Package "libtomcat9-java"
| Name: | libtomcat9-java |
| Description: | Apache Tomcat 9 - Servlet and JSP engine -- core libraries |
| Latest version: | 9.0.115-1ubuntu0.1 |
| Release: | resolute (26.04) |
| Level: | security |
| Repository: | universe |
| Head package: | tomcat9 |
| Homepage: | http://tomcat.apache.org |
Changelog
tomcat9 (9.0.115-1ubuntu0.1) resolute-security; urgency=medium

  * SECURITY UPDATE: denial of service via unbounded WebDAV request body
    - debian/patches/CVE-2026-41284.patch: add BoundedByteArrayOutputStream
      to limit LOCK and PROPFIND request body size
    - CVE-2026-41284
  * SECURITY UPDATE: HTTP/2 header field validation bypass
    - debian/patches/CVE-2026-41293-pre.patch: add header validation
      infrastructure for HTTP/2 field names and values
    - debian/patches/CVE-2026-41293.patch: improve header field name and
      value validation in HpackDecoder and HPackHuffman
    - CVE-2026-41293
  * SECURITY UPDATE: exposure of HTTP auth header to unexpected hosts
    - debian/patches/CVE-2026-42498.patch: clear authentication headers
      after use and fix digest auth method handling
    - CVE-2026-42498
  * SECURITY UPDATE: authorization bypass via multiple method constraints
    - debian/patches/CVE-2026-43515.patch: check all matching
      SecurityCollection entries in RealmBase
    - CVE-2026-43515
  * SECURITY UPDATE: NullPointerException in digest authentication with
    invalid user
    - debian/patches/CVE-2026-43512.patch: add null check for password
      in RealmBase.getDigest()
    - CVE-2026-43512
  * SECURITY UPDATE: account lockout bypass via case-variant usernames
    - debian/patches/CVE-2026-43513.patch: normalize username case in
      LockOutRealm when caseSensitive is false
    - CVE-2026-43513
  * debian/control: pin Build-Depends to openjdk-21-jdk to ensure the
    package builds against OpenJDK 21 on resolute

 -- Vyom Yadav <email address hidden>  Thu, 04 Jun 2026 16:56:09 +0530

| CVE-2026-41284 | Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2 |
| CVE-2026-41293 | Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 1 |
| CVE-2026-42498 | Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache |
| CVE-2026-43515 | Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affe |
| CVE-2026-43512 | DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 t |
| CVE-2026-43513 | Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0. |