Release date:
2026-06-05 08:56:53 UTC
Description:
* SECURITY UPDATE: fix the handling of invalid users with DIGEST authentication
- debian/patches/CVE-2026-43512.patch: fix the handling of invalid users with DIGEST authentication
- CVE-2026-43512
* SECURITY UPDATE: add case sensitive attribute to LockOutRealm
- debian/patches/CVE-2026-43513.patch: add case sensitive attribute to LockOutRealm
- CVE-2026-43513
* SECURITY UPDATE: switch AJP secret comparison to a constant time algorithm
- debian/patches/CVE-2026-43514.patch: switch AJP secret comparison to a constant time algorithm
- CVE-2026-43514
* SECURITY UPDATE: ensure RealmBase finds all matching extension based constraints
- debian/patches/CVE-2026-43515.patch: ensure RealmBase finds all matching extension based constraints
- CVE-2026-43515
* SECURITY UPDATE: add a configurable limit for WebDAV XML request bodies
- debian/patches/CVE-2026-41284.patch: add a configurable limit for WebDAV XML request bodies
- CVE-2026-41284
* SECURITY UPDATE: fix WebSocket + proxy + DIGEST auth on proxy
- debian/patches/CVE-2026-42498.patch: fix WebSocket + proxy + DIGEST auth on proxy
- CVE-2026-42498
* SECURITY UPDATE: HTTP/2 header filtering - validate decoded HPACK names/values against RFC 7230 token/field-vchar/field-content rules
- debian/patches/CVE-2026-41293.patch: HTTP/2 header filtering - validate decoded HPACK names/values against RFC 7230 token/field-vchar/field-content rules
- CVE-2026-41293
* Build: refresh debian/test_certs/ test fixtures (CA + RSA/EC server
certs + client cert) — upstream localhost-rsa.jks is expired since
2025-02-16 and 8.5.x is no longer rotated; new fixtures are signed
by a fresh self-signed CA with 10-year validity, applied via the
existing TEST_CERTS_DIR overlay in debian/rules.
Updated packages:
- libtomcat8-embed-java_8.5.100-1ubuntu1~18.04.1+tuxcare.els3_all.deb
  sha:dfadbc547ef9e8e85824d565c4244ce2f49b4293
- libtomcat8-java_8.5.100-1ubuntu1~18.04.1+tuxcare.els3_all.deb
  sha:3e2d4d92ca3abfec6d1b7ee03bcceeac8c6e590e
- tomcat8_8.5.100-1ubuntu1~18.04.1+tuxcare.els3_all.deb
  sha:045418c97d47b39532a4a8c7ad40aa477c2b26e2
- tomcat8-admin_8.5.100-1ubuntu1~18.04.1+tuxcare.els3_all.deb
  sha:df0164c53ea02d84b8e3788e15cb1969e8cec166
- tomcat8-common_8.5.100-1ubuntu1~18.04.1+tuxcare.els3_all.deb
  sha:20616509c062c3e07dfc9c56efa9b4373114aa92
- tomcat8-docs_8.5.100-1ubuntu1~18.04.1+tuxcare.els3_all.deb
  sha:c0cc65bbb9af6ffefc7b9e559b93d59b60cd0675
- tomcat8-examples_8.5.100-1ubuntu1~18.04.1+tuxcare.els3_all.deb
  sha:a5fb720d2a9fd13749e5ac5fb0fc3af5812de8ba
- tomcat8-user_8.5.100-1ubuntu1~18.04.1+tuxcare.els3_all.deb
  sha:166635290bcb5db6baac0aed1cfe2cdd9874dfb5
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.