<div class="container">
<h1>Security update for tomcat10</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2025:02261-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2025-07-09T17:40:51Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1242722">bsc#1242722</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1243815">bsc#1243815</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244649">bsc#1244649</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244656">bsc#1244656</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-46701.html">CVE-2025-46701</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-48988.html">CVE-2025-48988</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2025-49125.html">CVE-2025-49125</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-46701</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-46701</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-46701</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-48988</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-48988</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-48988</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-49125</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">9.1</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-49125</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2025-49125</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">openSUSE Leap 15.6</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP7</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP6</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP7</li>
<li class="list-group-item">Web and Scripting Module 15-SP6</li>
<li class="list-group-item">Web and Scripting Module 15-SP7</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves three vulnerabilities and has one security fix can now be installed.</p>
<h2>Description:</h2>
<p>This update for tomcat10 fixes the following issues:</p>
<ul>
<li>Fixed refactor CGI servlet to access resources via WebResources (bsc#1243815).</li>
<li>Fixed limits the total number of parts in a multi-part request and
limits the size of the headers provided with each part (bsc#1244656).</li>
<li>Fixed expand checks for webAppMount (bsc#1244649).</li>
<li>Hardening permissions (bsc#1242722)</li>
</ul>
<p>Update to Tomcat 10.1.42:</p>
<ul>
<li>
<p>Fixed CVEs:</p>
<ul>
<li>CVE-2025-46701: refactor CGI servlet to access resources via
WebResources (bsc#1243815)</li>
<li>CVE-2025-48988: limits the total number of parts in a
multi-part request and limits the size of
the headers provided with each part (bsc#1244656)</li>
<li>CVE-2025-49125: Expand checks for webAppMount (bsc#1244649)</li>
</ul>
</li>
<li>
<p>Catalina:</p>
<ul>
<li>Add: Support for the java:module namespace which mirrors the
java:comp namespace.</li>
<li>Add: Support parsing of multiple path parameters separated by ; in a
single URL segment. Based on pull request #860 by Chenjp.</li>
<li>Add: Support for limiting the number of parameters in HTTP requests
through the new ParameterLimitValve. The valve allows configurable
URL-specific limits on the number of parameters.</li>
<li>Fix: 69699: Encode redirect URL used by the rewrite valve with the
session id if appropriate, and handle cross context with different
session configuration when using rewrite.</li>
<li>Add: #863: Support for comments at the end of lines in text rewrite
map files to align behaviour with Apache httpd. Pull request
provided by Chenjp.</li>
<li>Fix: 69706: Saved request serialization issue in FORM introduced
when allowing infinite session timeouts.</li>
<li>Fix: Expand the path checks for Pre-Resources and Post-Resources
mounted at a path within the web application.</li>
<li>Fix: Use of SSS in SimpleDateFormat pattern for AccessLogValve.</li>
<li>Fix: Process possible path parameters rewrite production in the
rewrite valve.</li>
<li>Fix: 69588: Enable allowLinking to be set on PreResources,
JarResources and PostResources. If not set explicitly, the setting
will be inherited from the Resources.</li>
<li>Add: 69633: Support for Filters using context root mappings.</li>
<li>Fix: 69643: Optimize directory listing for large amount of files.
Patch submitted by Loic de l'Eprevier.</li>
<li>Fix: #843: Off by one validation logic for partial PUT ranges and
associated test case. Submitted by Chenjp.</li>
<li>Refactor: Replace the unused buffer in
org.apache.catalina.connector.InputBuffer with a static, zero
length buffer.</li>
<li>Refactor: GCI servlet to access resources via the WebResource API.</li>
<li>Fix: 69662: Report name in exception message when a naming lookup
failure occurs. Based on code submitted by Donald Smith.</li>
<li>Fix: Ensure that the FORM authentication attribute
authenticationSessionTimeout works correctly when sessions have an
infinite timeout when authentication starts.</li>
<li>Add: Provide a content type based on file extension when web
application resources are accessed via a URL.</li>
<li>Coyote</li>
<li>Refactor: #861: TaskQueue to use the new interface RetryableQueue
which enables better integration of custom Executors which provide
their own BlockingQueue implementation. Pull request provided by
Paulo Almeida.</li>
<li>Add: Finer grained control of multi-part request processing via two
new attributes on the Connector element. maxPartCount limits the
total number of parts in a multi-part request and maxPartHeaderSize
limits the size of the headers provided with each part. Add support
for these new attributes to the ParameterLimitValve.</li>
<li>Refactor: The SavedRequestInputFilter so the buffered data is used
directly rather than copied.</li>
</ul>
</li>
<li>
<p>Jasper:</p>
<ul>
<li>Fix: 69696: Mark the JSP wrapper for reload after a failed
compilation.</li>
<li>Fix: 69635: Add support to jakarta.el.ImportHandler for resolving
inner classes.</li>
<li>Add: #842: Support for optimized execution of c:set and c:remove
tags, when activated via JSP servlet param
useNonstandardTagOptimizations.</li>
<li>Fix: An edge case compilation bug for JSP and tag files on case
insensitive file systems that was exposed by the test case for
69635.</li>
</ul>
</li>
<li>
<p>Web applications:</p>
<ul>
<li>Fix: 69694: Improve error reporting of deployment tasks done using
the manager webapp when a copy operation fails.</li>
<li>Add: 68876: Documentation. Update the UML diagrams for server
start-up, request processing and authentication using PlantUML and
include the source files for each diagram.</li>
</ul>
</li>
<li>
<p>Other:</p>
<ul>
<li>Add: Thread name to webappClassLoader.stackTraceRequestThread
message. Patch provided by Felix Zhang.</li>
<li>Update: Tomcat Native to 2.0.9.</li>
<li>Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1
(2025-06-05).</li>
<li>Update: EasyMock to 5.6.0.</li>
<li>Update: Checkstyle to 10.25.0.</li>
<li>Fix: Use the full path when the installer for Windows sets calls
icacls.exe to set file permissions.</li>
<li>Update: Improvements to Japanese translations provided by tak7iji.</li>
<li>Fix: Set sun.io.useCanonCaches in service.bat Based on pull request
#841 by Paul Lodge.</li>
<li>Update: Jacoco to 0.8.13.</li>
<li>Code: Explicitly set the locale to be used for Javadoc. For
official releases, this locale will be English (US) to support
reproducible builds.</li>
<li>Update: Byte Buddy to 1.17.5.</li>
<li>Update: Checkstyle to 10.23.1.</li>
<li>Update: File extension to media type mappings to align with the
current list used by the Apache Web Server (httpd).</li>
<li>Update: Improvements to French translations.</li>
<li>Update: Improvements to Japanese translations provided by tak7iji.</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
openSUSE Leap 15.6
<br/>
<code>zypper in -t patch openSUSE-SLE-15.6-2025-2261=1</code>
</li>
<li class="list-group-item">
Web and Scripting Module 15-SP6
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP6-2025-2261=1</code>
</li>
<li class="list-group-item">
Web and Scripting Module 15-SP7
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2261=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-2261=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-2261=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP5 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-2261=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-2261=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
openSUSE Leap 15.6 (noarch)
<ul>
<li>tomcat10-admin-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-jsvc-10.1.42-150200.5.45.1</li>
<li>tomcat10-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-10.1.42-150200.5.45.1</li>
<li>tomcat10-docs-webapp-10.1.42-150200.5.45.1</li>
<li>tomcat10-lib-10.1.42-150200.5.45.1</li>
<li>tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-embed-10.1.42-150200.5.45.1</li>
<li>tomcat10-doc-10.1.42-150200.5.45.1</li>
<li>tomcat10-el-5_0-api-10.1.42-150200.5.45.1</li>
</ul>
</li>
<li>
Web and Scripting Module 15-SP6 (noarch)
<ul>
<li>tomcat10-admin-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-10.1.42-150200.5.45.1</li>
<li>tomcat10-lib-10.1.42-150200.5.45.1</li>
<li>tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-el-5_0-api-10.1.42-150200.5.45.1</li>
</ul>
</li>
<li>
Web and Scripting Module 15-SP7 (noarch)
<ul>
<li>tomcat10-admin-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-10.1.42-150200.5.45.1</li>
<li>tomcat10-lib-10.1.42-150200.5.45.1</li>
<li>tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-el-5_0-api-10.1.42-150200.5.45.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
<ul>
<li>tomcat10-admin-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-10.1.42-150200.5.45.1</li>
<li>tomcat10-lib-10.1.42-150200.5.45.1</li>
<li>tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-el-5_0-api-10.1.42-150200.5.45.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
<ul>
<li>tomcat10-admin-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-10.1.42-150200.5.45.1</li>
<li>tomcat10-lib-10.1.42-150200.5.45.1</li>
<li>tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-el-5_0-api-10.1.42-150200.5.45.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
<ul>
<li>tomcat10-admin-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-10.1.42-150200.5.45.1</li>
<li>tomcat10-lib-10.1.42-150200.5.45.1</li>
<li>tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-el-5_0-api-10.1.42-150200.5.45.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
<ul>
<li>tomcat10-admin-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-webapps-10.1.42-150200.5.45.1</li>
<li>tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-10.1.42-150200.5.45.1</li>
<li>tomcat10-lib-10.1.42-150200.5.45.1</li>
<li>tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1</li>
<li>tomcat10-el-5_0-api-10.1.42-150200.5.45.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-46701.html">https://www.suse.com/security/cve/CVE-2025-46701.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-48988.html">https://www.suse.com/security/cve/CVE-2025-48988.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2025-49125.html">https://www.suse.com/security/cve/CVE-2025-49125.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1242722">https://bugzilla.suse.com/show_bug.cgi?id=1242722</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1243815">https://bugzilla.suse.com/show_bug.cgi?id=1243815</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244649">https://bugzilla.suse.com/show_bug.cgi?id=1244649</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1244656">https://bugzilla.suse.com/show_bug.cgi?id=1244656</a>
</li>
</ul>
</div>