Re: Tomcat upgrade from 9.0.80 to 9.0.81
Thank you. That is what I was about to ask :). I was using the dev release of 9.0.82. Our QA is testing our application with Tomcat 9.0.82. So far it looks good.

Regards,
Zdenek Henek

On Thu, Oct 12, 2023 at 9:08 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

> All,
>
> On 10/11/23 08:06, i...@flyingfischer.ch wrote:
> >
> > On 11.10.23 at 14:02, Alexander Veit wrote:
> >>> Caused by: org.apache.http.ConnectionClosedException: Premature end of Content-Length delimited message body (expected: 4,999; received: 3,040)
> >>>     at org.apache.http.impl.io.ContentLengthInputStream.read(ContentLengthInputStream.java:178)
> >>>     at io.restassured.internal.util.IOUtils.toByteArray(IOUtils.java:30)
> >>>     at io.restassured.internal.http.GZIPEncoding$GZIPDecompressingEntity.getContent(GZIPEncoding.java:69)
> >>>     at org.apache.http.conn.BasicManagedEntity.getContent(BasicManagedEntity.java:85)
> >>>     at io.restassured.internal.http.HTTPBuilder.parseResponse(HTTPBuilder.java:546)
> >>>     at io.restassured.internal.RequestSpecificationImpl$RestAssuredHttpBuilder.super$2$parseResponse(RequestSpecificationImpl.groovy)
> >>>     at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
> >>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> >>>     at java.lang.reflect.Method.invoke(Method.java:498)
> >>>     at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107)
> >>>     at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323)
> >>>     at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1268)
> >>>     at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:144)
> >>>
> >>> Has anyone seen this? I will keep everyone posted after debugging more.
> >>
> >> We have experienced the same problem with Tomcat 8.5.94.
> >>
> >> -
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> > Seems to be reported multiple times as this is a blocking bug for upgrading to the last Tomcat version:
> >
> > https://bz.apache.org/bugzilla/show_bug.cgi?id=67670
>
> We understand that it is blocking, but if you're using h2, especially exposed directly to the internet, you should upgrade to the broken release and use Konstantin's recommended workarounds.
>
> Both the h2 Rapid Reset and HTTP Trailer / possible request smuggling CVEs are both very important.
>
> We apologize for the regressions. Release votes appear to be going well; we will have a new set of releases for everyone very shortly.
>
> Although they are not "official" releases, you are welcome to deploy the release-candidates themselves. Assuming they are voted stable, they will be identical to the upcoming "official" releases.
>
> See the dev@ list [VOTE] emails for where to get those release-candidate artifacts.
>
> -chris
Re: Tomcat upgrade from 9.0.80 to 9.0.81
All,

On 10/11/23 08:06, i...@flyingfischer.ch wrote:
>
> On 11.10.23 at 14:02, Alexander Veit wrote:
>>> Caused by: org.apache.http.ConnectionClosedException: Premature end of Content-Length delimited message body (expected: 4,999; received: 3,040)
>>>     at org.apache.http.impl.io.ContentLengthInputStream.read(ContentLengthInputStream.java:178)
>>>     at io.restassured.internal.util.IOUtils.toByteArray(IOUtils.java:30)
>>>     at io.restassured.internal.http.GZIPEncoding$GZIPDecompressingEntity.getContent(GZIPEncoding.java:69)
>>>     at org.apache.http.conn.BasicManagedEntity.getContent(BasicManagedEntity.java:85)
>>>     at io.restassured.internal.http.HTTPBuilder.parseResponse(HTTPBuilder.java:546)
>>>     at io.restassured.internal.RequestSpecificationImpl$RestAssuredHttpBuilder.super$2$parseResponse(RequestSpecificationImpl.groovy)
>>>     at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
>>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>>     at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107)
>>>     at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323)
>>>     at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1268)
>>>     at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:144)
>>>
>>> Has anyone seen this? I will keep everyone posted after debugging more.
>>
>> We have experienced the same problem with Tomcat 8.5.94.
>
> Seems to be reported multiple times as this is a blocking bug for upgrading to the last Tomcat version:
>
> https://bz.apache.org/bugzilla/show_bug.cgi?id=67670

We understand that it is blocking, but if you're using h2, especially exposed directly to the internet, you should upgrade to the broken release and use Konstantin's recommended workarounds.

Both the h2 Rapid Reset and HTTP Trailer / possible request smuggling CVEs are both very important.

We apologize for the regressions. Release votes appear to be going well; we will have a new set of releases for everyone very shortly.

Although they are not "official" releases, you are welcome to deploy the release-candidates themselves. Assuming they are voted stable, they will be identical to the upcoming "official" releases.

See the dev@ list [VOTE] emails for where to get those release-candidate artifacts.

-chris
Re: Tomcat upgrade from 9.0.80 to 9.0.81
On 11.10.23 at 14:02, Alexander Veit wrote:
>> Caused by: org.apache.http.ConnectionClosedException: Premature end of Content-Length delimited message body (expected: 4,999; received: 3,040)
>>     at org.apache.http.impl.io.ContentLengthInputStream.read(ContentLengthInputStream.java:178)
>>     at io.restassured.internal.util.IOUtils.toByteArray(IOUtils.java:30)
>>     at io.restassured.internal.http.GZIPEncoding$GZIPDecompressingEntity.getContent(GZIPEncoding.java:69)
>>     at org.apache.http.conn.BasicManagedEntity.getContent(BasicManagedEntity.java:85)
>>     at io.restassured.internal.http.HTTPBuilder.parseResponse(HTTPBuilder.java:546)
>>     at io.restassured.internal.RequestSpecificationImpl$RestAssuredHttpBuilder.super$2$parseResponse(RequestSpecificationImpl.groovy)
>>     at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>>     at java.lang.reflect.Method.invoke(Method.java:498)
>>     at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107)
>>     at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323)
>>     at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1268)
>>     at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:144)
>>
>> Has anyone seen this? I will keep everyone posted after debugging more.
>
> We have experienced the same problem with Tomcat 8.5.94.

Seems to be reported multiple times as this is a blocking bug for upgrading to the last Tomcat version:

https://bz.apache.org/bugzilla/show_bug.cgi?id=67670

Markus
Re: Tomcat upgrade from 9.0.80 to 9.0.81
> Caused by: org.apache.http.ConnectionClosedException: Premature end of Content-Length delimited message body (expected: 4,999; received: 3,040)
>     at org.apache.http.impl.io.ContentLengthInputStream.read(ContentLengthInputStream.java:178)
>     at io.restassured.internal.util.IOUtils.toByteArray(IOUtils.java:30)
>     at io.restassured.internal.http.GZIPEncoding$GZIPDecompressingEntity.getContent(GZIPEncoding.java:69)
>     at org.apache.http.conn.BasicManagedEntity.getContent(BasicManagedEntity.java:85)
>     at io.restassured.internal.http.HTTPBuilder.parseResponse(HTTPBuilder.java:546)
>     at io.restassured.internal.RequestSpecificationImpl$RestAssuredHttpBuilder.super$2$parseResponse(RequestSpecificationImpl.groovy)
>     at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107)
>     at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323)
>     at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1268)
>     at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:144)
>
> Has anyone seen this? I will keep everyone posted after debugging more.

We have experienced the same problem with Tomcat 8.5.94.
Re: [External] Re: Tomcat upgrade from 9.0.80 to 9.0.81
from mobile (sorry for typos ;)

On Wed, Oct 11, 2023, 09:05 Amit Pande wrote:

> Thank you so much for inputs.
>
> "If one could help with testing release candidates, it would help."
>
> >> I was thinking about this. Is there a channel/process that we can subscribe to get the RC candidate updates? If we get to know about a RC build, we can perform (black box) testing and communicate the results (Details in case of failures).

Please subscribe to the dev@ list
Vote (with links to release candidates) announced at dev@ list :)

> Thanks,
> Amit
>
> -----Original Message-----
> From: Konstantin Kolinko
> Sent: Tuesday, October 10, 2023 7:11 PM
> To: Tomcat Users List
> Subject: Re: [External] Re: Tomcat upgrade from 9.0.80 to 9.0.81
>
> CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. If you believe this is a phishing email, use the Report to Cybersecurity icon in Outlook.
>
> Wed, 11 Oct 2023 at 02:31, Amit Pande:
> >
> > Thank you Konstantin for the quick update!
> >
> > Since this release contained multiple security fixes, it's important to upgrade. However, there seem to be regressions too.
> >
> > What is the way forward here? Follow up version coming sooner? Or a version with just security fixes and all other changes can go in subsequent release?
>
> There are workarounds for these regressions:
>
> - Regarding this specific issue: I would just disable the compression.
>
> - Regarding the jdbc-pool issue: it is possible to use tomcat-jdbc.jar from a previous release. (Either unzipping a release, or pulling the specific jar from Maven Central).
>
> Release managers were at a conference, maybe are travelling, and voting for a new release usually takes 3 days.
>
> The vote was unusually shortened due to one of the issues going public and I guess that it might be widely discussed and (ab)used.
>
> I still do not know how this will be handled, but it may take a few days.
>
> Watch for "VOTE" threads on the dev mailing list. If one could help with testing release candidates, it would help.
>
> Best regards,
> Konstantin Kolinko
RE: [External] Re: Tomcat upgrade from 9.0.80 to 9.0.81
Thank you so much for inputs.

"If one could help with testing release candidates, it would help."

>> I was thinking about this. Is there a channel/process that we can subscribe to get the RC candidate updates? If we get to know about a RC build, we can perform (black box) testing and communicate the results (Details in case of failures).

Thanks,
Amit

-----Original Message-----
From: Konstantin Kolinko
Sent: Tuesday, October 10, 2023 7:11 PM
To: Tomcat Users List
Subject: Re: [External] Re: Tomcat upgrade from 9.0.80 to 9.0.81

Wed, 11 Oct 2023 at 02:31, Amit Pande:
>
> Thank you Konstantin for the quick update!
>
> Since this release contained multiple security fixes, it's important to upgrade. However, there seem to be regressions too.
>
> What is the way forward here? Follow up version coming sooner? Or a version with just security fixes and all other changes can go in subsequent release?

There are workarounds for these regressions:

- Regarding this specific issue: I would just disable the compression.

- Regarding the jdbc-pool issue: it is possible to use tomcat-jdbc.jar from a previous release. (Either unzipping a release, or pulling the specific jar from Maven Central).

Release managers were at a conference, maybe are travelling, and voting for a new release usually takes 3 days.

The vote was unusually shortened due to one of the issues going public and I guess that it might be widely discussed and (ab)used.

I still do not know how this will be handled, but it may take a few days.

Watch for "VOTE" threads on the dev mailing list. If one could help with testing release candidates, it would help.

Best regards,
Konstantin Kolinko
Re: [External] Re: Tomcat upgrade from 9.0.80 to 9.0.81
Wed, 11 Oct 2023 at 02:31, Amit Pande:
>
> Thank you Konstantin for the quick update!
>
> Since this release contained multiple security fixes, it's important to upgrade. However, there seem to be regressions too.
>
> What is the way forward here? Follow up version coming sooner? Or a version with just security fixes and all other changes can go in subsequent release?

There are workarounds for these regressions:

- Regarding this specific issue: I would just disable the compression.

- Regarding the jdbc-pool issue: it is possible to use tomcat-jdbc.jar from a previous release. (Either unzipping a release, or pulling the specific jar from Maven Central).

Release managers were at a conference, maybe are travelling, and voting for a new release usually takes 3 days.

The vote was unusually shortened due to one of the issues going public and I guess that it might be widely discussed and (ab)used.

I still do not know how this will be handled, but it may take a few days.

Watch for "VOTE" threads on the dev mailing list. If one could help with testing release candidates, it would help.

Best regards,
Konstantin Kolinko
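
Added example, not part of the original thread and not Tomcat project code: a black-box check of the kind useful when testing a release candidate, which requests a compressed response and reports whether the body delivers every byte its Content-Length promises (the symptom in the reported stack trace). The local stub server, its /ok and /truncated paths, and all function names are assumptions made for illustration; in practice check_body would be pointed at the server under test.

```python
import gzip
import http.client
import socketserver
import threading
from http.server import BaseHTTPRequestHandler

# Constructed sample payload; a real run would request application URLs.
PAYLOAD = gzip.compress(b"constructed sample body\n" * 400)


class StubHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for the server under test. /truncated imitates
    the reported symptom: fewer body bytes than Content-Length promises."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Encoding", "gzip")
        self.send_header("Content-Length", str(len(PAYLOAD)))
        self.end_headers()
        cut = len(PAYLOAD) // 2 if self.path == "/truncated" else len(PAYLOAD)
        self.wfile.write(PAYLOAD[:cut])  # HTTP/1.0 handler then closes

    def log_message(self, *args):  # silence per-request logging
        pass


def check_body(host, port, path):
    """GET path with gzip accepted; return (expected, received, ok)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Accept-Encoding": "gzip"})
        resp = conn.getresponse()
        expected = int(resp.getheader("Content-Length", "-1"))
        try:
            data = resp.read()
        except http.client.IncompleteRead as exc:
            # Peer closed before Content-Length bytes arrived.
            return expected, len(exc.partial), False
        if resp.getheader("Content-Encoding") == "gzip":
            gzip.decompress(data)  # raises if the gzip stream is damaged
        return expected, len(data), len(data) == expected
    finally:
        conn.close()


def run_demo():
    """Start the stub on an ephemeral port and probe both paths."""
    server = socketserver.TCPServer(("127.0.0.1", 0), StubHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        port = server.server_address[1]
        return {p: check_body("127.0.0.1", port, p)
                for p in ("/ok", "/truncated")}
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, result in run_demo().items():
        print(path, result)
```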
Re: [External] Re: Tomcat upgrade from 9.0.80 to 9.0.81
Thank you Konstantin for the quick update!

Since this release contained multiple security fixes, it's important to upgrade. However, there seem to be regressions too.

What is the way forward here? Follow up version coming sooner? Or a version with just security fixes and all other changes can go in subsequent release?

Thanks,
Amit

From: Konstantin Kolinko
Sent: Tuesday, October 10, 2023 5:12:45 PM
To: Tomcat Users List
Subject: [External] Re: Tomcat upgrade from 9.0.80 to 9.0.81

Hi!

Thank you for reporting and investigating the issue. I added your observation to https://bz.apache.org/bugzilla/show_bug.cgi?id=67670

Best regards,
Konstantin Kolinko

Wed, 11 Oct 2023 at 00:01, Amit Pande:
>
> I am still investigating more but after upgrading from Tomcat 9.0.80 to 9.0.81, many of our rest assured based tests are failing with below error ...
>
> Caused by: org.apache.http.ConnectionClosedException: Premature end of Content-Length delimited message body (expected: 4,999; received: 3,040)
>     at org.apache.http.impl.io.ContentLengthInputStream.read(ContentLengthInputStream.java:178)
>     at io.restassured.internal.util.IOUtils.toByteArray(IOUtils.java:30)
>     at io.restassured.internal.http.GZIPEncoding$GZIPDecompressingEntity.getContent(GZIPEncoding.java:69)
>     at org.apache.http.conn.BasicManagedEntity.getContent(BasicManagedEntity.java:85)
>     at io.restassured.internal.http.HTTPBuilder.parseResponse(HTTPBuilder.java:546)
>     at io.restassured.internal.RequestSpecificationImpl$RestAssuredHttpBuilder.super$2$parseResponse(RequestSpecificationImpl.groovy)
>     at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107)
>     at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323)
>     at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1268)
>     at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:144)
>
> Has anyone seen this? I will keep everyone posted after debugging more.
>
> Thanks,
> Amit
Re: Tomcat upgrade from 9.0.80 to 9.0.81
Hi!

Thank you for reporting and investigating the issue. I added your observation to https://bz.apache.org/bugzilla/show_bug.cgi?id=67670

Best regards,
Konstantin Kolinko

Wed, 11 Oct 2023 at 00:01, Amit Pande:
>
> I am still investigating more but after upgrading from Tomcat 9.0.80 to 9.0.81, many of our rest assured based tests are failing with below error ...
>
> Caused by: org.apache.http.ConnectionClosedException: Premature end of Content-Length delimited message body (expected: 4,999; received: 3,040)
>     at org.apache.http.impl.io.ContentLengthInputStream.read(ContentLengthInputStream.java:178)
>     at io.restassured.internal.util.IOUtils.toByteArray(IOUtils.java:30)
>     at io.restassured.internal.http.GZIPEncoding$GZIPDecompressingEntity.getContent(GZIPEncoding.java:69)
>     at org.apache.http.conn.BasicManagedEntity.getContent(BasicManagedEntity.java:85)
>     at io.restassured.internal.http.HTTPBuilder.parseResponse(HTTPBuilder.java:546)
>     at io.restassured.internal.RequestSpecificationImpl$RestAssuredHttpBuilder.super$2$parseResponse(RequestSpecificationImpl.groovy)
>     at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>     at java.lang.reflect.Method.invoke(Method.java:498)
>     at org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107)
>     at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323)
>     at groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1268)
>     at org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:144)
>
> Has anyone seen this? I will keep everyone posted after debugging more.
>
> Thanks,
> Amit