Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(project): fixes Tomcat to 9.0.35 due to CVE-2020-9484 #4734

Merged
merged 1 commit into from
Jun 15, 2020
Merged

fix(project): fixes Tomcat to 9.0.35 due to CVE-2020-9484 #4734

merged 1 commit into from
Jun 15, 2020

Conversation

npepinpe
Copy link
Member

@npepinpe npepinpe commented Jun 15, 2020
edited

Description

This PR fixes the previously not fixed Tomcat version to 9.0.35 (was previous resolved to 9.0.30), due to a security vulnerability in 9.0.30. This does not affect any production versions at the moment.

Related issues

closes #4733

Pull Request Checklist

  • All commit messages match our commit message guidelines
  • The submitting code follows our code style
  • If submitting code, please run mvn clean install -DskipTests locally before committing

@npepinpe npepinpe self-assigned this Jun 15, 2020
MiguelPires
MiguelPires suggested changes Jun 15, 2020
View reviewed changes
parent/pom.xml Outdated
@@ -85,6 +85,7 @@
<version.restassert>4.3.0</version.restassert>
<version.spring-framework>5.2.7.RELEASE</version.spring-framework>
<version.spring-boot>2.3.1.RELEASE</version.spring-boot>
<version.tomcat>9.0.31</version.tomcat>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From the posted CVE, the affected versions span from 9.0.0 (including) to 9.0.35 (excluding). Did you mean to pin this to 9.0.35?

Copy link
Member Author

@npepinpe npepinpe Jun 15, 2020
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, I took it from the second CVE they link to where it says fixed in 9.0.31 :s good catch!

@npepinpe npepinpe changed the title fix(project): fixes Tomcat to 9.0.31 due to CVE-2020-9484 fix(project): fixes Tomcat to 9.0.35 due to CVE-2020-9484 Jun 15, 2020
MiguelPires
MiguelPires approved these changes Jun 15, 2020
View reviewed changes
Copy link
Contributor

@MiguelPires MiguelPires left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

bors r+

@zeebe-bors
Copy link
Contributor

zeebe-bors bot commented Jun 15, 2020

Build succeeded

@zeebe-bors zeebe-bors bot merged commit c16d5c5 into develop Jun 15, 2020
@zeebe-bors zeebe-bors bot deleted the 4733-tomcat-cve branch June 15, 2020 14:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@MiguelPires MiguelPires MiguelPires approved these changes

Assignees

@npepinpe npepinpe

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

CVE introduced by the inclusion of Tomcat
3 participants
@npepinpe @MiguelPires @csuermann