SUSE-SU-2025:02261-1

Source
https://www.suse.com/support/update/announcement/2025/suse-su-202502261-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2025:02261-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2025:02261-1
Upstream
Related
Published
2025-07-09T17:40:32Z
Modified
2025-07-10T16:59:45.612761Z
Summary
Security update for tomcat10
Details

This update for tomcat10 fixes the following issues:

  • Fixed: the CGI servlet was refactored to access resources via WebResources (bsc#1243815).
  • Fixed: the total number of parts in a multi-part request and the size of the headers provided with each part are now limited (bsc#1244656).
  • Fixed: the path checks for webAppMount were expanded (bsc#1244649).
  • Hardened permissions (bsc#1242722).

Update to Tomcat 10.1.42:

  • Fixed CVEs:

    • CVE-2025-46701: CGI servlet refactored to access resources via WebResources (bsc#1243815)
    • CVE-2025-48988: limit the total number of parts in a multi-part request and the size of the headers provided with each part (bsc#1244656)
    • CVE-2025-49125: expanded checks for webAppMount (bsc#1244649)
  • Catalina:

    • Add: Support for the java:module namespace which mirrors the java:comp namespace.
    • Add: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp.
    • Add: Support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters.
    • Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite.
    • Add: #863: Support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp.
    • Fix: 69706: Saved request serialization issue in FORM introduced when allowing infinite session timeouts.
    • Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application.
    • Fix: Use of SSS in SimpleDateFormat pattern for AccessLogValve.
    • Fix: Process possible path parameters rewrite production in the rewrite valve.
    • Fix: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources.
    • Add: 69633: Support for Filters using context root mappings.
    • Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier.
    • Fix: #843: Off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp.
    • Refactor: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer.
    • Refactor: CGI servlet to access resources via the WebResource API.
    • Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith.
    • Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts.
    • Add: Provide a content type based on file extension when web application resources are accessed via a URL.
  • Coyote

    • Refactor: #861: TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida.
    • Add: Finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve.
    • Refactor: The SavedRequestInputFilter so the buffered data is used directly rather than copied.
  • Jasper:

    • Fix: 69696: Mark the JSP wrapper for reload after a failed compilation.
    • Fix: 69635: Add support to jakarta.el.ImportHandler for resolving inner classes.
    • Add: #842: Support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations.
    • Fix: An edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635.
  • Web applications:

    • Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails.
    • Add: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram.
  • Other:

    • Add: Thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang.
    • Update: Tomcat Native to 2.0.9.
    • Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05).
    • Update: EasyMock to 5.6.0.
    • Update: Checkstyle to 10.25.0.
    • Fix: Use the full path when the installer for Windows calls icacls.exe to set file permissions.
    • Update: Improvements to Japanese translations provided by tak7iji.
    • Fix: Set sun.io.useCanonCaches in service.bat. Based on pull request #841 by Paul Lodge.
    • Update: Jacoco to 0.8.13.
    • Code: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds.
    • Update: Byte Buddy to 1.17.5.
    • Update: Checkstyle to 10.23.1.
    • Update: File extension to media type mappings to align with the current list used by the Apache Web Server (httpd).
    • Update: Improvements to French translations.
    • Update: Improvements to Japanese translations provided by tak7iji.
References

Affected packages

SUSE:Linux Enterprise Module for Web and Scripting 15 SP6 / tomcat10

Package

Name
tomcat10
Purl
pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.42-150200.5.45.1

Ecosystem specific

{
    "binaries": [
        {
            "tomcat10-webapps": "10.1.42-150200.5.45.1",
            "tomcat10-el-5_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-servlet-6_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-jsp-3_1-api": "10.1.42-150200.5.45.1",
            "tomcat10-lib": "10.1.42-150200.5.45.1",
            "tomcat10-admin-webapps": "10.1.42-150200.5.45.1",
            "tomcat10": "10.1.42-150200.5.45.1"
        }
    ]
}

SUSE:Linux Enterprise Module for Web and Scripting 15 SP7 / tomcat10

Package

Name
tomcat10
Purl
pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.42-150200.5.45.1

Ecosystem specific

{
    "binaries": [
        {
            "tomcat10-webapps": "10.1.42-150200.5.45.1",
            "tomcat10-el-5_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-servlet-6_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-jsp-3_1-api": "10.1.42-150200.5.45.1",
            "tomcat10-lib": "10.1.42-150200.5.45.1",
            "tomcat10-admin-webapps": "10.1.42-150200.5.45.1",
            "tomcat10": "10.1.42-150200.5.45.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP5-ESPOS / tomcat10

Package

Name
tomcat10
Purl
pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.42-150200.5.45.1

Ecosystem specific

{
    "binaries": [
        {
            "tomcat10-webapps": "10.1.42-150200.5.45.1",
            "tomcat10-el-5_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-servlet-6_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-jsp-3_1-api": "10.1.42-150200.5.45.1",
            "tomcat10-lib": "10.1.42-150200.5.45.1",
            "tomcat10-admin-webapps": "10.1.42-150200.5.45.1",
            "tomcat10": "10.1.42-150200.5.45.1"
        }
    ]
}

SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSS / tomcat10

Package

Name
tomcat10
Purl
pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.42-150200.5.45.1

Ecosystem specific

{
    "binaries": [
        {
            "tomcat10-webapps": "10.1.42-150200.5.45.1",
            "tomcat10-el-5_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-servlet-6_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-jsp-3_1-api": "10.1.42-150200.5.45.1",
            "tomcat10-lib": "10.1.42-150200.5.45.1",
            "tomcat10-admin-webapps": "10.1.42-150200.5.45.1",
            "tomcat10": "10.1.42-150200.5.45.1"
        }
    ]
}

SUSE:Linux Enterprise Server 15 SP5-LTSS / tomcat10

Package

Name
tomcat10
Purl
pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.42-150200.5.45.1

Ecosystem specific

{
    "binaries": [
        {
            "tomcat10-webapps": "10.1.42-150200.5.45.1",
            "tomcat10-el-5_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-servlet-6_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-jsp-3_1-api": "10.1.42-150200.5.45.1",
            "tomcat10-lib": "10.1.42-150200.5.45.1",
            "tomcat10-admin-webapps": "10.1.42-150200.5.45.1",
            "tomcat10": "10.1.42-150200.5.45.1"
        }
    ]
}

SUSE:Linux Enterprise Server for SAP Applications 15 SP5 / tomcat10

Package

Name
tomcat10
Purl
pkg:rpm/suse/tomcat10&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.42-150200.5.45.1

Ecosystem specific

{
    "binaries": [
        {
            "tomcat10-webapps": "10.1.42-150200.5.45.1",
            "tomcat10-el-5_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-servlet-6_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-jsp-3_1-api": "10.1.42-150200.5.45.1",
            "tomcat10-lib": "10.1.42-150200.5.45.1",
            "tomcat10-admin-webapps": "10.1.42-150200.5.45.1",
            "tomcat10": "10.1.42-150200.5.45.1"
        }
    ]
}

openSUSE:Leap 15.6 / tomcat10

Package

Name
tomcat10
Purl
pkg:rpm/opensuse/tomcat10&distro=openSUSE%20Leap%2015.6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
10.1.42-150200.5.45.1

Ecosystem specific

{
    "binaries": [
        {
            "tomcat10": "10.1.42-150200.5.45.1",
            "tomcat10-el-5_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-docs-webapp": "10.1.42-150200.5.45.1",
            "tomcat10-servlet-6_0-api": "10.1.42-150200.5.45.1",
            "tomcat10-doc": "10.1.42-150200.5.45.1",
            "tomcat10-embed": "10.1.42-150200.5.45.1",
            "tomcat10-webapps": "10.1.42-150200.5.45.1",
            "tomcat10-jsp-3_1-api": "10.1.42-150200.5.45.1",
            "tomcat10-lib": "10.1.42-150200.5.45.1",
            "tomcat10-admin-webapps": "10.1.42-150200.5.45.1",
            "tomcat10-jsvc": "10.1.42-150200.5.45.1"
        }
    ]
}