[ubuntu/resolute-updates] tomcat10 10.1.40-1ubuntu1.26.04.1 (Accepted)
Ubuntu Archive Robot
ubuntu-archive-robot at lists.canonical.com
Wed Jun 10 08:03:00 UTC 2026
tomcat10 (10.1.40-1ubuntu1.26.04.1) resolute-security; urgency=medium
* SECURITY UPDATE: WebDAV resource exhaustion via unbounded
request body
- debian/patches/CVE-2026-41284.patch: limit LOCK and PROPFIND
request body size using BoundedByteArrayOutputStream
- CVE-2026-41284
* SECURITY UPDATE: HTTP/2 header field validation bypass
- debian/patches/CVE-2026-41293-pre.patch: add header validation
infrastructure for HTTP/2 field names and values
- debian/patches/CVE-2026-41293.patch: improve field-vchar
validation and simplify error handling in HPackHuffman
- CVE-2026-41293
* SECURITY UPDATE: WebSocket authentication header leakage
- debian/patches/CVE-2026-42498.patch: clear authentication
headers after use and fix digest auth method handling
- CVE-2026-42498
* SECURITY UPDATE: digest authentication NPE bypass
- debian/patches/CVE-2026-43512.patch: add null check for
password in RealmBase.getDigest()
- CVE-2026-43512
* SECURITY UPDATE: LockOutRealm case sensitivity bypass
- debian/patches/CVE-2026-43513.patch: normalize username case
in LockOutRealm when caseSensitive is false
- CVE-2026-43513
* SECURITY UPDATE: authorization bypass via multiple method
constraints
- debian/patches/CVE-2026-43515.patch: check all matching
SecurityCollection entries in RealmBase
- CVE-2026-43515
* debian/control: pin Build-Depends to openjdk-21-jdk to ensure the
package builds against OpenJDK 21 on resolute
Date: 2026-06-09 18:13:45.069279+00:00
Changed-By: Vyom Yadav <vyom.yadav at canonical.com>
Signed-By: Ubuntu Archive Robot <ubuntu-archive-robot at lists.canonical.com>
https://launchpad.net/ubuntu/+source/tomcat10/10.1.40-1ubuntu1.26.04.1
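The LockOutRealm item in the changelog above (CVE-2026-43513, "normalize username case in LockOutRealm when caseSensitive is false") is easiest to see with a small model. The following is an added example, not Tomcat's LockOutRealm and not part of the Ubuntu package: a lock-out wrapper placed in front of a backing realm that looks users up case-insensitively, run once without and once with the case normalization the changelog describes. `LockOutRealm`, `backing_authenticate`, `USERS`, the `normalize` switch that toggles the fix, and the sample credentials are all constructed here for the illustration; only the `caseSensitive` behaviour is taken from the page.

```python
"""Model of a lock-out realm in front of a case-insensitive user store,
before and after normalizing the username case.  Added example, not
Tomcat's LockOutRealm; names and sample data are constructed here."""
import itertools
from collections import defaultdict

# Constructed sample user store; the backing realm ignores username case.
USERS = {"admin": "correct horse battery staple"}


def backing_authenticate(username, password):
    """Backing realm that matches usernames case-insensitively."""
    return USERS.get(username.lower()) == password


class LockOutRealm:
    """Counts failed logins per user and refuses further attempts once
    failure_count is reached.  `normalize` stands in for the fix: when the
    realm is not case-sensitive, the counter key is the lower-cased name."""

    def __init__(self, failure_count=3, case_sensitive=False, normalize=True):
        self.failure_count = failure_count
        self.case_sensitive = case_sensitive
        self.normalize = normalize
        self.failures = defaultdict(int)

    def _key(self, username):
        if not self.case_sensitive and self.normalize:
            return username.lower()
        # Pre-fix behaviour: "admin" and "ADMIN" get separate counters.
        return username

    def is_locked(self, username):
        return self.failures[self._key(username)] >= self.failure_count

    def authenticate(self, username, password):
        """Returns (success, reason)."""
        key = self._key(username)
        if self.failures[key] >= self.failure_count:
            return False, "locked"
        if backing_authenticate(username, password):
            self.failures.pop(key, None)
            return True, "ok"
        self.failures[key] += 1
        return False, "bad credentials"


def case_variants(name):
    """Every upper/lower spelling of name ('admin' has 2**5 = 32)."""
    pairs = [(c.lower(), c.upper()) for c in name]
    return sorted({"".join(p) for p in itertools.product(*pairs)})


def guesses_evaluated(realm, name, guesses):
    """Attacker rotates through case variants of the username while guessing
    passwords; returns how many guesses reached the backing realm, i.e. were
    not stopped by the lock-out."""
    evaluated = 0
    for guess, variant in zip(guesses, itertools.cycle(case_variants(name))):
        ok, reason = realm.authenticate(variant, guess)
        if reason != "locked":
            evaluated += 1
        if ok:
            break
    return evaluated


def lockout_bypassed(realm, name, password):
    """Lock the lower-case spelling with failures, then present the correct
    password under the upper-case spelling.  True means the lock-out was
    sidestepped."""
    for i in range(realm.failure_count):
        realm.authenticate(name.lower(), f"wrong{i}")
    assert realm.is_locked(name.lower())
    ok, _ = realm.authenticate(name.upper(), password)
    return ok


if __name__ == "__main__":
    wrong = [f"guess{i}" for i in range(100)]
    vuln = LockOutRealm(failure_count=3, case_sensitive=False, normalize=False)
    fixed = LockOutRealm(failure_count=3, case_sensitive=False, normalize=True)
    print("guesses evaluated, pre-fix:", guesses_evaluated(vuln, "admin", wrong))
    print("guesses evaluated, fixed:  ", guesses_evaluated(fixed, "admin", wrong))
    print("bypass pre-fix:", lockout_bypassed(LockOutRealm(normalize=False), "admin", USERS["admin"]))
    print("bypass fixed:  ", lockout_bypassed(LockOutRealm(normalize=True), "admin", USERS["admin"]))
```

With three allowed failures and a five-letter name, the unnormalized realm lets 32 times as many password guesses through (one counter per spelling) and a correct password under a different spelling logs in after the lower-case spelling is locked; with normalization every spelling shares one counter. The caveat this exposes for operators is that the lock-out's `caseSensitive` setting has to reflect what the wrapped realm actually does: a lock-out that treats names case-sensitively in front of a store that does not still keeps one counter per spelling.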
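To confirm that a host already carries this upload, the following is an added example (not part of the announcement, dpkg or the Ubuntu packaging): a Python rewrite of the version-ordering rules dpkg applies, so the comparison runs without python-apt, checked against the version string 10.1.40-1ubuntu1.26.04.1 from the changelog above, with a guarded call to `dpkg-query` when that tool is present. `FIXED_VERSION`, `debian_version_cmp`, `is_fixed` and `installed_tomcat10_version` are names chosen here.

```python
"""Compare an installed tomcat10 version against the fixed version in the
announcement above.  Added example; the ordering below is a Python rewrite
of the rules dpkg applies, not code from dpkg or Tomcat."""
import shutil
import subprocess

# Version string taken from the changelog entry above.
FIXED_VERSION = "10.1.40-1ubuntu1.26.04.1"


def _order(c):
    """Weight of one character inside a non-digit run: '~' sorts before
    everything (even the end of the string), letters before non-letters."""
    if c == "" or c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _fragment_cmp(a, b):
    """dpkg-style comparison of an upstream version or Debian revision:
    alternating non-digit runs (compared with _order) and digit runs
    (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return -1 if ac < bc else 1
            i += 1
            j += 1
        da = db = ""
        while i < len(a) and a[i].isdigit():
            da += a[i]
            i += 1
        while j < len(b) and b[j].isdigit():
            db += b[j]
            j += 1
        if da and not db:
            return 1
        if db and not da:
            return -1
        if da and db and int(da) != int(db):
            return -1 if int(da) < int(db) else 1
    return 0


def debian_version_cmp(v1, v2):
    """-1, 0 or 1 in the sense of dpkg --compare-versions: epoch first,
    then upstream version, then Debian revision."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, sep, revision = rest.rpartition("-")
        if not sep:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _fragment_cmp(u1, u2) or _fragment_cmp(r1, r2)


def is_fixed(installed, fixed=FIXED_VERSION):
    """True when the installed version is at least the fixed one."""
    return debian_version_cmp(installed, fixed) >= 0


def installed_tomcat10_version():
    """Installed tomcat10 version via dpkg-query, or None when dpkg-query is
    absent or the package is not in state 'install ok installed'."""
    if shutil.which("dpkg-query") is None:
        return None
    proc = subprocess.run(["dpkg-query", "-W", "-f=${Status} ${Version}", "tomcat10"],
                          capture_output=True, text=True)
    fields = proc.stdout.split()
    if proc.returncode != 0 or len(fields) != 4 or fields[2] != "installed":
        return None
    return fields[3]


if __name__ == "__main__":
    ver = installed_tomcat10_version()
    if ver is None:
        print("tomcat10 is not installed here (or dpkg-query is unavailable)")
    elif is_fixed(ver):
        print(f"tomcat10 {ver}: at or above {FIXED_VERSION}, OK")
    else:
        print(f"tomcat10 {ver}: older than {FIXED_VERSION}, update needed")
```

Run it on the host as any user that can read the dpkg status database. The comparison is only meaningful against the resolute upload named above: a tomcat10 build from a different Ubuntu release carries its own fix version, and an epoch prefix (`1:`) outranks every epoch-less version, so compare against the fixed version published for the release actually installed.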