[
https://issues.apache.org/jira/browse/RANGER-2213?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Qiang Zhang updated RANGER-2213:
--------------------------------
Attachment: 0001-RANGER-2213-Tomcat-Security-Vulnerability-Alert.-The.patch
> Tomcat Security Vulnerability Alert. The version of the tomcat for ranger
> should upgrade to 7.0.90.
> ---------------------------------------------------------------------------------------------------
>
> Key: RANGER-2213
> URL: https://issues.apache.org/jira/browse/RANGER-2213
> Project: Ranger
> Issue Type: Bug
> Components: Ranger
> Affects Versions: master
> Reporter: Qiang Zhang
> Assignee: Qiang Zhang
> Priority: Major
> Labels: patch
> Attachments:
> 0001-RANGER-2213-Tomcat-Security-Vulnerability-Alert.-The.patch
>
>
> [SECURITY] CVE-2018-1336
> Severity: High
> Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30,
> 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
> Description: An improper handing of overflow in the UTF-8 decoder with
> supplementary characters can lead to an infinite loop in the decoder causing
> a Denial of Service.
> CVE-2018-8014
> Description: The defaults settings for the CORS filter provided in Apache
> Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to
> 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is
> expected that users of the CORS filter will have configured it appropriately
> for their environment rather than using it in the default configuration.
> Therefore, it is expected that most users will not be impacted by this issue.
> CVE-2018-8034
> Description: The host name verification when using TLS with the WebSocket
> client was missing. It is now enabled by default.
> Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31,
> 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
