Re: encodeURL, jsessionid and mod_rewrite ?

2017-10-03 Thread Peter Kreuser
Peter Kreuser > On 04.10.2017 at 02:44, Christopher Schultz wrote: > > Laurent, > >> On 10/3/17 5:17 PM, Laurent Perez wrote: >> I'm using apache+mod_proxy+mod_rewrite as a tomcat frontend. A >> "foo" war

RE: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-03 Thread Caldarale, Charles R
> From: Baron Fujimoto [mailto:ba...@hawaii.edu] > Subject: Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload > I haven't seen an announcement for 8.0.47, nor does the Apache Tomcat > website seem to reference it yet, but it appears to be available in the >

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-03 Thread Baron Fujimoto
On Tue, Oct 03, 2017 at 10:55:26AM +, Mark Thomas wrote: >CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload > >Severity: Important > >Vendor: The Apache Software Foundation > >Versions Affected: >[...] >Apache Tomcat 8.0.0.RC1 to 8.0.46 >[...] > >Description: >When running with

Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-03 Thread James H. H. Lampert
I wrote: I mean, I know that I need to get HTTPAPI and Tomcat speaking the same language, but where do I begin? Christopher Schultz (Tomcat List) wrote: First, I would check to see what Tomcat is actually advertising. There are several ways to do that. One of them is to use Qualys's SSLLabs

Re: VS: Tomcat accesslogs / Geoserver

2017-10-03 Thread Christopher Schultz
Jussila, On 10/3/17 1:40 AM, Jussila Ville wrote: > Thanks for your fast answer. > > I'm quite new with Tomcat and HTTP. But as you said, Geoserver is > taking care of the authentication itself. So this is the problem > and we are not able to log

Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-03 Thread Christopher Schultz
James, On 10/3/17 5:52 PM, James H. H. Lampert wrote: > Dear Mr. Klement, and members of the Tomcat List: > > I have a series of AS/400 programs using HTTPAPI to access > services hosted by a webapp running under Tomcat. > > Up until now, I've

Re: encodeURL, jsessionid and mod_rewrite ?

2017-10-03 Thread Christopher Schultz
Laurent, On 10/3/17 5:17 PM, Laurent Perez wrote: > I'm using apache+mod_proxy+mod_rewrite as a tomcat frontend. A > "foo" war is deployed at /foo context path under tomcat. The /foo > path is not public, apache has a rewrite rule defined as :

Re: Can I use tomcat 9.0.x version in production

2017-10-03 Thread Christopher Schultz
Murthy, On 10/3/17 7:38 AM, s v n trimurthulu wrote: > At present we are using 7.0.x in our production environment. As we > have received few CVE alerts we wanted to migrate it to latest > version 9.0.x. But when i see the status of the 9.0.x

Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-03 Thread James H. H. Lampert
Dear Mr. Klement, and members of the Tomcat List: I have a series of AS/400 programs using HTTPAPI to access services hosted by a webapp running under Tomcat. Up until now, I've only tested this configuration with Tomcat 7, running on a local Linux (CentOS) box, and the last time I tested

encodeURL, jsessionid and mod_rewrite ?

2017-10-03 Thread Laurent Perez
Hi I'm using apache+mod_proxy+mod_rewrite as a tomcat frontend. A "foo" war is deployed at /foo context path under tomcat. The /foo path is not public, apache has a rewrite rule defined as : /bar/* rewrites internally to /foo/*. I'm using jstl and its for every url in my jsps to gain the

Re: Mapping role names to groups

2017-10-03 Thread Mark Thomas
On 03/10/17 14:01, Sebastian Trost wrote: > Hi! > > I was looking for a way to map security role names from tomcat to LDAP > groups. I found an old thread from August 2009 with the exact problem in > which Christopher Schultz recommended to write a servlet filter or valve to > do that. > >

Mapping role names to groups

2017-10-03 Thread Sebastian Trost
Hi! I was looking for a way to map security role names from tomcat to LDAP groups. I found an old thread from August 2009 with the exact problem in which Christopher Schultz recommended to write a servlet filter or valve to do that. Original mail:

Re: Can I use tomcat 9.0.x version in production

2017-10-03 Thread Mark Thomas
On 03/10/17 12:38, s v n trimurthulu wrote: > Hello There, > > At present we are using 7.0.x in our production environment. As we have > received few CVE alerts we wanted to migrate it to latest version 9.0.x. I'm not sure if you look at the vulnerability data for the last 12 months that the

Can I use tomcat 9.0.x version in production

2017-10-03 Thread s v n trimurthulu
Hello There, At present we are using 7.0.x in our production environment. As we have received few CVE alerts we wanted to migrate it to latest version 9.0.x. But when I see the status of the 9.0.x release it is showing "Stable = No". So I request you to suggest me whether I can use the latest

[ANN] Apache Tomcat 9.0.1 available

2017-10-03 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.1 (beta). Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.1 is the first

[ANN] Apache Tomcat 8.5.23 available

2017-10-03 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.23. Tomcat 8.x users should normally be using 8.5.x releases in preference to 8.0.x releases. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression

[SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-03 Thread Mark Thomas
CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0 Apache Tomcat 8.5.0 to 8.5.22 Apache Tomcat 8.0.0.RC1 to 8.0.46 Apache Tomcat 7.0.0 to 7.0.81 Description: When

Tomcat 9.0.1 - StandardJarScanner only scanning for HandlesTypes due to classloader issues

2017-10-03 Thread Brian Toal
In my embedded tomcat app, StandardJarScanner is doing a minimal Servlet 3.0 annotation scanning, specifically only HandlesTypes. After digging in, it appears that because the classloader that loaded StandardJarScanner is the same that loaded StandardContext and ContextConfig