This is an automated email from the ASF dual-hosted git repository.
jleroux pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
The following commit(s) were added to refs/heads/trunk by this push:
new b16065c Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
b16065c is described below
commit b16065c0bd146c719a633189c6aaf86963f8803f
Author: Jacques Le Roux <[email protected]>
AuthorDate: Wed Jan 26 13:07:50 2022 +0100
Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
The fix for bug CVE-2020-9484 introduced a time of check, time of use
vulnerability that allowed a local attacker to perform actions with the
privileges of the user that the Tomcat process is using. This issue is only
exploitable when Tomcat is configured to persist sessions using the
FileStore.
Note: because I'm a kind of outlaw (using deprecated Win 7) I must use node
13.14.0 and it causes me some issues, like the previous revert.
You can't have your cake and eat it
---
build.gradle | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/build.gradle b/build.gradle
index 0dc7486..896b1d1 100644
--- a/build.gradle
+++ b/build.gradle
@@ -225,8 +225,8 @@ dependencies {
implementation 'org.apache.sshd:sshd-core:1.7.0' // So far we did not
update from 1.7.0 because of a compile issue. You may try w/ a newer version
than 2.4.0
implementation 'org.apache.tika:tika-core:1.28' // 2.1.0 does not work
implementation 'org.apache.tika:tika-parsers:1.28' // 2.1.0 does not work
- implementation 'org.apache.tomcat:tomcat-catalina-ha:9.0.54' // Remember
to change the version number (9 now) in javadoc block if needed.
- implementation 'org.apache.tomcat:tomcat-jasper:9.0.54'
+ implementation 'org.apache.tomcat:tomcat-catalina-ha:9.0.58' // Remember
to change the version number (9 now) in javadoc block if needed.
+ implementation 'org.apache.tomcat:tomcat-jasper:9.0.58'
implementation 'org.apache.axis2:axis2-kernel:1.7.9' // Above:
SOAPEventHandler.java:42: error: package org.apache.axiom.om.impl.builder does
not exist
implementation 'batik:batik-svg-dom:1.6-1'
implementation 'org.apache.xmlgraphics:fop:2.3' // NOTE: since 2.4
dependencies are messed up. See
https://github.com/moqui/moqui-fop/blob/master/build.gradle
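Review bot: The Tomcat version is hard-coded separately on the two added lines (tomcat-catalina-ha:9.0.58 and tomcat-jasper:9.0.58), so a later security bump that touches only one of them would leave the two artifacts on different releases. Consider declaring the version once in build.gradle, for example "def tomcatVersion = '9.0.58'", and referencing it from both coordinates as "org.apache.tomcat:tomcat-jasper:$tomcatVersion" (the variable name is only a suggestion). Separately, the commit message names CVE-2020-9484 only as the earlier fix that introduced the time of check, time of use issue. Adding the identifier of the issue this upgrade addresses, in the message or in the trailing comment on the tomcat-catalina-ha line, would let readers and dependency scanners match the bump to its advisory.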