SUSE-SU-2025:0058-1: important: Security update for tomcat
Robert Martin
2024verobeach at gmail.com
Fri Jan 10 13:40:40 UTC 2025
Remove me from your list immediately and permanently. Robert Martin
On Fri, Jan 10, 2025, 3:34 AM SUSE-MANAGER-UPDATES <null at suse.de> wrote:
> Security update for tomcat
> Announcement ID: SUSE-SU-2025:0058-1
> Release Date: 2025-01-10T07:35:34Z
> Rating: important
> References:
>
> - bsc#1233435 <https://bugzilla.suse.com/show_bug.cgi?id=1233435>
> - bsc#1234663 <https://bugzilla.suse.com/show_bug.cgi?id=1234663>
> - bsc#1234664 <https://bugzilla.suse.com/show_bug.cgi?id=1234664>
>
> Cross-References:
>
> - CVE-2024-50379
> <https://www.suse.com/security/cve/CVE-2024-50379.html>
> - CVE-2024-52317
> <https://www.suse.com/security/cve/CVE-2024-52317.html>
> - CVE-2024-54677
> <https://www.suse.com/security/cve/CVE-2024-54677.html>
>
> CVSS scores:
>
> - CVE-2024-50379 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
> - CVE-2024-50379 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
> - CVE-2024-50379 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
> - CVE-2024-52317 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
> - CVE-2024-52317 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
> - CVE-2024-52317 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
> - CVE-2024-54677 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
> - CVE-2024-54677 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
> - CVE-2024-54677 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
>
> Affected Products:
>
> - openSUSE Leap 15.6
> - SUSE Enterprise Storage 7.1
> - SUSE Linux Enterprise High Performance Computing 15 SP3
> - SUSE Linux Enterprise High Performance Computing 15 SP4
> - SUSE Linux Enterprise High Performance Computing 15 SP5
> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
> - SUSE Linux Enterprise Server 15 SP3
> - SUSE Linux Enterprise Server 15 SP3 LTSS
> - SUSE Linux Enterprise Server 15 SP4
> - SUSE Linux Enterprise Server 15 SP4 LTSS
> - SUSE Linux Enterprise Server 15 SP5
> - SUSE Linux Enterprise Server 15 SP5 LTSS
> - SUSE Linux Enterprise Server 15 SP6
> - SUSE Linux Enterprise Server for SAP Applications 15 SP3
> - SUSE Linux Enterprise Server for SAP Applications 15 SP4
> - SUSE Linux Enterprise Server for SAP Applications 15 SP5
> - SUSE Linux Enterprise Server for SAP Applications 15 SP6
> - SUSE Manager Server 4.3
> - Web and Scripting Module 15-SP6
>
> An update that solves three vulnerabilities can now be installed.
>
> Description:
>
> This update for tomcat fixes the following issues:
>
> Update to Tomcat 9.0.98
>
> - Fixed CVEs:
>   - CVE-2024-54677: DoS in examples web application (bsc#1234664)
>   - CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
>   - CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435)
> - Catalina
>   - Add: Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo)
>   - Fix: Add special handling for the protocols attribute of SSLHostConfig in storeconfig. (remm)
>   - Fix: 69442: Fix case sensitive check on content-type when parsing request parameters. (remm)
>   - Code: Refactor duplicate code for extracting media type and subtype from content-type into a single method. (markt)
>   - Fix: Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm)
>   - Fix: The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt)
>   - Fix: 69444: Ensure that the javax.servlet.error.message request attribute is set when an application defined error page is called. (markt)
>   - Fix: Avoid quotes for numeric values in the JSON generated by the status servlet. (remm)
>   - Add: Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm)
>   - Fix: Use client locale for directory listings. (remm)
>   - Fix: 69439: Improve the handling of multiple Cache-Control headers in the ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
>   - Fix: 69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from external repositories. Prior to this fix, these classes could be incorrectly marked as not found. (markt)
>   - Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by users will not be removed and any header present in a HEAD request will also be present in the equivalent GET request. There may be some headers, as per RFC 9110, section 9.3.2, that are present in a GET request that are not present in the equivalent HEAD request. (markt)
>   - Fix: 69471: Log instances of CloseNowException caught by ApplicationDispatcher.invoke() at debug level rather than error level as they are very likely to have been caused by a client disconnection or similar I/O issue. (markt)
>   - Add: Add a test case for the fix for 69442. Also refactor references to application/x-www-form-urlencoded. Based on pull request #779 by Chenjp. (markt)
>   - Fix: 69476: Catch possible ISE when trying to report PUT failure in the DefaultServlet. (remm)
>   - Add: Add support for RateLimit header fields for HTTP (draft) in the RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
>   - Add: #787: Add regression tests for 69478. Pull request provided by Thomas Krisch. (markt)
>   - Fix: The default servlet now rejects HTTP range requests when two or more of the requested ranges overlap. Based on pull request #782 provided by Chenjp. (markt)
>   - Fix: Enhance Content-Range verification for partial PUT requests handled by the default servlet. Provided by Chenjp in pull request #778. (markt)
>   - Fix: Harmonize DataSourceStore lookup in the global resources to optionally avoid the comp/env prefix which is usually not used there. (remm)
>   - Fix: As required by RFC 9110, the HTTP Range header will now only be processed for GET requests. Based on pull request #790 provided by Chenjp. (markt)
>   - Fix: Deprecate the useAcceptRanges initialisation parameter for the default servlet. It will be removed in Tomcat 12 onwards where it will effectively be hard coded to true. (markt)
>   - Add: Add DataSource based property storage for the WebdavServlet. (remm)
> - Coyote
>   - Fix: Align encodedSolidusHandling with the Servlet specification. If the pass-through mode is used, any %25 sequences will now also be passed through to avoid errors and/or corruption when the application decodes the path. (markt)
> - Jasper
>   - Fix: Further optimise EL evaluation of method parameters. Patch provided by Paolo B. (markt)
>   - Fix: Follow-up to the fix for 69381. Apply the optimisation for method lookup performance in expression language to an additional location. (markt)
> - Web applications
>   - Fix: Documentation. Remove references to the ResourceParams element. Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
>   - Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter. The attribute is internalProxies rather than allowedInternalProxies. Pull request #786 (markt)
>   - Fix: Examples. Fix broken links when Servlet Request Info example is called via a URL that includes a pathInfo component. (markt)
>   - Fix: Examples. Expand the obfuscation of session cookie values in the request header example to JSON responses. (markt)
>   - Add: Examples. Add the ability to delete session attributes in the servlet session example. (markt)
>   - Add: Examples. Add a hard coded limit of 10 attributes per session for the servlet session example. (markt)
>   - Add: Examples. Add the ability to delete session attributes and add a hard coded limit of 10 attributes per session for the JSP form authentication example. (markt)
>   - Add: Examples. Limit the shopping cart example to only allow adding the pre-defined items to the cart. (markt)
>   - Fix: Examples. Remove JSP calendar example. (markt)
> - Other
>   - Fix: 69465: Fix warnings during native image compilation using the Tomcat embedded JARs. (markt)
>   - Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
>   - Update: Update EasyMock to 5.5.0. (markt)
>   - Update: Update Checkstyle to 10.20.2. (markt)
>   - Update: Update BND to 7.1.0. (markt)
>   - Add: Improvements to French translations. (remm)
>   - Add: Improvements to Korean translations. (markt)
>   - Add: Improvements to Chinese translations. (markt)
>   - Add: Improvements to Japanese translations by tak7iji. (markt)
>
> Patch Instructions:
>
> To install this SUSE update use the SUSE recommended installation methods
> like YaST online_update or "zypper patch".
> Alternatively you can run the command listed for your product:
>
> - openSUSE Leap 15.6
> zypper in -t patch openSUSE-SLE-15.6-2025-58=1
> - Web and Scripting Module 15-SP6
> zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP6-2025-58=1
> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
> zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-58=1
> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
> zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-58=1
> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
> zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-58=1
> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
> zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-58=1
> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
> zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-58=1
> - SUSE Linux Enterprise Server 15 SP3 LTSS
> zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-58=1
> - SUSE Linux Enterprise Server 15 SP4 LTSS
> zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-58=1
> - SUSE Linux Enterprise Server 15 SP5 LTSS
> zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-58=1
> - SUSE Linux Enterprise Server for SAP Applications 15 SP3
> zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2025-58=1
> - SUSE Linux Enterprise Server for SAP Applications 15 SP4
> zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-58=1
> - SUSE Linux Enterprise Server for SAP Applications 15 SP5
> zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-58=1
> - SUSE Manager Server 4.3
> zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-58=1
> - SUSE Enterprise Storage 7.1
> zypper in -t patch SUSE-Storage-7.1-2025-58=1
>
> Package List:
>
> - openSUSE Leap 15.6 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-docs-webapp-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-embed-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - tomcat-jsvc-9.0.98-150200.74.1
> - tomcat-javadoc-9.0.98-150200.74.1
> - Web and Scripting Module 15-SP6 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Manager Server 4.3 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
> - SUSE Enterprise Storage 7.1 (noarch)
> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
> - tomcat-admin-webapps-9.0.98-150200.74.1
> - tomcat-lib-9.0.98-150200.74.1
> - tomcat-9.0.98-150200.74.1
> - tomcat-webapps-9.0.98-150200.74.1
> - tomcat-el-3_0-api-9.0.98-150200.74.1
>
> References:
>
> - https://www.suse.com/security/cve/CVE-2024-50379.html
> - https://www.suse.com/security/cve/CVE-2024-52317.html
> - https://www.suse.com/security/cve/CVE-2024-54677.html
> - https://bugzilla.suse.com/show_bug.cgi?id=1233435
> - https://bugzilla.suse.com/show_bug.cgi?id=1234663
> - https://bugzilla.suse.com/show_bug.cgi?id=1234664
>
>
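The advisory's patch instructions tell an administrator how to install the fix, but not how to confirm afterwards (or across a fleet) that a host actually carries the fixed build. The following POSIX shell script is an added example, not part of the SUSE advisory or of the tomcat package: it compares the installed tomcat VERSION-RELEASE against 9.0.98-150200.74.1, the build named in the advisory's package list, and reports whether the three CVEs are covered. The `rpm` query format is the standard `--qf` tag syntax; the sample version 9.0.96-150200.71.1 is constructed for the offline run and is not taken from any real system.

```shell
#!/bin/sh
# Added example (not SUSE's or Tomcat's code): verify that the installed
# tomcat package is at or above the fixed build from SUSE-SU-2025:0058-1.

FIXED_TOMCAT_VERSION="9.0.98-150200.74.1"   # VERSION-RELEASE from the advisory's package list

# Compare two RPM-style VERSION-RELEASE strings field by field.
# Fields are split on "." and "-" and compared numerically, which is enough
# for the purely numeric tomcat versions in this advisory. Prints lt, eq or gt
# describing $1 relative to $2. A trailing space is appended so that `cut`
# always sees a delimiter, even for a single-field input such as "9".
vercmp() {
    a="$(printf '%s' "$1" | sed 's/[.-]/ /g') "
    b="$(printf '%s' "$2" | sed 's/[.-]/ /g') "
    i=1
    while :; do
        fa=$(printf '%s\n' "$a" | cut -d' ' -f"$i")
        fb=$(printf '%s\n' "$b" | cut -d' ' -f"$i")
        if [ -z "$fa" ] && [ -z "$fb" ]; then
            echo eq
            return 0
        fi
        # A missing trailing field counts as 0, so 9.0.98 equals 9.0.98.0
        fa=${fa:-0}
        fb=${fb:-0}
        if [ "$fa" -lt "$fb" ]; then echo lt; return 0; fi
        if [ "$fa" -gt "$fb" ]; then echo gt; return 0; fi
        i=$((i + 1))
    done
}

# Exit 0 (true) when the given VERSION-RELEASE already contains the fix.
tomcat_is_fixed() {
    [ "$(vercmp "$1" "$FIXED_TOMCAT_VERSION")" != lt ]
}

# Constructed sample of `rpm -q --qf '%{VERSION}-%{RELEASE}' tomcat` output
# from an unpatched host; not observed on any real system.
SAMPLE_INSTALLED="9.0.96-150200.71.1"

report() {
    if tomcat_is_fixed "$1"; then
        echo "tomcat $1: contains the fixes for CVE-2024-50379, CVE-2024-52317 and CVE-2024-54677"
    else
        echo "tomcat $1: older than $FIXED_TOMCAT_VERSION, apply the SUSE-SU-2025:0058-1 patch with 'zypper patch'"
    fi
}

# On a SUSE host query rpm for the live version; anywhere else (or when the
# package is absent) fall back to the constructed sample so the script still runs.
if command -v rpm >/dev/null 2>&1 && installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}' tomcat 2>/dev/null); then
    report "$installed"
else
    report "$SAMPLE_INSTALLED"
fi
```

Run it as-is on each host after `zypper patch`; a non-fixed result means the patch did not apply (for example because the product's update channel is not enabled). The comparison deliberately refuses to reason about anything but the package version: a host that reports the fixed build but still has the `examples` webapp deployed is patched against CVE-2024-54677, not hardened beyond what the advisory states.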