SUSE-SU-2026:2299-1: important: Security update for tomcat
SLE-UPDATES
null at suse.de
Mon Jun 8 16:30:18 UTC 2026
# Security update for tomcat
Announcement ID: SUSE-SU-2026:2299-1
Release Date: 2026-06-08T10:55:17Z
Rating: important
References:
* bsc#1265145
* bsc#1265162
* bsc#1265163
* bsc#1265165
* bsc#1265166
* bsc#1265167
* bsc#1265168
Cross-References:
* CVE-2026-41284
* CVE-2026-41293
* CVE-2026-42498
* CVE-2026-43512
* CVE-2026-43513
* CVE-2026-43514
* CVE-2026-43515
CVSS scores:
* CVE-2026-41284 ( SUSE ): 7.1
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41284 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41284 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41293 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
* CVE-2026-41293 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
* CVE-2026-41293 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-42498 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-42498 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-42498 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-43512 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N
* CVE-2026-43512 ( SUSE ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
* CVE-2026-43512 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-43513 ( SUSE ): 5.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
* CVE-2026-43513 ( SUSE ): 5.4 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
* CVE-2026-43513 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
* CVE-2026-43514 ( SUSE ): 6.9
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
* CVE-2026-43514 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-43514 ( NVD ): 3.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-43515 ( SUSE ): 8.7
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
* CVE-2026-43515 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
* CVE-2026-43515 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:
* SUSE Linux Enterprise High Performance Computing 12 SP5
* SUSE Linux Enterprise Server 12 SP5
* SUSE Linux Enterprise Server 12 SP5 LTSS
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
* SUSE Linux Enterprise Server for SAP Applications 12 SP5
An update that solves seven vulnerabilities can now be installed.
## Description:
This update for tomcat fixes the following issues
Update to Tomcat 9.0.118:
* CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling
(bsc#1265162).
* CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163).
* CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165).
* CVE-2026-43512: digest authenticator will authenticate any unknown user
(bsc#1265145).
* CVE-2026-43513: LockOutRealm treats user names as case-sensitive
(bsc#1265166).
* CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167).
* CVE-2026-43515: Security constraints not correctly applied (bsc#1265168).
Changes:
* Catalina
* Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and
OpenSSL version information (both APR and FFM implementations), along with
version compatibility warnings and third-party library version information.
(csutherl)
* Code: Refactor generation of the remote user element in the access log to
remove unnecessary code. (markt)
* Fix: Fix a regression in the previous release that meant ?- could appear in
the access log rather than ? when the query string was present but empty.
(markt)
* Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by
Mahmoud Alarby. (remm)
* Fix: Align the escaping in ExtendedAccessLogValve with the other
AccessLogValve implementations. (markt)
* Fix: 70000: fix duplication of special headers in the response after commit,
following fix for 69967. (remm)
* Fix: Correct the handling of URIs mapped to a security constraint that only
specifies the special ** role for all authenticated users. Requests without
authentication were receiving 403 responses rather than 401 responses.
(markt)
* Fix: Fix a race condition in StandardContext.getServletContext() that could
cause the jakarta.servlet.context.tempdir attribute to be lost during a
context reload. Make the context field volatile and use locking to ensure
only one ApplicationContext instance is created. (dsoumis)
* Fix: Update the Windows authentication (kerberos) documentation to reflect
that both Java and Windows are removing / have removed support for RC4-HMAC.
The guide now uses AES256-SHA1. (markt)
* Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize which
limits the size of a WebDAV request body for LOCK and PROPFIND. The default
value is 4096 bytes. (markt)
* Add: Add a new caseSensitive attribute to the LockOutRealm that controls the
manner in which user names are treated when making locking decisions. The
default is false, meaning user names are treated in a case insensitive
manner. (markt)
* Fix: Correct the handling of invalid users with DIGEST authentication.
(markt)
* Fix: Ensure RealmBase finds all matching extension based security
constraints. (markt)
* Coyote
* Fix: Avoid various edge cases if Content-Length is set via
setHeader(String,String) or addHeader(String,String) with an invalid value
by always clearing the previous value whether the new value is valid or not
and ignoring any invalid new value. (markt)
* Code: Refactor the calculation of the real index in the HPACK dynamic header
table implementation to reduce code duplication. (markt)
* Fix: Fix various minor issues with some HTTP/2 stream error messages for
HTTP/2. (markt)
* Fix: Consistently reject URIs containing NULL bytes when normalizing.
* Fix: Fix a few minor memory leaks on error paths reading TLS keys and
certificates when using FFM. (markt)
* Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC
after a stream reset. (markt)
* Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields not
permitted in trailers. (markt)
* Fix: Free private keys after use in FFM based connector configuration.
* Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header
decoding that could result in a valid header triggering an unexpected
connection close. (markt)
* Fix: Refactor HTTP/2 HPACK encoding so header field names are only converted
to lower case once during the encoding process. (markt)
* Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend
validation to check for disallowed characters as well as upper case
characters. (markt)
* Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm)
* Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent with
the use (or not) of TLS. (markt)
* Fix: Correct the validation of pseudo headers and CONNECT requests to align
Tomcat's behaviour with RFC 9113, section 8.5. (markt)
* Fix: Fix a potential integer overflow when allocating capacity from a
connection level window update to individual HTTP/2 streams. Based on #996
by Mike Tingey Jr. (markt)
* Fix: Switch AJP secret comparison to a constant time algorithm. (markt)
* WebSocket
* Fix: Fix the initial connection to a WebSocket end point where the
connection is made via a proxy that requires DIGEST authentication.
* Other
* Fix: 69993: Update the URL to the CDDL 1.0 license. (markt)
* Add: Add warning when OpenSSL binary is not found. (csutherl)
* Add: Add check for Tomcat Native library, and log warning when it's not
found to make it easier to see when it's not used by the suite. (csutherl)
* Update: Update Byte Buddy to 1.18.8. (markt)
* Update: Update Bouncy Castle to 1.84. (markt)
* Update: Improvements to French translations. (remm)
* Update: Improvements to Japanese translations provided by tak7iji. (markt)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server 12 SP5 LTSS
zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2026-2299=1
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-2299=1
## Package List:
* SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
* tomcat-servlet-4_0-api-9.0.118-3.166.1
* tomcat-admin-webapps-9.0.118-3.166.1
* tomcat-lib-9.0.118-3.166.1
* tomcat-9.0.118-3.166.1
* tomcat-javadoc-9.0.118-3.166.1
* tomcat-el-3_0-api-9.0.118-3.166.1
* tomcat-jsp-2_3-api-9.0.118-3.166.1
* tomcat-docs-webapp-9.0.118-3.166.1
* tomcat-webapps-9.0.118-3.166.1
* SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
* tomcat-servlet-4_0-api-9.0.118-3.166.1
* tomcat-admin-webapps-9.0.118-3.166.1
* tomcat-lib-9.0.118-3.166.1
* tomcat-9.0.118-3.166.1
* tomcat-javadoc-9.0.118-3.166.1
* tomcat-el-3_0-api-9.0.118-3.166.1
* tomcat-jsp-2_3-api-9.0.118-3.166.1
* tomcat-docs-webapp-9.0.118-3.166.1
* tomcat-webapps-9.0.118-3.166.1
## References:
* https://www.suse.com/security/cve/CVE-2026-41284.html
* https://www.suse.com/security/cve/CVE-2026-41293.html
* https://www.suse.com/security/cve/CVE-2026-42498.html
* https://www.suse.com/security/cve/CVE-2026-43512.html
* https://www.suse.com/security/cve/CVE-2026-43513.html
* https://www.suse.com/security/cve/CVE-2026-43514.html
* https://www.suse.com/security/cve/CVE-2026-43515.html
* https://bugzilla.suse.com/show_bug.cgi?id=1265145
* https://bugzilla.suse.com/show_bug.cgi?id=1265162
* https://bugzilla.suse.com/show_bug.cgi?id=1265163
* https://bugzilla.suse.com/show_bug.cgi?id=1265165
* https://bugzilla.suse.com/show_bug.cgi?id=1265166
* https://bugzilla.suse.com/show_bug.cgi?id=1265167
* https://bugzilla.suse.com/show_bug.cgi?id=1265168
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260608/887b9360/attachment.htm>
More information about the sle-updates
mailing list