{"id":"MGASA-2026-0095","summary":"Updated tomcat packages fix security vulnerabilities","details":"Request smuggling via invalid chunk extension. (CVE-2026-24880)\nOccasionally open redirect. (CVE-2026-25854)\nTLS cipher order is not preserved. (CVE-2026-29129)\nOCSP checks sometimes soft-fail even when soft-fail is disabled.\n(CVE-2026-29145)\nEncryptInterceptor vulnerable to padding oracle attack by default.\n(CVE-2026-29146)\nFix for CVE-2025-66614 is incomplete. (CVE-2026-32990)\nIncomplete escaping of JSON access logs. (CVE-2026-34483)\nFix for CVE-2026-29146 allowed bypass of EncryptInterceptor.\n(CVE-2026-34486)\nCloud membership for clustering component exposed the Kubernetes bearer\ntoken. (CVE-2026-34487)\nOCSP checks sometimes soft-fail with FFM even when soft-fail is\ndisabled. (CVE-2026-34500)\n","modified":"2026-04-16T04:41:56.116698475Z","published":"2026-04-12T05:23:15Z","upstream":["CVE-2026-24880","CVE-2026-25854","CVE-2026-29129","CVE-2026-29145","CVE-2026-29146","CVE-2026-32990","CVE-2026-34483","CVE-2026-34486","CVE-2026-34487","CVE-2026-34500"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2026-0095.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=35341"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/20"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/21"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/22"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/23"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/24"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/25"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/26"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/27"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/28"},{"type":"WEB","url":"https://www.openwall.com/lists/oss-security/2026/04/09/29"}],"affected":[{"package":{"name":"tomcat","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/tomcat?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"9.0.117-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2026-0095.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}