openSUSE Security Update: update for tomcat
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2012:1701-1
Rating:             moderate
References:         #779538 #789406 #791423 #791424 #791426 #791679
                    #793391 #793394
Cross-References:   CVE-2009-2693 CVE-2009-2901 CVE-2009-2902 CVE-2012-2733
                    CVE-2012-3546 CVE-2012-4431 CVE-2012-5568 CVE-2012-5885
                    CVE-2012-5886 CVE-2012-5887
Affected Products:
                    openSUSE 12.2
______________________________________________________________________________

   An update that fixes 10 vulnerabilities is now available.

Description:

   - fix bnc#793394 - bypass of security constraints (CVE-2012-3546)
     * tomcat-CVE-2012-3546.patch
       http://svn.apache.org/viewvc?view=revision&revision=1377892
   - fix bnc#793391 - bypass of CSRF prevention filter (CVE-2012-4431)
     * tomcat-CVE-2012-4431.patch
       http://svn.apache.org/viewvc?view=revision&revision=1393088
   - document how to protect against slowloris DoS (CVE-2012-5568/bnc#791679)
     in README.SUSE
   - fixes bnc#791423 - cnonce tracking weakness (CVE-2012-5885)
           bnc#791424 - authentication caching weakness (CVE-2012-5886)
           bnc#791426 - stale nonce weakness (CVE-2012-5887)
     * tomcat-dont-parse-user-name-twice.patch
       http://svn.apache.org/viewvc?view=revision&revision=1366723
     * tomcat-CVE-2009-2693-CVE-2009-2901-CVE-2009-2902.patch
       http://svn.apache.org/viewvc?view=revision&revision=1377807
   - fix bnc#789406: HTTP NIO connector OOM DoS via a request with large
     headers (CVE-2012-2733)
     * http://svn.apache.org/viewvc?view=revision&revision=1350301
   - fix bnc#779538 - Tomcat7 default current workdir isn't /usr/share/tomcat

Patch Instructions:

   To install this openSUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - openSUSE 12.2:

      zypper in -t patch openSUSE-2012-883

   To bring your system up-to-date, use "zypper patch".
Package List:

   - openSUSE 12.2 (noarch):

      tomcat-7.0.27-2.9.1
      tomcat-admin-webapps-7.0.27-2.9.1
      tomcat-docs-webapp-7.0.27-2.9.1
      tomcat-el-2_2-api-7.0.27-2.9.1
      tomcat-javadoc-7.0.27-2.9.1
      tomcat-jsp-2_2-api-7.0.27-2.9.1
      tomcat-jsvc-7.0.27-2.9.1
      tomcat-lib-7.0.27-2.9.1
      tomcat-servlet-3_0-api-7.0.27-2.9.1
      tomcat-webapps-7.0.27-2.9.1

References:

   http://support.novell.com/security/cve/CVE-2009-2693.html
   http://support.novell.com/security/cve/CVE-2009-2901.html
   http://support.novell.com/security/cve/CVE-2009-2902.html
   http://support.novell.com/security/cve/CVE-2012-2733.html
   http://support.novell.com/security/cve/CVE-2012-3546.html
   http://support.novell.com/security/cve/CVE-2012-4431.html
   http://support.novell.com/security/cve/CVE-2012-5568.html
   http://support.novell.com/security/cve/CVE-2012-5885.html
   http://support.novell.com/security/cve/CVE-2012-5886.html
   http://support.novell.com/security/cve/CVE-2012-5887.html
   https://bugzilla.novell.com/779538
   https://bugzilla.novell.com/789406
   https://bugzilla.novell.com/791423
   https://bugzilla.novell.com/791424
   https://bugzilla.novell.com/791426
   https://bugzilla.novell.com/791679
   https://bugzilla.novell.com/793391
   https://bugzilla.novell.com/793394
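After applying the patch, an administrator will want to confirm that every tomcat package on the host is at or above the fixed version-release from the Package List above (7.0.27-2.9.1). The script below is an added example for this advisory, not part of the announcement or of the openSUSE tooling. It compares RPM "VERSION-RELEASE" strings field by field and reports packages still below the fixed build. The sample query output embedded in it is constructed for offline use; on a real system the same lines come from the rpm query shown in the comment.

```shell
#!/bin/sh
# Fixed version-release for openSUSE 12.2 (noarch), taken from the advisory's
# Package List (every tomcat-* package there carries 7.0.27-2.9.1).
FIXED_TOMCAT_EVR="7.0.27-2.9.1"

# version_ge A B: returns 0 (true) when A >= B, 1 otherwise.
# Splits both strings on '.' and '-' and compares the numeric fields in order,
# treating a missing trailing field as 0. This is a simplified comparison
# (no epoch, no alphabetic segments), sufficient for the build strings in
# this advisory; for the full RPM algorithm use rpmdev-vercmp where available.
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, fa, /[.-]/); nb = split(b, fb, /[.-]/)
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? fa[i] + 0 : 0
            y = (i <= nb) ? fb[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# vulnerable_packages INPUT: INPUT holds one "NAME VERSION-RELEASE" line per
# installed tomcat package; prints the names whose build is below the fix.
vulnerable_packages() {
    printf '%s\n' "$1" | while read -r name evr; do
        [ -z "$name" ] && continue
        if ! version_ge "$evr" "$FIXED_TOMCAT_EVR"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample of what the following live query would print on a host
# where only tomcat-webapps has already been updated:
#   rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'tomcat*'
SAMPLE_RPM_OUTPUT="tomcat 7.0.27-2.8.1
tomcat-lib 7.0.27-2.8.1
tomcat-webapps 7.0.27-2.9.1"

# Report: lists tomcat and tomcat-lib for the sample above.
vulnerable_packages "$SAMPLE_RPM_OUTPUT"
```

To run it against a live host, replace the constructed SAMPLE_RPM_OUTPUT with the output of the rpm query in the comment; an empty report means every installed tomcat package is at or beyond the build shipped by openSUSE-2012-883.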