On 11/04/2019 14:52, Mark Thomas wrote:
> On 11/04/2019 14:31, Rainer Jung wrote:
>> On 11.04.2019 at 14:51, Rémy Maucherat wrote:
>>> On Thu, Apr 11, 2019 at 2:00 PM Rainer Jung <rainer.j...@kippdata.de>
>>> wrote:
>>>
>>>> On 10.04.2019 at 15:44, Mark Thomas wrote:
>>>>> The proposed Apache Tomcat 9.0.18 release is now available for voting.
>>>>>
>>>>> The major changes compared to the 9.0.17 release are:
>>>>>
>>>>> - Fix for CVE-2019-0232 an RCE vulnerability on Windows
>>>>>
>>>>> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
>>>>>   now supported if used with an ECJ version with support for those
>>>>>   Java versions
>>>>>
>>>>> - Various NIO2 stability improvements
>>>>>
>>>>> Along with lots of other bug fixes and improvements.
>>>>>
>>>>> For full details, see the changelog:
>>>>> https://ci.apache.org/projects/tomcat/tomcat9/docs/changelog.html
>>>>>
>>>>> It can be obtained from:
>>>>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.18/
>>>>> The Maven staging repo is:
>>>>> https://repository.apache.org/content/repositories/orgapachetomcat-1207/
>>>>>
>>>>> The tag is:
>>>>> https://github.com/apache/tomcat/tree/9.0.18
>>>>> 0862607e5da91a7c476a6350288d8d8a9380f556
>>>>>
>>>>> The proposed 9.0.18 release is:
>>>>> [ ] Broken - do not release
>>>>> [ ] Stable - go ahead and release as 9.0.18
>>>>>
>>>>>
>>>>> Due to the security fix contained in this release, the voting period
>>>>> may be shortened once sufficient votes are cast to enable a faster
>>>>> release.
>>>>
>>>> The MBeans for beans with j2eeType seem to be not filled with data. I
>>>> have not checked since 9.0.12, so I don't know when that happened. Just
>>>> wanted to give a heads up before investigating more.
>>>>
>>>> Example diff for one bean:
>>>>
>>>> Name:
>>>>
>>>> Catalina:j2eeType=Servlet,WebModule=//localhost/,name=default,J2EEApplication=none,J2EEServer=none
>>>>
>>>> -modelerType: org.apache.catalina.mbeans.ContainerMBean
>>>> -maxTime: 0
>>>> -requestCount: 0
>>>> -servletClass: org.apache.catalina.servlets.DefaultServlet
>>>> -countAllocated: 0
>>>> -available: 0
>>>> -backgroundProcessorDelay: -1
>>>> -processingTime: XXX
>>>> -loadOnStartup: 1
>>>> -singleThreadModel: false
>>>> -loadTime: XXX
>>>> -stateName: STARTED
>>>> -minTime: XXX
>>>> -classLoadTime: XXX
>>>> -asyncSupported: false
>>>> -objectName:
>>>>
>>>> Catalina:j2eeType=Servlet,WebModule=//localhost/,name=default,J2EEApplication=none,J2EEServer=none
>>>>
>>>> -maxInstances: 20
>>>> -errorCount: 0
>>>> +modelerType: org.apache.tomcat.util.modeler.BaseModelMBean
>>>> +empty: false
>>>>
>>>> The modelerType has changed, all attributes missing.
>>>>
>>>
>>> The good news is that 8.5 seems fine.
>>>
>>> I'll investigate. If we need to do a new release (IMO: yes), I'll flip
>>> the useAsyncIO default value ...
>>
>> I did some more checks:
>>
>> - as you said, 8.5.40 is fine
>>
>> - using the same scripts, 9.0.17 is also fine, so this looks like a real
>>   code regression
>>
>> Thus I would also be -1 for the 9.0.18 release.

https://github.com/apache/tomcat/commit/8cbe4ba594dc41615faafb216fcb4ff3e0d8fafc
seems to be the trigger. I haven't reviewed the commit yet.

Mark

>>>> Another minor observation: file
>>>> java/org/apache/tomcat/util/json/JSONParser.jj is in git but missing
>>>> from the src distribution.
>>
>> There is an explicit .jj exclusion in build.xml. But that exclusion is
>> older than the jj file, so I'm not sure whether it should get bundled
>> or not. At least the release build process does not generate it, so it
>> seems we should better bundle it.
>
> That file looks like a jjt file rather than a jj file. Maybe a rename is
> required?
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>