Security update for tomcat10 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2024:0208-1 Final 1 1 2024-01-24T12:54:37Z current 2024-01-24T12:54:37Z 2024-01-24T12:54:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat10 This update for tomcat10 fixes the following issues: Updated to Tomcat 10.1.18 - CVE-2023-46589: Fixed HTTP request smuggling due to incorrect headers parsing (bsc#1217649) Find the full release notes at: https://tomcat.apache.org/tomcat-9.0-doc/changelog.html The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container containers/apache-tomcat:10.1-openjdk11-2024-208,Container containers/apache-tomcat:10.1-openjdk17-2024-208,Container containers/apache-tomcat:10.1-openjdk21-2024-208,SUSE-2024-208,SUSE-SLE-Module-Web-Scripting-15-SP5-2024-208,openSUSE-SLE-15.5-2024-208 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2024/suse-su-20240208-1/ Link for SUSE-SU-2024:0208-1 https://lists.suse.com/pipermail/sle-security-updates/2024-January/017751.html E-Mail link for SUSE-SU-2024:0208-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1217649 SUSE Bug 1217649 https://www.suse.com/security/cve/CVE-2023-46589/ SUSE CVE CVE-2023-46589 page Container containers/apache-tomcat:10.1-openjdk11 Container containers/apache-tomcat:10.1-openjdk17 Container containers/apache-tomcat:10.1-openjdk21 SUSE Linux Enterprise Module for Web and Scripting 15 SP5 openSUSE Leap 15.5 tomcat10-10.1.18-150200.5.8.1 tomcat10-el-5_0-api-10.1.18-150200.5.8.1 tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 tomcat10-lib-10.1.18-150200.5.8.1 tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 tomcat10-admin-webapps-10.1.18-150200.5.8.1 tomcat10-doc-10.1.18-150200.5.8.1 tomcat10-docs-webapp-10.1.18-150200.5.8.1 tomcat10-embed-10.1.18-150200.5.8.1 tomcat10-jsvc-10.1.18-150200.5.8.1 tomcat10-webapps-10.1.18-150200.5.8.1 tomcat10-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk11 tomcat10-el-5_0-api-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk11 tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk11 tomcat10-lib-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk11 tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk11 tomcat10-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk17 tomcat10-el-5_0-api-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk17 tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk17 tomcat10-lib-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk17 tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk17 tomcat10-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk21 tomcat10-el-5_0-api-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk21 tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk21 tomcat10-lib-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk21 tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 as a component of Container containers/apache-tomcat:10.1-openjdk21 tomcat10-10.1.18-150200.5.8.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 tomcat10-admin-webapps-10.1.18-150200.5.8.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 tomcat10-el-5_0-api-10.1.18-150200.5.8.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 tomcat10-lib-10.1.18-150200.5.8.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 tomcat10-webapps-10.1.18-150200.5.8.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 tomcat10-10.1.18-150200.5.8.1 as a component of openSUSE Leap 15.5 tomcat10-admin-webapps-10.1.18-150200.5.8.1 as a component of openSUSE Leap 15.5 tomcat10-docs-webapp-10.1.18-150200.5.8.1 as a component of openSUSE Leap 15.5 tomcat10-el-5_0-api-10.1.18-150200.5.8.1 as a component of openSUSE Leap 15.5 tomcat10-embed-10.1.18-150200.5.8.1 as a component of openSUSE Leap 15.5 tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 as a component of openSUSE Leap 15.5 tomcat10-jsvc-10.1.18-150200.5.8.1 as a component of openSUSE Leap 15.5 tomcat10-lib-10.1.18-150200.5.8.1 as a component of openSUSE Leap 15.5 tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 as a component of openSUSE Leap 15.5 tomcat10-webapps-10.1.18-150200.5.8.1 as a component of openSUSE Leap 15.5 Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy. Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue. CVE-2023-46589 Container containers/apache-tomcat:10.1-openjdk11:tomcat10-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk11:tomcat10-el-5_0-api-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk11:tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk11:tomcat10-lib-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk11:tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk17:tomcat10-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk17:tomcat10-el-5_0-api-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk17:tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk17:tomcat10-lib-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk17:tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk21:tomcat10-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk21:tomcat10-el-5_0-api-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk21:tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk21:tomcat10-lib-10.1.18-150200.5.8.1 Container containers/apache-tomcat:10.1-openjdk21:tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-10.1.18-150200.5.8.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-admin-webapps-10.1.18-150200.5.8.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-el-5_0-api-10.1.18-150200.5.8.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-lib-10.1.18-150200.5.8.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:tomcat10-webapps-10.1.18-150200.5.8.1 openSUSE Leap 15.5:tomcat10-10.1.18-150200.5.8.1 openSUSE Leap 15.5:tomcat10-admin-webapps-10.1.18-150200.5.8.1 openSUSE Leap 15.5:tomcat10-docs-webapp-10.1.18-150200.5.8.1 openSUSE Leap 15.5:tomcat10-el-5_0-api-10.1.18-150200.5.8.1 openSUSE Leap 15.5:tomcat10-embed-10.1.18-150200.5.8.1 openSUSE Leap 15.5:tomcat10-jsp-3_1-api-10.1.18-150200.5.8.1 openSUSE Leap 15.5:tomcat10-jsvc-10.1.18-150200.5.8.1 openSUSE Leap 15.5:tomcat10-lib-10.1.18-150200.5.8.1 openSUSE Leap 15.5:tomcat10-servlet-6_0-api-10.1.18-150200.5.8.1 openSUSE Leap 15.5:tomcat10-webapps-10.1.18-150200.5.8.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2024/suse-su-20240208-1/ https://www.suse.com/security/cve/CVE-2023-46589.html CVE-2023-46589 https://bugzilla.suse.com/1217649 SUSE Bug 1217649