This update for tomcat11 fixes the following issues:
Update to Tomcat 11.0.18:
- CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371).
- CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385).
- CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387).
Changelog:
- Fix: 69932: Fix request end access log pattern regression, which would log the start time of the request instead. (remm)
- Fix: 69623: Additional fix for the long-standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled if the target resource was packaged in a JAR file. (markt)
- Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the CsrfPreventionFilter. (schultz)
- Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2 requests when the content-length header is not set. (dsoumis)
- Update: Enable minimum and recommended Tomcat Native versions to be set separately for Tomcat Native 1.x and 2.x. Update the minimum and recommended versions for Tomcat Native 1.x to 1.3.4. Update the minimum and recommended versions for Tomcat Native 2.x to 2.0.12. (markt)
- Add: Add a new ssoReauthenticationMode to the Tomcat-provided Authenticators that provides a per-Authenticator override of the SSO Valve requireReauthentication attribute. (markt)
- Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception rather than silently using a replacement character. (markt)
- Fix: 69871: Increase log level to INFO for missing configuration for the rewrite valve. (remm)
- Fix: Add log warnings for additional Host appBase suspicious values. (remm)
- Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar. org.apache.catalina.Connector no longer requires org.apache.tomcat.jni.AprStatus to be present. (markt)
- Add: Add...