security update for tomcat6

- fix bnc#793394 - bypass of security constraints (CVE-2012-3546)
  * apache-tomcat-CVE-2012-3546.patch
    http://svn.apache.org/viewvc?view=revision&revision=1381035
- fix bnc#793391 - bypass of CSRF prevention filter (CVE-2012-4431)
  * apache-tomcat-CVE-2012-4431.patch
    http://svn.apache.org/viewvc?view=revision&revision=1394456

- document how to protect against slowloris DoS (CVE-2012-5568/bnc#791679) in README.SUSE

- fixes
  bnc#791423 - cnonce tracking weakness (CVE-2012-5885)
  bnc#791424 - authentication caching weakness (CVE-2012-5886)
  bnc#791426 - stale nonce weakness (CVE-2012-5887)
  * apache-tomcat-CVE-2009-2693-CVE-2009-2901-CVE-2009-2902.patch
    http://svn.apache.org/viewvc?view=revision&revision=1380829

- fix bnc#789406 - HTTP NIO connector OOM DoS via a request with large headers (CVE-2012-2733)
  * http://svn.apache.org/viewvc?view=revision&revision=1356208

Fixed bugs
bnc#791679
CVE-2012-5568: tomcat: affected by slowloris DoS
bnc#789406
CVE-2012-2733: tomcat: HTTP NIO connector OOM DoS via a request with large headers
bnc#793394
CVE-2012-3546: tomcat: Bypass of security constraints
bnc#793391
CVE-2012-4431: tomcat: bypass of CSRF prevention filter
bnc#791426
CVE-2012-5887: tomcat: stale nonce weakness
bnc#791424
CVE-2012-5886: tomcat: authentication caching weakness
bnc#791423
CVE-2012-5885: tomcat: cnonce tracking weakness
CVE-2009-2902
Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename.
CVE-2009-2693
Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry
CVE-2009-2901
The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requireme