Security update for tomcat6 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2016:2229-1 Final 1 1 2016-09-02T15:32:51Z current 2016-09-02T15:32:51Z 2016-09-02T15:32:51Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat6 This update for tomcat6 fixes the following issue: - CVE-2016-5388 Setting HTTP_PROXY environment variable via Proxy header (bsc#988489) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). slessp4-tomcat-12727 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2016/suse-su-20162229-1/ Link for SUSE-SU-2016:2229-1 https://lists.suse.com/pipermail/sle-security-updates/2016-September/002253.html E-Mail link for SUSE-SU-2016:2229-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/988489 SUSE Bug 988489 https://www.suse.com/security/cve/CVE-2016-5388/ SUSE CVE CVE-2016-5388 page SUSE Linux Enterprise Server 11 SP4 SUSE Linux Enterprise Server for SAP Applications 11 SP4 tomcat6-6.0.45-0.53.2 tomcat6-admin-webapps-6.0.45-0.53.2 tomcat6-docs-webapp-6.0.45-0.53.2 tomcat6-javadoc-6.0.45-0.53.2 tomcat6-jsp-2_1-api-6.0.45-0.53.2 tomcat6-lib-6.0.45-0.53.2 tomcat6-servlet-2_5-api-6.0.45-0.53.2 tomcat6-webapps-6.0.45-0.53.2 tomcat6-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-admin-webapps-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-docs-webapp-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-javadoc-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-jsp-2_1-api-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-lib-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-servlet-2_5-api-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-webapps-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server 11 SP4 tomcat6-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 tomcat6-admin-webapps-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 tomcat6-docs-webapp-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 tomcat6-javadoc-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 tomcat6-jsp-2_1-api-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 tomcat6-lib-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 tomcat6-servlet-2_5-api-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 tomcat6-webapps-6.0.45-0.53.2 as a component of SUSE Linux Enterprise Server for SAP Applications 11 SP4 Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability. CVE-2016-5388 SUSE Linux Enterprise Server 11 SP4:tomcat6-6.0.45-0.53.2 SUSE Linux Enterprise Server 11 SP4:tomcat6-admin-webapps-6.0.45-0.53.2 SUSE Linux Enterprise Server 11 SP4:tomcat6-docs-webapp-6.0.45-0.53.2 SUSE Linux Enterprise Server 11 SP4:tomcat6-javadoc-6.0.45-0.53.2 SUSE Linux Enterprise Server 11 SP4:tomcat6-jsp-2_1-api-6.0.45-0.53.2 SUSE Linux Enterprise Server 11 SP4:tomcat6-lib-6.0.45-0.53.2 SUSE Linux Enterprise Server 11 SP4:tomcat6-servlet-2_5-api-6.0.45-0.53.2 SUSE Linux Enterprise Server 11 SP4:tomcat6-webapps-6.0.45-0.53.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-6.0.45-0.53.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-admin-webapps-6.0.45-0.53.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-docs-webapp-6.0.45-0.53.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-javadoc-6.0.45-0.53.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-jsp-2_1-api-6.0.45-0.53.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-lib-6.0.45-0.53.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-servlet-2_5-api-6.0.45-0.53.2 SUSE Linux Enterprise Server for SAP Applications 11 SP4:tomcat6-webapps-6.0.45-0.53.2 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2016/suse-su-20162229-1/ https://www.suse.com/security/cve/CVE-2016-5388.html CVE-2016-5388 https://bugzilla.suse.com/988484 SUSE Bug 988484 https://bugzilla.suse.com/988486 SUSE Bug 988486 https://bugzilla.suse.com/988487 SUSE Bug 988487 https://bugzilla.suse.com/988488 SUSE Bug 988488 https://bugzilla.suse.com/988489 SUSE Bug 988489 https://bugzilla.suse.com/988491 SUSE Bug 988491 https://bugzilla.suse.com/988492 SUSE Bug 988492 https://bugzilla.suse.com/989125 SUSE Bug 989125 https://bugzilla.suse.com/989174 SUSE Bug 989174