security: upgrade Apache Tomcat from 9.0.113 to 9.0.118 (24.12.27 LTS backport)#35798

Open
mbiuki wants to merge 1 commit into release-24.12.27_lts from security/upgrade-tomcat-9.0.118-24.12.27_lts

Conversation


@mbiuki mbiuki commented May 21, 2026

Summary

Backport of #35796 to the 24.12.27 LTS line.

Bumps the bundled Apache Tomcat version from 9.0.113 to 9.0.118 to resolve six published Apache Tomcat CVEs that affect 9.0.113.

Refs #35793. Companion to #35797 (25.07.10 LTS backport).

CVEs addressed

| CVE | Severity (Apache) | Affected range | Fixed in |
|---|---|---|---|
| CVE-2026-29146 | Important | 9.0.13 – 9.0.115 | 9.0.116 |
| CVE-2026-34500 | Moderate | 9.0.92 – 9.0.116 | 9.0.117 |
| CVE-2026-34487 | Low | 9.0.13 – 9.0.116 | 9.0.117 |
| CVE-2026-34483 | Low | 9.0.40 – 9.0.116 | 9.0.117 |
| CVE-2026-25854 | Low | 9.0.0.M23 – 9.0.115 | 9.0.116 |
| CVE-2026-24880 | Low | 9.0.0.M1 – 9.0.115 | 9.0.116 |

Source: https://tomcat.apache.org/security-9.html

Diff

Single-property change in parent/pom.xml:

- <tomcat.version>9.0.113</tomcat.version>
+ <tomcat.version>9.0.118</tomcat.version>
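Review bot: the hunk only touches the `tomcat.version` property in parent/pom.xml, yet the test plan pulls the base image by the literal tag `tomcat:9.0.118-jdk11`, which suggests the container tag is spelled out somewhere other than this property. Please confirm the docker descriptor really derives its base-image tag from `${tomcat.version}` (or bump it in this same change), so the Maven BOM and the runtime image cannot drift to different Tomcat releases; a test-plan step that inspects the built artifact for the bundled Tomcat version would make that drift visible in CI rather than at release time.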

The property propagates to BOM declarations, dotCMS/pom.xml, dotcms-integration/pom.xml, and the docker descriptor — no source-code changes needed; Tomcat 9.0.x is API-stable across patch versions.

Test plan

  • CI build succeeds on the LTS branch
  • Full integration test suite passes
  • Docker base image tomcat:9.0.118-jdk11 resolves and pulls cleanly
  • LTS release pipeline produces a clean 24.12.27_lts_v21 (or whichever the next revision is) artifact
  • Smoke test push-publishing and HTTPS endpoint behavior

🤖 Generated with Claude Code

Backport of #35796 to the 24.12.27 LTS line.

Fixes six published Apache Tomcat 9.x CVEs that affect 9.0.113:

- CVE-2026-29146 (Important) — EncryptInterceptor padding oracle
- CVE-2026-34500 (Moderate)  — OCSP soft-fail with FFM
- CVE-2026-34487 (Low)       — Cloud membership exposes K8s bearer token
- CVE-2026-34483 (Low)       — Incomplete escaping of JSON access logs
- CVE-2026-25854 (Low)       — Occasional open redirect
- CVE-2026-24880 (Low)       — Request smuggling via invalid chunk extension

Refs #35793
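As an added example (not part of the PR or of the dotCMS code base), the following Python script turns the CVE table above into a pre-merge check: it reads the `tomcat.version` property from a pom, compares it against each advisory's affected range, and verifies that the Docker base-image tag named in the test plan pins the same release. The advisory rows are copied from the table in the PR description; the pom fragment is a constructed stand-in for parent/pom.xml, and the milestone ordering (9.0.0.Mn sorting before 9.0.0 GA) is an assumption about Tomcat's version scheme that the affected ranges in the table rely on.

```python
"""Check a pinned Tomcat version against the advisory table from the PR."""
import re
from xml.etree import ElementTree as ET

# Advisory table copied from the PR description:
# (CVE, severity, first affected, last affected, fixed in).
ADVISORIES = [
    ("CVE-2026-29146", "Important", "9.0.13",    "9.0.115", "9.0.116"),
    ("CVE-2026-34500", "Moderate",  "9.0.92",    "9.0.116", "9.0.117"),
    ("CVE-2026-34487", "Low",       "9.0.13",    "9.0.116", "9.0.117"),
    ("CVE-2026-34483", "Low",       "9.0.40",    "9.0.116", "9.0.117"),
    ("CVE-2026-25854", "Low",       "9.0.0.M23", "9.0.115", "9.0.116"),
    ("CVE-2026-24880", "Low",       "9.0.0.M1",  "9.0.115", "9.0.116"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Turn '9.0.113' or '9.0.0.M23' into a comparable tuple.

    Assumption: milestones (9.0.0.Mn) predate the 9.0.0 GA release, so they
    get a lower rank (0) than any final version (1) at the same x.y.z.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is not None:
        return (int(major), int(minor), int(patch), 0, int(milestone))
    return (int(major), int(minor), int(patch), 1, 0)


def unresolved_advisories(version):
    """Return the CVE ids whose affected range still includes `version`."""
    v = parse_version(version)
    return [cve for cve, _sev, first, last, _fixed in ADVISORIES
            if parse_version(first) <= v <= parse_version(last)]


def minimum_safe_version():
    """Lowest release at or above every 'fixed in' version in the table."""
    return max((fixed for *_, fixed in ADVISORIES), key=parse_version)


def tomcat_version_from_pom(pom_xml):
    """Read <tomcat.version> from a pom, tolerating the Maven default namespace."""
    root = ET.fromstring(pom_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "tomcat.version" and el.text:
            return el.text.strip()
    return None


def version_from_image_ref(image_ref):
    """Extract the Tomcat version from a tag such as 'tomcat:9.0.118-jdk11'."""
    tag = image_ref.rsplit(":", 1)[-1]
    return tag.split("-", 1)[0]


def check_pin(pom_xml, image_ref):
    """Report whether the pom pin and the image tag agree and clear every advisory."""
    pinned = tomcat_version_from_pom(pom_xml)
    if pinned is None:
        return {"ok": False, "reason": "tomcat.version property not found"}
    image_version = version_from_image_ref(image_ref)
    open_cves = unresolved_advisories(pinned)
    drift = parse_version(pinned) != parse_version(image_version)
    return {
        "ok": not open_cves and not drift,
        "pinned": pinned,
        "image": image_version,
        "open_cves": open_cves,
        "drift": drift,
    }


# Constructed sample: the shape of parent/pom.xml before and after the bump
# (a stand-in, not the project's real file).
POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tomcat.version>9.0.113</tomcat.version></properties>
</project>"""
POM_AFTER = POM_BEFORE.replace("9.0.113", "9.0.118")

if __name__ == "__main__":
    print(check_pin(POM_BEFORE, "tomcat:9.0.113-jdk11"))  # six open CVEs
    print(check_pin(POM_AFTER, "tomcat:9.0.118-jdk11"))   # ok
```

Running it against the pre-bump pom reports all six CVEs as open; against the post-bump pom and the `tomcat:9.0.118-jdk11` tag it reports a clean pin, while a pom at 9.0.116 would still show the three advisories fixed only in 9.0.117. Wiring `check_pin` into CI with the real parent/pom.xml and the docker descriptor's tag catches the two pins drifting apart before the release pipeline runs.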