Source: tomcat11
Version: 11.0.22-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerabilities were published for tomcat11.

CVE-2026-50229[0]:
| Improper Neutralization of Script-Related HTML Tags in a Web Page
| (Basic XSS) vulnerability in the number guess example for Apache
| Tomcat.  This issue affects Apache Tomcat: from 11.0.0-M1 through
| 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through
| 9.0.118, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109.
| Other versions that have reached end of support may also be
| affected.  Users are recommended to upgrade to version 11.0.23,
| 10.1.56 or 9.0.119, which fix the issue.


CVE-2026-53404[1]:
| Always-Incorrect Control Flow Implementation vulnerability in Apache
| Tomcat's rewrite valve meant that if the first condition in an OR
| chain matched, subsequent non-OR conditions were skipped.  This
| issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from
| 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0
| through 8.5.100. Other versions that have reached end of support may
| also be affected.  Users are recommended to upgrade to version
| 11.0.23, 10.1.56 or 9.0.119, which fix the issue.


CVE-2026-53434[2]:
| Detection of Error Condition Without Action vulnerability in Apache
| Tomcat when configuring CRLs for a FFM based connector.  This issue
| affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from
| 10.1.0-M7 through 10.1.55, from 9.0.83 through 9.0.118.  Users are
| recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which
| fixes the issue.


CVE-2026-55276[3]:
| Always-Incorrect Control Flow Implementation vulnerability in Apache
| Tomcat meant that special roles and empty authorisation constraints
| were not included when the effective web.xml was logged.  This issue
| affects Apache Tomcat: from 11.0.0-M1 through 11.0.22, from
| 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from 8.5.0
| through 8.5.100. Other versions that have reached end of support may
| also be affected.  Users are recommended to upgrade to version
| 11.0.23, 10.1.56 or 9.0.119 which fixes the issue.


CVE-2026-55955[4]:
| Improper Authentication vulnerability in Apache Tomcat allowed a
| replay attack against the EncryptionInterceptor in the cluster
| component.  This issue affects Apache Tomcat: from 11.0.0-M1 through
| 11.0.22, from 10.1.0-M1 through 10.1.55, from 9.0.13 through 9.0.18,
| from 8.5.38 through 8.5.100, from 7.0.100 through 7.0.109.  Users
| are recommended to upgrade to version 11.0.23, 10.1.56, 9.0.119,
| which fixes the issue.


CVE-2026-55956[5]:
| Improper Authorization vulnerability in Apache Tomcat leads to
| security constraints specified for the default servlet ignoring any
| method or method omission configured as part of the constraint.
| This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.22,
| from 10.1.0-M1 through 10.1.55, from 9.0.0.M1 through 9.0.118, from
| 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Other versions
| that have reached end of support may also be affected.  Users are
| recommended to upgrade to version 11.0.23, 10.1.56 or 9.0.119, which
| fix the issue.


If you fix the vulnerabilities please also make sure to include the
CVE (Common Vulnerabilities & Exposures) ids in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-50229
    https://www.cve.org/CVERecord?id=CVE-2026-50229
[1] https://security-tracker.debian.org/tracker/CVE-2026-53404
    https://www.cve.org/CVERecord?id=CVE-2026-53404
[2] https://security-tracker.debian.org/tracker/CVE-2026-53434
    https://www.cve.org/CVERecord?id=CVE-2026-53434
[3] https://security-tracker.debian.org/tracker/CVE-2026-55276
    https://www.cve.org/CVERecord?id=CVE-2026-55276
[4] https://security-tracker.debian.org/tracker/CVE-2026-55955
    https://www.cve.org/CVERecord?id=CVE-2026-55955
[5] https://security-tracker.debian.org/tracker/CVE-2026-55956
    https://www.cve.org/CVERecord?id=CVE-2026-55956

Regards,
Salvatore
__
This is the maintainer address of Debian's Java team
<https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-java-maintainers>.
 Please use
[email protected] for discussions and questions.

Reply via email to