[ https://issues.apache.org/jira/browse/KYLIN-3553?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16617357#comment-16617357 ]
ASF subversion and git services commented on KYLIN-3553:
--------------------------------------------------------
Commit b521a5b21852c78eb58e128c6bf5d43c4f91f2a4 in kylin's branch
refs/heads/2.5.0-hadoop3.1 from xingpeng1
[ https://gitbox.apache.org/repos/asf?p=kylin.git;h=b521a5b ]
KYLIN-3553 Tomcat Security Vulnerability Alert. The version of Tomcat for
Kylin should be upgraded to 7.0.90.
> Upgrade Tomcat to 7.0.90.
> -------------------------
>
> Key: KYLIN-3553
> URL: https://issues.apache.org/jira/browse/KYLIN-3553
> Project: Kylin
> Issue Type: Bug
> Components: Security
> Affects Versions: v2.4.0
> Reporter: Peng Xing
> Assignee: Peng Xing
> Priority: Major
> Fix For: v2.5.0, v2.4.2
>
>
> [SECURITY] CVE-2018-1336
> Severity: High
> Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30,
> 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
> Description: An improper handling of overflow in the UTF-8 decoder with
> supplementary characters can lead to an infinite loop in the decoder causing
> a Denial of Service.
> CVE-2018-8014
> Description: The default settings for the CORS filter provided in Apache
> Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to
> 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is
> expected that users of the CORS filter will have configured it appropriately
> for their environment rather than using it in the default configuration.
> Therefore, it is expected that most users will not be impacted by this issue.
> CVE-2018-8034
> Description: The host name verification when using TLS with the WebSocket
> client was missing. It is now enabled by default.
> Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31,
> 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
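The CVE-2018-8014 entry quoted above says the unpatched CORS filter defaults allow any origin and enable supportsCredentials. The check below is an added example, not Kylin or Tomcat code: it models what a tester does against a CORS-enabled endpoint, sending a request with an attacker-chosen Origin and reading back the Access-Control-* headers. The probe origin, the response samples and the `evaluate_cors`/`audit` names are constructed for the example; the dangerous combination it flags is an arbitrary origin being reflected together with `Access-Control-Allow-Credentials: true`.

```python
"""Classify a CORS response by what it grants to an attacker-chosen origin.

Added example (not Kylin or Tomcat code). All sample responses below are
constructed for the example, not captured from a real server.
"""
from typing import Dict, List, NamedTuple

# Hypothetical attacker-controlled origin used as the probe value.
PROBE_ORIGIN = "https://attacker.example"


class CorsVerdict(NamedTuple):
    grants_origin: bool      # the response lets the probe origin read it
    with_credentials: bool   # ...and the browser will attach cookies/auth
    reasons: List[str]


def evaluate_cors(probe_origin: str, headers: Dict[str, str]) -> CorsVerdict:
    """Evaluate response headers for a request that carried Origin: probe_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    acac = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",") if v.strip()}
    reasons: List[str] = []

    if acao is None:
        reasons.append("no Access-Control-Allow-Origin: browser blocks the cross-origin read")
        return CorsVerdict(False, False, reasons)

    if acao == "*":
        reasons.append("wildcard origin: any site can read the response")
        if acac:
            # Browsers refuse credentialed responses with '*', so this is not
            # exploitable by itself, but it shows the filter was left on defaults.
            reasons.append("Allow-Credentials with '*' is rejected by browsers but signals a misconfigured filter")
        return CorsVerdict(True, False, reasons)

    if acao == probe_origin:
        reasons.append(f"probe origin {probe_origin} reflected: allow-list admits arbitrary origins")
        if acac:
            reasons.append("Allow-Credentials: true: an attacker page can read responses sent with the victim's cookies")
        if "origin" not in vary:
            reasons.append("no 'Vary: Origin': the reflected grant may be cached and served to other origins")
        return CorsVerdict(True, acac, reasons)

    reasons.append(f"origin {acao} allowed but probe origin is not: allow-list is enforced")
    return CorsVerdict(False, False, reasons)


# Constructed sample responses to Origin: PROBE_ORIGIN (not real captures).
RESPONSES: Dict[str, Dict[str, str]] = {
    # What the advisory describes for the unpatched default: every origin is
    # allowed and credentials are supported.
    "default_filter": {
        "Access-Control-Allow-Origin": PROBE_ORIGIN,
        "Access-Control-Allow-Credentials": "true",
    },
    # Explicit allow-list that does not contain the probe origin: no grant.
    "hardened_filter": {
        "Vary": "Origin",
    },
    # Public read-only API: wildcard without credentials.
    "public_readonly": {
        "Access-Control-Allow-Origin": "*",
    },
}


def audit(responses: Dict[str, Dict[str, str]] = RESPONSES) -> Dict[str, CorsVerdict]:
    """Run evaluate_cors over each named sample response."""
    return {name: evaluate_cors(PROBE_ORIGIN, hdrs) for name, hdrs in responses.items()}


if __name__ == "__main__":
    for name, verdict in audit().items():
        status = ("VULNERABLE" if verdict.with_credentials
                  else "exposed" if verdict.grants_origin else "ok")
        print(f"{name}: {status}")
        for reason in verdict.reasons:
            print("   -", reason)
```

When the check reports the reflected-origin-plus-credentials case, the fix on the Tomcat side is to configure the CorsFilter explicitly rather than rely on its defaults: set `cors.allowed.origins` to the concrete origins that need access and leave `cors.support.credentials` at false unless a listed origin genuinely needs cookies. Upgrading to the versions named in the advisory changes the defaults, but an explicit allow-list is what actually removes the exposure.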