svn commit: r1790943 - in /ofbiz: branches/release16.11/build.gradle ofbiz-framework/trunk/build.gradle

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

svn commit: r1790943 - in /ofbiz: branches/release16.11/build.gradle ofbiz-framework/trunk/build.gradle

jleroux@apache.org
Author: jleroux
Date: Tue Apr 11 09:18:32 2017
New Revision: 1790943

URL: http://svn.apache.org/viewvc?rev=1790943&view=rev
Log:
Fixed: Update Tomcat to 8.0.42 because of CVE-2017-5648
(OFBIZ-9313)

Quoting a message from [hidden email]

================================================================================
VE-2017-5648 Apache Tomcat Information Disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M17
Apache Tomcat 8.5.0 to 8.5.11
Apache Tomcat 8.0.0.RC1 to 8.0.41
Apache Tomcat 7.0.0 to 7.0.75
Apache Tomcat 6.0.x is not affected

Description
While investigating bug 60718, it was noticed that some calls to
application listeners did not use the appropriate facade object. When
running an untrusted application under a SecurityManager, it was
therefore possible for that untrusted application to retain a reference
to the request or response object and thereby access and/or modify
information associated with another web application.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M18 or later
- Upgrade to Apache Tomcat 8.5.12 or later
- Upgrade to Apache Tomcat 8.0.42 or later
- Upgrade to Apache Tomcat 7.0.76 or later

Credit:
This issue was identified by the Tomcat security team.

History:
2017-04-10 Original advisory

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
================================================================================

It's a low security issue so I'll not backport on no longer or not released
branches

All tests pass and UI seems OK.

Modified:
    ofbiz/branches/release16.11/build.gradle
    ofbiz/ofbiz-framework/trunk/build.gradle

Modified: ofbiz/branches/release16.11/build.gradle
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/build.gradle?rev=1790943&r1=1790942&r2=1790943&view=diff
==============================================================================
--- ofbiz/branches/release16.11/build.gradle (original)
+++ ofbiz/branches/release16.11/build.gradle Tue Apr 11 09:18:32 2017
@@ -114,10 +114,10 @@ dependencies {
     compile 'org.apache.shiro:shiro-core:1.3.0'
     compile 'org.apache.tika:tika-core:1.12'
     compile 'org.apache.tika:tika-parsers:1.12'
-    compile 'org.apache.tomcat:tomcat-catalina-ha:8.0.39'
-    compile 'org.apache.tomcat:tomcat-catalina:8.0.39'
-    compile 'org.apache.tomcat:tomcat-jasper:8.0.39'
-    compile 'org.apache.tomcat:tomcat-tribes:8.0.39'
+    compile 'org.apache.tomcat:tomcat-catalina-ha:8.0.42'
+    compile 'org.apache.tomcat:tomcat-catalina:8.0.42'
+    compile 'org.apache.tomcat:tomcat-jasper:8.0.42'
+    compile 'org.apache.tomcat:tomcat-tribes:8.0.42'
     compile 'org.apache.xmlgraphics:fop:2.1'
     compile 'org.apache.xmlrpc:xmlrpc-client:3.1.2'
     compile 'org.apache.xmlrpc:xmlrpc-server:3.1.2'
@@ -159,7 +159,7 @@ dependencies {
     runtime 'org.apache.axis2:axis2-adb:1.7.1'
     runtime 'org.apache.httpcomponents:httpcore:4.4.1'
     runtime 'org.apache.servicemix.bundles:org.apache.servicemix.bundles.xpp3:1.1.4c_7'
-    runtime 'org.apache.tomcat.extras:tomcat-extras-juli-adapters:8.0.39'
+    runtime 'org.apache.tomcat.extras:tomcat-extras-juli-adapters:8.0.42'
     runtime 'org.apache.xalan:com.springsource.org.apache.xml.serializer:2.7.1'
     runtime 'ws-commons-java5:ws-commons-java5:1.0.1'
 

Modified: ofbiz/ofbiz-framework/trunk/build.gradle
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/build.gradle?rev=1790943&r1=1790942&r2=1790943&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/build.gradle (original)
+++ ofbiz/ofbiz-framework/trunk/build.gradle Tue Apr 11 09:18:32 2017
@@ -17,6 +17,7 @@
  * under the License.
  */
 import at.bxm.gradleplugins.svntools.tasks.SvnCheckout
+import at.bxm.gradleplugins.svntools.tasks.SvnUpdate
 import org.apache.tools.ant.filters.ReplaceTokens
 
 /* ========================================================
@@ -125,14 +126,14 @@ dependencies {
     compile 'org.apache.shiro:shiro-core:1.3.0'
     compile 'org.apache.tika:tika-core:1.12'
     compile 'org.apache.tika:tika-parsers:1.12'
-    compile 'org.apache.tomcat:tomcat-catalina-ha:8.0.39'
-    compile 'org.apache.tomcat:tomcat-catalina:8.0.39'
-    compile 'org.apache.tomcat:tomcat-jasper:8.0.39'
-    compile 'org.apache.tomcat:tomcat-tribes:8.0.39'
+    compile 'org.apache.tomcat:tomcat-catalina-ha:8.0.42'
+    compile 'org.apache.tomcat:tomcat-catalina:8.0.42'
+    compile 'org.apache.tomcat:tomcat-jasper:8.0.42'
+    compile 'org.apache.tomcat:tomcat-tribes:8.0.42'
     compile 'org.apache.xmlgraphics:fop:2.1'
     compile 'org.apache.xmlrpc:xmlrpc-client:3.1.2'
     compile 'org.apache.xmlrpc:xmlrpc-server:3.1.2'
-    compile 'org.codehaus.groovy:groovy-all:2.4.5'
+    compile 'org.codehaus.groovy:groovy-all:2.4.10'
     compile 'org.freemarker:freemarker:2.3.25-incubating' // Remember to change the version number in FreeMarkerWorker class when upgrading
     compile 'org.hamcrest:hamcrest-all:1.3'
     compile 'org.owasp.esapi:esapi:2.1.0'
@@ -750,7 +751,7 @@ task pullAllPluginsSource(group: ofbizPl
         doLast { delete "${pluginsDir}" }
     }
     task pullPluginsFromSvn(type: SvnCheckout, dependsOn: deleteBeforePulling) {
-        svnUrl = "https://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk"
+        svnUrl = "http://svn.apache.org/repos/asf/ofbiz/ofbiz-plugins/trunk"
         workspaceDir = "${pluginsDir}"
     }
     dependsOn pullPluginsFromSvn
@@ -774,6 +775,14 @@ task pullAllPluginsSource(group: ofbizPl
     }
 }
 
+task updateAllPluginsSource(group: ofbizPlugin,
+        description: 'Update all plugins from source control.') {
+
+    task updatePluginsFromSvn(type: SvnUpdate) {
+        workspaceDir = "${pluginsDir}"
+    }
+}
+
 // ========== Clean up tasks ==========
 task cleanCatalina(group: cleanupGroup, description: 'Clean Catalina data in runtime/catalina/work') {
     doLast { delete "${rootDir}/runtime/catalina/work" }