File _patchinfo of Package patchinfo.5927
<patchinfo incident="5927">
<issue id="1019016" tracker="bnc">tomcat-el-3_0-api: package verification fails</issue>
<issue id="1002639" tracker="bnc">Tomcat Lacks "setenv.sh" Implementation</issue>
<issue id="977410" tracker="bnc">Tomcat-apache : The command tomcat-digest doesn't work</issue>
<issue id="1042910" tracker="bnc">VUL-0: CVE-2017-5664: tomcat,tomcat6: Security constrained bypass in error page mechanism</issue>
<issue id="1053352" tracker="bnc">VUL-0: CVE-2017-7674: tomcat: The CORS Filter issue could lead to client and server side cache poisoning</issue>
<issue id="1059554" tracker="bnc">VUL-0: CVE-2017-12615, CVE-2017-12617: tomcat: Remote Code Execution via JSP Upload</issue>
<issue id="2017-7674" tracker="cve" />
<issue id="2017-12617" tracker="cve" />
<issue id="2017-5664" tracker="cve" />
<category>security</category>
<rating>important</rating>
<packager>malbu</packager>
<description>This update for tomcat fixes the following issues:
Security issues fixed:
- CVE-2017-5664: A problem in handling error pages was fixed to avoid potential file overwrites during error page handling (bsc#1042910)
- CVE-2017-7674: A CORS Filter issue could lead to client and server side cache poisoning (bsc#1053352)
- CVE-2017-12617: A remote code execution possibility via JSP Upload was fixed (bsc#1059554)
Non-security issues fixed:
- Fix tomcat-digest classpath error (bsc#977410)
- Read setenv.sh when starting Tomcat with catalina.sh (bsc#1002639)
- Fix packaged /etc/alternatives symlinks for api libs that caused
rpm -V to report link mismatch (bsc#1019016)
</description>
<summary>Security update for tomcat</summary>
</patchinfo>