From 20cf6bbd1baaf82a4894adbdd2a277d5a5c464a0 Mon Sep 17 00:00:00 2001
From: Adam Krajcik <akrajcik@redhat.com>
Date: Wed, 13 Aug 2025 17:40:42 +0200
Subject: [PATCH] Fix multiple CVES

Resolves: RHEL-108900 - CVE-2025-48976
Resolves: RHEL-108902 - CVE-2025-48988
Resolves: RHEL-108904 - CVE-2025-49125
Resolves: RHEL-108908 - CVE-2025-53506
---
 sources     |  2 +-
 tomcat.spec | 14 ++++++++++++--
 2 files changed, 13 insertions(+), 3 deletions(-)

diff --git a/sources b/sources
index c7fa86f..aff5a82 100644
--- a/sources
+++ b/sources
@@ -1 +1 @@
-SHA512 (tomcat-10.1.36.redhat-00007-src.zip) = 2b40fad4c984278a4fa4e25e2ff9ac16866edf49f8b026531f491af1392f3e9315fde24c4fc07d4f4fe12f2ae8d1fa402bf3b4f02ce2a14f448d7076f4cdaa33
+SHA512 (tomcat-10.1.36.redhat-00008-src.zip) = cdfcacf770c4c2f265b33fb88299ea98994fc79d1eb0eb20c7b2b166937179c8690bb4706208311e57c15e08b96809b97b6ca5d99b2182741b106edb46e81bec
diff --git a/tomcat.spec b/tomcat.spec
index ed30461..1bafdc9 100644
--- a/tomcat.spec
+++ b/tomcat.spec
@@ -32,7 +32,7 @@
 %global major_version 10
 %global minor_version 1
 %global micro_version 36
-%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00007-src
+%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00008-src
 %global servletspec 6.0
 %global elspec 5.0
 %global tcuid 53
@@ -54,7 +54,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       1%{?dist}
+Release:       2%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       Apache-2.0
@@ -543,6 +543,16 @@ exit 0
 %{appdir}/ROOT
 
 %changelog
+* Wed Aug 13 2025 Adam Krajcik <akrajcik@redhat.com> - 1:10.1.36-2
+- Resolves: RHEL-108900
+  tomcat: Apache  FileUpload DOS via part headers (CVE-2025-48976)
+- Resolves: RHEL-108902
+  tomcat: Dos in multipart upload (CVE-2025-48988)
+- Resolves: RHEL-108904
+  tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)
+- Resolves: RHEL-108908
+  tomcat: Denial of service (CVE-2025-53506)
+
 * Mon Apr 14 2025 Adam Krajcik <akrajcik@redhat.com> - 1:10.1.36-1
 - Rebase tomcat to 10.1.36
 - Resolves: RHEL-82925