> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> > @PengJianhua,
> > I used attached patch and did a build on my local machine
> > using mvn clean compile package.
> > After that, I ran the setup for Ranger-Admin. Then I did a
> > ranger-admin-services start. I am getting an error in the catalina.out file as the
> > Tomcat server start itself is failing (PS: attached log file on apache jira).
> >
> > To resolve the issue I had to add a dependency for javax.annotation-api.
> >
> > Did the attached patch work for you without adding this dependency? If
> > yes, kindly share how this worked for you!
>
> pengjianhua wrote:
> Ok. I didn't add this dependency. My compiling is ok. Please delete your
> local maven repository. Then compile the ranger project using the following
> command:
> sudo mvn clean compile package assembly:assembly install -DskipTests
>
> Vishal Suvagia wrote:
> Pengjianhua, the compile goes through fine. But did the Ranger-Admin service
> start using the compiled packaged bits? Are you able to access Ranger UI?
>
> pengjianhua wrote:
> I can access ranger UI. Your question should have nothing to do with this
> issue. If I guess good, you should be more in-depth understanding of how to
> use ranger, please refer to the manual to configure your ranger.
> If you encounter problems during use, you can email me or the community.
>
> bhavik patel wrote:
> @Pengjianhua : When I try to start Ranger-Admin and Ranger-KMS services,
> the service start itself is failing and also got the same error in
> catalina.out which Vishal has attached on jira.
>
> Not sure how it's working for you!!!
>
> Colm O hEigeartaigh wrote:
> It also fails for me with errors in catalina.out like:
>
> INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not
> loaded. See Servlet Spec 3.0, section 10.7.2. Offending class:
> javax/servlet/Servlet.class
>
> pengjianhua wrote:
> I compiled the source that I built the patch. Based on the compiling's
> version I've been testing and verify whether the issue affected the ranger's
> function. Maybe our latest modifications introduced new issues. I will also
> compile the latest source to further verify the problem you mentioned.
>
> pengjianhua wrote:
> I'm sorry. In this patch I lacked the tomcat-annotations-api dependency
> package. I had fixed this patch. Thanks!
>
> pengjianhua wrote:
> Hi Colm and bhavik patel, Is there any problem now, if there is no
> problem, I will merge this issue.
Hi Pengjianhua,
The versions for org.apache.tomcat -> annotations-api present
here -> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do
not have a specific build for 7.0.82 (last stable build version is 6.0.53).
Additionally recent fixes from tomcat devs suggest that the
tomcat.annotations-api has been removed from tomcat-embed-core shipments in
favour of javax.annotations-api refer ->
https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.
- Vishal
-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------
On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
>
> (Updated Dec. 5, 2017, 2:59 a.m.)
>
>
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan
> Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
>
>
> Bugs: RANGER-1797
> https://issues.apache.org/jira/browse/RANGER-1797
>
>
> Repository: ranger
>
>
> Description
> -------
>
> [Security Vulnerability Alert] Tomcat Information leakage and remote code
> execution vulnerabilities.
>
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
>
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with
> HTTP PUTs enabled, it was possible to upload a JSP file to the server via a
> specially crafted request. This JSP could then be requested and any code it
> contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to
> 7.0.80, it was possible to use a specially crafted request, bypass security
> constraints, or get the source code of JSPs for resources served by the
> VirtualDirContext, thereby caused code disclosure.
>
> Scope
> CVE-2017-12615:Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616:Apache Tomcat 7.0.0 - 7.0.80
>
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two
> vulnerabilities and recommends upgrading to the latest version.
>
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
>
>
> Diffs
> -----
>
> embeddedwebserver/pom.xml 81699573
> pom.xml 589cd6ac
> src/main/assembly/admin-web.xml aa37426f
> src/main/assembly/kms.xml 7c40ce4e
>
>
> Diff: https://reviews.apache.org/r/62495/diff/5/
>
>
> Testing
> -------
>
>
> Thanks,
>
> pengjianhua
>
>
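The following is an added example, not part of the review thread or the Ranger patch: a version check that flags Tomcat 7 artifacts falling inside the affected ranges quoted in the review description. It assumes input in the `groupId:artifactId:type:version:scope` form printed by `mvn dependency:list`; the sample lines and function names are constructed for illustration.

```python
import re

# Affected ranges exactly as stated in the review description (inclusive).
# A version match alone does not prove exposure: per the description,
# CVE-2017-12615 also needs Windows with HTTP PUTs enabled, and
# CVE-2017-12616 needs a VirtualDirContext in use.
AFFECTED = {
    "CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
    "CVE-2017-12616": ((7, 0, 0), (7, 0, 80)),
}

# Matches Tomcat coordinates such as
# org.apache.tomcat.embed:tomcat-embed-core:jar:7.0.77:compile
COORD = re.compile(
    r"(?P<group>org\.apache\.tomcat(?:\.embed)?):(?P<artifact>[\w.-]+):"
    r"[\w-]+:(?P<version>\d+\.\d+\.\d+)[\w.-]*:\w+"
)


def parse_version(text):
    """Turn '7.0.79' into (7, 0, 79) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def affected_cves(version):
    """Return the CVE ids whose stated range contains this version."""
    v = parse_version(version)
    return sorted(cve for cve, (lo, hi) in AFFECTED.items() if lo <= v <= hi)


def scan(lines):
    """Yield (coordinate, version, cves) for each affected Tomcat artifact."""
    findings = []
    for line in lines:
        m = COORD.search(line)
        if not m:
            continue  # not a Tomcat artifact line
        cves = affected_cves(m["version"])
        if cves:
            findings.append((f'{m["group"]}:{m["artifact"]}', m["version"], cves))
    return findings


# Constructed sample input, not output from the Ranger build.
SAMPLE = [
    "[INFO]    org.apache.tomcat.embed:tomcat-embed-core:jar:7.0.77:compile",
    "[INFO]    org.apache.tomcat.embed:tomcat-embed-el:jar:7.0.80:compile",
    "[INFO]    org.apache.tomcat.embed:tomcat-embed-jasper:jar:7.0.82:compile",
    "[INFO]    javax.servlet:javax.servlet-api:jar:3.1.0:provided",
]

if __name__ == "__main__":
    for coord, version, cves in scan(SAMPLE):
        print(f"{coord} {version}: {', '.join(cves)}")
```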