ranger-dev mailing list archives

From Colm O hEigeartaigh <cohei...@apache.org>
Subject Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.
Date Tue, 28 Nov 2017 09:54:09 GMT


> On Oct. 10, 2017, 5:19 a.m., bhavik patel wrote:
> > @pengjianhua : Any updates on this?
> 
> pengjianhua wrote:
>     I am testing SSL/Kerberos for Ranger KMS.
> 
> pengjianhua wrote:
>     I tested the patch. Java 1.8 is required. That is to say, users must upgrade the JDK to 1.8 or above.
> 
> pengjianhua wrote:
>     I had verified SSL/Kerberos for admin\kms. And I will merge the issue.

Why is Java 1.8 required?


- Colm


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review187494
-----------------------------------------------------------


On Oct. 10, 2017, 7:01 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Oct. 10, 2017, 7:01 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh,
> Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and
> Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled,
> it was possible to upload a JSP file to the server via a specially crafted request. This JSP
> could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it
> was possible to use a specially crafted request, bypass security constraints, or get the source
> code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
> 
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities
> and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   pom.xml 3958014c 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/2/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>
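The review request above bumps the Tomcat version in pom.xml so that it falls outside the affected ranges quoted in the Scope section (CVE-2017-12615: 7.0.0 - 7.0.79; CVE-2017-12616: 7.0.0 - 7.0.80). The following is an added example, not part of the thread or of Ranger's code, that audits a Maven pom for exactly that: it reads the declared Tomcat version and reports which of the two CVE ranges still contain it. The pom fragment is constructed, and the property name `tomcat.version` is an assumption about how the version is declared, not taken from Ranger's actual pom.xml. Versions are compared as integer tuples rather than strings, because a string comparison would wrongly rank "7.0.9" above "7.0.82".

```python
"""Audit a Maven pom.xml's declared Tomcat version against the affected
ranges named in RANGER-1797 (CVE-2017-12615, CVE-2017-12616).

Constructed example: the pom fragment below and the property name
`tomcat.version` are assumptions, not Ranger's real pom.xml."""
import xml.etree.ElementTree as ET

# Inclusive (first, last) affected versions, as listed in the advisory text.
AFFECTED = {
    "CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
    "CVE-2017-12616": ((7, 0, 0), (7, 0, 80)),
}
FIXED_IN = (7, 0, 81)  # release the description names as fixing both issues

MAVEN_NS = "{http://maven.apache.org/POM/4.0.0}"

# Constructed pom fragment (assumption: version lives in a <tomcat.version> property).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <tomcat.version>7.0.78</tomcat.version>
  </properties>
</project>
"""


def parse_version(text):
    """Turn '7.0.82' into (7, 0, 82) so comparisons are numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))


def declared_tomcat_version(pom_xml, prop="tomcat.version"):
    """Return the version tuple from <properties><prop>…</prop></properties>.

    Children are walked explicitly instead of via an XPath string so the
    dot in the property name needs no escaping."""
    root = ET.fromstring(pom_xml)
    for props in root.iter(MAVEN_NS + "properties"):
        for child in props:
            if child.tag == MAVEN_NS + prop and child.text:
                return parse_version(child.text)
    raise ValueError(f"property {prop} not found in pom")


def affected_cves(version):
    """CVE ids whose affected range contains the given version tuple."""
    return [cve for cve, (lo, hi) in AFFECTED.items() if lo <= version <= hi]


def audit(pom_xml, prop="tomcat.version"):
    """Summarise whether the pom's Tomcat version still needs the upgrade."""
    version = declared_tomcat_version(pom_xml, prop)
    hits = affected_cves(version)
    return {
        "version": ".".join(map(str, version)),
        "affected": hits,
        "upgrade_needed": bool(hits),
        "minimum_fixed": ".".join(map(str, FIXED_IN)),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_POM))
```

Run against the sample pom it reports both CVEs; a pom declaring 7.0.80 reports only CVE-2017-12616, and 7.0.81 or later reports none, which is the condition the reviewers are checking the pom.xml change for.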

