| Package | tomcat9 |
|---|---|
| Version | 9.0.107-0+deb10u3 (buster) |
| Related CVEs | CVE-2025-55752 CVE-2025-55754 CVE-2025-61795 |

Several security vulnerabilities have been found in Tomcat 9, a Java web server and servlet engine. The update corrects various flaws which can lead to a bypass of security constraints or a denial of service.

The regression update announced as ELA-1615-2 was incomplete. Some class files were still missing from jar files which are part of the libtomcat9-java binary package. In order to remedy this problem the following build-dependencies of tomcat9 have been upgraded to a new upstream release:

- bnd
- osgi-core
- osgi-compendium
- osgi-annotation
- eclipse-jdt-core
- felix-resolver

For Debian 10 buster, these problems have been fixed in version 9.0.107-0+deb10u3.

We recommend that you upgrade your tomcat9 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.