Oracle Linux Security Advisory ELSA-2025-23052
http://linux.oracle.com/errata/ELSA-2025-23052.html

The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:

x86_64:
tomcat9-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-admin-webapps-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-docs-webapp-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-el-3.0-api-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-jsp-2.3-api-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-lib-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-servlet-4.0-api-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-webapps-9.0.87-8.el10_1.1.noarch.rpm

aarch64:
tomcat9-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-admin-webapps-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-docs-webapp-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-el-3.0-api-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-jsp-2.3-api-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-lib-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-servlet-4.0-api-9.0.87-8.el10_1.1.noarch.rpm
tomcat9-webapps-9.0.87-8.el10_1.1.noarch.rpm

SRPMS:
http://oss.oracle.com/ol10/SRPMS-updates/tomcat9-9.0.87-8.el10_1.1.src.rpm

Related CVEs:
CVE-2025-31651
CVE-2025-55752

Description of changes:

[1:9.0.87-8.1]
- Resolves: RHEL-124497 tomcat: Directory traversal via rewrite with possible RCE (CVE-2025-55752)
- Resolves: RHEL-91732 tomcat: Bypass of rules in Rewrite Valve (CVE-2025-31651)

_______________________________________________
El-errata mailing list
-------------------------------------------------------------------------
Debian LTS Advisory DLA-4244-1

Several security vulnerabilities have been found in Tomcat 9, a Java web server and servlet engine. Most notably the update improves the handling of HTTP/2 connections and corrects various flaws which can lead to uncontrolled resource consumption and a denial of service.
Oracle Linux Security Advisory ELSA-2025-11332
http://linux.oracle.com/errata/ELSA-2025-11332.html

The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:

x86_64:
tomcat9-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-admin-webapps-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-docs-webapp-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-el-3.0-api-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-jsp-2.3-api-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-lib-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-servlet-4.0-api-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-webapps-9.0.87-5.el10_0.1.noarch.rpm

aarch64:
tomcat9-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-admin-webapps-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-docs-webapp-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-el-3.0-api-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-jsp-2.3-api-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-lib-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-servlet-4.0-api-9.0.87-5.el10_0.1.noarch.rpm
tomcat9-webapps-9.0.87-5.el10_0.1.noarch.rpm

SRPMS:
http://oss.oracle.com/ol10/SRPMS-updates/tomcat9-9.0.87-5.el10_0.1.src.rpm

Related CVEs:
CVE-2024-56337
CVE-2025-31650

Description of changes:

[1:9.0.87-5.1]
- Resolves: RHEL-91765 tomcat: DoS via malformed HTTP/2 PRIORITY_UPDATE frame (CVE-2025-31650)
- Resolves: RHEL-71981 tomcat: Incomplete fix for CVE-2024-50379 - RCE due to TOCTOU issue in JSP compilation (CVE-2024-56337)
Oracle Linux Security Advisory ELSA-2025-7494
http://linux.oracle.com/errata/ELSA-2025-7494.html

The following updated rpms for Oracle Linux 10 have been uploaded to the Unbreakable Linux Network:

x86_64:
tomcat9-9.0.87-5.el10_0.noarch.rpm
tomcat9-admin-webapps-9.0.87-5.el10_0.noarch.rpm
tomcat9-docs-webapp-9.0.87-5.el10_0.noarch.rpm
tomcat9-el-3.0-api-9.0.87-5.el10_0.noarch.rpm
tomcat9-jsp-2.3-api-9.0.87-5.el10_0.noarch.rpm
tomcat9-lib-9.0.87-5.el10_0.noarch.rpm
tomcat9-servlet-4.0-api-9.0.87-5.el10_0.noarch.rpm
tomcat9-webapps-9.0.87-5.el10_0.noarch.rpm

aarch64:
tomcat9-9.0.87-5.el10_0.noarch.rpm
tomcat9-admin-webapps-9.0.87-5.el10_0.noarch.rpm
tomcat9-docs-webapp-9.0.87-5.el10_0.noarch.rpm
tomcat9-el-3.0-api-9.0.87-5.el10_0.noarch.rpm
tomcat9-jsp-2.3-api-9.0.87-5.el10_0.noarch.rpm
tomcat9-lib-9.0.87-5.el10_0.noarch.rpm
tomcat9-servlet-4.0-api-9.0.87-5.el10_0.noarch.rpm
tomcat9-webapps-9.0.87-5.el10_0.noarch.rpm

SRPMS:
http://oss.oracle.com/ol10/SRPMS-updates/tomcat9-9.0.87-5.el10_0.src.rpm

Related CVEs:
CVE-2025-24813

Description of changes:

[1:9.0.87-5]
- Resolves: RHEL-82927 tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)
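The three Oracle Linux advisories above (ELSA-2025-7494, ELSA-2025-11332 and ELSA-2025-23052) each name the first tomcat9 build that carries a given fix, and because the upstream version string stays at 9.0.87 across all three, only the release field tells you which CVEs a host still lacks. The script below is an added example, not Oracle's or Red Hat's tooling: it ports rpm's version comparison (rpmvercmp) to Python and checks an installed epoch:version-release against the fixed builds listed on this page. The advisory table and the epoch of 1 are taken from the listings above (the "[1:9.0.87-...]" changelog headers); the sample installed versions are constructed.

```python
"""Check an installed tomcat9 EVR against the Oracle Linux 10 advisories above.

Added example; the comparison is a port of rpm's rpmvercmp(), the advisory
table comes from the ELSA listings on this page, and the sample EVRs at the
bottom are constructed.
"""
import re
from typing import List, Tuple

# rpmvercmp ignores separators ('.', '_', '-') and compares runs of digits,
# runs of letters, and the '~' / '^' markers as individual segments.
_TOKEN = re.compile(r"\d+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Return 1 if a is newer than b, -1 if older, 0 if equal (rpm semantics).

    Numeric segments compare as integers, alphabetic ones lexically, a numeric
    segment beats an alphabetic one, '~' sorts before anything including end of
    string (pre-releases), and '^' sorts after end of string but before anything
    else (post-releases)."""
    if a == b:
        return 0
    ta, tb = _TOKEN.findall(a), _TOKEN.findall(b)
    while ta or tb:
        x = ta[0] if ta else None
        y = tb[0] if tb else None
        if x == "~" or y == "~":
            if x != "~":
                return 1
            if y != "~":
                return -1
        elif x == "^" or y == "^":
            if x is None:
                return -1
            if y is None:
                return 1
            if x != "^":
                return 1
            if y != "^":
                return -1
        else:
            if x is None:          # b has more segments left, so b is newer
                return -1
            if y is None:
                return 1
            if x.isdigit() != y.isdigit():
                return 1 if x.isdigit() else -1
            xv, yv = (int(x), int(y)) if x.isdigit() else (x, y)
            if xv != yv:
                return 1 if xv > yv else -1
        del ta[0], tb[0]           # both heads equal: advance
    return 0


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """'1:9.0.87-8.el10_1.1' -> (1, '9.0.87', '8.el10_1.1').
    A missing epoch is treated as 0, exactly as rpm does."""
    epoch, sep, rest = evr.partition(":")
    if not sep:
        epoch, rest = "0", evr
    version, _, release = rest.partition("-")
    return int(epoch), version, release


def compare_evr(a: str, b: str) -> int:
    """Epoch first, then version, then release, each with rpm semantics."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


# (advisory, first fixed EVR, CVEs it resolves), from the ELSA listings on this page.
ADVISORIES: List[Tuple[str, str, List[str]]] = [
    ("ELSA-2025-7494", "1:9.0.87-5.el10_0", ["CVE-2025-24813"]),
    ("ELSA-2025-11332", "1:9.0.87-5.el10_0.1", ["CVE-2024-56337", "CVE-2025-31650"]),
    ("ELSA-2025-23052", "1:9.0.87-8.el10_1.1", ["CVE-2025-31651", "CVE-2025-55752"]),
]


def outstanding_cves(installed_evr: str) -> List[str]:
    """CVEs from the table whose fix the installed tomcat9 build does not carry.

    On a real host obtain the argument with
        rpm -q tomcat9 --qf '%{EPOCHNUM}:%{VERSION}-%{RELEASE}\\n'
    (EPOCHNUM prints 0 instead of '(none)' when the package has no epoch)."""
    missing: List[str] = []
    for _advisory, fixed_evr, cves in ADVISORIES:
        if compare_evr(installed_evr, fixed_evr) < 0:
            missing.extend(cves)
    return missing


if __name__ == "__main__":
    # Constructed sample values, not output from a real system.
    for sample in ("1:9.0.87-5.el10_0", "1:9.0.87-5.el10_0.1",
                   "1:9.0.87-8.el10_1.1", "9.0.87-8.el10_1.1"):
        print(f"{sample:22} outstanding: {outstanding_cves(sample) or 'none'}")
```

Two caveats the example is built around: the epoch must be part of the comparison (the last sample, with the epoch dropped, reports every CVE as outstanding, which is what rpm itself would conclude), and the fixed versions to compare against are the distribution's EVRs, not upstream Tomcat's 9.0.x release numbers, since a backported build keeps the old upstream version string. For the Ubuntu notice further down, the equivalent check is dpkg's own comparator, for example `dpkg --compare-versions "$(dpkg-query -W -f='${Version}' tomcat9-common)" ge 9.0.58-1ubuntu0.2`.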
==========================================================================
Ubuntu Security Notice USN-7410-1
April 07, 2025

tomcat9 vulnerability
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.04 LTS
- Ubuntu 20.04 LTS
- Ubuntu 18.04 LTS

Summary:

Tomcat could be made to consume resources if it received specially crafted network traffic.

Software Description:
- tomcat9: Servlet and JSP engine

Details:

It was discovered that Tomcat incorrectly handled request cancellation. A remote attacker could possibly use this issue to cause tomcat9 to consume resources, leading to a denial of service.

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04 LTS
  tomcat9-common                  9.0.58-1ubuntu0.2

Ubuntu 20.04 LTS
  tomcat9-common                  9.0.31-1ubuntu0.9

Ubuntu 18.04 LTS
  tomcat9-common                  9.0.16-3ubuntu0.18.04.2+esm5
                                  Available with Ubuntu Pro

In general, a standard system update will make all the necessary changes.

References:
  https://ubuntu.com/security/notices/USN-7410-1
  CVE-2023-44487

Package Information:
  https://launchpad.net/ubuntu/+source/tomcat9/9.0.58-1ubuntu0.2
  https://launchpad.net/ubuntu/+source/tomcat9/9.0.31-1ubuntu0.9
-------------------------------------------------------------------------
Debian LTS Advisory DLA-3617-2

A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadCount variable forced HTTP/2 connections to close early.
-------------------------------------------------------------------------
Debian Security Advisory DSA-5522-3

A regression was discovered in the Http2UpgradeHandler class of Tomcat 9 introduced by the patch to fix CVE-2023-44487 (Rapid Reset Attack). A wrong value for the overheadCount variable forced HTTP/2 connections to close early.
-------------------------------------------------------------------------
Debian Security Advisory DSA-5522-2

The patch to address CVE-2023-44487 (Rapid Reset Attack) was incomplete and caused a regression when using asynchronous I/O (the default for NIO and NIO2). DATA frames must be included when calculating the HTTP/2 overhead count to ensure that connections are not prematurely terminated.
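The four HTTP/2 advisories above (USN-7410-1, DLA-3617-2, DSA-5522-3 and DSA-5522-2) all turn on the same mechanism: Tomcat keeps a per-connection overhead count that frames carrying little useful work push up, that HEADERS and DATA frames push down, and that closes the connection once it goes positive. The Rapid Reset fix raised the charge for RST_STREAM; the follow-up regression stopped crediting DATA frames on the asynchronous I/O path, so well-behaved connections drifted positive and were closed. The model below is an added example and is not Tomcat's code. Its constants (overheadCountFactor 10, overheadResetFactor 50, a credit of 20 per HEADERS or DATA frame, a starting value of -10 * overheadCountFactor, and which frame types count as overhead) are assumptions drawn from the Tomcat HTTP/2 connector documentation as recalled here, and both workloads are constructed. It shows a reset storm being cut off after a few streams, and, with count_data_frames=False, the DSA-5522-2 failure mode: an ordinary client that occasionally cancels a stream is disconnected once DATA frames stop earning credit.

```python
"""Toy model of Tomcat's HTTP/2 overhead-count connection check.

Added example, not Tomcat's source. All constants below are ASSUMPTIONS taken
from the Tomcat HTTP/2 connector documentation as recalled by the author of
this example; the two traffic patterns at the bottom are constructed.
"""
from typing import List, Tuple

OVERHEAD_COUNT_FACTOR = 10                  # assumed default of overheadCountFactor
OVERHEAD_RESET_FACTOR = 50                  # assumed default of overheadResetFactor
USEFUL_FRAME_CREDIT = 20                    # assumed credit per HEADERS or DATA frame
INITIAL_OVERHEAD = -10 * OVERHEAD_COUNT_FACTOR

OVERHEAD_FRAMES = {"SETTINGS", "PRIORITY", "PING"}   # assumed to cost overheadCountFactor each


class Http2Connection:
    """One connection's overhead counter.

    count_data_frames=False reproduces the regression DSA-5522-2 describes:
    DATA frames were not credited, so only HEADERS frames offset the charges."""

    def __init__(self, count_data_frames: bool = True) -> None:
        self.count_data_frames = count_data_frames
        self.overhead = INITIAL_OVERHEAD
        self.closed = False

    def on_frame(self, frame_type: str) -> bool:
        """Account for one frame. Returns False once the connection is closed."""
        if self.closed:
            return False
        if frame_type == "HEADERS" or (frame_type == "DATA" and self.count_data_frames):
            self.overhead -= USEFUL_FRAME_CREDIT     # useful work never triggers a close
            return True
        if frame_type == "RST_STREAM":
            self.overhead += OVERHEAD_RESET_FACTOR
        elif frame_type in OVERHEAD_FRAMES:
            self.overhead += OVERHEAD_COUNT_FACTOR
        # WINDOW_UPDATE, GOAWAY and the size-based thresholds are outside this model.
        if self.overhead > 0:                        # the check runs only when the count rises
            self.closed = True
        return not self.closed


def rapid_reset_streams_before_close(count_data_frames: bool = True) -> int:
    """CVE-2023-44487 pattern: HEADERS immediately followed by RST_STREAM, repeated.
    Returns how many streams the client opens before the server closes the connection."""
    conn = Http2Connection(count_data_frames)
    streams = 0
    while True:
        streams += 1
        conn.on_frame("HEADERS")
        if not conn.on_frame("RST_STREAM"):
            return streams
        if streams > 10_000:                         # safety net for a misconfigured model
            raise RuntimeError("connection never closed")


def browser_like_session(count_data_frames: bool, requests: int = 200) -> Tuple[bool, int]:
    """Constructed benign workload: every request sends PRIORITY then HEADERS and the
    server answers with three DATA frames, except that every fourth request is
    cancelled with RST_STREAM before any body is sent (browsers do this for
    resources they no longer need). Returns (connection_closed, requests_completed)."""
    conn = Http2Connection(count_data_frames)
    completed = 0
    for i in range(1, requests + 1):
        cancelled = i % 4 == 0
        frames: List[str] = ["PRIORITY", "HEADERS"] + (["RST_STREAM"] if cancelled else ["DATA"] * 3)
        if not all(conn.on_frame(f) for f in frames):  # stops at the frame that closed it
            return True, completed
        completed += 1
    return False, completed


if __name__ == "__main__":
    print("reset storm, streams before close:", rapid_reset_streams_before_close())
    print("benign client, DATA credited:     ", browser_like_session(count_data_frames=True))
    print("benign client, DATA not credited: ", browser_like_session(count_data_frames=False))
```

With the assumed constants the reset storm is cut off at the fourth stream regardless of DATA accounting, while the benign session survives all 200 requests when DATA frames are credited and is closed after 40 when they are not, which is the "connections close early" symptom the DLA-3617-2 and DSA-5522-3 texts describe. If you tune the real attributes (overheadCountFactor, overheadResetFactor and the related thresholds in the HTTP/2 UpgradeProtocol configuration), replay a representative client pattern like this against the numbers first; the same counter that stops the attack will also drop legitimate clients if credits and charges are out of balance.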