File _patchinfo of Package patchinfo.16459

<patchinfo incident="16459">
  <issue tracker="bnc" id="1172562">VUL-1: tomcat: lots of tomcat files are writable for the tomcat user / tomcat group</issue>
  <issue tracker="bnc" id="1092163">servletapi5: servlet.jar not created</issue>
  <issue tracker="cve" id="2020-13943"/>
  <issue tracker="bnc" id="1177582">VUL-0: CVE-2020-13943: tomcat: HTTP/2 Request mix-up</issue>
  <issue tracker="bnc" id="1178396">Tomcat doesn't need anymore /usr/lib/tmpfiles.d/tomcat.conf and /run/tomcat.pid</issue>
  <issue tracker="cve" id="2020-17527"/>
  <issue tracker="bnc" id="1179602">VUL-0: CVE-2020-17527: tomcat6,tomcat: HTTP/2 request header mix-up</issue>
  <packager>mateialbu</packager>
  <rating>moderate</rating>
  <category>security</category>
  <summary>Security update for tomcat</summary>
  <description>This update for tomcat fixes the following issues:

Security issues fixed:

- CVE-2020-13943: Fixed a HTTP/2 Request mix-up (bsc#1177582).
- CVE-2020-17527: Fixed a HTTP/2 request header mix-up (bsc#1179602).

Non-security issue fixed:

- Removed tomcat-9.0.init and /usr/lib/tmpfiles.d/tomcat.conf from package. They're not used anymore becuse of systemd (bsc#1178396).
- Fixed 'tomcat-servlet-4_0-api' package alternatives to use and keep a symlink for compatibility (bsc#1092163).
- Don't give write permissions for the tomcat group on files and directories where it's not needed (bsc#1172562).
</description>
</patchinfo>