Mailinglist Archive: opensuse-updates (64 mails)

openSUSE-SU-2012:1701-1: moderate: update for tomcat
openSUSE Security Update: update for tomcat
______________________________________________________________________________

Announcement ID: openSUSE-SU-2012:1701-1
Rating: moderate
References: #779538 #789406 #791423 #791424 #791426 #791679 #793391 #793394
Cross-References: CVE-2009-2693 CVE-2009-2901 CVE-2009-2902 CVE-2012-2733 CVE-2012-3546 CVE-2012-4431 CVE-2012-5568 CVE-2012-5885 CVE-2012-5886 CVE-2012-5887
Affected Products:
openSUSE 12.2
______________________________________________________________________________

An update that fixes 10 vulnerabilities is now available.

Description:

- fix bnc#793394 - bypass of security constraints (CVE-2012-3546)
  * tomcat-CVE-2012-3546.patch
    http://svn.apache.org/viewvc?view=revision&revision=1377892

- fix bnc#793391 - bypass of CSRF prevention filter (CVE-2012-4431)
  * tomcat-CVE-2012-4431.patch
    http://svn.apache.org/viewvc?view=revision&revision=1393088

- document how to protect against slowloris DoS (CVE-2012-5568/bnc#791679) in README.SUSE

- fix bnc#791423 - cnonce tracking weakness (CVE-2012-5885),
  bnc#791424 - authentication caching weakness (CVE-2012-5886) and
  bnc#791426 - stale nonce weakness (CVE-2012-5887)
  * tomcat-dont-parse-user-name-twice.patch
    http://svn.apache.org/viewvc?view=revision&revision=1366723
  * tomcat-CVE-2009-2693-CVE-2009-2901-CVE-2009-2902.patch
    http://svn.apache.org/viewvc?view=revision&revision=1377807

- fix bnc#789406: HTTP NIO connector OOM DoS via a request with large headers (CVE-2012-2733)
  * http://svn.apache.org/viewvc?view=revision&revision=1350301

- fix bnc#779538 - Tomcat7 default current workdir isn't /usr/share/tomcat


Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 12.2:

zypper in -t patch openSUSE-2012-883

To bring your system up-to-date, use "zypper patch".


Package List:

- openSUSE 12.2 (noarch):

tomcat-7.0.27-2.9.1
tomcat-admin-webapps-7.0.27-2.9.1
tomcat-docs-webapp-7.0.27-2.9.1
tomcat-el-2_2-api-7.0.27-2.9.1
tomcat-javadoc-7.0.27-2.9.1
tomcat-jsp-2_2-api-7.0.27-2.9.1
tomcat-jsvc-7.0.27-2.9.1
tomcat-lib-7.0.27-2.9.1
tomcat-servlet-3_0-api-7.0.27-2.9.1
tomcat-webapps-7.0.27-2.9.1
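As an added example (not part of the advisory or the openSUSE project's tooling), a small audit that takes the output of `rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` for the packages listed above and reports which are still below the fixed version 7.0.27-2.9.1. The version comparison is a simplified rpmvercmp (epochs and tilde ordering are ignored), and the sample rpm output embedded at the bottom is constructed, not taken from a real host.

```python
import re

# Fixed version-release and package names from openSUSE-SU-2012:1701-1.
FIXED_VR = "7.0.27-2.9.1"
ADVISORY_PACKAGES = [
    "tomcat", "tomcat-admin-webapps", "tomcat-docs-webapp", "tomcat-el-2_2-api",
    "tomcat-javadoc", "tomcat-jsp-2_2-api", "tomcat-jsvc", "tomcat-lib",
    "tomcat-servlet-3_0-api", "tomcat-webapps",
]

def _cmp_segments(a, b):
    """Simplified rpmvercmp: split into numeric/alpha runs and compare pairwise
    (numbers numerically, letters lexically, numeric runs sort after alpha runs)."""
    sa = re.findall(r"\d+|[A-Za-z]+", a)
    sb = re.findall(r"\d+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:
            return (int(x) > int(y)) - (int(x) < int(y))
        if xd != yd:
            return 1 if xd else -1
        return (x > y) - (x < y)
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def vr_cmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = a.split("-", 1) if "-" in a else (a, "")
    vb, rb = b.split("-", 1) if "-" in b else (b, "")
    return _cmp_segments(va, vb) or _cmp_segments(ra, rb)

def audit(rpm_output):
    """Map each advisory package to 'patched', 'vulnerable' or 'not installed'.
    Lines that are not '<name> <version-release>' (e.g. rpm's 'package X is not
    installed') are skipped."""
    installed = {}
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            installed[parts[0]] = parts[1]
    status = {}
    for name in ADVISORY_PACKAGES:
        vr = installed.get(name)
        if vr is None:
            status[name] = "not installed"
        else:
            status[name] = "patched" if vr_cmp(vr, FIXED_VR) >= 0 else "vulnerable"
    return status

# Constructed sample rpm output (hypothetical host): one package left unpatched.
SAMPLE = "tomcat 7.0.27-2.9.1\ntomcat-lib 7.0.27-2.3.1\ntomcat-webapps 7.0.27-2.9.1\n"
```

Running `audit(SAMPLE)` on the sample reports tomcat-lib as vulnerable and the packages absent from the output as not installed.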


References:

http://support.novell.com/security/cve/CVE-2009-2693.html
http://support.novell.com/security/cve/CVE-2009-2901.html
http://support.novell.com/security/cve/CVE-2009-2902.html
http://support.novell.com/security/cve/CVE-2012-2733.html
http://support.novell.com/security/cve/CVE-2012-3546.html
http://support.novell.com/security/cve/CVE-2012-4431.html
http://support.novell.com/security/cve/CVE-2012-5568.html
http://support.novell.com/security/cve/CVE-2012-5885.html
http://support.novell.com/security/cve/CVE-2012-5886.html
http://support.novell.com/security/cve/CVE-2012-5887.html
https://bugzilla.novell.com/779538
https://bugzilla.novell.com/789406
https://bugzilla.novell.com/791423
https://bugzilla.novell.com/791424
https://bugzilla.novell.com/791426
https://bugzilla.novell.com/791679
https://bugzilla.novell.com/793391
https://bugzilla.novell.com/793394

