Salvatore Bonaccorso pushed to branch master at Debian Security Tracker /
security-tracker
Commits:
2a0d19ef by Salvatore Bonaccorso at 2026-02-17T21:37:19+01:00
Add new Apache tomcat issues
- - - - -
2 changed files:
- data/CVE/list
- data/DSA/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -23,9 +23,20 @@ CVE-2026-26731 (TOTOLINK A3002RU V2.1.1-B20211108.1455 was
discovered to contain
CVE-2026-25903 (Apache NiFi 1.1.0 through 2.7.2 are missing authorization when
updatin ...)
NOT-FOR-US: Apache software not packaged in Debian
CVE-2026-24734 (Improper Input Validation vulnerability in Apache Tomcat
Native, Apach ...)
- TODO: check
+ - tomcat11 11.0.18-1
+ - tomcat10 10.1.52-1
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server
stack, using that as the fixed version
+ NOTE: https://lists.apache.org/thread/292dlmx3fz1888v6v16221kpozq56gml
CVE-2026-24733 (Improper Input Validation vulnerability in Apache Tomcat.
Tomcat did ...)
- TODO: check
+ - tomcat11 11.0.15-1
+ - tomcat10 10.1.52-1
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server
stack, using that as the fixed version
+ NOTE: https://lists.apache.org/thread/6xk3t65qpn1myp618krtfotbjn1qt90f
+ NOTE: Fixed by:
https://github.com/apache/tomcat/commit/6c73d74ff281260d74c836370ff6b82f1da8048b
(11.0.15)
+ NOTE: Fixed by:
https://github.com/apache/tomcat/commit/711b465cf22684a1acf0cb43501cdbbce9b6c5f4
(10.1.50)
+ NOTE: Fixed by:
https://github.com/apache/tomcat/commit/2e2fa23f2635bbb819759576a2f2f5e64ecf7c5f
(9.0.113)
CVE-2026-23861 (Dell Unisphere for PowerMax vApp, version(s) 9.2.4.x,
contain(s) an Im ...)
NOT-FOR-US: Dell / EMC
CVE-2026-23648 (Glory RBG-100 recycler systems using the ISPK-08 software
component co ...)
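Review bot: The CVE-2026-24734 entry records only the lists.apache.org NOTE and no "Fixed by:" commit references, while CVE-2026-24733 directly below it lists one upstream commit per branch. Adding the upstream commits (or a NOTE that none could be identified) would let the fixed versions 11.0.18-1 and 10.1.52-1 be checked against upstream. The description also names Apache Tomcat Native, yet only tomcat11, tomcat10 and tomcat9 are tracked, so a line or NOTE stating the status of the Tomcat Native source package would make the entry complete.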
@@ -61,7 +72,17 @@ CVE-2025-70397 (jizhicms 2.5.6 is vulnerable to SQL
Injection in Article/deleteA
CVE-2025-67905 (Malwarebytes AdwCleaner before v.8.7.0 runs as Administrator
and perfo ...)
NOT-FOR-US: Malwarebytes AdwCleaner
CVE-2025-66614 (Improper Input Validation vulnerability. This issue affects
Apache To ...)
- TODO: check
+ - tomcat11 11.0.15-1
+ - tomcat10 10.1.52-1
+ - tomcat9 9.0.70-2
+ NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server
stack, using that as the fixed version
+ NOTE: https://lists.apache.org/thread/vw6lxtlh2qbqwpb61wd3sv1flm2nttw7
+ NOTE: Fixed by:
https://github.com/apache/tomcat/commit/258a591b61f8cf5c22109e21e5a2a38b63454fd2
(11.0.15)
+ NOTE: Fixed by:
https://github.com/apache/tomcat/commit/972f9a5e2a07674d92610c478aac1b205d60724e
(10.1.50)
+ NOTE: Fixed by:
https://github.com/apache/tomcat/commit/5053fa82a1b2b52756810601227984a8b71888a4
(10.1.50)
+ NOTE: Fixed by:
https://github.com/apache/tomcat/commit/152c14885d45f5e0a8b59bd9f93c289cfe20ce30
(9.0.113)
+ NOTE: Fixed by:
https://github.com/apache/tomcat/commit/a4aa74232e826028cd2f7ba0445caf8a8b52c509
(9.0.113)
+ NOTE: Fixed by:
https://github.com/apache/tomcat/commit/9276b5e783c8cd5b3fe2bb716306b65004bdd940
(9.0.113)
CVE-2025-65753 (An issue in the TLS certification mechanism of Guardian
Gryphon v01.06 ...)
NOT-FOR-US: Guardian Gryphon
CVE-2025-59793 (Rocket TRUfusion Enterprise through 7.10.5 exposes the
endpoint at /ax ...)
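Review bot: The "Fixed by:" list for CVE-2025-66614 is uneven across branches: one commit for (11.0.15), two for (10.1.50) and three for (9.0.113). If the 11.0.x fix really is a single commit, a short NOTE saying the backports were split into several commits would explain the difference. Otherwise the missing 11.0.x and 10.1.x references should be added so each branch can be audited against the same set of changes.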
=====================================
data/DSA/list
=====================================
@@ -55,10 +55,10 @@
[bookworm] - chromium 144.0.7559.109-2~deb12u1
[trixie] - chromium 144.0.7559.109-2~deb13u1
[05 Feb 2026] DSA-6121-1 tomcat11 - security update
- {CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989
CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668 CVE-2025-55752
CVE-2025-55754 CVE-2025-61795}
+ {CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989
CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668 CVE-2025-55752
CVE-2025-55754 CVE-2025-61795 CVE-2025-66614 CVE-2026-24733}
[trixie] - tomcat11 11.0.15-1~deb13u1
[05 Feb 2026] DSA-6120-1 tomcat10 - security update
- {CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989
CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668 CVE-2025-55752
CVE-2025-55754 CVE-2025-61795}
+ {CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989
CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668 CVE-2025-55752
CVE-2025-55754 CVE-2025-61795 CVE-2025-66614 CVE-2026-24733 CVE-2026-24734}
[bookworm] - tomcat10 10.1.52-1~deb12u1
[trixie] - tomcat10 10.1.52-1~deb13u1
[05 Feb 2026] DSA-6119-1 openjdk-25 - security update
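Review bot: CVE-2026-24734 is appended to DSA-6120-1 (tomcat10) but not to DSA-6121-1 (tomcat11). This matches data/CVE/list, where tomcat11 is fixed in 11.0.18-1 while the DSA shipped 11.0.15-1~deb13u1, but it leaves trixie's tomcat11 open for that CVE with no annotation. Consider recording its suite status in data/CVE/list as part of this change. The commit message "Add new Apache tomcat issues" also does not mention that the CVE sets of two already published DSAs were extended, which is worth stating for anyone reading the log later.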
View it on GitLab:
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/2a0d19ef426d948b2cd54a20971685246368546f