CLSA-2026-1779374454

Import Source
https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1779374454.json
JSON Data
https://api.test.osv.dev/v1/vulns/CLSA-2026-1779374454
Upstream
Published
2026-05-21T14:41:06Z
Modified
2026-06-04T09:46:12.843051132Z
Summary
Fix of 7 CVEs
Details
  • SECURITY UPDATE: multiple security fixes
    • debian/patches/CVE-2026-41284.patch: add a configurable maxRequestBodySize init-param to the WebDAV servlet to bound LOCK/PROPFIND XML request bodies; reject oversized bodies with 413 Request Entity Too Large. Includes the upstream BoundedByteArrayOutputStream helper and associated tests
    • CVE-2026-41284
    • debian/patches/CVE-2026-41293.patch: filter invalid HTTP/2 header names in HpackDecoder / HPackHuffman / Stream / Http2Parser using a new HttpParser.isToken-based check; folds in the upstream follow-up (HttpParser i>32 hex/decimal fix, additional LocalStrings keys, HpackHuffman field-name branch simplification) and ships the new TestHPackHuffman / TestHttp2Section82 tests
    • debian/patches/CVE-2026-41293-tests.patch: adapt TestHttp2Section82 to the 9.0.31 readFrame(boolean) signature
    • CVE-2026-41293
    • debian/patches/CVE-2026-42498.patch: strip Authorization and Proxy-Authorization headers from WebSocket client userProperties after the proxy CONNECT, HTTP redirect, and successful upgrade paths so credentials are not leaked to redirect or proxy targets
    • CVE-2026-42498
    • debian/patches/CVE-2026-43512.patch: fix DIGEST authentication handling of unknown users and users with a null password so they cannot authenticate; adds regression tests to TestDigestAuthenticator
    • CVE-2026-43512
    • debian/patches/CVE-2026-43513.patch: add a caseSensitive attribute to LockOutRealm and route usernames through a null-safe normalizeUsername helper so case-insensitive realms cannot be brute-forced by varying the case of the username; folds in the upstream Coverity NPE follow-up and adds the new TestLockoutRealm JUnit tests
    • CVE-2026-43513
    • debian/patches/CVE-2026-43514.patch: switch the AJP secret comparison in AjpProcessor to a constant-time comparison using the new ConstantTime utility; includes the upstream ByteChunk start-offset follow-up
    • CVE-2026-43514
    • debian/patches/CVE-2026-43515.patch: ensure RealmBase finds all matching extension-based security constraints by moving the match bookkeeping inside the inner extension-pattern loop; adds the upstream TestRealmBase.testUncoveredMethods regression test and a TesterRequest.getRequestPathMB() helper
    • CVE-2026-43515
References

Affected packages

TuxCare:Ubuntu:20.04
libtomcat9-embed-java

Package

Name
libtomcat9-embed-java
Purl
pkg:deb/tuxcare/libtomcat9-embed-java?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.31-1ubuntu0.9+tuxcare.els4

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1779374454.json"
libtomcat9-java

Package

Name
libtomcat9-java
Purl
pkg:deb/tuxcare/libtomcat9-java?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.31-1ubuntu0.9+tuxcare.els4

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1779374454.json"
tomcat9

Package

Name
tomcat9
Purl
pkg:deb/tuxcare/tomcat9?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.31-1ubuntu0.9+tuxcare.els4

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1779374454.json"
tomcat9-admin

Package

Name
tomcat9-admin
Purl
pkg:deb/tuxcare/tomcat9-admin?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.31-1ubuntu0.9+tuxcare.els4

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1779374454.json"
tomcat9-common

Package

Name
tomcat9-common
Purl
pkg:deb/tuxcare/tomcat9-common?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.31-1ubuntu0.9+tuxcare.els4

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1779374454.json"
tomcat9-docs

Package

Name
tomcat9-docs
Purl
pkg:deb/tuxcare/tomcat9-docs?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.31-1ubuntu0.9+tuxcare.els4

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1779374454.json"
tomcat9-examples

Package

Name
tomcat9-examples
Purl
pkg:deb/tuxcare/tomcat9-examples?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.31-1ubuntu0.9+tuxcare.els4

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1779374454.json"
tomcat9-user

Package

Name
tomcat9-user
Purl
pkg:deb/tuxcare/tomcat9-user?distro=ubuntu-20.04

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.31-1ubuntu0.9+tuxcare.els4

Database specific

source
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu20.04els/CLSA-2026-1779374454.json"