ranger-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bhavik patel <bhavikpatel...@gmail.com>
Subject Re: Review Request 62495: RANGER-1797:Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.82.
Date Tue, 05 Dec 2017 09:57:07 GMT

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192836
-----------------------------------------------------------


Ship it!




Ship It!

- bhavik patel


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
> 
> (Updated Dec. 5, 2017, 2:59 a.m.)
> 
> 
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh,
Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and
Qiang Zhang.
> 
> 
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
> 
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
> 
> Description
> CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled,
it was possible to upload a JSP file to the server via a specially crafted request. This JSP
could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it
was possible to use a specially crafted request, bypass security constraints, or get the source
code of JSPs for resources served by the VirtualDirContext, thereby cased code disclosure.
> 
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
> 
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities
and recommends upgrading to the latest version.
> 
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
> 
> 
> Diffs
> -----
> 
>   embeddedwebserver/pom.xml 81699573 
>   pom.xml 589cd6ac 
>   src/main/assembly/admin-web.xml aa37426f 
>   src/main/assembly/kms.xml 7c40ce4e 
> 
> 
> Diff: https://reviews.apache.org/r/62495/diff/5/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> pengjianhua
> 
>


Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message