Add upstream commits for CVE-2020-1938/tomcat8

Important note for reviewers, from the list one commit is missing which
is listed in the
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51
page (but does not seem valid).

Thus this needs another check.