Posted to dev@ofbiz.apache.org by Pierre Smits <pi...@apache.org> on 2022/01/26 11:42:00 UTC
Re: [ofbiz-framework] branch trunk updated: Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
Hey Jacques,
It seems to me that this commit does not address the issue described in the
referenced ticket: https://issues.apache.org/jira/browse/OFBIZ-12539.
Should this not be corrected, e.g. by having its own ticket?
Kind regards,
Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
2008 (without privileges)
Proud contributor to the ASF since 2006
Apache Directory <https://directory.apache.org>, PMC Member
Anyone could have been you, whereas I've always been anyone.
On Wed, Jan 26, 2022 at 12:34 PM <jl...@apache.org> wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> jleroux pushed a commit to branch trunk
> in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
>
>
> The following commit(s) were added to refs/heads/trunk by this push:
> new 6ed30b7 Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
> 6ed30b7 is described below
>
> commit 6ed30b76652e24162bcbc6efe4ca912ba0e31bc2
> Author: Jacques Le Roux <ja...@les7arts.com>
> AuthorDate: Wed Jan 26 12:31:50 2022 +0100
>
> Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
>
> The fix for bug CVE-2020-9484 introduced a time-of-check, time-of-use
> vulnerability that allowed a local attacker to perform actions with the
> privileges of the user that the Tomcat process is using. This issue is
> only exploitable when Tomcat is configured to persist sessions using the
> FileStore.
> ---
> themes/common-theme/webapp/common/js/package.json | 33 ++++++++++++-----------
> 1 file changed, 18 insertions(+), 15 deletions(-)
>
> diff --git a/themes/common-theme/webapp/common/js/package.json b/themes/common-theme/webapp/common/js/package.json
> index 036a227..429ade6 100644
> --- a/themes/common-theme/webapp/common/js/package.json
> +++ b/themes/common-theme/webapp/common/js/package.json
> @@ -1,17 +1,20 @@
> {
> - "name": "ofbiz-framework",
> - "description": "ofbiz-framework NPM dependencies configuration",
> - "repository": "https://github.com/apache/ofbiz-framework.git",
> - "license": "Apache-2.0",
> - "dependencies": {
> - "jquery": "^3.6.0",
> - "jquery-migrate": "^3.3.2",
> - "jquery-validation": "^1.19.3",
> - "jquery.browser": "^0.1.0",
> - "dompurify": "^2.3.4",
> - "jquery-ui-dist": "^1.13.0",
> - "trumbowyg": "^2.25.1",
> - "flot": "^4.2.2",
> - "@chinchilla-software/jquery-ui-timepicker-addon": "^1.6.3"
> - }
> + "name": "ofbiz-framework",
> + "description": "ofbiz-framework NPM dependencies configuration",
> + "repository": "https://github.com/apache/ofbiz-framework.git",
> + "license": "Apache-2.0",
> + "dependencies": {
> + "jquery": "^3.6.0",
> + "jquery-migrate": "^3.3.2",
> + "jquery-validation": "^1.19.3",
> + "jquery.browser": "^0.1.0",
> + "dompurify": "^2.3.4",
> + "jquery-ui-dist": "^1.13.0",
> + "trumbowyg": "^2.25.1",
> + "flot": "^4.2.2",
> + "@chinchilla-software/jquery-ui-timepicker-addon": "^1.6.3"
> + },
> + "scripts": {
> + "lint": "jshint **.js --reporter checkstyle > checkstyle.xml"
> + }
> }
>
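Review bot: the hunk does not contain the change the commit message announces; nothing in it touches a Tomcat version, and the diff is confined to themes/common-theme/webapp/common/js/package.json. Every dependency line is deleted and re-added with identical visible content (the diffstat's 18 insertions against 15 deletions is almost entirely that churn), and the only substantive additions are the trailing comma after the "dependencies" block and the new "scripts" entry, `"lint": "jshint **.js --reporter checkstyle > checkstyle.xml"`. Suggest landing the package.json change as its own commit under its own ticket, so that OFBIZ-12539 and the "Upgrade Tomcat from 9.0.54 to 9.0.58" message stay attached to the actual Tomcat bump, which is absent from this diff. On the lint line itself, two things are worth verifying before it is relied on: npm runs scripts through the shell, so the unquoted `**.js` is expanded there, and in a POSIX sh without recursive globbing it matches only files in the current directory; and the redirect writes checkstyle.xml into the working tree, so it should either be git-ignored or written to a build output directory.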
Re: [ofbiz-framework] branch trunk updated: Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
Posted by Pierre Smits <pi...@apache.org>.
Jacques,
I don't know about a release from r18, but regarding a release from r22, you
could consider sharing your viewpoint in the thread 'Time to cut the first
release of the R22 branch?' instead of here.
Kind regards,
Pierre Smits
Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
2008 (without privileges)
Proud contributor to the ASF since 2006
Apache Directory <https://directory.apache.org>, PMC Member
Anyone could have been you, whereas I've always been anyone.
On Wed, Jan 26, 2022 at 2:04 PM Jacques Le Roux <jacques.le.roux@les7arts.com> wrote:
> Hi Pierre, All,
>
> Yes, saw that; complications come with me using Win7.
>
> As I said in the Jira: I'm not sure we need to make new releases (18 and
> 22).
> Because I doubt users persist sessions using the advanced FileStore feature.
> So maybe simply a warning could be sufficient.
>
> Jacques
>
> On 26/01/2022 at 12:42, Pierre Smits wrote:
> > Hey Jacques,
> >
> > It seems to me that this commit does not address the issue described in
> > the referenced ticket: https://issues.apache.org/jira/browse/OFBIZ-12539.
> >
> > Should this not be corrected, e.g. by having its own ticket?
> >
> >
> > Kind regards,
> >
> > Pierre Smits
> > Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
> > 2008 (without privileges)
> > Proud contributor to the ASF since 2006
> >
> > Apache Directory <https://directory.apache.org>, PMC Member
> >
> > Anyone could have been you, whereas I've always been anyone.
> >
> >
> > On Wed, Jan 26, 2022 at 12:34 PM <jl...@apache.org> wrote:
> >
> >> This is an automated email from the ASF dual-hosted git repository.
> >>
> >> jleroux pushed a commit to branch trunk
> >> in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
> >>
> >>
> >> The following commit(s) were added to refs/heads/trunk by this push:
> >> new 6ed30b7 Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
> >> 6ed30b7 is described below
> >>
> >> commit 6ed30b76652e24162bcbc6efe4ca912ba0e31bc2
> >> Author: Jacques Le Roux <ja...@les7arts.com>
> >> AuthorDate: Wed Jan 26 12:31:50 2022 +0100
> >>
> >> Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
> >>
> >> The fix for bug CVE-2020-9484 introduced a time-of-check, time-of-use
> >> vulnerability that allowed a local attacker to perform actions with the
> >> privileges of the user that the Tomcat process is using. This issue is
> >> only exploitable when Tomcat is configured to persist sessions using the
> >> FileStore.
> >> ---
> >> themes/common-theme/webapp/common/js/package.json | 33 ++++++++++++-----------
> >> 1 file changed, 18 insertions(+), 15 deletions(-)
> >>
> >> diff --git a/themes/common-theme/webapp/common/js/package.json b/themes/common-theme/webapp/common/js/package.json
> >> index 036a227..429ade6 100644
> >> --- a/themes/common-theme/webapp/common/js/package.json
> >> +++ b/themes/common-theme/webapp/common/js/package.json
> >> @@ -1,17 +1,20 @@
> >> {
> >> - "name": "ofbiz-framework",
> >> - "description": "ofbiz-framework NPM dependencies configuration",
> >> - "repository": "https://github.com/apache/ofbiz-framework.git",
> >> - "license": "Apache-2.0",
> >> - "dependencies": {
> >> - "jquery": "^3.6.0",
> >> - "jquery-migrate": "^3.3.2",
> >> - "jquery-validation": "^1.19.3",
> >> - "jquery.browser": "^0.1.0",
> >> - "dompurify": "^2.3.4",
> >> - "jquery-ui-dist": "^1.13.0",
> >> - "trumbowyg": "^2.25.1",
> >> - "flot": "^4.2.2",
> >> - "@chinchilla-software/jquery-ui-timepicker-addon": "^1.6.3"
> >> - }
> >> + "name": "ofbiz-framework",
> >> + "description": "ofbiz-framework NPM dependencies configuration",
> >> + "repository": "https://github.com/apache/ofbiz-framework.git",
> >> + "license": "Apache-2.0",
> >> + "dependencies": {
> >> + "jquery": "^3.6.0",
> >> + "jquery-migrate": "^3.3.2",
> >> + "jquery-validation": "^1.19.3",
> >> + "jquery.browser": "^0.1.0",
> >> + "dompurify": "^2.3.4",
> >> + "jquery-ui-dist": "^1.13.0",
> >> + "trumbowyg": "^2.25.1",
> >> + "flot": "^4.2.2",
> >> + "@chinchilla-software/jquery-ui-timepicker-addon": "^1.6.3"
> >> + },
> >> + "scripts": {
> >> + "lint": "jshint **.js --reporter checkstyle > checkstyle.xml"
> >> + }
> >> }
> >>
>
Re: [ofbiz-framework] branch trunk updated: Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
Posted by Jacques Le Roux <ja...@les7arts.com>.
Hi Pierre, All,
Yes, saw that; complications come with me using Win7.
As I said in the Jira: I'm not sure we need to make new releases (18 and 22).
Because I doubt users persist sessions using the advanced FileStore feature. So maybe simply a warning could be sufficient.
Jacques
On 26/01/2022 at 12:42, Pierre Smits wrote:
> Hey Jacques,
>
> It seems to me that this commit does not address the issue described in the
> referenced ticket: https://issues.apache.org/jira/browse/OFBIZ-12539.
>
> Should this not be corrected, e.g. by having its own ticket?
>
>
> Kind regards,
>
> Pierre Smits
> Proud contributor of Apache OFBiz <https://ofbiz.apache.org/> since
> 2008 (without privileges)
> Proud contributor to the ASF since 2006
>
> Apache Directory <https://directory.apache.org>, PMC Member
>
> Anyone could have been you, whereas I've always been anyone.
>
>
> On Wed, Jan 26, 2022 at 12:34 PM <jl...@apache.org> wrote:
>
>> This is an automated email from the ASF dual-hosted git repository.
>>
>> jleroux pushed a commit to branch trunk
>> in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git
>>
>>
>> The following commit(s) were added to refs/heads/trunk by this push:
>> new 6ed30b7 Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
>> 6ed30b7 is described below
>>
>> commit 6ed30b76652e24162bcbc6efe4ca912ba0e31bc2
>> Author: Jacques Le Roux <ja...@les7arts.com>
>> AuthorDate: Wed Jan 26 12:31:50 2022 +0100
>>
>> Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
>>
>> The fix for bug CVE-2020-9484 introduced a time of check, time of use
>> vulnerability that allowed a local attacker to perform actions with the
>> privileges of the user that the Tomcat process is using. This issue is
>> only
>> exploitable when Tomcat is configured to persist sessions using the
>> FileStore.
>> ---
>> themes/common-theme/webapp/common/js/package.json | 33 ++++++++++++-----------
>> 1 file changed, 18 insertions(+), 15 deletions(-)
>>
>> diff --git a/themes/common-theme/webapp/common/js/package.json b/themes/common-theme/webapp/common/js/package.json
>> index 036a227..429ade6 100644
>> --- a/themes/common-theme/webapp/common/js/package.json
>> +++ b/themes/common-theme/webapp/common/js/package.json
>> @@ -1,17 +1,20 @@
>> {
>> - "name": "ofbiz-framework",
>> - "description": "ofbiz-framework NPM dependencies configuration",
>> - "repository": "https://github.com/apache/ofbiz-framework.git",
>> - "license": "Apache-2.0",
>> - "dependencies": {
>> - "jquery": "^3.6.0",
>> - "jquery-migrate": "^3.3.2",
>> - "jquery-validation": "^1.19.3",
>> - "jquery.browser": "^0.1.0",
>> - "dompurify": "^2.3.4",
>> - "jquery-ui-dist": "^1.13.0",
>> - "trumbowyg": "^2.25.1",
>> - "flot": "^4.2.2",
>> - "@chinchilla-software/jquery-ui-timepicker-addon": "^1.6.3"
>> - }
>> + "name": "ofbiz-framework",
>> + "description": "ofbiz-framework NPM dependencies configuration",
>> + "repository": "https://github.com/apache/ofbiz-framework.git",
>> + "license": "Apache-2.0",
>> + "dependencies": {
>> + "jquery": "^3.6.0",
>> + "jquery-migrate": "^3.3.2",
>> + "jquery-validation": "^1.19.3",
>> + "jquery.browser": "^0.1.0",
>> + "dompurify": "^2.3.4",
>> + "jquery-ui-dist": "^1.13.0",
>> + "trumbowyg": "^2.25.1",
>> + "flot": "^4.2.2",
>> + "@chinchilla-software/jquery-ui-timepicker-addon": "^1.6.3"
>> + },
>> + "scripts": {
>> + "lint": "jshint **.js --reporter checkstyle > checkstyle.xml"
>> + }
>> }
>>
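The thread turns on whether a deployment actually persists sessions through Tomcat's FileStore, which is the precondition the commit message gives for the issue. The script below is an added example, not code from the OFBiz project or from anyone in this thread: it parses a Tomcat-style context.xml or server.xml and reports each <Context> whose <Manager> is a PersistentManager backed by a FileStore. The two sample documents embedded in it are constructed for the example. It assumes the standard Tomcat element and attribute names (Manager, Store, className, directory) and that session persistence is configured in XML; an embedded Tomcat such as the one OFBiz ships may wire its session manager in code instead, which this script does not cover and which would need to be checked separately.

```python
"""Audit Tomcat XML configuration for session persistence via FileStore.

Added example, not OFBiz or Tomcat project code. Reads context.xml or
server.xml style documents and reports every <Context> whose <Manager> is
a PersistentManager, flagging those whose <Store> is a FileStore.
"""
from __future__ import annotations

import sys
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from pathlib import Path
from typing import Optional

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
STANDARD_MANAGER = "org.apache.catalina.session.StandardManager"  # Tomcat's default when <Manager> is absent
FILE_STORE = "org.apache.catalina.session.FileStore"


@dataclass
class Finding:
    """One <Context> whose <Manager> is a PersistentManager."""
    context_path: str             # 'path' attribute of the <Context>, or "(default)" when unset
    store_class: Optional[str]    # className of the nested <Store>, if any
    store_directory: Optional[str]

    @property
    def uses_file_store(self) -> bool:
        return self.store_class == FILE_STORE


def audit_tomcat_xml(xml_text: str) -> list[Finding]:
    """Return one Finding per <Context> that uses PersistentManager.

    Accepts either a context.xml (root element <Context>) or a server.xml
    (<Context> elements nested under Server/Service/Engine/Host).
    """
    root = ET.fromstring(xml_text)
    contexts = [root] if root.tag == "Context" else list(root.iter("Context"))
    findings: list[Finding] = []
    for ctx in contexts:
        # <Manager> is a direct child of <Context>; a missing element means StandardManager.
        for manager in ctx.findall("Manager"):
            if manager.get("className", STANDARD_MANAGER) != PERSISTENT_MANAGER:
                continue
            store = manager.find("Store")
            findings.append(Finding(
                context_path=ctx.get("path", "(default)"),
                store_class=store.get("className") if store is not None else None,
                store_directory=store.get("directory") if store is not None else None,
            ))
    return findings


def file_store_contexts(xml_text: str) -> list[str]:
    """Context paths that match the commit message's precondition (FileStore persistence)."""
    return [f.context_path for f in audit_tomcat_xml(xml_text) if f.uses_file_store]


# Constructed sample inputs for the example; not taken from any real deployment.
SAMPLE_CONTEXT_XML = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager" maxIdleBackup="60">
    <Store className="org.apache.catalina.session.FileStore" directory="/var/lib/tomcat/sessions"/>
  </Manager>
</Context>
"""

SAMPLE_SERVER_XML = """<Server port="8005">
  <Service name="Catalina">
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Context path="/shop" docBase="shop">
          <Manager className="org.apache.catalina.session.StandardManager"/>
        </Context>
        <Context path="/admin" docBase="admin">
          <Manager className="org.apache.catalina.session.PersistentManager">
            <Store className="org.apache.catalina.session.JDBCStore"
                   connectionURL="jdbc:postgresql://db/sessions"/>
          </Manager>
        </Context>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def main(argv: list[str]) -> None:
    if argv:
        inputs = [(p, Path(p).read_text(encoding="utf-8")) for p in argv]
    else:
        inputs = [("sample context.xml", SAMPLE_CONTEXT_XML),
                  ("sample server.xml", SAMPLE_SERVER_XML)]
    for name, doc in inputs:
        hits = file_store_contexts(doc)
        verdict = f"AFFECTED, FileStore in {hits}" if hits else "no FileStore session persistence"
        print(f"{name}: {verdict}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it with no arguments to see the two constructed samples classified, or pass one or more XML paths. A context with no <Manager> element gets Tomcat's default StandardManager, which is not the FileStore configuration the commit message describes, so such contexts are reported as unaffected; a PersistentManager backed by another store (the JDBCStore in the second sample) is listed by audit_tomcat_xml but not flagged.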