ELA-1771-1 tomcat9 security update

denial of service

2026-07-12
Packagetomcat9
Version9.0.118-0+deb10u1 (buster)
Related CVEs CVE-2026-24880 CVE-2026-25854 CVE-2026-29129 CVE-2026-29145 CVE-2026-29146 CVE-2026-32990 CVE-2026-34483 CVE-2026-34487 CVE-2026-34500 CVE-2026-41284 CVE-2026-41293 CVE-2026-42498 CVE-2026-43512 CVE-2026-43513 CVE-2026-43514 CVE-2026-43515


Multiple security vulnerabilities have been discovered in Tomcat 9, a Java based web server, servlet and JSP engine which may result in a denial of service, authentication bypass or the disclosure of sensitive information.

In order to address certain vulnerabilities and restore the compatibility with Tomcat 9, an upgrade of the Tomcat native library, libtcnative-1, was required as well.

Although we are not aware of any problems, new upstream versions may introduce new options, limits or code changes which may or may not affect your existing web applications. We recommend to consult the Tomcat 9 documentation for further information.



For Debian 10 buster, these problems have been fixed in version 9.0.118-0+deb10u1.

We recommend that you upgrade your tomcat9 packages.

Further information about Extended LTS security advisories can be found in the dedicated section of our website.