Basapuram Kumar created RANGER-5094:
---------------------------------------
Summary: Bump tomcat to 8.9.96
Key: RANGER-5094
URL: https://issues.apache.org/jira/browse/RANGER-5094
Project: Ranger
Issue Type: Improvement
Components: Ranger
Affects Versions: 2.5.0
Reporter: Basapuram Kumar
Bump tomcat to 8.9.96 to fix CVE-2023-46589
CVE-2023-46589 Description
```
Improper Input Validation vulnerability in Apache Tomcat. Tomcat from 11.0.0-M1
through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through
9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer
headers. A trailer header that exceeded the header size limit could cause
Tomcat to treat a single request as multiple requests leading to the
possibility of request smuggling when behind a reverse proxy. Users are
recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83
onwards or 8.5.96 onwards, which fix the issue.
```
As per this, Tomcat *8.5.96* onwards has the *fix*, and currently Ranger
uses *8.5.94*.
Suggesting to bump the tomcat to 8.5.96.
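An added helper, not part of this issue or of Ranger's own code, that encodes the affected ranges from the CVE description above so a dependency audit can flag a Tomcat version that still needs the bump. It assumes Tomcat's `x.y.z` / `x.y.z-Mn` version syntax and treats a milestone as preceding its final release.

```python
"""Check whether a Tomcat version is affected by CVE-2023-46589.

Affected ranges are taken from the CVE description:
11.0.0-M1..11.0.0-M10, 10.1.0-M1..10.1.15, 9.0.0-M1..9.0.82, 8.5.0..8.5.95.
"""
import re
from typing import Tuple

# One affected range per release line: (lowest affected, highest affected).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M10"),
    ("10.1.0-M1", "10.1.15"),
    ("9.0.0-M1", "9.0.82"),
    ("8.5.0", "8.5.95"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn 'x.y.z' or 'x.y.z-Mn' into a sortable tuple.

    A milestone 'x.y.z-Mn' precedes the final 'x.y.z', so it sorts as
    (x, y, z, 0, n) while the release sorts as (x, y, z, 1, 0).
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if `version` falls inside any affected range (inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample versions, including the one Ranger uses (8.5.94).
    for v in ("8.5.94", "8.5.96", "9.0.83", "10.1.0-M5", "11.0.0-M11"):
        print(v, "AFFECTED" if is_affected(v) else "fixed/unaffected")
```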