Source: tomcat11
Version: 11.0.18-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for tomcat11.

CVE-2026-24880[0]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response
| Smuggling') vulnerability in Apache Tomcat via invalid chunk
| extension.  This issue affects Apache Tomcat: from 11.0.0-M1 through
| 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through
| 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
| Other, unsupported versions may also be affected.  Users are
| recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which
| fix the issue.


CVE-2026-25854[1]:
| Occasional URL redirection to untrusted Site ('Open Redirect')
| vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.
| This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18,
| from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from
| 8.5.30 through 8.5.100. Other, unsupported versions may also be
| affected.  Users are recommended to upgrade to version 11.0.20,
| 10.1.53 or 9.0.116, which fix the issue.


CVE-2026-29129[2]:
| Configured cipher preference order not preserved vulnerability in
| Apache Tomcat.  This issue affects Apache Tomcat: from 11.0.16
| through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through
| 9.0.115.  Users are recommended to upgrade to version 11.0.20,
| 10.1.53 or 9.0.116, which fix the issue.


CVE-2026-29145[3]:
| CLIENT_CERT authentication does not fail as expected for some
| scenarios when soft fail is disabled vulnerability in Apache Tomcat,
| Apache Tomcat Native.  This issue affects Apache Tomcat: from
| 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from
| 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through
| 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from
| 2.0.0 through 2.0.13.  Users are recommended to upgrade to version
| Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and
| 9.0.116, which fix the issue.


CVE-2026-29146[4]:
| Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor
| with default configuration.  This issue affects Apache Tomcat: from
| 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from
| 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100
| through 7.0.109.  Users are recommended to upgrade to version
| 11.0.19, 10.1.53 and 9.0.116, which fix the issue.


CVE-2026-32990[5]:
| Improper Input Validation vulnerability in Apache Tomcat due to an
| incomplete fix of CVE-2025-66614.  This issue affects Apache Tomcat:
| from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from
| 9.0.113 through 9.0.115.  Users are recommended to upgrade to
| version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.


CVE-2026-34483[6]:
| Improper Encoding or Escaping of Output vulnerability in the
| JsonAccessLogValve component of Apache Tomcat.  This issue affects
| Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1
| through 10.1.53, from 9.0.40 through 9.0.116.  Users are recommended
| to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the
| issue.


CVE-2026-34487[7]:
| Insertion of Sensitive Information into Log File vulnerability in
| the cloud membership for clustering component of Apache Tomcat
| exposed the Kubernetes bearer token.  This issue affects Apache
| Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through
| 10.1.53, from 9.0.13 through 9.0.116.  Users are recommended to
| upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.


CVE-2026-34500[8]:
| CLIENT_CERT authentication does not fail as expected for some
| scenarios when soft fail is disabled and FFM is used in Apache
| Tomcat.  This issue affects Apache Tomcat: from 11.0.0-M14 through
| 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.
| Users are recommended to upgrade to version 11.0.21, 10.1.54 or
| 9.0.117, which fix the issue.

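As an added example (not part of this report, and not Debian or Tomcat tooling): a small Python helper that encodes the Tomcat 11 ranges quoted above and reports which of these CVEs cover a given upstream version, treating milestone releases (11.0.0-M1, and the 9.0.0.M1 spelling) as older than the corresponding final release. The Debian-to-upstream mapping assumes the plain `upstream-revision` form used in this report's header (11.0.18-1); the lookup table is constructed from the quoted ranges for illustration.

```python
import re

# Affected Tomcat 11 ranges (inclusive) as quoted in this report; constructed
# lookup table for illustration, covering only the 11.x column of each CVE.
AFFECTED_TOMCAT11 = {
    "CVE-2026-24880": ("11.0.0-M1", "11.0.18"),
    "CVE-2026-25854": ("11.0.0-M1", "11.0.18"),
    "CVE-2026-29129": ("11.0.16", "11.0.18"),
    "CVE-2026-29145": ("11.0.0-M1", "11.0.18"),
    "CVE-2026-29146": ("11.0.0-M1", "11.0.18"),
    "CVE-2026-32990": ("11.0.15", "11.0.19"),
    "CVE-2026-34483": ("11.0.0-M1", "11.0.20"),
    "CVE-2026-34487": ("11.0.0-M1", "11.0.20"),
    "CVE-2026-34500": ("11.0.0-M14", "11.0.20"),
}

# Accepts both milestone spellings seen above: "11.0.0-M1" and "9.0.0.M1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def version_key(version):
    """Sort key for a Tomcat version; milestones sort before the final release."""
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    # A final release outranks every milestone of the same x.y.z.
    rank = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), rank)


def upstream_version(debian_version):
    """Map a Debian package version ("1:11.0.18-1") to its upstream part."""
    v = debian_version.split(":", 1)[-1]          # drop the epoch, if any
    return re.sub(r"-\d+$", "", v)                # drop the Debian revision


def applicable_cves(version, ranges=AFFECTED_TOMCAT11):
    """Return the CVE ids whose affected range contains `version`."""
    key = version_key(version)
    return sorted(cve for cve, (low, high) in ranges.items()
                  if version_key(low) <= key <= version_key(high))


if __name__ == "__main__":
    for dv in ("11.0.18-1", "11.0.19-1", "11.0.20-1", "11.0.21-1"):
        print(dv, "->", applicable_cves(upstream_version(dv)) or "none")
```

Running it shows that the packaged 11.0.18 is covered by all nine CVEs, 11.0.19 by the last four, 11.0.20 by the last three, and 11.0.21 by none.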

If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24880
    https://www.cve.org/CVERecord?id=CVE-2026-24880
[1] https://security-tracker.debian.org/tracker/CVE-2026-25854
    https://www.cve.org/CVERecord?id=CVE-2026-25854
[2] https://security-tracker.debian.org/tracker/CVE-2026-29129
    https://www.cve.org/CVERecord?id=CVE-2026-29129
[3] https://security-tracker.debian.org/tracker/CVE-2026-29145
    https://www.cve.org/CVERecord?id=CVE-2026-29145
[4] https://security-tracker.debian.org/tracker/CVE-2026-29146
    https://www.cve.org/CVERecord?id=CVE-2026-29146
[5] https://security-tracker.debian.org/tracker/CVE-2026-32990
    https://www.cve.org/CVERecord?id=CVE-2026-32990
[6] https://security-tracker.debian.org/tracker/CVE-2026-34483
    https://www.cve.org/CVERecord?id=CVE-2026-34483
[7] https://security-tracker.debian.org/tracker/CVE-2026-34487
    https://www.cve.org/CVERecord?id=CVE-2026-34487
[8] https://security-tracker.debian.org/tracker/CVE-2026-34500
    https://www.cve.org/CVERecord?id=CVE-2026-34500

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
