Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package tomcat for openSUSE:Factory checked in at 2026-06-01 18:03:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/tomcat (Old) and /work/SRC/openSUSE:Factory/.tomcat.new.1937 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat" Mon Jun 1 18:03:04 2026 rev:127 rq:1356260 version:9.0.118 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat/tomcat.changes 2026-04-14 17:49:36.638741730 +0200 +++ /work/SRC/openSUSE:Factory/.tomcat.new.1937/tomcat.changes 2026-06-01 18:04:30.635561404 +0200 
@@ -1,0 +2,103 @@ +Thu May 28 14:51:21 UTC 2026 - mbussolotto <[email protected]> + +- Update to Tomcat 9.0.118 + * Fixed CVEs: + + CVE-2026-43515: Security constraints not correctly applied (bsc#1265168) + + CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167) + + CVE-2026-43513: LockOutRealm treats user names as case-sensitive + (bsc#1265166) + + CVE-2026-43512: Digest authenticator will authenticate any unknown user + (bsc#1265145) + + CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165) + + CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163) + + CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling + (bsc#1265162) + * Catalina + + Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and + OpenSSL version information (both APR and FFM implementations), along with + version compatibility warnings and third-party library version + information. (csutherl) + + Code: Refactor generation of the remote user element in the access log to + remove unnecessary code. (markt) + + Fix: Fix a regression in the previous release that meant ?- could appear + in the access log rather than ? when the query string was present but + empty. (markt) + + Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by + Mahmoud Alarby. (remm) + + Fix: Align the escaping in ExtendedAccessLogValve with the other + AccessLogValve implementations. (markt) + + Fix: 70000: fix duplication of special headers in the response after + commit, following fix for 69967. (remm) + + Fix: Correct the handling of URIs mapped to a security constraint that + only specifies the special ** role for all authenticated users. Requests + without authentication were receiving 403 responses rather than 401 + responses. (markt) + + Fix: Fix a race condition in StandardContext.getServletContext() that + could cause the jakarta.servlet.context.tempdir attribute to be lost + during a context reload. 
Make the context field volatile and use locking + to ensure only one ApplicationContext instance is created. (dsoumis) + + Fix: Update the Windows authentication (kerberos) documentation to reflect + that both Java and Windows are removing / have removed support for + RC4-HMAC. The guide now uses AES256-SHA1. (markt) + + Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize + which limits the size of a WebDAV request body for LOCK and PROPFIND. The + default value is 4096 bytes. (markt) + + Add: Add a new caseSensitive attribute to the LockOutRealm that controls + the manner in which user names are treated when making locking decisions. + The default is false, meaning user names are treated in a case insensitive + manner. (markt) + + Fix: Correct the handling of invalid users with DIGEST authentication. + (markt) + + Fix: Ensure RealmBase finds all matching extension based security + constraints. (markt) + * Coyote + + Fix: Avoid various edge cases if Content-Length is set via + setHeader(String,String) or addHeader(String,String) with an invalid value + by always clearing the previous value whether the new value is valid or + not and ignoring any invalid new value. (markt) + + Code: Refactor the calculation of the real index in the HPACK dynamic + header table implementation to reduce code duplication. (markt) + + Fix: Fix various minor issues with some HTTP/2 stream error messages for + HTTP/2. (markt) + + Fix: Consistently reject URIs containing NULL bytes when normalizing. + (markt) + + Fix: Fix a few minor memory leaks on error paths reading TLS keys and + certificates when using FFM. (markt) + + Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC + after a stream reset. (markt) + + Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields + not permitted in trailers. (markt) + + Fix: Free private keys after use in FFM based connector configuration. 
+ (markt) + + Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header + decoding that could result in a valid header triggering an unexpected + connection close. (markt) + + Fix: Refactor HTTP/2 HPACK encoding so header field names are only + converted to lower case once during the encoding process. (markt) + + Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend + validation to check for disallowed characters as well as upper case + characters. (markt) + + Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm) + + Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent + with the use (or not) of TLS. (markt) + + Fix: Correct the validation of pseudo headers and CONNECT requests to + align Tomcat's behaviour with RFC 9113, section 8.5. (markt) + + Fix: Fix a potential integer overflow when allocating capacity from a + connection level window update to individual HTTP/2 streams. Based on #996 + by Mike Tingey Jr. (markt) + + Fix: Switch AJP secret comparison to a constant time algorithm. (markt) + * WebSocket + + Fix: Fix the initial connection to a WebSocket end point where the + connection is made via a proxy that requires DIGEST authentication. + (markt) + * Other + + Fix: 69993: Update the URL to the CDDL 1.0 license. (markt) + + Add: Add warning when OpenSSL binary is not found. (csutherl) + + Add: Add check for Tomcat Native library, and log warning when it's not + found to make it easier to see when it's not used by the suite. (csutherl) + + Update: Update Byte Buddy to 1.18.8. (markt) + + Update: Update Bouncy Castle to 1.84. (markt) + + Update: Improvements to French translations. (remm) + + Update: Improvements to Japanese translations provided by tak7iji. 
(markt) + +------------------------------------------------------------------- Old: ---- apache-tomcat-9.0.117-src.tar.gz apache-tomcat-9.0.117-src.tar.gz.asc New: ---- apache-tomcat-9.0.118-src.tar.gz apache-tomcat-9.0.118-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat.spec ++++++ --- /var/tmp/diff_new_pack.TbnFMJ/_old 2026-06-01 18:04:32.295630121 +0200 +++ /var/tmp/diff_new_pack.TbnFMJ/_new 2026-06-01 18:04:32.299630287 +0200 @@ -22,7 +22,7 @@ %define elspec 3.0 %define major_version 9 %define minor_version 0 -%define micro_version 117 +%define micro_version 118 %define packdname apache-tomcat-%{version}-src # FHS 2.3 compliant tree structure - http://www.pathname.com/fhs/2.3/ %global basedir /srv/%{name} ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.TbnFMJ/_old 2026-06-01 18:04:32.351632444 +0200 +++ /var/tmp/diff_new_pack.TbnFMJ/_new 2026-06-01 18:04:32.355632610 +0200 
@@ -1,6 +1,6 @@ -mtime: 1776085373 -commit: 6bdb1ea23c3667ccfc3df14b49398934ad3d7c54d06e3555a0ee315fe91f7395 -url: https://src.opensuse.org/java-packages/tomcat.git -revision: 6bdb1ea23c3667ccfc3df14b49398934ad3d7c54d06e3555a0ee315fe91f7395 +mtime: 1779979977 +commit: 33632c93209b7432d5c5b286b32723f874c2a77107690c4ae491afd1c9155e07 +url: https://src.opensuse.org/java-packages/tomcat +revision: 33632c93209b7432d5c5b286b32723f874c2a77107690c4ae491afd1c9155e07 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ apache-tomcat-9.0.117-src.tar.gz -> apache-tomcat-9.0.118-src.tar.gz ++++++ /work/SRC/openSUSE:Factory/tomcat/apache-tomcat-9.0.117-src.tar.gz /work/SRC/openSUSE:Factory/.tomcat.new.1937/apache-tomcat-9.0.118-src.tar.gz differ: char 16, line 1 ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-28 16:52:57.000000000 +0200 @@ -0,0 +1,5 @@ +.osc +*.obscpio +*.osc +_build.* +.pbuild ++++++ tomcat-9.0.75-secretRequired-default.patch ++++++ --- /var/tmp/diff_new_pack.TbnFMJ/_old 2026-06-01 18:04:32.619643559 +0200 +++ /var/tmp/diff_new_pack.TbnFMJ/_new 2026-06-01 18:04:32.623643725 +0200 
@@ -1,12 +1,12 @@ ---- apache-tomcat-9.0.75-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2023-05-22 18:12:16.907658477 +0200 -+++ apache-tomcat-9.0.75-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2023-05-22 18:31:07.969096813 +0200 -@@ -177,7 +177,7 @@ +--- apache-tomcat-9.0.118-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2026-05-28 15:56:33.000000000 +0200 ++++ apache-tomcat-9.0.118-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java 2026-05-28 15:56:33.000000000 +0200 +@@ -207,7 +207,7 @@ } - private boolean secretRequired = true; + private boolean secretRequired = false; - public void setSecretRequired(boolean secretRequired) { - this.secretRequired = secretRequired; + /** + * Sets whether a secret is required with every request.
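Review bot: the tomcat.changes entry lists the CVE fixes but says nothing about the package's own tomcat-9.0.75-secretRequired-default.patch, refreshed in this same submission, which still sets `secretRequired = false`; that means the constant-time comparison added for CVE-2026-43514 only has an effect on hosts where a `secret` is actually configured on the AJP connector, and a line here noting the retained downstream default (and pointing operators at `secret` plus `secretRequired="true"`) would make that visible to anyone reading the update notice. Two of the upstream fixes in the same list also change runtime defaults that can affect existing deployments and deserve a call-out rather than being buried mid-list: the new WebDAV `maxRequestBodySize` init parameter (the CVE-2026-41284 fix) defaults to 4096 bytes, so LOCK/PROPFIND bodies above that are rejected until the servlet init-param is raised, and LockOutRealm now treats user names case-insensitively for lock-out decisions by default (`caseSensitive` false, the CVE-2026-43513 fix), which can change how many attempts a mixed-case attacker gets before lock-out.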
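Review bot: in the _scmsync.obsinfo hunk the `url:` line changes from https://src.opensuse.org/java-packages/tomcat.git to https://src.opensuse.org/java-packages/tomcat while `projectscmsync` keeps its existing form; if the scmsync tooling normalised the suffix away this is harmless, but if the line was edited by hand it is worth confirming that the .git-less URL resolves to the same repository, since the `commit`/`revision` hash is the only other anchor tying this build to its source tree.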
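Review bot: the `*.obscpio` pattern in the new .gitignore also matches `build.specials.obscpio`, which this same submission lists as a package artifact (`++++++ build.specials.obscpio ++++++`), so in a fresh clone `git add` would silently skip it; either add a negation line `!build.specials.obscpio` after the wildcard or narrow the pattern to the generated archive names only (whatever those are in this repository, an assumption here). The remaining entries (`.osc`, `*.osc`, `_build.*`, `.pbuild`) look like the usual osc/pbuild scratch files and are fine.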
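Review bot: the refreshed hunk still flips upstream's `private boolean secretRequired = true;` to `false`, so an AJP connector configured without a `secret` is accepted by default, the reverse of the upstream posture that the CVE-2026-43514 constant-time secret comparison in this very release is built on; if the downstream default is still wanted, the patch should carry a header explaining why (the visible hunk has none) and the changes entry should say so. Two housekeeping points: the file is still named tomcat-9.0.75-secretRequired-default.patch although its `---`/`+++` headers now reference apache-tomcat-9.0.118-src, so a version-free name would stop it implying a stale base; and the trailing context moved from the `setSecretRequired` method body to the new Javadoc block (`/** * Sets whether a secret is required with every request.` under `@@ -207,7 +207,7 @@`), so the patch now keys on comment text that upstream is free to reword, making the next rebase more likely to need a manual refresh than a fuzz match.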
