File _patchinfo of Package patchinfo.40275
<patchinfo incident="40275">
<issue tracker="cve" id="2025-48989"/>
<issue tracker="cve" id="2025-49125"/>
<issue tracker="cve" id="2025-52434"/>
<issue tracker="cve" id="2025-52520"/>
<issue tracker="cve" id="2025-53506"/>
<issue tracker="bnc" id="1246389">VUL-0: CVE-2025-52434: tomcat,tomcat10,tomcat11,tomcat6: race condition on connection close when using the APR/Native connector could lead to a JVM crash</issue>
<issue tracker="bnc" id="1246318">VUL-0: CVE-2025-53506: tomcat,tomcat10,tomcat11: uncontrolled resource HTTP/2 client consumption vulnerability</issue>
<issue tracker="bnc" id="1246388">VUL-0: CVE-2025-52520: tomcat,tomcat10,tomcat11,tomcat6: integer overflow can lead to DoS for some unlikely configurations of multipart upload</issue>
<issue tracker="bnc" id="1243895">VUL-0: CVE-2025-48989: tomcat,tomcat10,tomcat11: HTTP/2 protocol (including DNS over HTTPS) is vulnerable to "MadeYouReset" DoS attack</issue>
<packager>mbussolotto</packager>
<rating>important</rating>
<category>security</category>
<summary>Security update for tomcat</summary>
<description>This update for tomcat fixes the following issues:
Updated to 9.0.108:
- CVE-2025-52520: Fixed integer overflow can lead to DoS for some unlikely configurations of multipart upload (bsc#1246388)
- CVE-2025-53506: Fixed uncontrolled resource HTTP/2 client consumption vulnerability (bsc#1246318)
- CVE-2025-52434: Fixed race condition on connection close when using the APR/Native connector leading to a JVM crash (bsc#1246389)
- CVE-2025-48989: Fixed "MadeYouReset" DoS in HTTP/2 due to client triggered stream reset (bsc#1243895)
Other:
- Correct a regression in the fix for CVE-2025-49125 that
prevented access to PreResources and PostResources when mounted below the
web application root with a path that was terminated with a file
separator.
</description>
</patchinfo>
