openSUSE Security Update: tomcat6
______________________________________________________________________________

Announcement ID:    openSUSE-SU-2013:0147-1
Rating:             moderate
References:         #789406 #791423 #791424 #791426 #791679 #793391 #793394
Cross-References:   CVE-2009-2693 CVE-2009-2901 CVE-2009-2902
                    CVE-2012-2733 CVE-2012-3546 CVE-2012-4431
                    CVE-2012-5568 CVE-2012-5885 CVE-2012-5886
                    CVE-2012-5887
Affected Products:
                    openSUSE 11.4/standard/i586/patchinfo.35
______________________________________________________________________________

An update that fixes 10 vulnerabilities is now available.

Description:

- fix bnc#793394 - bypass of security constraints (CVE-2012-3546)
  * apache-tomcat-CVE-2012-3546.patch
    http://svn.apache.org/viewvc?view=revision&revision=1381035
- fix bnc#793391 - bypass of CSRF prevention filter (CVE-2012-4431)
  * apache-tomcat-CVE-2012-4431.patch
    http://svn.apache.org/viewvc?view=revision&revision=1394456
- document how to protect against slowloris DoS
  (CVE-2012-5568/bnc#791679) in README.SUSE
- fixes bnc#791423 - cnonce tracking weakness (CVE-2012-5885)
  bnc#791424 - authentication caching weakness (CVE-2012-5886)
  bnc#791426 - stale nonce weakness (CVE-2012-5887)
  * apache-tomcat-CVE-2009-2693-CVE-2009-2901-CVE-2009-2902.patch
    http://svn.apache.org/viewvc?view=revision&revision=1380829
- fix bnc#789406 - HTTP NIO connector OOM DoS via a request with
  large headers (CVE-2012-2733)
  * http://svn.apache.org/viewvc?view=revision&revision=1356208

Patch Instructions:

To install this openSUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:

- openSUSE 11.4/standard/i586/patchinfo.35:

  zypper in -t patch 2012-24

To bring your system up-to-date, use "zypper patch".

Package List:

- openSUSE 11.4/standard/i586/patchinfo.35 (noarch):

  tomcat6-6.0.32-7.34.1
  tomcat6-admin-webapps-6.0.32-7.34.1
  tomcat6-docs-webapp-6.0.32-7.34.1
  tomcat6-el-1_0-api-6.0.32-7.34.1
  tomcat6-javadoc-6.0.32-7.34.1
  tomcat6-jsp-2_1-api-6.0.32-7.34.1
  tomcat6-lib-6.0.32-7.34.1
  tomcat6-servlet-2_5-api-6.0.32-7.34.1
  tomcat6-webapps-6.0.32-7.34.1

References:

http://support.novell.com/security/cve/CVE-2009-2693.html
http://support.novell.com/security/cve/CVE-2009-2901.html
http://support.novell.com/security/cve/CVE-2009-2902.html
http://support.novell.com/security/cve/CVE-2012-2733.html
http://support.novell.com/security/cve/CVE-2012-3546.html
http://support.novell.com/security/cve/CVE-2012-4431.html
http://support.novell.com/security/cve/CVE-2012-5568.html
http://support.novell.com/security/cve/CVE-2012-5885.html
http://support.novell.com/security/cve/CVE-2012-5886.html
http://support.novell.com/security/cve/CVE-2012-5887.html
https://bugzilla.novell.com/789406
https://bugzilla.novell.com/791423
https://bugzilla.novell.com/791424
https://bugzilla.novell.com/791426
https://bugzilla.novell.com/791679
https://bugzilla.novell.com/793391
https://bugzilla.novell.com/793394