Accepting request 1299338 from Java:packages

OBS-URL: https://build.opensuse.org/request/show/1299338
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/tomcat10?expand=0&rev=23

apache-tomcat-10.1.25-src.tar.gz.asc

@@ -1,17 +0,0 @@
------BEGIN PGP SIGNATURE-----
-Comment: GPGTools - http://gpgtools.org
-
-iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmZsrB0ACgkQHPApP6U8
-pFgWehAAsL94Pf+o5NqhdP9RXxOLfGkAjwC6UdWEGbi/UUhJz/tEx3A66P3eyKJx
-KZw+0oqnwI9dXNry9TH3zZHk1Qj93HzOQRPolomCZWnwAcq964IutIc0PQMvga8+
-kaNfCloaOo9+VPeOAQ5rSn2jbdui+lYuTvHUuMiJ2+/U33Dn45JtTY+sQZxGFI0D
-OM9Bu7j64Vxp6tLMtYwcO33vsKnlT6WmC7NekkbyWlkLIDTKfaNp6PstKI1cxOvY
-8Cc1G276iGjPsyf06ooPZ6yunXYOXXT5SSsyvsKdWyacdFQ9BxlC5asOIwr+OKjp
-6tDIWK2RZQPs5fVGAeW4+6YN4jpTDrjjJvvC2M/Quyn7eRME0yB7qa6QAFM7mpqk
-oATHa+np0X3a5iNHW6w61En1F8yG2DtMyxIApkS25SGyA3XCRmZy2v14WPEaJURb
-PTrXY4+p18ae7cB6R5eoQZlBMxN+yqmwr7+RLcU3bTvMb65g19RPUcZ78/aKWteF
-G0wHn/QQy1yjDg4zJ0RQZzF0GhChux/G8Is423PiAskQJjQMB2O39PJV3D+hbrwk
-VXkH1JNwl5O18S76o0/t7eMF1Z1LViyS3Ldr/M9vpxtGmtX5VdfzmZ+Z6+JvAaZI
-+Ae7aA9B3BLWGiAjJNsu2FBY94jx2FZJgedg3pvPIyFSP6+W1Hg=
-=l6Tt
------END PGP SIGNATURE-----

apache-tomcat-10.1.43-src.tar.gz.asc

@@ -0,0 +1,16 @@
+-----BEGIN PGP SIGNATURE-----
+
+iQIzBAABCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAmhkU9cACgkQHPApP6U8
+pFhElw/+PtORhhIobN6tQaSZYWQ8wfgNnd+gYpT31sp7ufUmKpHDYU0/FeU/kCmZ
+FEIPbxPfEA4vHjbJh6E+sN59+s8HO5A255M3qum/NIJW8XsN5EdZcn+8fZVogMp7
+jWtnB7A9TPZ32mOljY7GXfXe4Da7PUoH8DZgD+eJ/iXrYoK6dgha5Z0cUQWuHq7j
+h/nCajbnNhsicIipAXUlUEwkWi6br3CPSFTdULmG9WvxgUEvKetSftOScqtOCE5C
+Tb5SZFyHuui2BAT9d6D6Varjae8GcpvkBupa6YhL981jERrGybo38IfSP2HWAlwP
+vQIuCGkhSoe/Nn65f2UxMiftyWPY8AgyedRFzE2EXxyxWZCOXksbovvqlhKxoStk
+MofhhAMhNApdk7d+wipuLcjRXdQBXo5PSo0782uDE+Fyl7sTl7dRnVmQNCTyrVUg
+/bFqMUzuQS7znqXNj+0yD9x1aC+LeiNMsvYTfPihqv7SeJUqz10CyqkkO8aYetGJ
+RhHlcrzl0+hsCzyYV8W2BG28GHfTRxSfYA43tlTqg5c7BFzOs3NlJFLwMcxToszw
+7Lb2xXevGnBRSM27UbXeLFXr9/xDiMu9C0fxAIpCNKhFVIidNoJ/vvIkMtj38xzT
+DWz0EQB/8TSwfEmqs+c5uppziZa7eN6iJfWBp18IqPLC1wPgKGY=
+=VK2I
+-----END PGP SIGNATURE-----

tomcat-digest.script

@@ -3,6 +3,9 @@
 # tomcat-digest script
 # JPackage Project <http://www.jpackage.org/>
 
+# Set default JAVA_HOME
+export JAVA_HOME="${JAVA_HOME:-%{?java_home}}"
+
 # Source functions library
 if [ -f /usr/share/java-utils/java-functions ] ; then
   . /usr/share/java-utils/java-functions

tomcat-jdt.patch

@@ -1,15 +1,15 @@
---- apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java	2024-04-06 14:14:17.015180386 +0200
+--- apache-tomcat-10.1.34-src/java/org/apache/jasper/compiler/JDTCompiler.java     2025-01-03 18:40:16.470885660 +0000
-+++ apache-tomcat-10.1.20-src/java/org/apache/jasper/compiler/JDTCompiler.java	2024-04-06 14:14:33.635284982 +0200
++++ apache-tomcat-10.1.34-src/java/org/apache/jasper/compiler/JDTCompiler.java    2024-12-05 16:01:16.000000000 +0000
-@@ -310,13 +310,13 @@
+@@ -298,13 +298,13 @@
-             } else if(opt.equals("15")) {
+             } else if (opt.equals("15")) {
                  settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
-             } else if(opt.equals("16")) {
+             } else if (opt.equals("16")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
 +                settings.put(CompilerOptions.OPTION_Source, "16");
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_17);
 +                settings.put(CompilerOptions.OPTION_Source, "17");
-             } else if(opt.equals("18")) {
+             } else if (opt.equals("18")) {
 -                settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_18);
 +                settings.put(CompilerOptions.OPTION_Source, "18");
              } else if (opt.equals("19")) {
@@ -18,20 +18,20 @@
              } else if (opt.equals("20")) {
                  // Constant not available in latest ECJ version that runs on
                  // Java 11.
-@@ -388,17 +388,17 @@
+@@ -386,17 +386,17 @@
                  settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
                  settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
-             } else if(opt.equals("16")) {
+             } else if (opt.equals("16")) {
 -                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16);
 -                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16);
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "16");
 +                settings.put(CompilerOptions.OPTION_Compliance, "16");
-             } else if(opt.equals("17")) {
+             } else if (opt.equals("17")) {
 -                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_17);
 -                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_17);
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "17");
 +                settings.put(CompilerOptions.OPTION_Compliance, "17");
-             } else if(opt.equals("18")) {
+             } else if (opt.equals("18")) {
 -                settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_18);
 -                settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_18);
 +                settings.put(CompilerOptions.OPTION_TargetPlatform, "18");

tomcat-tool-wrapper.script

@@ -3,6 +3,9 @@
 # tomcat-digest script
 # JPackage Project <http://www.jpackage.org/>
 
+# Set default JAVA_HOME
+export JAVA_HOME="${JAVA_HOME:-%{?java_home}}"
+
 # Source functions library
 if [ -f /usr/share/java-utils/java-functions ] ; then
   . /usr/share/java-utils/java-functions

tomcat10.changes

@@ -1,3 +1,881 @@
+-------------------------------------------------------------------
+Wed Aug  6 12:45:13 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 10.1.43
+  * Fixed CVEs:
+    + CVE-2025-52520: Align size tracking for multipart requests with
+      FileUpload's use of long. (bsc#1246388)
+    + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier.
+      (bsc#1246318)
+  * Catalina
+    + Fix: Ensure application configured welcome files override the defaults
+      when configuring an embedded web application programmatically. (markt)
+    + Fix: Allow the default servlet to set the content length when the content
+      length is known, no content has been written and a Writer is being used.
+      (markt)
+    + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that
+      prevented access to PreResources and PostResources when mounted below the
+      web application root with a path that was terminated with a file
+      separator. (remm/markt)
+    + Fix: 69731: Fix an issue that meant that the value of maxParameterCount
+      applied was smaller than intended for multipart uploads with non-file
+      parts when the parts were processed before query string parameters.
+      (markt)
+    + Fix: Align size tracking for multipart requests with FileUpload's use of
+      long. (schultz)
+  * Coyote
+    + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update
+      the documentation to provide more details on the memory requirements to
+      support multi-part uploads while avoiding a denial of service risk.
+      (markt)
+    + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding
+      when the headers include a content-length. (remm/markt)
+    + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting
+      one request multiple times. Based on pull request #868 by qingdaoheze.
+      (markt)
+    + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value
+      of useVirtualThreads in JMX. (remm)
+    + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional
+      certificate verification and improve the warnings when a web application
+      tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of
+      TLS 1.3. (markt)
+    + Fix: When setting the initial HTTP/2 connection limit, apply those limits
+      earlier. (markt)
+  * Jasper
+    + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
+    + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL
+      grammar as both are unused. (markt)
+  * Web applications
+    + Add: Documentation. Provide more explicit guidance regarding the security
+      considerations for enabling write access to the web application via
+      WebDAV, HTTP PUT requests or similar. (markt)
+    + Add: Documentation. Add a section on reverse proxies to the security
+      considerations page. (markt)
+  * Other
+    + Update: Update UnboundID to 7.0.3. (markt)
+    + Update: Update Checkstyle to 10.25.1. (markt)
+    + Update: Improvements to French translations. (remm)
+    + Update: Improvements to Japanese translations provided by tak7iji. (markt)
+
+-------------------------------------------------------------------
+Tue Jun 24 09:51:59 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 10.1.42
+  * Fixed CVEs:
+    + CVE-2025-46701: refactor CGI servlet to access resources via
+      WebResources (bsc#1243815)
+    + CVE-2025-48988: limits the total number of parts in a
+      multi-part request and limits the size of
+      the headers provided with each part (bsc#1244656)
+    + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649)
+  * Catalina
+    + Add: Support for the java:module namespace which mirrors the
+      java:comp namespace.
+    + Add: Support parsing of multiple path parameters separated by ; in a
+      single URL segment. Based on pull request #860 by Chenjp.
+    + Add: Support for limiting the number of parameters in HTTP requests
+      through the new ParameterLimitValve. The valve allows configurable
+      URL-specific limits on the number of parameters.
+    + Fix: 69699: Encode redirect URL used by the rewrite valve with the
+      session id if appropriate, and handle cross context with different
+      session configuration when using rewrite.
+    + Add: #863: Support for comments at the end of lines in text rewrite
+      map files to align behaviour with Apache httpd. Pull request
+      provided by Chenjp.
+    + Fix: 69706: Saved request serialization issue in FORM introduced
+      when allowing infinite session timeouts.
+    + Fix: Expand the path checks for Pre-Resources and Post-Resources
+      mounted at a path within the web application.
+    + Fix: Use of SSS in SimpleDateFormat pattern for AccessLogValve.
+    + Fix: Process possible path parameters rewrite production in the
+      rewrite valve.
+    + Fix: 69588: Enable allowLinking to be set on PreResources,
+      JarResources and PostResources. If not set explicitly, the setting
+      will be inherited from the Resources.
+    + Add: 69633: Support for Filters using context root mappings.
+    + Fix: 69643: Optimize directory listing for large amount of files.
+      Patch submitted by Loic de l'Eprevier.
+    + Fix: #843: Off by one validation logic for partial PUT ranges and
+      associated test case. Submitted by Chenjp.
+    + Refactor: Replace the unused buffer in
+      org.apache.catalina.connector.InputBuffer with a static, zero
+      length buffer.
+    + Refactor: GCI servlet to access resources via the WebResource API.
+    + Fix: 69662: Report name in exception message when a naming lookup
+      failure occurs. Based on code submitted by Donald Smith.
+    + Fix: Ensure that the FORM authentication attribute
+      authenticationSessionTimeout works correctly when sessions have an
+      infinite timeout when authentication starts.
+    + Add: Provide a content type based on file extension when web
+      application resources are accessed via a URL.
+  * Coyote
+    + Refactor: #861: TaskQueue to use the new interface RetryableQueue
+      which enables better integration of custom Executors which provide
+      their own BlockingQueue implementation. Pull request provided by
+      Paulo Almeida.
+    + Add: Finer grained control of multi-part request processing via two
+      new attributes on the Connector element. maxPartCount limits the
+      total number of parts in a multi-part request and maxPartHeaderSize
+      limits the size of the headers provided with each part. Add support
+      for these new attributes to the ParameterLimitValve.
+    + Refactor: The SavedRequestInputFilter so the buffered data is used
+      directly rather than copied.
+  * Jasper
+    + Fix: 69696: Mark the JSP wrapper for reload after a failed
+      compilation.
+    + Fix: 69635: Add support to jakarta.el.ImportHandler for resolving
+      inner classes.
+    + Add: #842: Support for optimized execution of c:set and c:remove
+      tags, when activated via JSP servlet param
+      useNonstandardTagOptimizations.
+    + Fix: An edge case compilation bug for JSP and tag files on case
+      insensitive file systems that was exposed by the test case for
+      69635.
+  * Web applications
+    + Fix: 69694: Improve error reporting of deployment tasks done using
+      the manager webapp when a copy operation fails.
+    + Add: 68876: Documentation. Update the UML diagrams for server
+      start-up, request processing and authentication using PlantUML and
+      include the source files for each diagram.
+  * Other
+    + Add: Thread name to webappClassLoader.stackTraceRequestThread
+      message. Patch provided by Felix Zhang.
+    + Update: Tomcat Native to 2.0.9.
+    + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1
+      (2025-06-05).
+    + Update: EasyMock to 5.6.0.
+    + Update: Checkstyle to 10.25.0.
+    + Fix: Use the full path when the installer for Windows sets calls
+      icacls.exe to set file permissions.
+    + Update: Improvements to Japanese translations provided by tak7iji.
+    + Fix: Set sun.io.useCanonCaches in service.bat Based on pull request
+      #841 by Paul Lodge.
+    + Update: Jacoco to 0.8.13.
+    + Code: Explicitly set the locale to be used for Javadoc. For
+      official releases, this locale will be English (US) to support
+      reproducible builds.
+    + Update: Byte Buddy to 1.17.5.
+    + Update: Checkstyle to 10.23.1.
+    + Update: File extension to media type mappings to align with the
+      current list used by the Apache Web Server (httpd).
+    + Update: Improvements to French translations.
+    + Update: Improvements to Japanese translations provided by tak7iji. 
+
+-------------------------------------------------------------------
+Tue Jun 10 12:56:25 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Hardening permissions (bsc#1242722)
+
+-------------------------------------------------------------------
+Fri May  2 14:55:24 UTC 2025 - Fridrich Strba <fstrba@suse.com>
+
+- Make conflicts and provides more generic
+
+-------------------------------------------------------------------
+Wed Apr 30 10:31:05 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 10.1.40
+  * Fixed CVEs:  
+    + CVE-2025-31650: invalid priority field values should be ignored
+      (bsc#1242008)
+    + CVE-2025-31651: Better handling of URLs with literal ';' and '?'
+      (bsc#1242009)
+  * Catalina
+    + Fix: Return 400 if the amount of content sent for a partial PUT is
+      inconsistent with the range that was specified. (remm)
+    + Add: Add a new RateLimiter implementation,
+      org.apache.catalina.util.ExactRateLimiter, that can be used with
+      org.apache.catalina.filters.RateLimitFilter to provide rate limit based
+      on the exact values configured. Based on pull request #794 by Chenjp.
+      (markt)
+    + Fix: Fix parsing of the time-taken token in the ExtendedAccessLogValve.
+      (remm)
+    + Fix: Fix invocation of the FFM OpenSSL code for setting a SSL engine and
+      FIPS mode. (remm)
+    + Fix: 69600: Add IPv6 local addresses (RFC 4193 and RFC 4291) to the
+      default internal proxies for the RemoteIpFilter and RemoteIpValve.
+      (markt)
+    + Fix: 69615: Improve integration with the not found class resources cache
+      for users who are using a custom web application class loader and/or
+      using reflection to dynamically add external repositories to the web
+      application class loader. (markt)
+    + Add: Add a new initialisation parameter to the Default servlet -
+      allowPostAsGet - which controls whether a direct request (i.e. not a
+      forward or an include) for a static resource using the POST method will
+      be processed as if the GET method had been used. If not allowed, the
+      request will be rejected. The default behaviour of processing the request
+      as if the GET method had been used is unchanged. (markt)
+    + Fix: 69623: Correct a long standing regression that meant that calls to
+      ClassLoader.getResource().getContent() failed when made from within a web
+      application with resource caching enabled. (markt)
+    + Fix: 69634: Avoid NPE on JsonErrorReportValve. (remm)
+    + Fix: Add missing throwable stack trace to JsonErrorReportValve equivalent
+      to the one from ErrorReportValve. (remm)
+    + Fix: Improve the handling of %nn URL encoding in the RewriteValve and
+      document how %nn URL encoding may be used with rewrite rules. (markt)
+    + Fix: Fix a potential exception when calling
+      WebappClassLoaderBase.getResource(""). (markt)
+  * Coyote
+    + Fix: 69607: Allow failed initialization of MD5. Based on code submitted by
+      Shivam Verma. (remm)
+    + Fix: 69614: HTTP/2 priority frames with an invalid priority field value
+      should be ignored. (markt)
+    + Fix: Improve handling of unexpected errors during HTTP/2 processing.
+      (markt)
+    + Fix: Add missing code to process an OpenSSL profile, such as
+      PROFILE=SYSTEM, using FFM. (remm)
+    + Add: Simplify the process of using a custom SSLContext for an HTTPS
+      enabled connector. Based on pull request #805 by Hakky54. (markt)
+  * Jasper
+    + Code: Replace custom URL encoding provided by the JSP runtime library with
+      calls to java.net.URLEncoder.encode(). (markt)
+    + Add: Add compiler using the Java Compiler API, supporting exploded web
+      applications. The compilerClassName to use is
+      org.apache.jasper.compiler.JavaCompiler. (remm)
+    + Add: Add support for specifying Java 25 (with the value 25) as the
+      compiler source and/or compiler target for JSP compilation. If used with
+      an Eclipse JDT compiler version that does not support these values, a
+      warning will be logged and the default will be used. (markt)
+  * Cluster
+    + Fix: Fix resetting cross context sessions in the ReplicationValve. (remm)
+  * Web applications
+    + Add: Documentation. Add a link to the Log4j documentation that describes
+      how to use Log4j rather than JULI for Tomcat's internal logging. (markt)
+    + Add: Documentation. Document the runtime attributes available to web
+      applications via the Request or the ServletContext. Based on pull request
+      #832 by usmazat. (markt)
+  * Other
+    + Update: Revert JSign to 6.0 to avoid a file locking issue. (markt)
+    + Update: Update to NSIS 3.11. (markt)
+    + Update: Update to ByteBuddy 1.17.4. (markt)
+    + Update: Update to Checkstyle 10.21.4. (markt)
+    + Update: Update to SpotBugs to 4.9.3. (markt)
+    + Update: Improvements to French translations. (remm)
+    + Update: Improvements to Japanese translations provided by tak7iji. (markt)
+
+-------------------------------------------------------------------
+Tue Mar 18 21:16:30 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 10.1.39
+  * Fixes:
+    + launch with java 17 (bsc#1239676)
+  * Catalina
+    + Fix: 69602: Fix regression in releases from 12-2024 that were too strict
+      and rejected weak etags in the If-Range header with a 400 response.
+      Instead will consider it as a failed match since strong etags are required
+      for If-Range. (remm)
+    + Fix: When looking up class loader resources by resource name, the resource
+      name should not start with '/'. If the resource name does start with '/',
+      Tomcat is lenient and looks it up as if the '/' was not present. When the
+      web application class loader was configured with external repositories and
+      names starting with '/' were used for lookups, it was possible that cached
+      'not found' results could effectively hide lookup results using the
+      correct resource name. (markt)
+    + Fix: Enable the JNDIRealm to validate credentials provided to
+      HttpServletRequest.login(String username, String password) when the realm
+      is configured to use GSSAPI authentication. (markt)
+    + Fix: Fix a bug in the JRE compatibility detection that incorrectly
+      identified Java 19 and Java 20 as supporting Java 21 features. (markt)
+    + Fix: Improve the checks for exposure to and protection against
+      CVE-2024-56337 so that reflection is not used unless required. The checks
+      for whether the file system is case sensitive or not have been removed.
+      (markt)
+    + Add: Add support for logging the connection ID (as returned by
+      ServletRequest.getServletConnection().getConnectionId()) with the
+      AccessLogValve and ExtendedAccessLogValve. Based on pull request #814 by
+      Dmole. (markt)
+    + Fix: Avoid scenarios where temporary files used for partial PUT would not
+      be deleted. (remm)
+    + Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught
+      exception introduced for the check for CVE-2024-56337. (remm)
+  * Cluster
+    + Add: 69598: Add detection of service account token changes to the
+      KubernetesMembershipProvider implementation and reload the token if it
+      changes. Based on a patch by Miroslav Jezbera. (markt)
+  * Coyote
+    + Fix: 69575: Avoid using compression if a response is already compressed
+      using compress, deflate or zstd. (remm)
+    + Update: Use Transfer-Encoding for compression rather than Content-Encoding
+      if the client submits a TE header containing gzip. (remm)
+    + Fix: Fix a race condition in the handling of HTTP/2 stream reset that
+      could cause unexpected 500 responses. (markt)
+  * Other
+    + Add: Add makensis as an option for building the Installer for Windows on
+      non-Windows platforms. (rjung/markt)
+    + Update: Update Byte Buddy to 1.17.1. (markt)
+    + Update: Update Checkstyle to 10.21.3. (markt)
+    + Update: Update SpotBugs to 4.9.1. (markt)
+    + Update: Update JSign to 7.1. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+    + Add: Add org.apache.juli.JsonFormatter to format log as one line JSON
+      documents. (remm) 
+
+-------------------------------------------------------------------
+Wed Mar 12 16:42:43 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 10.1.35
+  * Fixed CVE:
+    + CVE-2025-24813: potential RCE and/or information disclosure/corruption with
+      partial PUT (bsc#1239302)
+  * Catalina
+    + Update: Add tableName configuration on the DataSourcePropertyStore that
+      may be used by the WebDAV Servlet. (remm)
+    + Update: Improve HTTP If headers processing according to RFC 9110. Based on
+      pull request #796 by Chenjp. (remm/markt)
+    + Update: Allow readOnly attribute configuration on the Resources element
+      and allow configure the readOnly attribute value of the main resources.
+      The attribute value will also be used by the default and WebDAV Servlets.
+      (remm)
+    + Fix: 69285: Optimise the creation of the parameter map for included
+      requests. Based on sample code and test cases provided by John
+      Engebretson. (markt)
+    + Fix: 69527: Avoid rare cases where a cached resource could be set with 0
+      content length, or could be evicted immediately. (remm)
+    + Fix: Fix possible edge cases (such as HTTP/1.0) with trying to detect
+      requests without body for WebDAV LOCK and PROPFIND. (remm)
+    + Fix: 69528: Add multi-release JAR support for the bloom
+      archiveIndexStrategy of the Resources. (remm)
+    + Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based
+      on a patch submitted by Chenjp. (remm)
+    + Fix: Remove unused session to client map from CrawlerSessionManagerValve.
+      Submitted by Brian Matzon. (remm)
+    + Add: Add a check to ensure that, if one or more web applications are
+      potentially vulnerable to CVE-2024-56337, the JVM has been configured to
+      protect against the vulnerability and to configure the JVM correctly if
+      not. Where one or more web applications are potentially vulnerable to
+      CVE-2024-56337 and the JVM cannot be correctly configured or it cannot be
+      confirmed that the JVM has been correctly configured, prevent the impacted
+      web applications from starting. (markt)
+    + Fix: When using the WebDAV servlet with serveSubpathOnly set to true,
+      ensure that the destination for any requested WebDAV operation is also
+      restricted to the sub-path. (markt)
+    + Fix: Generate an appropriate Allow HTTP header when the Default servlet
+      returns a 405 (method not allowed) response in response to a DELETE
+      request because the target resource cannot be deleted. Pull request #802
+      provided by Chenjp. (markt)
+    + Code: Refactor creation of RequestDispatcher instances so that the
+      processing of the provided path is consistent with normal request
+      processing. (markt)
+    + Add: Add encodedReverseSolidusHandling and encodedSolidusHandling
+      attributes to Context to provide control over the handling of the path
+      used to created a RequestDispatcher. (markt)
+    + Fix: Handle a potential NullPointerException after an IOException occurs
+      on a non-container thread during asynchronous processing. (markt)
+    + Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
+  * Coyote
+    + Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does
+      not support. These settings are now silently ignored. (markt)
+    + Fix: Avoid a rare NullPointerException when recycling the
+      Http11InputBuffer. (markt)
+    + Fix: Lower the log level to debug for logging an invalid socket channel
+      when processing poller events for the NIO Connector as this may occur in
+      normal usage. (markt)
+    + Code: Clean-up references to the HTTP/2 stream once request processing has
+      completed to aid GC and reduce the size of the HTTP/2 recycled request and
+      response cache. (markt)
+    + Add: Add a new Connector configuration attribute,
+      encodedReverseSolidusHandling, to control how %5c sequences in URLs are
+      handled. The default behaviour is unchanged (decode) keeping in mind that
+      the allowBackslash attribute determines how the decoded URI is processed.
+      (markt)
+    + Fix: 69545: Improve CRLF skipping for the available method of the
+      ChunkedInputFilter. (remm)
+    + Fix: Improve the performance of repeated calls to getHeader(). Pull
+      request #813 provided by Adwait Kumar Singh. (markt)
+    + Fix: 69559: Ensure that the Java 24 warning regarding the use of
+      sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code
+      will be used. (markt)
+  * Jasper
+    + Fix: 69508: Correct a regression in the fix for 69382 that broke JSP
+      include actions if both the page attribute and the body contained
+      parameters. Pull request #803 provided by Chenjp. (markt)
+    + Fix: Update the identifier validation in the Expression Language parser to
+      reflect that, as of Java 9, _ is also a Java keyword and may not be used
+      as an identifier. (markt)
+    + Fix: 69521: Update the EL Parser to allow the full range of valid
+      characters in an EL identifier as defined by the Java Language
+      Specification. (markt)
+    + Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch
+      provided by John Engebretson. (markt)
+  * Web applications
+    + Add: Documentation. Expand the description of the security implications of
+      setting mapperContextRootRedirectEnabled and/or
+      mapperDirectoryRedirectEnabled to true. (markt)
+    + Fix: Documentation. Better document the default for the truststoreProvider
+      attribute of a SSLHostConfig element. (markt)
+  * Other
+    + Update: Update to Commons Daemon 1.4.1. (markt)
+    + Update: Update the packaged version of the Tomcat Migration Tool for
+      Jakarta EE to 1.0.9. (markt)
+    + Update: Update the internal fork of Commons Pool to 2.12.1. (markt)
+    + Update: Update Byte Buddy to 1.16.1. (markt)
+    + Update: Update UnboundID to 7.0.2. (markt)
+    + Update: Update Checkstyle to 10.21.2. (markt)
+    + Update: Update SpotBugs to 4.9.0. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Chinese translations by leeyazhou. (markt)
+    + Add: Improvements to Japanese translations by tak7iji. (markt) 
+
+-------------------------------------------------------------------
+Fri Jan  3 18:33:44 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
+
+- Update to Tomcat 10.1.34
+  * Fixed CVEs:
+    + CVE-2024-54677: DoS in examples web application (bsc#1234664)
+    + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663) 
+    + CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435)
+  * Catalina
+    + Add: Add option to serve resources from subpath only with WebDAV Servlet
+      like with DefaultServlet. (michaelo)
+    + Fix: Add special handling for the protocols attribute of SSLHostConfig in
+      storeconfig. (remm)
+    + Fix: 69442: Fix case sensitive check on content-type when parsing request
+      parameters. (remm)
+    + Code: Refactor duplicate code for extracting media type and subtype from
+      content-type into a single method. (markt)
+    + Fix: Compatibility of generated embedded code with components where
+      constructors or property related methods throw a checked exception. (remm)
+    + Fix: The previous fix for inconsistent resource metadata during concurrent
+      reads and writes was incomplete. (markt)
+    + Fix: #780: Fix content-range header length. Submitted by Chenjp. (remm)
+    + Fix: 69444: Ensure that the jakarta.servlet.error.message request
+      attribute is set when an application defined error page is called. (markt)
+    + Fix: Avoid quotes for numeric values in the JSON generated by the status
+      servlet. (remm)
+    + Add: Add strong ETag support for the WebDAV and default servlet, which can
+      be enabled by using the useStrongETags init parameter with a value set to
+      true. The ETag generated will be a SHA-1 checksum of the resource content.
+      (remm)
+    + Fix: Use client locale for directory listings. (remm)
+    + Fix: 69439: Improve the handling of multiple Cache-Control headers in the
+      ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
+    + Fix: 69447: Update the support for caching classes the web application
+      class loader cannot find to take account of classes loaded from external
+      repositories. Prior to this fix, these classes could be incorrectly marked
+      as not found. (markt)
+    + Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by
+      users will not be removed and any header present in a HEAD request will
+      also be present in the equivalent GET request. There may be some headers,
+      as per RFC 9110, section 9.3.2, that are present in a GET request that are
+      not present in the equivalent HEAD request. (markt)
+    + Fix: 69471: Log instances of CloseNowException caught by
+      ApplicationDispatcher.invoke() at debug level rather than error level as
+      they are very likely to have been caused by a client disconnection or
+      similar I/O issue. (markt)
+    + Add: Add a test case for the fix for 69442. Also refactor references to
+      application/x-www-form-urlencoded. Based on pull request #779 by Chenjp.
+      (markt)
+    + Fix: 69476: Catch possible ISE when trying to report PUT failure in the
+      DefaultServlet. (remm)
+    + Add: Add support for RateLimit header fields for HTTP (draft) in the
+      RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
+    + Add: #787: Add regression tests for 69478. Pull request provided by Thomas
+      Krisch. (markt)
+    + Fix: The default servlet now rejects HTTP range requests when two or more
+      of the requested ranges overlap. Based on pull request #782 provided by
+      Chenjp. (markt)
+    + Fix: Enhance Content-Range verification for partial PUT requests handled
+      by the default servlet. Provided by Chenjp in pull request #778. (markt)
+    + Fix: Harmonize DataSourceStore lookup in the global resources to
+      optionally avoid the comp/env prefix which is usually not used there.
+      (remm)
+    + Fix: As required by RFC 9110, the HTTP Range header will now only be
+      processed for GET requests. Based on pull request #790 provided by Chenjp.
+      (markt)
+    + Fix: Deprecate the useAcceptRanges initialisation parameter for the
+      default servlet. It will be removed in Tomcat 12 onwards where it will
+      effectively be hard coded to true. (markt)
+    + Add: Add DataSource based property storage for the WebdavServlet. (remm)
+
+  * Coyote
+    + Fix: Align encodedSolidusHandling with the Servlet specification. If the
+      pass-through mode is used, any %25 sequences will now also be passed
+      through to avoid errors and/or corruption when the application decodes the
+      path. (markt)
+
+  * Jasper
+    + Fix: Follow-up to the fix for 69381. Apply the optimisation for method
+      lookup performance in expression language to an additional location.
+      (markt)
+
+  * Web applications
+    + Fix: Documentation. Remove references to the ResourceParams element.
+      Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
+    + Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter.
+      The attribute is internalProxies rather than allowedInternalProxies. Pull
+      request #786 provided by Jorge Díaz. (markt)
+    + Fix: Examples. Fix broken links when Servlet Request Info example is
+      called via a URL that includes a pathInfo component. (markt)
+    + Fix: Examples. Expand the obfuscation of session cookie values in the
+      request header example to JSON responses. (markt)
+    + Add: Examples. Add the ability to delete session attributes in the servlet
+      session example. (markt)
+    + Add: Examples. Add a hard coded limit of 10 attributes per session for the
+      servlet session example. (markt)
+    + Add: Examples. Add the ability to delete session attributes and add a hard
+      coded limit of 10 attributes per session for the JSP form authentication
+      example. (markt)
+    + Add: Examples. Limit the shopping cart example to only allow adding the
+      pre-defined items to the cart. (markt)
+    + Fix: Examples. Remove JSP calendar example. (markt)
+
+  * Other
+    + Fix: 69465: Fix warnings during native image compilation using the Tomcat
+      embedded JARs. (markt)
+    + Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
+    + Update: Update EasyMock to 5.5.0. (markt)
+    + Update: Update Checkstyle to 10.20.2. (markt)
+    + Update: Update BND to 7.1.0. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Korean translations. (markt)
+    + Add: Improvements to Chinese translations. (markt)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+
+
+-------------------------------------------------------------------
+Sat Nov 23 00:01:04 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
+
+- Update to Tomcat 10.1.33
+  * Fixed CVEs:
+    + CVE-2024-52316: If the Jakarta Authentication fails with an exception,
+      set a 500 status (bsc#1233434)
+  * Catalina
+    + Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt)
+    + Add: 55470: Add debug logging that reports the class path when a 
+      ClassNotFoundException occurs in the digester or the web application class loader. 
+      Based on a patch by Ralf Hauser. (markt)
+    + Update: 69374: Properly separate between table header and body in 
+      DefaultServlet's listing. (michaelo)
+    + Update: 69373: Make DefaultServlet's HTML listing file last modified 
+      rendering better (flexible). (michaelo)
+    + Update: Improve HTML output of DefaultServlet. (michaelo)
+    + Code: Refactor RateLimitFilter to use FilterBase as the base class. 
+      The primary advantage is less code to process init-param values. (markt)
+    + Update: 69370: DefaultServlet's HTML listing uses incorrect labels. 
+      (michaelo)
+    + Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm)
+    + Fix: Add missing WebDAV Lock-Token header in the response when locking 
+      a folder. (remm)
+    + Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
+    + Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm)
+    + Fix: Verify that destination is not locked for a WebDAV copy operation. (remm)
+    + Fix: Send 415 response to WebDAV MKCOL operations that include a request 
+      body since this is optional and unsupported. (remm)
+    + Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
+    + Fix: Do not allow a new WebDAV lock on a child resource if a parent 
+      collection is locked (RFC 4918 section 6.1). (remm)
+    + Fix: WebDAV DELETE should remove any existing lock on successfully 
+      deleted resources. (remm)
+    + Update: Remove WebDAV lock null support in accordance with RFC 4918 
+      section 7.3 and annex D. Instead, a lock on a non-existing resource will 
+      create an empty file locked with a regular lock. (remm)
+    + Update: Rewrite implementation of WebDAV shared locks to comply with 
+      RFC 4918. (remm)
+    + Update: Implement WebDAV If header using code from the Apache Jackrabbit 
+      project. (remm)
+    + Add: Add PropertyStore interface in the WebDAV Servlet, to allow 
+      implementation of dead properties storage. The store used can be configured 
+      using the propertyStore init parameter of the WebDAV servlet by specifying 
+      the class name of the store. A simple non-persistent implementation is 
+      used if no custom store is configured. (remm)
+    + Update: Implement WebDAV PROPPATCH method using the newly added 
+      PropertyStore, and update PROPFIND to support it. (remm)
+    + Fix: Cache not found results when searching for web application class 
+      loader resources. This addresses performance problems caused by components 
+      such as java.sql.DriverManager, which in some circumstances will search 
+      for the same class repeatedly. The size of the cache can be controlled 
+      via the new notFoundClassResourceCacheSize on the StandardContext. (markt)
+    + Fix: Stop after INITIALIZED state should be a noop since it is possible 
+      for subcomponents to be in FAILED after init. (remm)
+    + Fix: Fix incorrect web resource cache size calculations when there are 
+      concurrent PUT and DELETE requests for the same resource. (markt)
+    + Add: Add debug logging for the web resource cache so the current size 
+      can be tracked as resources are added and removed. (markt)
+    + Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens 
+      with urn:uuid: as recommended by RFC 4918, and remove secret init 
+      parameter. (remm)
+    + Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the 
+      same path caused corruption of the FileResource where some of the fields 
+      were set as if the file exists and some as set as if it does not. This 
+      resulted in inconsistent metadata. (markt)
+    + Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on 
+      GET and HEAD requests. Also, skip requests where the application has 
+      set Cache-Control: no-store. (markt)
+    + Fix: 69419: Improve the performance of ServletRequest.getAttribute() 
+      when there are multiple levels of nested includes. Based on a patch 
+      provided by John Engebretson. (markt)
+    + Add: All applications to send an early hints informational response 
+      by calling HttpServletResponse.sendError() with a status code of 103. 
+      (schultz)
+    + Fix: Ensure that ServerAuthModule.initialize() is called when a 
+      Jakarta Authentication module is configured via registerServerAuthModule(). 
+      (markt)
+    + Fix: Ensure that the Jakarta Authentication CallbackHandler only creates 
+      one GenericPrincipal in the Subject. (markt)
+    + Fix: If the Jakarta Authentication process fails with an Exception, 
+      explicitly set the HTTP response status to 500 as the ServerAuthContext 
+      may not have set it. (markt)
+    + Fix: When persisting the Jakarta Authentication provider configuration, 
+      create any necessary parent directories that don't already exist. (markt)
+    + Fix: Correct the logic used to detect errors when deleting temporary files 
+      associated with persisting the Jakarta Authentication provider 
+      configuration. (markt)
+    + Fix: When processing Jakarta Authentication callbacks, don't overwrite 
+      a Principal obtained from the PasswordValidationCallback with null if the 
+      CallerPrincipalCallback does not provide a Principal. (markt)
+    + Fix: Avoid store config backup loss when storing one configuration more 
+      than once per second. (remm)
+    + Fix: 69359: WebdavServlet duplicates getRelativePath() method from 
+      super class with incorrect Javadoc. (michaelo)
+    + Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and 
+      DefaultServlet. (michaelo)
+    + Fix: Make WebdavServlet properly return the Allow header when deletion 
+      of a resource is not allowed. (michaelo)
+    + Fix: Add log warning if non-wildcard mappings are used with the WebdavServlet. 
+      (remm)
+    + Fix: 69361: Ensure that the order of entries in a multi-status response 
+      to a WebDAV is consistent with the order in which resources were processed. 
+      (markt)
+    + Fix: 69362: Provide a better multi-status response when deleting a 
+      collection via WebDAV fails. Empty directories that cannot be deleted 
+      will now be included in the response. (markt)
+    + Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to 
+      ensure that the correct path is used when the WebDAV servlet is mounted 
+      at a sub-path within the web application. (markt)
+    + Fix 69320, a regression in the fix for 69302 that meant the HTTP/2 processing
+      was likely to be broken for all clients once any client sent an HTTP/2
+      reset frame. (markt)
+    + Fix: Improve performance of ApplicationHttpRequest.parseParameters(). 
+      Based on sample code and test cases provided by John Engebretson. (markt)
+    + Fix:  Correct regressions in the refactoring that added recycling of the coyote
+      request and response to the HTTP/2 processing. (markt)
+    + Add: Add support for RFC 8297 (Early Hints). Applications can use this 
+      feature by casting the HttpServletResponse to org.apache.catalina.connector. 
+      Response and then calling the method void sendEarlyHints(). This method 
+      will be added to the Servlet API (removing the need for the cast) in Servlet 
+      6.2 onwards. (markt)
+    + Fix: 69214: Do not reject a CORS request that uses POST but does not include 
+      a content-type header. Tomcat now correctly processes this as a simple CORS 
+      request. Based on a patch suggested by thebluemountain. (markt)
+    + Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than 
+      Subject.doAs() when available. (markt)
+    + Fix: Allow JAASRealm to use the configuration source to load a configured 
+      configFile, for easier use with testing. (remm)
+    + Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)
+    + Fix: Add the OpenSSL version number on the APR and OpenSSL status classes. 
+      (remm)
+    + Fix: 69131: Expand the implementation of the filter value of the Authenticator 
+      attribute allowCorsPreflight, so that it applies to all requests that match 
+      the configured URL patterns for the CORS filter, rather than only applying 
+      if the CORS filter is mapped to /*. (markt)
+    + Fix: Using the OpenSSLListener will now cause the connector to use OpenSSL 
+      if available. (remm)
+
+  * Coyote
+    + Fix: Return null SSL session id on zero-length byte array returned 
+      from the SSL implementation. (remm)
+    + Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
+    + Fix: Create the HttpParser in Http11Processor if it is not present on 
+      the AbstractHttp11Protocol to provide better lifecycle robustness for 
+      regular HTTP/1.1. The new behavior was introduced in a previous refactoring 
+      to improve HTTP/2 performance. (remm)
+    + Fix: OpenSSLContext will now throw a KeyManagementException if something 
+      is known to have gone wrong in the init method, which is the behavior 
+      documented by javax.net.ssl.SSLContext.init. This makes error handling 
+      more consistent. (remm)
+    + Fix: 69379: The default HEAD response no longer includes the payload 
+      HTTP header fields as per section 9.3.2 of RFC 9110. (markt)
+    + Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to 
+      generate Date headers for HTTP responses) generates the correct string 
+      for the given input. Prior to this change, the output may have been 
+      wrong by one second in some cases. Pull request #751 provided by Chenjp. 
+      (markt)
+    + Fix: Request start time may not have been accurately recorded for HTTP/1.1 
+      requests preceded by a large number of blank lines. (markt)
+    + Add: Add server and serverRemoveAppProvidedValues to the list of attributes 
+      the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested 
+      within. (markt)
+    + Fix: Avoid possible crashes when using Apache Tomcat Native, caused by 
+      destroying SSLContext objects through GC after APR has been terminated. 
+      (remm)
+    + Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields 
+      no longer need to be received before the headers of the subsequent stream, 
+      nor are trailer fields for an in-progress stream swallowed if the Connector 
+      is paused before the trailer fields are received. (markt)
+    + Fix: Ensure the request and response are not recycled too soon for an 
+      HTTP/2 stream when a stream-level error is detected during the processing 
+      of incoming HTTP/2 frames. This could lead to incorrect processing times 
+      appearing in the access log. (markt)
+    + Fix: Correct a regression in the fix for non-blocking reads of chunked 
+      request bodies that caused InputStream.available() to return a non-zero 
+      value when there was no data to read. In some circumstances this could 
+      cause a blocking read to block waiting for more data rather than return 
+      the data it had already received. (markt)
+    + Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor. 
+      The default behaviour is unchanged. (markt)
+    + Fix: Ensure that Tomcat sends a TLS close_notify message after receiving 
+      one from the client when using the OpenSSLImplementation. (markt)
+    + Fix: 69301: Fix trailer headers replacing non-trailer headers when writing 
+      response headers to the access log. Based on a patch and test case 
+      provided by hypnoce. (markt)
+    + Fix: 69302: If an HTTP/2 client resets a stream before the request body 
+      is fully written, ensure that any ReadListener is notified via a call 
+      to ReadListener.onError(). (markt)
+    + Fix: Ensure that HTTP/2 stream input buffers are only created when there is 
+      a request body to be read. (markt)
+    + Code: Refactor creation of HttpParser instances from the Processor level to 
+      the Protocol level since the parser configuration depends on the protocol 
+      and the parser is, otherwise, stateless. (markt)
+    + Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal request 
+      and response processing objects by default. This behaviour can be controlled 
+      via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol. 
+      (markt)
+    + Fix: Clean and log OpenSSL errors before processing of OpenSSL conf commands 
+      in the FFM code. (remm)
+    + Fix: 69121: Ensure that the onComplete() event is triggered if AsyncListener.
+      onError() dispatches to a target that throws an exception. (markt)
+    + Fix: Following the trailer header field refactoring, -1 is no longer an allowed 
+      value for maxTrailerSize. Adjust documentation accordingly. (remm)
+    + Update: Move OpenSSL support using FFM to a separate JAR named tomcat-coyote-ffm.
+      jar that advertises Java 22 in its manifest. (remm)
+    + Fix: Fix search for OpenSSL library for FFM on Mac OS so that java.library.path 
+      is searched. (markt)
+    + Update: Add FFM compatibility methods for LibreSSL support. Renegotiation is 
+      not supported at the moment. (remm)
+    + Update: Add org.apache.tomcat.util.openssl.LIBRARY_NAME (specifies the name 
+      of the library to load) and org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY 
+      (set to true to use System.loadLibrary rather than the FFM library loading code) 
+      to configure the OpenSSL library loading using FFM. (remm)
+    + Update: Add FFM compatibility methods for BoringSSL support. Renegotiation is 
+      not supported in many cases. (remm)
+
+  * Jasper
+    + Fix: Add back tag release method as deprecated in the runtime for 
+      compatibility with old generated code. (remm)
+    + Fix: 69399: Fix regression caused by improvement 69333, which caused 
+      the tag release to be called when using tag pooling, and to be skipped 
+      when not using it. Patch submitted by Michal Sobkiewicz. (remm)
+    + Fix: 69381: Improve method lookup performance in expression language. 
+      When the required method has no arguments, there is no need to consider 
+      casting or coercion, and the method lookup process can be simplified. 
+      Based on a pull request by John Engebretson. (markt)
+    + Fix: 69382: Improve the performance of the JSP include action by re-using 
+      results of relatively expensive method calls in the generated code rather 
+      than repeating them. Patch provided by John Engebretson. (markt)
+    + Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. 
+      Based on a suggestion by John Engebretson. (markt)
+    + Fix: 69406: When using StringInterpreterEnum, do not throw an 
+      IllegalArgumentException when an invalid Enum is encountered. Instead, 
+      resolve the value at runtime. Patch provided by John Engebretson. (markt)
+    + Fix: 69429: Optimize EL evaluation of method parameters for methods 
+      that do not accept any parameters. Patch provided by John Engebretson. (markt)
+    + Fix: Further optimize EL evaluation of method parameters. Patch provided 
+      by Paolo B. (markt)
+    + Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
+    + Fix: 69338: Improve the performance of processing expressions that include 
+      AND or OR operations with more than two operands and expressions that use 
+      not empty. (markt)
+    + Fix: 69348: Reduce memory consumption in ELContext by using lazy 
+      initialization for the data structure used to track lambda arguments. (markt)
+    + Fix: Switch the TldScanner back to logging detailed scan results at debug 
+      level rather than trace level. (markt)
+    + Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of 
+      new classes added to the java.lang package in Java 23. (markt)
+    + Fix: Ensure that an exception in toString() still results in an ELException 
+      when an object is coerced to a String using ExpressionFactory.coerceToType(). 
+      (markt)
+    + Add: Add support for specifying Java 24 (with the value 24) as the compiler 
+      source and/or compiler target for JSP compilation. If used with an Eclipse JDT 
+      compiler version that does not support these values, a warning will be logged 
+      and the default will be used. (markt)
+    + Fix: 69135: When using include directives in a tag file packaged in a JAR file, 
+      ensure that context relative includes are processed correctly. (markt)
+    + Fix: 69135: When using include directives in a tag file packaged in a JAR file, 
+      ensure that file relative includes are processed correctly. (markt)
+    + Fix: 69135: When using include directives in a tag file packaged in a JAR file, 
+      ensure that file relative includes are not permitted to access files outside 
+      of the /META_INF/tags/ directory nor outside of the JAR file. (markt)
+
+  * WebSocket
+    + Fix: If a blocking message write exceeds the timeout, don't attempt the 
+      write again before throwing the exception. (markt)
+    + Fix: An EncodeException being thrown during a message write should not 
+      automatically cause the connection to close. The application should handle 
+      the exception and make the decision whether or not to close the connection. 
+      (markt)
+
+  * Web applications
+    + Fix: The manager webapp will now be able to access certificates again 
+      when OpenSSL is used. (remm)
+    + Fix: Documentation. Align the logging configuration documentation with 
+      the current defaults. (markt)
+    + Fix: Fix status servlet detailed view of the connectors when using automatic 
+      port. (remm)
+
+  * jdbc-pool
+    + Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions 
+      executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException 
+      rather than the application seeing the original SQLException. Fixed by pull 
+      request #744 provided by Michael Clarke. (markt)
+    + Fix: 69279: Correct a regression in the fix for 69206 that meant that methods 
+      that previously returned a null ResultSet were returning a proxy with a 
+      null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt)
+    + Fix: 69206: Ensure statements returned from Statement methods executeQuery(), 
+      getResultSet() and getGeneratedKeys() are correctly wrapped before being returned 
+      to the caller. Based on pull request #742 provided by Michael Clarke. (markt)
+
+  * Other
+    + Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. (markt)
+    + Update: Update Byte Buddy to 1.15.10. (markt)
+    + Update: Update CheckStyle to 10.20.0. (markt)
+    + Add: Improvements to German translations. (remm)
+    + Update: Update Byte Buddy to 1.15.3. (markt)
+    + Update: Update CheckStyle to 10.18.2. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+    + Add: Improvements to Chinese translations by Ch_jp. (markt)
+    + Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt)
+    + Fix: Change the default log handler level to ALL so log messages are not 
+      dropped by default if a logger is configured to use trace (FINEST) level 
+      logging. (markt)
+    + Update: Update Hamcrest to 3.0. (markt)
+    + Update: Update EasyMock to 5.4.0. (markt)
+    + Update: Update Byte Buddy to 1.15.0. (markt)
+    + Update: Update CheckStyle to 10.18.0. (markt)
+    + Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)
+    + Add: Improvements to Spanish translations by Fernando. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+    + Fix: Fix packaging regression with missing osgi information following addition 
+      of the test-only build target. (remm)
+    + Update: Update Tomcat Native to 2.0.8. (markt)
+    + Update: Update Byte Buddy to 1.14.18. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+    + Update: Add test-only build target to allow running only the testsuite, 
+      supporting Java versions down to the minimum supported to run Tomcat. (rjung)
+    + Update: Update UnboundID to 7.0.1. (markt)
+    + Update: Update to SpotBugs 4.8.6. (markt)
+    + Update: Remove cglib dependency as it is not required by the version of EasyMock 
+      used by the unit tests. (markt)
+    + Update: Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy 
+      1.14.17. (markt)
+    + Add: Improvements to Czech translations by Vladimír Chlup. (markt)
+    + Add: Improvements to French translations. (remm)
+    + Add: Improvements to Japanese translations by tak7iji. (markt)
+    + Add: Improvements to Chinese translations by fangzheng. (markt)
+
+-------------------------------------------------------------------
+Thu Oct  3 13:17:40 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Adapt the scripts to run also with javapackages-tools >= 6.3
+
+-------------------------------------------------------------------
+Sun Sep 29 19:42:27 UTC 2024 - Fridrich Strba <fstrba@suse.com>
+
+- Fix build after removal of the default %%{java_home} define
+
 -------------------------------------------------------------------
 Tue Jul  9 12:52:37 UTC 2024 - Ricardo Mestre <ricardo.mestre@suse.com>
 

tomcat10.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package tomcat10
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 # Copyright (c) 2000-2009, JPackage Project
 #
 # All modifications and additions to the file contributed by third parties
@@ -29,7 +29,7 @@
 %define elspec %{elspec_major}.%{elspec_minor}
 %define major_version 10
 %define minor_version 1
-%define micro_version 25
+%define micro_version 43
 %define java_major 1
 %define java_minor 11
 %define java_version %{java_major}.%{java_minor}
@@ -138,11 +138,12 @@ Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
 Requires(pre):  shadow
-%systemd_ordering
+Conflicts:      %{app_name}-implementation
-Conflicts:      %{app_name}
+Provides:       %{app_name}-implementation = %{version}
 Provides:       group(tomcat)
 Provides:       user(tomcat)
 BuildArch:      noarch
+%systemd_ordering
 
 %description
 Tomcat is the servlet container that is used in the official Reference
@@ -159,7 +160,8 @@ Requires:       %{name} = %{version}-%{release}
 Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
-Conflicts:      %{app_name}-admin-webapps
+Conflicts:      %{app_name}-implementation-admin-webapps
+Provides:       %{app_name}-implementation-admin-webapps = %{version}
 
 %description admin-webapps
 The host manager and manager web-based applications for Apache Tomcat.
@@ -167,7 +169,8 @@ The host manager and manager web-based applications for Apache Tomcat.
 %package embed
 Summary:        Libraries for Embedding Apache Tomcat
 Group:          Productivity/Networking/Web/Servers
-Conflicts:      %{app_name}-embed
+Conflicts:      %{app_name}-implementation-embed
+Provides:       %{app_name}-implementation-embed = %{version}
 
 %description embed
 Embeddeding support (various libraries) for Apache Tomcat.
@@ -179,7 +182,8 @@ Requires:       %{name} = %{version}-%{release}
 Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
-Conflicts:      %{app_name}-docs-webapp
+Conflicts:      %{app_name}-implementation-docs-webapp
+Provides:       %{app_name}-implementation-docs-webapp = %{version}
 
 %description docs-webapp
 The documentation of web application for Apache Tomcat.
@@ -189,8 +193,9 @@ Summary:        Expression Language v%{elspec} API
 Group:          Development/Libraries/Java
 Requires(post): update-alternatives
 Requires(preun): update-alternatives
-Conflicts:      %{app_name}-el-3_0-api < %{version}
+Conflicts:      %{app_name}-implementation-el-api
 Provides:       %{app_name}-el-%{elspec}-api = %{version}-%{release}
+Provides:       %{app_name}-implementation-el-api = %{version}
 Provides:       el_%{elspec_major}_%{elspec_minor}_api = %{version}-%{release}
 Provides:       el_api = %{elspec}
 Obsoletes:      %{app_name}-el-2_2-api < %{version}
@@ -202,7 +207,8 @@ Expression Language API version %{elspec}.
 %package doc
 Summary:        Javadoc generated documentation for Apache Tomcat
 Group:          Documentation/HTML
-Conflicts:      %{app_name}-javadoc
+Conflicts:      %{app_name}-implementation-javadoc
+Provides:       %{app_name}-implementation-javadoc = %{version}
 BuildArch:      noarch
 
 %description doc
@@ -213,7 +219,8 @@ Summary:        Apache Tomcat JSP API implementation classes
 Group:          Productivity/Networking/Web/Servers
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
-Conflicts:      %{app_name}-jsp-2_3-api < %{version}
+Conflicts:      %{app_name}-implementation-jsp-api
+Provides:       %{app_name}-implementation-jsp-api = %{version}
 Provides:       %{app_name}-jsp-%{jspspec}-api
 Provides:       jsp = %{jspspec}
 Provides:       jsp%{jspspec_major}%{jspspec_minor}
@@ -228,7 +235,8 @@ Summary:        Apache jsvc wrapper for Apache Tomcat as separate service
 Group:          Productivity/Networking/Web/Servers
 Requires:       %{name} = %{version}-%{release}
 Requires:       apache-commons-daemon-jsvc
-Conflicts:      %{app_name}-jsvc
+Conflicts:      %{app_name}-implementation-jsvc
+Provides:       %{app_name}-implementation-jsvc = %{version}
 %systemd_ordering
 
 %description jsvc
@@ -245,7 +253,8 @@ Requires:       %{app_name}-servlet-%{servletspec}-api = %{version}-%{release}
 Requires:       mvn(org.apache.tomcat:tomcat-websocket-client-api)
 Requires(post): ecj >= 4.4
 Requires(preun): coreutils
-Conflicts:      %{app_name}-lib
+Conflicts:      %{app_name}-implementation-lib
+Provides:       %{app_name}-implementation-lib = %{version}
 Provides:       jakarta-commons-dbcp-tomcat5 = 1.4
 Obsoletes:      jakarta-commons-dbcp-tomcat5 < 1.4
 
@@ -257,7 +266,8 @@ Summary:        Apache Tomcat Servlet API implementation classes
 Group:          Productivity/Networking/Web/Servers
 Requires(post): update-alternatives
 Requires(postun): update-alternatives
-Conflicts:      %{app_name}-servlet-4_0-api < %{version}
+Conflicts:      %{app_name}-implementation-servlet-api
+Provides:       %{app_name}-implementation-servlet-api = %{version}
 Provides:       %{app_name}-servlet-%{servletspec}-api = %{version}-%{release}
 Provides:       servlet = %{servletspec}
 Provides:       servlet11
@@ -277,7 +287,8 @@ Requires:       jakarta-taglibs-standard >= 1.1
 Requires(post): libxslt-tools
 # for runuser
 Requires(post): util-linux
-Conflicts:      %{app_name}-webapps
+Conflicts:      %{app_name}-implementation-webapps
+Provides:       %{app_name}-implementation-webapps = %{version}
 
 %description webapps
 The ROOT and examples web applications for Apache Tomcat
@@ -337,7 +348,7 @@ ant -Dbase.path="." \
     -Dno.build.dbcp=true \
     -Dversion="%{version}" \
     -Dversion.build="%{micro_version}" \
-    deploy dist-prepare dist-source javadoc package embed-jars
+    deploy javadoc package embed-jars
 
 # remove some jars that we'll replace with symlinks later
 rm output/build/bin/commons-daemon.jar \
@@ -486,7 +497,7 @@ popd
 # install sample webapp
 mkdir -p %{buildroot}%{tomcatappdir}/sample
 pushd %{buildroot}%{tomcatappdir}/sample
-%jar xf %{buildroot}%{tomcatappdir}/docs/appdev/sample/sample.war
+jar xf %{buildroot}%{tomcatappdir}/docs/appdev/sample/sample.war
 popd
 
 pushd %{buildroot}%{tomcatappdir}/examples/WEB-INF/lib
@@ -726,22 +737,22 @@ fi
 
 %files
 %doc {LICENSE,NOTICE,RELEASE*}
-%attr(0755,root,root) %{_bindir}/%{app_name}-digest
+%{_bindir}/%{app_name}-digest
-%attr(0755,root,root) %{_bindir}/%{app_name}-tool-wrapper
+%{_bindir}/%{app_name}-tool-wrapper
-%attr(0755,root,root) %{_sbindir}/%{app_name}
+%{_sbindir}/%{app_name}
-%attr(0644,root,root) %{_unitdir}/%{app_name}.service
+%{_unitdir}/%{app_name}.service
 %{_sbindir}/rc%{app_name}
-%attr(0644,root,root) %{_unitdir}/%{app_name}@.service
+%{_unitdir}/%{app_name}@.service
-%attr(0755,root,root) %dir %{_libexecdir}/%{app_name}
+%dir %{_libexecdir}/%{app_name}
-%attr(0755,root,root) %dir %{_localstatedir}/lib/%{app_name}s
+%dir %{_localstatedir}/lib/%{app_name}s
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/functions
+%{_libexecdir}/%{app_name}/functions
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/preamble
+%{_libexecdir}/%{app_name}/preamble
-%attr(0755,root,root) %{_libexecdir}/%{app_name}/server
+%{_libexecdir}/%{app_name}/server
 #bnc#565901
 %{bindir}/catalina.sh
-%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/logrotate.d/%{app_name}10
+%config(noreplace) %{_sysconfdir}/logrotate.d/%{app_name}10
-%attr(0755,root,tomcat) %dir %{basedir}
+%dir %{basedir}
-%attr(0755,root,tomcat) %dir %{confdir}
+%dir %{confdir}
 %attr(0775,root,tomcat) %dir %{appdir}
 %attr(0770,tomcat,tomcat) %dir %{logdir}
 %attr(0660,tomcat,tomcat) %{logdir}/catalina.out
@@ -754,29 +765,29 @@ fi
 %attr(0775,root,tomcat) %dir %{tomcatappdir}
 
 %{confdir}/Catalina
-%attr(0755,root,tomcat) %dir %{confdir}/conf.d
+%dir %{confdir}/conf.d
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/conf.d/README
+%config(noreplace) %{confdir}/conf.d/README
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/%{app_name}.conf
+%config(noreplace) %{confdir}/%{app_name}.conf
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.policy
+%config(noreplace) %{confdir}/*.policy
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/*.properties
+%config(noreplace) %{confdir}/*.properties
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/context.xml
+%config(noreplace) %{confdir}/context.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/server.xml
+%config(noreplace) %{confdir}/server.xml
 # keep tomcat-users.xml readable only by root and tomcat group
 %attr(0640,root,tomcat) %config(noreplace) %{confdir}/tomcat-users.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/web.xml
+%config(noreplace) %{confdir}/web.xml
-%attr(0644,root,tomcat) %config(noreplace) %{confdir}/jaspic-providers.xml
+%config(noreplace) %{confdir}/jaspic-providers.xml
-%attr(0755,root,tomcat) %dir %{homedir}
+%dir %{homedir}
-%attr(0644,root,tomcat) %{bindir}/bootstrap.jar
+%{bindir}/bootstrap.jar
-%attr(0644,root,tomcat) %{bindir}/catalina-tasks.xml
+%{bindir}/catalina-tasks.xml
 %{homedir}/lib
 %{homedir}/temp
 %{homedir}/webapps
 %{homedir}/work
 %{homedir}/logs
 %{homedir}/conf
-%attr(0644,root,tomcat) %{_fillupdir}/sysconfig.%{app_name}
+%{_fillupdir}/sysconfig.%{app_name}
-%attr(0644,root,tomcat) %{confdir}/allowLinking.xslt
+%{confdir}/allowLinking.xslt
-%attr(0644,root,tomcat) %{confdir}/valve.xslt
+%{confdir}/valve.xslt
 
 %files admin-webapps
 %defattr(0644,root,tomcat,0755)
@@ -841,7 +852,7 @@ fi
 
 %files jsvc
 %defattr(755,root,root,0755)
-%attr(0644,root,root) %{_unitdir}/%{app_name}-jsvc.service
+%{_unitdir}/%{app_name}-jsvc.service
 %{_sbindir}/rc%{app_name}-jsvc
 
 %changelog