- /dev/null
+++ b/tomcat-9.0-build-with-java-11.patch
@@ -0,0 +1,13 @@
+Index: apache-tomcat-9.0.85-src/build.xml
+===================================================================
+--- apache-tomcat-9.0.85-src.orig/build.xml
++++ apache-tomcat-9.0.85-src/build.xml
+@@ -107,7 +107,7 @@
+
+
+
+-
++
+
+
+
diff --git a/tomcat.changes b/tomcat.changes
index c05b395..c46aa72 100644
--- a/tomcat.changes
+++ b/tomcat.changes
@@ -1,3 +1,149 @@
+-------------------------------------------------------------------
+Wed Jan 17 16:57:21 UTC 2024 - Michele Bussolotto
+
+- Update to Tomcat 9.0.85
+ * Fixed CVEs:
+ + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to
+ incorrect headers parsing (bsc#1217649)
+ * Catalina
+ + Update: 68378: Align extension to MIME type mappings in the
+ global web.xml with those in httpd by adding
+ application/vnd.geogebra.slides for ggs, text/javascript for mjs
+ and audio/ogg for opus. (markt)
+ + Fix: Background processes should not be run concurrently with
+ lifecycle operations of a container. (remm)
+ + Fix: Correct unintended escaping of XML in some WebDAV
+ responses. The XML list of support locks when provided in
+ response to a PROPFIND request was incorrectly XML escaped.
+ (markt)
+ + Fix: 68227: Ensure that AsyncListener.onComplete() is called
+ if AsyncListener.onError() calls AsyncContext.dispatch().
+ (markt)
+ + Fix: 68228: Use a 408 status code if a read timeout occurs
+ during HTTP request processing. Includes a test case based on
+ code provided by adwsingh. (markt)
+ + Fix: 67667: TLSCertificateReloadListener prints unreadable
+ rendering of X509Certificate#getNotAfter(). (michaelo)
+ + Update: The status servlet included in the manager webapp
+ can now output statistics as JSON, using the JSON=true URL
+ parameter. (remm)
+ + Update: Optionally allow ServiceBindingPropertySource to
+ trim a trailing newline from a file containing a
+ property-value. (schultz)
+ + Fix: 67793: Ensure the original session timeout is restored
+ after FORM authentication if the user refreshes a page during
+ the FORM authentication process. Based on a suggestion by
+ Mircea Butmalai. (markt)
+ + Update: 67926: PEMFile prints unidentifiable string
+ representation of ASN.1 OIDs. (michaelo)
+ + Fix: 66875: Ensure that setting the request attribute
+ jakarta.servlet.error.exception is not sufficient to trigger
+ error handling for the current request and response. (markt)
+ + Fix: 68054: Avoid some file canonicalization calls
+ introduced by the fix for 65433. (remm)
+ + Fix: 68089: Improve performance of request attribute access
+ for ApplicationHttpRequest and ApplicationRequest. (markt)
+ + Fix: Use a 400 status code to report an error due to a bad
+ request (e.g. an invalid trailer header) rather than a 500
+ status code. (markt)
+ + Fix: Ensure that an IOException during the reading of the
+ request triggers always error handling, regardless of whether
+ the application swallows the exception. (markt)
+ * Coyote
+ + Fix: Refactor the VirtualThreadExecutor so that it can be
+ used by the NIO2 connector which was using platform threads
+ even when configured to use virtual threads. (markt)
+ + Fix: Correct a regression in the fix for 67675 that broke
+ TLS key file parsing for PKCS#8 format keys that do not specify
+ an explicit pseudo-random function and rely on the default.
+ This typically affects keys generated by OpenSSL 1.0.2.
+ (markt)
+ + Fix: Allow multiple operations with the same name on
+ introspected mbeans, fixing a regression caused by the
+ introduction of a second addSslHostConfig method. (remm)
+ + Fix: Relax the check that the HTTP Host header is consistent
+ with the host used in the request line, if any, to make the
+ check case insensitive since host names are case insensitive.
+ (markt)
+ + Add: 68348: Add support for the partitioned attribute for
+ cookies. (markt)
+ + Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and
+ SSLHostConfig#certificateKeystorePasswordFile. (michaelo)
+ + Add: When calling
+ SSLHostConfigCertificate.setCertificateKeystore(ks),
+ automatically call setCertificateKeystoreType(ks.getType()).
+ (markt)
+ + Fix: 67628: Clarify how the ciphers attribute of the
+ SSLHostConfig is used. (markt)
+ + Fix: 67666: Ensure TLS connectors using PEM files either
+ work with the TLSCertificateReloadListener or, in the rare case
+ that they do not, log a warning on Connector start. (markt)
+ + Fix: 67675: Support a wider range of KDF and ciphers for PEM
+ files than the combinations supported by the JVM by default.
+ Specifically, support the OpenSSL default of HmacSHA256 and
+ DES-EDE3-CBC. (markt)
+ + Fix: 67927: Reloading TLS configuration can cause the
+ Connector to refuse new connections or the JVM to crash.
+ (markt)
+ + Fix: 67934: If both Tomcat Native 1.2.x and 2.0.x are
+ available, prefer 1.2.x since it supports the APR/Native
+ connector whereas 2.0.x does not. (markt)
+ + Fix: 67938: Correct handling of large TLS client hello
+ messages that were causing the TLS handshake to fail. (markt)
+ + Fix: 68026: Convert selected MessageByte values to String
+ when first accessed to speed up subsequent accesses and reduce
+ garbage collection. (markt)
+ * Jasper
+ + Code: 68119: Refactor the CompositeELResolver to improve
+ performance during type conversion operations. (markt)
+ + Fix: 68068: Performance improvement for EL. Based on a
+ suggestion by John Engebretson. (markt)
+ * Web Applications
+ + Fix: 68035: Additional fix to the Manager application to
+ enable the deployment of a web application located in a Host's
+ appBase where the web application is specified by a bare (no
+ path) WAR or directory name as shown in the documentation.
+ (markt)
+ + Fix: Examples. Improve the error handling so snakes
+ associated with a user that drops from the network are removed
+ from the game. (markt)
+ + Fix: 68035: Correct a regression in the fix for 56248 that
+ prevented deployment via the Manager of a WAR or directory that
+ was already present in the appBase or a context file that was
+ already present in the xmlBase. (markt)
+ * Other
+ + Update: Update Checkstyle to 10.12.7. (markt)
+ + Update: Update SpotBugs to 4.8.3. (markt)
+ + Add: Improvements to French translations. (remm)
+ + Add: Improvements to Japanese translations by tak7iji.
+ (markt)
+ + Update: Update UnboundID to 6.0.11. (markt)
+ + Update: Update Checkstyle to 10.12.5. (markt)
+ + Update: Update SpotBugs to 4.8.2. (markt)
+ + Update: Update Derby to 10.17.1. (markt)
+ + Add: Improvements to French translations. (remm)
+ + Add: Improvements to Japanese translations by tak7iji.
+ (markt)
+ + Add: Improvements to Brazilian Portuguese translations by
+ John William Vicente. (markt)
+ + Add: Improvements to Russian translations by usmazat and
+ remm. (markt)
+ + Add: 67538: Make use of Ant's task to enfore
+ the mininum Java build version. (michaelo)
+ + Update: Update Checkstyle to 10.12.4. (markt)
+ + Update: Update JaCoCo to 0.8.11. (markt)
+ + Update: Update SpotBugs to 4.8.0. (markt)
+ + Update: Update BND to 7.0.0. (markt)
+ + Update: The minimum Java version required to build Tomcat
+ has been raised to Java 17. (markt)
+- Added patches:
+ * tomcat-9.0-build-with-java-11.patch
+
+-------------------------------------------------------------------
+Wed Jan 17 14:53:08 UTC 2024 - Michele Bussolotto
+
+- change server.xml during %post instead of %posttrans
+
-------------------------------------------------------------------
Fri Jan 12 13:18:52 UTC 2024 - Michele Bussolotto
diff --git a/tomcat.spec b/tomcat.spec
index 1110ff9..559f067 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -22,7 +22,7 @@
%define elspec 3.0
%define major_version 9
%define minor_version 0
-%define micro_version 82
+%define micro_version 85
%define packdname apache-tomcat-%{version}-src
# FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
%global basedir /srv/%{name}
@@ -82,6 +82,7 @@ Patch5: %{name}-%{major_version}.%{minor_version}-jdt.patch
Patch6: tomcat-9.0.75-secretRequired-default.patch
Patch7: tomcat-9.0-fix_catalina.patch
Patch8: tomcat-9.0-logrotate_everything.patch
+Patch9: tomcat-9.0-build-with-java-11.patch
BuildRequires: ant >= 1.8.1
BuildRequires: ant-antlr
BuildRequires: apache-commons-collections
@@ -101,7 +102,6 @@ BuildRequires: jakarta-taglibs-standard >= 1.1
BuildRequires: java-devel >= 1.8
BuildRequires: javapackages-local
BuildRequires: junit
-BuildRequires: libxslt-tools
BuildRequires: pkgconfig
BuildRequires: sed
BuildRequires: systemd-rpm-macros
@@ -116,6 +116,7 @@ Requires: apache-commons-logging
Requires: apache-commons-pool2
Requires: java >= 1.8
Requires(post): %fillup_prereq
+Requires(post): libxslt-tools
Requires(pre): shadow
Recommends: libtcnative-1-0 >= 1.1.24
Recommends: logrotate
@@ -133,6 +134,7 @@ ATTENTION: This tomcat is built with java 1.8.0.
Summary: The host manager and manager web applications for Apache Tomcat
Group: Productivity/Networking/Web/Servers
Requires: %{name} = %{version}-%{release}
+Requires(post): libxslt-tools
%description admin-webapps
The host manager and manager web-based applications for Apache Tomcat.
@@ -148,6 +150,7 @@ Embeddeding support (various libraries) for Apache Tomcat.
Summary: The "docs" web application for Apache Tomcat
Group: Productivity/Networking/Web/Servers
Requires: %{name} = %{version}-%{release}
+Requires(post): libxslt-tools
%description docs-webapp
The documentation of web application for Apache Tomcat.
@@ -236,6 +239,7 @@ Summary: ROOT and examples web applications for Apache Tomcat
Group: Productivity/Networking/Web/Servers
Requires: %{name} = %{version}-%{release}
Requires: jakarta-taglibs-standard >= 1.1
+Requires(post): libxslt-tools
%description webapps
The ROOT and examples web applications for Apache Tomcat
@@ -556,6 +560,7 @@ getent passwd tomcat >/dev/null || %{_sbindir}/useradd -c "Apache Tomcat" \
%post
%service_add_post %{name}.service
%{fillup_only %{name}}
+xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml
%preun
%service_del_preun %{name}.service
@@ -667,9 +672,6 @@ if [ ! -e %{_datadir}/%{name}/webapps/docs ]; then
ln -sf %{tomcatappdir}/docs %{_datadir}/%{name}/webapps/docs
fi
-%posttrans
-xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml
-
%files
%doc {LICENSE,NOTICE,RELEASE*}
%attr(0755,root,root) %{_bindir}/%{name}-digest