[Bug 60451] java.lang.ArrayIndexOutOfBoundsException when a servlet writes more than the output buffer max length on a connection to be upgraded to HTTP/2

2016-12-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60451 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED

svn commit: r1773307 - in /tomcat/tc8.5.x/trunk: ./ java/org/apache/coyote/http2/ test/org/apache/coyote/http2/ webapps/docs/

2016-12-08 Thread markt
Author: markt Date: Thu Dec 8 22:20:26 2016 New Revision: 1773307 URL: http://svn.apache.org/viewvc?rev=1773307=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60451 Correctly handle HTTP/2 header values that contain characters with unicode code points in the range 128 to 255.

svn commit: r1773306 - in /tomcat/trunk: java/org/apache/coyote/http2/ test/org/apache/coyote/http2/ webapps/docs/

2016-12-08 Thread markt
Author: markt Date: Thu Dec 8 22:19:41 2016 New Revision: 1773306 URL: http://svn.apache.org/viewvc?rev=1773306=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60451 Correctly handle HTTP/2 header values that contain characters with unicode code points in the range 128 to 255.

Re: URGENT: Tomcat 7 Aliases

2016-12-08 Thread Mark Thomas
On 08/12/2016 21:15, Victor Rodriguez wrote: > THANKS IN ADVANCE FOR YOUR HELP! Please stop shouting. This question belongs on the users list. Mark > > I have abc.war and I want both /abc and /xyz to work for it. I've tried > adding aliases="/abc=abc.war,/xyz=abc.war" and

URGENT: Tomcat 7 Aliases

2016-12-08 Thread Victor Rodriguez
THANKS IN ADVANCE FOR YOUR HELP! I have abc.war and I want both /abc and /xyz to work for it. I've tried adding aliases="/abc=abc.war,/xyz=abc.war" and aliases="/abc=abc,/xyz=abc" but neither of those worked. This is what my original context.xml looked like. WEB-INF/web.xml

svn commit: r17334 - /dev/tomcat/tomcat-8/v8.5.9/ /release/tomcat/tomcat-8/v8.5.9/

2016-12-08 Thread markt
Author: markt Date: Thu Dec 8 20:50:30 2016 New Revision: 17334 Log: Release 8.5.9 Added: release/tomcat/tomcat-8/v8.5.9/ - copied from r17250, dev/tomcat/tomcat-8/v8.5.9/ Removed: dev/tomcat/tomcat-8/v8.5.9/ -

[VOTE][RESULT] Release Apache Tomcat 8.5.9

2016-12-08 Thread Mark Thomas
The following votes were cast: Binding: +1 (stable): violetagg, remm, kfujino, fschumacher Non-binding: +1 (stable): ebourg, csutherl, huxing The vote therefore passes. Thanks to everyone who contributed to this release Mark

svn commit: r17333 - /dev/tomcat/tomcat-9/v9.0.0.M15/ /release/tomcat/tomcat-9/v9.0.0.M15/

2016-12-08 Thread markt
Author: markt Date: Thu Dec 8 20:48:07 2016 New Revision: 17333 Log: Release 9.0.0.M15 Added: release/tomcat/tomcat-9/v9.0.0.M15/ - copied from r17237, dev/tomcat/tomcat-9/v9.0.0.M15/ Removed: dev/tomcat/tomcat-9/v9.0.0.M15/

[VOTE][RESULT] Release Apache Tomcat 9.0.0.M15

2016-12-08 Thread Mark Thomas
The following votes were cast: Binding: +1 (stable): markt, violetagg, remm, kfujino, fschumacher Non-binding: +1 (stable): huxing The vote therefore passes. Thanks to everyone who contributed to this release Mark - To

[Bug 60372] BufferOverflowException at java.nio.HeapByteBuffer.put

2016-12-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60372 --- Comment #18 from mgrigorov --- 8.5.9 is being voted at the moment. If everything is OK it will be available in the next few days. -- You are receiving this mail because: You are the assignee for the bug.

[Bug 60372] BufferOverflowException at java.nio.HeapByteBuffer.put

2016-12-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60372 --- Comment #17 from Jan Kostelansky --- Dear support, when can I expect the patch to be included in a Tomcat 8.5 or Tomcat 9 release? I have not found it in the changelog of the latest Tomcat 8.5. Thank you, Jan --

[Bug 60372] BufferOverflowException at java.nio.HeapByteBuffer.put

2016-12-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60372 Violeta Georgieva changed: What|Removed |Added CC|

[Bug 60455] java.nio.BufferOverflowException

2016-12-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60455 Violeta Georgieva changed: What|Removed |Added Resolution|--- |DUPLICATE

[Bug 60455] New: java.nio.BufferOverflowException

2016-12-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60455 Bug ID: 60455 Summary: java.nio.BufferOverflowException Product: Tomcat 9 Version: 9.0.0.M11 Hardware: PC Status: NEW Severity: critical Priority: P2

Re: [VOTE] Release Apache Tomcat 8.5.9

2016-12-08 Thread Huxing Zhang
Hi, The proposed 8.5.9 release is: [ ] Broken - do not release [ X ] Stable - go ahead and release as <8.5.8> (should be 8.5.9) Test case pass. Our test web app works fine. -- From:Mark Thomas Time:2016 Dec 6

Re: Missing commit for CVE-2016-6797 on the security pages

2016-12-08 Thread Emmanuel Bourg
On 8/12/2016 at 11:49, Mark Thomas wrote: > Added. Thank you Mark. > The commits on the security pages are meant to be just those required to > fix the vulnerability. > > Back-porters may need additional commits for various reasons: > a) prior commits that aligned the code with later

Re: About CVE-2015-5345

2016-12-08 Thread Mark Thomas
On 08/12/2016 09:54, Emmanuel Bourg wrote: > [resending as a new message instead of a reply, sorry] Thanks. > I'm still working on the security backports in Debian and I have a > question regarding CVE-2015-5345. On the Tomcat 7 security page the > commits 1715213 and 1717212 are referenced. If

[Bug 60451] java.lang.ArrayIndexOutOfBoundsException when a servlet writes more than the output buffer max length on a connection to be upgraded to HTTP/2

2016-12-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60451 --- Comment #3 from Ludovic Pénet --- Agreed. I left the bug open because the exception raised was quite unclear to me and having another error trace would be great. -- You are receiving this mail because: You are the

svn commit: r1773214 - in /tomcat/site/trunk: docs/security-7.html xdocs/security-7.xml

2016-12-08 Thread markt
Author: markt Date: Thu Dec 8 11:11:51 2016 New Revision: 1773214 URL: http://svn.apache.org/viewvc?rev=1773214=rev Log: Add additional commit that fixes the broken config options Modified: tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/xdocs/security-7.xml Modified:

svn commit: r1773212 - in /tomcat/site/trunk: docs/security-7.html xdocs/security-7.xml

2016-12-08 Thread markt
Author: markt Date: Thu Dec 8 10:58:28 2016 New Revision: 1773212 URL: http://svn.apache.org/viewvc?rev=1773212=rev Log: Fix typo Modified: tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/xdocs/security-7.xml Modified: tomcat/site/trunk/docs/security-7.html URL:

[Bug 60451] java.lang.ArrayIndexOutOfBoundsException when a servlet writes more than the output buffer max length on a connection to be upgraded to HTTP/2

2016-12-08 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60451 --- Comment #2 from Michael Osipov <1983-01...@gmx.net> --- This one is worth reading: http://stackoverflow.com/a/30446122/696632 -- You are receiving this mail because: You are the assignee for the bug.

Re: Missing commit for CVE-2016-6797 on the security pages

2016-12-08 Thread Mark Thomas
On 08/12/2016 00:37, Emmanuel Bourg wrote: > Hi, > > The security pages are missing another commit, this time for > CVE-2016-6797. The newly added validateGlobalResourceAccess method in > ResourceLinkFactory was later modified to iterate over the classloader > hierarchy. Without this modification

svn commit: r1773211 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/s

2016-12-08 Thread markt
Author: markt Date: Thu Dec 8 10:41:54 2016 New Revision: 1773211 URL: http://svn.apache.org/viewvc?rev=1773211=rev Log: And regression fix to CVE-2016-6796 commits Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html

About CVE-2015-5345

2016-12-08 Thread Emmanuel Bourg
[resending as a new message instead of a reply, sorry] Hi all, I'm still working on the security backports in Debian and I have a question regarding CVE-2015-5345. On the Tomcat 7 security page the commits 1715213 and 1717212 are referenced. If I'm not mistaken the commit 1716860 should also be

About CVE-2015-5345

2016-12-08 Thread Emmanuel Bourg
Hi all, I'm still working on the security backports in Debian and I have a question regarding CVE-2015-5345. On the Tomcat 7 security page the commits 1715213 and 1717212 are referenced. If I'm not mistaken the commit 1716860 should also be part of the fix, otherwise the mapper*RedirectEnabled

Re: Same request object passed to two threads

2016-12-08 Thread Mark Thomas
On 08/12/2016 07:32, Violeta Georgieva wrote: > 2016-12-08 3:48 GMT+02:00 Matthew Bellew : >> >> I have narrowed this down quite a lot. This bug is caused by the same >> Http11Processor being pushed on to the recycledProcessors stack twice. I >> discovered this by add a