Release date: 2026-05-04 08:42:46 UTC
Description:
* Fix build process:
  - debian/keystores/ca-cert.pem, ca.jks: regenerate self-signed test CA
    using the existing ca-key.pem (previous CA valid only until
    21.03.2025). New validity: 21.04.2026 to 18.04.2036.
  - debian/keystores/localhost-cert.pem, localhost.jks,
    localhost-copy1.jks: re-issue against the new CA to keep the chain
    consistent. Existing localhost-key.pem is preserved.
  - debian/keystores/user1-cert.pem, user1.jks: re-issue against the
    new CA using the existing user1-key.pem (previous cert valid only
    until 21.03.2025).
  - debian/keystores/updating-certs.txt: refresh the procedure notes
    with current serials and expiry dates.
* SECURITY UPDATE: Insecure default configuration of the CORS filter
  allowed cross-origin requests with credentials from any origin. The
  default settings enabled supportsCredentials alongside a wildcard
  allowedOrigins. Affects Apache Tomcat 7.0.41 to 7.0.88.
  - debian/patches/CVE-2018-8014.patch: Change default allowedOrigins
    to empty and default supportsCredentials to false in the CORS
    filter, reject the unsafe combination of supportsCredentials=true
    with allowedOrigins=* at configuration time, and simplify the
    handleSimpleCORS logic accordingly. Backport of upstream commit
    d83a76732e. Note: applications relying on the previous permissive
    defaults must configure the filter explicitly.
  - CVE-2018-8014
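
A pre-upgrade check for the note above, as an added example (not part of this advisory or of Tomcat): it scans a web.xml for CorsFilter declarations that rely on the old defaults or set the combination the patched filter rejects. The function names, finding labels and sample web.xml are constructed for illustration; cors.allowed.origins and cors.support.credentials are the filter's init-param names.

```python
import xml.etree.ElementTree as ET

CORS_FILTER = "org.apache.catalina.filters.CorsFilter"

def _fields(elem):
    # Map child tag (XML namespace stripped) -> trimmed text.
    return {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}

def audit_cors(web_xml_text):
    """Return sorted (filter-name, finding) pairs for each CorsFilter declared."""
    findings = []
    for flt in ET.fromstring(web_xml_text).iter():
        meta = _fields(flt)
        if meta.get("filter-class") != CORS_FILTER:
            continue  # only <filter> elements using the CORS filter are of interest
        params = {kv["param-name"]: kv.get("param-value", "")
                  for kv in map(_fields, flt) if "param-name" in kv}
        name = meta.get("filter-name", "(unnamed)")
        origins = params.get("cors.allowed.origins")
        creds = params.get("cors.support.credentials")
        if origins is None:  # old default "*", patched default is empty
            findings.append((name, "default-origins"))
        if creds is None:  # old default true, patched default is false
            findings.append((name, "default-credentials"))
        if origins == "*" and (creds or "").lower() == "true":
            findings.append((name, "unsafe-combination"))  # rejected at configuration time
    return sorted(findings)

# Constructed sample web.xml (not from the advisory): three CorsFilter declarations.
SAMPLE = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <filter><filter-name>implicit</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class></filter>
  <filter><filter-name>wide-open</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>*</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param></filter>
  <filter><filter-name>explicit</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name><param-value>true</param-value></init-param></filter>
</web-app>"""

if __name__ == "__main__":
    for name, finding in audit_cors(SAMPLE):
        print(name, finding)
```

A filter reported as default-origins or default-credentials changes behaviour once the patched packages are installed; one reported as unsafe-combination needs an explicit origin list before the upgrade.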
Updated packages:
- libservlet3.0-java_7.0.68-1ubuntu0.4+tuxcare.els3_all.deb
  sha:9aba78a6a4ea8d918f55a2c7d816828041cbbe16
- libservlet3.0-java-doc_7.0.68-1ubuntu0.4+tuxcare.els3_all.deb
  sha:28dd3c134e260809405bfa9a2f8acc73f330e5ad
- libtomcat7-java_7.0.68-1ubuntu0.4+tuxcare.els3_all.deb
  sha:2e00423838c15f293980be772b14f986be6bac86
- tomcat7_7.0.68-1ubuntu0.4+tuxcare.els3_all.deb
  sha:9b7d810105c2837d7136ef858e757c490046007d
- tomcat7-admin_7.0.68-1ubuntu0.4+tuxcare.els3_all.deb
  sha:a7e75542dd88d4de5468d4de1ec95d50f53bac56
- tomcat7-common_7.0.68-1ubuntu0.4+tuxcare.els3_all.deb
  sha:de26b5af5867804440d46323221ecb7469004e77
- tomcat7-docs_7.0.68-1ubuntu0.4+tuxcare.els3_all.deb
  sha:5a7b8b3af31134b95105564c3875432d97190232
- tomcat7-examples_7.0.68-1ubuntu0.4+tuxcare.els3_all.deb
  sha:19de674af6ba02b7fcd0b35b048551b73ade0cc7
- tomcat7-user_7.0.68-1ubuntu0.4+tuxcare.els3_all.deb
  sha:4de427d778d3dbe1c9a52696ed10b63a1030c936
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.