Security update for tomcat (important)


This update for Tomcat provides the following fixes: Feature changes: The embedded Apache Commons DBCP component was updated to version 2.0. (bsc#1010893 fate#321029) Security fixes: - CVE-2016-0762: Realm Timing Attack (bsc#1007854) - CVE-2016-5018: Security Manager Bypass (bsc#1007855) - CVE-2016-6794: System Property Disclosure (bsc#1007857) - CVE-2016-6796: Manager Bypass (bsc#1007858) - CVE-2016-6797: Unrestricted Access to Global Resources (bsc#1007853) - CVE-2016-8735: Remote code execution vulnerability in JmxRemoteLifecycleListener (bsc#1011805) - CVE-2016-6816: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests (bsc#1011812) Bugs fixed: - Fixed StringIndexOutOfBoundsException in WebAppClassLoaderBase.filter(). (bsc#974407) - Fixed a deployment error in the examples webapp by changing the context.xml format to the new one introduced by Tomcat 8. (bsc#1004728) - Enabled optional setenv.sh script. See section '(3.4) Using the "setenv" script' in <a rel="nofollow" href="http://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt">http://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt</a>. (bsc#1002639) - Fixed regression caused by CVE-2016-6816. This update supplies the new packages apache-commons-pool2 and apache-commons-dbcp in version 2 to allow tomcat to use the DBCP 2.0 interface. This update was imported from the SUSE:SLE-12-SP1:Update update project.

Affected Package

OS OS Version Package Name Package Version
openSUSE Leap 42.1 tomcat 8.0.32-11.1
openSUSE Leap 42.1 apache-commons-dbcp-javadoc 2.1.1-2.1
openSUSE Leap 42.1 apache-commons-pool2-javadoc 2.4.2-2.1
openSUSE Leap 42.1 tomcat-javadoc 8.0.32-11.1
openSUSE Leap 42.1 tomcat-jsp-2_3-api 8.0.32-11.1
openSUSE Leap 42.1 apache-commons-pool2 2.4.2-2.1
openSUSE Leap 42.1 tomcat-admin-webapps 8.0.32-11.1
openSUSE Leap 42.1 tomcat-webapps 8.0.32-11.1
openSUSE Leap 42.1 apache-commons-dbcp 2.1.1-2.1
openSUSE Leap 42.1 tomcat-el-3_0-api 8.0.32-11.1
openSUSE Leap 42.1 tomcat-jsvc 8.0.32-11.1
openSUSE Leap 42.1 tomcat-servlet-3_1-api 8.0.32-11.1
openSUSE Leap 42.1 tomcat-docs-webapp 8.0.32-11.1
openSUSE Leap 42.1 tomcat-lib 8.0.32-11.1
openSUSE Leap 42.1 tomcat-embed 8.0.32-11.1