This update for tomcat11 fixes the following issues:
Update to Tomcat 11.0.18:
- CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371).
- CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385).
- CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387).
Changelog:
+ Fix: 69932: Fix request end access log pattern regression, which would log
the start time of the request instead. (remm)
+ Fix: 69623: Additional fix for the long standing regression that meant
that calls to ClassLoader.getResource().getContent() failed when made from
within a web application with resource caching enabled if the target
resource was packaged in a JAR file. (markt)
+ Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the
CsrfPreventionFilter. (schultz)
+ Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2
requests when the content-length header is...
openSUSE Leap 16.0:
tomcat11-11.0.18-160000.1.1
tomcat11-admin-webapps-11.0.18-160000.1.1
tomcat11-doc-11.0.18-160000.1.1
tomcat11-docs-webapp-11.0.18-160000.1.1
tomcat11-el-6_0-api-11.0.18-160000.1.1
tomcat11-embed-11.0.18-160000.1.1
tomcat11-jsp-4_0-api-11.0.18-160000.1.1
tomcat11-jsvc-11.0.18-160000.1.1
tomcat11-lib-11.0.18-160000.1.1
tomcat11-servlet-6_1-api-11.0.18-160000.1.1
tomcat11-webapps-11.0.18-160000.1.1
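A quick way to check whether a host still carries a pre-fix build is to compare the installed NEVR strings against the fixed version above. The script below is an added example, not part of the SUSE advisory or the Tomcat project; it assumes input in the form printed by `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'tomcat11*'` (the sample lines are constructed, including deliberately older builds) and uses a simplified version of rpm's segment-wise version comparison that ignores epochs and the `~`/`^` rules.

```python
import re

# Fixed version/release for openSUSE Leap 16.0, taken from the package list above.
FIXED_VERSION = "11.0.18"
FIXED_RELEASE = "160000.1.1"

# Constructed sample output of `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 'tomcat11*'`
# (two of these lines are deliberately older than the fixed build).
SAMPLE_RPM_OUTPUT = """\
tomcat11-11.0.17-160000.1.1
tomcat11-lib-11.0.18-160000.1.1
tomcat11-servlet-6_1-api-11.0.18-160000.1.1
tomcat11-embed-11.0.9-160000.2.3
"""


def parse_nvr(nvr):
    """Split NAME-VERSION-RELEASE; package names may themselves contain '-'."""
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release


def _segments(s):
    # rpm compares runs of digits and runs of letters as separate segments.
    return re.findall(r"[0-9]+|[A-Za-z]+", s)


def rpm_vercmp(a, b):
    """Simplified rpmvercmp: numeric segments compare numerically, alphabetic ones
    lexically, a numeric segment beats an alphabetic one, and the longer
    string wins when one is a prefix of the other. Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return -1 if xi < yi else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    if len(sa) != len(sb):
        return -1 if len(sa) < len(sb) else 1
    return 0


def is_fixed(nvr, fixed_version=FIXED_VERSION, fixed_release=FIXED_RELEASE):
    """True if the installed build is at or above the fixed version-release."""
    _, version, release = parse_nvr(nvr)
    c = rpm_vercmp(version, fixed_version)
    if c != 0:
        return c > 0
    return rpm_vercmp(release, fixed_release) >= 0


def vulnerable_packages(rpm_output):
    """Return the NEVR lines that are still below the fixed build."""
    return [
        line.strip()
        for line in rpm_output.splitlines()
        if line.strip() and not is_fixed(line.strip())
    ]


if __name__ == "__main__":
    for pkg in vulnerable_packages(SAMPLE_RPM_OUTPUT):
        print("needs update:", pkg)
```

Feed it real `rpm -q` output instead of the constructed sample, and adjust `FIXED_VERSION`/`FIXED_RELEASE` for products other than Leap 16.0, since the release suffix differs per product.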
* bsc#1253460
* bsc#1258371
* bsc#1258385
* bsc#1258387
References:
* https://www.suse.com/security/cve/CVE-2025-66614.html
* https://www.suse.com/security/cve/CVE-2026-24733.html
* https://www.suse.com/security/cve/CVE-2026-24734.html