From ea883e63b79f2949beae6ed3d13e22db333a539e Mon Sep 17 00:00:00 2001
From: Mark Thomas
Date: Thu, 19 Sep 2024 06:25:24 -0600
Subject: [PATCH 1/2] If the Jakarta Authentication fails with an exception, set a 500 status

Depending on what fails where, the status may not be set or may be set incorrectly.
---
 .../org/apache/catalina/authenticator/AuthenticatorBase.java | 2 ++
 webapps/docs/changelog.xml | 5 +++++
 2 files changed, 7 insertions(+)

diff --git a/java/org/apache/catalina/authenticator/AuthenticatorBase.java b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
index b4eb94ebfd9c..7a9f3b4269cd 100644
--- a/java/org/apache/catalina/authenticator/AuthenticatorBase.java
+++ b/java/org/apache/catalina/authenticator/AuthenticatorBase.java
@@ -806,6 +806,8 @@ private boolean authenticateJaspic(Request request, Response response, JaspicSta
 authStatus = state.serverAuthContext.validateRequest(state.messageInfo, client, null);
 } catch (AuthException e) {
 log.debug(sm.getString("authenticator.loginFail"), e);
+ // Need to explicitly set the return code as the ServerAuthContext may not have done.
+ response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR);
 return false;
 }
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 839eaf8b92b3..bb8154ec25a1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -145,6 +145,11 @@ NullPointerException, if an attempt is made to use the AsyncContext after it has been recycled. (markt) + + If the Jakarta Authentication process fails with an Exception, explicitly set the HTTP response status to 500 as the ServerAuthContext may not have set it. (markt) +

From 558d020f813f698fc6fe348cfdb63be63bf53dfa Mon Sep 17 00:00:00 2001
From: Cesar Hernandez
Date: Wed, 20 Nov 2024 15:44:00 -0600
Subject: [PATCH 2/2] Backport 7532f9d to mitigate CVE-2024-52316 and updated version to 8.5.100-TT.4
---
 build.properties.default | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
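Review bot: The added `response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR)` in the `catch (AuthException e)` block is, if the usual servlet/Catalina contract applies to this `Response`, silently ignored when the ServerAuthContext has already committed the response before throwing, so the fail-closed status this fix relies on may never reach the client; consider `if (!response.isCommitted()) { response.setStatus(HttpServletResponse.SC_INTERNAL_SERVER_ERROR); }` and logging when the status could not be applied. Relatedly, an exception out of `validateRequest` indicates a broken or misconfigured authentication module rather than an ordinary failed login, yet the preceding line records it only with `log.debug(sm.getString("authenticator.loginFail"), e)`; raising that to `log.warn` or `log.error` would make a module that is now failing every request with a 500 visible to operators without debug logging enabled. The new line also overwrites unconditionally any status the context may have set before throwing (for example a 401 challenge), which is a defensible fail-closed choice but worth stating in the comment. `authenticateJaspic` begins and ends outside this hunk, and what the caller does with the `false` return is not visible here.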
diff --git a/build.properties.default b/build.properties.default
index 5665dde93a95..5ab731ceb6d4 100644
--- a/build.properties.default
+++ b/build.properties.default
@@ -33,7 +33,7 @@ version.major=8 version.minor=5 version.build=100 version.patch=0 -version.suffix=-TT.3 +version.suffix=-TT.4 version.dev= # ----- Build tools -----