RESOLVES: RHEL-150720 tomcat9: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation

* Add java-25-headless to the BuildRequires & Requires lists & set JAVA_HOME to java-25 to always use it for compiling with java-25
* Add build-with-java-25.patch that replaces the  attribute with explicit  and  attributes in javac tasks to support building with Java 25 JDK while generating appropriate bytecode versions. This enables the build to use Java 25 APIs while producing different bytecode targets, required for PQC support via FFM in Tomcat 9.0.110.
* Drop the JmxRemoteLifecycleListener patch is it's no longer necessary
* Use tar.gz instead of zip for the sources due to line ending issues
* Add rm for commons-daemon.jar from bin

.fmf/version

@@ -0,0 +1 @@
+1

.gitignore

@@ -1 +1,9 @@
-apache-tomcat-9.0.110-src.tar.gz
+results_tomcat9
+*.rpm
+/tomcat-9.0.87.redhat-*-src.zip
+/apache-tomcat-9*-src.tar.gz
+apache-tomcat-*-src
+/tomcat9.iml
+/.idea/.gitignore
+/.idea/modules.xml
+/.idea/vcs.xml

ci.fmf

@@ -0,0 +1 @@
+resultsdb-testcase: separate

gating.yaml

@@ -0,0 +1,6 @@
+--- !Policy
+product_versions:
+  - rhel-10
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}

plans/smoke.fmf

@@ -0,0 +1,9 @@
+summary: Basic smoke test
+prepare:
+  - name: packages
+    how: install
+    package:
+      - tomcat9
+execute:
+    how: tmt
+    script: which tomcat

plans/tier1-internal.fmf

@@ -0,0 +1,11 @@
+summary: Internal Tier1 beakerlib tests.
+discover:
+  - name: rhel
+    how: fmf
+    url: git://pkgs.devel.redhat.com/tests/tomcat9
+    filter: 'tier: 1'
+execute:
+    how: tmt
+adjust:
+    enabled: false
+    when: distro == centos-stream-10

rhel-158962.patch

@@ -1,46 +0,0 @@
-From 93fc51176bbcf643a46cc271b85ff49cbb01f1a6 Mon Sep 17 00:00:00 2001
-From: remm <remm@apache.org>
-Date: Wed, 3 Dec 2025 21:22:54 +0100
-Subject: [PATCH] Avoid possible NPEs when using a TLS enabled custom connector
-
----
- .../org/apache/tomcat/util/net/AbstractJsseEndpoint.java | 9 +++++++++
- webapps/docs/changelog.xml                               | 7 +++++++
- 2 files changed, 16 insertions(+)
-
-diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
-index 1d639176eb17..9a4b8fa37fb5 100644
---- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
-+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
-@@ -127,8 +127,17 @@ protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgum
-     protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers,
-             List<String> clientRequestedApplicationProtocols) {
-         List<String> clientRequestedProtocols = clientRequestedProtocolsThreadLocal.get();
-+        if (clientRequestedProtocols == null) {
-+            clientRequestedProtocols = new ArrayList<String>();
-+        }
-         List<Group> clientSupportedGroups = clientSupportedGroupsThreadLocal.get();
-+        if (clientSupportedGroups == null) {
-+            clientSupportedGroups = new ArrayList<Group>();
-+        }
-         List<SignatureScheme> clientSignatureSchemes = clientSignatureSchemesThreadLocal.get();
-+        if (clientSignatureSchemes == null) {
-+            clientSignatureSchemes = new ArrayList<SignatureScheme>();
-+        }
-
-         SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
-
-diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
-index 9ef3d9b04912..03be8d1358ae 100644
---- a/webapps/docs/changelog.xml
-+++ b/webapps/docs/changelog.xml
-@@ -155,6 +155,9 @@
-         Store HTTP request headers using the original case for the header name
-         rather than forcing it to lower case. (markt)
-       </fix>
-+      <fix>
-+        Avoid possible NPEs when using a TLS enabled custom connector. (remm)
-+      </fix>
-     </changelog>
-   </subsection>
-   <subsection name="Cluster">

rhel-168243.patch

@@ -1,54 +0,0 @@
-diff -up ./java/org/apache/coyote/ajp/Constants.java ./java/org/apache/coyote/ajp/Constants.java
---- ./java/org/apache/coyote/ajp/Constants.java	2025-10-01 04:36:05.000000000 -0400
-+++ ./java/org/apache/coyote/ajp/Constants.java	2026-04-14 15:27:50.820988961 -0400
-@@ -105,7 +105,7 @@
-
-     // Translates integer codes to names of HTTP methods
-     private static final String[] methodTransArray =
--            { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.OPTIONS, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
-+            { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.DELETE, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
-                     Method.MOVE, Method.LOCK, Method.UNLOCK, "ACL", "REPORT", "VERSION-CONTROL", "CHECKIN", "CHECKOUT", "UNCHECKOUT",
-                     "SEARCH", "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY" };
-
-diff -up ./test/org/apache/catalina/realm/TestRealmBase.java ./test/org/apache/catalina/realm/TestRealmBase.java
---- ./test/org/apache/catalina/realm/TestRealmBase.java	2025-10-01 04:36:05.000000000 -0400
-+++ ./test/org/apache/catalina/realm/TestRealmBase.java	2026-04-14 15:27:50.821211035 -0400
-@@ -660,7 +660,7 @@
-         SecurityConstraint deleteConstraint = new SecurityConstraint();
-         deleteConstraint.addAuthRole(ROLE1);
-         SecurityCollection deleteCollection = new SecurityCollection();
--        deleteCollection.addMethod(Method.OPTIONS);
-+        deleteCollection.addMethod(Method.DELETE);
-         deleteCollection.addPatternDecoded("/*");
-         deleteConstraint.addCollection(deleteCollection);
-
-@@ -772,7 +772,7 @@
-
-         // Only user1 should be able to perform a DELETE as only that user has
-         // role1.
--        request.setMethod(Method.OPTIONS);
-+        request.setMethod(Method.DELETE);
-
-         SecurityConstraint[] constraintsDelete =
-                 mapRealm.findSecurityConstraints(request, context);
-diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
---- ./webapps/docs/changelog.xml.orig	2026-04-14 15:48:53.192243701 -0400
-+++ ./webapps/docs/changelog.xml	2026-04-14 15:49:48.893470762 -0400
-@@ -104,6 +104,17 @@
-   They eventually become mixed with the numbered issues (i.e., numbered
-   issues do not "pop up" wrt. others).
- -->
-+<section name="Tomcat 9.0.110-redhat (csutherl)" rtext="">
-+  <subsection name="Coyote">
-+    <changelog>
-+      <fix>
-+        <bug>69848</bug>: Fix copy/paste error that meant DELETE
-+        requests received via the AJP connector were processed as OPTIONS
-+        requests. (markt)
-+      </fix>
-+    </changelog>
-+  </subsection>
-+</section>
- <section name="Tomcat 9.0.110 (remm)" rtext="">
-   <subsection name="Catalina">
-     <changelog>

sources

@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.110-src.tar.gz) = a8fe2c59a801d6fb16ea74019c6fc58c34543d4d25a16d64e929e67c7736f6e16d08ec2061b37f1783ebfa0b1dacfff991e46ed5d24d89300a140cb94449f570
+SHA512 (apache-tomcat-9.0.117-src.tar.gz) = f40854a6ed1f208ccdd3da82527fc806eb9231aebaee86d6987e9699d1d31bb548765241424368708b89bdce01d4558a638532a35932f686d3edabd26951041d

tomcat9.spec

@@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 110
+%global micro_version 117
 %global packdname apache-tomcat-%{major_version}.%{minor_version}.%{micro_version}-src
 %global servletspec 4.0
 %global elspec 3.0
@@ -53,7 +53,7 @@
 Name:          tomcat9
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       3%{?dist}.alma.1
+Release:       1%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       Apache-2.0
@@ -78,13 +78,9 @@ Patch3:        tomcat-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4:        rhbz-1857043.patch
 Patch6:        tomcat-%{major_version}.%{minor_version}-bnd-annotation.patch
 Patch7:        build-with-java-25.patch
-Patch8:        rhel-158962.patch
-Patch9:        rhel-168243.patch
 
 BuildArch:     noarch
 
-ExcludeArch: i686
-
 BuildRequires: ant
 BuildRequires: ecj >= 1:4.10
 BuildRequires: findutils
@@ -214,8 +210,6 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch -P4 -p0
 %patch -P6 -p0
 %patch -P7 -p0
-%patch -P8 -p1
-%patch -P9 -p1
 
 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@@ -638,8 +632,35 @@ fi
 %{appdir}/ROOT
 
 %changelog
-* Tue May 19 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:9.0.110-3.alma.1
-- Exclude i686 architecture from build
+* Thu May 29 2026 Pietro Meloni <pmeloni@redhat.com> - 1:9.0.117-1
+- Resolves: RHEL-150720
+  Tomcat: Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734)
+- Resolves:
+  Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
+- Resolves:
+  Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
+- Resolves:
+  Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
+- Resolves:
+  Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
+- Resolves:
+  Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
+- Resolves:
+  Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
+- Resolves:
+  Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
+- Resolves:
+  Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
+- Resolves:
+  Tomcat: Occasionally open redirect (CVE-2026-25854)
+- Resolves:
+  Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
+- Resolves:
+  Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
+- Resolves:
+  Tomcat: Security constraint bypass (CVE-2026-24733)
+- Resolves:
+  Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)
 
 * Tue Apr 14 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-3
 - Resolves: RHEL-168243 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848)