Package "tomcat10-admin"
| Name: | tomcat10-admin |
| Description: | Apache Tomcat 10 - Servlet and JSP engine -- admin web applications |
| Latest version: | 10.1.40-1ubuntu1.25.10.1 |
| Release: | questing (25.10) |
| Level: | security |
| Repository: | universe |
| Head package: | tomcat10 |
| Homepage: | http://tomcat.apache.org |
Changelog
tomcat10 (10.1.40-1ubuntu1.25.10.1) questing-security; urgency=medium

  * SECURITY UPDATE: WebDAV resource exhaustion via unbounded
    request body
    - debian/patches/CVE-2026-41284.patch: limit LOCK and PROPFIND
      request body size using BoundedByteArrayOutputStream
    - CVE-2026-41284
  * SECURITY UPDATE: HTTP/2 header field validation bypass
    - debian/patches/CVE-2026-41293-pre.patch: add header validation
      infrastructure for HTTP/2 field names and values
    - debian/patches/CVE-2026-41293.patch: improve field-vchar
      validation and simplify error handling in HPackHuffman
    - CVE-2026-41293
  * SECURITY UPDATE: WebSocket authentication header leakage
    - debian/patches/CVE-2026-42498.patch: clear authentication
      headers after use and fix digest auth method handling
    - CVE-2026-42498
  * SECURITY UPDATE: digest authentication NPE bypass
    - debian/patches/CVE-2026-43512.patch: add null check for
      password in RealmBase.getDigest()
    - CVE-2026-43512
  * SECURITY UPDATE: LockOutRealm case sensitivity bypass
    - debian/patches/CVE-2026-43513.patch: normalize username case
      in LockOutRealm when caseSensitive is false
    - CVE-2026-43513
  * SECURITY UPDATE: authorization bypass via multiple method
    constraints
    - debian/patches/CVE-2026-43515.patch: check all matching
      SecurityCollection entries in RealmBase
    - CVE-2026-43515

 -- Vyom Yadav <email address hidden>  Tue, 09 Jun 2026 17:38:20 +0530
| CVE-2026-41284 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2 |
| CVE-2026-41293 | Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 1 |
| CVE-2026-42498 | Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache |
| CVE-2026-43512 | DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 t |
| CVE-2026-43513 | Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0. |
| CVE-2026-43515 | Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affe |