MGASA-2026-0095 Updated tomcat packages fix security vulnerabilities

Request smuggling via invalid chunk extension. CVE-2026-24880 Occasionally open redirect. CVE-2026-25854 TLS cipher order is not preserved. CVE-2026-29129 OCSP checks sometimes soft-fail even when soft-fail is disabled. CVE-2026-29145 EncryptInterceptor vulnerable to padding oracle attack by...

org.apache.tomee.bom:tomee-microprofile (>=10.0.0 <=10.0.0-M3), org.apache.tomee.bom:tomee-plume (>=10.0.0 <=10.0.0-M3) +2 more potentially affected by CVE-2026-34500 via org.apache.tomcat:tomcat-coyote-ffm (>=10.1.30 <=10.1.52)

org.apache.tomcat:tomcat-coyote-ffm MAVEN version =10.1.30, =10.0.0, =10.0.0, =10.0.0, =10.0.0, =10.1.4 Source cves: CVE-2026-34500 Source advisory: OSV:GHSA-24J9-X2WG-9QV6...

org.apache.tomee.bom:tomee-microprofile (>=10.0.0 <=10.0.0-M3), org.apache.tomee.bom:tomee-plume (>=10.0.0 <=10.0.0-M3) +2 more potentially affected by CVE-2026-29145 via org.apache.tomcat:tomcat-coyote-ffm (>=10.1.30 <=10.1.52)

org.apache.tomcat:tomcat-coyote-ffm MAVEN version =10.1.30, =10.0.0, =10.0.0, =10.0.0, =10.0.0, =10.1.4 Source cves: CVE-2026-29145 Source advisory: SNYK:JAVA-ORGAPACHETOMCAT-15989807...

CVE-2026-24734

A flaw was found in Apache Tomcat. When an Online Certificate Status Protocol OCSP responder is used, the Tomcat Native component, and Tomcat's FFM port of the Tomcat Native code, does not properly verify or check the freshness of the OCSP response. This improper input validation vulnerability...

org.apache.tomee.bom:tomee-microprofile (>=10.0.0 <=10.0.0-M3), org.apache.tomee.bom:tomee-plume (>=10.0.0 <=10.0.0-M3) +2 more potentially affected by CVE-2026-24734 via org.apache.tomcat:tomcat-coyote-ffm (>=10.1.30 <=10.1.49)

org.apache.tomcat:tomcat-coyote-ffm MAVEN version =10.1.30, =10.0.0, =10.0.0, =10.0.0, =10.0.0, =10.1.3 Source cves: CVE-2026-24734 Source advisory: SNYK:JAVA-ORGAPACHETOMCAT-15307823...

Fixed in Apache Tomcat 10.1.52

Moderate: Incomplete OCSP verification checks CVE-2026-24734 When using an OCSP responder, Tomcat's FFM integration with OpenSSL did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. Affects: 10.1.0-M7 to 10.1.51 This issue...

Fixed in Apache Tomcat 9.0.115

Moderate: Incomplete OCSP verification checks CVE-2026-24734 When using an OCSP responder, Tomcat's FFM integration with OpenSSL did not complete verification or freshness checks on the OCSP response which could allow certificate revocation to be bypassed. Affects: 9.0.83 to 9.0.114 This issue wa...

FFM (Freedom Fighting Mode) - Open Source Hacking Harness

FFM is a hacking harness that you can use during the post-exploitation phase of a red-teaming engagement. The idea of the tool was derived from a 2007 conference from @thegrugq. It was presented at SSTIC 2018 and the accompanying slide deck is available at this url. If you're not familiar with th...

CVE-2007-6519

Unspecified vulnerability in the File-on-File Mounting File System FFM in HP Tru64 UNIX 5.1B-4 and 5.1B-3 allows local users to cause a denial of service system crash via unspecified vectors...

CVE-2007-6519

The CVE concerns HP Tru64 UNIX, specifically the File-on-File Mounting File System (FFM) in versions 5.1B-4 and 5.1B-3. The vulnerability is described as unspecified and locally exploitable, causing a denial of service (system crash) via unspecified vectors. The connected documents do not provide...

[security bulletin] HPSBTU02300 SSRT071452 rev.1 - HP Tru64 UNIX running FFM, Local Denial of Service &#40;Dos&#41;

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01310389 Version: 1 HPSBTU02300 SSRT071452 rev.1 - HP Tru64 UNIX running FFM, Local Denial of Service Dos NOTICE: The information in this Security Bulletin should be acted upon as soon as possibl...