From nobody Mon Apr 13 18:05:05 2026
Received: (at submit) by bugs.debian.org; 12 Apr 2026 12:26:26 +0000
X-Spam-Checker-Version: SpamAssassin 4.0.1-bugs.debian.org_2005_01_02
 (2024-03-25) on buxtehude.debian.org
X-Spam-Level: 
X-Spam-Status: No, score=-9.9 required=4.0 tests=BAYES_00, FOURLA,
 FROMDEVELOPER, 
 NO_RELAYS,XMAILER_REPORTBUG autolearn=ham autolearn_force=no
 version=4.0.1-bugs.debian.org_2005_01_02
X-Spam-Bayes: score:0.0000 Tokens: new, 136; hammy, 150; neutral, 115; spammy,
 0. spammytokens: hammytokens:0.000-+--H*F:U*carnil,
 0.000-+--XDebbugsCc, 0.000-+--X-Debbugs-Cc, 0.000-+--HTo:N*Debian,
 0.000-+--H*Ad:N*Bug
Return-path: <carnil@debian.org>
Received: via submission by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from <carnil@debian.org>) id 1wBttR-00HQIl-2x
 for submit@bugs.debian.org; Sun, 12 Apr 2026 12:26:26 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: tomcat10: CVE-2026-24880 CVE-2026-25854 CVE-2026-29129 CVE-2026-29145
 CVE-2026-29146 CVE-2026-32990 CVE-2026-34483 CVE-2026-34487 CVE-2026-34500
Message-ID: <177599678489.992980.9554169425576862031.reportbug@eldamar.lan>
X-Mailer: reportbug 13.2.0
Date: Sun, 12 Apr 2026 14:26:24 +0200
Delivered-To: submit@bugs.debian.org

Source: tomcat10
Version: 10.1.52-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerabilities were published for tomcat10.

CVE-2026-24880[0]:
| Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response
| Smuggling') vulnerability in Apache Tomcat via invalid chunk
| extension.  This issue affects Apache Tomcat: from 11.0.0-M1 through
| 11.0.18, from 10.1.0-M1 through 10.1.52, from 9.0.0.M1 through
| 9.0.115, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
| Other, unsupported versions may also be affected.  Users are
| recommended to upgrade to version 11.0.20, 10.1.52 or 9.0.116, which
| fix the issue.


CVE-2026-25854[1]:
| Occasional URL redirection to untrusted Site ('Open Redirect')
| vulnerability in Apache Tomcat via the LoadBalancerDrainingValve.
| This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18,
| from 10.1.0-M1 through 10.1.52, from 9.0.0.M23 through 9.0.115, from
| 8.5.30 through 8.5.100. Other, unsupported versions may also be
| affected. Users are recommended to upgrade to version 11.0.20,
| 10.1.53 or 9.0.116, which fix the issue.


CVE-2026-29129[2]:
| Configured cipher preference order not preserved vulnerability in
| Apache Tomcat.  This issue affects Apache Tomcat: from 11.0.16
| through 11.0.18, from 10.1.51 through 10.1.52, from 9.0.114 through
| 9.0.115.  Users are recommended to upgrade to version 11.0.20,
| 10.1.53 or 9.0.116, which fix the issue.


CVE-2026-29145[3]:
| CLIENT_CERT authentication does not fail as expected for some
| scenarios when soft fail is disabled vulnerability in Apache Tomcat,
| Apache Tomcat Native.  This issue affects Apache Tomcat: from
| 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from
| 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through
| 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from
| 2.0.0 through 2.0.13.  Users are recommended to upgrade to version
| Tomcat Native 1.3.7 or 2.0.14 and Tomcat 11.0.20, 10.1.53 and
| 9.0.116, which fix the issue.


CVE-2026-29146[4]:
| Padding Oracle vulnerability in Apache Tomcat's EncryptInterceptor
| with default configuration.  This issue affects Apache Tomcat: from
| 11.0.0-M1 through 11.0.18, from 10.0.0-M1 through 10.1.52, from
| 9.0.13 through 9.0.115, from 8.5.38 through 8.5.100, from 7.0.100
| through 7.0.109.  Users are recommended to upgrade to version
| 11.0.19, 10.1.53 and 9.0.116, which fix the issue.


CVE-2026-32990[5]:
| Improper Input Validation vulnerability in Apache Tomcat due to an
| incomplete fix of CVE-2025-66614.  This issue affects Apache Tomcat:
| from 11.0.15 through 11.0.19, from 10.1.50 through 10.1.52, from
| 9.0.113 through 9.0.115.  Users are recommended to upgrade to
| version 11.0.20, 10.1.53 or 9.0.116, which fix the issue.


CVE-2026-34483[6]:
| Improper Encoding or Escaping of Output vulnerability in the
| JsonAccessLogValve component of Apache Tomcat.  This issue affects
| Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1
| through 10.1.53, from 9.0.40 through 9.0.116.  Users are recommended
| to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the
| issue.


CVE-2026-34487[7]:
| Insertion of Sensitive Information into Log File vulnerability in
| the cloud membership for clustering component of Apache Tomcat
| exposed the Kubernetes bearer token.  This issue affects Apache
| Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through
| 10.1.53, from 9.0.13 through 9.0.116.  Users are recommended to
| upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the issue.


CVE-2026-34500[8]:
| CLIENT_CERT authentication does not fail as expected for some
| scenarios when soft fail is disabled and FFM is used in Apache
| Tomcat.  This issue affects Apache Tomcat: from 11.0.0-M14 through
| 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116.
| Users are recommended to upgrade to version 11.0.21, 10.1.54 or
| 9.0.117, which fix the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-24880
    https://www.cve.org/CVERecord?id=CVE-2026-24880
[1] https://security-tracker.debian.org/tracker/CVE-2026-25854
    https://www.cve.org/CVERecord?id=CVE-2026-25854
[2] https://security-tracker.debian.org/tracker/CVE-2026-29129
    https://www.cve.org/CVERecord?id=CVE-2026-29129
[3] https://security-tracker.debian.org/tracker/CVE-2026-29145
    https://www.cve.org/CVERecord?id=CVE-2026-29145
[4] https://security-tracker.debian.org/tracker/CVE-2026-29146
    https://www.cve.org/CVERecord?id=CVE-2026-29146
[5] https://security-tracker.debian.org/tracker/CVE-2026-32990
    https://www.cve.org/CVERecord?id=CVE-2026-32990
[6] https://security-tracker.debian.org/tracker/CVE-2026-34483
    https://www.cve.org/CVERecord?id=CVE-2026-34483
[7] https://security-tracker.debian.org/tracker/CVE-2026-34487
    https://www.cve.org/CVERecord?id=CVE-2026-34487
[8] https://security-tracker.debian.org/tracker/CVE-2026-34500
    https://www.cve.org/CVERecord?id=CVE-2026-34500

Regards,
Salvatore
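Added example, not part of the bug report above and not code from the Tomcat project or from Debian: a small Python triage script that transcribes the affected version ranges quoted in the nine CVE records into a table and checks whether a given Debian tomcat10 version string falls into any of them. It assumes Debian's usual version layout (optional epoch, upstream version, then a Debian revision after the last hyphen, so "10.1.52-1" maps to upstream 10.1.52) and orders Tomcat milestone builds before the GA release of the same number (10.1.0-M1 sorts before 10.1.0; Tomcat 9 wrote its milestones as 9.0.0.M23). Only the affected ranges from the records are used, not the "upgrade to" versions; the Tomcat Native ranges from CVE-2026-29145 are left out because they are a separate package. The version strings it is run on are constructed sample inputs.

```python
"""Check a Debian tomcat10 version against the affected ranges quoted in the
bug report above. Added example; not code from the report, Debian or Tomcat."""
import re
from typing import NamedTuple


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    milestone: int  # M-number of a pre-release; GA builds get the GA sentinel


GA = 10**6  # sentinel so that a GA release sorts after every milestone of it

# Accepts 10.1.52, 10.1.0-M1 and the Tomcat 9 milestone spelling 9.0.0.M23.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_tomcat_version(text: str) -> TomcatVersion:
    """Parse an upstream Tomcat version into a comparable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    return TomcatVersion(int(major), int(minor), int(patch),
                         int(milestone) if milestone else GA)


def upstream_from_debian(debian_version: str) -> TomcatVersion:
    """Strip the Debian epoch and revision: '1:10.1.52-1~deb13u1' -> 10.1.52.
    Assumes (as for tomcat10) that the upstream version is kept verbatim."""
    upstream = debian_version.split(":", 1)[-1]   # drop the epoch, if any
    upstream = upstream.rsplit("-", 1)[0]          # drop the Debian revision
    return parse_tomcat_version(upstream)


# Affected (first, last) ranges per branch, transcribed from the quoted CVE
# records in the report. Tomcat Native ranges (CVE-2026-29145) are omitted.
ADVISORY: dict[str, list[tuple[str, str]]] = {
    "CVE-2026-24880": [("11.0.0-M1", "11.0.18"), ("10.1.0-M1", "10.1.52"),
                       ("9.0.0.M1", "9.0.115"), ("8.5.0", "8.5.100"),
                       ("7.0.0", "7.0.109")],
    "CVE-2026-25854": [("11.0.0-M1", "11.0.18"), ("10.1.0-M1", "10.1.52"),
                       ("9.0.0.M23", "9.0.115"), ("8.5.30", "8.5.100")],
    "CVE-2026-29129": [("11.0.16", "11.0.18"), ("10.1.51", "10.1.52"),
                       ("9.0.114", "9.0.115")],
    "CVE-2026-29145": [("11.0.0-M1", "11.0.18"), ("10.1.0-M7", "10.1.52"),
                       ("9.0.83", "9.0.115")],
    "CVE-2026-29146": [("11.0.0-M1", "11.0.18"), ("10.0.0-M1", "10.1.52"),
                       ("9.0.13", "9.0.115"), ("8.5.38", "8.5.100"),
                       ("7.0.100", "7.0.109")],
    "CVE-2026-32990": [("11.0.15", "11.0.19"), ("10.1.50", "10.1.52"),
                       ("9.0.113", "9.0.115")],
    "CVE-2026-34483": [("11.0.0-M1", "11.0.20"), ("10.1.0-M1", "10.1.53"),
                       ("9.0.40", "9.0.116")],
    "CVE-2026-34487": [("11.0.0-M1", "11.0.20"), ("10.1.0-M1", "10.1.53"),
                       ("9.0.13", "9.0.116")],
    "CVE-2026-34500": [("11.0.0-M14", "11.0.20"), ("10.1.22", "10.1.53"),
                       ("9.0.92", "9.0.116")],
}


def affected_cves(debian_version: str) -> list[str]:
    """Return the CVE ids whose affected ranges contain the upstream version."""
    v = upstream_from_debian(debian_version)
    hits = []
    for cve, ranges in ADVISORY.items():
        if any(parse_tomcat_version(lo) <= v <= parse_tomcat_version(hi)
               for lo, hi in ranges):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs: the version this report was filed against,
    # the two following upstream releases, and an old Tomcat 9 milestone.
    for sample in ("10.1.52-1", "10.1.53-1", "10.1.54-1", "9.0.0.M5-1"):
        found = ", ".join(affected_cves(sample)) or "not affected"
        print(f"{sample:12} -> {found}")
```

The milestone handling is the part worth keeping in mind when scripting this kind of check: a plain string or dotted-integer comparison puts 10.1.0-M1 after 10.1.0 (or fails to parse 9.0.0.M23 at all), which silently misclassifies early builds in the "from 10.1.0-M1" ranges.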