-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/
-----------------------------------------------------------
Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O
hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan
Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
Bugs: RANGER-1797
https://issues.apache.org/jira/browse/RANGER-1797
Repository: ranger
Description
-------
[Security Vulnerability Alert] Tomcat information leakage and remote code
execution vulnerabilities.
CVE ID:
CVE-2017-12615, CVE-2017-12616
Description
CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP
PUTs enabled, it was possible to upload a JSP file to the server via a
specially crafted request. This JSP could then be requested and any code it
contained would be executed by the server.
CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to
7.0.80, it was possible to use a specially crafted request to bypass security
constraints or get the source code of JSPs for resources served by the
VirtualDirContext, thereby causing code disclosure.
Scope
CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
Solution
The official Apache Tomcat 7.0.81 release fixes the two vulnerabilities;
upgrading to the latest version is recommended.
Reference
https://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
Diffs
-----
pom.xml 3958014c
Diff: https://reviews.apache.org/r/62495/diff/1/
Testing
-------
Thanks,
pengjianhua
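
An added example, not part of the review request or the Ranger code base: a check that reads Tomcat version properties from a pom.xml and reports which of the two CVE ranges listed in the description each literal version falls in. The sample POM and its property names are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Affected ranges exactly as stated in the description (inclusive bounds).
AFFECTED = {
    "CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
    "CVE-2017-12616": ((7, 0, 0), (7, 0, 80)),
}

# Constructed sample POM; the property names are assumptions, not from the patch.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <tomcat.embed.version>7.0.77</tomcat.embed.version>
    <tomcat.other.version>${external.version}</tomcat.other.version>
    <junit.version>4.12</junit.version>
  </properties>
</project>"""

def parse_version(text):
    """Return (major, minor, patch), or None for values such as ${...}."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-].*)?", (text or "").strip())
    return tuple(int(g) for g in m.groups()) if m else None

def affected_cves(version):
    """List the CVEs whose stated range contains this version tuple."""
    return sorted(c for c, (lo, hi) in AFFECTED.items() if lo <= version <= hi)

def audit_pom(pom_xml):
    """Map each tomcat-related <properties> entry to (value, CVE list).

    The CVE list is None when the value is not a literal version. Only the
    version is checked, not the preconditions (Windows + PUT, VirtualDirContext).
    """
    findings = {}
    for elem in ET.fromstring(pom_xml).iter():
        if elem.tag.rsplit("}", 1)[-1] != "properties":
            continue
        for prop in elem:
            name = prop.tag.rsplit("}", 1)[-1]  # drop the XML namespace
            if "tomcat" in name.lower():
                version = parse_version(prop.text)
                cves = affected_cves(version) if version else None
                findings[name] = ((prop.text or "").strip(), cves)
    return findings

if __name__ == "__main__":
    for name, (value, cves) in audit_pom(SAMPLE_POM).items():
        print(name, value, cves if cves is not None else "unresolved")
```

A property reported as unresolved takes its value from another property or a parent POM and has to be traced by hand.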