{
  "schema_version": "1.7.0",
  "id": "MGASA-2026-0139",
  "published": "2026-05-15T06:17:07Z",
  "modified": "2026-05-15T05:26:44Z",
  "summary": "Updated tomcat packages fix security vulnerabilities",
  "details": "Unbounded read in WebDAV LOCK and PROPFIND handling. (CVE-2026-41284)\nHTTP/2 request headers not validated. (CVE-2026-41293)\nWebSocket authentication header exposure. (CVE-2026-42498)\nDigest authenticator will authenticate any unknown user. (CVE-2026-43512)\nLockOutRealm treats user names as case-sensitive. (CVE-2026-43513)\nAJP secret compared in non-constant time. (CVE-2026-43514)\nSecurity constraints not correctly applied. (CVE-2026-43515)\n",
  "upstream": [
    "CVE-2026-41284",
    "CVE-2026-41293",
    "CVE-2026-42498",
    "CVE-2026-43512",
    "CVE-2026-43513",
    "CVE-2026-43514",
    "CVE-2026-43515"
  ],
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://advisories.mageia.org/MGASA-2026-0139.html"
    },
    {
      "type": "REPORT",
      "url": "https://bugs.mageia.org/show_bug.cgi?id=35523"
    },
    {
      "type": "WEB",
      "url": "https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.118"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/12/8"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/12/9"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/12/10"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/12/11"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/12/12"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/12/13"
    },
    {
      "type": "WEB",
      "url": "https://www.openwall.com/lists/oss-security/2026/05/12/14"
    }
  ],
  "affected": [
    {
      "package": {
        "ecosystem": "Mageia:9",
        "name": "tomcat",
        "purl": "pkg:rpm/mageia/tomcat?arch=source&distro=mageia-9"
      },
      "ranges": [
        {
          "type": "ECOSYSTEM",
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.0.118-1.mga9"
            }
          ]
        }
      ],
      "ecosystem_specific": {
        "section": "core"
      }
    }
  ],
  "credits": [
    {
      "name": "Mageia",
      "type": "COORDINATOR",
      "contact": [
        "https://wiki.mageia.org/en/Packages_Security_Team"
      ]
    }
  ]
}
