tomcat-9.0.104-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:15048-1 Final 1 1 2025-05-02T00:00:00Z current 2025-05-02T00:00:00Z 2025-05-02T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z tomcat-9.0.104-1.1 on GA media These are all security issues fixed in the tomcat-9.0.104-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-15048 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-31650/ SUSE CVE CVE-2025-31650 page https://www.suse.com/security/cve/CVE-2025-31651/ SUSE CVE CVE-2025-31651 page openSUSE Tumbleweed tomcat-9.0.104-1.1 tomcat-admin-webapps-9.0.104-1.1 tomcat-docs-webapp-9.0.104-1.1 tomcat-el-3_0-api-9.0.104-1.1 tomcat-embed-9.0.104-1.1 tomcat-javadoc-9.0.104-1.1 tomcat-jsp-2_3-api-9.0.104-1.1 tomcat-jsvc-9.0.104-1.1 tomcat-lib-9.0.104-1.1 tomcat-servlet-4_0-api-9.0.104-1.1 tomcat-webapps-9.0.104-1.1 tomcat-9.0.104-1.1 as a component of openSUSE Tumbleweed tomcat-admin-webapps-9.0.104-1.1 as a component of openSUSE Tumbleweed tomcat-docs-webapp-9.0.104-1.1 as a component of openSUSE Tumbleweed tomcat-el-3_0-api-9.0.104-1.1 as a component of openSUSE Tumbleweed tomcat-embed-9.0.104-1.1 as a component of openSUSE Tumbleweed tomcat-javadoc-9.0.104-1.1 as a component of openSUSE Tumbleweed tomcat-jsp-2_3-api-9.0.104-1.1 as a component of openSUSE Tumbleweed tomcat-jsvc-9.0.104-1.1 as a component of openSUSE Tumbleweed tomcat-lib-9.0.104-1.1 as a component of openSUSE Tumbleweed tomcat-servlet-4_0-api-9.0.104-1.1 as a component of openSUSE Tumbleweed tomcat-webapps-9.0.104-1.1 as a component of openSUSE Tumbleweed Improper Input Validation vulnerability in Apache Tomcat. Incorrect error handling for some invalid HTTP priority headers resulted in incomplete clean-up of the failed request which created a memory leak. A large number of such requests could trigger an OutOfMemoryException resulting in a denial of service. This issue affects Apache Tomcat: from 9.0.76 through 9.0.102, from 10.1.10 through 10.1.39, from 11.0.0-M2 through 11.0.5. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.90 though 8.5.100. Users are recommended to upgrade to version 9.0.104, 10.1.40 or 11.0.6 which fix the issue. CVE-2025-31650 openSUSE Tumbleweed:tomcat-9.0.104-1.1 openSUSE Tumbleweed:tomcat-admin-webapps-9.0.104-1.1 openSUSE Tumbleweed:tomcat-docs-webapp-9.0.104-1.1 openSUSE Tumbleweed:tomcat-el-3_0-api-9.0.104-1.1 openSUSE Tumbleweed:tomcat-embed-9.0.104-1.1 openSUSE Tumbleweed:tomcat-javadoc-9.0.104-1.1 openSUSE Tumbleweed:tomcat-jsp-2_3-api-9.0.104-1.1 openSUSE Tumbleweed:tomcat-jsvc-9.0.104-1.1 openSUSE Tumbleweed:tomcat-lib-9.0.104-1.1 openSUSE Tumbleweed:tomcat-servlet-4_0-api-9.0.104-1.1 openSUSE Tumbleweed:tomcat-webapps-9.0.104-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-31650.html CVE-2025-31650 https://bugzilla.suse.com/1242008 SUSE Bug 1242008 Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely rewrite rule configurations, it was possible for a specially crafted request to bypass some rewrite rules. If those rewrite rules effectively enforced security constraints, those constraints could be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.5, from 10.1.0-M1 through 10.1.39, from 9.0.0.M1 through 9.0.102. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 though 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue. CVE-2025-31651 openSUSE Tumbleweed:tomcat-9.0.104-1.1 openSUSE Tumbleweed:tomcat-admin-webapps-9.0.104-1.1 openSUSE Tumbleweed:tomcat-docs-webapp-9.0.104-1.1 openSUSE Tumbleweed:tomcat-el-3_0-api-9.0.104-1.1 openSUSE Tumbleweed:tomcat-embed-9.0.104-1.1 openSUSE Tumbleweed:tomcat-javadoc-9.0.104-1.1 openSUSE Tumbleweed:tomcat-jsp-2_3-api-9.0.104-1.1 openSUSE Tumbleweed:tomcat-jsvc-9.0.104-1.1 openSUSE Tumbleweed:tomcat-lib-9.0.104-1.1 openSUSE Tumbleweed:tomcat-servlet-4_0-api-9.0.104-1.1 openSUSE Tumbleweed:tomcat-webapps-9.0.104-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-31651.html CVE-2025-31651 https://bugzilla.suse.com/1242009 SUSE Bug 1242009