[ https://issues.apache.org/jira/browse/RANGER-2213?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16626195#comment-16626195 ]
Velmurugan Periasamy commented on RANGER-2213:
----------------------------------------------

[~mehul]/[~zhangqiang2] - I see this patch has been committed. Can this be resolved? Is there anything else pending?

> Tomcat Security Vulnerability Alert. The version of the tomcat for ranger
> should upgrade to 7.0.90.
> ---------------------------------------------------------------------------------------------------
>
>                 Key: RANGER-2213
>                 URL: https://issues.apache.org/jira/browse/RANGER-2213
>             Project: Ranger
>          Issue Type: Bug
>          Components: Ranger
>    Affects Versions: master
>            Reporter: Qiang Zhang
>            Assignee: Qiang Zhang
>            Priority: Major
>              Labels: patch
>             Fix For: 2.0.0, 1.2.0
>
>         Attachments: 0001-RANGER-2213-Tomcat-Security-Vulnerability-Alert.-The.patch
>
>
> [SECURITY] CVE-2018-1336
> Severity: High
> Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30,
> 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
> Description: An improper handling of overflow in the UTF-8 decoder with
> supplementary characters can lead to an infinite loop in the decoder causing
> a Denial of Service.
>
> CVE-2018-8014
> Description: The default settings for the CORS filter provided in Apache
> Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to
> 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is
> expected that users of the CORS filter will have configured it appropriately
> for their environment rather than using it in the default configuration.
> Therefore, it is expected that most users will not be impacted by this issue.
>
> CVE-2018-8034
> Description: The host name verification when using TLS with the WebSocket
> client was missing. It is now enabled by default.
> Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31,
> 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
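The CVE-2018-8014 entry quoted above is the one of the three that depends on how a deployment has configured Tomcat rather than only on the Tomcat version: a CorsFilter declared in web.xml with no init-params inherits cors.allowed.origins="*" and, on the affected versions, cors.support.credentials=true, which is the "credentials for all origins" combination the advisory describes. The checker below is an added example written for this editorial pass, not Ranger or Tomcat code, and it is the check a practitioner would run against a web.xml before and after the upgrade. The two web.xml documents embedded in it are constructed for the demonstration, and the origin https://ranger-ui.example.com in the hardened sample is an assumed placeholder.

```python
# Added example (not Ranger or Tomcat code): audit a web.xml for the CORS filter
# misconfiguration behind CVE-2018-8014, i.e. credentials allowed for every origin.
# On the affected Tomcat versions the filter default for cors.support.credentials
# was true and the default for cors.allowed.origins is "*", so a CorsFilter that
# sets neither parameter is reported as insecure unless told to use the fixed defaults.
import xml.etree.ElementTree as ET
from typing import Optional

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

# Effective defaults when a parameter is absent from the filter definition.
AFFECTED_DEFAULTS = {"cors.allowed.origins": "*", "cors.support.credentials": "true"}
FIXED_DEFAULTS = {"cors.allowed.origins": "*", "cors.support.credentials": "false"}


def _local(tag: str) -> str:
    """Strip the XML namespace prefix ({...}) that a web.xml usually declares."""
    return tag.rsplit("}", 1)[-1]


def _text(elem, name: str) -> Optional[str]:
    """Text of the first direct child of elem with the given local tag name, or None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def cors_filters(web_xml: str) -> list:
    """Return (filter-name, init-params dict) for every CorsFilter declared in web_xml."""
    root = ET.fromstring(web_xml)
    found = []
    for f in root.iter():
        if _local(f.tag) != "filter" or _text(f, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {}
        for ip in f:
            if _local(ip.tag) == "init-param":
                name, value = _text(ip, "param-name"), _text(ip, "param-value")
                if name:
                    params[name] = value or ""
        found.append((_text(f, "filter-name") or "<unnamed>", params))
    return found


def allows_credentials_for_any_origin(params: dict, defaults=AFFECTED_DEFAULTS) -> bool:
    """True when the effective config is allowed.origins='*' plus support.credentials=true."""
    origins = params.get("cors.allowed.origins", defaults["cors.allowed.origins"])
    creds = params.get("cors.support.credentials", defaults["cors.support.credentials"])
    return origins.strip() == "*" and creds.strip().lower() == "true"


def audit(web_xml: str, defaults=AFFECTED_DEFAULTS) -> list:
    """Names of CorsFilter definitions that allow credentialed requests from any origin."""
    return [name for name, params in cors_filters(web_xml)
            if allows_credentials_for_any_origin(params, defaults)]


# Constructed sample: a CorsFilter added with no init-params, relying on the defaults.
BARE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Constructed sample: the same filter with an explicit origin list. Credentials are
# acceptable here because they are only honoured for the listed origin; the host
# name https://ranger-ui.example.com is an assumed placeholder.
HARDENED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://ranger-ui.example.com</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

if __name__ == "__main__":
    print("bare filter, affected Tomcat defaults:", audit(BARE_WEB_XML))
    print("bare filter, fixed Tomcat defaults:   ", audit(BARE_WEB_XML, FIXED_DEFAULTS))
    print("explicit origin list:                 ", audit(HARDENED_WEB_XML))
```

Run it against the web.xml of the Ranger admin webapp (or any other Tomcat-hosted app) with AFFECTED_DEFAULTS to see what the filter does today, then with FIXED_DEFAULTS to see what the upgrade alone fixes. A filter that sets cors.allowed.origins="*" and cors.support.credentials=true explicitly is flagged under both default sets, because upgrading Tomcat does not change parameters the deployer wrote down.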