Описание
Security update for tomcat
This update for tomcat fixes the following issues:
- CVE-2025-46701: Fixed refactor CGI servlet to access resources via WebResources (bsc#1243815).
- CVE-2025-48988: Fixed limits the total number of parts in a multi-part request and limits the size of the headers provided with each part (bsc#1244656).
- CVE-2025-49125: Fixed expand checks for webAppMount (bsc#1244649).
Other bugfixes:
- Made permissions more secure (bsc#1242722)
Список пакетов
SUSE Enterprise Storage 7.1
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP6
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise Module for Web and Scripting 15 SP7
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise Server 15 SP3-LTSS
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise Server 15 SP4-LTSS
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise Server 15 SP5-LTSS
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise Server for SAP Applications 15 SP4
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Linux Enterprise Server for SAP Applications 15 SP5
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
SUSE Manager Server 4.3
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
openSUSE Leap 15.6
tomcat-9.0.106-150200.86.1
tomcat-admin-webapps-9.0.106-150200.86.1
tomcat-docs-webapp-9.0.106-150200.86.1
tomcat-el-3_0-api-9.0.106-150200.86.1
tomcat-embed-9.0.106-150200.86.1
tomcat-javadoc-9.0.106-150200.86.1
tomcat-jsp-2_3-api-9.0.106-150200.86.1
tomcat-jsvc-9.0.106-150200.86.1
tomcat-lib-9.0.106-150200.86.1
tomcat-servlet-4_0-api-9.0.106-150200.86.1
tomcat-webapps-9.0.106-150200.86.1
Ссылки
- Link for SUSE-SU-2025:02280-1
- E-Mail link for SUSE-SU-2025:02280-1
- SUSE Security Ratings
- SUSE Bug 1242722
- SUSE Bug 1243815
- SUSE Bug 1244649
- SUSE Bug 1244656
- SUSE CVE CVE-2025-46701 page
- SUSE CVE CVE-2025-48988 page
- SUSE CVE CVE-2025-49125 page
Описание
Improper Handling of Case Sensitivity vulnerability in Apache Tomcat's GCI servlet allows security constraint bypass of security constraints that apply to the pathInfo component of a URI mapped to the CGI servlet. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.6, from 10.1.0-M1 through 10.1.40, from 9.0.0.M1 through 9.0.104. Users are recommended to upgrade to version 11.0.7, 10.1.41 or 9.0.105, which fixes the issue.
Затронутые продукты
SUSE Enterprise Storage 7.1:tomcat-9.0.106-150200.86.1
SUSE Enterprise Storage 7.1:tomcat-admin-webapps-9.0.106-150200.86.1
SUSE Enterprise Storage 7.1:tomcat-el-3_0-api-9.0.106-150200.86.1
SUSE Enterprise Storage 7.1:tomcat-jsp-2_3-api-9.0.106-150200.86.1
Ссылки
- CVE-2025-46701
- SUSE Bug 1243815
Описание
Allocation of Resources Without Limits or Throttling vulnerability in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Затронутые продукты
SUSE Enterprise Storage 7.1:tomcat-9.0.106-150200.86.1
SUSE Enterprise Storage 7.1:tomcat-admin-webapps-9.0.106-150200.86.1
SUSE Enterprise Storage 7.1:tomcat-el-3_0-api-9.0.106-150200.86.1
SUSE Enterprise Storage 7.1:tomcat-jsp-2_3-api-9.0.106-150200.86.1
Ссылки
- CVE-2025-48988
- SUSE Bug 1244656
Описание
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Tomcat. When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue.
Затронутые продукты
SUSE Enterprise Storage 7.1:tomcat-9.0.106-150200.86.1
SUSE Enterprise Storage 7.1:tomcat-admin-webapps-9.0.106-150200.86.1
SUSE Enterprise Storage 7.1:tomcat-el-3_0-api-9.0.106-150200.86.1
SUSE Enterprise Storage 7.1:tomcat-jsp-2_3-api-9.0.106-150200.86.1
Ссылки
- CVE-2025-49125
- SUSE Bug 1244649