SUSE-SU-2024:0472-1
Vulnerability Summary
Description
Security update for tomcat

This update for tomcat fixes the following issues:

Updated to Tomcat 9.0.85:
- CVE-2023-45648: Improve trailer header parsing (bsc#1216118).
- CVE-2023-42794: FileUpload: remove tmp files to avoid DoS on Windows (bsc#1216120).
- CVE-2023-42795: Improve handling of failures during recycle() methods (bsc#1216119).
- CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing (bsc#1217649).
- CVE-2024-22029: Fixed escalation to root from the tomcat user via the %post script (bsc#1219208).

The following non-security issues were fixed:
- Fixed the file permissions for server.xml (bsc#1217768, bsc#1217402).

Find the full release notes at: https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
Affected Systems
- openSUSE Leap 15.5: tomcat < 9.0.85-150200.57.1
- SUSE Enterprise Storage 7.1: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise High Performance Computing 15 SP2-LTSS: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise Module for Web and Scripting 15 SP5: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise Server 15 SP2-LTSS: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise Server 15 SP3-LTSS: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise Server 15 SP4-LTSS: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP2: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP3: tomcat < 9.0.85-150200.57.1
- SUSE Linux Enterprise Server for SAP Applications 15 SP4: tomcat < 9.0.85-150200.57.1
- SUSE Manager Server 4.3: tomcat < 9.0.85-150200.57.1
References (13)
- https://www.suse.com/support/update/announcement/2024/suse-su-20240472-1/
- https://bugzilla.suse.com/1216118
- https://bugzilla.suse.com/1216119
- https://bugzilla.suse.com/1216120
- https://bugzilla.suse.com/1217402
- https://bugzilla.suse.com/1217649
- https://bugzilla.suse.com/1217768
- https://bugzilla.suse.com/1219208
- https://www.suse.com/security/cve/CVE-2023-42794
- https://www.suse.com/security/cve/CVE-2023-42795
- https://www.suse.com/security/cve/CVE-2023-45648
- https://www.suse.com/security/cve/CVE-2023-46589
- https://www.suse.com/security/cve/CVE-2024-22029