Bug report for Tomcat 6 [2014/04/13]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

ID   |Sta|Sev|Date      |Description
41679|New|Enh|2007-02-22|SemaphoreValve should be able to filter on url pat
43001|New|Enh|2007-07-30|JspC lacks setMappedFile and setDie for use in Ant
43400|New|Enh|2007-09-14|enum support for tag libs
43548|Opn|Enh|2007-10-04|xml schema for tomcat-users.xml
43682|New|Enh|2007-10-23|JULI: web-inf/classes/logging.properties to suppor
43742|New|Enh|2007-10-30|.tag compiles performed one at a time -- extremel
43979|New|Enh|2007-11-27|Add abstraction for Java and Classfile output
44199|New|Enh|2008-01-10|expose current backlog queue size
44225|New|Enh|2008-01-14|SSL connector tries to load the private keystore f
44294|New|Enh|2008-01-25|Support for EL functions with varargs
44645|New|Enh|2008-03-20|[Patch] JNDIRealm - Doesn't support JNDI java.nam
44787|New|Enh|2008-04-09|provide more error context on java.lang.IllegalSt
45014|New|Enh|2008-05-15|Request and Response classes should have wrappers
45282|New|Enh|2008-06-25|NioReceiver doesn't close cleanly, leaving sockets
45832|New|Enh|2008-09-18|add DIGEST authentication support to Ant tasks
45878|New|Enh|2008-09-24|Generated jars do not contain proper manifests or
45879|Opn|Enh|2008-09-24|Windows installer fails to install NOTICE and RELE
45931|Opn|Enh|2008-10-01|trimSpaces incorrectly modifies output
46173|New|Enh|2008-11-09|Small patch for manager app: Setting an optional c
46263|Opn|Enh|2008-11-21|Tomcat reloading of context.xml does not update do
46284|New|Enh|2008-11-24|Add flag to DeltaManager that blocks processing cl
46350|New|Enh|2008-12-05|Maven repository should contain source bundles
46558|Opn|Enh|2009-01-19|Shutdown port with address binding
46902|New|Enh|2009-03-24|LoginValve to bypass restrictions of j_security_ch
47214|New|Enh|2009-05-17|Inner classes that are explicitly referenced - sho
47242|New|Enh|2009-05-22|request for AJP command line client
47281|New|Enh|2009-05-28|Efficiency of the JDBCStore
47407|New|Enh|2009-06-23|HttpSessionListener doesn't operate in the session
47467|New|Enh|2009-07-02|Deployment of the war file by URL when contextpath
47834|New|Enh|2009-09-14|TldConfig throws Exception when exploring unpacked
47919|New|Enh|2009-09-30|Log Tomcat Java environment variables in additio
48358|Opn|Enh|2009-12-09|JSP-unloading reloaded
48543|New|Enh|2010-01-14|[Patch] More flexibility in specifying -Dcatalina.
48672|New|Enh|2010-02-03|Tomcat Virtual Host Manager (/host-manager) have b
48674|New|Enh|2010-02-03|Tomcat Virtual Host Manager application doesn't pe
48743|New|Enh|2010-02-15|Make the SLEEP variable in catalina.sh settable fr
48899|New|Enh|2010-03-12|Guess URI charset should solve lot of problems
48922|New|Enh|2010-03-16|org.apache.catalina.connector.Request clone static
48928|New|Enh|2010-03-17|An alternative solution to preloading classes when
49176|Opn|Enh|2010-04-23|Jasper in Dev Mode Is Memory Inefficient
49464|New|Enh|2010-06-18|DefaultServlet and CharacterEncoding
49531|New|Enh|2010-06-30|singlesignon failover not working on DeltaManager/
49804|New|Enh|2010-08-23|Allow Embedded.redirectStreams value to be configu
49939|New|Enh|2010-09-16|Expose a method via JMX which empties the webapp f
49943|New|Enh|2010-09-16|Logging (via juli) does not reread configuration c
50285|New|Enh|2010-11-17|Standard HTTP and AJP connectors silently ignore a
50288|New|Enh|2010-11-17|Uploading a war file that already exists should au
50677|Opn|Enh|2011-01-27|Allow system property variables in catalina.proper
50692|New|Enh|2011-01-31|Improve log message in ThreadPool.logFull
51142|New|Enh|2011-05-03|Offer possible resolution of StringIndexOutOfBound
51513|New|Enh|2011-07-15|GzipInterceptor: Do not compress small packages
Bug report for Taglibs [2014/04/13]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

ID   |Sta|Sev|Date      |Description
38193|Ass|Enh|2006-01-09|[RDC] BuiltIn Grammar support for Field
38600|Ass|Enh|2006-02-10|[RDC] Enable RDCs to be used in X+V markup (X+RDC)
42413|New|Enh|2007-05-14|[PATCH] Log Taglib enhancements
46052|New|Nor|2008-10-21|SetLocaleSupport is slow to initialize when many l
48333|New|Enh|2009-12-02|TLD generator
55609|New|Enh|2013-09-28|c:forEach loop on integer range consumes unnecessa
Total 6 bugs

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat Native [2014/04/13]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

ID   |Sta|Sev|Date      |Description
48655|Inf|Nor|2010-02-02|Active multipart downloads prevent tomcat shutdown
49038|Inf|Nor|2010-04-02|Crash in tcnative
52319|Inf|Maj|2011-12-12|Tomcat 6 crashes with [libapr-1.so.0+0x196da] sig
52627|New|Min|2012-02-08|Segmentation fault in org.apache.tomcat.jni.File.i
53605|Inf|Nor|2012-07-26|use tcnative-1.1.24 Tomcat shutdown still crash
53847|Inf|Nor|2012-09-10|High CPU usage in tomcat native 1.22+
53940|New|Enh|2012-09-27|Added support for new CRL loading after expiration
53952|New|Nor|2012-10-02|Add support for TLS 1.1 and 1.2
54085|New|Nor|2012-11-01|ssl_socket_recv sometimes loops infinitely with no
54664|New|Reg|2013-03-11|[1.1.27 branch] Poll.remove incorrectly reports AP
55087|New|Cri|2013-06-10|tomcat crashes in tcnative-1.dll with OCSP when OC
55113|Inf|Nor|2013-06-18|FIPS-compatible OpenSSL fails fingerprint test in
55114|New|Nor|2013-06-18|BUILDING file in win32 source package contains UNI
55706|New|Nor|2013-10-25|broken apr version check in native v1.1.29 build;
55771|New|Maj|2013-11-12|Memory leak and then crash in org.apache.tomcat.jn
55797|Inf|Nor|2013-11-19|Tomcat 7.0.47 crashes using server jvm.dll and APR
55938|New|Nor|2013-12-29|clang-analyzer report for 1.1.29
56027|New|Nor|2014-01-17|Unable to use TCN on RHEL6 boxes if box is booted
56108|New|Nor|2014-02-04|Allow user-defined Diffie-Hellman parameters
56313|New|Maj|2014-03-25|Tomcat 8 crashes in tcnative-1.dll+0x7923
56363|New|Cri|2014-04-08|OpenSSL security advisory - Heartbleed bug
56378|New|Nor|2014-04-09|Cert load fails if cert is located in path with no
56396|New|Nor|2014-04-11|TCN fails FIPS mode initialization if unable to ge
Total 23 bugs
Bug report for Tomcat Connectors [2014/04/13]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

ID   |Sta|Sev|Date      |Description
34526|Opn|Nor|2005-04-19|Truncated content in decompressed requests from mo
35959|Opn|Enh|2005-08-01|mod_jk not independant of UseCanonicalName
43303|New|Enh|2007-09-04|Versioning under Windows not reported by many conn
43968|Inf|Enh|2007-11-26|[patch] support ipv6 with mod_jk
44290|Inf|Nor|2008-01-24|mod_jk/1.2.26: retry is not useful for an importan
44349|Inf|Maj|2008-02-04|mod_jk/1.2.26 module does not read worker.status.s
44379|New|Enh|2008-02-07|convert the output of strftime into UTF-8
44454|New|Nor|2008-02-19|busy count reported in mod_jk inflated, causes inc
44571|New|Enh|2008-03-10|Limits busy per worker to a threshold
45063|New|Nor|2008-05-22|JK-1.2.26 IIS ISAPI filter issue when running diff
45313|New|Nor|2008-06-30|mod_jk 1.2.26 apache 2.2.9 static compiled on so
46337|New|Nor|2008-12-04|real worker name is wrong
46767|New|Enh|2009-02-25|mod_jk to send DECLINED in case no fail-over tomca
47327|New|Enh|2009-06-07|remote_user not logged in apache logfile
47617|Inf|Enh|2009-07-31|include time spent doing ajp_get_endpoint() in err
47678|New|Cri|2009-08-11|Unable to allocate shared memory when using isapi_
47714|New|Cri|2009-08-20|Reponse mixed between users
47750|New|Maj|2009-08-27|Loss of worker settings when changing via jkstatus
47795|New|Maj|2009-09-07|service sticky_session not being set correctly wit
47840|Inf|Min|2009-09-14|A broken worker name is written in the log file.
48191|New|Maj|2009-11-13|Problem with mod_jk 1.2.28 - Can not render up the
48460|New|Nor|2009-12-30|mod_proxy_ajp document has three misleading portio
48490|New|Nor|2010-01-05|Changing a node to stopped in uriworkermap.propert
48513|New|Enh|2010-01-09|IIS Quick setup instructions
48564|New|Nor|2010-01-18|Unable to turn off retries for LB worker
48830|New|Nor|2010-03-01|IIS shutdown blocked in endpoint service when serv
48891|Opn|Enh|2010-03-11|Missing EOL-style settings in tomcat/jk/trunk
49035|New|Maj|2010-04-01|data lost when post a multipart/form-data form
49063|New|Enh|2010-04-07|Please add JkStripSession status in jk-status work
49135|New|Enh|2010-04-16|SPDY Connector for The Tomcat
49469|New|Enh|2010-06-19|Workers status page has negative number of connect
49732|Opn|Nor|2010-08-10|reply_timeout can't wait forever.
49822|New|Enh|2010-08-25|Add hash lb worker method
49903|New|Enh|2010-09-09|Make workers file reloadable
50186|New|Nor|2010-10-31|Wrong documentation of connection_pool_timeout / c
52334|New|Maj|2011-12-14|recover_time is not properly used
52483|New|Enh|2012-01-18|Print JkOptions's options in log file and jkstatus
52651|New|Nor|2012-02-13|JKSHMFile size limitation
53883|New|Maj|2012-09-17|isapi_redirect v 1.2.37 crashes w3wp.exe on the p
53977|New|Maj|2012-10-07|32bits isapi connector cannot work in wow64 mode
54027|New|Cri|2012-10-18|isapi send request to outside address instead of i
54112|Opn|Blk|2012-11-07|ISAPI redirector not working when IIS recycles
54117|New|Maj|2012-11-08|access violation exception in isapi_redirect.dll
54177|New|Nor|2012-11-20|jkmanager generates non-well-formed XML for certai
54596|New|Nor|2013-02-22|Relative path functionality truncates last charact
54621|New|Nor|2013-02-28|[PATCH] custom mod_jk availability checks
54646|New|Trv|2013-03-06|socket_keepalive is sometimes 1 or true or True in
54923|New|Nor|2013-05-03|nsapi_redirect.so does not work with iPlanet on So
56005|New|Nor|2014-01-14|ISAPI redirector WEB-INF/META-INF Path Check false
56352|New|Nor|2014-04-05|tomcat-connectors-1.2.39-windows-x86_64-iis does n
Total
Bug report for Tomcat Modules [2014/04/13]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

ID   |Sta|Sev|Date      |Description
48240|New|Nor|2009-11-19|Tomcat-Lite missing @Override markers
48268|New|Nor|2009-11-23|Patch to fix generics in tomcat-lite
48861|New|Nor|2010-03-04|Files without AL headers
49685|New|Nor|2010-08-02|Unsafe synchronization in class ManagedBean
49686|New|Nor|2010-08-02|Using an instance lock to protect static shared da
50571|Inf|Nor|2011-01-11|Tomcat 7 JDBC connection pool exception enhancemen
51595|Inf|Nor|2011-08-01|org.apache.tomcat.jdbc.pool.jmx.ConnectionPool sho
51879|Inf|Enh|2011-09-22|Improve access to Native Connection Methods
52024|Inf|Enh|2011-10-13|Custom interceptor to support automatic failover o
53088|Opn|Min|2012-04-17|Give PoolCleaner TimerTask a better name
53198|New|Cri|2012-05-07|'driverClassName' Data Source Property Being Manda
53199|Inf|Enh|2012-05-07|Refactor ConnectionPool to use ScheduledExecutorSe
53200|New|Enh|2012-05-07|Be able to use SlowQueryReport without reporting f
53770|New|Enh|2012-08-23|tomcat-pool: always log validation query syntax er
53853|New|Nor|2012-09-11|Can tomcat-jdbc consider Thread#getContextClassLoa
54225|New|Nor|2012-11-30|if initSQL property is set to an empty string a Nu
54227|New|Nor|2012-11-30|maxAge should be checked on borrow
54235|New|Nor|2012-12-03|tomcat jdbc pool stackoverflow error used with spr
54395|New|Nor|2013-01-09|JdbcInterceptor config parameter parsing errors
54437|New|Enh|2013-01-16|Update PoolProperties javadoc for ConnectState int
54537|New|Cri|2013-02-07|StatementFinalizer closeInvoked is too slow for la
54929|New|Nor|2013-05-05|jdbc-pool cannot be used with Java 1.5, java.lang
54978|New|Nor|2013-05-15|Validate on Borrow should be tested on Reconnect i
55078|New|Nor|2013-06-07|Configuring a DataSource Resource with dataSourceJ
55444|New|Nor|2013-08-18|Support JDBC Drivers outside of tomcat/lib/
56046|New|Enh|2014-01-21|org.apache.tomcat.jdbc.pool.XADataSource InitSQL p
56088|New|Maj|2014-01-29|AbstractQueryReport$StatementProxy throws exceptio
56310|Inf|Maj|2014-03-25|PooledConnection and XAConnection not handled corr
56318|Opn|Maj|2014-03-26|Oracle DB cursors are leaking when using org.apach
Total 29 bugs
Bug report for Tomcat 8 [2014/04/13]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

ID   |Sta|Sev|Date      |Description
51497|New|Enh|2011-07-11|Use canonical IPv6 text representation in logs
53737|Opn|Enh|2012-08-18|Use ServletContext.getJspConfigDescriptor() in Jas
53930|New|Enh|2012-09-24|allow capture of catalina stdout/stderr to a comma
54503|New|Enh|2013-01-29|SAML2 based single sign on
54700|New|Enh|2013-03-15|Improvement: Add support for system property to sp
54741|New|Enh|2013-03-22|Add org.apache.catalina.startup.Tomcat#addWebapp(S
55006|New|Enh|2013-05-22|Add http proxy support for ClientEndpoint using sy
55243|New|Enh|2013-07-11|Add special search string for nested roles
55252|New|Enh|2013-07-12|Separate Ant and command-line wrappers for JspC
55383|New|Enh|2013-08-07|Improve markup and design of Tomcat's HTML pages
55479|New|Enh|2013-08-24|JSR 196 (JASPIC) support in Tomcat
9|New|Enh|2013-09-14|UserDatabaseRealm enhacement: may use local JNDI
55675|New|Enh|2013-10-18|Checking and handling invalid configuration option
55770|New|Enh|2013-11-12|Allow the crlFile to be reloaded
55788|New|Enh|2013-11-16|TagPlugins should key on tag QName rather than imp
55884|Ver|Maj|2013-12-14|JSPs no longer compile in Java 8
55917|New|Nor|2013-12-20|Cookie parsing fails hard with ISO-8859-1 values
55918|New|Nor|2013-12-21|CTL characters may appear in quoted values for RFC
55920|New|Enh|2013-12-22|Quotes should not be removed from quoted cookie va
55921|New|Nor|2013-12-22|Cookie values in JSON format are not skipped corre
55951|New|Enh|2014-01-04|HTML5 specifies UTF-8 encoding for cookie values
55969|New|Enh|2014-01-07|Security-related enhancements to the Windows Insta
55975|New|Nor|2014-01-08|Inconsistent escaping applied to V0 cookie values
55984|New|Nor|2014-01-10|Invalid V1 cookie generated if value contains sepa
55988|New|Enh|2014-01-11|Add parameter useCipherSuitesOrder to JSSE (BIO an
56079|New|Nor|2014-01-28|Digitally sign the Windows binaries
56166|New|Enh|2014-02-20|Suggestions for exception handling (avoid potentia
56323|New|Enh|2014-03-27|Include service .bat scripts with Microsoft Window
56348|New|Nor|2014-04-04|ReadListener reading stream on different thread ve
56361|New|Nor|2014-04-08|org.apache.tomcat.websocket.WsWebSocketContainer#b
56390|New|Nor|2014-04-11|Tomcat keeps jar files in app/WEB-INF/lib opened
56391|New|Nor|2014-04-11|test error for NIO and org.apache.tomcat.util.net.
56393|New|Enh|2014-04-11|Implement RFC6265 for Cookie parsing
56394|New|Enh|2014-04-11|Allow cookie-parsing to be pluggable
56397|New|Enh|2014-04-11|Establish parallel Maven-based build process
56398|New|Enh|2014-04-11|Support Arquillian-based unit testing
56399|New|Enh|2014-04-11|Re-factor request/response recycling so Coyote and
56400|New|Enh|2014-04-11|Change POOL2/DBCP2 consumption strategy
56401|New|Enh|2014-04-11|Log version information on startup
56402|New|Enh|2014-04-11|Add support for HTTP Upgrade to AJP components
56403|New|Enh|2014-04-11|Support pluggable password-derivation in Realms
Total 41 bugs
Bug report for Tomcat 7 [2014/04/13]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

ID   |Sta|Sev|Date      |Description
18500|New|Enh|2003-03-30|Host aliases to match by regular expression
28039|Opn|Enh|2004-03-30|Cluster Support for SingleSignOn
40881|Opn|Enh|2006-11-02|Unable to receive message through TCP channel -
41007|Opn|Enh|2006-11-20|Can't define customized 503 error page
43866|New|Enh|2007-11-14|add support for session attribute propagation with
43925|Opn|Enh|2007-11-21|org.apache.jasper.runtime.BodyContentImpl causing
44216|New|Enh|2008-01-11|Don't reuse session ID even if emptySessionPath=tr
49395|New|Enh|2010-06-06|manager.findLeaks : display the date when the leak
49589|New|Enh|2010-07-12|Tag handlers with constant attribute values are al
49785|New|Enh|2010-08-19|Enabling TLS for JNDIRealm
49821|New|Enh|2010-08-25|Tomcat CLI [PATCH/Contribution]
50019|New|Enh|2010-09-28|Adding JNDI lookup-name support In XML and Resou
50175|New|Enh|2010-10-28|Enhance memory leak detection by selectively apply
50234|New|Enh|2010-11-08|JspC use servlet 3.0 features
50504|New|Enh|2010-12-21|Allow setting query string character set trough re
50670|New|Enh|2011-01-27|Tribes | RpcChannel | Add option to specify extern
50944|Ver|Blk|2011-03-18|JSF: java.lang.NullPointerException at com.sun.fac
51195|New|Enh|2011-05-13|Find leaks reports a false positive memory/class
51423|Inf|Enh|2011-06-23|[Patch] to add a path and a version parameters to
51463|New|Enh|2011-07-01|Tomcat.setBaseDir (package org.apache.catalina.st
51496|New|Enh|2011-07-11|NSIS - Warn that duplicate service name will resul
51587|New|Enh|2011-07-29|Implement status and uptime commands
51953|New|Enh|2011-10-04|Proposal: netmask filtering valve and filter [PATC
52235|New|Enh|2011-11-23|Please do a bit of SEO tuning for the web site
52381|New|Enh|2011-12-22|Please add OSGi metadata
52448|New|Enh|2012-01-11|Cache jar indexes in WebappClassLoader to speed up
52489|New|Enh|2012-01-19|Enhancement request for code signing of war files
52688|New|Enh|2012-02-16|Add ability to remove old access log files [PATCHE
52751|Opn|Enh|2012-02-23|Optimized configuration of the system info display
52952|New|Enh|2012-03-20|Improve ExtensionValidator handling for embedded s
53085|New|Enh|2012-04-16|[perf] [concurrency] DefaultInstanceManager.annota
53387|New|Enh|2012-06-08|SSI: Allow to use $1 to get result of regular expr
53411|Opn|Enh|2012-06-13|NullPointerException in org.apache.tomcat.util.buf
53492|New|Enh|2012-07-01|Make JspC shell multithreaded
53553|New|Enh|2012-07-16|[PATCH] Deploy uploaded WAR with context.xml from
53620|New|Enh|2012-07-30|[juli] delay opening a file until something gets l
54330|New|Enh|2012-12-19|Patch with some refactoring of Member.java [PATCH
54499|New|Enh|2013-01-29|Implementation of Extensible EL Interpreter
54618|New|Enh|2013-02-28|Add filter implementing HTTP Strict Transport Secu
54802|New|Enh|2013-04-04|Provide location information for exceptions thrown
55104|New|Enh|2013-06-16|Allow passing arguments with spaces to Commons Dae
55470|New|Enh|2013-08-23|Help users for ClassNotFoundExceptions during star
55477|New|Enh|2013-08-23|Add a solution to map an realm name to a security
55662|New|Enh|2013-10-17|Add a way to set an instance of java.sql.Driver di
56148|New|Enh|2014-02-17|support (multiple) ocsp stapling
56181|New|Enh|2014-02-23|RemoteIpValve RemoteIpFilter: HttpServletRequest
56300|New|Enh|2014-03-22|[Tribes] No useful examples, lack of documentation
56365|New|Enh|2014-04-08|Simplify use of Mapper in StandardJarScanner
56382|New|Enh|2014-04-10|Add logging of deployment time
56383|New|Enh|2014-04-10|Securing ErrorReportValve [PATCH]
56406|New|Nor|2014-04-13|VirtualDirContext.setExtraResourcePaths incorrect
svn commit: r1586951 - /tomcat/trunk/bin/service.bat
Author: kkolinko
Date: Sun Apr 13 10:06:54 2014
New Revision: 1586951
URL: http://svn.apache.org/r1586951
Log: Correct message displayed by service.bat for an invalid command.
Modified: tomcat/trunk/bin/service.bat

Modified: tomcat/trunk/bin/service.bat
URL: http://svn.apache.org/viewvc/tomcat/trunk/bin/service.bat?rev=1586951&r1=1586950&r2=1586951&view=diff
==
--- tomcat/trunk/bin/service.bat (original) +++ tomcat/trunk/bin/service.bat Sun Apr 13 10:06:54 2014 @@ -100,7 +100,7 @@ goto end if /i %SERVICE_CMD% == install goto doInstall if /i %SERVICE_CMD% == remove goto doRemove if /i %SERVICE_CMD% == uninstall goto doRemove -echo Unknown parameter %1 +echo Unknown parameter %SERVICE_CMD% :displayUsage echo. echo Usage: service.bat install/remove [service_name] [/user username]
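Review bot: the corrected echo now names the command that the three `if /i %SERVICE_CMD% == ...` tests just rejected and falls through into :displayUsage, which reads as intended, but both the comparisons and the echo expand SERVICE_CMD unquoted: an argument containing spaces breaks the `if` syntax, and cmd metacharacters in the value are reinterpreted when the echo line is parsed. Consider quoting both sides, e.g. `if /i "%SERVICE_CMD%" == "install" goto doInstall` and `echo Unknown parameter "%SERVICE_CMD%"`.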
svn commit: r1586952 - in /tomcat/tc7.0.x/trunk: ./ bin/service.bat
Author: kkolinko
Date: Sun Apr 13 10:09:05 2014
New Revision: 1586952
URL: http://svn.apache.org/r1586952
Log: Merged r1586951 from tomcat/trunk: Correct message displayed by service.bat for an invalid command.
Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/bin/service.bat

Propchange: tomcat/tc7.0.x/trunk/
--
Merged /tomcat/trunk:r1586951

Modified: tomcat/tc7.0.x/trunk/bin/service.bat
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/bin/service.bat?rev=1586952&r1=1586951&r2=1586952&view=diff
==
--- tomcat/tc7.0.x/trunk/bin/service.bat (original) +++ tomcat/tc7.0.x/trunk/bin/service.bat Sun Apr 13 10:09:05 2014 @@ -100,7 +100,7 @@ goto end if /i %SERVICE_CMD% == install goto doInstall if /i %SERVICE_CMD% == remove goto doRemove if /i %SERVICE_CMD% == uninstall goto doRemove -echo Unknown parameter %1 +echo Unknown parameter %SERVICE_CMD% :displayUsage echo. echo Usage: service.bat install/remove [service_name] [/user username]
svn commit: r1586955 - /tomcat/trunk/webapps/docs/changelog.xml
Author: remm
Date: Sun Apr 13 10:37:11 2014
New Revision: 1586955
URL: http://svn.apache.org/r1586955
Log: Improve a bit the changelog.
Modified: tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1586955&r1=1586954&r2=1586955&view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Sun Apr 13 10:37:11 2014 @@ -104,20 +104,20 @@ bug56336/bug: AJP output corruption and errors. (remm) /fix fix -Handle incomplete writes in NIO2. (remm) +Handle various cases of incomplete writes in NIO2. (remm) /fix - fix + scode Code cleanups and i18n in NIO2. (remm) - /fix + /scode fix -Fix extra onDataAvailable calls. (remm) +Fix extra onDataAvailable calls in the NIO2 connector. (remm) /fix fix Fix gather writes in NIO2 SSL. (remm) /fix - fix + scode Upgrade the NIO2 connectors to beta, but still not ready for production. (remm) - /fix + /scode /changelog /subsection subsection name=Jasper
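Review bot: moving "Code cleanups and i18n in NIO2" from fix to scode is the right category, but the last entry, "Upgrade the NIO2 connectors to beta, but still not ready for production", describes a user-visible change of status rather than a source cleanup, so scode undersells it; the update category (or add) fits better and keeps the beta promotion visible to readers of the release notes. The two reworded messages, "Handle various cases of incomplete writes in NIO2" and "Fix extra onDataAvailable calls in the NIO2 connector", are clearer than the originals.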
svn commit: r1586959 - /tomcat/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java
Author: kkolinko
Date: Sun Apr 13 10:57:23 2014
New Revision: 1586959
URL: http://svn.apache.org/r1586959
Log: Followup to r1586897 : Apply the same not-null optimization to removeAttributeChangeNotificationListener method.
Modified: tomcat/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java

Modified: tomcat/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java?rev=1586959&r1=1586958&r2=1586959&view=diff
==
--- tomcat/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java (original) +++ tomcat/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java Sun Apr 13 10:57:23 2014 @@ -624,11 +624,11 @@ public class BaseModelMBean implements D if (listener == null) throw new IllegalArgumentException(Listener is null); -if (attributeBroadcaster == null) -attributeBroadcaster = new BaseNotificationBroadcaster(); // FIXME - currently this removes *all* notifications for this listener -attributeBroadcaster.removeNotificationListener(listener); +if (attributeBroadcaster != null) { +attributeBroadcaster.removeNotificationListener(listener); +} }
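Review bot: the null guard removes the pointless allocation of a BaseNotificationBroadcaster whose only purpose was to have nothing removed from it, but the new branch also returns silently when no broadcaster exists, i.e. when the listener cannot have been registered; removeAttributeChangeNotificationListener is declared in ModelMBeanNotificationBroadcaster to throw ListenerNotFoundException for that case, so consider throwing it from the null branch unless removal from a fresh, empty broadcaster was equally silent before (not visible in this hunk), in which case behaviour is unchanged. The FIXME about removing all notifications for the listener still applies and should stay next to the call. Style: the new block is braced while the `if (listener == null) throw ...` two lines above is not; brace both.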
svn commit: r1586960 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/tomcat/util/modeler/BaseModelMBean.java
Author: kkolinko
Date: Sun Apr 13 10:59:37 2014
New Revision: 1586960
URL: http://svn.apache.org/r1586960
Log: Merged r1586959 from tomcat/trunk: Followup to r1586897 : Apply the same not-null optimization to removeAttributeChangeNotificationListener method.
Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java

Propchange: tomcat/tc7.0.x/trunk/
--
Merged /tomcat/trunk:r1586959

Modified: tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java?rev=1586960&r1=1586959&r2=1586960&view=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/modeler/BaseModelMBean.java Sun Apr 13 10:59:37 2014 @@ -625,11 +625,11 @@ public class BaseModelMBean implements D if (listener == null) throw new IllegalArgumentException(Listener is null); -if (attributeBroadcaster == null) -attributeBroadcaster = new BaseNotificationBroadcaster(); // FIXME - currently this removes *all* notifications for this listener -attributeBroadcaster.removeNotificationListener(listener); +if (attributeBroadcaster != null) { +attributeBroadcaster.removeNotificationListener(listener); +} }
svn commit: r1586961 - in /tomcat/trunk: bin/service.bat webapps/docs/changelog.xml
Author: kkolinko
Date: Sun Apr 13 11:20:23 2014
New Revision: 1586961
URL: http://svn.apache.org/r1586961
Log: Align DisplayName of Tomcat service installed by service.bat with one installed by the *.exe installer: Use X.0 version number in both instead of X.
Modified: tomcat/trunk/bin/service.bat tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/bin/service.bat
URL: http://svn.apache.org/viewvc/tomcat/trunk/bin/service.bat?rev=1586961&r1=1586960&r2=1586961&view=diff
==
--- tomcat/trunk/bin/service.bat (original) +++ tomcat/trunk/bin/service.bat Sun Apr 13 11:20:23 2014 @@ -75,7 +75,7 @@ set EXECUTABLE=%CATALINA_HOME%\bin\tomc rem Set default Service name set SERVICE_NAME=Tomcat@VERSION_MAJOR@ -set DISPLAYNAME=Apache Tomcat @VERSION_MAJOR@ %SERVICE_NAME% +set DISPLAYNAME=Apache Tomcat @VERSION_MAJOR_MINOR@ %SERVICE_NAME% if x%1x == xx goto displayUsage set SERVICE_CMD=%1 @@ -85,7 +85,7 @@ if x%1x == xx goto checkServiceCmd if x%1x == x/userx goto runAsUser if x%1x == x--userx goto runAsUser set SERVICE_NAME=%1 -set DISPLAYNAME=Apache Tomcat @VERSION_MAJOR@ %1 +set DISPLAYNAME=Apache Tomcat @VERSION_MAJOR_MINOR@ %1 shift if x%1x == xx goto checkServiceCmd goto checkUser

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1586961&r1=1586960&r2=1586961&view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Sun Apr 13 11:20:23 2014
@@ -197,10 +197,16 @@ /changelog /subsection subsection name=Other -scode - Review source code and take advantage of Java 7apos;s - try-with-resources syntax where possible. (markt) -/scode +changelog + scode +Review source code and take advantage of Java 7apos;s +try-with-resources syntax where possible. (markt) + /scode + fix +Align DisplayName of Tomcat installed by codeservice.bat/code with +one installed by the *.exe installer. (kkolinko) + /fix +/changelog /subsection /section section name=Tomcat 8.0.5 (markt) rtext=beta, 2014-03-27
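Review bot: both DISPLAYNAME lines now depend on a `@VERSION_MAJOR_MINOR@` token being substituted when service.bat is filtered into the distribution, and nothing in this commit touches the build's filter set, so please confirm the same filter that replaces `@VERSION_MAJOR@` on the unchanged SERVICE_NAME line also defines VERSION_MAJOR_MINOR; otherwise the literal token lands in the installed service's display name. Since SERVICE_NAME itself stays `Tomcat@VERSION_MAJOR@`, an already installed service keeps its name and only a fresh install picks up the new display name, which is worth a word in the changelog entry. The changelog hunk also wraps the previously bare scode entry in the changelog element that the Other subsection was missing, which is correct.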
svn commit: r1586962 - in /tomcat/tc7.0.x/trunk: ./ bin/service.bat webapps/docs/changelog.xml
Author: kkolinko Date: Sun Apr 13 11:25:14 2014 New Revision: 1586962 URL: http://svn.apache.org/r1586962 Log: Merged r1586961 from tomcat/trunk: Align DisplayName of Tomcat service installed by service.bat with one installed by the *.exe installer: Use X.0 version number in both instead of X. Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/bin/service.bat tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc7.0.x/trunk/ -- Merged /tomcat/trunk:r1586961 Modified: tomcat/tc7.0.x/trunk/bin/service.bat URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/bin/service.bat?rev=1586962r1=1586961r2=1586962view=diff == --- tomcat/tc7.0.x/trunk/bin/service.bat (original) +++ tomcat/tc7.0.x/trunk/bin/service.bat Sun Apr 13 11:25:14 2014 @@ -75,7 +75,7 @@ set EXECUTABLE=%CATALINA_HOME%\bin\tomc rem Set default Service name set SERVICE_NAME=Tomcat@VERSION_MAJOR@ -set DISPLAYNAME=Apache Tomcat @VERSION_MAJOR@ %SERVICE_NAME% +set DISPLAYNAME=Apache Tomcat @VERSION_MAJOR_MINOR@ %SERVICE_NAME% if x%1x == xx goto displayUsage set SERVICE_CMD=%1 @@ -85,7 +85,7 @@ if x%1x == xx goto checkServiceCmd if x%1x == x/userx goto runAsUser if x%1x == x--userx goto runAsUser set SERVICE_NAME=%1 -set DISPLAYNAME=Apache Tomcat @VERSION_MAJOR@ %1 +set DISPLAYNAME=Apache Tomcat @VERSION_MAJOR_MINOR@ %1 shift if x%1x == xx goto checkServiceCmd goto checkUser Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1586962r1=1586961r2=1586962view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Sun Apr 13 11:25:14 2014 
@@ -158,6 +158,14 @@ /fix /changelog /subsection + subsection name=Other +changelog + fix +Align DisplayName of Tomcat installed by codeservice.bat/code with +one installed by the *.exe installer. (kkolinko) + /fix +/changelog + /subsection /section section name=Tomcat 7.0.53 (violetagg) rtext=released 2014-03-30 subsection name=Catalina - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
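Review bot: the DISPLAYNAME assignment in service.bat is duplicated in the two hunks (the default built from %SERVICE_NAME% and the override built from %1 when a service name is passed), which is why this one-token change had to be made twice; setting DISPLAYNAME once after SERVICE_NAME is final, e.g. `set DISPLAYNAME=Apache Tomcat @VERSION_MAJOR_MINOR@ %SERVICE_NAME%` placed after the name has been taken from %1, would keep the two from drifting apart again. The tc7 changelog entry reuses the trunk wording and, like it, could state that the display name now uses the X.0 version number.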
svn commit: r1586963 - in /tomcat/tc6.0.x/trunk: build.properties.default res/maven/mvn.properties.default
Author: kkolinko Date: Sun Apr 13 11:30:48 2014 New Revision: 1586963 URL: http://svn.apache.org/r1586963 Log: Update for next release Modified: tomcat/tc6.0.x/trunk/build.properties.default tomcat/tc6.0.x/trunk/res/maven/mvn.properties.default Modified: tomcat/tc6.0.x/trunk/build.properties.default URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/build.properties.default?rev=1586963r1=1586962r2=1586963view=diff == --- tomcat/tc6.0.x/trunk/build.properties.default (original) +++ tomcat/tc6.0.x/trunk/build.properties.default Sun Apr 13 11:30:48 2014 @@ -25,7 +25,7 @@ # - Version Control Flags - version.major=6 version.minor=0 -version.build=39 +version.build=40 version.patch=0 version.suffix=-dev Modified: tomcat/tc6.0.x/trunk/res/maven/mvn.properties.default URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/res/maven/mvn.properties.default?rev=1586963r1=1586962r2=1586963view=diff == --- tomcat/tc6.0.x/trunk/res/maven/mvn.properties.default (original) +++ tomcat/tc6.0.x/trunk/res/maven/mvn.properties.default Sun Apr 13 11:30:48 2014 @@ -35,7 +35,7 @@ maven.asf.release.repo.url=https://repos maven.asf.release.repo.repositoryId=apache.releases # Release version info -maven.asf.release.deploy.version=6.0.39 +maven.asf.release.deploy.version=6.0.40 #Where do we load the libraries from tomcat.lib.path=../../output/build/lib - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
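Review bot: the release number is kept in two places that are bumped by hand together, `version.build=40` in build.properties.default and `maven.asf.release.deploy.version=6.0.40` in mvn.properties.default; this commit keeps them consistent, but a comment next to `maven.asf.release.deploy.version` pointing at the `version.*` properties in build.properties.default would make the pairing explicit for whoever does the next release update.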
svn commit: r1586966 - /tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Author: kkolinko Date: Sun Apr 13 12:00:07 2014 New Revision: 1586966 URL: http://svn.apache.org/r1586966 Log: https://issues.apache.org/bugzilla/show_bug.cgi?id=49993 Add changelog entry for old r1000718 That was in 7.0.3 Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1586966r1=1586965r2=1586966view=diff == --- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Sun Apr 13 12:00:07 2014 @@ -8570,6 +8570,10 @@ bug49955/bug: Improvement and correction of Building Tomcat guide. Based on a patch from Wesley Acheson. (timw) /update + update +bug49993/bug: Improve check for codeJAVA_HOME/code and add +support for codeJRE_HOME/code in codeservice.bat/code. (mturk) + /update /changelog /subsection /section - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
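Review bot: the entry is tagged `update` although bug 49993 is filed as a defect (service.bat did not validate JAVA_HOME), so a reader scanning the 7.0.3 section for bug fixes will not find it under `fix`; if `update` was chosen because the JRE_HOME support is an enhancement, consider splitting it into a `fix` for the JAVA_HOME check and an `update` for JRE_HOME support.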
svn commit: r1586967 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: kkolinko Date: Sun Apr 13 12:05:49 2014 New Revision: 1586967 URL: http://svn.apache.org/r1586967 Log: proposals Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1586967r1=1586966r2=1586967view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Apr 13 12:05:49 2014 @@ -42,6 +42,7 @@ PATCHES PROPOSED TO BACKPORT: Correct double unescaping http://people.apache.org/~markt/patches/2014-04-12-attribute-escaping-tc6-v1.patch +1: markt + -1: * Enabling building with Java 8 http://people.apache.org/~markt/patches/2014-04-12-build-with-java8-tc6-v1.patch 
@@ -50,6 +51,41 @@ PATCHES PROPOSED TO BACKPORT: +1: markt -1: +* Fix http://issues.apache.org/bugzilla/show_bug.cgi?id=49993 + Fix http://issues.apache.org/bugzilla/show_bug.cgi?id=56143 + + Improvements to service.bat: + + - Improve service.bat so that it can be launched from a non-UAC console. + This includes using a single call to tomcat6.exe to install the Windows + service rather than three calls, and using command line arguments instead + of environment variables to pass the settings. (BZ 56143) + + - Align options with *.exe Windows installer. This affects --Classpath, + --DisplayName, --StartPath, --StopPath and --LogPath. + + - Make command comparisons case-insensitive. Remove %OS% check for setlocal. + (This assumes that nobody runs on ancient non-NT systems). + + - Improve check for JAVA_HOME and add support for JRE_HOME environment + variable. (BZ 49993) + + (I am not backporting the /user option. The rest of service.bat is the + same as in TC7 TC8). + + https://people.apache.org/~kkolinko/patches/2014-04-13_tc6_service_bat.patch + +1: kkolinko + -1: + +* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56369 + Ensure that removing an MBean notification listener + reverts all the operations performed when adding an MBean notification + listener. + http://svn.apache.org/r1586897 + http://svn.apache.org/r1586960 + +1: kkolinko + -1: + PATCHES/ISSUES THAT ARE STALLED: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
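Review bot: the service.bat proposal bundles four independent changes under one patch and one vote (the single tomcat6.exe call with command-line arguments for BZ 56143, the option alignment with the installer, the case-insensitive command comparison with the `%OS%` check removed, and the JAVA_HOME/JRE_HOME check for BZ 49993), so a -1 on any one part holds up the others; splitting at least the BZ 49993 fix out would ease review and backport. The `%OS%`/setlocal removal is a compatibility assumption ("nobody runs on ancient non-NT systems") that belongs in the changelog entry as well, not only in STATUS.txt.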
[Bug 49993] service.bat does not check for JAVA_HOME validity
https://issues.apache.org/bugzilla/show_bug.cgi?id=49993

--- Comment #2 from Konstantin Kolinko knst.koli...@gmail.com ---
Fixed in the trunk as r1000718. That is included in 7.0.3 onwards.

Proposed backport for 6.0.x.

-- You are receiving this mail because: You are the assignee for the bug.
buildbot failure in ASF Buildbot on tomcat-7-trunk
The Buildbot has detected a new failure on builder tomcat-7-trunk while building ASF Buildbot.
Full details are available at: http://ci.apache.org/builders/tomcat-7-trunk/builds/1858
Buildbot URL: http://ci.apache.org/
Buildslave for this Build: bb-vm_ubuntu
Build Reason: scheduler
Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1586960
Blamelist: kkolinko
BUILD FAILED: failed compile_1
sincerely, -The Buildbot
[Bug 56369] BaseModelMBean does not clean-up attributeBroadcaster in removeNotificationListener()
https://issues.apache.org/bugzilla/show_bug.cgi?id=56369

--- Comment #2 from Konstantin Kolinko knst.koli...@gmail.com ---
I re-filed this at Apache Commons Modeler project as https://issues.apache.org/jira/browse/MODELER-31

Proposed for Tomcat 6.
[Tomcat Wiki] Update of Security/Heartbleed by ChristopherSchultz
Dear Wiki user, You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification.

The Security/Heartbleed page has been changed by ChristopherSchultz:
https://wiki.apache.org/tomcat/Security/Heartbleed

Comment: Information on Heartbleed

New page:

This Wiki entry serves as a place for all relevant information regarding [[http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160|CVE-2014-0160]] (aka the “Heartbleed” OpenSSL bug). Rather than regurgitating this information repeatedly on mailing lists, etc., please make references to this page and refer people to it. With any luck, its usefulness will be short-lived.

I’ll go ahead and put the explanations last for convenience. If you’d like to read some of the justifications, you’ll find them at the end.

== Is this a Tomcat problem? ==

No. This is a problem with a library that, under some configurations, causes your server to be vulnerable.

== Am I Vulnerable? ==

If you are running any server that uses OpenSSL version 1.0.1 with any patch level before “g” you may be vulnerable. Unless you happened to install OpenSSL 1.0.1 for the first time after 2014-04-08 or so, you are almost certainly vulnerable.

If you are running OpenSSL 0.9.8 or 1.0.0, then you are not vulnerable to this particular vulnerability.

If you are using Tomcat with any Java connector (BIO or NIO), then you are not vulnerable to this particular vulnerability.

== How do I fix my servers? ==

This is an easy 2-step process:

 1. Update OpenSSL to a version that includes the fix. The natural version number for this is 1.0.1g, though some package maintainers have chosen to back-port their fixes to versions with a lower patch-level. Among such maintainers are Debian and probably also Debian-based distributions such as Ubuntu.
 2. Re-key your server. This means creating a new RSA or DSA server key, creating a new CSR for your Certificate Authority, and applying for a replacement certificate. All CAs allow for the revocation of a server certificate due to “key compromise” which is exactly the reason for the re-keying of your server. You should be able to obtain a replacement certificate at no charge, though free-certificate providers may charge a fee for revocation/replacement.

== Is there anything else I need to do? ==

Yes: you need to change any password that ever traversed your HTTP server while vulnerable. That pretty much means you have to change all passwords, and notify your users that they should change all their passwords as well.

Unfortunately, any other sensitive information that traversed your server should be considered compromised. In many cases, there is nothing to be done unless that information can be changed (credit card numbers, account numbers, passwords etc.).

== What about servers for services that I use personally? ==

You should wait until your bank, email provider, online store, etc. patches and re-keys their servers and then change your password(s) as soon as possible.

== Why should I do any of this? ==

You need to patch your servers if you are vulnerable. That part should be obvious.

You need to re-key your servers because, during the period when your servers were vulnerable, it is possible (though improbable) that your server’s key was read remotely due to this bug. If an attacker has your key, they can decrypt any past or future communication if they can observe the encrypted traffic.
[Tomcat Wiki] Update of Security/Heartbleed by ChristopherSchultz
Dear Wiki user, You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification. The Security/Heartbleed page has been changed by ChristopherSchultz: https://wiki.apache.org/tomcat/Security/Heartbleed?action=diffrev1=1rev2=2 This is an easy 2-step process: - 1. Update OpenSSL to a version that includes the fix. The natural version number for this is 1.0.1g, though some package maintainers have chosen to back-port their fixes to versions with a lower patch-level. Among such maintainers are Debian and probably also Debian-based distributions such as Ubuntu. + 1. Update OpenSSL to a version that includes the fix. The natural version number for this is 1.0.1g, though some package maintainers have chosen to back-port their fixes to versions with a lower patch-level. Among such maintainers are Debian and probably also Debian-based distributions such as Ubuntu. - + - 2. Re-key your server. This means creating a new RSA or DSA server key, creating a new CSR for your Certificate Authority, and applying for a replacement certificate. All CAs allow for the revocation of a server certificate due to “key compromise” which is exactly the reason for the re-keying of your server. You should be able to obtain a replacement certificate at no charge, though free-certificate providers may charge a fee for revocation/replacement. + 1. Re-key your server. This means creating a new RSA or DSA server key, creating a new CSR for your Certificate Authority, and applying for a replacement certificate. All CAs allow for the revocation of a server certificate due to “key compromise” which is exactly the reason for the re-keying of your server. You should be able to obtain a replacement certificate at no charge, though free-certificate providers may charge a fee for revocation/replacement. == Is there anything else I need to do? == - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1586972 - /tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java
Author: kkolinko Date: Sun Apr 13 12:49:34 2014 New Revision: 1586972 URL: http://svn.apache.org/r1586972 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56406 Correct typo in example in VirtualDirContext javadoc. Other documentation files (config/context.xml, config/resources.xml) are OK. Modified: tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java Modified: tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java?rev=1586972r1=1586971r2=1586972view=diff == --- tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java Sun Apr 13 12:49:34 2014 @@ -69,7 +69,7 @@ public class VirtualDirContext extends F * must be separated by a comma. * /p * Example: code - * /=/Users/slaurent/mywebapp/src/main/webapp;/pictures=/Users/slaurent/sharedpictures + * /=/Users/slaurent/mywebapp/src/main/webapp,/pictures=/Users/slaurent/sharedpictures * /code * p * The path to the docBase must not be added here, otherwise resources would - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
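Review bot: the change is consistent with the sentence immediately above it ("must be separated by a comma") and with the bug report, so the example now works when copied verbatim. While the example is being touched, the `/Users/slaurent/...` paths are a developer's home directory; a neutral placeholder such as `/path/to/webapp` and `/path/to/sharedpictures` reads better in public javadoc and avoids readers pasting a real home-directory mapping into a context's extra resource paths.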
[Bug 56406] VirtualDirContext.setExtraResourcePaths incorrect separator in example semicolon instead comma
https://issues.apache.org/bugzilla/show_bug.cgi?id=56406

Konstantin Kolinko knst.koli...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Konstantin Kolinko knst.koli...@gmail.com ---
Fixed by r1586972 and will be in 7.0.54.

TC 6 and 8 not affected, they do not have this feature.
[Tomcat Wiki] Update of Security/Heartbleed by SebastianBazley
Dear Wiki user, You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification. The Security/Heartbleed page has been changed by SebastianBazley: https://wiki.apache.org/tomcat/Security/Heartbleed?action=diffrev1=2rev2=3 Comment: Revoke certificates 1. Re-key your server. This means creating a new RSA or DSA server key, creating a new CSR for your Certificate Authority, and applying for a replacement certificate. All CAs allow for the revocation of a server certificate due to “key compromise” which is exactly the reason for the re-keying of your server. You should be able to obtain a replacement certificate at no charge, though free-certificate providers may charge a fee for revocation/replacement. + 1. Revoke any certificates that might have been compromised. + This does not guarantee that the old certificate cannot still be used in MITM attacks, as most browsers don't check revocations in a timely fashion (if at all). + However it should help to catch some attacks. + == Is there anything else I need to do? == Yes: you need to change any password that ever traversed your HTTP server while vulnerable. That pretty much means you have to change all passwords, and notify your users that they should change all their passwords as well. Unfortunately, any other sensitive information that traversed your server should be consider compromised. In many cases, there is nothing to be done unless that information can be changed (credit card numbers, account numbers, passwords etc.). - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot failure in ASF Buildbot on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building ASF Buildbot.
Full details are available at: http://ci.apache.org/builders/tomcat-trunk/builds/5678
Buildbot URL: http://ci.apache.org/
Buildslave for this Build: bb-vm_ubuntu
Build Reason: scheduler
Build Source Stamp: [branch tomcat/trunk] 1586951
Blamelist: kkolinko
BUILD FAILED: failed compile_1
sincerely, -The Buildbot
Heartbleed info
All,

I've taken the liberty of creating a Heartbleed info page on the wiki. I'm going to add a mention of it under the "Not a vulnerability in Tomcat" section for the security pages for Tomcats 6, 7, and 8.

Shall I also add something to the home page as well? Or shall we just roll that into the upcoming announcement of tcnative 1.1.30? I kind of think it should do with the tcnative announcement, but Mladen hasn't yet closed the vote, published the build, etc. and I wanted to get something up sooner rather than later.

Does anyone have any suggestions for how to proceed?

Thanks,
-chris
buildbot success in ASF Buildbot on tomcat-7-trunk
The Buildbot has detected a restored build on builder tomcat-7-trunk while building ASF Buildbot.
Full details are available at: http://ci.apache.org/builders/tomcat-7-trunk/builds/1860
Buildbot URL: http://ci.apache.org/
Buildslave for this Build: bb-vm_ubuntu
Build Reason: scheduler
Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1586972
Blamelist: kkolinko
Build succeeded!
sincerely, -The Buildbot
svn commit: r1586992 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml
Author: schultz Date: Sun Apr 13 14:11:34 2014 New Revision: 1586992 URL: http://svn.apache.org/r1586992 Log: Added information about CVE-2014-0160 (OpenSSL Heartbleed). Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1586992r1=1586991r2=1586992view=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Sun Apr 13 14:11:34 2014 @@ -1927,6 +1927,30 @@ encoding issues that may still exist in the JVM. This work around is included in Tomcat 6.0.18 onwards./p + +p +strongImportant: Remote Memory Read/strong + a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160; rel=nofollowCVE-2014-0160/a (a.k.a. Heartbleed)/p + + +pA bug in certain versions of a href=www.openssl.orgOpenSSL/a +can allow an unauthenticated remote user to read certain contents of +the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29 +include this vulnerable version of OpenSSL. tcnative 1.1.30 and later +ship with patched versions of OpenSSL./p + + +pAn explanation of how to deterine whether you are vulnerable and what +steps to take, see the Tomcat Wiki's +a href=https://wiki.apache.org/tomcat/Security/Heartbleed;Heartbleed/a +page./p + + +pThis issue was first announced on 7 April 2014./p + + +pAffects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29/p + /div /div Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1586992r1=1586991r2=1586992view=diff == --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Sun Apr 13 14:11:34 2014 
@@ -1529,6 +1529,30 @@ /ul + +p +strongImportant: Remote Memory Read/strong + a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160; rel=nofollowCVE-2014-0160/a (a.k.a. Heartbleed)/p + + +pA bug in certain versions of a href=www.openssl.orgOpenSSL/a +can allow an unauthenticated remote user to read certain contents of +the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29 +include this vulnerable version of OpenSSL. tcnative 1.1.30 and later +ship with patched versions of OpenSSL./p + + +pAn explanation of how to deterine whether you are vulnerable and what +steps to take, see the Tomcat Wiki's +a href=https://wiki.apache.org/tomcat/Security/Heartbleed;Heartbleed/a +page./p + + +pThis issue was first announced on 7 April 2014./p + + +pAffects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29/p + /div /div Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1586992r1=1586991r2=1586992view=diff == --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Sun Apr 13 14:11:34 2014 
@@ -434,7 +434,28 @@ div class=text -pNo reports/p +p +strongImportant: Remote Memory Read/strong + a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0160; rel=nofollowCVE-2014-0160/a (a.k.a. Heartbleed)/p + + +pA bug in certain versions of a href=www.openssl.orgOpenSSL/a +can allow an unauthenticated remote user to read certain contents of +the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29 +include this vulnerable version of OpenSSL. tcnative 1.1.30 and later +ship with patched versions of OpenSSL./p + + +pAn explanation of how to deterine whether you are vulnerable and what +steps to take, see the Tomcat Wiki's +a href=https://wiki.apache.org/tomcat/Security/Heartbleed;Heartbleed/a +page./p + + +pThis issue was first announced on 7 April 2014./p + + +pAffects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29/p /div Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1586992r1=1586991r2=1586992view=diff == --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Sun Apr 13 14:11:34 2014 @@ -1183,8 +1183,24 @@ encoding issues that may still exist in the JVM. This work around is included in Tomcat 6.0.18 onwards./p +
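Review bot: the paragraph text repeated in each of the three html hunks has three problems that also sit in the xdocs sources listed under Modified, from which these html files are generated: `deterine` should be `determine`; `An explanation of how to deterine whether you are vulnerable and what steps to take, see the Tomcat Wiki's ...` is not a sentence (`For an explanation of how to determine ..., see ...`); and `a href=www.openssl.org` has no scheme, so browsers resolve it relative to the security page instead of to the OpenSSL site. Fix the three xml files and regenerate the html rather than editing both copies, since the security-8.html hunk shows the same text was pasted a third time by hand.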
Re: Heartbleed info
On 13/04/2014 08:09, Christopher Schultz wrote:
> All,
>
> I've taken the liberty of creating a Heartbleed info page on the wiki. I'm going to add a mention of it under the "Not a vulnerability in Tomcat" section for the security pages for Tomcats 6, 7, and 8.

And tc-native please.

> Shall I also add something to the home page as well? Or shall we just roll that into the upcoming announcement of tcnative 1.1.30? I kind of think it should do with the tcnative announcement, but Mladen hasn't yet closed the vote, published the build, etc. and I wanted to get something up sooner rather than later.

+1 to the native announcement.

> Does anyone have any suggestions for how to proceed?

Your plan looks good to me.

Mark
[Tomcat Wiki] Update of Security/Heartbleed by ChristopherSchultz
Dear Wiki user, You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification. The Security/Heartbleed page has been changed by ChristopherSchultz: https://wiki.apache.org/tomcat/Security/Heartbleed?action=diffrev1=3rev2=4 == Am I Vulnerable? == - If you are running any server that uses OpenSSL version 1.0.1 with any patch level before “g” you may be vulnerable. Unless you happened to install OpenSSL 1.0.1 for the first time after 2014-04-08 or so, you are almost certainly vulnerable. If you are running OpenSSL 0.9.8 or 1.0.0, then you are not vulnerable to this particular vulnerability. If you are using Tomcat with any Java connector (BIO or NIO), then you are not vulnerable to this particular vulnerability. + If you are running any server that uses OpenSSL version 1.0.1 with any patch level before “g” you may be vulnerable. Unless you happened to install OpenSSL 1.0.1 for the *first* time after 2014-04-08 or so, you are almost certainly vulnerable. If you are running an ASF-provided tcnative binary version 1.1.24-1.1.29, then you are vulnerable, as tcnative ships with a statically-linked OpenSSL version which is vulnerable. If you are running OpenSSL 0.9.8 or 1.0.0, then you are not vulnerable to this particular vulnerability. If you are using Tomcat with any Java connector (BIO or NIO), then you are not vulnerable to this particular vulnerability. == How do I fix my servers? == This is an easy 2-step process: - 1. Update OpenSSL to a version that includes the fix. The natural version number for this is 1.0.1g, though some package maintainers have chosen to back-port their fixes to versions with a lower patch-level. Among such maintainers are Debian and probably also Debian-based distributions such as Ubuntu. + 1. Update OpenSSL to a version that includes the fix. The natural version number for this is 1.0.1g, though some package maintainers have chosen to back-port their fixes to versions with a lower patch-level. 
Among such maintainers are Debian and probably also Debian-based distributions such as Ubuntu. tcnative 1.1.30 and later include patched versions of OpenSSL. 1. Re-key your server. This means creating a new RSA or DSA server key, creating a new CSR for your Certificate Authority, and applying for a replacement certificate. All CAs allow for the revocation of a server certificate due to “key compromise” which is exactly the reason for the re-keying of your server. You should be able to obtain a replacement certificate at no charge, though free-certificate providers may charge a fee for revocation/replacement. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
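Added example, not part of the wiki page or of the Tomcat project: a triage helper that applies the affected ranges stated on the Heartbleed wiki page above and in its tcnative update (OpenSSL 1.0.1 through 1.0.1f vulnerable, 1.0.1g fixed, 0.9.8 and 1.0.0 unaffected; ASF tcnative binaries 1.1.24 to 1.1.29 vulnerable, 1.1.30 and later patched) to the version strings Tomcat prints at startup. The sample log lines are constructed in the style of the AprLifecycleListener messages, and the page's back-port caveat is why a "vulnerable" verdict on a distribution package still has to be checked against the vendor's package changelog.

```python
import re

# Affected ranges as given on the wiki page and the security-page entries.
OPENSSL_RE = re.compile(r"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]*)")
TCNATIVE_RE = re.compile(r"Apache Tomcat Native library (\d+)\.(\d+)\.(\d+)")
VULNERABLE_TCNATIVE = ((1, 1, 24), (1, 1, 29))   # inclusive, ASF binaries
FIRST_FIXED_TCNATIVE = (1, 1, 30)


def openssl_status(version_text):
    """Classify an 'OpenSSL x.y.z<letter>' string.

    Returns 'vulnerable', 'fixed', 'unaffected' or 'unknown'. Caveat from the
    page: Debian and derivatives back-ported the fix without changing the
    letter, so 'vulnerable' on a distro package means "unless the vendor
    back-ported the fix"; the letter alone cannot prove the fix is absent.
    """
    m = OPENSSL_RE.search(version_text)
    if not m:
        return "unknown"
    release = tuple(int(m.group(i)) for i in (1, 2, 3))
    letter = m.group(4)                       # '' for a bare 1.0.1
    if release in ((0, 9, 8), (1, 0, 0)):
        return "unaffected"                   # branches without the bug
    if release == (1, 0, 1):
        # 1.0.1 (no letter) through 1.0.1f are affected; 1.0.1g carries the fix
        return "fixed" if letter >= "g" else "vulnerable"
    return "unknown"                          # other branch or odd layout


def tcnative_status(version_text):
    """Classify the tcnative version Tomcat reports when the APR connector loads."""
    m = TCNATIVE_RE.search(version_text)
    if not m:
        return "unknown"
    v = tuple(int(m.group(i)) for i in (1, 2, 3))
    if VULNERABLE_TCNATIVE[0] <= v <= VULNERABLE_TCNATIVE[1]:
        return "vulnerable"                   # statically linked vulnerable OpenSSL
    if v >= FIRST_FIXED_TCNATIVE:
        return "fixed"
    return "unknown"                          # the page says nothing about older builds


def triage_startup_log(log_text):
    """Return {'tcnative': ..., 'openssl': ...} from Tomcat startup output.

    Without a 'Loaded APR based ...' line the native connector is not in use,
    and per the page Tomcat's own Java connectors (BIO/NIO) are not affected.
    """
    result = {"tcnative": "not loaded", "openssl": "not initialized"}
    for line in log_text.splitlines():
        if "Apache Tomcat Native library" in line:
            result["tcnative"] = tcnative_status(line)
        elif "OpenSSL successfully initialized" in line:
            result["openssl"] = openssl_status(line)
    return result


# Constructed sample, in the style of Tomcat's AprLifecycleListener messages.
SAMPLE_LOG = """\
Apr 13, 2014 9:00:01 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.
Apr 13, 2014 9:00:01 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
"""

if __name__ == "__main__":
    print(triage_startup_log(SAMPLE_LOG))   # both verdicts: vulnerable
```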
Re: Heartbleed info
Mark,

On 4/13/14, 10:10 AM, Mark Thomas wrote:
> On 13/04/2014 08:09, Christopher Schultz wrote:
>> All,
>>
>> I've taken the liberty of creating a Heartbleed info page on the wiki. I'm going to add a mention of it under the "Not a vulnerability in Tomcat" section for the security pages for Tomcats 6, 7, and 8.
>
> And tc-native please.
>
>> Shall I also add something to the home page as well? Or shall we just roll that into the upcoming announcement of tcnative 1.1.30? I kind of think it should do with the tcnative announcement, but Mladen hasn't yet closed the vote, published the build, etc. and I wanted to get something up sooner rather than later.
>
> +1 to the native announcement.
>
>> Does anyone have any suggestions for how to proceed?
>
> Your plan looks good to me.

Okay, good. I've updated the Tomcat security info (will do tcnative soon).

Once I've done that, what's the process to actually refresh the website? I re-built and committed the .html files from svn already.

-chris
Re: Heartbleed info
On 13/04/2014 08:18, Christopher Schultz wrote:
> Mark,
>
> On 4/13/14, 10:10 AM, Mark Thomas wrote:
>> On 13/04/2014 08:09, Christopher Schultz wrote:
>>> All,
>>>
>>> I've taken the liberty of creating a Heartbleed info page on the wiki. I'm going to add a mention of it under the "Not a vulnerability in Tomcat" section for the security pages for Tomcats 6, 7, and 8.
>>
>> And tc-native please.
>>
>>> Shall I also add something to the home page as well? Or shall we just roll that into the upcoming announcement of tcnative 1.1.30? I kind of think it should do with the tcnative announcement, but Mladen hasn't yet closed the vote, published the build, etc. and I wanted to get something up sooner rather than later.
>>
>> +1 to the native announcement.
>>
>>> Does anyone have any suggestions for how to proceed?
>>
>> Your plan looks good to me.
>
> Okay, good. I've updated the Tomcat security info (will do tcnative soon).
>
> Once I've done that, what's the process to actually refresh the website? I re-built and committed the .html files from svn already.

That is all you need to do. The site should update a few seconds later.

Mark
[Bug 56403] Support pluggable password-derivation in Realms
https://issues.apache.org/bugzilla/show_bug.cgi?id=56403

Gabriel gabrielesanc...@gmail.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |gabrielesanc...@gmail.com
[Bug 56403] Support pluggable password-derivation in Realms
https://issues.apache.org/bugzilla/show_bug.cgi?id=56403

--- Comment #1 from Gabriel gabrielesanc...@gmail.com ---
This is a much needed feature, I think. Has it been decided that this will never be in Tomcat7?

Note that Bug 51966, marked for Tomcat 6, relates to storing passwords more securely using salt and password hashes. I'd say that that feature should be available to Tomcat users without requiring them to write their own code, but it makes sense to use the pluggable interface proposed here to accomplish that.
[Bug 51966] Tomcat does not support ssha hashed passwords in all contexts
https://issues.apache.org/bugzilla/show_bug.cgi?id=51966

--- Comment #22 from Gabriel gabrielesanc...@gmail.com ---
Note Bug 56403 for Tomcat 8 deals with a pluggable interface that would make it easier to resolve this.
[Bug 56403] Support pluggable password-derivation in Realms
https://issues.apache.org/bugzilla/show_bug.cgi?id=56403

--- Comment #2 from Christopher Schultz ch...@christopherschultz.net ---
I don't see a reason not to back-port it to Tomcat 7. Since it's a breaking API change, I'll be asking for RTC for a back-port. I suspect it will make it.

Note that Tomcat 6's implementation (identical in all important ways to that of Tomcat 7 and 8) is not /insecure/, just not terribly secure if being used without any additional controls.

As for providing salted passwords out of the box, I'd suggest that salting isn't enough and that iteration is also necessary, etc. and that at this point simply using PBKDF2 or some other password-munging scheme is more appropriate. I do note that PBKDF2 (mis-typed as PBKDF11 in the description) does not store the number of iterations in the generated password, which means that you either need to adjust the data you actually store to include it, or you can never change the number of iterations.

I suspect we'll provide a PBKDF2 implementation out of the box, but nothing else to avoid any library dependencies. Using the PBKDF2 implementation as an example would make writing a bcrypt- or scrypt-based implementation fairly easy.
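As an added illustration of the point made in the comment above about storing the iteration count with the digest (example code, not Tomcat's Realm API; the `pbkdf2-sha256$iterations$salt$digest` record format is constructed for this example): iteration count, salt and digest travel together, so verification uses the record's own count and a record produced under an older, lower count can be re-hashed on the next successful login.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed record format for this example (not Tomcat's): everything the
# verifier needs is stored with the credential, including the iteration count,
# so the count can be raised later without invalidating existing records.
#     pbkdf2-sha256$<iterations>$<salt hex>$<digest hex>
ALGORITHM = "pbkdf2-sha256"
SALT_BYTES = 16
DIGEST_BYTES = 32
CURRENT_ITERATIONS = 100_000      # policy value, meant to be raised over time


def hash_password(password: str, iterations: int = CURRENT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Derive a stored credential from a password, with a fresh random salt by default."""
    if iterations < 1:
        raise ValueError("iterations must be positive")
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 iterations, dklen=DIGEST_BYTES)
    return "$".join([ALGORITHM, str(iterations), salt.hex(), digest.hex()])


def parse_record(stored: str) -> Tuple[int, bytes, bytes]:
    """Split a stored credential into (iterations, salt, digest), rejecting malformed input."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        raise ValueError("unrecognised credential format")
    iterations = int(parts[1])
    if iterations < 1:
        raise ValueError("bad iteration count in stored credential")
    return iterations, bytes.fromhex(parts[2]), bytes.fromhex(parts[3])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the record's own iteration count and compare in constant time."""
    iterations, salt, expected = parse_record(stored)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                    iterations, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, policy_iterations: int = CURRENT_ITERATIONS) -> bool:
    """True when the record was produced with fewer iterations than current policy."""
    iterations, _, _ = parse_record(stored)
    return iterations < policy_iterations


def login_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Realm-style flow: verify, and on success re-hash an outdated record.

    The upgrade can only happen at login, because the plaintext is needed to
    derive the new digest; a record that did not carry its own count could
    never be told apart from a current one.
    """
    if not verify_password(password, stored):
        return False, stored
    if needs_rehash(stored):
        stored = hash_password(password)   # new salt, current iteration count
    return True, stored


if __name__ == "__main__":
    old = hash_password("correct horse", iterations=10_000)   # from an older policy
    ok, upgraded = login_and_upgrade("correct horse", old)
    print(ok, parse_record(upgraded)[0])   # True 100000
```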
Re: svn commit: r1586992 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml
2014-04-13 18:11 GMT+04:00 schu...@apache.org:
> Author: schultz
> Date: Sun Apr 13 14:11:34 2014
> New Revision: 1586992
>
> URL: http://svn.apache.org/r1586992
> Log:
> Added information about CVE-2014-0160 (OpenSSL Heartbleed).
>
> Modified:
> tomcat/site/trunk/docs/security-6.html
> tomcat/site/trunk/docs/security-7.html
> tomcat/site/trunk/docs/security-8.html
> tomcat/site/trunk/xdocs/security-6.xml
> tomcat/site/trunk/xdocs/security-7.xml
> tomcat/site/trunk/xdocs/security-8.xml

Note, that there is also separate page for Tomcat-Native,
http://tomcat.apache.org/security-native.html

Strictly speaking, this affects Windows versions (zip, exe) of Tomcat that bundle those versions of TC-Native,

Best regards,
Konstantin Kolinko
[Bug 56403] Support pluggable password-derivation in Realms
https://issues.apache.org/bugzilla/show_bug.cgi?id=56403

--- Comment #3 from Gabriel gabrielesanc...@gmail.com ---

(In reply to Christopher Schultz from comment #2)
> I don't see a reason not to back-port it to Tomcat 7. Since it's a breaking API change, I'll be asking for RTC for a back-port. I suspect it will make it.

That would be very good, since many systems, for example those running Ubuntu 14.04 LTS for the next few years, will be running Tomcat 7 by default.

> Note that Tomcat 6's implementation (identical in all important ways to that of Tomcat 7 and 8) is not /insecure/, just not terribly secure if being used without any additional controls.

I understand that if the password table is never stolen this is not an issue, but I don't want to be irresponsible and not use best practices. The current implementation makes it difficult for admins to follow best practice.

> As for providing salted passwords out of the box, I'd suggest that salting isn't enough and that iteration is also necessary, etc. and that at this point simply using PBKDF2 or some other password-munging scheme is more appropriate. I do note that PBKDF2 (mis-typed as PBKDF11 in the description) does not store the number of iterations in the generated password which means that you either need to adjust the data you actually store to include it, or you can never change the number of iterations.

Agree that PBKDF2 is the way to go if one wants to be conservative but follow best practice. It is what I wish to use in my web applications. Changing the number of iterations should be allowed.

I would prefer to have separate data columns for salt, password digest, and number of iterations, but wouldn't mind if they are all in one delimited field. The beauty of the proposed pluggable interface is that it will be easy to do either, right?

> I suspect we'll provide a PBKDF2 implementation out of the box, but nothing else to avoid any library dependencies.
> Using the PBKDF2 implementation as an example would make writing a bcrypt- or scrypt-based implementation fairly easy.

That would be splendid.

Noting that this bug is about the pluggable interface and not the PBKDF2 implementation, and that a PBKDF2 implementation would probably use the new pluggable interface (am I right to assume that?), should a new bug be created that depends on this one?
svn commit: r1587094 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: kkolinko
Date: Sun Apr 13 20:41:10 2014
New Revision: 1587094

URL: http://svn.apache.org/r1587094
Log:
Add documentation patch (backport of r1568920)

Modified:
tomcat/tc6.0.x/trunk/STATUS.txt

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1587094&r1=1587093&r2=1587094&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Sun Apr 13 20:41:10 2014 @@ -74,6 +74,7 @@ PATCHES PROPOSED TO BACKPORT: same as in TC7 TC8). https://people.apache.org/~kkolinko/patches/2014-04-13_tc6_service_bat.patch + https://people.apache.org/~kkolinko/patches/2014-04-13_tc6_service_bat_docs.patch (documentation) +1: kkolinko -1:
[Tomcat Wiki] Update of Security/Heartbleed by SebastianBazley
Dear Wiki user,

You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification.

The Security/Heartbleed page has been changed by SebastianBazley:
https://wiki.apache.org/tomcat/Security/Heartbleed?action=diff&rev1=4&rev2=5

Comment:
Remove unintentional line break

1. Re-key your server. This means creating a new RSA or DSA server key, creating a new CSR for your Certificate Authority, and applying for a replacement certificate. All CAs allow for the revocation of a server certificate due to “key compromise” which is exactly the reason for the re-keying of your server. You should be able to obtain a replacement certificate at no charge, though free-certificate providers may charge a fee for revocation/replacement. + 1. Revoke any certificates that might have been compromised. This does not guarantee that the old certificate cannot still be used in MITM attacks, as most browsers don't check revocations in a timely fashion (if at all). However it should help to catch some attacks. - 1. Revoke any certificates that might have been compromised. - This does not guarantee that the old certificate cannot still be used in MITM attacks, as most browsers don't check revocations in a timely fashion (if at all). - However it should help to catch some attacks. == Is there anything else I need to do? ==
Re: svn commit: r1586890 - in /tomcat/trunk: java/org/apache/jasper/compiler/ELParser.java test/org/apache/jasper/compiler/TestELParser.java test/org/apache/jasper/compiler/TestParser.java test/webapp
2014-04-13 0:07 GMT+04:00 ma...@apache.org:

Author: markt
Date: Sat Apr 12 20:07:54 2014
New Revision: 1586890

URL: http://svn.apache.org/r1586890
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56334
Correct double backslash escaping in attributes

Added:
tomcat/trunk/test/webapp/bug5/bug56334.jspx
Modified:
tomcat/trunk/java/org/apache/jasper/compiler/ELParser.java
tomcat/trunk/test/org/apache/jasper/compiler/TestELParser.java
tomcat/trunk/test/org/apache/jasper/compiler/TestParser.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/jasper/compiler/ELParser.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/compiler/ELParser.java?rev=1586890&r1=1586889&r2=1586890&view=diff
==
--- tomcat/trunk/java/org/apache/jasper/compiler/ELParser.java (original) +++ tomcat/trunk/java/org/apache/jasper/compiler/ELParser.java Sat Apr 12 20:07:54 2014 @@ -209,7 +209,7 @@ public class ELParser { prev = 0; if (ch == '\\') { buf.append('\\'); -prev = '\\'; +continue; } else if (ch == '$' || (!isDeferredSyntaxAllowedAsLiteral ch == '#')) { buf.append(ch);

I think it needs 'continue;' here in this branch as well. (So that if (ch == '\\' || ch == '$' block below does not happen and does not set prev=ch. )

I wonder what a test case it will be.
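Review bot: in the first hunk the `else if (ch == '$' || ...)` branch still falls through after `buf.append(ch);` while the `ch == '\\'` branch now ends in `continue;`, so the two escaped forms are no longer handled symmetrically; if the code below this excerpt sets `prev = ch` for both, as the reply describes, an escaped `$` or `#` is still recorded as a pending escape and an escaped backslash is not. Suggest adding `continue;` to that branch as well (or a comment stating why the fall-through is wanted) and covering `\$` and `\#` inside an attribute value in TestELParser.java so the intended behaviour is pinned by a test.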
@@ -468,18 +468,18 @@ public class ELParser { @Override public void visit(Function n) throws JasperException { -output.append(n.getOriginalText()); +output.append(Generator.escape(n.getOriginalText()));

The above method is escaping for Java strings. E.g. it escapes LF -> '\' + 'n', but that is a wrong escaping for this use case.

output.append('('); } @Override public void visit(Text n) throws JasperException { -output.append(n.getText()); +output.append(Generator.escape(n.getText())); } @Override public void visit(ELText n) throws JasperException { -output.append(n.getText()); +output.append(Generator.escape(n.getText())); } } }

Best regards,
Konstantin Kolinko
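Review bot: the second hunk routes `n.getOriginalText()` and `n.getText()` through `Generator.escape(...)` in the Function, Text and ELText visitors, but as the reply notes that routine escapes for Java string literals (LF becomes the two characters `\` and `n`), so any literal containing a newline, tab or quote reaches `output` altered. Suggest checking what consumes `output` and, if it is not emitted as a Java string literal, using an escaping routine that matches that target; a TestELParser.java case with a newline inside quoted text would make the difference visible.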
[Tomcat Wiki] Update of Security/Heartbleed by SebastianBazley
Dear Wiki user,

You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification.

The Security/Heartbleed page has been changed by SebastianBazley:
https://wiki.apache.org/tomcat/Security/Heartbleed?action=diff&rev1=5&rev2=6

Comment:
Mention wild-card certificates

== Is there anything else I need to do? == + Yes: you need to change any password that ever traversed any HTTP server that was using the potentially compromised certificate. If the certificate was a wildcard certificate, then a single vulnerable server would be sufficient to compromise the certificate and thus the traffic on all other servers using the same certificate. + - Yes: you need to change any password that ever traversed your HTTP server while vulnerable. That pretty much means you have to change all passwords, and notify your users that they should change all their passwords as well. Unfortunately, any other sensitive information that traversed your server should be consider compromised. In many cases, there is nothing to be done unless that information can be changed (credit card numbers, account numbers, passwords etc.). + That pretty much means you have to change all passwords, and notify your users that they should change all their passwords as well. Unfortunately, any other sensitive information that traversed your server should be consider compromised. In many cases, there is nothing to be done unless that information can be changed (credit card numbers, account numbers, passwords etc.). == What about servers for services that I use personally? ==
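Review bot: the added `+ That pretty much means ...` line carries over the typo "should be consider compromised" from the removed line; suggest "should be considered compromised" while this paragraph is being edited.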
[Bug 52688] Add ability to remove old access log files [PATCHES]
https://issues.apache.org/bugzilla/show_bug.cgi?id=52688

Anthony Jones anth...@anthonyandtobie.com changed:

What|Removed |Added
CC||anth...@anthonyandtobie.com
Wiki
Hi,

Please allow me to edit Tomcat wiki.

-Ognjen
Re: [VOTE] Release Apache Tomcat Connectors 1.2.40
On 12/04/2014, at 1:17 am, Mladen Turk mt...@apache.org wrote:
> Hi,
>
> Apache Tomcat Connectors 1.2.40 release candidate is ready for vote at [1].
> The build was done using tag [2].
>
> This version is a bugfix release, fixing some issues found in version 1.2.39.
>
> The VOTE will remain open for at least 48 hours.
>
> The Apache Tomcat Connectors 1.2.40 is
> [x] Stable, go ahead and release
> [ ] Broken because of ...

+1

Built and tested with Apache 2.0, 2.2, 2.4 on OS X. Builds with some warnings. Still have to patch https://issues.apache.org/bugzilla/show_bug.cgi?id=55696 on OS X.

cheers
tim

> [1] http://people.apache.org/~mturk/tomcat-connectors/jk-1.2.40/
> [2] https://svn.apache.org/repos/asf/tomcat/jk/tags/JK_1_2_40/
>
> Regards
> --
> ^TM
[Bug 56387] tomcat shutdown throw a NoClassDefFoundError
https://issues.apache.org/bugzilla/show_bug.cgi?id=56387

--- Comment #2 from qiubo...@qq.com ---

Yes, thread b could see the non-updated value started=true, my typo.

We found this exception:

java.lang.NoClassDefFoundError: org/jboss/netty/util/internal/ExecutorUtil
at org.jboss.netty.channel.socket.nio.NioServerSocketChannelFactory.releaseExternalResources(NioServerSocketChannelFactory.java:146) ~[netty-3.2.5.Final.jar:na]
at org.jboss.netty.bootstrap.Bootstrap.releaseExternalResources(Bootstrap.java:324) ~[netty-3.2.5.Final.jar:na]
at com.alibaba.dubbo.remoting.transport.netty.NettyServer.doClose(NettyServer.java:124) ~[dubbo-2.5.3.jar:2.5.3]
at com.alibaba.dubbo.remoting.transport.AbstractServer.close(AbstractServer.java:155) [dubbo-2.5.3.jar:2.5.3]
at com.alibaba.dubbo.remoting.transport.AbstractServer.close(AbstractServer.java:163) [dubbo-2.5.3.jar:2.5.3]
at com.alibaba.dubbo.remoting.exchange.support.header.HeaderExchangeServer.close(HeaderExchangeServer.java:121) [dubbo-2.5.3.jar:2.5.3]
at com.alibaba.dubbo.rpc.protocol.dubbo.DubboProtocol.destroy(DubboProtocol.java:395) [dubbo-2.5.3.jar:2.5.3]
at com.alibaba.dubbo.rpc.protocol.ProtocolFilterWrapper.destroy(ProtocolFilterWrapper.java:66) [dubbo-2.5.3.jar:2.5.3]
at com.alibaba.dubbo.rpc.protocol.ProtocolListenerWrapper.destroy(ProtocolListenerWrapper.java:72) [dubbo-2.5.3.jar:2.5.3]
at com.alibaba.dubbo.config.ProtocolConfig.destroyAll(ProtocolConfig.java:435) [dubbo-2.5.3.jar:2.5.3]
at com.alibaba.dubbo.config.AbstractConfig$1.run(AbstractConfig.java:452) [dubbo-2.5.3.jar:2.5.3]
at java.lang.Thread.run(Thread.java:722) [na:1.7.0_03]
Caused by: java.lang.ClassNotFoundException: org.jboss.netty.util.internal.ExecutorUtil
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1711) ~[na:na]
at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1556) ~[na:na]
... 12 common frames omitted

The thread b is a Java shutdown hook, so it hasn't been stopped.
[Bug 56403] Support pluggable password-derivation in Realms
https://issues.apache.org/bugzilla/show_bug.cgi?id=56403

--- Comment #4 from Christopher Schultz ch...@christopherschultz.net ---

(In reply to Gabriel from comment #3)
> (In reply to Christopher Schultz from comment #2)
>> I don't see a reason not to back-port it to Tomcat 7. Since it's a breaking API change, I'll be asking for RTC for a back-port. I suspect it will make it.
>
> That would be very good, since many systems, for example those running Ubuntu 14.04 LTS for the next few years, will be running Tomcat 7 by default.

Just remember that switching from one password standard to another is ... hard. If you want to switch from using MD5 to SHA1 to SHA2 to RIPEMD, you basically have to write your own password-checker. Fortunately, this will be entirely possible using the tools we will provide.

>> Note that Tomcat 6's implementation (identical in all important ways to that of Tomcat 7 and 8) is not /insecure/, just not terribly secure if being used without any additional controls.
>
> I understand that if the password table is never stolen this is not an issue, but I don't want to be irresponsible and not use best practices. The current implementation makes it difficult for admins to follow best practice.

+1

>> As for providing salted passwords out of the box, I'd suggest that salting isn't enough and that iteration is also necessary, etc. and that at this point simply using PBKDF2 or some other password-munging scheme is more appropriate. I do note that PBKDF2 (mis-typed as PBKDF11 in the description) does not store the number of iterations in the generated password which means that you either need to adjust the data you actually store to include it, or you can never change the number of iterations.
>
> Agree that PBKDF2 is the way to go if one wants to be conservative but follow best practice. It is what I wish to use in my web applications. Changing the number of iterations should be allowed.
>
> I would prefer to have separate data columns for salt, password digest, and number of iterations, but wouldn't mind if they are all in one delimited field. The beauty of the proposed pluggable interface is that it will be easy to do either, right?

One delimited field is what pretty much everyone expects. Besides, the Tomcat interface is going to have to be simple so I suspect we'll just have a single stored credential byte array or string and present the user's (attempted) password in the same format. The password-munger can do whatever is necessary to compare the two.

I suppose it couldn't hurt to add iterations to the list of understood configuration attributes. Since we'll need it for PBKDF2, we may as well enable it for the digest-based algorithms, too.

>> I suspect we'll provide a PBKDF2 implementation out of the box, but nothing else to avoid any library dependencies.
>> Using the PBKDF2 implementation as an example would make writing a bcrypt- or scrypt-based implementation fairly easy.
>
> That would be splendid.
>
> Noting that this bug is about the pluggable interface and not the PBKDF2 implementation, and that a PBKDF2 implementation would probably use the new pluggable interface (am I right to assume that?), should a new bug be created that depends on this one?

Let's just assume that PBKDF2 is my target implementation (as well as a backward-compatible plain-old-digest implementation of course) and go ahead and track suggestions for it, here. There's no need to file additional enhancement requests.
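The storage scheme the three comments above converge on (iteration count, salt and derived key kept together in one delimited field, compared by a pluggable handler that is given the stored credential and the attempted password) as an added worked example. This is not code from Tomcat or from the bug's eventual patch: the class name `Pbkdf2CredentialHandler`, its `mutate`/`matches` methods, the `$`-delimited layout and the sample passwords are assumptions of this sketch. It relies only on the JDK (`SecretKeyFactory` with `PBKDF2WithHmacSHA1`, `MessageDigest.isEqual`), in line with the "no library dependencies" constraint stated in the thread.

```java
import java.security.MessageDigest;
import java.security.SecureRandom;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

/**
 * Hypothetical pluggable password-munger (names are this example's own, not
 * Tomcat's API). The realm hands it the stored credential string and the
 * attempted clear-text password; the handler does the comparison.
 *
 * Stored layout, one delimited field:  <iterations>$<salt-hex>$<derived-key-hex>
 * PBKDF2 output carries no iteration count, so the count is written into the
 * field; verification reads it back from there, which lets the configured
 * count be raised later without invalidating entries already stored.
 */
public final class Pbkdf2CredentialHandler {

    private static final String ALGORITHM = "PBKDF2WithHmacSHA1"; // JDK-provided
    private static final SecureRandom RANDOM = new SecureRandom();

    private final int iterations; // used only when creating new credentials
    private final int saltBytes;
    private final int keyBits;

    public Pbkdf2CredentialHandler(int iterations, int saltBytes, int keyBits) {
        if (iterations < 1 || saltBytes < 8 || keyBits < 64) {
            throw new IllegalArgumentException("weak parameters");
        }
        this.iterations = iterations;
        this.saltBytes = saltBytes;
        this.keyBits = keyBits;
    }

    /** Produce the stored form of a new or changed password. */
    public String mutate(String password) throws Exception {
        byte[] salt = new byte[saltBytes];
        RANDOM.nextBytes(salt);
        byte[] dk = derive(password, salt, iterations, keyBits);
        return iterations + "$" + toHex(salt) + "$" + toHex(dk);
    }

    /** Check an attempted password against a stored credential; false for any malformed entry. */
    public boolean matches(String attempted, String stored) throws Exception {
        if (attempted == null || stored == null) return false;
        String[] parts = stored.split("\\$");
        if (parts.length != 3) return false;
        int iters;
        try { iters = Integer.parseInt(parts[0]); } catch (NumberFormatException e) { return false; }
        byte[] salt = fromHex(parts[1]);
        byte[] expected = fromHex(parts[2]);
        if (iters < 1 || salt == null || salt.length == 0 || expected == null || expected.length == 0) {
            return false;
        }
        // Re-derive with the parameters recorded in the entry, not the handler's current config.
        byte[] actual = derive(attempted, salt, iters, expected.length * 8);
        // isEqual compares every byte rather than stopping at the first mismatch.
        return MessageDigest.isEqual(expected, actual);
    }

    private static byte[] derive(String password, byte[] salt, int iters, int keyBits) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password.toCharArray(), salt, iters, keyBits);
        try {
            return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // scrub the clear-text copy held by the spec
        }
    }

    private static String toHex(byte[] b) {
        StringBuilder sb = new StringBuilder(b.length * 2);
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    /** Returns null for odd-length or non-hex input. */
    private static byte[] fromHex(String s) {
        if (s.length() % 2 != 0) return null;
        byte[] out = new byte[s.length() / 2];
        for (int i = 0; i < out.length; i++) {
            int hi = Character.digit(s.charAt(2 * i), 16);
            int lo = Character.digit(s.charAt(2 * i + 1), 16);
            if (hi < 0 || lo < 0) return null;
            out[i] = (byte) ((hi << 4) | lo);
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        // Sample passwords below are constructed for this demo.
        Pbkdf2CredentialHandler current = new Pbkdf2CredentialHandler(20000, 16, 160);
        String stored = current.mutate("correct horse battery staple");
        System.out.println("stored: " + stored);
        if (!current.matches("correct horse battery staple", stored)) throw new AssertionError("good password rejected");
        if (current.matches("wrong password", stored)) throw new AssertionError("bad password accepted");
        // An entry written under an older, smaller iteration count still verifies
        // against the current handler because the count is read from the field.
        Pbkdf2CredentialHandler legacy = new Pbkdf2CredentialHandler(1000, 16, 160);
        if (!current.matches("legacy", legacy.mutate("legacy"))) throw new AssertionError("legacy entry rejected");
        if (current.matches("anything", "not$a$credential")) throw new AssertionError("malformed entry accepted");
        System.out.println("all checks passed");
    }
}
```

Raising the handler's configured iteration count only affects credentials produced by `mutate` from then on; existing rows keep verifying because `matches` trusts the count embedded in the row, which is exactly the migration property the thread asks for. The same layout would accommodate a bcrypt- or scrypt-based handler by changing what `derive` computes and what the leading field encodes.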
Re: Wiki
2014-04-14 3:03 GMT+04:00 Ognjen Blagojevic ognjen.d.blagoje...@gmail.com:
> Hi,
>
> Please allow me to edit Tomcat wiki.

OK, but did you create an account there?

Your Wiki account name = ?
[GitHub] tomcat pull request: Add maxStartTime to RequestInfo RequestGrou...
GitHub user weipeng2k opened a pull request:

https://github.com/apache/tomcat/pull/5

Add maxStartTime to RequestInfo RequestGroupInfo.

When retrieving Tomcat's request processor info through JMX, we can get maxTime and the maxRequestUri. Add maxStartTime (type is long, millis, starting from 1970) to RequestInfo, so we can know what time this max request happened.

You can merge this pull request into a Git repository by running:

$ git pull https://github.com/weipeng2k/tomcat trunk

Alternatively you can review and apply these changes as the patch at:

https://github.com/apache/tomcat/pull/5.patch

To close this pull request, make a commit to your master/trunk branch with (at least) the following in the commit message:

This closes #5

commit bbe06e4c803426c31717cf4f2298a9829ae37749
Author: weipeng2k weipen...@126.com
Date: 2014-04-14T05:33:42Z

RequestInfo add maxStartTime property.
Add max start time, the longest response start time for a request.

commit be7af1c3a52508444d9954bc224c8b2134056029
Author: weipeng2k weipen...@126.com
Date: 2014-04-14T05:44:55Z

reverse

---
If your project is set up for it, you can reply to this email and have your reply appear on GitHub as well. If your project does not have this feature enabled and wishes so, or if the feature is enabled but not working, please contact infrastructure at infrastruct...@apache.org or file a JIRA ticket with INFRA.
---