From 07107dbc1d26accf3ebc725ac9a5a97b362795a2 Mon Sep 17 00:00:00 2001 From: mbiuki Date: Thu, 21 May 2026 17:08:44 -0400 Subject: [PATCH] security: upgrade Apache Tomcat from 9.0.113 to 9.0.118 (LTS backport) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Backport of #35796 to the 24.12.27 LTS line. Fixes six published Apache Tomcat 9.x CVEs that affect 9.0.113: - CVE-2026-29146 (Important) — EncryptInterceptor padding oracle - CVE-2026-34500 (Moderate) — OCSP soft-fail with FFM - CVE-2026-34487 (Low) — Cloud membership exposes K8s bearer token - CVE-2026-34483 (Low) — Incomplete escaping of JSON access logs - CVE-2026-25854 (Low) — Occasional open redirect - CVE-2026-24880 (Low) — Request smuggling via invalid chunk extension Refs #35793 --- parent/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parent/pom.xml b/parent/pom.xml index 191321075090..0e8dd406b73e 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -61,7 +61,7 @@ false - 9.0.113 + 9.0.118 ${ext.mvn.environment.name}
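Review bot: The single value change in the parent/pom.xml hunk (9.0.113 to 9.0.118 at @@ -61,7) only delivers the six listed CVE fixes if every Tomcat artifact in the build takes its version from this one property, and nothing in the patch shows that. Please confirm that no module or bundled dependency on the 24.12.27 LTS line pins a Tomcat version separately, for example by attaching the output of `mvn dependency:tree -Dincludes=org.apache.tomcat*` from the branch after the bump. Since the diff contains no test or configuration change, it would also help to state in the description whether any behaviour change between 9.0.113 and 9.0.118 was checked against the LTS configuration.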