Security update for tomcat (important)

This update for tomcat fixes the following issues:

Tomcat 8 was updated from 8.0.23 to 8.0.32, to fix bugs and security
issues.

Fixed security issues:

• CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in
  Apache Tomcat allowed remote authenticated users to bypass intended
  SecurityManager restrictions and list a parent directory via a /…
  (slash dot dot) in a pathname used by a web application in a
  getResource, getResourceAsStream, or getResourcePaths call, as
  demonstrated by the $CATALINA_BASE/webapps directory. (bsc#967967)
• CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when
  different session settings are used for deployments of multiple versions
  of the same web application, might have allowed remote attackers to
  hijack web sessions by leveraging use of a requestedSessionSSL field
  for an unintended request, related to CoyoteAdapter.java and
  Request.java. (bsc#967814)
• CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects
  before considering security constraints and Filters, which allowed
  remote attackers to determine the existence of a directory via a URL
  that lacks a trailing / (slash) character. (bsc#967965)
• CVE-2015-5351: The (1) Manager and (2) Host Manager applications in
  Apache Tomcat established sessions and send CSRF tokens for arbitrary
  new requests, which allowed remote attackers to bypass a CSRF protection
  mechanism by using a token. (bsc#967812)
• CVE-2016-0706: Apache Tomcat did not place
  org.apache.catalina.manager.StatusManagerServlet on the
  org/apache/catalina/core/RestrictedServlets.properties list, which
  allowed remote authenticated users to bypass intended SecurityManager
  restrictions and read arbitrary HTTP requests, and consequently
  discover session ID values, via a crafted web application. (bsc#967815)
• CVE-2016-0714: The session-persistence implementation in Apache Tomcat
  mishandled session attributes, which allowed remote authenticated users
  to bypass intended SecurityManager restrictions and execute arbitrary
  code in a privileged context via a web application that places a crafted
  object in a session. (bsc#967964)
• CVE-2016-0763: The setGlobalContext method in
  org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat did
  not consider whether ResourceLinkFactory.setGlobalContext callers are
  authorized, which allowed remote authenticated users to bypass intended
  SecurityManager restrictions and read or write to arbitrary application
  data, or cause a denial of service (application disruption), via a web
  application that sets a crafted global context. (bsc#967966)

The full changes can be read on:
<a href=“http://tomcat.apache.org/tomcat-8.0-doc/changelog.html”>http://tomcat.apache.org/tomcat-8.0-doc/changelog.html</a>