[Git][security-tracker-team/security-tracker][master] new tomcat issues
Moritz Muehlenhoff (@jmm)
jmm at debian.org
Wed May 13 10:32:53 BST 2026
Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker
Commits:
aefce3b2 by Moritz Muehlenhoff at 2026-05-13T11:32:30+02:00
new tomcat issues
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -557,13 +557,41 @@ CVE-2026-43892 (AntSword is a cross-platform website management toolkit. Prior t
CVE-2026-43891 (changedetection.io is a free open source web page change detection too ...)
TODO: check
CVE-2026-43515 (Improper Authorization vulnerability when multiple method constraints ...)
- TODO: check
+ - tomcat11 11.0.22-1
+ - tomcat10 <unfixed>
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/276087d9c7abbcecc6c4fb4e4b08cf64780c6e36 (11.0.22)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/c621317382682206fb58ab92ebd3e1b6fdd10ce9 (10.1.55)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/db919ff9912b4d61d1b702a1342b8bde39270031 (9.0.118)
+ NOTE: https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb
CVE-2026-43514 (Observable Timing Discrepancy vulnerabilitywhen comparing AJP secret i ...)
- TODO: check
+ - tomcat11 11.0.22-1
+ - tomcat10 <unfixed>
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/d35d9d23263c8e4af561f615c960c91697ff200e (11.0.22)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/a102a2a157868ca51d83eaf5a119ccd9976a113e (10.1.55)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/933dcdbf2515972280002929e7e597dead2e9ffa (9.0.118)
+ NOTE: https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m
CVE-2026-43513 (Improper Handling of Case Sensitivity vulnerability in LockOutRealm in ...)
- TODO: check
+ - tomcat11 11.0.22-1
+ - tomcat10 <unfixed>
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/83f3e51df7b87f5f6e626951c575ded1a512e8ef (11.0.22)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/4a90d3fa93988c447cd5bb7482f76ff70d7f15c2 (10.1.55)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/6dd75beb55bd42fc5f78e929596b25018cd17717 (9.0.118)
+ NOTE: https://lists.apache.org/thread/ytjcgldshj73lcnd1sh95od5hrghwogp
CVE-2026-43512 (DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...)
- TODO: check
+ - tomcat11 11.0.22-1
+ - tomcat10 <unfixed>
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/a99c355e8199adbfd67c9a1fffbd85b810b196cd (11.0.22)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/3d4d3fae07a6cd9c2eb193c5491001740ec64448 (10.1.55)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/6565a6cb6499e56fe2f34457cec99f9d1c4f39e9 (9.0.118)
+ NOTE: https://lists.apache.org/thread/7x09x7o12solvclslw3sz0288xc8wx73
CVE-2026-42899 (Loop with unreachable exit condition ('infinite loop') in ASP.NET Core ...)
NOT-FOR-US: Microsoft
CVE-2026-42898 (Improper control of generation of code ('code injection') in Microsoft ...)
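Review bot: the description for CVE-2026-43512 opens with "DEPRECATED:", yet the entry receives the same tomcat11/tomcat10/tomcat9 fixed-version lines as the other three issues; worth confirming against the linked lists.apache.org thread whether this identifier is still valid or was superseded by another CVE before the tracker carries fixed versions and commit references for it. The remaining three entries in this hunk (CVE-2026-43515, CVE-2026-43514, CVE-2026-43513) are consistent: one upstream commit per supported branch and the tomcat9 9.0.70-2 note explaining why the older source package is treated as fixed.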
@@ -595,7 +623,14 @@ CVE-2026-42741 (Improper Neutralization of Special Elements used in an SQL Comma
CVE-2026-42541 (Kubewarden is a policy engine for Kubernetes. Prior to , An attacker w ...)
TODO: check
CVE-2026-42498 (Exposure of HTTP Authentication Header to unexpected hosts during WebS ...)
- TODO: check
+ - tomcat11 11.0.22-1
+ - tomcat10 <unfixed>
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/b7b173694d588ddcfa432f079baf763cbbbaa5c4 (11.0.22)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/6cbe274592ef2d11607b5b188e1df649de52f8d5 (10.1.55)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/169d725788ea6aec217ecac70fe4161c837ba423 (9.0.118)
+ NOTE: https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb
CVE-2026-42348 (OpenTelemetry.OpAmp.Client is the OpAMP client for OpenTelemetry .NET. ...)
TODO: check
CVE-2026-42303 (Fides is an open-source privacy engineering platform. From 2.75.0 to b ...)
@@ -638,9 +673,29 @@ CVE-2026-41551 (A vulnerability has been identified in ROS# (All versions < V2.2
CVE-2026-41513 (Horilla is an HR and CRM software. In 1.5.0, the notification endpoint ...)
TODO: check
CVE-2026-41293 (Improper Input Validation vulnerability in Apache Tomcat. This issue ...)
- TODO: check
+ - tomcat11 11.0.22-1
+ - tomcat10 <unfixed>
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/e5cef9618c3f4fd31bd6fb1e83f0f18022280dac (11.0.22)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/3915fd27e6810b14ccd21e3d900bd8faef44d3df (11.0.22)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/c2925554c677da57390f940d856871e18daaacab (11.0.22)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/19f17a257797e8d139b33ff9c88d362a273be148 (10.1.55)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/f72a6174ab1f0f5a053435f80448b4f6837fe6d7 (10.1.55)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/2a2476460e823789f530a22207873ea8cd6eff3b (10.1.55)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/cf9452443bcbf3b1a4b435ef7d624364f1b65ca3 (9.0.118)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/1c70480466572c9192ed412ebefcd43fc63137fd (9.0.118)
+ NOTE: Fixed by: (9.0.118)
+ NOTE: https://lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll5531mvl1r
CVE-2026-41284 (Allocation of Resources Without Limits or Throttling vulnerability in ...)
- TODO: check
+ - tomcat11 11.0.22-1
+ - tomcat10 <unfixed>
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server stack, using that as the fixed version
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/a96fffd18487a29c0a30d36f00cb2b2d91f6d42c (11.0.22)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/b3d1c1c239142e806be0b7329d304b94a58913ed (10.1.55)
+ NOTE: Fixed by: https://github.com/apache/tomcat/commit/17dacd9aa48628da2eba37a9ab743c0b6c71685c (9.0.118)
+ NOTE: https://lists.apache.org/thread/2nvqjr7ovjmvx2vbhb7s61ycd5msc8qc
CVE-2026-41125 (A vulnerability has been identified in blueplanet 100 NX3 M8 (All vers ...)
NOT-FOR-US: Siemens
CVE-2026-41109 (Improper neutralization of special elements in output used by a downst ...)
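Review bot: the line `NOTE: Fixed by: (9.0.118)` under CVE-2026-41293 is missing its commit URL; every other "Fixed by:" line in this commit carries a github.com/apache/tomcat commit reference, and the 9.0.118 branch lists only two of the three commits that the 11.0.22 and 10.1.55 branches each have, so the third 9.x commit URL should be filled in from the linked lists.apache.org thread or the line dropped. The CVE-2026-41284 entry in the same hunk is complete.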
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aefce3b2d1e777954cf72d1ba9f173abd1846bd0