Bug 34376 - tomcat new security issues CVE-2025-48988 and CVE-2025-49125
Summary: tomcat new security issues CVE-2025-48988 and CVE-2025-49125
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2025-06-18 15:52 CEST by Nicolas Salguero
Modified: 2025-06-25 07:32 CEST (History)
CC: 5 users

See Also:
Source RPM: tomcat-9.0.105-1.mga9.src.rpm
CVE: CVE-2025-48988, CVE-2025-49125
Status comment:


Nicolas Salguero 2025-06-18 15:53:31 CEST

Status comment: (none) => Fixed upstream in 9.0.106
CVE: (none) => CVE-2025-48988, CVE-2025-49125
Source RPM: (none) => tomcat-9.0.105-1.mga10.src.rpm, tomcat-9.0.105-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Marja Van Waes 2025-06-18 21:17:20 CEST
Assigning to our registered tomcat maintainer, CC'ing daviddavid, who pushed tomcat a lot of times.

CC: (none) => geiger.david68210, marja11
Assignee: bugsquad => mageia

Comment 2 Nicolas Salguero 2025-06-23 11:33:09 CEST
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

FileUpload large number of parts with headers DoS. (CVE-2025-48988)

Security constraint bypass for pre/post-resources. (CVE-2025-49125)

References:
https://www.openwall.com/lists/oss-security/2025/06/16/1
https://www.openwall.com/lists/oss-security/2025/06/16/2
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.106-1.mga9
tomcat-admin-webapps-9.0.106-1.mga9
tomcat-docs-webapp-9.0.106-1.mga9
tomcat-el-3.0-api-9.0.106-1.mga9
tomcat-jsp-2.3-api-9.0.106-1.mga9
tomcat-lib-9.0.106-1.mga9
tomcat-servlet-4.0-api-9.0.106-1.mga9
tomcat-webapps-9.0.106-1.mga9

from SRPM:
tomcat-9.0.106-1.mga9.src.rpm

Source RPM: tomcat-9.0.105-1.mga10.src.rpm, tomcat-9.0.105-1.mga9.src.rpm => tomcat-9.0.105-1.mga9.src.rpm
Assignee: mageia => qa-bugs
Status comment: Fixed upstream in 9.0.106 => (none)
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
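
A practical follow-up to the package list above is checking whether a given Mageia 9 host actually carries the fixed build. The script below is an added example written for this bug report, not Mageia or Tomcat project code: it reimplements rpm's rpmvercmp() segment ordering in pure Python (so it runs without the rpm bindings), parses `rpm -q` output in the assumed `%{NAME}-%{VERSION}-%{RELEASE}` format, and reports any of the eight subpackages still older than 9.0.106-1.mga9. The sample output it checks is constructed; the '^' post-release marker is not handled, on the assumption that Mageia tomcat builds never use it.

```python
"""Is the installed Mageia tomcat build at or past the fixed 9.0.106-1.mga9?

Added example for this bug, not Mageia or Tomcat project code. Pure-Python
port of rpm's rpmvercmp() ordering ('~' handled, '^' not: assumption).
Input lines are assumed to come from:
    rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' <packages>
"""
import re
import subprocess

# Fixed build from the updates_testing list: (epoch, version, release).
# Assumption: the Mageia tomcat packages carry no epoch.
FIXED_EVR = (0, "9.0.106", "1.mga9")

# Binary packages built from tomcat-9.0.106-1.mga9.src.rpm (list from this bug).
TOMCAT_PACKAGES = (
    "tomcat", "tomcat-admin-webapps", "tomcat-docs-webapp", "tomcat-el-3.0-api",
    "tomcat-jsp-2.3-api", "tomcat-lib", "tomcat-servlet-4.0-api", "tomcat-webapps",
)


def _segment_char(c: str) -> bool:
    """Characters rpmvercmp compares; everything else is a separator."""
    return (c.isascii() and c.isalnum()) or c == "~"


def rpmvercmp(a: str, b: str) -> int:
    """Return -1, 0 or 1 like rpmvercmp(): alternating numeric/alpha segments,
    separators ignored, '~' older than anything (including end of string)."""
    if a == b:
        return 0
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not _segment_char(a[i]):
            i += 1
        while j < len(b) and not _segment_char(b[j]):
            j += 1
        ta = i < len(a) and a[i] == "~"
        tb = j < len(b) and b[j] == "~"
        if ta or tb:                      # tilde sorts before everything
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()          # segment type is decided by a's side
        pat = r"\d+" if numeric else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                    # types differ: numeric beats alpha
            return 1 if numeric else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):        # longer digit run is the larger number
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1       # whichever still has characters wins


def evr_cmp(x, y) -> int:
    """Order (epoch, version, release) tuples the way rpm orders packages."""
    if x[0] != y[0]:
        return 1 if x[0] > y[0] else -1
    return rpmvercmp(x[1], y[1]) or rpmvercmp(x[2], y[2])


def parse_nvr(nvr: str):
    """'tomcat-servlet-4.0-api-9.0.105-1.mga9' -> (name, (epoch, version, release))."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = 0
    if ":" in version:                    # optional 'epoch:' prefix
        e, version = version.split(":", 1)
        epoch = int(e)
    return name, (epoch, version, release)


def is_fixed(nvr: str) -> bool:
    return evr_cmp(parse_nvr(nvr)[1], FIXED_EVR) >= 0


def vulnerable_packages(rpm_q_output: str) -> list:
    """Lines for tomcat subpackages older than the fix. 'package X is not
    installed' lines (rpm -q prints them for missing packages) are skipped."""
    found = []
    for line in rpm_q_output.splitlines():
        line = line.strip()
        if not line or line.endswith("is not installed"):
            continue
        name, evr = parse_nvr(line)
        if name in TOMCAT_PACKAGES and evr_cmp(evr, FIXED_EVR) < 0:
            found.append(line)
    return found


# Constructed sample: a host still on 9.0.105 with one subpackage already updated.
SAMPLE_RPM_Q = """\
tomcat-9.0.105-1.mga9
tomcat-lib-9.0.105-1.mga9
tomcat-servlet-4.0-api-9.0.105-1.mga9
tomcat-webapps-9.0.106-1.mga9
package tomcat-docs-webapp is not installed
"""


def query_installed() -> str:
    """Run the real query (rpm exits non-zero when a package is missing, so the
    status is ignored and the output parsed as-is)."""
    cmd = ["rpm", "-q", "--qf", "%{NAME}-%{VERSION}-%{RELEASE}\n", *TOMCAT_PACKAGES]
    return subprocess.run(cmd, capture_output=True, text=True).stdout


if __name__ == "__main__":
    for nvr in vulnerable_packages(SAMPLE_RPM_Q):
        print("sample: still vulnerable:", nvr)
```

Replace `SAMPLE_RPM_Q` with `query_installed()` to check a live host; a mixed result like the sample (tomcat-webapps updated, tomcat-lib not) is exactly the partial-update state that leaves the vulnerable jars on disk.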

katnatek 2025-06-23 19:20:09 CEST

Keywords: (none) => advisory

Comment 3 Herman Viaene 2025-06-24 11:15:16 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34332 for testing:
# systemctl start httpd
[root@mach3 ~]# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Tue 2025-06-24 11:06:06 CEST; 14s ago
   Main PID: 52742 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 6 (limit: 8806)
     Memory: 43.0M
        CPU: 1.260s
     CGroup: /system.slice/httpd.service
             ├─52742 /usr/sbin/httpd -DFOREGROUND
             ├─52748 /usr/sbin/httpd -DFOREGROUND
             ├─52749 /usr/sbin/httpd -DFOREGROUND
             ├─52750 /usr/sbin/httpd -DFOREGROUND
             ├─52751 /usr/sbin/httpd -DFOREGROUND
             └─52752 /usr/sbin/httpd -DFOREGROUND

Jun 24 11:06:06 mach3.hviaene.thuis systemd[1]: Starting httpd.service...
Jun 24 11:06:06 mach3.hviaene.thuis systemd[1]: Started httpd.service.
[root@mach3 ~]# systemctl restart tomcat.service
[root@mach3 ~]# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Tue 2025-06-24 11:06:47 CEST; 29s ago
   Main PID: 52875 (java)
      Tasks: 37 (limit: 8806)
     Memory: 197.5M
        CPU: 33.168s
     CGroup: /system.slice/tomcat.service
             └─52875 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/tomcat/bi>

Jun 24 11:07:09 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:09.416 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was s>
Jun 24 11:07:09 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:09.455 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of>
Jun 24 11:07:09 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:09.460 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web>
Jun 24 11:07:10 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:10.931 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was s>
Jun 24 11:07:10 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:10.953 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of>
Jun 24 11:07:10 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:10.966 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web>
Jun 24 11:07:12 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:12.888 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR was s>
Jun 24 11:07:12 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:12.910 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of>
Jun 24 11:07:12 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:12.965 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler [">
Jun 24 11:07:13 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:13.121 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in [14565]>


Then I could connect to http://localhost:8080 to exercise the manager app and display the samples.
Good to go.

Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene

Comment 4 katnatek 2025-06-24 20:49:40 CEST
(In reply to Herman Viaene from comment #3)
> MGA9-64 server Plasma Wayland on Compaq H000SB
> No installation issues.
> Ref bug 34332 for testing:
> # systemctl start httpd
> [root@mach3 ~]# systemctl -l status httpd
> ● httpd.service - The Apache HTTP Server
>      Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled;
> preset: disabled)
>      Active: active (running) since Tue 2025-06-24 11:06:06 CEST; 14s ago
>    Main PID: 52742 (/usr/sbin/httpd)
>      Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0;
> Bytes served/sec:   0 B/sec"
>       Tasks: 6 (limit: 8806)
>      Memory: 43.0M
>         CPU: 1.260s
>      CGroup: /system.slice/httpd.service
>              ├─52742 /usr/sbin/httpd -DFOREGROUND
>              ├─52748 /usr/sbin/httpd -DFOREGROUND
>              ├─52749 /usr/sbin/httpd -DFOREGROUND
>              ├─52750 /usr/sbin/httpd -DFOREGROUND
>              ├─52751 /usr/sbin/httpd -DFOREGROUND
>              └─52752 /usr/sbin/httpd -DFOREGROUND
> 
> Jun 24 11:06:06 mach3.hviaene.thuis systemd[1]: Starting httpd.service...
> Jun 24 11:06:06 mach3.hviaene.thuis systemd[1]: Started httpd.service.
> [root@mach3 ~]# systemctl restart tomcat.service
> [root@mach3 ~]# systemctl -l status tomcat.service
> ● tomcat.service - Apache Tomcat Web Application Container
>      Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled;
> preset: disabled)
>      Active: active (running) since Tue 2025-06-24 11:06:47 CEST; 29s ago
>    Main PID: 52875 (java)
>       Tasks: 37 (limit: 8806)
>      Memory: 197.5M
>         CPU: 33.168s
>      CGroup: /system.slice/tomcat.service
>              └─52875 /usr/lib/jvm/jre/bin/java
> -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.
> BasicDataSourceFactory -classpath /usr/share/tomcat/bi>
> 
> Jun 24 11:07:09 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:09.416
> INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR
> was s>
> Jun 24 11:07:09 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:09.455
> INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory
> Deployment of>
> Jun 24 11:07:09 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:09.460
> INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying
> web>
> Jun 24 11:07:10 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:10.931
> INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR
> was s>
> Jun 24 11:07:10 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:10.953
> INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory
> Deployment of>
> Jun 24 11:07:10 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:10.966
> INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying
> web>
> Jun 24 11:07:12 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:12.888
> INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one JAR
> was s>
> Jun 24 11:07:12 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:12.910
> INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory
> Deployment of>
> Jun 24 11:07:12 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:12.965
> INFO [main] org.apache.coyote.AbstractProtocol.start Starting
> ProtocolHandler [">
> Jun 24 11:07:13 mach3.hviaene.thuis server[52875]: 24-Jun-2025 11:07:13.121
> INFO [main] org.apache.catalina.startup.Catalina.start Server startup in
> [14565]>
> 
> 
> Then I could connect to http://localhost:8080 to exercise the manager app and display the samples.
> Good to go.

Thank you for your test

CC: (none) => andrewsfarm

Comment 5 Thomas Andrews 2025-06-25 01:02:53 CEST
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 6 Mageia Robot 2025-06-25 07:32:46 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2025-0191.html

Status: ASSIGNED => RESOLVED
Resolution: (none) => FIXED

