Tomcat 10.1.50 security issues

Debian Security Advisory DSA-6120-1
security@debian.org
Markus Koschany
February 05, 2026


@krivopustov

Package : tomcat10
CVE ID : CVE-2025-46701 CVE-2025-48976 CVE-2025-48988 CVE-2025-48989
CVE-2025-49125 CVE-2025-52520 CVE-2025-53506 CVE-2025-55668
CVE-2025-55752 CVE-2025-55754 CVE-2025-61795 CVE-2025-31650
CVE-2025-31651
Debian Bug : 1106820 1108119 1108117 1111097 1108115 1109112 1109114 1111099 1119294

Several security vulnerabilities have been found in Tomcat 10, a Java web
server and servlet engine. This update improves the handling of HTTP/2
connections and corrects various flaws which can lead to uncontrolled resource
consumption and a denial of service.

For the oldstable distribution (bookworm), these problems have been fixed
in version 10.1.52-1~deb12u1.

For the stable distribution (trixie), these problems have been fixed in
version 10.1.52-1~deb13u1.

We recommend that you upgrade your tomcat10 packages.

https://security-tracker.debian.org/tracker/source-package/tomcat10

Thank you for the information.
The embedded Tomcat is usually updated with the next Spring Boot patch, which in turn is updated in every Jmix patch. The next Jmix 2.7 patch will be available at the beginning of March.

Regards,
Konstantin

Thank you for your attention to this matter.

I wish to clarify that I do not want to pressure any development, but I remain interested in the anticipated release of Jmix 3.x, which was announced for the end of February 2026.

Is this timeline still feasible?