> On September 22, 2017, 9:11 a.m., bhavik patel wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/1/?file=1832777#file1832777line212>
> >
> > @pengjianhua : This change needs thorough testing of Ranger Admin as
> > well as Ranger KMS in Simple, Kerberos, SSL, KnoxSSO, KnoxProxy enabled
> > environments.
> >
> > Also need to check all features on jdk 1.7 as well as 1.8. Also,
> > at least one plugin communication needs to be verified.
> >
> > Can you please confirm: all these cases are tested before committing
> > this patch.
> >
> > This is based on earlier experience of updating tomcat version.
>
> pengjianhua wrote:
> Ok. We have a complete automated integration test environment for Ranger.
> I had tested the functions of Ranger using our automated integration test
> environment. The test results show that there is no problem. I will further
> test the effect of this issue for ranger using our automated integration test
> environment tonight and tomorrow.
>
> Qiang Zhang wrote:
> @bhavik patel: Do you have further suggestions? If not, I'll fix the
> issue.
>
> bhavik patel wrote:
> @Qiang Zhang: If Peng Jianhua can confirm that their integration test
> covered all the above scenarios which I mentioned above (especially on SSL
> environment).

@bhavik patel: Thanks for your reminder, I lack this case for my automated integration test environment. I will add this case to my automated integration test environment and test it again. Thanks.

- pengjianhua

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review185959
-----------------------------------------------------------

On September 22, 2017, 8:35 a.m., pengjianhua wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
>
> (Updated September 22, 2017, 8:35 a.m.)
>
>
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
>
>
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
>
>
> Repository: ranger
>
>
> Description
> -------
>
> [Security Vulnerability Alert] Tomcat Information leakage and remote code
> execution vulnerabilities.
>
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
>
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a
> specially crafted request. This JSP could then be requested and any code it
> contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to
> 7.0.80, it was possible to use a specially crafted request, bypass security
> constraints, or get the source code of JSPs for resources served by the
> VirtualDirContext, thereby caused code disclosure.
>
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
>
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two
> vulnerabilities and recommends upgrading to the latest version.
>
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
>
>
> Diffs
> -----
>
> pom.xml 3958014c
>
>
> Diff: https://reviews.apache.org/r/62495/diff/1/
>
>
> Testing
> -------
>
>
> Thanks,
>
> pengjianhua
>
>
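
An added example, not part of the e-mail thread or of Ranger's code: a Python check that reports, for each of the two CVEs described above, whether a Tomcat version falls in the stated affected range and whether the configuration precondition is present. It assumes HTTP PUT is enabled through the DefaultServlet `readonly=false` init-param in `web.xml` and that VirtualDirContext is selected by a `className` attribute in `context.xml`; the sample XML is constructed, and the Windows condition for CVE-2017-12615 is not checked.

```python
import xml.etree.ElementTree as ET

# Affected ranges (inclusive), as stated in the review request above.
AFFECTED = {"CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
            "CVE-2017-12616": ((7, 0, 0), (7, 0, 80))}
# Assumption: standard Tomcat 7 class names for the two preconditions.
DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"
VIRTUAL_DIR_CONTEXT = "org.apache.naming.resources.VirtualDirContext"

def local(tag):
    """Drop the XML namespace so web.xml with or without xmlns matches."""
    return tag.rsplit("}", 1)[-1]

def fields(el):
    """Map child tag name -> stripped text for one element."""
    return {local(c.tag): (c.text or "").strip() for c in el}

def put_enabled(web_xml):
    """True if a DefaultServlet has init-param readonly=false (HTTP PUT on)."""
    for servlet in ET.fromstring(web_xml).iter():
        if (local(servlet.tag) != "servlet"
                or fields(servlet).get("servlet-class") != DEFAULT_SERVLET):
            continue
        for param in servlet:
            kv = fields(param)
            if (local(param.tag) == "init-param"
                    and kv.get("param-name") == "readonly"
                    and kv.get("param-value", "").lower() == "false"):
                return True
    return False

def uses_virtual_dir_context(context_xml):
    """True if any element in context.xml selects VirtualDirContext."""
    return any(el.get("className") == VIRTUAL_DIR_CONTEXT
               for el in ET.fromstring(context_xml).iter())

def exposure(version, web_xml, context_xml):
    """Per CVE: (version in affected range, configuration precondition met)."""
    v = tuple(int(p) for p in version.split("."))
    pre = {"CVE-2017-12615": put_enabled(web_xml),
           "CVE-2017-12616": uses_virtual_dir_context(context_xml)}
    return {cve: (lo <= v <= hi, pre[cve]) for cve, (lo, hi) in AFFECTED.items()}

# Constructed sample configuration, not taken from Ranger.
SAMPLE_WEB_XML = """<web-app><servlet>
  <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
</servlet></web-app>"""
SAMPLE_CONTEXT_XML = '<Context><Resources className="org.apache.naming.resources.FileDirContext"/></Context>'
```

A version inside the range with the precondition absent still calls for the upgrade to 7.0.81 described above, since configuration can change after deployment.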
