From ea1fd44b734c67fa098e23e59175dc97b5e0eb22 Mon Sep 17 00:00:00 2001 From: mbiuki Date: Thu, 21 May 2026 16:48:29 -0400 Subject: [PATCH] security: upgrade Apache Tomcat from 9.0.113 to 9.0.118 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes six published Apache Tomcat 9.x CVEs that affect 9.0.113: - CVE-2026-29146 (Important) — EncryptInterceptor padding oracle - CVE-2026-34500 (Moderate) — OCSP soft-fail with FFM - CVE-2026-34487 (Low) — Cloud membership exposes K8s bearer token - CVE-2026-34483 (Low) — Incomplete escaping of JSON access logs - CVE-2026-25854 (Low) — Occasional open redirect - CVE-2026-24880 (Low) — Request smuggling via invalid chunk extension All fixes are present in 9.0.117+; bumping to 9.0.118 (latest 9.0.x patch, released 2026-05-10) for currency. Closes #35793 --- parent/pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/parent/pom.xml b/parent/pom.xml index 662e8ef3c6e4..7cbf5cc173df 100644 --- a/parent/pom.xml +++ b/parent/pom.xml @@ -67,7 +67,7 @@ false - 9.0.113 + 9.0.118 ${ext.mvn.environment.name}
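Review bot: The single changed value in the `@@ -67,7 +67,7 @@` hunk of parent/pom.xml (9.0.113 to 9.0.118) is the only line this patch touches, and nothing in the diff shows that every module and packaged artifact resolves its Tomcat version from this value. Before merging, check the resolved dependency tree (for example with `mvn dependency:tree`) for any remaining 9.0.113 Tomcat artifacts. The commit message states the six fixes are present in 9.0.117+, so a build-time check that rejects any Tomcat version below 9.0.117 would keep a later override or downgrade from silently reintroducing them. The message would also be easier to audit if it linked the Apache Tomcat 9 security advisory that its CVE list and severities are taken from.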