Bugzilla – Bug 793391
VUL-1: CVE-2012-4431: tomcat: bypass of CSRF prevention filter
Last modified: 2014-07-17 09:42:53 UTC
Via full-disclosure:

--------------------------------------------------------------------------
CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.31
- Tomcat 6.0.0 to 6.0.35

Description:
The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.32 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by The Tomcat security team

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
--------------------------------------------------------------------------
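As an added illustration (not Tomcat's own code and not taken from this bug), a hypothetical nonce-based servlet filter whose `fixed` flag switches between the weak decision the advisory describes (a request with no session simply skips the nonce check) and the corrected one (a session-less request to a protected resource is treated as a failed check). The entry-point set, parameter and attribute names are assumptions; nonce generation and embedding into responses is left out.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical CSRF-prevention filter: every request to a protected path must
// carry the nonce stored in the caller's session; entry points are exempt.
public class NonceCsrfFilter implements Filter {
    static final String NONCE_ATTR = "CSRF_NONCE";   // session attribute (assumed name)
    static final String NONCE_PARAM = "csrf_nonce";  // request parameter (assumed name)
    private final Set<String> entryPoints;           // paths reachable without a nonce
    private final boolean fixed;                     // false = weak check, true = corrected

    public NonceCsrfFilter(Set<String> entryPoints, boolean fixed) {
        this.entryPoints = entryPoints;
        this.fixed = fixed;
    }

    /** True when the request must be rejected; kept separate so the decision is testable. */
    boolean isForbidden(HttpServletRequest req) {
        if (entryPoints.contains(req.getServletPath())) {
            return false;                            // entry points never need a nonce
        }
        HttpSession session = req.getSession(false); // never create a session in the filter
        if (session == null) {
            // Weak variant: with no session there is no stored nonce to compare, so the
            // check is skipped and the request passes. Corrected variant: a protected
            // resource reached without a session cannot carry a valid nonce, so reject.
            return fixed;
        }
        String expected = (String) session.getAttribute(NONCE_ATTR);
        String supplied = req.getParameter(NONCE_PARAM);
        if (expected == null || supplied == null) {
            return true;
        }
        // Constant-time comparison so the nonce cannot be guessed byte by byte via timing.
        return !MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                                      supplied.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        if (isForbidden((HttpServletRequest) request)) {
            ((HttpServletResponse) response).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```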
submitted, see https://bugzilla.novell.com/show_bug.cgi?id=791426#c11
There is a typo in the bnc# ref in the submission. Can you re-submit, please?
sent tomcat: 144989, tomcat6:144990, tomcat6:23086
This is an autogenerated message for OBS integration: This bug (793391) was mentioned in https://build.opensuse.org/request/show/144989 Maintenance / https://build.opensuse.org/request/show/144990 Maintenance /
This is an autogenerated message for OBS integration: This bug (793391) was mentioned in https://build.opensuse.org/request/show/145902 Maintenance /
openSUSE-SU-2012:1700-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used:
openSUSE 12.1 (src): libtcnative-1-0-1.3.3-3.7.1, tomcat6-6.0.33-3.7.1
openSUSE-SU-2012:1701-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 779538,789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used:
openSUSE 12.2 (src): tomcat-7.0.27-2.9.1
submitted fixed packages
tomcat(7), tomcat5 - not needed
tomcat6 (with refreshed CVE-2012-4431.patch):
12.1: 146828
sle11: 23294
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
SUSE-MANAGER 1.2 (x86_64)
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
released
This is an autogenerated message for OBS integration: This bug (793391) was mentioned in https://build.opensuse.org/request/show/196597 Evergreen:11.2 / tomcat6
This is an autogenerated message for OBS integration: This bug (793391) was mentioned in https://build.opensuse.org/request/show/198409 Evergreen:11.2 / tomcat6