Bug 35523 - tomcat new security issues CVE-2026-41284, CVE-2026-41293, CVE-2026-42498, CVE-2026-4351[2-5]
Summary: tomcat new security issues CVE-2026-41284, CVE-2026-41293, CVE-2026-42498, CV...
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2026-05-12 17:12 CEST by Nicolas Salguero
Modified: 2026-05-15 08:18 CEST (History)
3 users (show)

See Also:
Source RPM: tomcat-9.0.117-1.mga9.src.rpm
CVE: CVE-2026-41284, CVE-2026-41293, CVE-2026-42498, CVE-2026-43512, CVE-2026-43513, CVE-2026-43514, CVE-2026-43515
Status comment:
herman.viaene: test_passed_mga9_64+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Nicolas Salguero 2026-05-12 17:13:28 CEST

Whiteboard: (none) => MGA9TOO
Flags: (none) => affects_mga9+
Status comment: (none) => Fixed upstream in 9.0.118
Source RPM: (none) => tomcat-9.0.117-1.mga10.src.rpm, tomcat-9.0.117-1.mga9.src.rpm
CVE: (none) => CVE-2026-41284, CVE-2026-41293, CVE-2026-42498, CVE-2026-43512, CVE-2026-43513, CVE-2026-43514, CVE-2026-43515

Comment 1 Lewis Smith 2026-05-12 21:47:21 CEST 
Assigning back to you, Nicolas, as you are the only visible packager for tomcat.

Assignee: bugsquad => nicolas.salguero

Comment 3 Nicolas Salguero 2026-05-13 09:15:59 CEST 
For Cauldron, I asked for a freeze move.


Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Unbounded read in WebDAV LOCK and PROPFIND handling. (CVE-2026-41284)

HTTP/2 request headers not validated. (CVE-2026-41293)

WebSocket authentication header exposure. (CVE-2026-42498)

Digest authenticator will authenticate any unknown user. (CVE-2026-43512)

LockOutRealm treats user names as case-sensitive. (CVE-2026-43513)

AJP secret compared in non-constant time. (CVE-2026-43514)

Security constraints not correctly applied. (CVE-2026-43515)

References:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.118
https://www.openwall.com/lists/oss-security/2026/05/12/8
https://www.openwall.com/lists/oss-security/2026/05/12/9
https://www.openwall.com/lists/oss-security/2026/05/12/10
https://www.openwall.com/lists/oss-security/2026/05/12/11
https://www.openwall.com/lists/oss-security/2026/05/12/12
https://www.openwall.com/lists/oss-security/2026/05/12/13
https://www.openwall.com/lists/oss-security/2026/05/12/14
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.118-1.mga9
tomcat-admin-webapps-9.0.118-1.mga9
tomcat-docs-webapp-9.0.118-1.mga9
tomcat-el-3.0-api-9.0.118-1.mga9
tomcat-jsp-2.3-api-9.0.118-1.mga9
tomcat-lib-9.0.118-1.mga9
tomcat-servlet-4.0-api-9.0.118-1.mga9
tomcat-webapps-9.0.118-1.mga9

from SRPM:
tomcat-9.0.118-1.mga9.src.rpm

Whiteboard: MGA9TOO => (none)
Source RPM: tomcat-9.0.117-1.mga10.src.rpm, tomcat-9.0.117-1.mga9.src.rpm => tomcat-9.0.117-1.mga9.src.rpm
Flags: affects_mga9+ => (none)
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 9.0.118 => (none)
Assignee: nicolas.salguero => qa-bugs
Version: Cauldron => 9

katnatek 2026-05-14 01:31:03 CEST

Keywords: (none) => advisory

Comment 4 Herman Viaene 2026-05-14 14:21:22 CEST 
MGA9-64 server Plasma Wayland on Compaq H000SB
No installation issues.
Ref bug 34231 for testing.
Copied following lines to /etc/tomcat/tomcat-users.xml from /etc/tomcat/tomcat-users.xml.rpmsave before the end line:
<user name="tester9" password="tester" roles="manager-gui" />
I had sample.war from previous updates.

# systemctl start httpd
# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Thu 2026-05-14 14:13:14 CEST; 13s ago
   Main PID: 12024 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 13 (limit: 8728)
     Memory: 102.3M
        CPU: 2.195s
     CGroup: /system.slice/httpd.service
             ├─12024 /usr/sbin/httpd -DFOREGROUND
             ├─12026 /usr/libexec/nss_pcache 0 off
             ├─12032 /usr/sbin/httpd -DFOREGROUND
             ├─12034 /usr/sbin/httpd -DFOREGROUND
             ├─12037 /usr/sbin/httpd -DFOREGROUND
             ├─12039 /usr/sbin/httpd -DFOREGROUND
             └─12041 /usr/sbin/httpd -DFOREGROUND

May 14 14:13:10 mach3.hviaene.thuis systemd[1]: Starting httpd.service...
May 14 14:13:14 mach3.hviaene.thuis systemd[1]: Started httpd.service.
# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Thu 2026-05-14 14:13:51 CEST; 15s ago
   Main PID: 12116 (java)
      Tasks: 23 (limit: 8728)
     Memory: 153.7M
        CPU: 19.977s
     CGroup: /system.slice/tomcat.service
             └─12116 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath /usr/share/t>

Then I could connect to http://localhost:8080 to exercise the the manager app, used that to declare the location of the sample.war file.And connect to http://localhost:8080/sample to display the  samples.
OK for me.

CC: (none) => herman.viaene
Flags: (none) => test_passed_mga9_64+
Whiteboard: (none) => MGA9-64-OK

Comment 5 Thomas Andrews 2026-05-15 04:13:07 CEST 
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 6 Mageia Robot 2026-05-15 08:18:02 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2026-0139.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.