CLSA-2026-1779968889

See a problem?

Import Source

https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json

JSON Data

https://api.osv.dev/v1/vulns/CLSA-2026-1779968889

Upstream

CVE-2026-41284

CVE-2026-41293

CVE-2026-42498

CVE-2026-43512

CVE-2026-43513

CVE-2026-43514

CVE-2026-43515

Published

2026-05-28T14:02:01Z

Modified

2026-06-04T10:03:26.487800721Z

Summary

Fix of 7 CVEs

Details

SECURITY UPDATE: Authentication Bypass in digest authentication
- debian/patches/CVE-2026-43512.patch: reject digest authentication attempts for unknown users in getDigest()
- CVE-2026-43512
SECURITY UPDATE: Account lockout bypass in LockOutRealm via case variation of user names
- debian/patches/CVE-2026-43513.patch: add a caseSensitive attribute to LockOutRealm and treat user names case-insensitively by default
- CVE-2026-43513
SECURITY UPDATE: Observable timing discrepancy in AJP secret comparison
- debian/patches/CVE-2026-43514.patch: add ConstantTime helper and switch the AJP secret comparison to a constant time algorithm
- CVE-2026-43514
SECURITY UPDATE: Improper authorisation when multiple method constraints define an HTTP method for the same extension
- debian/patches/CVE-2026-43515.patch: evaluate findMethod() against every matching SecurityCollection rather than only the last one
- CVE-2026-43515
SECURITY UPDATE: Exposure of HTTP authorisation header to unexpected hosts during WebSocket authentication
- debian/patches/CVE-2026-42498.patch: drop the cached Authorization header from userProperties before following a WebSocket upgrade redirect so it is not sent to the host named in Location
- CVE-2026-42498
SECURITY UPDATE: HTTP/2 header values were not validated for control characters and other illegal bytes
- debian/patches/CVE-2026-41293.patch: validate field names and values in HpackDecoder and HPackHuffman using the new HttpParser isFieldVChar / isFieldContent tables
- CVE-2026-41293
SECURITY UPDATE: Allocation of resources without limits in WebDAV LOCK and PROPFIND request bodies
- debian/patches/CVE-2026-41284.patch: read PROPFIND and LOCK bodies through a new BoundedByteArrayOutputStream limited by the new maxRequestBodySize init parameter (default 4096 bytes)
- CVE-2026-41284

References

https://errata.tuxcare.com/els_os/debian10els/CLSA-2026-1779968889.html

Affected packages

TuxCare:Debian:10

libtomcat9-embed-java

Package

Name: libtomcat9-embed-java
Purl: pkg:deb/tuxcare/libtomcat9-embed-java?distro=debian-10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.31-1~deb10u12+tuxcare.els5

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"

libtomcat9-java

Package

Name: libtomcat9-java
Purl: pkg:deb/tuxcare/libtomcat9-java?distro=debian-10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.31-1~deb10u12+tuxcare.els5

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"

tomcat9

Package

Name: tomcat9
Purl: pkg:deb/tuxcare/tomcat9?distro=debian-10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.31-1~deb10u12+tuxcare.els5

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"

tomcat9-admin

Package

Name: tomcat9-admin
Purl: pkg:deb/tuxcare/tomcat9-admin?distro=debian-10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.31-1~deb10u12+tuxcare.els5

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"

tomcat9-common

Package

Name: tomcat9-common
Purl: pkg:deb/tuxcare/tomcat9-common?distro=debian-10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.31-1~deb10u12+tuxcare.els5

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"

tomcat9-docs

Package

Name: tomcat9-docs
Purl: pkg:deb/tuxcare/tomcat9-docs?distro=debian-10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.31-1~deb10u12+tuxcare.els5

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"

tomcat9-examples

Package

Name: tomcat9-examples
Purl: pkg:deb/tuxcare/tomcat9-examples?distro=debian-10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.31-1~deb10u12+tuxcare.els5

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"

tomcat9-user

Package

Name: tomcat9-user
Purl: pkg:deb/tuxcare/tomcat9-user?distro=debian-10

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

9.0.31-1~deb10u12+tuxcare.els5

Database specific

source

"https://github.com/cloudlinux/tuxcare-osv/tree/main/data/els_os/debian10els/CLSA-2026-1779968889.json"