Author: jleroux
Date: Tue Apr 11 09:18:32 2017
New Revision: 1790943

URL: http://svn.apache.org/viewvc?rev=1790943&view=rev
Log:
Fixed: Update Tomcat to 8.0.42 because of CVE-2017-5648 (OFBIZ-9313)

Quoting a message from [hidden email]
================================================================================
CVE-2017-5648 Apache Tomcat Information Disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M17
Apache Tomcat 8.5.0 to 8.5.11
Apache Tomcat 8.0.0.RC1 to 8.0.41
Apache Tomcat 7.0.0 to 7.0.75
Apache Tomcat 6.0.x is not affected

Description:
While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M18 or later
- Upgrade to Apache Tomcat 8.5.12 or later
- Upgrade to Apache Tomcat 8.0.42 or later
- Upgrade to Apache Tomcat 7.0.76 or later

Credit:
This issue was identified by the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
================================================================================
It's a low security issue, so I'll not backport on no longer or not released branches.

All tests pass and UI seems OK.
Modified: ofbiz/branches/release16.11/build.gradle ofbiz/ofbiz-framework/trunk/build.gradle Modified: ofbiz/branches/release16.11/build.gradle URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/build.gradle?rev=1790943&r1=1790942&r2=1790943&view=diff ============================================================================== --- ofbiz/branches/release16.11/build.gradle (original) +++ ofbiz/branches/release16.11/build.gradle Tue Apr 11 09:18:32 2017 @@ -114,10 +114,10 @@ dependencies { compile 'org.apache.shiro:shiro-core:1.3.0' compile 'org.apache.tika:tika-core:1.12' compile 'org.apache.tika:tika-parsers:1.12' - compile 'org.apache.tomcat:tomcat-catalina-ha:8.0.39' - compile 'org.apache.tomcat:tomcat-catalina:8.0.39' - compile 'org.apache.tomcat:tomcat-jasper:8.0.39' - compile 'org.apache.tomcat:tomcat-tribes:8.0.39' + compile 'org.apache.tomcat:tomcat-catalina-ha:8.0.42' + compile 'org.apache.tomcat:tomcat-catalina:8.0.42' + compile 'org.apache.tomcat:tomcat-jasper:8.0.42' + compile 'org.apache.tomcat:tomcat-tribes:8.0.42' compile 'org.apache.xmlgraphics:fop:2.1' compile 'org.apache.xmlrpc:xmlrpc-client:3.1.2' compile 'org.apache.xmlrpc:xmlrpc-server:3.1.2' 
@@ -159,7 +159,7 @@ dependencies { runtime 'org.apache.axis2:axis2-adb:1.7.1' runtime 'org.apache.httpcomponents:httpcore:4.4.1' runtime 'org.apache.servicemix.bundles:org.apache.servicemix.bundles.xpp3:1.1.4c_7' - runtime 'org.apache.tomcat.extras:tomcat-extras-juli-adapters:8.0.39' + runtime 'org.apache.tomcat.extras:tomcat-extras-juli-adapters:8.0.42' runtime 'org.apache.xalan:com.springsource.org.apache.xml.serializer:2.7.1' runtime 'ws-commons-java5:ws-commons-java5:1.0.1' Modified: ofbiz/ofbiz-framework/trunk/build.gradle URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?rev=1790943&r1=1790942&r2=1790943&view=diff ============================================================================== --- ofbiz/ofbiz-framework/trunk/build.gradle (original) +++ ofbiz/ofbiz-framework/trunk/build.gradle Tue Apr 11 09:18:32 2017 @@ -17,6 +17,7 @@ * under the License. */ import at.bxm.gradleplugins.svntools.tasks.SvnCheckout +import at.bxm.gradleplugins.svntools.tasks.SvnUpdate import org.apache.tools.ant.filters.ReplaceTokens /* ======================================================== 
@@ -125,14 +126,14 @@ dependencies { compile 'org.apache.shiro:shiro-core:1.3.0' compile 'org.apache.tika:tika-core:1.12' compile 'org.apache.tika:tika-parsers:1.12' - compile 'org.apache.tomcat:tomcat-catalina-ha:8.0.39' - compile 'org.apache.tomcat:tomcat-catalina:8.0.39' - compile 'org.apache.tomcat:tomcat-jasper:8.0.39' - compile 'org.apache.tomcat:tomcat-tribes:8.0.39' + compile 'org.apache.tomcat:tomcat-catalina-ha:8.0.42' + compile 'org.apache.tomcat:tomcat-catalina:8.0.42' + compile 'org.apache.tomcat:tomcat-jasper:8.0.42' + compile 'org.apache.tomcat:tomcat-tribes:8.0.42' compile 'org.apache.xmlgraphics:fop:2.1' compile 'org.apache.xmlrpc:xmlrpc-client:3.1.2' compile 'org.apache.xmlrpc:xmlrpc-server:3.1.2' - compile 'org.codehaus.groovy:groovy-all:2.4.5' + compile 'org.codehaus.groovy:groovy-all:2.4.10' compile 'org.freemarker:freemarker:2.3.25-incubating' // Remember to change the version number in FreeMarkerWorker class when upgrading compile 'org.hamcrest:hamcrest-all:1.3' compile 'org.owasp.esapi:esapi:2.1.0' @@ -750,7 +751,7 @@ task pullAllPluginsSource(group: ofbizPl doLast { delete "${pluginsDir}" } } task pullPluginsFromSvn(type: SvnCheckout, dependsOn: deleteBeforePulling) { - svnUrl = "https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk" + svnUrl = "http://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk" workspaceDir = "${pluginsDir}" } dependsOn pullPluginsFromSvn @@ -774,6 +775,14 @@ task pullAllPluginsSource(group: ofbizPl } } +task updateAllPluginsSource(group: ofbizPlugin, + description: 'Update all plugins from source control.') { + + task updatePluginsFromSvn(type: SvnUpdate) { + workspaceDir = "${pluginsDir}" + } +} + // ========== Clean up tasks ========== task cleanCatalina(group: cleanupGroup, description: 'Clean Catalina data in runtime/catalina/work') { doLast { delete "${rootDir}/runtime/catalina/work" } |
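Review bot: the pullPluginsFromSvn hunk in ofbiz-framework/trunk/build.gradle (@@ -750,7 +751,7) changes svnUrl from https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk to the http:// form, which is a regression that the log message does not explain: plugin source would then be checked out over plaintext, so anything on the path between the build host and svn.apache.org could alter the code that gets built into a release. Keep `svnUrl = "https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk"`, or record in the log why http is required.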
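Review bot: the new updateAllPluginsSource task in the last trunk hunk (@@ -774,6 +775,14) defines the nested task updatePluginsFromSvn but never wires it in, so running updateAllPluginsSource does nothing; compare pullAllPluginsSource in the preceding hunk, which follows its nested checkout task with `dependsOn pullPluginsFromSvn`. Add `dependsOn updatePluginsFromSvn` inside the new task's closure. This task (and the matching `import ...SvnUpdate` in @@ -17,6 +17,7) is also unrelated to the CVE-2017-5648 fix named in the log and should either be mentioned there or committed separately.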
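Review bot: the trunk dependencies hunk (@@ -125,14 +126,14) also bumps org.codehaus.groovy:groovy-all from 2.4.5 to 2.4.10, which the log message (Tomcat to 8.0.42 for CVE-2017-5648) does not mention and which is not applied to release16.11; note the Groovy upgrade in the log or commit it on its own so the security fix stays reviewable and backportable by itself. Unlike the release16.11 diff, the trunk diff shows no change to a tomcat-extras-juli-adapters runtime line, so it is worth confirming that trunk's build.gradle has no 8.0.39 Tomcat coordinate left behind.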
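Review bot: the release16.11 runtime hunk (@@ -159,7 +159,7) correctly keeps tomcat-extras-juli-adapters in step with the four compile coordinates in @@ -114,10 +114,10, but the Tomcat version is now spelled out five times in one file; declaring it once (for example `def tomcatVersion = '8.0.42'` and `compile "org.apache.tomcat:tomcat-catalina:${tomcatVersion}"`) would keep the next security bump from missing one of them.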