Security update for tomcat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2018:3968-1 Final 1 1 2018-12-03T14:33:18Z current 2018-12-03T14:33:18Z 2018-12-03T14:33:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat to 9.0.12 fixes the following issues: See the full changelog at: http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.12_(markt) Security issues fixed: - CVE-2018-11784: When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (bsc#1110850) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-Module-Development-Tools-OBS-15-2018-2823,SUSE-SLE-Module-Web-Scripting-15-2018-2823 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2018/suse-su-20183968-1/ Link for SUSE-SU-2018:3968-1 https://www.suse.com/support/update/announcement/2018/suse-su-20183968-1.html E-Mail link for SUSE-SU-2018:3968-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1110850 SUSE Bug 1110850 https://www.suse.com/security/cve/CVE-2018-11784/ SUSE CVE CVE-2018-11784 page SUSE Linux Enterprise Module for Web and Scripting 15 tomcat-9.0.12-3.8.3 tomcat-admin-webapps-9.0.12-3.8.3 tomcat-el-3_0-api-9.0.12-3.8.3 tomcat-jsp-2_3-api-9.0.12-3.8.3 tomcat-lib-9.0.12-3.8.3 tomcat-servlet-4_0-api-9.0.12-3.8.3 tomcat-webapps-9.0.12-3.8.3 tomcat-9.0.12-3.8.3 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 tomcat-admin-webapps-9.0.12-3.8.3 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 tomcat-el-3_0-api-9.0.12-3.8.3 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 tomcat-jsp-2_3-api-9.0.12-3.8.3 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 tomcat-lib-9.0.12-3.8.3 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 tomcat-servlet-4_0-api-9.0.12-3.8.3 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 tomcat-webapps-9.0.12-3.8.3 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. CVE-2018-11784 SUSE Linux Enterprise Module for Web and Scripting 15:tomcat-9.0.12-3.8.3 SUSE Linux Enterprise Module for Web and Scripting 15:tomcat-admin-webapps-9.0.12-3.8.3 SUSE Linux Enterprise Module for Web and Scripting 15:tomcat-el-3_0-api-9.0.12-3.8.3 SUSE Linux Enterprise Module for Web and Scripting 15:tomcat-jsp-2_3-api-9.0.12-3.8.3 SUSE Linux Enterprise Module for Web and Scripting 15:tomcat-lib-9.0.12-3.8.3 SUSE Linux Enterprise Module for Web and Scripting 15:tomcat-servlet-4_0-api-9.0.12-3.8.3 SUSE Linux Enterprise Module for Web and Scripting 15:tomcat-webapps-9.0.12-3.8.3 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2018/suse-su-20183968-1/ https://www.suse.com/security/cve/CVE-2018-11784.html CVE-2018-11784 https://bugzilla.suse.com/1110850 SUSE Bug 1110850 https://bugzilla.suse.com/1122212 SUSE Bug 1122212