ofbiz-notifications mailing list archives

From "Jacques Le Roux (JIRA)" <j...@apache.org>
Subject [jira] [Closed] (OFBIZ-9313) Update Tomcat to 8.0.42 because of CVE-2017-5648
Date Tue, 11 Apr 2017 09:19:41 GMT

     [ https://issues.apache.org/jira/browse/OFBIZ-9313?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jacques Le Roux closed OFBIZ-9313.
----------------------------------
       Resolution: Fixed
         Assignee: Jacques Le Roux
    Fix Version/s: 16.11.02
                   Upcoming Release

Fixed at revision 1790943.

> Update Tomcat to 8.0.42 because of CVE-2017-5648
> ------------------------------------------------
>
>                 Key: OFBIZ-9313
>                 URL: https://issues.apache.org/jira/browse/OFBIZ-9313
>             Project: OFBiz
>          Issue Type: Sub-task
>          Components: framework
>    Affects Versions: Trunk, Release Branch 16.11
>            Reporter: Jacques Le Roux
>            Assignee: Jacques Le Roux
>            Priority: Trivial
>              Labels: cve
>             Fix For: Upcoming Release, 16.11.02
>
>
> Quoting a message from announce@apache.org
> {quote}
> CVE-2017-5648 Apache Tomcat Information Disclosure
> Severity: Low
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0.M17
> Apache Tomcat 8.5.0 to 8.5.11
> Apache Tomcat 8.0.0.RC1 to 8.0.41
> Apache Tomcat 7.0.0 to 7.0.75
> Apache Tomcat 6.0.x is not affected
> Description
> While investigating bug 60718, it was noticed that some calls to
> application listeners did not use the appropriate facade object. When
> running an untrusted application under a SecurityManager, it was
> therefore possible for that untrusted application to retain a reference
> to the request or response object and thereby access and/or modify
> information associated with another web application.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.0.M18 or later
> - Upgrade to Apache Tomcat 8.5.12 or later
> - Upgrade to Apache Tomcat 8.0.42 or later
> - Upgrade to Apache Tomcat 7.0.76 or later
> Credit:
> This issue was identified by the Tomcat security team.
> History:
> 2017-04-10 Original advisory
> References:
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
> [4] http://tomcat.apache.org/security-7.html
> {quote}
> It's a low security issue, so I'll not backport it to no-longer-released or not-yet-released branches.
> All tests pass and UI seems OK.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
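The advisory quoted in the ticket gives the affected ranges as inclusive version spans, with milestone (M) and release-candidate (RC) builds sorting before the corresponding final release. The following added example (not code from the ticket, from OFBiz or from Tomcat) turns those ranges into a check a maintainer can run against the version string a deployed Tomcat reports; the version syntax it accepts is the one the advisory itself uses (e.g. `8.0.0.RC1`, `9.0.0.M17`, `8.5.11`), which is an assumption about any other input.

```python
import re
from typing import NamedTuple

# Pre-release stage ordering: milestone < release candidate < final release,
# so 9.0.0.M17 < 9.0.0 and 8.0.0.RC1 < 8.0.0, as the advisory's ranges imply.
_STAGE_ORDER = {"M": 0, "RC": 1, "": 2}


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    stage: int   # value from _STAGE_ORDER
    pre: int     # milestone/RC number, 0 for a final release


# Matches the version syntax used in the advisory (assumed for other inputs).
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")


def parse_version(text: str) -> TomcatVersion:
    """Parse '8.0.0.RC1', '9.0.0.M17' or '8.5.11' into a sortable tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, stage, pre = m.groups()
    return TomcatVersion(int(major), int(minor), int(patch),
                         _STAGE_ORDER[stage or ""], int(pre or 0))


# Inclusive affected ranges, copied from the CVE-2017-5648 advisory above.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.0.M17"),
    ("8.5.0", "8.5.11"),
    ("8.0.0.RC1", "8.0.41"),
    ("7.0.0", "7.0.75"),
]


def is_affected(version: str) -> bool:
    """True if the given Tomcat version lies inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample versions: the one OFBiz moved to (8.0.42) and its
    # predecessor, plus boundary cases on the other branches.
    for v in ("8.0.41", "8.0.42", "9.0.0.M17", "9.0.0.M18", "6.0.53"):
        print(v, "affected" if is_affected(v) else "not affected")
```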
