Re: Tomcat 9 returning 404 for audio files

2024-03-13 Thread Sam 
Thank you so much!

Finally issue is resolved.

Regards!

On Tue, Mar 12, 2024, 11:43 p.m. Anson Cheung 
wrote:

> ok,it's a problem caused by tomcat cache. You need to disable it. Please
> refer to
>
> https://serverfault.com/questions/40205/how-do-i-disable-tomcat-caching-im-having-weird-static-file-problems
>
> On Wed, Mar 13, 2024 at 3:46 AM Chuck Caldarale  wrote:
>
> >
> > > On Mar 12, 2024, at 13:15, Sam  wrote:
> > >
> > > As I said earlier, 404 error is only returned 1st time.
> > >
> > > Subsequent requests work fine.
> >
> >
> > What triggers the creation of the audio file? Is it possible that the
> > trigger creates a file-not-found state in the Tomcat resource cache, and
> > that’s what is returned the first time?
> >
> >   - Chuck
> >
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>

[SECURITY] CVE-2024-23672 Apache Tomcat - Denial of Service

2024-03-13 Thread Mark Thomas 

CVE-2024-23672 Apache Tomcat - Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M16
Apache Tomcat 10.1.0-M1 to 10.1.18
Apache Tomcat 9.0.0-M1 to 9.0.85
Apache Tomcat 8.5.0 to 8.5.98

Description:
It was possible for a WebSocket client to keep a WebSocket connection 
open leading to increased resource consumption.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M17 or later
- Upgrade to Apache Tomcat 10.1.19 or later
- Upgrade to Apache Tomcat 9.0.86 or later
- Upgrade to Apache Tomcat 8.5.99 or later

History:
2024-03-13 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

[SECURITY] CVE-2024-24549 Apache Tomcat - Denial of Service

2024-03-13 Thread Mark Thomas 

CVE-2024-24549 Apache Tomcat - Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M16
Apache Tomcat 10.1.0-M1 to 10.1.18
Apache Tomcat 9.0.0-M1 to 9.0.85
Apache Tomcat 8.5.0 to 8.5.98

Description:
When processing an HTTP/2 request, if the request exceeded any of the 
configured limits for headers, the associated HTTP/2 stream was not 
reset until after all of the headers had been processed.


Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 11.0.0-M17 or later
- Upgrade to Apache Tomcat 10.1.19 or later
- Upgrade to Apache Tomcat 9.0.86 or later
- Upgrade to Apache Tomcat 8.5.99 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team 
by Bartek Nowotarski (https://nowotarski.info/).


History:
2024-03-13 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

RE: When does Tomcat add and remove threads?

2024-03-13 Thread Harri Pesonen 
Yes the standard JDK ThreadPoolExecutor behavior is bad.
Here is a good thread describing how to fix ThreadPoolExecutor to behave how it 
should be.

https://stackoverflow.com/questions/19528304/how-to-get-the-threadpoolexecutor-to-increase-threads-to-max-before-queueing

Obviously Tomcat had to do similar thing.
I wish that JDK would add some kind of easy option to ThreadPoolExecutor to add 
more threads instead of adding to queue, when all existing threads are busy, 
because the current behavior does not make sense.

-Harri

-Original Message-
From: john.e.gr...@wellsfargo.com.INVALID  
Sent: tiistai 12. maaliskuuta 2024 18.54
To: users@tomcat.apache.org
Subject: RE: When does Tomcat add and remove threads?

[Et saa yleensä sähköpostia john.e.gr...@wellsfargo.com.invalid. Lisätietoja 
siitä, miksi tämä on tärkeää, on osoitteessa 
https://aka.ms/LearnAboutSenderIdentification ]

All,


> -Original Message-
> From: Christopher Schultz 
> Sent: Tuesday, March 12, 2024 8:31 AM
> To: users@tomcat.apache.org
> Subject: Re: When does Tomcat add and remove threads?
>
> John,
>
> On 3/11/24 18:14, john.e.gr...@wellsfargo.com.INVALID wrote:
> > From: Christopher Schultz 
> > Sent: Monday, March 11, 2024 5:09 PM
>  >
> >> On 3/11/24 17:47, john.e.gr...@wellsfargo.com.INVALID wrote:
> >>> I am using Tomcat 9.x.
> >>>
> >>> When does Tomcat add and remove threads from its internal thread 
> >>> pool?  I'm talking about the threads with names like 
> >>> http-nio-8080-exec-1.  It appears the thread pool is Tomcat's own 
> >>> ThreadPoolExecutor but I don't see the exact behavior documented.
> >>> I'm familiar with how java.util.concurrent does it, but it looks 
> >>> like Tomcat's version is a little different.
>  >>
> >> Are you looking for a technical explanation with code references, 
> >> or a plain-English description of when threads are created and 
> >> added? >
> > Mostly plain English like the j.u.c. ThreadPoolExecutor Java doc has.
> > What happens when all core threads are in use?  When do tasks go on 
> > the queue?  When does core thread + 1 get added?  When do threads 
> > get removed?
> Tomcat will create thread pools under two separate circumstances. They 
> are related, but behave somewhat differently.
>
> First, if you declare an  in your server.xml, then a thread 
> pool will be created. You can control the number of threads and their 
> retention policy such as "keep X spare threads around" and "retire 
> threads after N seconds without being used."
>
> Second, if you declare a  without specifying an "executor", 
> a thread pool will be configured for you but you don't really have 
> control over it because all those nice configuration options for an 
>  are not available on the . If you want to 
> control those settings, use a  linked with an . 
> To be clear, if you declare a  without an "executor" 
> attribute, your thread pool will be of a fixed size and threads will 
> never be released. (I think the thread pool starts small and grows but 
> will never shrink.)
>
> An  is implemented in the StandardThreadExecutor and 
> ThreadPoolExecutor classes, which I believe were adaptations of 
> classes from java.util.concurrent introduced into Tomcat before 
> java.util.concurrent was actually available -- which is why it wasn't 
> used directly in Tomcat. (NB: The ThreadPoolExecutor class in Tomcat 
> contains an "@author Doug Lea" tag. The Tomcat source is licensed 
> under AL2, the JDK source is licensed under GPL2, but the original was 
> released by Doug Lea into the public domain under a CC0
> 1.0 Deed license.)
>
> The re-sizing occurs in the ThreadPoolExecutor class if you'd like to 
> read it. It is not entirely straightforward. You could start by 
> reading the code for the runWorker(Worker w) method where, at the end, 
> processWorkerExit is called.
>
> But since Tomcat's ThreadPoolExecutor is basically Java's 
> ThreadPoolExecutor, they work the same.
>
> -chris
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org

I took matters in to my own hands and wrote a test to see what was happening.

Unlike java.util.concurrent.ThreadPoolExecutor, Tomcat's TPE adds threads when 
all core threads are busy.  It only adds tasks to the queue when max threads 
are busy.  I prefer this behavior to the JDK behavior.

Threads are removed when idle for 60 seconds.  This appears to be hard-coded in 
AbstreactEndpoint.createExecutor().

Thanks

B CB  [  
X  ܚX KK[XZ[
 \ \  ][  X  ܚX P X ]  \X K ܙ B  ܈Y][ۘ[  [X[  K[XZ[
 \ \  Z[ X ]  \X K ܙ B