Security update for tomcat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2026:0922-1 Final 1 1 2026-03-18T09:15:06Z current 2026-03-18T09:15:06Z 2026-03-18T09:15:06Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat fixes the following issues: - CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2026-922,SUSE-SLE-SERVER-12-SP5-LTSS-EXTENDED-SECURITY-2026-922 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2026/suse-su-20260922-1/ Link for SUSE-SU-2026:0922-1 https://lists.suse.com/pipermail/sle-security-updates/2026-March/024713.html E-Mail link for SUSE-SU-2026:0922-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1258385 SUSE Bug 1258385 https://www.suse.com/security/cve/CVE-2026-24733/ SUSE CVE CVE-2026-24733 page SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-9.0.36-3.156.1 tomcat-admin-webapps-9.0.36-3.156.1 tomcat-docs-webapp-9.0.36-3.156.1 tomcat-el-3_0-api-9.0.36-3.156.1 tomcat-embed-9.0.36-3.156.1 tomcat-javadoc-9.0.36-3.156.1 tomcat-jsp-2_3-api-9.0.36-3.156.1 tomcat-jsvc-9.0.36-3.156.1 tomcat-lib-9.0.36-3.156.1 tomcat-servlet-4_0-api-9.0.36-3.156.1 tomcat-webapps-9.0.36-3.156.1 tomcat-9.0.36-3.156.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-admin-webapps-9.0.36-3.156.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-docs-webapp-9.0.36-3.156.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-el-3_0-api-9.0.36-3.156.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-javadoc-9.0.36-3.156.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-jsp-2_3-api-9.0.36-3.156.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-lib-9.0.36-3.156.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-servlet-4_0-api-9.0.36-3.156.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 tomcat-webapps-9.0.36-3.156.1 as a component of SUSE Linux Enterprise Server LTSS Extended Security 12 SP5 Improper Input Validation vulnerability in Apache Tomcat. Tomcat did not limit HTTP/0.9 requests to the GET method. If a security constraint was configured to allow HEAD requests to a URI but deny GET requests, the user could bypass that constraint on GET requests by sending a (specification invalid) HEAD request using HTTP/0.9. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.14, from 10.1.0-M1 through 10.1.49, from 9.0.0.M1 through 9.0.112. Older, EOL versions are also affected. Users are recommended to upgrade to version 11.0.15 or later, 10.1.50 or later or 9.0.113 or later, which fixes the issue. CVE-2026-24733 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-9.0.36-3.156.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-admin-webapps-9.0.36-3.156.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-docs-webapp-9.0.36-3.156.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-el-3_0-api-9.0.36-3.156.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-javadoc-9.0.36-3.156.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-jsp-2_3-api-9.0.36-3.156.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-lib-9.0.36-3.156.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-servlet-4_0-api-9.0.36-3.156.1 SUSE Linux Enterprise Server LTSS Extended Security 12 SP5:tomcat-webapps-9.0.36-3.156.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2026/suse-su-20260922-1/ https://www.suse.com/security/cve/CVE-2026-24733.html CVE-2026-24733 https://bugzilla.suse.com/1258385 SUSE Bug 1258385