[GUMP@vmgump]: Project tomcat-native-make (in module tomcat-native) failed
To whom it may engage...

This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org.

Project tomcat-native-make has an issue affecting its community integration. This issue affects 4 projects, and has been outstanding for 4 runs. The current state of this project is 'Failed', with reason 'Build Failed'. For reference only, the following projects are affected by this:
- tomcat-native-make : Tomcat native library using Apache Portable Runtime
- tomcat-native-make-install : Tomcat native library using Apache Portable Runtime
- tomcat-tc7.0.x-test-apr : Tomcat 7.x, a web server implementing Java Servlet 3.0, ...
- tomcat-tc8.0.x-test-apr : Tomcat 8.x, a web server implementing the Java Servlet 3.1, ...

Full details are available at: http://vmgump.apache.org/gump/public/tomcat-native/tomcat-native-make/index.html

That said, some information snippets are provided here. The following annotations (debug/informational/warning/error messages) were provided:
-INFO- Failed with reason build failed

The following work was performed: http://vmgump.apache.org/gump/public/tomcat-native/tomcat-native-make/gump_work/build_tomcat-native_tomcat-native-make.html
Work Name: build_tomcat-native_tomcat-native-make (Type: Build)
Work ended in a state of : Failed
Elapsed: 26 secs
Command Line: make [Working Directory: /srv/gump/public/workspace/tomcat-native/native]
-
make[1]: Entering directory `/srv/gump/public/workspace/tomcat-native/native'
/bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl-master/dest-20160223/include 
-I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1 -o src/address.lo -c src/address.c && touch src/address.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl-master/dest-20160223/include -I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1 -o src/bb.lo -c src/bb.c && touch src/bb.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl-master/dest-20160223/include -I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1 -o src/dir.lo -c src/dir.c && touch src/dir.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl-master/dest-20160223/include -I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1 -o src/error.lo -c src/error.c && touch src/error.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP -I/srv/gump/public/workspace/tomcat-native/native/include 
-I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl-master/dest-20160223/include -I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1 -o src/file.lo -c src/file.c && touch src/file.lo /bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool --silent --mode=compile gcc -g -O2 -pthread -DHAVE_CONFIG_H -DLINUX -D_REENTRANT -D_GNU_SOURCE -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP -I/srv/gump/public/workspace/tomcat-native/native/include -I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux -I/srv/gump/public/workspace/openssl-master/dest-20160223/include -I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1 -o src/info.lo -c src/info.c && touch src/info.lo /bin/bash
[Bug 57830] Add support for ProxyProtocol
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830

--- Comment #9 from Christopher Schultz ---
I think Daniel Ruggeri did some work on this. He's been waiting for some feedback from me. Maybe I should get on that!

-- You are receiving this mail because: You are the assignee for the bug.
- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 59001] Unable to load jar files when they have exclamation in the path
https://bz.apache.org/bugzilla/show_bug.cgi?id=59001

--- Comment #6 from Mark Thomas ---
I really wanted to fix this but I'm not sure that supporting this use case is worth the cost.

There are two places I have found (so far) where changes would be required. The first is during start-up to ensure that the paths used to construct the URLs for the class loaders escape "!/" to "%21/". The second is in the web resources implementation where FileResource.getURL() needs to escape "!/" to "%21/".

The problem stems from the fact that the only way to do this escaping (that I have been able to find) is URL -> toString() -> replaceAll() -> new URL(). And that is relatively expensive. I'm not concerned about startup. That is a one-off cost. What concerns me is the performance impact of adding this to FileResource.getURL(). That gets called a lot. I'm concerned that the impact of adding this escaping is going to be measurable for end users.

The other option is to take the position that anytime code constructs a jar URL, that code is responsible for ensuring that any !/ sequences in the path it uses to construct that URL are escaped. While we could do this in Tomcat (there are ~20 places we'd need to fix this), I suspect a whole bunch of third-party code won't handle this correctly. And this is before we get into the mess that is JARs in WARs.

Given that most users don't need this (I don't recall seeing this issue reported previously and that's going back to Tomcat 4.1.x) I'm leaning heavily towards WONTFIX. There is going to need to be a really good reason to fix this to change my mind.
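The splitting behaviour the comment above describes, as an added example that is neither part of the bug thread nor Tomcat's own code: it builds a jar: URL from a directory whose name contains "!/" (the path /srv/webapps!/shared and the archive name util.jar are made up for the demo), shows that java.net.JarURLConnection cuts the archive URL at the first "!/" it finds, then repeats the construction with "!/" escaped to "%21/" and decodes the archive URL back to a File. Unix-style paths are assumed.

```java
import java.io.File;
import java.io.IOException;
import java.net.JarURLConnection;
import java.net.URISyntaxException;
import java.net.URL;

/*
 * Demonstrates why a "!/" inside a directory name breaks jar: URLs and how
 * escaping it to "%21/" before the URL is built repairs them. Directory and
 * archive names are hypothetical; no file is opened, only URL parsing runs.
 */
public class JarUrlSeparatorDemo {

    /**
     * Escape every "!/" in a file-system path so that a jar: URL built from it
     * has exactly one un-escaped "!/": the one separating archive and entry.
     */
    static String escapeBangSlash(String path) {
        return path.replace("!/", "%21/");
    }

    /**
     * Parse a jar: URL the way the JDK does. JarURLConnection splits the spec
     * at the FIRST "!/" into archive URL and entry name; nothing is read yet.
     */
    static JarURLConnection parse(String spec) throws IOException {
        return (JarURLConnection) new URL(spec).openConnection();
    }

    public static void main(String[] args) throws IOException, URISyntaxException {
        String dir = "/srv/webapps!/shared";        // hypothetical directory containing "!/"
        String entry = "META-INF/MANIFEST.MF";

        // Naive construction: the path's own "!/" is met first, so the
        // archive URL is truncated at the directory before it and the rest
        // of the path ends up inside the entry name.
        JarURLConnection naive = parse("jar:file:" + dir + "/util.jar!/" + entry);
        System.out.println("naive archive URL : " + naive.getJarFileURL());
        System.out.println("naive entry name  : " + naive.getEntryName());

        // Escaped construction: only the real separator is left as "!/",
        // so the archive URL covers the whole path to util.jar.
        JarURLConnection fixed = parse("jar:file:" + escapeBangSlash(dir) + "/util.jar!/" + entry);
        System.out.println("fixed archive URL : " + fixed.getJarFileURL());
        System.out.println("fixed entry name  : " + fixed.getEntryName());

        // "%21" decodes back to "!" when the archive URL is turned into a
        // File, so the archive is located on disk where it really lives.
        File archive = new File(fixed.getJarFileURL().toURI());
        System.out.println("archive on disk   : " + archive.getPath());
    }
}
```

The escaping must happen on the path string before the jar: URL is assembled; once the URL exists, the only route left is the toString()/replaceAll()/new URL() round trip the comment calls expensive.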
[Bug 48674] Tomcat Virtual Host Manager application doesn't persist newly created virtual hosts
https://bz.apache.org/bugzilla/show_bug.cgi?id=48674

Mark Thomas changed:
What | Removed | Added
Status | NEW | RESOLVED
Resolution | --- | FIXED

--- Comment #12 from Mark Thomas ---
I've applied a variation of Coty Sutherland's patch to trunk for 9.0.0.M4 onwards. We can tweak that as feedback is received.
svn commit: r1731735 - /tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java
Author: markt Date: Mon Feb 22 20:22:38 2016 New Revision: 1731735 URL: http://svn.apache.org/viewvc?rev=1731735=rev Log: Restore correct array size after r1731734 Modified: tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java Modified: tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java?rev=1731735=1731734=1731735=diff == --- tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java (original) +++ tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java Mon Feb 22 20:22:38 2016 @@ -360,7 +360,7 @@ public final class HTMLHostManagerServle writer.print (MessageFormat.format(HOSTS_ROW_DETAILS_SECTION, args)); -args = new Object[6]; +args = new Object[4]; if (host.getState().isAvailable()) { args[0] = response.encodeURL (request.getContextPath() + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
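Review bot: the restore to `args = new Object[4]` is right for the host-row block, where `args[3] = hostsRemove;` is the last index assigned, but this log does not mention bug 48674 while r1731734 (the commit that introduced the stray `new Object[6]`) does; when r1731734 is backported for 48674 the two revisions need to travel together, so naming the bug here would make that pairing visible in the history.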
svn commit: r1731734 - in /tomcat/trunk: java/org/apache/catalina/manager/host/ webapps/docs/
Author: markt Date: Mon Feb 22 20:19:15 2016 New Revision: 1731734 URL: http://svn.apache.org/viewvc?rev=1731734=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=48674 Implement an option within the Host Manager web pplication to persist the current configuration. Based on a patch by Coty Sutherland. Modified: tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java tomcat/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java tomcat/trunk/java/org/apache/catalina/manager/host/LocalStrings.properties tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java?rev=1731734=1731733=1731734=diff == --- tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java (original) +++ tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java Mon Feb 22 20:19:15 2016 @@ -94,7 +94,8 @@ public final class HTMLHostManagerServle } else if (command.equals("/list")) { // Nothing to do - always generate list } else if (command.equals("/add") || command.equals("/remove") || -command.equals("/start") || command.equals("/stop")) { +command.equals("/start") || command.equals("/stop") || +command.equals("/persist")) { message = smClient.getString( "hostManagerServlet.postCommand", command); } else { @@ -143,6 +144,8 @@ public final class HTMLHostManagerServle message = start(name, smClient); } else if (command.equals("/stop")) { message = stop(name, smClient); +} else if (command.equals("/persist")) { +message = persist(smClient); } else { //Try GET doGet(request, response); 
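Review bot: `/persist` is correctly placed with add/remove/start/stop in the list of commands that doGet refuses with hostManagerServlet.postCommand, so it is only reachable through doPost. Since persist writes the running configuration to server.xml it is a state-changing action, and the form that posts to html/persist must carry the same CSRF token the Host Manager's other POST forms rely on (the CVE-2015-5351 entry further down this page shows why that token matters); the PERSIST_SECTION markup does not survive in this extract, so that cannot be confirmed here and should be checked before backporting.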
@@ -227,6 +230,22 @@ public final class HTMLHostManagerServle /** + * Persist the current configuration to server.xml. + * + * @param smClient i18n resources localized for the client + */ +protected String persist(StringManager smClient) { + +StringWriter stringWriter = new StringWriter(); +PrintWriter printWriter = new PrintWriter(stringWriter); + +super.persist(printWriter, smClient); + +return stringWriter.toString(); +} + + +/** * Render a HTML list of the currently active Contexts in our virtual host, * and memory and server status information. * @@ -341,7 +360,7 @@ public final class HTMLHostManagerServle writer.print (MessageFormat.format(HOSTS_ROW_DETAILS_SECTION, args)); -args = new Object[4]; +args = new Object[6]; if (host.getState().isAvailable()) { args[0] = response.encodeURL (request.getContextPath() + @@ -362,10 +381,10 @@ public final class HTMLHostManagerServle args[3] = hostsRemove; if (host == this.installedHost) { writer.print(MessageFormat.format( -MANAGER_HOST_ROW_BUTTON_SECTION, args)); +MANAGER_HOST_ROW_BUTTON_SECTION, args)); } else { writer.print(MessageFormat.format( -HOSTS_ROW_BUTTON_SECTION, args)); +HOSTS_ROW_BUTTON_SECTION, args)); } } } @@ -413,6 +432,14 @@ public final class HTMLHostManagerServle args[0] = smClient.getString("htmlHostManagerServlet.addButton"); writer.print(MessageFormat.format(ADD_SECTION_END, args)); +// Persist Configuration Section +args = new Object[4]; +args[0] = smClient.getString("htmlHostManagerServlet.persistTitle"); +args[1] = response.encodeURL(request.getContextPath() + "/html/persist"); +args[2] = smClient.getString("htmlHostManagerServlet.persistAllButton"); +args[3] = smClient.getString("htmlHostManagerServlet.persistAll"); +writer.print(MessageFormat.format(PERSIST_SECTION, args)); + // Server Header Section args = new Object[7]; args[0] = smClient.getString("htmlHostManagerServlet.serverTitle"); 
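Review bot: in the hunk at @@ -341,7 +360,7 @@ the host-row `args` array grows from `new Object[4]` to `new Object[6]`, but nothing visible assigns past `args[3] = hostsRemove;` and the two MessageFormat.format calls in the same hunk change only indentation, so the size change looks accidental (r1731735 on this page reverts it). The new Persist Configuration section sizes its own `args` to 4 and fills all four slots, which is fine.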
@@ -483,6 +510,9 @@ public final class HTMLHostManagerServle " " + " " + " \n" + +" " + +" " + +" \n" + " \n" + "\n"; @@ -552,4 +582,20 @@ public final class HTMLHostManagerServle "\n" + "\n"; +private static final String PERSIST_SECTION = +"\n" + +"\n" + +" {0}\n" + +"\n" + +"\n" + +
svn commit: r1731733 - /tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml
Author: markt Date: Mon Feb 22 20:14:36 2016 New Revision: 1731733 URL: http://svn.apache.org/viewvc?rev=1731733=rev Log: Add the RFC6265 cookie processor Modified: tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml Modified: tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml?rev=1731733=1731732=1731733=diff == --- tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml (original) +++ tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml Mon Feb 22 20:14:36 2016 @@ -462,6 +462,13 @@ storeFactoryClass="org.apache.catalina.storeconfig.StoreFactoryBase"> + +
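Review bot: the added server-registry.xml element is reduced to `+ +` in this extract, so its tagClass and storeFactoryClass cannot be reviewed here; confirm the cookie-processor entry declares both the same way as the neighbouring entry, whose context line shows storeFactoryClass="org.apache.catalina.storeconfig.StoreFactoryBase".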
svn commit: r1731732 - /tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml
Author: markt Date: Mon Feb 22 20:09:49 2016 New Revision: 1731732 URL: http://svn.apache.org/viewvc?rev=1731732=rev Log: Don't want to persist the Loader.domain attribute Modified: tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml Modified: tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml?rev=1731732=1731731=1731732=diff == --- tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml (original) +++ tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml Mon Feb 22 20:09:49 2016 @@ -210,6 +210,7 @@ default="false" tagClass="org.apache.catalina.loader.WebappLoader" storeFactoryClass="org.apache.catalina.storeconfig.LoaderSF"> +domain
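Review bot: `domain` is added inside the WebappLoader entry (tagClass="org.apache.catalina.loader.WebappLoader", default="false") and the log says the attribute must not be persisted, which means it belongs in that entry's transient-attribute list; the enclosing element name is lost in this extract, so confirm it did not land in a stored-attribute list instead, which would do the opposite of what the log says.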
[Bug 57830] Add support for ProxyProtocol
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830

--- Comment #8 from Axel Fontaine ---
+1
svn commit: r1731697 - /tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
Author: markt Date: Mon Feb 22 17:33:09 2016 New Revision: 1731697 URL: http://svn.apache.org/viewvc?rev=1731697=rev Log: OpenSSL master has removed support for 23 ciphers Modified: tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java Modified: tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java?rev=1731697=1731696=1731697=diff == --- tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java (original) +++ tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java Mon Feb 22 17:33:09 2016 
@@ -330,6 +330,29 @@ public class TesterOpenSSL { unimplemented.add(Cipher.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA); unimplemented.add(Cipher.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA); unimplemented.add(Cipher.TLS_DH_RSA_WITH_SEED_CBC_SHA); +unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_NULL_SHA); +unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_RC4_128_SHA); +unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_RC4_128_SHA); +unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA); +unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA); +unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA); +unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_NULL_SHA); +unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_RC4_128_SHA); +unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA); +unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA); +unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA); +unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256); +unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384); +unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256); +unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384); +unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256); +unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384); +unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256); +unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256); + unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384); + unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256); + unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384); } OPENSSL_UNIMPLEMENTED_CIPHERS = Collections.unmodifiableSet(unimplemented); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
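Review bot: `unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_RC4_128_SHA);` appears twice in this hunk, so 23 lines are added but only 22 distinct cipher suites, while the log says OpenSSL master removed 23; either the duplicate hides a suite that is still missing or the count in the log is off by one, and the list should be re-checked against the OpenSSL commit. Harmless at runtime because `unimplemented` is a Set, but the duplicate line should go.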
Re: tomcat memory allocation
On 22.02.2016 at 16:52, Matip Ma Teha Louis Blaise wrote:
> Good evening everyone, I have a problem with tomcat, in fact I installed Tomcat 6 on a server that has 12 GB of RAM, and tomcat allows me to use only about 2GB to 12GB. Therefore I would like to know if there is not a solution to it to expand this memory to over 2GB. Thank you.

Hello,

you have posted your question to the wrong mail address. Please have a look at http://tomcat.apache.org/lists.html#tomcat-users to see where to post questions about tomcat. When posting your questions, post them to one list only, please.

Regards,
Felix
[Bug 59043] New: SingleSignOn valve warns about missing session when invoking HttpServletRequest.logout
https://bz.apache.org/bugzilla/show_bug.cgi?id=59043

Bug ID: 59043
Summary: SingleSignOn valve warns about missing session when invoking HttpServletRequest.logout
Product: Tomcat 8
Version: 8.0.32
Hardware: PC
Status: NEW
Severity: major
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: roberto.benede...@dedalus.eu

When HttpServletRequest.logout() is invoked, first the ID of the current session is changed, then all the sessions in SingleSignOnEntry are expired, but the current one has changed its ID, hence the annoying warning.

From the log:
...
FINE [http-nio-8080-exec-3] AuthenticatorBase.register Authenticated 'john.doe' with type 'FORM'
FINE [http-nio-8080-exec-3] AuthenticatorBase.register Session ID changed on authentication from [6F6874832A811D2B69AA06F3745C4CC7] to [FD2777025AC71CA72A44545472DAB5C2]
FINE [http-nio-8080-exec-3] SingleSignOn.register SSO registering SSO session [9284A1891047D0FA96629C9059528302] for user [john.doe] with authentication type [FORM]
FINE [http-nio-8080-exec-3] SingleSignOn.associate SSO associating application session [StandardSession[FD2777025AC71CA72A44545472DAB5C2]] with SSO session [9284A1891047D0FA96629C9059528302]
...
FINE [http-nio-8080-exec-4] AuthenticatorBase.register Authenticated 'none' with type 'null'
FINE [http-nio-8080-exec-4] AuthenticatorBase.register Session ID changed on authentication from [FD2777025AC71CA72A44545472DAB5C2] to [DCE8372B4BF6AD84F63BF5664D8E941E]
FINE [http-nio-8080-exec-4] SingleSignOn.deregister SSO expiring application session [Host: [localhost], Context: [/app], SessionID: [FD2777025AC71CA72A44545472DAB5C2]] associated with SSO session [9284A1891047D0FA96629C9059528302]
WARNING [http-nio-8080-exec-4] SingleSignOn.expire SSO unable to expire session [Host: [localhost], Context: [/app], SessionID: [FD2777025AC71CA72A44545472DAB5C2]] because the Session could not be found
...
[Bug 59043] SingleSignOn valve warns about missing session when invoking HttpServletRequest.logout
https://bz.apache.org/bugzilla/show_bug.cgi?id=59043

Roberto Benedetti changed:
What | Removed | Added
OS | | All
CC | | roberto.benedetti@dedalus.eu
svn commit: r1731638 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/s
Author: markt Date: Mon Feb 22 13:18:59 2016 New Revision: 1731638 URL: http://svn.apache.org/viewvc?rev=1731638=rev Log: Improve descriptions. In particular, make it clear when an issue only impact users running untrusted web applications under a security manager. Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1731638=1731637=1731638=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Mon Feb 22 13:18:59 2016 @@ -338,6 +338,10 @@ +This issue only affects users running untrusted web applications under a + security manager. + + When accessing resources via the ServletContext methods getResource() getResourceAsStream() and getResourcePaths() the paths should be limited to the 
@@ -410,12 +414,17 @@ -The StatusManagerServlet could be loaded by a web application when a - security manager was configured. This servlet would then provide the web - application with a list of all deployed applications and a list of the - HTTP request lines for all requests currently being processed. This could - have exposed sensitive information from other web applications such as - session IDs to the web application. +This issue only affects users running untrusted web applications under a + security manager. + + +The internal StatusManagerServlet could be loaded by a malicious web + application when a security manager was configured. This servlet could + then provide the malicious web application with a list of all deployed + applications and a list of the HTTP request lines for all requests + currently being processed. This could have exposed sensitive information + from other web applications, such as session IDs, to the web + application. This was fixed in revision http://svn.apache.org/viewvc?view=revrev=1722802;>1722802. @@ -434,6 +443,10 @@ +This issue only affects users running untrusted web applications under a + security manager. + + Tomcat provides several session persistence mechanisms. The StandardManager persists session over a restart. The PersistentManager is able to persist sessions to files, a Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1731638=1731637=1731638=diff == --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Mon Feb 22 13:18:59 2016 
@@ -398,15 +398,18 @@ -Low: CSRF token leak +Moderate: CSRF token leak http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351; rel="nofollow">CVE-2015-5351 The index page of the Manager and Host Manager applications included a valid CSRF token when issuing a redirect as a result of an - unauthenticated request to the root of the web application. This token - could then be used by an attacker to construct a CSRF attack. + unauthenticated request to the root of the web application. If an + attacker had access to the Manager or Host Manager applications + (typically these applications are only accessible to internal users, not + exposed to the Internet), this token could then be used by the attacker + to construct a CSRF attack. This was fixed in revisions http://svn.apache.org/viewvc?view=revrev=1720661;>1720661 and @@ -426,12 +429,17 @@ -The StatusManagerServlet could be loaded by a web application when a - security manager was configured. This servlet would then provide the web - application with a list of all deployed applications and a list of the - HTTP request lines for all requests currently being processed. This could - have exposed sensitive information from other web applications such as - session IDs to the web application. +This issue only affects users running untrusted web applications under a + security manager. + + +The internal StatusManagerServlet could be loaded by a malicious web + application when a security manager was configured. This servlet could + then provide the malicious web application with a list of all deployed + applications and a list of the HTTP request lines for all requests + currently being processed. This could have
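Review bot: the CVE-2015-5351 entry in security-7.html changes its rating from Low to Moderate while the sentence added beside it only describes a mitigating condition (Manager and Host Manager are typically internal-only); the commit log ("Improve descriptions") does not mention a rating change, so either the log should say the severity was revised or the rating change should be its own commit so it is visible in the history. The extract ends before security-8.html and security-9.html, so confirm the same rating is applied there and in the xdocs sources.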
svn commit: r1731632 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/s
Author: markt Date: Mon Feb 22 12:30:11 2016 New Revision: 1731632 URL: http://svn.apache.org/viewvc?rev=1731632=rev Log: Fix typo Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1731632=1731631=1731632=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Mon Feb 22 12:30:11 2016 @@ -381,7 +381,7 @@ The solution was to implement the redirect in the DefaultServlet so that any security constraints and/or security enforcing Filters were processed before the redirect. The Tomcat team recognised that moving the redirect - could cause regressions to two new Context configuration options + could cause regressions so two new Context configuration options (mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled) were introduced. The initial default was false for both since this was more secure. Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1731632=1731631=1731632=diff == --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Mon Feb 22 12:30:11 2016 
@@ -374,7 +374,7 @@ The solution was to implement the redirect in the DefaultServlet so that any security constraints and/or security enforcing Filters were processed before the redirect. The Tomcat team recognised that moving the redirect - could cause regressions to two new Context configuration options + could cause regressions so two new Context configuration options (mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled) were introduced. The initial default was false for both since this was more secure. Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1731632=1731631=1731632=diff == --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Mon Feb 22 12:30:11 2016 @@ -465,7 +465,7 @@ The solution was to implement the redirect in the DefaultServlet so that any security constraints and/or security enforcing Filters were processed before the redirect. The Tomcat team recognised that moving the redirect - could cause regressions to two new Context configuration options + could cause regressions so two new Context configuration options (mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled) were introduced. The initial default was false for both since this was more secure. Modified: tomcat/site/trunk/docs/security-9.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1731632=1731631=1731632=diff == --- tomcat/site/trunk/docs/security-9.html (original) +++ tomcat/site/trunk/docs/security-9.html Mon Feb 22 12:30:11 2016 
@@ -324,7 +324,7 @@ The solution was to implement the redirect in the DefaultServlet so that any security constraints and/or security enforcing Filters were processed before the redirect. The Tomcat team recognised that moving the redirect - could cause regressions to two new Context configuration options + could cause regressions so two new Context configuration options (mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled) were introduced. The initial default was false for both since this was more secure. Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1731632=1731631=1731632=diff == --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Mon Feb 22 12:30:11 2016 @@ -87,7 +87,7 @@ The solution was to implement the redirect in the DefaultServlet so that any security constraints and/or security enforcing Filters were processed before the redirect. The Tomcat team recognised that moving the redirect - could cause regressions to two new Context configuration options + could cause regressions so two new Context
svn propchange: r1725931 - svn:log
Author: markt Revision: 1725931 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:19:25 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:19:25 2016 @@ -1 +1,2 @@ Protect initialization of ResourceLinkFactory when running with a SecurityManager. +This is the fix for CVE-2016-0763 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1727182 - svn:log
Author: markt Revision: 1727182 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:18:21 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:18:21 2016 @@ -1,2 +1,3 @@ When using the new sessionAttributeValueClassNameFilter, apply the filter earlier rather than loading the class and then deciding to filter it out. When a SecurityManager is used, enable filtering by default. +This is part 2 of 2 of the fix for CVE-2016-0714 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1725929 - svn:log
Author: markt Revision: 1725929 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:19:12 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:19:12 2016 @@ -1 +1,2 @@ Protect initialization of ResourceLinkFactory when running with a SecurityManager. +This is the fix for CVE-2016-0763 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1727034 - svn:log
Author: markt Revision: 1727034 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:17:33 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:17:33 2016 @@ -1,2 +1,3 @@ When using the new sessionAttributeValueClassNameFilter, apply the filter earlier rather than loading the class and then deciding to filter it out. When a SecurityManager is used, enable filtering by default. +This is part 1 of 2 of the fix for CVE-2016-0714 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1725914 - svn:log
Author: markt Revision: 1725914 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:16:23 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:16:23 2016 @@ -1,2 +1,3 @@ When using the new sessionAttributeValueClassNameFilter, apply the filter earlier rather than loading the class and then deciding to filter it out. When a SecurityManager is used, enable filtering by default. +This is part 2 of 2 of the fix for CVE-2016-0714
svn propchange: r1727034 - svn:log
Author: markt Revision: 1727034 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:17:47 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:17:47 2016 @@ -1,3 +1,3 @@ When using the new sessionAttributeValueClassNameFilter, apply the filter earlier rather than loading the class and then deciding to filter it out. When a SecurityManager is used, enable filtering by default. -This is part 1 of 2 of the fix for CVE-2016-0714 +This is part 2 of 2 of the fix for CVE-2016-0714
svn propchange: r1726923 - svn:log
Author: markt Revision: 1726923 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:17:12 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:17:12 2016 @@ -2,3 +2,4 @@ Expand the session attribute filtering o - new option to filter based on implementation class of value - new option to log a warning message if an attribute is filtered out - always log a message at at least debug level if an attribute is filtered out +This is part 1 of 2 of the fix for CVE-2016-0714
svn propchange: r1726196 - svn:log
Author: markt Revision: 1726196 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:16:40 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:16:40 2016 @@ -2,3 +2,4 @@ Expand the session attribute filtering o - new option to filter based on implementation class of value - new option to log a warning message if an attribute is filtered out - always log a message at at least debug level if an attribute is filtered out +This is part 1 of 2 of the fix for CVE-2016-0714
svn propchange: r1725926 - svn:log
Author: markt Revision: 1725926 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:18:56 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:18:56 2016 @@ -1 +1,2 @@ Protect initialization of ResourceLinkFactory when running with a SecurityManager. +This is the fix for CVE-2016-0763
svn propchange: r1726203 - svn:log
Author: markt Revision: 1726203 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:16:57 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:16:57 2016 @@ -1,2 +1,3 @@ When using the new sessionAttributeValueClassNameFilter, apply the filter earlier rather than loading the class and then deciding to filter it out. When a SecurityManager is used, enable filtering by default. +This is part 2 of 2 of the fix for CVE-2016-0714
svn propchange: r1727166 - svn:log
Author: markt Revision: 1727166 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:18:05 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:18:05 2016 @@ -2,3 +2,4 @@ Expand the session attribute filtering o - new option to filter based on implementation class of value - new option to log a warning message if an attribute is filtered out - always log a message at at least debug level if an attribute is filtered out +This is part 1 of 2 of the fix for CVE-2016-0714
svn propchange: r1725263 - svn:log
Author: markt Revision: 1725263 Modified property: svn:log Modified: svn:log at Mon Feb 22 12:16:05 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 12:16:05 2016 @@ -2,3 +2,4 @@ Expand the session attribute filtering o - new option to filter based on implementation class of value - new option to log a warning message if an attribute is filtered out - always log a message at at least debug level if an attribute is filtered out +This is part 1 of 2 of the fix for CVE-2016-0714
Re: [SECURITY] CVE-2015-5345 Apache Tomcat Directory disclosure
On 22 February 2016 at 11:23, Mark Thomas wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> CVE-2015-5345 Apache Tomcat Directory disclosure
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - - Apache Tomcat 6.0.0 to 6.0.44
> - - Apache Tomcat 7.0.0 to 7.0.66
> - - Apache Tomcat 8.0.0.RC1 to 8.0.29
> - - Apache Tomcat 9.0.0.M1
> - - Earlier, unsupported Tomcat versions may be affected
>
> Description:
> When accessing a directory protected by a security constraint with a URL
> that did not end in a slash, Tomcat would redirect to the URL with the
> trailing slash thereby confirming the presence of the directory before
> processing the security constraint. It was therefore possible for a user
> to determine if a directory existed or not, even if the user was not
> permitted to view the directory. The issue also occurred at the root of
> a web application in which case the presence of the web application was
> confirmed, even if a user did not have access.
>
> The solution was to implement the redirect in the DefaultServlet so that
> any security constraints and/or security enforcing Filters were
> processed before the redirect. The Tomcat team recognised that moving
> the redirect could cause regressions to two new Context configuration

s/to two/so two/ ?

> options (mapperContextRootRedirectEnabled and
> mapperDirectoryRedirectEnabled) were introduced. The initial default was
> false for both since this was more secure. However, due to regressions
> such as Bug 58765 [1] the default for mapperContextRootRedirectEnabled
> was later changed to true since it was viewed that the regression was
> more serious than the security risk of associated with being able to
> determine if a web application was deployed at a given path.
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations
> - - Upgrade to Apache Tomcat 9.0.0.M3 or later
>   (9.0.0.M2 has the fix but was not released)
> - - Upgrade to Apache Tomcat 8.0.30 or later
> - - Upgrade to Apache Tomcat 7.0.67 or later
> - - Upgrade to Apache Tomcat 6.0.45 or later
>
> Credit:
> This issue was discovered by Mark Koek of QCSec.
>
> References:
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58765
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
> [4] http://tomcat.apache.org/security-7.html
> [5] http://tomcat.apache.org/security-6.html
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJWyu+lAAoJEBDAHFovYFnnFrYP+wZwqPsP6vtAn4VrIslTxrkO
> A31WCsXwnvggSIBLdITCwpJFywqPfpurFhce38Chgznli9E46Pr6dukTC56NhjmB
> Cv7+PTdpJxM3vKFw+OlLrfIrxEFtHbYOTI6q7NgjfVjdbG9LbVgG3JRTmf3tT+GN
> DU165VK7TxvBj68ll05gLECgAtrGFAEQl+51VlfWRZw8wXGFni2X43kEwUpihgHj
> Ci4W1+sBUln0ww+aKa6sRpJTi/s3tKPWckjMY//bDIMfd4gdK7N6CJSrRMbj6Gsw
> gfm1ixWlJJPKVvokH08NKvxcpwvRX4D1RD80WkaCrC7WMKzK8ohmhxxhIDXHmPE8
> kibaJuy1WqQG+G/H00LTGpGkeevyg4/mH2hDxDbDJ5ye1RMA9GsKFC1YpDzugTxO
> zr9lX9QRWpPNEJDXSipdjs27p8hcF+vgwI5eVd5R721wpv17IEg0Lsy4zvvswFik
> t3rIj6wwVYHFoMNpwA/sojaRTGb62nqGREYiGMX4fPPd2OCtl1J4I8oZ3x4Q2gkJ
> WRX98z6a04zMisiGNeTjl7ZkgEjNNW8/XG4J5sFmgSo5p2XwBCINLyWfnYiQporj
> Ym0Ig9k8t5BHntgkP02a+CF9GScdkxNq8UC8Ad2oAHBqOEXd/9DHv80fA7ApvG7e
> HnSzWGDdd63z0ixY0g2I
> =6UrH
> -----END PGP SIGNATURE-----
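The ordering problem the advisory describes, written out as an added Java example (not Tomcat's code and not part of the advisory): a toy request pipeline in which the trailing-slash redirect runs before the security constraint, as the Mapper did before the fix, beside one in which it runs after, as the DefaultServlet does after the fix. The directory set, the prefix-based constraint on the constructed application "/app", the `BiFunction` pipeline type and the status codes are all constructed for the demonstration.

```java
import java.util.Set;
import java.util.function.BiFunction;

/**
 * Toy model of the two redirect placements described in the CVE-2015-5345
 * advisory. The directory set, the constraint and the status codes are
 * constructed for this demonstration; none of this is Tomcat code.
 */
public final class TrailingSlashRedirectDemo {

    /** Directories that exist in the constructed web application "/app". */
    private static final Set<String> DIRECTORIES = Set.of("/app", "/app/reports");

    /** A security constraint covering the whole application: anonymous callers are denied. */
    private static final String PROTECTED_PREFIX = "/app";

    private static boolean constraintDenies(String path, boolean authenticated) {
        return !authenticated && path.startsWith(PROTECTED_PREFIX);
    }

    private static String withoutTrailingSlash(String path) {
        return path.length() > 1 && path.endsWith("/") ? path.substring(0, path.length() - 1) : path;
    }

    /** Pre-fix placement: the mapper issues the redirect before the constraint is evaluated. */
    static int mapperRedirectsFirst(String path, boolean authenticated) {
        if (!path.endsWith("/") && DIRECTORIES.contains(path)) {
            return 302; // the directory's existence is confirmed to anyone who asks
        }
        if (constraintDenies(path, authenticated)) {
            return 403;
        }
        return DIRECTORIES.contains(withoutTrailingSlash(path)) ? 200 : 404;
    }

    /** Fixed placement: the constraint (and any security Filters) run first, then the servlet redirects. */
    static int constraintRunsFirst(String path, boolean authenticated) {
        if (constraintDenies(path, authenticated)) {
            return 403; // same answer whether or not the directory exists
        }
        if (!path.endsWith("/") && DIRECTORIES.contains(path)) {
            return 302;
        }
        return DIRECTORIES.contains(withoutTrailingSlash(path)) ? 200 : 404;
    }

    /**
     * Existence-oracle check: does an anonymous client receive different
     * responses for an existing and a missing directory under the constraint?
     */
    static boolean leaksExistence(BiFunction<String, Boolean, Integer> pipeline) {
        int existing = pipeline.apply("/app/reports", false);
        int missing = pipeline.apply("/app/nothing", false);
        return existing != missing;
    }

    public static void main(String[] args) {
        System.out.println("redirect before constraint leaks existence: "
                + leaksExistence(TrailingSlashRedirectDemo::mapperRedirectsFirst));
        System.out.println("constraint before redirect leaks existence: "
                + leaksExistence(TrailingSlashRedirectDemo::constraintRunsFirst));
        // The context-root case from the advisory: an anonymous request for "/app" itself.
        System.out.println("anonymous /app with redirect first:   " + mapperRedirectsFirst("/app", false));
        System.out.println("anonymous /app with constraint first: " + constraintRunsFirst("/app", false));
        // Authenticated callers keep the convenience redirect after the fix.
        System.out.println("authenticated /app with constraint first: " + constraintRunsFirst("/app", true));
    }
}
```

Run it with `java TrailingSlashRedirectDemo.java` on Java 11 or later. The point the model makes is that the redirect is only safe once every component that can deny the request has already run; the same reasoning applies to any early short-circuit (caching layers, rewrite rules, reverse-proxy redirects) placed in front of an authorization check, which is why the advisory text mentions security-enforcing Filters alongside constraints.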
svn commit: r1731628 - in /tomcat/site/trunk: docs/security-7.html xdocs/security-7.xml
Author: markt
Date: Mon Feb 22 12:11:07 2016
New Revision: 1731628

URL: http://svn.apache.org/viewvc?rev=1731628&view=rev
Log:
Correction. The regressions in the original fix for CVE-2015-5345 were not addressed until 7.0.68

Modified:
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1731628&r1=1731627&r2=1731628&view=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Feb 22 12:11:07 2016
@@ -356,6 +356,48 @@ +Low: Directory disclosure + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345; rel="nofollow">CVE-2015-5345 + + + +When accessing a directory protected by a security constraint with a URL + that did not end in a slash, Tomcat would redirect to the URL with the + trailing slash thereby confirming the presence of the directory before + processing the security constraint. It was therefore possible for a user + to determine if a directory existed or not, even if the user was not + permitted to view the directory. The issue also occurred at the root of a + web application in which case the presence of the web application was + confirmed, even if a user did not have access. + + +The solution was to implement the redirect in the DefaultServlet so that + any security constraints and/or security enforcing Filters were processed + before the redirect. The Tomcat team recognised that moving the redirect + could cause regressions to two new Context configuration options + (mapperContextRootRedirectEnabled and + mapperDirectoryRedirectEnabled) were introduced. The initial + default was false for both since this was more secure. + However, due to regressions such as + https://bz.apache.org/bugzilla/show_bug.cgi?id=58765;>Bug + 58765 the default for mapperContextRootRedirectEnabled + was later changed to true since it was viewed that the regression was + more serious than the security risk of associated with being able to + determine if a web application was deployed at a given path. + + +This was fixed in revisions http://svn.apache.org/viewvc?view=revrev=1715213;>1715213 and + http://svn.apache.org/viewvc?view=revrev=1717212;>1717212. + + +This issue was identified by Mark Koek of QCSec on 12 October 2015 and +made public on 22 February 2016. + + +Affects: 7.0.0 to 7.0.67 + + + Low: CSRF token leak http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351; rel="nofollow">CVE-2015-5351 
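Review bot: the entry moved into the 7.0.68 section differs from the removed copy only in "Affects: 7.0.0 to 7.0.67" (was "7.0.0 to 7.0.66"); the sentence "This was fixed in revisions 1715213 and 1717212" is carried over unchanged, so the page still cites only the revisions that went into 7.0.67 and gives readers no pointer to the change that addressed the regressions named in the log message. Consider adding the 7.0.68 revision to that sentence, or a short note that the cited revisions were completed by a later fix for Bug 58765.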
@@ -461,48 +503,6 @@ 10 December 2015 Fixed in Apache Tomcat 7.0.67 - - -Low: Directory disclosure - http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345; rel="nofollow">CVE-2015-5345 - - - -When accessing a directory protected by a security constraint with a URL - that did not end in a slash, Tomcat would redirect to the URL with the - trailing slash thereby confirming the presence of the directory before - processing the security constraint. It was therefore possible for a user - to determine if a directory existed or not, even if the user was not - permitted to view the directory. The issue also occurred at the root of a - web application in which case the presence of the web application was - confirmed, even if a user did not have access. - - -The solution was to implement the redirect in the DefaultServlet so that - any security constraints and/or security enforcing Filters were processed - before the redirect. The Tomcat team recognised that moving the redirect - could cause regressions to two new Context configuration options - (mapperContextRootRedirectEnabled and - mapperDirectoryRedirectEnabled) were introduced. The initial - default was false for both since this was more secure. - However, due to regressions such as - https://bz.apache.org/bugzilla/show_bug.cgi?id=58765;>Bug - 58765 the default for mapperContextRootRedirectEnabled - was later changed to true since it was viewed that the regression was - more serious than the security risk of associated with being able to - determine if a web application was deployed at a given path. - - -This was fixed in revisions http://svn.apache.org/viewvc?view=revrev=1715213;>1715213 and - http://svn.apache.org/viewvc?view=revrev=1717212;>1717212. - - -This issue was identified by Mark Koek of QCSec on 12 October 2015 and -made public on 22 February 2016. - - -Affects: 7.0.0 to 7.0.66 - Note: The issue below was fixed in Apache Tomcat 7.0.66 but the Modified: tomcat/site/trunk/xdocs/security-7.xml URL:
svn propchange: r1720652 - svn:log
Author: markt Revision: 1720652 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:56:45 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:56:45 2016 @@ -1 +1,2 @@ Don't create session unnecessarily in the Manager application. +This is part 1 of 2 of the fix for CVE-2015-5351
svn propchange: r1722800 - svn:log
Author: markt Revision: 1722800 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:59:16 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:59:16 2016 @@ -1 +1,2 @@ Add the StatusManagerServlet to the list of Servlets that can only be loaded by privileged applications. +This is the fix for CVE-2016-0706
svn propchange: r1722802 - svn:log
Author: markt Revision: 1722802 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:59:41 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:59:41 2016 @@ -1 +1,2 @@ Add the StatusManagerServlet to the list of Servlets that can only be loaded by privileged applications. +This is the fix for CVE-2016-0706
svn propchange: r1722801 - svn:log
Author: markt Revision: 1722801 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:59:27 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:59:27 2016 @@ -1 +1,2 @@ Add the StatusManagerServlet to the list of Servlets that can only be loaded by privileged applications. +This is the fix for CVE-2016-0706
svn propchange: r1720663 - svn:log
Author: markt Revision: 1720663 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:57:56 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:57:56 2016 @@ -1 +1,2 @@ Don't create sessions unnecessarily in the Host Manager application. +This is part 2 of 2 of the fix for CVE-2015-5351
svn propchange: r1722799 - svn:log
Author: markt Revision: 1722799 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:59:03 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:59:03 2016 @@ -1 +1,2 @@ Add the StatusManagerServlet to the list of Servlets that can only be loaded by privileged applications. +This is the fix for CVE-2016-0706
svn propchange: r1720661 - svn:log
Author: markt Revision: 1720661 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:57:44 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:57:44 2016 @@ -1 +1,2 @@ Don't create sessions unnecessarily in the Manager application. +This is part 1 of 2 of the fix for CVE-2015-5351
svn propchange: r1720655 - svn:log
Author: markt Revision: 1720655 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:57:00 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:57:00 2016 @@ -1 +1,2 @@ -Don't create session unnecessarily in the Host Manager application. +Don't create session unnecessarily in the Host Manager application +This is part 2 of 2 of the fix for CVE-2015-5351
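Review bot: the rewritten first line drops the trailing full stop ("-Don't create session unnecessarily in the Host Manager application." becomes "+Don't create session unnecessarily in the Host Manager application"); every other property change on this page leaves the original message untouched and only appends the CVE line, so the period should be kept here too.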
[Bug 58486] JreMemoryLeakPreventionListener: initialize two further JRE classes
https://bz.apache.org/bugzilla/show_bug.cgi?id=58486

--- Comment #5 from Luke Woodward ---
I have a bug number for the report now: JDK-8146961.
svn propchange: r1713184 - svn:log
Author: markt Revision: 1713184 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:52:44 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:52:44 2016 @@ -1 +1,2 @@ Handle the unlikely case where different versions of a web application are deployed with different session settings +This is part 1 of 2 of the fix for CVE-2015-5346
svn propchange: r1720658 - svn:log
Author: markt Revision: 1720658 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:57:14 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:57:14 2016 @@ -1 +1,2 @@ Don't create sessions unnecessarily in the Manager application. +This is part 1 of 2 of the fix for CVE-2015-5351
svn propchange: r1713187 - svn:log
Author: markt Revision: 1713187 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:53:56 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:53:56 2016 @@ -1 +1,2 @@ Handle the unlikely case where different versions of a web application are deployed with different session settings +This is the fix for CVE-2015-5346
svn propchange: r1720660 - svn:log
Author: markt Revision: 1720660 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:57:28 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:57:28 2016 @@ -1 +1,2 @@ Don't create sessions unnecessarily in the Host Manager application. +This is part 2 of 2 of the fix for CVE-2015-5351
svn propchange: r1713185 - svn:log
Author: markt Revision: 1713185 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:53:20 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:53:20 2016 @@ -1 +1,2 @@ Handle the unlikely case where different versions of a web application are deployed with different session settings +This is part 1 of 2 of the fix for CVE-2015-5346
svn propchange: r1723414 - svn:log
Author: markt Revision: 1723414 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:53:03 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:53:03 2016 @@ -1,2 +1,3 @@ Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58809 Correctly recycle the cookies when mapping requests for parallel deployment +This is part 2 of 2 of the fix for CVE-2015-5346
svn propchange: r1723506 - svn:log
Author: markt Revision: 1723506 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:53:36 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:53:36 2016 @@ -1,2 +1,3 @@ Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58809 Correctly recycle the cookies when mapping requests for parallel deployment +This is part 2 of 2 of the fix for CVE-2015-5346
svn propchange: r1717216 - svn:log
Author: markt Revision: 1717216 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:46:34 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:46:34 2016 @@ -3,3 +3,4 @@ With mapperContextRootRedirectEnabled st - Ensure the Mapper does not add the '/' handling the redirect - Handle the redirect in the DefaultServlet - Add a redirect to FORM auth if auth is occurring at the context root else the login page could be submitted to the wrong web application +This is part 2 of 2 of the fix for CVE-2015-5345
svn propchange: r1715216 - svn:log
Author: markt Revision: 1715216 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:46:18 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:46:18 2016 @@ -1 +1,2 @@ Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. +This is part 1 of 2 of the fix for CVE-2015-5345
svn propchange: r1717212 - svn:log
Author: markt Revision: 1717212 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:46:02 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:46:02 2016 @@ -3,3 +3,4 @@ With mapperContextRootRedirectEnabled st - Ensure the Mapper does not add the '/' handling the redirect - Handle the redirect in the DefaultServlet - Add a redirect to FORM auth if auth is occurring at the context root else the login page could be submitted to the wrong web application +This is part 2 of 2 of the fix for CVE-2015-5345
svn propchange: r1715213 - svn:log
Author: markt Revision: 1715213 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:45:32 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:45:32 2016 @@ -1 +1,2 @@ Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. +This is part 1 of 2 of the fix for CVE-2015-5345
svn propchange: r1717209 - svn:log
Author: markt Revision: 1717209 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:45:04 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:45:04 2016 @@ -3,3 +3,4 @@ With mapperContextRootRedirectEnabled st - Ensure the Mapper does not add the '/' handling the redirect - Handle the redirect in the DefaultServlet - Add a redirect to FORM auth if auth is occurring at the context root else the login page could be submitted to the wrong web application +This is part 2 of 2 of the fix for CVE-2015-5345
svn propchange: r1716894 - svn:log
Author: markt Revision: 1716894 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:43:59 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:43:59 2016 @@ -1,2 +1,3 @@ Additional fix for BZ 58660 When Mapper root redirect is enabled, ensure '/' is added to path for redirect +This is part 3 of 3 of the fix for CVE-2015-5345
svn propchange: r1716882 - svn:log
Author: markt Revision: 1716882 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:43:40 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:43:40 2016 @@ -3,3 +3,4 @@ With mapperContextRootRedirectEnabled st - Ensure the Mapper does not add the '/' - Handle the redirect in the DefaultServlet - Add a redirect to FORM auth if auth is occurring at the context root else the login page could be submitted to the wrong web application +This is part 2 of 3 of the fix for CVE-2015-5345
svn propchange: r1715207 - svn:log
Author: markt Revision: 1715207 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:44:21 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:44:21 2016 @@ -1 +1,2 @@ Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. +This is part 1 of 2 of the fix for CVE-2015-5345
svn propchange: r1715206 - svn:log
Author: markt Revision: 1715206 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:43:22 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:43:22 2016 @@ -1 +1,2 @@ Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. +This is part 1 of 3 of the fix for CVE-2015-5345
svn propchange: r1700900 - svn:log
Author: markt Revision: 1700900 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:41:11 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:41:11 2016 @@ -1 +1 @@ -Update proposal +This is the fix for CVE-2015-5174
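Review bot: unlike every other property change on this page, this one replaces the whole log message ("-Update proposal" / "+This is the fix for CVE-2015-5174") instead of appending a CVE line, so the original wording disappears from the history; if "Update proposal" was itself a mis-pasted message for this revision the replacement is fine, otherwise keep the original line and append the CVE reference as the other changes do.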
svn propchange: r1696281 - svn:log
Author: markt Revision: 1696281 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:39:48 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:39:48 2016 @@ -1,3 +1,4 @@ Fix Javadoc Separate test cases into separate test methods and add some additional tests. Clean up the code and fix a couple of edge cases +This is part 1 of 2 of the fix for CVE-2015-5174
svn propchange: r1700897 - svn:log
Author: markt Revision: 1700897 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:40:06 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:40:06 2016 @@ -1 +1,2 @@ More normalization edge cases +This is part 2 of 2 of the fix for CVE-2015-5174
svn propchange: r1700898 - svn:log
Author: markt Revision: 1700898 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:40:42 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:40:42 2016 @@ -1 +1,2 @@ More normalization edge cases +This is part 2 of 2 of the fix for CVE-2015-5174
svn propchange: r1696284 - svn:log
Author: markt Revision: 1696284 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:40:24 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:40:24 2016 @@ -1,3 +1,4 @@ Fix Javadoc Separate test cases into separate test methods and add some additional tests. Clean up the code and fix a couple of edge cases +This is part 1 of 2 of the fix for CVE-2015-5174
svn propchange: r1700896 - svn:log
Author: markt Revision: 1700896 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:39:25 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:39:25 2016 @@ -1 +1,2 @@ More normalization edge cases +This is part 2 of 2 of the fix for CVE-2015-5174
svn propchange: r1696280 - svn:log
Author: markt Revision: 1696280 Modified property: svn:log Modified: svn:log at Mon Feb 22 11:39:06 2016 -- --- svn:log (original) +++ svn:log Mon Feb 22 11:39:06 2016 @@ -1,3 +1,4 @@ Fix Javadoc Separate test cases into separate test methods and add some additional tests. Clean up the code and fix a couple of edge cases +This is part 1 of 2 of the fix for CVE-2015-5174
[SECURITY] CVE-2015-5346 Apache Tomcat Session fixation
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2015-5346 Apache Tomcat Session fixation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 7.0.5 to 7.0.65
- - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - Apache Tomcat 9.0.0.M1

Description:
When recycling the Request object to use for a new request, the
requestedSessionSSL field was not recycled. This meant that a session ID
provided in the next request to be processed using the recycled Request
object could be used when it should not have been. This gave the client
the ability to control the session ID. In theory, this could have been
used as part of a session fixation attack but it would have been hard to
achieve as the attacker would not have been able to force the victim to
use the 'correct' Request object. It was also necessary for at least one
web application to be configured to use the SSL session ID as the HTTP
session ID. This is not a common configuration.

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- - Upgrade to Apache Tomcat 8.0.30 or later
- - Upgrade to Apache Tomcat 7.0.67 or later
  (7.0.66 has the fix but was not released)

Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu+WAAoJEBDAHFovYFnnNasQANmHvs8L9RvbPSPvmR8sT9rc
nfoC64cVqVFx6G99+iskQ4SKL00zZk10gCNKvwu6aBW8Dv7U+sqoo09vtIVJ9qvD
9qBIaZMfnqMxMaHtonUj8E1/9GryquYNj7pWMf0tut2/RIvQq8/1tAtTgrzjVXG2
qtpB/ECBHQ53tJuPxRDakgav17Ok90DbAO4rsSdmCUwUg8NEYieNb6RG4eRSvuav
ffE2zaicXIHWLdnVEMpOWtum76+GMfS5B+zd03/OQmiJy+arVvGwyrn1ydKZI1JI
7gQT97SgLlI3iGtK3tc4S56tNQ9+K2oMp2B0qAceNG9MWimED9sC1aXoAARacoYI
c+cZdnhiRxsYycEdTXbNqhat+se6vKeXqgrsrr3CbNmaNl6siRZD/d+9PbmXh+0z
hHSC9tmG5ZAO3vS4wwHX+9qZlfdcQ2zAZnAnRZKtuRMgDphP+wszain4p+U82TV9
eshrfHzzN4R0kuBWXkl4Pf4KQd+ZCVmp8efXFcyXK2fV7FUmLRvwtZ43EPa77tRI
egiZcN/WEqGHODKNr/AGQYuiuEU7gm3hqnJlgDLpPzKF2ptkLcEh9/HYcW9yI1Kf
x+fKtcfr6jGjJRxFw5PRsHEO8ToE8w38mPmeLzQH3WRcoc+g5+BinbIe/fwMsVPM
cAK/Ln4UhXIcIM1f7h5M
=is2n
-----END PGP SIGNATURE-----
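The recycling defect the advisory describes, modelled as an added Java example (not Tomcat's Request class and not from the advisory): a pooled request object whose `recycle()` forgets the SSL flag, beside one that resets every per-request field, run through a session lookup that trusts an SSL-derived id. The class names, the field names (taken from the advisory's description), the in-memory session set and the constructed session ids are all assumptions made for the demonstration; the lookup rule is a simplification of what the advisory describes, not Tomcat's code.

```java
import java.util.HashSet;
import java.util.Set;
import java.util.UUID;

/**
 * Toy model of the CVE-2015-5346 recycling bug. Constructed for this
 * demonstration; the shapes are modelled on the advisory text, not on Tomcat.
 */
public final class RequestRecycleDemo {

    /** Minimal pooled request with the two session-id fields the advisory mentions. */
    abstract static class PooledRequest {
        String requestedSessionId;   // id supplied by the client (cookie or SSL session)
        boolean requestedSessionSSL; // true only when the id was taken from the SSL session

        /** Reset before the object is reused for the next request on the connection. */
        abstract void recycle();
    }

    /** Pre-fix behaviour: recycle() resets the id but forgets the SSL flag. */
    static final class VulnerableRequest extends PooledRequest {
        @Override
        void recycle() {
            requestedSessionId = null;
        }
    }

    /** Fixed behaviour: every per-request field is reset. */
    static final class FixedRequest extends PooledRequest {
        @Override
        void recycle() {
            requestedSessionId = null;
            requestedSessionSSL = false;
        }
    }

    /** Constructed stand-in for the session manager's table of known sessions. */
    private final Set<String> sessions = new HashSet<>();

    /** Parse step: an SSL-derived id is flagged as such, a cookie id is not. */
    static void parseSessionId(PooledRequest req, String sslSessionId, String cookieSessionId) {
        if (sslSessionId != null) {
            req.requestedSessionId = sslSessionId;
            req.requestedSessionSSL = true;
        } else if (cookieSessionId != null) {
            req.requestedSessionId = cookieSessionId;
        }
    }

    /**
     * Lookup rule modelled on the advisory: an unknown id that is flagged as
     * SSL-derived becomes the id of the new session; any other unknown id is
     * replaced by a server-generated one.
     */
    String getOrCreateSession(PooledRequest req) {
        if (req.requestedSessionId != null && sessions.contains(req.requestedSessionId)) {
            return req.requestedSessionId;
        }
        String id = req.requestedSessionSSL ? req.requestedSessionId : UUID.randomUUID().toString();
        sessions.add(id);
        return id;
    }

    /**
     * Serves one SSL-session request, recycles the object, then serves a request
     * that carries only a client-chosen cookie id. Returns true when that
     * client-chosen value became the session id, i.e. the client controlled it.
     */
    static boolean clientControlsSessionId(PooledRequest req) {
        RequestRecycleDemo manager = new RequestRecycleDemo();
        parseSessionId(req, "ssl-session-0001", null);   // constructed SSL session id
        manager.getOrCreateSession(req);
        req.recycle();
        parseSessionId(req, null, "client-chosen-id");   // constructed cookie value
        return "client-chosen-id".equals(manager.getOrCreateSession(req));
    }

    public static void main(String[] args) {
        System.out.println("vulnerable recycle, client controls session id: "
                + clientControlsSessionId(new VulnerableRequest()));
        System.out.println("fixed recycle, client controls session id:      "
                + clientControlsSessionId(new FixedRequest()));
    }
}
```

The model collapses the request pool to a single object, which is what makes the outcome deterministic; the advisory's point that an attacker could not force a victim onto the "correct" Request object is exactly the part this simplification removes, and it is why the issue was rated Low. The general lesson is the one to take away: every field that influences an authorization or identity decision must be on the recycle list, and a test that serves two requests through one pooled object, with the second one deliberately carrying a client-chosen id, catches this class of omission.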
[SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2016-0763 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1 to 9.0.0.M2

Description:
ResourceLinkFactory.setGlobalContext() is a public method and was accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M3 or later
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by The Apache Tomcat Security Team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu+yAAoJEBDAHFovYFnnPIgP/j9nli2IrsZEyhDyJ6XqAcg9
AisYAv7iSQ63zLe27CERDdOS9BBFI9j+MwkabF0FzmTGxugLyRwpKLt8Y3BV/723
Jwgds8phJcOm5oouzblUBfx/HdFDRI8+J6q7CNoSh61yXatuKRe5upc51W9G8/Vd
YS6b5XNqavBgvkQZudITIsr4N9vqxb+QVS9iMJfrACikgeq6QR6rwkJWAEcUYHrn
RESKuCTPzw8yf1Q1C8Ar9BUdSx8MRFDHfV8stKmjQWslud0EOP5bObWXBsv9vrQ7
XNKVKA69Hp1Kk++ORHUPnv6B2bCRsD5mZmBwqcvi6jVMuVMKaiLgCqJqfXcJEb4+
D86kjsBCQchGWSsFEwzmoQI++wW60Mn5QRlibF90LHAJLfZLo+cCsOUZABqgv3+j
xwA6HpR5ToMepO5CNcL76wDoBJDEPRXjIuVY6RhWnS7UXi4kuqp/qxtWBifn07X/
Ncbm5TWhf4ESnS5YOPMNefA5aDQJKRclymyXB37VxMwHdJ/zkY8uV48SeG9ACHNt
KBaXiS7FiNKLWqbzZijsXM2a40benXn6ocxStyApF7h15k/8/pyyq4DC55TBMitK
/L+RHHp9RAS+wP98xyYpFnuVI8/LkHSJwnLvTURDQlr1Fi/AJ5YIB+Y9GPE2sigA
90lXXPnmrbSsQR10jD/j
=5LII
-----END PGP SIGNATURE-----
[SECURITY] CVE-2015-5351 Apache Tomcat CSRF token leak
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2015-5351 Apache Tomcat CSRF token leak

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 7.0.1 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.31
- Apache Tomcat 9.0.0.M1

Description:
The index page of the Manager and Host Manager applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to construct a CSRF attack.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later

Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu97AAoJEBDAHFovYFnnkOkP/353AyMvuZvUHx7MJS6QmthF
ba5gOE0JprULz0VN9q6ilf1ZXE7myZiVxt0tWT9MvuQi+iMQUtarESxv/bnA1RSF
QsUoxgb4Wc6whrWIZUSXU9Vag5e7Ar/N3con0jzMLyopx0DBnOWNKQE/pp9Q6NPI
RRvOAWnq9nm3P9/D2x9AOl/LDaEFuPHW/GkfwuosNTLCRsWYqa1DN20cFnq/S8Iz
+jPpjkYsfIOoodLcX2t4B92alC3fRNPgG4Q8iuhwj3Umsw44D5/gdbmcEeEtqB4C
wYIQsyXdIA4JBSx44w8ihP+Z+pNt+MkxgXvhfGWu30JDELXRaXU0ItveeePTjRJR
u0jC09frTLKG7UnbVxitV7CgvMtEU6zGjaJsfEQcsES6q4s9qCzHCbp9alqQnW1i
5ZvabdyAkZVfdRsgurI6RAI1R/s2mWmXlIFjiKiYt3Qeyqkg5cFBNHctEw/DREiR
6GA6xmk06uKXUzv0SZUuvadWqkJ2JwVmd5Doe5IaoK4K069Ab5EJQSG1qQcXv6G2
LsYK4L9s+Zcp+m10unFX4v1CB8UnVPKw33intlvE7/6r0yBOaigtFHqV+ifuUdOO
bkENBx8Gp/HAx0VCpwhYP2AKkoSSqSOktsv/iBokWfIrsUG304uGoa3rWsAIcGCx
I/Yy6rJBLqfrQj4qFtc3
=bm3r
-----END PGP SIGNATURE-----
[SECURITY] CVE-2016-0706 Apache Tomcat Security Manager bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2016-0706 Apache Tomcat Security Manager bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1
- Earlier, unsupported Tomcat versions may be affected

Description:
The StatusManagerServlet could be loaded by a web application when a security manager was configured. This servlet would then provide the web application with a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. This could have exposed sensitive information from other web applications such as session IDs to the web application.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by The Apache Tomcat Security Team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu9qAAoJEBDAHFovYFnny/0P/0VtkiCt56FeS3I42BlvjAne
w/oqurmk/XoF/gof+VYxYuNOXMIwvgyGMjj21kZf+n2DjINXLHp9VFZ/APeSJ8kL
XcnTL1EBK1JBdxsieIhGAfLMeDO04wO3uuorJHwJIBbl4ymh7N4A2fgciKgCmNyB
y22TPT5Hz7iFCU8Ij6xsYJERpveUrenenAqbgjdcpILydbBoTqmZtZtWmPOFki90
cZo/2D0Av4H4SKh1PuCkzjk2DFXfyXcq+tDaX8dizPinQMQsbAX63BoYy5LrfWrJ
epgY9Q0QziOyp7b5Z72AjQ3RJR7yZS/iT3wb37jceI3Dq/mpkWFggqEGkSpFdGX7
AhoqVXjFw9eakjst0k5LZ29+dD8Fqz+2umXlRwelsxInLNgDk67Z2XehqkWWb85b
64PFh3ZYj/8CxxV6ErGq0bBhpCsNHZffEzOT/Ebldjn/afHajne3Yd9SZEbbZO3U
ejCSG2UziJ4t4mygnGyWaRCgKtjCrejzDZYicOICJEDE8enaPbNs0Ka8lR8fh21y
U3avzYIu7MosqvqoEAleMkjXySWSufqGF0ugbtsZx1lisl9Zax0LfXbq5sLmdNMS
fXhxu/1RfHfPS7NUP9YYs5OdWxCxecD/kiaxc3ArVVPdgAMSwlEyI59gSD/y7XPd
fitNMHbOMz6qG/uxVfH0
=6KO+
-----END PGP SIGNATURE-----
svn commit: r1731626 - in /tomcat/site/trunk: docs/index.html docs/security-6.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-6.xml xdocs/security-7.xml xdocs/securi
Author: markt Date: Mon Feb 22 11:21:42 2016 New Revision: 1731626 URL: http://svn.apache.org/viewvc?rev=1731626=rev Log: Announcements for 7 CVEs Modified: tomcat/site/trunk/docs/index.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/index.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1731626=1731625=1731626=diff == --- tomcat/site/trunk/docs/index.html (original) +++ tomcat/site/trunk/docs/index.html Mon Feb 22 11:21:42 2016 @@ -254,7 +254,8 @@ include: Restore the default for mapperContextRootRedirectEnabled to -true +true + Expand session attribute filtering on load/unload to all managers Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1731626=1731625=1731626=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Mon Feb 22 11:21:42 2016 @@ -215,6 +215,9 @@ Apache Tomcat 6.x vulnerabilities +Fixed in Apache Tomcat 6.0.45 + + Fixed in Apache Tomcat 6.0.44 
@@ -324,6 +327,137 @@ + +11 February 2016 Fixed in Apache Tomcat 6.0.45 + + + + +Low: Limited directory traversal + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174; rel="nofollow">CVE-2015-5174 + + + +When accessing resources via the ServletContext methods + getResource() getResourceAsStream() and + getResourcePaths() the paths should be limited to the + current web application. The validation was not correct and paths of the + form "/.." were not rejected. Note that paths starting with + "/../" were correctly rejected. This bug allowed malicious + web applications running under a security manager to obtain a directory + listing for the directory in which the web application had been deployed. + This should not be possible when running under a security manager. + Typically, the directory listing that would be exposed would be for + $CATALINA_BASE/webapps. + + + +This was fixed in revision http://svn.apache.org/viewvc?view=revrev=1700900;>1700900. + + +This issue was identified by the Tomcat security team on 12 August 2015 + and made public on 22 February 2016. + + +Affects: 6.0.0 to 6.0.44 + + + +Low: Directory disclosure + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345; rel="nofollow">CVE-2015-5345 + + + +When accessing a directory protected by a security constraint with a URL + that did not end in a slash, Tomcat would redirect to the URL with the + trailing slash thereby confirming the presence of the directory before + processing the security constraint. It was therefore possible for a user + to determine if a directory existed or not, even if the user was not + permitted to view the directory. The issue also occurred at the root of a + web application in which case the presence of the web application was + confirmed, even if a user did not have access. + + +The solution was to implement the redirect in the DefaultServlet so that + any security constraints and/or security enforcing Filters were processed + before the redirect. 
The Tomcat team recognised that moving the redirect + could cause regressions to two new Context configuration options + (mapperContextRootRedirectEnabled and + mapperDirectoryRedirectEnabled) were introduced. The initial + default was false for both since this was more secure. + However, due to regressions such as + https://bz.apache.org/bugzilla/show_bug.cgi?id=58765;>Bug + 58765 the default for mapperContextRootRedirectEnabled + was later changed to true since it was viewed that the regression was + more serious than the security risk of associated with being able to + determine if a web application was deployed at a given path. + + +This was fixed in revisions http://svn.apache.org/viewvc?view=revrev=1715216;>1715216 and + http://svn.apache.org/viewvc?view=revrev=1717216;>1717216. + + +This issue was identified by Mark Koek of QCSec on 12 October 2015 and + made public on 22 February 2016. + + +Affects: 6.0.0 to 6.0.44 + + + +Low: Security Manager bypass + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706; rel="nofollow">CVE-2016-0706 + + + +The StatusManagerServlet could be loaded by a web application when a + security manager was
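Review bot: the CVE-2015-5345 entry in the security-6.html hunk (@@ -324,6 +327,137 @@) adds two sentences with wording defects that should be corrected before they are published: "could cause regressions to two new Context configuration options (mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled) were introduced" is missing its connective and should read "could cause regressions, so two new Context configuration options (...) were introduced", and "the security risk of associated with being able to determine" has a stray "of". Since this commit also touches xdocs/security-6.xml through xdocs/security-9.xml and the same paragraph is reused across the security-7/8/9 pages, the fix belongs in the xdocs sources rather than in the generated HTML alone.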
[SECURITY] CVE-2016-0714 Apache Tomcat Security Manager Bypass
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2016-0714 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1
- Earlier, unsupported Tomcat versions may be affected

Description:
Tomcat provides several session persistence mechanisms. The StandardManager persists sessions over a restart. The PersistentManager is able to persist sessions to files, a database or a custom Store. The Cluster implementation persists sessions to one or more additional nodes in the cluster. All of these mechanisms could be exploited to bypass a security manager. Session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code. By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by The Apache Tomcat Security Team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu9PAAoJEBDAHFovYFnnllEQAMj38sm4FeeXJ2XOK/ODpj2J
SLK0VMib2gjRmMfuH15OPyYBIHPaWVD4E3ONiLz/2F9oqVAYfvswQnLfNrJ9k8oF
K+ETBoWfyODb8QddYQOd3JpDslrOLPscve6dgnkx/R8hZSPOvsmo8IIG4Bwh5VQM
rkAct8EFGpVuQ9ou59F8xSx7fhRMHhNKt8XwsuBIj43MwFv5P8rHhNJDbgC8hSP7
w8yKwrQ7alfeuzwQPegf11YEcauPog4TnD3JAuufcuPQefvDHRAIoKNRCwyvFbRC
rVHdsV5AehWaKKHj9Yu2IJB88s+0wXWlH01hG+wYl1jSVxs3CHhhP0FS55vwItWP
Igl26iz33esPlzQaVyWf5jOUOYfF0tZel4bDFcQrIQASJKS2vxCuOBgUhr+bReMD
I8W1A78EdGXm5IGqmPqHNXn+qAQKfs352eVFiS4vM+5n6wdVThxRzTIt/Op0iz8k
rOIm05kkZQedh7utUy4iW59MKHr9xGRQRI1r4/sdKHDIRSlzsfzJVrATqqLPxukg
QhG3LL0fO+kKLb526GZOlTaAcT7hM2wdYkLytiUItpMUR8ZfozqIS/nRUPmCfDgW
8QFRZEYIgETUYELbnj9chx0NJOkSH9OICV1U7EergsKsdpXN8uCDRy609ufSPn+W
M6wXyzp1l4aE2hnn22gZ
=OQbe
-----END PGP SIGNATURE-----
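Session persistence of this kind hands whatever bytes are in the store to Java deserialization running with Tomcat's own permissions, so the defence is to decide which classes may be instantiated before any of their code runs. The Java program below is an added example and not Tomcat's code; it mirrors the allow-list idea behind the session attribute filtering mentioned in the accompanying site changelog, but is not that implementation. The UserPrefs type, the allow-list patterns and the use of java.io.File as a stand-in for an unexpected class are all constructed for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

public class FilteredSessionLoad {

    /**
     * ObjectInputStream that resolves only classes whose names match an
     * allow-list. resolveClass() runs before the class is instantiated, so a
     * rejected class never gets to execute readObject() or any other code.
     */
    static final class AllowListObjectInputStream extends ObjectInputStream {
        private final List<Pattern> allowed;

        AllowListObjectInputStream(InputStream in, List<Pattern> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (Pattern p : allowed) {
                if (p.matcher(name).matches()) {
                    return super.resolveClass(desc);
                }
            }
            throw new InvalidClassException(name, "class not on the session attribute allow-list");
        }
    }

    /** Constructed example of an attribute type the application legitimately stores. */
    static final class UserPrefs implements Serializable {
        private static final long serialVersionUID = 1L;
        String theme = "dark";
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Loads one persisted attribute, refusing any class outside the allow-list. */
    static Object load(byte[] data, List<Pattern> allowed)
            throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois =
                     new AllowListObjectInputStream(new ByteArrayInputStream(data), allowed)) {
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Allow-list (constructed): the application's own attribute type plus
        // the java.lang and java.util types it is known to store.
        List<Pattern> allowed = Arrays.asList(
                Pattern.compile("java\\.lang\\..*"),
                Pattern.compile("java\\.util\\..*"),
                Pattern.compile(Pattern.quote(UserPrefs.class.getName())));

        byte[] expected = serialize(new UserPrefs());
        System.out.println("loaded: " + load(expected, allowed).getClass().getSimpleName());

        // java.io.File stands in for any class the application never stores;
        // it is refused at resolveClass() time, before any of its code runs.
        byte[] unexpected = serialize(new java.io.File("/tmp"));
        try {
            load(unexpected, allowed);
            System.out.println("unexpected class was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The allow-list is deliberately a list of the application's own types rather than a deny-list of known-bad ones, because a deny-list has to be updated every time a new gadget class is found. From Java 9 onward (and in later Java 8 updates) the platform offers java.io.ObjectInputFilter for the same purpose; the resolveClass() override shown here is the portable form that works on the Java versions contemporary with this advisory.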
[SECURITY] CVE-2015-5174 Apache Tomcat Limited Directory Traversal
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2015-5174 Apache Tomcat Limited Directory Traversal

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.64
- Apache Tomcat 8.0.0.RC1 to 8.0.26
- Apache Tomcat 9 is not affected
- Earlier, unsupported Tomcat versions may be affected

Description:
When accessing resources via the ServletContext methods getResource(), getResourceAsStream() and getResourcePaths() the paths should be limited to the current web application. The validation was not correct and paths of the form "/.." were not rejected. Note that paths starting with "/../" were correctly rejected. This bug allowed malicious web applications running under a security manager to obtain a directory listing for the directory in which the web application had been deployed. This should not be possible when running under a security manager. Typically, the directory listing that would be exposed would be for $CATALINA_BASE/webapps.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.27 or later
- Upgrade to Apache Tomcat 7.0.65 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by the Apache Tomcat security team.
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu+JAAoJEBDAHFovYFnnubgQAICDB8mbxG4KbSDT1YAcqjJd
lToWRjRKVd0UzIaOZFUmqV0Ap7o181xMfQpSfGZSAAukF7+zTcX33O+cklTkZaw/
yjprJSI942enkWlGygiJxIH8DUadGa62iTMyhXmpqLqkD5ura5sSNEdzir7aEnUw
P8vLdpmfbdUqNn9Qv1L27btm5+lU6OU+I8nBTB5ESyDxjhVrpc1d8GVcRaXh0mU4
56oeIAJg7O9ozXrIQa692K4pAV+VqZFb52Vwk3XiNENn0VjwM2W7PAqy+vtAfkLt
wt5SDVjoXuCW1jBTjTU+hmxzDziN0WzgVMgFsSVZg0lyU/H837e/bOOmNVA1dfGD
F6Ln40a1eYkZQ6eXK9SPmz36OnU/akM3+rcDEz9e9spvbe/c4oH5T3/yZwmsONSO
4G+9JyMCg/YKWl2+YIJSGGxO1khaLbXZvyvVwkpq0IzJZ/ZhTp7BQY+DYb4axVY3
QLBx6/XzoIRfLxf1lpvUakGw8P/0y2BPHRa+3b0WDJSElD4H6KAQd+q5vb1eyK6+
0bNPLYd9AyxYwaIuZMk2WtT+pQO0R3Ao6mVBNFk8K/YJj7msMsS4feI76I2LYLT0
WCLKWb/noO8oPmjYk6a7AZKncT9nASN+rCfbXedw6F+COxfVjuddbttsGza2oH7o
NKmM5mCdDfQztF3uOTnu
=aYIY
-----END PGP SIGNATURE-----
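The flaw here is a prefix check that catches "/../" but not the bare "/.." segment, which resolves to the parent of the web application root. As an added illustration, not Tomcat's code, the Java class below models that flawed prefix check beside a hardened check that walks the path segments with an explicit depth counter and refuses any path whose ".." would step above the application root. Both functions and the sample paths are constructed for the demonstration.

```java
public class ResourcePathCheck {

    /**
     * Model of the flawed logic described in the advisory (not Tomcat's actual
     * code): it rejects paths that begin with "/../" but accepts a bare "/..".
     */
    static boolean acceptsFlawed(String path) {
        if (path == null || !path.startsWith("/")) {
            return false;
        }
        return !path.startsWith("/../");
    }

    /**
     * Hardened check. Resource paths are always "/"-separated, so a backslash
     * or a NUL byte is rejected outright. Segments are then walked with a depth
     * counter: "." is ignored, a name descends, ".." ascends, and a ".." at
     * depth 0 would leave the root and is refused. Normalising with
     * java.nio.file.Path would not do: "/..".normalize() silently becomes "/".
     */
    static boolean acceptsHardened(String path) {
        if (path == null || !path.startsWith("/")
                || path.indexOf('\0') >= 0 || path.indexOf('\\') >= 0) {
            return false;
        }
        int depth = 0;
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;               // "//" and "/./" add nothing
            }
            if (seg.equals("..")) {
                if (depth == 0) {
                    return false;       // would escape the web application root
                }
                depth--;
            } else {
                depth++;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample paths: the first three stay inside the root and
        // should pass both checks; the rest should be refused by the hardened one.
        String[] samples = {
            "/WEB-INF/web.xml", "/a/../b", "/a/b/../../c",
            "/..", "/../", "/../secret", "/a/../..", "/a/../../b",
            "/a\\..\\b", "/a\0b"
        };
        for (String p : samples) {
            System.out.printf("%-18s flawed=%-5b hardened=%b%n",
                    p.replace("\0", "\\0"), acceptsFlawed(p), acceptsHardened(p));
        }
    }
}
```

The difference between the two columns of the printed table is the whole bug: "/.." and "/a/../.." pass the prefix check and fail the depth check. The general lesson is that traversal checks should reason about where the path ends up, not about which string it starts with.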
[SECURITY] CVE-2015-5345 Apache Tomcat Directory disclosure
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2015-5345 Apache Tomcat Directory disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.66
- Apache Tomcat 8.0.0.RC1 to 8.0.29
- Apache Tomcat 9.0.0.M1
- Earlier, unsupported Tomcat versions may be affected

Description:
When accessing a directory protected by a security constraint with a URL that did not end in a slash, Tomcat would redirect to the URL with the trailing slash, thereby confirming the presence of the directory before processing the security constraint. It was therefore possible for a user to determine if a directory existed or not, even if the user was not permitted to view the directory. The issue also occurred at the root of a web application, in which case the presence of the web application was confirmed, even if a user did not have access.

The solution was to implement the redirect in the DefaultServlet so that any security constraints and/or security enforcing Filters were processed before the redirect. The Tomcat team recognised that moving the redirect could cause regressions, so two new Context configuration options (mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled) were introduced. The initial default was false for both since this was more secure. However, due to regressions such as Bug 58765 [1], the default for mapperContextRootRedirectEnabled was later changed to true since it was viewed that the regression was more serious than the security risk associated with being able to determine if a web application was deployed at a given path.
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.30 or later
- Upgrade to Apache Tomcat 7.0.67 or later
- Upgrade to Apache Tomcat 6.0.45 or later

Credit:
This issue was discovered by Mark Koek of QCSec.

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58765
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
[5] http://tomcat.apache.org/security-6.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu+lAAoJEBDAHFovYFnnFrYP+wZwqPsP6vtAn4VrIslTxrkO
A31WCsXwnvggSIBLdITCwpJFywqPfpurFhce38Chgznli9E46Pr6dukTC56NhjmB
Cv7+PTdpJxM3vKFw+OlLrfIrxEFtHbYOTI6q7NgjfVjdbG9LbVgG3JRTmf3tT+GN
DU165VK7TxvBj68ll05gLECgAtrGFAEQl+51VlfWRZw8wXGFni2X43kEwUpihgHj
Ci4W1+sBUln0ww+aKa6sRpJTi/s3tKPWckjMY//bDIMfd4gdK7N6CJSrRMbj6Gsw
gfm1ixWlJJPKVvokH08NKvxcpwvRX4D1RD80WkaCrC7WMKzK8ohmhxxhIDXHmPE8
kibaJuy1WqQG+G/H00LTGpGkeevyg4/mH2hDxDbDJ5ye1RMA9GsKFC1YpDzugTxO
zr9lX9QRWpPNEJDXSipdjs27p8hcF+vgwI5eVd5R721wpv17IEg0Lsy4zvvswFik
t3rIj6wwVYHFoMNpwA/sojaRTGb62nqGREYiGMX4fPPd2OCtl1J4I8oZ3x4Q2gkJ
WRX98z6a04zMisiGNeTjl7ZkgEjNNW8/XG4J5sFmgSo5p2XwBCINLyWfnYiQporj
Ym0Ig9k8t5BHntgkP02a+CF9GScdkxNq8UC8Ad2oAHBqOEXd/9DHv80fA7ApvG7e
HnSzWGDdd63z0ixY0g2I
=6UrH
-----END PGP SIGNATURE-----
[Bug 59010] Disabling socketBuffer with "-1" doesn't cause exception on linux
https://bz.apache.org/bugzilla/show_bug.cgi?id=59010

--- Comment #5 from Rashmi ---
I think the same configuration is used on Linux as well. We are using the same code sample attached in the first comment on both servers and the JRE is also the same.
[GUMP@vmgump]: Project tomcat-tc7.0.x-test-apr (in module tomcat-7.0.x) failed
To whom it may engage...

This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org.

Project tomcat-tc7.0.x-test-apr has an issue affecting its community integration. This issue affects 1 projects, and has been outstanding for 2 runs. The current state of this project is 'Failed', with reason 'Build Failed'. For reference only, the following projects are affected by this:
- tomcat-tc7.0.x-test-apr : Tomcat 7.x, a web server implementing Java Servlet 3.0, ...

Full details are available at:
http://vmgump.apache.org/gump/public/tomcat-7.0.x/tomcat-tc7.0.x-test-apr/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were provided:
-DEBUG- Dependency on tomcat-tc7.0.x-dbcp exists, no need to add for property tomcat-dbcp-src.jar.
-DEBUG- Dependency on commons-daemon exists, no need to add for property commons-daemon.native.src.tgz.
-DEBUG- Dependency on commons-daemon exists, no need to add for property tomcat-native.tar.gz.
-DEBUG- Dependency on tomcat-tc7.0.x-dbcp exists, no need to add for property tomcat-dbcp.home.
-INFO- Failed with reason build failed
-INFO- Project Reports in: /srv/gump/public/workspace/tomcat-7.0.x/output/logs-APR
-INFO- Project Reports in: /srv/gump/public/workspace/tomcat-7.0.x/output/test-tmp-APR/logs

The following work was performed:
http://vmgump.apache.org/gump/public/tomcat-7.0.x/tomcat-tc7.0.x-test-apr/gump_work/build_tomcat-7.0.x_tomcat-tc7.0.x-test-apr.html
Work Name: build_tomcat-7.0.x_tomcat-tc7.0.x-test-apr (Type: Build)
Work ended in a state of : Failed
Elapsed: 26 mins 19 secs

Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true -Dbuild.sysclasspath=only org.apache.tools.ant.Main -Dgump.merge=/srv/gump/public/gump/work/merge.xml -Dcommons-pool.home=/srv/gump/public/workspace/commons-pool-1.x -Dtest.temp=output/test-tmp-APR -Djunit.jar=/srv/gump/public/workspace/junit/target/junit-4.13-SNAPSHOT.jar -Dobjenesis.jar=/srv/gump/public/workspace/objenesis/main/target/objenesis-2.3-SNAPSHOT.jar -Dexamples.sources.skip=true -Dcommons-daemon.jar=/srv/gump/public/workspace/apache-commons/daemon/dist/commons-daemon-20160222.jar -Dtomcat-dbcp-src.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-src.jar -Dtomcat-dbcp.home=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps -Dtest.excludePerformance=true -Dhamcrest.jar=/srv/gump/packages/hamcrest/hamcrest-core-1.3.jar -Dcommons-dbcp.home=/srv/gump/public/workspace/commons-dbcp-1.x -Dexecute.test.apr=true -Dexecute.test.bio=false -Dcommons-daemon.native.src.tgz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20160222-native-src.tar.gz -Dtest.reports=output/logs-APR -Dtomcat-native.tar.gz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20160222-native-src.tar.gz -Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.5-201506032000/ecj-4.5.jar -Dtest.apr.loc=/srv/gump/public/workspace/tomcat-native/dest-20160222/lib -Dexecute.test.nio=false -Dtest.accesslog=true -Dtomcat-dbcp.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-20160222.jar -Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-3.5-SNAPSHOT.jar -Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test
[Working Directory: /srv/gump/public/workspace/tomcat-7.0.x]
CLASSPATH: /usr/lib/jvm/java-8-oracle/lib/tools.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/webapps/examples/WEB-INF/classes:/srv/gump/public/workspace/tomcat-7.0.x/output/testclasses:/srv/gump/public/workspace/ant/dist/lib/ant.jar:/srv/gump/public/workspace/ant/dist/lib/ant-launcher.jar:/srv/gump/public/workspace/ant/dist/lib/ant-jmf.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit4.jar:/srv/gump/public/workspace/ant/dist/lib/ant-swing.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-resolver.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-xalan2.jar:/srv/gump/public/workspace/xml-commons/java/build/resolver.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/bin/bootstrap.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/bin/tomcat-juli.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/annotations-api.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/servlet-api.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/jsp-api.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/el-api.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/catalina.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/catalina-ant.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/tomcat-coyote.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/jasper.jar:/srv/gump
[GUMP@vmgump]: Project tomcat-trunk-test-apr (in module tomcat-trunk) failed
To whom it may engage...

This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org.

Project tomcat-trunk-test-apr has an issue affecting its community integration. This issue affects 1 projects, and has been outstanding for 2 runs. The current state of this project is 'Failed', with reason 'Build Failed'. For reference only, the following projects are affected by this:
- tomcat-trunk-test-apr : Tomcat 9.x, a web server implementing the Java Servlet 4.0, ...

Full details are available at:
http://vmgump.apache.org/gump/public/tomcat-trunk/tomcat-trunk-test-apr/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were provided:
-DEBUG- Dependency on commons-daemon exists, no need to add for property commons-daemon.native.src.tgz.
-DEBUG- Dependency on commons-daemon exists, no need to add for property tomcat-native.tar.gz.
-INFO- Failed with reason build failed
-INFO- Project Reports in: /srv/gump/public/workspace/tomcat-trunk/output/logs-APR
-INFO- Project Reports in: /srv/gump/public/workspace/tomcat-trunk/output/test-tmp-APR/logs
-WARNING- No directory [/srv/gump/public/workspace/tomcat-trunk/output/test-tmp-APR/logs]

The following work was performed:
http://vmgump.apache.org/gump/public/tomcat-trunk/tomcat-trunk-test-apr/gump_work/build_tomcat-trunk_tomcat-trunk-test-apr.html
Work Name: build_tomcat-trunk_tomcat-trunk-test-apr (Type: Build)
Work ended in a state of : Failed
Elapsed: 44 mins 24 secs

Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true -Dbuild.sysclasspath=only org.apache.tools.ant.Main -Dgump.merge=/srv/gump/public/gump/work/merge.xml -Djunit.jar=/srv/gump/public/workspace/junit/target/junit-4.13-SNAPSHOT.jar -Dobjenesis.jar=/srv/gump/public/workspace/objenesis/main/target/objenesis-2.3-SNAPSHOT.jar -Dtest.reports=output/logs-APR -Dtomcat-native.tar.gz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20160222-native-src.tar.gz -Dexamples.sources.skip=true -Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.5-201506032000/ecj-4.5.jar -Dtest.apr.loc=/srv/gump/public/workspace/tomcat-native-trunk/dest-20160222/lib -Dtest.relaxTiming=true -Dcommons-daemon.jar=/srv/gump/public/workspace/apache-commons/daemon/dist/commons-daemon-20160222.jar -Dcommons-daemon.native.src.tgz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20160222-native-src.tar.gz -Dtest.temp=output/test-tmp-APR -Dtest.accesslog=true -Dexecute.test.nio=false -Dtest.openssl.path=/srv/gump/public/workspace/openssl-master/dest-20160222/bin/openssl -Dexecute.test.apr=true -Dtest.excludePerformance=true -Dexecute.test.nio2=false -Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-3.5-SNAPSHOT.jar -Dhamcrest.jar=/srv/gump/packages/hamcrest/hamcrest-core-1.3.jar -Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test
[Working Directory: /srv/gump/public/workspace/tomcat-trunk]
CLASSPATH: /usr/lib/jvm/java-8-oracle/lib/tools.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/webapps/examples/WEB-INF/classes:/srv/gump/public/workspace/tomcat-trunk/output/testclasses:/srv/gump/public/workspace/ant/dist/lib/ant.jar:/srv/gump/public/workspace/ant/dist/lib/ant-launcher.jar:/srv/gump/public/workspace/ant/dist/lib/ant-jmf.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit4.jar:/srv/gump/public/workspace/ant/dist/lib/ant-swing.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-resolver.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-xalan2.jar:/srv/gump/public/workspace/xml-commons/java/build/resolver.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/bin/bootstrap.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/bin/tomcat-juli.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/annotations-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/servlet-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jsp-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/el-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/websocket-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jaspic-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-ant.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-storeconfig.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/tomcat-coyote.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jasper.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jasper-el.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-tribes.jar:/srv/gump/public/workspace