Updated tomcat packages fix security vulnerability
Publication date: 15 May 2026
Modification date: 15 May 2026
Type: security
Affected Mageia releases: 9
CVE: CVE-2026-41284, CVE-2026-41293, CVE-2026-42498, CVE-2026-43512, CVE-2026-43513, CVE-2026-43514, CVE-2026-43515
Description
Unbounded read in WebDAV LOCK and PROPFIND handling. (CVE-2026-41284)
HTTP/2 request headers not validated. (CVE-2026-41293)
WebSocket authentication header exposure. (CVE-2026-42498)
Digest authenticator will authenticate any unknown user. (CVE-2026-43512)
LockOutRealm treats user names as case-sensitive. (CVE-2026-43513)
AJP secret compared in non-constant time. (CVE-2026-43514)
Security constraints not correctly applied. (CVE-2026-43515)
References
- https://bugs.mageia.org/show_bug.cgi?id=35523
- https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.118
- https://www.openwall.com/lists/oss-security/2026/05/12/8
- https://www.openwall.com/lists/oss-security/2026/05/12/9
- https://www.openwall.com/lists/oss-security/2026/05/12/10
- https://www.openwall.com/lists/oss-security/2026/05/12/11
- https://www.openwall.com/lists/oss-security/2026/05/12/12
- https://www.openwall.com/lists/oss-security/2026/05/12/13
- https://www.openwall.com/lists/oss-security/2026/05/12/14
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41284
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-41293
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42498
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43512
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43513
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43514
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-43515
SRPMS
9/core
- tomcat-9.0.118-1.mga9