SUSE-SU-2025:02261-1: important: Security update for tomcat10
SLE-UPDATES
null at suse.de
Wed Jul 9 20:30:12 UTC 2025
# Security update for tomcat10
Announcement ID: SUSE-SU-2025:02261-1
Release Date: 2025-07-09T17:40:51Z
Rating: important
References:
* bsc#1242722
* bsc#1243815
* bsc#1244649
* bsc#1244656
Cross-References:
* CVE-2025-46701
* CVE-2025-48988
* CVE-2025-49125
CVSS scores:
* CVE-2025-46701 ( SUSE ): 6.3
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2025-46701 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
* CVE-2025-46701 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2025-48988 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2025-48988 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-48988 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2025-49125 ( SUSE ): 9.1
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2025-49125 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
* CVE-2025-49125 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products:
* openSUSE Leap 15.6
* SUSE Linux Enterprise High Performance Computing 15 SP5
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
* SUSE Linux Enterprise Server 15 SP5
* SUSE Linux Enterprise Server 15 SP5 LTSS
* SUSE Linux Enterprise Server 15 SP6
* SUSE Linux Enterprise Server 15 SP7
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
* SUSE Linux Enterprise Server for SAP Applications 15 SP6
* SUSE Linux Enterprise Server for SAP Applications 15 SP7
* Web and Scripting Module 15-SP6
* Web and Scripting Module 15-SP7
An update that solves three vulnerabilities and has one security fix can now be
installed.
## Description:
This update for tomcat10 fixes the following issues:
* Fixed refactor CGI servlet to access resources via WebResources
(bsc#1243815).
* Fixed limits the total number of parts in a multi-part request and limits
the size of the headers provided with each part (bsc#1244656).
* Fixed expand checks for webAppMount (bsc#1244649).
* Hardening permissions (bsc#1242722)
Update to Tomcat 10.1.42:
* Fixed CVEs:
* CVE-2025-46701: refactor CGI servlet to access resources via WebResources (bsc#1243815)
* CVE-2025-48988: limits the total number of parts in a multi-part request and limits the size of the headers provided with each part (bsc#1244656)
* CVE-2025-49125: Expand checks for webAppMount (bsc#1244649)
* Catalina:
* Add: Support for the java:module namespace which mirrors the java:comp namespace.
* Add: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp.
* Add: Support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters.
* Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite.
* Add: #863: Support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp.
* Fix: 69706: Saved request serialization issue in FORM introduced when allowing infinite session timeouts.
* Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application.
* Fix: Use of SSS in SimpleDateFormat pattern for AccessLogValve.
* Fix: Process possible path parameters rewrite production in the rewrite valve.
* Fix: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources.
* Add: 69633: Support for Filters using context root mappings.
* Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier.
* Fix: #843: Off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp.
* Refactor: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer.
* Refactor: GCI servlet to access resources via the WebResource API.
* Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith.
* Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts.
* Add: Provide a content type based on file extension when web application resources are accessed via a URL.
* Coyote
* Refactor: #861: TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida.
* Add: Finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve.
* Refactor: The SavedRequestInputFilter so the buffered data is used directly rather than copied.
* Jasper:
* Fix: 69696: Mark the JSP wrapper for reload after a failed compilation.
* Fix: 69635: Add support to jakarta.el.ImportHandler for resolving inner classes.
* Add: #842: Support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations.
* Fix: An edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635.
* Web applications:
* Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails.
* Add: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram.
* Other:
* Add: Thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang.
* Update: Tomcat Native to 2.0.9.
* Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05).
* Update: EasyMock to 5.6.0.
* Update: Checkstyle to 10.25.0.
* Fix: Use the full path when the installer for Windows sets calls icacls.exe to set file permissions.
* Update: Improvements to Japanese translations provided by tak7iji.
* Fix: Set sun.io.useCanonCaches in service.bat Based on pull request #841 by Paul Lodge.
* Update: Jacoco to 0.8.13.
* Code: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds.
* Update: Byte Buddy to 1.17.5.
* Update: Checkstyle to 10.23.1.
* Update: File extension to media type mappings to align with the current list used by the Apache Web Server (httpd).
* Update: Improvements to French translations.
* Update: Improvements to Japanese translations provided by tak7iji.
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* openSUSE Leap 15.6
zypper in -t patch openSUSE-SLE-15.6-2025-2261=1
* Web and Scripting Module 15-SP6
zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP6-2025-2261=1
* Web and Scripting Module 15-SP7
zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2261=1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-2261=1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-2261=1
* SUSE Linux Enterprise Server 15 SP5 LTSS
zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-2261=1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5
zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-2261=1
## Package List:
* openSUSE Leap 15.6 (noarch)
* tomcat10-admin-webapps-10.1.42-150200.5.45.1
* tomcat10-jsvc-10.1.42-150200.5.45.1
* tomcat10-webapps-10.1.42-150200.5.45.1
* tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1
* tomcat10-10.1.42-150200.5.45.1
* tomcat10-docs-webapp-10.1.42-150200.5.45.1
* tomcat10-lib-10.1.42-150200.5.45.1
* tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1
* tomcat10-embed-10.1.42-150200.5.45.1
* tomcat10-doc-10.1.42-150200.5.45.1
* tomcat10-el-5_0-api-10.1.42-150200.5.45.1
* Web and Scripting Module 15-SP6 (noarch)
* tomcat10-admin-webapps-10.1.42-150200.5.45.1
* tomcat10-webapps-10.1.42-150200.5.45.1
* tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1
* tomcat10-10.1.42-150200.5.45.1
* tomcat10-lib-10.1.42-150200.5.45.1
* tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1
* tomcat10-el-5_0-api-10.1.42-150200.5.45.1
* Web and Scripting Module 15-SP7 (noarch)
* tomcat10-admin-webapps-10.1.42-150200.5.45.1
* tomcat10-webapps-10.1.42-150200.5.45.1
* tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1
* tomcat10-10.1.42-150200.5.45.1
* tomcat10-lib-10.1.42-150200.5.45.1
* tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1
* tomcat10-el-5_0-api-10.1.42-150200.5.45.1
* SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
* tomcat10-admin-webapps-10.1.42-150200.5.45.1
* tomcat10-webapps-10.1.42-150200.5.45.1
* tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1
* tomcat10-10.1.42-150200.5.45.1
* tomcat10-lib-10.1.42-150200.5.45.1
* tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1
* tomcat10-el-5_0-api-10.1.42-150200.5.45.1
* SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
* tomcat10-admin-webapps-10.1.42-150200.5.45.1
* tomcat10-webapps-10.1.42-150200.5.45.1
* tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1
* tomcat10-10.1.42-150200.5.45.1
* tomcat10-lib-10.1.42-150200.5.45.1
* tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1
* tomcat10-el-5_0-api-10.1.42-150200.5.45.1
* SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
* tomcat10-admin-webapps-10.1.42-150200.5.45.1
* tomcat10-webapps-10.1.42-150200.5.45.1
* tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1
* tomcat10-10.1.42-150200.5.45.1
* tomcat10-lib-10.1.42-150200.5.45.1
* tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1
* tomcat10-el-5_0-api-10.1.42-150200.5.45.1
* SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
* tomcat10-admin-webapps-10.1.42-150200.5.45.1
* tomcat10-webapps-10.1.42-150200.5.45.1
* tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1
* tomcat10-10.1.42-150200.5.45.1
* tomcat10-lib-10.1.42-150200.5.45.1
* tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1
* tomcat10-el-5_0-api-10.1.42-150200.5.45.1
## References:
* https://www.suse.com/security/cve/CVE-2025-46701.html
* https://www.suse.com/security/cve/CVE-2025-48988.html
* https://www.suse.com/security/cve/CVE-2025-49125.html
* https://bugzilla.suse.com/show_bug.cgi?id=1242722
* https://bugzilla.suse.com/show_bug.cgi?id=1243815
* https://bugzilla.suse.com/show_bug.cgi?id=1244649
* https://bugzilla.suse.com/show_bug.cgi?id=1244656
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20250709/11ff7950/attachment.htm>
More information about the sle-updates
mailing list