Fix multiple CVES

Resolves: RHEL-108486 - CVE-2025-48976 Resolves: RHEL-108494 - CVE-2025-48988 Resolves: RHEL-108502 - CVE-2025-49125 Resolves: RHEL-108510 - CVE-2025-52434 Resolves: RHEL-108524 - CVE-2025-52520 Resolves: RHEL-108518 - CVE-2025-53506
2025-08-12 15:48:56 +02:00 · 2025-08-12 15:48:56 +02:00 · d99e72d1d2
commit d99e72d1d2
parent 252c30ce53
3 changed files with 18 additions and 3 deletions
--- a/.gitignore
+++ b/.gitignore
@ -7,3 +7,4 @@
 /tomcat-9.0.87.redhat-00005-src.zip
 /tomcat-9.0.87.redhat-00008-src.zip
 /tomcat-9.0.87.redhat-00010-src.zip
+/tomcat-9.0.87.redhat-00011-src.zip
--- a/2
+++ b/2
@ -1 +1 @@
-SHA512 (tomcat-9.0.87.redhat-00010-src.zip) = fd65e91c2fd11d48396692e0e88fbba8c2025ec35cbefb29b9b192c516af958ad357a1232e21abd262187d14add45b1441c34d3fa76ac40ba0866febbbfb341d
+SHA512 (tomcat-9.0.87.redhat-00011-src.zip) = a5cd593edb6925ab9bc123faa2476815e61f31a3d22962149c041861bacfeba15fff77d3c56565e8283177fcdc84cf2d1b70b6a60732e9bab154f36cf438912a
--- a/tomcat.spec
+++ b/tomcat.spec
@ -32,7 +32,7 @@
 %global major_version 9
 %global minor_version 0
 %global micro_version 87
-%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00010-src
+%global packdname %{name}-%{major_version}.%{minor_version}.%{micro_version}.redhat-00011-src
 %global servletspec 4.0
 %global elspec 3.0
 %global tcuid 53
@ -56,7 +56,7 @@
 Name:          tomcat
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       1%{?dist}.4
+Release:       1%{?dist}.5
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API

 License:       ASL 2.0
@ -556,6 +556,20 @@ fi


 %changelog
+* Tue Aug 12 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-1.el8_10.5
+- Resolves: RHEL-108486
+  tomcat: Apache Commons FileUpload DOS via part headers (CVE-2025-48976)
+- Resolves: RHEL-108494
+  tomcat: Dos in multipart upload (CVE-2025-48988)
+- Resolves: RHEL-108502
+  tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)
+- Resolves: RHEL-108510
+  tomcat: Denial of service (CVE-2025-52434)
+- Resolves: RHEL-108524
+  tomcat: Denial of service (CVE-2025-52520)
+- Resolves: RHEL-108518
+  tomcat: Denial of service (CVE-2025-53506)
+
 * Mon May 26 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-1.el8_10.4
 - Resolves: RHEL-91761
  tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (CVE-2025-31650)