Posted to dev@tomee.apache.org by Alex The Rocker <al...@gmail.com> on 2017/10/10 16:56:30 UTC

Could TomEE 7.0.5

Hello,

While checking latest TomEE 7.0.5, I noticed that it's based on Tomcat 8.5.21.

I recently received the following CVE alert, which impacts Tomcat 8.5.x
up to Tomcat 8.5.22:

[SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

I see that it is fixed in Tomcat 8.5.23:
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.23

Would it be possible to upgrade the TomEE 7.0.5 snapshot dependency to
Tomcat 8.5.23?

Best regards,
Alexandre
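
The request above boils down to a version check: is the Tomcat that TomEE bundles at or past 8.5.23, the release the linked Tomcat security page names as carrying the CVE-2017-12617 fix. The following script is an added example, not code from the TomEE project or from either author in this thread. It reads the bundled Tomcat version from the server.info line of ServerInfo.properties (the file Tomcat ships inside catalina.jar) and compares it numerically, so that 8.5.9 does not sort after 8.5.23 the way a string compare would. It also reports whether conf/web.xml turns off the DefaultServlet readonly flag, the precondition (HTTP PUT enabled) the Tomcat advisory states for this CVE. The ServerInfo.properties and web.xml texts below are constructed sample inputs; reading them from a real install's lib/catalina.jar and conf/web.xml is left to the caller.

```python
"""Check a TomEE/Tomcat install against the CVE-2017-12617 fixed version.

Added example; not TomEE project code. Assumptions: the bundled Tomcat
version is readable from the "server.info=Apache Tomcat/X.Y.Z" line of
org/apache/catalina/util/ServerInfo.properties (inside catalina.jar), and
the DefaultServlet is configured in conf/web.xml as in a stock install.
Both sample inputs below are constructed for this demonstration.
"""
import re
import xml.etree.ElementTree as ET

# Tomcat 8.5.23 is the first 8.5.x release with the fix (Tomcat security-8 page).
FIXED_VERSION = (8, 5, 23)

# Constructed sample of a ServerInfo.properties from an unpatched install.
SAMPLE_SERVER_INFO = """\
server.info=Apache Tomcat/8.5.21
server.number=8.5.21.0
server.built=Sep 5 2017 14:42:34 UTC
"""

# Constructed conf/web.xml fragment with the risky setting: readonly=false
# enables HTTP PUT on the DefaultServlet, which the Tomcat advisory names
# as the precondition for CVE-2017-12617.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""


def parse_tomcat_version(server_info_text):
    """Return the Tomcat version from a ServerInfo.properties text as an int tuple.

    Tuples of ints are compared numerically; comparing the raw strings would
    rank "8.5.9" above "8.5.23", which is exactly the bug a naive check has.
    """
    m = re.search(r"^server\.info=Apache Tomcat/(\d+)\.(\d+)\.(\d+)",
                  server_info_text, re.MULTILINE)
    if not m:
        raise ValueError("no server.info line found")
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if an 8.5.x version is at or above the fixed release.

    Other branches have their own fixed releases on the Tomcat security
    pages, so this check refuses to answer for them rather than guess.
    """
    if version[:2] != FIXED_VERSION[:2]:
        raise ValueError("check covers Tomcat 8.5.x only, got %s"
                         % ".".join(map(str, version)))
    return version >= FIXED_VERSION


def _local(tag):
    """Strip the XML namespace ("{uri}servlet" -> "servlet")."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_readonly(web_xml_text):
    """Return the effective readonly value of the DefaultServlet.

    Tomcat defaults readonly to true. When the init-param is present, the
    value goes through Boolean.parseBoolean, which is true only for the
    string "true" (case-insensitive); an empty or any other value disables
    readonly and therefore enables PUT.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = next((c.text for c in servlet if _local(c.tag) == "servlet-class"), "")
        if (cls or "").strip() != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            name = value = ""
            for child in param:
                if _local(child.tag) == "param-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "param-value":
                    value = (child.text or "").strip()
            if name == "readonly":
                return value.lower() == "true"
    return True


def assess(server_info_text, web_xml_text):
    """Combine both checks: exposed only if unpatched AND PUT is enabled."""
    version = parse_tomcat_version(server_info_text)
    patched = is_patched(version)
    readonly = default_servlet_readonly(web_xml_text)
    return {
        "version": ".".join(map(str, version)),
        "patched": patched,
        "put_enabled": not readonly,
        "exposed": (not patched) and (not readonly),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SERVER_INFO, SAMPLE_WEB_XML))
```

Run against a real install, the two inputs come from `unzip -p lib/catalina.jar org/apache/catalina/util/ServerInfo.properties` and `conf/web.xml`. The two findings are kept separate on purpose: an unpatched Tomcat with readonly left at its default is still worth upgrading, but the PUT-enabled case is the one to treat as urgent.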

Re: Could TomEE 7.0.5

Posted by Jonathan Gallimore <jo...@gmail.com>.
Pushed it earlier, deploying snapshots now:
https://github.com/apache/tomee/commit/bdd41eb48076b370c07aaaa386c801049b17fca2

:-)

Cheers

Jon

On Tue, Oct 10, 2017 at 5:56 PM, Alex The Rocker <al...@gmail.com>
wrote:

> Hello,
>
> While checking latest TomEE 7.0.5, I noticed that it's based on Tomcat
> 8.5.21.
>
> I recently received the following CVE alert, which impacts Tomcat 8.5.x
> up to Tomcat 8.5.22:
>
> [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP
> upload
>
> I see that it is fixed in Tomcat 8.5.23:
> https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.23
>
> Would it be possible to upgrade the TomEE 7.0.5 snapshot dependency to
> Tomcat 8.5.23?
>
> Best regards,
> Alexandre
>