tomcat-9.0.107-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16502 Final 1 1 2025-08-14T00:00:00Z current 2025-08-14T00:00:00Z 2025-08-14T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z tomcat-9.0.107-1.1 on GA media These are all security issues fixed in the tomcat-9.0.107-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16502 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-52434/ SUSE CVE CVE-2025-52434 page https://www.suse.com/security/cve/CVE-2025-52520/ SUSE CVE CVE-2025-52520 page https://www.suse.com/security/cve/CVE-2025-53506/ SUSE CVE CVE-2025-53506 page openSUSE Tumbleweed tomcat-9.0.107-1.1 tomcat-admin-webapps-9.0.107-1.1 tomcat-docs-webapp-9.0.107-1.1 tomcat-el-3_0-api-9.0.107-1.1 tomcat-embed-9.0.107-1.1 tomcat-javadoc-9.0.107-1.1 tomcat-jsp-2_3-api-9.0.107-1.1 tomcat-jsvc-9.0.107-1.1 tomcat-lib-9.0.107-1.1 tomcat-servlet-4_0-api-9.0.107-1.1 tomcat-webapps-9.0.107-1.1 tomcat-9.0.107-1.1 as a component of openSUSE Tumbleweed tomcat-admin-webapps-9.0.107-1.1 as a component of openSUSE Tumbleweed tomcat-docs-webapp-9.0.107-1.1 as a component of openSUSE Tumbleweed tomcat-el-3_0-api-9.0.107-1.1 as a component of openSUSE Tumbleweed tomcat-embed-9.0.107-1.1 as a component of openSUSE Tumbleweed tomcat-javadoc-9.0.107-1.1 as a component of openSUSE Tumbleweed tomcat-jsp-2_3-api-9.0.107-1.1 as a component of openSUSE Tumbleweed tomcat-jsvc-9.0.107-1.1 as a component of openSUSE Tumbleweed tomcat-lib-9.0.107-1.1 as a component of openSUSE Tumbleweed tomcat-servlet-4_0-api-9.0.107-1.1 as a component of openSUSE Tumbleweed tomcat-webapps-9.0.107-1.1 as a component of openSUSE Tumbleweed Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') vulnerability in Apache Tomcat when using the APR/Native connector. This was particularly noticeable with client initiated closes of HTTP/2 connections. This issue affects Apache Tomcat: from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 9.0.107, which fixes the issue. CVE-2025-52434 openSUSE Tumbleweed:tomcat-9.0.107-1.1 openSUSE Tumbleweed:tomcat-admin-webapps-9.0.107-1.1 openSUSE Tumbleweed:tomcat-docs-webapp-9.0.107-1.1 openSUSE Tumbleweed:tomcat-el-3_0-api-9.0.107-1.1 openSUSE Tumbleweed:tomcat-embed-9.0.107-1.1 openSUSE Tumbleweed:tomcat-javadoc-9.0.107-1.1 openSUSE Tumbleweed:tomcat-jsp-2_3-api-9.0.107-1.1 openSUSE Tumbleweed:tomcat-jsvc-9.0.107-1.1 openSUSE Tumbleweed:tomcat-lib-9.0.107-1.1 openSUSE Tumbleweed:tomcat-servlet-4_0-api-9.0.107-1.1 openSUSE Tumbleweed:tomcat-webapps-9.0.107-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-52434.html CVE-2025-52434 https://bugzilla.suse.com/1246389 SUSE Bug 1246389 For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. CVE-2025-52520 openSUSE Tumbleweed:tomcat-9.0.107-1.1 openSUSE Tumbleweed:tomcat-admin-webapps-9.0.107-1.1 openSUSE Tumbleweed:tomcat-docs-webapp-9.0.107-1.1 openSUSE Tumbleweed:tomcat-el-3_0-api-9.0.107-1.1 openSUSE Tumbleweed:tomcat-embed-9.0.107-1.1 openSUSE Tumbleweed:tomcat-javadoc-9.0.107-1.1 openSUSE Tumbleweed:tomcat-jsp-2_3-api-9.0.107-1.1 openSUSE Tumbleweed:tomcat-jsvc-9.0.107-1.1 openSUSE Tumbleweed:tomcat-lib-9.0.107-1.1 openSUSE Tumbleweed:tomcat-servlet-4_0-api-9.0.107-1.1 openSUSE Tumbleweed:tomcat-webapps-9.0.107-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-52520.html CVE-2025-52520 https://bugzilla.suse.com/1246388 SUSE Bug 1246388 Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. CVE-2025-53506 openSUSE Tumbleweed:tomcat-9.0.107-1.1 openSUSE Tumbleweed:tomcat-admin-webapps-9.0.107-1.1 openSUSE Tumbleweed:tomcat-docs-webapp-9.0.107-1.1 openSUSE Tumbleweed:tomcat-el-3_0-api-9.0.107-1.1 openSUSE Tumbleweed:tomcat-embed-9.0.107-1.1 openSUSE Tumbleweed:tomcat-javadoc-9.0.107-1.1 openSUSE Tumbleweed:tomcat-jsp-2_3-api-9.0.107-1.1 openSUSE Tumbleweed:tomcat-jsvc-9.0.107-1.1 openSUSE Tumbleweed:tomcat-lib-9.0.107-1.1 openSUSE Tumbleweed:tomcat-servlet-4_0-api-9.0.107-1.1 openSUSE Tumbleweed:tomcat-webapps-9.0.107-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-53506.html CVE-2025-53506 https://bugzilla.suse.com/1246318 SUSE Bug 1246318