Security update for tomcat6
SUSE Patch
security@suse.de
SUSE Security Team
SUSE-SU-2016:2229-1
Final
1
1
2016-09-02T15:32:51Z
current
2016-09-02T15:32:51Z
2016-09-02T15:32:51Z
cve-database/bin/generate-cvrf.pl
2017-02-24T01:00:00Z
Security update for tomcat6
This update for tomcat6 fixes the following issue:
- CVE-2016-5388 Setting HTTP_PROXY environment variable via Proxy header (bsc#988489)
The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
slessp4-tomcat-12727
Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0)
https://www.suse.com/support/update/announcement/2016/suse-su-20162229-1/
Link for SUSE-SU-2016:2229-1
https://lists.suse.com/pipermail/sle-security-updates/2016-September/002253.html
E-Mail link for SUSE-SU-2016:2229-1
https://www.suse.com/support/security/rating/
SUSE Security Ratings
https://bugzilla.suse.com/988489
SUSE Bug 988489
https://www.suse.com/security/cve/CVE-2016-5388/
SUSE CVE CVE-2016-5388 page
SUSE Linux Enterprise Server 11 SP4
SUSE Linux Enterprise Server for SAP Applications 11 SP4
tomcat6-6.0.45-0.53.2
tomcat6-admin-webapps-6.0.45-0.53.2
tomcat6-docs-webapp-6.0.45-0.53.2
tomcat6-javadoc-6.0.45-0.53.2
tomcat6-jsp-2_1-api-6.0.45-0.53.2
tomcat6-lib-6.0.45-0.53.2
tomcat6-servlet-2_5-api-6.0.45-0.53.2
tomcat6-webapps-6.0.45-0.53.2
tomcat6-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4
tomcat6-admin-webapps-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4
tomcat6-docs-webapp-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4
tomcat6-javadoc-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4
tomcat6-jsp-2_1-api-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4
tomcat6-lib-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4
tomcat6-servlet-2_5-api-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4
tomcat6-webapps-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4
tomcat6-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4
tomcat6-admin-webapps-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4
tomcat6-docs-webapp-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4
tomcat6-javadoc-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4
tomcat6-jsp-2_1-api-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4
tomcat6-lib-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4
tomcat6-servlet-2_5-api-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4
tomcat6-webapps-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
CVE-2016-5388
SUSE Linux Enterprise Server 11 SP4:tomcat6-6.0.45-0.53.2
SUSE Linux Enterprise Server 11 SP4:tomcat6-admin-webapps-6.0.45-0.53.2
SUSE Linux Enterprise Server 11 SP4:tomcat6-docs-webapp-6.0.45-0.53.2
SUSE Linux Enterprise Server 11 SP4:tomcat6-javadoc-6.0.45-0.53.2
SUSE Linux Enterprise Server 11 SP4:tomcat6-jsp-2_1-api-6.0.45-0.53.2
SUSE Linux Enterprise Server 11 SP4:tomcat6-lib-6.0.45-0.53.2
SUSE Linux Enterprise Server 11 SP4:tomcat6-servlet-2_5-api-6.0.45-0.53.2
SUSE Linux Enterprise Server 11 SP4:tomcat6-webapps-6.0.45-0.53.2
SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-6.0.45-0.53.2
SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-admin-webapps-6.0.45-0.53.2
SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-docs-webapp-6.0.45-0.53.2
SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-javadoc-6.0.45-0.53.2
SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-jsp-2_1-api-6.0.45-0.53.2
SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-lib-6.0.45-0.53.2
SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-servlet-2_5-api-6.0.45-0.53.2
SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-webapps-6.0.45-0.53.2
moderate
5
AV:N/AC:L/Au:N/C:N/I:P/A:N
To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
https://www.suse.com/support/update/announcement/2016/suse-su-20162229-1/
https://www.suse.com/security/cve/CVE-2016-5388.html
CVE-2016-5388
https://bugzilla.suse.com/988484
SUSE Bug 988484
https://bugzilla.suse.com/988486
SUSE Bug 988486
https://bugzilla.suse.com/988487
SUSE Bug 988487
https://bugzilla.suse.com/988488
SUSE Bug 988488
https://bugzilla.suse.com/988489
SUSE Bug 988489
https://bugzilla.suse.com/988491
SUSE Bug 988491
https://bugzilla.suse.com/988492
SUSE Bug 988492
https://bugzilla.suse.com/989125
SUSE Bug 989125
https://bugzilla.suse.com/989174
SUSE Bug 989174