SOLVES RHEL-150720 tomcat9: Apache Tomcat: Certificate revocation bypass due to improper OCSP response validation

.gitignore

@@ -1,10 +1,9 @@
 results_tomcat9
 *.rpm
-/tomcat-9.0.87.redhat-00005-src.zip
-/tomcat-9.0.87.redhat-00006-src.zip
-/tomcat-9.0.87.redhat-00008-src.zip
-/tomcat-9.0.87.redhat-00010-src.zip
-/tomcat-9.0.87.redhat-00011-src.zip
-/tomcat-9.0.87.redhat-00012-src.zip
-/tomcat-9.0.87.redhat-00013-src.zip
-/apache-tomcat-9.0.110-src.tar.gz
+/tomcat-9.0.87.redhat-*-src.zip
+/apache-tomcat-9*-src.tar.gz
+apache-tomcat-*-src
+/tomcat9.iml
+/.idea/.gitignore
+/.idea/modules.xml
+/.idea/vcs.xml

rhel-168243.patch

@@ -0,0 +1,34 @@
+diff -up ./java/org/apache/coyote/ajp/Constants.java ./java/org/apache/coyote/ajp/Constants.java
+--- ./java/org/apache/coyote/ajp/Constants.java	2025-10-01 04:36:05.000000000 -0400
++++ ./java/org/apache/coyote/ajp/Constants.java	2026-04-14 15:27:50.820988961 -0400
+@@ -105,7 +105,7 @@
+
+     // Translates integer codes to names of HTTP methods
+     private static final String[] methodTransArray =
+-            { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.OPTIONS, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
++            { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.DELETE, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
+                     Method.MOVE, Method.LOCK, Method.UNLOCK, "ACL", "REPORT", "VERSION-CONTROL", "CHECKIN", "CHECKOUT", "UNCHECKOUT",
+                     "SEARCH", "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY" };
+
+diff -up ./test/org/apache/catalina/realm/TestRealmBase.java ./test/org/apache/catalina/realm/TestRealmBase.java
+--- ./test/org/apache/catalina/realm/TestRealmBase.java	2025-10-01 04:36:05.000000000 -0400
++++ ./test/org/apache/catalina/realm/TestRealmBase.java	2026-04-14 15:27:50.821211035 -0400
+@@ -660,7 +660,7 @@
+         SecurityConstraint deleteConstraint = new SecurityConstraint();
+         deleteConstraint.addAuthRole(ROLE1);
+         SecurityCollection deleteCollection = new SecurityCollection();
+-        deleteCollection.addMethod(Method.OPTIONS);
++        deleteCollection.addMethod(Method.DELETE);
+         deleteCollection.addPatternDecoded("/*");
+         deleteConstraint.addCollection(deleteCollection);
+
+@@ -772,7 +772,7 @@
+
+         // Only user1 should be able to perform a DELETE as only that user has
+         // role1.
+-        request.setMethod(Method.OPTIONS);
++        request.setMethod(Method.DELETE);
+
+         SecurityConstraint[] constraintsDelete =
+                 mapRealm.findSecurityConstraints(request, context);
+

tomcat9.spec

@@ -53,7 +53,7 @@
 Name:          tomcat9
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       2%{?dist}
+Release:       4%{?dist}
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       Apache-2.0
@@ -79,6 +79,8 @@ Patch4:        rhbz-1857043.patch
 Patch6:        tomcat-%{major_version}.%{minor_version}-bnd-annotation.patch
 Patch7:        build-with-java-25.patch
 Patch8:        rhel-158962.patch
+Patch9:        rhel-168243.patch
+Patch10:        rhel-150720.patch
 
 BuildArch:     noarch
 
@@ -212,6 +214,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch -P6 -p0
 %patch -P7 -p0
 %patch -P8 -p1
+%patch -P9 -p1
+%patch -P10 -p1
 
 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@@ -634,6 +638,13 @@ fi
 %{appdir}/ROOT
 
 %changelog
+* Thu Apr 16 2026 Pietro Meloni <pmeloni@redhat.com> - 1:9.0.110-4
+- Resolves: RHEL-150720
+  Tomcat: Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734)
+
+* Tue Apr 14 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-3
+- Resolves: RHEL-168243 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848)
+
 * Mon Mar 23 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-2
 - Resolves: RHEL-158962 NPE in tomcat9 when used with TLS enabled custom connector