Updated tomcat packages fix security vulnerabilities
Publication date: 12 Apr 2026
Modification date: 12 Apr 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-24880, CVE-2026-25854, CVE-2026-29129, CVE-2026-29145, CVE-2026-29146, CVE-2026-32990, CVE-2026-34483, CVE-2026-34486, CVE-2026-34487, CVE-2026-34500
Description
Request smuggling via invalid chunk extension. (CVE-2026-24880)
Occasional open redirect. (CVE-2026-25854)
TLS cipher order is not preserved. (CVE-2026-29129)
OCSP checks sometimes soft-fail even when soft-fail is disabled.
(CVE-2026-29145)
EncryptInterceptor vulnerable to padding oracle attack by default.
(CVE-2026-29146)
Fix for CVE-2025-66614 is incomplete. (CVE-2026-32990)
Incomplete escaping of JSON access logs. (CVE-2026-34483)
Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor.
(CVE-2026-34486)
Cloud membership for clustering component exposed the Kubernetes bearer
token. (CVE-2026-34487)
OCSP checks sometimes soft-fail with FFM even when soft-fail is
disabled. (CVE-2026-34500)
References
- https://bugs.mageia.org/show_bug.cgi?id=35341
- https://www.openwall.com/lists/oss-security/2026/04/09/20
- https://www.openwall.com/lists/oss-security/2026/04/09/21
- https://www.openwall.com/lists/oss-security/2026/04/09/22
- https://www.openwall.com/lists/oss-security/2026/04/09/23
- https://www.openwall.com/lists/oss-security/2026/04/09/24
- https://www.openwall.com/lists/oss-security/2026/04/09/25
- https://www.openwall.com/lists/oss-security/2026/04/09/26
- https://www.openwall.com/lists/oss-security/2026/04/09/27
- https://www.openwall.com/lists/oss-security/2026/04/09/28
- https://www.openwall.com/lists/oss-security/2026/04/09/29
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-24880
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25854
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29129
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29145
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-29146
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32990
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34483
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34486
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34487
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34500
SRPMS
9/core
- tomcat-9.0.117-1.mga9