SUSE-SU-2026:1604-1

See a problem?
Please try reporting it to the source first.
Source
https://www.suse.com/support/update/announcement/2026/suse-su-20261604-1/
Import Source
https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json
JSON Data
https://api.test.osv.dev/v1/vulns/SUSE-SU-2026:1604-1
Upstream
  • CVE-2025-66614
Related
Published
2026-04-24T11:48:42Z
Modified
2026-04-25T07:45:56.699281Z
Summary
Security update for tomcat
Details

This update for tomcat fixes the following issues:

Security fixes:

  • CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850).
  • CVE-2026-25854: Occasionally open redirect (bsc#1261851).
  • CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852).
  • CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853).
  • CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854).
  • CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855).
  • CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token (bsc#1261856).
  • CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857).
  • CVE-2026-32990: The fix for CVE-2025-66614 was incomplete, so this CVE completes it (bsc#1258371).

Other fixes:

  • Update to Tomcat 9.0.117
References

Affected packages

SUSE:Linux Enterprise High Performance Computing 15 SP4-ESPOS
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-ESPOS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"
SUSE:Linux Enterprise High Performance Computing 15 SP4-LTSS
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"
SUSE:Linux Enterprise High Performance Computing 15 SP5-ESPOS
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-ESPOS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"
SUSE:Linux Enterprise High Performance Computing 15 SP5-LTSS
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"
SUSE:Linux Enterprise Module for Web and Scripting 15 SP7
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Web%20and%20Scripting%2015%20SP7

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"
SUSE:Linux Enterprise Server 15 SP4-LTSS
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP4-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"
SUSE:Linux Enterprise Server 15 SP5-LTSS
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP5-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"
SUSE:Linux Enterprise Server 15 SP6-LTSS
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP6-LTSS

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"
SUSE:Linux Enterprise Server for SAP Applications 15 SP4
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP4

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"
SUSE:Linux Enterprise Server for SAP Applications 15 SP5
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP5

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"
SUSE:Linux Enterprise Server for SAP Applications 15 SP6
tomcat

Package

Name
tomcat
Purl
pkg:rpm/suse/tomcat&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP6

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
9.0.117-150200.105.1

Ecosystem specific 

{
    "binaries": [
        {
            "tomcat": "9.0.117-150200.105.1",
            "tomcat-el-3_0-api": "9.0.117-150200.105.1",
            "tomcat-admin-webapps": "9.0.117-150200.105.1",
            "tomcat-jsp-2_3-api": "9.0.117-150200.105.1",
            "tomcat-lib": "9.0.117-150200.105.1",
            "tomcat-servlet-4_0-api": "9.0.117-150200.105.1",
            "tomcat-webapps": "9.0.117-150200.105.1"
        }
    ]
}

Database specific

source 
"https://ftp.suse.com/pub/projects/security/osv/SUSE-SU-2026:1604-1.json"