diff --git a/apache-tomcat-10.1.18-src.tar.gz b/apache-tomcat-10.1.18-src.tar.gz
deleted file mode 100644
index 19dba99..0000000
--- a/apache-tomcat-10.1.18-src.tar.gz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:cd7cdd2ae143271893e486d6b809c69e4615c556bc9f9e2ebf186c409685545e
-size 6166424
diff --git a/apache-tomcat-10.1.18-src.tar.gz.asc b/apache-tomcat-10.1.18-src.tar.gz.asc
deleted file mode 100644
index c54ad21..0000000
--- a/apache-tomcat-10.1.18-src.tar.gz.asc
+++ /dev/null
@@ -1,16 +0,0 @@
------BEGIN PGP SIGNATURE-----
-
-iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmWYGCoACgkQHPApP6U8
-pFgFuhAAuP0n+aPDB9AokSY4TQfRNZuJRRof9IjWZENwsCN+/8s0vejBLtuyRrfR
-IFbE8DqdOFWZQTbuAWP4YtvBtXxTkwnNnkldhveABDOV63Fv5GyPtMHj2b2O1lay
-LS6v40oy4816/l9muBY8w0bdUp7QHF/bvftGkvAw3ukqYDpNYs2zjP+Zvf1rNelV
-Y9pXKoxfTe9JXKiggYHU/PuWEYsKvnBTos/lwJeNwr9yHo5lsOE2CQh4ix6O8OSP
-YhmW+XrJTWhpFJiX99iN3lKFBJ0ZkTK//MaYOhvlF8JEAClbl9AMZtwkTu0z/yTN
-jdUOMXB9mcABCHxibbEnSNEC1fTThvChvXFZxRfWlgdQr3PHGH6ncJKc9o3wNN1K
-VKp45dsuvYRWGwwBN+D//U7GaWAkFGH1Tuk5WYgmd42c7fkPEoQ0m8eomWyoOdcN
-OvtzypufTsrGM/Up7szgBOhCM7izy1t3qBQ+Zey5PHYiN8/astYtKbvb7XHaAP6O
-/RrB4JV6euvgRgf4RBLHJmwWkPEzBysL1GEhJez5JjxCQNijS+9zmWwHPmjTcp+v
-HVhG3AftBme3df2LR0AMzgfsQZsIiLdgcSrLqwmhl2N3rxZ2U5cRO/eyaMgia/Kw
-atGk0QMZYwKH/EB41r5EiNtG0BIuRIq4a7Ssb1y0YpJQWvc89wc=
-=pryG
------END PGP SIGNATURE-----
diff --git a/apache-tomcat-10.1.20-src.tar.gz b/apache-tomcat-10.1.20-src.tar.gz
new file mode 100644
index 0000000..97f141e
--- /dev/null
+++ b/apache-tomcat-10.1.20-src.tar.gz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:d5f020e5761f75654c071a94188c30bc69c053984c8829f15963aa86c9225026
+size 6187831
diff --git a/apache-tomcat-10.1.20-src.tar.gz.asc b/apache-tomcat-10.1.20-src.tar.gz.asc
new file mode 100644
index 0000000..84f94bf
--- /dev/null
+++ b/apache-tomcat-10.1.20-src.tar.gz.asc
@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmX5itQACgkQHPApP6U8
+pFhopA/+K7t0yWfvbBhzqcAq/fwRG8r9/0pdYpSCNLXyNslSkzT9ZPcvEBQx5n1G
+dXsi9wqymY42YLnY7ABKTtk1jQucTSITAm3lhMC10Ql8Y3Aqbw3YZbAM5DeVThe6
+gX/aju76WNMKNHqMPOq4sQ5M99jD3C+qu3kRl8Hgx6Ro8qQ0tzxlQkKZJPtYDJZ5
+PCrRICZBLKzoP9max7aSCcTkU5BBeSmXURlI4HOKA5JNh03BI4FBrTpwcJzPL7Jq
+S4e+ZGv4//M/fRAFm9NpDqps7uTV/ELA6AMhx+2Zw7yvwUqa/JhC7qVIEKVJF0Kh
+N2afnyVCSCBSi+ZMemFxjPMyCPNREpCus9OynuP+otxoYSiZjTLeavDbSHPLva07
+dGaRQ8z+yHJ5xg1YuGG9k8AoLMR+1kcVwICrFxauKmdXFbhneZHZexjzpuRtgUmF
+zOWzXCOtJo3VDN4mYL+5ZMibkm0oTa3JhcqHyjOIHYVlAHNXr3w2Qhq1WaM+9yUb
+RXuYf7y6teJPnLWCHSJo1hjbrIa+33pMRZg/+Jrp/11Y6qlJrk1xdElGwwaR7iw2
+TmJme2DFMM9RVgyJLiptNYKnHcAmJdHfqypcldrr+nQ1XkqLY58GOq+dTb0WT7ix
+CJGBo79aRY1ewy++UHLOBoRqFdMR+2mKopVmUWVKO9ahzts/St8=
+=39SI
+-----END PGP SIGNATURE-----
diff --git a/tomcat-jdt.patch b/tomcat-jdt.patch
index ea95382..a15596f 100644
--- a/tomcat-jdt.patch
+++ b/tomcat-jdt.patch
@@ -1,8 +1,6 @@
-Index: apache-tomcat-10.1.14-src/java/org/apache/jasper/compiler/JDTCompiler.java
-===================================================================
---- apache-tomcat-10.1.14-src.orig/java/org/apache/jasper/compiler/JDTCompiler.java
-+++ apache-tomcat-10.1.14-src/java/org/apache/jasper/compiler/JDTCompiler.java
-@@ -310,13 +310,13 @@ public class JDTCompiler extends org.apa
+--- apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java 2024-04-06 14:14:17.015180386 +0200
++++ apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java 2024-04-06 14:14:33.635284982 +0200
+@@ -310,13 +310,13 @@
} else if(opt.equals("15")) {
settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
} else if(opt.equals("16")) {
@@ -18,9 +16,9 @@ Index: apache-tomcat-10.1.14-src/java/org/apache/jasper/compiler/JDTCompiler.jav
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_19);
+ settings.put(CompilerOptions.OPTION_Source, "19");
} else if (opt.equals("20")) {
- // Constant not available in latest ECJ version shipped with
- // Tomcat. May be supported in a snapshot build.
-@@ -383,17 +383,17 @@ public class JDTCompiler extends org.apa
+ // Constant not available in latest ECJ version that runs on
+ // Java 11.
+@@ -388,17 +388,17 @@
settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
} else if(opt.equals("16")) {
@@ -44,5 +42,5 @@ Index: apache-tomcat-10.1.14-src/java/org/apache/jasper/compiler/JDTCompiler.jav
+ settings.put(CompilerOptions.OPTION_TargetPlatform, "19");
+ settings.put(CompilerOptions.OPTION_Compliance, "19");
} else if (opt.equals("20")) {
- // Constant not available in latest ECJ version shipped with
- // Tomcat. May be supported in a snapshot build.
+ // Constant not available in latest ECJ version that runs on
+ // Java 11.
diff --git a/tomcat10.changes b/tomcat10.changes
index b5fc36e..43cfbb9 100644
--- a/tomcat10.changes
+++ b/tomcat10.changes
@@ -1,3 +1,154 @@
+-------------------------------------------------------------------
+Fri Apr 5 16:00:06 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 10.1.20
+ * Fixed CVEs:
+ + CVE-2024-24549: Improved request header validation for HTTP/2 stream
+ (bsc#1221386)
+ + CVE-2024-23672: Ensure that WebSocket connection closure completes if
+ the connection is closed when the server side has used the proprietary
+ suspend/resume feature to suspend the connection (bsc#1221385)
+ * Catalina
+ + Fix: Minor performance improvement for building filter chains.
+ Based on ideas from #702 by Luke Miao. (remm)
+ + Fix: Align error handling for Writer and OutputStream. Ensure
+ use of either once the response has been recycled triggers a
+ NullPointerException provided that discardFacades is configured with
+ the default value of true. (markt)
+ + Fix: 68692: The standard thread pool implementations that are
+ configured using the Executor element now implement ExecutorService
+ for better support NIO2. (remm)
+ + Fix: 68495: When restoring a saved POST request after a
+ successful FORM authentication, ensure that neither the URI, the
+ query string nor the protocol are corrupted when restoring the
+ request body. (markt)
+ + Fix: After forwarding a request, attempt to unwrap the
+ response in order to suspend it, instead of simply closing it if it
+ was wrapped. Add a new suspendWrappedResponseAfterForward boolean
+ attribute on Context to control the bahavior, defaulting to false.
+ (remm)
+ + Fix: 68721: Workaround a possible cause of duplicate class
+ definitions when using ClassFileTransformers and the transformation
+ of a class also triggers the loading of the same class. (markt)
+ + Fix: The rewrite valve should not do a rewrite if the output
+ is identical to the input. (remm)
+ + Update: Add a new valveSkip (or VS) rule flag to the rewrite
+ valve to allow skipping over the next valve in the Catalina pipeline.
+ (remm)
+ + Update: Add highConcurrencyStatus attribute to the
+ SemaphoreValve to optionally allow the valve to return an error
+ status code to the client when a permit cannot be acquired from the
+ semaphore. (remm)
+ + Add: Add checking of the "age" of the running Tomcat instance
+ since its build-date to the SecurityListener, and log a warning if
+ the server is old. (schultz)
+ + Fix: When using the AsyncContext, throw an
+ IllegalStateException, rather than allowing an NullPointerException,
+ if an attempt is made to use the AsyncContext after it has been
+ recycled. (markt)
+ + Fix: Correct JPMS and OSGi meta-data for tomcat-embed-core.jar
+ by removing reference to org.apache.catalina.ssi package that is no
+ longer included in the JAR. Based on pull request #684 by Jendrik
+ Johannes. (markt)
+ + Fix: Fix ServiceBindingPropertySource so that trailing \r\n
+ sequences are correctly removed from files containing property values
+ when configured to do so. Bug identified by Coverity Scan. (markt)
+ + Add: Add improvements to the CSRF prevention filter including
+ the ability to skip adding nonces for resource name and subtree URL
+ patterns. (schultz)
+ + Fix: Review usage of debug logging and downgrade trace or data
+ dumping operations from debug level to trace. (remm)
+ + Fix: 68089: Further improve the performance of request
+ attribute access for ApplicationHttpRequest and ApplicationRequest.
+ (markt)
+ + Fix: 68559: Allow asynchronous error handling to write to the
+ response after an error during asynchronous processing. (markt)
+ * Coyote
+ + Fix: Improve the HTTP/2 stream prioritisation process. If a
+ stream uses all of the connection windows and still has content to
+ write, it will now be added to the backlog immediately rather than
+ waiting until the write attempt for the remaining content. (markt)
+ + Fix: Add threadsMaxIdleTime attribute to the endpoint, to
+ allow configuring the amount of time before an internal executor will
+ scale back to the configured minSpareThreads size. (remm)
+ + Fix: Correct a regression in the support for user provided
+ SSLContext instances that broke the
+ org.apache.catalina.security.TLSCertificateReloadListener. (markt)
+ + Fix: Setting a null value for a cookie attribute should remove
+ the attribute. (markt)
+ + Fix: Make asynchronous error handling more robust. Ensure that
+ once a connection is marked to be closed, further asynchronous
+ processing cannot change that. (markt)
+ + Fix: Make asynchronous error handling more robust. Ensure that
+ once the call to AsyncListener.onError() has returned to the
+ container, only container threads can access the AsyncContext. This
+ protects against various race conditions that woudl otherwise occur
+ if application threads continued to access the AsyncContext.
+ + Fix: Review usage of debug logging and downgrade trace or data
+ dumping operations from debug level to trace. In particular, most of
+ the HTTP/2 debug logging has been changed to trace level. (remm)
+ + Fix: Add support for user provided SSLContext instances
+ configured on SSLHostConfigCertificate instances. Based on pull
+ request #673 provided by Hakan Altındağ. (markt)
+ + Fix: Partial fix for 68558: Cache the result of converting to
+ String for request URI, HTTP header names and the request
+ Content-Type value to improve performance by reducing repeated byte[]
+ to String conversions. (markt)
+ + Fix: Improve error reporting to HTTP/2 clients for header
+ processing errors by reporting problems at the end of the frame where
+ the error was detected rather than at the end of the headers. (markt)
+ + Fix: Remove the remaining reference to a stream once the
+ stream has been recycled. This makes the stream eligible for garbage
+ collection earlier and thereby improves scalability. (markt)
+ * Jasper
+ + Add: Add support for specifying Java 22 (with the value 22) as
+ the compiler source and/or compiler target for JSP compilation. If
+ used with an Eclipse JDT compiler version that does not support these
+ values, a warning will be logged and the default will used. (markt)
+ + Fix: Handle the case where the JSP engine forwards a
+ request/response to a Servlet that uses an OutputStream rather than a
+ Writer. This was triggering an IllegalStateException on code paths
+ where there was a subsequent attempt to obtain a Writer. (markt)
+ + Fix: Correctly handle the case where a tag library is packaged
+ in a JAR file and the web application is deployed as a WAR file
+ rather than an unpacked directory. (markt)
+ + Fix: 68546: Generate optimal size and types for JSP imports
+ maps, as suggested by John Engebretson. (remm)
+ + Fix: Review usage of debug logging and downgrade trace or data
+ dumping operations from debug level to trace. (remm)
+ * Cluster
+ + Fix: Avoid updating request count stats on async. (remm)
+ * WebSocket
+ + Fix: Correct a regression in the fix for 66508 that could
+ cause an UpgradeProcessor leak in some circumstances. (markt)
+ + Fix: Review usage of debug logging and downgrade trace or data
+ dumping operations from debug level to trace. (remm)
+ + Fix: Ensure that WebSocket connection closure completes if the
+ connection is closed when the server side has used the proprietary
+ suspend/resume feature to suspend the connection. (markt)
+ * Web applications
+ Add: Add support for responses in JSON format from the examples
+ application RequestHeaderExample. (schultz)
+ * Other
+ + Add: Improvements to French translations. (remm)
+ + Add: Improvements to Japanese translations by tak7iji. (markt)
+ + Fix: 57130: Allow digest.(sh|bat) to accept password from a
+ file or stdin. (csutherl/schultz)
+ + Update: Update Checkstyle to 10.14.1. (markt)
+ + Fix: Correct the remaining OSGi contract references in the
+ manifest files to refer to the Jakarta EE contract names rather than
+ the Java EE contract names. Based on pull request #685 provided by
+ Paul A. Nicolucci. (markt)
+ + Update: Update Checkstyle to 10.13.0. (markt)
+ + Update: Update JSign to 6.0. (markt)
+ + Update: Update the packaged version of the Tomcat Migration
+ Tool for Jakarta EE to 1.0.7. (markt)
+ + Update: Update Tomcat Native to 2.0.7. (markt)
+ + Update: Add strings for debug level messages. (remm)
+ + Add: Improvements to French translations. (remm)
+ + Add: Improvements to Japanese translations by tak7iji. (markt)
+- Regenerated patch: tomcat-jdt.patch
+
-------------------------------------------------------------------
Wed Mar 6 07:18:06 UTC 2024 - Dan Čermák <dcermak@suse.com>
diff --git a/tomcat10.spec b/tomcat10.spec
index 97e0194..47910e8 100644
--- a/tomcat10.spec
+++ b/tomcat10.spec
@@ -29,7 +29,7 @@
%define elspec %{elspec_major}.%{elspec_minor}
%define major_version 10
%define minor_version 1
-%define micro_version 18
+%define micro_version 20
%define java_major 1
%define java_minor 11
%define java_version %{java_major}.%{java_minor}