-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 6 Jun 2026 13:55:08 CEST
Source: tomcat9
Architecture: source
Version: 9.0.118-0+deb11u1
Distribution: bullseye-security
Urgency: medium
Maintainer: Debian Java Maintainers <pkg-java-maintainers@lists.alioth.debian.org>
Changed-By: Markus Koschany <apo@debian.org>
Checksums-Sha1:
0ecf9ab1862ebe8ff474ed73c1028464c02416c8 3003 tomcat9_9.0.118-0+deb11u1.dsc
a550b33b2b665bb8c3b9df57f830737a17e9ef40 5138368 tomcat9_9.0.118.orig.tar.xz
64ddd6260726bfaf11ab732903b19b4c5e7a7afa 96292 tomcat9_9.0.118-0+deb11u1.debian.tar.xz
d64c0ad1b6a100fb8ae7451e393176e6902e2346 14906 tomcat9_9.0.118-0+deb11u1_amd64.buildinfo
Checksums-Sha256:
5034ba0888a0d8b71cc6ddee5eeb22dfdb12fb650eb8506d971ed4f1594328c0 3003 tomcat9_9.0.118-0+deb11u1.dsc
2aede04858cc909f0bda46afce89ede27ee0d41314d31eea9f02209836f5b6f9 5138368 tomcat9_9.0.118.orig.tar.xz
ed6ba96aeb4fcc2a2a044afbfc23fa83a877fb248db557d45b49d5fbb2d1141c 96292 tomcat9_9.0.118-0+deb11u1.debian.tar.xz
c9c3a70af2f724df754b907a1892dc2547c14abdf9e55ecd638986f19b682563 14906 tomcat9_9.0.118-0+deb11u1_amd64.buildinfo
Changes:
tomcat9 (9.0.118-0+deb11u1) bullseye-security; urgency=medium
.
* Team upload.
* New upstream version 9.0.118.
* Refresh all patches.
* Build-Depend on libbcpkix-java and libbcprov-java to enable tests
with bouncycastle.
* Tighten dependency on tomcat-native.
* Fix CVE-2026-24880, CVE-2026-25854, CVE-2026-29129, CVE-2026-29145,
CVE-2026-29146, CVE-2026-32990, CVE-2026-34483, CVE-2026-34487,
CVE-2026-34500, CVE-2026-41284, CVE-2026-41293, CVE-2026-42498,
CVE-2026-43512, CVE-2026-43513, CVE-2026-43514, CVE-2026-43515.
Several security vulnerabilities have been found in Tomcat 9, a Java
web server and servlet engine.
* CVE-2026-24880: Request smuggling via invalid chunk extension:
Tomcat did not validate contents of HTTP/1.1 chunk extensions. This
enabled a request smuggling attack if a reverse proxy in front of Tomcat
allowed CRLF sequences in an otherwise valid chunk extension.
* CVE-2026-25854: Occasional open redirect
When a Tomcat node in a cluster with the LoadBalancerDrainingValve was in
the disabled (draining) state, a specially crafted URL could be used to
trigger a redirect to a URI of the attacker's choice.
* CVE-2026-29129: Configured TLS cipher preference order not preserved
The addition of the ability to configure TLS 1.3 cipher suites did not
preserve the order of the configured cipher suites and ciphers.
* CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is
disabled
CLIENT_CERT authentication did not fail OCSP checks as expected for some
scenarios when soft fail was disabled.
* CVE-2026-29146: EncryptInterceptor vulnerable to padding oracle attack
by default
The EncryptInterceptor used CBC by default, which is vulnerable to a
padding oracle attack.
* CVE-2026-32990: The fix for CVE-2025-66614 was incomplete.
The validation of SNI name and host name did not take account of possible
differences in case allowing the strict SNI checks to be bypassed.
* CVE-2026-34483: Incomplete escaping of JSON access logs
Incomplete escaping when non-default values were used for the Connector
attributes relaxedPathChars and/or relaxedQueryChars allowed the injection
of arbitrary JSON into the JSON access log.
* CVE-2026-34487: Cloud membership for clustering component exposed the
Kubernetes bearer token
The cloud membership for clustering component exposed the Kubernetes bearer
token in log messages.
* CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when
soft-fail is disabled
* CVE-2026-41284: Allocation of Resources Without Limits or Throttling
* CVE-2026-41293: Improper Input Validation vulnerability
* CVE-2026-42498: Exposure of HTTP Authentication Header to unexpected hosts
during WebSocket authentication
* CVE-2026-43512: Authentication Bypass Issues vulnerability in digest
authentication
* CVE-2026-43513: Improper Handling of Case Sensitivity vulnerability in
LockOutRealm
* CVE-2026-43514: Observable Timing Discrepancy vulnerability when comparing
AJP secret
* CVE-2026-43515: Improper Authorization vulnerability when multiple method
constraints define an HTTP method for the same extension
Files:
b07e4cc429160b27e14d21bd78def330 3003 java optional tomcat9_9.0.118-0+deb11u1.dsc
75db977a74e18efcc702fbcff4238e64 5138368 java optional tomcat9_9.0.118.orig.tar.xz
de484d15d1bfb4a7c5b65e97b3dc650e 96292 java optional tomcat9_9.0.118-0+deb11u1.debian.tar.xz
b4bceef41967695a84fda3242d7ab8df 14906 java optional tomcat9_9.0.118-0+deb11u1_amd64.buildinfo
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----