[jira] [Commented] (KYLIN-3611) Upgrade Tomcat to 7.0.91, 8.5.34 or later

Wed, 31 Oct 2018 08:49:50 -0700 


    [ 
https://issues.apache.org/jira/browse/KYLIN-3611?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16670273#comment-16670273
 ] 

ASF GitHub Bot commented on KYLIN-3611:
---------------------------------------

saveORwaste opened a new pull request #321: KYLIN-3611 update to apache tomcat 
7.0.91
URL: https://github.com/apache/kylin/pull/321
 
 
   

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


> Upgrade Tomcat to 7.0.91, 8.5.34 or later
> -----------------------------------------
>
>                 Key: KYLIN-3611
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3611
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Assignee: zhoujie
>            Priority: Major
>             Fix For: v2.6.0, v2.5.1
>
>
> h2. [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
>  
>  
>  
> CVE-2018-11784 Apache Tomcat - Open Redirect
> Severity: Moderate
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.11
> Apache Tomcat 8.5.0 to 8.5.33
> Apache Tomcat 7.0.23 to 7.0.90
> The unsupported 8.0.x release line has not been analysed but is likely
> to be affected.
> Description:
> When the default servlet returned a redirect to a directory (e.g.
> redirecting to '/foo/' when the user requested '/foo') a specially
> crafted URL could be used to cause the redirect to be generated to any
> URI of the attackers choice.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.12 or later.
> - Upgrade to Apache Tomcat 8.5.34 or later.
> - Upgrade to Apache Tomcat 7.0.91 or later.
> - Use mapperDirectoryRedirectEnabled="true" and
>   mapperContextRootRedirectEnabled="true" on the Context to ensure that
>   redirects are issued by the Mapper rather than the default Servlet.
>   See the Context configuration documentation for further important
>   details.
> Credit:
> This vulnerability was found by Sergey Bobrov and reported responsibly
> to the Apache Tomcat Security Team.
> History:
> 2018-10-03 Original advisory
> References:
> [1] [http://tomcat.apache.org/security-9.html]
> [2] [http://tomcat.apache.org/security-8.html]
> [3] [http://tomcat.apache.org/security-7.html]



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Reply via email to