[El-errata] ELSA-2026-18916 Important: Oracle Linux 9 tomcat security update

Errata Announcements for Oracle Linux el-errata at oss.oracle.com
Tue Jun 30 12:24:50 UTC 2026


Oracle Linux Security Advisory ELSA-2026-18916

http://linux.oracle.com/errata/ELSA-2026-18916.html

The following updated rpms for Oracle Linux 9 have been uploaded to the Unbreakable Linux Network:

x86_64:
tomcat-9.0.117-1.el9_8.noarch.rpm
tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm
tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm
tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm
tomcat-lib-9.0.117-1.el9_8.noarch.rpm
tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-webapps-9.0.117-1.el9_8.noarch.rpm

aarch64:
tomcat-9.0.117-1.el9_8.noarch.rpm
tomcat-admin-webapps-9.0.117-1.el9_8.noarch.rpm
tomcat-docs-webapp-9.0.117-1.el9_8.noarch.rpm
tomcat-el-3.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-jsp-2.3-api-9.0.117-1.el9_8.noarch.rpm
tomcat-lib-9.0.117-1.el9_8.noarch.rpm
tomcat-servlet-4.0-api-9.0.117-1.el9_8.noarch.rpm
tomcat-webapps-9.0.117-1.el9_8.noarch.rpm


SRPMS:
http://oss.oracle.com/ol9/SRPMS-updates/tomcat-9.0.117-1.el9_8.src.rpm

Related CVEs:

CVE-2025-46701
CVE-2025-55668
CVE-2025-55754




Description of changes:

[1:9.0.117-1]
- Resolves: RHEL-150714 Certificate revocation bypass due to improper OCSP response validation
- Resolves:
  Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (CVE-2026-34500)
- Resolves:
  Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token (CVE-2026-34487)
- Resolves:
  Tomcat: The fix for CVE-2026-29146 allowed the bypass of the EncryptInterceptor (CVE-2026-34486)
- Resolves:
  Tomcat: Incomplete escaping of JSON access logs (CVE-2026-34483)
- Resolves:
  Tomcat: The fix for CVE-2025-66614 was incomplete (CVE-2026-32990)
- Resolves:
  Tomcat: EncryptInterceptor vulnerable to padding oracle attack by default (CVE-2026-29146)
- Resolves:
  Tomcat: OCSP checks sometimes soft-fail even when soft-fail is disabled (CVE-2026-29145)
- Resolves:
  Tomcat: Configured TLS cipher preference order not preserved (CVE-2026-29129)
- Resolves:
  Tomcat: Occasionally open redirect (CVE-2026-25854)
- Resolves:
  Tomcat: Request smuggling via invalid chunk extension (CVE-2026-24880)
- Resolves:
  Tomcat: Incomplete OCSP verification checks (CVE-2026-24734)
- Resolves:
  Tomcat: Security constraint bypass (CVE-2026-24733)
- Resolves:
  Tomcat: Client certificate verification bypass due to virtual host mapping (CVE-2025-66614)




More information about the El-errata mailing list