Package "tomcat9"

Name: tomcat9
Description: This package is just an umbrella for a group of other packages, it has no description. Description samples from packages in group:
- Apache Tomcat 9 - Servlet and JSP engine -- core libraries
Latest version: 9.0.95-1ubuntu1.1
Release: questing (25.10)
Level: updates
Repository: universe
Changelog

tomcat9 (9.0.95-1ubuntu1.1) questing-security; urgency=medium

  * SECURITY UPDATE: denial of service via unbounded WebDAV request body
    - debian/patches/CVE-2026-41284.patch: add BoundedByteArrayOutputStream
      to limit LOCK and PROPFIND request body size
    - CVE-2026-41284
  * SECURITY UPDATE: HTTP/2 header field validation bypass
    - debian/patches/CVE-2026-41293-pre.patch: add header validation
      infrastructure for HTTP/2 field names and values
    - debian/patches/CVE-2026-41293.patch: improve header field name and
      value validation in HpackDecoder and HPackHuffman
    - CVE-2026-41293
  * SECURITY UPDATE: exposure of HTTP auth header to unexpected hosts
    - debian/patches/CVE-2026-42498.patch: clear authentication headers
      after use and fix digest auth method handling
    - CVE-2026-42498
  * SECURITY UPDATE: authorization bypass via multiple method constraints
    - debian/patches/CVE-2026-43515.patch: check all matching
      SecurityCollection entries in RealmBase
    - CVE-2026-43515
  * SECURITY UPDATE: NullPointerException in digest authentication with
    invalid user
    - debian/patches/CVE-2026-43512.patch: add null check for password
      in RealmBase.getDigest()
    - CVE-2026-43512
  * SECURITY UPDATE: account lockout bypass via case-variant usernames
    - debian/patches/CVE-2026-43513.patch: normalize username case in
      LockOutRealm when caseSensitive is false
    - CVE-2026-43513

 -- Vyom Yadav <email address hidden>  Thu, 04 Jun 2026 16:56:12 +0530
CVE-2026-41284: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2
CVE-2026-41293: Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 1
CVE-2026-42498: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache
CVE-2026-43515: Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affe
CVE-2026-43512: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 t
CVE-2026-43513: Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.