Fix CVE-2025-31651, CVE-2025-55752 and CVE-2025-61795

Resolves: RHEL-124493 - tomcat: Directory traversal via rewrite with possible RCE
Resolves: RHEL-132560 - tomcat: Bypass of rules in Rewrite Valve
Resolves: RHEL-132525 - tomcat: Denial of service

sources

@@ -1 +1 @@
-SHA512 (tomcat-10.1.36.redhat-00009-src.zip) = d1a9f6ef73d5ce3df746decd6033bbdc7e81a0a37e01c530e8658cb9dbf8742ca1ddb7916534a0e07572b514f8bfe557314aae61aa577c09a356ac399d653974
+SHA512 (tomcat-10.1.36.redhat-00018-src.zip) = d3ab283de966dbeaa4fec372c2e15347101fc6c435883fc14e443051afbe9cad6e044a8ffe8ac8acd096f4e00c94a25b423871eb7dc81e9d837cc23e7cc703fd

tomcat.spec

@@ -32,7 +32,7 @@
 %global major_version 10
 %global minor_version 1
 %global micro_version 36
-%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00009-src
+%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00018-src
 %global servletspec 6.0
 %global elspec 5.0
 %global tcuid 53
@@ -54,7 +54,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       3%{?dist}
+Release:       4%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       Apache-2.0
@@ -543,6 +543,14 @@ exit 0
 %{appdir}/ROOT
 
 %changelog
+* Fri Jan 23 2026 Pietro Meloni - 1:10.1.36-4
+- Resolves: RHEL-124493
+  tomcat: Directory traversal via rewrite with possible RCE (CVE-2025-55752)
+- Resolves: RHEL-132560
+  tomcat: Bypass of rules in Rewrite Valve (CVE-2025-31651)
+- Resolves: RHEL-132526
+  tomcat: Denial of service (CVE-2025-61795)
+
 * Thu Aug 14 2025 Adam Krajcik <akrajcik@redhat.com> - 1:10.1.36-3
 - Resolves: RHEL-102184
   tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-48989)