Security update for tomcat11 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2025:02979-1 Final 1 1 2025-08-25T13:46:18Z current 2025-08-25T13:46:18Z 2025-08-25T13:46:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat11 This update for tomcat11 fixes the following issues: Updated to Tomcat 11.0.9 - CVE-2025-52520: Fixed integer overflow can lead to DoS for some unlikely configurations of multipart upload (bsc#1246388) - CVE-2025-53506: Fixed uncontrolled resource HTTP/2 client consumption vulnerability (bsc#1246318) Other: - Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-2025-2979,SUSE-SLE-Module-Web-Scripting-15-SP6-2025-2979,SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2979,openSUSE-SLE-15.6-2025-2979 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2025/suse-su-202502979-1/ Link for SUSE-SU-2025:02979-1 https://lists.suse.com/pipermail/sle-updates/2025-August/041357.html E-Mail link for SUSE-SU-2025:02979-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1246318 SUSE Bug 1246318 https://bugzilla.suse.com/1246388 SUSE Bug 1246388 https://www.suse.com/security/cve/CVE-2025-49125/ SUSE CVE CVE-2025-49125 page https://www.suse.com/security/cve/CVE-2025-52520/ SUSE CVE CVE-2025-52520 page https://www.suse.com/security/cve/CVE-2025-53506/ SUSE CVE CVE-2025-53506 page SUSE Linux Enterprise Module for Web and Scripting 15 SP6 SUSE Linux Enterprise Module for Web and Scripting 15 SP7 openSUSE Leap 15.6 tomcat11-11.0.9-150600.13.6.1 tomcat11-admin-webapps-11.0.9-150600.13.6.1 tomcat11-doc-11.0.9-150600.13.6.1 tomcat11-docs-webapp-11.0.9-150600.13.6.1 tomcat11-el-6_0-api-11.0.9-150600.13.6.1 tomcat11-embed-11.0.9-150600.13.6.1 tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 tomcat11-jsvc-11.0.9-150600.13.6.1 tomcat11-lib-11.0.9-150600.13.6.1 tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 tomcat11-webapps-11.0.9-150600.13.6.1 tomcat11-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 tomcat11-admin-webapps-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 tomcat11-el-6_0-api-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 tomcat11-lib-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 tomcat11-webapps-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP6 tomcat11-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7 tomcat11-admin-webapps-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7 tomcat11-el-6_0-api-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7 tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7 tomcat11-lib-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7 tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7 tomcat11-webapps-11.0.9-150600.13.6.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP7 tomcat11-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 tomcat11-admin-webapps-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 tomcat11-doc-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 tomcat11-docs-webapp-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 tomcat11-el-6_0-api-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 tomcat11-embed-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 tomcat11-jsvc-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 tomcat11-lib-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 tomcat11-webapps-11.0.9-150600.13.6.1 as a component of openSUSE Leap 15.6 Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. CVE-2025-49125 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-admin-webapps-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-el-6_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-lib-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-webapps-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-admin-webapps-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-el-6_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-lib-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-webapps-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-admin-webapps-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-doc-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-docs-webapp-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-el-6_0-api-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-embed-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-jsvc-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-lib-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-webapps-11.0.9-150600.13.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502979-1/ https://www.suse.com/security/cve/CVE-2025-49125.html CVE-2025-49125 https://bugzilla.suse.com/1244649 SUSE Bug 1244649 For some unlikely configurations of multipart upload, an Integer Overflow vulnerability in Apache Tomcat could lead to a DoS via bypassing of size limits. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Other, older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. CVE-2025-52520 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-admin-webapps-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-el-6_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-lib-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-webapps-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-admin-webapps-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-el-6_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-lib-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-webapps-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-admin-webapps-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-doc-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-docs-webapp-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-el-6_0-api-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-embed-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-jsvc-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-lib-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-webapps-11.0.9-150600.13.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502979-1/ https://www.suse.com/security/cve/CVE-2025-52520.html CVE-2025-52520 https://bugzilla.suse.com/1246388 SUSE Bug 1246388 Uncontrolled Resource Consumption vulnerability in Apache Tomcat if an HTTP/2 client did not acknowledge the initial settings frame that reduces the maximum permitted concurrent streams. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.8, from 10.1.0-M1 through 10.1.42, from 9.0.0.M1 through 9.0.106. The following versions were EOL at the time the CVE was created but are known to be affected: 8.5.0 through 8.5.100. Users are recommended to upgrade to version 11.0.9, 10.1.43 or 9.0.107, which fix the issue. CVE-2025-53506 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-admin-webapps-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-el-6_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-lib-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP6:tomcat11-webapps-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-admin-webapps-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-el-6_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-lib-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP7:tomcat11-webapps-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-admin-webapps-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-doc-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-docs-webapp-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-el-6_0-api-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-embed-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-jsvc-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-lib-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1 openSUSE Leap 15.6:tomcat11-webapps-11.0.9-150600.13.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2025/suse-su-202502979-1/ https://www.suse.com/security/cve/CVE-2025-53506.html CVE-2025-53506 https://bugzilla.suse.com/1246318 SUSE Bug 1246318