tomcat-9.0.82-2.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13382 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z tomcat-9.0.82-2.1 on GA media These are all security issues fixed in the tomcat-9.0.82-2.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13382 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13382 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2023-42794/ SUSE CVE CVE-2023-42794 page https://www.suse.com/security/cve/CVE-2023-42795/ SUSE CVE CVE-2023-42795 page https://www.suse.com/security/cve/CVE-2023-45648/ SUSE CVE CVE-2023-45648 page openSUSE Tumbleweed tomcat-9.0.82-2.1 tomcat-admin-webapps-9.0.82-2.1 tomcat-docs-webapp-9.0.82-2.1 tomcat-el-3_0-api-9.0.82-2.1 tomcat-embed-9.0.82-2.1 tomcat-javadoc-9.0.82-2.1 tomcat-jsp-2_3-api-9.0.82-2.1 tomcat-jsvc-9.0.82-2.1 tomcat-lib-9.0.82-2.1 tomcat-servlet-4_0-api-9.0.82-2.1 tomcat-webapps-9.0.82-2.1 tomcat-9.0.82-2.1 as a component of openSUSE Tumbleweed tomcat-admin-webapps-9.0.82-2.1 as a component of openSUSE Tumbleweed tomcat-docs-webapp-9.0.82-2.1 as a component of openSUSE Tumbleweed tomcat-el-3_0-api-9.0.82-2.1 as a component of openSUSE Tumbleweed tomcat-embed-9.0.82-2.1 as a component of openSUSE Tumbleweed tomcat-javadoc-9.0.82-2.1 as a component of openSUSE Tumbleweed tomcat-jsp-2_3-api-9.0.82-2.1 as a component of openSUSE Tumbleweed tomcat-jsvc-9.0.82-2.1 as a component of openSUSE Tumbleweed tomcat-lib-9.0.82-2.1 as a component of openSUSE Tumbleweed tomcat-servlet-4_0-api-9.0.82-2.1 as a component of openSUSE Tumbleweed tomcat-webapps-9.0.82-2.1 as a component of openSUSE Tumbleweed Incomplete Cleanup vulnerability in Apache Tomcat. The internal fork of Commons FileUpload packaged with Apache Tomcat 9.0.70 through 9.0.80 and 8.5.85 through 8.5.93 included an unreleased, in progress refactoring that exposed a potential denial of service on Windows if a web application opened a stream for an uploaded file but failed to close the stream. The file would never be deleted from disk creating the possibility of an eventual denial of service due to the disk being full. Users are recommended to upgrade to version 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. CVE-2023-42794 openSUSE Tumbleweed:tomcat-9.0.82-2.1 openSUSE Tumbleweed:tomcat-admin-webapps-9.0.82-2.1 openSUSE Tumbleweed:tomcat-docs-webapp-9.0.82-2.1 openSUSE Tumbleweed:tomcat-el-3_0-api-9.0.82-2.1 openSUSE Tumbleweed:tomcat-embed-9.0.82-2.1 openSUSE Tumbleweed:tomcat-javadoc-9.0.82-2.1 openSUSE Tumbleweed:tomcat-jsp-2_3-api-9.0.82-2.1 openSUSE Tumbleweed:tomcat-jsvc-9.0.82-2.1 openSUSE Tumbleweed:tomcat-lib-9.0.82-2.1 openSUSE Tumbleweed:tomcat-servlet-4_0-api-9.0.82-2.1 openSUSE Tumbleweed:tomcat-webapps-9.0.82-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-42794.html CVE-2023-42794 https://bugzilla.suse.com/1216120 SUSE Bug 1216120 Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from 8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to information leaking from the current request/response to the next. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue. CVE-2023-42795 openSUSE Tumbleweed:tomcat-9.0.82-2.1 openSUSE Tumbleweed:tomcat-admin-webapps-9.0.82-2.1 openSUSE Tumbleweed:tomcat-docs-webapp-9.0.82-2.1 openSUSE Tumbleweed:tomcat-el-3_0-api-9.0.82-2.1 openSUSE Tumbleweed:tomcat-embed-9.0.82-2.1 openSUSE Tumbleweed:tomcat-javadoc-9.0.82-2.1 openSUSE Tumbleweed:tomcat-jsp-2_3-api-9.0.82-2.1 openSUSE Tumbleweed:tomcat-jsvc-9.0.82-2.1 openSUSE Tumbleweed:tomcat-lib-9.0.82-2.1 openSUSE Tumbleweed:tomcat-servlet-4_0-api-9.0.82-2.1 openSUSE Tumbleweed:tomcat-webapps-9.0.82-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-42795.html CVE-2023-42795 https://bugzilla.suse.com/1216119 SUSE Bug 1216119 Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.81 and from 8.5.0 through 8.5.93 did not correctly parse HTTP trailer headers. A specially crafted, invalid trailer header could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fix the issue. CVE-2023-45648 openSUSE Tumbleweed:tomcat-9.0.82-2.1 openSUSE Tumbleweed:tomcat-admin-webapps-9.0.82-2.1 openSUSE Tumbleweed:tomcat-docs-webapp-9.0.82-2.1 openSUSE Tumbleweed:tomcat-el-3_0-api-9.0.82-2.1 openSUSE Tumbleweed:tomcat-embed-9.0.82-2.1 openSUSE Tumbleweed:tomcat-javadoc-9.0.82-2.1 openSUSE Tumbleweed:tomcat-jsp-2_3-api-9.0.82-2.1 openSUSE Tumbleweed:tomcat-jsvc-9.0.82-2.1 openSUSE Tumbleweed:tomcat-lib-9.0.82-2.1 openSUSE Tumbleweed:tomcat-servlet-4_0-api-9.0.82-2.1 openSUSE Tumbleweed:tomcat-webapps-9.0.82-2.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2023-45648.html CVE-2023-45648 https://bugzilla.suse.com/1216118 SUSE Bug 1216118