Exclude i686 architecture from build

.fmf/version

@@ -1 +0,0 @@
-1

.gitignore

@@ -1,9 +1 @@
-results_tomcat9
-*.rpm
-/tomcat-9.0.87.redhat-*-src.zip
-/apache-tomcat-9*-src.tar.gz
-apache-tomcat-*-src
-/tomcat9.iml
-/.idea/.gitignore
-/.idea/modules.xml
-/.idea/vcs.xml
+apache-tomcat-9.0.110-src.tar.gz

ci.fmf

@@ -1 +0,0 @@
-resultsdb-testcase: separate

gating.yaml

@@ -1,6 +0,0 @@
---- !Policy
-product_versions:
-  - rhel-10
-decision_context: osci_compose_gate
-rules:
-  - !PassingTestCaseRule {test_case_name: osci.brew-build./plans/tier1-internal.functional}

plans/smoke.fmf

@@ -1,9 +0,0 @@
-summary: Basic smoke test
-prepare:
-  - name: packages
-    how: install
-    package:
-      - tomcat9
-execute:
-    how: tmt
-    script: which tomcat

plans/tier1-internal.fmf

@@ -1,11 +0,0 @@
-summary: Internal Tier1 beakerlib tests.
-discover:
-  - name: rhel
-    how: fmf
-    url: git://pkgs.devel.redhat.com/tests/tomcat9
-    filter: 'tier: 1'
-execute:
-    how: tmt
-adjust:
-    enabled: false
-    when: distro == centos-stream-10

rhel-158962.patch

@@ -0,0 +1,46 @@
+From 93fc51176bbcf643a46cc271b85ff49cbb01f1a6 Mon Sep 17 00:00:00 2001
+From: remm <remm@apache.org>
+Date: Wed, 3 Dec 2025 21:22:54 +0100
+Subject: [PATCH] Avoid possible NPEs when using a TLS enabled custom connector
+
+---
+ .../org/apache/tomcat/util/net/AbstractJsseEndpoint.java | 9 +++++++++
+ webapps/docs/changelog.xml                               | 7 +++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+index 1d639176eb17..9a4b8fa37fb5 100644
+--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
++++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+@@ -127,8 +127,17 @@ protected void createSSLContext(SSLHostConfig sslHostConfig) throws IllegalArgum
+     protected SSLEngine createSSLEngine(String sniHostName, List<Cipher> clientRequestedCiphers,
+             List<String> clientRequestedApplicationProtocols) {
+         List<String> clientRequestedProtocols = clientRequestedProtocolsThreadLocal.get();
++        if (clientRequestedProtocols == null) {
++            clientRequestedProtocols = new ArrayList<String>();
++        }
+         List<Group> clientSupportedGroups = clientSupportedGroupsThreadLocal.get();
++        if (clientSupportedGroups == null) {
++            clientSupportedGroups = new ArrayList<Group>();
++        }
+         List<SignatureScheme> clientSignatureSchemes = clientSignatureSchemesThreadLocal.get();
++        if (clientSignatureSchemes == null) {
++            clientSignatureSchemes = new ArrayList<SignatureScheme>();
++        }
+
+         SSLHostConfig sslHostConfig = getSSLHostConfig(sniHostName);
+
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 9ef3d9b04912..03be8d1358ae 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -155,6 +155,9 @@
+         Store HTTP request headers using the original case for the header name
+         rather than forcing it to lower case. (markt)
+       </fix>
++      <fix>
++        Avoid possible NPEs when using a TLS enabled custom connector. (remm)
++      </fix>
+     </changelog>
+   </subsection>
+   <subsection name="Cluster">

rhel-168243.patch

@@ -0,0 +1,54 @@
+diff -up ./java/org/apache/coyote/ajp/Constants.java ./java/org/apache/coyote/ajp/Constants.java
+--- ./java/org/apache/coyote/ajp/Constants.java	2025-10-01 04:36:05.000000000 -0400
++++ ./java/org/apache/coyote/ajp/Constants.java	2026-04-14 15:27:50.820988961 -0400
+@@ -105,7 +105,7 @@
+
+     // Translates integer codes to names of HTTP methods
+     private static final String[] methodTransArray =
+-            { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.OPTIONS, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
++            { Method.OPTIONS, Method.GET, Method.HEAD, Method.POST, Method.PUT, Method.DELETE, Method.TRACE, Method.TRACE, Method.PROPPATCH, Method.MKCOL, Method.COPY,
+                     Method.MOVE, Method.LOCK, Method.UNLOCK, "ACL", "REPORT", "VERSION-CONTROL", "CHECKIN", "CHECKOUT", "UNCHECKOUT",
+                     "SEARCH", "MKWORKSPACE", "UPDATE", "LABEL", "MERGE", "BASELINE-CONTROL", "MKACTIVITY" };
+
+diff -up ./test/org/apache/catalina/realm/TestRealmBase.java ./test/org/apache/catalina/realm/TestRealmBase.java
+--- ./test/org/apache/catalina/realm/TestRealmBase.java	2025-10-01 04:36:05.000000000 -0400
++++ ./test/org/apache/catalina/realm/TestRealmBase.java	2026-04-14 15:27:50.821211035 -0400
+@@ -660,7 +660,7 @@
+         SecurityConstraint deleteConstraint = new SecurityConstraint();
+         deleteConstraint.addAuthRole(ROLE1);
+         SecurityCollection deleteCollection = new SecurityCollection();
+-        deleteCollection.addMethod(Method.OPTIONS);
++        deleteCollection.addMethod(Method.DELETE);
+         deleteCollection.addPatternDecoded("/*");
+         deleteConstraint.addCollection(deleteCollection);
+
+@@ -772,7 +772,7 @@
+
+         // Only user1 should be able to perform a DELETE as only that user has
+         // role1.
+-        request.setMethod(Method.OPTIONS);
++        request.setMethod(Method.DELETE);
+
+         SecurityConstraint[] constraintsDelete =
+                 mapRealm.findSecurityConstraints(request, context);
+diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
+--- ./webapps/docs/changelog.xml.orig	2026-04-14 15:48:53.192243701 -0400
++++ ./webapps/docs/changelog.xml	2026-04-14 15:49:48.893470762 -0400
+@@ -104,6 +104,17 @@
+   They eventually become mixed with the numbered issues (i.e., numbered
+   issues do not "pop up" wrt. others).
+ -->
++<section name="Tomcat 9.0.110-redhat (csutherl)" rtext="">
++  <subsection name="Coyote">
++    <changelog>
++      <fix>
++        <bug>69848</bug>: Fix copy/paste error that meant DELETE
++        requests received via the AJP connector were processed as OPTIONS
++        requests. (markt)
++      </fix>
++    </changelog>
++  </subsection>
++</section>
+ <section name="Tomcat 9.0.110 (remm)" rtext="">
+   <subsection name="Catalina">
+     <changelog>

sources

@@ -1 +1 @@
-SHA512 (apache-tomcat-9.0.117-src.tar.gz) = f40854a6ed1f208ccdd3da82527fc806eb9231aebaee86d6987e9699d1d31bb548765241424368708b89bdce01d4558a638532a35932f686d3edabd26951041d
+SHA512 (apache-tomcat-9.0.110-src.tar.gz) = a8fe2c59a801d6fb16ea74019c6fc58c34543d4d25a16d64e929e67c7736f6e16d08ec2061b37f1783ebfa0b1dacfff991e46ed5d24d89300a140cb94449f570

tomcat9.spec

@@ -31,7 +31,7 @@
 %global jspspec 2.3
 %global major_version 9
 %global minor_version 0
-%global micro_version 117
+%global micro_version 110
 %global packdname apache-tomcat-%{major_version}.%{minor_version}.%{micro_version}-src
 %global servletspec 4.0
 %global elspec 3.0
@@ -53,7 +53,7 @@
 Name:          tomcat9
 Epoch:         1
 Version:       %{major_version}.%{minor_version}.%{micro_version}
-Release:       1%{?dist}
+Release:       3%{?dist}.alma.1
 Summary:       Apache Servlet/JSP Engine, RI for Servlet %{servletspec}/JSP %{jspspec} API
 
 License:       Apache-2.0
@@ -78,9 +78,13 @@ Patch3:        tomcat-%{major_version}.%{minor_version}-catalina-policy.patch
 Patch4:        rhbz-1857043.patch
 Patch6:        tomcat-%{major_version}.%{minor_version}-bnd-annotation.patch
 Patch7:        build-with-java-25.patch
+Patch8:        rhel-158962.patch
+Patch9:        rhel-168243.patch
 
 BuildArch:     noarch
 
+ExcludeArch: i686
+
 BuildRequires: ant
 BuildRequires: ecj >= 1:4.10
 BuildRequires: findutils
@@ -210,6 +214,8 @@ find . -type f \( -name "*.bat" -o -name "*.class" -o -name Thumbs.db -o -name "
 %patch -P4 -p0
 %patch -P6 -p0
 %patch -P7 -p0
+%patch -P8 -p1
+%patch -P9 -p1
 
 # Remove webservices naming resources as it's generally unused
 %{__rm} -rf java/org/apache/naming/factory/webservices
@@ -632,35 +638,8 @@ fi
 %{appdir}/ROOT
 
 %changelog
-* Thu May 29 2026 Pietro Meloni <pmeloni@redhat.com> - 1:9.0.117-1
-- Resolves: RHEL-150720
-  Tomcat: Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734)
-- Resolves:
-  Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
-- Resolves:
-  Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
-- Resolves:
-  Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
-- Resolves:
-  Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
-- Resolves:
-  Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
-- Resolves:
-  Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
-- Resolves:
-  Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
-- Resolves:
-  Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
-- Resolves:
-  Tomcat: Occasionally open redirect (CVE-2026-25854)
-- Resolves:
-  Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
-- Resolves:
-  Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
-- Resolves:
-  Tomcat: Security constraint bypass (CVE-2026-24733)
-- Resolves:
-  Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)
+* Tue May 19 2026 Eduard Abdullin <eabdullin@almalinux.org> - 1:9.0.110-3.alma.1
+- Exclude i686 architecture from build
 
 * Tue Apr 14 2026 Coty Sutherland <csutherl@redhat.com> - 1:9.0.110-3
 - Resolves: RHEL-168243 Fix copy/paste error in AJP connector that caused DELETE requests to be processed as OPTIONS requests (BZ#69848)