Posted to issues@kylin.apache.org by "Shaofeng SHI (JIRA)" <ji...@apache.org> on 2018/11/01 01:23:00 UTC

[jira] [Resolved] (KYLIN-3611) Upgrade Tomcat to 7.0.91, 8.5.34 or later

     [ https://issues.apache.org/jira/browse/KYLIN-3611?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Shaofeng SHI resolved KYLIN-3611.
---------------------------------
    Resolution: Fixed

> Upgrade Tomcat to 7.0.91, 8.5.34 or later
> -----------------------------------------
>
>                 Key: KYLIN-3611
>                 URL: https://issues.apache.org/jira/browse/KYLIN-3611
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Shaofeng SHI
>            Assignee: zhoujie
>            Priority: Major
>             Fix For: v2.6.0, v2.5.1
>
>
> h2. [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect
>
> CVE-2018-11784 Apache Tomcat - Open Redirect
> Severity: Moderate
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.11
> Apache Tomcat 8.5.0 to 8.5.33
> Apache Tomcat 7.0.23 to 7.0.90
> The unsupported 8.0.x release line has not been analysed but is likely
> to be affected.
> Description:
> When the default servlet returned a redirect to a directory (e.g.
> redirecting to '/foo/' when the user requested '/foo') a specially
> crafted URL could be used to cause the redirect to be generated to any
> URI of the attacker's choice.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.12 or later.
> - Upgrade to Apache Tomcat 8.5.34 or later.
> - Upgrade to Apache Tomcat 7.0.91 or later.
> - Use mapperDirectoryRedirectEnabled="true" and
>   mapperContextRootRedirectEnabled="true" on the Context to ensure that
>   redirects are issued by the Mapper rather than the default Servlet.
>   See the Context configuration documentation for further important
>   details.
> Credit:
> This vulnerability was found by Sergey Bobrov and reported responsibly
> to the Apache Tomcat Security Team.
> History:
> 2018-10-03 Original advisory
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
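An added check, not part of the Kylin ticket or of the Tomcat advisory, that applies the advisory's two mitigations to a deployment: it tests a Tomcat version string (including 9.0.0.Mx milestone builds) against the affected ranges quoted above and inspects a context.xml for the mapperDirectoryRedirectEnabled / mapperContextRootRedirectEnabled workaround. The two context.xml strings are constructed samples; the unsupported 8.0.x line is not in the advisory's table and is therefore not classified here.

```python
import re
import xml.etree.ElementTree as ET

# (first affected, last affected, first fixed) per release line, from the advisory.
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.11", "9.0.12"),
    ("8.5.0", "8.5.33", "8.5.34"),
    ("7.0.23", "7.0.90", "7.0.91"),
]


def parse_version(ver):
    """'9.0.0.M1' -> (9, 0, 0, 0, 1); '9.0.12' -> (9, 0, 12, 1, 0).
    Milestone builds sort before the final release of the same number."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?", ver.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {ver!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def check_version(ver):
    """Return the first fixed version of the matching line if `ver` is
    affected, else None. Only the three lines listed in the advisory are
    known; 8.0.x (unsupported, not analysed) is deliberately not classified."""
    v = parse_version(ver)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def mapper_redirects_enabled(context_xml):
    """True if the <Context> sets both mapper-redirect attributes to "true",
    i.e. the advisory's configuration workaround is in place."""
    root = ET.fromstring(context_xml)
    if root.tag != "Context":
        raise ValueError("expected a <Context> root element")
    return all(root.get(attr, "").lower() == "true"
               for attr in ("mapperDirectoryRedirectEnabled",
                            "mapperContextRootRedirectEnabled"))


# Constructed samples: a default context.xml, and the same file with the workaround.
CONTEXT_DEFAULT = "<Context><WatchedResource>WEB-INF/web.xml</WatchedResource></Context>"
CONTEXT_HARDENED = ('<Context mapperDirectoryRedirectEnabled="true" '
                    'mapperContextRootRedirectEnabled="true">'
                    "<WatchedResource>WEB-INF/web.xml</WatchedResource></Context>")

if __name__ == "__main__":
    for ver in ("7.0.90", "7.0.91", "8.5.33", "9.0.0.M1", "9.0.12"):
        print(ver, "->", check_version(ver) or "not in an affected range")
    print("workaround in default context:", mapper_redirects_enabled(CONTEXT_DEFAULT))
    print("workaround in hardened context:", mapper_redirects_enabled(CONTEXT_HARDENED))
```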