CLSA-2026-1779968889

See a problem?
Import Source
https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json
JSON Data
https://api.test.osv.dev/v1/vulns/CLSA-2026-1779968889
Upstream
Published
2026-05-28T14:02:01Z
Modified
2026-06-04T10:05:01.041214218Z
Summary
Fix of 7 CVEs
Details
  • SECURITY UPDATE: Authentication Bypass in digest authentication
    • debian/patches/CVE-2026-43512.patch: reject digest authentication attempts for unknown users in getDigest()
    • CVE-2026-43512
  • SECURITY UPDATE: Account lockout bypass in LockOutRealm via case variation of user names
    • debian/patches/CVE-2026-43513.patch: add a caseSensitive attribute to LockOutRealm and treat user names case-insensitively by default
    • CVE-2026-43513
  • SECURITY UPDATE: Observable timing discrepancy in AJP secret comparison
    • debian/patches/CVE-2026-43514.patch: add ConstantTime helper and switch the AJP secret comparison to a constant time algorithm
    • CVE-2026-43514
  • SECURITY UPDATE: Improper authorisation when multiple method constraints define an HTTP method for the same extension
    • debian/patches/CVE-2026-43515.patch: evaluate findMethod() against every matching SecurityCollection rather than only the last one
    • CVE-2026-43515
  • SECURITY UPDATE: Exposure of HTTP authorisation header to unexpected hosts during WebSocket authentication
    • debian/patches/CVE-2026-42498.patch: drop the cached Authorization header from userProperties before following a WebSocket upgrade redirect so it is not sent to the host named in Location
    • CVE-2026-42498
  • SECURITY UPDATE: HTTP/2 header values were not validated for control characters and other illegal bytes
    • debian/patches/CVE-2026-41293.patch: validate field names and values in HpackDecoder and HPackHuffman using the new HttpParser isFieldVChar / isFieldContent tables
    • CVE-2026-41293
  • SECURITY UPDATE: Allocation of resources without limits in WebDAV LOCK and PROPFIND request bodies
    • debian/patches/CVE-2026-41284.patch: read PROPFIND and LOCK bodies through a new BoundedByteArrayOutputStream limited by the new maxRequestBodySize init parameter (default 4096 bytes)
    • CVE-2026-41284
References

Affected packages

TuxCare:Debian:10
libtomcat9-embed-java

Package

Name
libtomcat9-embed-java
Purl
pkg:deb/tuxcare/libtomcat9-embed-java?distro=debian-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1~deb10u12+tuxcare.els5

Database specific

source 
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"
libtomcat9-java

Package

Name
libtomcat9-java
Purl
pkg:deb/tuxcare/libtomcat9-java?distro=debian-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1~deb10u12+tuxcare.els5

Database specific

source 
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"
tomcat9

Package

Name
tomcat9
Purl
pkg:deb/tuxcare/tomcat9?distro=debian-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1~deb10u12+tuxcare.els5

Database specific

source 
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"
tomcat9-admin

Package

Name
tomcat9-admin
Purl
pkg:deb/tuxcare/tomcat9-admin?distro=debian-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1~deb10u12+tuxcare.els5

Database specific

source 
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"
tomcat9-common

Package

Name
tomcat9-common
Purl
pkg:deb/tuxcare/tomcat9-common?distro=debian-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1~deb10u12+tuxcare.els5

Database specific

source 
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"
tomcat9-docs

Package

Name
tomcat9-docs
Purl
pkg:deb/tuxcare/tomcat9-docs?distro=debian-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1~deb10u12+tuxcare.els5

Database specific

source 
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"
tomcat9-examples

Package

Name
tomcat9-examples
Purl
pkg:deb/tuxcare/tomcat9-examples?distro=debian-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1~deb10u12+tuxcare.els5

Database specific

source 
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"
tomcat9-user

Package

Name
tomcat9-user
Purl
pkg:deb/tuxcare/tomcat9-user?distro=debian-10

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.31-1~deb10u12+tuxcare.els5

Database specific

source 
"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"