This update for tomcat11 fixes the following issues
Update to Tomcat 11.0.22:
- CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162).
- CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163).
- CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165).
- CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145).
- CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166).
- CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167).
- CVE-2026-43515: Security constraints not correctly applied (bsc#1265168).
Changes:
* Catalina
+ Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and
OpenSSL version information (both APR and FFM implementations), along with
version compatibility warnings and third-party library version
information. (csutherl)
+ Code: Refactor generation of the remote user element in the access log to
remove unnecessary code....
Read the Full Advisory- openSUSE Leap 16.0:
tomcat11-11.0.22-160000.1.1
tomcat11-admin-webapps-11.0.22-160000.1.1
tomcat11-doc-11.0.22-160000.1.1
tomcat11-docs-webapp-11.0.22-160000.1.1
tomcat11-el-6_0-api-11.0.22-160000.1.1
tomcat11-embed-11.0.22-160000.1.1
tomcat11-jsp-4_0-api-11.0.22-160000.1.1
tomcat11-jsvc-11.0.22-160000.1.1
tomcat11-lib-11.0.22-160000.1.1
tomcat11-servlet-6_1-api-11.0.22-160000.1.1
tomcat11-webapps-11.0.22-160000.1.1
* bsc#1265145
* bsc#1265162
* bsc#1265163
* bsc#1265165
* bsc#1265166
* bsc#1265167
* bsc#1265168
References:
* https://www.suse.com/security/cve/CVE-2026-41284.html
* https://www.suse.com/security/cve/CVE-2026-41293.html
* https://www.suse.com/security/cve/CVE-2026-42498.html
* https://www.suse.com/security/cve/CVE-2026-43512.html
* https://www.suse.com/security/cve/CVE-2026-43513.html
* https://www.suse.com/security/cve/CVE-2026-43514.html
* https://www.suse.com/security/cve/CVE-2026-43515.html
Get the latest Linux and open source security news straight to your inbox.