Security update for tomcat SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2020:1799-1 Final 1 1 2020-11-01T05:23:52Z current 2020-11-01T05:23:52Z 2020-11-01T05:23:52Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat fixes the following issues: - CVE-2020-13943: Fixed HTTP/2 Request mix-up (bsc#1177582) This update was imported from the SUSE:SLE-15-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-2020-1799 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4R6SGGLLSOWWSBNVPTFE4HEM6542AMI5/ E-Mail link for openSUSE-SU-2020:1799-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1177582 SUSE Bug 1177582 https://www.suse.com/security/cve/CVE-2020-13943/ SUSE CVE CVE-2020-13943 page openSUSE Leap 15.2 tomcat-9.0.36-lp152.2.10.1 tomcat-admin-webapps-9.0.36-lp152.2.10.1 tomcat-docs-webapp-9.0.36-lp152.2.10.1 tomcat-el-3_0-api-9.0.36-lp152.2.10.1 tomcat-embed-9.0.36-lp152.2.10.1 tomcat-javadoc-9.0.36-lp152.2.10.1 tomcat-jsp-2_3-api-9.0.36-lp152.2.10.1 tomcat-jsvc-9.0.36-lp152.2.10.1 tomcat-lib-9.0.36-lp152.2.10.1 tomcat-servlet-4_0-api-9.0.36-lp152.2.10.1 tomcat-webapps-9.0.36-lp152.2.10.1 tomcat-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 tomcat-admin-webapps-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 tomcat-docs-webapp-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 tomcat-el-3_0-api-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 tomcat-embed-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 tomcat-javadoc-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 tomcat-jsp-2_3-api-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 tomcat-jsvc-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 tomcat-lib-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 tomcat-servlet-4_0-api-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 tomcat-webapps-9.0.36-lp152.2.10.1 as a component of openSUSE Leap 15.2 If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to 8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This could lead to users seeing responses for unexpected resources. CVE-2020-13943 openSUSE Leap 15.2:tomcat-9.0.36-lp152.2.10.1 openSUSE Leap 15.2:tomcat-admin-webapps-9.0.36-lp152.2.10.1 openSUSE Leap 15.2:tomcat-docs-webapp-9.0.36-lp152.2.10.1 openSUSE Leap 15.2:tomcat-el-3_0-api-9.0.36-lp152.2.10.1 openSUSE Leap 15.2:tomcat-embed-9.0.36-lp152.2.10.1 openSUSE Leap 15.2:tomcat-javadoc-9.0.36-lp152.2.10.1 openSUSE Leap 15.2:tomcat-jsp-2_3-api-9.0.36-lp152.2.10.1 openSUSE Leap 15.2:tomcat-jsvc-9.0.36-lp152.2.10.1 openSUSE Leap 15.2:tomcat-lib-9.0.36-lp152.2.10.1 openSUSE Leap 15.2:tomcat-servlet-4_0-api-9.0.36-lp152.2.10.1 openSUSE Leap 15.2:tomcat-webapps-9.0.36-lp152.2.10.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/4R6SGGLLSOWWSBNVPTFE4HEM6542AMI5/ https://www.suse.com/security/cve/CVE-2020-13943.html CVE-2020-13943 https://bugzilla.suse.com/1177582 SUSE Bug 1177582