tomcat11 - Debian Package Tracker

general

source: tomcat11 (main)
version: 11.0.22-2
maintainer: Debian Java Maintainers (archive) (DMD)
uploaders: tony mancill [DMD] – Markus Koschany [DMD] – Emmanuel Bourg [DMD]
arch: all
std-ver: 4.7.4
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

stable: 11.0.15-1~deb13u1
stable-sec: 11.0.22-1~deb13u1
stable-p-u: 11.0.22-1~deb13u1
testing: 11.0.21-1
unstable: 11.0.22-2

versioned links

11.0.15-1~deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
11.0.21-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
11.0.22-1~deb13u1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
11.0.22-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libtomcat11-embed-java
libtomcat11-java
tomcat11 (1 bugs: 0, 0, 1, 0)
tomcat11-admin
tomcat11-common
tomcat11-docs
tomcat11-examples
tomcat11-user

action needed

7 security issues in forky high

There are 7 open security issues in forky.

7 important issues:

CVE-2026-41284: Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117. Older, unsupported versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
CVE-2026-41293: Improper Input Validation vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 10.0.0-M1 through 10.0.27. Older, end of support versions may also be affected. Users are recommended to upgrade to version [FIXED_VERSION], which fixes the issue.
CVE-2026-42498: Exposure of HTTP Authentication Header to unexpected hosts during WebSocket authentication vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.2 through 9.0.117, from 8.5.24 through 8.5.100, from 7.0.83 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118, which fix the issue.
CVE-2026-43512: DEPRECATED: Authentication Bypass Issues vulnerability in digest authentication in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from before 7.0.0. Older unsupported versions any also be affect Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
CVE-2026-43513: Improper Handling of Case Sensitivity vulnerability in LockOutRealm in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
CVE-2026-43514: Observable Timing Discrepancy vulnerability when comparing AJP secret in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Older unsupported versions may also be affected. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.
CVE-2026-43515: Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from 7.0.0 through 7.0.109. Users are recommended to upgrade to version 11.0.22, 10.1.55 or 9.0.118 which fix the issue.

Created: 2026-05-13 Last update: 2026-06-08 14:31

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2026-04-21 Last update: 2026-06-13 02:32

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 5-day delay is over. Check why.

Created: 2026-05-26 Last update: 2026-06-13 02:31

2 new commits since last upload, is it time to release? normal

vcswatch reports that this package seems to have new commits in its VCS but has not yet updated debian/changelog. You should consider updating the Debian changelog and uploading this new version into the archive.

Here are the relevant commit logs:

commit c4933709551982192625855c5c0649af6a1956b8
Author: Emmanuel Bourg <ebourg@apache.org>
Date:   Thu May 21 09:34:37 2026 +0200

    Upload to unstable

commit 2c87dcbcbd3623191256ded26a101d37aeefdaf0
Author: Emmanuel Bourg <ebourg@apache.org>
Date:   Fri May 15 10:29:25 2026 +0200

    Depend on libtcnative-2 instead of libtcnative-1 (Closes: #1136719)

Created: 2026-05-15 Last update: 2026-06-10 14:00

1 open merge request in Salsa normal

There is 1 open merge request for this package on Salsa. You should consider reviewing and/or merging these merge requests.

Created: 2026-06-03 Last update: 2026-06-03 07:01

lintian reports 14 warnings normal

Lintian reports 14 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2026-05-21 Last update: 2026-05-21 22:00

debian/patches: 6 patches to forward upstream low

Among the 15 debian patches available in version 11.0.22-2 of the package, we noticed the following issues:

6 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2025-03-17 Last update: 2026-05-21 16:30

testing migrations

excuses:
- Migration status for tomcat11 (11.0.21-1 to 11.0.22-2): Will attempt migration due to a hint (Any information below is purely informational)
- Additional info (not blocking):
- ∙ ∙ Updating tomcat11 will fix bugs in testing: #1136719
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/t/tomcat11.html
- ∙ ∙ Reproducibility regression on amd64: libtomcat11-java
- ∙ ∙ Reproducibility issues ignored for src:tomcat11 as requested by elbrus
- ∙ ∙ Reproducibility regression on arm64: libtomcat11-java
- ∙ ∙ Reproducibility issues ignored for src:tomcat11 as requested by elbrus
- ∙ ∙ Reproducibility regression on armhf: libtomcat11-java
- ∙ ∙ Reproducibility issues ignored for src:tomcat11 as requested by elbrus
- ∙ ∙ Reproducibility regression on i386: libtomcat11-java
- ∙ ∙ Reproducibility issues ignored for src:tomcat11 as requested by elbrus
- ∙ ∙ 23 days old (needed 5 days)

news

[rss feed]

[2026-06-08] Accepted tomcat11 11.0.22-1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2026-06-08] Accepted tomcat11 11.0.22-1~deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2026-05-21] Accepted tomcat11 11.0.22-2 (source) into unstable (Emmanuel Bourg)
[2026-05-11] Accepted tomcat11 11.0.22-1 (source) into unstable (Emmanuel Bourg)
[2026-04-20] tomcat11 11.0.21-1 MIGRATED to testing (Debian testing watch)
[2026-04-14] Accepted tomcat11 11.0.21-1 (source) into unstable (Emmanuel Bourg)
[2026-02-08] Accepted tomcat11 11.0.15-1~deb13u1 (source) into proposed-updates (Debian FTP Masters) (signed by: Markus Koschany)
[2026-02-08] tomcat11 11.0.18-1 MIGRATED to testing (Debian testing watch)
[2026-02-05] Accepted tomcat11 11.0.15-1~deb13u1 (source) into stable-security (Debian FTP Masters) (signed by: Markus Koschany)
[2026-02-03] Accepted tomcat11 11.0.18-1 (source) into unstable (Markus Koschany)
[2025-12-24] tomcat11 11.0.15-1 MIGRATED to testing (Debian testing watch)
[2025-12-18] Accepted tomcat11 11.0.15-1 (source) into unstable (Emmanuel Bourg)
[2025-10-04] tomcat11 11.0.11-1 MIGRATED to testing (Debian testing watch)
[2025-09-29] Accepted tomcat11 11.0.11-1 (source) into unstable (Emmanuel Bourg)
[2025-04-09] tomcat11 11.0.6-1 MIGRATED to testing (Debian testing watch)
[2025-04-04] Accepted tomcat11 11.0.6-1 (source) into unstable (Emmanuel Bourg)
[2025-03-22] tomcat11 11.0.5-1 MIGRATED to testing (Debian testing watch)
[2025-03-17] Accepted tomcat11 11.0.5-1 (source) into unstable (Emmanuel Bourg)
[2025-03-16] Accepted tomcat11 11.0.3-1 (source all) into unstable (Debian FTP Masters) (signed by: Emmanuel Bourg)

bugs [bug history graph]

all: 1
RC: 0
I&N: 0
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 14)
buildd: logs, reproducibility
popcon
browse source code
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 11.0.22-2ubuntu2
patches for 11.0.22-2ubuntu2