[Git][security-tracker-team/security-tracker][master] Add new Apache tomcat issues

Salvatore Bonaccorso (@carnil) carnil at debian.org
Tue Feb 17 20:37:48 GMT 2026



Salvatore Bonaccorso pushed to branch master at Debian Security Tracker / security-tracker


Commits:
2a0d19ef by Salvatore Bonaccorso at 2026-02-17T21:37:19+01:00
Add new Apache tomcat issues

- - - - -


2 changed files:

- data/CVE/list
- data/DSA/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -23,9 +23,20 @@ CVE-2026-26731 (TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain
 CVE-2026-25903 (Apache NiFi 1.1.0 through 2.7.2 are missing authorization when updatin ...)
 	NOT-FOR-US: Apache software not packaged in Debian
 CVE-2026-24734 (Improper Input Validation vulnerability in Apache Tomcat Native, Apach ...)
-	TODO: check
+	- tomcat11 11.0.18-1
+	- tomcat10 10.1.52-1
+	- tomcat9 9.0.70-2
+	NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+	NOTE: https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
 CVE-2026-24733 (Improper Input Validation vulnerability in Apache Tomcat.   Tomcat did ...)
-	TODO: check
+	- tomcat11 11.0.15-1
+	- tomcat10 10.1.52-1
+	- tomcat9 9.0.70-2
+	NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+	NOTE: https://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f
+	NOTE: Fixed by: https://github.com/apache/tomcat/commit/6c73d74ff281260d74c836370ff6b82f1da8048b (11.0.15)
+	NOTE: Fixed by: https://github.com/apache/tomcat/commit/711b465cf22684a1acf0cb43501cdbbce9b6c5f4 (10.1.50)
+	NOTE: Fixed by: https://github.com/apache/tomcat/commit/2e2fa23f2635bbb819759576a2f2f5e64ecf7c5f (9.0.113)
 CVE-2026-23861 (Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x, contain(s) an Im ...)
 	NOT-FOR-US: Dell / EMC
 CVE-2026-23648 (Glory RBG-100 recycler systems using the ISPK-08 software component co ...)
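Review bot: the new CVE-2026-24734 entry records fixed versions for tomcat11, tomcat10 and tomcat9 but, unlike the CVE-2026-24733 entry directly below it, carries no `NOTE: Fixed by:` lines pointing at the upstream commits, and its description names Apache Tomcat Native as well as Tomcat while no line covers or explicitly excludes a tomcat-native source package. Consider adding the per-branch upstream commit references as done for CVE-2026-24733, and either a tomcat-native line or a `<not-affected>` marker with the reason so the native library's status is recorded rather than implied.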
@@ -61,7 +72,17 @@ CVE-2025-70397 (jizhicms 2.5.6 is vulnerable to SQL Injection in Article/deleteA
 CVE-2025-67905 (Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator and perfo ...)
 	NOT-FOR-US: Malwarebytes AdwCleaner
 CVE-2025-66614 (Improper Input Validation vulnerability.  This issue affects Apache To ...)
-	TODO: check
+	- tomcat11 11.0.15-1
+	- tomcat10 10.1.52-1
+	- tomcat9 9.0.70-2
+	NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+	NOTE: https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7
+	NOTE: Fixed by: https://github.com/apache/tomcat/commit/258a591b61f8cf5c22109e21e5a2a38b63454fd2 (11.0.15)
+	NOTE: Fixed by: https://github.com/apache/tomcat/commit/972f9a5e2a07674d92610c478aac1b205d60724e (10.1.50)
+	NOTE: Fixed by: https://github.com/apache/tomcat/commit/5053fa82a1b2b52756810601227984a8b71888a4 (10.1.50)
+	NOTE: Fixed by: https://github.com/apache/tomcat/commit/152c14885d45f5e0a8b59bd9f93c289cfe20ce30 (9.0.113)
+	NOTE: Fixed by: https://github.com/apache/tomcat/commit/a4aa74232e826028cd2f7ba0445caf8a8b52c509 (9.0.113)
+	NOTE: Fixed by: https://github.com/apache/tomcat/commit/9276b5e783c8cd5b3fe2bb716306b65004bdd940 (9.0.113)
 CVE-2025-65753 (An issue in the TLS certification mechanism of Guardian Gryphon v01.06 ...)
 	NOT-FOR-US: Guardian Gryphon
 CVE-2025-59793 (Rocket TRUfusion Enterprise through 7.10.5 exposes the endpoint at /ax ...)
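Review bot: the tomcat9 line records 9.0.70-2 as the fixed version even though the referenced upstream fixes land in 9.0.113, relying on the NOTE that src:tomcat9 stopped shipping the server stack at 9.0.70-2 to explain the gap; this is the third verbatim copy of that NOTE in this change, so if the convention is that the last server-shipping upload counts as fixed, stating it once in a shared place (or using a `<not-affected>` marker with the reason) would keep the three entries from drifting apart. Otherwise the entry is consistent: the tomcat10 and tomcat11 fixed versions (10.1.52-1, 11.0.15-1) contain the commits cited for 10.1.50 and 11.0.15.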


=====================================
data/DSA/list
=====================================
@@ -55,10 +55,10 @@
 	[bookworm] - chromium 144.0.7559.109-2~deb12u1
 	[trixie] - chromium 144.0.7559.109-2~deb13u1
 [05 Feb 2026] DSA-6121-1 tomcat11 - security update
-	{CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989 CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668 CVE-2025-55752 CVE-2025-55754 CVE-2025-61795}
+	{CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989 CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668 CVE-2025-55752 CVE-2025-55754 CVE-2025-61795 CVE-2025-66614 CVE-2026-24733}
 	[trixie] - tomcat11 11.0.15-1~deb13u1
 [05 Feb 2026] DSA-6120-1 tomcat10 - security update
-	{CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989 CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668 CVE-2025-55752 CVE-2025-55754 CVE-2025-61795}
+	{CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989 CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668 CVE-2025-55752 CVE-2025-55754 CVE-2025-61795  CVE-2025-66614 CVE-2026-24733 CVE-2026-24734}
 	[bookworm] - tomcat10 10.1.52-1~deb12u1
 	[trixie] - tomcat10 10.1.52-1~deb13u1
 [05 Feb 2026] DSA-6119-1 openjdk-25 - security update
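Review bot: the DSA-6120-1 CVE list has a double space between CVE-2025-61795 and CVE-2025-66614 inside the braces while the rest of the file uses single spaces, so normalise it. Separately, DSA-6121-1 (tomcat11 11.0.15-1~deb13u1) gains CVE-2025-66614 and CVE-2026-24733 but not CVE-2026-24734, which matches the CVE list marking tomcat11 fixed only in 11.0.18-1; that leaves trixie's tomcat11 still open for CVE-2026-24734, so either a follow-up upload and DSA is needed there or the CVE entry should say why trixie is not affected.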



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a0d19ef426d948b2cd54a20971685246368546f
