kylin-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KYLIN-3611) Upgrade Tomcat to 7.0.91, 8.5.34 or later
Date Tue, 30 Oct 2018 09:02:43 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-3611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16668378#comment-16668378
] 

ASF GitHub Bot commented on KYLIN-3611:
---------------------------------------

asfgit commented on issue #320: KYLIN-3611 upgrade to apache tomcat 7.0.91
URL: https://github.com/apache/kylin/pull/320#issuecomment-434221541
 
 
   Can one of the admins verify this patch?

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Upgrade Tomcat to 7.0.91, 8.5.34 or later
> -----------------------------------------
>
>                 Key: KYLIN-3611
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3611
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Assignee: zhoujie
>            Priority: Major
>             Fix For: v2.6.0, v2.5.1
>
>
> h2. [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
>
> CVE-2018-11784 Apache Tomcat - Open Redirect
> Severity: Moderate
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.11
> Apache Tomcat 8.5.0 to 8.5.33
> Apache Tomcat 7.0.23 to 7.0.90
> The unsupported 8.0.x release line has not been analysed but is likely
> to be affected.
> Description:
> When the default servlet returned a redirect to a directory (e.g.
> redirecting to '/foo/' when the user requested '/foo') a specially
> crafted URL could be used to cause the redirect to be generated to any
> URI of the attacker's choice.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.12 or later.
> - Upgrade to Apache Tomcat 8.5.34 or later.
> - Upgrade to Apache Tomcat 7.0.91 or later.
> - Use mapperDirectoryRedirectEnabled="true" and
>   mapperContextRootRedirectEnabled="true" on the Context to ensure that
>   redirects are issued by the Mapper rather than the default Servlet.
>   See the Context configuration documentation for further important
>   details.
> Credit:
> This vulnerability was found by Sergey Bobrov and reported responsibly
> to the Apache Tomcat Security Team.
> History:
> 2018-10-03 Original advisory
> References:
> [1] [http://tomcat.apache.org/security-9.html]
> [2] [http://tomcat.apache.org/security-8.html]
> [3] [http://tomcat.apache.org/security-7.html]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
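Two defender-side checks for the advisory quoted above, as an added example (not Kylin or Tomcat code): an inventory check that tells whether a Tomcat version string falls inside the affected ranges the advisory lists, and a validator that lets a directory trailing-slash redirect point only to a local path. The function names and the Python implementation are this example's own; only the version ranges come from the advisory.

```python
import re

# Inclusive (first, last) affected build per supported release line, taken
# from the "Versions Affected" list in the advisory quoted above.
AFFECTED_RANGES = {
    (9, 0): ("9.0.0.M1", "9.0.11"),
    (8, 5): ("8.5.0", "8.5.33"),
    (7, 0): ("7.0.23", "7.0.90"),
}


def version_key(version):
    """Turn 'major.minor.patch' or 'major.minor.patch.Mn' into a sortable tuple.
    A milestone build (9.0.0.M1) sorts before the GA build of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch),
            0 if milestone else 1, int(milestone or 0))


def is_affected(version):
    """True/False per the advisory; None for the 8.0.x line, which the advisory
    calls unsupported and not analysed ('likely to be affected')."""
    key = version_key(version)
    line = key[:2]
    if line == (8, 0):
        return None
    if line not in AFFECTED_RANGES:
        return False  # release line not named by this advisory
    first, last = AFFECTED_RANGES[line]
    return version_key(first) <= key <= version_key(last)


def safe_directory_redirect(request_path):
    """Compute the trailing-slash redirect for a directory request and return it
    only if it is a plain local path: exactly one leading slash, so a browser
    cannot read it as a protocol-relative '//host/...' URL (backslashes are
    rejected too, since browsers normalise them to slashes)."""
    target = request_path if request_path.endswith("/") else request_path + "/"
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return None
    return target
```

A deployment inventory can feed `is_affected` with each node's `ServerInfo` version string; `None` results (8.0.x) need a manual decision rather than a pass.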
