diff --git a/tomcat10.changes b/tomcat10.changes
index cd5eb87..7f7b539 100644
--- a/tomcat10.changes
+++ b/tomcat10.changes
@@ -1,7 +1,7 @@
--------------------------------------------------------------------
-Tue Feb 6 10:04:21 UTC 2024 - Michele Bussolotto
+Fri Jan 26 12:37:05 UTC 2024 - Michele Bussolotto
-- rpm 4.19 requires dependencies on tomcat user and group (bsc#1219530)
+- Fixed CVEs:
+ * CVE-2024-22029: run xsltproc as tomcat group (bsc#1219208)
 -------------------------------------------------------------------
 Wed Jan 17 15:59:25 UTC 2024 - Michele Bussolotto
diff --git a/tomcat10.spec b/tomcat10.spec
index 108c284..4f84243 100644
--- a/tomcat10.spec
+++ b/tomcat10.spec
@@ -138,8 +138,6 @@ Requires: libtcnative-1-0 >= 1.2.38
 Requires: logrotate
 BuildArch: noarch
 Conflicts: %{app_name}
-Provides: group(tomcat)
-Provides: user(tomcat)
 %description
 Tomcat is the servlet container that is used in the official Reference
@@ -593,7 +591,8 @@ getent passwd tomcat >/dev/null || %{_sbindir}/useradd -c "Apache Tomcat" \
 %post
 %service_add_post %{app_name}.service
 %{fillup_only %{app_name}}
-xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml
+chown -R tomcat:tomcat %{confdir}/server.xml
+runuser -u tomcat -g tomcat -- xsltproc --output %{confdir}/server.xml %{confdir}/valve.xslt %{confdir}/server.xml
 %preun
 %service_del_preun %{app_name}.service
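Review bot: In `%post`, the added `chown -R tomcat:tomcat %{confdir}/server.xml` leaves the main configuration file permanently owned by the service account, so the running Tomcat process can afterwards rewrite its own `server.xml`; the privilege drop for `xsltproc` does not by itself require that end state to persist. The `chown` is also still executed as root on a path under `%{confdir}`, so whether the hunk fully closes CVE-2024-22029 depends on who can write to that directory, which is not visible here. The same `chown -R` plus `runuser` pair is added in `%post webapps`, `%post admin-webapps` and `%post docs-webapp`, where the argument is a whole `META-INF` directory. I would declare the intended owner and mode in `%files` instead of changing them in a scriptlet, and at minimum add a comment above each pair such as `# CVE-2024-22029: xsltproc must not run as root on tomcat-writable files`.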
@@ -665,17 +664,22 @@ rm -f \
 %{libdir}/\[ecj\].jar >/dev/null 2>&1
 %post webapps
-xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
-if [ ! -e %{_datadir}/%{app_name}/webapps/ROOT ]; then
- ln -sf %{tomcatappdir}/ROOT %{_datadir}/%{app_name}/webapps/ROOT
-fi
-xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/examples/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/examples/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
 if [ ! -e %{_datadir}/%{app_name}/webapps/examples ]; then
  ln -sf %{tomcatappdir}/examples %{_datadir}/%{app_name}/webapps/examples
 fi
 #use the same context.xml for sample war
+mkdir -p %{tomcatappdir}/ROOT/META-INF
+chown -R tomcat:tomcat %{tomcatappdir}/ROOT/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/ROOT/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+if [ ! -e %{_datadir}/%{app_name}/webapps/ROOT ]; then
+ ln -sf %{tomcatappdir}/ROOT %{_datadir}/%{app_name}/webapps/ROOT
+fi
+#use the same context.xml for sample war
 mkdir -p %{tomcatappdir}/webapps/sample/META-INF
-xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/sample/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/sample/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/examples/META-INF/context.xml
 if [ ! -e %{_datadir}/%{app_name}/webapps/sample ]; then
  ln -sf %{tomcatappdir}/sample %{_datadir}/%{app_name}/webapps/sample
 fi
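Review bot: The added `chown -R tomcat:tomcat %{tomcatappdir}/sample/META-INF` and the `xsltproc --output` after it both target `%{tomcatappdir}/sample/META-INF`, but the unchanged `mkdir -p` just above creates `%{tomcatappdir}/webapps/sample/META-INF`. Unless the package ships `sample/META-INF` itself (not visible in this hunk), both new commands operate on a directory that does not exist; the line should read `mkdir -p %{tomcatappdir}/sample/META-INF`. The hunk also moves the ROOT transform after the in-place transform of `examples/META-INF/context.xml`, so ROOT is now generated from an already-transformed file, which is only equivalent to the old result if `allowLinking.xslt` is idempotent. The comment `#use the same context.xml for sample war` is duplicated above the ROOT block and should name ROOT there.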
@@ -687,18 +691,21 @@ if [ $1 -eq 0 ]; then # uninstall only
 fi
 %post admin-webapps
-xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/manager/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/manager/META-INF/context.xml
 if [ ! -e %{_datadir}/%{app_name}/webapps/manager ]; then
  ln -sf %{tomcatappdir}/manager %{_datadir}/%{app_name}/webapps/manager
 fi
-xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/host-manager/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/host-manager/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/host-manager/META-INF/context.xml
 if [ ! -e %{_datadir}/%{app_name}/webapps/host-manager ]; then
  ln -sf %{tomcatappdir}/host-manager %{_datadir}/%{app_name}/webapps/host-manager
 fi
 %post docs-webapp
-xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/docs/META-INF/context.xml
+chown -R tomcat:tomcat %{tomcatappdir}/docs/META-INF
+runuser -u tomcat -g tomcat -- xsltproc --output %{tomcatappdir}/docs/META-INF/context.xml %{confdir}/allowLinking.xslt %{tomcatappdir}/docs/META-INF/context.xml
 if [ ! -e %{_datadir}/%{app_name}/webapps/docs ]; then
  ln -sf %{tomcatappdir}/docs %{_datadir}/%{app_name}/webapps/docs
 fi
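Review bot: Nothing in `%post admin-webapps` or `%post docs-webapp` checks the result of the new `runuser ... xsltproc` calls, and each of them rewrites its `context.xml` in place because `--output` names the input file. The privilege drop adds failure modes the old root invocation did not have (for example `runuser` being unable to switch to the `tomcat` account), and as far as the hunk shows the scriptlet would carry on to the `ln -sf` regardless. I would at least surface the failure, e.g. by appending `|| echo "warning: allowLinking transform of manager/META-INF/context.xml failed" >&2` to each call, so an untransformed `context.xml` is noticed at install time. Because the same two-line pair now appears six times across the scriptlets, a single spec macro wrapping the `chown` and `runuser` step would keep a future subpackage from reintroducing a root-run `xsltproc`.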