Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package tomcat11 for openSUSE:Factory checked in at 2025-11-07 18:22:12
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/tomcat11 (Old)
 and      /work/SRC/openSUSE:Factory/.tomcat11.new.1980 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "tomcat11" Fri Nov 7 18:22:12 2025 rev:8 rq:1316082 version:11.0.13 Changes: -------- --- /work/SRC/openSUSE:Factory/tomcat11/tomcat11.changes 2025-10-07 18:28:59.311027260 +0200 +++ /work/SRC/openSUSE:Factory/.tomcat11.new.1980/tomcat11.changes 2025-11-07 18:24:11.631822337 +0100 
@@ -1,0 +2,113 @@ +Thu Nov 6 16:11:41 UTC 2025 - Ricardo Mestre <[email protected]> + +- Update to Tomcat 11.0.13 + * Fixed CVEs: + + CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT + is enabled (bsc#1252753) + + CVE-2025-55754: Improper Neutralization of Escape, Meta, or Control + Sequences vulnerability in Apache Tomcat (bsc#1252905) + + CVE-2025-61795: temporary copies during the processing of multipart + upload can lead to a denial of service (bsc#1252756) + * Catalina + + Add: Add CIDR support for the configuration of internal and trusted + proxies for the RemoteIpFilter and RemoteIpValve. Configuration via + regular expression has been deprecated and will be removed in Tomcat 12. + (markt) + + Fix: Log warnings when the SSO configuration does not comply with the + documentation. (remm) + + Update: Deprecate the RemoteAddrFilter and RemoteAddValve in favour of the + RemoteCIDRFilter and RemoteCIDRValve. (markt) + + Fix: 69837: Fix corruption of the class path generated by the Loader when + running on Windows. (markt) + + Fix: Reject requests that map to invalid Windows file names earlier. + (markt) + + Fix: 69839: Ensure that changes to session IDs (typically after + authentication) are promulgated to the SSO Valve to ensure that SSO + entries are fully clean-up on session expiration. Patch provided by Kim + Johan Andersson. (markt) + + Fix: Fix a race condition in the creation of the storage location for the + FileStore. (markt) + + Update: Change the digest used to calculate strong ETags (if enabled) for + the default Servlet from SHA-1 to SHA-256 to align with the recommendation + in RFC 9110 that hash functions used to generate strong ETags should be + collision resistant. (markt) + + Fix: HTTP methods are case-sensitive so always use case sensitive + comparisons when comparing HTTP methods. (markt) + + Fix: 69814: Ensure that HttpSession.isNew() returns false once the client + has joined the session. 
(markt) + + Fix: Further performance improvements for ParameterMap. (jengebr/markt) + + Code: Refactor access log time stamps to be based on the Instant request + processing starts. (markt) + + Fix: Fix a case-sensitivity issue in the trailer header allow list. + (markt) + + Fix: Be proactive in cleaning up temporary files after a failed multi-part + upload rather than waiting for GC to do it. (markt) + + Code: Remove a number of unnecessary packages from the + catalina-deployer.jar. (markt) + + Fix: 69781: Fix concurrent access issues in the session FileStore + implementation that were causing lost sessions when the store was used + with the PersistentValve. Based on pull request #882 by Aaron Ogburn. + (markt) + + Code: Refactor WebResource locking to use the new + KeyedReentrantReadWriteLock. (markt) + + Fix: Fix handling of QSA and QSD flags in RewriteValve. (markt) + * Cluster + + Fix: Prevent the channel configuration (sender, receiver, membership + service) from being changed unless the channel is fully stopped. (markt) + + Fix: Handle spurious wake-ups during leader election for + NonBlockingCoordinator. (markt) + + Fix: Handle spurious wake-ups during sending of messages by RpcChannel. + (markt) + * Coyote + + Fix: 69836: Incorrect processing of partitioned setting when generating + session cookie. Patch submitted by Marc Pynaert. (remm) + + Fix: 69848: Fix copy/paste errors in 11.0.12 that meant DELETE requests + received via the AJP connector were processed as OPTIONS requests and + PROPFIND requests were processed as TRACE. (markt) + + Update: Add specific certificate selection code for TLS 1.3 supporting + post quantum cryptography. Certificates defined with type MLDSA will be + selected depending on the TLS client hello. (remm) + + Update: Add groups attribute on SSLHostConfig allowing to restrict which + groups can be enabled on the SSL engine. (remm) + + Add: Optimize the conversion of HTTP method from byte form to String form. 
+ (markt) + + Fix: Store HTTP request headers using the original case for the header + name rather than forcing it to lower case. (markt) + + Fix: 69762: Additional overflow fix for HPACK decoding of integers. Pull + request #880 by Chenjp. (markt) + + Fix: Ensure keys are handed out to OpenSSL even if PEMFile fails to + process it, with appropriate logging. (remm) + + Fix: Add new ML-DSA key algorithm to PEMFile and improve reporting when + reading a key fails. (remm) + + Fix: Fix possible early timeouts for network operations caused by a + spurious wake-up of a waiting thread. Found by Coverity Scan. (markt) + * Web applications + + Fix: Documentation. Clarify the purpose of the maxPostSize attribute of + the Connector element. (markt) + + Fix: Avoid NPE in manager webapp displaying certificate information. + (remm) + * Websocket + + Fix: 69845: When using permessage-deflate with Java 25 onwards, handle the + underlying Inflater and/or Deflater throwing IllegalStateException when + closed rather than NullPointerException as they do in Java 24 and earlier. + (markt) + * Other + + Fix: 69847: Remove remaining references to the + org.apache.tomcat.util.codec.binary package which has been deleted. + (markt) + + Update: Update Byte Buddy to 1.17.7. (markt) + + Update: Update Checkstyle to 11.1.0. (markt) + + Update: Update SpotBugs to 4.9.6. (markt) + + Update: Update Jsign to 7.2. (markt) + + Add: Improvements to Russian translations provided by usmazat. (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations provided by tak7iji. (markt) + + Update: Minor refactoring in JULI loggers. Patch provided by minjund. + (schultz) + + Code: Review logging and include the full stack trace and exception + message by default rather then just the exception message when logging an + error or warning in response to an exception. (markt) + + Add: Add escaping to log formatters to align with JSON formatter. 
(markt) + + Update: Update Checkstyle to 11.0.0. (markt) + +------------------------------------------------------------------- Old: ---- apache-tomcat-11.0.10-src.tar.gz apache-tomcat-11.0.10-src.tar.gz.asc New: ---- apache-tomcat-11.0.13-src.tar.gz apache-tomcat-11.0.13-src.tar.gz.asc ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ tomcat11.spec ++++++ --- /var/tmp/diff_new_pack.HhpZpM/_old 2025-11-07 18:24:12.643864843 +0100 +++ /var/tmp/diff_new_pack.HhpZpM/_new 2025-11-07 18:24:12.647865012 +0100 @@ -29,7 +29,7 @@ %define elspec %{elspec_major}.%{elspec_minor} %define major_version 11 %define minor_version 0 -%define micro_version 10 +%define micro_version 13 %define java_major 1 %define java_minor 17 %define java_version %{java_major}.%{java_minor} ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.HhpZpM/_old 2025-11-07 18:24:12.691866859 +0100 +++ /var/tmp/diff_new_pack.HhpZpM/_new 2025-11-07 18:24:12.695867028 +0100 
@@ -1,6 +1,6 @@ -mtime: 1759321481 -commit: 62f6427ea9a280955634ef64b6d52a1e5f186dee5c772975eaac897dcf06b023 +mtime: 1762446219 +commit: 8aa75efa04c8731a1e7930c576628854a98b2d785d7785cb33a9431ddb7a6349 url: https://src.opensuse.org/java-packages/tomcat11.git -revision: 62f6427ea9a280955634ef64b6d52a1e5f186dee5c772975eaac897dcf06b023 +revision: 8aa75efa04c8731a1e7930c576628854a98b2d785d7785cb33a9431ddb7a6349 projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ apache-tomcat-11.0.10-src.tar.gz -> apache-tomcat-11.0.13-src.tar.gz ++++++ /work/SRC/openSUSE:Factory/tomcat11/apache-tomcat-11.0.10-src.tar.gz /work/SRC/openSUSE:Factory/.tomcat11.new.1980/apache-tomcat-11.0.13-src.tar.gz differ: char 45, line 1 ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2025-11-06 19:03:12.000000000 +0100 @@ -0,0 +1 @@ +.osc
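Review bot: The tomcat11.changes entry is titled only "Update to Tomcat 11.0.13", yet the tarball moves from 11.0.10 to 11.0.13 and the body merges several upstream releases without separating them: the Coyote item 69848 refers to "copy/paste errors in 11.0.12", and the Other section carries both "Update Checkstyle to 11.1.0" and "Update Checkstyle to 11.0.0". Either group the items by upstream release or drop the superseded ones (keep only Checkstyle 11.1.0). Two smaller points in the same hunk: the CVE-2025-55754 line repeats only the generic weakness title, whereas the other two CVE lines say what is affected (rewrite with PUT, multipart upload), so name the affected component there too; and "RemoteAddValve" next to "RemoteAddrFilter" and "rather then just the exception message" look like typos for "RemoteAddrValve" and "rather than".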
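Review bot: The added new/.gitignore under build.specials.obscpio (one line, ".osc") is not covered by the tomcat11.changes entry, which describes only the upstream update; add a short line for it there, or leave the file out of this submission if it is unrelated to the version bump. The "++++++ build.specials.obscpio ++++++" header also appears twice in a row before this hunk, which is worth checking in the generated diff.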
