> Update Tomcat to 8.0.42 because of CVE-2017-5648
> ------------------------------------------------
>
> Key: OFBIZ-9313
> URL:
https://issues.apache.org/jira/browse/OFBIZ-9313> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: Trunk, Release Branch 16.11
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Trivial
> Labels: cve
> Fix For: Upcoming Release, 16.11.02
>
>
> Quoting a message from
[hidden email]
> {quote}
> VE-2017-5648 Apache Tomcat Information Disclosure
> Severity: Low
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0.M17
> Apache Tomcat 8.5.0 to 8.5.11
> Apache Tomcat 8.0.0.RC1 to 8.0.41
> Apache Tomcat 7.0.0 to 7.0.75
> Apache Tomcat 6.0.x is not affected
> Description
> While investigating bug 60718, it was noticed that some calls to
> application listeners did not use the appropriate facade object. When
> running an untrusted application under a SecurityManager, it was
> therefore possible for that untrusted application to retain a reference
> to the request or response object and thereby access and/or modify
> information associated with another web application.
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.0.M18 or later
> - Upgrade to Apache Tomcat 8.5.12 or later
> - Upgrade to Apache Tomcat 8.0.42 or later
> - Upgrade to Apache Tomcat 7.0.76 or later
> Credit:
> This issue was identified by the Tomcat security team.
> History:
> 2017-04-10 Original advisory
> References:
> [1]
https://bz.apache.org/bugzilla/show_bug.cgi?id=60718> [2]
http://tomcat.apache.org/security-9.html> [3]
http://tomcat.apache.org/security-8.html> [4]
http://tomcat.apache.org/security-7.html> {quote}
> It's a low security issue so I'll not backport on no longer or not released branches
> All tests pass and UI seems OK.
Locked
