ALAS2023-2026-1595


Amazon Linux 2023 Security Advisory: ALAS2023-2026-1595
Advisory Released Date: 2026-04-30
Advisory Updated Date: 2026-04-30
Severity: Medium

Issue Overview:

A vulnerability in Apache Tomcat and Apache Tomcat Native: CLIENT_CERT authentication does not fail as expected in some scenarios when soft fail is disabled.

This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.18, from 10.1.0-M7 through 10.1.52, from 9.0.83 through 9.0.115; Apache Tomcat Native: from 1.1.23 through 1.1.34, from 1.2.0 through 1.2.39, from 1.3.0 through 1.3.6, from 2.0.0 through 2.0.13.

Users are advised to upgrade to Tomcat Native 1.3.7 or 2.0.14 and to Tomcat 11.0.20, 10.1.53 and 9.0.116, which fix the issue. (CVE-2026-29145)
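To check an inventory against the affected ranges listed above, the following added example (not part of the advisory and not Amazon or Apache tooling) classifies version strings, including milestone builds, and RPM package strings. The function names, host names and the 2.0.9 package string are constructed for illustration.

```python
import re

# Affected ranges as stated in the advisory text, inclusive at both ends.
AFFECTED = {
    "tomcat": [("11.0.0-M1", "11.0.18"), ("10.1.0-M7", "10.1.52"),
               ("9.0.83", "9.0.115")],
    "tomcat-native": [("1.1.23", "1.1.34"), ("1.2.0", "1.2.39"),
                      ("1.3.0", "1.3.6"), ("2.0.0", "2.0.13")],
}

def parse_version(text):
    """Sortable key; a milestone build x.y.z-Mn sorts before release x.y.z."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, milestone = m.groups()
    # Releases get (1, 0) so they rank above every milestone (0, n).
    tail = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + tail

def is_affected(product, version):
    """True if version lies inside one of the advisory's ranges for product."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED[product])

def version_from_nvra(nvra, name="tomcat-native"):
    """Upstream version from an RPM name-version-release.arch string, or None
    when the string belongs to another package (e.g. the -debuginfo subpackage)."""
    m = re.fullmatch(re.escape(name) + r"-(\d+\.\d+\.\d+)-[^-]+\.[^.]+", nvra)
    return m.group(1) if m else None

def hosts_needing_update(inventory):
    """Hosts whose installed tomcat-native falls in an affected range."""
    flagged = []
    for host, nvra in inventory:
        version = version_from_nvra(nvra)
        if version and is_affected("tomcat-native", version):
            flagged.append(host)
    return flagged

# Constructed sample inventory: (host, `rpm -q tomcat-native` output).
INVENTORY = [
    ("host-a", "tomcat-native-2.0.14-4.amzn2023.0.1.x86_64"),  # from New Packages
    ("host-b", "tomcat-native-2.0.9-1.example.aarch64"),       # constructed
]

if __name__ == "__main__":
    print(hosts_needing_update(INVENTORY))
```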


Affected Packages:

tomcat-native


Issue Correction:
Run dnf update tomcat-native --releasever 2023.11.20260427 or dnf update --advisory ALAS2023-2026-1595 --releasever 2023.11.20260427 to update your system.
More information on how to update your system can be found on this page: Amazon Linux 2023 documentation

New Packages:
aarch64:
    tomcat-native-debuginfo-2.0.14-4.amzn2023.0.1.aarch64
    tomcat-native-2.0.14-4.amzn2023.0.1.aarch64
    tomcat-native-debugsource-2.0.14-4.amzn2023.0.1.aarch64

src:
    tomcat-native-2.0.14-4.amzn2023.0.1.src

x86_64:
    tomcat-native-debuginfo-2.0.14-4.amzn2023.0.1.x86_64
    tomcat-native-debugsource-2.0.14-4.amzn2023.0.1.x86_64
    tomcat-native-2.0.14-4.amzn2023.0.1.x86_64