Could TomEE 7.0.5

Alex The Rocker
Hello,

While checking latest TomEE 7.0.5, I noticed that it's based on Tomcat 8.5.21.

I recently received the following CVE alert, which impacts Tomcat 8.5.x
up to Tomcat 8.5.22:

[SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

I see that it is fixed in Tomcat 8.5.23:
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.23

Would it be possible to upgrade the TomEE 7.0.5 snapshot dependency to
Tomcat 8.5.23?

Best regards,
Alexandre
Re: Could TomEE 7.0.5

jgallimore
Pushed it earlier, deploying snapshots now:
https://github.com/apache/tomee/commit/bdd41eb48076b370c07aaaa386c801049b17fca2

:-)

Cheers

Jon

On Tue, Oct 10, 2017 at 5:56 PM, Alex The Rocker <[hidden email]> wrote:

> Hello,
>
> While checking latest TomEE 7.0.5, I noticed that it's based on Tomcat
> 8.5.21.
>
> I recently received the following CVE alert, which impacts Tomcat 8.5.x
> up to Tomcat 8.5.22:
>
> [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP
> upload
>
> I see that it is fixed in Tomcat 8.5.23:
> https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.23
>
> Would it be possible to upgrade the TomEE 7.0.5 snapshot dependency to
> Tomcat 8.5.23?
>
> Best regards,
> Alexandre
>
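As an added example (not code from this thread or from the TomEE project), the following Python reads the Tomcat version out of the ServerInfo.properties file that Tomcat ships inside lib/catalina.jar and checks it against the 8.5.23 fix named above, so an operator can verify which Tomcat a TomEE bundle actually carries; the jar built in build_fake_catalina_jar is a constructed stand-in for offline use.

```python
import io
import os
import re
import zipfile

# Range stated in the thread: Tomcat 8.5.x up to 8.5.22 is affected by
# CVE-2017-12617, 8.5.23 carries the fix. Other Tomcat branches are not
# covered here; see the Tomcat security page linked in the thread.
FIXED_IN = (8, 5, 23)

# Properties file Tomcat packages inside lib/catalina.jar; it holds
# "server.number=<major>.<minor>.<patch>.<build>".
SERVER_INFO = "org/apache/catalina/util/ServerInfo.properties"


def tomcat_version_from_jar(jar_bytes):
    """Return (major, minor, patch) parsed from catalina.jar's ServerInfo.properties."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        props = jar.read(SERVER_INFO).decode("utf-8")
    m = re.search(r"^server\.number=(\d+)\.(\d+)\.(\d+)", props, re.MULTILINE)
    if not m:
        raise ValueError("server.number not found in " + SERVER_INFO)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True for an 8.5.x release older than 8.5.23 (the range the thread names)."""
    major, minor, _patch = version
    return (major, minor) == (8, 5) and version < FIXED_IN


def check_catalina_home(catalina_home):
    """Inspect a real install: returns (version, affected) for $CATALINA_HOME/lib/catalina.jar."""
    with open(os.path.join(catalina_home, "lib", "catalina.jar"), "rb") as fh:
        version = tomcat_version_from_jar(fh.read())
    return version, is_affected(version)


def build_fake_catalina_jar(server_number):
    """Constructed sample jar (not a real Tomcat artifact) mirroring the real layout."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SERVER_INFO, "server.info=Apache Tomcat/%s\nserver.number=%s.0\n"
                     % (server_number, server_number))
    return buf.getvalue()


if __name__ == "__main__":
    for number in ("8.5.21", "8.5.23"):
        v = tomcat_version_from_jar(build_fake_catalina_jar(number))
        print(number, "affected" if is_affected(v) else "fixed")
```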