Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

suse-cvrf логотип

SUSE-SU-2021:3602-1

Опубликовано: 03 нояб. 2021
Источник: suse-cvrf

Описание

Security update for tomcat

This update for tomcat, javapackages-tools fixes the following issue:

Security issue fixed:

  • CVE-2021-30640: Escape parameters in JNDI Realm queries (bsc#1188279).
  • CVE-2021-33037: Process T-E header from both HTTP 1.0 and HTTP 1.1. clients (bsc#1188278).
  • CVE-2021-41079: Fixed a denial of service caused by an unexpected TLS packet (bsc#1190558).

Non-security issues fixed:

  • Add requires and conflicts to avoid the usage of the incompatible 'Java 11' with 'Tomcat'. (bsc#1185476)
  • Rebuild javapackages-tools to fix a missing package on s390.

Список пакетов

SUSE Linux Enterprise Server 12 SP4-LTSS
javapackages-tools-2.0.1-13.1
tomcat-9.0.36-3.71.1
tomcat-admin-webapps-9.0.36-3.71.1
tomcat-docs-webapp-9.0.36-3.71.1
tomcat-el-3_0-api-9.0.36-3.71.1
tomcat-javadoc-9.0.36-3.71.1
tomcat-jsp-2_3-api-9.0.36-3.71.1
tomcat-lib-9.0.36-3.71.1
tomcat-servlet-4_0-api-9.0.36-3.71.1
tomcat-webapps-9.0.36-3.71.1
SUSE Linux Enterprise Server 12 SP5
javapackages-tools-2.0.1-13.1
tomcat-9.0.36-3.71.1
tomcat-admin-webapps-9.0.36-3.71.1
tomcat-docs-webapp-9.0.36-3.71.1
tomcat-el-3_0-api-9.0.36-3.71.1
tomcat-javadoc-9.0.36-3.71.1
tomcat-jsp-2_3-api-9.0.36-3.71.1
tomcat-lib-9.0.36-3.71.1
tomcat-servlet-4_0-api-9.0.36-3.71.1
tomcat-webapps-9.0.36-3.71.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4
javapackages-tools-2.0.1-13.1
tomcat-9.0.36-3.71.1
tomcat-admin-webapps-9.0.36-3.71.1
tomcat-docs-webapp-9.0.36-3.71.1
tomcat-el-3_0-api-9.0.36-3.71.1
tomcat-javadoc-9.0.36-3.71.1
tomcat-jsp-2_3-api-9.0.36-3.71.1
tomcat-lib-9.0.36-3.71.1
tomcat-servlet-4_0-api-9.0.36-3.71.1
tomcat-webapps-9.0.36-3.71.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5
javapackages-tools-2.0.1-13.1
tomcat-9.0.36-3.71.1
tomcat-admin-webapps-9.0.36-3.71.1
tomcat-docs-webapp-9.0.36-3.71.1
tomcat-el-3_0-api-9.0.36-3.71.1
tomcat-javadoc-9.0.36-3.71.1
tomcat-jsp-2_3-api-9.0.36-3.71.1
tomcat-lib-9.0.36-3.71.1
tomcat-servlet-4_0-api-9.0.36-3.71.1
tomcat-webapps-9.0.36-3.71.1
SUSE OpenStack Cloud 9
javapackages-tools-2.0.1-13.1
tomcat-9.0.36-3.71.1
tomcat-admin-webapps-9.0.36-3.71.1
tomcat-docs-webapp-9.0.36-3.71.1
tomcat-el-3_0-api-9.0.36-3.71.1
tomcat-javadoc-9.0.36-3.71.1
tomcat-jsp-2_3-api-9.0.36-3.71.1
tomcat-lib-9.0.36-3.71.1
tomcat-servlet-4_0-api-9.0.36-3.71.1
tomcat-webapps-9.0.36-3.71.1
SUSE OpenStack Cloud Crowbar 9
javapackages-tools-2.0.1-13.1
tomcat-9.0.36-3.71.1
tomcat-admin-webapps-9.0.36-3.71.1
tomcat-docs-webapp-9.0.36-3.71.1
tomcat-el-3_0-api-9.0.36-3.71.1
tomcat-javadoc-9.0.36-3.71.1
tomcat-jsp-2_3-api-9.0.36-3.71.1
tomcat-lib-9.0.36-3.71.1
tomcat-servlet-4_0-api-9.0.36-3.71.1
tomcat-webapps-9.0.36-3.71.1

Ссылки

Описание

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP4-LTSS:javapackages-tools-2.0.1-13.1
SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-9.0.36-3.71.1
SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-admin-webapps-9.0.36-3.71.1
SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-docs-webapp-9.0.36-3.71.1
Ссылки

Описание

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP4-LTSS:javapackages-tools-2.0.1-13.1
SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-9.0.36-3.71.1
SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-admin-webapps-9.0.36-3.71.1
SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-docs-webapp-9.0.36-3.71.1
Ссылки

Описание

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

Затронутые продукты
SUSE Linux Enterprise Server 12 SP4-LTSS:javapackages-tools-2.0.1-13.1
SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-9.0.36-3.71.1
SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-admin-webapps-9.0.36-3.71.1
SUSE Linux Enterprise Server 12 SP4-LTSS:tomcat-docs-webapp-9.0.36-3.71.1
Ссылки
Уязвимость SUSE-SU-2021:3602-1