Overview

File _patchinfo of Package patchinfo.31365

<patchinfo incident="31365">
  <issue tracker="cve" id="2023-42795"/>
  <issue tracker="cve" id="2023-42794"/>
  <issue tracker="cve" id="2023-45648"/>
  <issue tracker="cve" id="2023-46589"/>
  <issue tracker="cve" id="2024-22029"/>
  <issue tracker="bnc" id="1217649">VUL-0: CVE-2023-46589: Apache Tomcat: HTTP request smuggling due to incorrect headers parsing</issue>
  <issue tracker="bnc" id="1216120">VUL-0: CVE-2023-42794: tomcat: FileUpload: DoS due to accumulation of temporary files on Windows</issue>
  <issue tracker="bnc" id="1216119">VUL-0: CVE-2023-42795: tomcat: Failure during request clean-up leads to sensitive data leaking to subsequent requests</issue>
  <issue tracker="bnc" id="1216118">VUL-0: CVE-2023-45648: tomcat: Trailer header parsing too lenient</issue>
  <issue tracker="bnc" id="1217768">tomcat: updating/patching changes ownership/permissions of server.xml</issue>
  <issue tracker="bnc" id="1217402">AUDIT-FIND: Updating server configuration as root while parsing untrusted data</issue>
  <issue tracker="bnc" id="1219208">VUL-0: EMBARGOED: CVE-2024-22029: tomcat: Escalation to root from tomcat user via %post script</issue>
  <packager>mbussolotto</packager>
  <rating>important</rating>
  <category>security</category>
  <summary>Security update for tomcat</summary>
  <description>This update for tomcat fixes the following issues:

Updated to Tomcat 9.0.85:

- CVE-2023-45648: Improve trailer header parsing (bsc#1216118).
- CVE-2023-42794: FileUpload: remove tmp files to avoid DoS on Windows (bsc#1216120).
- CVE-2023-42795: Improve handling of failures during recycle() methods (bsc#1216119).
- CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing (bsc#1217649)
- CVE-2024-22029: Fixed escalation to root from tomcat user via %post script. (bsc#1219208)
    
The following non-security issues were fixed:

- Fixed the file permissions for server.xml (bsc#1217768, bsc#1217402).

Find the full release notes at:

https://tomcat.apache.org/tomcat-9.0-doc/changelog.html
</description>
</patchinfo>
openSUSE Build Service is sponsored by
Places