import CS tomcat-10.1.49-1.el10.1

.gitignore

@@ -1 +1 @@
-tomcat-10.1.36.redhat-00018-src.zip
+tomcat-10.1.49.redhat-00007-src.zip

build-with-java-25.patch

@@ -0,0 +1,76 @@
+--- build.xml.orig	2026-02-16 10:21:26.627521704 -0500
++++ build.xml	2026-02-16 10:27:47.814614938 -0500
+@@ -977,7 +977,7 @@
+     <javac srcdir="java" destdir="${tomcat.classes}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="11" target="11"
+            encoding="ISO-8859-1"
+            includeAntRuntime="true" >
+       <!-- Uncomment this to show unchecked warnings:
+@@ -1030,7 +1030,7 @@
+     <javac srcdir="java" destdir="${tomcat.classes}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="11" target="11"
+            encoding="ISO-8859-1"
+            includeAntRuntime="true" >
+       <!-- Uncomment this to show unchecked warnings:
+@@ -1047,7 +1047,7 @@
+     <javac srcdir="java" destdir="${tomcat.classes}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${release.java.version}"
++           source="22" target="22"
+            encoding="ISO-8859-1"
+            includeAntRuntime="true"
+            if:set="has-ffm" >
+@@ -1610,7 +1610,7 @@
+     <javac   srcdir="webapps/examples/WEB-INF/classes"
+              destdir="${tomcat.build}/webapps/examples/WEB-INF/classes"
+              debug="${compile.debug}" deprecation="${compile.deprecation}"
+-             release="${compile.release}"
++             source="11" target="11"
+              classpath="${tomcat.classes}"
+              encoding="ISO-8859-1"
+              includeantruntime="false">
+@@ -1839,7 +1839,7 @@
+            destdir="${xreflect.directory}/classes"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="11" target="11"
+            encoding="ISO-8859-1"
+            includeAntRuntime="true" >
+       <compilerarg value="-XDignore.symbol.file"/>
+@@ -1925,7 +1925,7 @@
+     <javac srcdir="test" destdir="${test.classes}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="11" target="11"
+            encoding="ISO-8859-1"
+            includeantruntime="true">
+       <classpath refid="tomcat.test.classpath" />
+--- modules/jdbc-pool/build.xml.orig	2026-02-12 14:28:31.469893115 -0500
++++ modules/jdbc-pool/build.xml	2026-02-12 14:28:44.327503027 -0500
+@@ -163,7 +163,7 @@
+     <javac srcdir="${basedir}/src/main/java" destdir="${tomcat.classes}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="11" target="11"
+            encoding="ISO-8859-1"
+            includeantruntime="false">
+       <classpath refid="tomcat.jdbc.classpath"/>
+@@ -201,7 +201,7 @@
+     <javac srcdir="${basedir}/src/test/java" destdir="${tomcat.testclasses}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="11" target="11"
+            encoding="ISO-8859-1"
+            includeantruntime="false">
+       <classpath refid="tomcat.jdbc.classpath"/>

sources

@@ -1 +1 @@
-SHA512 (tomcat-10.1.36.redhat-00018-src.zip) = d3ab283de966dbeaa4fec372c2e15347101fc6c435883fc14e443051afbe9cad6e044a8ffe8ac8acd096f4e00c94a25b423871eb7dc81e9d837cc23e7cc703fd
+SHA512 (tomcat-10.1.49.redhat-00007-src.zip) = f72bf5cb755e14a0c4555bcdc3db6bef64c8353339699fc321d6ec2162c72b6999807ddbf3910d9a3217c20df7e94baf5b2c9bb5da7e143c776d01589a41dc4a

tomcat.spec

@@ -31,8 +31,8 @@
 %global jspspec 3.1
 %global major_version 10
 %global minor_version 1
-%global micro_version 36
-%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00018-src
+%global micro_version 49
+%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00007-src
 %global servletspec 6.0
 %global elspec 5.0
 %global tcuid 53
@@ -54,7 +54,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       3%{?dist}.1
+Release:       1%{?dist}.1
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       Apache-2.0
@@ -79,20 +79,22 @@ Patch3:        %{name}-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4:        %{name}-%{major_version}.%{minor_version}-bnd-annotation.patch
 Patch5:        %{name}-%{major_version}.%{minor_version}-JDTCompiler.patch
 Patch6:        rhbz-1857043.patch
+# Patch 7 can be dropped when ECJ is updated to a newer version
+Patch7:        build-with-java-25.patch
 
 BuildArch:     noarch
 
 BuildRequires: ant >= 1.10.2
 BuildRequires: ecj >= 4.20
 BuildRequires: findutils
-BuildRequires: java-devel
 BuildRequires: javapackages-local
 BuildRequires: aqute-bnd
 BuildRequires: aqute-bndlib
 BuildRequires: systemd
 BuildRequires: tomcat-jakartaee-migration
+BuildRequires: java-25-devel
 
-Requires:      java-headless
+Requires:      (java-headless or java-25-headless)
 Requires:      javapackages-tools
 Requires:      %{name}-lib = %{epoch}:%{version}-%{release}
 
@@ -204,6 +206,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch 4 -p0
 %patch 5 -p0
 %patch 6 -p0
+%patch 7 -p0
 
 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@@ -221,8 +224,12 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 # so just create a dummy file for later removal
 touch HACK
 
+# Adding JAVA_HOME to always compile with java-25 instead of autodetecting
+export JAVA_HOME=%{_jvmdir}/java-25-openjdk
+export PATH=$JAVA_HOME/bin:$PATH
+
 # who needs a build.properties file anyway
-%{ant} -Dbase.path="." \
+ant -Dbase.path="." \
   -Dbuild.compiler="modern" \
   -Dcommons-daemon.jar="HACK" \
   -Dcommons-daemon.native.src.tgz="HACK" \
@@ -384,6 +391,7 @@ popd
 %mvn_file org.apache.tomcat:tomcat-catalina tomcat/catalina
 %mvn_artifact res/maven/tomcat-catalina.pom ${RPM_BUILD_ROOT}%{libdir}/catalina.jar
 %mvn_artifact res/maven/tomcat-coyote.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-coyote.jar
+%mvn_artifact res/maven/tomcat-coyote-ffm.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-coyote-ffm.jar
 %mvn_artifact res/maven/tomcat-dbcp.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-dbcp.jar
 %mvn_artifact res/maven/tomcat-i18n-cs.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-cs.jar
 %mvn_artifact res/maven/tomcat-i18n-de.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-i18n-de.jar
@@ -543,12 +551,19 @@ exit 0
 %{appdir}/ROOT
 
 %changelog
-* Thu Nov 27 2025 Adam Krajcik <akrajcik@redhat.com> - 1:10.1.36-3.el10_1.1
-- Resolves: RHEL-124494
+* Wed Apr 22 2026 Pietro Meloni <pmeloni@redhat.com> - 1:10.1.36-3.el10_1.1
+- Resolves: RHEL-150719
+  Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734)
+
+* Mon Feb 16 2026 Coty Sutherland <csutherl@redhat.com> - 1:10.1.49-1
+- Resolves: RHEL-150099 Rebase tomcat package to enable PQC features
+
+* Fri Jan 23 2026 Pietro Meloni <pmeloni@redhat.com> - 1:10.1.36-4
+- Resolves: RHEL-124493
   tomcat: Directory traversal via rewrite with possible RCE (CVE-2025-55752)
-- Resolves: RHEL-91729
+- Resolves: RHEL-132560
   tomcat: Bypass of rules in Rewrite Valve (CVE-2025-31651)
-- Resolves: RHEL-132527
+- Resolves: RHEL-132526
   tomcat: Denial of service (CVE-2025-61795)
 
 * Thu Aug 14 2025 Adam Krajcik <akrajcik@redhat.com> - 1:10.1.36-3