Test ID:1.3.6.1.4.1.25623.1.1.18.2.2025.1024.1
Category:openSUSE Local Security Checks
Title:openSUSE Security Advisory (SUSE-SU-2025:1024-1)
Summary:The remote host is missing an update for the 'tomcat10' package(s) announced via the SUSE-SU-2025:1024-1 advisory.
Description:

Vulnerability Insight:
This update for tomcat10 fixes the following issues:

- CVE-2025-24813: Fixed potential RCE and/or information disclosure/corruption with partial PUT (bsc#1239302)

Other fixes:

- Update to Tomcat 10.1.39
  * Fixes:
    + launch with java 17 (bsc#1239676)
  * Catalina
    + Fix: 69602: Fix regression in releases from 12-2024 that were too strict and rejected weak etags in the If-Range header with a 400 response. Instead will consider it as a failed match since strong etags are required for If-Range. (remm)
    + Fix: When looking up class loader resources by resource name, the resource name should not start with '/'. If the resource name does start with '/', Tomcat is lenient and looks it up as if the '/' was not present. When the web application class loader was configured with external repositories and names starting with '/' were used for lookups, it was possible that cached 'not found' results could effectively hide lookup results using the correct resource name. (markt)
    + Fix: Enable the JNDIRealm to validate credentials provided to HttpServletRequest.login(String username, String password) when the realm is configured to use GSSAPI authentication. (markt)
    + Fix: Fix a bug in the JRE compatibility detection that incorrectly identified Java 19 and Java 20 as supporting Java 21 features. (markt)
    + Fix: Improve the checks for exposure to and protection against CVE-2024-56337 so that reflection is not used unless required. The checks for whether the file system is case sensitive or not have been removed. (markt)
    + Add: Add support for logging the connection ID (as returned by ServletRequest.getServletConnection().getConnectionId()) with the AccessLogValve and ExtendedAccessLogValve. Based on pull request #814 by Dmole. (markt)
    + Fix: Avoid scenarios where temporary files used for partial PUT would not be deleted. (remm)
    + Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught exception introduced for the check for CVE-2024-56337. (remm)
  * Cluster
    + Add: 69598: Add detection of service account token changes to the KubernetesMembershipProvider implementation and reload the token if it changes. Based on a patch by Miroslav Jezbera. (markt)
  * Coyote
    + Fix: 69575: Avoid using compression if a response is already compressed using compress, deflate or zstd. (remm)
    + Update: Use Transfer-Encoding for compression rather than Content-Encoding if the client submits a TE header containing gzip. (remm)
    + Fix: Fix a race condition in the handling of HTTP/2 stream reset that could cause unexpected 500 responses. (markt)
  * Other
    + Add: Add makensis as an option for building the Installer for Windows on non-Windows platforms. (rjung/markt)
    + Update: Update Byte Buddy to 1.17.1. (markt)
    + Update: Update Checkstyle to 10.21.3. (markt)
    + Update: Update SpotBugs to 4.9.1. (markt)
    + Update: Update JSign to 7.1. (markt)
    + Add: ... [Please see the references for more information on the vulnerabilities]

Affected Software/OS:
'tomcat10' package(s) on openSUSE Leap 15.6.

Solution:
Please install the updated package(s).

CVSS Score:
10.0

CVSS Vector:
AV:N/AC:L/Au:N/C:C/I:C/A:C

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2024-56337
Common Vulnerability Exposure (CVE) ID: CVE-2025-24813

Copyright: Copyright (C) 2025 Greenbone AG

© 1998-2025 E-Soft Inc. All rights reserved.