Re: Review Request 68681: RANGER-2213 Tomcat Security Vulnerability Alert. The version of the tomcat for ranger should upgrade to 7.0.90.

Wed, 12 Sep 2018 01:38:47 -0700 

-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/68681/#review208553
-----------------------------------------------------------



@Qiang Zhang, Kindly add the testing done with this patch ?

- Vishal Suvagia


On Sept. 11, 2018, 3:07 a.m., Qiang Zhang wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/68681/
> -----------------------------------------------------------
> 
> (Updated Sept. 11, 2018, 3:07 a.m.)
> 
> 
> Review request for ranger, Ankita Sinha, Don Bosco Durai, Colm O 
> hEigeartaigh, Gautam Borad, Madhan Neethiraj, Nitin Galave, pengjianhua, 
> Ramesh Mani, Selvamohan Neethiraj, sam  rome, Venkat Ranganathan, and 
> Velmurugan Periasamy.
> 
> 
> Bugs: RANGER-2213
>     https://issues.apache.org/jira/browse/RANGER-2213
> 
> 
> Repository: ranger
> 
> 
> Description
> -------
> 
> [SECURITY] CVE-2018-1336
> Severity: High 
> Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 
> 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
> Description: An improper handing of overflow in the UTF-8 decoder with 
> supplementary characters can lead to an infinite loop in the decoder causing 
> a Denial of Service.
> 
> CVE-2018-8014
> Description: The defaults settings for the CORS filter provided in Apache 
> Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 
> 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is 
> expected that users of the CORS filter will have configured it appropriately 
> for their environment rather than using it in the default configuration. 
> Therefore, it is expected that most users will not be impacted by this issue.
> 
> CVE-2018-8034
> Description: The host name verification when using TLS with the WebSocket 
> client was missing. It is now enabled by default. 
> Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 
> 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
> 
> 
> Diffs
> -----
> 
>   pom.xml ae3f4be4c 
> 
> 
> Diff: https://reviews.apache.org/r/68681/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Qiang Zhang
> 
>

Reply via email to