Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2026-03-07 20:09:32
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old)
 and      /work/SRC/openSUSE:Factory/.tomcat10.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat10" Sat Mar 7 20:09:32 2026 rev:28 rq:1337368 version:10.1.52 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes 2025-11-19 15:00:36.253055959 +0100 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.8177/tomcat10.changes 2026-03-07 20:14:17.982712412 +0100 
@@ -1,0 +2,207 @@ +Fri Mar 6 13:46:39 UTC 2026 - Ricardo Mestre <[email protected]> + +- Update to Tomcat 10.1.52 + * Fixed CVEs: + + CVE-2025-66614: client certificate verification bypass due to virtual + host mapping (bsc#1258371) + + CVE-2026-24733: improper input validation on HTTP/0.9 requests + (bsc#1258385) + + CVE-2026-24734: certificate revocation bypass due to incomplete OCSP + verification checks (bsc#1258387) + * Catalina + + Fix: 69623: Additional fix for the long standing regression that meant + that calls to ClassLoader.getResource().getContent() failed when made from + within a web application with resource caching enabled if the target + resource was packaged in a JAR file. (markt) + + Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the + CsrfPreventionFilter. (schultz) + + Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2 + requests when the content-length header is not set. (dsoumis) + + Update: Enable minimum and recommended Tomcat Native versions to be set + separately for Tomcat Native 1.x and 2.x. Update the minimum and + recommended versions for Tomcat Native 1.x to 1.3.4. Update the minimum + and recommended versions for Tomcat Native 2.x to 2.0.12. (markt) + + Add: Add a new ssoReauthenticationMode to the Tomcat provided + Authenticators that provides a per Authenticator override of the SSO Valve + requireReauthentication attribute. (markt) + + Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception + rather than silently using a replacement character. (markt) + + Fix: 69932: Fix request end access log pattern regression, which would log + the start time of the request instead. (remm) + + Fix: 69871: Increase log level to INFO for missing configuration for the + rewrite valve. (remm) + + Fix: Add log warnings for additional Host appBase suspicious values. + (remm) + + Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar. 
+ org.apache.catalina.Connector no longer requires + org.apache.tomcat.jni.AprStatus to be present. (markt) + + Add: Add the ability to use a custom function to generate the client + identifier in the CrawlerSessionManagerValve. This is only available + programmatically. Pull request #902 by Brian Matzon. (markt) + + Fix: Change the SSO reauthentication behaviour for SPNEGO authentication + so that a normal SPNEGO authentication is performed if the SSL Valve is + configured with reauthentication enabled. This is so that the delegated + credentials will be available to the web application. (markt) + + Fix: When generating the class path in the Loader, re-order the check on + individual class path components to avoid a potential + NullPointerException. Identified by Coverity Scan. (markt) + + Fix: Fix SSL socket factory configuration in the JNDI realm. Based on pull + request #915 by Joshua Rogers. (remm) + + Update: Add an attribute, digestInRfc3112Order, to + MessageDigestCredentialHandler to control the order in which the + credential and salt are digested. By default, the current, non-RFC 3112 + compliant, order of salt then credential will be used. This default will + change in Tomcat 12 to the RFC 3112 compliant order of credential then + salt. (markt) + + Fix: Log warnings when the SSO configuration does not comply with the + documentation. (remm) + + Update: Deprecate the RemoteAddrFilter and RemoteAddrValve in favour of + the RemoteCIDRFilter and RemoteCIDRValve. (markt) + + Fix: 69837: Fix corruption of the class path generated by the Loader when + running on Windows. (markt) + + Fix: Reject requests that map to invalid Windows file names earlier. + (markt) + + Fix: 69839: Ensure that changes to session IDs (typically after + authentication) are promulgated to the SSO Valve to ensure that SSO + entries are fully clean-up on session expiration. Patch provided by Kim + Johan Andersson. 
(markt) + + Fix: Fix a race condition in the creation of the storage location for the + FileStore. (markt) + * Cluster + + Add: 62814: Document that human-readable names may be used for + mapSendOptions and align documentation with channelSendOptions. Based on + pull request #929 by archan0621. (markt) + * Clustering + + Fix: Correct a regression introduced in 10.1.45 that broke some clustering + configurations. (markt) + * Coyote + + Fix: 69936: Fix bug in previous fix for Tomcat Native crashes on shutdown + that triggered a significant memory leak. Patch provided by Wes. (markt) + + Fix: Avoid possible NPEs when using a TLS enabled custom connector. (remm) + + Fix: Improve warnings when setting ciphers lists in the FFM code, + mirroring the tomcat-native changes. (remm) + + Fix: 69910: Dereference TLS objects right after closing a socket to + improve memory efficiency. (remm) + + Fix: Relax the JSSE vs OpenSSL configuration style checks on SSLHostConfig + to reflect the existing implementation that allows one configuration style + to be used for the trust attributes and a different style for all the + other attributes. (markt) + + Fix: Better warning message when OpenSSLConf configuration elements are + used with a JSSE TLS implementation. (markt) + + Fix: When using OpenSSL via FFM, don't log a warning about missing CA + certificates unless CA certificates were configured and the configuration + failed. (markt) + + Add: For configuration consistency between OpenSSL and JSSE TLS + implementations, TLSv1.3 cipher suites included in the ciphers attribute + of an SSLHostConfig are now always ignored (previously they would be + ignored with OpenSSL implementations and used with JSSE implementations) + and a warning is logged that the cipher suite has been ignored. (markt) + + Add: Add the ciphersuite attribute to SSLHostConfig to configure the + TLSv1.3 cipher suites. 
(markt) + + Add: Add OCSP support to JSSE based TLS connectors and make the use of + OCSP configurable per connector for both JSSE and OpenSSL based TLS + implementations. Align the checks performed by OpenSSL with those + performed by JSSE. (markt) + + Add: Add support for soft failure of OCSP checks with soft failure support + disabled by default. (markt) + + Add: Add support for configuring the verification flags passed to + OCSP_basic_verify when using an OpenSSL based TLS implementation. (markt) + + Fix: Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5. + (remm) + + Fix: Prevent concurrent release of OpenSSLEngine resources and the + termination of the Tomcat Native library as it can cause crashes during + Tomcat shutdown. (markt) + + Fix: Don't log an incorrect certificate KeyStore location when creating a + TLS connector if the KeyStore instance has been set directly on the + connector. (markt) + + Fix: HTTP/0.9 only allows GET as the HTTP method. (remm) + + Add: Add strictSni attribute on the Connector to allow matching the + SSLHostConfig configuration associated with the SNI host name to the + SSLHostConfig configuration matched from the HTTP protocol host name. Non + matching configurations will cause the request to be rejected. The + attribute default value is true, enabling the matching. (remm) + + Fix: Graceful failure for OCSP on BoringSSL in the FFM code. (remm) + + Fix: Fix use of deferAccept attribute in JMX, since it is normally only + removed in Tomcat 11. (remm) + + Fix: 69866: Fix a memory leak when using a trust store with the OpenSSL + provider. Pull request #912 by aogburn. (markt) + + Fix: Fix potential crash on shutdown when a Connector depends on the + Tomcat Native library. (markt) + + Fix: Fix AJP message length check. Pull request #916 by Joshua Rogers. 
+ (remm) + + Fix: 69848: Fix copy/paste errors in 10.1.47 that meant DELETE requests + received via the AJP connector were processed as OPTIONS requests and + PROPFIND requests were processed as TRACE. (markt) + + Fix: Various OCSP processing issues in the OpenSSL FFM code. (dsoumis) + * General + + Add: Add test.silent property to suppress JUnit console output during test + execution. Useful for cleaner console output when running tests with + multiple threads. (csutherl) + * Jasper + + Fix: 69333: Correct a regression in the previous fix for 69333 and ensure + that reuse() or release() is always called for a tag. (markt) + + Fix: 69877: Catch IllegalArgumentException when processing URIs when + creating the classpath to handle invalid URIs. (remm) + + Fix: Fix populating the classpath with the webapp classloader + repositories. (remm) + + Fix: 69862: Avoid NPE unwrapping Servlet exception which would hide some + exception details. Patch submitted by Eric Blanquer. (remm) + * Jdbc-pool + + Fix: 64083: If the underlying connection has been closed, don't add it to + the pool when it is returned. Pull request #235 by Alex Panchenko. (markt) + * Web applications + + Fix: Manager: Fix abrupt truncation of the HTML and JSON complete server + status output if one or more of the web applications failed to start. + (schultz) + + Add: Manager: Include web application state in the HTML and JSON complete + server status output. (markt) + + Add: Documentation: Expand the documentation to better explain when OCSP + is supported and when it is not. (markt) + * Websocket + + Fix: 69920: When attempting to write to a closed Writer or OutputStream + obtained from a WebSocket session, throw an IOException rather than an + IllegalStateExcpetion as required by Writer and strongly suggested by + OutputStream. 
(markt) + + Fix: 69845: When using permessage-deflate with Java 25 onwards, handle the + underlying Inflater and/or Deflater throwing IllegalStateException when + closed rather than NullPointerException as they do in Java 24 and earlier. + (markt) + * Other + + Update: Update the internal fork of Commons Pool to 2.13.1. (markt) + + Update: Update the internal fork of Commons DBCP to 2.14.0. (markt) + + Update: Update Commons Daemon to 1.5.1. (markt) + + Update: Update ByteBuddy to 1.18.3. (markt) + + Update: Update UnboundID to 7.0.4. (markt) + + Update: Update Checkstyle to 12.3.1. (markt) + + Add: Improvements to French translations. (markt) + + Add: Improvements to Japanese translations provided by tak7iji. (markt) + + Add: Improvements to Chinese translations provided by Yang. vincent.h and + yong hu. (markt) + + Update: Update Tomcat Native to 2.0.12. (markt) + + Add: Add property "gpg.sign.files" to optionally disable release artefact + signing with GPG. (rjung) + + Add: Add test profile system for selective test execution. Profiles can be + specified via -Dtest.profile=<name> to run specific test subsets without + using patterns directly. Profile patterns are defined in + test-profiles.properties. (csutherl) + + Update: Update file extension to media type mappings to align with the + current list used by the Apache Web Server (httpd). (markt) + + Update: Update the packaged version of the Tomcat Migration Tool for + Jakarta EE to 1.0.10. (markt) + + Update: Update Commons Daemon to 1.5.0. (markt) + + Update: Update Byte Buddy to 1.18.2. (markt) + + Update: Update Checkstyle to 12.2.0. (markt) + + Add: Improvements to Spanish translations provided by White Vogel. (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations provided by tak7iji. (markt) + + Update: Update the internal fork of Apache Commons BCEL to 6.11.0. (markt) + + Update: Update to Byte Buddy 1.17.8. 
(markt) + + Update: Update to Checkstyle 12.1.1. (markt) + + Update: Update to Jacoco 0.8.14. (markt) + + Update: Update to SpotBugs 4.9.8. (markt) + + Update: Update to JSign 7.4. (markt) + + Update: Update Maven Resolver Ant Tasks to 1.6.0. (rjung) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations provided by tak7iji. (markt) + +------------------------------------------------------------------- Old: ---- apache-tomcat-10.1.48-src.tar.gz apache-tomcat-10.1.48-src.tar.gz.asc New: ---- apache-tomcat-10.1.52-src.tar.gz apache-tomcat-10.1.52-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat10.spec ++++++ --- /var/tmp/diff_new_pack.nJMmpV/_old 2026-03-07 20:14:19.022755435 +0100 +++ /var/tmp/diff_new_pack.nJMmpV/_new 2026-03-07 20:14:19.022755435 +0100 @@ -29,7 +29,7 @@ %define elspec %{elspec_major}.%{elspec_minor} %define major_version 10 %define minor_version 1 -%define micro_version 48 +%define micro_version 52 %define java_major 1 %define java_minor 11 %define java_version %{java_major}.%{java_minor} ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.nJMmpV/_old 2026-03-07 20:14:19.094758414 +0100 +++ /var/tmp/diff_new_pack.nJMmpV/_new 2026-03-07 20:14:19.102758745 +0100 
@@ -1,6 +1,6 @@ -mtime: 1763491136 -commit: 50827f4294d2e0d7abee032d0b2f3d4ace05e1c3e325884f8f464a13c0d858cb +mtime: 1772805250 +commit: 4a902256a458a2955b6a61608f8872157ce9386b6146eada9b8f9e5461f5e712 url: https://src.opensuse.org/java-packages/tomcat10.git -revision: 50827f4294d2e0d7abee032d0b2f3d4ace05e1c3e325884f8f464a13c0d858cb +revision: 4a902256a458a2955b6a61608f8872157ce9386b6146eada9b8f9e5461f5e712 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ apache-tomcat-10.1.48-src.tar.gz -> apache-tomcat-10.1.52-src.tar.gz ++++++ /work/SRC/openSUSE:Factory/tomcat10/apache-tomcat-10.1.48-src.tar.gz /work/SRC/openSUSE:Factory/.tomcat10.new.8177/apache-tomcat-10.1.52-src.tar.gz differ: char 14, line 1 ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-03-06 20:00:56.000000000 +0100 @@ -0,0 +1 @@ +.osc
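Review bot: the tomcat10.changes entry is titled "Update to Tomcat 10.1.52", but the package moves from 10.1.48 (see the Old/New tarball names), and the list visibly concatenates several upstream release notes: Commons Daemon appears as both 1.5.1 and 1.5.0, Byte Buddy as 1.18.3, 1.18.2 and 1.17.8, Checkstyle as 12.3.1, 12.2.0 and 12.1.1, and the French and Japanese translation lines repeat. Either state that the entry covers the 10.1.49 through 10.1.52 releases or keep only the final version of each repeated dependency bump, so the three CVE fixes at the top are not buried. Two transcription nits to fix in the same edit: "IllegalStateExcpetion" in the Websocket 69920 line, and "if the SSL Valve is configured with reauthentication enabled" in the SPNEGO entry, which, next to the ssoReauthenticationMode / SSO Valve requireReauthentication entry above it, reads as if it should say "SSO Valve".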
