<div class="container">
<h1>Security update for tomcat</h1>
<table class="table table-striped table-bordered">
<tbody>
<tr>
<th>Announcement ID:</th>
<td>SUSE-SU-2023:4129-1</td>
</tr>
<tr>
<th>Rating:</th>
<td>important</td>
</tr>
<tr>
<th>References:</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1214666">bsc#1214666</a>
</li>
<li style="display: inline;">
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1216182">bsc#1216182</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-6376">jsc#PED-6376</a>
</li>
<li style="display: inline;">
<a href="https://jira.suse.com/browse/PED-6377">jsc#PED-6377</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>
Cross-References:
</th>
<td>
<ul>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-41080.html">CVE-2023-41080</a>
</li>
<li style="display: inline;">
<a href="https://www.suse.com/security/cve/CVE-2023-44487.html">CVE-2023-44487</a>
</li>
</ul>
</td>
</tr>
<tr>
<th>CVSS scores:</th>
<td>
<ul class="list-group">
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-41080</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">6.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-41080</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">6.1</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-44487</span>
<span class="cvss-source">
(
SUSE
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
<li class="list-group-item">
<span class="cvss-reference">CVE-2023-44487</span>
<span class="cvss-source">
(
NVD
):
</span>
<span class="cvss-score">7.5</span>
<span class="cvss-vector">CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H</span>
</li>
</ul>
</td>
</tr>
<tr>
<th>Affected Products:</th>
<td>
<ul class="list-group">
<li class="list-group-item">SUSE Enterprise Storage 7.1</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise High Performance Computing LTSS 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server 15 SP5</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP2</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP3</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP4</li>
<li class="list-group-item">SUSE Linux Enterprise Server for SAP Applications 15 SP5</li>
<li class="list-group-item">SUSE Manager Proxy 4.3</li>
<li class="list-group-item">SUSE Manager Retail Branch Server 4.3</li>
<li class="list-group-item">SUSE Manager Server 4.2</li>
<li class="list-group-item">SUSE Manager Server 4.3</li>
<li class="list-group-item">Web and Scripting Module 15-SP4</li>
<li class="list-group-item">Web and Scripting Module 15-SP5</li>
</ul>
</td>
</tr>
</tbody>
</table>
<p>An update that solves two vulnerabilities and contains two features can now be installed.</p>
<h2>Description:</h2>
<p>This update for tomcat fixes the following issues:</p>
<p>Tomcat was updated to version 9.0.82 (jsc#PED-6376, jsc#PED-6377):</p>
<ul>
<li>
<p>Security issues fixed:</p>
</li>
<li>
<p>CVE-2023-41080: Avoid protocol relative redirects in FORM authentication. (bsc#1214666)</p>
</li>
<li>
<p>CVE-2023-44487: Fix HTTP/2 Rapid Reset Attack. (bsc#1216182)</p>
</li>
<li>
<p>Update to Tomcat 9.0.82:</p>
</li>
<li>
<p>Catalina</p>
<ul>
<li>Add: 65770: Provide a lifecycle listener that will
automatically reload TLS configurations a set time before the
certificate is due to expire. This is intended to be used with
third-party tools that regularly renew TLS certificates.</li>
<li>Fix: Fix handling of an error reading a context descriptor on
deployment.</li>
<li>Fix: Fix rewrite rule qsd (query string discard) being ignored
if qsa was also use, while it should instead take precedence.</li>
<li>Fix: 67472: Send fewer CORS-related headers when CORS is not
actually being engaged.</li>
<li>Add: Improve handling of failures within recycle() methods.</li>
</ul>
</li>
<li>
<p>Coyote</p>
<ul>
<li>Fix: 67670: Fix regression with HTTP compression after code
refactoring.</li>
<li>Fix: 67198: Ensure that the AJP connector attribute
tomcatAuthorization takes precedence over the
tomcatAuthentication attribute when processing an auth_type
attribute received from a proxy server.</li>
<li>Fix: 67235: Fix a NullPointerException when an AsyncListener
handles an error with a dispatch rather than a complete.</li>
<li>Fix: When an error occurs during asynchronous processing,
ensure that the error handling process is only triggered once
per asynchronous cycle.</li>
<li>Fix: Fix logic issue trying to match no argument method in
IntropectionUtil.</li>
<li>Fix: Improve thread safety around readNotify and writeNotify
in the NIO2 endpoint.</li>
<li>Fix: Avoid rare thread safety issue accessing message digest
map.</li>
<li>Fix: Improve statistics collection for upgraded connections
under load.</li>
<li>Fix: Align validation of HTTP trailer fields with standard
fields.</li>
<li>Fix: Improvements to HTTP/2 overhead protection (bsc#1216182,
CVE-2023-44487)</li>
</ul>
</li>
<li>
<p>jdbc-pool</p>
<ul>
<li>Fix: 67664: Correct a regression in the clean-up of
unnecessary use of fully qualified class names in 9.0.81
that broke the jdbc-pool.</li>
</ul>
</li>
<li>
<p>Jasper</p>
<ul>
<li>Fix: 67080: Improve performance of EL expressions in JSPs that
use implicit objects</li>
</ul>
</li>
<li>
<p>Update to Tomcat 9.0.80 (jsc#PED-6376, jsc#PED-6377):</p>
</li>
<li>
<p>Catalina:</p>
<ul>
<li>Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks</li>
<li>Move the management of the utility executor from the init()/destroy() methods of components to the start()/stop()
methods.</li>
<li>Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual thread based executor that may be used with
one or more Connectors to process requests received by those Connectors using virtual threads. This Executor
requires a minimum Java version of Java 21.</li>
<li>Add a per session Semaphore to the PersistentValve that ensures that, within a single Tomcat instance, there is no
more than one concurrent request per session. Also expand the debug logging to include whether a request bypasses
the Valve and the reason if a request fails to obtain the per session Semaphore.</li>
<li>Ensure that the default servlet correctly escapes file names in directory listings when using XML output.</li>
<li>Add a numeric last modified field to the XML directory listings produced by the default servlet to enable sorting
in the XSLT.</li>
<li>Attempts to lock a collection with WebDAV may incorrectly fail if a child collection has an expired lock.</li>
<li>Deprecate the xssProtectionEnabled setting from the HttpHeaderSecurityFilter and change the default value to false
as support for the associated HTTP header has been removed from all major browsers.</li>
<li>Add org.apache.catalina.core.ContextNamingInfoListener, a listener which creates context naming information
environment entries.</li>
<li>Add org.apache.catalina.core.PropertiesRoleMappingListener, a listener which populates the context's role mapping
from a properties file.</li>
<li>Fix an edge case where intra-web application symlinks would be followed if the web applications were deliberately
crafted to allow it even when allowLinking was set to false.</li>
<li>Add utility config file resource lookup on Context to allow looking up resources from the webapp
(prefixed with webapp:) and make the resource lookup API more visible.</li>
<li>Fix potential database connection leaks in DataSourceUserDatabase identified by Coverity Scan.</li>
<li>Make parsing of ExtendedAccessLogValve patterns more robust.</li>
<li>Fix failure trying to persist configuration for an internal credential handler.</li>
<li>When serializing a session during the session presistence process, do not log a warning that null Principals are
not serializable.</li>
<li>Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up to 17 to signal closed connections.</li>
<li>Use the same naming format in log messages for Connector instances as the associated ProtocolHandler instance.</li>
<li>The parts count should also lower the actual maxParameterCount used for parsing parameters if parts are parsed
first.</li>
<li>If an application or library sets both a non-500 error code and the javax.servlet.error.exception request
attribute, use the provided error code during error page processing rather than assuming an error code of 500.</li>
<li>Update code comments and Tomcat output to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and
kB.</li>
</ul>
</li>
<li>
<p>Coyote:</p>
<ul>
<li>Update the HTTP/2 implementation to use the prioritization scheme defined in RFC 9218 rather than the one defined
in RFC 7540.</li>
<li>Fix not sending WINDOW_UPDATE when dataLength is ZERO on call SwallowedDataFramePayload.</li>
<li>Restore the documented behaviour of MessageBytes.getType() that it returns the type of the original content rather
than reflecting the most recent conversion.</li>
<li>Correct certificate logging on start-up so it differentiates between keystore based keys/certificates:
PEM file based keys/certificates and logs the relevant information for each.</li>
<li>Refactor blocking reads and writes for the NIO connector to remove code paths that could allow a notification from
the Poller to be missed resuting in a timeout rather than the expected read or write.</li>
<li>Refactor waiting for an HTTP/2 stream or connection window update to handle spurious wake-ups during the wait.</li>
<li>Correct a regression introduced in 9.0.78 and use the correct constant when constructing the default value for the
certificateKeystoreFile attribute of an SSLHostConfigCertificate instance.</li>
<li>Refactor HTTP/2 implementation to reduce pinning when using virtual threads.</li>
<li>Pass through ciphers referring to an OpenSSL profile, such as PROFILE=SYSTEM instead of producing an error trying
to parse it.</li>
<li>Ensure that AsyncListener.onError() is called after an error during asynchronous processing with HTTP/2.</li>
<li>When using asynchronous I/O (the default for NIO and NIO2), include DATA frames when calculating the HTTP/2
overhead count to ensure that connections are not prematurely terminated.</li>
<li>Correct a race condition that could cause spurious RST messages to be sent after the response had been written to
an HTTP/2 stream.</li>
</ul>
</li>
<li>
<p>WebSocket:</p>
<ul>
<li>Expand the validation of the value of the Sec-Websocket-Key header in the HTTP upgrade request that initiates a
WebSocket connection. The value is not decoded but it is checked for the correct length and that only valid
characters from the base64 alphabet are used.</li>
<li>Improve handling of error conditions for the WebSocket server, particularly during Tomcat shutdown.</li>
<li>Correct a regression in the fix for 66574 that meant the WebSocket session could return false for onOpen() before
the onClose() event had been completed.</li>
<li>Fix a NullPointerException when flushing batched messages with compression enabled using permessage-deflate.</li>
</ul>
</li>
<li>
<p>Web applications:</p>
<ul>
<li>Add RateLimitFilter which can be used to mitigate DoS and Brute Force attacks attribute in the configuration
section for the Digest authentication value.</li>
<li>Documentation: Expand the security guidance to cover the embedded use case and add notes on the uses made of the
java.io.tmpdir system property.</li>
<li>Documentation: Fix a typo in the name of the algorithms</li>
<li>Documentation: Update documentation to use MiB for 1024 * 1024 bytes and KiB for 1024 bytes rather than MB and kB.</li>
</ul>
</li>
<li>
<p>jdbc-pool:</p>
<ul>
<li>Fix the releaseIdleCounter does not increment when testAllIdle releases them.</li>
<li>Fix the ConnectionState state will be inconsistent with actual state on the connection when an exception occurs
while writing.</li>
</ul>
</li>
<li>
<p>Other:</p>
<ul>
<li>Update to Commons Daemon 1.3.4.</li>
<li>Improvements to French translations.</li>
<li>Update Checkstyle to 10.12.0.</li>
<li>Update the packaged version of the Apache Tomcat Native Library to 1.2.37 to pick up the Windows binaries built
with with OpenSSL 1.1.1u.</li>
<li>Include the Windows specific binary distributions in the files uploaded to Maven Central.</li>
<li>Improvements to French translations.</li>
<li>Improvements to Japanese translations.</li>
<li>Update UnboundID to 6.0.9.</li>
<li>Update Checkstyle to 10.12.1.</li>
<li>Update BND to 6.4.1.66665:</li>
<li>Update JSign to 5.0.</li>
<li>Correct properties for JSign dependency.</li>
<li>Align documentation for maxParameterCount to match hard-coded defaults.</li>
<li>Update NSIS to 3.0.9.</li>
<li>Update Checkstyle to 10.12.2.</li>
<li>Improvements to French translations.</li>
<li>Improvements to Japanese translations.</li>
<li>Fix quoting so users can use the _RUNJAVA environment variable as intended on Windows when the path to the Java
executable contains spaces.</li>
<li>Update Tomcat Native to 1.2.38 to pick up Windows binaries built with OpenSSL 1.1.1v.</li>
<li>Improvements to Chinese translations.</li>
<li>Improvements to French translations.</li>
<li>Improvements to Japanese translations</li>
</ul>
</li>
</ul>
<h2>Patch Instructions:</h2>
<p>
To install this SUSE update use the SUSE recommended
installation methods like YaST online_update or "zypper patch".<br/>
Alternatively you can run the command listed for your product:
</p>
<ul class="list-group">
<li class="list-group-item">
Web and Scripting Module 15-SP5
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP5-2023-4129=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP2-LTSS-2023-4129=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-ESPOS-2023-4129=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2023-4129=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP2-LTSS-2023-4129=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2023-4129=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP2
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP2-2023-4129=1</code>
</li>
<li class="list-group-item">
SUSE Linux Enterprise Server for SAP Applications 15 SP3
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2023-4129=1</code>
</li>
<li class="list-group-item">
SUSE Manager Server 4.2
<br/>
<code>zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.2-2023-4129=1</code>
</li>
<li class="list-group-item">
SUSE Enterprise Storage 7.1
<br/>
<code>zypper in -t patch SUSE-Storage-7.1-2023-4129=1</code>
</li>
<li class="list-group-item">
Web and Scripting Module 15-SP4
<br/>
<code>zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP4-2023-4129=1</code>
</li>
</ul>
<h2>Package List:</h2>
<ul>
<li>
Web and Scripting Module 15-SP5 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
<li>
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
<li>
SUSE Manager Server 4.2 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
<li>
SUSE Enterprise Storage 7.1 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
<li>
Web and Scripting Module 15-SP4 (noarch)
<ul>
<li>tomcat-jsp-2_3-api-9.0.82-150200.46.1</li>
<li>tomcat-9.0.82-150200.46.1</li>
<li>tomcat-servlet-4_0-api-9.0.82-150200.46.1</li>
<li>tomcat-webapps-9.0.82-150200.46.1</li>
<li>tomcat-admin-webapps-9.0.82-150200.46.1</li>
<li>tomcat-el-3_0-api-9.0.82-150200.46.1</li>
<li>tomcat-lib-9.0.82-150200.46.1</li>
</ul>
</li>
</ul>
<h2>References:</h2>
<ul>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-41080.html">https://www.suse.com/security/cve/CVE-2023-41080.html</a>
</li>
<li>
<a href="https://www.suse.com/security/cve/CVE-2023-44487.html">https://www.suse.com/security/cve/CVE-2023-44487.html</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1214666">https://bugzilla.suse.com/show_bug.cgi?id=1214666</a>
</li>
<li>
<a href="https://bugzilla.suse.com/show_bug.cgi?id=1216182">https://bugzilla.suse.com/show_bug.cgi?id=1216182</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-6376">https://jira.suse.com/browse/PED-6376</a>
</li>
<li>
<a href="https://jira.suse.com/browse/PED-6377">https://jira.suse.com/browse/PED-6377</a>
</li>
</ul>
</div>