<div class="container">
<h1>Security update for tomcat</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2026:2299-1</td>
</tr>
<tr>
<th>Release Date:</th>
<td>2026-06-08T10:55:17Z</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265145">bsc#1265145</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265162">bsc#1265162</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265163">bsc#1265163</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265165">bsc#1265165</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265166">bsc#1265166</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265167">bsc#1265167</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265168">bsc#1265168</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-41284.html">CVE-2026-41284</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-41293.html">CVE-2026-41293</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-42498.html">CVE-2026-42498</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-43512.html">CVE-2026-43512</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-43513.html">CVE-2026-43513</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-43514.html">CVE-2026-43514</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2026-43515.html">CVE-2026-43515</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-41284</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.1</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-41284</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-41284</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-41293</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-41293</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-41293</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-42498</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.9</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-42498</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-42498</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43512</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.9</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43512</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43512</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.8</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43513</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43513</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.4</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43513</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43514</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.9</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43514</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">5.3</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43514</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">3.7</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43515</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">8.7</span>
<span class="cvss-vector">CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43515</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2026-43515</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">9.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5 LTSS</li>
<li class="list-group-item">SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 12 SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves seven vulnerabilities can now be installed.</p>
<h2>Description:</h2>
<p>This update for tomcat fixes the following issues</p>
<p>Update to Tomcat 9.0.118:</p>
<ul>
<li>CVE-2026-41284: Unbounded read in WebDAV LOCK and PROPFIND handling (bsc#1265162).</li>
<li>CVE-2026-41293: HTTP/2 request headers not validated (bsc#1265163).</li>
<li>CVE-2026-42498: WebSocket authentication header exposure (bsc#1265165).</li>
<li>CVE-2026-43512: digest authenticator will authenticate any unknown user (bsc#1265145).</li>
<li>CVE-2026-43513: LockOutRealm treats user names as case-sensitive (bsc#1265166).</li>
<li>CVE-2026-43514: AJP secret compared in non-constant time (bsc#1265167).</li>
<li>CVE-2026-43515: Security constraints not correctly applied (bsc#1265168).</li>
</ul>
<p>Changes:</p>
<ul>
<li>Catalina</li>
<li>Add: Enhance version.sh and version.bat to display APR, Tomcat Native, and
OpenSSL version information (both APR and FFM implementations), along with
version compatibility warnings and third-party library version
information. (csutherl)</li>
<li>Code: Refactor generation of the remote user element in the access log to
remove unnecessary code. (markt)</li>
<li>Fix: Fix a regression in the previous release that meant ?- could appear
in the access log rather than ? when the query string was present but
empty. (markt)</li>
<li>Fix: Failed precondition should make WebDAV DELETE fail. #982 submitted by
Mahmoud Alarby. (remm)</li>
<li>Fix: Align the escaping in ExtendedAccessLogValve with the other
AccessLogValve implementations. (markt)</li>
<li>Fix: 70000: fix duplication of special headers in the response after
commit, following fix for 69967. (remm)</li>
<li>Fix: Correct the handling of URIs mapped to a security constraint that
only specifies the special ** role for all authenticated users. Requests
without authentication were receiving 403 responses rather than 401
responses. (markt)</li>
<li>Fix: Fix a race condition in StandardContext.getServletContext() that
could cause the jakarta.servlet.context.tempdir attribute to be lost
during a context reload. Make the context field volatile and use locking
to ensure only one ApplicationContext instance is created. (dsoumis)</li>
<li>Fix: Update the Windows authentication (kerberos) documentation to reflect
that both Java and Windows are removing / have removed support for
RC4-HMAC. The guide now uses AES256-SHA1. (markt)</li>
<li>Fix: Add a new initialisation parameter for WebDAV, maxRequestBodySize
which limits the size of a WebDAV request body for LOCK and PROPFIND. The
default value is 4096 bytes. (markt)</li>
<li>Add: Add a new caseSensitive attribute to the LockOutRealm that controls
the manner in which user names are treated when making locking decisions.
The default is false, meaning user names are treated in a case insensitive
manner. (markt)</li>
<li>Fix: Correct the handling of invalid users with DIGEST authentication.
(markt)</li>
<li>Fix: Ensure RealmBase finds all matching extension based security
constraints. (markt)</li>
<li>Coyote</li>
<li>Fix: Avoid various edge cases if Content-Length is set via
setHeader(String,String) or addHeader(String,String) with an invalid value
by always clearing the previous value whether the new value is valid or
not and ignoring any invalid new value. (markt)</li>
<li>Code: Refactor the calculation of the real index in the HPACK dynamic
header table implementation to reduce code duplication. (markt)</li>
<li>Fix: Fix various minor issues with some HTTP/2 stream error messages for
HTTP/2. (markt)</li>
<li>Fix: Consistently reject URIs containing NULL bytes when normalizing.</li>
<li>Fix: Fix a few minor memory leaks on error paths reading TLS keys and
certificates when using FFM. (markt)</li>
<li>Fix: Refactor clean-up after HTTP/2 headers have been processed to aid GC
after a stream reset. (markt)</li>
<li>Fix: Align HTTP/2 trailer fields with HTTP/1.1 and filter out any fields
not permitted in trailers. (markt)</li>
<li>Fix: Free private keys after use in FFM based connector configuration.</li>
<li>Fix: Correct an unlikely edge-case parsing bug in the HTTP/2 HPACK header
decoding that could result in a valid header triggering an unexpected
connection close. (markt)</li>
<li>Fix: Refactor HTTP/2 HPACK encoding so header field names are only
converted to lower case once during the encoding process. (markt)</li>
<li>Fix: Refactor HTTP/2 header field validation so it occurs earlier. Extend
validation to check for disallowed characters as well as upper case
characters. (markt)</li>
<li>Fix: Add TLS 1.3 groups added in OpenSSL 4.0. (remm)</li>
<li>Fix: Add validation that the HTTP/2 :scheme pseudo-header is consistent
with the use (or not) of TLS. (markt)</li>
<li>Fix: Correct the validation of pseudo headers and CONNECT requests to
align Tomcat's behaviour with RFC 9113, section 8.5. (markt)</li>
<li>Fix: Fix a potential integer overflow when allocating capacity from a
connection level window update to individual HTTP/2 streams. Based on #996
by Mike Tingey Jr. (markt)</li>
<li>Fix: Switch AJP secret comparison to a constant time algorithm. (markt)</li>
<li>WebSocket</li>
<li>Fix: Fix the initial connection to a WebSocket end point where the
connection is made via a proxy that requires DIGEST authentication.</li>
<li>Other</li>
<li>Fix: 69993: Update the URL to the CDDL 1.0 license. (markt)</li>
<li>Add: Add warning when OpenSSL binary is not found. (csutherl)</li>
<li>Add: Add check for Tomcat Native library, and log warning when it's not
found to make it easier to see when it's not used by the suite. (csutherl)</li>
<li>Update: Update Byte Buddy to 1.18.8. (markt)</li>
<li>Update: Update Bouncy Castle to 1.84. (markt)</li>
<li>Update: Improvements to French translations. (remm)</li>
<li>Update: Improvements to Japanese translations provided by tak7iji. (markt)</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-2026-2299=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security
<br/>
<code>zypper in -t patch SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-2299=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS (noarch)
<ul>
<li>tomcat-servlet-4_0-api-9.0.118-3.166.1</li>
<li>tomcat-admin-webapps-9.0.118-3.166.1</li>
<li>tomcat-lib-9.0.118-3.166.1</li>
<li>tomcat-9.0.118-3.166.1</li>
<li>tomcat-javadoc-9.0.118-3.166.1</li>
<li>tomcat-el-3_0-api-9.0.118-3.166.1</li>
<li>tomcat-jsp-2_3-api-9.0.118-3.166.1</li>
<li>tomcat-docs-webapp-9.0.118-3.166.1</li>
<li>tomcat-webapps-9.0.118-3.166.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 12 SP5 LTSS Extended Security (noarch)
<ul>
<li>tomcat-servlet-4_0-api-9.0.118-3.166.1</li>
<li>tomcat-admin-webapps-9.0.118-3.166.1</li>
<li>tomcat-lib-9.0.118-3.166.1</li>
<li>tomcat-9.0.118-3.166.1</li>
<li>tomcat-javadoc-9.0.118-3.166.1</li>
<li>tomcat-el-3_0-api-9.0.118-3.166.1</li>
<li>tomcat-jsp-2_3-api-9.0.118-3.166.1</li>
<li>tomcat-docs-webapp-9.0.118-3.166.1</li>
<li>tomcat-webapps-9.0.118-3.166.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-41284.html">https://www.suse.com/security/cve/CVE-2026-41284.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-41293.html">https://www.suse.com/security/cve/CVE-2026-41293.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-42498.html">https://www.suse.com/security/cve/CVE-2026-42498.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-43512.html">https://www.suse.com/security/cve/CVE-2026-43512.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-43513.html">https://www.suse.com/security/cve/CVE-2026-43513.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-43514.html">https://www.suse.com/security/cve/CVE-2026-43514.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2026-43515.html">https://www.suse.com/security/cve/CVE-2026-43515.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265145">https://bugzilla.suse.com/show_bug.cgi?id=1265145</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265162">https://bugzilla.suse.com/show_bug.cgi?id=1265162</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265163">https://bugzilla.suse.com/show_bug.cgi?id=1265163</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265165">https://bugzilla.suse.com/show_bug.cgi?id=1265165</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265166">https://bugzilla.suse.com/show_bug.cgi?id=1265166</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265167">https://bugzilla.suse.com/show_bug.cgi?id=1265167</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1265168">https://bugzilla.suse.com/show_bug.cgi?id=1265168</a>
</li>
</ul>
</div>