Description of the patch:
This update for tomcat10 fixes the following issues:
Update to Tomcat 10.1.55:
- CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162).
- CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163).
- CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165).
- CVE-2026-43512: Digest authenticator will authenticate any unknown user (bsc#1265145).
- CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166).
- CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167).
- CVE-2026-43515: Security constraints not correctly applied (bsc#1265168).
Changes:
- Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and
OpenSSL version information (both APR and FFM implementations), along with
version compatibility warnings and third-party library version
information. (csutherl)
- Code: Refactor generation of the remote user element in the access log to
remove unnecessary code. (markt)
- Fix: Fix a regression in the previous release that meant ?- could appear
in the access log rather than ? when the query string was present but
empty. (markt)
- Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by
Mahmoud Alarby. (remm)
- Fix: Align the escaping in ExtendedAccessLogValve with the other
AccessLogValve implementations. (markt)
- Fix: 70000: fix duplication of special headers in the response after
commit, following fix for 69967. (remm)
- Fix: Correct the handling of URIs mapped to a security constraint that
only specifies the special ** role for all authenticated users. Requests
without authentication were receiving 403 responses rather than 401
responses. (markt)
- Fix: Fix a race condition in StandardContext.getServletContext() that
could cause the jakarta.servlet.context.tempdir attribute to be lost
during a context reload. Make the context field volatile and use locking
to ensure only one...