[Git][java-team/tomcat9][buster] 10 commits: Drop bnd-adjustments.patch.
Markus Koschany (@apo)
gitlab at salsa.debian.org
Fri Feb 6 22:41:53 GMT 2026
Markus Koschany pushed to branch buster at Debian Java Maintainers / tomcat9
Commits:
9e8682e6 by Markus Koschany at 2026-02-06T14:16:52+01:00
Drop bnd-adjustments.patch.
bnd 5 is now available
- - - - -
f4d14afc by Markus Koschany at 2026-02-06T14:17:21+01:00
Update JDTCompiler.patch
because we also have a new version of eclipse-jdt-core now.
- - - - -
a32123c4 by Markus Koschany at 2026-02-06T14:18:24+01:00
Remove jars again.
- - - - -
f92aff21 by Markus Koschany at 2026-02-06T14:19:28+01:00
Fix CVE-2025-55752, CVE-2025-55754, CVE-2025-61795
- - - - -
60765b6c by Markus Koschany at 2026-02-06T18:48:59+01:00
Update changelog
- - - - -
5db65d06 by Markus Koschany at 2026-02-06T18:53:21+01:00
Tighten build-dependencies on bnd and libeclipse-jdt-core-java
- - - - -
d1b7fed7 by Markus Koschany at 2026-02-06T19:10:49+01:00
Update JDTCompiler.patch
- - - - -
06560624 by Markus Koschany at 2026-02-06T19:12:32+01:00
Fix debian/rules
- - - - -
ecebfbbe by Markus Koschany at 2026-02-06T23:33:43+01:00
Update changelog
- - - - -
6d22e41d by Markus Koschany at 2026-02-06T23:41:11+01:00
Merge branch 'buster' of salsa.debian.org:java-team/tomcat9 into buster
- - - - -
12 changed files:
- debian/changelog
- debian/control
- + debian/patches/CVE-2025-55752.patch
- + debian/patches/CVE-2025-55754.patch
- + debian/patches/CVE-2025-61795.patch
- debian/patches/JDTCompiler.patch
- − debian/patches/bnd-adjustments.patch
- debian/patches/series
- debian/rules
- − debian/source/include-binaries
- − debian/tomcat9-embed-el.jar
- − debian/tomcat9-jasper-el.jar
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,18 @@
+tomcat9 (9.0.107-0+deb10u3) buster-security; urgency=medium
+
+ * Non-maintainer upload by the ELTS team.
+ * Drop bnd-adjustments.patch because bnd 5 is available now.
+ * Update JDTCompiler.patch because we also have a new version
+ of eclipse-jdt-core now.
+ * Fix CVE-2025-61795: denial of service due to incorrect processing of
+ multipart uploads
+ * Fix CVE-2025-55754: insufficient escape of ANSI escape sequences in log
+ messages
+ * Fix CVE-2025-55752: path traversal vulnerability due to a bug in rewrite
+ rules
+
+ -- Markus Koschany <apo at debian.org> Fri, 06 Feb 2026 18:48:53 +0100
+
tomcat9 (9.0.107-0+deb10u2) buster-security; urgency=medium
* Non-maintainer upload by the ELTS team.
=====================================
debian/control
=====================================
@@ -7,14 +7,14 @@ Uploaders:
Emmanuel Bourg <ebourg at apache.org>
Build-Depends:
ant-optional,
- bnd,
+ bnd (>= 5),
debhelper (>= 11),
default-jdk,
javahelper,
junit4 (>= 4.11),
libcglib-nodep-java,
libeasymock-java (>= 3.0),
- libeclipse-jdt-core-java (>= 3.14.0),
+ libeclipse-jdt-core-java (>= 3.18.0),
libhamcrest-java (>= 1.3),
libjaxrpc-api-java,
libobjenesis-java,
@@ -91,7 +91,7 @@ Description: Apache Tomcat 9 - Servlet and JSP engine -- tools to create user in
Package: libtomcat9-java
Architecture: all
-Depends: libeclipse-jdt-core-java (>= 3.14.0), ${misc:Depends}
+Depends: libeclipse-jdt-core-java (>= 3.18.0), ${misc:Depends}
Suggests: tomcat9 (>= ${source:Version})
Description: Apache Tomcat 9 - Servlet and JSP engine -- core libraries
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
@@ -103,7 +103,7 @@ Description: Apache Tomcat 9 - Servlet and JSP engine -- core libraries
Package: libtomcat9-embed-java
Architecture: all
-Depends: libeclipse-jdt-core-java (>= 3.14.0), ${misc:Depends}
+Depends: libeclipse-jdt-core-java (>= 3.18.0), ${misc:Depends}
Description: Apache Tomcat 9 - Servlet and JSP engine -- embed libraries
Apache Tomcat implements the Java Servlet and the JavaServer Pages (JSP)
specifications from Oracle, and provides a "pure Java" HTTP web
=====================================
debian/patches/CVE-2025-55752.patch
=====================================
@@ -0,0 +1,272 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 4 Feb 2026 11:55:32 +0100
+Subject: CVE-2025-55752
+
+Origin: https://github.com/apache/tomcat/commit/b5042622b8b78340ae65403c55dcb9c7416924df
+---
+ .../catalina/valves/rewrite/RewriteValve.java | 35 ++++---
+ .../apache/catalina/startup/TomcatBaseTest.java | 2 +-
+ .../catalina/valves/rewrite/TestRewriteValve.java | 107 ++++++++++++++++++++-
+ webapps/docs/changelog.xml | 4 +
+ 4 files changed, 131 insertions(+), 17 deletions(-)
+
+diff --git a/java/org/apache/catalina/valves/rewrite/RewriteValve.java b/java/org/apache/catalina/valves/rewrite/RewriteValve.java
+index a3f95b2..358d72b 100644
+--- a/java/org/apache/catalina/valves/rewrite/RewriteValve.java
++++ b/java/org/apache/catalina/valves/rewrite/RewriteValve.java
+@@ -326,7 +326,7 @@ public class RewriteValve extends ValveBase {
+
+ // As long as MB isn't a char sequence or affiliated, this has to be converted to a string
+ Charset uriCharset = request.getConnector().getURICharset();
+- String originalQueryStringEncoded = request.getQueryString();
++ String queryStringOriginalEncoded = request.getQueryString();
+ MessageBytes urlMB = context ? request.getRequestPathMB() : request.getDecodedRequestURIMB();
+ urlMB.toChars();
+ CharSequence urlDecoded = urlMB.getCharChunk();
+@@ -427,10 +427,10 @@ public class RewriteValve extends ValveBase {
+ StringBuilder urlStringEncoded =
+ new StringBuilder(REWRITE_DEFAULT_ENCODER.encode(urlStringRewriteEncoded, uriCharset));
+
+- if (!qsd && originalQueryStringEncoded != null && !originalQueryStringEncoded.isEmpty()) {
++ if (!qsd && queryStringOriginalEncoded != null && !queryStringOriginalEncoded.isEmpty()) {
+ if (rewrittenQueryStringRewriteEncoded == null) {
+ urlStringEncoded.append('?');
+- urlStringEncoded.append(originalQueryStringEncoded);
++ urlStringEncoded.append(queryStringOriginalEncoded);
+ } else {
+ if (qsa) {
+ // if qsa is specified append the query
+@@ -438,7 +438,7 @@ public class RewriteValve extends ValveBase {
+ urlStringEncoded.append(
+ REWRITE_QUERY_ENCODER.encode(rewrittenQueryStringRewriteEncoded, uriCharset));
+ urlStringEncoded.append('&');
+- urlStringEncoded.append(originalQueryStringEncoded);
++ urlStringEncoded.append(queryStringOriginalEncoded);
+ } else if (index == urlStringEncoded.length() - 1) {
+ // if the ? is the last character delete it, its only purpose was to
+ // prevent the rewrite module from appending the query string
+@@ -553,24 +553,31 @@ public class RewriteValve extends ValveBase {
+
+ // Step 3. Complete the 2nd stage to encoding.
+ chunk.append(REWRITE_DEFAULT_ENCODER.encode(urlStringRewriteEncoded, uriCharset));
+- // Decoded and normalized URI
+- // Rewriting may have denormalized the URL
+- urlStringRewriteEncoded = RequestUtil.normalize(urlStringRewriteEncoded);
++ // Rewriting may have denormalized the URL and added encoded characters
++ // Decode then normalize
++ String urlStringRewriteDecoded = URLDecoder.decode(urlStringRewriteEncoded, uriCharset.name());
++ urlStringRewriteDecoded = RequestUtil.normalize(urlStringRewriteDecoded);
+ request.getCoyoteRequest().decodedURI().setChars(MessageBytes.EMPTY_CHAR_ARRAY, 0, 0);
+ chunk = request.getCoyoteRequest().decodedURI().getCharChunk();
+ if (context) {
+ // This is decoded and normalized
+ chunk.append(request.getServletContext().getContextPath());
+ }
+- chunk.append(URLDecoder.decode(urlStringRewriteEncoded, uriCharset.name()));
+- // Set the new Query if there is one
+- if (queryStringRewriteEncoded != null) {
++ chunk.append(urlStringRewriteDecoded);
++ // Set the new Query String
++ if (queryStringRewriteEncoded == null) {
++ // No new query string. Therefore the original is retained unless QSD is defined.
++ if (qsd) {
++ request.getCoyoteRequest().queryString().setChars(MessageBytes.EMPTY_CHAR_ARRAY, 0, 0);
++ }
++ } else {
++ // New query string. Therefore the original is dropped unless QSA is defined (and QSD is not).
+ request.getCoyoteRequest().queryString().setChars(MessageBytes.EMPTY_CHAR_ARRAY, 0, 0);
+ chunk = request.getCoyoteRequest().queryString().getCharChunk();
+ chunk.append(REWRITE_QUERY_ENCODER.encode(queryStringRewriteEncoded, uriCharset));
+- if (qsa && originalQueryStringEncoded != null && !originalQueryStringEncoded.isEmpty()) {
++ if (qsa && queryStringOriginalEncoded != null && !queryStringOriginalEncoded.isEmpty()) {
+ chunk.append('&');
+- chunk.append(originalQueryStringEncoded);
++ chunk.append(queryStringOriginalEncoded);
+ }
+ }
+ // Set the new host if it changed
+@@ -665,6 +672,10 @@ public class RewriteValve extends ValveBase {
+ while (flagsTokenizer.hasMoreElements()) {
+ parseRuleFlag(line, rule, flagsTokenizer.nextToken());
+ }
++ // If QSD and QSA are present, QSD always takes precedence
++ if (rule.isQsdiscard()) {
++ rule.setQsappend(false);
++ }
+ }
+ return rule;
+ } else if (token.equals("RewriteMap")) {
+diff --git a/test/org/apache/catalina/startup/TomcatBaseTest.java b/test/org/apache/catalina/startup/TomcatBaseTest.java
+index 160360d..6839387 100644
+--- a/test/org/apache/catalina/startup/TomcatBaseTest.java
++++ b/test/org/apache/catalina/startup/TomcatBaseTest.java
+@@ -553,7 +553,7 @@ public abstract class TomcatBaseTest extends LoggingBaseTest {
+ value.append(';');
+ }
+ }
+- out.println("PARAM/" + name + ": " + value);
++ out.println("PARAM:" + name + ": " + value);
+ }
+
+ out.println("SESSION-REQUESTED-ID: " +
+diff --git a/test/org/apache/catalina/valves/rewrite/TestRewriteValve.java b/test/org/apache/catalina/valves/rewrite/TestRewriteValve.java
+index 458349c..7c81e93 100644
+--- a/test/org/apache/catalina/valves/rewrite/TestRewriteValve.java
++++ b/test/org/apache/catalina/valves/rewrite/TestRewriteValve.java
+@@ -301,17 +301,112 @@ public class TestRewriteValve extends TomcatBaseTest {
+ }
+
+ @Test
+- public void testQueryString() throws Exception {
++ public void testQueryStringTargetOnly() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1?je=2", "/b/id=1", "/c/id=1", "je=2");
++ }
++
++ @Test
++ public void testQueryStringTargetOnlyQSA() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1?je=2 [QSA]", "/b/id=1", "/c/id=1", "je=2");
++ }
++
++ @Test
++ public void testQueryStringTargetOnlyQSD() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1?je=2 [QSD]", "/b/id=1", "/c/id=1", "je=2");
++ }
++
++ @Test
++ public void testQueryStringTargetOnlyQSAQSD() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1?je=2 [QSA,QSD]", "/b/id=1", "/c/id=1", "je=2");
++ }
++
++ @Test
++ public void testQueryStringTargetOnlyQS() throws Exception {
+ doTestRewrite("RewriteRule ^/b/(.*) /c?$1", "/b/id=1", "/c", "id=1");
+ }
+
++ @Test
++ public void testQueryStringTargetOnlyQSAQS() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c?$1 [QSA]", "/b/id=1", "/c", "id=1");
++ }
++
++ @Test
++ public void testQueryStringTargetOnlyQSDQS() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c?$1 [QSD]", "/b/id=1", "/c", "id=1");
++ }
++
++ @Test
++ public void testQueryStringTargetOnlyQSAQSDQS() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c?$1 [QSA,QSD]", "/b/id=1", "/c", "id=1");
++ }
++
++ @Test
++ public void testQueryStringSourceOnly() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1", "/b/d?id=1", "/c/d", "id=1");
++ }
++
++ @Test
++ public void testQueryStringSourceOnlyQSA() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1 [QSA]", "/b/d?id=1", "/c/d", "id=1");
++ }
++
++ @Test
++ public void testQueryStringSourceOnlyQSD() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1 [QSD]", "/b/d?id=1", "/c/d", null);
++ }
++
++ @Test
++ public void testQueryStringSourceOnlyQSAQSD() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1 [QSA,QSD]", "/b/d?id=1", "/c/d", null);
++ }
++
++ @Test
++ public void testQueryStringSourceAndTarget() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1?id=1", "/b/d?je=2", "/c/d", "id=1");
++ }
++
++ @Test
++ public void testQueryStringSourceAndTargetQSA() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1?id=1 [QSA]", "/b/d?je=2", "/c/d", "id=1&je=2");
++ }
++
++ @Test
++ public void testQueryStringSourceAndTargetQSD() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1?id=1 [QSD]", "/b/d?je=2", "/c/d", "id=1");
++ }
++
++ @Test
++ public void testQueryStringSourceAndTargetQSAQSD() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1?id=1 [QSA,QSD]", "/b/d?je=2", "/c/d", "id=1");
++ }
++
++ @Test
++ public void testQueryStringEncoded01() throws Exception {
++ doTestRewrite("RewriteCond %{QUERY_STRING} a=(.*)\nRewriteRule ^/b.*$ /%1 [QSD]", "/b?a=c", "/c", null);
++ }
++
++ @Test
++ public void testQueryStringEncoded02() throws Exception {
++ doTestRewrite("RewriteCond %{QUERY_STRING} a=(.*)\nRewriteRule ^/b.*$ /z/%1 [QSD]", "/b?a=%2e%2e%2fc%2faAbB", "/z/%2e%2e%2fc%2faAbB", null);
++ }
++
+ @Test
+ public void testQueryStringRemove() throws Exception {
+- doTestRewrite("RewriteRule ^/b/(.*) /c/$1?", "/b/d?=1", "/c/d", null);
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1?", "/b/d?id=1", "/c/d", null);
+ }
+
+ @Test
+ public void testQueryStringRemove02() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1 [QSD]", "/b/d?id=1", "/c/d", null);
++ }
++
++ @Test
++ public void testQueryStringRemoveInvalid() throws Exception {
++ doTestRewrite("RewriteRule ^/b/(.*) /c/$1?", "/b/d?=1", "/c/d", null);
++ }
++
++ @Test
++ public void testQueryStringRemoveInvalid02() throws Exception {
+ doTestRewrite("RewriteRule ^/b/(.*) /c/$1 [QSD]", "/b/d?=1", "/c/d", null);
+ }
+
+@@ -616,7 +711,7 @@ public class TestRewriteValve extends TomcatBaseTest {
+ public void testFlagsNC() throws Exception {
+ // https://bz.apache.org/bugzilla/show_bug.cgi?id=60116
+ doTestRewrite("RewriteCond %{QUERY_STRING} a=([a-z]*) [NC]\n" + "RewriteRule .* - [E=X-Test:%1]", "/c?a=aAa",
+- "/c", null, "aAa");
++ "/c", "a=aAa", "aAa");
+ }
+
+ @Test
+@@ -806,12 +901,16 @@ public class TestRewriteValve extends TomcatBaseTest {
+ // were written into the request target
+ Assert.assertEquals(400, rc);
+ } else {
++ // If there is an expected URI, the request should be successful
++ Assert.assertEquals(200, rc);
+ String body = res.toString();
+ RequestDescriptor requestDesc = SnoopResult.parse(body);
+ String requestURI = requestDesc.getRequestInfo("REQUEST-URI");
+ Assert.assertEquals(expectedURI, requestURI);
+
+- if (expectedQueryString != null) {
++ if (expectedQueryString == null) {
++ Assert.assertTrue(requestDesc.getParams().isEmpty());
++ } else {
+ String queryString = requestDesc.getRequestInfo("REQUEST-QUERY-STRING");
+ Assert.assertEquals(expectedQueryString, queryString);
+ }
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 4fc968d..c05b0ed 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -132,6 +132,10 @@
+ Align size tracking for multipart requests with FileUpload's use of
+ <code>long</code>. (schultz)
+ </fix>
++ <fix>
++ Fix handling of <code>QSA</code> and <code>QSD</code> flags in
++ <code>RewriteValve</code>. (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Coyote">
=====================================
debian/patches/CVE-2025-55754.patch
=====================================
@@ -0,0 +1,267 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 4 Feb 2026 11:56:34 +0100
+Subject: CVE-2025-55754
+
+Origin: https://github.com/apache/tomcat/commit/a03cabf3a36a42d27d8d997ed31f034f50ba6cd5
+---
+ java/org/apache/juli/JdkLoggerFormatter.java | 4 +-
+ java/org/apache/juli/LogUtil.java | 64 +++++++++++++++++++
+ java/org/apache/juli/OneLineFormatter.java | 4 +-
+ java/org/apache/juli/VerbatimFormatter.java | 7 +--
+ test/org/apache/juli/TestLogUtil.java | 93 ++++++++++++++++++++++++++++
+ webapps/docs/changelog.xml | 3 +
+ 6 files changed, 167 insertions(+), 8 deletions(-)
+ create mode 100644 java/org/apache/juli/LogUtil.java
+ create mode 100644 test/org/apache/juli/TestLogUtil.java
+
+diff --git a/java/org/apache/juli/JdkLoggerFormatter.java b/java/org/apache/juli/JdkLoggerFormatter.java
+index 80ba904..65d44a4 100644
+--- a/java/org/apache/juli/JdkLoggerFormatter.java
++++ b/java/org/apache/juli/JdkLoggerFormatter.java
+@@ -100,7 +100,7 @@ public class JdkLoggerFormatter extends Formatter {
+ }
+
+ // Append the message
+- buf.append(message);
++ buf.append(LogUtil.escape(message));
+
+ // Append stack trace if not null
+ if (t != null) {
+@@ -110,7 +110,7 @@ public class JdkLoggerFormatter extends Formatter {
+ java.io.PrintWriter pw = new java.io.PrintWriter(sw);
+ t.printStackTrace(pw);
+ pw.close();
+- buf.append(sw);
++ buf.append(LogUtil.escape(sw.toString()));
+ }
+
+ buf.append(System.lineSeparator());
+diff --git a/java/org/apache/juli/LogUtil.java b/java/org/apache/juli/LogUtil.java
+new file mode 100644
+index 0000000..c7eb098
+--- /dev/null
++++ b/java/org/apache/juli/LogUtil.java
+@@ -0,0 +1,64 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.juli;
++
++public class LogUtil {
++
++ private LogUtil() {
++ // Utility class. Hide default constructor
++ }
++
++
++ /**
++ * Escape a string so it can be displayed in a readable format. Characters that may not be printable in some/all of
++ * the contexts in which log messages will be viewed will be escaped using Java \\uNNNN escaping.
++ * <p>
++ * All control characters are escaped apart from horizontal tab (\\u0009), new line (\\u000a) and carriage return
++ * (\\u000d).
++ *
++ * @param input The string to escape
++ *
++ * @return The escaped form of the input string
++ */
++ @SuppressWarnings("null") // sb is not null when used
++ public static String escape(final String input) {
++ final int len = input.length();
++ int i = 0;
++ int lastControl = -1;
++ StringBuilder sb = null;
++ while (i < len) {
++ char c = input.charAt(i);
++ if (Character.getType(c) == Character.CONTROL) {
++ if (!(c == '\t' || c == '\n' || c == '\r')) {
++ if (lastControl == -1) {
++ sb = new StringBuilder(len + 20);
++ }
++ sb.append(input.substring(lastControl + 1, i));
++ sb.append(String.format("\\u%1$04x", Integer.valueOf(c)));
++ lastControl = i;
++ }
++ }
++ i++;
++ }
++ if (lastControl == -1) {
++ return input;
++ } else {
++ sb.append(input.substring(lastControl + 1, len));
++ return sb.toString();
++ }
++ }
++}
+diff --git a/java/org/apache/juli/OneLineFormatter.java b/java/org/apache/juli/OneLineFormatter.java
+index 4ad3680..3c54de4 100644
+--- a/java/org/apache/juli/OneLineFormatter.java
++++ b/java/org/apache/juli/OneLineFormatter.java
+@@ -147,7 +147,7 @@ public class OneLineFormatter extends Formatter {
+
+ // Message
+ sb.append(' ');
+- sb.append(formatMessage(record));
++ sb.append(LogUtil.escape(formatMessage(record)));
+
+ // New line for next record
+ sb.append(System.lineSeparator());
+@@ -158,7 +158,7 @@ public class OneLineFormatter extends Formatter {
+ PrintWriter pw = new IndentingPrintWriter(sw);
+ record.getThrown().printStackTrace(pw);
+ pw.close();
+- sb.append(sw.getBuffer());
++ sb.append(LogUtil.escape(sw.toString()));
+ }
+
+ return sb.toString();
+diff --git a/java/org/apache/juli/VerbatimFormatter.java b/java/org/apache/juli/VerbatimFormatter.java
+index 88efa4d..2653b18 100644
+--- a/java/org/apache/juli/VerbatimFormatter.java
++++ b/java/org/apache/juli/VerbatimFormatter.java
+@@ -20,9 +20,9 @@ import java.util.logging.Formatter;
+ import java.util.logging.LogRecord;
+
+ /**
+- * Outputs just the log message with no additional elements. Stack traces are not logged. Log messages are separated by
+- * <code>System.lineSeparator()</code>. This is intended for use by access logs and the like that need complete control
+- * over the output format.
++ * Outputs just the log message with no additional elements and no escaping. Stack traces are not logged. Log messages
++ * are separated by <code>System.lineSeparator()</code>. This is intended for use by access logs and the like that need
++ * complete control over the output format.
+ */
+ public class VerbatimFormatter extends Formatter {
+
+@@ -31,5 +31,4 @@ public class VerbatimFormatter extends Formatter {
+ // Timestamp + New line for next record
+ return record.getMessage() + System.lineSeparator();
+ }
+-
+ }
+diff --git a/test/org/apache/juli/TestLogUtil.java b/test/org/apache/juli/TestLogUtil.java
+new file mode 100644
+index 0000000..12360c2
+--- /dev/null
++++ b/test/org/apache/juli/TestLogUtil.java
+@@ -0,0 +1,93 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.juli;
++
++import org.junit.Assert;
++import org.junit.Test;
++
++public class TestLogUtil {
++
++ @Test
++ public void testEscapeForLoggingEmptyString() {
++ doTestEscapeForLogging("");
++ }
++
++
++ @Test
++ public void testEscapeForLoggingNone() {
++ doTestEscapeForLogging("No escaping");
++ }
++
++
++ @Test
++ public void testEscapeForLoggingControlStart() {
++ doTestEscapeForLogging("\u0006Text", "\\u0006Text");
++ }
++
++
++ @Test
++ public void testEscapeForLoggingControlMiddle() {
++ doTestEscapeForLogging("Text\u0006Text", "Text\\u0006Text");
++ }
++
++
++ @Test
++ public void testEscapeForLoggingControlEnd() {
++ doTestEscapeForLogging("Text\u0006", "Text\\u0006");
++ }
++
++
++ @Test
++ public void testEscapeForLoggingControlOnly() {
++ doTestEscapeForLogging("\u0006", "\\u0006");
++ }
++
++
++ @Test
++ public void testEscapeForLoggingControlsStart() {
++ doTestEscapeForLogging("\u0006\u0007Text", "\\u0006\\u0007Text");
++ }
++
++
++ @Test
++ public void testEscapeForLoggingControlsMiddle() {
++ doTestEscapeForLogging("Text\u0006\u0007Text", "Text\\u0006\\u0007Text");
++ }
++
++
++ @Test
++ public void testEscapeForLoggingControlsEnd() {
++ doTestEscapeForLogging("Text\u0006\u0007", "Text\\u0006\\u0007");
++ }
++
++
++ @Test
++ public void testEscapeForLoggingControlsOnly() {
++ doTestEscapeForLogging("\u0006\u0007", "\\u0006\\u0007");
++ }
++
++
++ private void doTestEscapeForLogging(String input) {
++ doTestEscapeForLogging(input, input);
++ }
++
++
++ private void doTestEscapeForLogging(String input, String expected) {
++ String result = LogUtil.escape(input);
++ Assert.assertEquals(expected, result);
++ }
++}
+\ No newline at end of file
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index c05b0ed..8e78763 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -184,6 +184,9 @@
+ Remove the <code>INSTANCEOF</code> and <code>FUNCTIONSUFFIX</code>
+ definitions from the EL grammar as both are unused. (markt)
+ </scode>
++ <add>
++ Add escaping to log formatters to align with JSON formatter. (markt)
++ </add>
+ </changelog>
+ </subsection>
+ <subsection name="Web applications">
=====================================
debian/patches/CVE-2025-61795.patch
=====================================
@@ -0,0 +1,78 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 4 Feb 2026 11:57:33 +0100
+Subject: CVE-2025-61795
+
+Origin: https://github.com/apache/tomcat/commit/afa422bd7ca1eef0f507259c682fd876494d9c3b
+---
+ .../catalina/connector/LocalStrings.properties | 1 +
+ java/org/apache/catalina/connector/Request.java | 21 ++++++++++++++++++++-
+ webapps/docs/changelog.xml | 4 ++++
+ 3 files changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/java/org/apache/catalina/connector/LocalStrings.properties b/java/org/apache/catalina/connector/LocalStrings.properties
+index de2de4a..74b021e 100644
+--- a/java/org/apache/catalina/connector/LocalStrings.properties
++++ b/java/org/apache/catalina/connector/LocalStrings.properties
+@@ -94,6 +94,7 @@ request.asyncNotSupported=A filter or servlet of the current chain does not supp
+ request.fragmentInDispatchPath=The fragment in dispatch path [{0}] has been removed
+ request.illegalWrap=The request wrapper must wrap the request obtained from getRequest()
+ request.notAsync=It is illegal to call this method if the current request is not in asynchronous mode (i.e. isAsyncStarted() returns false)
++request.partCleanup.failed=Unable to delete temporary file for uploaded part after multi-part processing failed
+ request.session.failed=Failed to load session [{0}] due to [{1}]
+
+ requestFacade.nullRequest=The request object has been recycled and is no longer associated with this facade
+diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
+index c25ac6b..ed6f8be 100644
+--- a/java/org/apache/catalina/connector/Request.java
++++ b/java/org/apache/catalina/connector/Request.java
+@@ -2712,8 +2712,9 @@ public class Request implements HttpServletRequest {
+ upload.setFileCountMax(partLimit);
+
+ parts = new ArrayList<>();
++ List<FileItem> items = null;
+ try {
+- List<FileItem> items = upload.parseRequest(new ServletRequestContext(this));
++ items = upload.parseRequest(new ServletRequestContext(this));
+ int maxPostSize = getConnector().getMaxPostSize();
+ long postSize = 0;
+ Charset charset = getCharset();
+@@ -2766,6 +2767,24 @@ public class Request implements HttpServletRequest {
+ // addParameters() will set parseFailedReason
+ checkSwallowInput();
+ partsParseException = e;
++ } finally {
++ /*
++ * GC will delete any temporary copies of uploaded files left in the work directory but if we know that the
++ * upload has failed then explicitly clean up now.
++ */
++ if (!success) {
++ parts.clear();
++ if (items != null) {
++ for (FileItem item : items) {
++ try {
++ item.delete();
++ } catch (Throwable t) {
++ ExceptionUtils.handleThrowable(t);
++ log.warn(sm.getString("request.partCleanup.failed"), t);
++ }
++ }
++ }
++ }
+ }
+ } finally {
+ // This might look odd but is correct. setParseFailedReason() only
+diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
+index 8e78763..7a98ef9 100644
+--- a/webapps/docs/changelog.xml
++++ b/webapps/docs/changelog.xml
+@@ -136,6 +136,10 @@
+ Fix handling of <code>QSA</code> and <code>QSD</code> flags in
+ <code>RewriteValve</code>. (markt)
+ </fix>
++ <fix>
++ Be proactive in cleaning up temporary files after a failed multi-part
++ upload rather than waiting for GC to do it. (markt)
++ </fix>
+ </changelog>
+ </subsection>
+ <subsection name="Coyote">
=====================================
debian/patches/JDTCompiler.patch
=====================================
@@ -3,148 +3,57 @@ Date: Thu, 10 Jul 2025 16:51:05 +0200
Subject: JDTCompiler
---
- java/org/apache/jasper/compiler/JDTCompiler.java | 123 -----------------------
- 1 file changed, 123 deletions(-)
+ java/org/apache/jasper/compiler/JDTCompiler.java | 27 ++++++++++--------------
+ 1 file changed, 11 insertions(+), 16 deletions(-)
diff --git a/java/org/apache/jasper/compiler/JDTCompiler.java b/java/org/apache/jasper/compiler/JDTCompiler.java
-index 4771dbd..23fd554 100644
+index 4771dbd..5d3b504 100644
--- a/java/org/apache/jasper/compiler/JDTCompiler.java
+++ b/java/org/apache/jasper/compiler/JDTCompiler.java
-@@ -309,61 +309,6 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
+@@ -308,17 +308,15 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
+ } else if (opt.equals("10")) {
settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_10);
} else if (opt.equals("11")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_11);
-- } else if (opt.equals("12")) {
+- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_11);
++ settings.put(CompilerOptions.OPTION_Source, "11");
+ } else if (opt.equals("12")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_12);
-- } else if (opt.equals("13")) {
++ settings.put(CompilerOptions.OPTION_Source, "12");
+ } else if (opt.equals("13")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_13);
-- } else if (opt.equals("14")) {
++ settings.put(CompilerOptions.OPTION_Source, "13");
+ } else if (opt.equals("14")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_14);
-- } else if (opt.equals("15")) {
++ settings.put(CompilerOptions.OPTION_Source, "14");
+ } else if (opt.equals("15")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_15);
- } else if (opt.equals("16")) {
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_16);
-- } else if (opt.equals("17")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_Source, "17");
-- } else if (opt.equals("18")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_Source, "18");
-- } else if (opt.equals("19")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_Source, "19");
-- } else if (opt.equals("20")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_Source, "20");
-- } else if (opt.equals("21")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_Source, "21");
-- } else if (opt.equals("22")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_Source, "22");
-- } else if (opt.equals("23")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_Source, "23");
-- } else if (opt.equals("24")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_Source, "24");
-- } else if (opt.equals("25")) {
-- // Constant not available in latest ECJ version shipped with
-- // Tomcat. May be supported in a snapshot build.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_Source, "25");
- } else {
- log.warn(Localizer.getMessage("jsp.warning.unknown.sourceVM", opt));
- settings.put(CompilerOptions.OPTION_Source, CompilerOptions.VERSION_1_8);
-@@ -407,75 +352,7 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
- } else if (opt.equals("11")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_11);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_11);
-- } else if (opt.equals("12")) {
-- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_12);
-- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_12);
-- } else if (opt.equals("13")) {
++ settings.put(CompilerOptions.OPTION_Source, "15");
+ } else if (opt.equals("17")) {
+ // Constant not available in latest ECJ version that runs on
+ // Java 8.
+@@ -411,17 +409,14 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
+ settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_12);
+ settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_12);
+ } else if (opt.equals("13")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_13);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_13);
-- } else if (opt.equals("14")) {
++ settings.put(CompilerOptions.OPTION_TargetPlatform, "13");
++ settings.put(CompilerOptions.OPTION_Compliance, "13");
+ } else if (opt.equals("14")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_14);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_14);
-- } else if (opt.equals("15")) {
++ settings.put(CompilerOptions.OPTION_TargetPlatform, "14");
++ settings.put(CompilerOptions.OPTION_Compliance, "14");
+ } else if (opt.equals("15")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_15);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
+- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
- } else if (opt.equals("16")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_16);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_16);
-- } else if (opt.equals("17")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_TargetPlatform, "17");
-- settings.put(CompilerOptions.OPTION_Compliance, "17");
-- } else if (opt.equals("18")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_TargetPlatform, "18");
-- settings.put(CompilerOptions.OPTION_Compliance, "18");
-- } else if (opt.equals("19")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_TargetPlatform, "19");
-- settings.put(CompilerOptions.OPTION_Compliance, "19");
-- } else if (opt.equals("20")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_TargetPlatform, "20");
-- settings.put(CompilerOptions.OPTION_Compliance, "20");
-- } else if (opt.equals("21")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_TargetPlatform, "21");
-- settings.put(CompilerOptions.OPTION_Compliance, "21");
-- } else if (opt.equals("22")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_TargetPlatform, "22");
-- settings.put(CompilerOptions.OPTION_Compliance, "22");
-- } else if (opt.equals("23")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_TargetPlatform, "23");
-- settings.put(CompilerOptions.OPTION_Compliance, "23");
-- } else if (opt.equals("24")) {
-- // Constant not available in latest ECJ version that runs on
-- // Java 8.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_TargetPlatform, "24");
-- settings.put(CompilerOptions.OPTION_Compliance, "24");
-- } else if (opt.equals("25")) {
-- // Constant not available in latest ECJ version shipped with
-- // Tomcat. May be supported in a snapshot build.
-- // This is checked against the actual version below.
-- settings.put(CompilerOptions.OPTION_TargetPlatform, "25");
-- settings.put(CompilerOptions.OPTION_Compliance, "25");
- } else {
- log.warn(Localizer.getMessage("jsp.warning.unknown.targetVM", opt));
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_1_8);
++ settings.put(CompilerOptions.OPTION_TargetPlatform, "15");
++ settings.put(CompilerOptions.OPTION_Compliance, "15");
+ } else if (opt.equals("17")) {
+ // Constant not available in latest ECJ version that runs on
+ // Java 8.
=====================================
debian/patches/bnd-adjustments.patch deleted
=====================================
@@ -1,85 +0,0 @@
-From: Markus Koschany <apo at debian.org>
-Date: Thu, 10 Jul 2025 17:47:56 +0200
-Subject: bnd adjustments
-
----
- java/org/apache/el/ExpressionFactoryImpl.java | 2 +-
- java/org/apache/jasper/compiler/JDTCompiler.java | 1 -
- java/org/apache/juli/logging/LogFactory.java | 4 +---
- java/org/apache/tomcat/websocket/WsContainerProvider.java | 2 +-
- .../tomcat/websocket/server/DefaultServerEndpointConfigurator.java | 2 +-
- 5 files changed, 4 insertions(+), 7 deletions(-)
-
-diff --git a/java/org/apache/el/ExpressionFactoryImpl.java b/java/org/apache/el/ExpressionFactoryImpl.java
-index 8ac4f3f..d06165b 100644
---- a/java/org/apache/el/ExpressionFactoryImpl.java
-+++ b/java/org/apache/el/ExpressionFactoryImpl.java
-@@ -34,7 +34,7 @@ import org.apache.el.util.MessageFactory;
- *
- * @author Jacob Hookom [jacob at hookom.net]
- */
-- at aQute.bnd.annotation.spi.ServiceProvider(value = ExpressionFactory.class)
-+//@aQute.bnd.annotation.spi.ServiceProvider(value = ExpressionFactory.class)
- public class ExpressionFactoryImpl extends ExpressionFactory {
-
- static {
-diff --git a/java/org/apache/jasper/compiler/JDTCompiler.java b/java/org/apache/jasper/compiler/JDTCompiler.java
-index 23fd554..9736628 100644
---- a/java/org/apache/jasper/compiler/JDTCompiler.java
-+++ b/java/org/apache/jasper/compiler/JDTCompiler.java
-@@ -352,7 +352,6 @@ public class JDTCompiler extends org.apache.jasper.compiler.Compiler {
- } else if (opt.equals("11")) {
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_11);
- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_11);
-- settings.put(CompilerOptions.OPTION_Compliance, CompilerOptions.VERSION_15);
- } else {
- log.warn(Localizer.getMessage("jsp.warning.unknown.targetVM", opt));
- settings.put(CompilerOptions.OPTION_TargetPlatform, CompilerOptions.VERSION_1_8);
-diff --git a/java/org/apache/juli/logging/LogFactory.java b/java/org/apache/juli/logging/LogFactory.java
-index 327f0ec..1df372c 100644
---- a/java/org/apache/juli/logging/LogFactory.java
-+++ b/java/org/apache/juli/logging/LogFactory.java
-@@ -21,8 +21,6 @@ import java.nio.file.FileSystems;
- import java.util.ServiceLoader;
- import java.util.logging.LogManager;
-
--import aQute.bnd.annotation.spi.ServiceConsumer;
--
- /**
- * This is a modified LogFactory that uses a simple {@link ServiceLoader} based discovery mechanism with a default of
- * using JDK based logging. An implementation that uses the full Commons Logging discovery mechanism is available as
-@@ -56,7 +54,7 @@ import aQute.bnd.annotation.spi.ServiceConsumer;
- * @author Costin Manolache
- * @author Richard A. Sitze
- */
-- at ServiceConsumer(value = Log.class)
-+//@ServiceConsumer(value = Log.class)
- public class LogFactory {
-
- private static final LogFactory singleton = new LogFactory();
-diff --git a/java/org/apache/tomcat/websocket/WsContainerProvider.java b/java/org/apache/tomcat/websocket/WsContainerProvider.java
-index 4b0577c..e383290 100644
---- a/java/org/apache/tomcat/websocket/WsContainerProvider.java
-+++ b/java/org/apache/tomcat/websocket/WsContainerProvider.java
-@@ -19,7 +19,7 @@ package org.apache.tomcat.websocket;
- import javax.websocket.ContainerProvider;
- import javax.websocket.WebSocketContainer;
-
-- at aQute.bnd.annotation.spi.ServiceProvider(value = ContainerProvider.class)
-+//@aQute.bnd.annotation.spi.ServiceProvider(value = ContainerProvider.class)
- public class WsContainerProvider extends ContainerProvider {
-
- @Override
-diff --git a/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java b/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
-index 00f492e..fe5c34d 100644
---- a/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
-+++ b/java/org/apache/tomcat/websocket/server/DefaultServerEndpointConfigurator.java
-@@ -26,7 +26,7 @@ import javax.websocket.HandshakeResponse;
- import javax.websocket.server.HandshakeRequest;
- import javax.websocket.server.ServerEndpointConfig;
-
-- at aQute.bnd.annotation.spi.ServiceProvider(value = ServerEndpointConfig.Configurator.class)
-+//@aQute.bnd.annotation.spi.ServiceProvider(value = ServerEndpointConfig.Configurator.class)
- public class DefaultServerEndpointConfigurator extends ServerEndpointConfig.Configurator {
-
- @Override
=====================================
debian/patches/series
=====================================
@@ -15,4 +15,6 @@ Bundle-Version.patch
0026-easymock4-compatibility.patch
JDTCompiler.patch
openssl.patch
-bnd-adjustments.patch
+CVE-2025-55752.patch
+CVE-2025-55754.patch
+CVE-2025-61795.patch
=====================================
debian/rules
=====================================
@@ -25,8 +25,6 @@ endif
override_dh_install-indep:
dh_install -i --exclude=.bat --exclude=Thumbs.db
- cp debian/tomcat9-embed-el.jar output/embed/tomcat-embed-el.jar
- cp debian/tomcat9-jasper-el.jar output/build/lib/jasper-el.jar
# update the checksum for the root webapp
unset rwmd5sum \
=====================================
debian/source/include-binaries deleted
=====================================
@@ -1,2 +0,0 @@
-debian/tomcat9-jasper-el.jar
-debian/tomcat9-embed-el.jar
=====================================
debian/tomcat9-embed-el.jar deleted
=====================================
Binary files a/debian/tomcat9-embed-el.jar and /dev/null differ
=====================================
debian/tomcat9-jasper-el.jar deleted
=====================================
Binary files a/debian/tomcat9-jasper-el.jar and /dev/null differ
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/eafe755ded6f13febc96a0fcd738323febcdc54e...6d22e41df22d3b50aecddff6804ef191102b7eaa
--
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/eafe755ded6f13febc96a0fcd738323febcdc54e...6d22e41df22d3b50aecddff6804ef191102b7eaa
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20260206/36223fbb/attachment.htm>
More information about the pkg-java-commits
mailing list