[Git][security-tracker-team/security-tracker][master] tomcat10 fixed in sid
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Tue Jun 2 17:00:09 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
56404044 by Moritz Muehlenhoff at 2026-06-02T16:29:41+02:00
tomcat10 fixed in sid
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -13226,7 +13226,7 @@ CVE-2026-43891 (changedetection.io is a free open source web page change detecti
NOT-FOR-US: changedetection.io
CVE-2026-43515 (Improper Authorization vulnerability when multiple method constraints ...)
- tomcat11 11.0.22-1
- - tomcat10 <unfixed>
+ - tomcat10 10.1.55-1
- tomcat9 9.0.70-2
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: Fixed by: https://github.com/apache/tomcat/commit/276087d9c7abbcecc6c4fb4e4b08cf64780c6e36 (11.0.22)
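Review bot: The "Fixed by" NOTE under CVE-2026-43515 still cites only the 11.0.22 commit, while the tomcat10 line now records 10.1.55-1 as fixed. If the NOTE lines below this context do not already list the corresponding 10.1.x commit, add one in the same "NOTE: Fixed by: ... (version)" form, so the tomcat10 fixed version can be checked against upstream the way the tomcat11 one can. The same applies to the other six entries changed in this commit.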
@@ -13235,7 +13235,7 @@ CVE-2026-43515 (Improper Authorization vulnerability when multiple method constr
NOTE: https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb
CVE-2026-43514 (Observable Timing Discrepancy vulnerabilitywhen comparing AJP secret i ...)
- tomcat11 11.0.22-1
- - tomcat10 <unfixed>
+ - tomcat10 10.1.55-1
- tomcat9 9.0.70-2
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: Fixed by: https://github.com/apache/tomcat/commit/d35d9d23263c8e4af561f615c960c91697ff200e (11.0.22)
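Review bot: The description on the CVE-2026-43514 line reads "vulnerabilitywhen", with the space missing. If that text is copied verbatim from the upstream CVE record, leave it as is; otherwise change it to "vulnerability when" so a text search for the entry matches.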
@@ -13244,7 +13244,7 @@ CVE-2026-43514 (Observable Timing Discrepancy vulnerabilitywhen comparing AJP se
NOTE: https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m
CVE-2026-43513 (Improper Handling of Case Sensitivity vulnerability in LockOutRealm in ...)
- tomcat11 11.0.22-1
- - tomcat10 <unfixed>
+ - tomcat10 10.1.55-1
- tomcat9 9.0.70-2
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: Fixed by: https://github.com/apache/tomcat/commit/83f3e51df7b87f5f6e626951c575ded1a512e8ef (11.0.22)
@@ -13253,7 +13253,7 @@ CVE-2026-43513 (Improper Handling of Case Sensitivity vulnerability in LockOutRe
NOTE: https://lists.apache.org/thread/ytjcgldshj73lcnd1sh95od5hrghwogp
CVE-2026-43512 (DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...)
- tomcat11 11.0.22-1
- - tomcat10 <unfixed>
+ - tomcat10 10.1.55-1
- tomcat9 9.0.70-2
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: Fixed by: https://github.com/apache/tomcat/commit/a99c355e8199adbfd67c9a1fffbd85b810b196cd (11.0.22)
@@ -13292,7 +13292,7 @@ CVE-2026-42541 (Kubewarden is a policy engine for Kubernetes. Prior to , An atta
NOT-FOR-US: Kubewarden
CVE-2026-42498 (Exposure of HTTP Authentication Header to unexpected hosts during WebS ...)
- tomcat11 11.0.22-1
- - tomcat10 <unfixed>
+ - tomcat10 10.1.55-1
- tomcat9 9.0.70-2
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: Fixed by: https://github.com/apache/tomcat/commit/b7b173694d588ddcfa432f079baf763cbbbaa5c4 (11.0.22)
@@ -13345,7 +13345,7 @@ CVE-2026-41513 (Horilla is an HR and CRM software. In 1.5.0, the notification en
NOT-FOR-US: Horilla
CVE-2026-41293 (Improper Input Validation vulnerability in Apache Tomcat. This issue ...)
- tomcat11 11.0.22-1
- - tomcat10 <unfixed>
+ - tomcat10 10.1.55-1
- tomcat9 9.0.70-2
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: Fixed by: https://github.com/apache/tomcat/commit/e5cef9618c3f4fd31bd6fb1e83f0f18022280dac (11.0.22)
@@ -13360,7 +13360,7 @@ CVE-2026-41293 (Improper Input Validation vulnerability in Apache Tomcat. This
NOTE: https://lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll5531mvl1r
CVE-2026-41284 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
- tomcat11 11.0.22-1
- - tomcat10 <unfixed>
+ - tomcat10 10.1.55-1
- tomcat9 9.0.70-2
NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
NOTE: Fixed by: https://github.com/apache/tomcat/commit/a96fffd18487a29c0a30d36f00cb2b2d91f6d42c (11.0.22)
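Review bot: CVE-2026-41284 is the seventh entry to receive the identical substitution of "<unfixed>" with 10.1.55-1, and the commit message "tomcat10 fixed in sid" gives no basis for that version. Consider naming the source in the commit message (for example the upload's changelog listing these CVE ids), so a reader can confirm that each of the seven CVEs is covered by 10.1.55 rather than inferred from the batch.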
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/5640404450ed7a5112243158d25d97aba42fa49c