SUSE-SU-2025:0058-1: important: Security update for tomcat
Robert Martin
2024verobeach at gmail.com
Fri Jan 10 13:41:16 UTC 2025
Remove me from your list immediately and permanently. Robert Martin
On Fri, Jan 10, 2025, 8:40 AM Robert Martin <2024verobeach at gmail.com> wrote:
> Remove me from your list immediately and permanently. Robert Martin
>
> On Fri, Jan 10, 2025, 3:34 AM SUSE-MANAGER-UPDATES <null at suse.de> wrote:
>
>> Security update for tomcat
>> Announcement ID: SUSE-SU-2025:0058-1
>> Release Date: 2025-01-10T07:35:34Z
>> Rating: important
>> References:
>>
>> - bsc#1233435 <https://bugzilla.suse.com/show_bug.cgi?id=1233435>
>> - bsc#1234663 <https://bugzilla.suse.com/show_bug.cgi?id=1234663>
>> - bsc#1234664 <https://bugzilla.suse.com/show_bug.cgi?id=1234664>
>>
>> Cross-References:
>>
>> - CVE-2024-50379
>> <https://www.suse.com/security/cve/CVE-2024-50379.html>
>> - CVE-2024-52317
>> <https://www.suse.com/security/cve/CVE-2024-52317.html>
>> - CVE-2024-54677
>> <https://www.suse.com/security/cve/CVE-2024-54677.html>
>>
>> CVSS scores:
>>
>> - CVE-2024-50379 ( SUSE ): 8.5 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
>> - CVE-2024-50379 ( SUSE ): 7.0 CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
>> - CVE-2024-50379 ( NVD ): 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
>> - CVE-2024-52317 ( SUSE ): 6.9 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
>> - CVE-2024-52317 ( SUSE ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
>> - CVE-2024-52317 ( NVD ): 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
>> - CVE-2024-54677 ( SUSE ): 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
>> - CVE-2024-54677 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
>> - CVE-2024-54677 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
>>
>> Affected Products:
>>
>> - openSUSE Leap 15.6
>> - SUSE Enterprise Storage 7.1
>> - SUSE Linux Enterprise High Performance Computing 15 SP3
>> - SUSE Linux Enterprise High Performance Computing 15 SP4
>> - SUSE Linux Enterprise High Performance Computing 15 SP5
>> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
>> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
>> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
>> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
>> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
>> - SUSE Linux Enterprise Server 15 SP3
>> - SUSE Linux Enterprise Server 15 SP3 LTSS
>> - SUSE Linux Enterprise Server 15 SP4
>> - SUSE Linux Enterprise Server 15 SP4 LTSS
>> - SUSE Linux Enterprise Server 15 SP5
>> - SUSE Linux Enterprise Server 15 SP5 LTSS
>> - SUSE Linux Enterprise Server 15 SP6
>> - SUSE Linux Enterprise Server for SAP Applications 15 SP3
>> - SUSE Linux Enterprise Server for SAP Applications 15 SP4
>> - SUSE Linux Enterprise Server for SAP Applications 15 SP5
>> - SUSE Linux Enterprise Server for SAP Applications 15 SP6
>> - SUSE Manager Server 4.3
>> - Web and Scripting Module 15-SP6
>>
>> An update that solves three vulnerabilities can now be installed.
>> Description:
>>
>> This update for tomcat fixes the following issues:
>>
>> Update to Tomcat 9.0.98
>>
>> - Fixed CVEs:
>>   - CVE-2024-54677: DoS in examples web application (bsc#1234664)
>>   - CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
>>   - CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435)
>> - Catalina
>>   - Add: Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo)
>>   - Fix: Add special handling for the protocols attribute of SSLHostConfig in storeconfig. (remm)
>>   - Fix: 69442: Fix case sensitive check on content-type when parsing request parameters. (remm)
>>   - Code: Refactor duplicate code for extracting media type and subtype from content-type into a single method. (markt)
>>   - Fix: Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm)
>>   - Fix: The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt)
>>   - Fix: 69444: Ensure that the javax.servlet.error.message request attribute is set when an application defined error page is called. (markt)
>>   - Fix: Avoid quotes for numeric values in the JSON generated by the status servlet. (remm)
>>   - Add: Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm)
>>   - Fix: Use client locale for directory listings. (remm)
>>   - Fix: 69439: Improve the handling of multiple Cache-Control headers in the ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
>>   - Fix: 69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from external repositories. Prior to this fix, these classes could be incorrectly marked as not found. (markt)
>>   - Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by users will not be removed and any header present in a HEAD request will also be present in the equivalent GET request. There may be some headers, as per RFC 9110, section 9.3.2, that are present in a GET request that are not present in the equivalent HEAD request. (markt)
>>   - Fix: 69471: Log instances of CloseNowException caught by ApplicationDispatcher.invoke() at debug level rather than error level as they are very likely to have been caused by a client disconnection or similar I/O issue. (markt)
>>   - Add: Add a test case for the fix for 69442. Also refactor references to application/x-www-form-urlencoded. Based on pull request #779 by Chenjp. (markt)
>>   - Fix: 69476: Catch possible ISE when trying to report PUT failure in the DefaultServlet. (remm)
>>   - Add: Add support for RateLimit header fields for HTTP (draft) in the RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
>>   - Add: #787: Add regression tests for 69478. Pull request provided by Thomas Krisch. (markt)
>>   - Fix: The default servlet now rejects HTTP range requests when two or more of the requested ranges overlap. Based on pull request #782 provided by Chenjp. (markt)
>>   - Fix: Enhance Content-Range verification for partial PUT requests handled by the default servlet. Provided by Chenjp in pull request #778. (markt)
>>   - Fix: Harmonize DataSourceStore lookup in the global resources to optionally avoid the comp/env prefix which is usually not used there. (remm)
>>   - Fix: As required by RFC 9110, the HTTP Range header will now only be processed for GET requests. Based on pull request #790 provided by Chenjp. (markt)
>>   - Fix: Deprecate the useAcceptRanges initialisation parameter for the default servlet. It will be removed in Tomcat 12 onwards where it will effectively be hard coded to true. (markt)
>>   - Add: Add DataSource based property storage for the WebdavServlet. (remm)
>> - Coyote
>>   - Fix: Align encodedSolidusHandling with the Servlet specification. If the pass-through mode is used, any %25 sequences will now also be passed through to avoid errors and/or corruption when the application decodes the path. (markt)
>> - Jasper
>>   - Fix: Further optimise EL evaluation of method parameters. Patch provided by Paolo B. (markt)
>>   - Fix: Follow-up to the fix for 69381. Apply the optimisation for method lookup performance in expression language to an additional location. (markt)
>> - Web applications
>>   - Fix: Documentation. Remove references to the ResourceParams element. Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
>>   - Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter. The attribute is internalProxies rather than allowedInternalProxies. Pull request #786 (markt)
>>   - Fix: Examples. Fix broken links when Servlet Request Info example is called via a URL that includes a pathInfo component. (markt)
>>   - Fix: Examples. Expand the obfuscation of session cookie values in the request header example to JSON responses. (markt)
>>   - Add: Examples. Add the ability to delete session attributes in the servlet session example. (markt)
>>   - Add: Examples. Add a hard coded limit of 10 attributes per session for the servlet session example. (markt)
>>   - Add: Examples. Add the ability to delete session attributes and add a hard coded limit of 10 attributes per session for the JSP form authentication example. (markt)
>>   - Add: Examples. Limit the shopping cart example to only allow adding the pre-defined items to the cart. (markt)
>>   - Fix: Examples. Remove JSP calendar example. (markt)
>> - Other
>>   - Fix: 69465: Fix warnings during native image compilation using the Tomcat embedded JARs. (markt)
>>   - Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
>>   - Update: Update EasyMock to 5.5.0. (markt)
>>   - Update: Update Checkstyle to 10.20.2. (markt)
>>   - Update: Update BND to 7.1.0. (markt)
>>   - Add: Improvements to French translations. (remm)
>>   - Add: Improvements to Korean translations. (markt)
>>   - Add: Improvements to Chinese translations. (markt)
>>   - Add: Improvements to Japanese translations by tak7iji. (markt)
>>
>> Patch Instructions:
>>
>> To install this SUSE update use the SUSE recommended installation methods
>> like YaST online_update or "zypper patch".
>> Alternatively you can run the command listed for your product:
>>
>> - openSUSE Leap 15.6
>> zypper in -t patch openSUSE-SLE-15.6-2025-58=1
>> - Web and Scripting Module 15-SP6
>> zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP6-2025-58=1
>> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP3
>> zypper in -t patch SUSE-SLE-Product-HPC-15-SP3-LTSS-2025-58=1
>> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4
>> zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-ESPOS-2025-58=1
>> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP4
>> zypper in -t patch SUSE-SLE-Product-HPC-15-SP4-LTSS-2025-58=1
>> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5
>> zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-ESPOS-2025-58=1
>> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP5
>> zypper in -t patch SUSE-SLE-Product-HPC-15-SP5-LTSS-2025-58=1
>> - SUSE Linux Enterprise Server 15 SP3 LTSS
>> zypper in -t patch SUSE-SLE-Product-SLES-15-SP3-LTSS-2025-58=1
>> - SUSE Linux Enterprise Server 15 SP4 LTSS
>> zypper in -t patch SUSE-SLE-Product-SLES-15-SP4-LTSS-2025-58=1
>> - SUSE Linux Enterprise Server 15 SP5 LTSS
>> zypper in -t patch SUSE-SLE-Product-SLES-15-SP5-LTSS-2025-58=1
>> - SUSE Linux Enterprise Server for SAP Applications 15 SP3
>> zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP3-2025-58=1
>> - SUSE Linux Enterprise Server for SAP Applications 15 SP4
>> zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP4-2025-58=1
>> - SUSE Linux Enterprise Server for SAP Applications 15 SP5
>> zypper in -t patch SUSE-SLE-Product-SLES_SAP-15-SP5-2025-58=1
>> - SUSE Manager Server 4.3
>> zypper in -t patch SUSE-SLE-Product-SUSE-Manager-Server-4.3-2025-58=1
>> - SUSE Enterprise Storage 7.1
>> zypper in -t patch SUSE-Storage-7.1-2025-58=1
>>
>> Package List:
>>
>> - openSUSE Leap 15.6 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-docs-webapp-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-embed-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - tomcat-jsvc-9.0.98-150200.74.1
>> - tomcat-javadoc-9.0.98-150200.74.1
>> - Web and Scripting Module 15-SP6 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP4 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP4 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise High Performance Computing ESPOS 15 SP5 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise High Performance Computing LTSS 15 SP5 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise Server 15 SP3 LTSS (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise Server 15 SP4 LTSS (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise Server 15 SP5 LTSS (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise Server for SAP Applications 15 SP3 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise Server for SAP Applications 15 SP4 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Linux Enterprise Server for SAP Applications 15 SP5 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Manager Server 4.3 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>> - SUSE Enterprise Storage 7.1 (noarch)
>> - tomcat-jsp-2_3-api-9.0.98-150200.74.1
>> - tomcat-servlet-4_0-api-9.0.98-150200.74.1
>> - tomcat-admin-webapps-9.0.98-150200.74.1
>> - tomcat-lib-9.0.98-150200.74.1
>> - tomcat-9.0.98-150200.74.1
>> - tomcat-webapps-9.0.98-150200.74.1
>> - tomcat-el-3_0-api-9.0.98-150200.74.1
>>
>> References:
>>
>> - https://www.suse.com/security/cve/CVE-2024-50379.html
>> - https://www.suse.com/security/cve/CVE-2024-52317.html
>> - https://www.suse.com/security/cve/CVE-2024-54677.html
>> - https://bugzilla.suse.com/show_bug.cgi?id=1233435
>> - https://bugzilla.suse.com/show_bug.cgi?id=1234663
>> - https://bugzilla.suse.com/show_bug.cgi?id=1234664
>>
>>
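The quoted advisory gives a fixed package version (9.0.98-150200.74.1), the zypper patch commands, and three CVEs, but not a way to confirm a host is actually clean afterwards. The following Python triage helper is an added example and is not code from SUSE or the Tomcat project. It compares `rpm -qa 'tomcat*'` output against the advisory's fixed version-release using a simplified rpm ordering, checks conf/web.xml for a write-enabled DefaultServlet, and flags whether the examples webapp is still deployed. Two things here come from outside this page: the readonly=false precondition for CVE-2024-50379 is taken from the upstream Apache Tomcat advisory (this message only names the TOCTOU), and every sample input below (the older version-release strings, the web.xml fragment, the webapp directory names) is constructed for the demo.

```python
"""Post-advisory triage for SUSE-SU-2025:0058-1 (tomcat 9.0.98-150200.74.1).

Added example, not the SUSE advisory's or the Tomcat project's code. Works on
text captured from a host: `rpm -qa 'tomcat*'` output and conf/web.xml.
"""
import re
import xml.etree.ElementTree as ET

FIXED_VR = "9.0.98-150200.74.1"  # fixed version-release from the advisory's package list
ARCH_SUFFIXES = (".noarch", ".x86_64", ".aarch64", ".ppc64le", ".s390x")
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _segments(s):
    """Split a version string into rpm-style segments: ints and alpha runs."""
    return [int(x) if x.isdigit() else x for x in re.findall(r"\d+|[A-Za-z]+", s)]


def rpmvercmp(a, b):
    """Simplified rpmvercmp: numbers compare as integers, letters lexically,
    and a numeric segment sorts newer than an alpha one. Returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(vr_a, vr_b):
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def parse_nvr(pkg):
    """'name-version-release[.arch]' -> (name, 'version-release'), or None."""
    for arch in ARCH_SUFFIXES:
        if pkg.endswith(arch):
            pkg = pkg[: -len(arch)]
            break
    parts = pkg.rsplit("-", 2)
    return (parts[0], f"{parts[1]}-{parts[2]}") if len(parts) == 3 else None


def outdated_packages(rpm_qa_output, fixed_vr=FIXED_VR):
    """Return the tomcat* package lines still older than the fixed version."""
    old = []
    for line in rpm_qa_output.split():
        nvr = parse_nvr(line)
        if nvr and nvr[0].startswith("tomcat") and compare_vr(nvr[1], fixed_vr) < 0:
            old.append(line)
    return old


def _local(tag):
    return tag.rsplit("}", 1)[-1]  # strip the XML namespace


def default_servlet_writable(web_xml):
    """True when web.xml sets the DefaultServlet init-param readonly=false.
    Tomcat's default is true; the upstream Apache advisory names a write-enabled
    DefaultServlet on a case-insensitive filesystem as the CVE-2024-50379 precondition."""
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        if fields.get("servlet-class") != DEFAULT_SERVLET:
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "readonly" and kv.get("param-value", "").lower() == "false":
                return True
    return False


def triage(rpm_qa_output, web_xml, deployed_webapps):
    """Summarise what still needs action on one host."""
    return {
        "outdated": outdated_packages(rpm_qa_output),
        "default_servlet_writable": default_servlet_writable(web_xml),
        "examples_deployed": "examples" in deployed_webapps,  # CVE-2024-54677 surface
    }


# Constructed sample inputs (assumed older builds; not from the advisory).
SAMPLE_RPM_QA = """\
tomcat-9.0.97-150200.71.1.noarch
tomcat-lib-9.0.97-150200.71.1.noarch
tomcat-el-3_0-api-9.0.98-150200.74.1.noarch
tomcat-webapps-9.0.97-150200.71.1.noarch
java-11-openjdk-11.0.25.0-150000.3.112.1.x86_64
"""
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""
SAMPLE_WEBAPPS = ["ROOT", "manager", "examples", "docs"]  # assumed listing of webapps/

if __name__ == "__main__":
    for key, value in triage(SAMPLE_RPM_QA, SAMPLE_WEB_XML, SAMPLE_WEBAPPS).items():
        print(f"{key}: {value}")
```

On a real host, feed `rpm -qa 'tomcat*'` and the contents of /usr/share/tomcat/conf/web.xml (path assumed) into `triage`; a non-empty `outdated` list after `zypper patch` usually means the patch was not applied to that product's module, and `examples_deployed` is worth fixing regardless of version, since the examples webapp has no business on a production server.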