Source: tomcat11 Version: 11.0.22-1 Severity: grave Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi, The following vulnerabilities were published for tomcat11. CVE-2026-50229[0]: | Improper Neutralization of Script-Related HTML Tags in a Web Page | (Basic XSS) vulnerability in the number guess example for Apache | Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through | 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through | 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. | Other versions that have reached end of support may also be | affected. Users are recommended to upgrade to version 11.0.23, | 10.1.56 or 9.0.119, which fix the issue. CVE-2026-53404[1]: | Always-Incorrect Control Flow Implementation vulnerability in Apache | Tomcat's rewrite valve meant that if the first condition in an OR | chain matched, subsequent non-OR conditions were skipped. This | issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from | 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 | through 8.5.100. Other versions that have reached end of support may | also be affected. Users are recommended to upgrade to version | 11.0.23, 10.1.56 or 9.0.119, which fix the issue. CVE-2026-53434[2]: | Detection of Error Condition Without Action vulnerability in Apache | Tomcat when configuring CRLs for a FFM based connector. This issue | affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from | 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118. Users are | recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which | fixes the issue. CVE-2026-55276[3]: | Always-Incorrect Control Flow Implementation vulnerability in Apache | Tomcat meant that special roles and empty authorisation constraints | were not included when the effective web.xml was logged. This issue | affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from | 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0 | through 8.5.100. Other versions that have reached end of support may | also be affected. Users are recommended to upgrade to version | 11.0.23, 10.1.56 or 9.0.119 which fixes the issue. CVE-2026-55955[4]: | Improper Authentication vulnerability in Apache Tomcat allowed a | replay attack against the EncryptionInterceptor in the cluster | component. This issue affects Apache Tomcat: from 11.0.0-M1 through | 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18, | from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109. Users | are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119, | which fixes the issue. CVE-2026-55956[5]: | Improper Authorization vulnerability in Apache Tomcat leads to | security constraints specified for the default servlet ignoring any | method or method omission configured as part of the constraint. | This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, | from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from | 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions | that have reached end of support may also be affected. Users are | recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which | fix the issue. If you fix the vulnerabilities please also make sure to include the CVE (Common Vulnerabilities & Exposures) ids in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-50229 https://www.cve.org/CVERecord?id=CVE-2026-50229 [1] https://security-tracker.debian.org/tracker/CVE-2026-53404 https://www.cve.org/CVERecord?id=CVE-2026-53404 [2] https://security-tracker.debian.org/tracker/CVE-2026-53434 https://www.cve.org/CVERecord?id=CVE-2026-53434 [3] https://security-tracker.debian.org/tracker/CVE-2026-55276 https://www.cve.org/CVERecord?id=CVE-2026-55276 [4] https://security-tracker.debian.org/tracker/CVE-2026-55955 https://www.cve.org/CVERecord?id=CVE-2026-55955 [5] https://security-tracker.debian.org/tracker/CVE-2026-55956 https://www.cve.org/CVERecord?id=CVE-2026-55956 Regards, Salvatore __ This is the maintainer address of Debian's Java team <https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>. Please use [email protected] for discussions and questions.
