Security update for tomcat6
| Announcement ID: | SUSE-SU-2015:1337-1 |
| Rating: | moderate |
| References: | #906152 #917127 #918195 #926762 #931442 #932698 |
| Affected Products: | SUSE Linux Enterprise Server 11 SP3, SUSE Linux Enterprise Server 11 SP3 for VMware |
An update that solves three vulnerabilities and has three fixes is now available. It includes one version update.
Description:
This update fixes the following security issues:
CVE-2014-7810: security manager bypass via EL expressions (bnc#931442)
It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could have used this flaw to bypass security manager protections.
CVE-2014-0227: limited DoS in chunked transfer encoding input filter (bnc#917127)
It was discovered that the ChunkedInputFilter implementation did not fail subsequent attempts to read input early enough. A remote attacker could have used this flaw to perform a denial of service attack by streaming an unlimited quantity of data, leading to consumption of server resources.
CVE-2014-0230: non-persistent DoS attack by feeding data and aborting an upload
It was possible for a remote attacker to trigger a non-persistent DoS attack by feeding data and aborting an upload.
Security Issues:
- CVE-2014-0227
- CVE-2014-0230
- CVE-2014-7810
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Linux Enterprise Server 11 SP3 for VMware:
zypper in -t patch slessp3-tomcat6=10813
- SUSE Linux Enterprise Server 11 SP3:
zypper in -t patch slessp3-tomcat6=10813
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Linux Enterprise Server 11 SP3 for VMware (noarch) [New Version: 6.0.41]:
- tomcat6-6.0.41-0.45.1
- tomcat6-admin-webapps-6.0.41-0.45.1
- tomcat6-docs-webapp-6.0.41-0.45.1
- tomcat6-javadoc-6.0.41-0.45.1
- tomcat6-jsp-2_1-api-6.0.41-0.45.1
- tomcat6-lib-6.0.41-0.45.1
- tomcat6-servlet-2_5-api-6.0.41-0.45.1
- tomcat6-webapps-6.0.41-0.45.1
- SUSE Linux Enterprise Server 11 SP3 (noarch) [New Version: 6.0.41]:
- tomcat6-6.0.41-0.45.1
- tomcat6-admin-webapps-6.0.41-0.45.1
- tomcat6-docs-webapp-6.0.41-0.45.1
- tomcat6-javadoc-6.0.41-0.45.1
- tomcat6-jsp-2_1-api-6.0.41-0.45.1
- tomcat6-lib-6.0.41-0.45.1
- tomcat6-servlet-2_5-api-6.0.41-0.45.1
- tomcat6-webapps-6.0.41-0.45.1
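A practical follow-up to the patch instructions and package list above is confirming on each host that every installed tomcat6 package is at or beyond the fixed version 6.0.41-0.45.1. The following POSIX shell script is an added example and is not part of the SUSE advisory; it compares RPM version-release strings segment by segment (assuming purely numeric segments, which holds for these packages) against the fixed version, and runs against a constructed sample inventory. The sample lines, the package names `tomcat6-lib`/`tomcat6-webapps` in them, and the older release `0.33.1` are constructed test data, not values from the advisory.

```shell
#!/bin/sh
# Added example (not from the SUSE advisory): verify that installed tomcat6
# packages are at or above the version fixed by SUSE-SU-2015:1337-1.
set -eu

# Fixed version-release taken from the advisory's package list.
FIXED_VERSION="6.0.41"
FIXED_RELEASE="0.45.1"

# Compare two dotted numeric strings segment by segment.
# Prints "lt", "eq" or "gt" (how $1 relates to $2). A missing segment
# counts as 0, so "0.45" < "0.45.1". Non-numeric segments are not handled.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        ax="${ax:-0}"; bx="${bx:-0}"
        if [ "$ax" -gt "$bx" ]; then echo gt; return 0; fi
        if [ "$ax" -lt "$bx" ]; then echo lt; return 0; fi
        case "$a" in *.*) a="${a#*.}";; *) a="";; esac
        case "$b" in *.*) b="${b#*.}";; *) b="";; esac
    done
    echo eq
}

# Return 0 if a "VERSION-RELEASE" string is at or above the fixed package,
# 1 otherwise. Version is compared first; release only breaks a version tie.
tomcat6_is_patched() {
    evr="$1"
    ver="${evr%%-*}"
    if [ "$ver" = "$evr" ]; then rel="0"; else rel="${evr#*-}"; fi
    case "$(vercmp "$ver" "$FIXED_VERSION")" in
        gt) return 0 ;;
        lt) return 1 ;;
    esac
    case "$(vercmp "$rel" "$FIXED_RELEASE")" in
        lt) return 1 ;;
        *)  return 0 ;;
    esac
}

# Walk an inventory of "NAME VERSION-RELEASE" lines, report each package on
# stderr, and print the number of packages that still need the update.
count_unpatched() {
    n=0
    while read -r name evr; do
        [ -z "$name" ] && continue
        if tomcat6_is_patched "$evr"; then
            echo "$name $evr: patched" >&2
        else
            echo "$name $evr: NOT patched (fixed in $FIXED_VERSION-$FIXED_RELEASE)" >&2
            n=$((n + 1))
        fi
    done <<EOF
$1
EOF
    echo "$n"
}

# Constructed sample inventory (not real host data): one package is still on
# an older, constructed release 0.33.1 and should be flagged.
SAMPLE_INVENTORY="tomcat6 6.0.41-0.45.1
tomcat6-lib 6.0.41-0.33.1
tomcat6-webapps 6.0.41-0.45.1"

unpatched=$(count_unpatched "$SAMPLE_INVENTORY")
echo "unpatched tomcat6 packages in sample inventory: $unpatched"
```

On a real SLES 11 SP3 host, generate the inventory with `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'tomcat6*'` and pass it to `count_unpatched`; a non-zero count means `zypper in -t patch slessp3-tomcat6=10813` has not fully taken effect on that host (the installed tomcat6 service also needs a restart after the update so the running instance picks up the patched libraries).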
References:
- https://www.suse.com/security/cve/CVE-2014-0227.html
- https://www.suse.com/security/cve/CVE-2014-0230.html
- https://www.suse.com/security/cve/CVE-2014-7810.html
- https://bugzilla.suse.com/906152
- https://bugzilla.suse.com/917127
- https://bugzilla.suse.com/918195
- https://bugzilla.suse.com/926762
- https://bugzilla.suse.com/931442
- https://bugzilla.suse.com/932698
- https://download.suse.com/patch/finder/?keywords=e3b7d8f79615cd84f9166a063091e91d