Author: jleroux
Date: Mon Mar 25 17:53:01 2019
New Revision: 1856216
URL: http://svn.apache.org/viewvc?rev=1856216&view=rev
Log:
Fixed: Update Tomcat to 9.0.16 due to CVE-2019-0199 (OFBIZ-10873) The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. Actually it's from 8.5.37 to 8.5.38 in R16
Modified:
ofbiz/branches/release16.11/build.gradle
ofbiz/branches/release16.11/specialpurpose/example/build.gradle
Modified: ofbiz/branches/release16.11/build.gradle
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/build.gradle?rev=1856216&r1=1856215&r2=1856216&view=diff
==============================================================================
--- ofbiz/branches/release16.11/build.gradle (original)
+++ ofbiz/branches/release16.11/build.gradle Mon Mar 25 17:53:01 2019
@@ -123,10 +123,10 @@ dependencies {
 compile 'org.apache.shiro:shiro-core:1.3.0'
 compile 'org.apache.tika:tika-core:1.12'
 compile 'org.apache.tika:tika-parsers:1.12'
- compile 'org.apache.tomcat:tomcat-catalina-ha:8.5.37'
- compile 'org.apache.tomcat:tomcat-catalina:8.5.37'
- compile 'org.apache.tomcat:tomcat-jasper:8.5.37'
- compile 'org.apache.tomcat:tomcat-tribes:8.5.37'
+ compile 'org.apache.tomcat:tomcat-catalina-ha:8.5.38'
+ compile 'org.apache.tomcat:tomcat-catalina:8.5.38'
+ compile 'org.apache.tomcat:tomcat-jasper:8.5.38'
+ compile 'org.apache.tomcat:tomcat-tribes:8.5.38'
 compile 'org.apache.xmlgraphics:fop:2.1'
 compile 'org.apache.xmlrpc:xmlrpc-client:3.1.3'
 compile 'org.apache.xmlrpc:xmlrpc-server:3.1.3'
@@ -229,14 +229,14 @@ sourceSets {
 exclude excludedJavaSources
 exclude excludedConfigFiles
 // Below are necessary for unit tests run by Gradle and integration tests
- exclude { FileTreeElement elem -> elem.getName().contains('.properties') &&
- !elem.getName().contains('start.properties') &&
- !elem.getName().contains('load-data.properties') &&
+ exclude { FileTreeElement elem -> elem.getName().contains('.properties') &&
+ !elem.getName().contains('start.properties') &&
+ !elem.getName().contains('load-data.properties') &&
 !elem.getName().contains('debug.properties') &&
 !elem.getName().contains('cache.properties') &&
 !elem.getName().contains('test.properties') &&
 !elem.getName().contains('rmi.properties')}
- exclude { FileTreeElement elem -> elem.getName().contains('.xml') &&
+ exclude { FileTreeElement elem -> elem.getName().contains('.xml') &&
 !elem.getName().contains('entityengine.xml') }
 }
Modified: ofbiz/branches/release16.11/specialpurpose/example/build.gradle
URL: http://svn.apache.org/viewvc/ofbiz/branches/release16.11/specialpurpose/example/build.gradle?rev=1856216&r1=1856215&r2=1856216&view=diff
==============================================================================
--- ofbiz/branches/release16.11/specialpurpose/example/build.gradle (original)
+++ ofbiz/branches/release16.11/specialpurpose/example/build.gradle Mon Mar 25 17:53:01 2019
@@ -1,3 +1,3 @@
 dependencies {
- pluginLibsCompile 'org.apache.tomcat.embed:tomcat-embed-websocket:8.5.37'
+ pluginLibsCompile 'org.apache.tomcat.embed:tomcat-embed-websocket:8.5.38'
 }
\ No newline at end of file |