tomcat-9.0.87-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:13832 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z tomcat-9.0.87-1.1 on GA media These are all security issues fixed in the tomcat-9.0.87-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-13832 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:13832 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2024-23672/ SUSE CVE CVE-2024-23672 page https://www.suse.com/security/cve/CVE-2024-24549/ SUSE CVE CVE-2024-24549 page openSUSE Tumbleweed tomcat-9.0.87-1.1 tomcat-admin-webapps-9.0.87-1.1 tomcat-docs-webapp-9.0.87-1.1 tomcat-el-3_0-api-9.0.87-1.1 tomcat-embed-9.0.87-1.1 tomcat-javadoc-9.0.87-1.1 tomcat-jsp-2_3-api-9.0.87-1.1 tomcat-jsvc-9.0.87-1.1 tomcat-lib-9.0.87-1.1 tomcat-servlet-4_0-api-9.0.87-1.1 tomcat-webapps-9.0.87-1.1 tomcat-9.0.87-1.1 as a component of openSUSE Tumbleweed tomcat-admin-webapps-9.0.87-1.1 as a component of openSUSE Tumbleweed tomcat-docs-webapp-9.0.87-1.1 as a component of openSUSE Tumbleweed tomcat-el-3_0-api-9.0.87-1.1 as a component of openSUSE Tumbleweed tomcat-embed-9.0.87-1.1 as a component of openSUSE Tumbleweed tomcat-javadoc-9.0.87-1.1 as a component of openSUSE Tumbleweed tomcat-jsp-2_3-api-9.0.87-1.1 as a component of openSUSE Tumbleweed tomcat-jsvc-9.0.87-1.1 as a component of openSUSE Tumbleweed tomcat-lib-9.0.87-1.1 as a component of openSUSE Tumbleweed tomcat-servlet-4_0-api-9.0.87-1.1 as a component of openSUSE Tumbleweed tomcat-webapps-9.0.87-1.1 as a component of openSUSE Tumbleweed Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. CVE-2024-23672 openSUSE Tumbleweed:tomcat-9.0.87-1.1 openSUSE Tumbleweed:tomcat-admin-webapps-9.0.87-1.1 openSUSE Tumbleweed:tomcat-docs-webapp-9.0.87-1.1 openSUSE Tumbleweed:tomcat-el-3_0-api-9.0.87-1.1 openSUSE Tumbleweed:tomcat-embed-9.0.87-1.1 openSUSE Tumbleweed:tomcat-javadoc-9.0.87-1.1 openSUSE Tumbleweed:tomcat-jsp-2_3-api-9.0.87-1.1 openSUSE Tumbleweed:tomcat-jsvc-9.0.87-1.1 openSUSE Tumbleweed:tomcat-lib-9.0.87-1.1 openSUSE Tumbleweed:tomcat-servlet-4_0-api-9.0.87-1.1 openSUSE Tumbleweed:tomcat-webapps-9.0.87-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-23672.html CVE-2024-23672 https://bugzilla.suse.com/1221385 SUSE Bug 1221385 Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98. Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue. CVE-2024-24549 openSUSE Tumbleweed:tomcat-9.0.87-1.1 openSUSE Tumbleweed:tomcat-admin-webapps-9.0.87-1.1 openSUSE Tumbleweed:tomcat-docs-webapp-9.0.87-1.1 openSUSE Tumbleweed:tomcat-el-3_0-api-9.0.87-1.1 openSUSE Tumbleweed:tomcat-embed-9.0.87-1.1 openSUSE Tumbleweed:tomcat-javadoc-9.0.87-1.1 openSUSE Tumbleweed:tomcat-jsp-2_3-api-9.0.87-1.1 openSUSE Tumbleweed:tomcat-jsvc-9.0.87-1.1 openSUSE Tumbleweed:tomcat-lib-9.0.87-1.1 openSUSE Tumbleweed:tomcat-servlet-4_0-api-9.0.87-1.1 openSUSE Tumbleweed:tomcat-webapps-9.0.87-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2024-24549.html CVE-2024-24549 https://bugzilla.suse.com/1221386 SUSE Bug 1221386