SUSE-SLE-Module-Web-Scripting-15-SP7-2025-1521: Security update for tomcat (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat fixes the following issues:

Update to Tomcat 9.0.104:
- CVE-2025-31650: invalid priority field values should be ignored (bsc#1242008)
- CVE-2025-31651: better handling of URLs with literal ';' and '?' (bsc#1242009)

Full changelog: https://tomcat.apache.org/tomcat-9.0-doc/changelog.html

Package list:
tomcat-9.0.104-150200.81.1.noarch.rpm
tomcat-9.0.104-150200.81.1.src.rpm
tomcat-admin-webapps-9.0.104-150200.81.1.noarch.rpm
tomcat-el-3_0-api-9.0.104-150200.81.1.noarch.rpm
tomcat-jsp-2_3-api-9.0.104-150200.81.1.noarch.rpm
tomcat-lib-9.0.104-150200.81.1.noarch.rpm
tomcat-servlet-4_0-api-9.0.104-150200.81.1.noarch.rpm
tomcat-webapps-9.0.104-150200.81.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-1537: Security update for tomcat10 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat10 fixes the following issues:

Update to Tomcat 10.1.40:
- CVE-2025-31650: invalid priority field values should be ignored (bsc#1242008)
- CVE-2025-31651: better handling of URLs with literal ';' and '?' (bsc#1242009)

Full changelog: https://tomcat.apache.org/tomcat-10.1-doc/changelog.html

Package list:
tomcat10-10.1.40-150200.5.40.1.noarch.rpm
tomcat10-10.1.40-150200.5.40.1.src.rpm
tomcat10-admin-webapps-10.1.40-150200.5.40.1.noarch.rpm
tomcat10-el-5_0-api-10.1.40-150200.5.40.1.noarch.rpm
tomcat10-jsp-3_1-api-10.1.40-150200.5.40.1.noarch.rpm
tomcat10-lib-10.1.40-150200.5.40.1.noarch.rpm
tomcat10-servlet-6_0-api-10.1.40-150200.5.40.1.noarch.rpm
tomcat10-webapps-10.1.40-150200.5.40.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-1815: Security update for apache-commons-beanutils (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for apache-commons-beanutils fixes the following issues:

Update to 1.11.0:
- CVE-2025-48734: fixed a possible arbitrary code execution vulnerability (bsc#1243793)

Full changelog: https://commons.apache.org/proper/commons-beanutils/changes.html#a1.11.0

Package list:
apache-commons-beanutils-1.11.0-150200.3.9.1.noarch.rpm
apache-commons-beanutils-1.11.0-150200.3.9.1.src.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-1879: Security update for nodejs22 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for nodejs22 fixes the following issues:

Update to version 22.15.1.

Security issues fixed:
- CVE-2025-23166: remotely triggerable process crash due to improper error handling in async cryptographic operations (bsc#1243218)
- CVE-2025-23165: memory leak and unbounded memory growth due to a corrupted pointer in `node::fs::ReadFileUtf8(const FunctionCallbackInfo<Value>& args)` when `args[0]` is a string (bsc#1243217)

Other changes and issues fixed:
- Changes from version 22.15.0:
  * dns: add TLSA record query and parsing
  * assert: improve partialDeepStrictEqual
  * process: add execve
  * tls: implement tls.getCACertificates()
  * v8: add v8.getCppHeapStatistics() method
- Changes from version 22.14.0:
  * fs: allow exclude option in globs to accept glob patterns
  * lib: add typescript support to STDIN eval
  * module: add ERR_UNSUPPORTED_TYPESCRIPT_SYNTAX
  * module: add findPackageJSON util
  * process: add process.ref() and process.unref() methods
  * sqlite: support TypedArray and DataView in StatementSync
  * src: add --disable-sigusr1 to prevent signal i/o thread
  * src,worker: add isInternalWorker
  * test_runner: add TestContext.prototype.waitFor()
  * test_runner: add t.assert.fileSnapshot()
  * test_runner: add assert.register() API
  * worker: add eval ts input
- Build with PIE (bsc#1239949).
- Fix builds with OpenSSL 3.5.0 (bsc#1241050).

Package list:
nodejs22-22.15.1-150700.3.3.1.src.rpm
nodejs22-22.15.1-150700.3.3.1.x86_64.rpm
nodejs22-devel-22.15.1-150700.3.3.1.x86_64.rpm
nodejs22-docs-22.15.1-150700.3.3.1.noarch.rpm
npm22-22.15.1-150700.3.3.1.x86_64.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2280: Security update for tomcat (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat fixes the following issues:
- CVE-2025-46701: CGI servlet refactored to access resources via WebResources (bsc#1243815)
- CVE-2025-48988: limit the total number of parts in a multipart request and the size of the headers provided with each part (bsc#1244656)
- CVE-2025-49125: expanded checks for webAppMount (bsc#1244649)
Other bugfixes:
- Made permissions more secure (bsc#1242722)

Package list:
tomcat-9.0.106-150200.86.1.noarch.rpm
tomcat-9.0.106-150200.86.1.src.rpm
tomcat-admin-webapps-9.0.106-150200.86.1.noarch.rpm
tomcat-el-3_0-api-9.0.106-150200.86.1.noarch.rpm
tomcat-jsp-2_3-api-9.0.106-150200.86.1.noarch.rpm
tomcat-lib-9.0.106-150200.86.1.noarch.rpm
tomcat-servlet-4_0-api-9.0.106-150200.86.1.noarch.rpm
tomcat-webapps-9.0.106-150200.86.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2261: Security update for tomcat10 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat10 fixes the following issues:

Update to Tomcat 10.1.42:
- CVE-2025-46701: CGI servlet refactored to access resources via WebResources (bsc#1243815)
- CVE-2025-48988: limit the total number of parts in a multipart request and the size of the headers provided with each part (bsc#1244656)
- CVE-2025-49125: expanded checks for webAppMount (bsc#1244649)
- Hardening of file permissions (bsc#1242722)

Other upstream changes:
* Catalina:
  + Add: Support for the java:module namespace which mirrors the java:comp namespace.
  + Add: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp.
  + Add: Support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters.
  + Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite.
  + Add: #863: Support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp.
  + Fix: 69706: Saved request serialization issue in FORM introduced when allowing infinite session timeouts.
  + Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application.
  + Fix: Use of SSS in SimpleDateFormat pattern for AccessLogValve.
  + Fix: Process possible path parameters rewrite production in the rewrite valve.
  + Fix: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources.
  + Add: 69633: Support for Filters using context root mappings.
  + Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier.
  + Fix: #843: Off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp.
  + Refactor: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer.
  + Refactor: CGI servlet to access resources via the WebResource API.
  + Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith.
  + Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts.
  + Add: Provide a content type based on file extension when web application resources are accessed via a URL.
* Coyote:
  + Refactor: #861: TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida.
  + Add: Finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve.
  + Refactor: The SavedRequestInputFilter so the buffered data is used directly rather than copied.
* Jasper:
  + Fix: 69696: Mark the JSP wrapper for reload after a failed compilation.
  + Fix: 69635: Add support to jakarta.el.ImportHandler for resolving inner classes.
  + Add: #842: Support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations.
  + Fix: An edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635.
* Web applications:
  + Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails.
  + Add: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram.
* Other:
  + Add: Thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang.
  + Update: Tomcat Native to 2.0.9.
  + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05).
  + Update: EasyMock to 5.6.0.
  + Update: Checkstyle to 10.25.0.
  + Fix: Use the full path when the installer for Windows calls icacls.exe to set file permissions.
  + Update: Improvements to Japanese translations provided by tak7iji.
  + Fix: Set sun.io.useCanonCaches in service.bat. Based on pull request #841 by Paul Lodge.
  + Update: Jacoco to 0.8.13.
  + Code: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds.
  + Update: Byte Buddy to 1.17.5.
  + Update: Checkstyle to 10.23.1.
  + Update: File extension to media type mappings to align with the current list used by the Apache Web Server (httpd).
  + Update: Improvements to French translations.
  + Update: Improvements to Japanese translations provided by tak7iji.

Package list:
tomcat10-10.1.42-150200.5.45.1.noarch.rpm
tomcat10-10.1.42-150200.5.45.1.src.rpm
tomcat10-admin-webapps-10.1.42-150200.5.45.1.noarch.rpm
tomcat10-el-5_0-api-10.1.42-150200.5.45.1.noarch.rpm
tomcat10-jsp-3_1-api-10.1.42-150200.5.45.1.noarch.rpm
tomcat10-lib-10.1.42-150200.5.45.1.noarch.rpm
tomcat10-servlet-6_0-api-10.1.42-150200.5.45.1.noarch.rpm
tomcat10-webapps-10.1.42-150200.5.45.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2159: Security update for apache-commons-fileupload (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for apache-commons-fileupload fixes the following issues:

Upgrade to upstream version 1.6.0:
- CVE-2025-48976: fixed resource allocation for multipart headers without sufficient limits, which could lead to a DoS (bsc#1244657)

Full changelog: https://commons.apache.org/proper/commons-fileupload/changes.html#a1.6.0

Package list:
apache-commons-fileupload-1.6.0-150200.3.12.1.noarch.rpm
apache-commons-fileupload-1.6.0-150200.3.12.1.src.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2715: Feature update for tomcat11 (moderate)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat11 fixes the following issues:
- New implementation of Tomcat 11 (jsc#PED-12830)

Package list:
tomcat11-11.0.8-150600.13.3.2.noarch.rpm
tomcat11-11.0.8-150600.13.3.2.src.rpm
tomcat11-admin-webapps-11.0.8-150600.13.3.2.noarch.rpm
tomcat11-el-6_0-api-11.0.8-150600.13.3.2.noarch.rpm
tomcat11-jsp-4_0-api-11.0.8-150600.13.3.2.noarch.rpm
tomcat11-lib-11.0.8-150600.13.3.2.noarch.rpm
tomcat11-servlet-6_1-api-11.0.8-150600.13.3.2.noarch.rpm
tomcat11-webapps-11.0.8-150600.13.3.2.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2462: Security update for php8 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for php8 fixes the following issues:

Version update to 8.3.23:
- CVE-2025-1220: fixed null byte termination in hostnames (bsc#1246167)
- CVE-2025-1735: fixed the pgsql extension not checking for errors during escaping (bsc#1246146)
- CVE-2025-6491: fixed a NULL pointer dereference in the PHP SOAP extension via a large XML namespace prefix (bsc#1246148)

Package list:
apache2-mod_php8-8.3.23-150700.3.3.1.src.rpm
apache2-mod_php8-8.3.23-150700.3.3.1.x86_64.rpm
php8-8.3.23-150700.3.3.1.src.rpm
php8-8.3.23-150700.3.3.1.x86_64.rpm
php8-bcmath-8.3.23-150700.3.3.1.x86_64.rpm
php8-bz2-8.3.23-150700.3.3.1.x86_64.rpm
php8-calendar-8.3.23-150700.3.3.1.x86_64.rpm
php8-cli-8.3.23-150700.3.3.1.x86_64.rpm
php8-ctype-8.3.23-150700.3.3.1.x86_64.rpm
php8-curl-8.3.23-150700.3.3.1.x86_64.rpm
php8-dba-8.3.23-150700.3.3.1.x86_64.rpm
php8-devel-8.3.23-150700.3.3.1.x86_64.rpm
php8-dom-8.3.23-150700.3.3.1.x86_64.rpm
php8-embed-8.3.23-150700.3.3.1.src.rpm
php8-embed-8.3.23-150700.3.3.1.x86_64.rpm
php8-enchant-8.3.23-150700.3.3.1.x86_64.rpm
php8-exif-8.3.23-150700.3.3.1.x86_64.rpm
php8-fastcgi-8.3.23-150700.3.3.1.src.rpm
php8-fastcgi-8.3.23-150700.3.3.1.x86_64.rpm
php8-fileinfo-8.3.23-150700.3.3.1.x86_64.rpm
php8-fpm-8.3.23-150700.3.3.1.src.rpm
php8-fpm-8.3.23-150700.3.3.1.x86_64.rpm
php8-ftp-8.3.23-150700.3.3.1.x86_64.rpm
php8-gd-8.3.23-150700.3.3.1.x86_64.rpm
php8-gettext-8.3.23-150700.3.3.1.x86_64.rpm
php8-gmp-8.3.23-150700.3.3.1.x86_64.rpm
php8-iconv-8.3.23-150700.3.3.1.x86_64.rpm
php8-intl-8.3.23-150700.3.3.1.x86_64.rpm
php8-ldap-8.3.23-150700.3.3.1.x86_64.rpm
php8-mbstring-8.3.23-150700.3.3.1.x86_64.rpm
php8-mysql-8.3.23-150700.3.3.1.x86_64.rpm
php8-odbc-8.3.23-150700.3.3.1.x86_64.rpm
php8-opcache-8.3.23-150700.3.3.1.x86_64.rpm
php8-openssl-8.3.23-150700.3.3.1.x86_64.rpm
php8-pcntl-8.3.23-150700.3.3.1.x86_64.rpm
php8-pdo-8.3.23-150700.3.3.1.x86_64.rpm
php8-pgsql-8.3.23-150700.3.3.1.x86_64.rpm
php8-phar-8.3.23-150700.3.3.1.x86_64.rpm
php8-posix-8.3.23-150700.3.3.1.x86_64.rpm
php8-readline-8.3.23-150700.3.3.1.x86_64.rpm
php8-shmop-8.3.23-150700.3.3.1.x86_64.rpm
php8-snmp-8.3.23-150700.3.3.1.x86_64.rpm
php8-soap-8.3.23-150700.3.3.1.x86_64.rpm
php8-sockets-8.3.23-150700.3.3.1.x86_64.rpm
php8-sodium-8.3.23-150700.3.3.1.x86_64.rpm
php8-sqlite-8.3.23-150700.3.3.1.x86_64.rpm
php8-sysvmsg-8.3.23-150700.3.3.1.x86_64.rpm
php8-sysvsem-8.3.23-150700.3.3.1.x86_64.rpm
php8-sysvshm-8.3.23-150700.3.3.1.x86_64.rpm
php8-test-8.3.23-150700.3.3.2.src.rpm
php8-test-8.3.23-150700.3.3.2.x86_64.rpm
php8-tidy-8.3.23-150700.3.3.1.x86_64.rpm
php8-tokenizer-8.3.23-150700.3.3.1.x86_64.rpm
php8-xmlreader-8.3.23-150700.3.3.1.x86_64.rpm
php8-xmlwriter-8.3.23-150700.3.3.1.x86_64.rpm
php8-xsl-8.3.23-150700.3.3.1.x86_64.rpm
php8-zip-8.3.23-150700.3.3.1.x86_64.rpm
php8-zlib-8.3.23-150700.3.3.1.x86_64.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2979: Security update for tomcat11 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat11 fixes the following issues:

Updated to Tomcat 11.0.9:
- CVE-2025-52520: fixed an integer overflow that can lead to DoS for some unlikely configurations of multipart upload (bsc#1246388)
- CVE-2025-53506: fixed uncontrolled resource consumption by HTTP/2 clients (bsc#1246318)

Other:
- Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator.
Package list:
tomcat11-11.0.9-150600.13.6.1.noarch.rpm
tomcat11-11.0.9-150600.13.6.1.src.rpm
tomcat11-admin-webapps-11.0.9-150600.13.6.1.noarch.rpm
tomcat11-el-6_0-api-11.0.9-150600.13.6.1.noarch.rpm
tomcat11-jsp-4_0-api-11.0.9-150600.13.6.1.noarch.rpm
tomcat11-lib-11.0.9-150600.13.6.1.noarch.rpm
tomcat11-servlet-6_1-api-11.0.9-150600.13.6.1.noarch.rpm
tomcat11-webapps-11.0.9-150600.13.6.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-3024: Security update for tomcat (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat fixes the following issues:

Updated to Tomcat 9.0.108:
- CVE-2025-52520: fixed an integer overflow that can lead to DoS for some unlikely configurations of multipart upload (bsc#1246388)
- CVE-2025-53506: fixed uncontrolled resource consumption by HTTP/2 clients (bsc#1246318)
- CVE-2025-52434: fixed a race condition on connection close when using the APR/Native connector, leading to a JVM crash (bsc#1246389)
- CVE-2025-48989: fixed the "MadeYouReset" DoS in HTTP/2 due to client-triggered stream resets (bsc#1243895)

Other:
- Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator.

Package list:
tomcat-9.0.108-150200.91.1.noarch.rpm
tomcat-9.0.108-150200.91.1.src.rpm
tomcat-admin-webapps-9.0.108-150200.91.1.noarch.rpm
tomcat-el-3_0-api-9.0.108-150200.91.1.noarch.rpm
tomcat-jsp-2_3-api-9.0.108-150200.91.1.noarch.rpm
tomcat-lib-9.0.108-150200.91.1.noarch.rpm
tomcat-servlet-4_0-api-9.0.108-150200.91.1.noarch.rpm
tomcat-webapps-9.0.108-150200.91.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2978: Security update for tomcat10 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat10 fixes the following issues:

Updated to Tomcat 10.1.43:
- CVE-2025-52520: fixed an integer overflow that can lead to DoS for some unlikely configurations of multipart upload (bsc#1246388)
- CVE-2025-53506: fixed uncontrolled resource consumption by HTTP/2 clients (bsc#1246318)

Other:
- Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator.

Package list:
tomcat10-10.1.43-150200.5.48.1.noarch.rpm
tomcat10-10.1.43-150200.5.48.1.src.rpm
tomcat10-admin-webapps-10.1.43-150200.5.48.1.noarch.rpm
tomcat10-el-5_0-api-10.1.43-150200.5.48.1.noarch.rpm
tomcat10-jsp-3_1-api-10.1.43-150200.5.48.1.noarch.rpm
tomcat10-lib-10.1.43-150200.5.48.1.noarch.rpm
tomcat10-servlet-6_0-api-10.1.43-150200.5.48.1.noarch.rpm
tomcat10-webapps-10.1.43-150200.5.48.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2992: Security update for tomcat11 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat11 fixes the following issues:

Updated to Tomcat 11.0.10:
- CVE-2025-48989: fixed the "MadeYouReset" DoS in HTTP/2 due to client-triggered stream resets (bsc#1243895)

Other fixes:
* Catalina:
  + Fix: Fix bloom filter population for archive indexing when using a packed WAR containing one or more JAR files. (markt)
* Coyote:
  + Fix: 69748: Add missing call to set keep-alive timeout when using HTTP/1.1 following an async request, which was present for AJP. (remm/markt)
  + Fix: 69762: Fix possible overflow during HPACK decoding of integers. Note that the maximum permitted value of an HPACK decoded integer is Integer.MAX_VALUE. (markt)
  + Fix: Update the HTTP/2 overhead documentation - particularly the code comments - to reflect the deprecation of the PRIORITY frame and clarify that a stream reset always triggers an overhead increase. (markt)
* Cluster:
  + Update: Add enableStatistics configuration attribute for the DeltaManager, defaulting to true. (remm)
* WebSocket:
  + Fix: Align the WebSocket extension handling for WebSocket client connections with WebSocket server connections. The WebSocket client now only includes an extension requested by an endpoint in the opening handshake if the WebSocket client supports that extension. (markt)
* Web applications:
  + Fix: Manager and Host Manager. Provide the Manager and Host Manager web applications with a dedicated favicon file rather than using the one from the ROOT web application which might not be present or may represent something entirely different. Pull requests #876 and #878 by Simon Arame.
* Other:
  + Update: Update Checkstyle to 10.26.1. (markt)
  + Add: Improvements to French translations. (remm)
  + Add: Improvements to Japanese translations by tak7iji. (markt)

Package list:
tomcat11-11.0.10-150600.13.9.1.noarch.rpm
tomcat11-11.0.10-150600.13.9.1.src.rpm
tomcat11-admin-webapps-11.0.10-150600.13.9.1.noarch.rpm
tomcat11-el-6_0-api-11.0.10-150600.13.9.1.noarch.rpm
tomcat11-jsp-4_0-api-11.0.10-150600.13.9.1.noarch.rpm
tomcat11-lib-11.0.10-150600.13.9.1.noarch.rpm
tomcat11-servlet-6_1-api-11.0.10-150600.13.9.1.noarch.rpm
tomcat11-webapps-11.0.10-150600.13.9.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-3006: Security update for tomcat10 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat10 fixes the following issues:

Updated to Tomcat 10.1.44:
- CVE-2025-48989: fixed the "MadeYouReset" DoS in HTTP/2 due to client-triggered stream resets (bsc#1243895)

Other fixes:
* Catalina:
  + Fix: Fix bloom filter population for archive indexing when using a packed WAR containing one or more JAR files. (markt)
* Coyote:
  + Fix: 69748: Add missing call to set keep-alive timeout when using HTTP/1.1 following an async request, which was present for AJP. (remm/markt)
  + Fix: 69762: Fix possible overflow during HPACK decoding of integers. Note that the maximum permitted value of an HPACK decoded integer is Integer.MAX_VALUE. (markt)
  + Fix: Update the HTTP/2 overhead documentation - particularly the code comments - to reflect the deprecation of the PRIORITY frame and clarify that a stream reset always triggers an overhead increase. (markt)
  + Fix: 69762: Additional overflow fix for HPACK decoding of integers. Pull request #880 by Chenjp. (markt)
* Cluster:
  + Update: Add enableStatistics configuration attribute for the DeltaManager, defaulting to true. (remm)
* WebSocket:
  + Fix: Align the WebSocket extension handling for WebSocket client connections with WebSocket server connections. The WebSocket client now only includes an extension requested by an endpoint in the opening handshake if the WebSocket client supports that extension. (markt)
* Web applications:
  + Fix: Manager and Host Manager. Provide the Manager and Host Manager web applications with a dedicated favicon file rather than using the one from the ROOT web application which might not be present or may represent something entirely different. Pull requests #876 and #878 by Simon Arame.
* Other:
  + Update: Update Checkstyle to 10.26.1. (markt)
  + Add: Improvements to French translations. (remm)
  + Add: Improvements to Japanese translations by tak7iji. (markt)

Package list:
tomcat10-10.1.44-150200.5.51.1.noarch.rpm
tomcat10-10.1.44-150200.5.51.1.src.rpm
tomcat10-admin-webapps-10.1.44-150200.5.51.1.noarch.rpm
tomcat10-el-5_0-api-10.1.44-150200.5.51.1.noarch.rpm
tomcat10-jsp-3_1-api-10.1.44-150200.5.51.1.noarch.rpm
tomcat10-lib-10.1.44-150200.5.51.1.noarch.rpm
tomcat10-servlet-6_0-api-10.1.44-150200.5.51.1.noarch.rpm
tomcat10-webapps-10.1.44-150200.5.51.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-4159: Security update for tomcat (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat fixes the following issues:

Update to Tomcat 9.0.111:
- CVE-2025-55752: fixed a directory traversal via rewrite, with possible RCE if PUT is enabled (bsc#1252753)
- CVE-2025-55754: fixed improper neutralization of escape, meta, or control sequences (bsc#1252905)
- CVE-2025-61795: fixed a denial of service due to temporary copies during the processing of multipart uploads (bsc#1252756)

Package list:
tomcat-9.0.111-150200.96.1.noarch.rpm
tomcat-9.0.111-150200.96.1.src.rpm
tomcat-admin-webapps-9.0.111-150200.96.1.noarch.rpm
tomcat-el-3_0-api-9.0.111-150200.96.1.noarch.rpm
tomcat-jsp-2_3-api-9.0.111-150200.96.1.noarch.rpm
tomcat-lib-9.0.111-150200.96.1.noarch.rpm
tomcat-servlet-4_0-api-9.0.111-150200.96.1.noarch.rpm
tomcat-webapps-9.0.111-150200.96.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-4103: Security update for tomcat10 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat10 fixes the following issues:

Update to Tomcat 10.1.48:
- CVE-2025-55752: fixed a directory traversal via rewrite, with possible RCE if PUT is enabled (bsc#1252753)
- CVE-2025-55754: fixed improper neutralization of escape, meta, or control sequences (bsc#1252905)
- CVE-2025-61795: fixed a denial of service due to temporary copies during the processing of multipart uploads (bsc#1252756)

Package list:
tomcat10-10.1.48-150200.5.54.1.noarch.rpm
tomcat10-10.1.48-150200.5.54.1.src.rpm
tomcat10-admin-webapps-10.1.48-150200.5.54.1.noarch.rpm
tomcat10-el-5_0-api-10.1.48-150200.5.54.1.noarch.rpm
tomcat10-jsp-3_1-api-10.1.48-150200.5.54.1.noarch.rpm
tomcat10-lib-10.1.48-150200.5.54.1.noarch.rpm
tomcat10-servlet-6_0-api-10.1.48-150200.5.54.1.noarch.rpm
tomcat10-webapps-10.1.48-150200.5.54.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-4086: Security update for tomcat11 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat11 fixes the following issues:

Update to Tomcat 11.0.13:
- CVE-2025-55752: fixed a directory traversal via rewrite, with possible RCE if PUT is enabled (bsc#1252753)
- CVE-2025-55754: fixed improper neutralization of escape, meta, or control sequences (bsc#1252905)
- CVE-2025-61795: fixed a denial of service due to temporary copies during the processing of multipart uploads (bsc#1252756)

Package list:
tomcat11-11.0.13-150600.13.12.1.noarch.rpm
tomcat11-11.0.13-150600.13.12.1.src.rpm
tomcat11-admin-webapps-11.0.13-150600.13.12.1.noarch.rpm
tomcat11-el-6_0-api-11.0.13-150600.13.12.1.noarch.rpm
tomcat11-jsp-4_0-api-11.0.13-150600.13.12.1.noarch.rpm
tomcat11-lib-11.0.13-150600.13.12.1.noarch.rpm
tomcat11-servlet-6_1-api-11.0.13-150600.13.12.1.noarch.rpm
tomcat11-webapps-11.0.13-150600.13.12.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-4286: Recommended update for tomcat10 (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat10 fixes the following issues:
- Make catalina.sh %config(noreplace) (bsc#1253460)

Package list:
tomcat10-10.1.48-150200.5.58.1.noarch.rpm
tomcat10-10.1.48-150200.5.58.1.src.rpm
tomcat10-admin-webapps-10.1.48-150200.5.58.1.noarch.rpm
tomcat10-el-5_0-api-10.1.48-150200.5.58.1.noarch.rpm
tomcat10-jsp-3_1-api-10.1.48-150200.5.58.1.noarch.rpm
tomcat10-lib-10.1.48-150200.5.58.1.noarch.rpm
tomcat10-servlet-6_0-api-10.1.48-150200.5.58.1.noarch.rpm
tomcat10-webapps-10.1.48-150200.5.58.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2025-4304: Recommended update for tomcat (important)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for tomcat fixes the following issues:
- Make catalina.sh %config(noreplace) (bsc#1253460)

Package list:
tomcat-9.0.111-150200.99.1.noarch.rpm
tomcat-9.0.111-150200.99.1.src.rpm
tomcat-admin-webapps-9.0.111-150200.99.1.noarch.rpm
tomcat-el-3_0-api-9.0.111-150200.99.1.noarch.rpm
tomcat-jsp-2_3-api-9.0.111-150200.99.1.noarch.rpm
tomcat-lib-9.0.111-150200.99.1.noarch.rpm
tomcat-servlet-4_0-api-9.0.111-150200.99.1.noarch.rpm
tomcat-webapps-9.0.111-150200.99.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2026-35: Recommended update for php8 (moderate)
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64

This update for php8 fixes the following issues:
- The main package now requires the wwwrun:www user and group, which its file list assumes (bsc#1255043)

Package list:
apache2-mod_php8-8.3.23-150700.3.6.1.src.rpm
apache2-mod_php8-8.3.23-150700.3.6.1.x86_64.rpm
php8-8.3.23-150700.3.6.1.src.rpm
php8-8.3.23-150700.3.6.1.x86_64.rpm
php8-bcmath-8.3.23-150700.3.6.1.x86_64.rpm
php8-bz2-8.3.23-150700.3.6.1.x86_64.rpm
php8-calendar-8.3.23-150700.3.6.1.x86_64.rpm
php8-cli-8.3.23-150700.3.6.1.x86_64.rpm
php8-ctype-8.3.23-150700.3.6.1.x86_64.rpm
php8-curl-8.3.23-150700.3.6.1.x86_64.rpm
php8-dba-8.3.23-150700.3.6.1.x86_64.rpm
php8-devel-8.3.23-150700.3.6.1.x86_64.rpm
php8-dom-8.3.23-150700.3.6.1.x86_64.rpm
php8-embed-8.3.23-150700.3.6.1.src.rpm
php8-embed-8.3.23-150700.3.6.1.x86_64.rpm
php8-enchant-8.3.23-150700.3.6.1.x86_64.rpm
php8-exif-8.3.23-150700.3.6.1.x86_64.rpm
php8-fastcgi-8.3.23-150700.3.6.1.src.rpm
php8-fastcgi-8.3.23-150700.3.6.1.x86_64.rpm
php8-fileinfo-8.3.23-150700.3.6.1.x86_64.rpm php8-fpm-8.3.23-150700.3.6.1.src.rpm php8-fpm-8.3.23-150700.3.6.1.x86_64.rpm php8-ftp-8.3.23-150700.3.6.1.x86_64.rpm php8-gd-8.3.23-150700.3.6.1.x86_64.rpm php8-gettext-8.3.23-150700.3.6.1.x86_64.rpm php8-gmp-8.3.23-150700.3.6.1.x86_64.rpm php8-iconv-8.3.23-150700.3.6.1.x86_64.rpm php8-intl-8.3.23-150700.3.6.1.x86_64.rpm php8-ldap-8.3.23-150700.3.6.1.x86_64.rpm php8-mbstring-8.3.23-150700.3.6.1.x86_64.rpm php8-mysql-8.3.23-150700.3.6.1.x86_64.rpm php8-odbc-8.3.23-150700.3.6.1.x86_64.rpm php8-opcache-8.3.23-150700.3.6.1.x86_64.rpm php8-openssl-8.3.23-150700.3.6.1.x86_64.rpm php8-pcntl-8.3.23-150700.3.6.1.x86_64.rpm php8-pdo-8.3.23-150700.3.6.1.x86_64.rpm php8-pgsql-8.3.23-150700.3.6.1.x86_64.rpm php8-phar-8.3.23-150700.3.6.1.x86_64.rpm php8-posix-8.3.23-150700.3.6.1.x86_64.rpm php8-readline-8.3.23-150700.3.6.1.x86_64.rpm php8-shmop-8.3.23-150700.3.6.1.x86_64.rpm php8-snmp-8.3.23-150700.3.6.1.x86_64.rpm php8-soap-8.3.23-150700.3.6.1.x86_64.rpm php8-sockets-8.3.23-150700.3.6.1.x86_64.rpm php8-sodium-8.3.23-150700.3.6.1.x86_64.rpm php8-sqlite-8.3.23-150700.3.6.1.x86_64.rpm php8-sysvmsg-8.3.23-150700.3.6.1.x86_64.rpm php8-sysvsem-8.3.23-150700.3.6.1.x86_64.rpm php8-sysvshm-8.3.23-150700.3.6.1.x86_64.rpm php8-test-8.3.23-150700.3.6.1.src.rpm php8-test-8.3.23-150700.3.6.1.x86_64.rpm php8-tidy-8.3.23-150700.3.6.1.x86_64.rpm php8-tokenizer-8.3.23-150700.3.6.1.x86_64.rpm php8-xmlreader-8.3.23-150700.3.6.1.x86_64.rpm php8-xmlwriter-8.3.23-150700.3.6.1.x86_64.rpm php8-xsl-8.3.23-150700.3.6.1.x86_64.rpm php8-zip-8.3.23-150700.3.6.1.x86_64.rpm php8-zlib-8.3.23-150700.3.6.1.x86_64.rpm SUSE-SLE-Module-Web-Scripting-15-SP7-2026-86 Security update for php8 moderate SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86 64 This update for php8 fixes the following issues: Security fixes: - CVE-2025-14177: getimagesize() function may leak uninitialized heap memory into the APPn segments when reading images in multi-chunk mode (bsc#1255710). 
- CVE-2025-14178: heap buffer overflow occurs in array_merge() when the total element count of packed arrays exceeds 32-bit limits or HT_MAX_SIZE (bsc#1255711). - CVE-2025-14180: null pointer dereference in pdo_parse_params() function when using the PDO PostgreSQL driver with PDO::ATTR_EMULATE_PREPARES enabled (bsc#1255712). Other fixes: Version 8.3.29 Core: Sync all boost.context files with release 1.86.0. Fixed bug GH-20435 (SensitiveParameter doesn't work for named argument passing to variadic parameter). Fixed bug GH-20286 (use-after-destroy during userland stream_close()). Bz2: Fix assertion failures resulting in crashes with stream filter object parameters. Date: Fix crashes when trying to instantiate uninstantiable classes via date static constructors. DOM: Fix missing NUL byte check on C14NFile(). Fibers: Fixed bug GH-20483 (ASAN stack overflow with fiber.stack_size INI small value). FTP: Fixed bug GH-20601 (ftp_connect overflow on timeout). GD: Fixed bug GH-20511 (imagegammacorrect out of range input/output values). Fixed bug GH-20602 (imagescale overflow with large height values). Intl: Fixed bug GH-20426 (Spoofchecker::setRestrictionLevel() error message suggests missing constants). LibXML: Fix some deprecations on newer libxml versions regarding input buffer/parser handling. MbString: Fixed bug GH-20491 (SLES15 compile error with mbstring oniguruma). Fixed bug GH-20492 (mbstring compile warning due to non-strings). MySQLnd: Fixed bug GH-20528 (Regression breaks mysql connexion using an IPv6 address enclosed in square brackets). Opcache: Fixed bug GH-20329 (opcache.file_cache broken with full interned string buffer). PDO: Fixed GHSA-8xr5-qppj-gvwj (PDO quoting result null deref). (CVE-2025-14180) Phar: Fixed bug GH-20442 (Phar does not respect case-insensitiveness of __halt_compiler() when reading stub). Fix broken return value of fflush() for phar file entries. Fix assertion failure when fseeking a phar file out of bounds. 
PHPDBG: Fixed ZPP type violation in phpdbg_get_executable() and phpdbg_end_oplog(). SPL: Fixed bug GH-20614 (SplFixedArray incorrectly handles references in deserialization). Standard: Fix memory leak in array_diff() with custom type checks. Fixed bug GH-20583 (Stack overflow in http_build_query via deep structures). Fixed GHSA-www2-q4fc-65wf (Null byte termination in dns_get_record()). Fixed GHSA-h96m-rvf9-jgm2 (Heap buffer overflow in array_merge()). (CVE-2025-14178) Fixed GHSA-3237-qqm7-mfv7 (Information Leak of Memory in getimagesize). (CVE-2025-14177) Tidy: Fixed bug GH-20374 (PHP with tidy and custom-tags). XML: Fixed bug GH-20439 (xml_set_default_handler() does not properly handle special characters in attributes when passing data to callback). Zip: Fix crash in property existence test. Don't truncate return value of zip_fread() with user sizes. Zlib: Fix assertion failures resulting in crashes with stream filter object parameters. Version 8.3.28 Core: Fixed bug GH-19934 (CGI with auto_globals_jit=0 causes uouv). Fixed bug GH-20073 (Assertion failure in WeakMap offset operations on reference). Fixed bug GH-19844 (Don't bail when closing resources on shutdown). Fixed bug GH-20177 (Accessing overridden private property in get_object_vars() triggers assertion error). Fixed bug GH-20183 (Stale EG(opline_before_exception) pointer through eval). DOM: Partially fixed bug GH-16317 (DOM classes do not allow __debugInfo() overrides to work). Exif: Fix possible memory leak when tag is empty. FPM: Fixed bug GH-19974 (fpm_status_export_to_zval segfault for parallel execution). FTP: Fixed bug GH-20240 (FTP with SSL: ftp_fput(): Connection timed out on successful writes). GD: Fixed bug GH-20070 (Return type violation in imagefilter when an invalid filter is provided). Intl: Fix memory leak on error in locale_filter_matches(). LibXML: Fix not thread safe schema/relaxng calls. MySQLnd: Fixed bug GH-8978 (SSL certificate verification fails (port doubled)). 
  * Fixed bug GH-20122 (getColumnMeta() for JSON-column in MySQL).
- Opcache:
  * Fixed bug GH-20081 (access to uninitialized vars in preload_load()).
  * Fixed bug GH-20121 (JIT broken in ZTS builds on MacOS 15).
- PgSql:
  * Fix memory leak when first string conversion fails.
  * Fix segfaults when attempting to fetch row into a non-instantiable class name.
- Phar:
  * Fix memory leak of argument in webPhar.
  * Fix memory leak when setAlias() fails.
  * Fix a bunch of memory leaks in phar_parse_zipfile() error handling.
  * Fix file descriptor/memory leak when opening central fp fails.
  * Fix memleak+UAF when opening temp stream in buildFromDirectory() fails.
  * Fix potential buffer length truncation due to usage of type int instead of type size_t.
  * Fix memory leak when openssl polyfill returns garbage.
  * Fix file descriptor leak in phar_zip_flush() on failure.
  * Fix memory leak when opening temp file fails while trying to open gzip-compressed archive.
  * Fixed bug GH-20302 (Freeing a phar alias may invalidate PharFileInfo objects).
- Random:
  * Fix Randomizer::__serialize() w.r.t. INDIRECTs.
- SimpleXML:
  * Partially fixed bug GH-16317 (SimpleXML does not allow __debugInfo() overrides to work).
- Standard:
  * Fix shm corruption with coercion in options of unserialize().
- Streams:
  * Fixed bug GH-19798: XP_SOCKET XP_SSL (Socket stream modules): Incorrect condition for Win32/Win64.
- Tidy:
  * Fixed GH-19021 (improved tidyOptGetCategory detection).
  * Fix UAF in tidy when tidySetErrorBuffer() fails.
- XMLReader:
  * Fix arginfo/zpp violations when LIBXML_SCHEMAS_ENABLED is not available.
- Windows:
  * Fix GH-19722 (_get_osfhandle asserts in debug mode when given a socket).
- Zip:
  * Fix memory leak when enc_method/enc_password is passed as option for ZipArchive::addGlob()/addPattern() and with consecutive calls.
Version 8.3.27
- Core:
  * Fixed bug GH-19765 (object_properties_load() bypasses readonly property checks).
  * Fixed hard_timeout with --enable-zend-max-execution-timers.
  * Fixed bug GH-19792 (SCCP causes UAF for return value if both warning and exception are triggered).
  * Fixed bug GH-19653 (Closure named argument unpacking between temporary closures can cause a crash).
  * Fixed bug GH-19839 (Incorrect HASH_FLAG_HAS_EMPTY_IND flag on userland array).
  * Fixed bug GH-19480 (error_log php.ini cannot be unset when open_basedir is configured).
  * Fixed bug GH-20002 (Broken build on *BSD with MSAN).
- CLI:
  * Fix useless "Failed to poll event" error logs due to EAGAIN in CLI server with PHP_CLI_SERVER_WORKERS.
- Curl:
  * Fix cloning of CURLOPT_POSTFIELDS when using the clone operator instead of the curl_copy_handle() function to clone a CurlHandle.
  * Fix curl build and test failures with version 8.16.
- Date:
  * Fixed GH-17159: "P" format for ::createFromFormat swallows string literals.
- DBA:
  * Fixed GH-19885 (dba_fetch() overflow on skip argument).
- GD:
  * Fixed GH-19955 (imagefttext() memory leak).
- MySQLnd:
  * Fixed bug #67563 (mysqli compiled with mysqlnd does not take ipv6 adress as parameter).
- Phar:
  * Fix memory leak and invalid continuation after tar header writing fails.
  * Fix memory leaks when creating temp file fails when applying zip signature.
- SimpleXML:
  * Fixed bug GH-19988 (zend_string_init with NULL pointer in simplexml (UB)).
- Soap:
  * Fixed bug GH-19784 (SoapServer memory leak).
  * Fixed bug GH-20011 (Array of SoapVar of unknown type causes crash).
- Standard:
  * Fixed bug GH-12265 (Cloning an object breaks serialization recursion).
  * Fixed bug GH-19701 (Serialize/deserialize loses some data).
  * Fixed bug GH-19801 (leaks in var_dump() and debug_zval_dump()).
  * Fixed bug GH-20043 (array_unique assertion failure with RC1 array causing an exception on sort).
  * Fixed bug GH-19926 (reset internal pointer earlier while splicing array while COW violation flag is still set).
  * Fixed bug GH-19570 (unable to fseek in /dev/zero and /dev/null).
- Streams:
  * Fixed bug GH-19248 (Use strerror_r instead of strerror in main).
  * Fixed bug GH-17345 (Bug #35916 was not completely fixed).
  * Fixed bug GH-19705 (segmentation when attempting to flush on non seekable stream).
- XMLReader:
  * Fixed bug GH-20009 (XMLReader leak on RelaxNG schema failure).
- Zip:
  * Fixed bug GH-19688 (Remove pattern overflow in zip addGlob()).
  * Fixed bug GH-19932 (Memory leak in zip setEncryptionName()/setEncryptionIndex()).
- Zlib:
  * Fixed bug GH-19922 (Double free on gzopen).
Version 8.3.26
- Core:
  * Fixed bug GH-18850 (Repeated inclusion of file with __halt_compiler() triggers "Constant already defined" warning).
  * Partially fixed bug GH-19542 (Scanning of string literals >=2GB will fail due to signed int overflow).
  * Fixed bug GH-19544 (GC treats ZEND_WEAKREF_TAG_MAP references as WeakMap references).
  * Fixed bug GH-19613 (Stale array iterator pointer).
  * Fixed bug GH-19679 (zend_ssa_range_widening may fail to converge).
  * Fixed bug GH-19681 (PHP_EXPAND_PATH broken with bash 5.3.0).
  * Fixed bug GH-19720 (Assertion failure when error handler throws when accessing a deprecated constant).
- CLI:
  * Fixed bug GH-19461 (Improve error message on listening error with IPv6 address).
- Date:
  * Fixed date_sunrise() and date_sunset() with partial-hour UTC offset.
- DOM:
  * Fixed bug GH-19612 (Mitigate libxml2 tree dictionary bug).
- FPM:
  * Fixed failed debug assertion when php_admin_value setting fails.
- GD:
  * Fixed bug GH-19579 (imagefilledellipse underflow on width argument).
- Intl:
  * Fixed bug GH-11952 (Fix locale strings canonicalization for IntlDateFormatter and NumberFormatter).
- OpenSSL:
  * Fixed bug GH-19245 (Success error message on TLS stream accept failure).
- PGSQL:
  * Fixed bug GH-19485 (potential use after free when using persistent pgsql connections).
- Phar:
  * Fixed memory leaks when verifying OpenSSL signature.
  * Fix memory leak in phar tar temporary file error handling code.
  * Fix metadata leak when phar convert logic fails.
  * Fix memory leak on failure in phar_convert_to_other().
  * Fixed bug GH-19752 (Phar decompression with invalid extension can cause UAF).
- Standard:
  * Fixed bug GH-16649 (UAF during array_splice).
  * Fixed bug GH-19577 (Avoid integer overflow when using a small offset and PHP_INT_MAX with LimitIterator).
- Streams:
  * Remove incorrect call to zval_ptr_dtor() in user_wrapper_metadata().
  * Fix OSS-Fuzz #385993744.
- Tidy:
  * Fixed GH-19021 build issue with libtidy with regard to the tidyOptIsReadonly deprecation and TidyInternalCategory being available later than tidyOptGetCategory.
- Zip:
  * Fix memory leak in zip when encountering empty glob result.
Version 8.3.25
- Core:
  * Fixed GH-19169 build issue with C++17 and ZEND_STATIC_ASSERT macro.
  * Fixed bug GH-18581 (Coerce numeric string keys from iterators when argument unpacking).
  * Fixed OSS-Fuzz #434346548 (Failed assertion with throwing __toString in binary const expr).
  * Fixed bug GH-19305 (Operands may be being released during comparison).
  * Fixed bug GH-19303 (Unpacking empty packed array into uninitialized array causes assertion failure).
  * Fixed bug GH-19306 (Generator can be resumed while fetching next value from delegated Generator).
  * Fixed bug GH-19326 (Calling Generator::throw() on a running generator with a non-Generator delegate crashes).
  * Fixed bug GH-18736 (Circumvented type check with return by ref + finally).
  * Fixed zend call stack size for macOS/arm64.
  * Fixed bug GH-19065 (Long match statement can segfault compiler during recursive SSA renaming).
- Calendar:
  * Fixed bug GH-19371 (integer overflow in calendar.c).
- FTP:
  * Fix theoretical issues with hrtime() not being available.
- GD:
  * Fix incorrect comparison with result of php_stream_can_cast().
- Hash:
  * Fix crash on clone failure.
- Intl:
  * Fixed GH-19261: msgfmt_parse_message leaks on message creation failure.
  * Fix return value on failure for resourcebundle count handler.
- LDAP:
  * Fixed bug GH-18529 (additional inheriting of TLS int options).
- LibXML:
  * Fixed bug GH-19098 (libxml<2.13 segmentation fault caused by php_libxml_node_free).
- MbString:
  * Fixed bug GH-19397 (mb_list_encodings() can cause crashes on shutdown).
- Opcache:
  * Reset global pointers to prevent use-after-free in zend_jit_status().
- OpenSSL:
  * Fixed bug GH-18986 (OpenSSL backend: incorrect RAND_{load,write}_file() return value check).
  * Fix error return check of EVP_CIPHER_CTX_ctrl().
  * Fixed bug GH-19428 (openssl_pkey_derive segfaults for DH derive with low key_length param).
- PDO Pgsql:
  * Fixed dangling pointer access on _pdo_pgsql_trim_message helper.
- Readline:
  * Fixed bug GH-19250 and bug #51360 (Invalid conftest for rl_pending_input).
- SOAP:
  * Fixed bug GH-18640 (heap-use-after-free ext/soap/php_encoding.c:299:32 in soap_check_zval_ref).
- Sockets:
  * Fix some potential crashes on incorrect argument value.
- Standard:
  * Fixed OSS Fuzz #433303828 (Leak in failed unserialize() with opcache).
  * Fix theoretical issues with hrtime() not being available.
  * Fixed bug GH-19300 (Nested array_multisort invocation with error breaks).
- Windows:
  * Free opened_path when opened_path_len >= MAXPATHLEN.
Version 8.3.24
- Calendar:
  * Fixed jewishtojd overflow on year argument.
- Core:
  * Fixed bug GH-18833 (Use after free with weakmaps dependent on destruction order).
  * Fix OSS-Fuzz #427814456.
  * Fix OSS-Fuzz #428983568 and #428760800.
  * Fixed bug GH-17204 -Wuseless-escape warnings emitted by re2c.
- Curl:
  * Fix memory leaks when returning refcounted value from curl callback.
  * Remove incorrect string release.
- LDAP:
  * Fixed GH-18902 ldap_exop/ldap_exop_sync assert triggered on empty request OID.
- MbString:
  * Fixed bug GH-18901 (integer overflow mb_split).
- OCI8:
  * Fixed bug GH-18873 (OCI_RETURN_LOBS flag causes oci8 to leak memory).
- Opcache:
  * Fixed bug GH-18639 (Internal class aliases can break preloading + JIT).
  * Fixed bug GH-14082 (Segmentation fault on unknown address 0x600000000018 in ext/opcache/jit/zend_jit.c).
- OpenSSL:
  * Fixed bug #80770 (It is not possible to get client peer certificate with stream_socket_server).
- PCNTL:
  * Fixed bug GH-18958 (Fatal error during shutdown after pcntl_rfork() or pcntl_forkx() with zend-max-execution-timers).
- Phar:
  * Fix stream double free in phar.
  * Fix phar crash and file corruption with SplFileObject.
- SOAP:
  * Fixed bug GH-18990, bug #81029, bug #47314 (SOAP HTTP socket not closing on object destruction).
  * Fix memory leak when URL parsing fails in redirect.
- SPL:
  * Fixed bug GH-19094 (Attaching class with no Iterator implementation to MultipleIterator causes crash).
- Standard:
  * Fix misleading errors in printf().
  * Fix RCN violations in array functions.
  * Fixed GH-18976 pack() overflow with h/H format and INT_MAX repeater value.
- Streams:
  * Fixed GH-13264 (fgets() and stream_get_line() do not return false on filter fatal error).
- Zip:
  * Fix leak when path is too long in ZipArchive::extractTo().
Packages:
apache2-mod_php8-8.3.29-150700.3.9.1.src.rpm
apache2-mod_php8-8.3.29-150700.3.9.1.x86_64.rpm
php8-8.3.29-150700.3.9.1.src.rpm
php8-8.3.29-150700.3.9.1.x86_64.rpm
php8-bcmath-8.3.29-150700.3.9.1.x86_64.rpm
php8-bz2-8.3.29-150700.3.9.1.x86_64.rpm
php8-calendar-8.3.29-150700.3.9.1.x86_64.rpm
php8-cli-8.3.29-150700.3.9.1.x86_64.rpm
php8-ctype-8.3.29-150700.3.9.1.x86_64.rpm
php8-curl-8.3.29-150700.3.9.1.x86_64.rpm
php8-dba-8.3.29-150700.3.9.1.x86_64.rpm
php8-devel-8.3.29-150700.3.9.1.x86_64.rpm
php8-dom-8.3.29-150700.3.9.1.x86_64.rpm
php8-embed-8.3.29-150700.3.9.1.src.rpm
php8-embed-8.3.29-150700.3.9.1.x86_64.rpm
php8-enchant-8.3.29-150700.3.9.1.x86_64.rpm
php8-exif-8.3.29-150700.3.9.1.x86_64.rpm
php8-fastcgi-8.3.29-150700.3.9.1.src.rpm
php8-fastcgi-8.3.29-150700.3.9.1.x86_64.rpm
php8-fileinfo-8.3.29-150700.3.9.1.x86_64.rpm
php8-fpm-8.3.29-150700.3.9.1.src.rpm
php8-fpm-8.3.29-150700.3.9.1.x86_64.rpm
php8-ftp-8.3.29-150700.3.9.1.x86_64.rpm
php8-gd-8.3.29-150700.3.9.1.x86_64.rpm
php8-gettext-8.3.29-150700.3.9.1.x86_64.rpm
php8-gmp-8.3.29-150700.3.9.1.x86_64.rpm
php8-iconv-8.3.29-150700.3.9.1.x86_64.rpm
php8-intl-8.3.29-150700.3.9.1.x86_64.rpm
php8-ldap-8.3.29-150700.3.9.1.x86_64.rpm
php8-mbstring-8.3.29-150700.3.9.1.x86_64.rpm
php8-mysql-8.3.29-150700.3.9.1.x86_64.rpm
php8-odbc-8.3.29-150700.3.9.1.x86_64.rpm
php8-opcache-8.3.29-150700.3.9.1.x86_64.rpm
php8-openssl-8.3.29-150700.3.9.1.x86_64.rpm
php8-pcntl-8.3.29-150700.3.9.1.x86_64.rpm
php8-pdo-8.3.29-150700.3.9.1.x86_64.rpm
php8-pgsql-8.3.29-150700.3.9.1.x86_64.rpm
php8-phar-8.3.29-150700.3.9.1.x86_64.rpm
php8-posix-8.3.29-150700.3.9.1.x86_64.rpm
php8-readline-8.3.29-150700.3.9.1.x86_64.rpm
php8-shmop-8.3.29-150700.3.9.1.x86_64.rpm
php8-snmp-8.3.29-150700.3.9.1.x86_64.rpm
php8-soap-8.3.29-150700.3.9.1.x86_64.rpm
php8-sockets-8.3.29-150700.3.9.1.x86_64.rpm
php8-sodium-8.3.29-150700.3.9.1.x86_64.rpm
php8-sqlite-8.3.29-150700.3.9.1.x86_64.rpm
php8-sysvmsg-8.3.29-150700.3.9.1.x86_64.rpm
php8-sysvsem-8.3.29-150700.3.9.1.x86_64.rpm
php8-sysvshm-8.3.29-150700.3.9.1.x86_64.rpm
php8-test-8.3.29-150700.3.9.1.src.rpm
php8-test-8.3.29-150700.3.9.1.x86_64.rpm
php8-tidy-8.3.29-150700.3.9.1.x86_64.rpm
php8-tokenizer-8.3.29-150700.3.9.1.x86_64.rpm
php8-xmlreader-8.3.29-150700.3.9.1.x86_64.rpm
php8-xmlwriter-8.3.29-150700.3.9.1.x86_64.rpm
php8-xsl-8.3.29-150700.3.9.1.x86_64.rpm
php8-zip-8.3.29-150700.3.9.1.x86_64.rpm
php8-zlib-8.3.29-150700.3.9.1.x86_64.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2026-301
Security update for nodejs22
Severity: important
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64
This update for nodejs22 fixes the following issues:
Security fixes:
- CVE-2026-22036: Fixed unbounded decompression chain in HTTP response leading to resource exhaustion (bsc#1256848)
- CVE-2026-21637: Fixed synchronous exceptions thrown during callbacks that bypass TLS error handling and cause denial of service (bsc#1256576)
- CVE-2025-55132: Fixed futimes() ability to access a file even if the process has read permissions only (bsc#1256571)
- CVE-2025-55131: Fixed race condition that allowed allocations with leftover data leading to in-process secrets exposure (bsc#1256570)
- CVE-2025-55130: Fixed filesystem permissions bypass via crafted symlinks (bsc#1256569)
- CVE-2025-59465: Fixed malformed HTTP/2 HEADERS frame with invalid HPACK leading to crash (bsc#1256573)
- CVE-2025-59466: Fixed uncatchable "Maximum call stack size exceeded"
error leading to crash (bsc#1256574)
Other fixes:
- Update to 22.22.0:
  * deps: updated undici to 6.23.0
  * deps: updated bundled c-ares to 1.34.6 (if used)
  * add TLSSocket default error handler
  * disable futimes when permission model is enabled
  * require full read and write to symlink APIs
  * rethrow stack overflow exceptions in async_hooks
  * refactor unsafe buffer creation to remove zero-fill toggle
  * route callback exceptions through error handlers
- Update to 22.21.1:
  * src: avoid unnecessary string -> char* -> string round trips
  * src: remove unnecessary shadowed functions on Utf8Value & BufferValue
  * process: fix hrtime fast call signatures
  * http: improve writeEarlyHints by avoiding for-of loop
- Update to 22.21.0:
  * cli: add --use-env-proxy
  * http: support http proxy for fetch under NODE_USE_ENV_PROXY
  * http: add shouldUpgradeCallback to let servers control HTTP upgrades
  * http,https: add built-in proxy support in http/https.request and Agent
  * src: add percentage support to --max-old-space-size
- Update to 22.20.0:
  * doc: stabilize --disable-sigusr1
  * doc: mark path.matchesGlob as stable
  * http: add Agent.agentKeepAliveTimeoutBuffer option
  * http2: add support for raw header arrays in h2Stream.respond()
  * inspector: add http2 tracking support
  * sea: implement execArgvExtension
  * sea: support execArgv in sea config
  * stream: add brotli support to CompressionStream and DecompressionStream
  * test_runner: support object property mocking
  * worker: add cpu profile APIs for worker
- Update to 22.19.0:
  * cli: add NODE_USE_SYSTEM_CA=1
  * cli: support ${pid} placeholder in --cpu-prof-name
  * crypto: add tls.setDefaultCACertificates()
  * dns: support max timeout
  * doc: update the instruction on how to verify releases
  * esm: unflag --experimental-wasm-modules
  * http: add server.keepAliveTimeoutBuffer option
  * lib: docs deprecate _http_*
  * net: update net.blocklist to allow file save and file management
  * process: add threadCpuUsage
  * zlib: add dictionary support to zstdCompress and zstdDecompress
- Update to 22.18.0:
  * deps: update amaro to 1.1.0
  * doc: add all watch-mode related flags to node.1
  * doc: add islandryu to collaborators
  * esm: implement import.meta.main
  * fs: allow correct handling of burst in fs-events with AsyncIterator
  * permission: propagate permission model flags on spawn
  * sqlite: add support for readBigInts option in db connection level
  * src,permission: add support to permission.has(addon)
  * url: add fileURLToPathBuffer API
  * watch: add --watch-kill-signal flag
  * worker: make Worker async disposable
Packages:
nodejs22-22.22.0-150700.3.6.1.src.rpm
nodejs22-22.22.0-150700.3.6.1.x86_64.rpm
nodejs22-devel-22.22.0-150700.3.6.1.x86_64.rpm
nodejs22-docs-22.22.0-150700.3.6.1.noarch.rpm
npm22-22.22.0-150700.3.6.1.x86_64.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2026-825
Security update for php-composer2
Severity: low
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64
This update for php-composer2 fixes the following issues:
- CVE-2025-67746: Fixed ANSI control character injection in the terminal output of various Composer commands via attacker-controlled remote sources (bsc#1255768).
Packages:
php-composer2-2.6.4-150600.3.6.1.noarch.rpm
php-composer2-2.6.4-150600.3.6.1.src.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2026-454
Optional update for nodejs24
Severity: moderate
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64
This update for nodejs24 fixes the following issues:
NodeJS is shipped in version 24.13.0.
Packages:
nodejs24-24.13.0-150700.15.3.1.src.rpm
nodejs24-24.13.0-150700.15.3.1.x86_64.rpm
nodejs24-devel-24.13.0-150700.15.3.1.x86_64.rpm
nodejs24-docs-24.13.0-150700.15.3.1.noarch.rpm
npm24-24.13.0-150700.15.3.1.x86_64.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2026-754
Optional update for php8-memcached
Severity: moderate
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64
This update ships php8-memcached to the Web and Scripting Module for 15 SP7.
Packages:
php8-memcached-3.2.0-150700.18.2.1.src.rpm
php8-memcached-3.2.0-150700.18.2.1.x86_64.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2026-932
Security update for tomcat
Severity: important
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64
This update for tomcat fixes the following issues:
Update to Tomcat 9.0.115:
- CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371).
- CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385).
- CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387).
Changelog:
* Catalina
  + Fix: 69623: Additional fix for the long standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled if the target resource was packaged in a JAR file. (markt)
  + Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the CsrfPreventionFilter. (schultz)
  + Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2 requests when the content-length header is not set. (dsoumis)
  + Update: Update the minimum and recommended versions for Tomcat Native to 1.3.4. (markt)
  + Add: Add a new ssoReauthenticationMode to the Tomcat provided Authenticators that provides a per Authenticator override of the SSO Valve requireReauthentication attribute. (markt)
  + Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception rather than silently using a replacement character. (markt)
  + Fix: 69871: Increase log level to INFO for missing configuration for the rewrite valve. (remm)
  + Fix: Add log warnings for additional Host appBase suspicious values. (remm)
  + Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar. org.apache.catalina.Connector no longer requires org.apache.tomcat.jni.AprStatus to be present. (markt)
  + Add: Add the ability to use a custom function to generate the client identifier in the CrawlerSessionManagerValve.
    This is only available programmatically. Pull request #902 by Brian Matzon. (markt)
  + Fix: Change the SSO reauthentication behaviour for SPNEGO authentication so that a normal SPNEGO authentication is performed if the SSL Valve is configured with reauthentication enabled. This is so that the delegated credentials will be available to the web application. (markt)
  + Fix: When generating the class path in the Loader, re-order the check on individual class path components to avoid a potential NullPointerException. Identified by Coverity Scan. (markt)
  + Fix: Fix SSL socket factory configuration in the JNDI realm. Based on pull request #915 by Joshua Rogers. (remm)
  + Update: Add an attribute, digestInRfc3112Order, to MessageDigestCredentialHandler to control the order in which the credential and salt are digested. By default, the current, non-RFC 3112 compliant, order of salt then credential will be used. This default will change in Tomcat 12 to the RFC 3112 compliant order of credential then salt. (markt)
* Cluster
  + Add: 62814: Document that human-readable names may be used for mapSendOptions and align documentation with channelSendOptions. Based on pull request #929 by archan0621. (markt)
* Clustering
  + Fix: Correct a regression introduced in 9.0.109 that broke some clustering configurations. (markt)
* Coyote
  + Fix: Prevent concurrent release of OpenSSLEngine resources and the termination of the Tomcat Native library as it can cause crashes during Tomcat shutdown. (markt)
  + Fix: Avoid possible NPEs when using a TLS enabled custom connector. (remm)
  + Fix: Improve warnings when setting ciphers lists in the FFM code, mirroring the tomcat-native changes. (remm)
  + Fix: 69910: Dereference TLS objects right after closing a socket to improve memory efficiency.
    (remm)
  + Fix: Relax the JSSE vs OpenSSL configuration style checks on SSLHostConfig to reflect the existing implementation that allows one configuration style to be used for the trust attributes and a different style for all the other attributes. (markt)
  + Fix: Better warning message when OpenSSLConf configuration elements are used with a JSSE TLS implementation. (markt)
  + Fix: When using OpenSSL via FFM, don't log a warning about missing CA certificates unless CA certificates were configured and the configuration failed. (markt)
  + Add: For configuration consistency between OpenSSL and JSSE TLS implementations, TLSv1.3 cipher suites included in the ciphers attribute of an SSLHostConfig are now always ignored (previously they would be ignored with OpenSSL implementations and used with JSSE implementations) and a warning is logged that the cipher suite has been ignored. (markt)
  + Add: Add the ciphersuite attribute to SSLHostConfig to configure the TLSv1.3 cipher suites. (markt)
  + Add: Add OCSP support to JSSE based TLS connectors and make the use of OCSP configurable per connector for both JSSE and OpenSSL based TLS implementations. Align the checks performed by OpenSSL with those performed by JSSE. (markt)
  + Add: Add support for soft failure of OCSP checks with soft failure support disabled by default. (markt)
  + Add: Add support for configuring the verification flags passed to OCSP_basic_verify when using an OpenSSL based TLS implementation. (markt)
  + Fix: Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5.
  + Fix: Don't log an incorrect certificate KeyStore location when creating a TLS connector if the KeyStore instance has been set directly on the connector. (markt)
  + Fix: HTTP/0.9 only allows GET as the HTTP method. (remm)
  + Add: Add strictSni attribute on the Connector to allow matching the SSLHostConfig configuration associated with the SNI host name to the SSLHostConfig configuration matched from the HTTP protocol host name.
    Non matching configurations will cause the request to be rejected. The attribute default value is true, enabling the matching. (remm)
  + Fix: Graceful failure for OCSP on BoringSSL in the FFM code. (remm)
  + Fix: 69866: Fix a memory leak when using a trust store with the OpenSSL provider. Pull request #912 by aogburn. (markt)
  + Fix: Fix AJP message length check. Pull request #916 by Joshua Rogers.
* Jasper
  + Fix: 69333: Correct a regression in the previous fix for 69333 and ensure that reuse() or release() is always called for a tag. (markt)
  + Fix: 69877: Catch IllegalArgumentException when processing URIs when creating the classpath to handle invalid URIs. (remm)
  + Fix: Fix populating the classpath with the webapp classloader repositories. (remm)
  + Fix: 69862: Avoid NPE unwrapping Servlet exception which would hide some exception details. Patch submitted by Eric Blanquer. (remm)
* Jdbc-pool
  + Fix: 64083: If the underlying connection has been closed, don't add it to the pool when it is returned. Pull request #235 by Alex Panchenko. (markt)
* Web applications
  + Fix: Manager: Fix abrupt truncation of the HTML and JSON complete server status output if one or more of the web applications failed to start. (schultz)
  + Add: Manager: Include web application state in the HTML and JSON complete server status output. (markt)
  + Add: Documentation: Expand the documentation to better explain when OCSP is supported and when it is not. (markt)
* Websocket
  + Fix: 69920: When attempting to write to a closed Writer or OutputStream obtained from a WebSocket session, throw an IOException rather than an IllegalStateException as required by Writer and strongly suggested by OutputStream. (markt)
* Other
  + Add: Add property "gpg.sign.files" to optionally disable release artefact signing with GPG. (rjung)
  + Add: Add test.silent property to suppress JUnit console output during test execution. Useful for cleaner console output when running tests with multiple threads.
    (csutherl)
  + Update: Update the internal fork of Commons Pool to 2.13.1. (markt)
  + Update: Update the internal fork of Commons DBCP to 2.14.0. (markt)
  + Update: Update Commons Daemon to 1.5.1. (markt)
  + Update: Update ByteBuddy to 1.18.3. (markt)
  + Update: Update UnboundID to 7.0.4. (markt)
  + Update: Update Checkstyle to 12.3.1. (markt)
  + Add: Improvements to French translations. (markt)
  + Add: Improvements to Japanese translations provided by tak7iji. (markt)
  + Add: Improvements to Chinese translations provided by Yang. vincent.h and yong hu. (markt)
  + Update: Update Tomcat Native to 1.3.5. (markt)
  + Add: Add test profile system for selective test execution. Profiles can be specified via -Dtest.profile=<name> to run specific test subsets without using patterns directly. Profile patterns are defined in test-profiles.properties. (csutherl)
  + Update: Update file extension to media type mappings to align with the current list used by the Apache Web Server (httpd). (markt)
  + Update: Update Commons Daemon to 1.5.0. (markt)
  + Update: Update Byte Buddy to 1.18.2. (markt)
  + Update: Update Checkstyle to 12.2.0. (markt)
  + Add: Improvements to Spanish translations provided by White Vogel. (markt)
  + Add: Improvements to French translations. (remm)
  + Update: Update the internal fork of Apache Commons BCEL to 6.11.0. (markt)
  + Update: Update to Byte Buddy 1.17.8. (markt)
  + Update: Update to Checkstyle 12.1.1. (markt)
  + Update: Update to Jacoco 0.8.14. (markt)
  + Update: Update to SpotBugs 4.9.8. (markt)
  + Update: Update to JSign 7.4. (markt)
  + Update: Update Maven Resolver Ant Tasks to 1.6.0.
    (rjung)
Packages:
tomcat-9.0.115-150200.102.1.noarch.rpm
tomcat-9.0.115-150200.102.1.src.rpm
tomcat-admin-webapps-9.0.115-150200.102.1.noarch.rpm
tomcat-el-3_0-api-9.0.115-150200.102.1.noarch.rpm
tomcat-jsp-2_3-api-9.0.115-150200.102.1.noarch.rpm
tomcat-lib-9.0.115-150200.102.1.noarch.rpm
tomcat-servlet-4_0-api-9.0.115-150200.102.1.noarch.rpm
tomcat-webapps-9.0.115-150200.102.1.noarch.rpm

SUSE-SLE-Module-Web-Scripting-15-SP7-2026-890
Security update for tomcat10
Severity: important
SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86_64
This update for tomcat10 fixes the following issues:
Update to Tomcat 10.1.52:
- CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371).
- CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385).
- CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387).
Changelog:
* Catalina
  + Fix: 69623: Additional fix for the long standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled if the target resource was packaged in a JAR file. (markt)
  + Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the CsrfPreventionFilter. (schultz)
  + Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2 requests when the content-length header is not set. (dsoumis)
  + Update: Enable minimum and recommended Tomcat Native versions to be set separately for Tomcat Native 1.x and 2.x. Update the minimum and recommended versions for Tomcat Native 1.x to 1.3.4. Update the minimum and recommended versions for Tomcat Native 2.x to 2.0.12. (markt)
  + Add: Add a new ssoReauthenticationMode to the Tomcat provided Authenticators that provides a per Authenticator override of the SSO Valve requireReauthentication attribute. (markt)
  + Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception rather than silently using a replacement character.
    (markt)
  + Fix: 69932: Fix request end access log pattern regression, which would log the start time of the request instead. (remm)
  + Fix: 69871: Increase log level to INFO for missing configuration for the rewrite valve. (remm)
  + Fix: Add log warnings for additional Host appBase suspicious values. (remm)
  + Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar. org.apache.catalina.Connector no longer requires org.apache.tomcat.jni.AprStatus to be present. (markt)
  + Add: Add the ability to use a custom function to generate the client identifier in the CrawlerSessionManagerValve. This is only available programmatically. Pull request #902 by Brian Matzon. (markt)
  + Fix: Change the SSO reauthentication behaviour for SPNEGO authentication so that a normal SPNEGO authentication is performed if the SSL Valve is configured with reauthentication enabled. This is so that the delegated credentials will be available to the web application. (markt)
  + Fix: When generating the class path in the Loader, re-order the check on individual class path components to avoid a potential NullPointerException. Identified by Coverity Scan. (markt)
  + Fix: Fix SSL socket factory configuration in the JNDI realm. Based on pull request #915 by Joshua Rogers. (remm)
  + Update: Add an attribute, digestInRfc3112Order, to MessageDigestCredentialHandler to control the order in which the credential and salt are digested. By default, the current, non-RFC 3112 compliant, order of salt then credential will be used. This default will change in Tomcat 12 to the RFC 3112 compliant order of credential then salt. (markt)
  + Fix: Log warnings when the SSO configuration does not comply with the documentation. (remm)
  + Update: Deprecate the RemoteAddrFilter and RemoteAddrValve in favour of the RemoteCIDRFilter and RemoteCIDRValve. (markt)
  + Fix: 69837: Fix corruption of the class path generated by the Loader when running on Windows.
    (markt)
  + Fix: Reject requests that map to invalid Windows file names earlier. (markt)
  + Fix: 69839: Ensure that changes to session IDs (typically after authentication) are promulgated to the SSO Valve to ensure that SSO entries are fully cleaned up on session expiration. Patch provided by Kim Johan Andersson. (markt)
  + Fix: Fix a race condition in the creation of the storage location for the FileStore. (markt)
* Cluster
  + Add: 62814: Document that human-readable names may be used for mapSendOptions and align documentation with channelSendOptions. Based on pull request #929 by archan0621. (markt)
* Clustering
  + Fix: Correct a regression introduced in 10.1.45 that broke some clustering configurations. (markt)
* Coyote
  + Fix: 69936: Fix bug in previous fix for Tomcat Native crashes on shutdown that triggered a significant memory leak. Patch provided by Wes. (markt)
  + Fix: Avoid possible NPEs when using a TLS enabled custom connector. (remm)
  + Fix: Improve warnings when setting ciphers lists in the FFM code, mirroring the tomcat-native changes. (remm)
  + Fix: 69910: Dereference TLS objects right after closing a socket to improve memory efficiency. (remm)
  + Fix: Relax the JSSE vs OpenSSL configuration style checks on SSLHostConfig to reflect the existing implementation that allows one configuration style to be used for the trust attributes and a different style for all the other attributes. (markt)
  + Fix: Better warning message when OpenSSLConf configuration elements are used with a JSSE TLS implementation. (markt)
  + Fix: When using OpenSSL via FFM, don't log a warning about missing CA certificates unless CA certificates were configured and the configuration failed.
(markt) + Add: For configuration consistency between OpenSSL and JSSE TLS implementations, TLSv1.3 cipher suites included in the ciphers attribute of an SSLHostConfig are now always ignored (previously they would be ignored with OpenSSL implementations and used with JSSE implementations) and a warning is logged that the cipher suite has been ignored. (markt) + Add: Add the ciphersuite attribute to SSLHostConfig to configure the TLSv1.3 cipher suites. (markt) + Add: Add OCSP support to JSSE based TLS connectors and make the use of OCSP configurable per connector for both JSSE and OpenSSL based TLS implementations. Align the checks performed by OpenSSL with those performed by JSSE. (markt) + Add: Add support for soft failure of OCSP checks with soft failure support disabled by default. (markt) + Add: Add support for configuring the verification flags passed to OCSP_basic_verify when using an OpenSSL based TLS implementation. (markt) + Fix: Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5. + Fix: Prevent concurrent release of OpenSSLEngine resources and the termination of the Tomcat Native library as it can cause crashes during Tomcat shutdown. (markt) + Fix: Don't log an incorrect certificate KeyStore location when creating a TLS connector if the KeyStore instance has been set directly on the connector. (markt) + Fix: HTTP/0.9 only allows GET as the HTTP method. (remm) + Add: Add strictSni attribute on the Connector to allow matching the SSLHostConfig configuration associated with the SNI host name to the SSLHostConfig configuration matched from the HTTP protocol host name. Non matching configurations will cause the request to be rejected. The attribute default value is true, enabling the matching. (remm) + Fix: Graceful failure for OCSP on BoringSSL in the FFM code. (remm) + Fix: Fix use of deferAccept attribute in JMX, since it is normally only removed in Tomcat 11. 
(remm) + Fix: 69866: Fix a memory leak when using a trust store with the OpenSSL provider. Pull request #912 by aogburn. (markt) + Fix: Fix potential crash on shutdown when a Connector depends on the Tomcat Native library. (markt) + Fix: Fix AJP message length check. Pull request #916 by Joshua Rogers. + Fix: 69848: Fix copy/paste errors in 10.1.47 that meant DELETE requests received via the AJP connector were processed as OPTIONS requests and PROPFIND requests were processed as TRACE. (markt) + Fix: Various OCSP processing issues in the OpenSSL FFM code. (dsoumis) * General + Add: Add test.silent property to suppress JUnit console output during test execution. Useful for cleaner console output when running tests with multiple threads. (csutherl) * Jasper + Fix: 69333: Correct a regression in the previous fix for 69333 and ensure that reuse() or release() is always called for a tag. (markt) + Fix: 69877: Catch IllegalArgumentException when processing URIs when creating the classpath to handle invalid URIs. (remm) + Fix: Fix populating the classpath with the webapp classloader repositories. (remm) + Fix: 69862: Avoid NPE unwrapping Servlet exception which would hide some exception details. Patch submitted by Eric Blanquer. (remm) * Jdbc-pool + Fix: 64083: If the underlying connection has been closed, don't add it to the pool when it is returned. Pull request #235 by Alex Panchenko. (markt) * Web applications + Fix: Manager: Fix abrupt truncation of the HTML and JSON complete server status output if one or more of the web applications failed to start. (schultz) + Add: Manager: Include web application state in the HTML and JSON complete server status output. (markt) + Add: Documentation: Expand the documentation to better explain when OCSP is supported and when it is not. 
(markt) * Websocket + Fix: 69920: When attempting to write to a closed Writer or OutputStream obtained from a WebSocket session, throw an IOException rather than an IllegalStateExcpetion as required by Writer and strongly suggested by OutputStream. (markt) + Fix: 69845: When using permessage-deflate with Java 25 onwards, handle the underlying Inflater and/or Deflater throwing IllegalStateException when closed rather than NullPointerException as they do in Java 24 and earlier. * Other + Update: Update the internal fork of Commons Pool to 2.13.1. (markt) + Update: Update the internal fork of Commons DBCP to 2.14.0. (markt) + Update: Update Commons Daemon to 1.5.1. (markt) + Update: Update ByteBuddy to 1.18.3. (markt) + Update: Update UnboundID to 7.0.4. (markt) + Update: Update Checkstyle to 12.3.1. (markt) + Add: Improvements to French translations. (markt) + Add: Improvements to Japanese translations provided by tak7iji. (markt) + Add: Improvements to Chinese translations provided by Yang. vincent.h and yong hu. (markt) + Update: Update Tomcat Native to 2.0.12. (markt) + Add: Add property "gpg.sign.files" to optionally disable release artefact signing with GPG. (rjung) + Add: Add test profile system for selective test execution. Profiles can be specified via -Dtest.profile=<name> to run specific test subsets without using patterns directly. Profile patterns are defined in test-profiles.properties. (csutherl) + Update: Update file extension to media type mappings to align with the current list used by the Apache Web Server (httpd). (markt) + Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.10. (markt) + Update: Update Commons Daemon to 1.5.0. (markt) + Update: Update Byte Buddy to 1.18.2. (markt) + Update: Update Checkstyle to 12.2.0. (markt) + Add: Improvements to Spanish translations provided by White Vogel. (markt) + Add: Improvements to French translations. 
(remm) + Update: Update the internal fork of Apache Commons BCEL to 6.11.0. (markt) + Update: Update to Byte Buddy 1.17.8. (markt) + Update: Update to Checkstyle 12.1.1. (markt) + Update: Update to Jacoco 0.8.14. (markt) + Update: Update to SpotBugs 4.9.8. (markt) + Update: Update to JSign 7.4. (markt) + Update: Update Maven Resolver Ant Tasks to 1.6.0. (rjung) tomcat10-10.1.52-150200.5.61.1.noarch.rpm tomcat10-10.1.52-150200.5.61.1.src.rpm tomcat10-admin-webapps-10.1.52-150200.5.61.1.noarch.rpm tomcat10-el-5_0-api-10.1.52-150200.5.61.1.noarch.rpm tomcat10-jsp-3_1-api-10.1.52-150200.5.61.1.noarch.rpm tomcat10-lib-10.1.52-150200.5.61.1.noarch.rpm tomcat10-servlet-6_0-api-10.1.52-150200.5.61.1.noarch.rpm tomcat10-webapps-10.1.52-150200.5.61.1.noarch.rpm SUSE-SLE-Module-Web-Scripting-15-SP7-2026-877 Security update for tomcat11 important SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86 64 This update for tomcat11 fixes the following issues: Update to Tomcat 11.0.18: - CVE-2025-66614: client certificate verification bypass due to virtual host mapping (bsc#1258371). - CVE-2026-24733: improper input validation on HTTP/0.9 requests (bsc#1258385). - CVE-2026-24734: certificate revocation bypass due to incomplete OCSP verification checks (bsc#1258387). Changelog: * Catalina + Fix: 69932: Fix request end access log pattern regression, which would log the start time of the request instead. (remm) + Fix: 69623: Additional fix for the long standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled if the target resource was packaged in a JAR file. (markt) + Fix: Pull request #923: Avoid adding multiple CSRF tokens to a URL in the CsrfPreventionFilter. (schultz) + Fix: 69918: Ensure request parameters are correctly parsed for HTTP/2 requests when the content-length header is not set. 
(dsoumis) + Update: Enable minimum and recommended Tomcat Native versions to be set separately for Tomcat Native 1.x and 2.x. Update the minimum and recommended versions for Tomcat Native 1.x to 1.3.4. Update the minimum and recommended versions for Tomcat Native 2.x to 2.0.12. (markt) + Add: Add a new ssoReauthenticationMode to the Tomcat provided Authenticators that provides a per Authenticator override of the SSO Valve requireReauthentication attribute. (markt) + Fix: Ensure URL encoding errors in the Rewrite Valve trigger an exception rather than silently using a replacement character. (markt) + Fix: 69871: Increase log level to INFO for missing configuration for the rewrite valve. (remm) + Fix: Add log warnings for additional Host appBase suspicious values. (remm) + Fix: Remove hard dependency on tomcat-jni.jar for catalina.jar. org.apache.catalina.Connector no longer requires org.apache.tomcat.jni.AprStatus to be present. (markt) + Add: Add the ability to use a custom function to generate the client identifier in the CrawlerSessionManagerValve. This is only available programmatically. Pull request #902 by Brian Matzon. (markt) + Fix: Change the SSO reauthentication behaviour for SPNEGO authentication so that a normal SPNEGO authentication is performed if the SSL Valve is configured with reauthentication enabled. This is so that the delegated credentials will be available to the web application. (markt) + Fix: When generating the class path in the Loader, re-order the check on individual class path components to avoid a potential NullPointerException. Identified by Coverity Scan. (markt) + Fix: Fix SSL socket factory configuration in the JNDI realm. Based on pull request #915 by Joshua Rogers. (remm) + Update: Add an attribute, digestInRfc3112Order, to MessageDigestCredentialHandler to control the order in which the credential and salt are digested. By default, the current, non-RFC 3112 compliant, order of salt then credential will be used. 
This default will change in Tomcat 12 to the RFC 3112 compliant order of credential then salt. (markt) * Cluster + Add: 62814: Document that human-readable names may be used for mapSendOptions and align documentation with channelSendOptions. Based on pull request #929 by archan0621. (markt) * Clustering + Fix: Correct a regression introduced in 11.0.11 that broke some clustering configurations. (markt) * Coyote + Fix: 69936: Fix bug in previous fix for Tomcat Native crashes on shutdown that triggered a significant memory leak. Patch provided by Wes. (markt) + Fix: Prevent concurrent release of OpenSSLEngine resources and the termination of the Tomcat Native library as it can cause crashes during Tomcat shutdown. (markt) + Fix: Improve warnings when setting ciphers lists in the FFM code, mirroring the tomcat-native changes. (remm) + Fix: 69910: Dereference TLS objects right after closing a socket to improve memory efficiency. (remm) + Fix: Relax the JSSE vs OpenSSL configuration style checks on SSLHostConfig to reflect the existing implementation that allows one configuration style to be used for the trust attributes and a different style for all the other attributes. (markt) + Fix: Better warning message when OpenSSLConf configuration elements are used with a JSSE TLS implementation. (markt) + Fix: When using OpenSSL via FFM, don't log a warning about missing CA certificates unless CA certificates were configured and the configuration failed. (markt) + Add: For configuration consistency between OpenSSL and JSSE TLS implementations, TLSv1.3 cipher suites included in the ciphers attribute of an SSLHostConfig are now always ignored (previously they would be ignored with OpenSSL implementations and used with JSSE implementations) and a warning is logged that the cipher suite has been ignored. (markt) + Add: Add the ciphersuite attribute to SSLHostConfig to configure the TLSv1.3 cipher suites. 
(markt) + Add: Add OCSP support to JSSE based TLS connectors and make the use of OCSP configurable per connector for both JSSE and OpenSSL based TLS implementations. Align the checks performed by OpenSSL with those performed by JSSE. (markt) + Add: Add support for soft failure of OCSP checks with soft failure support disabled by default. (markt) + Add: Add support for configuring the verification flags passed to OCSP_basic_verify when using an OpenSSL based TLS implementation. (markt) + Fix: Fix OpenSSL FFM code compatibility with LibreSSL versions below 3.5. + Fix: Don't log an incorrect certificate KeyStore location when creating a TLS connector if the KeyStore instance has been set directly on the connector. (markt) + Fix: HTTP/0.9 only allows GET as the HTTP method. (remm) + Add: Add strictSni attribute on the Connector to allow matching the SSLHostConfig configuration associated with the SNI host name to the SSLHostConfig configuration matched from the HTTP protocol host name. Non matching configurations will cause the request to be rejected. The attribute default value is true, enabling the matching. (remm) + Fix: Graceful failure for OCSP on BoringSSL in the FFM code. (remm) + Fix: 69866: Fix a memory leak when using a trust store with the OpenSSL provider. Pull request #912 by aogburn. (markt) + Fix: Fix potential crash on shutdown when a Connector depends on the Tomcat Native library. (markt) + Fix: Fix AJP message length check. Pull request #916 by Joshua Rogers. * Jasper + Fix: 69333: Correct a regression in the previous fix for 69333 and ensure that reuse() or release() is always called for a tag. (markt) + Fix: 69877: Catch IllegalArgumentException when processing URIs when creating the classpath to handle invalid URIs. (remm) + Fix: Fix populating the classpath with the webapp classloader repositories. (remm) + Fix: 69862: Avoid NPE unwrapping Servlet exception which would hide some exception details. Patch submitted by Eric Blanquer. 
(remm) * Jdbc-pool + Fix: 64083: If the underlying connection has been closed, don't add it to the pool when it is returned. Pull request #235 by Alex Panchenko. (markt) * Web applications + Fix: Manager: Fix abrupt truncation of the HTML and JSON complete server status output if one or more of the web applications failed to start. (schultz) + Add: Manager: Include web application state in the HTML and JSON complete server status output. (markt) + Add: Documentation: Expand the documentation to better explain when OCSP is supported and when it is not. (markt) * Websocket + Fix: 69920: When attempting to write to a closed Writer or OutputStream obtained from a WebSocket session, throw an IOException rather than an IllegalStateExcpetion as required by Writer and strongly suggested by OutputStream. (markt) * Other + Add: Add property "gpg.sign.files" to optionally disable release artefact signing with GPG. (rjung) + Add: Add test.silent property to suppress JUnit console output during test execution. Useful for cleaner console output when running tests with multiple threads. (csutherl) + Update: Update the internal fork of Commons Pool to 2.13.1. (markt) + Update: Update the internal fork of Commons DBCP to 2.14.0. (markt) + Update: Update Commons Daemon to 1.5.1. (markt) + Update: Update to the Eclipse JDT compiler 4.37. (markt) + Update: Update ByteBuddy to 1.18.3. (markt) + Update: Update UnboundID to 7.0.4. (markt) + Update: Update Checkstyle to 12.3.1. (markt) + Add: Improvements to French translations. (markt) + Add: Improvements to Japanese translations provided by tak7iji. (markt) + Add: Improvements to Chinese translations provided by Yang. vincent.h and yong hu. (markt) + Update: Update Tomcat Native to 2.0.12. (markt) + Add: Add test profile system for selective test execution. Profiles can be specified via -Dtest.profile=<name> to run specific test subsets without using patterns directly. Profile patterns are defined in test-profiles.properties. 
(csutherl) + Update: Update file extension to media type mappings to align with the current list used by the Apache Web Server (httpd). (markt) + Update: Update the packaged version of the Tomcat Migration Tool for Jakarta EE to 1.0.10. (markt) + Update: Update Commons Daemon to 1.5.0. (markt) + Update: Update Byte Buddy to 1.18.2. (markt) + Update: Update Checkstyle to 12.2.0. (markt) + Add: Improvements to Spanish translations provided by White Vogel. (markt) + Add: Improvements to French translations. (remm) + Update: Update the internal fork of Apache Commons BCEL to 6.11.0. (markt) + Update: Update to Byte Buddy 1.17.8. (markt) + Update: Update to Checkstyle 12.1.1. (markt) + Update: Update to Jacoco 0.8.14. (markt) + Update: Update to SpotBugs 4.9.8. (markt) + Update: Update to JSign 7.4. (markt) + Update: Update Maven Resolver Ant Tasks to 1.6.0. (rjung) tomcat11-11.0.18-150600.13.15.1.noarch.rpm tomcat11-11.0.18-150600.13.15.1.src.rpm tomcat11-admin-webapps-11.0.18-150600.13.15.1.noarch.rpm tomcat11-el-6_0-api-11.0.18-150600.13.15.1.noarch.rpm tomcat11-jsp-4_0-api-11.0.18-150600.13.15.1.noarch.rpm tomcat11-lib-11.0.18-150600.13.15.1.noarch.rpm tomcat11-servlet-6_1-api-11.0.18-150600.13.15.1.noarch.rpm tomcat11-webapps-11.0.18-150600.13.15.1.noarch.rpm SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1299 Security update for nodejs24 important SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86 64 This update for nodejs24 fixes the following issues: - Update to 24.14.1 - CVE-2026-21637: synchronous exceptions thrown during certain callbacks bypass the standard TLS error handling paths and can cause a denial of service (bsc#1256576). - CVE-2026-21710: uncaught TypeError exception can cause a denial of service (bsc#1260455). - CVE-2026-21712: malformed URL format can lead to a crash (bsc#1260460). - CVE-2026-21713: timing side-channel in HMAC verification via memcmp can lead to potential MAC forgery (bsc#1260463). 
- CVE-2026-21714: WINDOW_UPDATE frames on stream 0 can lead to memory leak (bsc#1260480). - CVE-2026-21715: permission model bypass in realpathSync.native can allow file existence disclosure (bsc#1260482). - CVE-2026-21716: promise-based FileHandle methods can be used to modify file permissions and ownership (bsc#1260462). - CVE-2026-21717: crafted request can lead to trivially predictable hash collisions (bsc#1260494). nodejs24-24.14.1-150700.15.8.1.src.rpm nodejs24-24.14.1-150700.15.8.1.x86_64.rpm nodejs24-devel-24.14.1-150700.15.8.1.x86_64.rpm nodejs24-docs-24.14.1-150700.15.8.1.noarch.rpm npm24-24.14.1-150700.15.8.1.x86_64.rpm SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1377 Recommended update for libtcnative-1-0 important SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86 64 This update for libtcnative-1-0 fixes the following issues: Update to 1.3.7: [bsc#1260322] 1.3.7: * Code: Refactor access to ASN1_OCTET_STRING to use setters to fix errors when building against the latest OpenSSL 4.0.x code. (markt) * Fix: Fix the handling of OCSP requests with multiple responder URIs. (jfclere) * Fix: Fix the handling of TRY_AGAIN responses to OCSP requests when soft fail is disabled. (jfclere) 1.3.6: * Code: Refactor the SSL_CONF_CTX clean-up to align it with SSL and SSL_CTX clean-up. (markt) * Fix: Fix unnecessarily large buffer allocation when filtering out NULL and export ciphers. Pull requests #35 and #37 provided by chenjp. (markt) * Fix: Fix a potential memory leak if an invalid OpenSSLConf is provided. Pull request #36 provided by chenjp. (markt) * Fix: Refactor setting of OCSP configuration defaults as they were only applied if the SSL_CONF_CTX was used. While one was always used with Tomcat versions aware of the OCSP configuration options, one was not always used with Tomcat versions unaware of the OCSP configuration options leading to OCSP verification being enabled by default when the expected behaviour was disabled by default. 
(markt) * Code: Improve performance for the rare case of handling large OCSP responses. (markt) 1.3.5: * Fix: Remove group write permissions from the files in the tar.gz source archive. (markt) * Fix: Clear an additional error in OCSP processing that was preventing OCSP soft fail working with Tomcat's APR/native connector. (markt) 1.3.4: * Fix: Correct logic error that prevented the configuration of TLS 1.3 cipher suites. (markt) 1.3.3; * Fix: Refactor the addition of TLS 1.3 cipher suite configuration to avoid a regression when running a version of Tomcat that pre-dates this change. (markt) 1.3.2: * Update: Rename configure.in to modern autotools style configure.ac. (rjung) * Update: Fix incomplete updates for autotools generated files during "buildconf" execution. (rjung) * Update: Improve quoting in tcnative.m4. (rjung) * Update: Update the minimum version of autoconf for releasing to 2.68. (rjung) * Fix: Fix the autoconf warnings when creating a release. (markt) * Update: The Windows binaries are now built with OCSP support enabled by default. (markt) * Add: Include a nonce with OCSP requests and check the nonce, if any, in the OCSP response. (markt) * Add: Expand verification of OCSP responses. (markt) * Add: Add the ability to configure the OCSP checks to soft-fail - i.e. if the responder cannot be contacted or fails to respond in a timely manner the OCSP check will not fail. (markt) * Add: Add a configurable timeout to the writing of OCSP requests and reading of OCSP responses. (markt) * Add: Add the ability to control the OCSP verification flags. (markt) * Add: Configure TLS 1.3 connections from the provided ciphers list as well as connections using TLS 1.2 and earlier. Pull request provided by gastush. (markt) * Update: Update the Windows build environment to use Visual Studio 2022. 
(markt) 1.3.1: * Fix: Fix a crash on Windows when SSLContext.setCACertificate() is invoked with a null value for caCertificateFile and a non-null value for caCertificatePath until properly addressed with https://github.com/openssl/openssl/issues/24416. (michaelo) * Add: Use ERR_error_string_n with a definite buffer length as a named constant. (schultz) * Add: Ensure local reference capacity is available when creating new arrays and Strings. (schultz) * Update: Update the recommended minimum version of OpenSSL to 3.0.14. (markt) 1.3.0: * Update: Drop useless compile.optimize option. (michaelo) * Update: Align Java source compile configuration with Tomcat. (michaelo) * Fix: Fix version set in DLL header on Windows. (michaelo) * Update: Remove an unreachable if condition around CRLs in sslcontext.c. (michaelo) * Fix: 67818: When calling SSL.setVerify() or SSLContext.setVerify(), the default verify paths are no longer set. Only the explicitly configured trust store, if any, will be used. (michaelo) * Update: Update the minimum supported version of LibreSSL to 3.5.2. (markt) * Design: Remove NPN support as NPN was never standardised and browser support was removed in 2019. (markt) * Update: Update the recommended minimum version of OpenSSL to 3.0.13. (markt) Update to 1.2.39: * Fix: 67061: If the insecure optionalNoCA certificate verification mode is used, disable OCSP if enabled else client certificates from unknown certificate authorities will be rejected. * Update: Update the recommended minimum version of OpenSSL to 3.0.11. * Change the hardcoded libopenssl-1_1-devel to libopenssl-devel for distributions that have the right version libtcnative-1-0-1.3.7-150600.16.3.1.src.rpm libtcnative-1-0-devel-1.3.7-150600.16.3.1.x86_64.rpm SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1478 Security update for nodejs22 important SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86 64 This update for nodejs22 fixes the following issues: Update to version 22.22.2. 
- CVE-2026-21717: trivially predictable hash collisions due to flaw in V8's string hashing mechanism allows for performance degradation via a crafted request (bsc#1260494). - CVE-2026-21716: incomplete fix for CVE-2024-36137 allows promise-based FileHandle methods to be used to modify file permissions and ownership on already-open file descriptors (bsc#1260462). - CVE-2026-21715: flaw in the Permission Model filesystem enforcement allows for file existence disclosure and filesystem path enumeration via `fs.realpathSync.native()` (bsc#1260482). - CVE-2026-21714: memory leak in Node.js HTTP/2 server allows for resource exhaustion via `WINDOW_UPDATE` frames sent on stream 0 (bsc#1260480). - CVE-2026-21713: timing side-channel due to flaw in Node.js HMAC verification allows for discovery of HMAC values and potential MAC forgery (bsc#1260463). - CVE-2026-21710: uncaught `TypeError` when handling HTTP requests allows for a process crash via requests with a header named `__proto__` when the application accesses `req.headersDistinct` (bsc#1260455). - CVE-2026-21637: flaw in TLS error handling allows for resource exhaustion and crash when `pskCallback` or `ALPNCallback` are in use (bsc#1256576). nodejs22-22.22.2-150700.3.9.1.src.rpm nodejs22-22.22.2-150700.3.9.1.x86_64.rpm nodejs22-devel-22.22.2-150700.3.9.1.x86_64.rpm nodejs22-docs-22.22.2-150700.3.9.1.noarch.rpm npm22-22.22.2-150700.3.9.1.x86_64.rpm SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1604 Security update for tomcat important SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86 64 This update for tomcat fixes the following issues: Security fixes: - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850). - CVE-2026-25854: Occasionally open redirect (bsc#1261851). - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852). - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853). 
- CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854). - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855). - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token (bsc#1261856). - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857). - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete, so this CVE completes it (bsc#1258371). Other fixes: - Update to Tomcat 9.0.117 tomcat-9.0.117-150200.105.1.noarch.rpm tomcat-9.0.117-150200.105.1.src.rpm tomcat-admin-webapps-9.0.117-150200.105.1.noarch.rpm tomcat-el-3_0-api-9.0.117-150200.105.1.noarch.rpm tomcat-jsp-2_3-api-9.0.117-150200.105.1.noarch.rpm tomcat-lib-9.0.117-150200.105.1.noarch.rpm tomcat-servlet-4_0-api-9.0.117-150200.105.1.noarch.rpm tomcat-webapps-9.0.117-150200.105.1.noarch.rpm SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1603 Security update for tomcat10 important SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86 64 This update for tomcat10 fixes the following issues: Security fixes: - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850). - CVE-2026-25854: Occasionally open redirect (bsc#1261851). - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852). - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853). - CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854). - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855). - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token (bsc#1261856). - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857). - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete, so this CVE completes it (bsc#1258371). 
Other fixes: - Update to Tomcat 10.1.54 tomcat10-10.1.54-150200.5.64.1.noarch.rpm tomcat10-10.1.54-150200.5.64.1.src.rpm tomcat10-admin-webapps-10.1.54-150200.5.64.1.noarch.rpm tomcat10-el-5_0-api-10.1.54-150200.5.64.1.noarch.rpm tomcat10-jsp-3_1-api-10.1.54-150200.5.64.1.noarch.rpm tomcat10-lib-10.1.54-150200.5.64.1.noarch.rpm tomcat10-servlet-6_0-api-10.1.54-150200.5.64.1.noarch.rpm tomcat10-webapps-10.1.54-150200.5.64.1.noarch.rpm SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1558 Security update for tomcat11 important SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86 64 This update for tomcat11 fixes the following issues: Security fixes: - CVE-2026-24880: Request smuggling via invalid chunk extension (bsc#1261850). - CVE-2026-25854: Occasionally open redirect (bsc#1261851). - CVE-2026-29129: TLS cipher order is not preserved (bsc#1261852). - CVE-2026-29145: OCSP checks sometimes soft-fail even when soft-fail is disabled (bsc#1261853). - CVE-2026-29146,CVE-2026-34486: Fix for allowed bypass of EncryptInterceptor (bsc#1261854). - CVE-2026-34483: Incomplete escaping of JSON access logs (bsc#1261855). - CVE-2026-34487: Cloud membership for clustering component exposed the Kubernetes bearer token (bsc#1261856). - CVE-2026-34500: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled (bsc#1261857). - CVE-2026-32990: The fix for CVE-2025-66614 was incomplete, so this CVE completes it (bsc#1258371). 
Other fixes: - Update to Tomcat 11.0.21 tomcat11-11.0.21-150600.13.18.1.noarch.rpm tomcat11-11.0.21-150600.13.18.1.src.rpm tomcat11-admin-webapps-11.0.21-150600.13.18.1.noarch.rpm tomcat11-el-6_0-api-11.0.21-150600.13.18.1.noarch.rpm tomcat11-jsp-4_0-api-11.0.21-150600.13.18.1.noarch.rpm tomcat11-lib-11.0.21-150600.13.18.1.noarch.rpm tomcat11-servlet-6_1-api-11.0.21-150600.13.18.1.noarch.rpm tomcat11-webapps-11.0.21-150600.13.18.1.noarch.rpm SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1784 Security update for php-composer2 important SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86 64 This update for php-composer2 fixes the following issues: - CVE-2026-40176: arbitrary command injection via malicious Perforce repository definition (bsc#1262254). - CVE-2026-40261: arbitrary command injection via malicious Perforce source reference/url (bsc#1262255). php-composer2-2.6.4-150600.3.9.1.noarch.rpm php-composer2-2.6.4-150600.3.9.1.src.rpm SUSE-SLE-Module-Web-Scripting-15-SP7-2026-1958 Security update for php8 critical SUSE Updates SLE-Module-Web-Scripting 15-SP7 x86 64 This update for php8 fixes the following issues - CVE-2025-14179: improper handling of NULL bytes by the PDO Firebird driver when preparing SQL queries can lead to SQL injection (bsc#1264778). - CVE-2026-6722: use-after-free in SOAP using Apache map can lead to remote code execution (bsc#1264776). - CVE-2026-6735: improper validation of the request URI within the PHP-FPM status page can lead to XSS (bsc#1264775). - CVE-2026-7258: signed `char` values passed to `ctype` functions like `isxdigit` can lead to OOB access and denial of service (bsc#1264774). - CVE-2026-7259: NULL pointer dereference in `php_mb_check_encoding()` via `mb_ereg_search_init()` can lead to a denial of service (bsc#1264773). 
- CVE-2026-7261: use-after-free due to incorrectly handled persistence of handler objects when SOAP_PERSISTENCE_SESSION is configured can lead to memory corruption, information disclosure and process crashes (bsc#1264772). - CVE-2026-7262: NULL pointer dereference caused by mistake in the SOAP decoding process when a typemap is configured can lead to a denial of service (bsc#1264771). - CVE-2026-7568: integer overflow in the `metaphone` function can lead to undefined behavior and affect the availability of the PHPprocess (bsc#1264769). Other updates: - Updated to 8.3.31. apache2-mod_php8-8.3.31-150700.3.12.1.src.rpm apache2-mod_php8-8.3.31-150700.3.12.1.x86_64.rpm php8-8.3.31-150700.3.12.1.src.rpm php8-8.3.31-150700.3.12.1.x86_64.rpm php8-bcmath-8.3.31-150700.3.12.1.x86_64.rpm php8-bz2-8.3.31-150700.3.12.1.x86_64.rpm php8-calendar-8.3.31-150700.3.12.1.x86_64.rpm php8-cli-8.3.31-150700.3.12.1.x86_64.rpm php8-ctype-8.3.31-150700.3.12.1.x86_64.rpm php8-curl-8.3.31-150700.3.12.1.x86_64.rpm php8-dba-8.3.31-150700.3.12.1.x86_64.rpm php8-devel-8.3.31-150700.3.12.1.x86_64.rpm php8-dom-8.3.31-150700.3.12.1.x86_64.rpm php8-embed-8.3.31-150700.3.12.1.src.rpm php8-embed-8.3.31-150700.3.12.1.x86_64.rpm php8-enchant-8.3.31-150700.3.12.1.x86_64.rpm php8-exif-8.3.31-150700.3.12.1.x86_64.rpm php8-fastcgi-8.3.31-150700.3.12.1.src.rpm php8-fastcgi-8.3.31-150700.3.12.1.x86_64.rpm php8-fileinfo-8.3.31-150700.3.12.1.x86_64.rpm php8-fpm-8.3.31-150700.3.12.1.src.rpm php8-fpm-8.3.31-150700.3.12.1.x86_64.rpm php8-ftp-8.3.31-150700.3.12.1.x86_64.rpm php8-gd-8.3.31-150700.3.12.1.x86_64.rpm php8-gettext-8.3.31-150700.3.12.1.x86_64.rpm php8-gmp-8.3.31-150700.3.12.1.x86_64.rpm php8-iconv-8.3.31-150700.3.12.1.x86_64.rpm php8-intl-8.3.31-150700.3.12.1.x86_64.rpm php8-ldap-8.3.31-150700.3.12.1.x86_64.rpm php8-mbstring-8.3.31-150700.3.12.1.x86_64.rpm php8-mysql-8.3.31-150700.3.12.1.x86_64.rpm php8-odbc-8.3.31-150700.3.12.1.x86_64.rpm php8-opcache-8.3.31-150700.3.12.1.x86_64.rpm 
php8-openssl-8.3.31-150700.3.12.1.x86_64.rpm php8-pcntl-8.3.31-150700.3.12.1.x86_64.rpm php8-pdo-8.3.31-150700.3.12.1.x86_64.rpm php8-pgsql-8.3.31-150700.3.12.1.x86_64.rpm php8-phar-8.3.31-150700.3.12.1.x86_64.rpm php8-posix-8.3.31-150700.3.12.1.x86_64.rpm php8-readline-8.3.31-150700.3.12.1.x86_64.rpm php8-shmop-8.3.31-150700.3.12.1.x86_64.rpm php8-snmp-8.3.31-150700.3.12.1.x86_64.rpm php8-soap-8.3.31-150700.3.12.1.x86_64.rpm php8-sockets-8.3.31-150700.3.12.1.x86_64.rpm php8-sodium-8.3.31-150700.3.12.1.x86_64.rpm php8-sqlite-8.3.31-150700.3.12.1.x86_64.rpm php8-sysvmsg-8.3.31-150700.3.12.1.x86_64.rpm php8-sysvsem-8.3.31-150700.3.12.1.x86_64.rpm php8-sysvshm-8.3.31-150700.3.12.1.x86_64.rpm php8-test-8.3.31-150700.3.12.1.src.rpm php8-test-8.3.31-150700.3.12.1.x86_64.rpm php8-tidy-8.3.31-150700.3.12.1.x86_64.rpm php8-tokenizer-8.3.31-150700.3.12.1.x86_64.rpm php8-xmlreader-8.3.31-150700.3.12.1.x86_64.rpm php8-xmlwriter-8.3.31-150700.3.12.1.x86_64.rpm php8-xsl-8.3.31-150700.3.12.1.x86_64.rpm php8-zip-8.3.31-150700.3.12.1.x86_64.rpm php8-zlib-8.3.31-150700.3.12.1.x86_64.rpm