Description
ELSA-2025-7497: tomcat security update (MODERATE)
[1:10.1.36-1]
- Rebase tomcat to 10.1.36
- Resolves: RHEL-82925 tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)
- Resolves: RHEL-87272 tomcat: DoS in examples web application (CVE-2024-54677)
- Resolves: RHEL-87273 tomcat: Authentication bypass when using Jakarta Authentication API (CVE-2024-52316)
- Resolves: RHEL-85343 - NoClassDefFoundError when using migration tool
Updated packages
Oracle Linux 10
Oracle Linux aarch64
tomcat 10.1.36-1.el10_0
tomcat-admin-webapps 10.1.36-1.el10_0
tomcat-docs-webapp 10.1.36-1.el10_0
tomcat-el-5.0-api 10.1.36-1.el10_0
tomcat-jsp-3.1-api 10.1.36-1.el10_0
tomcat-lib 10.1.36-1.el10_0
tomcat-servlet-6.0-api 10.1.36-1.el10_0
tomcat-webapps 10.1.36-1.el10_0
Oracle Linux x86_64
tomcat 10.1.36-1.el10_0
tomcat-admin-webapps 10.1.36-1.el10_0
tomcat-docs-webapp 10.1.36-1.el10_0
tomcat-el-5.0-api 10.1.36-1.el10_0
tomcat-jsp-3.1-api 10.1.36-1.el10_0
tomcat-lib 10.1.36-1.el10_0
tomcat-servlet-6.0-api 10.1.36-1.el10_0
tomcat-webapps 10.1.36-1.el10_0
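A practitioner reading this advisory wants a reliable answer to "is the tomcat on this host at or above 1:10.1.36-1.el10_0?" without eyeballing rpm output, and a way to map an upstream Tomcat version onto the CVE-2024-52316 affected ranges quoted below. The following is an added example written for this page, not Oracle or Apache tooling. It reimplements rpm's version-segment ordering (rpmvercmp: numeric vs alphabetic segments, tilde pre-releases, caret) in pure Python so it runs offline; the fix level is taken from the changelog header [1:10.1.36-1] and the package list above, the per-branch upstream fixed versions from the CVE-2024-52316 text, and the NEVR strings used in the fallback and tests are constructed, not captured output. The `rpm -q --qf` query is the one used to read the installed epoch:version-release on a real host.

```python
"""Check an installed tomcat RPM against the ELSA-2025-7497 fix level.

Added example for this advisory page (not Oracle's own tooling). Pure-Python
reimplementation of rpm's rpmvercmp ordering so it runs without librpm.
Real usage:  rpm -q --qf '%{EPOCH}:%{VERSION}-%{RELEASE}\n' tomcat
"""
import re
import subprocess
from typing import Optional, Tuple

# Fix level from the advisory: epoch 1 from the changelog header [1:10.1.36-1],
# version-release from the package list.
FIXED_EVR = "1:10.1.36-1.el10_0"

# Upstream fixed versions per branch, as stated in the CVE-2024-52316 description.
CVE_2024_52316_FIXED = {"9.0": "9.0.96", "10.1": "10.1.31", "11.0": "11.0.0"}

_SEG = re.compile(r"\d+|[A-Za-z]+|~|\^")


def rpmvercmp(a: str, b: str) -> int:
    """Compare two rpm version/release strings: -1, 0 or 1 (a <, =, > b).

    Segments are runs of digits or letters; digits compare numerically,
    letters lexically, and a numeric segment beats an alphabetic one.
    '~' sorts before anything, even the end of the string (pre-release);
    '^' sorts after the end of the string but before any other segment.
    """
    if a == b:
        return 0
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    i = 0
    while True:
        ta = sa[i] if i < len(sa) else None
        tb = sb[i] if i < len(sb) else None
        if ta is None and tb is None:
            return 0
        if ta == "~" or tb == "~":
            if ta != "~":
                return 1
            if tb != "~":
                return -1
        elif ta == "^" or tb == "^":
            if ta is None:
                return -1
            if tb is None:
                return 1
            if ta != "^":
                return 1
            if tb != "^":
                return -1
        elif ta is None:
            return -1
        elif tb is None:
            return 1
        else:
            if ta.isdigit() and tb.isdigit():
                c = (int(ta) > int(tb)) - (int(ta) < int(tb))
            elif ta.isdigit():
                c = 1
            elif tb.isdigit():
                c = -1
            else:
                c = (ta > tb) - (ta < tb)
            if c:
                return c
        i += 1


def parse_evr(evr: str) -> Tuple[int, str, str]:
    """Split 'epoch:version-release'; an absent or '(none)' epoch means 0."""
    epoch = 0
    if ":" in evr:
        e, evr = evr.split(":", 1)
        epoch = 0 if e in ("", "(none)") else int(e)
    if "-" in evr:
        version, release = evr.rsplit("-", 1)
    else:
        version, release = evr, ""
    return epoch, version, release


def evrcmp(a: str, b: str) -> int:
    """Epoch dominates, then version, then release (rpm semantics)."""
    ea, va, ra = parse_evr(a)
    eb, vb, rb = parse_evr(b)
    if ea != eb:
        return 1 if ea > eb else -1
    c = rpmvercmp(va, vb)
    if c or not (ra and rb):
        return c
    return rpmvercmp(ra, rb)


def needs_update(installed_evr: str, fixed_evr: str = FIXED_EVR) -> bool:
    """True when the installed tomcat is older than the advisory's fix level."""
    return evrcmp(installed_evr, fixed_evr) < 0


def upstream_to_rpm(version: str) -> str:
    """'11.0.0-M26' -> '11.0.0~M26': milestones are pre-releases in rpm ordering."""
    return version.replace("-M", "~M")


def affected_by_cve_2024_52316(upstream_version: str) -> Optional[bool]:
    """Apply the three affected ranges from the CVE text; None for other branches."""
    v = upstream_to_rpm(upstream_version)
    branch = ".".join(v.split(".")[:2])
    fixed = CVE_2024_52316_FIXED.get(branch)
    if fixed is None:
        return None
    return rpmvercmp(v, fixed) < 0


def installed_tomcat_evr() -> Optional[str]:
    """Query rpm on the local host; None when rpm is unavailable or tomcat is absent."""
    try:
        out = subprocess.run(
            ["rpm", "-q", "--qf", "%{EPOCH}:%{VERSION}-%{RELEASE}\n", "tomcat"],
            capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return out.stdout.strip() if out.returncode == 0 else None


if __name__ == "__main__":
    # Constructed fallback so the script demonstrates the check off an Oracle Linux host.
    evr = installed_tomcat_evr() or "1:10.1.30-1.el10_0"
    print(evr, "needs ELSA-2025-7497" if needs_update(evr) else "at or above fix level")
```

The epoch matters: a rebuilt package shipped without epoch 1 compares as older than 1:10.1.36-1.el10_0 regardless of its version string, which is exactly what rpm would do on upgrade, so the check reports it as needing the update rather than silently passing.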
Related CVEs
Related vulnerabilities
CVE-2024-52316: Unchecked Error Condition vulnerability in Apache Tomcat. If Tomcat is configured to use a custom Jakarta Authentication (formerly JASPIC) ServerAuthContext component which may throw an exception during the authentication process without explicitly setting an HTTP status to indicate failure, the authentication may not fail, allowing the user to bypass the authentication process. There are no known Jakarta Authentication components that behave in this way. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M26, from 10.1.0-M1 through 10.1.30, from 9.0.0-M1 through 9.0.95. Users are recommended to upgrade to version 11.0.0, 10.1.31 or 9.0.96, which fix the issue.