> On March 8, 2018, 9:04 a.m., Velmurugan Periasamy wrote:
> > pom.xml
> > Line 213 (original), 213 (patched)
> > <https://reviews.apache.org/r/65980/diff/1/?file=1972547#file1972547line213>
> >
> > Can you please provide details on testing done?

I am verifying the issue according to “Testing Done”

- Qiang

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/65980/#review198865
-----------------------------------------------------------

On March 8, 2018, 8:18 a.m., Qiang Zhang wrote:
>
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/65980/
> -----------------------------------------------------------
>
> (Updated March 8, 2018, 8:18 a.m.)
>
>
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O hEigeartaigh, Gautam Borad, Madhan Neethiraj, pengjianhua, Ramesh Mani, Selvamohan Neethiraj, sam rome, and Velmurugan Periasamy.
>
>
> Bugs: RANGER-1994
>     https://issues.apache.org/jira/browse/RANGER-1994
>
>
> Repository: ranger
>
>
> Description
> -------
>
> [SECURITY] CVE-2018-1305 Security constraint annotations applied too late
>
> CVE-2018-1305 Security constraint annotations applied too late
>
> Severity: High
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.4
> Apache Tomcat 8.5.0 to 8.5.27
> Apache Tomcat 8.0.0.RC1 to 8.0.49
> Apache Tomcat 7.0.0 to 7.0.84
>
> Description: Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
>
> Mitigation: Users of the affected versions should apply one of the following mitigations. Upgrade to:
> - Apache Tomcat 9.0.5 or later
> - Apache Tomcat 8.5.28 or later
> - Apache Tomcat 8.0.50 or later
> - Apache Tomcat 7.0.85 or later
>
> References: https://lists.apache.org/thread.html/d3354bb0a4eda4acc0a66f3eb24a213fdb75d12c7d16060b23e65781@%3Cannounce.tomcat.apache.org%3E
>
>
> Diffs
> -----
>
> pom.xml d6f98b4
>
>
> Diff: https://reviews.apache.org/r/65980/diff/1/
>
>
> Testing
> -------
>
>
> Thanks,
>
> Qiang Zhang
>
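The affected ranges quoted in the review request can be turned into a check on the Tomcat version pinned in a `pom.xml`. The following is an added example, not part of the original e-mail or of Ranger's code; the property name `tomcat.embed.version` and the sample POM are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# First fixed release per branch, taken from the advisory's "Upgrade to" list.
FIRST_FIXED = {(9, 0): 5, (8, 5): 28, (8, 0): 50, (7, 0): 85}

# Accepts 8.5.27 as well as milestone/RC forms such as 9.0.0.M1 or 8.0.0.RC1.
_VERSION = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](?:M|RC)\d+)?$")


def classify(version):
    """Return 'affected', 'fixed', 'branch-not-listed' or 'unparsed'."""
    m = _VERSION.match(version.strip())
    if not m:
        return "unparsed"
    major, minor, patch = (int(g) for g in m.groups())
    fixed = FIRST_FIXED.get((major, minor))
    if fixed is None:
        return "branch-not-listed"  # the advisory says nothing about this branch
    # Every range in the advisory starts at x.y.0 (or its .M1/.RC1), so any
    # x.y.z below the first fixed patch level is affected, whatever its qualifier.
    return "affected" if patch < fixed else "fixed"


def pom_tomcat_status(pom_xml, prop="tomcat.embed.version"):
    """Classify the Tomcat version held in a pom.xml property.

    The property name is an assumption for this example; pass the real one.
    """
    for el in ET.fromstring(pom_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == prop:  # strip the Maven XML namespace
            return classify(el.text or "")
    return "property-not-found"


# Constructed sample input, not the contents of Ranger's pom.xml.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <tomcat.embed.version>7.0.82</tomcat.embed.version>
  </properties>
</project>"""

if __name__ == "__main__":
    print("sample pom:", pom_tomcat_status(SAMPLE_POM))
    for v in ("9.0.0.M1", "9.0.5", "8.5.27", "8.0.0.RC1", "7.0.85", "6.0.53"):
        print(v, classify(v))
```

A result of `branch-not-listed` means only that the advisory text does not mention that branch, not that the branch is known to be safe.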
