This is an automated email from the ASF dual-hosted git repository.

jleroux pushed a commit to branch release18.12
in repository https://gitbox.apache.org/repos/asf/ofbiz-framework.git


The following commit(s) were added to refs/heads/release18.12 by this push:
     new 40e8945  Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
40e8945 is described below

commit 40e89450aec4a937b193552b5b3a29c20873a43c
Author: Jacques Le Roux <jacques.le.r...@les7arts.com>
AuthorDate: Wed Jan 26 13:09:27 2022 +0100

    Fixed: Upgrade Tomcat from 9.0.54 to 9.0.58 (OFBIZ-12539)
    
    The fix for bug CVE-2020-9484 introduced a time of check, time of use
    vulnerability that allowed a local attacker to perform actions with the
    privileges of the user that the Tomcat process is using. This issue is only
    exploitable when Tomcat is configured to persist sessions using the FileStore.
---
 build.gradle | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/build.gradle b/build.gradle
index 77cb43c..55789a2 100644
--- a/build.gradle
+++ b/build.gradle
@@ -198,10 +198,10 @@ dependencies {
     compile 'org.apache.sshd:sshd-core:1.7.0'
     compile 'org.apache.tika:tika-core:1.28'
     compile 'org.apache.tika:tika-parsers:1.28'
-    compile 'org.apache.tomcat:tomcat-catalina-ha:9.0.54'
-    compile 'org.apache.tomcat:tomcat-catalina:9.0.54'
-    compile 'org.apache.tomcat:tomcat-jasper:9.0.54'
-    compile 'org.apache.tomcat:tomcat-tribes:9.0.54'
+    compile 'org.apache.tomcat:tomcat-catalina-ha:9.0.58'
+    compile 'org.apache.tomcat:tomcat-catalina:9.0.58'
+    compile 'org.apache.tomcat:tomcat-jasper:9.0.58'
+    compile 'org.apache.tomcat:tomcat-tribes:9.0.58'
     compile 'org.apache.xmlgraphics:fop:2.3'
     compile 'org.apache.xmlrpc:xmlrpc-client:3.1.3'
     compile 'org.apache.xmlrpc:xmlrpc-server:3.1.3'
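
Review bot: The version 9.0.58 is repeated as a string literal on all four org.apache.tomcat lines (tomcat-catalina-ha, tomcat-catalina, tomcat-jasper, tomcat-tribes), so a later bump that misses one of them would leave mixed Tomcat versions on the classpath. Consider defining the Tomcat version once in build.gradle and interpolating it into the four coordinates, so a security upgrade like this one becomes a one-line change. Separately, the commit message names only CVE-2020-9484, which is the earlier fix, and not the identifier of the time of check, time of use issue this upgrade addresses; adding that identifier to the message would make the commit easier to find when auditing which releases carry the fix.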
