UbuntuUpdates.org

Package "libtomcat10-java"

Name: libtomcat10-java

Description:

Apache Tomcat 10 - Servlet and JSP engine -- core libraries

Latest version: 10.1.40-1ubuntu1.26.04.1
Release: resolute (26.04)
Level: updates
Repository: universe
Head package: tomcat10
Homepage: http://tomcat.apache.org

Other versions of "libtomcat10-java" in Resolute

Repository Area Version
base universe 10.1.40-1ubuntu1
security universe 10.1.40-1ubuntu1.26.04.1

Changelog

Version: 10.1.40-1ubuntu1.26.04.1 2026-06-10 10:07:46 UTC

  tomcat10 (10.1.40-1ubuntu1.26.04.1) resolute-security; urgency=medium

  * SECURITY UPDATE: WebDAV resource exhaustion via unbounded
    request body
    - debian/patches/CVE-2026-41284.patch: limit LOCK and PROPFIND
      request body size using BoundedByteArrayOutputStream
    - CVE-2026-41284
  * SECURITY UPDATE: HTTP/2 header field validation bypass
    - debian/patches/CVE-2026-41293-pre.patch: add header validation
      infrastructure for HTTP/2 field names and values
    - debian/patches/CVE-2026-41293.patch: improve field-vchar
      validation and simplify error handling in HPackHuffman
    - CVE-2026-41293
  * SECURITY UPDATE: WebSocket authentication header leakage
    - debian/patches/CVE-2026-42498.patch: clear authentication
      headers after use and fix digest auth method handling
    - CVE-2026-42498
  * SECURITY UPDATE: digest authentication NPE bypass
    - debian/patches/CVE-2026-43512.patch: add null check for
      password in RealmBase.getDigest()
    - CVE-2026-43512
  * SECURITY UPDATE: LockOutRealm case sensitivity bypass
    - debian/patches/CVE-2026-43513.patch: normalize username case
      in LockOutRealm when caseSensitive is false
    - CVE-2026-43513
  * SECURITY UPDATE: authorization bypass via multiple method
    constraints
    - debian/patches/CVE-2026-43515.patch: check all matching
      SecurityCollection entries in RealmBase
    - CVE-2026-43515
  * debian/control: pin Build-Depends to openjdk-21-jdk to ensure the
    package builds against OpenJDK 21 on resolute

 -- Vyom Yadav <email address hidden> Tue, 09 Jun 2026 17:38:21 +0530

CVE-2026-41284 Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2
CVE-2026-41293 Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 1
CVE-2026-42498 Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache
CVE-2026-43512 DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 t
CVE-2026-43513 Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.
CVE-2026-43515 Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affe
