This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch release22.01
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/release22.01 by this push:
new bbc5757 Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
bbc5757 is described below
commit bbc5757782d99dfe59153641796b3ad5280d6fed
Author: Jacques Le Roux <[email protected]>
AuthorDate: Wed Jan 26 12:40:29 2022 +0100
Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
The fix for bug CVE-2020-9484 introduced a time of check, time of use
vulnerability that allowed a local attacker to perform actions with the
privileges of the user that the Tomcat process is using. This issue is only
exploitable when Tomcat is configured to persist sessions using the
FileStore.
Also reverts node from 13.14.0 back to 16.13.1. It accidentally slipped in with
OFBIZ-11960
---
build.gradle | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/build.gradle b/build.gradle
index a198d14..896b1d1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -109,7 +109,7 @@ javadoc {
node {
download = true
- version = "13.14.0"
+ version = "16.13.1"
// npmVersion will be the one that comes default with node
// https://github.com/node-gradle/gradle-node-plugin/blob/2.2.4/README.md
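Review bot: The node `version` change in this hunk is unrelated to the Tomcat upgrade named in the subject line and would be easier to audit and revert as its own commit on release22.01, referencing OFBIZ-11960. The commit message describes it as going "from 13.14.0 back to 16.13.1" while the diff replaces "13.14.0" with "16.13.1", so the message should state plainly which value is the intended one for this branch. Because the comment under the changed line says npmVersion is whatever ships with node, this edit also changes the bundled npm across three node major versions; consider confirming the front-end build on this branch or setting npmVersion explicitly.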
@@ -225,8 +225,8 @@ dependencies {
implementation 'org.apache.sshd:sshd-core:1.7.0' // So far we did not
update from 1.7.0 because of a compile issue. You may try w/ a newer version
than 2.4.0
implementation 'org.apache.tika:tika-core:1.28' // 2.1.0 does not work
implementation 'org.apache.tika:tika-parsers:1.28' // 2.1.0 does not work
- implementation 'org.apache.tomcat:tomcat-catalina-ha:9.0.54' // Remember
to change the version number (9 now) in javadoc block if needed.
- implementation 'org.apache.tomcat:tomcat-jasper:9.0.54'
+ implementation 'org.apache.tomcat:tomcat-catalina-ha:9.0.58' // Remember
to change the version number (9 now) in javadoc block if needed.
+ implementation 'org.apache.tomcat:tomcat-jasper:9.0.58'
implementation 'org.apache.axis2:axis2-kernel:1.7.9' // Above:
SOAPEventHandler.java:42: error: package org.apache.axiom.om.impl.builder does
not exist
implementation 'batik:batik-svg-dom:1.6-1'
implementation 'org.apache.xmlgraphics:fop:2.3' // NOTE: since 2.4
dependencies are messed up. See
https://github.com/moqui/moqui-fop/blob/master/build.gradle
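Review bot: The Tomcat version is written as a literal on both changed lines (tomcat-catalina-ha and tomcat-jasper), so a later security bump can update one coordinate and miss the other; consider defining the version once in build.gradle and interpolating it into both. The commit message identifies the issue only as a regression introduced by the CVE-2020-9484 fix; adding the identifier of the vulnerability actually being addressed would let anyone auditing release22.01 confirm that 9.0.58 covers it.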