Accepting request 1254481 from Java:packages

OBS-URL: https://build.opensuse.org/request/show/1254481
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat?expand=0&rev=115

apache-tomcat-9.0.102-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmfGBbUACgkQaCSJWTWe
+ciucbA/5AYI47J3tlOLsRdtvH815aXghxAEbOMkHtJJS79Y+I0d4CWS4jqpL++oX
+jIOfZsO1D9rJ9A0d/F0IbMym7fgDItlvOOAXHMpLWEo9TF7gTXhFuiqcl/5K24qa
+n9MMMZJOFR7599IE6Ie6spq+7FgO7/AF7s4zVzqJU661yH3ZgGftS5VcYvfX77vg
+ErCsjE/v0foqcG0PwgmUYbWzFYeI6DR8mwRXIvCGZxCH7PqYlwDdsnF4usFhQDGN
+Y6c7DKLAamd8Z7vyPejpoNnBBYr5o/BpKNSgAKvOMpy2N0vI1DAMBhCjPkASvxvr
+bdSkxNhqRgicnEmEFMtvQW4dapkjUBJ9aswdYEEHmkE4zLUp4tkadjetqnwdrv+F
+DRij5uOgj7kSNDjTee4lxMGpSMoXF447KRDjzvnj2m1/XHQhV/Rpf9yjG8Welkj6
+KIZaEe02XlfHgExxX7rH2fVvzbtAUapKgyhaQ+nTynJqZ0pgMRDr8epqgoFxiepI
+ZcdeoRTvkVAcdBdheNpNg4sRzCVauKuAyh7CfbRUIXJwF3hEBKAp8ZNldlbzK+mO
+G1Kx+fskzYtRHi3eUpiPweXg4fnw3ZDeFqcsYhV6/7z1RMznP4xIlqGSFdctxXBC
+qb/cjb7GIU5ZKlWO9NhY4MadGUXSbJmZjtI8Ztz6q+2GJ0zmJtw=
+=4WIa
+-----END PGP SIGNATURE-----

apache-tomcat-9.0.91-src.tar.gz.asc

@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEESPjmn2OQyfJc/tzSaCSJWTWecisFAmaD9OQACgkQaCSJWTWe
-cit6cA/+L/gMzNTxjtqsuWDrT1Wkr9MeU6/5oEB/LpUxhWUWam0Ni+eyj51vLO6X
-7UfHOQt8qClNUsyqz6kpmedPLowrhPk2UM9LdJsn7Sh9ttdbJQzjHD3LqVze9CKu
-eHggf6KUTJGcbOpP+8/gttwVM7U4wGppzOLi4vQCSI54yO4tinyyaSEk0DH8zlAa
-Rcb6tJoKEtqtlq1gam9udjPFFcNOcpXEOCLCgLRLqVkna3IVvFUNTx0bccilUDl/
-vGcD/7W1tsULb4A0sqLhQINzZlBpu2kp/5qdWLFhnJhRp0pZbLDo5/gjW77jLrIx
-HMmSuPVuswn/OQmAe57YRo2YF3e+7zxjKJ+73aDhfK/xHEInsQMgMCdgYH+d6Inn
-OT4MrUVEPApOnQPpV2Ag9HEvw3E9zT3dkcNqn3QCF+RaXNtdJgGurRl5UaQapWkH
-Mj6WbnmWpqTBO1SxxPCb1KqIoO3jLqKMR7h0TAchBH/XdRuafy3Ga632dUYX722J
-K73vU1fC1pyh0NZMPsDEAwv3V0JDnYzAF4PKxKb2gnQ/2u/e/p/ACBgaVqXRMAD9
-JFfhgBnt5vj7GOOm5opYoW+B1dtRyJ2CmYmO+g9UstRxYhShH7HPQbyExJo81JgZ
-S1W7wYlopgIAsL9gy1TlPAofa25SI24UaaC4VivDK2FyyAYk21Y=
-=1v5b
------END PGP SIGNATURE-----

tomcat-9.0-build-with-java-11.patch

@@ -1,13 +1,13 @@
-Index: apache-tomcat-9.0.91-src/build.xml
+Index: apache-tomcat-9.0.97-src/build.xml
 ===================================================================
---- apache-tomcat-9.0.91-src.orig/build.xml
+--- apache-tomcat-9.0.97-src.orig/build.xml
-+++ apache-tomcat-9.0.91-src/build.xml
++++ apache-tomcat-9.0.97-src/build.xml
-@@ -107,7 +107,7 @@
+@@ -108,7 +108,7 @@
    <!-- Keep in sync with webapps/docs/tomcat-docs.xsl -->
    <property name="compile.release" value="8"/>
    <property name="min.java.version" value="8"/>
 -  <property name="build.java.version" value="17"/>
 +  <property name="build.java.version" value="11"/>
    <property name="release.java.version" value="17"/>
-   <property name="skip.build.java.version" value="false"/>
  
+   <!-- Check Java Build Version -->

tomcat-9.0-digest.script

@@ -3,6 +3,9 @@
 # tomcat-digest script
 # JPackage Project <http://www.jpackage.org/>
 
+# Set default JAVA_HOME
+export JAVA_HOME="${JAVA_HOME:-%{?java_home}}"
+
 # Source functions library
 if [ -f /usr/share/java-utils/java-functions ] ; then
   . /usr/share/java-utils/java-functions

tomcat-9.0-jdt.patch

@@ -1,22 +1,22 @@
---- apache-tomcat-9.0.75-src/java/org/apache/jasper/compiler/JDTCompiler.java	2023-05-22 18:12:16.915658492 +0200
+--- apache-tomcat-9.0.98-src/java/org/apache/jasper/compiler/JDTCompiler.java	2025-01-06 17:29:55.096709905 +0100
-+++ apache-tomcat-9.0.75-src/java/org/apache/jasper/compiler/JDTCompiler.java	2023-05-22 19:45:14.491706823 +0200
++++ apache-tomcat-9.0.98-src/java/org/apache/jasper/compiler/JDTCompiler.java	2025-01-06 17:32:39.494486072 +0100
-@@ -310,7 +310,7 @@
+@@ -298,7 +298,7 @@
-             } else if(opt.equals("15")) {
+             } else if (opt.equals("15")) {
                  settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
-             } else if(opt.equals("16")) {
+             } else if (opt.equals("16")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
 +                settings.put(CompilerOptions.OPTION_Source, "16");
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
                  // Constant not available in latest ECJ version that runs on
                  // Java 8.
-@@ -392,8 +392,8 @@
+@@ -395,8 +395,8 @@
                  settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
                  settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
-             } else if(opt.equals("16")) {
+             } else if (opt.equals("16")) {
 -                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16);
 -                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16);
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "16");
 +                settings.put(CompilerOptions.OPTION_Compliance, "16");
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
                  // Constant not available in latest ECJ version that runs on
                  // Java 8.

tomcat-9.0-osgi-build.patch

@@ -1,6 +1,8 @@
---- apache-tomcat-9.0.91-src/build.xml	2024-07-08 18:21:26.161496515 +0200
+Index: apache-tomcat-9.0.97-src/build.xml
-+++ apache-tomcat-9.0.91-src/build.xml	2024-07-08 18:30:43.722334075 +0200
+===================================================================
-@@ -226,11 +226,21 @@
+--- apache-tomcat-9.0.97-src.orig/build.xml
++++ apache-tomcat-9.0.97-src/build.xml
+@@ -228,11 +228,21 @@
    <!--<defaultexcludes echo="true" />-->
  
    <!-- Classpaths -->
@@ -23,9 +25,9 @@
    </path>
  
    <path id="tomcat.classpath">
-@@ -3960,10 +3970,6 @@
+@@ -4034,10 +4044,6 @@ Read the Building page on the Apache Tom
  
-   <target name="setup-bnd" depends="download-bnd" unless="skip.build.java.version">
+   <target name="setup-bnd" depends="download-bnd" unless="${skip.build.java.version}">
      <!-- Add bnd tasks to project -->
 -    <path id="bnd.classpath">
 -      <fileset file="${bnd.jar}" />

tomcat-9.0-tool-wrapper.script

@@ -3,6 +3,9 @@
 # tomcat-digest script
 # JPackage Project <http://www.jpackage.org/>
 
+# Set default JAVA_HOME
+export JAVA_HOME="${JAVA_HOME:-%{?java_home}}"
+
 # Source functions library
 if [ -f /usr/share/java-utils/java-functions ] ; then
   . /usr/share/java-utils/java-functions

tomcat.changes

@@ -1,3 +1,571 @@
+-------------------------------------------------------------------
+Tue Mar 18 21:04:04 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 9.0.102
+  * Fixes:
+    + launch with java 17 (bsc#1239676)
+  * Catalina
+    + Fix: Weak etags in the If-Range header should not match as strong etags
+      are required. (remm)
+    + Fix: When looking up class loader resources by resource name, the resource
+      name should not start with '/'. If the resource name does start with '/',
+      Tomcat is lenient and looks it up as if the '/' was not present. When the
+      web application class loader was configured with external repositories and
+      names starting with '/' were used for lookups, it was possible that cached
+      'not found' results could effectively hide lookup results using the
+      correct resource name. (markt)
+    + Fix: Enable the JNDIRealm to validate credentials provided to
+      HttpServletRequest.login(String username, String password) when the realm
+      is configured to use GSSAPI authentication. (markt)
+    + Fix: Fix a bug in the JRE compatibility detection that incorrectly
+      identified Java 19 and Java 20 as supporting Java 21 features. (markt)
+    + Fix: Improve the checks for exposure to and protection against
+      CVE-2024-56337 so that reflection is not used unless required. The checks
+      for whether the file system is case sensitive or not have been removed.
+      (markt)
+    + Fix: Avoid scenarios where temporary files used for partial PUT would not
+      be deleted. (remm)
+    + Fix: 69602: Fix regression in releases from 12-2024 that were too strict
+      and rejected weak etags in the If-Range header. (remm)
+    + Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught
+      exception introduced for the check for CVE-2024-56337. (remm)
+  * Cluster
+    + Add: 69598: Add detection of service account token changes to the
+      KubernetesMembershipProvider implementation and reload the token if it
+      changes. Based on a patch by Miroslav Jezbera. (markt)
+  * Coyote
+    + Fix: 69575: Avoid using compression if a response is already compressed
+      using compress, deflate or zstd. (remm)
+    + Update: Use Transfer-Encoding for compression rather than Content-Encoding
+      if the client submits a TE header containing gzip. (remm)
+    + Fix: Fix a race condition in the handling of HTTP/2 stream reset that
+      could cause unexpected 500 responses. (markt)
+  * Other
+    + Add: Add makensis as an option for building the Installer for Windows on
+      non-Windows platforms. (rjung/markt)
+    + Update: Update Byte Buddy to 1.17.1. (markt)
+    + Update: Update Checkstyle to 10.21.3. (markt)
+    + Update: Update SpotBugs to 4.9.1. (markt)
+    + Update: Update JSign to 7.1. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+    + Add: Add org.apache.juli.JsonFormatter to format log as one line JSON
+      documents. (remm) 
+
+-------------------------------------------------------------------
+Wed Mar 12 16:21:08 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 9.0.99
+  * Fixed CVE:
+    + CVE-2025-24813: potential RCE and/or information disclosure/corruption with
+      partial PUT (bsc#1239302)    
+  * Catalina
+    + Update: Add tableName configuration on the DataSourcePropertyStore that
+      may be used by the WebDAV Servlet. (remm)
+    + Update: Improve HTTP If headers processing according to RFC 9110. Based on
+      pull request #796 by Chenjp. (remm/markt)
+    + Update: Allow readOnly attribute configuration on the Resources element
+      and allow configure the readOnly attribute value of the main resources.
+      The attribute value will also be used by the default and WebDAV Servlets.
+      (remm)
+    + Fix: 69285: Optimise the creation of the parameter map for included
+      requests. Based on sample code and test cases provided by John
+      Engebretson. (markt)
+    + Fix: 69527: Avoid rare cases where a cached resource could be set with 0
+      content length, or could be evicted immediately. (remm)
+    + Fix: Fix possible edge cases (such as HTTP/1.0) with trying to detect
+      requests without body for WebDAV LOCK and PROPFIND. (remm)
+    + Fix: 69528: Add multi-release JAR support for the bloom
+      archiveIndexStrategy of the Resources. (remm)
+    + Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based
+      on a patch submitted by Chenjp. (remm)
+    + Add: Add a check to ensure that, if one or more web applications are
+      potentially vulnerable to CVE-2024-56337, the JVM has been configured to
+      protect against the vulnerability and to configure the JVM correctly if
+      not. Where one or more web applications are potentially vulnerable to
+      CVE-2024-56337 and the JVM cannot be correctly configured or it cannot be
+      confirmed that the JVM has been correctly configured, prevent the impacted
+      web applications from starting. (markt)
+    + Fix: Remove unused session to client map from CrawlerSessionManagerValve.
+      Submitted by Brian Matzon. (remm)
+    + Fix: When using the WebDAV servlet with serveSubpathOnly set to true,
+      ensure that the destination for any requested WebDAV operation is also
+      restricted to the sub-path. (markt)
+    + Fix: Generate an appropriate Allow HTTP header when the Default servlet
+      returns a 405 (method not allowed) response in response to a DELETE
+      request because the target resource cannot be deleted. Pull request #802
+      provided by Chenjp. (markt)
+    + Code: Refactor creation of RequestDispatcher instances so that the
+      processing of the provided path is consistent with normal request
+      processing. (markt)
+    + Add: Add encodedReverseSolidusHandling and encodedSolidusHandling
+      attributes to Context to provide control over the handling of the path
+      used to created a RequestDispatcher. (markt)
+    + Fix: Handle a potential NullPointerException after an IOException occurs
+      on a non-container thread during asynchronous processing. (markt)
+    + Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
+  * Coyote
+    + Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does
+      not support. These settings are now silently ignored. (markt)
+    + Fix: Avoid a rare NullPointerException when recycling the
+      Http11InputBuffer. (markt)
+    + Fix: Lower the log level to debug for logging an invalid socket channel
+      when processing poller events for the NIO Connector as this may occur in
+      normal usage. (markt)
+    + Code: Clean-up references to the HTTP/2 stream once request processing has
+      completed to aid GC and reduce the size of the HTTP/2 recycled request and
+      response cache. (markt)
+    + Add: Add a new Connector configuration attribute,
+      encodedReverseSolidusHandling, to control how %5c sequences in URLs are
+      handled. The default behaviour is unchanged (decode) keeping in mind that
+      the allowBackslash attribute determines how the decoded URI is processed.
+      (markt)
+    + Fix: 69545: Improve CRLF skipping for the available method of the
+      ChunkedInputFilter. (remm)
+    + Fix: Improve the performance of repeated calls to getHeader(). Pull
+      request #813 provided by Adwait Kumar Singh. (markt)
+    + Fix: 69559: Ensure that the Java 24 warning regarding the use of
+      sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code
+      will be used. (markt)
+  * Jasper
+    + Fix: 69508: Correct a regression in the fix for 69382 that broke JSP
+      include actions if both the page attribute and the body contained
+      parameters. Pull request #803 provided by Chenjp. (markt)
+    + Fix: 69521: Update the EL Parser to allow the full range of valid
+      characters in an EL identifier as defined by the Java Language
+      Specification. (markt)
+    + Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch
+      provided by John Engebretson. (markt)
+  * Web applications
+    + Add: Documentation. Expand the description of the security implications of
+      setting mapperContextRootRedirectEnabled and/or
+      mapperDirectoryRedirectEnabled to true. (markt)
+    + Fix: Documentation. Better document the default for the truststoreProvider
+      attribute of a SSLHostConfig element. (markt)
+  * Other
+    + Update: Update to Commons Daemon 1.4.1. (markt)
+    + Update: Update the internal fork of Commons Pool to 2.12.1. (markt)
+    + Update: Update Byte Buddy to 1.16.1. (markt)
+    + Update: Update UnboundID to 7.0.2. (markt)
+    + Update: Update Checkstyle to 10.21.2. (markt)
+    + Update: Update SpotBugs to 4.9.0. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Chinese translations by leeyazhou. (markt)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+  
+-------------------------------------------------------------------
+Fri Jan  3 16:03:11 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 9.0.98
+  * Fixed CVEs:
+    + CVE-2024-54677: DoS in examples web application (bsc#1234664)
+    + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
+    + CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435)
+  * Catalina
+    + Add: Add option to serve resources from subpath only with WebDAV Servlet
+      like with DefaultServlet. (michaelo)
+    + Fix: Add special handling for the protocols attribute of SSLHostConfig in
+      storeconfig. (remm)
+    + Fix: 69442: Fix case sensitive check on content-type when parsing request
+      parameters. (remm)
+    + Code: Refactor duplicate code for extracting media type and subtype from
+      content-type into a single method. (markt)
+    + Fix: Compatibility of generated embedded code with components where
+      constructors or property related methods throw a checked exception. (remm)
+    + Fix: The previous fix for inconsistent resource metadata during concurrent
+      reads and writes was incomplete. (markt)
+    + Fix: 69444: Ensure that the javax.servlet.error.message request attribute
+      is set when an application defined error page is called. (markt)
+    + Fix: Avoid quotes for numeric values in the JSON generated by the status
+      servlet. (remm)
+    + Add: Add strong ETag support for the WebDAV and default servlet, which can
+      be enabled by using the useStrongETags init parameter with a value set to
+      true. The ETag generated will be a SHA-1 checksum of the resource content.
+      (remm)
+    + Fix: Use client locale for directory listings. (remm)
+    + Fix: 69439: Improve the handling of multiple Cache-Control headers in the
+      ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
+    + Fix: 69447: Update the support for caching classes the web application
+      class loader cannot find to take account of classes loaded from external
+      repositories. Prior to this fix, these classes could be incorrectly marked
+      as not found. (markt)
+    + Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by
+      users will not be removed and any header present in a HEAD request will
+      also be present in the equivalent GET request. There may be some headers,
+      as per RFC 9110, section 9.3.2, that are present in a GET request that are
+      not present in the equivalent HEAD request. (markt)
+    + Fix: 69471: Log instances of CloseNowException caught by
+      ApplicationDispatcher.invoke() at debug level rather than error level as
+      they are very likely to have been caused by a client disconnection or
+      similar I/O issue. (markt)
+    + Add: Add a test case for the fix for 69442. Also refactor references to
+      application/x-www-form-urlencoded. Based on pull request #779 by Chenjp.
+      (markt)
+    + Fix: 69476: Catch possible ISE when trying to report PUT failure in the
+      DefaultServlet. (remm)
+    + Add: Add support for RateLimit header fields for HTTP (draft) in the
+      RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
+    + Add: #787: Add regression tests for 69478. Pull request provided by Thomas
+      Krisch. (markt)
+    + Fix: The default servlet now rejects HTTP range requests when two or more
+      of the requested ranges overlap. Based on pull request #782 provided by
+      Chenjp. (markt)
+    + Fix: Enhance Content-Range verification for partial PUT requests handled
+      by the default servlet. Provided by Chenjp in pull request #778. (markt)
+    + Fix: Harmonize DataSourceStore lookup in the global resources to
+      optionally avoid the comp/env prefix which is usually not used there.
+      (remm)
+    + Fix: As required by RFC 9110, the HTTP Range header will now only be
+      processed for GET requests. Based on pull request #790 provided by Chenjp.
+      (markt)
+    + Fix: Deprecate the useAcceptRanges initialisation parameter for the
+      default servlet. It will be removed in Tomcat 12 onwards where it will
+      effectively be hard coded to true. (markt)
+    + Add: Add DataSource based property storage for the WebdavServlet. (remm)
+  * Coyote
+    + Fix: Align encodedSolidusHandling with the Servlet specification. If the
+      pass-through mode is used, any %25 sequences will now also be passed
+      through to avoid errors and/or corruption when the application decodes the
+      path. (markt)
+  * Jasper
+    + Fix: Further optimise EL evaluation of method parameters. Patch provided
+      by Paolo B. (markt)
+    + Fix: Follow-up to the fix for 69381. Apply the optimisation for method
+      lookup performance in expression language to an additional location.
+      (markt)
+  * Web applications
+    + Fix: Documentation. Remove references to the ResourceParams element.
+      Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
+    + Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter.
+      The attribute is internalProxies rather than allowedInternalProxies. Pull
+      request #786 provided by Jorge Díaz. (markt)
+    + Fix: Examples. Fix broken links when Servlet Request Info example is
+      called via a URL that includes a pathInfo component. (markt)
+    + Fix: Examples. Expand the obfuscation of session cookie values in the
+      request header example to JSON responses. (markt)
+    + Add: Examples. Add the ability to delete session attributes in the servlet
+      session example. (markt)
+    + Add: Examples. Add a hard coded limit of 10 attributes per session for the
+      servlet session example. (markt)
+    + Add: Examples. Add the ability to delete session attributes and add a hard
+      coded limit of 10 attributes per session for the JSP form authentication
+      example. (markt)
+    + Add: Examples. Limit the shopping cart example to only allow adding the
+      pre-defined items to the cart. (markt)
+    + Fix: Examples. Remove JSP calendar example. (markt)
+  * Other
+    + Fix: 69465: Fix warnings during native image compilation using the Tomcat
+      embedded JARs. (markt)
+    + Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
+    + Update: Update EasyMock to 5.5.0. (markt)
+    + Update: Update Checkstyle to 10.20.2. (markt)
+    + Update: Update BND to 7.1.0. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Korean translations. (markt)
+    + Add: Improvements to Chinese translations. (markt)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+- Modified patch:
+  * tomcat-9.0-jdt.patch
+    + rediff
+
+-------------------------------------------------------------------
+Fri Nov 22 19:51:47 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 9.0.97
+  * Fixed CVEs:
+    + CVE-2024-52316: If the Jakarta Authentication fails with an exception,
+      set a 500 status (bsc#1233434)
+  * Catalina
+    + Add: Add support for the new Servlet API method 
+      HttpServletResponse.sendEarlyHints(). (markt)
+    + Add: 55470: Add debug logging that reports the class path when a 
+      ClassNotFoundException occurs in the digester or the web application 
+      class loader. Based on a patch by Ralf Hauser. (markt)
+    + Update: 69374: Properly separate between table header and body in 
+      DefaultServlet's listing. (michaelo)
+    + Update: 69373: Make DefaultServlet's HTML listing file last modified 
+      rendering better (flexible). (michaelo)
+    + Update: Improve HTML output of DefaultServlet. (michaelo)
+    + Code: Refactor RateLimitFilter to use FilterBase as the base class. The 
+      primary advantage for doing this is less code to process init-param 
+      values. (markt)
+    + Update: 69370: DefaultServlet's HTML listing uses incorrect labels. 
+      (michaelo)
+    + Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped 
+      requests. (remm)
+    + Fix: Add missing WebDAV Lock-Token header in the response when locking 
+      a folder. (remm)
+    + Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
+    + Fix: Fix regression in WebDAV when attempting to unlock a collection. 
+      (remm)
+    + Fix: Verify that destination is not locked for a WebDAV copy operation. 
+      (remm)
+    + Fix: Send 415 response to WebDAV MKCOL operations that include a 
+      request body since this is optional and unsupported. (remm)
+    + Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
+    + Fix: Do not allow a new WebDAV lock on a child resource if a parent 
+      collection is locked (RFC 4918 section 6.1). (remm)
+    + Fix: WebDAV Delete should remove any existing lock on successfully 
+      deleted resources. (remm)
+    + Update: Remove WebDAV lock null support in accordance with RFC 4918 
+      section 7.3 and annex D. Instead, a lock on a non-existing resource 
+      will create an empty file locked with a regular lock. (remm)
+    + Update: Rewrite implementation of WebDAV shared locks to comply with 
+      RFC 4918. (remm)
+    + Update: Implement WebDAV If header using code from the Apache Jackrabbit 
+      project. (remm)
+    + Add: Add PropertyStore interface in the WebDAV Servlet, to allow 
+      implementation of dead properties storage. The store used can be 
+      configured using the 'propertyStore' init parameter of the WebDAV 
+      servlet. A simple non-persistent implementation is used if no custom 
+      store is configured. (remm)
+    + Update: Implement WebDAV PROPPATCH method using the newly added 
+      PropertyStore. (remm)
+    + Fix: Cache not found results when searching for web application class 
+      loader resources. This addresses performance problems caused by 
+      components such as java.sql.DriverManager which, in some circumstances, 
+      will search for the same class repeatedly. In a large web application 
+      this can cause performance problems. The size of the cache can be 
+      controlled via the new notFoundClassResourceCacheSize on the 
+      StandardContext. (markt)
+    + Fix: Stop after INITIALIZED state should be a noop since it is possible 
+      for subcomponents to be in FAILED after init. (remm)
+    + Fix: Fix incorrect web resource cache size calculations when there are 
+      concurrent PUT and DELETE requests for the same resource. (markt)
+    + Add: Add debug logging for the web resource cache so the current size 
+      can be tracked as resources are added and removed. (markt)
+    + Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens 
+      with urn:uuid: as recommended by RFC 4918, and remove secret init 
+      parameter. (remm)
+    + Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the 
+      same path caused corruption of the FileResource where some of the 
+      fields were set as if the file exists and some as set as if it does 
+      not. This resulted in inconsistent metadata. (markt)
+    + Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on 
+      GET and HEAD requests. Also skip requests where the application has set 
+      Cache-Control: no-store. (markt)
+    + Fix: 69419: Improve the performance of ServletRequest.getAttribute() 
+      when there are multiple levels of nested includes. Based on a patch 
+      provided by John Engebretson. (markt)
+    + Add: All applications to send an early hints informational response by 
+      calling HttpServletResponse.sendError() with a status code of 103. 
+      (schultz)
+    + Fix: Ensure that the Jakarta Authentication CallbackHandler only 
+      creates one GenericPrincipal in the Subject. (markt)
+    + Fix: If the Jakarta Authentication process fails with an Exception, 
+      explicitly set the HTTP response status to 500 as the ServerAuthContext 
+      may not have set it. (markt)
+    + Fix: When persisting the Jakarta Authentication provider configuration, 
+      create any necessary parent directories that don't already exist. 
+      (markt)
+    + Fix: Correct the logic used to detect errors when deleting temporary 
+      files associated with persisting the Jakarta Authentication provider 
+      configuration. (markt)
+    + Fix: When processing Jakarta Authentication callbacks, don't overwrite 
+      a Principal obtained from the PasswordValidationCallback with null if 
+      the CallerPrincipalCallback does not provide a Principal. (markt)
+    + Fix: Avoid store config backup loss when storing one configuration more 
+      than once per second. (remm)
+    + Fix: 69359: WebdavServlet duplicates getRelativePath() method from 
+      super class with incorrect Javadoc. (michaelo)
+    + Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and 
+      DefaultServlet. (michaelo)
+    + Fix: Make WebdavServlet properly return the Allow header when deletion 
+      of a resource is not allowed. (michaelo)
+    + Fix: Add log warning if non wildcard mappings are used with the 
+      WebdavServlet. (remm)
+    + Fix: 69361: Ensure that the order of entries in a multi-status response 
+      to a WebDAV is consistent with the order in which resources were 
+      processed. (markt)
+    + Fix: 69362: Provide a better multi-status response when deleting a 
+      collection via WebDAV fails. Empty directories that cannot be deleted 
+      will now be included in the response. (markt)
+    + Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to 
+      ensure that the correct path is used when the WebDAV servlet is mounted 
+      at a sub-path within the web application. (markt)
+    + Fix: Improve performance of ApplicationHttpRequest.parseParameters(). 
+      Based on sample code and test cases provided by John Engebretson. 
+      (markt)
+    + Add: Add support for RFC 8297 (Early Hints). Applications can use 
+      this feature by casting the HttpServletResponse to 
+      org.apache.catalina.connector.Reponse and then calling the method 
+      void sendEarlyHints(). This method will be added to the Servlet API 
+      (removing the need for the cast) in Servlet 6.2 onwards. (markt)
+    + Fix: 69214: Do not reject a CORS request that uses POST but does not 
+      include a content-type header. Tomcat now correctly processes this as 
+      a simple CORS request. Based on a patch suggested by thebluemountain. 
+      (markt)
+    + Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather 
+      than Subject.doAs() when available. (markt)
+
+  * Coyote
+    + Fix: Return null SSL session id on zero length byte array returned from 
+      the SSL implementation. (remm)
+    + Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
+    + Fix: Create the HttpParser in Http11Processor if it is not present on 
+      the AbstractHttp11Protocol to provide better lifecycle robustness for 
+      regular HTTP/1.1. The new behavior was introduced on a previous 
+      refactoring to improve HTTP/2 performance. (remm)
+    + Fix: OpenSSLContext will now throw a KeyManagementException if something 
+      is known to have gone wrong in the init method, which is the behavior 
+      documented by javax.net.ssl.SSLContext.init. This makes error handling 
+      more consistent. (remm)
+    + Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to 
+      generate Date headers for HTTP responses) generates the correct string 
+      for the given input. Prior to this change, the output may have been 
+      wrong by one second in some cases. Pull request #751 provided by Chenjp. 
+      (markt)
+    + Add: Add server and serverRemoveAppProvidedValues to the list of 
+      attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector 
+      it is nested within. (markt)
+    + Fix: Avoid possible crashes when using Apache Tomcat Native, caused by 
+      destroying SSLContext objects through GC after APR has been terminated. 
+      (remm)
+    + Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer 
+      fields no longer need to be received before the headers of the 
+      subsequent stream nor are trailer fields for an in-progress stream 
+      swallowed if the Connector is paused before the trailer fields are 
+      received. (markt)
+    + Fix: Ensure the request and response are not recycled too soon for an 
+      HTTP/2 stream when a stream level error is detected during the processing 
+      of incoming HTTP/2 frames. This could lead to incorrect processing times 
+      appearing in the access log. (markt)
+    + Fix: Fix 69320, a regression in the fix for 69302 that meant the 
+      HTTP/2 processing was likely to be broken for all clients once any 
+      client sent an HTTP/2 reset frame. (markt)
+    + Fix: Correct a regression in the fix for non-blocking reads of chunked 
+      request bodies that caused InputStream.available() to return a non-zero 
+      value when there was no data to read. In some circumstances this could 
+      cause a blocking read to block waiting for more data rather than return 
+      the data it had already received. (markt)
+    + Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor. 
+      The default behaviour is unchanged. (markt)
+    + Fix: Ensure that Tomcat sends a TLS close_notify message after receiving 
+      one from the client when using the OpenSSLImplementation. (markt)
+    + Fix: 69301: Fix trailer headers replacing non-trailer headers when writing 
+      response headers to the access log. Based on a patch and test case 
+      provided by hypnoce. (markt)
+    + Fix: 69302: If an HTTP/2 client resets a stream before the request body is 
+      fully written, ensure that any ReadListener is notified via a call to 
+      ReadListener.onErrror(). (markt)
+    + Fix: Correct regressions in the refactoring that added recycling of the 
+      coyote request and response to the HTTP/2 processing. (markt)
+    + Add: Add OpenSSL integration using the FFM API rather than Tomcat Native. 
+      OpenSSL support may be enabled by adding the 
+      org.apache.catalina.core.OpenSSLLifecycleListener listener on the 
+      Server element when using Java 22 or later. (remm)
+    + Fix: Ensure that HTTP/2 stream input buffers are only created when there 
+      is a request body to be read. (markt)
+    + Code: Refactor creation of HttpParser instances from the Processor level 
+      to the Protocol level since the parser configuration depends on the 
+      protocol and the parser is, otherwise, stateless. (markt)
+    + Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal 
+      request and response processing objects by default. This behaviour can 
+      be controlled via the new discardRequestsAndResponses attribute on the 
+      HTTP/2 upgrade protocol. (markt)
+
+  * Jasper
+    + Fix: Add back tag release method as deprecated in the runtime for 
+      compatibility with old generated code. (remm)
+    + Fix: 69399: Fix regression caused by the improvement 69333 which caused 
+      the tag release to be called when using tag pooling, and to be skipped 
+      when not using it. Patch submitted by Michal Sobkiewicz. (remm)
+    + Fix: 69381: Improve method lookup performance in expression language. 
+      When the required method has no arguments there is no need to consider 
+      casting or coercion and the method lookup process can be simplified. 
+      Based on pull request #770 by John Engebretson.
+    + Fix: 69382: Improve the performance of the JSP include action by 
+      re-using results of relatively expensive method calls in the generated 
+      code rather than repeating them. Patch provided by John Engebretson. 
+      (markt)
+    + Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. 
+      Based on a suggestion by John Engebretson. (markt)
+    + Fix: 69406: When using StringInterpreterEnum, do not throw an 
+      IllegalArgumentException when an invalid Enum is encountered. Instead, 
+      resolve the value at runtime. Patch provided by John Engebretson. 
+      (markt)
+    + Fix: 69429: Optimise EL evaluation of method parameters for methods 
+      that do not accept any parameters. Patch provided by John Engebretson. 
+      (markt)
+    + Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
+    + Fix: 69338: Improve the performance of processing expressions that 
+      include AND or OR operations with more than two operands and expressions 
+      that use not empty. (markt)
+    + Fix: 69348: Reduce memory consumption in ELContext by using lazy 
+      initialization for the data structure used to track lambda arguments. 
+      (markt)
+    + Fix: Switch the TldScanner back to logging detailed scan results at debug 
+      level rather than trace level. (markt)
+
+  * Web applications
+    + Fix: The manager webapp will now be able to access certificates again 
+      when OpenSSL is used. (remm)
+    + Fix: Documentation. Align the logging configuration documentation with 
+      the current defaults. (markt)
+
+  * WebSocket
+    + Fix: If a blocking message write exceeds the timeout, don't attempt the 
+      write again before throwing the exception. (markt)
+    + Fix: An EncodeException being thrown during a message write should not 
+      automatically cause the connection to close. The application should 
+      handle the exception and make the decision whether or not to close the 
+      connection. (markt)
+
+  * jdbc-pool
+    + Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions 
+      executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException 
+      rather than the application seeing the original SQLException. Fixed by 
+      pull request #744 provided by Michael Clarke. (markt)
+    + Fix: 69279: Correct a regression in the fix for 69206 that meant that 
+      methods that previously returned a null ResultSet were returning a proxy 
+      with a null delegate. Fixed by pull request #745 provided by Huub de Beer. 
+      (markt)
+    + Fix: 69206: Ensure statements returned from Statement methods 
+      executeQuery(), getResultSet() and getGeneratedKeys() are correctly 
+      wrapped before being returned to the caller. Based on pull request 
+      #742 provided by Michael Clarke.
+
+  * Other
+    + Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. 
+      (markt)
+    + Update: Update Byte Buddy to 1.15.10. (markt)
+    + Update: Update CheckStyle to 10.20.0. (markt)
+    + Add: Improvements to German translations. (remm)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+    + Add: Improvements to Chinese translations by Ch_jp. (markt)
+    + Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. 
+      (markt)
+    + Fix: Change the default log handler level to ALL so log messages are 
+      not dropped by default if a logger is configured to use trace (FINEST) 
+      level logging. (markt)
+    + Update: Update Hamcrest to 3.0. (markt)
+    + Update: Update EasyMock to 5.4.0. (markt)
+    + Update: Update Byte Buddy to 1.15.0. (markt)
+    + Update: Update CheckStyle to 10.18.0. (markt)
+    + Update: Update the internal fork of Apache Commons BCEL to 6.10.0. 
+      (markt)
+    + Add: Improvements to Spanish translations by Fernando. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+    + Fix: Fix packaging regression with missing osgi information following 
+      addition of the test-only build target. (remm)
+    + Update: Update Tomcat Native to 1.3.1. (markt)
+    + Update: Update Byte Buddy to 1.14.18. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+
+
+-------------------------------------------------------------------
+Thu Oct  3 13:17:03 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Adapt the scripts to run also with javapackages-tools >= 6.3
+
+-------------------------------------------------------------------
+Sun Sep 29 19:42:03 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Fix build after removal of the default %%{java_home} define
+
 -------------------------------------------------------------------
 Mon Jul  8 16:34:38 UTC 2024 - Fridrich Strba <fstrba@suse.com>
 

tomcat.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -22,7 +22,7 @@
 %define elspec 3.0
 %define major_version 9
 %define minor_version 0
-%define micro_version 91
+%define micro_version 102
 %define packdname apache-tomcat-%{version}-src
 # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/
 %global basedir /srv/%{name}
@@ -120,12 +120,12 @@ Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
 Requires(pre):  shadow
-%systemd_ordering
 Recommends:     libtcnative-1-0 >= 1.1.24
 Recommends:     logrotate
 Provides:       group(tomcat)
 Provides:       user(tomcat)
 BuildArch:      noarch
+%systemd_ordering
 
 %description
 Tomcat is the servlet container that is used in the official Reference
@@ -457,7 +457,7 @@ popd
 # install sample webapp
 mkdir -p %{buildroot}%{tomcatappdir}/sample
 pushd %{buildroot}%{tomcatappdir}/sample
-%jar xf %{buildroot}%{tomcatappdir}/docs/appdev/sample/sample.war
+jar xf %{buildroot}%{tomcatappdir}/docs/appdev/sample/sample.war
 popd
 
 pushd %{buildroot}%{tomcatappdir}/examples/WEB-INF/lib