Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 496
Alerts This Week
Warning Icon 1 496

Stay Secure with the Latest Linux Advisories

Filter%20icon Refine advisories
X Clear Filters
X Clear Filters
View More

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200
Loading...

Explore Latest Linux Security advisories

We found 340 articles for you...
172

Ubuntu Tomcat Important Security Flaws CVE-2026-43515 CVE-2026-50229

Several security issues were fixed in Tomcat.. ========================================================================== Ubuntu Security Notice USN-8551-1 July 15, 2026 tomcat8 vulnerabilities ========================================================================== A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 18.04 LTS - Ubuntu 16.04 LTS Summary: Several security issues were fixed in Tomcat. Software Description: - tomcat8: Servlet and JSP engine Details: It was discovered that Tomcat incorrectly handled authorization when multiple method constraints defined the same HTTP method. A remote attacker could possibly use this issue to bypass authorization restrictions. (CVE-2026-43515) It was discovered that the Tomcat number guess example application did not properly sanitize user-supplied input. An attacker could possibly use this issue to inject malicious scripts, resulting in cross-site scripting. (CVE-2026-50229) It was discovered that Tomcat incorrectly evaluated rewrite valve conditions in certain configurations. An attacker could possibly use this issue to bypass rewrite rules, resulting in unauthorized access. (CVE-2026-53404) It was discovered that Tomcat incorrectly omitted certain authorization information when logging the effective web.xml configuration. An attacker could possibly use this issue to hide authorization constraints, resulting in reduced auditability. (CVE-2026-55276) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 18.04 LTS libtomcat8-embed-java 8.5.39-1ubuntu1~18.04.3+esm6 Available with Ubuntu Pro libtomcat8-java 8.5.39-1ubuntu1~18.04.3+esm6 Available with Ubuntu Pro tomcat8-examples 8.5.39-1ubuntu1~18.04.3+esm6 Available with Ubuntu Pro Ubuntu 16.04 LTS libtomcat8-java 8.0.32-1ubuntu1.13+esm2 Available with Ubuntu Pro tomcat8-examples 8.0.32-1ubuntu1.13+esm2 Available with Ubuntu Pro In general, a standard system update will make all the necessary changes. References: https://ubuntu.com/security/notices/USN-8551-1 CVE-2026-43515, CVE-2026-50229, CVE-2026-53404, CVE-2026-55276 . Several security issues in Tomcat on Ubuntu could be exploited, necessitating prompt updates to prevent unauthorized access and script injections.. Tomcat security, Ubuntu patch, Tomcat vulnerabilities, web application security. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 15, 2026 Important Ubuntu
202

openSUSE Tomcat Moderate Security Concern - Advisory 2026-21327-1

An update that solves 6 vulnerabilities and has 6 bug fixes can now be installed.. openSUSE security update: security update for tomcat ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21327-1 Rating: moderate References: * bsc#1269791 * bsc#1269824 * bsc#1269907 * bsc#1269908 * bsc#1269909 * bsc#1269910 Cross-References: * CVE-2026-50229 * CVE-2026-53404 * CVE-2026-53434 * CVE-2026-55276 * CVE-2026-55955 * CVE-2026-55956 CVSS scores: * CVE-2026-50229 ( SUSE ): 6.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N * CVE-2026-50229 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N * CVE-2026-53404 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-53404 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-53434 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-53434 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-55276 ( SUSE ): 3.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N * CVE-2026-55276 ( SUSE ): 4.8 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-55955 ( SUSE ): 4.2 CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-55955 ( SUSE ): 2.3 CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-55956 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2026-55956 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 6 vulnerabilities and has 6 bug fixes can now be installed. Description: This update for tomcat fixes the following issues Update to Tomcat 9.0.119. Security issues fixed: - CVE-2026-50229: improper neutralization of script-related HTML tags in the number guess example (bsc#1269791). - CVE-2026-53404: always-incorrect control flowimplementation in the rewrite valve caused non-OR conditions to be skipped if the first condition in an OR chain matched (bsc#1269910). - CVE-2026-53434: error condition not handled when configuring CRLs for a FFM based connector (bsc#1269824). - CVE-2026-55276: always-incorrect control flow implementation caused special roles and empty authorization constraints to not be included when the effective web.xml was logged (bsc#1269909). - CVE-2026-55955: improper authentication allows a replay attack against the EncryptionInterceptor in the cluster component (bsc#1269908). - CVE-2026-55956: improper authorization leads to security constraints specified for the default servlet ignoring any method or method omission configured as part of the constraint (bsc#1269907). Other updates and bugfixes: - Tomcat 9.0.119: * Catalina + Add: Add support for literal '%' characters in access log output. Based on pull request #1002 by Fabian Hahn. (markt) + Fix: Prevent duplicate log messages when clustering JARs are not present on startup. (csutherl) + Code: Remove unnecessary code from the SSI processing engine that was duplicating some of the normalisation checks. (markt) + Fix: Cleaner handling of invalid SPNEGO tokens. (remm) + Fix: Avoid some NPEs in the Connector class on an uninitialize protocol. (remm) + Fix: Incorrect session average life calculation. (remm) + Fix: Improve robustness on using Pipeline.setBasic on a running pipeline. (remm) + Fix: Avoid any init parameter updates when conflicts are found for filters, similar to what is done for servlets, as required by the servlet specification. (remm) + Fix: Fix container event cleanups in some edge cases. (remm) + Fix: Check for last-modified header in ExpiresFilter when a servlet uses addDateHeader to avoid wrongly considering it has been set. (remm) + Fix: Fix hour unit used by ExpiresFilter. (remm) + Fix: Remove exception swallowing in DataSourceStore to align itwith FileStore and avoid session loss on errors. (remm) + Fix: Add support for single-quote escaped literal as well as quoted literals in DateFormatCache. (schultz) + Fix: On JAAS logout, clear out role principals on the subject that were added on commit, as recommended by the JAAS specification. (remm) + Fix: MemoryRealm should not add a dummy role when none is specified in the configuration. (remm) + Fix: DataSourceUserDatabase should return a null principal on a non existing user. (remm) + Fix: Fix shared lock expiration in WebDAV. (remm) + Fix: Inaccurate session exipration statistics when using the persistent manager. (remm) + Fix: Skip BOM when serving files with UTF-32 encoding. (remm) + Fix: Mixup of WrapperListener and WrapperLifecycle elements in storeconfig. (remm) + Fix: Incorrect processing of modified users in DataSourceUserDatabase. (remm) + Update: Clarify behavior in the UserDatabase for user, role and group creation that it does not immediately override existing elements. Removal (or update) needs to be used instead. (remm) + Fix: 70049: Align the web application class loader with parent class loaders and swallow any errors caused by invalid paths when looking up resources and behave as if the resources were not found in that case. (markt) + Fix: Improve validation of Range and Content-Range parsers so invalid ranges trigger a 4xx response rather than a 500 response. Pull request #1012 provided by Sahana Surendra Bogar. (markt) + Fix: Fix connection leak in ProxyErrorReportValve. (remm) + Fix: When using the RewriteValve, %{SSL:HTTPS} now returns on or off rather than true or false to align with httpd. (markt) + Fix: Reset the encoding used for query string parameters between requests in case an application changed the encoding in a previous request. (markt) + Fix: When encoding URLs with the CsrfPreventionFilter, don't add thenonce to URLs that are known not to require it. (markt) + Fix: Fix CombinedRealm isAvailable, it allows authentication if at least one sub realm is available. (remm) + Fix: 70048: Correctly handle asynchronous requests in PersistentValve. (markt) + Fix: Improve the detection of cross-context dispatches when using a RequestDispatcher. (markt) + Fix: Fix various instances of double decoding of URL patterns configured either programmatically or in web.xml. (remm/markt) + Fix: Align the rewrite conditions ornext flag processing with mod_rewrite, which follows a purely sequential evaluation strategy. (remm) + Fix: Change the default for the useRedirect attribute of the ProxyErrorReportValve from true to false. (markt) + Add: Add support for the showReport attribute in JsonErrorReportValve and ProxyErrorReportValve. When set to false, detailed error information (message, description, stack trace) is suppressed from error responses. (dsoumis) + Fix: Avoid a NoClassDefFoundError at startup when catalina-tribes.jar is removed but catalina-ha.jar is present and the Cluster element is enabled in server.xml. Cluster digester rules are now fully conditional on both JARs being available. (dsoumis) + Fix: Fix a potential deadlock when copying resources using WebDAV. (markt) + Fix: Add jakarta., org.apache.catalina. and org.apache.tomcat.to the list of reserved prefixes for SSI variables and request attributes. (markt) + Fix: Missing URL decoding when processing addMapping on a Servlet registration. (remm) + Fix: The Timeout WebDAV header allows comma separated values (according to the examples in the RFC). Use the first acceptable value. (remm) + Fix: Fix various issues when logging the effective web.xml for a web application. Empty sections are no longer logged. Special roles and empty authorisation constraints are included. (markt) + Fix: Expand the write lock forthe save process in the MemoryUserDatabase to avoid concurrency issues with the file save operations. (markt) + Fix: Ensure atomic session persistence in FileStore. Based on pull request #1016 by sahvx655-wq. (markt) + Fix: Do not ignore methods configured on security constraints that map to the default servlet. (markt) * Cluster + Fix: Expand wording and increase visibility of log message when cloud membership is configured without a trust store as all certificates will be trusted in this configuration. (markt) + Fix: Ensure listeners are correctly added and removed when configuring the channel coordinator. (markt) + Fix: Fix some concurrency issues in FragmentationInterceptor. (markt) + Fix: Fix some concurrency issues in OrderInterceptor. (markt) + Fix: Fix some concurrency issues in TwoPhaseCommitInterceptor. (markt) + Fix: Fix concurrency issues generating MD5 digests in the CloudMembershipProvider implementations. (markt) + Add: Add replay protection to the EncryptInterceptor. This is a breaking change for the EncryptInterceptor. (markt) * Coyote + Add: Log a suitable warning if an encrypted PEM file is detected using an insecure form for encryption. (markt) + Fix: If TLS groups have been configured, use the configured groups rather than using OpenSSL's default TLS groups when using Tomcat Native with OpenSSL based connectors. (markt) + Fix: For HTTP/2, ensure that any in progress request body reads are cancelled if the container resets the associated stream. This prevents delays waiting for reads to time out when it is known that no more data will be received. (markt) + Fix: Ensure that malformed HTTP/2 messages that should trigger a stream reset do so, rather than triggered a connection close. (markt) + Fix: Improve enforcement of header trailer allow list for HTTP/2. (remm) + Fix: 70050: Avoid NPE when no header frame is processed in HTTP/2, following refactor clean-up of header buffer. (remm) + Fix: Properly use pollerThreadPriority for the NIO poller thread. (remm) + Fix: Fix MessageByte.equals if called on a null MB. (remm) + Fix: Call the delegate key manager in JSSE to retrieve the server key. (remm) + Fix: Avoid overflow scenarios in Asn1Parser. (remm) + Fix: 70091: Add a new attribute, allowSchemeMismatch to Http2Protocol that allows the consistency check for the scheme provided by the user agent to be bypassed. (markt) + Fix: isTrailerFieldsReady was always returning true. (remm) + Fix: Align OpenSSL/Panama TLS implementation with other implementations and throw an exception if there is an error loading the provided CRL(s). (markt) + Fix: Parsing of OpenSSL format cipher expressions incorrectly stopped if @STRENGTH was encountered, ignoring any subsequent expressions. (markt) + Fix: Handle the case where the HTTP/2 payload length is insufficient for the mandatory data required by the flags set in the header. (markt) + Fix: 70102: Correct expected size of ticket keys when calling setSessionTicketKeys with an FFM connector. (markt) + Fix: 69988: Fix post handshake authentication for TLS 1.3. It was broken by a breaking change in OpenSSL between 1.1.1 and 3.0.0. (markt) + Fix: When processing an OpenSSL cipher specification, fully align the order of the resulting ciphers with the order produced by OpenSSL. (markt) + Add: Add support for Brainpool TLS groups. Patch provided by YStankov. (schultz) + Update: Update both the minimum and recommended version for Tomcat Native 1.x to 1.3.8. (markt) * Jasper + Fix: Fix possible EL argument mismatch when it was set to null. (remm) + Fix: Fix thread safety of TagPluginManager. (remm) + Fix: Correctly use flush on JSP include. (remm) * Web applications + Add: Manager: Add checks to ensure that any uploaded files are uploaded to the expected location.(markt) + Add: Manager: Add checks to ensure that the requested context path for a deployed WAR, directory or descriptor file is valid. (markt) + Add: Documentation: Expand the description of some of the attributes of the CrawlerSessionManagerValve. (markt) + Fix: Documentation: Clearer description and correct documented default for ocspSoftFail. (markt) + Fix: Fix double escaping in the context names for the JSON mode of the manager servlet. (remm) + Fix: Manager: Ensure automatic deployment does not trigger an undeployment during a Manager triggered web application reload. (markt) + Fix: Documentation: Provide better documentation for the scheme and secure attributes of a Connector. (markt) * Websocket + Fix: Incorrect Future.isDone() return by AsyncChannelWrapperSecure. (remm) + Fix: Trigger standard WebSocket error handling if a call to Endpoint.onOpen() fails for a programmatic endpoint. (markt) + Fix: 70110: Fix memory leak if a call to Endpoint.onOpen() fails for a programmatic endpoint. Test case provided by uabdur. (markt) + Fix: If a client presents invalid parameters when negotiating a WebSocket extension, decline the negotiation offer that includes the invalid parameters rather than failing the connection. Pull request #1019 provided by sahvx655-wq. (markt) * Other + Fix: Wrong references to jakarta instead of javax. (remm) + Fix: Restore default authenticator to nullafter executing an Ant task. (remm) + Update: Update Commons Daemon to 1.6.1. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt) + Update: Update Tomcat Native to 1.3.8. (markt) Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSELeap 16.0 zypper in -t patch openSUSE-Leap-16.0-1231=1 Package List: - openSUSE Leap 16.0: tomcat-9.0.119-160000.1.1 tomcat-admin-webapps-9.0.119-160000.1.1 tomcat-docs-webapp-9.0.119-160000.1.1 tomcat-el-3_0-api-9.0.119-160000.1.1 tomcat-embed-9.0.119-160000.1.1 tomcat-javadoc-9.0.119-160000.1.1 tomcat-jsp-2_3-api-9.0.119-160000.1.1 tomcat-jsvc-9.0.119-160000.1.1 tomcat-lib-9.0.119-160000.1.1 tomcat-servlet-4_0-api-9.0.119-160000.1.1 tomcat-webapps-9.0.119-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2026-50229.html * https://www.suse.com/security/cve/CVE-2026-53404.html * https://www.suse.com/security/cve/CVE-2026-53434.html * https://www.suse.com/security/cve/CVE-2026-55276.html * https://www.suse.com/security/cve/CVE-2026-55955.html * https://www.suse.com/security/cve/CVE-2026-55956.html . Security update for openSUSE addresses multiple issues in Tomcat. Install patches to mitigate risks.. openSUSE tomcat update security. . Severity: moderate. LinuxSecurity.com Team

Calendar%202 Jul 15, 2026 moderate OpenSUSE
217

Oracle Linux 9 Tomcat Important Bug Fix ELSA-2026-36879

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-36879 http://linux.oracle.com/errata/ELSA-2026-36879.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: tomcat-9.0.117-2.el9_8.noarch.rpm tomcat-admin-webapps-9.0.117-2.el9_8.noarch.rpm tomcat-docs-webapp-9.0.117-2.el9_8.noarch.rpm tomcat-el-3.0-api-9.0.117-2.el9_8.noarch.rpm tomcat-jsp-2.3-api-9.0.117-2.el9_8.noarch.rpm tomcat-lib-9.0.117-2.el9_8.noarch.rpm tomcat-servlet-4.0-api-9.0.117-2.el9_8.noarch.rpm tomcat-webapps-9.0.117-2.el9_8.noarch.rpm aarch64: tomcat-9.0.117-2.el9_8.noarch.rpm tomcat-admin-webapps-9.0.117-2.el9_8.noarch.rpm tomcat-docs-webapp-9.0.117-2.el9_8.noarch.rpm tomcat-el-3.0-api-9.0.117-2.el9_8.noarch.rpm tomcat-jsp-2.3-api-9.0.117-2.el9_8.noarch.rpm tomcat-lib-9.0.117-2.el9_8.noarch.rpm tomcat-servlet-4.0-api-9.0.117-2.el9_8.noarch.rpm tomcat-webapps-9.0.117-2.el9_8.noarch.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/tomcat-9.0.117-2.el9_8.src.rpm Related CVEs: CVE-2026-29146 CVE-2026-34486 Description of changes: [1:9.0.117-2] - Resolves: RHEL-183992 Remove tomcat clustering JAR from RPM builds - Exclude i686 architecture from build _______________________________________________ El-errata mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://oss.oracle.com/mailman/listinfo/el-errata . Oracle Linux updates include important bug fixes and security enhancements for Tomcat affecting system security.. Oracle Linux Security, Tomcat Update, Bug Fix Advisory, ELSA-2026-36879. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 13, 2026 Important Oracle
217

Oracle Linux 8 Tomcat Important Bug Fix Advisory ELSA-2026-37137

The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-37137 http://linux.oracle.com/errata/ELSA-2026-37137.html The following updated rpms for Oracle Linux 8 have been uploaded to the Unbreakable Linux Network: x86_64: tomcat-9.0.87-2.el8_10.noarch.rpm tomcat-admin-webapps-9.0.87-2.el8_10.noarch.rpm tomcat-docs-webapp-9.0.87-2.el8_10.noarch.rpm tomcat-el-3.0-api-9.0.87-2.el8_10.noarch.rpm tomcat-jsp-2.3-api-9.0.87-2.el8_10.noarch.rpm tomcat-lib-9.0.87-2.el8_10.noarch.rpm tomcat-servlet-4.0-api-9.0.87-2.el8_10.noarch.rpm tomcat-webapps-9.0.87-2.el8_10.noarch.rpm aarch64: tomcat-9.0.87-2.el8_10.noarch.rpm tomcat-admin-webapps-9.0.87-2.el8_10.noarch.rpm tomcat-docs-webapp-9.0.87-2.el8_10.noarch.rpm tomcat-el-3.0-api-9.0.87-2.el8_10.noarch.rpm tomcat-jsp-2.3-api-9.0.87-2.el8_10.noarch.rpm tomcat-lib-9.0.87-2.el8_10.noarch.rpm tomcat-servlet-4.0-api-9.0.87-2.el8_10.noarch.rpm tomcat-webapps-9.0.87-2.el8_10.noarch.rpm SRPMS: http://oss.oracle.com/ol8/SRPMS-updates/tomcat-9.0.87-2.el8_10.src.rpm Related CVEs: CVE-2026-29146 CVE-2026-34486 Description of changes: [1:9.0.87-2] - Resolves: RHEL-183993 Remove tomcat clustering JAR from RPM builds _______________________________________________ El-errata mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://oss.oracle.com/mailman/listinfo/el-errata . Oracle Linux 8 updates include important bug fixes for Tomcat, addressing vulnerabilities and enhancing security parameters.. Oracle Linux, Tomcat Updates, Security Fixes, Patch, Threat Mitigation. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jul 13, 2026 Important Oracle
217

Oracle Linux 9 Tomcat Important OCSP Security Advisory ELSA-2026-18916

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-18916 http://linux.oracle.com/errata/ELSA-2026-18916.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: tomcat-9.0.117-1.el9_8.noarch.rpm tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm tomcat-lib-9.0.117-1.el9_8.noarch.rpm tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm tomcat-webapps-9.0.117-1.el9_8.noarch.rpm aarch64: tomcat-9.0.117-1.el9_8.noarch.rpm tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm tomcat-lib-9.0.117-1.el9_8.noarch.rpm tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm tomcat-webapps-9.0.117-1.el9_8.noarch.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/tomcat-9.0.117-1.el9_8.src.rpm Related CVEs: CVE-2025-46701 CVE-2025-55668 CVE-2025-55754 Description of changes: [1:9.0.117-1] - Resolves: RHEL-150714 Certificate revocation bypass due to improper OCSP response validation - Resolves: Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500) - Resolves: Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487) - Resolves: Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486) - Resolves: Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483) - Resolves: Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990) - Resolves: Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146) - Resolves: Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145) - Resolves: Tomcat: Configured TLScipher preference order not preserved (CVE-2026-29129) - Resolves: Tomcat: Occasionally open redirect (CVE-2026-25854) - Resolves: Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880) - Resolves: Tomcat: Incomplete OCSP verification checks (CVE-2026-24734) - Resolves: Tomcat: Security constraint bypass (CVE-2026-24733) - Resolves: Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614) _______________________________________________ El-errata mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://oss.oracle.com/mailman/listinfo/el-errata . Oracle Linux Security Advisory ELSA-2026-18916 reveals key updates for Tomcat addressing multiple security issues.. Oracle Linux updates Tomcat security advisory important. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jun 30, 2026 Important Oracle
202

openSUSE Tomcat Important Update Fixes Issues 2026-21117-1

An update that solves 7 vulnerabilities and has 7 bug fixes can now be installed.. openSUSE security update: security update for tomcat ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:21117-1 Rating: important References: * bsc#1265145 * bsc#1265162 * bsc#1265163 * bsc#1265165 * bsc#1265166 * bsc#1265167 * bsc#1265168 Cross-References: * CVE-2026-41284 * CVE-2026-41293 * CVE-2026-42498 * CVE-2026-43512 * CVE-2026-43513 * CVE-2026-43514 * CVE-2026-43515 CVSS scores: * CVE-2026-41284 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-41284 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-41293 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-41293 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-42498 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2026-42498 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-43512 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2026-43512 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2026-43513 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N * CVE-2026-43513 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-43514 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2026-43514 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-43515 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-43515 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N Affected Products: openSUSE Leap 16.0 ------------------------------------------------------------- An update that solves 7 vulnerabilities and has 7 bug fixes can now be installed. Description: This update for tomcat fixes the followingissues Update to Tomcat 9.0.118: - CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162). - CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163). - CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165). - CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145). - CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166). - CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167). - CVE-2026-43515: Security constraints not correctly applied (bsc#1265168). Changes: * Catalina + Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and OpenSSL version information (both APR and FFM implementations), along with version compatibility warnings and third-party library version information. (csutherl) + Code: Refactor generation of the remote user element in the access log to remove unnecessary code. (markt) + Fix: Fix a regression in the previous release that meant ?- could appear in the access log rather than ? when the query string was present but empty. (markt) + Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by Mahmoud Alarby. (remm) + Fix: Align the escaping in ExtendedAccessLogValve with the other AccessLogValve implementations. (markt) + Fix: 70000: fix duplication of special headers in the response after commit, following fix for 69967. (remm) + Fix: Correct the handling of URIs mapped to a security constraint that only specifies the special ** role for all authenticated users. Requests without authentication were receiving 403 responses rather than 401 responses. (markt) + Fix: Fix a race condition in StandardContext.getServletContext() that could cause the jakarta.servlet.context.tempdir attribute to be lost during a context reload. Make the context field volatile and use locking to ensure only one ApplicationContext instance is created. (dsoumis) + Fix: Update the Windows authentication (kerberos) documentation toreflect that both Java and Windows are removing / have removed support for RC4-HMAC. The guide now uses AES256-SHA1. (markt) + Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize which limits the size of a WebDAV request body for LOCK and PROPFIND. The default value is 4096 bytes. (markt) + Add: Add a new caseSensitive attribute to the LockOutRealm that controls the manner in which user names are treated when making locking decisions. The default is false, meaning user names are treated in a case insensitive manner. (markt) + Fix: Correct the handling of invalid users with DIGEST authentication. (markt) + Fix: Ensure RealmBase finds all matching extension based security constraints. (markt) * Coyote + Fix: Avoid various edge cases if Content-Length is set via setHeader(String,String) or addHeader(String,String) with an invalid value by always clearing the previous value whether the new value is valid or not and ignoring any invalid new value. (markt) + Code: Refactor the calculation of the real index in the HPACK dynamic header table implementation to reduce code duplication. (markt) + Fix: Fix various minor issues with some HTTP/2 stream error messages for HTTP/2. (markt) + Fix: Consistently reject URIs containing NULL bytes when normalizing. + Fix: Fix a few minor memory leaks on error paths reading TLS keys and certificates when using FFM. (markt) + Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC after a stream reset. (markt) + Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields not permitted in trailers. (markt) + Fix: Free private keys after use in FFM based connector configuration. + Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header decoding that could result in a valid header triggering an unexpected connection close. (markt) + Fix: Refactor HTTP/2 HPACK encoding so header field names are only converted to lower case once during the encoding process. (markt) + Fix: Refactor HTTP/2header field validation so it occurs earlier. Extend validation to check for disallowed characters as well as upper case characters. (markt) + Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm) + Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent with the use (or not) of TLS. (markt) + Fix: Correct the validation of pseudo headers and CONNECT requests to align Tomcat's behaviour with RFC 9113, section 8.5. (markt) + Fix: Fix a potential integer overflow when allocating capacity from a connection level window update to individual HTTP/2 streams. Based on #996 by Mike Tingey Jr. (markt) + Fix: Switch AJP secret comparison to a constant time algorithm. (markt) * WebSocket + Fix: Fix the initial connection to a WebSocket end point where the connection is made via a proxy that requires DIGEST authentication. * Other + Fix: 69993: Update the URL to the CDDL 1.0 license. (markt) + Add: Add warning when OpenSSL binary is not found. (csutherl) + Add: Add check for Tomcat Native library, and log warning when it's not found to make it easier to see when it's not used by the suite. (csutherl) + Update: Update Byte Buddy to 1.18.8. (markt) + Update: Update Bouncy Castle to 1.84. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt) Patch instructions: To install this openSUSE security update use the suse recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: - openSUSE Leap 16.0 zypper in -t patch openSUSE-Leap-16.0-982=1 Package List: - openSUSE Leap 16.0: tomcat-9.0.118-160000.1.1 tomcat-admin-webapps-9.0.118-160000.1.1 tomcat-docs-webapp-9.0.118-160000.1.1 tomcat-el-3_0-api-9.0.118-160000.1.1 tomcat-embed-9.0.118-160000.1.1 tomcat-javadoc-9.0.118-160000.1.1 tomcat-jsp-2_3-api-9.0.118-160000.1.1 tomcat-jsvc-9.0.118-160000.1.1 tomcat-lib-9.0.118-160000.1.1 tomcat-servlet-4_0-api-9.0.118-160000.1.1 tomcat-webapps-9.0.118-160000.1.1 References: * https://www.suse.com/security/cve/CVE-2026-41284.html * https://www.suse.com/security/cve/CVE-2026-41293.html * https://www.suse.com/security/cve/CVE-2026-42498.html * https://www.suse.com/security/cve/CVE-2026-43512.html * https://www.suse.com/security/cve/CVE-2026-43513.html * https://www.suse.com/security/cve/CVE-2026-43514.html * https://www.suse.com/security/cve/CVE-2026-43515.html . Critical update for openSUSE to address 7 key vulnerabilities in Tomcat, improving security and stability of your system.. openSUSE security,tomcat update,security fix,linux vulnerabilities,system update. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jun 30, 2026 Important OpenSUSE
100

SUSE Major Tomcat Security Release Announcement 2026-2675-1 Update

An update that solves seven vulnerabilities can now be installed.. # Security update for tomcat Announcement ID: SUSE-SU-2026:2675-1 Release Date: 2026-06-29T09:45:32Z Rating: important References: * bsc#1265145 * bsc#1265162 * bsc#1265163 * bsc#1265165 * bsc#1265166 * bsc#1265167 * bsc#1265168 Cross-References: * CVE-2026-41284 * CVE-2026-41293 * CVE-2026-42498 * CVE-2026-43512 * CVE-2026-43513 * CVE-2026-43514 * CVE-2026-43515 CVSS scores: * CVE-2026-41284 ( SUSE ): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-41284 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H * CVE-2026-41284 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-41293 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2026-41293 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2026-41293 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-42498 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-42498 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2026-42498 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2026-43512 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N * CVE-2026-43512 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2026-43512 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H * CVE-2026-43513 ( SUSE ): 5.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2026-43513 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N * CVE-2026-43513 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N * CVE-2026-43514 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N * CVE-2026-43514 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2026-43514 ( NVD ): 3.7CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N * CVE-2026-43515 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2026-43515 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N * CVE-2026-43515 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Affected Products: * SUSE Linux Enterprise High Performance Computing 15 SP4 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 * SUSE Linux Enterprise Server 15 SP4 * SUSE Linux Enterprise Server 15 SP4 LTSS * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP5 LTSS * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP6 LTSS * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP4 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * Web and Scripting Module 15-SP7 An update that solves seven vulnerabilities can now be installed. ## Description: This update for tomcat fixes the following issues Update to Tomcat 9.0.118: * CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162). * CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163). * CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165). * CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145). * CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166). * CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167). * CVE-2026-43515: Security constraints not correctly applied (bsc#1265168). Changes: *Catalina * Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and OpenSSL version information (both APR and FFM implementations), along with version compatibility warnings and third-party library version information. (csutherl) * Code: Refactor generation of the remote user element in the access log to remove unnecessary code. (markt) * Fix: Fix a regression in the previous release that meant ?- could appear in the access log rather than ? when the query string was present but empty. (markt) * Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by Mahmoud Alarby. (remm) * Fix: Align the escaping in ExtendedAccessLogValve with the other AccessLogValve implementations. (markt) * Fix: 70000: fix duplication of special headers in the response after commit, following fix for 69967. (remm) * Fix: Correct the handling of URIs mapped to a security constraint that only specifies the special ** role for all authenticated users. Requests without authentication were receiving 403 responses rather than 401 responses. (markt) * Fix: Fix a race condition in StandardContext.getServletContext() that could cause the jakarta.servlet.context.tempdir attribute to be lost during a context reload. Make the context field volatile and use locking to ensure only one ApplicationContext instance is created. (dsoumis) * Fix: Update the Windows authentication (kerberos) documentation to reflect that both Java and Windows are removing / have removed support for RC4-HMAC. The guide now uses AES256-SHA1. (markt) * Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize which limits the size of a WebDAV request body for LOCK and PROPFIND. The default value is 4096 bytes. (markt) * Add: Add a new caseSensitive attribute to the LockOutRealm that controls the manner in which user names are treated when making locking decisions. The default is false, meaning user names are treated in a caseinsensitive manner. (markt) * Fix: Correct the handling of invalid users with DIGEST authentication. (markt) * Fix: Ensure RealmBase finds all matching extension based security constraints. (markt) * Coyote * Fix: Avoid various edge cases if Content-Length is set via setHeader(String,String) or addHeader(String,String) with an invalid value by always clearing the previous value whether the new value is valid or not and ignoring any invalid new value. (markt) * Code: Refactor the calculation of the real index in the HPACK dynamic header table implementation to reduce code duplication. (markt) * Fix: Fix various minor issues with some HTTP/2 stream error messages for HTTP/2. (markt) * Fix: Consistently reject URIs containing NULL bytes when normalizing. * Fix: Fix a few minor memory leaks on error paths reading TLS keys and certificates when using FFM. (markt) * Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC after a stream reset. (markt) * Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields not permitted in trailers. (markt) * Fix: Free private keys after use in FFM based connector configuration. * Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header decoding that could result in a valid header triggering an unexpected connection close. (markt) * Fix: Refactor HTTP/2 HPACK encoding so header field names are only converted to lower case once during the encoding process. (markt) * Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend validation to check for disallowed characters as well as upper case characters. (markt) * Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm) * Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent with the use (or not) of TLS. (markt) * Fix: Correct the validation of pseudo headers and CONNECT requests to align Tomcat's behaviour with RFC 9113, section 8.5. (markt) * Fix:Fix a potential integer overflow when allocating capacity from a connection level window update to individual HTTP/2 streams. Based on #996 by Mike Tingey Jr. (markt) * Fix: Switch AJP secret comparison to a constant time algorithm. (markt) * WebSocket * Fix: Fix the initial connection to a WebSocket end point where the connection is made via a proxy that requires DIGEST authentication. * Other * Fix: 69993: Update the URL to the CDDL 1.0 license. (markt) * Add: Add warning when OpenSSL binary is not found. (csutherl) * Add: Add check for Tomcat Native library, and log warning when it's not found to make it easier to see when it's not used by the suite. (csutherl) * Update: Update Byte Buddy to 1.18.8. (markt) * Update: Update Bouncy Castle to 1.84. (markt) * Update: Improvements to French translations. (remm) * Update: Improvements to Japanese translations provided by tak7iji. (markt) ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * SUSE Linux Enterprise Server 15 SP5 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2026-2675=1 * Web and Scripting Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP7-2026-2675=1 * SUSE Linux Enterprise Server 15 SP4 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2026-2675=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2026-2675=1 * SUSE Linux Enterprise Server 15 SP6 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP6-LTSS-2026-2675=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2026-2675=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP6-2026-2675=1 * SUSE Linux Enterprise Server for SAPApplications 15 SP4 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2026-2675=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2026-2675=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2026-2675=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2026-2675=1 ## Package List: * SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 * tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 * tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 * tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 * tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 * SUSE Linux EnterpriseHigh Performance Computing ESPOS 15 SP5 (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 * tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 * tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 * tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 * SUSE Linux Enterprise Server 15 SP4 LTSS (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 * tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 * Web and Scripting Module 15-SP7 (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 * tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 * SUSE Linux Enterprise Server 15 SP5 LTSS (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 *tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 * SUSE Linux Enterprise Server 15 SP6 LTSS (noarch) * tomcat-lib-9.0.118-150200.108.1 * tomcat-9.0.118-150200.108.1 * tomcat-webapps-9.0.118-150200.108.1 * tomcat-admin-webapps-9.0.118-150200.108.1 * tomcat-jsp-2_3-api-9.0.118-150200.108.1 * tomcat-servlet-4_0-api-9.0.118-150200.108.1 * tomcat-el-3_0-api-9.0.118-150200.108.1 ## References: * https://www.suse.com/security/cve/CVE-2026-41284.html * https://www.suse.com/security/cve/CVE-2026-41293.html * https://www.suse.com/security/cve/CVE-2026-42498.html * https://www.suse.com/security/cve/CVE-2026-43512.html * https://www.suse.com/security/cve/CVE-2026-43513.html * https://www.suse.com/security/cve/CVE-2026-43514.html * https://www.suse.com/security/cve/CVE-2026-43515.html * https://bugzilla.suse.com/show_bug.cgi?id=1265145 * https://bugzilla.suse.com/show_bug.cgi?id=1265162 * https://bugzilla.suse.com/show_bug.cgi?id=1265163 * https://bugzilla.suse.com/show_bug.cgi?id=1265165 * https://bugzilla.suse.com/show_bug.cgi?id=1265166 * https://bugzilla.suse.com/show_bug.cgi?id=1265167 * https://bugzilla.suse.com/show_bug.cgi?id=1265168 . Seven vulnerabilities are addressed in the important security update for Tomcat on SUSE systems, enhancing security measures.. SUSE Security Update 2026 Tomcat Vulnerabilities Authentication. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jun 29, 2026 Important SuSE
217

Oracle Linux 9 Tomcat Important OCSP Security Fix ELSA-2026-26323

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:. Oracle Linux Security Advisory ELSA-2026-26323 http://linux.oracle.com/errata/ELSA-2026-26323.html The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network: x86_64: tomcat-9.0.117-1.el9_8.noarch.rpm tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm tomcat-lib-9.0.117-1.el9_8.noarch.rpm tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm tomcat-webapps-9.0.117-1.el9_8.noarch.rpm aarch64: tomcat-9.0.117-1.el9_8.noarch.rpm tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm tomcat-lib-9.0.117-1.el9_8.noarch.rpm tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm tomcat-webapps-9.0.117-1.el9_8.noarch.rpm SRPMS: http://oss.oracle.com/ol9/SRPMS-updates/tomcat-9.0.117-1.el9_8.src.rpm Related CVEs: CVE-2026-24734 Description of changes: [1:9.0.117-1] - Resolves: RHEL-150714 Certificate revocation bypass due to improper OCSP response validation - Resolves: Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500) - Resolves: Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487) - Resolves: Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486) - Resolves: Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483) - Resolves: Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990) - Resolves: Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146) - Resolves: Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145) - Resolves: Tomcat: Configured TLS cipher preference order notpreserved (CVE-2026-29129) - Resolves: Tomcat: Occasionally open redirect (CVE-2026-25854) - Resolves: Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880) - Resolves: Tomcat: Incomplete OCSP verification checks (CVE-2026-24734) - Resolves: Tomcat: Security constraint bypass (CVE-2026-24733) - Resolves: Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614) _______________________________________________ El-errata mailing list This email address is being protected from spambots. You need JavaScript enabled to view it. https://oss.oracle.com/mailman/listinfo/el-errata . Oracle Linux Security Advisory ELSA-2026-26323 addresses important Tomcat updates to resolve multiple CVEs.. Tomcat Security Update, Oracle Linux Advisory, Important Security Fix, OCSP Improvement. . Severity: Important. LinuxSecurity.com Team

Calendar%202 Jun 26, 2026 Important Oracle
News Add Esm H240

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Community Poll

Is continuous patching actually viable?

No answer selected. Please try again.
Please select either existing option or enter your own, however not both.
Please select minimum {0} answer(s).
Please select maximum {0} answer(s).
/main-polls/156-is-continuous-patching-actually-viable?task=poll.vote&format=json
156
radio
0
[{"id":503,"title":"Delayed updates invite catastrophic breaches.","votes":1,"type":"x","order":1,"pct":50,"resources":[]},{"id":504,"title":"Automated fixes break production environments.","votes":1,"type":"x","order":2,"pct":50,"resources":[]},{"id":505,"title":"Manual approvals cannot keep pace.","votes":0,"type":"x","order":3,"pct":0,"resources":[]}] ["#ff5b00","#4ac0f2","#b80028","#eef66c","#60bb22","#b96a9a","#62c2cc"] ["rgba(255,91,0,0.7)","rgba(74,192,242,0.7)","rgba(184,0,40,0.7)","rgba(238,246,108,0.7)","rgba(96,187,34,0.7)","rgba(185,106,154,0.7)","rgba(98,194,204,0.7)"] 350
bottom 200