I created https://issues.apache.org/jira/browse/OOZIE-2725 for this.
We should also fix https://issues.apache.org/jira/browse/OOZIE-2723 for 4.3 because it's a license violation.

On Fri, Nov 4, 2016 at 5:37 AM, Shwetha Shivalingamurthy <[email protected]> wrote:

> Oozie uses tomcat version 6.0.44. This and a couple of other security
> issues were raised with this tomcat version. We should upgrade tomcat,
> even in the 4.3 release
>
> Regards,
> Shwetha
>
> On 27/10/16, 5:47 PM, "Mark Thomas" <[email protected]> wrote:
>
> > CVE-2016-6796 Apache Tomcat Security Manager Bypass
> >
> > Severity: Low
> >
> > Vendor: The Apache Software Foundation
> >
> > Versions Affected:
> > Apache Tomcat 9.0.0.M1 to 9.0.0.M9
> > Apache Tomcat 8.5.0 to 8.5.4
> > Apache Tomcat 8.0.0.RC1 to 8.0.36
> > Apache Tomcat 7.0.0 to 7.0.70
> > Apache Tomcat 6.0.0 to 6.0.45
> > Earlier, unsupported versions may also be affected.
> >
> > Description
> > A malicious web application was able to bypass a configured
> > SecurityManager via manipulation of the configuration parameters for the
> > JSP Servlet.
> >
> > Mitigation
> > Users of affected versions should apply one of the following mitigations
> > - Upgrade to Apache Tomcat 9.0.0.M10 or later
> > - Upgrade to Apache Tomcat 8.5.5 or later
> > - Upgrade to Apache Tomcat 8.0.37 or later
> > - Upgrade to Apache Tomcat 7.0.72 or later
> >   (Apache Tomcat 7.0.71 has the fix but was not released)
> > - Upgrade to Apache Tomcat 6.0.47 or later
> >   (Apache Tomcat 6.0.46 has the fix but was not released)
> >
> > Credit:
> > This issue was discovered by the Apache Tomcat Security Team.
> >
> > References:
> > [1] http://tomcat.apache.org/security-9.html
> > [2] http://tomcat.apache.org/security-8.html
> > [3] http://tomcat.apache.org/security-7.html
> > [4] http://tomcat.apache.org/security-6.html
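A version-range check against the advisory quoted above, added here as an example and not code from the thread or from the Oozie or Tomcat projects: it parses Tomcat version strings, including the `9.0.0.M9` milestone and `8.0.0.RC1` forms, and reports whether a build such as Oozie's 6.0.44 falls inside an affected range. The `server.info=Apache Tomcat/x.y.z` line format is assumed from Tomcat's `ServerInfo.properties`, and the sample text is constructed.

```python
import re

# Inclusive affected ranges exactly as listed in the CVE-2016-6796 advisory.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.0.M9"),
    ("8.5.0", "8.5.4"),
    ("8.0.0.RC1", "8.0.36"),
    ("7.0.0", "7.0.70"),
    ("6.0.0", "6.0.45"),
]

# Version forms used in the advisory: "6.0.44", "9.0.0.M9", "8.0.0.RC1".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")


def version_key(version):
    """Sortable key: milestones (M) < release candidates (RC) < the GA build."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    stage, num = m.group(4), m.group(5)
    rank = {"M": 0, "RC": 1, None: 2}[stage]
    return (major, minor, patch, rank, int(num) if num else 0)


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def version_from_server_info(text):
    """Extract the version from a 'server.info=Apache Tomcat/x.y.z' line.

    Assumed format of ServerInfo.properties inside catalina.jar (the caller
    extracts that file from the jar shipped with the deployment).
    """
    m = re.search(r"^server\.info=Apache Tomcat/(\S+)\s*$", text, re.MULTILINE)
    if not m:
        raise ValueError("no server.info line found")
    return m.group(1)


# Constructed sample matching the build the thread says Oozie ships (6.0.44).
SAMPLE_SERVER_INFO = "server.info=Apache Tomcat/6.0.44\nserver.number=6.0.44.0\n"

if __name__ == "__main__":
    v = version_from_server_info(SAMPLE_SERVER_INFO)
    print(v, "affected" if is_affected(v) else "not in an affected range")
```

A version below every listed range (for example a 5.5.x build) returns False here only because the advisory gives no lower bound for it; the advisory itself says earlier, unsupported versions may also be affected.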
