Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: Trunk
    • Fix Version/s: 14.12.01, 13.07.03, 16.11.01
    • Component/s: framework
    • Labels: None
    • Sprint: Bug Crush Event - 21/2/2015

Description

Though disputed, CVE-2013-2185 indicates a possible vulnerability with jasper.jar. Better safe than sorry: I will backport to all concerned branches (R14 and R13).

Activity

jacques.le.roux Jacques Le Roux added a comment -

MD5 checked, committed in
    • trunk r1717760
    • R14.12 r1717761
    • R13.07 r1717762
jacques.le.roux Jacques Le Roux added a comment -

While checking with "OWASP Dependency Check" it reported 3 possible vulnerabilities with using Tomcat 7.0.65. Actually none of CVE-2009-2696, CVE-2007-5461 and CVE-2002-0493 concern our usage of Tomcat. So we were safe from them with Tomcat 7.0.64 and are safe with Tomcat 7.0.65. I even believe Tomcat 7.0.64 was safe from CVE-2013-2185, but as I said this is disputed and not clear, so I preferred updating. See my message in the dev ML about upgrading to Tomcat 8: http://markmail.org/message/tgdzfcpjhkcmig7d
jacques.le.roux Jacques Le Roux added a comment -

Actually, working with "OWASP Dependency Check" on OFBiz to identify and possibly fix dependency vulnerabilities is very tedious (you need to check issues one by one, put the possible suppress information in the suppression file, run the check again, etc.). It appears, I guess because it's disputed by the Tomcat team [1], that CVE-2013-2185 is also not fixed in Tomcat 7.0.65, and I guess will not be either in Tomcat 8 or 9.

[1] <<The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.>>
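The suppression-file workflow described in the comment above, shown as an added example (this is not the OFBiz project's own suppression file and is not part of the original issue). It records the three Tomcat findings the comment judged not to apply to OFBiz's usage, one reviewed finding per entry. The schema version (1.3), the `packageUrl` matching pattern and the Maven coordinates are assumptions; the CVE numbers and the Tomcat version come from the comment. Pinning the version in the match pattern is deliberate: after the next Tomcat upgrade the suppression stops matching and the findings have to be re-reviewed instead of staying silently suppressed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example suppression file for OWASP Dependency Check (assumed schema 1.3);
     not the OFBiz project's own file. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.3.xsd">

    <!-- Each suppress element covers one review decision. The notes say WHY the
         finding does not apply, so the decision can be audited later. -->
    <suppress>
        <notes><![CDATA[
        Reviewed during the Tomcat 7.0.65 upgrade (see comment in this issue):
        CVE-2009-2696, CVE-2007-5461 and CVE-2002-0493 do not concern how OFBiz
        uses Tomcat. Re-evaluate on the next Tomcat upgrade.
        ]]></notes>
        <!-- Assumed pattern: match only the Tomcat 7.0.65 artifacts. The pinned
             version makes the suppression expire automatically on upgrade. -->
        <packageUrl regex="true">^pkg:maven/org\.apache\.tomcat/.*@7\.0\.65$</packageUrl>
        <cve>CVE-2009-2696</cve>
        <cve>CVE-2007-5461</cve>
        <cve>CVE-2002-0493</cve>
    </suppress>

    <!-- Disputed finding left UNsuppressed on purpose: CVE-2013-2185 is still
         reported, so it stays visible in every run until the upgrade path
         (Tomcat 8/9, as discussed on the dev ML) removes it. -->

</suppressions>
```

The file is passed to Dependency Check with its `--suppression` option (command-line) or the equivalent `suppressionFile` setting of the Maven, Gradle or Ant task; the check is then run again and only the findings without a matching entry remain in the report.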
jacques.le.roux Jacques Le Roux added a comment -

I fixed some filenames and trunk .classpath files in
    • trunk r1732570
    • R15.12 r1732573
    • R14.12 r1732571
    • R13.07 r1732572
No functional changes.

People

    • Assignee: jacques.le.roux Jacques Le Roux
    • Reporter: jacques.le.roux Jacques Le Roux
    • Votes: 0
    • Watchers: 1