Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
aefce3b2 by Moritz Muehlenhoff at 2026-05-13T11:32:30+02:00
new tomcat issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -557,13 +557,41 @@ CVE-2026-43892 (AntSword is a cross-platform website 
management toolkit. Prior t
 CVE-2026-43891 (changedetection.io is a free open source web page change 
detection too ...)
        TODO: check
 CVE-2026-43515 (Improper Authorization vulnerability when multiple method 
constraints  ...)
-       TODO: check
+       - tomcat11 11.0.22-1
+       - tomcat10 <unfixed>
+       - tomcat9 9.0.70-2
+       NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server 
stack, using that as the fixed version
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/276087d9c7abbcecc6c4fb4e4b08cf64780c6e36
 (11.0.22)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/c621317382682206fb58ab92ebd3e1b6fdd10ce9
 (10.1.55)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/db919ff9912b4d61d1b702a1342b8bde39270031
 (9.0.118)
+       NOTE: https://lists.apache.org/thread/746nxfxod0wsocxtmv8pb8nkgmwpc6bb
 CVE-2026-43514 (Observable Timing Discrepancy vulnerabilitywhen comparing AJP 
secret i ...)
-       TODO: check
+       - tomcat11 11.0.22-1
+       - tomcat10 <unfixed>
+       - tomcat9 9.0.70-2
+       NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server 
stack, using that as the fixed version
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/d35d9d23263c8e4af561f615c960c91697ff200e
 (11.0.22)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/a102a2a157868ca51d83eaf5a119ccd9976a113e
 (10.1.55)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/933dcdbf2515972280002929e7e597dead2e9ffa
 (9.0.118)
+       NOTE: https://lists.apache.org/thread/2k654v5cq123npfsd1b2kk1y30owqb1m
 CVE-2026-43513 (Improper Handling of Case Sensitivity vulnerability in 
LockOutRealm in ...)
-       TODO: check
+       - tomcat11 11.0.22-1
+       - tomcat10 <unfixed>
+       - tomcat9 9.0.70-2
+       NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server 
stack, using that as the fixed version
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/83f3e51df7b87f5f6e626951c575ded1a512e8ef
 (11.0.22)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/4a90d3fa93988c447cd5bb7482f76ff70d7f15c2
 (10.1.55)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/6dd75beb55bd42fc5f78e929596b25018cd17717
 (9.0.118)
+       NOTE: https://lists.apache.org/thread/ytjcgldshj73lcnd1sh95od5hrghwogp
 CVE-2026-43512 (DEPRECATED: Authentication Bypass Issues vulnerability in 
digest authe ...)
-       TODO: check
+       - tomcat11 11.0.22-1
+       - tomcat10 <unfixed>
+       - tomcat9 9.0.70-2
+       NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server 
stack, using that as the fixed version
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/a99c355e8199adbfd67c9a1fffbd85b810b196cd
 (11.0.22)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/3d4d3fae07a6cd9c2eb193c5491001740ec64448
 (10.1.55)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/6565a6cb6499e56fe2f34457cec99f9d1c4f39e9
 (9.0.118)
+       NOTE: https://lists.apache.org/thread/7x09x7o12solvclslw3sz0288xc8wx73
 CVE-2026-42899 (Loop with unreachable exit condition ('infinite loop') in 
ASP.NET Core ...)
        NOT-FOR-US: Microsoft
 CVE-2026-42898 (Improper control of generation of code ('code injection') in 
Microsoft ...)
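Review bot: the CVE-2026-43512 entry in this hunk records fixed versions for an advisory whose description begins "DEPRECATED: Authentication Bypass Issues vulnerability in digest authe ...", so confirm that the CVE is still a live assignment before attaching version data; if upstream or MITRE has withdrawn it, the tracker's usual marker for rejected entries would be clearer than three package lines plus four Fixed-by NOTEs. Secondary point, applying to all four Tomcat entries here: tomcat10 is listed as `<unfixed>` while the 10.1.55 commit is already linked in each case, so these lines will each need a follow-up once a 10.1.55-based upload exists, and a short NOTE saying so would save the next triager from re-checking the upstream commits.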
@@ -595,7 +623,14 @@ CVE-2026-42741 (Improper Neutralization of Special 
Elements used in an SQL Comma
 CVE-2026-42541 (Kubewarden is a policy engine for Kubernetes. Prior to , An 
attacker w ...)
        TODO: check
 CVE-2026-42498 (Exposure of HTTP Authentication Header to unexpected hosts 
during WebS ...)
-       TODO: check
+       - tomcat11 11.0.22-1
+       - tomcat10 <unfixed>
+       - tomcat9 9.0.70-2
+       NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server 
stack, using that as the fixed version
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/b7b173694d588ddcfa432f079baf763cbbbaa5c4
 (11.0.22)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/6cbe274592ef2d11607b5b188e1df649de52f8d5
 (10.1.55)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/169d725788ea6aec217ecac70fe4161c837ba423
 (9.0.118)
+       NOTE: https://lists.apache.org/thread/n61zwf75jrv09rz90j4jssncm244bwdb
 CVE-2026-42348 (OpenTelemetry.OpAmp.Client is the OpAMP client for 
OpenTelemetry .NET. ...)
        TODO: check
 CVE-2026-42303 (Fides is an open-source privacy engineering platform. From 
2.75.0 to b ...)
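Review bot: in the CVE-2026-42498 entry, tomcat10 is again marked `<unfixed>` even though the matching 10.1.55 commit (6cbe274592ef2d11607b5b188e1df649de52f8d5) is linked two lines below; if tomcat10 is only shipped in a suite that no longer receives security updates, the tracker's end-of-life / no-dsa annotation would describe the situation more accurately than `<unfixed>`, and if it is still supported, the line should be revisited as soon as 10.1.55 is packaged. The repeated NOTE about src:tomcat9 no longer shipping the server stack since 9.0.70-2 is consistent with the earlier entries and is the right justification for using that version rather than 9.0.118.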
@@ -638,9 +673,29 @@ CVE-2026-41551 (A vulnerability has been identified in 
ROS# (All versions < V2.2
 CVE-2026-41513 (Horilla is an HR and CRM software. In 1.5.0, the notification 
endpoint ...)
        TODO: check
 CVE-2026-41293 (Improper Input Validation vulnerability in Apache Tomcat.  
This issue  ...)
-       TODO: check
+       - tomcat11 11.0.22-1
+       - tomcat10 <unfixed>
+       - tomcat9 9.0.70-2
+       NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server 
stack, using that as the fixed version
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/e5cef9618c3f4fd31bd6fb1e83f0f18022280dac
 (11.0.22)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/3915fd27e6810b14ccd21e3d900bd8faef44d3df
 (11.0.22)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/c2925554c677da57390f940d856871e18daaacab
 (11.0.22)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/19f17a257797e8d139b33ff9c88d362a273be148
 (10.1.55)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/f72a6174ab1f0f5a053435f80448b4f6837fe6d7
 (10.1.55)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/2a2476460e823789f530a22207873ea8cd6eff3b
 (10.1.55)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/cf9452443bcbf3b1a4b435ef7d624364f1b65ca3
 (9.0.118)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/1c70480466572c9192ed412ebefcd43fc63137fd
 (9.0.118)
+       NOTE: Fixed by: (9.0.118)
+       NOTE: https://lists.apache.org/thread/qwg0q16z7xkb2qrr853wdll5531mvl1r
 CVE-2026-41284 (Allocation of Resources Without Limits or Throttling 
vulnerability in  ...)
-       TODO: check
+       - tomcat11 11.0.22-1
+       - tomcat10 <unfixed>
+       - tomcat9 9.0.70-2
+       NOTE: Starting with 9.0.70-2 src:tomcat9 no longer ships the server 
stack, using that as the fixed version
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/a96fffd18487a29c0a30d36f00cb2b2d91f6d42c
 (11.0.22)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/b3d1c1c239142e806be0b7329d304b94a58913ed
 (10.1.55)
+       NOTE: Fixed by: 
https://github.com/apache/tomcat/commit/17dacd9aa48628da2eba37a9ab743c0b6c71685c
 (9.0.118)
+       NOTE: https://lists.apache.org/thread/2nvqjr7ovjmvx2vbhb7s61ycd5msc8qc
 CVE-2026-41125 (A vulnerability has been identified in blueplanet 100 NX3 M8 
(All vers ...)
        NOT-FOR-US: Siemens
 CVE-2026-41109 (Improper neutralization of special elements in output used by 
a downst ...)
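Review bot: the CVE-2026-41293 entry contains a dangling `NOTE: Fixed by: (9.0.118)` with no commit URL; the 11.x and 10.1.x branches each list three upstream commits, so the third 9.0.118 commit link appears to have been dropped and should either be filled in or the line removed so the NOTE does not look like a complete reference. The CVE-2026-41284 entry follows the same tomcat11/tomcat10/tomcat9 pattern as the earlier hunks, with tomcat10 left `<unfixed>` despite a linked 10.1.55 commit, so it shares the follow-up noted above.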



View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/aefce3b2d1e777954cf72d1ba9f173abd1846bd0



_______________________________________________
debian-security-tracker-commits mailing list
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
