> On Nov. 30, 2017, 9:38 a.m., Vishal Suvagia wrote:
> > pom.xml
> > Line 212 (original), 212 (patched)
> > <https://reviews.apache.org/r/62495/diff/2/?file=1850092#file1850092line212>
> >
> >     @PengJianhua,
> >     I used the attached patch and did a build on my local machine using mvn clean compile package.
> >     After that, I ran the setup for Ranger-Admin. Then I did a ranger-admin-services start. I am getting an error in the catalina.out file as the Tomcat server start itself is failing (PS: attached log file on apache jira).
> >
> >     To resolve the issue I had to add a dependency for javax.annotation-api.
> >
> >     Did the attached patch work for you without adding this dependency? If yes, kindly share how this worked for you!
>
> pengjianhua wrote:
>     Ok. I didn't add this dependency. My compiling is ok. Please delete your local maven repository. Then compile the ranger project using the following command:
>     sudo mvn clean compile package assembly:assembly install -DskipTests
>
> Vishal Suvagia wrote:
>     Pengjianhua, the compile goes through fine. But did the Ranger-Admin service start using the compiled packaged bits? Are you able to access the Ranger UI?
>
> pengjianhua wrote:
>     I can access the ranger UI. Your question should have nothing to do with this issue. If I guess right, you need a more in-depth understanding of how to use ranger; please refer to the manual to configure your ranger.
>     If you encounter problems during use, you can email me or the community.
>
> bhavik patel wrote:
>     @Pengjianhua: When I try to start the Ranger-Admin and Ranger-KMS services, the service start itself is failing and I also got the same error in catalina.out which Vishal has attached on jira.
>
>     Not sure how it's working for you!!!
>
> Colm O hEigeartaigh wrote:
>     It also fails for me with errors in catalina.out like:
>
>     INFO: validateJarFile(....../lib/javax.servlet-api-3.1.0.jar) - jar not loaded. See Servlet Spec 3.0, section 10.7.2. Offending class: javax/servlet/Servlet.class
>
> pengjianhua wrote:
>     I compiled the source that I built the patch on. Based on that compiled version I have been testing and verifying whether the issue affected ranger's functionality. Maybe our latest modifications introduced new issues. I will also compile the latest source to further verify the problem you mentioned.
>
> pengjianhua wrote:
>     I'm sorry. In this patch I lacked the tomcat-annotations-api dependency package. I have fixed this patch. Thanks!
>
> pengjianhua wrote:
>     Hi Colm and bhavik patel, is there any problem now? If there is no problem, I will merge this issue.
>
> Vishal Suvagia wrote:
>     Hi Pengjianhua,
>     The versions for org.apache.tomcat -> annotations-api present here -> https://mvnrepository.com/artifact/org.apache.tomcat/annotations-api do not have a specific build for 7.0.82 (last stable build version is 6.0.53).
>     Additionally, recent fixes from tomcat devs suggest that the tomcat.annotations-api has been removed from tomcat-embed-core shipments in favour of javax.annotations-api, refer -> https://bz.apache.org/bugzilla/show_bug.cgi?id=61439.

Ok. Thanks. How do you think we should deal with this issue? Should we upgrade directly to tomcat 7.0.83 or is there a better way to handle this issue?


- pengjianhua


-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/62495/#review192253
-----------------------------------------------------------


On Dec. 5, 2017, 2:59 a.m., pengjianhua wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/62495/
> -----------------------------------------------------------
>
> (Updated Dec. 5, 2017, 2:59 a.m.)
>
>
> Review request for ranger, Alok Lal, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, Ramesh Mani, Selvamohan Neethiraj, Velmurugan Periasamy, and Qiang Zhang.
>
>
> Bugs: RANGER-1797
>     https://issues.apache.org/jira/browse/RANGER-1797
>
>
> Repository: ranger
>
>
> Description
> -------
>
> [Security Vulnerability Alert] Tomcat Information leakage and remote code execution vulnerabilities.
>
> CVE ID:
> CVE-2017-12615\CVE-2017-12616
>
> Description
> CVE-2017-12615: When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled, it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
> CVE-2017-12616: When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80, it was possible to use a specially crafted request to bypass security constraints or get the source code of JSPs for resources served by the VirtualDirContext, thereby causing code disclosure.
>
> Scope
> CVE-2017-12615: Apache Tomcat 7.0.0 - 7.0.79
> CVE-2017-12616: Apache Tomcat 7.0.0 - 7.0.80
>
> Solution
> The official release of the Apache Tomcat 7.0.81 version has fixed the two vulnerabilities and recommends upgrading to the latest version.
>
> Reference
> https://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
> https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.82
>
>
> Diffs
> -----
>
>   embeddedwebserver/pom.xml 81699573
>   pom.xml 589cd6ac
>   src/main/assembly/admin-web.xml aa37426f
>   src/main/assembly/kms.xml 7c40ce4e
>
>
> Diff: https://reviews.apache.org/r/62495/diff/5/
>
>
> Testing
> -------
>
>
> Thanks,
>
> pengjianhua
>
>
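Added example, not from the review thread or from the Ranger project: a small audit script that flags a tomcat-embed-core dependency whose version falls inside either affected range given in the description above, resolving a ${property} version against <properties> the way Maven does. The pom content and the property name tomcat.embed.version are constructed assumptions, not Ranger's actual pom.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, as stated in the review description.
AFFECTED = {"CVE-2017-12615": ((7, 0, 0), (7, 0, 79)),
            "CVE-2017-12616": ((7, 0, 0), (7, 0, 80))}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}

def parse_version(text):
    # "7.0.82" -> (7, 0, 82); tuples compare numerically, unlike strings
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def tomcat_findings(pom_xml):
    """Map each CVE to the tomcat-embed-core version that falls in its range."""
    root = ET.fromstring(pom_xml)
    # <properties> children keyed by local name, to resolve ${...} versions
    props = {p.tag.rsplit("}", 1)[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    findings = {}
    # iter() also reaches <dependencyManagement> and plugin dependencies
    for dep in root.iter("{%s}dependency" % NS["m"]):
        gid = dep.findtext("m:groupId", "", NS)
        aid = dep.findtext("m:artifactId", "", NS)
        if (gid, aid) != ("org.apache.tomcat.embed", "tomcat-embed-core"):
            continue
        ver = dep.findtext("m:version", "", NS).strip()
        ref = re.fullmatch(r"\$\{(.+)\}", ver)
        if ref:
            ver = props.get(ref.group(1), ver)
        parsed = parse_version(ver)
        if len(parsed) < 3:  # inherited or unresolved: flag for manual review
            findings["unresolved"] = ver
            continue
        for cve, (low, high) in AFFECTED.items():
            if low <= parsed <= high:
                findings[cve] = ver
    return findings

# Constructed sample pom; the property name is an assumption, not Ranger's.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><tomcat.embed.version>7.0.80</tomcat.embed.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.tomcat.embed</groupId>
      <artifactId>tomcat-embed-core</artifactId>
      <version>${tomcat.embed.version}</version>
    </dependency>
  </dependencies>
</project>"""
```

Running tomcat_findings(SAMPLE_POM) reports only CVE-2017-12616 for 7.0.80, nothing for 7.0.82, and an "unresolved" entry when the property is missing so the version cannot be compared.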
