Bugzilla – Bug 986359
VUL-0: CVE-2016-3092: tomcat6,tomcat5,tomcat,jakarta-commons-fileupload: Usage of vulnerable FileUpload package can result in denial of service
Last modified: 2023-03-16 12:30:45 UTC
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html

Upstream fixes:
Tomcat 8.5.x: http://svn.apache.org/viewvc?view=revision&revision=1743722
Tomcat 8.0.x: http://svn.apache.org/viewvc?view=revision&revision=1743738

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1349468

(we need to check if 7 and 5 are also affected, I am currently assuming yes)

tomcat7 (SUSE:SLE-12:Update) has similar code
tomcat6 (SUSE:SLE-11:Update) has similar code
tomcat5 does not seem to have the fileupload code embedded.

bugbot adjusting priority
According to http://www.mail-archive.com/announce@tomcat.apache.org/msg00212.html Tomcat 6 is not affected by this vulnerability.

SUSE-SU-2016:2188-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 986359,988489
CVE References: CVE-2016-3092,CVE-2016-5388
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src): tomcat-8.0.32-8.7

openSUSE-SU-2016:2252-1: An update that fixes two vulnerabilities is now available.
Category: security (moderate)
Bug References: 986359,988489
CVE References: CVE-2016-3092,CVE-2016-5388
Sources used:
openSUSE Leap 42.1 (src): tomcat-8.0.32-8.1

SUSE-SU-2017:1660-1: An update that fixes 12 vulnerabilities is now available.
Category: security (important)
Bug References: 1007853,1007854,1007855,1007857,1007858,1011805,1011812,1015119,1033447,1033448,986359,988489
CVE References: CVE-2016-0762,CVE-2016-3092,CVE-2016-5018,CVE-2016-5388,CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-6816,CVE-2016-8735,CVE-2016-8745,CVE-2017-5647,CVE-2017-5648
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src): tomcat-7.0.78-7.13.4
SUSE Linux Enterprise Server 12-LTSS (src): tomcat-7.0.78-7.13.4

released

SUSE-SU-2023:0730-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1208513, 986359
CVE References: CVE-2016-3092, CVE-2023-24998
Sources used:
openSUSE Leap 15.4 (src): jakarta-commons-fileupload-1.1.1-150000.4.8.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): jakarta-commons-fileupload-1.1.1-150000.4.8.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): jakarta-commons-fileupload-1.1.1-150000.4.8.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): jakarta-commons-fileupload-1.1.1-150000.4.8.1
SUSE CaaS Platform 4.0 (src): jakarta-commons-fileupload-1.1.1-150000.4.8.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0758-1: An update that solves two vulnerabilities can now be installed.
Category: security (important)
Bug References: 1208513, 986359
CVE References: CVE-2016-3092, CVE-2023-24998
Sources used:
SUSE OpenStack Cloud 9 (src): jakarta-commons-fileupload-1.1.1-122.8.1
SUSE OpenStack Cloud Crowbar 9 (src): jakarta-commons-fileupload-1.1.1-122.8.1
SUSE Linux Enterprise Server for SAP Applications 12 SP4 (src): jakarta-commons-fileupload-1.1.1-122.8.1
SUSE Linux Enterprise Server 12 SP2 BCL 12-SP2 (src): jakarta-commons-fileupload-1.1.1-122.8.1
SUSE Linux Enterprise Server 12 SP4 ESPOS 12-SP4 (src): jakarta-commons-fileupload-1.1.1-122.8.1
SUSE Linux Enterprise Server 12 SP4 LTSS 12-SP4 (src): jakarta-commons-fileupload-1.1.1-122.8.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): jakarta-commons-fileupload-1.1.1-122.8.1
SUSE Linux Enterprise Server 12 SP5 (src): jakarta-commons-fileupload-1.1.1-122.8.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): jakarta-commons-fileupload-1.1.1-122.8.1
NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.