
openSUSE Leap 16.0 Tomcat10 Key Network Attack Vulnerabilities 2026-20612-1

openSUSE
April 23, 2026
Update available for openSUSE Leap 16.0 users: tomcat10 10.1.54 fixes 11 vulnerabilities (CVE-2026-24880, CVE-2026-25854, CVE-2026-29129, CVE-2026-29145, CVE-2026-29146, CVE-2026-32990, CVE-2026-34483, CVE-2026-34486, CVE-2026-34487, CVE-2026-34500, and the incomplete fix for CVE-2025-66614) tracked in 9 Bugzilla reports. Ensure affected systems are updated.
An update that solves 11 vulnerabilities and has 9 bug fixes can now be installed.

Description

This update for tomcat10 fixes the following issues:

- Update to Tomcat 10.1.54

- CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).

- CVE-2026-25854: Occasionally open redirect (bsc#1261851).

- CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).

- CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).

- CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).

- CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).

- CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token (bsc#1261856).

- CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).

- CVE-2026-32990: The fix for CVE-2025-66614 was incomplete (bsc#1258371).

Patch instructions:

To install this openSUSE security update, use the SUSE recommended installation methods like YaST online_update or "zypper...


Package List

- openSUSE Leap 16.0:

tomcat10-10.1.54-160000.1.1

tomcat10-admin-webapps-10.1.54-160000.1.1

tomcat10-doc-10.1.54-160000.1.1

tomcat10-docs-webapp-10.1.54-160000.1.1

tomcat10-el-5_0-api-10.1.54-160000.1.1

tomcat10-embed-10.1.54-160000.1.1

tomcat10-jsp-3_1-api-10.1.54-160000.1.1

tomcat10-jsvc-10.1.54-160000.1.1

tomcat10-lib-10.1.54-160000.1.1

tomcat10-servlet-6_0-api-10.1.54-160000.1.1

tomcat10-webapps-10.1.54-160000.1.1
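Before and after applying the patch, the check a practitioner wants is whether the installed tomcat10 build is older than the fixed build from the package list above, 10.1.54-160000.1.1. The script below is an added example, not part of the openSUSE advisory or of the Tomcat project. It assumes the rpm query format `%{VERSION}-%{RELEASE}` for the live check and uses a simplified, numeric-only stand-in for rpm's version comparison (sufficient here because both the Tomcat version and the openSUSE release string are purely numeric); the sample version strings fed to it are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the openSUSE advisory): decide whether the installed
# tomcat10 package predates the fixed build named in openSUSE-SU-2026:20612-1.

FIXED_TOMCAT10="10.1.54-160000.1.1"   # VERSION-RELEASE from the advisory package list

# vercmp A B: compare two dotted, purely numeric version strings segment by
# segment and print -1, 0 or 1. A missing trailing segment counts as 0, so
# "10.1.54" sorts below "10.1.54.1", matching rpm for numeric segments.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        [ -n "$ai" ] || ai=0
        [ -n "$bi" ] || bi=0
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' "-1"; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' "1"; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' "0"
}

# nevr_cmp A B: compare "VERSION-RELEASE" strings the way rpm orders them at
# this level: the version decides first, the release only breaks a tie.
nevr_cmp() {
    av=${1%%-*}; ar=${1#*-}
    bv=${2%%-*}; br=${2#*-}
    r=$(vercmp "$av" "$bv")
    if [ "$r" = 0 ]; then
        vercmp "$ar" "$br"
    else
        printf '%s\n' "$r"
    fi
}

# tomcat10_needs_update INSTALLED: succeed (exit 0) when INSTALLED, given as
# VERSION-RELEASE, is older than the fixed build; fail (exit 1) otherwise.
tomcat10_needs_update() {
    [ "$(nevr_cmp "$1" "$FIXED_TOMCAT10")" = "-1" ]
}

# installed_tomcat10: print the real VERSION-RELEASE via rpm when rpm exists;
# fail silently elsewhere (e.g. when run on a non-RPM host for illustration).
installed_tomcat10() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat10 2>/dev/null
}

# Constructed sample inputs; a real check would use "$(installed_tomcat10)".
for sample in "10.1.50-160000.1.1" "10.1.54-160000.1.1" "10.1.54-160000.1.2"; do
    if tomcat10_needs_update "$sample"; then
        echo "$sample: older than $FIXED_TOMCAT10, apply openSUSE-SU-2026:20612-1"
    else
        echo "$sample: at or beyond the fixed build"
    fi
done
```

Running the live check only confirms the package level; Tomcat keeps running the old classes until the service is restarted, so pair the version check with a restart of tomcat10 (or a reboot) after zypper completes.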

References

* bsc#1258371

* bsc#1261850

* bsc#1261851

* bsc#1261852

* bsc#1261853

* bsc#1261854

* bsc#1261855

* bsc#1261856

* bsc#1261857


* https://www.suse.com/security/cve/CVE-2025-66614.html

* https://www.suse.com/security/cve/CVE-2026-24880.html

* https://www.suse.com/security/cve/CVE-2026-25854.html

* https://www.suse.com/security/cve/CVE-2026-29129.html

* https://www.suse.com/security/cve/CVE-2026-29145.html

* https://www.suse.com/security/cve/CVE-2026-29146.html

* https://www.suse.com/security/cve/CVE-2026-32990.html

* https://www.suse.com/security/cve/CVE-2026-34483.html

* https://www.suse.com/security/cve/CVE-2026-34486.html

* https://www.suse.com/security/cve/CVE-2026-34487.html

* https://www.suse.com/security/cve/CVE-2026-34500.html


Announcement ID: openSUSE-SU-2026:20612-1
Rating: important
Affected Products: openSUSE Leap 16.0
