Security update for tomcat (important)


This update for tomcat fixes the following issues: Feature changes: The embedded Apache Commons DBCP component was updated to version 2.0. (bsc#1010893 fate#321029) Security fixes: - CVE-2016-0762: Realm Timing Attack (bsc#1007854) - CVE-2016-5018: Security Manager Bypass (bsc#1007855) - CVE-2016-6794: System Property Disclosure (bsc#1007857) - CVE-2016-6796: Security Manager Bypass (bsc#1007858) - CVE-2016-6797: Unrestricted Access to Global Resources (bsc#1007853) - CVE-2016-8735: Remote code execution vulnerability in JmxRemoteLifecycleListener (bsc#1011805) - CVE-2016-6816: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests (bsc#1011812) Bug fixes: - Enabled optional setenv.sh script. See section '(3.4) Using the "setenv" script' in <a rel="nofollow" href="http://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt">http://tomcat.apache.org/tomcat-8.0-doc/RUNNING.txt</a>. (bsc#1002639) This update supplies the new packages apache-commons-pool2 and apache-commons-dbcp in version 2 to allow tomcat to use the DBCP 2.0 interface. This update was imported from the SUSE:SLE-12-SP2:Update update project.

Affected Package

OS OS Version Package Name Package Version
openSUSE Leap 42.2 tomcat-webapps 8.0.36-4.1
openSUSE Leap 42.2 tomcat-embed 8.0.36-4.1
openSUSE Leap 42.2 tomcat-servlet-3_1-api 8.0.36-4.1
openSUSE Leap 42.2 apache-commons-dbcp 2.1.1-2.1
openSUSE Leap 42.2 apache-commons-dbcp-javadoc 2.1.1-2.1
openSUSE Leap 42.2 apache-commons-pool2 2.4.2-2.1
openSUSE Leap 42.2 tomcat-admin-webapps 8.0.36-4.1
openSUSE Leap 42.2 apache-commons-pool2-javadoc 2.4.2-2.1
openSUSE Leap 42.2 tomcat-el-3_0-api 8.0.36-4.1
openSUSE Leap 42.2 tomcat-jsvc 8.0.36-4.1
openSUSE Leap 42.2 tomcat-jsp-2_3-api 8.0.36-4.1
openSUSE Leap 42.2 tomcat-docs-webapp 8.0.36-4.1
openSUSE Leap 42.2 tomcat 8.0.36-4.1
openSUSE Leap 42.2 tomcat-javadoc 8.0.36-4.1
openSUSE Leap 42.2 tomcat-lib 8.0.36-4.1