[Bug 56561] NoSuchElementException on empty attribute in Validator$ValidateVisitor.getJspAttribute(Validator.java:1385)

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56561

--- Comment #3 from Mark Thomas ma...@apache.org ---
We don't revoke releases, we just produce a new release.

How quickly the next set of releases happens depends on a number of factors. I
was planning another 8.0.x shortly anyway to try and get back to a monthly
release cycle. I can also do 6.0.x if necessary. It is always a balancing act
between waiting to see if further issues emerge and getting another release
out. At this point, I think it probably makes sense to wait a little longer.
I'll aim to do a new 6.0.x release shortly after the next 8.0.x release.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 56568] New: Incompatible change in JSPs only permit GET POST or HEAD

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56568

Bug ID: 56568
   Summary: Incompatible change in JSPs only permit GET POST or
HEAD
   Product: Tomcat 8
   Version: 8.0.1
  Hardware: PC
Status: NEW
  Severity: normal
  Priority: P2
 Component: Jasper
  Assignee: dev@tomcat.apache.org
  Reporter: gkis...@yandex.ru

Since JSP 2.3 (Tomcat 8) the only supported methods for a JSP are GET, POST or HEAD:

https://jcp.org/aboutJava/communityprocess/maintenance/jsr245/245-MR3.html
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/jasper/servlet/JspServlet.java?view=diff&r1=1497877&r2=1497878&pathrev=1497878

But, I suppose, it is a big incompatible change: for example, an exception
handler is commonly used to forward to a JSP for rendering the exception, and
instead of the JSP view, since JSP 2.3, the response is:

Method Not Allowed
HTTP Status 405 - JSPs only permit GET POST or HEAD 

description The specified HTTP method is not allowed for the requested
resource.
Apache Tomcat/8.0.3

If we use REST and Spring HandlerExceptionResolver, in case of an exception we
bump into this problem for sure. Is there any workaround for this problem
(instead of changing the HTTP method type)?


http://stackoverflow.com/questions/23886941/http-status-405-jsps-only-permit-get-post-or-head




[Bug 56568] Incompatible change in JSPs only permit GET POST or HEAD

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56568

Grigory gkis...@yandex.ru changed:

   What|Removed |Added

   Hardware|PC  |All
 OS||All

--- Comment #1 from Grigory gkis...@yandex.ru ---
http://stackoverflow.com/questions/23886941/http-status-405-jsps-only-permit-get-post-or-head




svn commit: r1597753 - /tomcat/trunk/test/webapp/bug5nnnn/bug56334and56561.jspx

2014-05-27 Thread kkolinko
Author: kkolinko
Date: Tue May 27 11:59:14 2014
New Revision: 1597753

URL: http://svn.apache.org/r1597753
Log:
Add license header

Modified:
tomcat/trunk/test/webapp/bug5/bug56334and56561.jspx

Modified: tomcat/trunk/test/webapp/bug5/bug56334and56561.jspx
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/webapp/bug5/bug56334and56561.jspx?rev=1597753&r1=1597752&r2=1597753&view=diff
==
--- tomcat/trunk/test/webapp/bug5/bug56334and56561.jspx (original)
+++ tomcat/trunk/test/webapp/bug5/bug56334and56561.jspx Tue May 27 11:59:14 
2014
@@ -1,3 +1,20 @@
+?xml version=1.0 encoding=utf-8 ?
+!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the License); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an AS IS BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+--
 jsp:root version=2.3
 xmlns=http://www.w3.org/1999/xhtml;
 xmlns:jsp=http://java.sun.com/JSP/Page;






svn commit: r1597754 - /tomcat/trunk/test/webapp/bug5nnnn/bug53545.html

2014-05-27 Thread kkolinko
Author: kkolinko
Date: Tue May 27 12:01:52 2014
New Revision: 1597754

URL: http://svn.apache.org/r1597754
Log:
Add license header

Modified:
tomcat/trunk/test/webapp/bug5/bug53545.html

Modified: tomcat/trunk/test/webapp/bug5/bug53545.html
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/webapp/bug5/bug53545.html?rev=1597754&r1=1597753&r2=1597754&view=diff
==
--- tomcat/trunk/test/webapp/bug5/bug53545.html (original)
+++ tomcat/trunk/test/webapp/bug5/bug53545.html Tue May 27 12:01:52 2014
@@ -1,3 +1,19 @@
+!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the License); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an AS IS BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+--
 html
   body
 pOK/p
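Review bot: the added comment now sits before `html` in a resource that the test web application serves to the client as-is, so the body returned for bug53545.html is the licence text followed by the `pOK/p` markup rather than that markup alone; any test that compares the whole response body instead of searching for `OK` will need to be adjusted, and it is worth confirming that the existing test for bug 53545 does the latter before this goes in.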






svn commit: r1597755 - /tomcat/trunk/test/webapp/WEB-INF/bug53545.tld

2014-05-27 Thread kkolinko
Author: kkolinko
Date: Tue May 27 12:04:30 2014
New Revision: 1597755

URL: http://svn.apache.org/r1597755
Log:
Add license header

Modified:
tomcat/trunk/test/webapp/WEB-INF/bug53545.tld

Modified: tomcat/trunk/test/webapp/WEB-INF/bug53545.tld
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/webapp/WEB-INF/bug53545.tld?rev=1597755&r1=1597754&r2=1597755&view=diff
==
--- tomcat/trunk/test/webapp/WEB-INF/bug53545.tld (original)
+++ tomcat/trunk/test/webapp/WEB-INF/bug53545.tld Tue May 27 12:04:30 2014
@@ -1,3 +1,20 @@
+?xml version=1.0 encoding=utf-8 ?
+!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the License); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an AS IS BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+--
 taglib xmlns=http://java.sun.com/xml/ns/j2ee;
 xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance;
 xsi:schemaLocation=http://java.sun.com/xml/ns/j2ee 
http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd;






svn commit: r1597757 - in /tomcat/tc7.0.x/trunk: ./ test/webapp-3.0/WEB-INF/bug53545.tld test/webapp-3.0/bug5nnnn/bug53545.html test/webapp-3.0/bug5nnnn/bug56334and56561.jspx

2014-05-27 Thread kkolinko
Author: kkolinko
Date: Tue May 27 12:17:29 2014
New Revision: 1597757

URL: http://svn.apache.org/r1597757
Log:
Add license header
It is a backport of revisions 1597753-1597755 from tomcat/trunk.

Modified:
tomcat/tc7.0.x/trunk/   (props changed)
tomcat/tc7.0.x/trunk/test/webapp-3.0/WEB-INF/bug53545.tld
tomcat/tc7.0.x/trunk/test/webapp-3.0/bug5/bug53545.html
tomcat/tc7.0.x/trunk/test/webapp-3.0/bug5/bug56334and56561.jspx

Propchange: tomcat/tc7.0.x/trunk/
--
  Merged /tomcat/trunk:r1597753-1597755

Modified: tomcat/tc7.0.x/trunk/test/webapp-3.0/WEB-INF/bug53545.tld
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/webapp-3.0/WEB-INF/bug53545.tld?rev=1597757&r1=1597756&r2=1597757&view=diff
==
--- tomcat/tc7.0.x/trunk/test/webapp-3.0/WEB-INF/bug53545.tld (original)
+++ tomcat/tc7.0.x/trunk/test/webapp-3.0/WEB-INF/bug53545.tld Tue May 27 
12:17:29 2014
@@ -1,3 +1,20 @@
+?xml version=1.0 encoding=utf-8 ?
+!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the License); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an AS IS BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+--
 taglib xmlns=http://java.sun.com/xml/ns/j2ee;
 xmlns:xsi=http://www.w3.org/2001/XMLSchema-instance;
 xsi:schemaLocation=http://java.sun.com/xml/ns/j2ee 
http://java.sun.com/xml/ns/j2ee/web-jsptaglibrary_2_0.xsd;

Modified: tomcat/tc7.0.x/trunk/test/webapp-3.0/bug5/bug53545.html
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/webapp-3.0/bug5/bug53545.html?rev=1597757&r1=1597756&r2=1597757&view=diff
==
--- tomcat/tc7.0.x/trunk/test/webapp-3.0/bug5/bug53545.html (original)
+++ tomcat/tc7.0.x/trunk/test/webapp-3.0/bug5/bug53545.html Tue May 27 
12:17:29 2014
@@ -1,3 +1,19 @@
+!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the License); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an AS IS BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+--
 html
   body
 pOK/p

Modified: tomcat/tc7.0.x/trunk/test/webapp-3.0/bug5/bug56334and56561.jspx
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/webapp-3.0/bug5/bug56334and56561.jspx?rev=1597757&r1=1597756&r2=1597757&view=diff
==
--- tomcat/tc7.0.x/trunk/test/webapp-3.0/bug5/bug56334and56561.jspx 
(original)
+++ tomcat/tc7.0.x/trunk/test/webapp-3.0/bug5/bug56334and56561.jspx Tue May 
27 12:17:29 2014
@@ -1,3 +1,20 @@
+?xml version=1.0 encoding=utf-8 ?
+!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the License); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an AS IS BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+--
 jsp:root version=2.2
 xmlns=http://www.w3.org/1999/xhtml;
 xmlns:jsp=http://java.sun.com/JSP/Page;
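Review bot: the root element here stays at `jsp:root version=2.2` while the trunk file this was merged from (r1597753) declares version 2.3, so the backport is correctly not a byte-for-byte copy; keep that difference in mind for future merges of this file to 7.0.x, because a mechanical merge of a later trunk change could carry the 2.3 version along with it.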




svn commit: r1597759 - /tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java

2014-05-27 Thread kkolinko
Author: kkolinko
Date: Tue May 27 12:25:57 2014
New Revision: 1597759

URL: http://svn.apache.org/r1597759
Log:
Discern the first and the second requests in the test case.

Modified:
tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java

Modified: 
tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java?rev=1597759&r1=1597758&r2=1597759&view=diff
==
--- tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java 
(original)
+++ tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java 
Tue May 27 12:25:57 2014
@@ -427,7 +427,7 @@ public class TestAbstractHttp11Processor
 
 tomcat.start();
 
-String request1 = GET /async HTTP/1.1\r\n +
+String request1 = GET /async?1 HTTP/1.1\r\n +
 Host: localhost: + getPort() + \r\n +
 Connection: keep-alive\r\n +
 Cache-Control: max-age=0\r\n +
@@ -438,7 +438,7 @@ public class TestAbstractHttp11Processor
 Cookie: something.that.should.not.leak=true\r\n +
 \r\n;
 
-String request2 = GET /async HTTP/1.1\r\n +
+String request2 = GET /async?2 HTTP/1.1\r\n +
 Host: localhost: + getPort() + \r\n +
 Connection: keep-alive\r\n +
 Cache-Control: max-age=0\r\n +
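Review bot: the `?1` and `?2` query strings make the two pipelined requests distinguishable, but nothing on these lines consumes them; the cookie on request 1 (`something.that.should.not.leak=true`) is what the test guards against leaking into request 2, so unless the async servlet echoes request.getQueryString() into its response and the assertions check it, a response produced for request 1 but delivered for request 2 still passes. Consider asserting on the query string as well as on the cookie so the mix-up case is actually detected rather than only visible in the access log.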






svn commit: r1597761 - in /tomcat/tc7.0.x/trunk: ./ test/org/apache/coyote/http11/TestAbstractHttp11Processor.java

2014-05-27 Thread kkolinko
Author: kkolinko
Date: Tue May 27 12:29:00 2014
New Revision: 1597761

URL: http://svn.apache.org/r1597761
Log:
Discern the first and the second requests in the test case.
It is a merge of r1597759 from tomcat/trunk.

Modified:
tomcat/tc7.0.x/trunk/   (props changed)

tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java

Propchange: tomcat/tc7.0.x/trunk/
--
  Merged /tomcat/trunk:r1597759

Modified: 
tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java?rev=1597761&r1=1597760&r2=1597761&view=diff
==
--- 
tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
 (original)
+++ 
tomcat/tc7.0.x/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
 Tue May 27 12:29:00 2014
@@ -429,7 +429,7 @@ public class TestAbstractHttp11Processor
 
 tomcat.start();
 
-String request1 = GET /async HTTP/1.1\r\n +
+String request1 = GET /async?1 HTTP/1.1\r\n +
 Host: localhost: + getPort() + \r\n +
 Connection: keep-alive\r\n +
 Cache-Control: max-age=0\r\n +
@@ -440,7 +440,7 @@ public class TestAbstractHttp11Processor
 Cookie: something.that.should.not.leak=true\r\n +
 \r\n;
 
-String request2 = GET /async HTTP/1.1\r\n +
+String request2 = GET /async?2 HTTP/1.1\r\n +
 Host: localhost: + getPort() + \r\n +
 Connection: keep-alive\r\n +
 Cache-Control: max-age=0\r\n +






svn commit: r1597764 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml

2014-05-27 Thread markt
Author: markt
Date: Tue May 27 12:39:01 2014
New Revision: 1597764

URL: http://svn.apache.org/r1597764
Log:
CVE-2014-0075
CVE-2014-0095
CVE-2014-0096
CVE-2014-0099
CVE-2014-0119

Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1597764&r1=1597763&r2=1597764&view=diff
==
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Tue May 27 12:39:01 2014
@@ -200,6 +200,9 @@
 a href=#Apache_Tomcat_6.x_vulnerabilitiesApache Tomcat 6.x 
vulnerabilities/a
 /li
 li
+a href=#Fixed_in_Apache_Tomcat_6.0.41Fixed in Apache Tomcat 6.0.41/a
+/li
+li
 a href=#Fixed_in_Apache_Tomcat_6.0.39Fixed in Apache Tomcat 6.0.39/a
 /li
 li
@@ -300,6 +303,117 @@
 
   
 /div
+h3 id=Fixed_in_Apache_Tomcat_6.0.41
+span style=float: right;released 2014-05-23/span Fixed in Apache Tomcat 
6.0.41/h3
+div class=text
+
+  
+p
+iNote: The issues below were fixed in Apache Tomcat 6.0.40 but the
+   release vote for the 6.0.40 release candidate did not pass.
+   Therefore, although users must download 6.0.41 to obtain a version that
+   includes fixes for these issues, version 6.0.40 is not
+   included in the list of affected versions./i
+/p
+
+
+p
+strongImportant: Denial of Service/strong
+   a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0075; 
rel=nofollowCVE-2014-0075/a
+/p
+
+
+pIt was possible to craft a malformed chunk size as part of a chucked
+   request that enabled an unlimited amount of data to be streamed to the
+   server, bypassing the various size limits enforced on a request. This
+   enabled a denial of service attack./p
+
+
+pThis was fixed in revision a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1579262;1579262/a./p
+
+
+pThis issue was reported to the Tomcat security team by David Jorm of the
+   Red Hat Security Response Team on 28 February 2014 and made public on 27
+   May 2014./p
+
+
+pAffects: 6.0.0-6.0.39/p
+
+
+p
+strongImportant: Information disclosure/strong
+   a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0096; 
rel=nofollowCVE-2014-0096/a
+/p
+
+
+pThe default servlet allows web applications to define (at multiple
+   levels) an XSLT to be used to format a directory listing. When running
+   under a security manager, the processing of these was not subject to the
+   same constraints as the web application. This enabled a malicious web
+   application to bypass the file access constraints imposed by the 
security
+   manager via the use of external XML entities./p
+
+
+pThis was fixed in revision a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1585853;1585853/a./p
+
+
+pThis issue was identified by the Tomcat security team on 27 February 2014
+   and made public on 27 May 2014./p
+
+
+pAffects: 6.0.0-6.0.39/p
+
+
+p
+strongImportant: Information disclosure/strong
+   a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0099; 
rel=nofollowCVE-2014-0099/a
+/p
+
+
+pThe code used to parse the request content length header did not check
+   for overflow in the result. This exposed a request smuggling
+   vulnerability when Tomcat was located behind a reverse proxy that
+   correctly processed the content length header./p
+
+
+pThis was fixed in revision a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1580473;1580473/a./p
+
+
+pA test case that demonstrated the parsing bug was sent to the Tomcat
+   security team on 13 March 2014 but no context was provided. The security
+   implications were identified by the Tomcat security team the day the
+   report was received and made public on 27 May 2014./p
+
+
+pAffects: 6.0.0-6.0.39/p
+
+
+p
+strongLow: Information Disclosure/strong
+   a href=http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0119; 
rel=nofollowCVE-2014-0119/a
+/p
+
+
+pIn limited circumstances it was possible for a malicious web application
+   to replace the XML parsers used by Tomcat to process XSLTs for the
+   default servlet, JSP documents, tag library descriptors (TLDs) and tag
+   plugin configuration files. The injected XML parser(s) could then bypass
+   the limits imposed on XML external entities and/or have visibility of 
the
+   XML files processed for other web applications deployed on the same
+   Tomcat instance./p
+
+
+pThis was fixed in revision a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1593821;1593821/a./p
+
+
+pThis issue was identified by the Tomcat security team 
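Review bot: "a chucked request" in the CVE-2014-0075 paragraph should read "a chunked request"; the same typo appears in the advisory mail and in the svn:log of r1579262 and r1578341, so it is worth fixing all of them together. The content-length overflow entry correctly carries CVE-2014-0099, which matches the correction sent for the advisory mail that went out under a CVE-2014-0097 subject; the xdocs source should be checked for the same typo before the HTML is regenerated.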

[SECURITY] CVE-2014-0075 Apache Tomcat denial of service

2014-05-27 Thread Mark Thomas
CVE-2014-0075 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

Description:
It was possible to craft a malformed chunk size as part of a chunked
request that enabled an unlimited amount of data to be streamed to the
server, bypassing the various size limits enforced on a request. This
enabled a denial of service attack.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
This issue was reported to the Tomcat security team by David Jorm of the
Red Hat Security Response Team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html




[SECURITY] CVE-2014-0095 Apache Tomcat denial of service

2014-05-27 Thread Mark Thomas
CVE-2014-0095 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC2 to 8.0.3

Description:
A regression was introduced in revision 1519838 that caused AJP
requests to hang if an explicit content length of zero was set on the
request. The hanging request consumed a request processing thread which
could lead to a denial of service.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)

Credit:
This issue was reported as a possible bug via the Tomcat users mailing
list and the security implications were identified by the Tomcat security
team.

References:
[1] http://tomcat.apache.org/security-8.html




[SECURITY] CVE-2014-0097 Apache Tomcat information disclosure

2014-05-27 Thread Mark Thomas
CVE-2014-0097 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

Description:
The code used to parse the request content length header did not check
for overflow in the result. This exposed a request smuggling
vulnerability when Tomcat was located behind a reverse proxy that
correctly processed the content length header.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
A test case that demonstrated the parsing bug was sent to the Tomcat
security team but no context was provided. The security implications
were identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html

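Added worked example (not Tomcat's code, and not the logic of r1579262 or r1580473): an illustration of the bug class named in the CVE-2014-0075 and CVE-2014-0099 advisories above. It emulates unchecked Java int/long arithmetic in Python to show how a crafted hex chunk size wraps to 0, -1 or a large negative number, how a twenty-digit Content-Length wraps to 5, and why a front end that reads that header correctly and a back end that wraps it disagree on where the first request ends. The hardened parsers refuse the overflow before it happens. The request bytes are constructed for the demo.

```python
# Added illustration, not Tomcat's code: Java int/long wraparound is emulated
# with wrap() so the overflow behind CVE-2014-0075 (chunk size) and
# CVE-2014-0099 (Content-Length) can be shown in Python.

INT_MAX = (1 << 31) - 1
LONG_MAX = (1 << 63) - 1


def wrap(value, bits):
    """Two's-complement reduction: what unchecked Java arithmetic stores in an
    int (bits=32) or long (bits=64) after an overflowing operation."""
    value &= (1 << bits) - 1
    return value - (1 << bits) if value >= (1 << (bits - 1)) else value


def parse_hex_naive(digits):
    """Chunk size parsed like an unchecked Java int: result = (result << 4) + digit.
    A ninth significant hex digit silently wraps, e.g. '100000000' becomes 0
    (which a decoder reads as end of body) and 'ffffffff' becomes -1."""
    result = 0
    for ch in digits:
        result = wrap((result << 4) + int(ch, 16), 32)
    return result


def parse_hex_checked(digits):
    """Same loop, but the shift is refused before it can leave the int range."""
    if not digits or any(ch not in "0123456789abcdefABCDEF" for ch in digits):
        raise ValueError("malformed chunk size: %r" % digits)
    result = 0
    for ch in digits:
        if result > (INT_MAX >> 4):  # (result << 4) + digit would exceed INT_MAX
            raise ValueError("chunk size overflows 32 bits: %r" % digits)
        result = (result << 4) + int(ch, 16)
    return result


def parse_decimal_naive(digits):
    """Content-Length parsed like an unchecked Java long: result = result * 10 + digit.
    2**64 + 5 written in decimal comes out as 5."""
    result = 0
    for ch in digits:
        result = wrap(result * 10 + int(ch), 64)
    return result


def parse_decimal_checked(digits):
    """Refuse any Content-Length that would overflow a Java long."""
    if not digits or any(ch not in "0123456789" for ch in digits):
        raise ValueError("malformed Content-Length: %r" % digits)
    result = 0
    for ch in digits:
        d = int(ch)
        if result > (LONG_MAX - d) // 10:  # result * 10 + d would exceed LONG_MAX
            raise ValueError("Content-Length overflows 64 bits: %r" % digits)
        result = result * 10 + d
    return result


def rejects(parse_fn, value):
    """True if parse_fn refuses value with ValueError, False if it returns a result."""
    try:
        parse_fn(value)
    except ValueError:
        return True
    return False


def split_requests(stream, parse_len):
    """Cut a pipelined byte stream into request bodies, using parse_len for
    Content-Length. Whichever parser runs decides where each body ends, so two
    parsers that disagree on the value also disagree on how many requests exist."""
    bodies = []
    pos = 0
    while pos < len(stream):
        end = stream.index(b"\r\n\r\n", pos)
        length = 0
        for line in stream[pos:end].decode("ascii").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = parse_len(value.strip())
        body_start = end + 4
        bodies.append(stream[body_start:body_start + length])
        pos = body_start + length
    return bodies


# Constructed input: one POST whose Content-Length is 2**64 + 5, followed by
# bytes that a wrapping parser treats as a second, smuggled request. A parser
# that reads the header correctly sees a single, absurdly long request.
CRAFTED = (
    b"POST /upload HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 18446744073709551621\r\n\r\n"
    b"hello"
    b"GET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)
```

Running split_requests over CRAFTED with parse_decimal_naive yields two requests, with bodies b"hello" and b"", the second being the GET that the front end never saw as a separate request; with parse_decimal_checked the header is rejected with ValueError and nothing after it is interpreted.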



[SECURITY] CVE-2014-0119 Apache Tomcat information disclosure

2014-05-27 Thread Mark Thomas
CVE-2014-0119 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.5
- Apache Tomcat 7.0.0 to 7.0.53
- Apache Tomcat 6.0.0 to 6.0.39

Description:
In limited circumstances it was possible for a malicious web application
to replace the XML parsers used by Tomcat to process XSLTs for the
default servlet, JSP documents, tag library descriptors (TLDs) and tag
plugin configuration files. The injected XML parser(s) could then bypass
the limits imposed on XML external entities and/or have visibility of
the XML files processed for other web applications deployed on the same
Tomcat instance.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.8 or later
  (8.0.6 and 8.0.7 contain the fix but were not released)
- Upgrade to Apache Tomcat 7.0.54 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
This issue was identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html




[SECURITY] CVE-2014-0096 Apache Tomcat information disclosure

2014-05-27 Thread Mark Thomas
CVE-2014-0096 Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39

Description:
The default servlet allows web applications to define (at multiple
levels) an XSLT to be used to format a directory listing. When running
under a security manager, the processing of these was not subject to the
same constraints as the web application. This enabled a malicious web
application to bypass the file access constraints imposed by the
security manager via the use of external XML entities.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.5 or later
  (8.0.4 contains the fix but was not released)
- Upgrade to Apache Tomcat 7.0.53 or later
- Upgrade to Apache Tomcat 6.0.41 or later
  (6.0.40 contains the fix but was not released)

Credit:
This issue was identified by the Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html

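Added worked example (not Tomcat's code; Python's expat binding stands in for the Java XSLT/XML machinery named in the CVE-2014-0096 advisory above). It shows what happens when a parser honours an external SYSTEM entity declared inside user-supplied XML, namely that a file beside the document is read and spliced into the parsed output, and the refusal a hardened parser applies at the same point instead. The file name secret.txt and its contents are constructed for the demo.

```python
# Added illustration for the CVE-2014-0096 advisory: what an XML parser does
# with an external entity declared in user-supplied input, and the refusal
# that the fix enforces for DefaultServlet XSLTs. Python's expat binding
# stands in for the Java machinery; this is not Tomcat's code. The file name
# and contents below are constructed for the demo.
import os
import tempfile
import xml.parsers.expat


def parse_text(xml_bytes, base_dir, resolve_external):
    """Parse xml_bytes and return its character data.

    resolve_external=True  : external SYSTEM entities are read from base_dir
                             and spliced into the document (the dangerous path).
    resolve_external=False : the reference is refused and parsing fails."""
    chunks = []
    parser = xml.parsers.expat.ParserCreate()
    parser.CharacterDataHandler = chunks.append

    def on_external_entity(context, base, system_id, public_id):
        if not resolve_external:
            return 0  # expat reports this as an ExpatError to the caller
        with open(os.path.join(base_dir, system_id), "rb") as fh:
            data = fh.read()
        # The child parser inherits the parent's handlers, so the file's
        # bytes are delivered to chunks as if they were document text.
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = on_external_entity
    parser.Parse(xml_bytes, True)
    return "".join(chunks)


# Constructed document: a harmless-looking file that declares an entity
# pointing at a file next to it and then references that entity.
EVIL_XML = (
    b'<?xml version="1.0"?>\n'
    b'<!DOCTYPE x [ <!ENTITY secret SYSTEM "secret.txt"> ]>\n'
    b"<x>&secret;</x>\n"
)


def demo():
    """Run the document through both policies. Returns (leaked_text, refused)."""
    with tempfile.TemporaryDirectory() as base_dir:
        with open(os.path.join(base_dir, "secret.txt"), "wb") as fh:
            fh.write(b"hunter2")
        leaked = parse_text(EVIL_XML, base_dir, resolve_external=True)
        try:
            parse_text(EVIL_XML, base_dir, resolve_external=False)
            refused = False
        except xml.parsers.expat.ExpatError:
            refused = True
    return leaked, refused
```

demo() returns ("hunter2", True): the permissive parse leaks the file's contents into the parsed text, the hardened parse stops with ExpatError at the entity reference. Refusing at the resolver is the right place for the check because it is independent of what the surrounding document claims about itself.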



svn propchange: r1579262 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1579262
Modified property: svn:log

Modified: svn:log at Tue May 27 13:01:05 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:01:05 2014
@@ -1 +1,2 @@
 Improve processing of chuck size from chunked headers. Avoid overflow and use 
a bit shift instead of a multiplication as it is marginally faster.
+This is the fix for CVE-2014-0075
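Review bot: with the svn:log being rewritten anyway, "chuck size" in the retained first line should become "chunk size" rather than only appending the CVE reference; the same typo is in the log of r1578341, which is being edited in this same pass.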





svn propchange: r1585853 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1585853
Modified property: svn:log

Modified: svn:log at Tue May 27 13:01:43 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:01:43 2014
@@ -1,2 +1,3 @@
 Redefine the globalXsltFile initialisation parameter of the DefaultServlet as 
relative to CATALINA_BASE/conf or CATALINA_HOME/conf.
 Prevent user supplied XSLTs used by the DefaultServlet from defining external 
entities.
+This is the fix for CVE-2014-0096
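Review bot: this log calls r1585853 "the fix" for CVE-2014-0096 while r1578637 and r1578655 are labelled parts 1 and 2 of the same fix; stating which branch each revision applies to (security-6.html cites 1585853) would let a reader correlating the three tell whether this is a combined port of the two parts or a third change.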





svn propchange: r1580473 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1580473
Modified property: svn:log

Modified: svn:log at Tue May 27 13:02:28 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:02:28 2014
@@ -1 +1,2 @@
 Fix possible overflow when parsing long values from a byte array.
+This is the fix for CVE-2014-0099





svn propchange: r1593821 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1593821
Modified property: svn:log

Modified: svn:log at Tue May 27 13:02:59 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:02:59 2014
@@ -1,3 +1,4 @@
 Defensive coding around some XML activities that are triggered by web
 applications and are therefore at potential risk of a memory leak.
 Patch by markt.
+This is the fix for CVE-2014-0119
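Review bot: this log calls r1593821 "the fix" for CVE-2014-0119 while r1589997 and r1590028 are labelled parts 1 and 2 of the same fix; as with CVE-2014-0096, naming the branch (security-6.html cites 1593821) would make clear that this is the single revision to take for that branch rather than a third, separate change.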





svn propchange: r1590028 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1590028
Modified property: svn:log

Modified: svn:log at Tue May 27 13:03:55 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:03:55 2014
@@ -1 +1,2 @@
 Defensive coding around some XML activities that are triggered by web 
applications and are therefore at potential risk of a memory leak.
+This is part 2 of 2 of the fix for CVE-2014-0119





svn propchange: r1589997 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1589997
Modified property: svn:log

Modified: svn:log at Tue May 27 13:04:22 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:04:22 2014
@@ -1 +1,2 @@
 More defensive coding around some XML activities that are triggered by web 
applications and are therefore at potential risk of a memory leak.
+This is part 1 of 2 of the fix for CVE-2014-0119





svn propchange: r1578341 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1578341
Modified property: svn:log

Modified: svn:log at Tue May 27 13:05:13 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:05:13 2014
@@ -1 +1,2 @@
 Improve processing of chuck size from chunked headers. Avoid overflow and use 
a bit shift instead of a multiplication as it is marginally faster.
+This is the fix for CVE-2014-0075
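Review bot: "chuck size" here should be "chunk size", as in the log of r1579262; both property changes are being made in this pass, so correct the typo in the same edit.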





svn propchange: r1578637 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1578637
Modified property: svn:log

Modified: svn:log at Tue May 27 13:05:56 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:05:56 2014
@@ -1 +1,2 @@
 Redefine globalXsltFile as relative to CATALINA_BASE/conf or CATALINA_HOME/conf
+This is part 1 of 2 of the fix for CVE-2014-0096





svn propchange: r1578655 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1578655
Modified property: svn:log

Modified: svn:log at Tue May 27 13:06:29 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:06:29 2014
@@ -1 +1,2 @@
 Prevent user supplied XSLTs from defining external entities
+This is part 2 of 2 of the fix for CVE-2014-0096





svn propchange: r1578814 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1578814
Modified property: svn:log

Modified: svn:log at Tue May 27 13:07:06 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:07:06 2014
@@ -1 +1,2 @@
 Fix possible overflow when parsing long values from a byte array.
+This is the fix for CVE-2014-0099





Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure

2014-05-27 Thread Mark Thomas
CORRECTION: This is CVE-2014-0099 *NOT* -0097
Apologies for the typo

On 27/05/2014 13:46, Mark Thomas wrote:
 CVE-2014-0099 Information Disclosure
 
 Severity: Important
 
 Vendor: The Apache Software Foundation
 
 Versions Affected:
 - Apache Tomcat 8.0.0-RC1 to 8.0.3
 - Apache Tomcat 7.0.0 to 7.0.52
 - Apache Tomcat 6.0.0 to 6.0.39
 
 Description:
 The code used to parse the request content length header did not check
 for overflow in the result. This exposed a request smuggling
 vulnerability when Tomcat was located behind a reverse proxy that
 correctly processed the content length header.
 
 Mitigation:
 Users of affected versions should apply one of the following mitigations
 - Upgrade to Apache Tomcat 8.0.5 or later
   (8.0.4 contains the fix but was not released)
 - Upgrade to Apache Tomcat 7.0.53 or later
 - Upgrade to Apache Tomcat 6.0.41 or later
   (6.0.40 contains the fix but was not released)
 
 Credit:
 A test case that demonstrated the parsing bug was sent to the Tomcat
 security team but no context was provided. The security implications
 were identified by the Tomcat security team.
 
 References:
 [1] http://tomcat.apache.org/security-8.html
 [2] http://tomcat.apache.org/security-7.html
 [3] http://tomcat.apache.org/security-6.html
 
 -
 To unsubscribe, e-mail: security-unsubscr...@tomcat.apache.org
 For additional commands, e-mail: security-h...@tomcat.apache.org
 


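The two parser fixes referenced in this digest, the chunk-size log for CVE-2014-0075 and the Content-Length advisory for CVE-2014-0099 above, share one root cause: digits are accumulated into a long without checking that the next digit still fits. What follows is an added example and not Tomcat's code; it shows a decimal Content-Length parser and a hex chunk-size parser each in a naive and a checked form. The class and method names and the sample header values are constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

/*
 * Added example, not Tomcat's code: the overflow pattern behind
 * CVE-2014-0099 (decimal Content-Length) and CVE-2014-0075 (hex
 * chunk-size), shown as a naive parser next to a checked one.
 * Method names and the sample header values are constructed.
 */
public class LengthParsing {

    /* Naive decimal parse: arithmetic on long wraps modulo 2^64, so a value
     * above Long.MAX_VALUE comes back as an unrelated (possibly small or
     * negative) number instead of an error. */
    static long parseDecimalUnchecked(byte[] b) {
        long result = 0;
        for (byte c : b) {
            if (c < '0' || c > '9') {
                throw new NumberFormatException("not a digit: " + (char) c);
            }
            result = result * 10 + (c - '0');
        }
        return result;
    }

    /* Checked decimal parse: refuses any value that would not fit in a long.
     * result*10 + digit exceeds Long.MAX_VALUE exactly when
     * result > (Long.MAX_VALUE - digit) / 10, so test before multiplying. */
    static long parseDecimalChecked(byte[] b) {
        if (b.length == 0) {
            throw new NumberFormatException("empty value");
        }
        long result = 0;
        for (byte c : b) {
            if (c < '0' || c > '9') {
                throw new NumberFormatException("not a digit: " + (char) c);
            }
            int digit = c - '0';
            if (result > (Long.MAX_VALUE - digit) / 10) {
                throw new NumberFormatException("value does not fit in 64 bits");
            }
            result = result * 10 + digit;
        }
        return result;
    }

    /* Naive hex chunk-size parse: the same wrap, one nibble at a time. */
    static long parseChunkSizeUnchecked(byte[] b) {
        long result = 0;
        for (byte c : b) {
            int digit = Character.digit((char) c, 16);
            if (digit < 0) {
                throw new NumberFormatException("not a hex digit: " + (char) c);
            }
            result = (result << 4) | digit;
        }
        return result;
    }

    /* Checked hex chunk-size parse. Shifting left by four bits is lossless
     * and leaves the sign bit clear only while result <= Long.MAX_VALUE >> 4. */
    static long parseChunkSizeChecked(byte[] b) {
        if (b.length == 0) {
            throw new NumberFormatException("empty chunk-size");
        }
        long result = 0;
        for (byte c : b) {
            int digit = Character.digit((char) c, 16);
            if (digit < 0) {
                throw new NumberFormatException("not a hex digit: " + (char) c);
            }
            if (result > (Long.MAX_VALUE >> 4)) {
                throw new NumberFormatException("chunk-size does not fit in 64 bits");
            }
            result = (result << 4) | digit;
        }
        return result;
    }

    /* Renders the checked result, or the rejection reason, for the demo. */
    static String tryChecked(boolean hex, byte[] b) {
        try {
            return Long.toString(hex ? parseChunkSizeChecked(b) : parseDecimalChecked(b));
        } catch (NumberFormatException e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed header values: an ordinary length, 2^63 (one past
        // Long.MAX_VALUE) and 2^64 + 20 (congruent to 20 modulo 2^64).
        String[] lengths = {"1024", "9223372036854775808", "18446744073709551636"};
        for (String s : lengths) {
            byte[] b = s.getBytes(StandardCharsets.US_ASCII);
            System.out.printf("Content-Length: %-22s unchecked=%d  checked=%s%n",
                    s, parseDecimalUnchecked(b), tryChecked(false, b));
        }
        // Constructed chunk-size lines: 16 hex digits of F (all 64 bits set)
        // and 2^64 written in hex (17 digits, congruent to 0 modulo 2^64).
        String[] chunks = {"400", "FFFFFFFFFFFFFFFF", "10000000000000000"};
        for (String s : chunks) {
            byte[] b = s.getBytes(StandardCharsets.US_ASCII);
            System.out.printf("chunk-size: %-22s unchecked=%d  checked=%s%n",
                    s, parseChunkSizeUnchecked(b), tryChecked(true, b));
        }
    }
}
```

Compile and run with `javac LengthParsing.java && java LengthParsing`. In 64-bit two's-complement arithmetic 2^63 is Long.MIN_VALUE and 2^64 + 20 is congruent to 20, so the unchecked parser hands the rest of the request pipeline a negative or small body length for the second and third samples, while a front end that parses the header correctly sees a huge one; that disagreement about where the body ends is the precondition for the request smuggling the advisory describes. The checked parsers reject such values before any body handling starts. The real fixes are the revisions annotated in the svn:log changes in this digest; this example does not reproduce their code.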



svn propchange: r1589837 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1589837
Modified property: svn:log

Modified: svn:log at Tue May 27 13:10:17 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:10:17 2014
@@ -1 +1,2 @@
 Add some defensive coding around some XML activities that are triggered by web 
applications and are therefore at potential risk of a memory leak.
+This is part 1 of 3 of the fix for CVE-2014-0119





svn propchange: r1589980 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1589980
Modified property: svn:log

Modified: svn:log at Tue May 27 13:10:46 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:10:46 2014
@@ -1 +1,2 @@
 More defensive coding around some XML activities that are triggered by web 
applications and are therefore at potential risk of a memory leak.
+This is part 2 of 3 of the fix for CVE-2014-0119





svn propchange: r1589990 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1589990
Modified property: svn:log

Modified: svn:log at Tue May 27 13:11:10 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:11:10 2014
@@ -1 +1,2 @@
 More defensive coding around some XML activities that are triggered by web 
applications and are therefore at potential risk of a memory leak.
+This is part 3 of 3 of the fix for CVE-2014-0119





svn propchange: r1578337 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1578337
Modified property: svn:log

Modified: svn:log at Tue May 27 13:11:56 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:11:56 2014
@@ -1 +1,2 @@
 Improve processing of chuck size from chunked headers. Avoid overflow and use 
a bit shift instead of a multiplication as it is marginally faster.
+This is the fix for CVE-2014-0075
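Review bot: Same typo as in the r1578341 log, "chuck size" for "chunk size" on the first line; worth fixing while the property is being edited, so that both branches' logs for the CVE-2014-0075 fix read the same and are found by the same search.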





svn propchange: r1578392 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1578392
Modified property: svn:log

Modified: svn:log at Tue May 27 13:14:27 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:14:27 2014
@@ -1 +1,2 @@
 Correct regression introduced in 8.0.0-RC2 as part of the Servlet 3.1 
non-blocking IO support that broke handling of requests with an explicit 
content length of zero.
+This is the fix for CVE-2014-0095





svn propchange: r1578610 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1578610
Modified property: svn:log

Modified: svn:log at Tue May 27 13:15:01 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:15:01 2014
@@ -1 +1,2 @@
 Redefine globalXsltFile as relative to CATALINA_BASE/conf or CATALINA_HOME/conf
+This is part 1 of 2 of the fix for CVE-2014-0096





svn propchange: r1578611 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1578611
Modified property: svn:log

Modified: svn:log at Tue May 27 13:15:27 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:15:27 2014
@@ -1 +1,2 @@
 Prevent user supplied XSLTs from defining external entities
+This is part 2 of 2 of the fix for CVE-2014-0096





svn propchange: r1578812 - svn:log

2014-05-27 Thread markt
Author: markt
Revision: 1578812
Modified property: svn:log

Modified: svn:log at Tue May 27 13:15:51 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:15:51 2014
@@ -1 +1,2 @@
 Fix possible overflow when parsing long values from a byte array.
+This is the fix for CVE-2014-0099





svn commit: r1597774 - in /tomcat/site/trunk: docs/security-8.html xdocs/security-8.xml

2014-05-27 Thread markt
Author: markt
Date: Tue May 27 13:16:39 2014
New Revision: 1597774

URL: http://svn.apache.org/r1597774
Log:
Fix copy/paste error in fix revision info

Modified:
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/xdocs/security-8.xml

Modified: tomcat/site/trunk/docs/security-8.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1597774r1=1597773r2=1597774view=diff
==
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Tue May 27 13:16:39 2014
@@ -357,7 +357,7 @@
thread which could lead to a denial of service./p
 
 
-pThis was fixed in revision a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1578337;1578337/a./p
+pThis was fixed in revision a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1578392;1578392/a./p
 
 
 pThis issue was reported as a possible bug via the Tomcat users mailing
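Review bot: The corrected revision agrees with the svn:log propchanges earlier in this digest, where r1578392 is annotated "This is the fix for CVE-2014-0095" and r1578337 "This is the fix for CVE-2014-0075", so the page was linking the CVE-2014-0095 entry to the chunk-size fix. The same number is edited by hand in both docs/security-8.html and xdocs/security-8.xml in this commit; generating the HTML from the XML rather than editing both would stop the two copies drifting apart again.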

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1597774r1=1597773r2=1597774view=diff
==
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Tue May 27 13:16:39 2014
@@ -112,7 +112,7 @@
was set on the request. The hanging request consumed a request 
processing
thread which could lead to a denial of service./p
 
-pThis was fixed in revision revlink rev=15783371578337/revlink./p
+pThis was fixed in revision revlink rev=15783921578392/revlink./p
 
 pThis issue was reported as a possible bug via the Tomcat users mailing
list on 3 March 2014 and the security implications were identified by 
the






buildbot success in ASF Buildbot on tomcat-7-trunk

2014-05-27 Thread buildbot
The Buildbot has detected a restored build on builder tomcat-7-trunk while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/tomcat-7-trunk/builds/85

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-vm_ubuntu

Build Reason: scheduler
Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1597757
Blamelist: kkolinko

Build succeeded!

sincerely,
 -The Buildbot







svn commit: r1597788 - /tomcat/tc6.0.x/trunk/STATUS.txt

2014-05-27 Thread markt
Author: markt
Date: Tue May 27 13:52:06 2014
New Revision: 1597788

URL: http://svn.apache.org/r1597788
Log:
Vote

Modified:
tomcat/tc6.0.x/trunk/STATUS.txt

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1597788r1=1597787r2=1597788view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Tue May 27 13:52:06 2014
@@ -30,7 +30,7 @@ PATCHES PROPOSED TO BACKPORT:
 * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56561
   Fixed NoSuchElementException when an attribute has empty string as value
   http://svn.apache.org/viewvc?view=revisionrevision=1597532
-  +1 violetagg, kkolinko
+  +1 violetagg, kkolinko, markt
   -1
 
 PATCHES/ISSUES THAT ARE STALLED:






buildbot failure in ASF Buildbot on tomcat-7-trunk

2014-05-27 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-7-trunk while 
building ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/tomcat-7-trunk/builds/86

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-vm_ubuntu

Build Reason: scheduler
Build Source Stamp: [branch tomcat/tc7.0.x/trunk] 1597761
Blamelist: kkolinko

BUILD FAILED: failed compile_1

sincerely,
 -The Buildbot







[Bug 56546] Improve thread trace logging in WebappClassLoader.clearReferencesThreads()

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56546

--- Comment #5 from Mark Thomas ma...@apache.org ---
Is there anything more to do here? If not, I'll resolve this as fixed.

-- 
You are receiving this mail because:
You are the assignee for the bug.




[Bug 56546] Improve thread trace logging in WebappClassLoader.clearReferencesThreads()

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56546

--- Comment #6 from Konstantin Kolinko knst.koli...@gmail.com ---
(In reply to Mark Thomas from comment #5)

I am OK to treat this as enhancement, though Remy raised this as a serious
issue. In any case it is not a stopper for tagging 8.0.next.

On my TODO is to pursue idea from Comment 2 (print all traces at once).
I do not have time today though.

Implementing that needs some refactoring. My idea is to split threads loop into
two loops, where the first one populates some informational structure and the
second performs stopping (if enabled).

I think the current code has a minor issue:
It attempts to shut down executor for each encountered thread. Thus I think it
does it N times if there are N running threads for the same Executor. This
feature is off by default, though.





[Bug 56546] Improve thread trace logging in WebappClassLoader.clearReferencesThreads()

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56546

Remy Maucherat r...@apache.org changed:

   What|Removed |Added

   Priority|P2  |P1
   Severity|normal  |enhancement

--- Comment #7 from Remy Maucherat r...@apache.org ---
It is not actually a serious issue, it is cosmetic but fairly irritating ... So
enhancement is fine, but I am bumping up the priority.





buildbot failure in ASF Buildbot on tomcat-trunk

2014-05-27 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-trunk while building 
ASF Buildbot.
Full details are available at:
 http://ci.apache.org/builders/tomcat-trunk/builds/114

Buildbot URL: http://ci.apache.org/

Buildslave for this Build: bb-vm_ubuntu

Build Reason: scheduler
Build Source Stamp: [branch tomcat/trunk] 1597755
Blamelist: kkolinko

BUILD FAILED: failed compile_1

sincerely,
 -The Buildbot







[Bug 56561] NoSuchElementException on empty attribute in Validator$ValidateVisitor.getJspAttribute(Validator.java:1385)

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56561

--- Comment #4 from Violeta Georgieva violet...@apache.org ---
I also plan another 7.0.x release at the beginning of the next month.





svn commit: r1597837 - in /tomcat/tc6.0.x/trunk: ./ STATUS.txt java/org/apache/jasper/compiler/Validator.java webapps/docs/changelog.xml

2014-05-27 Thread violetagg
Author: violetagg
Date: Tue May 27 17:51:17 2014
New Revision: 1597837

URL: http://svn.apache.org/r1597837
Log:
Merged revision 1597532 from tomcat/trunk:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56561
Fixed NoSuchElementException when an attribute has empty string as value.

Modified:
tomcat/tc6.0.x/trunk/   (props changed)
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/Validator.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc6.0.x/trunk/
--
  Merged /tomcat/trunk:r1597532

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1597837r1=1597836r2=1597837view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Tue May 27 17:51:17 2014
@@ -27,11 +27,6 @@ None
 
 PATCHES PROPOSED TO BACKPORT:
   [ New proposals should be added at the end of the list ]
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56561
-  Fixed NoSuchElementException when an attribute has empty string as value
-  http://svn.apache.org/viewvc?view=revisionrevision=1597532
-  +1 violetagg, kkolinko, markt
-  -1
 
 PATCHES/ISSUES THAT ARE STALLED:
 

Modified: tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/Validator.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/Validator.java?rev=1597837r1=1597836r2=1597837view=diff
==
--- tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/Validator.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/jasper/compiler/Validator.java Tue May 
27 17:51:17 2014
@@ -1327,8 +1327,12 @@ class Validator {
 } else {
 // Get text with \$ and \# escaping removed.
 // Should be a single Text node
-value = ((ELNode.Text) el.iterator().next())
-.getText();
+IteratorELNode it = el.iterator();
+if (it.hasNext()) {
+value = ((ELNode.Text) it.next()).getText();
+} else {
+value = ;
+}
 el = null;
 }
 }
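Review bot: The hasNext() guard fixes the empty-attribute case, but the unchecked cast `(ELNode.Text) it.next()` on the new line still relies on the comment's assumption ("Should be a single Text node"); if the first node is not a Text node the result is now a ClassCastException instead of a NoSuchElementException, which is no clearer to the JSP author. An `instanceof ELNode.Text` test that reports a compiler error for the attribute, or a comment stating why the cast cannot fail here, would close that gap. Separately, this archive has lost the angle brackets in `IteratorELNode it` and the quotes in `value = ;`; the committed lines are presumably `Iterator<ELNode> it` and `value = "";`.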

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1597837r1=1597836r2=1597837view=diff
==
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Tue May 27 17:51:17 2014
@@ -43,6 +43,16 @@
 !-- Section names:
  General, Catalina, Coyote, Jasper, Cluster, Web applications, Other
 --
+section name=Tomcat 6.0.42 (markt)
+  subsection name=Jasper
+changelog
+  fix
+bug56561/bug: Avoid codeNoSuchElementException/code while
+handling attributes with empty string value. (violetagg)
+  /fix
+/changelog
+  /subsection
+/section
 section name=Tomcat 6.0.41 (markt) rtext=released 2014-05-23
   subsection name=Jasper
 changelog






[Bug 56561] NoSuchElementException on empty attribute in Validator$ValidateVisitor.getJspAttribute(Validator.java:1385)

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56561

Violeta Georgieva violet...@apache.org changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #5 from Violeta Georgieva violet...@apache.org ---
This has been fixed in 6.0.x for 6.0.42 onwards.





Re: [SECURITY] CVE-2014-0095 Apache Tomcat denial of service

2014-05-27 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

On 5/27/14, 8:46 AM, Mark Thomas wrote:
 CVE-2014-0095 Denial of Service
 
 Severity: Important
 
 Vendor: The Apache Software Foundation
 
 Versions Affected: - Apache Tomcat 8.0.0-RC2 to 8.0.3
 
 Description: A regression was introduced in  revision 1519838 that
 caused AJP requests to hang if an explicit content length of zero
 was set on the request. The hanging request consumed a request
 processing thread which could lead to a denial of service.
 
 Mitigation: Users of affected versions should apply one of the
 following mitigations - Upgrade to Apache Tomcat 8.0.5 or later 
 (8.0.4 contains the fix but was not released)

Alternate mitigation:

  SetEnvIf Content-Length ^0$ no-jk=1

- -chris




Re: [SECURITY] CVE-2014-0097 Apache Tomcat information disclosure

2014-05-27 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

All,

On 5/27/14, 8:46 AM, Mark Thomas wrote:
 CVE-2014-0097 Information Disclosure
 
 Severity: Important
 
 Vendor: The Apache Software Foundation
 
 Versions Affected: - Apache Tomcat 8.0.0-RC1 to 8.0.3 - Apache
 Tomcat 7.0.0 to 7.0.52 - Apache Tomcat 6.0.0 to 6.0.39
 
 Description: The code used to parse the request content length
 header did not check for overflow in the result. This exposed a
 request smuggling vulnerability when Tomcat was located behind a
 reverse proxy that correctly processed the content length header.
 
 Mitigation: Users of affected versions should apply one of the
 following mitigations - Upgrade to Apache Tomcat 8.0.5 or later 
 (8.0.4 contains the fix but was not released) - Upgrade to Apache
 Tomcat 7.0.53 or later - Upgrade to Apache Tomcat 6.0.41 or later 
 (6.0.40 contains the fix but was not released)

Alternate mitigation (for httpd):

  SetEnvIf Content-Length ,{10,} no-jk=1

You can use any reasonable number in place of 10. Note that a 1GiB
Content-Length would be 1073741824 which is 10 characters, so it
would be rejected.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBCAAGBQJThN0pAAoJEBzwKT+lPKRYsp0QAMI6viexulYScNMfgExgxxmw
IU/2GzWBxkATN1OEtRXMObqG+ODC2QkCIDNP4Dsznvi8iwlkzr+q/DwqdbisB0xS
gF2JSuNCFdVPzR/KmmgFVzMNj3SmmmIwXp9hQHOBr1H6mTd/om+DcZ2w5sRozqeG
0bC/co5ZddZIV+ObY89qBHYNpt6zLL4PC2Bz7azrB+0X27G5pyh252cFi3IiGzq6
HujnoIMqf8ddz2MTthUz0VFNTVnnZRVTIB/0hX+2sKe/9TcjEfuPxIRnrTtmVoYE
aN62jdL+Ezt34GL8MwbZRDLBgBPNCS4V8pKGwiZpq7qtAlpWJNv/IpwkTzTyHkSm
oeAZSElvQYeVD1tqRYubPXMhvmscYnntbEjBSi1QdSwrvUr1ZIq1z6xuO4hDURx7
Td/B+axvPS3AVOXTk49gxLE/BG+//ly93svfTFRELDTcOsv5am4W4jGHjMRVcDhy
TmJwXUPIpvy8kqmmzZ5hH3hc26Zj47QQxwZeGyFIAjKMklHE0StBr3qtmasEr5tv
H+lWUrBIUXD0i87qzcPNSbRMSTsQvQ27CqPUEslF2o5N/QF/CVc0aQrmcsgil790
b67hpOJ6q3qwTzeCs927qj9+GAC435OHAu9YyjBYHoYReNdVurYP00uMKg+7zL5t
3XDkBXjrLm/FTWpmLBPV
=qbxd
-END PGP SIGNATURE-




svn commit: r1597855 - in /tomcat/trunk: java/org/apache/tomcat/util/descriptor/web/ApplicationListener.java webapps/docs/changelog.xml

2014-05-27 Thread violetagg
Author: violetagg
Date: Tue May 27 19:32:11 2014
New Revision: 1597855

URL: http://svn.apache.org/r1597855
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55282
o.a.t.util.descriptor.web.ApplicationListener overrides equals and hashCode 
methods.

Modified:

tomcat/trunk/java/org/apache/tomcat/util/descriptor/web/ApplicationListener.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/trunk/java/org/apache/tomcat/util/descriptor/web/ApplicationListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/tomcat/util/descriptor/web/ApplicationListener.java?rev=1597855r1=1597854r2=1597855view=diff
==
--- 
tomcat/trunk/java/org/apache/tomcat/util/descriptor/web/ApplicationListener.java
 (original)
+++ 
tomcat/trunk/java/org/apache/tomcat/util/descriptor/web/ApplicationListener.java
 Tue May 27 19:32:11 2014
@@ -40,4 +40,33 @@ public class ApplicationListener {
 public boolean isPluggabilityBlocked() {
 return pluggabilityBlocked;
 }
+
+
+@Override
+public int hashCode() {
+final int prime = 31;
+int result = 1;
+result = prime * result + ((className == null) ? 0 : 
className.hashCode());
+return result;
+}
+
+
+@Override
+public boolean equals(Object obj) {
+if (this == obj) {
+return true;
+}
+if (!(obj instanceof ApplicationListener)) {
+return false;
+}
+ApplicationListener other = (ApplicationListener) obj;
+if (className == null) {
+if (other.className != null) {
+return false;
+}
+} else if (!className.equals(other.className)) {
+return false;
+}
+return true;
+}
 }
\ No newline at end of file
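Review bot: equals() and hashCode() consider only className, so two ApplicationListener entries for the same class with different pluggabilityBlocked values compare equal and whatever deduplicates them at startup (per the changelog entry) keeps only the first one seen. If that is intended, a one-line comment saying pluggabilityBlocked is deliberately excluded from equality would stop the next reader from "fixing" it. Minor: with result starting at 1, the hashCode body reduces to `31 + (className == null ? 0 : className.hashCode())`, which `Objects.hashCode(className)` expresses directly. The file also still lacks a trailing newline.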

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1597855r1=1597854r2=1597855view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue May 27 19:32:11 2014
@@ -48,6 +48,10 @@
   subsection name=Catalina
 changelog
   fix
+bug55282/bug: Ensure that one and the same application listener is
+added only once when starting the web application. (violetagg)
+  /fix
+  fix
 bug55975/bug: Apply consistent escaping for double quote and
 backslash characters when escaping cookie values. (markt)
   /fix






svn commit: r1597858 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/deploy/ApplicationListener.java webapps/docs/changelog.xml

2014-05-27 Thread violetagg
Author: violetagg
Date: Tue May 27 19:45:55 2014
New Revision: 1597858

URL: http://svn.apache.org/r1597858
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55282
Merged revision 1597855 from tomcat/trunk:
o.a.t.util.descriptor.web.ApplicationListener overrides equals and hashCode 
methods.

Modified:
tomcat/tc7.0.x/trunk/   (props changed)

tomcat/tc7.0.x/trunk/java/org/apache/catalina/deploy/ApplicationListener.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
--
  Merged /tomcat/trunk:r1597855

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/deploy/ApplicationListener.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/deploy/ApplicationListener.java?rev=1597858r1=1597857r2=1597858view=diff
==
--- 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/deploy/ApplicationListener.java 
(original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/deploy/ApplicationListener.java 
Tue May 27 19:45:55 2014
@@ -40,4 +40,33 @@ public class ApplicationListener {
 public boolean isPluggabilityBlocked() {
 return pluggabilityBlocked;
 }
+
+
+@Override
+public int hashCode() {
+final int prime = 31;
+int result = 1;
+result = prime * result + ((className == null) ? 0 : 
className.hashCode());
+return result;
+}
+
+
+@Override
+public boolean equals(Object obj) {
+if (this == obj) {
+return true;
+}
+if (!(obj instanceof ApplicationListener)) {
+return false;
+}
+ApplicationListener other = (ApplicationListener) obj;
+if (className == null) {
+if (other.className != null) {
+return false;
+}
+} else if (!className.equals(other.className)) {
+return false;
+}
+return true;
+}
 }
\ No newline at end of file
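Review bot: Same point as for the trunk hunk: equality is by className alone and pluggabilityBlocked is ignored, which deserves a comment if intended. On the commit message: the log names the trunk class o.a.t.util.descriptor.web.ApplicationListener, while the class actually changed on this branch is org.apache.catalina.deploy.ApplicationListener; naming the 7.0.x class in the log keeps `svn log` searches on this branch accurate. The missing trailing newline is carried over as well.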

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1597858r1=1597857r2=1597858view=diff
==
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Tue May 27 19:45:55 2014
@@ -58,6 +58,10 @@
 section name=Tomcat 7.0.55 (violetagg)
   subsection name=Catalina
 changelog
+  fix
+bug55282/bug: Ensure that one and the same application listener is
+added only once when starting the web application. (violetagg)
+  /fix
   add
 bug56461/bug: New codefailCtxIfServletStartFails/code attribute
 on Context and Host configuration to force the context startup to fail






[Bug 55282] JSF PhaseListeners are duplicated

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55282

Violeta Georgieva violet...@apache.org changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution|--- |FIXED

--- Comment #9 from Violeta Georgieva violet...@apache.org ---
Thanks for the investigation. 
This has been fixed in trunk for 8.0.9 and in 7.0.x for 7.0.55 onwards.





Tomcat cipher suite config. Was: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-27 Thread Tim Whittington
Switching to dev list…

 
 I’m using the interactive mode of https://github.com/timw/groktls
 to dump these.
 
 Cool. I was just using the SSLInfo class and grep, obviously :)
 
 I've been thinking that the way Tomcat does JSSE cipher suites is a
 bit ... verbose. It would be nice to roll something like what
 groktls/OpenSSL can do into Tomcat.
 

I was kinda planning that when I wrote it,  but it ended up getting a bit big 
to insert into Tomcat - doing a Java 7 upgrade across Oracle/HP and IBM (who 
have mostly the same cipher suites, but with SSL_ instead of TLS_ at the front) 
and trying to enumerate the sensible cipher suites broke me.

I’m using it in our internal platform (which embeds Tomcat), and that works 
really well - ciphers=FIPS:@STRENGTH is a lot simpler as a default config than 
the 84 cipher suite names it was previously (will be worse again in Java 8). I 
know you don’t have to list a bunch of those 84 for things to work OK, but it’s 
still easier to understand if it’s policy based.

I’d still be interested in helping Tomcat get something like this - inserting a 
third party lib is probably a no go, but there’s no problem with copying the 
code (APLv2) or the idea.

The biggest problem I see with the policy based approach is the lack of 
standardisation of names that makes forward compatibility quite tricky - for 
example the CCM suites in RFC6655 leave off the digest/mac algo, the 
CHACHA20_POLY1305 construction in draft-agl-tls-chacha20poly1305 (among others) 
use different numbers of terms for the cipher suite etc.
I’m wondering whether a simpler term matching approach might work better than 
the full parsing approach currently used in groktls.

The OpenSSL expressions are horrific though (I copied some of the syntax, but 
not the semantics):
e.g. our current internal Apache config is 
-ALL:!ADH:!EXP:!aNULL:!SSLv2:!MD5:!KRB5:!PSK:HIGH+TLSv1.2:HIGH+TLSv1
Surely we can do better than that...

cheers
tim


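What the "simpler term matching approach" floated above can look like in practice, as an added example that is not part of the original thread and is neither groktls nor Tomcat code: a small policy that filters and orders the suites the running JVM reports. The deny terms, the strength table and the ranking are this example's own choices rather than any standard's; it normalises the IBM `SSL_` prefix mentioned in the post, and because it matches terms rather than parsing a fixed layout it copes with CCM names (no MAC term) and CHACHA20_POLY1305 (no separate key-size term) without special cases.

```java
import java.util.ArrayList;
import java.util.Comparator;
import java.util.List;
import javax.net.ssl.SSLContext;

/*
 * Added example, not Tomcat's or groktls' code: a term-matching cipher
 * suite policy applied to whatever the running JVM supports. The deny
 * list, strength table and ranking are this example's own choices.
 */
public class CipherPolicy {

    /* Any suite whose normalised name contains one of these terms is dropped. */
    static final String[] DENY = {
        "_NULL_", "_anon_", "_EXPORT", "_RC4_", "_DES_", "_DES40_",
        "_MD5", "_KRB5_", "_PSK_", "_SCSV",
    };

    /* IBM JDKs name the same suites with an SSL_ prefix; match on the TLS_ form. */
    static String normalise(String suite) {
        return suite.startsWith("SSL_") ? "TLS_" + suite.substring(4) : suite;
    }

    /* Nominal symmetric strength in bits, taken from the cipher term alone.
     * Unknown ciphers score 0 and are therefore excluded by allowed(). */
    static int strength(String suite) {
        String n = normalise(suite);
        if (n.contains("_AES_256_") || n.contains("_CHACHA20_POLY1305")) return 256;
        if (n.contains("_AES_128_")) return 128;
        if (n.contains("_3DES_")) return 112;
        return 0;
    }

    static boolean allowed(String suite) {
        String n = normalise(suite);
        for (String term : DENY) {
            if (n.contains(term)) return false;
        }
        return strength(suite) > 0;
    }

    /* Ordering inside one strength class: forward secrecy first, then AEAD.
     * TLS 1.3 suites carry no key-exchange term and are always forward-secret. */
    static int rank(String suite) {
        String n = normalise(suite);
        int r = 0;
        if (n.startsWith("TLS_ECDHE_") || n.startsWith("TLS_DHE_")
                || n.startsWith("TLS_AES_") || n.startsWith("TLS_CHACHA20_")) r += 2;
        if (n.contains("_GCM_") || n.contains("_CCM") || n.contains("_POLY1305")) r += 1;
        return r;
    }

    /* Applies the policy to a supported-suite list and returns the survivors,
     * strongest first, in their original spelling so they can be fed back to
     * the JSSE engine unchanged. */
    static List<String> select(String[] supported) {
        List<String> out = new ArrayList<>();
        for (String s : supported) {
            if (allowed(s)) out.add(s);
        }
        out.sort(Comparator.<String>comparingInt(CipherPolicy::strength)
                .thenComparingInt(CipherPolicy::rank)
                .reversed());
        return out;
    }

    public static void main(String[] args) throws Exception {
        String[] supported = SSLContext.getDefault().getSupportedSSLParameters().getCipherSuites();
        List<String> chosen = select(supported);
        System.out.println(chosen.size() + " of " + supported.length
                + " supported suites pass the policy:");
        for (String s : chosen) {
            System.out.printf("  %3d  %s%n", strength(s), s);
        }
    }
}
```

Run with `javac CipherPolicy.java && java CipherPolicy`; the output is the list that would go into a Connector's `ciphers` attribute on that JVM. The limitations the post raises remain visible here: the strength table must be extended by hand when a new cipher term appears (Camellia or ARIA suites, for instance, currently score 0 and are dropped), which is the "some list of actual cipher names" that any policy expression ultimately hides.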



Re: Tomcat cipher suite config. Was: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-27 Thread Konstantin Kolinko
2014-05-28 1:35 GMT+04:00 Tim Whittington t...@apache.org:
 Switching to dev list…


 I’m using the interactive mode of https://github.com/timw/groktls
 to dump these.

 Cool. I was just using the SSLInfo class and grep, obviously :)

 I've been thinking that the way Tomcat does JSSE cipher suites is a
 bit ... verbose. It would be nice to roll something like what
 groktls/OpenSSL can do into Tomcat.


 I was kinda planning that when I wrote it,  but it ended up getting a bit big 
 to insert into Tomcat - doing a Java 7 upgrade across Oracle/HP and IBM (who 
 have mostly the same cipher suites, but with SSL_ instead of TLS_ at the 
 front) and trying to enumerate the sensible cipher suites broke me.

 I’m using it in our internal platform (which embeds Tomcat), and that works 
 really well - ciphers=FIPS:@STRENGTH is a lot simpler as a default config 
 than the 84 cipher suite names it was previously (will be worse again in Java 
 8). I know you don’t have to list a bunch of those 84 for things to work OK, 
 but it’s still easier to understand if it’s policy based.

 I’d still be interested in helping Tomcat get something like this - inserting 
 a third party lib is probably a no go, but there’s no problem with copying 
 the code (APLv2) or the idea.

 The biggest problem I see with the policy based approach is the lack of 
 standardisation of names that makes forward compatibility quite tricky - for 
 example the CCM suites in RFC6655 leave off the digest/mac algo, the 
 CHACHA20_POLY1305 construction in draft-agl-tls-chacha20poly1305 (among 
 others) use different numbers of terms for the cipher suite etc.
 I’m wondering whether a simpler term matching approach might work better than 
 the full parsing approach currently used in groktls.

 The OpenSSL expressions are horrific though (I copied some of the syntax, but 
 not the semantics):
 e.g. our current internal Apache config is 
 -ALL:!ADH:!EXP:!aNULL:!SSLv2:!MD5:!KRB5:!PSK:HIGH+TLSv1.2:HIGH+TLSv1
 Surely we can do better than that...


I do not see how FIPS:@STRENGTH or similar can be done without
coding some list of actual cipher names.

As for that I have an idea not for Apache Tomcat source code, but for
an administrator:

Put that list into catalina.properties as a property, and reference it
in actual server.xml, e.g. ${FIPS_STRENGTH}.

How to prepare that list may be a topic for a Wiki.

Best regards,
Konstantin Kolinko




Re: Tomcat cipher suite config. Was: Tomcat 7 cannot get ciphers with SHA256 or SHA384

2014-05-27 Thread Tim Whittington

On 28/05/2014, at 9:48 am, Konstantin Kolinko knst.koli...@gmail.com wrote:

 2014-05-28 1:35 GMT+04:00 Tim Whittington t...@apache.org:
 Switching to dev list…
 
 
 I’m using the interactive mode of https://github.com/timw/groktls
 to dump these.
 
 Cool. I was just using the SSLInfo class and grep, obviously :)
 
 I've been thinking that the way Tomcat does JSSE cipher suites is a
 bit ... verbose. It would be nice to roll something like what
 groktls/OpenSSL can do into Tomcat.
 
 
 I was kinda planning that when I wrote it,  but it ended up getting a bit 
 big to insert into Tomcat - doing a Java 7 upgrade across Oracle/HP and IBM 
 (who have mostly the same cipher suites, but with SSL_ instead of TLS_ at 
 the front) and trying to enumerate the sensible cipher suites broke me.
 
 I’m using it in our internal platform (which embeds Tomcat), and that works 
 really well - ciphers=FIPS:@STRENGTH is a lot simpler as a default config 
 than the 84 cipher suite names it was previously (will be worse again in 
 Java 8). I know you don’t have to list a bunch of those 84 for things to 
 work OK, but it’s still easier to understand if it’s policy based.
 
 I’d still be interested in helping Tomcat get something like this - 
 inserting a third party lib is probably a no go, but there’s no problem with 
 copying the code (APLv2) or the idea.
 
 The biggest problem I see with the policy based approach is the lack of 
 standardisation of names that makes forward compatibility quite tricky - for 
 example the CCM suites in RFC6655 leave off the digest/mac algo, the 
 CHACHA20_POLY1305 construction in draft-agl-tls-chacha20poly1305 (among 
 others) use different numbers of terms for the cipher suite etc.
 I’m wondering whether a simpler term matching approach might work better 
 than the full parsing approach currently used in groktls.
 
 The OpenSSL expressions are horrific though (I copied some of the syntax, 
 but not the semantics):
 e.g. our current internal Apache config is 
 -ALL:!ADH:!EXP:!aNULL:!SSLv2:!MD5:!KRB5:!PSK:HIGH+TLSv1.2:HIGH+TLSv1
 Surely we can do better than that...
 
 
 I do not see how FIPS:@STRENGTH or similar can be done without
 coding some list of actual cipher names.
 

groktls does it by parsing cipher suite names, and then matching on component 
parts, but in general you’re correct.
The matching is fairly sane (although things like FIPS can evolve - new CCM 
cipher suites is an example), the parsing is pretty hacky though...

 As for that I have an idea not for Apache Tomcat source code, but for
 an administrator:
 
 Put that list into catalina.properties as a property, and reference it
 in actual server.xml, e.g. ${FIPS_STRENGTH}.
 
 How to prepare that list may be a topic for a Wiki.
 

This just shifts the problem, so preparing the list is still hard to manage.
groktls in interactive mode lets you produce that list based on policy 
expressions, so you can do that now if it’s workable for you.
(I just hacked in a bare mode that spits out a comma separated list).

cheers
tim
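As an added example covering both messages above (Tim's description of groktls matching on the parsed components of cipher suite names, and Konstantin's suggestion of an explicit list held in catalina.properties and referenced from server.xml as ${FIPS_STRENGTH}), here is a small Python policy evaluator. It is not groktls and not Tomcat code: the suite names are constructed, the keyword definitions (FIPS, HIGH and so on) are simplified approximations rather than OpenSSL's exact semantics, and the term-classification rules are assumptions made for the illustration.

```python
"""Policy-driven selection of JSSE cipher suite names.

Added example for this thread, not groktls and not Tomcat code.  It shows the
"term matching" idea: split each JSSE suite name into terms, classify them, then
evaluate a small OpenSSL-flavoured policy string ('A:B' adds, '!X' excludes for
good, '-X' drops what is currently selected, 'A+B' requires both, '@STRENGTH'
sorts by key size) and emit the explicit comma-separated list that a server.xml
ciphers attribute, or a catalina.properties property, needs.  Suite names and
keyword definitions are constructed for the example.
"""

# Constructed sample; IBM JDKs report some suites with an SSL_ prefix.
SAMPLE_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CCM",  # RFC 6655 style name: no MAC term at all
    "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DH_anon_WITH_AES_128_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_RSA_WITH_NULL_SHA256",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
]

MODES = {"GCM", "CCM", "POLY1305", "CBC"}
AEAD_MODES = {"GCM", "CCM", "POLY1305"}
MACS = {"MD5", "SHA", "SHA256", "SHA384"}
IMPLIED_BITS = {"3DES": 112, "CHACHA20": 256, "NULL": 0}  # names with no size term


def parse_suite(name):
    """Classify the terms of one JSSE suite name, tolerating absent terms."""
    body = name.split("_", 1)[1]  # drop the TLS_/SSL_ prefix
    kx_auth, _, spec = body.partition("_WITH_")
    kx_terms = [t for t in kx_auth.split("_") if t != "EXPORT"]
    spec_terms = spec.split("_")
    cipher = spec_terms[0]
    mode = next((t for t in spec_terms if t in MODES), "STREAM")
    return {
        "name": name,
        "kx": kx_terms[0],  # ECDHE, DH, RSA, ...
        "auth": kx_terms[-1],  # RSA, ECDSA, anon
        "export": "EXPORT" in kx_auth.split("_"),
        "cipher": cipher,
        "bits": next((int(t) for t in spec_terms if t.isdigit()),
                     IMPLIED_BITS.get(cipher, 0)),
        "aead": mode in AEAD_MODES,
        # CCM names carry no MAC term; record None instead of guessing one.
        "mac": spec_terms[-1] if spec_terms[-1] in MACS else None,
    }


# Policy keywords are predicates over the classified terms, so a new name such
# as a further CCM suite is selected by FIPS without anyone listing it.
KEYWORDS = {
    "ALL": lambda p: p["cipher"] != "NULL",
    "FIPS": lambda p: (p["cipher"] in ("AES", "3DES") and p["auth"] != "anon"
                       and not p["export"] and p["mac"] != "MD5"),
    "HIGH": lambda p: p["bits"] >= 128,
    "AEAD": lambda p: p["aead"],
    "ECDHE": lambda p: p["kx"] == "ECDHE",
    "aNULL": lambda p: p["auth"] == "anon",
    "eNULL": lambda p: p["cipher"] == "NULL",
    "EXP": lambda p: p["export"],
    "MD5": lambda p: p["mac"] == "MD5",
    "RC4": lambda p: p["cipher"] == "RC4",
}


def select(policy, suites=SAMPLE_SUITES):
    """Return the suite names chosen by an OpenSSL-flavoured policy string."""
    parsed = [parse_suite(s) for s in suites]
    chosen, killed = [], set()
    for item in filter(None, policy.split(":")):
        if item == "@STRENGTH":
            chosen.sort(key=lambda p: -p["bits"])  # stable: policy order within a size
            continue
        op = item[0] if item[0] in "!-" else ""
        terms = item.lstrip("!-").split("+")
        unknown = [t for t in terms if t not in KEYWORDS]
        if unknown:
            raise ValueError("unknown policy keyword(s): " + ", ".join(unknown))
        names = {p["name"] for p in parsed if all(KEYWORDS[t](p) for t in terms)}
        if op == "!":
            killed |= names  # '!' excludes permanently; later terms cannot re-add
        if op:
            chosen = [p for p in chosen if p["name"] not in names]
        else:
            have = {p["name"] for p in chosen} | killed
            chosen += [p for p in parsed if p["name"] in names and p["name"] not in have]
    return [p["name"] for p in chosen]


def ciphers_attribute(policy, suites=SAMPLE_SUITES):
    """Comma-separated list for server.xml ciphers= or a catalina.properties value."""
    return ",".join(select(policy, suites))


if __name__ == "__main__":
    # Paste into catalina.properties, then use ciphers="${FIPS_STRENGTH}" in server.xml.
    print("FIPS_STRENGTH=" + ciphers_attribute("FIPS:@STRENGTH"))
```

The keyword table is where all the naming knowledge lives, which is the point Tim makes about forward compatibility: the CCM suite has no MAC term, CHACHA20_POLY1305 has no size term, and both still get classified because each predicate only looks at the terms it needs. Keywords that the real OpenSSL-style configs in the thread use but this table lacks (SSLv2, KRB5, PSK, TLSv1.2) raise ValueError rather than silently matching nothing, which is the safer failure for a setting that decides what TLS the connector will accept.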



[Bug 56568] Incompatible change in JSPs only permit GET POST or HEAD

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56568

--- Comment #2 from Mark Thomas ma...@apache.org ---
My original proposal [1] included a page directive to make this configurable.
That part was rejected.

Options at this point:
1. Go ahead and add the page directive anyway 
2. Add an init param to the JSP Servlet to control the default methods
supported
3. Check the method via an over-ridable method that could be over-ridden by
individual JSPs.
4. Do 2 & 3.
5. Skip the method check if the JSP is an error page.

I still think that the page directive is the way to handle this but I'd really
like to do that with support from the JSP EG. Is 5 a sufficient solution for
now? Can you think of any other use cases that might break because of this
change?

[1] https://java.net/jira/browse/JSP-33




[Bug 56568] Incompatible change in JSPs only permit GET POST or HEAD

2014-05-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56568

--- Comment #3 from Konstantin Kolinko knst.koli...@gmail.com ---
The specification requirement is not to reject, but to provide undefined
behaviour. The rejection behaviour is a security hardening.

(In reply to Mark Thomas from comment #2)

 3. Check the method via an over-ridable method that could be over-ridden
 by individual JSPs.

I think implementing 3. means that the check is moved from
org.apache.jasper.servlet.JspServlet#service(...)
into 
org.apache.jasper.runtime.HttpJspBase#service(...)

In this case there may be an alternative base class e.g. AnyMethodHttpJspBase
and the JSP pages may be patched to use
<%page extends="o.a.j.runtime.AnyMethodHttpJspBase" %>

This strikes me as ugly / hacky.

 2. Add an init param to the JSP Servlet to control the default methods 
 supported

Maybe. As a regexp?




Re: [SECURITY] CVE-2014-0119 Apache Tomcat information disclosure

2014-05-27 Thread Konstantin Kolinko
2014-05-27 16:46 GMT+04:00 Mark Thomas ma...@apache.org:
 CVE-2014-0119 Information Disclosure

 Severity: Important

 Vendor: The Apache Software Foundation

 Versions Affected:
 - Apache Tomcat 8.0.0-RC1 to 8.0.5
 - Apache Tomcat 7.0.0 to 7.0.53
 - Apache Tomcat 6.0.0 to 6.0.39

 Description:
 In limited circumstances it was possible for a malicious web application
 to replace the XML parsers used by Tomcat to process XSLTs for the
 default servlet, JSP documents, tag library descriptors (TLDs) and tag
 plugin configuration files. The injected XML parser(s) could then bypass
 the limits imposed on XML external entities and/or have visibility of
 the XML files processed for other web applications deployed on the same
 Tomcat instance.


The default servlet part of this issue was fixed by the following commits:

http://svn.apache.org/r1588193
http://svn.apache.org/r1588199
http://svn.apache.org/r1589640

Best regards,
Konstantin Kolinko




svn commit: r1597913 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml

2014-05-27 Thread kkolinko
Author: kkolinko
Date: Wed May 28 00:51:50 2014
New Revision: 1597913

URL: http://svn.apache.org/r1597913
Log:
Amend revision lists for CVE-2014-0119

Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1597913r1=1597912r2=1597913view=diff
==
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Wed May 28 00:51:50 2014
@@ -403,7 +403,8 @@
Tomcat instance./p
 
 
-pThis was fixed in revision a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1593821;1593821/a./p
+pThis was fixed in revisions a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1589640;1589640/a and
+   a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1593821;1593821/a./p
 
 
 pThis issue was identified by the Tomcat security team on 12 April 2014

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1597913r1=1597912r2=1597913view=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Wed May 28 00:51:50 2014
@@ -340,7 +340,8 @@
Tomcat instance./p
 
 
-pThis was fixed in revisions a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1590028;1590028/a and
+pThis was fixed in revisions a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1588199;1588199/a,
+   a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1590028;1590028/a and
a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1589997;1589997/a./p
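Review bot: the rewritten sentence now reads 1588199, 1590028, 1589997, so the revisions are out of numeric order once the new one is prepended (the old line already had 1590028 ahead of 1589997, but this change touches the line anyway). docs/security-7.html is the rendered copy of xdocs/security-7.xml, so make the reordering in the xdocs hunk of this same commit and regenerate the HTML from it rather than editing the HTML by hand, so the two cannot drift apart.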
 
 

Modified: tomcat/site/trunk/docs/security-8.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1597913r1=1597912r2=1597913view=diff
==
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Wed May 28 00:51:50 2014
@@ -295,7 +295,8 @@
Tomcat instance./p
 
 
-pThis was fixed in revisions a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1589837;1589837/a,
+pThis was fixed in revisions a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1588193;1588193/a,
+   a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1589837;1589837/a,
a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1589980;1589980/a and
a 
href=http://svn.apache.org/viewvc?view=revamp;rev=1589990;1589990/a./p
 

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1597913r1=1597912r2=1597913view=diff
==
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Wed May 28 00:51:50 2014
@@ -117,7 +117,8 @@
XML files processed for other web applications deployed on the same
Tomcat instance./p
 
-pThis was fixed in revision revlink rev=15938211593821/revlink./p
+pThis was fixed in revisions revlink rev=15896401589640/revlink and
+   revlink rev=15938211593821/revlink./p
 
 pThis issue was identified by the Tomcat security team on 12 April 2014
and made public on 27 May 2014./p

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1597913r1=1597912r2=1597913view=diff
==
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Wed May 28 00:51:50 2014
@@ -63,7 +63,8 @@
XML files processed for other web applications deployed on the same
Tomcat instance./p
 
-pThis was fixed in revisions revlink rev=15900281590028/revlink and
+pThis was fixed in revisions revlink rev=15881991588199/revlink,
+   revlink rev=15900281590028/revlink and
revlink rev=15899971589997/revlink./p
 
 pThis issue was identified by the Tomcat security team on 12 April 2014
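Review bot: the + lines keep 1590028 ahead of 1589997 while prepending 1588199, so the list is neither chronological nor numeric; reorder the three revlink entries to 1588199, 1589997, 1590028 (ascending, which is how the security-6 and security-8 entries in this commit already read) and regenerate docs/security-7.html from this file.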

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1597913r1=1597912r2=1597913view=diff
==
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Wed May 28 00:51:50 2014
@@ -69,7 +69,8 @@
XML files processed for other web applications deployed on the same
Tomcat instance./p
 
-pThis was