openSUSE has issued an advisory on March 9: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G27HXAIMRCGPRM6GBYQX7NUKNQS4RLJ4/ CVE-2025-66614 and CVE-2026-24733 are fixed in version 9.113 so Cauldron is only affected by CVE-2026-24734.
Status comment: (none) => Fixed upstream in 9.115Whiteboard: (none) => MGA9TOOCVE: (none) => CVE-2025-66614, CVE-2026-24733, CVE-2026-24734Flags: (none) => affects_mga9+Source RPM: (none) => tomcat-9.0.113-1.mga10.src.rpm, tomcat-9.0.111-1.mga9.src.rpm
For Cauldron, I asked for a freeze move. Suggested advisory: ======================== The updated packages fix security vulnerabilities: Client certificate verification bypass due to virtual host mapping. (CVE-2025-66614) Security constraint bypass with HTTP/0.9. (CVE-2026-24733) OCSP revocation bypass. (CVE-2026-24734) References: https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/G27HXAIMRCGPRM6GBYQX7NUKNQS4RLJ4/ ======================== Updated packages in core/updates_testing: ======================== tomcat-9.0.115-1.mga9 tomcat-admin-webapps-9.0.115-1.mga9 tomcat-docs-webapp-9.0.115-1.mga9 tomcat-el-3.0-api-9.0.115-1.mga9 tomcat-jsp-2.3-api-9.0.115-1.mga9 tomcat-lib-9.0.115-1.mga9 tomcat-servlet-4.0-api-9.0.115-1.mga9 tomcat-webapps-9.0.115-1.mga9 from SRPM: tomcat-9.0.115-1.mga9.src.rpm
Status comment: Fixed upstream in 9.115 => (none)Source RPM: tomcat-9.0.113-1.mga10.src.rpm, tomcat-9.0.111-1.mga9.src.rpm => tomcat-9.0.111-1.mga9.src.rpmVersion: Cauldron => 9Status: NEW => ASSIGNEDWhiteboard: MGA9TOO => (none)Assignee: bugsquad => qa-bugsFlags: affects_mga9+ => (none)
MGA9-64 server Plasma Wayland on Compaq H000SB No installation issues. Ref bug 34699 for testing. # systemctl start httpd systemctl start httpd # systemctl -l status httpd ● httpd.service - The Apache HTTP Server Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled) Active: active (running) since Wed 2026-03-11 14:23:20 CET; 28s ago Main PID: 5010 (/usr/sbin/httpd) Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec: 0 B/sec" Tasks: 13 (limit: 8805) Memory: 102.1M CPU: 2.019s CGroup: /system.slice/httpd.service ├─5010 /usr/sbin/httpd -DFOREGROUND ├─5012 /usr/libexec/nss_pcache 0 off ├─5017 /usr/sbin/httpd -DFOREGROUND ├─5020 /usr/sbin/httpd -DFOREGROUND ├─5022 /usr/sbin/httpd -DFOREGROUND ├─5024 /usr/sbin/httpd -DFOREGROUND └─5026 /usr/sbin/httpd -DFOREGROUND Mar 11 14:23:16 mach3.hviaene.thuis systemd[1]: Starting httpd.service... Mar 11 14:23:20 mach3.hviaene.thuis systemd[1]: Started httpd.service. # systemctl restart tomcat.service # systemctl -l status tomcat.service ● tomcat.service - Apache Tomcat Web Application Container Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled) Active: active (running) since Wed 2026-03-11 14:24:20 CET; 12s ago Main PID: 5193 (java) Tasks: 23 (limit: 8805) Memory: 112.4M CPU: 14.394s CGroup: /system.slice/tomcat.service └─5193 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/to> Then I could connect to http://localhost:8080 to exercise the the manager app, used that to declare the location of the sample.war file.And connect to http://localhost:8080/sample to display the samples. Getting feedback at the CLI: Mar 11 14:24:26 mach3.hviaene.thuis server[5193]: 11-Mar-2026 14:24:26.364 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Command> Mar 11 14:24:26 mach3.hviaene.thuis server[5193]: 11-Mar-2026 14:24:26.389 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent > Mar 11 14:24:26 mach3.hviaene.thuis server[5193]: 11-Mar-2026 14:24:26.392 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent > Mar 11 14:24:26 mach3.hviaene.thuis server[5193]: 11-Mar-2026 14:24:26.395 INFO [main] org.apache.catalina.core.AprLifecycleListener.lifecycleEvent > Mar 11 14:24:26 mach3.hviaene.thuis server[5193]: 11-Mar-2026 14:24:26.421 INFO [main] org.apache.catalina.core.AprLifecycleListener.initializeSSL O> Mar 11 14:24:30 mach3.hviaene.thuis server[5193]: 11-Mar-2026 14:24:30.560 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing Protocol> Mar 11 14:24:30 mach3.hviaene.thuis server[5193]: 11-Mar-2026 14:24:30.848 INFO [main] org.apache.catalina.startup.Catalina.load Server initializati> Mar 11 14:24:31 mach3.hviaene.thuis server[5193]: 11-Mar-2026 14:24:31.238 INFO [main] org.apache.catalina.core.StandardService.startInternal Starti> Mar 11 14:24:31 mach3.hviaene.thuis server[5193]: 11-Mar-2026 14:24:31.241 INFO [main] org.apache.catalina.core.StandardEngine.startInternal Startin> Mar 11 14:24:31 mach3.hviaene.thuis server[5193]: 11-Mar-2026 14:24:31.433 INFO [main] org.apache.catalina.startup.HostConfig.deployWAR Deploying we> OK for me.
Whiteboard: (none) => MGA9-64-OKFlags: (none) => test_passed_mga9_64+CC: (none) => herman.viaene
Keywords: (none) => advisory
Validating.
Keywords: (none) => validated_updateCC: (none) => andrewsfarm, sysadmin-bugs
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2026-0056.html
Status: ASSIGNED => RESOLVEDResolution: (none) => FIXED