Update bundled Apache Tomcat due to security vulnerabilities


* Apache has released the Apache Software Foundation Releases Security Updates: * [https://www.us-cert.gov/ncas/current-activity/2017/04/12/Apache-Software-Foundation-Releases-Security-Updates] There are a few vulnerabilities reported: # CVE-2017-5648 - [http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/%3C8a78e8fe-616e-1959-3c0e-26704fc72766@apache.org%3E] # CVE-2017-5650 - [http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/%3C6d8077ef-1bcb-d07b-0bd0-f70ab0043faf@apache.org%3E] # CVE-2017-5651 - [http://mail-archives.us.apache.org/mod_mbox/www-announce/201704.mbox/%3C63a584ba-4db7-85d3-0206-c1164b9d26c6@apache.org%3E] # CVE-2016-6817 - [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6817] # CVE-2016-6816 - [http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816] For CVE-2017-5650 and CVE-2017-5651, the Severity is Important and: {quote}Versions Affected: * *Apache Tomcat 9.0.0.M1 to 9.0.0.M18* * *Apache Tomcat 8.5.0 to 8.5.12* * Apache Tomcat 8.0.x and earlier are not affected{quote} {quote}Users of the affected versions should apply one of the following mitigations: * *Upgrade to Apache Tomcat 9.0.0.M19 or later* * *Upgrade to Apache Tomcat 8.5.13 or later*{quote} (+) Moving forward, fix versions of JIRA should be bundled with Tomcat 8.5.13/9.0.0.M19 or above. h5. Workaround If Tomcat is to be manually upgraded, please refer to [How to upgrade Apache Tomcat version in JIRA 7.x|https://confluence.atlassian.com/display/JIRAKB/How+to+upgrade+Apache+Tomcat+version+in+JIRA+7.x]. Currently Tomcat 8.5.13 and 8.5.14 are available. (!) Manually upgrading Tomcat is not recommended or supported.

Affected Software

CPE Name Name Version
jira server and data center 7.3.0
jira server and data center 7.6.9
jira server and data center 7.11.0
jira server and data center 7.3.4