# Security update for tomcat10 Announcement ID: SUSE-SU-2025:02261-1 Release Date: 2025-07-09T17:40:51Z Rating: important References: * bsc#1242722 * bsc#1243815 * bsc#1244649 * bsc#1244656 Cross-References: * CVE-2025-46701 * CVE-2025-48988 * CVE-2025-49125 CVSS scores: * CVE-2025-46701 ( SUSE ): 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N * CVE-2025-46701 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N * CVE-2025-46701 ( NVD ): 7.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L * CVE-2025-48988 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N * CVE-2025-48988 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-48988 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H * CVE-2025-49125 ( SUSE ): 9.1 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N * CVE-2025-49125 ( SUSE ): 7.4 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N * CVE-2025-49125 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Affected Products: * openSUSE Leap 15.6 * SUSE Linux Enterprise High Performance Computing 15 SP5 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 * SUSE Linux Enterprise Server 15 SP5 * SUSE Linux Enterprise Server 15 SP5 LTSS * SUSE Linux Enterprise Server 15 SP6 * SUSE Linux Enterprise Server 15 SP7 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 * SUSE Linux Enterprise Server for SAP Applications 15 SP6 * SUSE Linux Enterprise Server for SAP Applications 15 SP7 * Web and Scripting Module 15-SP6 * Web and Scripting Module 15-SP7 An update that solves three vulnerabilities and has one security fix can now be installed. ## Description: This update for tomcat10 fixes the following issues: * Fixed refactor CGI servlet to access resources via WebResources (bsc#1243815). * Fixed limits the total number of parts in a multi-part request and limits the size of the headers provided with each part (bsc#1244656). * Fixed expand checks for webAppMount (bsc#1244649). * Hardening permissions (bsc#1242722) Update to Tomcat 10.1.42: * Fixed CVEs: * CVE-2025-46701: refactor CGI servlet to access resources via WebResources (bsc#1243815) * CVE-2025-48988: limits the total number of parts in a multi-part request and limits the size of the headers provided with each part (bsc#1244656) * CVE-2025-49125: Expand checks for webAppMount (bsc#1244649) * Catalina: * Add: Support for the java:module namespace which mirrors the java:comp namespace. * Add: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. * Add: Support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters. * Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite. * Add: #863: Support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp. * Fix: 69706: Saved request serialization issue in FORM introduced when allowing infinite session timeouts. * Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application. * Fix: Use of SSS in SimpleDateFormat pattern for AccessLogValve. * Fix: Process possible path parameters rewrite production in the rewrite valve. * Fix: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources. * Add: 69633: Support for Filters using context root mappings. * Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier. * Fix: #843: Off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp. * Refactor: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer. * Refactor: GCI servlet to access resources via the WebResource API. * Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith. * Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts. * Add: Provide a content type based on file extension when web application resources are accessed via a URL. * Coyote * Refactor: #861: TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida. * Add: Finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve. * Refactor: The SavedRequestInputFilter so the buffered data is used directly rather than copied. * Jasper: * Fix: 69696: Mark the JSP wrapper for reload after a failed compilation. * Fix: 69635: Add support to jakarta.el.ImportHandler for resolving inner classes. * Add: #842: Support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations. * Fix: An edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635. * Web applications: * Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails. * Add: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram. * Other: * Add: Thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang. * Update: Tomcat Native to 2.0.9. * Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05). * Update: EasyMock to 5.6.0. * Update: Checkstyle to 10.25.0. * Fix: Use the full path when the installer for Windows sets calls icacls.exe to set file permissions. * Update: Improvements to Japanese translations provided by tak7iji. * Fix: Set sun.io.useCanonCaches in service.bat Based on pull request #841 by Paul Lodge. * Update: Jacoco to 0.8.13. * Code: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. * Update: Byte Buddy to 1.17.5. * Update: Checkstyle to 10.23.1. * Update: File extension to media type mappings to align with the current list used by the Apache Web Server (httpd). * Update: Improvements to French translations. * Update: Improvements to Japanese translations provided by tak7iji. ## Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: * openSUSE Leap 15.6 zypper in -t patch openSUSE-SLE-15.6-2025-2261=1 * Web and Scripting Module 15-SP6 zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP6-2025-2261=1 * Web and Scripting Module 15-SP7 zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2261=1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-2261=1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-2261=1 * SUSE Linux Enterprise Server 15 SP5 LTSS zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-2261=1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-2261=1 ## Package List: * openSUSE Leap 15.6 (noarch) * tomcat10-admin-webapps-10.1.42-150200.5.45.1 * tomcat10-jsvc-10.1.42-150200.5.45.1 * tomcat10-webapps-10.1.42-150200.5.45.1 * tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1 * tomcat10-10.1.42-150200.5.45.1 * tomcat10-docs-webapp-10.1.42-150200.5.45.1 * tomcat10-lib-10.1.42-150200.5.45.1 * tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1 * tomcat10-embed-10.1.42-150200.5.45.1 * tomcat10-doc-10.1.42-150200.5.45.1 * tomcat10-el-5_0-api-10.1.42-150200.5.45.1 * Web and Scripting Module 15-SP6 (noarch) * tomcat10-admin-webapps-10.1.42-150200.5.45.1 * tomcat10-webapps-10.1.42-150200.5.45.1 * tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1 * tomcat10-10.1.42-150200.5.45.1 * tomcat10-lib-10.1.42-150200.5.45.1 * tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1 * tomcat10-el-5_0-api-10.1.42-150200.5.45.1 * Web and Scripting Module 15-SP7 (noarch) * tomcat10-admin-webapps-10.1.42-150200.5.45.1 * tomcat10-webapps-10.1.42-150200.5.45.1 * tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1 * tomcat10-10.1.42-150200.5.45.1 * tomcat10-lib-10.1.42-150200.5.45.1 * tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1 * tomcat10-el-5_0-api-10.1.42-150200.5.45.1 * SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch) * tomcat10-admin-webapps-10.1.42-150200.5.45.1 * tomcat10-webapps-10.1.42-150200.5.45.1 * tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1 * tomcat10-10.1.42-150200.5.45.1 * tomcat10-lib-10.1.42-150200.5.45.1 * tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1 * tomcat10-el-5_0-api-10.1.42-150200.5.45.1 * SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch) * tomcat10-admin-webapps-10.1.42-150200.5.45.1 * tomcat10-webapps-10.1.42-150200.5.45.1 * tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1 * tomcat10-10.1.42-150200.5.45.1 * tomcat10-lib-10.1.42-150200.5.45.1 * tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1 * tomcat10-el-5_0-api-10.1.42-150200.5.45.1 * SUSE Linux Enterprise Server 15 SP5 LTSS (noarch) * tomcat10-admin-webapps-10.1.42-150200.5.45.1 * tomcat10-webapps-10.1.42-150200.5.45.1 * tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1 * tomcat10-10.1.42-150200.5.45.1 * tomcat10-lib-10.1.42-150200.5.45.1 * tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1 * tomcat10-el-5_0-api-10.1.42-150200.5.45.1 * SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch) * tomcat10-admin-webapps-10.1.42-150200.5.45.1 * tomcat10-webapps-10.1.42-150200.5.45.1 * tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1 * tomcat10-10.1.42-150200.5.45.1 * tomcat10-lib-10.1.42-150200.5.45.1 * tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1 * tomcat10-el-5_0-api-10.1.42-150200.5.45.1 ## References: * https://www.suse.com/security/cve/CVE-2025-46701.html * https://www.suse.com/security/cve/CVE-2025-48988.html * https://www.suse.com/security/cve/CVE-2025-49125.html * https://bugzilla.suse.com/show_bug.cgi?id=1242722 * https://bugzilla.suse.com/show_bug.cgi?id=1243815 * https://bugzilla.suse.com/show_bug.cgi?id=1244649 * https://bugzilla.suse.com/show_bug.cgi?id=1244656