diff --git a/.gitignore b/.gitignore
index d347a63..ad2b66c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-tomcat-10.1.49.redhat-00007-src.zip
+tomcat-10.1.49.redhat-00011-src.zip
diff --git a/rhbz-1857043.patch b/rhbz-1857043.patch
index 31ca1df..055d918 100644
--- a/rhbz-1857043.patch
+++ b/rhbz-1857043.patch
@@ -1,21 +1,21 @@
--- build.xml.orig
+++ build.xml
-@@ -1124,7 +1124,7 @@
+@@ -1138,7 +1138,7 @@
filesDir="${tomcat.classes}"
filesId="files.annotations-api"
manifest="${tomcat.manifests}/annotations-api.jar.manifest"
- addOSGi="true" />
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
-
-
-+ addOSGi="false" />
-
-
+
+
+
+@@ -1258,7 +1258,7 @@
+ addOSGi="false" />
-
-
-
-+ addOSGi="false" />
-
-
+
+
+
+@@ -1279,7 +1279,7 @@
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
+ addOSGi="false" />
-
+
= 1.10.2
BuildRequires: ecj >= 4.20
@@ -220,6 +221,9 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
%mvn_alias "org.apache.tomcat:tomcat-jsp-api" "jakarta.servlet:jakarta.servlet.jsp"
%mvn_package ":tomcat-servlet-api" tomcat-servlet-api
+%pom_remove_dep org.apache.tomcat:tomcat-tribes res/maven/tomcat-storeconfig.pom
+%pom_remove_dep org.apache.tomcat:tomcat-catalina-ha res/maven/tomcat-storeconfig.pom
+
%build
# we don't care about the tarballs and we're going to replace jars
@@ -287,6 +291,10 @@ pushd output/build
%{__cp} -a webapps/* ${RPM_BUILD_ROOT}%{appdir}
popd
+# Clustering is unsupported in RHEL
+rm -f ${RPM_BUILD_ROOT}%{libdir}/catalina-ha.jar
+rm -f ${RPM_BUILD_ROOT}%{libdir}/catalina-tribes.jar
+
%{__sed} -e "s|\@\@\@TCHOME\@\@\@|%{homedir}|g" \
-e "s|\@\@\@TCTEMP\@\@\@|%{tempdir}|g" \
-e "s|\@\@\@LIBDIR\@\@\@|%{_libdir}|g" %{SOURCE1} \
@@ -388,8 +396,6 @@ popd
%mvn_artifact res/maven/tomcat-api.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-api.jar
%mvn_file org.apache.tomcat:tomcat-catalina-ant tomcat/catalina-ant
%mvn_artifact res/maven/tomcat-catalina-ant.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ant.jar
-%mvn_file org.apache.tomcat:tomcat-catalina-ha tomcat/catalina-ha
-%mvn_artifact res/maven/tomcat-catalina-ha.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ha.jar
%mvn_file org.apache.tomcat:tomcat-catalina tomcat/catalina
%mvn_artifact res/maven/tomcat-catalina.pom ${RPM_BUILD_ROOT}%{libdir}/catalina.jar
%mvn_artifact res/maven/tomcat-coyote.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-coyote.jar
@@ -417,8 +423,6 @@ popd
%mvn_artifact res/maven/tomcat-ssi.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-ssi.jar
%mvn_file org.apache.tomcat:tomcat-storeconfig tomcat/catalina-storeconfig
%mvn_artifact res/maven/tomcat-storeconfig.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-storeconfig.jar
-%mvn_file org.apache.tomcat:tomcat-tribes tomcat/catalina-tribes
-%mvn_artifact res/maven/tomcat-tribes.pom ${RPM_BUILD_ROOT}%{libdir}/catalina-tribes.jar
%mvn_artifact res/maven/tomcat-util-scan.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-util-scan.jar
%mvn_artifact res/maven/tomcat-util.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-util.jar
%mvn_file org.apache.tomcat:tomcat-websocket-api tomcat/websocket-api
@@ -553,9 +557,20 @@ exit 0
%{appdir}/ROOT
%changelog
-* Tue May 19 2026 Eduard Abdullin - 1:10.1.49-1.1.alma.1
+* Fri Jul 10 2026 Eduard Abdullin - 1:10.1.49-3.alma.1
- Exclude i686 architecture from build
+* Mon Jul 6 2026 Pietro Meloni - 1:10.1.49-3
+- Related: RHEL-168577 Remove unnecessary patch
+
+* Thu Jun 4 2026 Pietro Meloni - 1:10.1.49-2
+- Resolves: RHEL-168577 Remove tomcat clustering JAR from RPM builds
+ Resolves: CVE-2026-29146
+ tomcat: Apache Tomcat: Information disclosure via Padding Oracle vulnerability in EncryptInterceptor
+ Resolves: CVE-2026-34486
+ tomcat: Apache Tomcat: Missing Encryption of Sensitive Data due to EncryptInterceptor bypass
+
+
* Wed Apr 22 2026 Pietro Meloni - 1:10.1.36-3.el10_1.1
- Resolves: RHEL-150719
Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734)
@@ -571,6 +586,9 @@ exit 0
- Resolves: RHEL-132526
tomcat: Denial of service (CVE-2025-61795)
+* Mon Dec 15 2025 Eduard Abdullin - 1:10.1.36-4
+- Exclude i686 architecture from build
+
* Thu Aug 14 2025 Adam Krajcik - 1:10.1.36-3
- Resolves: RHEL-102184
tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-48989)