SUSE Linux 16.0 Tomcat 11 Major HTTP Request Smuggling Security Issues

April 28, 2026
SUSE security update for tomcat11 resolves important issues including request smuggling and TLS cipher order.
An update that solves 11 vulnerabilities can now be installed.

Summary

This update for tomcat11 fixes the following issues:

* Update to Tomcat 11.0.21
* CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
* CVE-2026-25854: Occasionally open redirect (bsc#1261851).
* CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
* CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
* CVE-2026-29146, CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
* CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
* CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token (bsc#1261856).
* CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).

References

* bsc#1258371

* bsc#1261850

* bsc#1261851

* bsc#1261852

* bsc#1261853

* bsc#1261854

* bsc#1261855

* bsc#1261856

* bsc#1261857

Cross-

* CVE-2025-66614

* CVE-2026-24880

* CVE-2026-25854

* CVE-2026-29129

* CVE-2026-29145

* CVE-2026-29146

* CVE-2026-32990

* CVE-2026-34483

* CVE-2026-34486

* CVE-2026-34487

* CVE-2026-34500

CVSS scores:

* CVE-2025-66614 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

* CVE-2025-66614 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

* CVE-2025-66614 ( NVD ): 7.6 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L

* CVE-2025-66614 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

* CVE-2026-24880 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Severity: important

Announcement ID: SUSE-SU-2026:21366-1
Release Date: 2026-04-21T11:33:15Z
Rating: important
