Script 'mail_helper' called by obssrc

Hello community,

here is the log from the commit of package tomcat11 for openSUSE:Factory checked in at 2026-06-01 18:02:56

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat11 (Old)
 and      /work/SRC/openSUSE:Factory/.tomcat11.new.1937 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat11" Mon Jun 1 18:02:56 2026 rev:12 rq:1356258 version:11.0.22 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat11/tomcat11.changes 2026-04-14 17:49:42.078966598 +0200 +++ /work/SRC/openSUSE:Factory/.tomcat11.new.1937/tomcat11.changes 2026-06-01 18:04:11.206757365 +0200 
@@ -1,0 +2,103 @@ +Thu May 28 11:18:54 UTC 2026 - mbussolotto <[email protected]> + +- Update to Tomcat 11.0.22 + * Fixed CVEs: + + CVE-2026-43515: Security constraints not correctly applied (bsc#1265168) + + CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167) + + CVE-2026-43513: LockOutRealm treats user names as case-sensitive + (bsc#1265166) + + CVE-2026-43512: Digest authenticator will authenticate any unknown user + (bsc#1265145) + + CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165) + + CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163) + + CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling + (bsc#1265162) + * Catalina + + Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and + OpenSSL version information (both APR and FFM implementations), along with + version compatibility warnings and third-party library version + information. (csutherl) + + Code: Refactor generation of the remote user element in the access log to + remove unnecessary code. (markt) + + Fix: Fix a regression in the previous release that meant ?- could appear + in the access log rather than ? when the query string was present but + empty. (markt) + + Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by + Mahmoud Alarby. (remm) + + Fix: Align the escaping in ExtendedAccessLogValve with the other + AccessLogValve implementations. (markt) + + Fix: 70000: fix duplication of special headers in the response after + commit, following fix for 69967. (remm) + + Fix: Correct the handling of URIs mapped to a security constraint that + only specifies the special ** role for all authenticated users. Requests + without authentication were receiving 403 responses rather than 401 + responses. (markt) + + Fix: Fix a race condition in StandardContext.getServletContext() that + could cause the jakarta.servlet.context.tempdir attribute to be lost + during a context reload. 
Make the context field volatile and use locking + to ensure only one ApplicationContext instance is created. (dsoumis) + + Fix: Update the Windows authentication (kerberos) documentation to reflect + that both Java and Windows are removing / have removed support for + RC4-HMAC. The guide now uses AES256-SHA1. (markt) + + Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize + which limits the size of a WebDAV request body for LOCK and PROPFIND. The + default value is 4096 bytes. (markt) + + Add: Add a new caseSensitive attribute to the LockOutRealm that controls + the manner in which user names are treated when making locking decisions. + The default is false, meaning user names are treated in a case insensitive + manner. (markt) + + Fix: Correct the handling of invalid users with DIGEST authentication. + (markt) + + Fix: Ensure RealmBase finds all matching extension based security + constraints. (markt) + * Coyote + + Fix: Avoid various edge cases if Content-Length is set via + setHeader(String,String) or addHeader(String,String) with an invalid value + by always clearing the previous value whether the new value is valid or + not and ignoring any invalid new value. (markt) + + Code: Refactor the calculation of the real index in the HPACK dynamic + header table implementation to reduce code duplication. (markt) + + Fix: Fix various minor issues with some HTTP/2 stream error messages for + HTTP/2. (markt) + + Fix: Consistently reject URIs containing NULL bytes when normalizing. + (markt) + + Fix: Fix a few minor memory leaks on error paths reading TLS keys and + certificates when using FFM. (markt) + + Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC + after a stream reset. (markt) + + Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields + not permitted in trailers. (markt) + + Fix: Free private keys after use in FFM based connector configuration. 
+ (markt) + + Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header + decoding that could result in a valid header triggering an unexpected + connection close. (markt) + + Fix: Refactor HTTP/2 HPACK encoding so header field names are only + converted to lower case once during the encoding process. (markt) + + Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend + validation to check for disallowed characters as well as upper case + characters. (markt) + + Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm) + + Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent + with the use (or not) of TLS. (markt) + + Fix: Correct the validation of pseudo headers and CONNECT requests to + align Tomcat's behaviour with RFC 9113, section 8.5. (markt) + + Fix: Fix a potential integer overflow when allocating capacity from a + connection level window update to individual HTTP/2 streams. Based on #996 + by Mike Tingey Jr. (markt) + + Fix: Switch AJP secret comparison to a constant time algorithm. (markt) + * WebSocket + + Fix: Fix the initial connection to a WebSocket end point where the + connection is made via a proxy that requires DIGEST authentication. + (markt) + * Other + + Fix: 69993: Update the URL to the CDDL 1.0 license. (markt) + + Add: Add warning when OpenSSL binary is not found. (csutherl) + + Add: Add check for Tomcat Native library, and log warning when it's not + found to make it easier to see when it's not used by the suite. (csutherl) + + Update: Update Byte Buddy to 1.18.8. (markt) + + Update: Update Bouncy Castle to 1.84. (markt) + + Update: Improvements to French translations. (remm) + + Update: Improvements to Japanese translations provided by tak7iji. 
(markt) + +------------------------------------------------------------------- Old: ---- apache-tomcat-11.0.21-src.tar.gz apache-tomcat-11.0.21-src.tar.gz.asc New: ---- apache-tomcat-11.0.22-src.tar.gz apache-tomcat-11.0.22-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat11.spec ++++++ --- /var/tmp/diff_new_pack.w9RL2A/_old 2026-06-01 18:04:12.846825237 +0200 +++ /var/tmp/diff_new_pack.w9RL2A/_new 2026-06-01 18:04:12.850825403 +0200 @@ -29,7 +29,7 @@ %define elspec %{elspec_major}.%{elspec_minor} %define major_version 11 %define minor_version 0 -%define micro_version 21 +%define micro_version 22 %define java_major 1 %define java_minor 17 %define java_version %{java_major}.%{java_minor} ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.w9RL2A/_old 2026-06-01 18:04:12.910827885 +0200 +++ /var/tmp/diff_new_pack.w9RL2A/_new 2026-06-01 18:04:12.918828217 +0200 
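Review bot: in the tomcat11.changes entry, the "Fixed CVEs" list credits CVE-2026-43514 (AJP secret compared in non-constant time) while the package keeps carrying tomcat-secretRequired-default.patch, which sets `secretRequired = false`; the constant-time comparison only protects connectors that actually check a secret, so the entry should state that the downstream default of not requiring an AJP secret is retained, and why. Two other items in the same entry are behaviour changes for existing deployments that deserve a sentence aimed at administrators rather than a bare upstream line: the new WebDAV `maxRequestBodySize` parameter limits LOCK and PROPFIND bodies to 4096 bytes by default, and the new LockOutRealm `caseSensitive` attribute defaults to false, so lockout decisions now ignore user-name case. The spec hunk itself (micro_version 21 to 22) matches the new apache-tomcat-11.0.22-src.tar.gz and needs nothing further.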
@@ -1,6 +1,6 @@ -mtime: 1776086528 -commit: 84444d5529ba2e95551bc530cbebf0b02991b0ae477b4e500fbfa2de98e80858 -url: https://src.opensuse.org/java-packages/tomcat11.git -revision: 84444d5529ba2e95551bc530cbebf0b02991b0ae477b4e500fbfa2de98e80858 +mtime: 1779980286 +commit: 9be1b377d039958783ab2f1a7b20bb4154beacc96732c11537e9aec34528f549 +url: https://src.opensuse.org/java-packages/tomcat11 +revision: 9be1b377d039958783ab2f1a7b20bb4154beacc96732c11537e9aec34528f549 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ apache-tomcat-11.0.21-src.tar.gz -> apache-tomcat-11.0.22-src.tar.gz ++++++ /work/SRC/openSUSE:Factory/tomcat11/apache-tomcat-11.0.21-src.tar.gz /work/SRC/openSUSE:Factory/.tomcat11.new.1937/apache-tomcat-11.0.22-src.tar.gz differ: char 15, line 1 ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-28 16:58:06.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ tomcat-secretRequired-default.patch ++++++ --- /var/tmp/diff_new_pack.w9RL2A/_old 2026-06-01 18:04:13.250841957 +0200 +++ /var/tmp/diff_new_pack.w9RL2A/_new 2026-06-01 18:04:13.254842123 +0200 
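Review bot: in the _scmsync.obsinfo hunk the `url` line changes from `https://src.opensuse.org/java-packages/tomcat11.git` to `https://src.opensuse.org/java-packages/tomcat11` at the same time as the commit and revision hashes are bumped, while `projectscmsync` keeps its old form; confirm the dropped `.git` suffix is intentional and that the sync tooling resolves both forms to the same repository, since this file records where the package source is pulled from and a silent URL change is hard to spot later. The .gitignore hunk adding `.osc` is fine.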
@@ -1,14 +1,14 @@ -Index: apache-tomcat-11.0.5-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +Index: apache-tomcat-11.0.22-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java =================================================================== ---- apache-tomcat-11.0.5-src.orig/java/org/apache/coyote/ajp/AbstractAjpProtocol.java -+++ apache-tomcat-11.0.5-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java -@@ -155,7 +155,7 @@ public abstract class AbstractAjpProtoco +--- apache-tomcat-11.0.22-src.orig/java/org/apache/coyote/ajp/AbstractAjpProtocol.java ++++ apache-tomcat-11.0.22-src/java/org/apache/coyote/ajp/AbstractAjpProtocol.java +@@ -185,7 +185,7 @@ } - private boolean secretRequired = true; + private boolean secretRequired = false; - public void setSecretRequired(boolean secretRequired) { - this.secretRequired = secretRequired; + /** + * Sets whether a secret is required with every request.
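Review bot: the rebased tomcat-secretRequired-default.patch still flips `private boolean secretRequired = true;` to `private boolean secretRequired = false;` in AbstractAjpProtocol.java, which inverts the upstream secure default on the same AJP code path that this release fixes for CVE-2026-43514; with the secret not required, the connector accepts requests that carry no secret at all, so the patch should carry a header comment stating the downstream rationale and the expectation that deployments exposing AJP set a secret explicitly. Mechanically, the hunk offset moves from `@@ -155,7 +155,7 @@ public abstract class AbstractAjpProtoco` to `@@ -185,7 +185,7 @@` (a 30-line shift, with the trailing class context dropped) and the Index/---/+++ paths move from 11.0.5 to 11.0.22; the hunk as shown ends inside the added javadoc (`* Sets whether a secret is required with every request.`), so confirm the remainder of the patch applies cleanly against the 11.0.22 source and that the setter it replaces still exists at the new offset.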
