----------------------------------------------------------- This is an automatically generated e-mail. To reply, visit: https://reviews.apache.org/r/62495/#review185959 -----------------------------------------------------------
pom.xml Line 212 (original), 212 (patched) <https://reviews.apache.org/r/62495/#comment262304> @pengjianhua : This change needs thorough testing of Ranger Admin as well as Ranger KMS in Simple, Kerberos, SSL, KnoxSSO, KnoxProxy enabled environments. Also need to check all features on jdk 1.7 as well as 1.8. Also, atleast one plugin communication needs to be verified. Can you please confirm: all these cases are tested before commiting this patch. This is based on earlier experience of updating tomcat version. - bhavik patel On Sept. 22, 2017, 8:35 a.m., pengjianhua wrote: > > ----------------------------------------------------------- > This is an automatically generated e-mail. To reply, visit: > https://reviews.apache.org/r/62495/ > ----------------------------------------------------------- > > (Updated Sept. 22, 2017, 8:35 a.m.) > > > Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O > hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan > Neethiraj, Velmurugan Periasamy, and Qiang Zhang. > > > Bugs: RANGER-1797 > https://issues.apache.org/jira/browse/RANGER-1797 > > > Repository: ranger > > > Description > ------- > > [Security Vulnerability Alert] Tomcat Information leakage and remote code > execution vulnerabilities. > > CVE ID: > CVE-2017-12615\CVE-2017-12616 > > Description > CVE-2017-12615:When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with > HTTP PUTs enabled, it was possible to upload a JSP file to the server via a > specially crafted request. This JSP could then be requested and any code it > contained would be executed by the server. > CVE-2017-12616:When using a VirtualDirContext with Apache Tomcat 7.0.0 to > 7.0.80, it was possible to use a specially crafted request, bypass security > constraints, or get the source code of JSPs for resources served by the > VirtualDirContext, thereby cased code disclosure. > > Scope > CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79 > CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80 > > Solution > The official release of the Apache Tomcat 7.0.81 version has fixed the two > vulnerabilities and recommends upgrading to the latest version. > > Reference > https://tomcat.apache.org/security-7.html > http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81 > > > Diffs > ----- > > pom.xml 3958014c > > > Diff: https://reviews.apache.org/r/62495/diff/1/ > > > Testing > ------- > > > Thanks, > > pengjianhua > >
