kylin-issues mailing list archives

From "ASF GitHub Bot (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (KYLIN-3611) Upgrade Tomcat to 7.0.91, 8.5.34 or later
Date Thu, 01 Nov 2018 01:08:00 GMT

    [ https://issues.apache.org/jira/browse/KYLIN-3611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16670989#comment-16670989 ]

ASF GitHub Bot commented on KYLIN-3611:
---------------------------------------

shaofengshi closed pull request #321: KYLIN-3611 update to apache tomcat 7.0.91
URL: https://github.com/apache/kylin/pull/321

This is a PR merged from a forked repository.
As GitHub hides the original diff on merge, it is displayed below for
the sake of provenance:

As this is a foreign pull request (from a fork), the diff is supplied
below (as it won't show otherwise due to GitHub magic):

diff --git a/build/script/download-tomcat.sh b/build/script/download-tomcat.sh
index 54617a0a6d..0f7ae48cb0 100755
--- a/build/script/download-tomcat.sh
+++ b/build/script/download-tomcat.sh
@@ -27,8 +27,8 @@ if [[ `uname -a` =~ "Darwin" ]]; then
     alias md5cmd="md5 -q"
 fi
 
-tomcat_pkg_version="7.0.90"
-tomcat_pkg_md5="cd4890e4e6a212dafd970da37d040877"
+tomcat_pkg_version="7.0.91"
+tomcat_pkg_md5="b53bde6edd935ba731a2f123e92eeee1"
 
 if [ ! -f "build/apache-tomcat-${tomcat_pkg_version}.tar.gz" ]
 then
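Review bot: the new `tomcat_pkg_md5` value needs its provenance stated in the PR, because this hash is the only integrity check the script applies before it unpacks `build/apache-tomcat-${tomcat_pkg_version}.tar.gz`; say whether it was taken from, or verified against, the checksum Apache publishes for the 7.0.91 release, since a value computed from a freshly downloaded mirror copy only proves the download matches itself. Consider also moving this pin from MD5 to SHA-512 while touching these lines (MD5 is not collision resistant); the Darwin `md5cmd` alias in the context lines would then need an equivalent such as `shasum -a 512`. The version bump itself matches the advisory's "7.0.91 or later" fix for CVE-2018-11784.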

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
users@infra.apache.org


> Upgrade Tomcat to 7.0.91, 8.5.34 or later
> -----------------------------------------
>
>                 Key: KYLIN-3611
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3611
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Assignee: zhoujie
>            Priority: Major
>             Fix For: v2.6.0, v2.5.1
>
>
> h2. [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
>
> CVE-2018-11784 Apache Tomcat - Open Redirect
> Severity: Moderate
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.11
> Apache Tomcat 8.5.0 to 8.5.33
> Apache Tomcat 7.0.23 to 7.0.90
> The unsupported 8.0.x release line has not been analysed but is likely
> to be affected.
> Description:
> When the default servlet returned a redirect to a directory (e.g.
> redirecting to '/foo/' when the user requested '/foo') a specially
> crafted URL could be used to cause the redirect to be generated to any
> URI of the attacker's choice.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.12 or later.
> - Upgrade to Apache Tomcat 8.5.34 or later.
> - Upgrade to Apache Tomcat 7.0.91 or later.
> - Use mapperDirectoryRedirectEnabled="true" and
>   mapperContextRootRedirectEnabled="true" on the Context to ensure that
>   redirects are issued by the Mapper rather than the default Servlet.
>   See the Context configuration documentation for further important
>   details.
> Credit:
> This vulnerability was found by Sergey Bobrov and reported responsibly
> to the Apache Tomcat Security Team.
> History:
> 2018-10-03 Original advisory
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
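As an added example, not part of the issue or of the Kylin project, the following checker applies the affected-version ranges from the CVE-2018-11784 advisory quoted above to an inventory of Tomcat versions, so an operator can see which instances still need the upgrade. The hostnames and the inventory are constructed; the ordering of `9.0.0.Mn` milestone builds ahead of the numbered 9.0.x releases is the one detail the ranges require.

```python
import re
from typing import Optional

# Affected ranges (inclusive) and the fix release for each line, taken from
# the CVE-2018-11784 advisory quoted in the issue above.
AFFECTED = [
    ("9.0.0.M1", "9.0.11", "9.0.12"),
    ("8.5.0", "8.5.33", "8.5.34"),
    ("7.0.23", "7.0.90", "7.0.91"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

def version_key(version: str) -> tuple:
    """Sort key for Tomcat versions; a .Mn milestone sorts before the final
    release with the same x.y.z, so 9.0.0.M1 < 9.0.0.M27 < 9.0.1."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))

def check_cve_2018_11784(version: str) -> Optional[str]:
    """Return the advisory's guidance if `version` is affected, else None."""
    key = version_key(version)
    if key[:2] == (8, 0):
        # The advisory did not analyse the unsupported 8.0.x line but
        # expects it to be affected; flag it rather than report it clean.
        return "unsupported 8.0.x line: not analysed, likely affected"
    for low, high, fixed in AFFECTED:
        if version_key(low) <= key <= version_key(high):
            return f"upgrade to {fixed} or later"
    return None

# Constructed sample inventory (hypothetical hosts); 7.0.90 is the version
# Kylin's download-tomcat.sh pinned before this PR.
SAMPLE_INVENTORY = {
    "kylin-query-1": "7.0.90",
    "kylin-query-2": "7.0.91",
    "legacy-app": "9.0.0.M5",
    "web-frontend": "8.5.34",
}

if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        result = check_cve_2018_11784(ver)
        print(f"{host} (Tomcat {ver}): {result or 'not affected'}")
```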
