SUSE alert openSUSE-SU-2026:20611-1 (tomcat)

From:
             
 
null@suse.de
To:
             
 
security-announce@lists.opensuse.org
Subject:
             
 
openSUSE-SU-2026:20611-1: important: Security update for tomcat
Date:
             
 
Thu, 23 Apr 2026 11:14:13 +0200
Message-ID:
             
 
<20260423091413.A7E91FB96@maintenance.suse.de>
Archive-link:
             
 
Article
openSUSE security update: security update for tomcat
-------------------------------------------------------------

Announcement ID: openSUSE-SU-2026:20611-1
Rating: important
References:

  * bsc#1258371
  * bsc#1261850
  * bsc#1261851
  * bsc#1261852
  * bsc#1261853
  * bsc#1261854
  * bsc#1261855
  * bsc#1261856
  * bsc#1261857



Cross-References:

  * CVE-2025-66614
  * CVE-2026-24880
  * CVE-2026-25854
  * CVE-2026-29129
  * CVE-2026-29145
  * CVE-2026-29146
  * CVE-2026-32990
  * CVE-2026-34483
  * CVE-2026-34486
  * CVE-2026-34487
  * CVE-2026-34500



CVSS scores:

  * CVE-2025-66614 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
  * CVE-2025-66614 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-24880 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2026-24880 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-25854 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2026-25854 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-29129 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2026-29129 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-29145 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2026-29145 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-29146 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2026-29146 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-34483 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2026-34483 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-34486 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2026-34486 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-34487 ( SUSE ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
  * CVE-2026-34487 ( SUSE ): 8.2 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
  * CVE-2026-34500 ( SUSE ): 4.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
  * CVE-2026-34500 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Affected Products:

         openSUSE Leap 16.0

-------------------------------------------------------------

An update that solves 11 vulnerabilities and has 9 bug fixes can now be installed.

Description:

This update for tomcat fixes the following issues:

- CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
- CVE-2026-25854: Occasionally open redirect (bsc#1261851).
- CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
- CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
- CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
- CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
- CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token
(bsc#1261856).
- CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled
(bsc#1261857).
- CVE-2026-32990: The fix for CVE-2025-66614 was incomplete. (bsc#1258371)


Patch instructions:

   To install this openSUSE security update use the suse recommended installation methods
   like YaST online_update or "zypper patch".
   Alternatively you can run the command listed for your product:

- openSUSE Leap 16.0

   zypper in -t patch openSUSE-Leap-16.0-623=1

Package List:

- openSUSE Leap 16.0:

  tomcat-9.0.117-160000.1.1
  tomcat-admin-webapps-9.0.117-160000.1.1
  tomcat-docs-webapp-9.0.117-160000.1.1
  tomcat-el-3_0-api-9.0.117-160000.1.1
  tomcat-embed-9.0.117-160000.1.1
  tomcat-javadoc-9.0.117-160000.1.1
  tomcat-jsp-2_3-api-9.0.117-160000.1.1
  tomcat-jsvc-9.0.117-160000.1.1
  tomcat-lib-9.0.117-160000.1.1
  tomcat-servlet-4_0-api-9.0.117-160000.1.1
  tomcat-webapps-9.0.117-160000.1.1

References:

  * https://www.suse.com/security/cve/CVE-2025-66614.html
  * https://www.suse.com/security/cve/CVE-2026-24880.html
  * https://www.suse.com/security/cve/CVE-2026-25854.html
  * https://www.suse.com/security/cve/CVE-2026-29129.html
  * https://www.suse.com/security/cve/CVE-2026-29145.html
  * https://www.suse.com/security/cve/CVE-2026-29146.html
  * https://www.suse.com/security/cve/CVE-2026-32990.html
  * https://www.suse.com/security/cve/CVE-2026-34483.html
  * https://www.suse.com/security/cve/CVE-2026-34486.html
  * https://www.suse.com/security/cve/CVE-2026-34487.html
  * https://www.suse.com/security/cve/CVE-2026-34500.html