ofbiz-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Created] (OFBIZ-9313) Update Tomcat to 8.0.42 because of CVE-2017-5648
Date Tue, 11 Apr 2017 09:18:41 GMT
Jacques Le Roux created OFBIZ-9313:
--------------------------------------

             Summary: Update Tomcat to 8.0.42 because of CVE-2017-5648
                 Key: OFBIZ-9313
                 URL: https://issues.apache.org/jira/browse/OFBIZ-9313
             Project: OFBiz
          Issue Type: Sub-task
          Components: framework
    Affects Versions: Release Branch 16.11, Trunk
            Reporter: Jacques Le Roux
            Priority: Trivial


Quoting a message from announce@apache.org
{quote}
VE-2017-5648 Apache Tomcat Information Disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M17
Apache Tomcat 8.5.0 to 8.5.11
Apache Tomcat 8.0.0.RC1 to 8.0.41
Apache Tomcat 7.0.0 to 7.0.75
Apache Tomcat 6.0.x is not affected

Description
While investigating bug 60718, it was noticed that some calls to
application listeners did not use the appropriate facade object. When
running an untrusted application under a SecurityManager, it was
therefore possible for that untrusted application to retain a reference
to the request or response object and thereby access and/or modify
information associated with another web application.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M18 or later
- Upgrade to Apache Tomcat 8.5.12 or later
- Upgrade to Apache Tomcat 8.0.42 or later
- Upgrade to Apache Tomcat 7.0.76 or later

Credit:
This issue was identified by the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
{quote}

It's a low security issue so I'll not backport on no longer or not released branches

All tests pass and UI seems OK.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message