ELSA-2026-19054

ELSA-2026-19054 - tomcat security update

Type:SECURITY
Impact:IMPORTANT
Release Date:2026-07-08

Description


[1:10.1.36-3.el10_1.1]
- Resolves: RHEL-150719
Certificate revocation bypass due to improper OCSP response validation (CVE-2026-24734)

[1:10.1.49-1]
- Resolves: RHEL-150099 Rebase tomcat package to enable PQC features

[1:10.1.36-4]
- Resolves: RHEL-124493
tomcat: Directory traversal via rewrite with possible RCE (CVE-2025-55752)
- Resolves: RHEL-132560
tomcat: Bypass of rules in Rewrite Valve (CVE-2025-31651)
- Resolves: RHEL-132526
tomcat: Denial of service (CVE-2025-61795)

[1:10.1.36-3]
- Resolves: RHEL-102184
tomcat: http/2 'MadeYouReset' DoS attack through HTTP/2 control frames (CVE-2025-48989)
- Resolves: RHEL-108906
tomcat: Denial of service (CVE-2025-52520)

[1:10.1.36-2]
- Resolves: RHEL-108900
tomcat: Apache FileUpload DOS via part headers (CVE-2025-48976)
- Resolves: RHEL-108902
tomcat: Dos in multipart upload (CVE-2025-48988)
- Resolves: RHEL-108904
tomcat: Security constraint bypass for pre/post-resources (CVE-2025-49125)
- Resolves: RHEL-108908
tomcat: Denial of service (CVE-2025-53506)

[1:10.1.36-1]
- Rebase tomcat to 10.1.36
- Resolves: RHEL-82925
tomcat: Potential RCE and/or information disclosure and/or information corruption with partial PUT (CVE-2025-24813)
- Resolves: RHEL-87272
tomcat: DoS in examples web application (CVE-2024-54677)
- Resolves: RHEL-87273
tomcat: Authentication bypass when using Jakarta Authentication API (CVE-2024-52316)
- Resolves: RHEL-85343 - NoClassDefFoundError when using migration tool

[1:10.1.8-2]
- Resolves: RHEL-78899 Add missing Obsoletes

[1:10.1.8-1]
- Resolves: RHEL-51222 Upgrade tomcat to 10.1.8

[1:9.0.87-3]
- Bump release for October 2024 mass rebuild:
Resolves: RHEL-64018

[1:9.0.87-2]
- Resolves: RHEL-50166 - Rebase tomcat to version 9.0.87
- Resolves: RHEL-12274 - Use src.zip file as a Source0 instead of tar.gz
- Resolves: RHEL-51277 - Prune changelog to remove non-relevant history
- Resolves: RHEL-52906 - tomcat: Switch to using Java 21 as the default JDK
- Resolves: RHEL-55194 - Fix changelog version
- Resolves: RHEL-46156
tomcat: Improper Handling of Exceptional Conditions (CVE-2024-34750)


Related CVEs


CVE-2026-24734

Updated Packages


Release/ArchitectureFilenamesha256Superseded By AdvisoryChannel Label
Oracle Linux 10 (aarch64) tomcat-10.1.49-1.el10_2.1.src.rpme2bb5d4ddfb266a15f53ae5e7f766123cd91146453cfff6c5128f67d3f6ea6e7-ol10_aarch64_appstream
tomcat-10.1.49-1.el10_2.1.noarch.rpm07b52c8a521f9611e5b9baf3a4863a3d7170f7226c1097588b017f43af715136-ol10_aarch64_appstream
tomcat-admin-webapps-10.1.49-1.el10_2.1.noarch.rpm4005619d96a8d8a430c82a2769f36104336a0e206b40fcdd81c217e5ff0c5fb0-ol10_aarch64_appstream
tomcat-docs-webapp-10.1.49-1.el10_2.1.noarch.rpmaaa1777a8a7d903869b7a8a0f26935dd9c63589cd30a0ec472da4a89840bba66-ol10_aarch64_appstream
tomcat-el-5.0-api-10.1.49-1.el10_2.1.noarch.rpma0b2e0b3067e481e5542d37ffcc99e6981533440dfe9e49ab21f82f6e7029ff7-ol10_aarch64_appstream
tomcat-jsp-3.1-api-10.1.49-1.el10_2.1.noarch.rpm2e0382b167a6ee94e859f281a3131e9ee4f5f11f1e6b16a2f3028cc1a0322a21-ol10_aarch64_appstream
tomcat-lib-10.1.49-1.el10_2.1.noarch.rpm653bed917dc4e451ef1807e2668c2ce3d21a9e248d2058012bdecfda6352fe8a-ol10_aarch64_appstream
tomcat-servlet-6.0-api-10.1.49-1.el10_2.1.noarch.rpm657ad273e48bae164beac16ea812498d6eae52a0fc0896bc96875fdd326eb0fb-ol10_aarch64_appstream
tomcat-webapps-10.1.49-1.el10_2.1.noarch.rpm636f332200a7e8c01578e3419ed5909021a20f5d41eaeed8d3826b184f8e1041-ol10_aarch64_appstream
Oracle Linux 10 (x86_64) tomcat-10.1.49-1.el10_2.1.src.rpme2bb5d4ddfb266a15f53ae5e7f766123cd91146453cfff6c5128f67d3f6ea6e7-ol10_x86_64_appstream
tomcat-10.1.49-1.el10_2.1.noarch.rpm07b52c8a521f9611e5b9baf3a4863a3d7170f7226c1097588b017f43af715136-ol10_x86_64_appstream
tomcat-admin-webapps-10.1.49-1.el10_2.1.noarch.rpm4005619d96a8d8a430c82a2769f36104336a0e206b40fcdd81c217e5ff0c5fb0-ol10_x86_64_appstream
tomcat-docs-webapp-10.1.49-1.el10_2.1.noarch.rpmaaa1777a8a7d903869b7a8a0f26935dd9c63589cd30a0ec472da4a89840bba66-ol10_x86_64_appstream
tomcat-el-5.0-api-10.1.49-1.el10_2.1.noarch.rpma0b2e0b3067e481e5542d37ffcc99e6981533440dfe9e49ab21f82f6e7029ff7-ol10_x86_64_appstream
tomcat-jsp-3.1-api-10.1.49-1.el10_2.1.noarch.rpm2e0382b167a6ee94e859f281a3131e9ee4f5f11f1e6b16a2f3028cc1a0322a21-ol10_x86_64_appstream
tomcat-lib-10.1.49-1.el10_2.1.noarch.rpm653bed917dc4e451ef1807e2668c2ce3d21a9e248d2058012bdecfda6352fe8a-ol10_x86_64_appstream
tomcat-servlet-6.0-api-10.1.49-1.el10_2.1.noarch.rpm657ad273e48bae164beac16ea812498d6eae52a0fc0896bc96875fdd326eb0fb-ol10_x86_64_appstream
tomcat-webapps-10.1.49-1.el10_2.1.noarch.rpm636f332200a7e8c01578e3419ed5909021a20f5d41eaeed8d3826b184f8e1041-ol10_x86_64_appstream



This page is generated automatically and has not been checked for errors or omissions. For clarification or corrections please contact the Oracle Linux ULN team

software.hardware.complete