tomcat10-docs-webapp-10.1.52-150200.5.61.1<>,܉ip9|P`ވmZWiXONIt5p^f9PM?7,5;fbutD8øIku &K)zMp? iv˿"XgbZlXiXq R 3jYgf|,W:N]E:Q~Jȉ4'^㇨ wZˠi>^DcKh: )llv!<]yUPaDRX>@_?_d - Z 'AGN B    4 5\8H;??BB C C CCD(D8D 9F$:P>:qF:yG:H=|I@hXA$YA,\AL]D8^ObTcUdV!eV&fV)lV+uV@vY,z_ _0_4_:_|Ctomcat10-docs-webapp10.1.52150200.5.61.1The "docs" web application for Apache TomcatThe documentation of web application for Apache Tomcat.ih01-ch4dA{jSUSE Linux Enterprise 15SUSE LLC Apache-2.0https://www.suse.com/Productivity/Networking/Web/Servershttps://tomcat.apache.orglinuxnoarchchown -R tomcat:tomcat /usr/share/tomcat/tomcat-webapps/docs/META-INF runuser -u tomcat -g tomcat -- xsltproc --output /usr/share/tomcat/tomcat-webapps/docs/META-INF/context.xml /etc/tomcat/allowLinking.xslt /usr/share/tomcat/tomcat-webapps/docs/META-INF/context.xml if [ ! -e /usr/share/tomcat/webapps/docs ]; then ln -sf /usr/share/tomcat/tomcat-webapps/docs /usr/share/tomcat/webapps/docs fi`rx>D@l5SW8@lHw rO>c ] % \$G _1 |$}  q 7dI ^^2 -E]i ۞RL' fba!S37?B6W$J38{)=Zf@i+s#/0"| LU#3 $ =]rJPz48/m R`YURdXLSXRs+9o=6jl~Q^{]'+*sen1F T \B% T r D P'5%Qd-A큤A큤AA큤A큤A큤A큤A큤A큤AA큤AA큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤A큤iidididieididididididididididieidieieieieieiididididididididididididididieididieieieidieidididididididididieididididididididididididididididididididididieieieieieieieieieieieieieieieieieieieieieieieieieieieieieieieieieieieieieieididididididididididiidieididididididididididididididididididididididididididididididididididididididididididieieieieieieieieieieieieieididieie287c27ed94ce40f5fe74150e12d283cd971b77d22db61bb137875a2bf391e8f145fa455e93d4f927b0f7c3c2fdf19a4bf6211e0d18a4ef26e740e645412e97c5fe48b5aebb97d1d2075694e3bc9d3840b36584fe94322551c07fd9d39ffdab13987034c5dce122d5bdd4ea6f2367aa9dda85f34491549c7b2652e856ec7a178f18ae0f6852f87a9f6a9720b19ed633a67d38caf7dfaea2fcd0ff2f1c7efc7576aa103a04a71295e67700d064b1d4bb8033969b44fe6fe3c5d3c076db5c7cb25d514e6a20fb0258c48a60a99618123ec057e8ab5af29bb441d987f2675a80b6f3372821f4337d03bbe74059942085aa9db147d8d36cc41b456f22847f17af252c326e358c02efbe1e2317782d22265d23788bfb293f5053106f7b2f9e1398ce5dff7fdb1c70875875216ee3a18630a52140eab628d9cce7bcd7f69f56b5e4d0945e81c3b0f80abd7f9e00486e140308d333f980767c5af30b61e9c688a54c7dbd71ce8f320072e4519b51f01f1ff77793824c40d5ebc886e62b3fe1e12648bc9bb42495266c9eb791d8f6cf57d6fab38e7307fc3081346480291a46559290ac807a2208b4af6be2e792ce52a17cd8438b843d9dcbf877218e7e5a97ca606d5795458be916ddc3d7286013b4e3cc269053486148d056e6abeaf835236ce920dc53ff7fdb1c70875875216ee3a18630a52140eab628d9cce7bcd7f69f56b5e4d09477f84b68ac01984d8566203b324eae905f1883f5dcffd6d8c7a6342a76547458a05d968fecb7e74fe0cb7665f18e9d127546c9840a65dbc7c2c95ebdc51b032377f4c7ea8e630cc9cb6c816f9cd979062d649aa93f938ebb1c16b745ac175aa5ab2459f0743cff421e724fe243454ffbeb472452d7f09d98e37982ec6d1ffc117b8134b028f5b8c206e18075b05790d27cc29c431bb9575033b37319751036f8dc5d18af5aebf5ad183db10b5d17d0caabb65a1b5371af6d4c2e1160c16649d6d9fdacbd36cf39f746e789faee0d09e629b6051395bae804fc88d309fdc8d50d4747aaa76f3d5ee18e6fec6f31b33b495d4fa28303a0a2ca95d4fdf0c0cc8eef6ea9933b82e315fdea8859be28962fb497abe90186fceac3290758fe1f2a5547bff3b4c23be3f14898dd1cf77967ba72102d1957dadc1ea0175e68510ae2ca05c82439b10aeebbd62f6682f78a251749ca46bdf8866165a5e14aab6c6ff85c5d71d4bb2bf2713fecc0e0709f58e2fa2d33ec64e589eff75137600ca89743d579f7e6cff2c8e4eedfd9b2631b911d05f8c9ee2529dab0ee6ef871cbdcfcbbb77aec007a843223aa63a2483e40091ae507318da426b5a30e5111150c816f3decb93f385dbbc96805470d94119ebbea7e8211561210cb552dee9911325a24ac5654def4bfd6e7e24278bebe53f9e8978cd355cb37ca690af954bcd62b1a916efe833d3bc07b6a5da6388b53cec382bcc4b835db6c96b3b125e507b250a0c8b631d02c910f874154b2e77a62f53aab58d4426e034d9a77916f2a22d5dde493d8c46acf7d01218753f067f6756fd434befccbae666efd65e5d758c215e72d57767393d6cda73e3ec9ac742e82509e56a48a93f5c2d49fcce6c7f4d02e5ee92f5a3afc907d48c381e0c5094487ebb0a19518779e053eff43e769d1740b7ad41100e09724aa6eceb8e14955d8e6a765d620fa63909f3b3258671ff70b3a8198a31b01d3a8b2caf28b6c341e358d185baf3c962bcde101524b1d88e06812b1b1d796ff99f1baacc0d7c4295b44b3a61d418b7a53f588a02523c41d3c001568172bbab186e76038dbfa316896f98e786a42c4cd13b6b9e999f5269750725566fc08bc4ced04eb276fc6d892504d24158dabc05deaf3c00fcea20d6146894b00f48fe48def1cb500c4581c5e8288d4226e9eebbc9969f8dd5949724b069a4288e5fb381e679580734c9326fe2b4f882def757a464560b1c1c6f6917c10bc1c78171acee0a0aad8d01e257417a129b06b7cdd700d5a57b67fae96b4acc61a3b4a720b4683e349247aa32331ebf65688e7a5ee48a069f9a6fbb7c214c1eb2cb773048cb98b6cb2f74cf3df1073d291a19b45a6884e92ffc52b4acb04d553a37a995e2de37f98c8821a1f767b0a6f7295c75f716c7f2a6b9992455195d556b83f93816805d49bb98386d928d47a84751ba90af3eacb9e8950f10404584db56bb5c137e27f85b597d04670dca1875d30c89c999c1fd1886065d9ab91ca16acdf6cd8c27a6ae96640e0488663e1bc0d1bdbbbad6ea94e834e29570e9c2326b8b5c50c6fc5f71bb83b58b60b3603d11aa4a8f3e7cf75213a6f67275e0c3dbb37233eb9eb06efe98e5e45b4e1ebd7dd2bec18eaf7f4ce23893b0c5d90e4d0249726768708b391c42193144875e29d285c86ba76beb6cfbd4780c8c8a803eea786dc43efc3afb3eae25b58fc3eb35ecc6491acde300a8c16cb290ebedb29b52c89e32b66d55ba87b32f18f8f446758ddfc112cbe7325a6549e6c65d5dde2f3652189ea343abd5d7a5ced4be754741cbb11c80dd691c385111341e60bdad929eede64d377c6b90a329d30d2d43732693535d062f1b28914b782fbc6d69b01e77ecc2680936fe77ff26dd794cf02be4501d1707faabdfc644faff56dde296c70c04cb88bf94ac09bd37739e9051b5cf49ff2769d6c7e46f2f0e4c91a2d2ede0c532b4ddf144c77d91b52b80c5c2e181b9e0a4fc8702e3f7ba171b8bebca68c9109a9cb57fbe58f3bd6f6f433839f3ceaa7b0b24ff53b8e359de460e5639ffee0e4b17ccc4910477ecf4fccf192b72f24ac109c13c0986403bf90af8bc7afabcd8505b6f8a28db5dc4ae307b4ad9c829272230293e837603345b5dad2a0c84037ec3b6b090460a855df9403f2f6459821ab4ba13d683b9d195995bd6969b11041385cf10571539aafc22a073691fe5d9d608e1f0b15b8feecda3558823a52d1656f40a24b4274a692a5c9ad1ff4bca08ff87390283bb28eeb75423be0d517381609168cb99d4858883aaaeb660cc07acb57db5761cb28ab69606c87099c0404cfd243d185e101dec2a31086b88432c80600a1e8e20416c6d3df5b11a8ffd079105a6d5d400f1fe34efae408ba44a76902535b4cbdcb0b2ba8c07c8d2b1345d253777f16a3b6411fcee9c4458e33f138ee671be92b5fc4d38543e95263382fc1cb1287bbfee59b2104aa3e99341a21fe1154811010684c46467fcab14795b494b09c4531c8542bb1edd1ba3c045ef4f736ff72bc9f1b75e2fd607e3c16f3fce7fa454371c1d7898ee53b78b374c160328e31dce4d6ef603fc6426bc6b7a01f18f9bdb6d3d3e19fff8d2e9ddd0be940f523f527ac6215922dd5f85ae687e592e2ab4a7325f21d96d18d89c11cc24fbd81ae0dc1b51ccf4794b5392f68da6dedd0d795cbfaa3eb94a67421be5618e8b923a6da58b2b6ecfc520ddfd9256c8541d7850f059803724d28cdfd218734ced3fb8bc51fe81ffb4c6f7c19996d390225b87e00fe24cb282f35be9b8b90a7977dcd2912f63bf631af8e1f59d2ca7fa027e9d2cb1ee95ac28c43d57840e958bbbe68f09b4f76f26ccca8c04676d3257d9796405bc0e7f284146f9f6416ae745bb3860ac449461d28a8377d77824bd597649545785232c0460be40d8f04589853b5d1396967f865ef2980d9bd9b840920da166bd70e6d3e91fe2f270c63489931c7de0405c0b4b4f0af5fe7764aacf4436e2e9da4b68eb792a92ef84a2bdd9e0f58f44622a8ca48e57f02cc359eb9af063a00cdd8c54dbd63c23ea95810c340fc0a9e6d897aeae72a5342bdf47782f879b5aebc82d4e5bddfa70c5950c83bd2167d82008d6a1df8cb184ab6db354eb791678324e9a641455a18ee957800f2bd23e6dc821f7445112c66df2ef86abbb043aabdc6c438ea890a707e61dfdddc2d4304d04f95bf709775cf28f021ed3e135aae3c6294dde1b14e3dda2e9fd3f7107acc43469833f6fc04b7a222be2a830b1779ee265281d810eaa4c86234096c968f504d6269f74b21277a855c035de0d76044b0fc63472d02cfff88bf4446e2732c4ed26a59b2db82b6ef89b067c1619c8ac0535a443327faebf7aebd6f05af5b33f2b7d91f9e50f3a8dfb1c405b54075d78475eda919eb9e6f8a402f34c8e4688f91372531b4f4f150168d3915c638b3b211b5ada51e91765d3496f946a40a8d1f065131b68ac14277afbac66d363dcdf3e98ba1294dc2d229ae8c2fee795f88a27790db64fd5f8997cfe62d8ae6fa4897d65845144016c5cd9a26aa56f0fb3de61517dee4e27dbd7a7329af79f159b6fd53d53050876f964a526dacd0988029efa48ab1468686c89064d91db869f9e128463c150b7b1d8bb7013d341380a8f3829cd34a517118c4679e3f3718880961216989b4f931bf6c90de1a3f69306f907413cbe4269819bcde6b8814bc8f3c2772572fd9b1724ec8fb775446705fd979f89ef2ba33b6824fad6002d753f9a0e139c8d41b1beea9494cd4d197be4649558c257163d9cea3ae2bca958d857f102eac8d51352ebdd98392b9ab9a2a5aa91ad296bf07103c9d6e5e573fdbbef3672b01491ba8ad7b5486f1c4510d623590e66c80963dda425bbbe69025a22037568a4d96299484d30138b269af29c5ccdb9b14f690b972f521857bc3c7c2f81a433376a15f833fd1a0dc63678bbe6c224253ece9260695369a216ab22726a4e06126ee3e98e531f4f9d611149b9762e40983f12ab0181c50bd6b661971c51e11a8c2e6df7123ae5a14d61e99a377e61ad52112c36fa422d381aec5ffb57c31912b60ca0e47b56634beaae1a4eb8c826fdea1e12410bcade84f35a04c6e35aa3314a9b13d475fdae2856a6c82b7d6017fcac0dba2ac0d6abdb2d037f07499a84df7f9a949e5e76a4d89dd3913b96e3ec691568f1581537f57b4e62863524bd1511017e7f252f23ac6c125160c39b14a2a0410d16b47d3901eee99d0090e19fdb28ab78e3fff49f571c5ece6cca5eaa4ca9bff421ce09b2021f4e4bc64a8264732de30b162cb05943d9b2e92bf27138de083e056ba73609403a3ef0ac82395a4fccae251ecef1878c569a3a5ee2f4e94f2b56e19054224482be0aa7b444ab8324ed0b0c25e3abacbd87be29732356c9bb890556675373ea9ed1d0e9b5678426d69296b6801c906ca378bb426aa3d6acdc3ba392abf7aa1d006749331fa8e97ac2202596a819dd382b46d051a28dca74875a851d97fcc71c78ca279754fabc2289a600aabecec4d9e4387cab9c7400aa2d0868a21c493df0e5da1622b319e915303b1aa2b72f3cb836057eed5699f522693cd0e6f9fbe497b6a0346fde3934cbcbd7c557a334c27bb34e69c7ed430ed4a4588c27f2a933b428f5a13403157e395a9d869d176c8dd256a5f28a042e4f863b42117f27a13e776a0e6ee6d54739b08b35741f43f5776bf51a193810b51d60285dc5d18af5aebf5ad183db10b5d17d0caabb65a1b5371af6d4c2e1160c16649d65d4dbfc82ee715a653291fb987dd565b6fc567ffee828d9e4c5f181c75eca0be63b93e248018e9520b508c50c9f61fb190bb7ed7c057598111baf79d07c3ad14afe0dcfca292a0fae8bce08a48c14d3e59c9d82c6052ab6d48a22ecc6c48f2771de0312421dda86b1912d14fa66d01fe3ef0b2415c808a4b32d321cd469ce7b643558cdf8f644cfb1bc393546e76283a9d4e17ba3fe6ee33ef259e04b497e30d63e8949215adf6407964367688f5c11f07d89bb60f8e280ee56e3923f3b2105b175fb4ec771511cd3b3383413ab2fa080f979bf8feb3924f7f9feb43a0b7ab7a549000dbac378e3ac544e1406fbfe82219e15e612130e817285d60bf34882f3c21d115033fe7f5137531744b378089f63afd3745d31750a47e0be1ce6576dcf1f3c1d788a9f3e6b06eb7ec646cacddf400acf3dbd76dcf9b04e0c459410d95b5f590f993e0be9ee85c272f73f7f5487e2acc15e343e230d27d57d65f0798d264c75e9fe50640b2b2f92e03f95bfa8337d0f4d5788b38b1d77d5216cd38624ec8cb9bf3a487c52fc6ba92d06b162c0b8470e99b88026f752236b5dc81300edf2ca498ccd45f5fa99fdfd14607febbcb4af3b5630e8054f3dd4aefd51b7ed50a066819a165a972cee7dbec0def016e4b21acdafb68c3ccbfa7d0e4ff35942d877f5ddbd3c1ac87bcf2df87bc93c0dd903a2467ced795dcd5c0d746f5c133a8123ebd6c323af7f50cfb4dab3957c5111ba07288b4e969cd391b95a88839a98002064a552e6857c18ea14b321406db3cb42b79c0ef2d0a5d1805b3066d17d2a2e1aaaeada594e0fad9daafbd267b5c159e02e3cffdfd404ebe3c707c53ae7d1a40088856c387cd9d13722aeb2cb1636a771f9087654b0dc8262e2f8835567702232864f94dfcb1a3252be0040d7bbfa27c1e1712f810d4ff6d646d1aa9795e8b31c9c06322365ac7926dcd17967553c1020f32d30d7c70c40df35efd748328ef56840bb27fab60ad353b73560abf260ff7d62df0fa14603c923bef550672757f86f397c7cfc557f8a1f258a92d960f4b7cc1707138d4dfb6530cba00dc6d57cbc2ce34a379e51d1b6bb6c6b1527d251ac0682d94e0df9b356e72791d209061227a667de5a333f4ea3b8b114f35888502a83a05435c41eaef0479226581c25935ee348664891f2d72f240c0a574987b8e2eff8633273212791b519939552d0221ee511de2d0cba7f7a6157cfecad1e976412c9a462f470896d95abb8caeca54d9ee0ace0fb98a048f5e4875b9c4f4ac4ff2f5b98e7180a2157761147d2e35e0d2daae6c3b99f0faecf0148914f40c2cb9fbc5b020d070cfeb60f78dfb520ebd4f3b6c9c25612ecbe4894cbef587838541dc64850b6e233a142bb57f114172059c6de897bc32c075650f576c77e3924a8de705d03d19f1c38dca1d7b96dce69e1ca6334bb14c1961bf8a145b3df1fcd730cef34ff85ca4364b48a80ade4983ac6fde139ddd1604970d3f615e049a5dfc7ce80733cd5abfc0a74d59d0136f5fdd1ec28b2fcd6ab86a87f4265cb5cb729d8250c3b68fc41284de76ea8f4f0515e4f3eee06e6341be6b4f3eb2131c835665f35e2c8fc6fd9aea1b4ad1c838785ebd741fb120773e15051ac90f0bdbce12ab462c50c79a2fb020600e561f9c2dd3424d5d41af62ef5d4f6fcb4a4813caf693c6f49ca0e7fa7fd6b6820932e952ee40f00f0f3b2d27c87b87de60e848ac031a51859bc0a5bbb2f5a000f4ebbc87c98647edd5rootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootrootroottomcat10-10.1.52-150200.5.61.1.src.rpmtomcat-implementation-docs-webapptomcat10-docs-webapp     /bin/shlibxslt-toolsrpmlib(CompressedFileNames)rpmlib(FileDigests)rpmlib(PartialHardlinkSets)rpmlib(PayloadFilesHavePrefix)rpmlib(PayloadIsXz)tomcat10util-linux3.0.4-14.6.0-14.0.4-14.0-15.2-110.1.52-150200.5.61.1tomcat-implementation-docs-webapp4.14.1ii_i hhP@hChZ@hH@hhg`@gw@gw@gAf@fA@f&@feZeeПe@ee@e@eoedeSa@e)1@e 0@e 0@e;eRdld0d?@cc@c@c{h@cQ8@bγbbN@b!b@aaaA@a@a{@azamaamaama`X`Q@`OL@`OL@`3__F@_@___FN_!d^@^^_^@^Y^U @^1s^%@^!^@]҇]Γ@]4@]?]V]@\\\r@\k\j@\Yz\X)@\LK\?\8@\'a\[v[u[@[@[ug@ZZ_:Z!D@Z@YYYY:Y@Y@XZnW@WiW|W'A@WWKV@V2V`VA@UlI@UlI@UlI@UQU hU hTTи@ricardo.mestre@suse.commichele.bussolotto@suse.comricardo.mestre@suse.comfstrba@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.comfstrba@suse.commichele.bussolotto@suse.comricardo.mestre@suse.comricardo.mestre@suse.comricardo.mestre@suse.commichele.bussolotto@suse.comfstrba@suse.comfstrba@suse.comricardo.mestre@suse.commichele.bussolotto@suse.comdcermak@suse.comfstrba@suse.comfstrba@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.comricardo.mestre@suse.commichele.bussolotto@suse.comfstrba@suse.comfstrba@suse.commichele.bussolotto@suse.comfstrba@suse.comfstrba@suse.comfstrba@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.comfstrba@suse.comfstrba@suse.commichele.bussolotto@suse.comfstrba@suse.comfstrba@suse.commichele.bussolotto@suse.comolaf@aepfle.demichele.bussolotto@suse.comfstrba@suse.commichele.bussolotto@suse.commichele.bussolotto@suse.comwittemar@googlemail.comwittemar@googlemail.comwittemar@googlemail.comamehmood@suse.comamehmood@suse.comwittemar@googlemail.comwittemar@googlemail.comwittemar@googlemail.comamehmood@suse.commalbu@suse.commalbu@suse.commalbu@suse.comjengelh@inai.defstrba@suse.commalbu@suse.comfstrba@suse.commalbu@suse.comjavier@opensuse.orgmalbu@suse.commalbu@suse.comfstrba@suse.commalbu@suse.comfstrba@suse.commalbu@suse.commalbu@suse.comfstrba@suse.comfstrba@suse.comfstrba@suse.comfstrba@suse.comfstrba@suse.comdimstar@opensuse.orgmalbu@suse.commalbu@suse.comfstrba@suse.commalbu@suse.commalbu@suse.commalbu@suse.commalbu@suse.comfstrba@suse.commalbu@suse.commalbu@suse.comecsos@opensuse.orgfstrba@suse.comsean@suspend.netmalbu@suse.comecsos@opensuse.orgmalbu@suse.commalbu@suse.commalbu@suse.defstrba@suse.commalbu@suse.comrbrown@suse.commalbu@suse.comecsos@opensuse.orgfstrba@suse.comecsos@opensuse.orgdziolkowski@suse.commalbu@suse.comastieger@suse.comtchvatal@suse.commalbu@suse.commalbu@suse.comdmacvicar@suse.dejcnengel@gmail.comtchvatal@suse.comdmacvicar@suse.dedmacvicar@suse.detchvatal@suse.comdmacvicar@suse.detchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comtchvatal@suse.comwittemar@googlemail.combmaryniuk@suse.com- Update to Tomcat 10.1.52 * Fixed CVEs: + CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371) + CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385) + CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387) * Catalina + Fix: 69623: Additional fix for the long standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled if the target resource was packaged in a JAR file. (markt) + Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the CsrfPreventionFilter. (schultz) + Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2 requests when the content-length header is not set. (dsoumis) + Update: Enable minimum and recommended Tomcat Native versions to be set separately for Tomcat Native 1.x and 2.x. Update the minimum and recommended versions for Tomcat Native 1.x to 1.3.4. Update the minimum and recommended versions for Tomcat Native 2.x to 2.0.12. (markt) + Add: Add a new ssoReauthenticationMode to the Tomcat provided Authenticators that provides a per Authenticator override of the SSO Valve requireReauthentication attribute. (markt) + Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception rather than silently using a replacement character. (markt) + Fix: 69932: Fix request end access log pattern regression, which would log the start time of the request instead. (remm) + Fix: 69871: Increase log level to INFO for missing configuration for the rewrite valve. (remm) + Fix: Add log warnings for additional Host appBase suspicious values. (remm) + Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar. org.apache.catalina.Connector no longer requires org.apache.tomcat.jni.AprStatus to be present. (markt) + Add: Add the ability to use a custom function to generate the client identifier in the CrawlerSessionManagerValve. This is only available programmatically. Pull request #902 by Brian Matzon. (markt) + Fix: Change the SSO reauthentication behaviour for SPNEGO authentication so that a normal SPNEGO authentication is performed if the SSL Valve is configured with reauthentication enabled. This is so that the delegated credentials will be available to the web application. (markt) + Fix: When generating the class path in the Loader, re-order the check on individual class path components to avoid a potential NullPointerException. Identified by Coverity Scan. (markt) + Fix: Fix SSL socket factory configuration in the JNDI realm. Based on pull request #915 by Joshua Rogers. (remm) + Update: Add an attribute, digestInRfc3112Order, to MessageDigestCredentialHandler to control the order in which the credential and salt are digested. By default, the current, non-RFC 3112 compliant, order of salt then credential will be used. This default will change in Tomcat 12 to the RFC 3112 compliant order of credential then salt. (markt) + Fix: Log warnings when the SSO configuration does not comply with the documentation. (remm) + Update: Deprecate the RemoteAddrFilter and RemoteAddrValve in favour of the RemoteCIDRFilter and RemoteCIDRValve. (markt) + Fix: 69837: Fix corruption of the class path generated by the Loader when running on Windows. (markt) + Fix: Reject requests that map to invalid Windows file names earlier. (markt) + Fix: 69839: Ensure that changes to session IDs (typically after authentication) are promulgated to the SSO Valve to ensure that SSO entries are fully clean-up on session expiration. Patch provided by Kim Johan Andersson. (markt) + Fix: Fix a race condition in the creation of the storage location for the FileStore. (markt) * Cluster + Add: 62814: Document that human-readable names may be used for mapSendOptions and align documentation with channelSendOptions. Based on pull request #929 by archan0621. (markt) * Clustering + Fix: Correct a regression introduced in 10.1.45 that broke some clustering configurations. (markt) * Coyote + Fix: 69936: Fix bug in previous fix for Tomcat Native crashes on shutdown that triggered a significant memory leak. Patch provided by Wes. (markt) + Fix: Avoid possible NPEs when using a TLS enabled custom connector. (remm) + Fix: Improve warnings when setting ciphers lists in the FFM code, mirroring the tomcat-native changes. (remm) + Fix: 69910: Dereference TLS objects right after closing a socket to improve memory efficiency. (remm) + Fix: Relax the JSSE vs OpenSSL configuration style checks on SSLHostConfig to reflect the existing implementation that allows one configuration style to be used for the trust attributes and a different style for all the other attributes. (markt) + Fix: Better warning message when OpenSSLConf configuration elements are used with a JSSE TLS implementation. (markt) + Fix: When using OpenSSL via FFM, don't log a warning about missing CA certificates unless CA certificates were configured and the configuration failed. (markt) + Add: For configuration consistency between OpenSSL and JSSE TLS implementations, TLSv1.3 cipher suites included in the ciphers attribute of an SSLHostConfig are now always ignored (previously they would be ignored with OpenSSL implementations and used with JSSE implementations) and a warning is logged that the cipher suite has been ignored. (markt) + Add: Add the ciphersuite attribute to SSLHostConfig to configure the TLSv1.3 cipher suites. (markt) + Add: Add OCSP support to JSSE based TLS connectors and make the use of OCSP configurable per connector for both JSSE and OpenSSL based TLS implementations. Align the checks performed by OpenSSL with those performed by JSSE. (markt) + Add: Add support for soft failure of OCSP checks with soft failure support disabled by default. (markt) + Add: Add support for configuring the verification flags passed to OCSP_basic_verify when using an OpenSSL based TLS implementation. (markt) + Fix: Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5. (remm) + Fix: Prevent concurrent release of OpenSSLEngine resources and the termination of the Tomcat Native library as it can cause crashes during Tomcat shutdown. (markt) + Fix: Don't log an incorrect certificate KeyStore location when creating a TLS connector if the KeyStore instance has been set directly on the connector. (markt) + Fix: HTTP/0.9 only allows GET as the HTTP method. (remm) + Add: Add strictSni attribute on the Connector to allow matching the SSLHostConfig configuration associated with the SNI host name to the SSLHostConfig configuration matched from the HTTP protocol host name. Non matching configurations will cause the request to be rejected. The attribute default value is true, enabling the matching. (remm) + Fix: Graceful failure for OCSP on BoringSSL in the FFM code. (remm) + Fix: Fix use of deferAccept attribute in JMX, since it is normally only removed in Tomcat 11. (remm) + Fix: 69866: Fix a memory leak when using a trust store with the OpenSSL provider. Pull request #912 by aogburn. (markt) + Fix: Fix potential crash on shutdown when a Connector depends on the Tomcat Native library. (markt) + Fix: Fix AJP message length check. Pull request #916 by Joshua Rogers. (remm) + Fix: 69848: Fix copy/paste errors in 10.1.47 that meant DELETE requests received via the AJP connector were processed as OPTIONS requests and PROPFIND requests were processed as TRACE. (markt) + Fix: Various OCSP processing issues in the OpenSSL FFM code. (dsoumis) * General + Add: Add test.silent property to suppress JUnit console output during test execution. Useful for cleaner console output when running tests with multiple threads. (csutherl) * Jasper + Fix: 69333: Correct a regression in the previous fix for 69333 and ensure that reuse() or release() is always called for a tag. (markt) + Fix: 69877: Catch IllegalArgumentException when processing URIs when creating the classpath to handle invalid URIs. (remm) + Fix: Fix populating the classpath with the webapp classloader repositories. (remm) + Fix: 69862: Avoid NPE unwrapping Servlet exception which would hide some exception details. Patch submitted by Eric Blanquer. (remm) * Jdbc-pool + Fix: 64083: If the underlying connection has been closed, don't add it to the pool when it is returned. Pull request #235 by Alex Panchenko. (markt) * Web applications + Fix: Manager: Fix abrupt truncation of the HTML and JSON complete server status output if one or more of the web applications failed to start. (schultz) + Add: Manager: Include web application state in the HTML and JSON complete server status output. (markt) + Add: Documentation: Expand the documentation to better explain when OCSP is supported and when it is not. (markt) * Websocket + Fix: 69920: When attempting to write to a closed Writer or OutputStream obtained from a WebSocket session, throw an IOException rather than an IllegalStateExcpetion as required by Writer and strongly suggested by OutputStream. (markt) + Fix: 69845: When using permessage-deflate with Java 25 onwards, handle the underlying Inflater and/or Deflater throwing IllegalStateException when closed rather than NullPointerException as they do in Java 24 and earlier. (markt) * Other + Update: Update the internal fork of Commons Pool to 2.13.1. (markt) + Update: Update the internal fork of Commons DBCP to 2.14.0. (markt) + Update: Update Commons Daemon to 1.5.1. (markt) + Update: Update ByteBuddy to 1.18.3. (markt) + Update: Update UnboundID to 7.0.4. (markt) + Update: Update Checkstyle to 12.3.1. (markt) + Add: Improvements to French translations. (markt) + Add: Improvements to Japanese translations provided by tak7iji. (markt) + Add: Improvements to Chinese translations provided by Yang. vincent.h and yong hu. (markt) + Update: Update Tomcat Native to 2.0.12. (markt) + Add: Add property "gpg.sign.files" to optionally disable release artefact signing with GPG. (rjung) + Add: Add test profile system for selective test execution. Profiles can be specified via -Dtest.profile= to run specific test subsets without using patterns directly. Profile patterns are defined in test-profiles.properties. (csutherl) + Update: Update file extension to media type mappings to align with the current list used by the Apache Web Server (httpd). (markt) + Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.10. (markt) + Update: Update Commons Daemon to 1.5.0. (markt) + Update: Update Byte Buddy to 1.18.2. (markt) + Update: Update Checkstyle to 12.2.0. (markt) + Add: Improvements to Spanish translations provided by White Vogel. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations provided by tak7iji. (markt) + Update: Update the internal fork of Apache Commons BCEL to 6.11.0. (markt) + Update: Update to Byte Buddy 1.17.8. (markt) + Update: Update to Checkstyle 12.1.1. (markt) + Update: Update to Jacoco 0.8.14. (markt) + Update: Update to SpotBugs 4.9.8. (markt) + Update: Update to JSign 7.4. (markt) + Update: Update Maven Resolver Ant Tasks to 1.6.0. (rjung) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations provided by tak7iji. (markt)- make catalina.sh %config(noreplace) (bsc#1253460)- Update to Tomcat 10.1.48 * Fixed CVEs: + CVE-2025-55752: directory traversal via rewrite with possible RCE if PUT is enabled (bsc#1252753) + CVE-2025-55754: Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat (bsc#1252905) + CVE-2025-61795: temporary copies during the processing of multipart upload can lead to a denial of service (bsc#1252756) * Catalina + Fix: Log warnings when the SSO configuration does not comply with the documentation. (remm) + Update: Deprecate the RemoteAddrFilter and RemoteAddValve in favour of the RemoteCIDRFilter and RemoteCIDRValve. (markt) + Fix: 69837: Fix corruption of the class path generated by the Loader when running on Windows. (markt) + Fix: Reject requests that map to invalid Windows file names earlier. (markt) + Fix: 69839: Ensure that changes to session IDs (typically after authentication) are promulgated to the SSO Valve to ensure that SSO entries are fully clean-up on session expiration. Patch provided by Kim Johan Andersson. (markt) + Fix: Fix a race condition in the creation of the storage location for the FileStore. (markt) + Fix: HTTP methods are case-sensitive so always use case sensitive comparisons when comparing HTTP methods. (markt) + Fix: 69814: Ensure that HttpSession.isNew() returns false once the client has joined the session. (markt) + Fix: Further performance improvements for ParameterMap. (jengebr/markt) + Code: Refactor access log time stamps to be based on the Instant request processing starts. (markt) + Fix: Fix a case-sensitivity issue in the trailer header allow list. (markt) + Fix: Be proactive in cleaning up temporary files after a failed multi-part upload rather than waiting for GC to do it. (markt) + Update: Change the digest used to calculate strong ETags (if enabled) for the default Servlet from SHA-1 to SHA-256 to align with the recommendation in RFC 9110 that hash functions used to generate strong ETags should be collision resistant. (markt) + Fix: Correct a regression in the fix for 69781 that broke FileStore. (markt) + Code: Remove a number of unnecessary packages from the catalina-deployer.jar. (markt) + Fix: 69781: Fix concurrent access issues in the session FileStore implementation that were causing lost sessions when the store was used with the PersistentValve. Based on pull request #882 by Aaron Ogburn. (markt) + Fix: Fix handling of QSA and QSD flags in RewriteValve. (markt) * Cluster + Fix: Prevent the channel configuration (sender, receiver, membership service) from being changed unless the channel is fully stopped. (markt) + Fix: Handle spurious wake-ups during leader election for NonBlockingCoordinator. (markt) + Fix: Handle spurious wake-ups during sending of messages by RpcChannel. (markt) * Coyote + Fix: 69848: Fix copy/paste errors in 10.1.47 that meant DELETE requests received via the AJP connector were processed as OPTIONS requests and PROPFIND requests were processed as TRACE. (markt) + Update: Add specific certificate selection code for TLS 1.3 supporting post quantum cryptography. Certificates defined with type MLDSA will be selected depending on the TLS client hello. (remm) + Update: Add groups attribute on SSLHostConfig allowing to restrict which groups can be enabled on the SSL engine. (remm) + Add: Optimize the conversion of HTTP method from byte form to String form. (markt) + Fix: Store HTTP request headers using the original case for the header name rather than forcing it to lower case. (markt) + Update: Add hybrid PQC support to OpenSSL, based on code from mod_ssl. Using this OpenSSL specific code path, additional PQC certificates defined with type MLDSA are added to contexts which use classic certificates. (jfclere/remm) + Fix: Ensure keys are handed out to OpenSSL even if PEMFile fails to process it, with appropriate logging. (remm) + Fix: Add new ML-DSA key algorithm to PEMFile and improve reporting when reading a key fails. (remm) + Fix: Fix possible early timeouts for network operations caused by a spurious wake-up of a waiting thread. Found by Coverity Scan. (markt) * Web applications + Fix: Documentation. Clarify the purpose of the maxPostSize attribute of the Connector element. (markt) + Fix: Avoid NPE in manager webapp displaying certificate information. (remm) * Websocket + Fix: 69845: When using permessage-deflate with Java 25 onwards, handle the underlying Inflater and/or Deflater throwing IllegalStateException when closed rather than NullPointerException as they do in Java 24 and earlier. (markt) * Other + Update: Update Byte Buddy to 1.17.7. (markt) + Update: Update Checkstyle to 11.1.0. (markt) + Update: Update SpotBugs to 4.9.6. (markt) + Update: Update Jsign to 7.2. (markt) + Add: Improvements to Russian translations provided by usmazat. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations provided by tak7iji. (markt) + Update: Minor refactoring in JULI loggers. Patch provided by minjund. (schultz) + Code: Review logging and include the full stack trace and exception message by default rather then just the exception message when logging an error or warning in response to an exception. (markt) + Add: Add escaping to log formatters to align with JSON formatter. (markt) + Update: Update Checkstyle to 11.0.0. (markt)- Do not use update-alternatives- Update to Tomcat 10.1.44 * Fixed CVEs: + CVE-2025-48989: Update the HTTP/2 overhead documentation (bsc#1243895) * Catalina + Fix: Fix bloom filter population for archive indexing when using a packed WAR containing one or more JAR files. (markt) * Coyote + Fix: 69748: Add missing call to set keep-alive timeout when using HTTP/1.1 following an async request, which was present for AJP. (remm/markt) + Fix: 69762: Fix possible overflow during HPACK decoding of integers. Note that the maximum permitted value of an HPACK decoded integer is Integer.MAX_VALUE. (markt) + Fix: Update the HTTP/2 overhead documentation - particularly the code comments - to reflect the deprecation of the PRIORITY frame and clarify that a stream reset always triggers an overhead increase. (markt) + Fix: 69762: Additional overflow fix for HPACK decoding of integers. Pull request #880 by Chenjp. (markt) * Cluster + Update: Add enableStatistics configuration attribute for the DeltaManager, defaulting to true. (remm) * WebSocket + Fix: Align the WebSocket extension handling for WebSocket client connections with WebSocket server connections. The WebSocket client now only includes an extension requested by an endpoint in the opening handshake if the WebSocket client supports that extension. (markt) * Web applications + Fix: Manager and Host Manager. Provide the Manager and Host Manager web applications with a dedicated favicon file rather than using the one from the ROOT web application which might not be present or may represent something entirely different. Pull requests #876 and #878 by Simon Arame. * Other + Update: Update Checkstyle to 10.26.1. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt)- Update to Tomcat 10.1.43 * Fixed CVEs: + CVE-2025-52520: Align size tracking for multipart requests with FileUpload's use of long. (bsc#1246388) + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier. (bsc#1246318) * Catalina + Fix: Ensure application configured welcome files override the defaults when configuring an embedded web application programmatically. (markt) + Fix: Allow the default servlet to set the content length when the content length is known, no content has been written and a Writer is being used. (markt) + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. (remm/markt) + Fix: 69731: Fix an issue that meant that the value of maxParameterCount applied was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters. (markt) + Fix: Align size tracking for multipart requests with FileUpload's use of long. (schultz) * Coyote + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. (markt) + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding when the headers include a content-length. (remm/markt) + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting one request multiple times. Based on pull request #868 by qingdaoheze. (markt) + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. (remm) + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional certificate verification and improve the warnings when a web application tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of TLS 1.3. (markt) + Fix: When setting the initial HTTP/2 connection limit, apply those limits earlier. (markt) * Jasper + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt) + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL grammar as both are unused. (markt) * Web applications + Add: Documentation. Provide more explicit guidance regarding the security considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt) + Add: Documentation. Add a section on reverse proxies to the security considerations page. (markt) * Other + Update: Update UnboundID to 7.0.3. (markt) + Update: Update Checkstyle to 10.25.1. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt)- Update to Tomcat 10.1.42 * Fixed CVEs: + CVE-2025-46701: refactor CGI servlet to access resources via WebResources (bsc#1243815) + CVE-2025-48988: limits the total number of parts in a multi-part request and limits the size of the headers provided with each part (bsc#1244656) + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649) * Catalina + Add: Support for the java:module namespace which mirrors the java:comp namespace. + Add: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. + Add: Support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters. + Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite. + Add: #863: Support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp. + Fix: 69706: Saved request serialization issue in FORM introduced when allowing infinite session timeouts. + Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application. + Fix: Use of SSS in SimpleDateFormat pattern for AccessLogValve. + Fix: Process possible path parameters rewrite production in the rewrite valve. + Fix: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources. + Add: 69633: Support for Filters using context root mappings. + Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier. + Fix: #843: Off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp. + Refactor: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer. + Refactor: GCI servlet to access resources via the WebResource API. + Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith. + Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts. + Add: Provide a content type based on file extension when web application resources are accessed via a URL. * Coyote + Refactor: #861: TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida. + Add: Finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve. + Refactor: The SavedRequestInputFilter so the buffered data is used directly rather than copied. * Jasper + Fix: 69696: Mark the JSP wrapper for reload after a failed compilation. + Fix: 69635: Add support to jakarta.el.ImportHandler for resolving inner classes. + Add: #842: Support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations. + Fix: An edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635. * Web applications + Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails. + Add: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram. * Other + Add: Thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang. + Update: Tomcat Native to 2.0.9. + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05). + Update: EasyMock to 5.6.0. + Update: Checkstyle to 10.25.0. + Fix: Use the full path when the installer for Windows sets calls icacls.exe to set file permissions. + Update: Improvements to Japanese translations provided by tak7iji. + Fix: Set sun.io.useCanonCaches in service.bat Based on pull request [#841] by Paul Lodge. + Update: Jacoco to 0.8.13. + Code: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. + Update: Byte Buddy to 1.17.5. + Update: Checkstyle to 10.23.1. + Update: File extension to media type mappings to align with the current list used by the Apache Web Server (httpd). + Update: Improvements to French translations. + Update: Improvements to Japanese translations provided by tak7iji.- Hardening permissions (bsc#1242722)- Make conflicts and provides more generic- Update to Tomcat 10.1.40 * Fixed CVEs: + CVE-2025-31650: invalid priority field values should be ignored (bsc#1242008) + CVE-2025-31651: Better handling of URLs with literal ';' and '?' (bsc#1242009) * Catalina + Fix: Return 400 if the amount of content sent for a partial PUT is inconsistent with the range that was specified. (remm) + Add: Add a new RateLimiter implementation, org.apache.catalina.util.ExactRateLimiter, that can be used with org.apache.catalina.filters.RateLimitFilter to provide rate limit based on the exact values configured. Based on pull request #794 by Chenjp. (markt) + Fix: Fix parsing of the time-taken token in the ExtendedAccessLogValve. (remm) + Fix: Fix invocation of the FFM OpenSSL code for setting a SSL engine and FIPS mode. (remm) + Fix: 69600: Add IPv6 local addresses (RFC 4193 and RFC 4291) to the default internal proxies for the RemoteIpFilter and RemoteIpValve. (markt) + Fix: 69615: Improve integration with the not found class resources cache for users who are using a custom web application class loader and/or using reflection to dynamically add external repositories to the web application class loader. (markt) + Add: Add a new initialisation parameter to the Default servlet - allowPostAsGet - which controls whether a direct request (i.e. not a forward or an include) for a static resource using the POST method will be processed as if the GET method had been used. If not allowed, the request will be rejected. The default behaviour of processing the request as if the GET method had been used is unchanged. (markt) + Fix: 69623: Correct a long standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled. (markt) + Fix: 69634: Avoid NPE on JsonErrorReportValve. (remm) + Fix: Add missing throwable stack trace to JsonErrorReportValve equivalent to the one from ErrorReportValve. (remm) + Fix: Improve the handling of %nn URL encoding in the RewriteValve and document how %nn URL encoding may be used with rewrite rules. (markt) + Fix: Fix a potential exception when calling WebappClassLoaderBase.getResource(""). (markt) * Coyote + Fix: 69607: Allow failed initialization of MD5. Based on code submitted by Shivam Verma. (remm) + Fix: 69614: HTTP/2 priority frames with an invalid priority field value should be ignored. (markt) + Fix: Improve handling of unexpected errors during HTTP/2 processing. (markt) + Fix: Add missing code to process an OpenSSL profile, such as PROFILE=SYSTEM, using FFM. (remm) + Add: Simplify the process of using a custom SSLContext for an HTTPS enabled connector. Based on pull request #805 by Hakky54. (markt) * Jasper + Code: Replace custom URL encoding provided by the JSP runtime library with calls to java.net.URLEncoder.encode(). (markt) + Add: Add compiler using the Java Compiler API, supporting exploded web applications. The compilerClassName to use is org.apache.jasper.compiler.JavaCompiler. (remm) + Add: Add support for specifying Java 25 (with the value 25) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt) * Cluster + Fix: Fix resetting cross context sessions in the ReplicationValve. (remm) * Web applications + Add: Documentation. Add a link to the Log4j documentation that describes how to use Log4j rather than JULI for Tomcat's internal logging. (markt) + Add: Documentation. Document the runtime attributes available to web applications via the Request or the ServletContext. Based on pull request [#832] by usmazat. (markt) * Other + Update: Revert JSign to 6.0 to avoid a file locking issue. (markt) + Update: Update to NSIS 3.11. (markt) + Update: Update to ByteBuddy 1.17.4. (markt) + Update: Update to Checkstyle 10.21.4. (markt) + Update: Update to SpotBugs to 4.9.3. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt)- Update to Tomcat 10.1.39 * Fixes: + launch with java 17 (bsc#1239676) * Catalina + Fix: 69602: Fix regression in releases from 12-2024 that were too strict and rejected weak etags in the If-Range header with a 400 response. Instead will consider it as a failed match since strong etags are required for If-Range. (remm) + Fix: When looking up class loader resources by resource name, the resource name should not start with '/'. If the resource name does start with '/', Tomcat is lenient and looks it up as if the '/' was not present. When the web application class loader was configured with external repositories and names starting with '/' were used for lookups, it was possible that cached 'not found' results could effectively hide lookup results using the correct resource name. (markt) + Fix: Enable the JNDIRealm to validate credentials provided to HttpServletRequest.login(String username, String password) when the realm is configured to use GSSAPI authentication. (markt) + Fix: Fix a bug in the JRE compatibility detection that incorrectly identified Java 19 and Java 20 as supporting Java 21 features. (markt) + Fix: Improve the checks for exposure to and protection against CVE-2024-56337 so that reflection is not used unless required. The checks for whether the file system is case sensitive or not have been removed. (markt) + Add: Add support for logging the connection ID (as returned by ServletRequest.getServletConnection().getConnectionId()) with the AccessLogValve and ExtendedAccessLogValve. Based on pull request #814 by Dmole. (markt) + Fix: Avoid scenarios where temporary files used for partial PUT would not be deleted. (remm) + Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught exception introduced for the check for CVE-2024-56337. (remm) * Cluster + Add: 69598: Add detection of service account token changes to the KubernetesMembershipProvider implementation and reload the token if it changes. Based on a patch by Miroslav Jezbera. (markt) * Coyote + Fix: 69575: Avoid using compression if a response is already compressed using compress, deflate or zstd. (remm) + Update: Use Transfer-Encoding for compression rather than Content-Encoding if the client submits a TE header containing gzip. (remm) + Fix: Fix a race condition in the handling of HTTP/2 stream reset that could cause unexpected 500 responses. (markt) * Other + Add: Add makensis as an option for building the Installer for Windows on non-Windows platforms. (rjung/markt) + Update: Update Byte Buddy to 1.17.1. (markt) + Update: Update Checkstyle to 10.21.3. (markt) + Update: Update SpotBugs to 4.9.1. (markt) + Update: Update JSign to 7.1. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Add: Add org.apache.juli.JsonFormatter to format log as one line JSON documents. (remm)- Update to Tomcat 10.1.35 * Fixed CVE: + CVE-2025-24813: potential RCE and/or information disclosure/corruption with partial PUT (bsc#1239302) * Catalina + Update: Add tableName configuration on the DataSourcePropertyStore that may be used by the WebDAV Servlet. (remm) + Update: Improve HTTP If headers processing according to RFC 9110. Based on pull request #796 by Chenjp. (remm/markt) + Update: Allow readOnly attribute configuration on the Resources element and allow configure the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. (remm) + Fix: 69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt) + Fix: 69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm) + Fix: Fix possible edge cases (such as HTTP/1.0) with trying to detect requests without body for WebDAV LOCK and PROPFIND. (remm) + Fix: 69528: Add multi-release JAR support for the bloom archiveIndexStrategy of the Resources. (remm) + Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm) + Fix: Remove unused session to client map from CrawlerSessionManagerValve. Submitted by Brian Matzon. (remm) + Add: Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2024-56337 and the JVM cannot be correctly configured or it cannot be confirmed that the JVM has been correctly configured, prevent the impacted web applications from starting. (markt) + Fix: When using the WebDAV servlet with serveSubpathOnly set to true, ensure that the destination for any requested WebDAV operation is also restricted to the sub-path. (markt) + Fix: Generate an appropriate Allow HTTP header when the Default servlet returns a 405 (method not allowed) response in response to a DELETE request because the target resource cannot be deleted. Pull request #802 provided by Chenjp. (markt) + Code: Refactor creation of RequestDispatcher instances so that the processing of the provided path is consistent with normal request processing. (markt) + Add: Add encodedReverseSolidusHandling and encodedSolidusHandling attributes to Context to provide control over the handling of the path used to created a RequestDispatcher. (markt) + Fix: Handle a potential NullPointerException after an IOException occurs on a non-container thread during asynchronous processing. (markt) + Fix: Enhance lifecycle of temporary files used by partial PUT. (remm) * Coyote + Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does not support. These settings are now silently ignored. (markt) + Fix: Avoid a rare NullPointerException when recycling the Http11InputBuffer. (markt) + Fix: Lower the log level to debug for logging an invalid socket channel when processing poller events for the NIO Connector as this may occur in normal usage. (markt) + Code: Clean-up references to the HTTP/2 stream once request processing has completed to aid GC and reduce the size of the HTTP/2 recycled request and response cache. (markt) + Add: Add a new Connector configuration attribute, encodedReverseSolidusHandling, to control how %5c sequences in URLs are handled. The default behaviour is unchanged (decode) keeping in mind that the allowBackslash attribute determines how the decoded URI is processed. (markt) + Fix: 69545: Improve CRLF skipping for the available method of the ChunkedInputFilter. (remm) + Fix: Improve the performance of repeated calls to getHeader(). Pull request #813 provided by Adwait Kumar Singh. (markt) + Fix: 69559: Ensure that the Java 24 warning regarding the use of sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code will be used. (markt) * Jasper + Fix: 69508: Correct a regression in the fix for 69382 that broke JSP include actions if both the page attribute and the body contained parameters. Pull request #803 provided by Chenjp. (markt) + Fix: Update the identifier validation in the Expression Language parser to reflect that, as of Java 9, _ is also a Java keyword and may not be used as an identifier. (markt) + Fix: 69521: Update the EL Parser to allow the full range of valid characters in an EL identifier as defined by the Java Language Specification. (markt) + Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch provided by John Engebretson. (markt) * Web applications + Add: Documentation. Expand the description of the security implications of setting mapperContextRootRedirectEnabled and/or mapperDirectoryRedirectEnabled to true. (markt) + Fix: Documentation. Better document the default for the truststoreProvider attribute of a SSLHostConfig element. (markt) * Other + Update: Update to Commons Daemon 1.4.1. (markt) + Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.9. (markt) + Update: Update the internal fork of Commons Pool to 2.12.1. (markt) + Update: Update Byte Buddy to 1.16.1. (markt) + Update: Update UnboundID to 7.0.2. (markt) + Update: Update Checkstyle to 10.21.2. (markt) + Update: Update SpotBugs to 4.9.0. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Chinese translations by leeyazhou. (markt) + Add: Improvements to Japanese translations by tak7iji. (markt)- Update to Tomcat 10.1.34 * Fixed CVEs: + CVE-2024-54677: DoS in examples web application (bsc#1234664) + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663) + CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435) * Catalina + Add: Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo) + Fix: Add special handling for the protocols attribute of SSLHostConfig in storeconfig. (remm) + Fix: 69442: Fix case sensitive check on content-type when parsing request parameters. (remm) + Code: Refactor duplicate code for extracting media type and subtype from content-type into a single method. (markt) + Fix: Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm) + Fix: The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt) + Fix: #780: Fix content-range header length. Submitted by Chenjp. (remm) + Fix: 69444: Ensure that the jakarta.servlet.error.message request attribute is set when an application defined error page is called. (markt) + Fix: Avoid quotes for numeric values in the JSON generated by the status servlet. (remm) + Add: Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm) + Fix: Use client locale for directory listings. (remm) + Fix: 69439: Improve the handling of multiple Cache-Control headers in the ExpiresFilter. Based on pull request #777 by Chenjp. (markt) + Fix: 69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from external repositories. Prior to this fix, these classes could be incorrectly marked as not found. (markt) + Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by users will not be removed and any header present in a HEAD request will also be present in the equivalent GET request. There may be some headers, as per RFC 9110, section 9.3.2, that are present in a GET request that are not present in the equivalent HEAD request. (markt) + Fix: 69471: Log instances of CloseNowException caught by ApplicationDispatcher.invoke() at debug level rather than error level as they are very likely to have been caused by a client disconnection or similar I/O issue. (markt) + Add: Add a test case for the fix for 69442. Also refactor references to application/x-www-form-urlencoded. Based on pull request #779 by Chenjp. (markt) + Fix: 69476: Catch possible ISE when trying to report PUT failure in the DefaultServlet. (remm) + Add: Add support for RateLimit header fields for HTTP (draft) in the RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt) + Add: #787: Add regression tests for 69478. Pull request provided by Thomas Krisch. (markt) + Fix: The default servlet now rejects HTTP range requests when two or more of the requested ranges overlap. Based on pull request #782 provided by Chenjp. (markt) + Fix: Enhance Content-Range verification for partial PUT requests handled by the default servlet. Provided by Chenjp in pull request #778. (markt) + Fix: Harmonize DataSourceStore lookup in the global resources to optionally avoid the comp/env prefix which is usually not used there. (remm) + Fix: As required by RFC 9110, the HTTP Range header will now only be processed for GET requests. Based on pull request #790 provided by Chenjp. (markt) + Fix: Deprecate the useAcceptRanges initialisation parameter for the default servlet. It will be removed in Tomcat 12 onwards where it will effectively be hard coded to true. (markt) + Add: Add DataSource based property storage for the WebdavServlet. (remm) * Coyote + Fix: Align encodedSolidusHandling with the Servlet specification. If the pass-through mode is used, any %25 sequences will now also be passed through to avoid errors and/or corruption when the application decodes the path. (markt) * Jasper + Fix: Follow-up to the fix for 69381. Apply the optimisation for method lookup performance in expression language to an additional location. (markt) * Web applications + Fix: Documentation. Remove references to the ResourceParams element. Support for ResourceParams was removed in Tomcat 5.5.x. (markt) + Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter. The attribute is internalProxies rather than allowedInternalProxies. Pull request #786 provided by Jorge Díaz. (markt) + Fix: Examples. Fix broken links when Servlet Request Info example is called via a URL that includes a pathInfo component. (markt) + Fix: Examples. Expand the obfuscation of session cookie values in the request header example to JSON responses. (markt) + Add: Examples. Add the ability to delete session attributes in the servlet session example. (markt) + Add: Examples. Add a hard coded limit of 10 attributes per session for the servlet session example. (markt) + Add: Examples. Add the ability to delete session attributes and add a hard coded limit of 10 attributes per session for the JSP form authentication example. (markt) + Add: Examples. Limit the shopping cart example to only allow adding the pre-defined items to the cart. (markt) + Fix: Examples. Remove JSP calendar example. (markt) * Other + Fix: 69465: Fix warnings during native image compilation using the Tomcat embedded JARs. (markt) + Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt) + Update: Update EasyMock to 5.5.0. (markt) + Update: Update Checkstyle to 10.20.2. (markt) + Update: Update BND to 7.1.0. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Korean translations. (markt) + Add: Improvements to Chinese translations. (markt) + Add: Improvements to Japanese translations by tak7iji. (markt)- Update to Tomcat 10.1.33 * Fixed CVEs: + CVE-2024-52316: If the Jakarta Authentication fails with an exception, set a 500 status (bsc#1233434) * Catalina + Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt) + Add: 55470: Add debug logging that reports the class path when a ClassNotFoundException occurs in the digester or the web application class loader. Based on a patch by Ralf Hauser. (markt) + Update: 69374: Properly separate between table header and body in DefaultServlet's listing. (michaelo) + Update: 69373: Make DefaultServlet's HTML listing file last modified rendering better (flexible). (michaelo) + Update: Improve HTML output of DefaultServlet. (michaelo) + Code: Refactor RateLimitFilter to use FilterBase as the base class. The primary advantage is less code to process init-param values. (markt) + Update: 69370: DefaultServlet's HTML listing uses incorrect labels. (michaelo) + Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm) + Fix: Add missing WebDAV Lock-Token header in the response when locking a folder. (remm) + Fix: Invalid WebDAV lock requests should be rejected with 400. (remm) + Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm) + Fix: Verify that destination is not locked for a WebDAV copy operation. (remm) + Fix: Send 415 response to WebDAV MKCOL operations that include a request body since this is optional and unsupported. (remm) + Fix: Enforce DAV: namespace on WebDAV XML elements. (remm) + Fix: Do not allow a new WebDAV lock on a child resource if a parent collection is locked (RFC 4918 section 6.1). (remm) + Fix: WebDAV DELETE should remove any existing lock on successfully deleted resources. (remm) + Update: Remove WebDAV lock null support in accordance with RFC 4918 section 7.3 and annex D. Instead, a lock on a non-existing resource will create an empty file locked with a regular lock. (remm) + Update: Rewrite implementation of WebDAV shared locks to comply with RFC 4918. (remm) + Update: Implement WebDAV If header using code from the Apache Jackrabbit project. (remm) + Add: Add PropertyStore interface in the WebDAV Servlet, to allow implementation of dead properties storage. The store used can be configured using the propertyStore init parameter of the WebDAV servlet by specifying the class name of the store. A simple non-persistent implementation is used if no custom store is configured. (remm) + Update: Implement WebDAV PROPPATCH method using the newly added PropertyStore, and update PROPFIND to support it. (remm) + Fix: Cache not found results when searching for web application class loader resources. This addresses performance problems caused by components such as java.sql.DriverManager, which in some circumstances will search for the same class repeatedly. The size of the cache can be controlled via the new notFoundClassResourceCacheSize on the StandardContext. (markt) + Fix: Stop after INITIALIZED state should be a noop since it is possible for subcomponents to be in FAILED after init. (remm) + Fix: Fix incorrect web resource cache size calculations when there are concurrent PUT and DELETE requests for the same resource. (markt) + Add: Add debug logging for the web resource cache so the current size can be tracked as resources are added and removed. (markt) + Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens with urn:uuid: as recommended by RFC 4918, and remove secret init parameter. (remm) + Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the same path caused corruption of the FileResource where some of the fields were set as if the file exists and some as set as if it does not. This resulted in inconsistent metadata. (markt) + Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on GET and HEAD requests. Also, skip requests where the application has set Cache-Control: no-store. (markt) + Fix: 69419: Improve the performance of ServletRequest.getAttribute() when there are multiple levels of nested includes. Based on a patch provided by John Engebretson. (markt) + Add: All applications to send an early hints informational response by calling HttpServletResponse.sendError() with a status code of 103. (schultz) + Fix: Ensure that ServerAuthModule.initialize() is called when a Jakarta Authentication module is configured via registerServerAuthModule(). (markt) + Fix: Ensure that the Jakarta Authentication CallbackHandler only creates one GenericPrincipal in the Subject. (markt) + Fix: If the Jakarta Authentication process fails with an Exception, explicitly set the HTTP response status to 500 as the ServerAuthContext may not have set it. (markt) + Fix: When persisting the Jakarta Authentication provider configuration, create any necessary parent directories that don't already exist. (markt) + Fix: Correct the logic used to detect errors when deleting temporary files associated with persisting the Jakarta Authentication provider configuration. (markt) + Fix: When processing Jakarta Authentication callbacks, don't overwrite a Principal obtained from the PasswordValidationCallback with null if the CallerPrincipalCallback does not provide a Principal. (markt) + Fix: Avoid store config backup loss when storing one configuration more than once per second. (remm) + Fix: 69359: WebdavServlet duplicates getRelativePath() method from super class with incorrect Javadoc. (michaelo) + Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and DefaultServlet. (michaelo) + Fix: Make WebdavServlet properly return the Allow header when deletion of a resource is not allowed. (michaelo) + Fix: Add log warning if non-wildcard mappings are used with the WebdavServlet. (remm) + Fix: 69361: Ensure that the order of entries in a multi-status response to a WebDAV is consistent with the order in which resources were processed. (markt) + Fix: 69362: Provide a better multi-status response when deleting a collection via WebDAV fails. Empty directories that cannot be deleted will now be included in the response. (markt) + Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to ensure that the correct path is used when the WebDAV servlet is mounted at a sub-path within the web application. (markt) + Fix 69320, a regression in the fix for 69302 that meant the HTTP/2 processing was likely to be broken for all clients once any client sent an HTTP/2 reset frame. (markt) + Fix: Improve performance of ApplicationHttpRequest.parseParameters(). Based on sample code and test cases provided by John Engebretson. (markt) + Fix: Correct regressions in the refactoring that added recycling of the coyote request and response to the HTTP/2 processing. (markt) + Add: Add support for RFC 8297 (Early Hints). Applications can use this feature by casting the HttpServletResponse to org.apache.catalina.connector. Response and then calling the method void sendEarlyHints(). This method will be added to the Servlet API (removing the need for the cast) in Servlet 6.2 onwards. (markt) + Fix: 69214: Do not reject a CORS request that uses POST but does not include a content-type header. Tomcat now correctly processes this as a simple CORS request. Based on a patch suggested by thebluemountain. (markt) + Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than Subject.doAs() when available. (markt) + Fix: Allow JAASRealm to use the configuration source to load a configured configFile, for easier use with testing. (remm) + Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm) + Fix: Add the OpenSSL version number on the APR and OpenSSL status classes. (remm) + Fix: 69131: Expand the implementation of the filter value of the Authenticator attribute allowCorsPreflight, so that it applies to all requests that match the configured URL patterns for the CORS filter, rather than only applying if the CORS filter is mapped to /*. (markt) + Fix: Using the OpenSSLListener will now cause the connector to use OpenSSL if available. (remm) * Coyote + Fix: Return null SSL session id on zero-length byte array returned from the SSL implementation. (remm) + Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm) + Fix: Create the HttpParser in Http11Processor if it is not present on the AbstractHttp11Protocol to provide better lifecycle robustness for regular HTTP/1.1. The new behavior was introduced in a previous refactoring to improve HTTP/2 performance. (remm) + Fix: OpenSSLContext will now throw a KeyManagementException if something is known to have gone wrong in the init method, which is the behavior documented by javax.net.ssl.SSLContext.init. This makes error handling more consistent. (remm) + Fix: 69379: The default HEAD response no longer includes the payload HTTP header fields as per section 9.3.2 of RFC 9110. (markt) + Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to generate Date headers for HTTP responses) generates the correct string for the given input. Prior to this change, the output may have been wrong by one second in some cases. Pull request #751 provided by Chenjp. (markt) + Fix: Request start time may not have been accurately recorded for HTTP/1.1 requests preceded by a large number of blank lines. (markt) + Add: Add server and serverRemoveAppProvidedValues to the list of attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested within. (markt) + Fix: Avoid possible crashes when using Apache Tomcat Native, caused by destroying SSLContext objects through GC after APR has been terminated. (remm) + Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields no longer need to be received before the headers of the subsequent stream, nor are trailer fields for an in-progress stream swallowed if the Connector is paused before the trailer fields are received. (markt) + Fix: Ensure the request and response are not recycled too soon for an HTTP/2 stream when a stream-level error is detected during the processing of incoming HTTP/2 frames. This could lead to incorrect processing times appearing in the access log. (markt) + Fix: Correct a regression in the fix for non-blocking reads of chunked request bodies that caused InputStream.available() to return a non-zero value when there was no data to read. In some circumstances this could cause a blocking read to block waiting for more data rather than return the data it had already received. (markt) + Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor. The default behaviour is unchanged. (markt) + Fix: Ensure that Tomcat sends a TLS close_notify message after receiving one from the client when using the OpenSSLImplementation. (markt) + Fix: 69301: Fix trailer headers replacing non-trailer headers when writing response headers to the access log. Based on a patch and test case provided by hypnoce. (markt) + Fix: 69302: If an HTTP/2 client resets a stream before the request body is fully written, ensure that any ReadListener is notified via a call to ReadListener.onError(). (markt) + Fix: Ensure that HTTP/2 stream input buffers are only created when there is a request body to be read. (markt) + Code: Refactor creation of HttpParser instances from the Processor level to the Protocol level since the parser configuration depends on the protocol and the parser is, otherwise, stateless. (markt) + Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal request and response processing objects by default. This behaviour can be controlled via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol. (markt) + Fix: Clean and log OpenSSL errors before processing of OpenSSL conf commands in the FFM code. (remm) + Fix: 69121: Ensure that the onComplete() event is triggered if AsyncListener. onError() dispatches to a target that throws an exception. (markt) + Fix: Following the trailer header field refactoring, -1 is no longer an allowed value for maxTrailerSize. Adjust documentation accordingly. (remm) + Update: Move OpenSSL support using FFM to a separate JAR named tomcat-coyote-ffm. jar that advertises Java 22 in its manifest. (remm) + Fix: Fix search for OpenSSL library for FFM on Mac OS so that java.library.path is searched. (markt) + Update: Add FFM compatibility methods for LibreSSL support. Renegotiation is not supported at the moment. (remm) + Update: Add org.apache.tomcat.util.openssl.LIBRARY_NAME (specifies the name of the library to load) and org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY (set to true to use System.loadLibrary rather than the FFM library loading code) to configure the OpenSSL library loading using FFM. (remm) + Update: Add FFM compatibility methods for BoringSSL support. Renegotiation is not supported in many cases. (remm) * Jasper + Fix: Add back tag release method as deprecated in the runtime for compatibility with old generated code. (remm) + Fix: 69399: Fix regression caused by improvement 69333, which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz. (remm) + Fix: 69381: Improve method lookup performance in expression language. When the required method has no arguments, there is no need to consider casting or coercion, and the method lookup process can be simplified. Based on a pull request by John Engebretson. (markt) + Fix: 69382: Improve the performance of the JSP include action by re-using results of relatively expensive method calls in the generated code rather than repeating them. Patch provided by John Engebretson. (markt) + Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. Based on a suggestion by John Engebretson. (markt) + Fix: 69406: When using StringInterpreterEnum, do not throw an IllegalArgumentException when an invalid Enum is encountered. Instead, resolve the value at runtime. Patch provided by John Engebretson. (markt) + Fix: 69429: Optimize EL evaluation of method parameters for methods that do not accept any parameters. Patch provided by John Engebretson. (markt) + Fix: Further optimize EL evaluation of method parameters. Patch provided by Paolo B. (markt) + Fix: 69333: Remove unnecessary code from generated JSPs. (markt) + Fix: 69338: Improve the performance of processing expressions that include AND or OR operations with more than two operands and expressions that use not empty. (markt) + Fix: 69348: Reduce memory consumption in ELContext by using lazy initialization for the data structure used to track lambda arguments. (markt) + Fix: Switch the TldScanner back to logging detailed scan results at debug level rather than trace level. (markt) + Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of new classes added to the java.lang package in Java 23. (markt) + Fix: Ensure that an exception in toString() still results in an ELException when an object is coerced to a String using ExpressionFactory.coerceToType(). (markt) + Add: Add support for specifying Java 24 (with the value 24) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt) + Fix: 69135: When using include directives in a tag file packaged in a JAR file, ensure that context relative includes are processed correctly. (markt) + Fix: 69135: When using include directives in a tag file packaged in a JAR file, ensure that file relative includes are processed correctly. (markt) + Fix: 69135: When using include directives in a tag file packaged in a JAR file, ensure that file relative includes are not permitted to access files outside of the /META_INF/tags/ directory nor outside of the JAR file. (markt) * WebSocket + Fix: If a blocking message write exceeds the timeout, don't attempt the write again before throwing the exception. (markt) + Fix: An EncodeException being thrown during a message write should not automatically cause the connection to close. The application should handle the exception and make the decision whether or not to close the connection. (markt) * Web applications + Fix: The manager webapp will now be able to access certificates again when OpenSSL is used. (remm) + Fix: Documentation. Align the logging configuration documentation with the current defaults. (markt) + Fix: Fix status servlet detailed view of the connectors when using automatic port. (remm) * jdbc-pool + Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException rather than the application seeing the original SQLException. Fixed by pull request #744 provided by Michael Clarke. (markt) + Fix: 69279: Correct a regression in the fix for 69206 that meant that methods that previously returned a null ResultSet were returning a proxy with a null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt) + Fix: 69206: Ensure statements returned from Statement methods executeQuery(), getResultSet() and getGeneratedKeys() are correctly wrapped before being returned to the caller. Based on pull request #742 provided by Michael Clarke. (markt) * Other + Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. (markt) + Update: Update Byte Buddy to 1.15.10. (markt) + Update: Update CheckStyle to 10.20.0. (markt) + Add: Improvements to German translations. (remm) + Update: Update Byte Buddy to 1.15.3. (markt) + Update: Update CheckStyle to 10.18.2. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Add: Improvements to Chinese translations by Ch_jp. (markt) + Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt) + Fix: Change the default log handler level to ALL so log messages are not dropped by default if a logger is configured to use trace (FINEST) level logging. (markt) + Update: Update Hamcrest to 3.0. (markt) + Update: Update EasyMock to 5.4.0. (markt) + Update: Update Byte Buddy to 1.15.0. (markt) + Update: Update CheckStyle to 10.18.0. (markt) + Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt) + Add: Improvements to Spanish translations by Fernando. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Fix: Fix packaging regression with missing osgi information following addition of the test-only build target. (remm) + Update: Update Tomcat Native to 2.0.8. (markt) + Update: Update Byte Buddy to 1.14.18. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Update: Add test-only build target to allow running only the testsuite, supporting Java versions down to the minimum supported to run Tomcat. (rjung) + Update: Update UnboundID to 7.0.1. (markt) + Update: Update to SpotBugs 4.8.6. (markt) + Update: Remove cglib dependency as it is not required by the version of EasyMock used by the unit tests. (markt) + Update: Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy 1.14.17. (markt) + Add: Improvements to Czech translations by Vladimír Chlup. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Add: Improvements to Chinese translations by fangzheng. (markt)- Adapt the scripts to run also with javapackages-tools >= 6.3- Fix build after removal of the default %%{java_home} define- Update to Tomcat 10.1.25 * Fixed CVEs: + CVE-2024-34750: Improper handling of exceptional conditions (bsc#1227399) * Catalina + Add: Add support for shallow copies when using WebDAV. (markt) + Code: Deprecate the WebdavFixFilter as it is no longer required. (markt) + Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64. Submitted by Daniel Lyko. (remm) + Add: Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for retrieving extended/additional information from an established GSS context. (michaelo) + Fix: Correct a regression in the fix for 68721 that caused some instances of LinkageError to be reported as ClassNotFoundException. (markt) + Fix: Ensure that static resources deployed via a JAR file remain accessible when the context is configured to use a bloom filter. Based on pull request #730 provided by bergander. (markt) + Add: Introduce reference counting so the AprLifecycleListener is more robust. This particularly targets more complex embedded configurations with multiple server instances with independent lifecycles where more than one server instance requires the AprLifecycleListener. (markt) + Add: Small performance optimization when logging cookies with no values. (schultz) + Fix: Correct error handling for asynchronous requests. If the application performs an dispatch during AsyncListener.onError() the dispatch is now performed rather than completing the request using the error page mechanism. (markt) + Add: Re-factor ElapsedTimeElement in AbstractAccessLogValve to use a customizable style. (schultz) + Add: Add more timescale options to AccessLogValve and ExtendedAccessLogValve. Allow timescales to apply to "time-taken" token in ExtendedAccessLogValve. (schultz) + Fix: Fix WebDAV lock null (locks for non existing resources) thread safety and removal. (remm) + Fix: Add periodic checking for WebDAV locks expiration. (remm) + Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo) + Fix: Remove MBean metadata for attibutes that have been removed. Based on pull request #719 by Shawn Q. (markt) + Update: Deprecate and remove sessionCounter (replaced by the addition of the active session count and the expired session count, as a reasonable approximation) and duplicates (which does not represent a possible event in current implementations) statistics from the session manager. (remm) + Fix: 68890 Align output encoding of JSPs in the Manager webapp with the XML declarations in those same files. (schultz) + Fix: Update Basic authentication to implement the requirements of RFC 7617 including the changing of the trimCredentials setting which is now defaults to false. Note that the trimCredentials setting will be removed in Tomcat 11. (markt) + Fix: Change the thread-safety mechanism for protecting StandardServer.services from a simple synchronized lock to a ReentrantReadWriteLock to allow multiple readers to operate simultaneously. Based upon a suggestion by Markus Wolfe. (schultz) + Fix: Improve Service connectors, Container children and Service executors access sync using a ReentrantReadWriteLock. (remm) + Fix: Improve handling of integer overflow if an attempt is made to upload a file via the Servlet API and the file is larger than Integer.MAX_VALUE. (markt) + Fix: 68862: Handle possible response commit when processing read errors. (remm) * Jasper + Fix: 68546: Small additional optimisation for initial loading of Servlet code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt) + Add: Add support for specifying Java 23 (with the value 23) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt) * Web applications + Add: Add the ability to set a sub-title for the Manager web application main page. This is intended to allow users with lots of instances to easily distinguish them. Based on pull request #724 by Simon Arame. (markt) + Fix: Examples: Improve performance of WebSocket chat application when multiple clients disconnect at the same time. (markt) + Update: Examples: Increase the number of previous messages displayed when using the WebSocket chat application. (markt) + Fix: Examples: Improve performance of WebSocket snake application when multiple clients disconnect at the same time. (markt) * Coyote + Fix: Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer, and use ERR_error_string_n instead. (remm) + Fix: Fix a crash on Windows setting CA certificate on null path. (remm) + Fix: 69068: Ensure read timouts are triggered for asynchronous, non-blocking reads when using HTTP/2. (markt) + Update: 69133: Add task queue size configuration on the Connector element, similar to the Executor element, for consistency. (remm) + Fix: Make counting of active HTTP/2 streams per connection more robust. (markt) + Add: Add support for TLS 1.3 client initiated re-keying. (markt) + Fix: Improve the algorithm used to identify the IP address to use to unlock the acceptor thread when a Connector is listening on all local addresses. Interfaces that are configured for point to point connections or are not currently up are now skipped. (markt) + Fix: Align non-secure and secure writes with NIO and skip the write attempt when there are no bytes to be written. (markt) + Fix: Allow any positive value for socket.unlockTimeout. If a negative or zero value is configured, the default of 250ms will be used. (mark) + Fix: Reduce the time spent waiting for the connector to unlock. The previous default of 10s was noticeably too long for cases where the unlock has failed. The wait time is now 100ms plus twice socket.unlockTimeout. (markt) + Fix: Ensure that the onAllDataRead() event is triggered when the request body uses chunked encoding and is read using non-blocking IO. (markt) + Fix: 68934: Add debug logging in the latch object when exceeding maxConnections. (remm) + Fix: Refactor trailer field handling to use a MimeHeaders instance to store trailer fields. (markt) + Fix: Ensure that multiple instances of the same trailer field are handled correctly. (markt) + Fix: Fix non-blocking reads of chunked request bodies. (markt) + Fix: When an invalid HTTP response header was dropped, an off-by-one error meant that the first header in the response was also dropped. Fix based on pull request #710 by foremans. (markt) + Fix: Fix bnd jar descriptor to include the OpenSSL FFM support. (remm) + Fix: Add OpenSSL FFM classes to tomcat-embed-core.jar. (remm) + Add: Add OpenSSL integration using the FFM API rather than Tomcat Native. OpenSSL support may be enabled by adding the org.apache.catalina.core.OpenSSLLifecycleListener listener on the Server element when using Java 22 or later. (remm) * WebSocket + Fix: 68884: Reduce the write timeout when writing WebSocket close messages for abnormal closes. The timeout defaults to 50 milliseconds and may be controlled using the org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT property in the user properties collection associated with the WebSocket session. (markt) * Other + Update: Revert Derby to 10.16.1.1 as that is the latest version of Derby that runs on Java 17. (markt) + Update: Update to Commons Daemon 1.4.0. (markt) + Update: Update to Objenesis 3.4. (markt) + Update: Update to Checkstyle 10.17.0. (markt) + Update: Update to SpotBugs 4.8.5. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Update: Switch to using the Base64 encoder and decoder provided by the JRE rather than the version provided by Commons Codec. The internal fork of Commons Codec has been deprecated and will be removed in Tomcat 11. (markt) + Update: Update NSIS to 3.10. (mark0t) + Update: Update UnboundID to 7.0.0. (markt) + Update: Update Checkstyle to 10.16.0. (markt) + Update: Update JaCoCo to 0.8.12. (markt) + Update: Update SpotBugs to 4.8.4. (markt) + Update: Update the internal fork of Apache Commons BCEL to 6.9.0. (markt) + Update: Update the internal fork of Apache Commons DBCP to 2.12.0. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Fix: Release re-built using correct JDK version. + Update: Update the internal fork of Apache Commons BCEL to 6.8.2. (markt) + Update: Update the internal fork of Apache Commons Codec to 1.16.1. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (remm) + Add: Improvements to Chinese translations by leeyazhou. (remm) - Modified patch: * tomcat-10.1-build-with-java-11.patch + rediff to changed context- Update to Tomcat 10.1.20 * Fixed CVEs: + CVE-2024-24549: Improved request header validation for HTTP/2 stream (bsc#1221386) + CVE-2024-23672: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection (bsc#1221385) * Catalina + Fix: Minor performance improvement for building filter chains. Based on ideas from #702 by Luke Miao. (remm) + Fix: Align error handling for Writer and OutputStream. Ensure use of either once the response has been recycled triggers a NullPointerException provided that discardFacades is configured with the default value of true. (markt) + Fix: 68692: The standard thread pool implementations that are configured using the Executor element now implement ExecutorService for better support NIO2. (remm) + Fix: 68495: When restoring a saved POST request after a successful FORM authentication, ensure that neither the URI, the query string nor the protocol are corrupted when restoring the request body. (markt) + Fix: After forwarding a request, attempt to unwrap the response in order to suspend it, instead of simply closing it if it was wrapped. Add a new suspendWrappedResponseAfterForward boolean attribute on Context to control the bahavior, defaulting to false. (remm) + Fix: 68721: Workaround a possible cause of duplicate class definitions when using ClassFileTransformers and the transformation of a class also triggers the loading of the same class. (markt) + Fix: The rewrite valve should not do a rewrite if the output is identical to the input. (remm) + Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow skipping over the next valve in the Catalina pipeline. (remm) + Update: Add highConcurrencyStatus attribute to the SemaphoreValve to optionally allow the valve to return an error status code to the client when a permit cannot be acquired from the semaphore. (remm) + Add: Add checking of the "age" of the running Tomcat instance since its build-date to the SecurityListener, and log a warning if the server is old. (schultz) + Fix: When using the AsyncContext, throw an IllegalStateException, rather than allowing an NullPointerException, if an attempt is made to use the AsyncContext after it has been recycled. (markt) + Fix: Correct JPMS and OSGi meta-data for tomcat-embed-core.jar by removing reference to org.apache.catalina.ssi package that is no longer included in the JAR. Based on pull request #684 by Jendrik Johannes. (markt) + Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are correctly removed from files containing property values when configured to do so. Bug identified by Coverity Scan. (markt) + Add: Add improvements to the CSRF prevention filter including the ability to skip adding nonces for resource name and subtree URL patterns. (schultz) + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) + Fix: 68089: Further improve the performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt) + Fix: 68559: Allow asynchronous error handling to write to the response after an error during asynchronous processing. (markt) * Coyote + Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all of the connection windows and still has content to write, it will now be added to the backlog immediately rather than waiting until the write attempt for the remaining content. (markt) + Fix: Add threadsMaxIdleTime attribute to the endpoint, to allow configuring the amount of time before an internal executor will scale back to the configured minSpareThreads size. (remm) + Fix: Correct a regression in the support for user provided SSLContext instances that broke the org.apache.catalina.security.TLSCertificateReloadListener. (markt) + Fix: Setting a null value for a cookie attribute should remove the attribute. (markt) + Fix: Make asynchronous error handling more robust. Ensure that once a connection is marked to be closed, further asynchronous processing cannot change that. (markt) + Fix: Make asynchronous error handling more robust. Ensure that once the call to AsyncListener.onError() has returned to the container, only container threads can access the AsyncContext. This protects against various race conditions that woudl otherwise occur if application threads continued to access the AsyncContext. + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. In particular, most of the HTTP/2 debug logging has been changed to trace level. (remm) + Fix: Add support for user provided SSLContext instances configured on SSLHostConfigCertificate instances. Based on pull request #673 provided by Hakan Altındağ. (markt) + Fix: Partial fix for 68558: Cache the result of converting to String for request URI, HTTP header names and the request Content-Type value to improve performance by reducing repeated byte[] to String conversions. (markt) + Fix: Improve error reporting to HTTP/2 clients for header processing errors by reporting problems at the end of the frame where the error was detected rather than at the end of the headers. (markt) + Fix: Remove the remaining reference to a stream once the stream has been recycled. This makes the stream eligible for garbage collection earlier and thereby improves scalability. (markt) * Jasper + Add: Add support for specifying Java 22 (with the value 22) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt) + Fix: Handle the case where the JSP engine forwards a request/response to a Servlet that uses an OutputStream rather than a Writer. This was triggering an IllegalStateException on code paths where there was a subsequent attempt to obtain a Writer. (markt) + Fix: Correctly handle the case where a tag library is packaged in a JAR file and the web application is deployed as a WAR file rather than an unpacked directory. (markt) + Fix: 68546: Generate optimal size and types for JSP imports maps, as suggested by John Engebretson. (remm) + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) * Cluster + Fix: Avoid updating request count stats on async. (remm) * WebSocket + Fix: Correct a regression in the fix for 66508 that could cause an UpgradeProcessor leak in some circumstances. (markt) + Fix: Review usage of debug logging and downgrade trace or data dumping operations from debug level to trace. (remm) + Fix: Ensure that WebSocket connection closure completes if the connection is closed when the server side has used the proprietary suspend/resume feature to suspend the connection. (markt) * Web applications Add: Add support for responses in JSON format from the examples application RequestHeaderExample. (schultz) * Other + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Fix: 57130: Allow digest.(sh|bat) to accept password from a file or stdin. (csutherl/schultz) + Update: Update Checkstyle to 10.14.1. (markt) + Fix: Correct the remaining OSGi contract references in the manifest files to refer to the Jakarta EE contract names rather than the Java EE contract names. Based on pull request #685 provided by Paul A. Nicolucci. (markt) + Update: Update Checkstyle to 10.13.0. (markt) + Update: Update JSign to 6.0. (markt) + Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.7. (markt) + Update: Update Tomcat Native to 2.0.7. (markt) + Update: Add strings for debug level messages. (remm) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) - Regenerated patch: tomcat-jdt.patch- Add missing Requires(post): util-linux to have runuser into post- Add %%systemd_ordering to packages with systemd unit files, so that the order is the right one if those packages find themselves in the same transaction with systemd- Link ecj.jar into the install instead of copying it- rpm 4.19 requires dependencies on tomcat user and group (bsc#1219530)- Fixed CVEs: * CVE-2024-22029: run xsltproc as tomcat group (bsc#1219208)- Update to Tomcat 10.1.18 * Fixed CVEs: + CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to incorrect headers parsing (bsc#1217649) * Catalina + Update: 68378: Align extension to MIME type mappings in the global web.xml with those in httpd by adding application/vnd.geogebra.slides for ggs, text/javascript for mjs and audio/ogg for opus. (markt) + Fix: Background processes should not be run concurrently with lifecycle operations of a container. (remm) + Fix: Correct unintended escaping of XML in some WebDAV responses. The XML list of support locks when provided in response to a PROPFIND request was incorrectly XML escaped. (markt) + Fix: 68227: Ensure that AsyncListener.onComplete() is called if AsyncListener.onError() calls AsyncContext.dispatch(). (markt) + Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP request processing. Includes a test case based on code provided by adwsingh. (markt) + Fix: 67667: TLSCertificateReloadListener prints unreadable rendering of X509Certificate#getNotAfter(). (michaelo) + Update: The status servlet included in the manager webapp can now output statistics as JSON, using the JSON=true URL parameter. (remm) + Update: Optionally allow ServiceBindingPropertySource to trim a trailing newline from a file containing a property-value. (schultz) + Fix: 67793: Ensure the original session timeout is restored after FORM authentication if the user refreshes a page during the FORM authentication process. Based on a suggestion by Mircea Butmalai. (markt) + Update: 67926: PEMFile prints unidentifiable string representation of ASN.1 OIDs. (michaelo) + Fix: 66875: Ensure that setting the request attribute jakarta.servlet.error.exception is not sufficient to trigger error handling for the current request and response. (markt) + Fix: 68054: Avoid some file canonicalization calls introduced by the fix for 65433. (remm) + Fix: 68089: Improve performance of request attribute access for ApplicationHttpRequest and ApplicationRequest. (markt) + Fix: Use a 400 status code to report an error due to a bad request (e.g. an invalid trailer header) rather than a 500 status code. (markt) + Fix: Ensure that an IOException during the reading of the request triggers always error handling, regardless of whether the application swallows the exception. (markt) * Coyote + Fix: Refactor the VirtualThreadExecutor so that it can be used by the NIO2 connector which was using platform threads even when configured to use virtual threads. (markt) + Fix: Correct a regression in the fix for 67675 that broke TLS key file parsing for PKCS#8 format keys that do not specify an explicit pseudo-random function and rely on the default. This typically affects keys generated by OpenSSL 1.0.2. (markt) + Fix: Allow multiple operations with the same name on introspected mbeans, fixing a regression caused by the introduction of a second addSslHostConfig method. (remm) + Fix: Relax the check that the HTTP Host header is consistent with the host used in the request line, if any, to make the check case insensitive since host names are case insensitive. (markt) + Add: 68348: Add support for the partitioned attribute for cookies. (markt) + Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and SSLHostConfig#certificateKeystorePasswordFile. (michaelo) + Add: When calling SSLHostConfigCertificate.setCertificateKeystore(ks), automatically call setCertificateKeystoreType(ks.getType()). (markt) + Fix: 67628: Clarify how the ciphers attribute of the SSLHostConfig is used. (markt) + Fix: 67666: Ensure TLS connectors using PEM files either work with the TLSCertificateReloadListener or, in the rare case that they do not, log a warning on Connector start. (markt) + Fix: 67675: Support a wider range of KDF and ciphers for PEM files than the combinations supported by the JVM by default. Specifically, support the OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt) + Fix: 67927: Reloading TLS configuration can cause the Connector to refuse new connections or the JVM to crash. (markt) + Fix: 67934: If both Tomcat Native 1.2.x and 2.0.x are available, prefer 1.2.x since it supports the APR/Native connector whereas 2.0.x does not. (markt) + Fix: 67938: Correct handling of large TLS client hello messages that were causing the TLS handshake to fail. (markt) + Fix: 68026: Convert selected MessageByte values to String when first accessed to speed up subsequent accesses and reduce garbage collection. (markt) * Jasper + Code: 68119: Refactor the CompositeELResolver to improve performance during type conversion operations. (markt) + Fix: 68068: Performance improvement for EL. Based on a suggestion by John Engebretson. (markt) * Web Applications + Fix: 68035: Additional fix to the Manager application to enable the deployment of a web application located in a Host's appBase where the web application is specified by a bare (no path) WAR or directory name as shown in the documentation. (markt) + Fix: Examples. Improve the error handling so snakes associated with a user that drops from the network are removed from the game. (markt) + Fix: 68035: Correct a regression in the fix for 56248 that prevented deployment via the Manager of a WAR or directory that was already present in the appBase or a context file that was already present in the xmlBase. (markt) * Other + Update: Update Checkstyle to 10.12.7. (markt) + Update: Update SpotBugs to 4.8.3. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Update: Update UnboundID to 6.0.11. (markt) + Update: Update Checkstyle to 10.12.5. (markt) + Update: Update SpotBugs to 4.8.2. (markt) + Update: Update Derby to 10.17.1. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Add: Improvements to Brazilian Portuguese translations by John William Vicente. (markt) + Add: Improvements to Russian translations by usmazat and remm. (markt) + Add: 67538: Make use of Ant's task to enfore the mininum Java build version. (michaelo) + Update: Update Checkstyle to 10.12.4. (markt) + Update: Update JaCoCo to 0.8.11. (markt) + Update: Update SpotBugs to 4.8.0. (markt) + Update: Update BND to 7.0.0. (markt) + Update: The minimum Java version required to build Tomcat has been raised to Java 17. (markt) + Update: Update the OWB module to Apache OpenWebBeans 4.0.0. (remm) - Added patches: * tomcat-10.1-build-with-java-11.patch- change server.xml during %post instead of %posttrans - add libxslt-tools requirement- Fix server.xml permission (bsc#1217768, bsc#1217402) - remove serverxmltool and use xsltproc- replace prep setup and patches macro with autosetup- Initial packaging of Tomcat 10.1.14- Update to Tomcat 9.0.82 * Catalina + Add: 65770: Provide a lifecycle listener that will automatically reload TLS configurations a set time before the certificate is due to expire. This is intended to be used with third-party tools that regularly renew TLS certificates. + Fix: Fix handling of an error reading a context descriptor on deployment. + Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was also use, while it should instead take precedence. + Fix: 67472: Send fewer CORS-related headers when CORS is not actually being engaged. + Add: Improve handling of failures within recycle() methods. * Coyote + Fix: 67670: Fix regression with HTTP compression after code refactoring. + Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization takes precedence over the tomcatAuthentication attribute when processing an auth_type attribute received from a proxy server. + Fix: 67235: Fix a NullPointerException when an AsyncListener handles an error with a dispatch rather than a complete. + Fix: When an error occurs during asynchronous processing, ensure that the error handling process is only triggered once per asynchronous cycle. + Fix: Fix logic issue trying to match no argument method in IntropectionUtil. + Fix: Improve thread safety around readNotify and writeNotify in the NIO2 endpoint. + Fix: Avoid rare thread safety issue accessing message digest map. + Fix: Improve statistics collection for upgraded connections under load. + Fix: Align validation of HTTP trailer fields with standard fields. + Fix: Improvements to HTTP/2 overhead protection (bsc#1216182, CVE-2023-44487) * jdbc-pool + Fix: 67664: Correct a regression in the clean-up of unnecessary use of fully qualified class names in 9.0.81 that broke the jdbc-pool. * Jasper + Fix: 67080: Improve performance of EL expressions in JSPs that use implicit objects- Update to Tomcat 9.0.80 * Catalina + Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks + Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop() methods. + Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with one or more Connectors to process requests received by those Connectors using virtual threads. This Executor requires a minimum Java version of Java 21. + 66513: Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses the Valve and the reason if a request fails to obtain the per session Semaphore. + 66609: Ensure that the default servlet correctly escapes file names in directory listings when using XML output. + 66618: Add a numeric last modified field to the XML directory listings produced by the default servlet to enable sorting in the XSLT. + 66621: Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock. + 66622: Deprecate the xssProtectionEnabled setting from the HttpHeaderSecurityFilter and change the default value to false as support for the associated HTTP header has been removed from all major browsers. + 59232: Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information environment entries. + 66665: Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping from a properties file. + Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately crafted to allow it even when allowLinking was set to false. + Add utility config file resource lookup on Context to allow looking up resources from the webapp (prefixed with webapp:) and make the resource lookup API more visible. + Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan. + Make parsing of ExtendedAccessLogValve patterns more robust. + Fix failure trying to persist configuration for an internal credential handler. + 66680: When serializing a session during the session presistence process, do not log a warning that null Principals are not serializable. + Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up to 17 to signal closed connections. + 66822: Use the same naming format in log messages for Connector instances as the associated ProtocolHandler instance. + The parts count should also lower the actual maxParameterCount used for parsing parameters if parts are parsed first. + If an application or library sets both a non-500 error code and the javax.servlet.error.exception request attribute, use the provided error code during error page processing rather than assuming an error code of 500. + Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. + Avoid protocol relative redirects in FORM authentication (CVE-2023-41080, bsc#1214666). * Coyote + Update the HTTP/2 implementation to use the prioritization scheme defined in RFC 9218 rather than the one defined in RFC 7540. + 66602: not sending WINDOW_UPDATE when dataLength is ZERO on call SwallowedDataFramePayload. + 66627: Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather than reflecting the most recent conversion. + 66635: Correct certificate logging on start-up so it differentiates between keystore based keys/certificates and PEM file based keys/certificates and logs the relevant information for each. + Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from the Poller to be missed resuting in a timeout rather than the expected read or write. + Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait. + Correct a regression introduced in 9.0.78 and use the correct constant when constructing the default value for the certificateKeystoreFile attribute of an SSLHostConfigCertificate instance. + Refactor HTTP/2 implementation to reduce pinning when using virtual threads. + Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying to parse it. + 66841: Ensure that AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2. + 66842: When using asynchronous I/O (the default for NIO and NIO2), include DATA frames when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated. + Correct a race condition that could cause spurious RST messages to be sent after the response had been written to an HTTP/2 stream. * WebSocket + 66548: Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid characters from the base64 alphabet are used. + Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown. + Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before the onClose() event had been completed. + 66681: Fix a NullPointerException when flushing batched messages with compression enabled using permessage-deflate. * Web applications + Documentation. Expand the security guidance to cover the embedded use case and add notes on the uses made of the java.io.tmpdir system property. + 66662: Documentation. Fix a typo in the name of the algorithms attribute in the configuration section for the Digest authentication value. + Documentation. Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB. * jdbc-pool + Fix the releaseIdleCounter does not increment when testAllIdle releases them. + Fix the ConnectionState state will be inconsistent with actual state on the connection when an exception occurs while writing. * Other + Update to Commons Daemon 1.3.4. + Improvements to French translations. + Update Checkstyle to 10.12.0. + Update the packaged version of the Apache Tomcat Native Library to 1.2.37 to pick up the Windows binaries built with with OpenSSL 1.1.1u. + Include the Windows specific binary distributions in the files uploaded to Maven Central. + Improvements to French translations. + Improvements to Japanese translations. + Update UnboundID to 6.0.9. + Update Checkstyle to 10.12.1. + Update BND to 6.4.1. + Update JSign to 5.0. + Correct properties for JSign dependency. + Align documentation for maxParameterCount to match hard-coded defaults. + Update NSIS to 3.0.9. + Update Checkstyle to 10.12.2. + Improvements to French translations. + Improvements to Japanese translations. + 66829: Fix quoting so users can use the _RUNJAVA environment variable as intended on Windows when the path to the Java executable contains spaces. + Update Tomcat Native to 1.2.38 to pick up Windows binaries built with OpenSSL 1.1.1v. + Improvements to Chinese translations. + Improvements to French translations. + Improvements to Japanese translations - Removed patch: * tomcat-9.0.75-CVE-2023-41080.patch + integrated in this version- Fixed CVEs: * CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666) - Added patches: * tomcat-9.0.75-CVE-2023-41080.patch- Modified patch: * tomcat-9.0-osgi-build.patch + make it more robust to change in number of artifacts in bnd + do not enumerate jars, just take all jars from the aqute-bnd directory into the classpath- Require(pre) shadow because groupadd is needed early- Update to Tomcat 9.0.75. * See changelog at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.75_(markt) * Fixes: + bsc#1211608, CVE-2023-28709 + bsc#1208513, CVE-2023-24998 (previous incomplete fix) - Remove patches: * tomcat-9.0-CVE-2021-30640.patch * tomcat-9.0-CVE-2021-33037.patch * tomcat-9.0-CVE-2021-41079.patch * tomcat-9.0-CVE-2022-23181.patch * tomcat-9.0-NPE-JNDIRealm.patch * tomcat-9.0-hardening_getResources.patch * tomcat-9.0.43-CVE-2021-43980.patch * tomcat-9.0.43-CVE-2022-42252.patch * tomcat-9.0.43-CVE-2022-45143.patch * tomcat-9.0.43-CVE-2023-24998.patch * tomcat-9.0.43-CVE-2023-28708.patch + integrated in this version * tomcat-9.0.43-java8compat.patch + problem with Java 8 compatibility solved in this version - Modified patch: * tomcat-9.0.31-secretRequired-default.patch - > tomcat-9.0.75-secretRequired-default.patch + rediffed to changed context * tomcat-9.0-javadoc.patch + drop integrated hunks * tomcat-9.0-osgi-build.patch + fix to work with current version - Added patch: * tomcat-9.0-jdt.patch + fix build against our ecj- Fixed CVEs: * CVE-2022-45143: JsonErrorReportValve: add escape for type, message or description (bsc#1206840) - Added patches: * tomcat-9.0.43-CVE-2022-45143.patch- Fixed CVEs: * CVE-2023-28708: tomcat: not including the secure attribute causes information disclosure (bsc#1209622) - Added patches: * tomcat-9.0.43-CVE-2023-28708.patch- Fixed CVEs: * CVE-2023-24998: tomcat,tomcat6: FileUpload DoS with excessive parts (bsc#1208513) - Added patches: * tomcat-9.0.43-CVE-2023-24998.patch- set logrotate for localhost.log, manager.log, host-manager.log and localhost_access_log.txt - use logrotate for catalina.out * update tomcat-serverxml-tool and spec to configure server.xml - Added patch: * tomcat-9.0-logrotate_everything.patch * tomcat-serverxml-tool.tar.gz - Removed: * tomcat-serverxml-tool-1.0.tar.gz- Use catalina.out for logging (bsc#1205647) - Added patches: * tomcat-9.0-fix_catalina.patch- Fixed CVEs: * CVE-2022-42252: reject invalid content-length requests. (bsc#1204918) - Added patches: * tomcat-9.0.43-CVE-2022-42252.patch- Fixed CVEs: * CVE-2021-43980: Improve the recycling of Processor objects to make it more robust. (bsc#1203868) - Added patches: * tomcat-9.0.43-CVE-2021-43980.patch- Do not hardcode /usr/libexec but use %%_libexecdir during the build * Fixes for platforms, where /usr/libexec and %%_libexecdir are different- Fix bsc#1201081 by building with release=8 all files that can be built this way. The one file remaining, build it with source=8 and target=8 - Modified patch: * tomcat-9.0.43-java8compat.patch + Do not cast ByteBuffer to Buffer to call the Java 8 compatible methods. Build with release=8 instead- Security hardening. Deprecate getResources() and always return null. (bsc#1198136) - Added patch: tomcat-9.0-hardening_getResources.patch- Remove dependency on log4j/reload4j completely (bsc#1196137)- Do not build against the log4j12 packages, use the new reload4j- Fixed CVEs: * CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255) - Added patches: * tomcat-9.0-CVE-2022-23181.patch- remove instance units from post scripts, they can not be reloaded- Fix NPE in JNDIRealm, when userRoleAttribute is not set (bsc#1193569) - Added patch: * tomcat-9.0-NPE-JNDIRealm.patch- Modified patch: * tomcat-9.0-osgi-build.patch + account for biz.aQute.bnd.ant artifact in aqute-bnd >= 5.2.0- Fixed CVEs: * CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279) * CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1. clients (bsc#1188278) - Added patches: * tomcat-9.0-CVE-2021-30640.patch * tomcat-9.0-CVE-2021-33037.patch- Fixed CVEs: * CVE-2021-41079: Validate incoming TLS packet (bsc#1190558) - Added patches: * tomcat-9.0-CVE-2021-41079.patch- Update to Tomcat 9.0.43. See changelog at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.43_(markt) - Removed Patches because fixed upstream now: * tomcat-9.0-CVE-2021-25122.patch * tomcat-9.0-CVE-2021-25329.patch - Rebased patch: tomcat-9.0.39-java8compat.patch -> tomcat-9.0.43-java8compat.patch- Update to Tomcat 9.0.41. See changelog at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.41_(markt)- Update to Tomcat 9.0.40. See changelog at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.40_(markt) - Removed Patches because fixed upstream now: * tomcat-9.0-CVE-2020-17527.patch * tomcat-9.0-CVE-2021-24122.patch- Fixed CVEs: * CVE-2021-25122: Apache Tomcat h2c request mix-up (bsc#1182912) * CVE-2021-25329: Complete fix for CVE-2020-9484 (bsc#1182909) - Added patches: * tomcat-9.0-CVE-2021-25122.patch * tomcat-9.0-CVE-2021-25329.patch- Log if file access is blocked due to symlinks: CVE-2021-24122 (bsc#1180947) - Added patch: * tomcat-9.0-CVE-2021-24122.patch- Update to Tomcat 9.0.39. See changelog at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.39_(markt) - Rebased patches: * tomcat-9.0.38-java8compat.patch -> tomcat-9.0.39-java8compat.patch- Update to Tomcat 9.0.38. See changelog at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.38_(markt) - Rebased patches: * tomcat-9.0.37-java8compat.patch -> tomcat-9.0.38-java8compat.patch - Removed tomcat-9.0-CVE-2020-13943.patch because that fix is upstream now- Update to Tomcat 9.0.37. See changelog at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.37_(markt) - Fixed CVEs: * CVE-2020-13934 (bsc#1174121) * CVE-2020-13935 (bsc#1174117) - Rebased patches: * tomcat-9.0-osgi-build.patch * tomcat-9.0.31-java8compat.patch -> tomcat-9.0.37-java8compat.patch- Fix HTTP/2 request header mix-up: CVE-2020-17527 (bsc#1179602) - Added patch: * tomcat-9.0-CVE-2020-17527.patch- Add source url for tomcat-serverxml-tool - Fix typo in tomcat-webapps %postun that caused /examples context to remain in server.xml when package was removed - Remove tomcat-9.0.init and /usr/lib/tmpfiles.d/tomcat.conf from package. They're not used anymore becuse of systemd (bsc#1178396)- Fix tomcat-servlet-4_0-api package alternatives to use /usr/share/java/servlet.jar instead of /usr/share/java/tomcat-servlet.jar. Keep /usr/share/java/tomcat-servlet.jar symlink for compatibility. (bsc#1092163) - Change default file ownership in tomcat-webapps from tomcat:tomcat to root:tomcat- Fix CVE-2020-13943 (bsc#1177582) - Added patch: * tomcat-9.0-CVE-2020-13943.patch - Change /usr/lib/tomcat to /usr/libexec/tomcat in startup scripts (bsc#1177601)- Replace old specfile constructs. Remove support for SUSE 11.x. - Drop %systemd_requires, which is considered a no-op. - Trim redundant license mention from description. - Make documentation noarch. - Do not suppress errors from useradd.- Avoid hardcoding /usr/lib as libexecdir- Don't give write permissions for the tomcat group on files and directories where it's not needed (bsc#1172562) - Change tomcat.pid location from /var/run to /run (bsc#1173103) - Use the /sbin/nologin shell when creating the tomcat user - Use %tmpfiles_create macro in %post instead of calling systemd-tmpfiles directly- Update to Tomcat 9.0.36. See changelog at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.36_(markt) - Fixed CVEs: CVE-2020-11996 (bsc#1173389)- Update to Tomcat 9.0.35. See changelog at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.35_(markt) - Fixed CVEs: - CVE-2020-9484 (bsc#1171928) - Rebased patches: * tomcat-9.0-javadoc.patch * tomcat-9.0-osgi-build.patch * tomcat-9.0.31-java8compat.patch- Update to Tomcat 9.0.34. See changelog at https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.34_(markt) - Notable changes: * Add support for default values when using ${...} property replacement in configuration files. Based on a pull request provided by Bernd Bohmann. * When configuring an HTTP Connector, warn if the encoding specified for URIEncoding is not a superset of US-ASCII as required by RFC 7230. * Replace the system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH with the Connector attribute encodedSolidusHandling that adds an additional option to pass the %2f sequence through to the application without decoding it in addition to rejecting such sequences and decoding such sequences.- Update to Tomcat 9.0.33. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.33_(markt) - Notable fix: corrected a regression in the improvements to HTTP header parsing (bsc#1167438) - Rebased patches: * tomcat-9.0-javadoc.patch * tomcat-9.0-osgi-build.patch * tomcat-9.0.31-java8compat.patch- Change default value of AJP connector secretRequired to false - Added patch: * tomcat-9.0.31-secretRequired-default.patch- Update to Tomcat 9.0.31. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.30_(markt) - Fixed CVEs: * CVE-2019-17569 (bsc#1164825) * CVE-2020-1935 (bsc#1164860) * CVE-2020-1938 (bsc#1164692) - Modified patch * tomcat-9.0.30-java8compat.patch - > tomcat-9.0.31-java8compat.patch + Adapt to changed context- Modified patch: * tomcat-9.0.30-java8compat.patch + add missing casts (bsc#1162081)- Change back the build to build with any Java >= 1.8 - Added patch: * tomcat-9.0.30-java8compat.patch + Cast java.nio.ByteBuffer and java.nio.CharBuffer to java.nio.Buffer in order to avoid calling Java 9+ APIs (functions with co-variant return types) - Renamed patch: * tomcat-9.0-disable-osgi-build.patch - > tomcat-9.0-osgi-build.patch + Do not disable, but fix OSGi build since we have now aqute-bnd- Change build to always use Java 1.8 (bsc#1161025).- Update to Tomcat 9.0.30. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.30_(markt) - Fixed CVEs: - CVE-2019-0221 (bsc#1136085) - CVE-2019-10072 (bsc#1139924) - CVE-2019-12418 (bsc#1159723) - CVE-2019-17563 (bsc#1159729) - Removed patch: * tomcat-9.0-JDTCompiler-java.patch + It was not applied- Update to Tomcat 9.0.27. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.27_(markt) - Uset aqute-bnd to generate OSGi manifest, since we have that package now in openSUSE:Factory - Removed patch: * tomcat-9.0-disable-osgi-build.patch + not needed- Add maven pom files for tomcat-jni and tomcat-jaspic-api- Distribute the pom file also for tomcat-util-scan artifact- Build against compatibility log4j12 package- Adapt to the new ecj directory layout- BuildRequire pkgconfig(systemd) instead of systemd: allow OBS to shortcut the build queues by allowing usage of systemd-mini- Update to Tomcat 9.0.20. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.20_(markt) - increase maximum number of threads and open files for tomcat (bsc#1111966)- Update to Tomcat 9.0.19. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.19_(markt) Notable packaging changes: - File /usr/share/java/tomcat/catalina-jmx-remote.jar was removed. The classes contained in this jar were merged into /usr/share/java/tomcat/catalina.jar. - Fixed CVEs: - CVE-2019-0199 (bsc#1131055) - Rebased patch: - tomcat-9.0-JDTCompiler-java.patch - tomcat-9.0-javadoc.patch- Build classpath directly with the geronimo jars instead of with symlinks to them- Don't overwrite changes made to server.xml contexts when updating bundled webapps.- Set javac target to 1.8 when building docs samples and serverxmltool- Move webapps bundled with Tomcat to /usr/share/tomcat/tomcat-webapps (bsc#1092341). Affected packages: - tomcat-webapps - tomcat-admin-webapps - tomcat-docs-webapp - Remove %doc directive from tomcat-docs-webapps files section so that zypper installs files even if rpm.install.excludedocs is set to yes.- Require Java 1.8 or later (bsc#1123407)- Clean up OSGi manifest injection - Put embed maven metadata into embed subpackage - Use the .mfiles* lists generated by %%add_maven_depmap macro- Fix tomcat-tool-wrapper classpath error (bsc#1120745)- Fix tomcat-digest classpath error (bsc#1120745)- Update to Tomcat 9.0.14. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.14_(markt)- Add pom files for tomcat-jdbc and tomcat-dbcp - Add org.eclipse.jetty.orbit* aliases to correspondant artifacts- Update to Tomcat 9.0.13. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.13_(markt)- Update to Tomcat 9.0.12. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.12_(markt) - Fixed CVEs: - CVE-2018-11784 (bsc#1110850) - Rebased patches: - tomcat-9.0-disable-osgi-build.patch - tomcat-9.0-javadoc.patch - tomcat-9.0-sle.catalina.policy.patch - tomcat-9.0-tomcat-users-webapp.patch- Declare following files to config(noreplace) to prevent override access rights: - host-manager/META-INF/context.xml - manager/META-INF/context.xml- Empty tomcat-9.0.sysconfig to avoid overwriting of customer's configuration during update (bsc#1067720)- Update to Tomcat 9.0.10. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.10_(markt) - Fixed CVEs: - CVE-2018-1336 (bsc#1102400) - CVE-2018-8014 (bsc#1093697) - CVE-2018-8034 (bsc#1102379) - CVE-2018-8037 (bsc#1102410) - Rebased patch tomcat-9.0-JDTCompiler-java.patch - Added patch tomcat-9.0-disable-osgi-build.patch to disable adding OSGi metadata to JAR files- Update to Tomcat 9.0.5. See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.5_(markt)- Modified patch: * tomcat-9.0-javadoc.patch + Don't append to javadoc --add-modules since we are building with source=8 + Avoid accessing Internet URLs from build environment- Update to Tomcat 9.0.2: * Major update for tomcat8 from tomcat9 * For full changelog please read upstream changes at: + http://tomcat.apache.org/tomcat-9.0-doc/changelog.html * Rename all tomcat-8.0-* files to tomcat-9.0-* - Changed patches: * Deleted: tomcat-8.0-bootstrap-MANIFEST.MF.patch * Deleted: tomcat-8.0-sle.catalina.policy.patch * Deleted: tomcat-8.0-tomcat-users-webapp.patch * Deleted: tomcat-8.0.33-JDTCompiler-java.patch * Deleted: tomcat-8.0.44-javadoc.patch * Deleted: tomcat-8.0.9-property-build.windows.patch * Added: tomcat-9.0-JDTCompiler-java.patch * Added: tomcat-9.0-bootstrap-MANIFEST.MF.patch * Added: tomcat-9.0-javadoc.patch * Added: tomcat-9.0-sle.catalina.policy.patch * Added: tomcat-9.0-tomcat-users-webapp.patch - Renamed subpackage tomcat-3_1-api to tomcat-4_0-api to reflect the new Servlet API version. - Commented out JAVA_HOME in /etc/tomcat/tomcat.conf - Added "tomcat-" prefix to lib symlinks under /usr/share/java to avoid file conflicts with servletapi5 and geronimo-specs - Fixed wrong %ghost file paths for alternatives symlinks- Replace references to /var/adm/fillup-templates with new %_fillupdir macro (boo#1069468)- Build with JDK 8 to fix runtime errors when running with JDK 7 and 8 - Fix tomcat-digest classpath error (bsc#977410) - Fix packaged /etc/alternatives symlinks for api libs that caused rpm -V to report link mismatch (bsc#1019016)- update to 8.0.47 http://tomcat.apache.org/tomcat-8.0-doc/changelog.html * Fixed CVE: - CVE-2017-12617 - rebase tomcat-8.0-sle.catalina.policy.patch- Added patch: * tomcat-8.0.44-javadoc.patch - generate documentation with the same source level as class files - fixes build with jdk9- Version update to 8.0.44: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html * Fixed CVE: - CVE-2017-5664 (bsc#1042910)- New build dependency: javapackages-local- Version update to 8.0.43: * Another bugfix release, for full details see: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html * Fixed CVEs: - CVE-2017-5647 (bnc#1033448) - CVE-2017-5648 (bnc#1033447) - CVE-2016-8745 - Renamed and rebased patches: * tomcat-7.0-sle.catalina.policy.patch -> tomcat-8.0-sle.catalina.policy.patch - Enable optional setenv.sh script. See section "(3.4) Using the "setenv" script (optional, recommended)" in http://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt (bnc#1002662) - Fix file conflicts when upgrading from SLES 12 to SLES 12 SP1 (bnc#1023412). Added explicit obsoletes for tomcat-el-2_2-api, tomcat-jsp-2_2-api, tomcat-servlet-3_0-api- update to 8.0.39: (boo#1003911) * Improve handling of I/O errors with async processing * Fail earlier on invalid HTTP request - includes changes from 8.0.38: * Refactoring the non-container thread Async complete()/dispatch() handling to remove the possibility of deadlock * Improved UTF-8 handling for the RewriteValve - includes changes from 8.0.37: * Treat paths used to obtain a request dispatcher as encoded (configurable) * Various jdbc-pool fixes - drop tomcat-8.0.36-jar-scanner-loop.patch, upstream- Switch to commons-dbcp2 fate#321029- Backport fix for inifinite loop in the jar scanner for 8.0.36. (bnc#993862) Added: tomcat-8.0.36-jar-scanner-loop.patch- Version update to 8.0.36: * Another bugfix release for the 8.0 series. Full details: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.36_(markt) - CVE fixed by the version update: - CVE-2016-3092 (bnc#986359) - Fixed a deployment error in the examples webapp by changing the context.xml format to the new one introduced by Tomcat 8. See http://tomcat.apache.org/migration-8.html#Web_application_resources- fix maven fragments paths to build in multiple distribution versions- Version update to 8.0.33: * Another bugfix release for 8.0 series, full details: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.33_(markt) - Rebase tomcat-8.0-tomcat-users-webapp.patch - Rebase tomcat-7.0.53-JDTCompiler-java.patch to tomcat-8.0.33-JDTCompiler-java.patch- Fix fixme for the prereq preamble value - It seems systemd prints error on adding the @ services to macros so do not do that- package was partly merged with the scripts used in the Fedora distribution - support running multiple tomcat instances on the same server (fate#317783) - add catalina-jmx-remote.jar (fate#318403) - remove sysvinit support: systemd is required- update changes file for CVE information - Fixed CVEs: - CVE-2015-5346 (bnc#967814) in 8.0.32 - CVE-2015-5351 (bnc#967812) in 8.0.32 - CVE-2016-0706 (bnc#967815) in 8.0.32 - CVE-2016-0714 (bnc#967964) in 8.0.32 - CVE-2016-0763 (bnc#967966) in 8.0.32 - CVE-2015-5345 (bnc#967965) in 8.0.30 - CVE-2015-5174 (bnc#967967) in 8.0.27- Version update to 8.0.32: * Another bugfix release for 8.0 series, full details: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.32_(markt) - Rebase patch: * tomcat-8.0.9-property-build.windows.patch- update to Tomcat 8.0.28 * Multiple fixes, read upstream changelog at: https://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.28_(markt)- Some whitespace cleanups- Remove pointless conflicts on provide/obsolete symbols- Version bump to 8.0.23 fate#318913: * Multiple testfixes all around, read upstream changelog at: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html#Tomcat_8.0.23_(markt)- Fix previous commit. Fix one rpmlint warning- Drop gpg verification from spec, it is done by obs- Fix build with new jpackage-tools- update to Tomcat 8.0.18: * Major update for tomcat8 from tomcat7 * For full changelog please read upstream changes at: + http://tomcat.apache.org/tomcat-8.0-doc/changelog.html * Rename all tomcat-7.0-* files to tomcat-8.0-* * Update keyring file - Update windows patch to apply again: * Deleted: tomcat-7.0.52-property-build.windows.patch * Added: tomcat-8.0.9-property-build.windows.patch * Added:tomcat-8.0-tomcat-users-webapp.patch * Deleted: tomcat-7.0-tomcat-users-webapp.patch * Added: tomcat-8.0-bootstrap-MANIFEST.MF.patch * Deleted: tomcat-7.0-bootstrap-MANIFEST.MF.patch- Version 1.1.30 or higher is required for APR listener (bnc#914725)/bin/shh01-ch4d 1773077647  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~$10.1.5210.1.52-150200.5.61.1    docsBUILDING.txtMETA-INFcontext.xmlRELEASE-NOTES.txtRUNNING.txtWEB-INFjsp403.jspweb.xmlaio.htmlannotationapiindex.htmlapiindex.htmlappdevbuild.xml.txtdeployment.htmlindex.htmlinstallation.htmlintroduction.htmlprocesses.htmlsamplebuild.xmldocsREADME.txtindex.htmlsrcmypackageHello.javawebWEB-INFweb.xmlhello.jspimagestomcat.gifindex.htmlsource.htmlweb.xml.txtapr.htmlarchitectureindex.htmloverview.htmlrequestProcessrequestProcess.html11_nio.plantuml11_nio.png21_http11.plantuml21_http11.png31_synchronous.plantuml31_synchronous.png41_basic.plantuml41_basic.pngstartupstartup.html1_overview.plantuml1_overview.png2_catalina_init.plantuml2_catalina_init.png3_catalina_start_1.plantuml3_catalina_start_1.png4_catalina_start_2.plantuml4_catalina_start_2.png5_catalina_start_3.plantuml5_catalina_start_3.png6_catalina_host_config.plantuml6_catalina_host_config.png7_catalina_context_config.plantuml7_catalina_context_config.pngbalancer-howto.htmlbuilding.htmlcdi.htmlcgi-howto.htmlchangelog.htmlclass-loader-howto.htmlcluster-howto.htmlcomments.htmlconfigajp.htmlautomatic-deployment.htmlcluster-channel.htmlcluster-deployer.htmlcluster-interceptor.htmlcluster-listener.htmlcluster-manager.htmlcluster-membership.htmlcluster-receiver.htmlcluster-sender.htmlcluster-valve.htmlcluster.htmlcontext.htmlcookie-processor.htmlcredentialhandler.htmlengine.htmlexecutor.htmlfilter.htmlglobalresources.htmlhost.htmlhttp.htmlhttp2.htmlindex.htmljar-scan-filter.htmljar-scanner.htmljaspic.htmllisteners.htmlloader.htmlmanager.htmlrealm.htmlresources.htmlruntime-attributes.htmlserver.htmlservice.htmlsessionidgenerator.htmlsystemprops.htmlvalve.htmlconnectors.htmldefault-servlet.htmldeployer-howto.htmldevelopers.htmlelapiindex.htmlgraal.htmlhost-manager-howto.htmlhtml-host-manager-howto.htmlhtml-manager-howto.htmlimagesadd.gifasf-logo.svgcode.gifcors-flowchart.pngdesign.gifdocs-stylesheet.cssdocs.giffix.giffontsOpenSans400.woffOpenSans400italic.woffOpenSans600.woffOpenSans600italic.woffOpenSans700.woffOpenSans700italic.wofffonts.csstomcat.giftomcat.pngupdate.gifvoid.gifindex.htmlintroduction.htmljasper-howto.htmljaspicapiindex.htmljdbc-pool.htmljndi-datasource-examples-howto.htmljndi-resources-howto.htmljspapiindex.htmllogging.htmlmanager-howto.htmlmaven-jars.htmlmbeans-descriptors-howto.htmlmbeans-descriptors.dtdmonitoring.htmlproxy-howto.htmlrealm-howto.htmlrewrite.htmlsecurity-howto.htmlsecurity-manager-howto.htmlservletapiindex.htmlsetup.htmlssi-howto.htmlssl-howto.htmltribesdevelopers.htmlfaq.htmlinterceptors.htmlintroduction.htmlmembership.htmlsetup.htmlstatus.htmltransport.htmlvirtual-hosting-howto.htmlweb-socket-howto.htmlwebsocketapiindex.htmlwindows-auth-howto.htmlwindows-service-howto.html/usr/share/tomcat/tomcat-webapps//usr/share/tomcat/tomcat-webapps/docs//usr/share/tomcat/tomcat-webapps/docs/META-INF//usr/share/tomcat/tomcat-webapps/docs/WEB-INF//usr/share/tomcat/tomcat-webapps/docs/WEB-INF/jsp//usr/share/tomcat/tomcat-webapps/docs/annotationapi//usr/share/tomcat/tomcat-webapps/docs/api//usr/share/tomcat/tomcat-webapps/docs/appdev//usr/share/tomcat/tomcat-webapps/docs/appdev/sample//usr/share/tomcat/tomcat-webapps/docs/appdev/sample/docs//usr/share/tomcat/tomcat-webapps/docs/appdev/sample/src//usr/share/tomcat/tomcat-webapps/docs/appdev/sample/src/mypackage//usr/share/tomcat/tomcat-webapps/docs/appdev/sample/web//usr/share/tomcat/tomcat-webapps/docs/appdev/sample/web/WEB-INF//usr/share/tomcat/tomcat-webapps/docs/appdev/sample/web/images//usr/share/tomcat/tomcat-webapps/docs/architecture//usr/share/tomcat/tomcat-webapps/docs/architecture/requestProcess//usr/share/tomcat/tomcat-webapps/docs/architecture/startup//usr/share/tomcat/tomcat-webapps/docs/config//usr/share/tomcat/tomcat-webapps/docs/elapi//usr/share/tomcat/tomcat-webapps/docs/images//usr/share/tomcat/tomcat-webapps/docs/images/fonts//usr/share/tomcat/tomcat-webapps/docs/jaspicapi//usr/share/tomcat/tomcat-webapps/docs/jspapi//usr/share/tomcat/tomcat-webapps/docs/servletapi//usr/share/tomcat/tomcat-webapps/docs/tribes//usr/share/tomcat/tomcat-webapps/docs/websocketapi/-fmessage-length=0 -grecord-gcc-switches -O2 -Wall -D_FORTIFY_SOURCE=2 -fstack-protector-strong -funwind-tables -fasynchronous-unwind-tables -fstack-clash-protection -gobs://build.suse.de/SUSE:Maintenance:43100/SUSE_SLE-15-SP2_Update/ba6ee65a2ca76e13bdfb09ac76beb8b4-tomcat10.SUSE_SLE-15-SP2_Updatedrpmxz5noarch-suse-linux     directoryASCII textXML 1.0 document, ASCII textHTML document, ASCII textHTML document, ASCII text, with very long linesexported SGML document, ASCII textPerl5 module source, ASCII textGIF image data, version 89a, 146 x 92PNG image data, 1682 x 1495, 8-bit/color RGB, non-interlacedPNG image data, 546 x 401, 8-bit/color RGB, non-interlacedPNG image data, 2974 x 2013, 8-bit/color RGB, non-interlacedPNG image data, 1948 x 1360, 8-bit/color RGB, non-interlacedPNG image data, 574 x 1324, 8-bit/color RGB, non-interlacedPNG image data, 1585 x 1915, 8-bit/color RGB, non-interlacedPNG image data, 1667 x 2547, 8-bit/color RGB, non-interlacedPNG image data, 1476 x 2047, 8-bit/color RGB, non-interlacedPNG image data, 2312 x 3480, 8-bit/color RGB, non-interlacedPNG image data, 807 x 1177, 8-bit/color RGB, non-interlacedPNG image data, 786 x 1567, 8-bit/color RGB, non-interlacedHTML document, UTF-8 Unicode text, with very long linesGIF image data, version 89a, 20 x 20SVG Scalable Vector Graphics imagePNG image data, 976 x 756, 8-bit/color RGB, non-interlacedWeb Open Font Format, TrueType, length 21956, version 1.1Web Open Font Format, TrueType, length 21092, version 1.1Web Open Font Format, TrueType, length 22604, version 1.1Web Open Font Format, TrueType, length 21252, version 1.1Web Open Font Format, TrueType, length 22748, version 1.1Web Open Font Format, TrueType, length 21184, version 1.1PNG image data, 146 x 92, 8-bit/color RGBA, non-interlacedGIF image data, version 89a, 1 x 1Eo&l/utf-8f995dbb2893a651565796ef636b960c1a5ba0c07519d4b368de20d225030b691?7zXZ !t/)]"k%3fhn?Q ό$܈ʹZ*kG%HF;ځ":ч3ICNzL}p)r8^7oYo%0-ly[w^y(~+.xVi#3b\A v;a3 FJH|' Tīb>:]DXZlXia:}Rm.hjC9W@&,Epp bkhOϤ-j E*\I0=ݗVck2F"]/ FoG*{σu4qXu<އp7!XEiBo(8NlVs)X>趥;L~P[݆#[\;GW`H8QqmzJ:f<_\ g);pEI!bY㉪,ɏ<ƉʈJOM;|DB'\ n.Bgq:If6+s86:Iz/GZc3{6ű w6a\L[``o:~E)Qܕ; @`ː[)ӁA>0,zt.[):HS؏kϨWq!ϨqXEIٌݡjDKlPm i_)j.*k5~//?i`mR=d߽d>;@DV5ky 3k-TDDr b^.( aM}_7xe"=0A`}+( (a FRZ^pǴ,Zx-|-hx^ct ' x2 k'}ǜ^yVŪHGMDD\)"}VPgKˌ\%?m>MtD_SXSƷ0$]:eǪM6XOo=bX(Aɷ×r){t&%`wTq< {S9f>[yB4Ѫ V]Ӕ GiE1/)WKMh{GǥN`q*BSB{<ik=U!{j)N7ЎGvkvkqPzUE67UmWྨb6E9V{͆w付@5-N6G@C]n YΆtCN {-#genJBM$4 ^RƱc(N^Ww5;3_U?s˩ k|:e%THȳ8Iݏ'a<Ս[ D(s6y;&jPt heyr[ p̐e CDeڔJvlh%XP"YC!cpmdR2Vwf Eu=ܧ랤i;zKſ̾:Rr0IJEۡۄt` %2E({_) ɮ^vsulG˒M@eP~ݨY2ы`0 T o 8Ԛ}q46V9⯹=G٠b=T I-+9&S%^<` !&}"ցd "nhZnjc,jEg+_/Ya?DBQPo?C$¯ Q VSQmVD^Ys QCH4%e?k5a^/WÖ# O?@%;НɆT4re/{bh&, ^?e͟m@9~Q-7(utȁۅYw^xUs5B c H]S@̕8Ǒp3,p1U\VlF\ī2UG*Qg] t;PKrv)ur`)4>Z='`F,)nmX%?wAORmND@`!Pl/jli+_SR;f^~: %vQ>Ͳ1&!kew))yv ,4 V?v9+r5֦X@zW~D #3Qk|N~7SX21Y`m٤\P*w.||`JFG]C$o˜ڜKP@4)wyLA[_7KxWsS|*%`7̔.'z(uqk=2s+ Nx"`K.7siIǏEύ?K4DQ?a(1 n6W*!;LGp{CJDELy3+zRhghQY΁ٖQ%`x<UF8Ӵ lx 8guH*hs%Ɋm]'ܔ*XNnVVǰ6K]G4d:FP:Gp^zg%\ݟk8b@k 7Z NBKF/B'#i !mnu$ಚbji)^mʩqKȡKQCHE/ _m&&?bz;'Z0^)q,q`ݴ3mȟJ u q#Bmoð2:!5\b*ElݵAue@m:yJ6J+9*zWd=% 2TWgAFa׸㴳eō  33S#Gls\wu )^K3[et'b;5*R<+:{ǡ-ʌpo~kedˎd\@^v@ Щ)0XѨCM\"y0֦1A<"b?j@%u<#^`GR>59BRk횰P0^w'N[!y幂i밗E5;"mj+,r]bE-G:z|o ot2h%:x9[ǬU#p"~H-lňhP`#Fơ I w prD&g5W! `u#]6z(dղYy.]L90S-nt9<7:N Xh;$KFvq&N,~Lf_,6*ޅKENNN3 09~HMk,yFsWT?ȴ/iYV@Gaՙ/I"yuϳ,W%hu.>m2|JԽunYrPk3H[ER(YE" yY{.,yC'wc/ #q2eA@Ov_+9(Щc8[ͯtr,4U>+VaQ{?ǮJ#v`^YFApd:3TJyj=M )=۳H s-/m0Gdo~hwtXf!:rimE!Sa:o3'0E<7͇ٸreu\b}젴VKO^v, \nקtA!w֔$wɟKOt;B=ݎ tn'?6氖+-Wl)r rEŏh[{K#6FBXk6jeorK3:#L|&:8nGmM,q5|GwSycly{8`>ќё7#e=䄁m}ﵩU2 *pVC/4ۇ ލ9ojm&M:A6@HHCel5Cz<&eBjYIx m|j\\MI. C̀6I'鷌&7CK-2G(1?7Dg+gY=[#cɶwVOw6fRhlҺ7tU1Y{5I{S"Z,Յ'I1KGAX@=PA=1jSm]b"iyF.A;Y#UxzWN8Z$ۖ~2'02nq!k)m5Q{F+ zr3A,و.2:6M }ue쌔^(~2`1m#F0Qҁ1ۉ؉vxo{i*s mq-%7NĔp- ~Ƴ꾻I1&yZ|edyoq5%HgWF]+yIңk "} 6kܠMˎVTm%>95~Ҝď)5Ř2pzs!+c5on$ /́ <@an,Iwaxŭɬwۅa6!RB=&ɬ37@ț X7uWP\V>c/Qed@  NvTQGg"kz9v^\ CPl*0[чA&x*Hjxcem^^X0NCgvig>eR.zfHHRxt]qy r~3] &V%1̵'B{ T߼fP:b^aYLҫ!w U <3ٳ.cjgn,3;W9F;X3K ٛ:۽VYg9 ~U Vt>@԰?,KzPg-2e6!ebË`r > D88 9_Mnf侰%\U z2n LñZTd9*A(SZ1 Z9`,T(] R<{%QN@ 6i~-TQZM  o& "?z! "˲@8wփ!ШC6[B Ó L%{b%)wj b``s) =Oeghw!o俘|T !dB]o jwf>& !CZCL ϣѴ$J%V:~g%x ^8,kEy',^#Em6ҩJˁw߇J]K+`@v2(YaO3!"=j*(StËYk6}^C0c 4.ZT86m'mf'$T/D.+y^70c*2|bd%C 0k┌{Vpxs 5v|V!#9'0{BEY PKaVxp8{gl@y[VbH^ H|ʵ>?u<#<kE|;{PeQQ:&p'=>a7wO_&SH@ʀCKxt[s8T~(,h.K+lL.ҳ\Vywc1= ϊ"wB4+J |l ;4jqwџe;E~7n(t7>/S,-lsG:3cE%$Kj\a'67X&MFxd{0t%E.zܜm7^vnbjO9W5/y&:>vE+|5c_T{4=,V_? oEj\n:4 ^Tp ңL;)1?>>u0r70jr-Dtw@UwdruTJ;-h*p93jT9~쁔h~kD֊}cor;hЂߎwjUdLĦf)=6Կ[VL/3}l2(#p̖y"5BPyZ ,hs[=! Z`vNLY HU^'98*=uY=a2+Oz+4֜~ YQ4D0NJQ t:vpd]9oͭWJh5ulJ-vF&p ץkVkDȚo}9n`8P?hl+mWXBӓ~i;L; f@WRX~CR'pKDJy~stYiq,!{\(Ay}Y'aK}NB =#$͠m+l@xq)w)]Y\Ѭ!2z5?ˊK-jHy`hb6.,-%{owE(/I`jш`_>׬^u{Fwizw?%4/Ysuk8l&0-]YMt>d]Hq,~sbq!̫lnXj˹ca] !gkqOpt5P%];62@?°)kOտ1Xa4A˅VAp0lw]7Mc$٣;+ܖR4 Ztr?h*g6MI_Sgܡ ;ʀyX.Gnj`8?;r3= QV]ZL'J*t rKy. Jo.&~G߁h6I>s-CU%V͍窵 `K%Oz-e5(),]D6~gXm%<jHn?hasᅼ4ǰ6ҊmLa:-JZ:1|npT/m z;_QU;ëcK/S^R\ԧ#us<O4HFqdۥr?`u{!h&ey=$߫U|DD?pn ,2ݤi Hq57 8?1 .o[3g71(uCm~):seE5?Lݕ#0*@F$x״ 8OnQWS3R[)sCO"0!F|#d;mCɼ[xUyĀx];< F4ĭuOld @fKhQ`,l1˫_$vը8 ]yl~P20j6РO~]k2!;z~7.B"|,4ksʍ ā]jG q)>Op>uojn6˗8e'$0v9w!&bc(^CED>=ŀChkzZ ҝoʪK>f , {8VZ- lshPq$}*BG2" g"?N2hCGUFf8d]La؆^t#l2y]qc<Twdg- jsІUڧl #"UDZ.13η64ӵ q?JRw= ԵvJnO!ˈ*+w;0g?*@)n!~RbLPK>ϿjX154%a۔W oD[r>QC+5S |j\{,[߮|0y`׍م;9" qvSŦڐ,>4A Lc۱+;Gk÷fc;MRu6"%bT~߱#B$0![ĩz.-р.?I`aJ_uuX/lLP*BԐzTEFPՁKcO[ q|זYLpY=`&eF[́w z G`F8dVN̐?T-"h!aݑ{=:qOЅh4ݨb S᜴Rʈ5%u~r'M:,puE;4=WL4Yf>pC%)x&8[J+`Txu$Ɉs2 "aR: &d|0kx.0T=?6ψBO*ER~}tm'!b(~hp==e;))J.UgF_Y|w[|2Q 򭤐{K`X4qgҞcu~6"Yl ߡȯ.j}rd,B;-6[<'c{5CސR`Fx)jYX˂#GԯݭMz SEoǏIq6(4"eTO#;wN*l'R'E0o5]}j3zcc+.AA:%F 97Z(ck]`^eN `W۟_:_21 ?)Vd19F;E3ˈ1$mB'P!?L&Yw:~UڋKyQ_RQj:V$#o8Y?m*!dҴNhQie â-I6ױ2YIƁ.F$eG@gK0e;NAL@"Ay{N VSI&tK0p{{nl(ƨ?5q.I_@!;駟k!W^^p!nT*釶 YZ