Security update for tomcat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:0822-1 Final 1 1 2016-03-18T14:14:17Z current 2016-03-18T14:14:17Z 2016-03-18T14:14:17Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat fixes the following security issues. Tomcat has been updated from 7.0.55 to 7.0.68. * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in Apache Tomcat allowed remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (bsc#967967) * CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when different session settings are used for deployments of multiple versions of the same web application, might have allowed remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. (bsc#967814) * CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects before considering security constraints and Filters, which allowed remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. (bsc#967965) * CVE-2015-5351: The (1) Manager and (2) Host Manager applications in Apache Tomcat established sessions and send CSRF tokens for arbitrary new requests, which allowed remote attackers to bypass a CSRF protection mechanism by using a token. (bsc#967812) * CVE-2016-0706: Apache Tomcat did not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allowed remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. (bsc#967815) * CVE-2016-0714: The session-persistence implementation in Apache Tomcat mishandled session attributes, which allowed remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. (bsc#967964) * CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat did not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allowed remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. (bsc#967966) See https://tomcat.apache.org/tomcat-7.0-doc/changelog.html for other fixes since 7.0.55 The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SERVER-12-2016-478 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20160822-1/ Link for SUSE-SU-2016:0822-1 https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html E-Mail link for SUSE-SU-2016:0822-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/967812 SUSE Bug 967812 https://bugzilla.suse.com/967814 SUSE Bug 967814 https://bugzilla.suse.com/967815 SUSE Bug 967815 https://bugzilla.suse.com/967964 SUSE Bug 967964 https://bugzilla.suse.com/967965 SUSE Bug 967965 https://bugzilla.suse.com/967966 SUSE Bug 967966 https://bugzilla.suse.com/967967 SUSE Bug 967967 https://www.suse.com/security/cve/CVE-2015-5174/ SUSE CVE CVE-2015-5174 page https://www.suse.com/security/cve/CVE-2015-5345/ SUSE CVE CVE-2015-5345 page https://www.suse.com/security/cve/CVE-2015-5346/ SUSE CVE CVE-2015-5346 page https://www.suse.com/security/cve/CVE-2015-5351/ SUSE CVE CVE-2015-5351 page https://www.suse.com/security/cve/CVE-2016-0706/ SUSE CVE CVE-2016-0706 page https://www.suse.com/security/cve/CVE-2016-0714/ SUSE CVE CVE-2016-0714 page https://www.suse.com/security/cve/CVE-2016-0763/ SUSE CVE CVE-2016-0763 page SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 tomcat-7.0.68-7.6.1 tomcat-admin-webapps-7.0.68-7.6.1 tomcat-docs-webapp-7.0.68-7.6.1 tomcat-el-2_2-api-7.0.68-7.6.1 tomcat-javadoc-7.0.68-7.6.1 tomcat-jsp-2_2-api-7.0.68-7.6.1 tomcat-lib-7.0.68-7.6.1 tomcat-servlet-3_0-api-7.0.68-7.6.1 tomcat-webapps-7.0.68-7.6.1 tomcat-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server 12 tomcat-admin-webapps-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server 12 tomcat-docs-webapp-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server 12 tomcat-el-2_2-api-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server 12 tomcat-javadoc-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server 12 tomcat-jsp-2_2-api-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server 12 tomcat-lib-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server 12 tomcat-servlet-3_0-api-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server 12 tomcat-webapps-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server 12 tomcat-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-admin-webapps-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-docs-webapp-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-el-2_2-api-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-javadoc-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-jsp-2_2-api-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-lib-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-servlet-3_0-api-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-webapps-7.0.68-7.6.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. CVE-2015-5174 SUSE Linux Enterprise Server 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-webapps-7.0.68-7.6.1 moderate 4.3 AV:A/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160822-1/ https://www.suse.com/security/cve/CVE-2015-5174.html CVE-2015-5174 https://bugzilla.suse.com/967967 SUSE Bug 967967 The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. CVE-2015-5345 SUSE Linux Enterprise Server 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-webapps-7.0.68-7.6.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160822-1/ https://www.suse.com/security/cve/CVE-2015-5345.html CVE-2015-5345 https://bugzilla.suse.com/967965 SUSE Bug 967965 Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. CVE-2015-5346 SUSE Linux Enterprise Server 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-webapps-7.0.68-7.6.1 moderate 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160822-1/ https://www.suse.com/security/cve/CVE-2015-5346.html CVE-2015-5346 https://bugzilla.suse.com/967814 SUSE Bug 967814 The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. CVE-2015-5351 SUSE Linux Enterprise Server 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-webapps-7.0.68-7.6.1 moderate 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160822-1/ https://www.suse.com/security/cve/CVE-2015-5351.html CVE-2015-5351 https://bugzilla.suse.com/967812 SUSE Bug 967812 Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. CVE-2016-0706 SUSE Linux Enterprise Server 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-webapps-7.0.68-7.6.1 low 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160822-1/ https://www.suse.com/security/cve/CVE-2016-0706.html CVE-2016-0706 https://bugzilla.suse.com/967815 SUSE Bug 967815 https://bugzilla.suse.com/971085 SUSE Bug 971085 https://bugzilla.suse.com/988489 SUSE Bug 988489 The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. CVE-2016-0714 SUSE Linux Enterprise Server 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-webapps-7.0.68-7.6.1 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160822-1/ https://www.suse.com/security/cve/CVE-2016-0714.html CVE-2016-0714 https://bugzilla.suse.com/967964 SUSE Bug 967964 https://bugzilla.suse.com/971085 SUSE Bug 971085 The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. CVE-2016-0763 SUSE Linux Enterprise Server 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server 12:tomcat-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-admin-webapps-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-docs-webapp-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-el-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-javadoc-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-jsp-2_2-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-lib-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-servlet-3_0-api-7.0.68-7.6.1 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-webapps-7.0.68-7.6.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20160822-1/ https://www.suse.com/security/cve/CVE-2016-0763.html CVE-2016-0763 https://bugzilla.suse.com/967966 SUSE Bug 967966 https://bugzilla.suse.com/971085 SUSE Bug 971085