Release date:
2026-05-28 14:02:01 UTC
Description:
* SECURITY UPDATE: Authentication Bypass in digest authentication
- debian/patches/CVE-2026-43512.patch: reject digest authentication
attempts for unknown users in getDigest()
- CVE-2026-43512
* SECURITY UPDATE: Account lockout bypass in LockOutRealm via case
variation of user names
- debian/patches/CVE-2026-43513.patch: add a caseSensitive attribute
to LockOutRealm and treat user names case-insensitively by default
- CVE-2026-43513
* SECURITY UPDATE: Observable timing discrepancy in AJP secret comparison
- debian/patches/CVE-2026-43514.patch: add ConstantTime helper and
switch the AJP secret comparison to a constant time algorithm
- CVE-2026-43514
* SECURITY UPDATE: Improper authorisation when multiple method
constraints define an HTTP method for the same extension
- debian/patches/CVE-2026-43515.patch: evaluate findMethod() against
every matching SecurityCollection rather than only the last one
- CVE-2026-43515
* SECURITY UPDATE: Exposure of HTTP authorisation header to unexpected
hosts during WebSocket authentication
- debian/patches/CVE-2026-42498.patch: drop the cached Authorization
header from userProperties before following a WebSocket upgrade
redirect so it is not sent to the host named in Location
- CVE-2026-42498
* SECURITY UPDATE: HTTP/2 header values were not validated for control
characters and other illegal bytes
- debian/patches/CVE-2026-41293.patch: validate field names and values
in HpackDecoder and HPackHuffman using the new HttpParser
isFieldVChar / isFieldContent tables
- CVE-2026-41293
* SECURITY UPDATE: Allocation of resources without limits in WebDAV
LOCK and PROPFIND request bodies
- debian/patches/CVE-2026-41284.patch: read PROPFIND and LOCK bodies
through a new BoundedByteArrayOutputStream limited by the new
maxRequestBodySize init parameter (default 4096 bytes)
- CVE-2026-41284
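The AJP secret entry above replaces an early-exit comparison with a constant-time one. The Java below is an added illustration of that change, not Tomcat's AJP code and not the ConstantTime helper from the CVE-2026-43514 patch; the class name, method names and sample secrets are constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Illustrative only: shows why a byte-by-byte early-exit comparison of a
// shared secret leaks timing, and one constant-time replacement.
public class SecretCompare {

    // Early-exit comparison: returns at the first mismatching byte, so the
    // time taken grows with the number of leading bytes that matched.
    static boolean earlyExitEquals(byte[] expected, byte[] supplied) {
        if (expected.length != supplied.length) {
            return false;
        }
        for (int i = 0; i < expected.length; i++) {
            if (expected[i] != supplied[i]) {
                return false;
            }
        }
        return true;
    }

    // Constant-time comparison: always walks the full expected length and
    // folds every difference into an accumulator, so the running time does
    // not depend on where (or whether) the inputs differ. A length mismatch
    // is recorded in the accumulator instead of short-circuiting; the loop
    // then compares expected against itself only to keep its length fixed.
    static boolean constantTimeEquals(byte[] expected, byte[] supplied) {
        byte[] other = (supplied.length == expected.length) ? supplied : expected;
        int diff = expected.length ^ supplied.length; // non-zero if lengths differ
        for (int i = 0; i < expected.length; i++) {
            diff |= expected[i] ^ other[i];
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample secrets, not real configuration values.
        byte[] configured = "s3cret-ajp-value".getBytes(StandardCharsets.UTF_8);
        byte[] correct    = "s3cret-ajp-value".getBytes(StandardCharsets.UTF_8);
        byte[] nearMiss   = "s3cret-ajp-valuX".getBytes(StandardCharsets.UTF_8);
        byte[] shortOne   = "s3".getBytes(StandardCharsets.UTF_8);

        System.out.println("early-exit, correct:   " + earlyExitEquals(configured, correct));
        System.out.println("early-exit, near miss: " + earlyExitEquals(configured, nearMiss));
        System.out.println("constant,   correct:   " + constantTimeEquals(configured, correct));
        System.out.println("constant,   near miss: " + constantTimeEquals(configured, nearMiss));
        System.out.println("constant,   short:     " + constantTimeEquals(configured, shortOne));

        // The JDK ships an equivalent primitive; prefer it over hand-rolled code
        // when it is available to the code base.
        System.out.println("MessageDigest.isEqual: " + MessageDigest.isEqual(configured, correct));
    }
}
```

The point to check in a review of any secret or token comparison is the same as in the patch description: the comparison must not return early on the first differing byte, and the length check must not be the only thing that decides the result before the loop runs.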
Updated packages:
- libtomcat9-embed-java_9.0.31-1~deb10u12+tuxcare.els5_all.deb
  sha:2d969cfeb8f2d2e05570b2277745b4f528506ddf
- libtomcat9-java_9.0.31-1~deb10u12+tuxcare.els5_all.deb
  sha:8921f592921fc6989ead896f320808351b82d94d
- tomcat9_9.0.31-1~deb10u12+tuxcare.els5_all.deb
  sha:17c9d875467153bd39659c057cd07fc2ec12e910
- tomcat9-admin_9.0.31-1~deb10u12+tuxcare.els5_all.deb
  sha:64215f5453cf59ad05b471bf461e7acf2875daba
- tomcat9-common_9.0.31-1~deb10u12+tuxcare.els5_all.deb
  sha:6d9917abfeab96706638de832758695267f82680
- tomcat9-docs_9.0.31-1~deb10u12+tuxcare.els5_all.deb
  sha:534c50c9e65fa0780933dfdd383bfac2da1a92a1
- tomcat9-examples_9.0.31-1~deb10u12+tuxcare.els5_all.deb
  sha:27e3bed5a471944c00717a5bf5111630bb9d456f
- tomcat9-user_9.0.31-1~deb10u12+tuxcare.els5_all.deb
  sha:e8971b06aad709739d776baa73d42a6146545535
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.