[CLSA-2026:1779374454] Fix of 7 CVEs
Type:
security
Severity:
Low
Release date:
2026-05-21 14:41:06 UTC
Description:
* SECURITY UPDATE: multiple security fixes
  - debian/patches/CVE-2026-41284.patch: add a configurable maxRequestBodySize init-param to the WebDAV servlet to bound LOCK/PROPFIND XML request bodies; reject oversized bodies with 413 Request Entity Too Long. Includes the upstream BoundedByteArrayOutputStream helper and associated tests - CVE-2026-41284
  - debian/patches/CVE-2026-41293.patch: filter invalid HTTP/2 header names in HpackDecoder / HPackHuffman / Stream / Http2Parser using a new HttpParser.isToken-based check; folds upstream follow-up (HttpParser i>32 hex/decimal fix, additional LocalStrings keys, HpackHuffman field-name branch simplification) and ships the new TestHPackHuffman / TestHttp2Section_8_2 tests.
  - debian/patches/CVE-2026-41293-tests.patch: adapt TestHttp2Section_8_2 to the 9.0.31 readFrame(boolean) signature - CVE-2026-41293
  - debian/patches/CVE-2026-42498.patch: strip Authorization and Proxy-Authorization headers from WebSocket client userProperties after the proxy CONNECT, HTTP redirect, and successful upgrade paths so credentials are not leaked to redirect or proxy targets - CVE-2026-42498
  - debian/patches/CVE-2026-43512.patch: fix DIGEST authentication handling of unknown users and users with a null password so they cannot authenticate; adds regression tests to TestDigestAuthenticator - CVE-2026-43512
  - debian/patches/CVE-2026-43513.patch: add caseSensitive attribute to LockOutRealm and route usernames through a null-safe normalizeUsername helper so case-insensitive realms cannot be brute-forced by varying the case of the username. Folds the upstream Coverity NPE follow-up and adds the new TestLockoutRealm JUnit tests - CVE-2026-43513
  - debian/patches/CVE-2026-43514.patch: switch the AJP secret comparison in AjpProcessor to a constant-time comparison using the new ConstantTime utility; includes the upstream ByteChunk start-offset follow-up - CVE-2026-43514
  - debian/patches/CVE-2026-43515.patch: ensure RealmBase finds all matching extension-based security constraints by moving the match bookkeeping inside the inner extension-pattern loop; adds the upstream TestRealmBase.testUncoveredMethods regression test and a TesterRequest.getRequestPathMB() helper - CVE-2026-43515
Updated packages:
  • libtomcat9-embed-java_9.0.31-1ubuntu0.9+tuxcare.els4_all.deb
    sha:5c28a7481d115a5bc07c9cae22ce3eb28e99c297
  • libtomcat9-java_9.0.31-1ubuntu0.9+tuxcare.els4_all.deb
    sha:36064a10affce21d570469cf2ad1b0523b410e46
  • tomcat9_9.0.31-1ubuntu0.9+tuxcare.els4_all.deb
    sha:3e71cc3e54263488e474a63d0c0fa56ef5618feb
  • tomcat9-admin_9.0.31-1ubuntu0.9+tuxcare.els4_all.deb
    sha:b3d1ff914b7e755e95b02f9453e19633612c6ee4
  • tomcat9-common_9.0.31-1ubuntu0.9+tuxcare.els4_all.deb
    sha:a80d110833d78291a50d198128c2d46900746c3c
  • tomcat9-docs_9.0.31-1ubuntu0.9+tuxcare.els4_all.deb
    sha:e762a2c943ae69804445aa3be60103d509bb83b1
  • tomcat9-examples_9.0.31-1ubuntu0.9+tuxcare.els4_all.deb
    sha:13bbe902d2f1e4ccccee0fd0f4dabff4095febda
  • tomcat9-user_9.0.31-1ubuntu0.9+tuxcare.els4_all.deb
    sha:94aed75e0648f6766f9159a486ab0db02ca30d4a
Notes:
This page is generated automatically and has not been checked for errors. For clarification or corrections please contact the CloudLinux Packaging Team.