> On 十一月 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> > @PengJianhua,
> > I used attached patch and did a build on my local machine using
mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services
start. I am getting error in catalina.out file as the Tomcat server start itself is failing(PS:
attached log file on apache jira).
> >
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> >
> > Did the attached patch work for you without adding this dependency ? If yes
Kindly share how did this work for you !
>
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your local maven
repository. Then compile the ranger project using the following command:
> sudo mvn clean compile package assembly:assembly install -DskipTests
>
> Vishal Suvagia wrote:
> Pengjianhua, the compile goes through fine. But did Ranger-Admin service start using
the compiled packaged bits. Are you able to access Ranger UI ?
>
> pengjianhua wrote:
> I can access ranger UI. Your question should have nothing to do with this issue.
If I guess good, you should be more in-depth understanding of how to use ranger, please refer
to the manual to configure your ranger.
> If you encounter problems during use, you can email me or the community.
>
> bhavik patel wrote:
> @Pengjianhua : When I try to start Ranger-Admin and Ranger-KMS services, the service
start itself is failing and also got the same error in catalina.out which Vishal has attached
on jira.
>
> Not sure how it's working for you!!!
>
> Colm O hEigeartaigh wrote:
> It also fails for me with errors in catalina.out like:
>
> INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See
Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
>
> pengjianhua wrote:
> I compiled the source that I built the patch.Based on the compiling's version I've
been testing and verify whether the issue effected the ranger's function. Maybe our lastest
modifications introduced new issues. I will also compile the lastest source to further verify
the problem you mentioned.
I'm sorry. In this patch I lacked the tomcat-annotations-api dependency package. I had fixed
this patch. Thanks!
- pengjianhua
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------
On 十一月 30, 2017, 1:55 p.m., pengjianhua wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
>
> (Updated 十一月 30, 2017, 1:55 p.m.)
>
>
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh,
Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and
Qiang Zhang.
>
>
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
>
>
> Repository: ranger
>
>
> Description
> -------
>
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
>
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
>
> Description
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled,
it was possible to upload a JSP file to the server via a specially crafted request. This JSP
could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it
was possible to use a specially crafted request, bypass security constraints, or get the source
code of JSPs for resources served by the VirtualDirContext, thereby cased code disclosure.
>
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
>
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities
and recommends upgrading to the latest version.
>
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
>
>
> Diffs
> -----
>
> pom.xml 589cd6ac
>
>
> Diff: https://reviews.apache.org/r/62495/diff/3/
>
>
> Testing
> -------
>
>
> Thanks,
>
> pengjianhua
>
>
|