| Started by | Salvatore Bonaccorso <carnil@debian.org> |
|---|---|
| First post | 2026-04-12 14:30 +0200 |
| Last post | 2026-04-13 19:10 +0200 |
| Articles | 2 — 1 participant |
| From | Salvatore Bonaccorso <carnil@debian.org> |
|---|---|
| Date | 2026-04-12 14:30 +0200 |
| Subject | Bug#1133356: tomcat10: CVE-2026-24880 CVE-2026-25854 CVE-2026-29129 CVE-2026-29145 CVE-2026-29146 CVE-2026-32990 CVE-2026-34483 CVE-2026-34487 CVE-2026-34500 |
| Message-ID | <MJ26R-eA4N-9@gated-at.bofh.it> |
Source: tomcat10
Version: 10.1.52-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Hi,
The following vulnerabilities were published for tomcat10.
CVE-2026-24880[0]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response
| Smuggling') vulnerability in Apache Tomcat via invalid chunk
| extension. This issue affects Apache Tomcat: from 11.0.0-M1 through
| 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through
| 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
| Other, unsupported versions may also be affected. Users are
| recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which
| fix the issue.
CVE-2026-25854[1]:
| Occasional URL redirection to untrusted Site ('Open Redirect')
| vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.
| This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18,
| from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from
| 8.5.30 through 8.5.100. Other, unsupported versions may also be
| affected. Users are recommended to upgrade to version 11.0.20,
| 10.1.53 or 9.0.116, which fix the issue.
CVE-2026-29129[2]:
| Configured cipher preference order not preserved vulnerability in
| Apache Tomcat. This issue affects Apache Tomcat: from 11.0.16
| through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through
| 9.0.115. Users are recommended to upgrade to version 11.0.20,
| 10.1.53 or 9.0.116, which fix the issue.
CVE-2026-29145[3]:
| CLIENT_CERT authentication does not fail as expected for some
| scenarios when soft fail is disabled vulnerability in Apache Tomcat,
| Apache Tomcat Native. This issue affects Apache Tomcat: from
| 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from
| 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through
| 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from
| 2.0.0 through 2.0.13. Users are recommended to upgrade to version
| Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and
| 9.0.116, which fix the issue.
CVE-2026-29146[4]:
| Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor
| with default configuration. This issue affects Apache Tomcat: from
| 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from
| 9.0.13 through 9..115, from 8.5.38 through 8.5.100, from 7.0.100
| through 7.0.109. Users are recommended to upgrade to version
| 11.0.19, 10.1.53 and 9.0.116, which fixes the issue.
CVE-2026-32990[5]:
| Improper Input Validation vulnerability in Apache Tomcat due to an
| incomplete fix of CVE-2025-66614. This issue affects Apache Tomcat:
| from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from
| 9.0.113 through 9.0.115. Users are recommended to upgrade to
| version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.
CVE-2026-34483[6]:
| Improper Encoding or Escaping of Output vulnerability in the
| JsonAccessLogValve component of Apache Tomcat. This issue affects
| Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1
| through 10.1.53, from 9.0.40 through 9.0.116. Users are recommended
| to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the
| issue.
CVE-2026-34487[7]:
| Insertion of Sensitive Information into Log File vulnerability in
| the cloud membership for clustering component of Apache Tomcat
| exposed the Kubernetes bearer token. This issue affects Apache
| Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through
| 10.1.53, from 9.0.13 through 9.0.116. Users are recommended to
| upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.
CVE-2026-34500[8]:
| CLIENT_CERT authentication does not fail as expected for some
| scenarios when soft fail is disabled and FFM is used in Apache
| Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through
| 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.
| Users are recommended to upgrade to version 11.0.21, 10.1.54 or
| 9.0.117, which fixes the issue.
If you fix the vulnerabilities, please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-24880
https://www.cve.org/CVERecord?id=CVE-2026-24880
[1] https://security-tracker.debian.org/tracker/CVE-2026-25854
https://www.cve.org/CVERecord?id=CVE-2026-25854
[2] https://security-tracker.debian.org/tracker/CVE-2026-29129
https://www.cve.org/CVERecord?id=CVE-2026-29129
[3] https://security-tracker.debian.org/tracker/CVE-2026-29145
https://www.cve.org/CVERecord?id=CVE-2026-29145
[4] https://security-tracker.debian.org/tracker/CVE-2026-29146
https://www.cve.org/CVERecord?id=CVE-2026-29146
[5] https://security-tracker.debian.org/tracker/CVE-2026-32990
https://www.cve.org/CVERecord?id=CVE-2026-32990
[6] https://security-tracker.debian.org/tracker/CVE-2026-34483
https://www.cve.org/CVERecord?id=CVE-2026-34483
[7] https://security-tracker.debian.org/tracker/CVE-2026-34487
https://www.cve.org/CVERecord?id=CVE-2026-34487
[8] https://security-tracker.debian.org/tracker/CVE-2026-34500
https://www.cve.org/CVERecord?id=CVE-2026-34500
Regards,
Salvatore
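The affected-version ranges quoted above are the information a maintainer or operator acts on: given the Tomcat release a system actually runs, which of these nine CVEs apply, and does the upgrade target clear all of them? The script below is an added example written for this thread, not code from Debian, the Tomcat project or the reporter. It encodes the ranges exactly as quoted in the report (the Tomcat Native ranges for CVE-2026-29145 are omitted because the checker only understands Tomcat version strings, and the 9.0.x upper bound for CVE-2026-29146, printed as "9..115" in the advisory text, is assumed to be 9.0.115 to match the other entries) and handles the milestone forms (`11.0.0-M1`, `9.0.0.M23`) that sort before the final release of the same number. It also strips a Debian epoch and revision so the package version from the report, `10.1.52-1`, can be checked directly.

```python
"""Check a Tomcat version against the affected ranges quoted in this
bug report. Added example; not Debian, Tomcat or reporter code."""
import re
from typing import Dict, List, Tuple

# Ranges copied from the CVE descriptions quoted in the report, as
# (first affected, last affected) pairs, one pair per release branch.
# Tomcat Native ranges for CVE-2026-29145 are not included.
AFFECTED: Dict[str, List[Tuple[str, str]]] = {
    "CVE-2026-24880": [("11.0.0-M1", "11.0.18"), ("10.1.0-M1", "10.1.52"),
                       ("9.0.0.M1", "9.0.115"), ("8.5.0", "8.5.100"),
                       ("7.0.0", "7.0.109")],
    "CVE-2026-25854": [("11.0.0-M1", "11.0.18"), ("10.1.0-M1", "10.1.52"),
                       ("9.0.0.M23", "9.0.115"), ("8.5.30", "8.5.100")],
    "CVE-2026-29129": [("11.0.16", "11.0.18"), ("10.1.51", "10.1.52"),
                       ("9.0.114", "9.0.115")],
    "CVE-2026-29145": [("11.0.0-M1", "11.0.18"), ("10.1.0-M7", "10.1.52"),
                       ("9.0.83", "9.0.115")],
    # The advisory text reads "9..115" for the 9.0.x upper bound; 9.0.115
    # is assumed here to match the neighbouring entries.
    "CVE-2026-29146": [("11.0.0-M1", "11.0.18"), ("10.0.0-M1", "10.1.52"),
                       ("9.0.13", "9.0.115"), ("8.5.38", "8.5.100"),
                       ("7.0.100", "7.0.109")],
    "CVE-2026-32990": [("11.0.15", "11.0.19"), ("10.1.50", "10.1.52"),
                       ("9.0.113", "9.0.115")],
    "CVE-2026-34483": [("11.0.0-M1", "11.0.20"), ("10.1.0-M1", "10.1.53"),
                       ("9.0.40", "9.0.116")],
    "CVE-2026-34487": [("11.0.0-M1", "11.0.20"), ("10.1.0-M1", "10.1.53"),
                       ("9.0.13", "9.0.116")],
    "CVE-2026-34500": [("11.0.0-M14", "11.0.20"), ("10.1.22", "10.1.53"),
                       ("9.0.92", "9.0.116")],
}

# Accepts "10.1.52", "11.0.0-M1" and the older "9.0.0.M23" spelling.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[-.]M(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a sortable key.

    Milestone builds precede the final release with the same number, so
    the key is (major, minor, patch, is_final, milestone): 11.0.0-M1
    becomes (11, 0, 0, 0, 1) and 11.0.0 becomes (11, 0, 0, 1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def affected_cves(version: str) -> List[str]:
    """Return the CVE ids from this report whose ranges include version."""
    key = parse_version(version)
    return [cve for cve, ranges in AFFECTED.items()
            if any(parse_version(lo) <= key <= parse_version(hi)
                   for lo, hi in ranges)]


def debian_upstream_version(debian_version: str) -> str:
    """Strip a Debian epoch and revision: '1:10.1.52-1' -> '10.1.52'."""
    upstream = debian_version.split(":", 1)[-1]
    return upstream.rsplit("-", 1)[0]


if __name__ == "__main__":
    # Versions from this thread: the reported package and the fixed upload.
    for pkg in ("10.1.52-1", "10.1.53-1", "10.1.54-1"):
        hits = affected_cves(debian_upstream_version(pkg))
        print(f"{pkg}: {', '.join(hits) if hits else 'not affected'}")
```

Run against the report's own versions, `10.1.52-1` matches all nine CVEs, `10.1.53` still matches the three issued later in the batch (CVE-2026-34483, CVE-2026-34487, CVE-2026-34500), and `10.1.54`, the version accepted into unstable in the follow-up below, matches none. The range data is only as good as the advisory text it was copied from, so re-check it against the security tracker links when the descriptions are corrected upstream.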
| From | Salvatore Bonaccorso <carnil@debian.org> |
|---|---|
| Date | 2026-04-13 19:10 +0200 |
| Subject | Bug#1133356: Accepted tomcat10 10.1.54-1 (source) into unstable |
| Message-ID | <MJsXn-eSsW-9@gated-at.bofh.it> |
| In reply to | #1289316 |
Source: tomcat10
Source-Version: 10.1.54-1

On Mon, Apr 13, 2026 at 11:33:51AM +0000, Debian FTP Masters wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA512
>
> Format: 1.8
> Date: Mon, 13 Apr 2026 13:23:26 +0200
> Source: tomcat10
> Architecture: source
> Version: 10.1.54-1
> Distribution: unstable
> Urgency: medium
> Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
> Changed-By: Emmanuel Bourg <ebourg@apache.org>
> Changes:
>  tomcat10 (10.1.54-1) unstable; urgency=medium
>  .
>    * New upstream release
>      - Refreshed the patches
>      - New build dependency on Bouncy Castle
> Checksums-Sha1:
>  f8cdd6a3978aa8c4ef08063594e9ead31e8e1f11 2570 tomcat10_10.1.54-1.dsc
>  5d99da42940da9ef59d2f6e245c54bef7c7a326d 4993744 tomcat10_10.1.54.orig.tar.xz
>  d89f025bf729e0dbf7b5c887f629167f9c215f19 23492 tomcat10_10.1.54-1.debian.tar.xz
>  223f8b664a1f538cf1eba1c198d77f1132bb8114 17492 tomcat10_10.1.54-1_source.buildinfo
> Checksums-Sha256:
>  a6d28b7b121f6f2ff78332ee3516e11f97c4f6604017dd6a1286fbdd390ff88d 2570 tomcat10_10.1.54-1.dsc
>  43855683f779138d72d09f3bf99103274622a4f9d520f0a27d82363e76250919 4993744 tomcat10_10.1.54.orig.tar.xz
>  05bbc666bddce47c81bb8cc9c83de4ab0ecb3de00e0f270327948969aef9b0a1 23492 tomcat10_10.1.54-1.debian.tar.xz
>  7e803f4f908baf8d733f9abe3a404a36364e859e7885ec568d8a4db541fd61fa 17492 tomcat10_10.1.54-1_source.buildinfo
> Files:
>  e591b0ef27aeda8d1662d9d4dfc35543 2570 java optional tomcat10_10.1.54-1.dsc
>  0a7f5d2de3bc4f75127b5a9e08eb33e4 4993744 java optional tomcat10_10.1.54.orig.tar.xz
>  e03a0f371b0f700ccd4d0907d8fb6be5 23492 java optional tomcat10_10.1.54-1.debian.tar.xz
>  030c25b543985d524456d652a76519b3 17492 java optional tomcat10_10.1.54-1_source.buildinfo
>
> -----BEGIN PGP SIGNATURE-----
>
> iQJGBAEBCgAwFiEEuM5N4hCA3PkD4WxA9RPEGeS50KwFAmnc0kMSHGVib3VyZ0Bh
> cGFjaGUub3JnAAoJEPUTxBnkudCsysMP/R+GoyCdONeDACS4YDlEfXrNxhysxbll
> zHCx7escxBAPPA5tSpVLudM13qnJodYk7LT3aEgYmUVRDP36KjT2bdlBYgD/tPg0
> hSrh6NxXRzZyJRNyV+HLRZ9Ylz/BDFw0fToHf5OjOhQHVceFkmiLDGFa8kKkAn/i
> xVaZfSNQPK7iUfWH+AFsq79wk7sWymb40gC3mFm7W9TlVpxxnpPM38kfRbxtQCCg
> 6mNKnYHJXUE89OKQpSAIYJMBYsi0jbSzsuvE4JRjU58DvRcNDTeIuID2w09nyyN3
> XWBkW/N/pBi8KyiAZKcZ/Y54BrkvJITtPe4LLbu0FBQqGUxOu8dipP/Ozl5QeaV/
> u7dVk52lpQE3Yrhz1wwpYuyWzFnKLio99rPfLMm7ERczP9d5U5DMboNCPuxW/F5I
> ewePP3VU1gm/XlSaq8PaTjEjn66cS6+ntYD7bCMQA4Q1fNzr1ln8hjxp3b/KQgGt
> /BLAMhq1SViWPZyUhkoTFiTTPoa8bHa94bpe1qx6b7dCzoOE81cSIvx3ulrr0smx
> k5N0czokvrbfYG7QR8ZSamIXXJcG901QQspDUwTXxlOvfO3PpL0JsfasS2V3Sywx
> VR9G6dWN3UJihBc4mzhZRV+vC7SsDjhMMNhz0m//xEHjNdZDqnb/KZ1AOXh6kkbh
> +zQn++2ztBuz
> =oWCP
> -----END PGP SIGNATURE-----