-
Suggestion
-
Resolution: Duplicate
-
19
-
4
-
-
There are new vulnerabilities reported by apache:
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E
It is recommended to update tomcat at least to version 8.5.32.
Workaround
- Update Tomcat to 8.5.32 following this guide: https://confluence.atlassian.com/jirakb/how-to-upgrade-apache-tomcat-version-in-jira-7-x-879957866.html
- Add relaxedChars property to your server.xml as in here https://confluence.atlassian.com/display/JIRAKB/Changing+server.xml+to+handle+requests+with+special+characters
- has a regression in
-
JRASERVER-67974 JQL search panel is missing when viewing saved filter due to missing Tomcat parameters
-
- Closed
-
[JRASERVER-67695] Upgrade to Tomcat 8.5.32 necessary
New CVE as of 10/4/2018.
CVE-2018-11784++++
Products & Version Affected:++++
Apache Tomcat 9.0.0.M1 to 9.0.11++++
Apache Tomcat 8.5.0 to 8.5.33++++
Apache Tomcat 7.0.23 to 7.0.90++++
Patch Number(s):++++
Apache Tomcat 9.0.12 or later++++
Apache Tomcat 8.5.34 or later++++
Apache Tomcat 7.0.91 or later
The last info that I had was that Jira is not supported using a non-bundled Tomcat. That would mean, should we follow the "Workaround", we would create a Jira-system that is not officially supported. Our customers are obviously not going to be happy with a workaround from the developer that essentially voids any support contract they might have. Are they any plans to create a new version with a patched Tomcat?
Please don't install 7.2.12.
Follow https://jira.atlassian.com/browse/JRASERVER-67974 if already did.
Tried 7.12..2 but got problem with health check that always report an application link problem. Th log analyzer never starts, just sit at 0%, waited 15 minutes and then rolled back to 7.12.1, which works fine.
Why is it closed as duplicate without any link to the duplicated issue? Does the 7.12.2 installer includes Tomcat 8.5.32? 7.12.2 Release Note does not show any fixed issues..
Thanks for clarifications..
Given that _https://jira.atlassian.com/browse/JRASERVER-67678_ is private, can you please update where this is to be fixed?
p.avens1658105765
The browser and server war is still going on: https://bz.apache.org/bugzilla/show_bug.cgi?id=62273.
The quick fix for problems you encountered is adding relaxedQueryChars="[]|{}\" to Connector in server.xml, as favourite filter query is using '[' and ']' in rest call which isn't escaped by browser.
We are still conducting testing to see if tomcat upgrade won't break anything more, so I recommend to wait a little more.
In around week I will update.
Do you have support ticket for it?
Sure I have - GHS-125241
-----------------------------------------------------------
Andy Nguyen 28/Aug/18 9:49 AM
Good day Pavels,
The only update we have for you today is, the bug ticket has been assigned:
_https://jira.atlassian.com/browse/JRASERVER-67678_
Take note that it's still private and you have no access. However, it's being worked on by the same developer that worked on this earlier (you have access):
_https://jira.atlassian.com/browse/JRASERVER-64394_
Currently it's in progress, nevertheless it may take some time so that we can be sure there's no compatibility problem in the code.
Would you prefer us to keep this ticket frozen for the time being?
Kind regards,
Andy
-----------------------------------------------------------
Are you using JIRA version with 8.5.29 tomcat or older?
Currently we use Jira 7.11.1 with the bundled Tomcat version 8.5.29
EDIT: My bad - ignore it.