Description of the patch:
This update for tomcat fixes the following issues:
- Update to Tomcat 9.0.97
- Fixed CVEs:
- CVE-2024-52316: If the Jakarta Authentication fails with an exception,
set a 500 status (bsc#1233434)
- Catalina
- Add: Add support for the new Servlet API method
HttpServletResponse.sendEarlyHints(). (markt)
- Add: 55470: Add debug logging that reports the class path when a
ClassNotFoundException occurs in the digester or the web application
class loader. Based on a patch by Ralf Hauser. (markt)
- Update: 69374: Properly separate between table header and body in
DefaultServlet's listing. (michaelo)
- Update: 69373: Make DefaultServlet's HTML listing file last modified
rendering better (flexible). (michaelo)
- Update: Improve HTML output of DefaultServlet. (michaelo)
- Code: Refactor RateLimitFilter to use FilterBase as the base class. The
primary advantage for doing this is less code to process init-param
values. (markt)
- Update: 69370: DefaultServlet's HTML listing uses incorrect labels.
(michaelo)
- Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped
requests. (remm)
- Fix: Add missing WebDAV Lock-Token header in the response when locking
a folder. (remm)
- Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
- Fix: Fix regression in WebDAV when attempting to unlock a collection.
(remm)
- Fix: Verify that destination is not locked for a WebDAV copy operation.
(remm)
- Fix: Send 415 response to WebDAV MKCOL operations that include a
request body since this is optional and unsupported. (remm)
- Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
- Fix: Do not allow a new WebDAV lock on a child resource if a parent
collection is locked (RFC 4918 section 6.1). (remm)
- Fix: WebDAV Delete should remove any existing lock on successfully...