Mageia 9 Tomcat Security Advisory MGASA-2026-0095 - Request Smuggling

mageia

April 12, 2026

MGASA-2026-0095 - Updated tomcat packages fix security vulnerabilities

Summary

Description: Request smuggling via invalid chunk extension. (CVE-2026-24880) Occasionally open redirect. (CVE-2026-25854) TLS cipher order is not preserved. (CVE-2026-29129) OCSP checks sometimes soft-fail even when soft-fail is disabled. (CVE-2026-29145) EncryptInterceptor vulnerable to padding oracle attack by default. (CVE-2026-29146) Fix for CVE-2025-66614 is incomplete. (CVE-2026-32990) Incomplete escaping of JSON access logs. (CVE-2026-34483) Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor. (CVE-2026-34486) Cloud membership for clustering component exposed the Kubernetes bearer token. (CVE-2026-34487) OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled. (CVE-2026-34500)

References

- https://bugs.mageia.org/show_bug.cgi?id=35341

- https://www.openwall.com/lists/oss-security/2026/04/09/20

- https://www.openwall.com/lists/oss-security/2026/04/09/21

- https://www.openwall.com/lists/oss-security/2026/04/09/22

- https://www.openwall.com/lists/oss-security/2026/04/09/23

- https://www.openwall.com/lists/oss-security/2026/04/09/24

- https://www.openwall.com/lists/oss-security/2026/04/09/25

- https://www.openwall.com/lists/oss-security/2026/04/09/26

- https://www.openwall.com/lists/oss-security/2026/04/09/27

- https://www.openwall.com/lists/oss-security/2026/04/09/28

- https://www.openwall.com/lists/oss-security/2026/04/09/29

- https://www.cve.org/CVERecord?id=CVE-2026-24880

- https://www.cve.org/CVERecord?id=CVE-2026-25854

- https://www.cve.org/CVERecord?id=CVE-2026-29129

- https://www.cve.org/CVERecord?id=CVE-2026-29145

- https://www.cve.org/CVERecord?id=CVE-2026-29146

- https://www.cve.org/CVERecord?id=CVE-2026-32990

- https://www.cve.org/CVERecord?id=CVE-2026-34483

- https://www.cve.org/CVERecord?id=CVE-2026-34486

- https://www.cve.org/CVERecord?id=CVE-2026-34487

- https://www.cve.org/CVERecord?id=CVE-2026-34500

Topics Covered

security advisory security issue request smuggling importance padding oracle attack Mageia

Resolution

SRPMS

- 9/core/tomcat-9.0.117-1.mga9

Severity

important

Lowest

Low

Medium

High

Critical

Publication date: 12 Apr 2026

URL: https://advisories.mageia.org/MGASA-2026-0095.html

Type: security

CVE: CVE-2026-24880, CVE-2026-25854, CVE-2026-29129, CVE-2026-29145, CVE-2026-29146, CVE-2026-32990, CVE-2026-34483, CVE-2026-34486, CVE-2026-34487, CVE-2026-34500

Topics Covered

security advisory security issue request smuggling importance padding oracle attack Mageia

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Like staying secure? So do we.
Sign up for updates, tips, and alerts!

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Mageia 9 Tomcat Security Advisory MGASA-2026-0095 - Request Smuggling

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Related News

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!

Topics Covered

Topics Covered

Search News & Updates

Recent Searches

Search Advisories & Updates

Recent Searches

Get the latest News and Insights

Our Top Picks

Mageia 9 Tomcat Security Advisory MGASA-2026-0095 - Request Smuggling

Summary

References

Topics Covered

Resolution

SRPMS

Topics Covered

Get the latest News and Insights

Related Articles

Related News

Powered By

Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases

QUICK LINKS

subscribe to newsletters!