MGASA-2025-0105 - Updated tomcat packages fix security vulnerabilities

Publication date: 19 Mar 2025
URL: https://advisories.mageia.org/MGASA-2025-0105.html
Type: security
Affected Mageia releases: 9
CVE: CVE-2004-56337, CVE-2025-24813

Time-of-check Time-of-use (TOCTOU) Race Condition vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.1, from 10.1.0-M1 through 10.1.33, from 9.0.0.M1 through 9.0.97.

The mitigation for CVE-2024-50379 was incomplete. Users running Tomcat on a case insensitive file system with the default servlet write enabled (readonly initialisation parameter set to the non-default value of false) may need additional configuration to fully mitigate CVE-2024-50379 depending on which version of Java they are using with Tomcat:
- running on Java 8 or Java 11: the system property sun.io.useCanonCaches must be explicitly set to false (it defaults to true)
- running on Java 17: the system property sun.io.useCanonCaches, if set, must be set to false (it defaults to false)
- running on Java 21 onwards: no further configuration is required (the system property and the problematic cache have been removed)

Tomcat 11.0.3, 10.1.35 and 9.0.99 onwards will include checks that sun.io.useCanonCaches is set appropriately before allowing the default servlet to be write enabled on a case insensitive file system. Tomcat will also set sun.io.useCanonCaches to false by default where it can. (CVE-2004-56337)

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98.

If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads
- attacker knowledge of the names of security sensitive files being uploaded
- the security sensitive files also being uploaded via partial PUT

If all of the following were true, a malicious user was able to perform remote code execution:
- writes enabled for the default servlet (disabled by default)
- support for partial PUT (enabled by default)
- application was using Tomcat's file based session persistence with the default storage location
- application included a library that may be leveraged in a deserialization attack

Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue. (CVE-2025-24813)

References:
- https://bugs.mageia.org/show_bug.cgi?id=34112
- https://www.cve.org/CVERecord?id=CVE-2004-56337
- https://www.cve.org/CVERecord?id=CVE-2025-24813

SRPMS:
- 9/core/tomcat-9.0.102-1.mga9

Severity: Important. LinuxSecurity.com Team
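The Java-version-dependent part of the CVE-2024-50379 mitigation is easy to get wrong when one Tomcat build is deployed on several JVMs, so the following is an added check script (written for this page; it is not the Mageia advisory's or the Apache Tomcat project's code). Given the Java major version, the JVM options and the default servlet's readonly init parameter, it reports whether sun.io.useCanonCaches is set the way the advisory requires, and notes that a read-only default servlet (the default) closes the write path both CVEs depend on. The function names and the sample configurations are assumptions constructed for the example; in practice the inputs would come from `java -version`, the Tomcat startup options and conf/web.xml.

```sh
#!/bin/sh
# Added example, not code from the Mageia advisory or from Apache Tomcat.
# Decides whether a Tomcat instance still needs sun.io.useCanonCaches=false
# to complete the CVE-2024-50379 mitigation, following the advisory's rules:
#   Java 8/11 : property must be explicitly false (defaults to true)
#   Java 17   : property, if set, must be false (defaults to false)
#   Java 21+  : property and cache removed, nothing to do
# Function names and the sample inputs below are constructed for this example.

# required_setting JAVA_MAJOR -> prints which rule applies to that Java major version
required_setting() {
  case "$1" in
    8|11) echo "explicit-false" ;;
    17)   echo "false-if-set" ;;
    *)    if [ "$1" -ge 21 ] 2>/dev/null; then echo "not-needed"; else echo "unknown"; fi ;;
  esac
}

# canon_caches_value "JVM OPTIONS" -> value passed via -Dsun.io.useCanonCaches=..., or "unset"
# The last occurrence wins, matching how the JVM treats a repeated -D flag.
canon_caches_value() {
  v=$(printf '%s\n' "$1" | tr ' ' '\n' | sed -n 's/^-Dsun\.io\.useCanonCaches=//p' | tail -n 1)
  if [ -n "$v" ]; then echo "$v"; else echo "unset"; fi
}

# check_mitigation JAVA_MAJOR "JVM OPTIONS" READONLY
# READONLY is the default servlet's readonly init parameter from conf/web.xml
# ("true" unless an administrator changed it). Prints a verdict; returns 0 when
# the configuration is acceptable, 1 when it is not, 2 for an unknown Java version.
check_mitigation() {
  major=$1; opts=$2; ro=$3
  if [ "$ro" != "false" ]; then
    echo "ok: default servlet is read-only, so the write path CVE-2024-50379 needs is closed"
    return 0
  fi
  val=$(canon_caches_value "$opts")
  case "$(required_setting "$major")" in
    explicit-false)
      if [ "$val" = "false" ]; then echo "ok: sun.io.useCanonCaches=false on Java $major"; return 0; fi
      echo "FAIL: Java $major defaults sun.io.useCanonCaches to true; add -Dsun.io.useCanonCaches=false"
      return 1 ;;
    false-if-set)
      if [ "$val" = "unset" ] || [ "$val" = "false" ]; then echo "ok: Java 17 default (false) in effect"; return 0; fi
      echo "FAIL: sun.io.useCanonCaches=$val on Java 17; remove it or set it to false"
      return 1 ;;
    not-needed)
      echo "ok: Java $major has no sun.io.useCanonCaches property"; return 0 ;;
    *)
      echo "unknown Java major version '$major'"; return 2 ;;
  esac
}

# Constructed sample configurations: "java_major|JVM options|readonly".
for sample in \
  "8|-Xmx1g|false" \
  "11|-Xmx1g -Dsun.io.useCanonCaches=false|false" \
  "17|-Dsun.io.useCanonCaches=true|false" \
  "21||false" \
  "11||true"; do
  m=${sample%%|*}; rest=${sample#*|}; o=${rest%%|*}; r=${rest#*|}
  printf 'Java %s, opts "%s", readonly=%s -> ' "$m" "$o" "$r"
  check_mitigation "$m" "$o" "$r" || :
done
```

The script only inspects configuration it is handed; it does not probe a running server. The readonly parameter is treated as the first gate because, as both CVE descriptions above state, neither issue is reachable unless writes are enabled for the default servlet, which is not the shipped default.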
--------------------------------------------------------------------------------
Fedora Update Notification
FEDORA-2024-2bf73514cd
2024-06-13 03:03:09.807769
--------------------------------------------------------------------------------

Name        : tomcat
Product     : Fedora 39
Version     : 9.0.89
Release     : 1.fc39
URL         : http://tomcat.apache.org/
Summary     : Apache Servlet/JSP Engine, RI for Servlet 4.0/JSP 2.3 API
Description :
Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world.

--------------------------------------------------------------------------------
Update Information:

This update includes a rebase from 9.0.83 to 9.0.89.
#2269611 CVE-2024-24549 tomcat: CVE-2024-24549: Apache Tomcat: HTTP/2 header handling DoS
#2269612 CVE-2024-23672 tomcat: Apache Tomcat: WebSocket DoS with incomplete closing handshake

--------------------------------------------------------------------------------
ChangeLog:

* Mon May 27 2024 Dimitris Soumis - 1:9.0.89-1
- Update to 9.0.89

--------------------------------------------------------------------------------
This update can be installed with the "dnf" update program. Use

  su -c 'dnf upgrade --advisory FEDORA-2024-2bf73514cd'

at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label

All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at https://fedoraproject.org/keys
--------------------------------------------------------------------------------
Debian LTS Advisory DLA-3707-1

Apache Tomcat 9, a Servlet and JSP engine, was vulnerable: an Improper Input Validation vulnerability was present, and Tomcat did not correctly parse HTTP trailer headers.
MGASA-2023-0319 - Updated tomcat packages fix security vulnerabilities

Publication date: 15 Nov 2023
URL: https://advisories.mageia.org/MGASA-2023-0319.html
Type: security
Affected Mageia releases: 8, 9
CVE: CVE-2023-42795, CVE-2023-45648

The updated packages fix security vulnerabilities:

Incomplete Cleanup vulnerability in Apache Tomcat. When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. (CVE-2023-42795)

Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. (CVE-2023-45648)

References:
- https://bugs.mageia.org/show_bug.cgi?id=32377
- https://www.openwall.com/lists/oss-security/2023/10/10/9
- https://www.openwall.com/lists/oss-security/2023/10/10/10
- https://www.cve.org/CVERecord?id=CVE-2023-42795
- https://www.cve.org/CVERecord?id=CVE-2023-45648

SRPMS:
- 8/core/tomcat-9.0.82-1.mga8
- 9/core/tomcat-9.0.82-1.mga9

Severity: Critical. LinuxSecurity.com Team
Gentoo Linux Security Advisory GLSA 202305-37
https://security.gentoo.org/

Severity: Low
Title: Apache Tomcat: Multiple Vulnerabilities
Date: May 30, 2023
Bugs: #878911, #889596, #896370, #907387
ID: 202305-37

Synopsis
========
Multiple vulnerabilities have been found in Apache Tomcat, the worst of which could result in denial of service.

Background
==========
Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Affected packages
=================
Package             Vulnerable    Unaffected
------------------  ------------  ------------
www-servers/tomcat  < 10.1.8      >= 10.1.8

Description
===========
Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details.

Impact
======
Please review the referenced CVE identifiers for details.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All Apache Tomcat users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-10.1.8"

References
==========
[ 1 ] CVE-2022-42252
      https://nvd.nist.gov/vuln/detail/CVE-2022-42252
[ 2 ] CVE-2022-45143
      https://nvd.nist.gov/vuln/detail/CVE-2022-45143
[ 3 ] CVE-2023-24998
      https://nvd.nist.gov/vuln/detail/CVE-2023-24998
[ 4 ] CVE-2023-28709
      https://nvd.nist.gov/vuln/detail/CVE-2023-28709

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202305-37

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
Gentoo Linux Security Advisory GLSA 202208-34
https://security.gentoo.org/

Severity: Low
Title: Apache Tomcat: Multiple Vulnerabilities
Date: August 21, 2022
Bugs: #773571, #801916, #818160, #855971
ID: 202208-34

Synopsis
========
Multiple vulnerabilities have been discovered in Apache Tomcat, the worst of which could result in denial of service.

Background
==========
Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Affected packages
=================
Package             Vulnerable       Unaffected
------------------  ---------------  ---------------
www-servers/tomcat  < 8.5.82:8.5     >= 8.5.82:8.5
                    < 9.0.65:9       >= 9.0.65:9
                    < 10.0.23:10     >= 10.0.23:10

Description
===========
Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details.

Impact
======
Please review the referenced CVE identifiers for details.

Workaround
==========
There is no known workaround at this time.

Resolution
==========
All Apache Tomcat 10.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-10.0.23:10"

All Apache Tomcat 9.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-9.0.65:9"

All Apache Tomcat 8.5.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.82:8.5"

References
==========
[ 1 ] CVE-2021-25122
      https://nvd.nist.gov/vuln/detail/CVE-2021-25122
[ 2 ] CVE-2021-25329
      https://nvd.nist.gov/vuln/detail/CVE-2021-25329
[ 3 ] CVE-2021-30639
      https://nvd.nist.gov/vuln/detail/CVE-2021-30639
[ 4 ] CVE-2021-30640
      https://nvd.nist.gov/vuln/detail/CVE-2021-30640
[ 5 ] CVE-2021-33037
      https://nvd.nist.gov/vuln/detail/CVE-2021-33037
[ 6 ] CVE-2021-42340
      https://nvd.nist.gov/vuln/detail/CVE-2021-42340
[ 7 ] CVE-2022-34305
      https://nvd.nist.gov/vuln/detail/CVE-2022-34305

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202208-34

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to
MGASA-2021-0020 - Updated tomcat packages fix security vulnerability

Publication date: 10 Jan 2021
URL: https://advisories.mageia.org/MGASA-2021-0020.html
Type: security
Affected Mageia releases: 7
CVE: CVE-2020-17527

While investigating Apache issue 64830 it was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak between requests (CVE-2020-17527).

The tomcat package has been updated to version 9.0.39, and patched to fix this issue.

References:
- https://bugs.mageia.org/show_bug.cgi?id=27739
- https://tomcat.apache.org/security-9.html
- https://www.cve.org/CVERecord?id=CVE-2020-17527

SRPMS:
- 7/core/tomcat-9.0.39-1.mga7

Severity: Critical. LinuxSecurity.com Team
Gentoo Linux Security Advisory GLSA 202012-23
https://security.gentoo.org/

Severity: Low
Title: Apache Tomcat: Information disclosure
Date: December 24, 2020
Bugs: #758338
ID: 202012-23

Synopsis
========
A vulnerability has been discovered in Apache Tomcat that allows for the disclosure of sensitive information.

Background
==========
Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Affected packages
=================
Package             Vulnerable       Unaffected
------------------  ---------------  ---------------
www-servers/tomcat  < 8.5.60:8.5     >= 8.5.60:8.5
                    < 9.0.40:9       >= 9.0.40:9

Description
===========
It was discovered that Apache Tomcat could re-use an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream.

Impact
======
A remote attacker, by sending well-timed HTTP/2 requests, could possibly obtain sensitive information.

Workaround
==========
Disable HTTP/2 support.

Resolution
==========
All Apache Tomcat 8.5.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.5.60:8.5"

All Apache Tomcat 9.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-9.0.40:9"

References
==========
[ 1 ] CVE-2020-17527
      https://nvd.nist.gov/vuln/detail/CVE-2020-17527

Availability
============
This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202012-23

Concerns?
=========
Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to