[ https://issues.apache.org/jira/browse/RANGER-5094?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17910249#comment-17910249 ]
Basapuram Kumar commented on RANGER-5094:
-----------------------------------------
PR - https://github.com/apache/ranger/pull/499
> Bump tomcat to 8.9.96
> ---------------------
>
> Key: RANGER-5094
> URL: https://issues.apache.org/jira/browse/RANGER-5094
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Affects Versions: 2.5.0
> Reporter: Basapuram Kumar
> Priority: Major
> Time Spent: 10m
> Remaining Estimate: 0h
>
> Bump tomcat to 8.9.96 to fix CVE-2023-46589
> CVE-2023-46589 Description
> ```
> Improper Input Validation vulnerability in Apache Tomcat. Tomcat from
> 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1
> through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP
> trailer headers. A trailer header that exceeded the header size limit could
> cause Tomcat to treat a single request as multiple requests leading to the
> possibility of request smuggling when behind a reverse proxy. Users are
> recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83
> onwards or 8.5.96 onwards, which fix the issue.
> ```
>
> As per this, Tomcat *8.5.96* onwards has the *fix*, and currently Ranger
> uses *8.5.94*.
>
> Suggesting to bump Tomcat to 8.5.96.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
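An added example, not part of the ticket or the Ranger project: a check that classifies a Tomcat version string against the four affected ranges quoted from the CVE-2023-46589 description, handling the `-Mn` milestone builds that the ranges start at, and scans a build file for affected versions. The `<tomcat.version>` property name and the pom fragment are constructed for the example, not taken from Ranger's pom.

```python
import re

# Affected ranges exactly as listed in the CVE-2023-46589 description
# (inclusive on both ends): (first affected, last affected).
AFFECTED_RANGES = [
    ("11.0.0-M1", "11.0.0-M10"),
    ("10.1.0-M1", "10.1.15"),
    ("9.0.0-M1", "9.0.82"),
    ("8.5.0", "8.5.95"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(v):
    """Turn '9.0.83' or '10.1.0-M5' into a sortable tuple.

    A milestone (-Mn) precedes the final release with the same number,
    so a final release gets a milestone slot above any real milestone.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % v)
    major, minor, patch, milestone = m.groups()
    ms = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), ms)


def is_affected(version):
    """True if the given Tomcat version lies inside an affected range."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def affected_versions_in_pom(pom_text):
    """Return Tomcat versions declared in pom properties that are affected.

    Assumes a property named like <tomcat.version> (an assumption made
    for this example, not Ranger's actual property name).
    """
    found = re.findall(r"<(tomcat[\w.]*version)>\s*([^<\s]+)\s*</\1>", pom_text)
    return [v for _, v in found if is_affected(v)]


# Constructed pom fragment mirroring the ticket: 8.5.94 is still affected.
SAMPLE_POM = "<properties><tomcat.version>8.5.94</tomcat.version></properties>"
```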