Bug 35341 - tomcat new security issues CVE-2026-24880, CVE-2026-25854, CVE-2026-29129, CVE-2026-29145, CVE-2026-29146, CVE-2026-32990, CVE-2026-34483, CVE-2026-34486, CVE-2026-34487, CVE-2026-34500
Summary: tomcat new security issues CVE-2026-24880, CVE-2026-25854, CVE-2026-29129, CV...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-04-10 09:04 CEST by Nicolas Salguero
Modified: 2026-04-12 07:24 CEST

See Also:
Source RPM: tomcat-9.0.115-1.mga9.src.rpm
CVE: CVE-2026-24880, CVE-2026-25854, CVE-2026-29129, CVE-2026-29145, CVE-2026-29146, CVE-2026-32990, CVE-2026-34483, CVE-2026-34486, CVE-2026-34487, CVE-2026-34500
Status comment:
herman.viaene: test_passed_mga9_64+



Nicolas Salguero 2026-04-10 09:05:00 CEST

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2026-24880, CVE-2026-25854, CVE-2026-29129, CVE-2026-29145, CVE-2026-29146, CVE-2026-32990, CVE-2026-34483, CVE-2026-34486, CVE-2026-34487, CVE-2026-34500
Source RPM: (none) => tomcat-9.0.115-1.mga10.src.rpm, tomcat-9.0.115-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 9.0.117
Flags: (none) => affects_mga9+

Comment 1 Nicolas Salguero 2026-04-10 10:26:51 CEST
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Request smuggling via invalid chunk extension. (CVE-2026-24880)

Occasionally open redirect. (CVE-2026-25854)

TLS cipher order is not preserved. (CVE-2026-29129)

OCSP checks sometimes soft-fail even when soft-fail is disabled. (CVE-2026-29145)

EncryptInterceptor vulnerable to padding oracle attack by default. (CVE-2026-29146)

Fix for CVE-2025-66614 is incomplete. (CVE-2026-32990)

Incomplete escaping of JSON access logs. (CVE-2026-34483)

Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor. (CVE-2026-34486)

Cloud membership for clustering component exposed the Kubernetes bearer token. (CVE-2026-34487)

OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled. (CVE-2026-34500)

References:
https://www.openwall.com/lists/oss-security/2026/04/09/20
https://www.openwall.com/lists/oss-security/2026/04/09/21
https://www.openwall.com/lists/oss-security/2026/04/09/22
https://www.openwall.com/lists/oss-security/2026/04/09/23
https://www.openwall.com/lists/oss-security/2026/04/09/24
https://www.openwall.com/lists/oss-security/2026/04/09/25
https://www.openwall.com/lists/oss-security/2026/04/09/26
https://www.openwall.com/lists/oss-security/2026/04/09/27
https://www.openwall.com/lists/oss-security/2026/04/09/28
https://www.openwall.com/lists/oss-security/2026/04/09/29
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.117-1.mga9
tomcat-admin-webapps-9.0.117-1.mga9
tomcat-docs-webapp-9.0.117-1.mga9
tomcat-el-3.0-api-9.0.117-1.mga9
tomcat-jsp-2.3-api-9.0.117-1.mga9
tomcat-lib-9.0.117-1.mga9
tomcat-servlet-4.0-api-9.0.117-1.mga9
tomcat-webapps-9.0.117-1.mga9

from SRPM:
tomcat-9.0.117-1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Flags: affects_mga9+ => (none)
Status: NEW => ASSIGNED
Assignee: bugsquad => qa-bugs
Source RPM: tomcat-9.0.115-1.mga10.src.rpm, tomcat-9.0.115-1.mga9.src.rpm => tomcat-9.0.115-1.mga9.src.rpm
Status comment: Fixed upstream in 9.0.117 => (none)

Comment 2 Herman Viaene 2026-04-10 14:45:10 CEST
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34231 for testing.
Copied following lines to /etc/tomcat/tomcat-users.xml from /etc/tomcat/tomcat-users.xml.rpmsave before the end line:
<user name="tester9" password="tester" roles="manager-gui" />
I had sample.war from previous updates.

# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Fri 2026-04-10 14:31:52 CEST; 43s ago
   Main PID: 4933 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 13 (limit: 8728)
     Memory: 102.3M
        CPU: 2.030s
     CGroup: /system.slice/httpd.service
             ├─4933 /usr/sbin/httpd -DFOREGROUND
             ├─4934 /usr/libexec/nss_pcache 0 off
             ├─4940 /usr/sbin/httpd -DFOREGROUND
             ├─4942 /usr/sbin/httpd -DFOREGROUND
             ├─4944 /usr/sbin/httpd -DFOREGROUND
             ├─4946 /usr/sbin/httpd -DFOREGROUND
             └─4948 /usr/sbin/httpd -DFOREGROUND

Apr 10 14:31:48 mach3.hviaene.thuis systemd[1]: Starting httpd.service...
Apr 10 14:31:52 mach3.hviaene.thuis systemd[1]: Started httpd.service.
# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Fri 2026-04-10 14:33:08 CEST; 20s ago
   Main PID: 5035 (java)
      Tasks: 23 (limit: 8728)
     Memory: 194.7M
        CPU: 26.391s
     CGroup: /system.slice/tomcat.service
             └─5035 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/to>

Then I could connect to http://localhost:8080 to exercise the manager app, used that to declare the location of the sample.war file, and connected to http://localhost:8080/sample to display the samples.
OK for me.

Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK
CC: (none) => herman.viaene
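A check a reader of this report would want on their own hosts, added here and not part of the bug report or of Mageia's tooling: a POSIX shell script that queries rpm for the tomcat sub-packages listed in comment 1 and reports any still below the fixed 9.0.117 build. Which sub-packages to query and the tomcat.service reminder are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not from the bug report: confirm a Mageia 9 host carries the
# fixed tomcat build from this update (upstream 9.0.117) rather than the
# vulnerable 9.0.115 named in the Source RPM field. Package names and the
# name-version-release form of 'rpm -q' output are as shown in the report;
# the set of sub-packages checked is this script's assumption.

FIXED_VER=9.0.117   # upstream version that fixes the ten CVEs in this report

# ver_ge A B: succeed when dotted version A >= B, comparing each numeric
# component in turn (Tomcat 9.x version strings are purely numeric).
ver_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}                        # leading component
        if [ "$ai" = "$a" ]; then a=; else a=${a#*.}; fi  # consume it
        if [ "$bi" = "$b" ]; then b=; else b=${b#*.}; fi
        [ "${ai:-0}" -gt "${bi:-0}" ] && return 0
        [ "${ai:-0}" -lt "${bi:-0}" ] && return 1
    done
    return 0                                            # all equal
}

# rpm_ver NEVR: upstream version from a package string, e.g.
# tomcat-el-3.0-api-9.0.115-1.mga9 -> 9.0.115 (release is the last '-' field)
rpm_ver() {
    v=${1%-*}                  # strip the "-1.mga9" release
    echo "${v##*-}"            # keep what follows the last remaining '-'
}

# pkg_fixed NEVR: succeed when the package string is at or above FIXED_VER
pkg_fixed() { ver_ge "$(rpm_ver "$1")" "$FIXED_VER"; }

# check_host: query rpm for the sub-packages this update ships and report any
# still below the fixed version; returns 1 if a vulnerable build remains.
check_host() {
    rc=0
    for p in tomcat tomcat-lib tomcat-admin-webapps tomcat-webapps; do
        nevr=$(rpm -q "$p" 2>/dev/null) || { echo "$p: not installed"; continue; }
        if pkg_fixed "$nevr"; then echo "$nevr: fixed"
        else echo "$nevr: still vulnerable, update to $FIXED_VER"; rc=1; fi
    done
    # a running JVM keeps the old jars loaded until tomcat.service restarts
    [ "$rc" -eq 0 ] && systemctl is-active --quiet tomcat.service 2>/dev/null \
        && echo "tomcat.service is active: restart it if it predates the update"
    return "$rc"
}

check_host
```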

Comment 3 Thomas Andrews 2026-04-11 23:50:36 CEST
Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => validated_update

katnatek 2026-04-12 02:57:52 CEST

Keywords: (none) => advisory

Comment 4 Mageia Robot 2026-04-12 07:24:15 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0095.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED