Security update for tomcat

Announcement ID:	SUSE-SU-2016:3079-1
Rating:	important
References:	bsc#1002639 bsc#1004728 bsc#1007853 bsc#1007854 bsc#1007855 bsc#1007857 bsc#1007858 bsc#1010893 bsc#1011805 bsc#1011812 bsc#974407
Cross-References:	CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 CVE-2016-6816 CVE-2016-8735
CVSS scores:	CVE-2016-0762 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-0762 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-5018 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2016-5018 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2016-6794 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2016-6794 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2016-6796 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2016-6796 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2016-6797 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-6797 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-6816 ( NVD ): 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVE-2016-8735 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected Products:	SUSE Linux Enterprise Server 12 SP1 SUSE Linux Enterprise Server for SAP Applications 12 SP1

An update that solves seven vulnerabilities and has four security fixes can now be installed.

Description:

This update for Tomcat provides the following fixes:

Feature changes:

The embedded Apache Commons DBCP component was updated to version 2.0. (bsc#1010893 fate#321029)

Security fixes: - CVE-2016-0762: Realm Timing Attack (bsc#1007854) - CVE-2016-5018: Security Manager Bypass (bsc#1007855) - CVE-2016-6794: System Property Disclosure (bsc#1007857) - CVE-2016-6796: Manager Bypass (bsc#1007858) - CVE-2016-6797: Unrestricted Access to Global Resources (bsc#1007853) - CVE-2016-8735: Remote code execution vulnerability in JmxRemoteLifecycleListener (bsc#1011805) - CVE-2016-6816: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests (bsc#1011812)

Bugs fixed: - Fixed StringIndexOutOfBoundsException in WebAppClassLoaderBase.filter(). (bsc#974407) - Fixed a deployment error in the examples webapp by changing the context.xml format to the new one introduced by Tomcat 8. (bsc#1004728) - Enabled optional setenv.sh script. See section '(3.4) Using the "setenv" script' in http://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt. (bsc#1002639) - Fixed regression caused by CVE-2016-6816.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

SUSE Linux Enterprise Server for SAP Applications 12 SP1
zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1791=1
SUSE Linux Enterprise Server 12 SP1
zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-1791=1

Package List:

SUSE Linux Enterprise Server for SAP Applications 12 SP1 (noarch)
- tomcat-javadoc-8.0.32-10.13.2
- tomcat-el-3_0-api-8.0.32-10.13.2
- tomcat-lib-8.0.32-10.13.2
- tomcat-webapps-8.0.32-10.13.2
- tomcat-jsp-2_3-api-8.0.32-10.13.2
- tomcat-docs-webapp-8.0.32-10.13.2
- tomcat-servlet-3_1-api-8.0.32-10.13.2
- tomcat-admin-webapps-8.0.32-10.13.2
- tomcat-8.0.32-10.13.2
SUSE Linux Enterprise Server 12 SP1 (noarch)
- tomcat-javadoc-8.0.32-10.13.2
- tomcat-el-3_0-api-8.0.32-10.13.2
- tomcat-lib-8.0.32-10.13.2
- tomcat-webapps-8.0.32-10.13.2
- tomcat-jsp-2_3-api-8.0.32-10.13.2
- tomcat-docs-webapp-8.0.32-10.13.2
- tomcat-servlet-3_1-api-8.0.32-10.13.2
- tomcat-admin-webapps-8.0.32-10.13.2
- tomcat-8.0.32-10.13.2

Security update for tomcat

Description:

Patch Instructions:

Package List:

References: