CLSA-2026-1774460133
See a problem?- Import Source
- https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/ubuntu18.04els/CLSA-2026-1774460133.json
- JSON Data
- https://api.osv.dev/v1/vulns/CLSA-2026-1774460133
- Upstream
- Published
- 2026-03-25T17:35:37Z
- Modified
- 2026-06-04T09:47:36.390841363Z
- Summary
- Fix CVE(s): CVE-2025-66614
- Details
-
- SECURITY UPDATE: client certificate authentication bypass through mismatched
SNI and HTTP Host header
- debian/patches/CVE-2025-66614.patch: Add strictSNI connector attribute and implement SNI/protocol host name matching for NIO, NIO2, and APR connectors; prevent requests being served by mismatched SSLHostConfig when SNI host and HTTP Host header differ.
- CVE-2025-66614
- Fix ObjectStreamClass cache clearing for JDK 11.0.16+
- debian/patches/fix-ObjectStreamClass-cache-clearing.patch: Use instanceof guard in WebappClassLoaderBase.clearCache() instead of direct cast to Map, fixing ClassCastException with newer JDK where ObjectStreamClass$Caches fields were changed from Map to ClassValue (JDK-8277072).
- Regenerate expired test SSL certificates
- debian/test_certs/: Regenerated ca.jks, localhost.jks, localhost-copy1.jks, user1.jks and PEM files. The user1 certificate expired on 2025-08-15, causing TestClientCert SSLHandshakeException failures.
- Fix flaky test infrastructure on build farm
- debian/patches/fix-test-hostname-resolution.patch: Skip TestStandardSessionIntegration, TestGroupChannelSenderConnections, TestGroupChannelStartStop, and TestGroupChannelOptionFlag when build node hostname cannot be resolved via DNS (UnknownHostException).
- debian/patches/CVE-2025-66614.patch: Skip testSni on APR connector since it uses JSSE-style SSLHostConfig incompatible with OpenSSL backend.
- SECURITY UPDATE: client certificate authentication bypass through mismatched
SNI and HTTP Host header
- References