openSUSE Leap 16.0 Tomcat11 Important Client Verification Flaw 2026-20414-1

opensuse
March 28, 2026
openSUSE has released an update that resolves important security flaws in Tomcat 11, including a client certificate verification bypass. Install the update immediately.
An update that solves 3 vulnerabilities and has 4 bug fixes can now be installed.

Description

This update for tomcat11 fixes the following issues:

Update to Tomcat 11.0.18:

- CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371).

- CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385).

- CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387).

Changelog:

+ Fix: 69932: Fix request end access log pattern regression, which would log the start time of the request instead. (remm)

+ Fix: 69623: Additional fix for the long standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled if the target resource was packaged in a JAR file. (markt)

+ Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the CsrfPreventionFilter. (schultz)

+ Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2 requests when the content-length header is...

Patch

Package List

- openSUSE Leap 16.0:

tomcat11-11.0.18-160000.1.1

tomcat11-admin-webapps-11.0.18-160000.1.1

tomcat11-doc-11.0.18-160000.1.1

tomcat11-docs-webapp-11.0.18-160000.1.1

tomcat11-el-6_0-api-11.0.18-160000.1.1

tomcat11-embed-11.0.18-160000.1.1

tomcat11-jsp-4_0-api-11.0.18-160000.1.1

tomcat11-jsvc-11.0.18-160000.1.1

tomcat11-lib-11.0.18-160000.1.1

tomcat11-servlet-6_1-api-11.0.18-160000.1.1

tomcat11-webapps-11.0.18-160000.1.1
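
As a check a practitioner can run after applying this advisory, here is an added POSIX shell example (not part of the advisory and not openSUSE or SUSE tooling) that compares installed tomcat11 subpackage versions against the fixed build 11.0.18-160000.1.1 from the package list above. It assumes `rpm` with the `--qf` query format shown and purely numeric version/release segments, as in the listed NVRs; the two sample lines are constructed for illustration, not real host output.

```shell
#!/bin/sh
# Added example: verify that tomcat11 packages are at or above the build
# shipped in openSUSE-SU-2026:20414-1. Not part of the advisory.

# Fixed version-release from the advisory's package list.
FIXED_EVR="11.0.18-160000.1.1"

# Compare two dotted/dashed numeric version strings segment by segment.
# Echoes -1, 0 or 1 for $1 <, ==, > $2. A missing trailing segment counts
# as 0, so "11.0.18" sorts below "11.0.18-160000.1.1".
# Assumption: segments are numeric, as in the NVRs this advisory lists.
evr_cmp() {
  v1=$(printf '%s' "$1" | tr '.-' '  ')
  v2=$(printf '%s' "$2" | tr '.-' '  ')
  while [ -n "$v1" ] || [ -n "$v2" ]; do
    s1=${v1%% *}; [ "$s1" = "$v1" ] && v1="" || v1=${v1#* }
    s2=${v2%% *}; [ "$s2" = "$v2" ] && v2="" || v2=${v2#* }
    if [ "${s1:-0}" -lt "${s2:-0}" ]; then echo -1; return; fi
    if [ "${s1:-0}" -gt "${s2:-0}" ]; then echo 1; return; fi
  done
  echo 0
}

# Given one line of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <pkg>`
# output, report whether the installed build already carries the fix.
# Returns 1 for a build older than FIXED_EVR, 0 otherwise ("not installed"
# lines are reported as SKIP and do not count as vulnerable).
check_pkg() {
  name=${1%% *}
  evr=${1#* }
  case $evr in
    [0-9]*) ;;
    *) echo "SKIP $1"; return 0 ;;
  esac
  case $(evr_cmp "$evr" "$FIXED_EVR") in
    -1) echo "VULNERABLE $name $evr (fixed in $FIXED_EVR)"; return 1 ;;
    *)  echo "OK $name $evr"; return 0 ;;
  esac
}

# Query the live RPM database for the subpackages named in the advisory.
# Does nothing on a host without rpm (e.g. when run outside openSUSE).
scan_installed() {
  command -v rpm >/dev/null 2>&1 || { echo "rpm not found; nothing scanned"; return 0; }
  rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
    tomcat11 tomcat11-lib tomcat11-embed tomcat11-webapps \
    tomcat11-admin-webapps tomcat11-docs-webapp 2>/dev/null |
  while IFS= read -r line; do
    check_pkg "$line" || :
  done
}

# Constructed sample lines (not real host output): one pre-fix build and one
# at the fixed build.
SAMPLE_OLD="tomcat11 11.0.16-160000.1.1"
SAMPLE_NEW="tomcat11-lib 11.0.18-160000.1.1"

for line in "$SAMPLE_OLD" "$SAMPLE_NEW"; do
  check_pkg "$line" || :
done
scan_installed
```

On a Leap 16.0 host, any line reported VULNERABLE means that subpackage still predates this advisory and `zypper patch` (or installing the listed NVRs) is outstanding; a SKIP line only says the subpackage is not installed, which is the expected state for optional pieces such as the docs webapp.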

References

* bsc#1253460

* bsc#1258371

* bsc#1258385

* bsc#1258387

* https://www.suse.com/security/cve/CVE-2025-66614.html

* https://www.suse.com/security/cve/CVE-2026-24733.html

* https://www.suse.com/security/cve/CVE-2026-24734.html

Severity: important

Announcement ID: openSUSE-SU-2026:20414-1
Rating: important
Affected Products: openSUSE Leap 16.0
