RESOLVES: RHEL-150720 tomcat9: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation

* Add java-25-headless to the BuildRequires & Requires lists & set JAVA_HOME to java-25 to always use it for compiling with java-25
* Add build-with-java-25.patch that replaces the  attribute with explicit  and  attributes in javac tasks to support building with Java 25 JDK while generating appropriate bytecode versions. This enables the build to use Java 25 APIs while producing different bytecode targets, required for PQC support via FFM in Tomcat 9.0.110.
* Drop the JmxRemoteLifecycleListener patch is it's no longer necessary
* Use tar.gz instead of zip for the sources due to line ending issues
* Add rm for commons-daemon.jar from bin

.gitignore

@@ -1,3 +1,9 @@
-/tomcat-9.0.87.redhat-00005-src.zip
+results_tomcat9
-/tomcat-9.0.87.redhat-00006-src.zip
+*.rpm
-/tomcat-9.0.87.redhat-00008-src.zip
+/tomcat-9.0.87.redhat-*-src.zip
+/apache-tomcat-9*-src.tar.gz
+apache-tomcat-*-src
+/tomcat9.iml
+/.idea/.gitignore
+/.idea/modules.xml
+/.idea/vcs.xml

JmxRemoteLifecycleListener.patch

@@ -1,40 +0,0 @@
-diff --git a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
-index f62f8d1..db19960 100644
---- a/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
-+++ b/java/org/apache/catalina/mbeans/JmxRemoteLifecycleListener.java
-@@ -611,34 +611,28 @@ public class JmxRemoteLifecycleListener extends SSLHostConfig implements Lifecyc
-      * Better to use the internal API than re-invent the wheel.
-      */
-     @SuppressWarnings("restriction")
--    private static class JmxRegistry extends sun.rmi.registry.RegistryImpl {
-+    private static class JmxRegistry {
-         private static final long serialVersionUID = -3772054804656428217L;
-         private final String jmxName;
-         private final Remote jmxServer;
-         public JmxRegistry(int port, RMIClientSocketFactory csf,
-                 RMIServerSocketFactory ssf, String jmxName, Remote jmxServer) throws RemoteException {
--            super(port, csf, ssf);
-             this.jmxName = jmxName;
-             this.jmxServer = jmxServer;
-         }
--        @Override
-         public Remote lookup(String name)
-                 throws RemoteException, NotBoundException {
-             return (jmxName.equals(name)) ? jmxServer : null;
-         }
--        @Override
-         public void bind(String name, Remote obj)
-                 throws RemoteException, AlreadyBoundException, AccessException {
-         }
--        @Override
-         public void unbind(String name)
-                 throws RemoteException, NotBoundException, AccessException {
-         }
--        @Override
-         public void rebind(String name, Remote obj)
-                 throws RemoteException, AccessException {
-         }
--        @Override
-         public String[] list() throws RemoteException {
-             return new String[] { jmxName };
-         }

build-with-java-25.patch

@@ -0,0 +1,76 @@
+--- build.xml.orig	2026-02-12 14:28:31.466893106 -0500
++++ build.xml	2026-02-12 14:28:44.320933346 -0500
+@@ -968,7 +968,7 @@
+     <javac srcdir="java" destdir="${tomcat.classes}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="8" target="8"
+            encoding="ISO-8859-1"
+            includeAntRuntime="true" >
+       <!-- Uncomment this to show unchecked warnings:
+@@ -1021,7 +1021,7 @@
+     <javac srcdir="java" destdir="${tomcat.classes}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="8" target="8"
+            encoding="ISO-8859-1"
+            includeAntRuntime="true" >
+       <!-- Uncomment this to show unchecked warnings:
+@@ -1038,7 +1038,7 @@
+     <javac srcdir="java" destdir="${tomcat.classes}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${release.java.version}"
++           source="22" target="22"
+            encoding="ISO-8859-1"
+            includeAntRuntime="true"
+            if:set="has-ffm" >
+@@ -1577,7 +1577,7 @@
+     <javac   srcdir="webapps/examples/WEB-INF/classes"
+              destdir="${tomcat.build}/webapps/examples/WEB-INF/classes"
+              debug="${compile.debug}" deprecation="${compile.deprecation}"
+-             release="${compile.release}"
++             source="8" target="8"
+              classpath="${tomcat.classes}"
+              encoding="ISO-8859-1"
+              includeantruntime="false">
+@@ -1806,7 +1806,7 @@
+            destdir="${xreflect.directory}/classes"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="8" target="8"
+            encoding="ISO-8859-1"
+            includeAntRuntime="true" >
+       <compilerarg value="-XDignore.symbol.file"/>
+@@ -1892,7 +1892,7 @@
+     <javac srcdir="test" destdir="${test.classes}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="8" target="8"
+            encoding="ISO-8859-1"
+            includeantruntime="true">
+       <classpath refid="tomcat.test.classpath" />
+--- modules/jdbc-pool/build.xml.orig	2026-02-12 14:28:31.469893115 -0500
++++ modules/jdbc-pool/build.xml	2026-02-12 14:28:44.327503027 -0500
+@@ -163,7 +163,7 @@
+     <javac srcdir="${basedir}/src/main/java" destdir="${tomcat.classes}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="8" target="8"
+            encoding="ISO-8859-1"
+            includeantruntime="false">
+       <classpath refid="tomcat.jdbc.classpath"/>
+@@ -201,7 +201,7 @@
+     <javac srcdir="${basedir}/src/test/java" destdir="${tomcat.testclasses}"
+            debug="${compile.debug}"
+            deprecation="${compile.deprecation}"
+-           release="${compile.release}"
++           source="8" target="8"
+            encoding="ISO-8859-1"
+            includeantruntime="false">
+       <classpath refid="tomcat.jdbc.classpath"/>

rhbz-1857043.patch

@@ -1,7 +1,6 @@
-diff -up ./build.xml.orig ./build.xml
+--- build.xml.orig	2026-02-11 15:17:18.947314996 -0500
---- build.xml.orig	2021-07-07 10:53:55.493742841 +0800
++++ build.xml	2026-02-11 15:17:23.675329041 -0500
-+++ build.xml	2021-07-07 11:09:43.107968515 +0800
+@@ -1116,7 +1116,7 @@
-@@ -1020,7 +1020,7 @@
        filesDir="${tomcat.classes}"
        filesId="files.annotations-api"
        manifest="${tomcat.manifests}/annotations-api.jar.manifest"
@@ -10,7 +9,7 @@ diff -up ./build.xml.orig ./build.xml
  
      <!-- Servlet Implementation JAR File -->
      <jarIt jarfile="${servlet-api.jar}"
-@@ -1029,41 +1029,41 @@
+@@ -1125,41 +1125,41 @@
        manifest="${tomcat.manifests}/servlet-api.jar.manifest"
        notice="${tomcat.manifests}/servlet-api.jar.notice"
        license="${tomcat.manifests}/servlet-api.jar.license"
@@ -58,7 +57,7 @@ diff -up ./build.xml.orig ./build.xml
  
      <!-- Bootstrap JAR File -->
      <jarIt jarfile="${bootstrap.jar}"
-@@ -1075,61 +1075,61 @@
+@@ -1171,68 +1171,68 @@
      <jarIt jarfile="${tomcat-util.jar}"
        filesDir="${tomcat.classes}"
        filesId="files.tomcat-util"
@@ -90,6 +89,14 @@ diff -up ./build.xml.orig ./build.xml
        filesDir="${tomcat.classes}"
        filesId="files.tomcat-coyote"
 -      addOSGi="true" />
++      addOSGi="false" />
+
+     <!-- OpenSSL FFM - Coyote -->
+     <jarIt jarfile="${tomcat-coyote-ffm.jar}"
+       filesDir="${tomcat.classes}"
+       filesId="files.tomcat-coyote-ffm"
+       manifest="${tomcat.manifests}/tomcat-coyote-ffm.jar.manifest"
+-      addOSGi="true" />
 +      addOSGi="false" />
  
      <!-- WebSocket implementation JAR File -->
@@ -130,7 +137,7 @@ diff -up ./build.xml.orig ./build.xml
  
      <!-- Catalina Ant Tasks JAR File -->
      <jarIt jarfile="${catalina-ant.jar}"
-@@ -1140,27 +1140,27 @@
+@@ -1243,27 +1243,27 @@
      <jarIt jarfile="${catalina-storeconfig.jar}"
        filesDir="${tomcat.classes}"
        filesId="files.catalina-storeconfig"
@@ -162,7 +169,7 @@ diff -up ./build.xml.orig ./build.xml
  
      <!-- i18n JARs -->
      <jar jarfile="${tomcat.build}/lib/tomcat-i18n-cs.jar"
-@@ -1620,7 +1620,7 @@
+@@ -1716,7 +1716,7 @@
             filesId="files.tomcat-embed-core"
             notice="${tomcat.manifests}/servlet-api.jar.notice"
             license="${tomcat.manifests}/servlet-api.jar.license"
@@ -171,7 +178,7 @@ diff -up ./build.xml.orig ./build.xml
             addGraal="true"
             graalPrefix="org.apache.tomcat.embed/tomcat-embed-core"
             graalFiles="res/graal/tomcat-embed-core/native-image"
-@@ -1628,7 +1628,7 @@
+@@ -1724,7 +1724,7 @@
      <jarIt jarfile="${tomcat-embed-el.jar}"
             filesDir="${tomcat.classes}"
             filesId="files.tomcat-embed-el"
@@ -180,7 +187,7 @@ diff -up ./build.xml.orig ./build.xml
             addGraal="true"
             graalPrefix="org.apache.tomcat.embed/tomcat-embed-el"
             graalFiles="res/graal/tomcat-embed-el/native-image"
-@@ -1637,7 +1637,7 @@
+@@ -1733,7 +1733,7 @@
             filesDir="${tomcat.classes}"
             filesId="files.tomcat-embed-jasper"
             meta-inf="${tomcat.manifests}/jasper.jar"
@@ -189,7 +196,7 @@ diff -up ./build.xml.orig ./build.xml
             addGraal="true"
             graalPrefix="org.apache.tomcat.embed/tomcat-embed-jasper"
             graalFiles="res/graal/tomcat-embed-jasper/native-image"
-@@ -1646,7 +1646,7 @@
+@@ -1742,7 +1742,7 @@
             filesDir="${tomcat.classes}"
             filesId="files.tomcat-embed-websocket"
             meta-inf="${tomcat.manifests}/tomcat-websocket.jar"

sources

@@ -1 +1 @@
-SHA512 (tomcat-9.0.87.redhat-00008-src.zip) = 5863c033928427db91d1ecf92485641aa3de8d0bf38dd23293c6d86667da46df77b592342031f7caf915a52ed87a415a1d88937809a0b799a17b5901ceda03c2
+SHA512 (apache-tomcat-9.0.117-src.tar.gz) = f40854a6ed1f208ccdd3da82527fc806eb9231aebaee86d6987e9699d1d31bb548765241424368708b89bdce01d4558a638532a35932f686d3edabd26951041d

tomcat-server

@@ -10,7 +10,8 @@ OPTIONS="-Dcatalina.base=$CATALINA_BASE \
 -Djava.endorsed.dirs=$JAVA_ENDORSED_DIRS \
 -Djava.io.tmpdir=$CATALINA_TMPDIR \
 -Djava.util.logging.config.file=${LOGGING_PROPERTIES} \
--Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager"
+-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager \
+-Dsun.io.useCanonCaches=false"
 
 if [ "$1" = "start" ] ; then
   FLAGS="${FLAGS} $CATALINA_OPTS"

tomcat9.spec

@@ -31,8 +31,8 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 87
+%global micro_version 117
-%global packdname tomcat-%{major_version}.%{minor_version}.%{micro_version}.redhat-00008-src
+%global packdname apache-tomcat-%{major_version}.%{minor_version}.%{micro_version}-src
 %global servletspec 4.0
 %global elspec 3.0
 %global tcuid 53
@@ -53,12 +53,12 @@
 Name:          tomcat9
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       5%{?dist}
+Release:       1%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       Apache-2.0
 URL:           http://tomcat.apache.org/
-Source0:       %{packdname}.zip
+Source0:       %{packdname}.tar.gz
 Source1:       tomcat-%{major_version}.%{minor_version}.conf
 Source3:       tomcat-%{major_version}.%{minor_version}.sysconfig
 Source4:       tomcat-%{major_version}.%{minor_version}.wrapper
@@ -77,20 +77,20 @@ Patch1:        tomcat-%{major_version}.%{minor_version}-tomcat-users-webapp.patc
 Patch3:        tomcat-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4:        rhbz-1857043.patch
 Patch6:        tomcat-%{major_version}.%{minor_version}-bnd-annotation.patch
-Patch7:        JmxRemoteLifecycleListener.patch
+Patch7:        build-with-java-25.patch
 
 BuildArch:     noarch
 
 BuildRequires: ant
 BuildRequires: ecj >= 1:4.10
 BuildRequires: findutils
-BuildRequires: java-devel
 BuildRequires: javapackages-local
 BuildRequires: aqute-bnd
 BuildRequires: aqute-bndlib
 BuildRequires: systemd
+BuildRequires: java-25-devel
 
-Requires:      java-headless
+Requires:      (java-headless or java-25-headless)
 Requires:      javapackages-tools
 Requires:      %{name}-lib = %{epoch}:%{version}-%{release}
 
@@ -199,7 +199,7 @@ Obsoletes: tomcat-webapps < 1:10.0.0-1
 The ROOT web application for Apache Tomcat.
 
 %prep
-%setup -q -n apache-%{packdname}
+%setup -q -n %{packdname}
 # remove pre-built binaries and windows files
 find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "*.gz" -o \
    -name "*.jar" -o -name "*.war" -o -name "*.zip" \) -delete
@@ -209,7 +209,7 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch -P3 -p0
 %patch -P4 -p0
 %patch -P6 -p0
-%patch -P7 -p1
+%patch -P7 -p0
 
 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@@ -229,8 +229,12 @@ export OPT_JAR_LIST="xalan-j2-serializer"
 # so just create a dummy file for later removal
 touch HACK
 
+# Adding JAVA_HOME to always compile with java-25 instead of autodetecting
+export JAVA_HOME=%{_jvmdir}/java-25-openjdk
+export PATH=$JAVA_HOME/bin:$PATH
+
 # who needs a build.properties file anyway
-%{ant} -Dbase.path="." \
+ant -Dbase.path="." \
   -Dbuild.compiler="modern" \
   -Dcommons-daemon.jar="HACK" \
   -Dcommons-daemon.native.src.tgz="HACK" \
@@ -249,6 +253,9 @@ touch HACK
 
 # remove some jars that we'll replace with symlinks later
 %{__rm} output/build/lib/ecj.jar
+# Cleanup commons-daemon.jar that somehow appeared since last build, but is unnecessary
+%{__rm} -rf output/build/bin/commons-daemon.jar
+
 # Remove the example webapps per Apache Tomcat Security Considerations
 # see https://tomcat.apache.org/tomcat-9.0-doc/security-howto.html
 %{__rm} -rf output/build/webapps/examples
@@ -396,6 +403,9 @@ popd
 %mvn_file org.apache.tomcat:tomcat-coyote tomcat/tomcat-coyote
 %mvn_artifact res/maven/tomcat-coyote.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-coyote.jar
 
+%mvn_file org.apache.tomcat:tomcat-coyote-ffm tomcat/tomcat-coyote-ffm
+%mvn_artifact res/maven/tomcat-coyote-ffm.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-coyote-ffm.jar
+
 %mvn_file org.apache.tomcat:tomcat-dbcp tomcat/tomcat-dbcp
 %mvn_artifact res/maven/tomcat-dbcp.pom ${RPM_BUILD_ROOT}%{libdir}/tomcat-dbcp.jar
 
@@ -622,6 +632,76 @@ fi
 %{appdir}/ROOT
 
 %changelog
+* Thu May 29 2026 Pietro Meloni <pmeloni@redhat.com> - 1:9.0.117-1
+- Resolves: RHEL-150720
+  Tomcat: Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734)
+- Resolves:
+  Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
+- Resolves:
+  Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
+- Resolves:
+  Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
+- Resolves:
+  Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
+- Resolves:
+  Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
+- Resolves:
+  Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
+- Resolves:
+  Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
+- Resolves:
+  Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
+- Resolves:
+  Tomcat: Occasionally open redirect (CVE-2026-25854)
+- Resolves:
+  Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
+- Resolves:
+  Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
+- Resolves:
+  Tomcat: Security constraint bypass (CVE-2026-24733)
+- Resolves:
+  Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)
+
+* Tue Apr 14 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-3
+- Resolves: RHEL-168243 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848)
+
+* Mon Mar 23 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-2
+- Resolves: RHEL-158962 NPE in tomcat9 when used with TLS enabled custom connector
+
+* Wed Feb 11 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-1
+- Resolves: RHEL-148687
+  Update to 9.0.110 and compile with Java 25 to enable FFM features for PQC support
+
+* Fri Jan 23 2026 Pietro Meloni <pmeloni@redhat.com> - 1:9.0.87-9
+- Resolves: RHEL-124496
+  tomcat: Directory traversal via rewrite with possible RCE (CVE-2025-55752)
+- Resolves: RHEL-132559
+  tomcat: Bypass of rules in Rewrite Valve (CVE-2025-31651)
+
+* Mon Aug 18 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-8
+- Resolves: RHEL-102186
+  tomcat: http/2 "MadeYouReset" DoS attack through HTTP/2 control frames (CVE-2025-48989)
+
+* Wed Aug 13 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-7
+- Resolves: RHEL-108485
+  tomcat: Apache Commons FileUpload DOS via part headers (CVE-2025-48976)
+- Resolves: RHEL-108493
+  tomcat: Dos in multipart upload (CVE-2025-48988)
+- Resolves: RHEL-108501
+  tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)
+- Resolves: RHEL-108509
+  tomcat: Denial of service (CVE-2025-52434)
+- Resolves: RHEL-108522
+  tomcat: Denial of service (CVE-2025-52520)
+- Resolves: RHEL-108517
+  tomcat: Denial of service (CVE-2025-53506)
+
+* Mon May 26 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-5.el10_0.1
+- Resolves: RHEL-91750
+  tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (CVE-2025-31650)
+- Resolves: RHEL-94960
+  tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation (CVE-2024-56337)
+
 * Mon Apr 14 2025 Adam Krajcik <akrajcik@redhat.com> - 1:9.0.87-5
 - Resolves: RHEL-82927
   tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)