Release date: 2026-06-10 16:22:18 UTC
Description:
- CVE-2026-29146: change the default EncryptInterceptor cipher to AES/GCM/NoPadding
and reject insecure cipher mode/padding combinations to mitigate the CBC padding
oracle attack (upstream tomcat 9.0.116)
- CVE-2026-34486: restore super.messageReceived() inside the try block so a failed
decryption is not forwarded, closing the EncryptInterceptor fail-open bypass
introduced by the CVE-2026-29146 fix (upstream tomcat 9.0.117)
Updated packages:
- tomcat-9.0.87-3.el9_6.3.tuxcare.els8.noarch.rpm
  sha:f777cc701aff06bcc15d517ef9e06de8b135e40dbdddfc0ee0410ec73f767dbd
- tomcat-admin-webapps-9.0.87-3.el9_6.3.tuxcare.els8.noarch.rpm
  sha:0ff373d57fa53b002f2697841115b4a04ee1a45fe6dc9c8bce17ace3b34b0b8f
- tomcat-docs-webapp-9.0.87-3.el9_6.3.tuxcare.els8.noarch.rpm
  sha:10e0a33e39163db16f7a1964509c6886a446badb1abaff148dd8852dd961d7ab
- tomcat-el-3.0-api-9.0.87-3.el9_6.3.tuxcare.els8.noarch.rpm
  sha:bb4fd91e5d037cfb95bc13514beb740696dfad1e233954e05f5a538fca60529c
- tomcat-jsp-2.3-api-9.0.87-3.el9_6.3.tuxcare.els8.noarch.rpm
  sha:e2f3b747f319f93e5788bd8211af5666636434f6afcb6b3954bbe3742a77a4ca
- tomcat-lib-9.0.87-3.el9_6.3.tuxcare.els8.noarch.rpm
  sha:1f015184bd55818c036eaf69195c67763b645af748951d14d52137d5872dcadf
- tomcat-servlet-4.0-api-9.0.87-3.el9_6.3.tuxcare.els8.noarch.rpm
  sha:b82fc2b71eea986eef701a3d41a12e70f283469956d4336d88b3cd0222fe7a50
- tomcat-webapps-9.0.87-3.el9_6.3.tuxcare.els8.noarch.rpm
  sha:261a2f9be9f48e5763b2cd9490ebdf102d5e97e0e113386310b813ebb1a521b5
Notes:
This page is generated automatically and has not been checked for errors. For clarification or
corrections please contact the CloudLinux Packaging Team.