Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat10 for openSUSE:Factory checked in at 2026-06-01 18:03:00 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tomcat10 (Old) and /work/SRC/openSUSE:Factory/.tomcat10.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat10" Mon Jun 1 18:03:00 2026 rev:30 rq:1356259 version:10.1.55 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat10/tomcat10.changes 2026-04-14 17:49:39.826873509 +0200 +++ /work/SRC/openSUSE:Factory/.tomcat10.new.1937/tomcat10.changes 2026-06-01 18:04:19.903117253 +0200 
@@ -1,0 +2,103 @@ +Thu May 28 11:18:54 UTC 2026 - mbussolotto <[email protected]> + +- Update to Tomcat 10.1.55 + * Fixed CVEs: + + CVE-2026-43515: Security constraints not correctly applied (bsc#1265168) + + CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167) + + CVE-2026-43513: LockOutRealm treats user names as case-sensitive + (bsc#1265166) + + CVE-2026-43512: Digest authenticator will authenticate any unknown user + (bsc#1265145) + + CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165) + + CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163) + + CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling + (bsc#1265162) + * Catalina + + Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and + OpenSSL version information (both APR and FFM implementations), along with + version compatibility warnings and third-party library version + information. (csutherl) + + Code: Refactor generation of the remote user element in the access log to + remove unnecessary code. (markt) + + Fix: Fix a regression in the previous release that meant ?- could appear + in the access log rather than ? when the query string was present but + empty. (markt) + + Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by + Mahmoud Alarby. (remm) + + Fix: Align the escaping in ExtendedAccessLogValve with the other + AccessLogValve implementations. (markt) + + Fix: 70000: fix duplication of special headers in the response after + commit, following fix for 69967. (remm) + + Fix: Correct the handling of URIs mapped to a security constraint that + only specifies the special ** role for all authenticated users. Requests + without authentication were receiving 403 responses rather than 401 + responses. (markt) + + Fix: Fix a race condition in StandardContext.getServletContext() that + could cause the jakarta.servlet.context.tempdir attribute to be lost + during a context reload. 
Make the context field volatile and use locking + to ensure only one ApplicationContext instance is created. (dsoumis) + + Fix: Update the Windows authentication (kerberos) documentation to reflect + that both Java and Windows are removing / have removed support for + RC4-HMAC. The guide now uses AES256-SHA1. (markt) + + Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize + which limits the size of a WebDAV request body for LOCK and PROPFIND. The + default value is 4096 bytes. (markt) + + Add: Add a new caseSensitive attribute to the LockOutRealm that controls + the manner in which user names are treated when making locking decisions. + The default is false, meaning user names are treated in a case insensitive + manner. (markt) + + Fix: Correct the handling of invalid users with DIGEST authentication. + (markt) + + Fix: Ensure RealmBase finds all matching extension based security + constraints. (markt) + * Coyote + + Fix: Avoid various edge cases if Content-Length is set via + setHeader(String,String) or addHeader(String,String) with an invalid value + by always clearing the previous value whether the new value is valid or + not and ignoring any invalid new value. (markt) + + Code: Refactor the calculation of the real index in the HPACK dynamic + header table implementation to reduce code duplication. (markt) + + Fix: Fix various minor issues with some HTTP/2 stream error messages for + HTTP/2. (markt) + + Fix: Consistently reject URIs containing NULL bytes when normalizing. + (markt) + + Fix: Fix a few minor memory leaks on error paths reading TLS keys and + certificates when using FFM. (markt) + + Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC + after a stream reset. (markt) + + Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields + not permitted in trailers. (markt) + + Fix: Free private keys after use in FFM based connector configuration. 
+ (markt) + + Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header + decoding that could result in a valid header triggering an unexpected + connection close. (markt) + + Fix: Refactor HTTP/2 HPACK encoding so header field names are only + converted to lower case once during the encoding process. (markt) + + Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend + validation to check for disallowed characters as well as upper case + characters. (markt) + + Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm) + + Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent + with the use (or not) of TLS. (markt) + + Fix: Correct the validation of pseudo headers and CONNECT requests to + align Tomcat's behaviour with RFC 9113, section 8.5. (markt) + + Fix: Fix a potential integer overflow when allocating capacity from a + connection level window update to individual HTTP/2 streams. Based on #996 + by Mike Tingey Jr. (markt) + + Fix: Switch AJP secret comparison to a constant time algorithm. (markt) + * WebSocket + + Fix: Fix the initial connection to a WebSocket end point where the + connection is made via a proxy that requires DIGEST authentication. + (markt) + * Other + + Fix: 69993: Update the URL to the CDDL 1.0 license. (markt) + + Add: Add warning when OpenSSL binary is not found. (csutherl) + + Add: Add check for Tomcat Native library, and log warning when it's not + found to make it easier to see when it's not used by the suite. (csutherl) + + Update: Update Byte Buddy to 1.18.8. (markt) + + Update: Update Bouncy Castle to 1.84. (markt) + + Update: Improvements to French translations. (remm) + + Update: Improvements to Japanese translations provided by tak7iji. 
(markt) + +------------------------------------------------------------------- Old: ---- apache-tomcat-10.1.54-src.tar.gz apache-tomcat-10.1.54-src.tar.gz.asc New: ---- apache-tomcat-10.1.55-src.tar.gz apache-tomcat-10.1.55-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat10.spec ++++++ --- /var/tmp/diff_new_pack.iB2Bzk/_old 2026-06-01 18:04:21.831197045 +0200 +++ /var/tmp/diff_new_pack.iB2Bzk/_new 2026-06-01 18:04:21.835197210 +0200 @@ -29,7 +29,7 @@ %define elspec %{elspec_major}.%{elspec_minor} %define major_version 10 %define minor_version 1 -%define micro_version 54 +%define micro_version 55 %define java_major 1 %define java_minor 11 %define java_version %{java_major}.%{java_minor} ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.iB2Bzk/_old 2026-06-01 18:04:21.903200025 +0200 +++ /var/tmp/diff_new_pack.iB2Bzk/_new 2026-06-01 18:04:21.907200190 +0200 
@@ -1,6 +1,6 @@ -mtime: 1776085043 -commit: 29cb98cfa9bc1c4cd964f257127f67d239489d404f33c8336099f128e15e3079 -url: https://src.opensuse.org/java-packages/tomcat10.git -revision: 29cb98cfa9bc1c4cd964f257127f67d239489d404f33c8336099f128e15e3079 +mtime: 1779979206 +commit: 35a684533dd28ccd9c79e7db990f0810c3b2c87da0fc00ce0d06aa2ec3bcd5af +url: https://src.opensuse.org/java-packages/tomcat10 +revision: 35a684533dd28ccd9c79e7db990f0810c3b2c87da0fc00ce0d06aa2ec3bcd5af projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ apache-tomcat-10.1.54-src.tar.gz -> apache-tomcat-10.1.55-src.tar.gz ++++++ /work/SRC/openSUSE:Factory/tomcat10/apache-tomcat-10.1.54-src.tar.gz /work/SRC/openSUSE:Factory/.tomcat10.new.1937/apache-tomcat-10.1.55-src.tar.gz differ: char 13, line 1 ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-28 16:40:06.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ tomcat-secretRequired-default.patch ++++++ --- /var/tmp/diff_new_pack.iB2Bzk/_old 2026-06-01 18:04:22.363219062 +0200 +++ /var/tmp/diff_new_pack.iB2Bzk/_new 2026-06-01 18:04:22.371219394 +0200 
@@ -1,14 +1,14 @@ -Index: apache-tomcat-10.1.14-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +Index: apache-tomcat-10.1.55-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java =================================================================== ---- apache-tomcat-10.1.14-src.orig/java/org/apache/coyote/ajp/AbstractAjpProtocol.java -+++ apache-tomcat-10.1.14-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java -@@ -177,7 +177,7 @@ public abstract class AbstractAjpProtoco +--- apache-tomcat-10.1.55-src.orig/java/org/apache/coyote/ajp/AbstractAjpProtocol.java ++++ apache-tomcat-10.1.55-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +@@ -207,7 +207,7 @@ } - private boolean secretRequired = true; + private boolean secretRequired = false; - public void setSecretRequired(boolean secretRequired) { - this.secretRequired = secretRequired; + /** + * Sets whether a secret is required with every request.
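Review bot: the tomcat10.changes entry for 10.1.55 lists only upstream changes and does not record the package-level work visible further down in this request, namely the rebase of tomcat-secretRequired-default.patch (Index lines moved from apache-tomcat-10.1.14-src to apache-tomcat-10.1.55-src and the hunk offset from @@ -177 to @@ -207); add a line such as "- Rebase tomcat-secretRequired-default.patch" so the downstream change is traceable from the changelog.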
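Review bot: in the _scmsync.obsinfo hunk the url line changes from https://src.opensuse.org/java-packages/tomcat10.git to https://src.opensuse.org/java-packages/tomcat10, which is unrelated to the version bump carried by the mtime, commit and revision lines; confirm the dropped .git suffix is intentional (the projectscmsync line is untouched) rather than an accidental edit to the sync metadata.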
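Review bot: the rebase of tomcat-secretRequired-default.patch changes only the Index/---/+++ paths and the hunk offset; the substantive change, "- private boolean secretRequired = true;" replaced by "+ private boolean secretRequired = false;", is carried over unchanged and keeps overriding the upstream default that an AJP connector must be configured with a secret. Since this same update lists CVE-2026-43514 (AJP secret compared in non-constant time) as fixed, this is a good point to re-confirm that the packaging reason for keeping the weaker downstream default is still recorded (in the patch header or a spec comment) and that the replacement Javadoc in the hunk documents that the default differs from upstream.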
