CVE-2025-52434: https://www.openwall.com/lists/oss-security/2025/07/10/11
CVE-2025-52520: https://www.openwall.com/lists/oss-security/2025/07/10/12
CVE-2025-53506: https://www.openwall.com/lists/oss-security/2025/07/10/13
Source RPM: (none) => tomcat-9.0.106-1.mga10.src.rpm, tomcat-9.0.106-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 9.0.107
CVE: (none) => CVE-2025-52434, CVE-2025-52520, CVE-2025-53506
Whiteboard: (none) => MGA9TOO
Assigning to you, Nicolas, as you did the most recent version/CVE updates.
Assignee: bugsquad => nicolas.salguero
CVE-2025-48989: https://www.openwall.com/lists/oss-security/2025/08/13/2
Summary: tomcat new security issues CVE-2025-52434, CVE-2025-52520, CVE-2025-53506 => tomcat new security issues CVE-2025-52434, CVE-2025-52520, CVE-2025-53506, CVE-2025-48989
CVE: CVE-2025-52434, CVE-2025-52520, CVE-2025-53506 => CVE-2025-52434, CVE-2025-52520, CVE-2025-53506, CVE-2025-48989
Status comment: Fixed upstream in 9.0.107 => Fixed upstream in 9.0.108
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

APR/Native Connector crash leading to DoS. (CVE-2025-52434)
DoS via integer overflow in multipart file upload. (CVE-2025-52520)
DoS via excessive h2 streams at connection start. (CVE-2025-53506)
H2 DoS - Made You Reset. (CVE-2025-48989)

References:
https://www.openwall.com/lists/oss-security/2025/07/10/11
https://www.openwall.com/lists/oss-security/2025/07/10/12
https://www.openwall.com/lists/oss-security/2025/07/10/13
https://www.openwall.com/lists/oss-security/2025/08/13/2
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.108-1.mga9
tomcat-admin-webapps-9.0.108-1.mga9
tomcat-docs-webapp-9.0.108-1.mga9
tomcat-el-3.0-api-9.0.108-1.mga9
tomcat-jsp-2.3-api-9.0.108-1.mga9
tomcat-lib-9.0.108-1.mga9
tomcat-servlet-4.0-api-9.0.108-1.mga9
tomcat-webapps-9.0.108-1.mga9

from SRPM:
tomcat-9.0.108-1.mga9.src.rpm
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
Status comment: Fixed upstream in 9.0.108 => (none)
Status: NEW => ASSIGNED
Source RPM: tomcat-9.0.106-1.mga10.src.rpm, tomcat-9.0.106-1.mga9.src.rpm => tomcat-9.0.106-1.mga9.src.rpm
Assignee: nicolas.salguero => qa-bugs
Keywords: (none) => advisory
Source RPM: tomcat-9.0.106-1.mga9.src.rpm => tomcat-9.0.106-1.mga9
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34231
Made changes to /etc/tomcat/tomcat-users.xml then at cli:

# systemctl start httpd
[root@mach3 ~]# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Mon 2025-09-01 14:38:55 CEST; 21s ago
   Main PID: 22379 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec"
      Tasks: 6 (limit: 8805)
     Memory: 10.2M
        CPU: 441ms
     CGroup: /system.slice/httpd.service
             ├─22379 /usr/sbin/httpd -DFOREGROUND
             ├─22383 /usr/sbin/httpd -DFOREGROUND
             ├─22384 /usr/sbin/httpd -DFOREGROUND
             ├─22385 /usr/sbin/httpd -DFOREGROUND
             ├─22386 /usr/sbin/httpd -DFOREGROUND
             └─22387 /usr/sbin/httpd -DFOREGROUND

Sep 01 14:38:55 mach3.hviaene.thuis systemd[1]: Starting httpd.service...
Sep 01 14:38:55 mach3.hviaene.thuis systemd[1]: Started httpd.service.

# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Mon 2025-09-01 14:39:38 CEST; 23s ago
   Main PID: 22443 (java)
      Tasks: 37 (limit: 8805)
     Memory: 180.0M
        CPU: 30.295s
     CGroup: /system.slice/tomcat.service
             └─22443 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/t>

Sep 01 14:39:57 mach3.hviaene.thuis server[22443]: 01-Sep-2025 14:39:57.084 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one J>
Sep 01 14:39:57 mach3.hviaene.thuis server[22443]: 01-Sep-2025 14:39:57.184 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deplo>
Sep 01 14:39:57 mach3.hviaene.thuis server[22443]: 01-Sep-2025 14:39:57.187 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deplo>
Sep 01 14:39:58 mach3.hviaene.thuis server[22443]: 01-Sep-2025 14:39:58.809 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one J>
Sep 01 14:39:58 mach3.hviaene.thuis server[22443]: 01-Sep-2025 14:39:58.831 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deplo>
Sep 01 14:39:58 mach3.hviaene.thuis server[22443]: 01-Sep-2025 14:39:58.833 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deplo>
Sep 01 14:40:00 mach3.hviaene.thuis server[22443]: 01-Sep-2025 14:40:00.412 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At least one J>
Sep 01 14:40:00 mach3.hviaene.thuis server[22443]: 01-Sep-2025 14:40:00.431 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deplo>
Sep 01 14:40:00 mach3.hviaene.thuis server[22443]: 01-Sep-2025 14:40:00.459 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHa>
Sep 01 14:40:00 mach3.hviaene.thuis server[22443]: 01-Sep-2025 14:40:00.544 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in>

Then I could connect to http://localhost:8080 to exercise the manager app, used it to locate the file sample.war and then http://localhost:8080/sample to display the samples.
OK for me.
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
Validating.
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2025-0223.html
Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED