[GUMP@vmgump]: Project tomcat-native-make (in module tomcat-native) failed

2016-02-22 Thread Bill Barker
To whom it may engage...

This is an automated request, but not an unsolicited one. For 
more information please visit http://gump.apache.org/nagged.html, 
and/or contact the folk at gene...@gump.apache.org.

Project tomcat-native-make has an issue affecting its community integration.
This issue affects 4 projects,
 and has been outstanding for 4 runs.
The current state of this project is 'Failed', with reason 'Build Failed'.
For reference only, the following projects are affected by this:
- tomcat-native-make :  Tomcat native library using Apache Portable Runtime
- tomcat-native-make-install :  Tomcat native library using Apache Portable 
Runtime
- tomcat-tc7.0.x-test-apr :  Tomcat 7.x, a web server implementing Java 
Servlet 3.0,
...
- tomcat-tc8.0.x-test-apr :  Tomcat 8.x, a web server implementing the Java 
Servlet 3.1,
...


Full details are available at:

http://vmgump.apache.org/gump/public/tomcat-native/tomcat-native-make/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were 
provided:
 -INFO- Failed with reason build failed



The following work was performed:
http://vmgump.apache.org/gump/public/tomcat-native/tomcat-native-make/gump_work/build_tomcat-native_tomcat-native-make.html
Work Name: build_tomcat-native_tomcat-native-make (Type: Build)
Work ended in a state of : Failed
Elapsed: 26 secs
Command Line: make 
[Working Directory: /srv/gump/public/workspace/tomcat-native/native]
-
make[1]: Entering directory `/srv/gump/public/workspace/tomcat-native/native'
/bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool 
--silent --mode=compile gcc -g -O2 -pthread   -DHAVE_CONFIG_H  -DLINUX 
-D_REENTRANT -D_GNU_SOURCE   -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP   
-I/srv/gump/public/workspace/tomcat-native/native/include 
-I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux 
-I/srv/gump/public/workspace/openssl-master/dest-20160223/include  
-I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1   -o 
src/address.lo -c src/address.c && touch src/address.lo
/bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool 
--silent --mode=compile gcc -g -O2 -pthread   -DHAVE_CONFIG_H  -DLINUX 
-D_REENTRANT -D_GNU_SOURCE   -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP   
-I/srv/gump/public/workspace/tomcat-native/native/include 
-I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux 
-I/srv/gump/public/workspace/openssl-master/dest-20160223/include  
-I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1   -o src/bb.lo 
-c src/bb.c && touch src/bb.lo
/bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool 
--silent --mode=compile gcc -g -O2 -pthread   -DHAVE_CONFIG_H  -DLINUX 
-D_REENTRANT -D_GNU_SOURCE   -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP   
-I/srv/gump/public/workspace/tomcat-native/native/include 
-I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux 
-I/srv/gump/public/workspace/openssl-master/dest-20160223/include  
-I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1   -o src/dir.lo 
-c src/dir.c && touch src/dir.lo
/bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool 
--silent --mode=compile gcc -g -O2 -pthread   -DHAVE_CONFIG_H  -DLINUX 
-D_REENTRANT -D_GNU_SOURCE   -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP   
-I/srv/gump/public/workspace/tomcat-native/native/include 
-I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux 
-I/srv/gump/public/workspace/openssl-master/dest-20160223/include  
-I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1   -o 
src/error.lo -c src/error.c && touch src/error.lo
/bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool 
--silent --mode=compile gcc -g -O2 -pthread   -DHAVE_CONFIG_H  -DLINUX 
-D_REENTRANT -D_GNU_SOURCE   -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP   
-I/srv/gump/public/workspace/tomcat-native/native/include 
-I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux 
-I/srv/gump/public/workspace/openssl-master/dest-20160223/include  
-I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1   -o src/file.lo 
-c src/file.c && touch src/file.lo
/bin/bash /srv/gump/public/workspace/apr-1/dest-20160223/build-1/libtool 
--silent --mode=compile gcc -g -O2 -pthread   -DHAVE_CONFIG_H  -DLINUX 
-D_REENTRANT -D_GNU_SOURCE   -g -O2 -DHAVE_OPENSSL -DHAVE_POOL_PRE_CLEANUP   
-I/srv/gump/public/workspace/tomcat-native/native/include 
-I/usr/lib/jvm/java-8-oracle/include -I/usr/lib/jvm/java-8-oracle/include/linux 
-I/srv/gump/public/workspace/openssl-master/dest-20160223/include  
-I/srv/gump/public/workspace/apr-1/dest-20160223/include/apr-1   -o src/info.lo 
-c src/info.c && touch src/info.lo
/bin/bash 

[Bug 57830] Add support for ProxyProtocol

2016-02-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830

--- Comment #9 from Christopher Schultz  ---
I think Daniel Ruggeri did some work on this. He's been waiting for some
feedback from me. Maybe I should get on that!

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 59001] Unable to load jar files when they have exclamation in the path

2016-02-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59001

--- Comment #6 from Mark Thomas  ---
I really wanted to fix this but I'm not sure that supporting this use case is
worth the cost.

There are two places I have found (so far) where changes would be required. The
first is during start-up to ensure that the paths used to construct the URLs
for the class loaders escape "!/" to "%21/".

The second is in the web resources implementation where FileResource.getURL()
needs to escape "!/" to "%21/".

The problem stems from the fact that the only way to do this escaping (that I
have been able to find) is URL -> toString() -> replaceAll() -> new URL(). And
that is relatively expensive.

I'm not concerned about startup. That is a one-off cost. What concerns me is
the performance impact of adding this to FileResource.getURL(). That gets
called a lot. I'm concerned that the impact of adding this escaping is going to
be measurable for end users.

The other option is to take the position that anytime code constructs a jar
URL, that code is responsible for ensuring that any !/ sequences in the path it
uses to construct that URL are escaped. While we could do this in Tomcat (there
are ~20 places we'd need to fix this), I suspect a whole bunch of third-party
code won't handle this correctly. And this is before we get into the mess that
is JARs in WARs.

Given that most users don't need this (I don't recall seeing this issue
reported previously and that's going back to Tomcat 4.1.x) I'm leaning heavily
towards WONTFIX. There is going to need to be a really good reason to fix this
to change my mind.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
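To make the escaping Mark Thomas describes concrete, here is an added example (not Tomcat code, and not from the bug report) that turns a file URL whose directory name contains "!/" into a jar: URL with and without the "!/" to "%21/" replacement. The path under /opt/apps is made up for the demonstration. The JDK's JarURLConnection splits the spec at the first "!/" when deciding which archive to open, so the unescaped form points at the directory "release" rather than at util.jar; after escaping, the only "!/" left is the real archive boundary, and the file URL decodes "%21" back to "!" when the archive is eventually opened.

```java
import java.io.IOException;
import java.net.JarURLConnection;
import java.net.MalformedURLException;
import java.net.URL;

/*
 * Added example, not Tomcat code. Shows why a "!/" inside a directory name
 * confuses jar: URLs and what the "!/" -> "%21/" escaping from the bug
 * discussion changes. The archive path is constructed for the demonstration.
 */
public class JarUrlBangEscape {

    /** Build a jar: URL for an archive, optionally escaping "!/" in its file URL first. */
    static URL jarUrlFor(URL archiveFileUrl, boolean escapeBang) throws MalformedURLException {
        String spec = archiveFileUrl.toString();
        if (escapeBang) {
            // The escaping described in the bug: URL -> toString() -> replaceAll() -> new URL()
            spec = spec.replaceAll("!/", "%21/");
        }
        return new URL("jar:" + spec + "!/");
    }

    /** Ask the JDK which archive it believes the jar: URL refers to (no I/O is performed). */
    static URL archiveSeenByJdk(URL jarUrl) throws IOException {
        JarURLConnection conn = (JarURLConnection) jarUrl.openConnection();
        return conn.getJarFileURL();
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical deployment path containing "!/" (made up for this example)
        URL archive = new URL("file:/opt/apps/release!/webapp/WEB-INF/lib/util.jar");

        for (boolean escape : new boolean[] {false, true}) {
            URL jarUrl = jarUrlFor(archive, escape);
            System.out.println((escape ? "escaped   " : "unescaped ") + "jar URL: " + jarUrl);
            System.out.println("          archive the JDK resolves: " + archiveSeenByJdk(jarUrl));
        }
    }
}
```

Running main prints both jar: URLs and the archive the JDK resolves for each. The cost the comment worries about is visible in jarUrlFor: the replacement is a String round trip plus a fresh URL parse, which is cheap once at start-up but adds up if it runs inside FileResource.getURL() on every call.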



[Bug 48674] Tomcat Virtual Host Manager application doesn't persist newly created virtual hosts

2016-02-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=48674

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |FIXED

--- Comment #12 from Mark Thomas  ---
I've applied a variation of Coty Sutherland's patch to trunk for 9.0.0.M4
onwards. We can tweak that as feedback is received.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



svn commit: r1731735 - /tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java

2016-02-22 Thread markt
Author: markt
Date: Mon Feb 22 20:22:38 2016
New Revision: 1731735

URL: http://svn.apache.org/viewvc?rev=1731735&view=rev
Log:
Restore correct array size after r1731734

Modified:

tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java

Modified: 
tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java?rev=1731735&r1=1731734&r2=1731735&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java 
(original)
+++ 
tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java 
Mon Feb 22 20:22:38 2016
@@ -360,7 +360,7 @@ public final class HTMLHostManagerServle
 writer.print
 (MessageFormat.format(HOSTS_ROW_DETAILS_SECTION, args));
 
-args = new Object[6];
+args = new Object[4];
 if (host.getState().isAvailable()) {
 args[0] = response.encodeURL
 (request.getContextPath() +
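Review bot: `new Object[4]` is the right size here: the surrounding code fills only `args[0]` through `args[3]` (`args[3] = hostsRemove;` is visible in r1731734's diff), and the `Object[6]` it replaces was introduced by r1731734 in the middle of the persist feature. The mismatch was silent because `MessageFormat.format` ignores arguments that no placeholder references, so a one-line remark in the log that the previous size was a slip rather than a functional change would spare the next reader a trip to r1731734.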



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



svn commit: r1731734 - in /tomcat/trunk: java/org/apache/catalina/manager/host/ webapps/docs/

2016-02-22 Thread markt
Author: markt
Date: Mon Feb 22 20:19:15 2016
New Revision: 1731734

URL: http://svn.apache.org/viewvc?rev=1731734&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=48674
Implement an option within the Host Manager web application to persist the 
current configuration.
Based on a patch by Coty Sutherland.

Modified:

tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java
tomcat/trunk/java/org/apache/catalina/manager/host/HostManagerServlet.java
tomcat/trunk/java/org/apache/catalina/manager/host/LocalStrings.properties
tomcat/trunk/webapps/docs/changelog.xml

Modified: 
tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java?rev=1731734&r1=1731733&r2=1731734&view=diff
==
--- 
tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java 
(original)
+++ 
tomcat/trunk/java/org/apache/catalina/manager/host/HTMLHostManagerServlet.java 
Mon Feb 22 20:19:15 2016
@@ -94,7 +94,8 @@ public final class HTMLHostManagerServle
 } else if (command.equals("/list")) {
 // Nothing to do - always generate list
 } else if (command.equals("/add") || command.equals("/remove") ||
-command.equals("/start") || command.equals("/stop")) {
+command.equals("/start") || command.equals("/stop") ||
+command.equals("/persist")) {
 message = smClient.getString(
 "hostManagerServlet.postCommand", command);
 } else {
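Review bot: `/persist` belongs in this list. It rewrites server.xml, so it has to be refused on GET exactly like `/add`, `/remove`, `/start` and `/stop`, and the `hostManagerServlet.postCommand` message now covers it; the one thing to confirm elsewhere is that the form which submits it actually uses POST, otherwise users only ever see this message.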
@@ -143,6 +144,8 @@ public final class HTMLHostManagerServle
 message = start(name, smClient);
 } else if (command.equals("/stop")) {
 message = stop(name, smClient);
+} else if (command.equals("/persist")) {
+message = persist(smClient);
 } else {
 //Try GET
 doGet(request, response);
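Review bot: unlike the neighbouring branches, `persist(smClient)` takes no `name`, so the request needs no parameters at all to trigger a server.xml rewrite. That makes it the most attractive target on this page for a forged cross-site POST; please confirm that whatever CSRF protection guards `/add` and `/remove` in this servlet also applies to `/persist`, and consider a short comment here saying so.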
@@ -227,6 +230,22 @@ public final class HTMLHostManagerServle
 
 
 /**
+ * Persist the current configuration to server.xml.
+ *
+ * @param smClient i18n resources localized for the client
+ */
+protected String persist(StringManager smClient) {
+
+StringWriter stringWriter = new StringWriter();
+PrintWriter printWriter = new PrintWriter(stringWriter);
+
+super.persist(printWriter, smClient);
+
+return stringWriter.toString();
+}
+
+
+/**
  * Render a HTML list of the currently active Contexts in our virtual host,
  * and memory and server status information.
  *
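Review bot: the Javadoc for `persist` has no `@return`, and `printWriter` is neither flushed nor closed before `stringWriter.toString()`. A `PrintWriter` over a `StringWriter` writes straight through, so the result is complete today, but an explicit `printWriter.flush();` before the return documents that reliance and survives a later switch to a buffered writer. The Javadoc should also say that the returned text is the status message to show the user, since that is what the caller stores in `message`.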
@@ -341,7 +360,7 @@ public final class HTMLHostManagerServle
 writer.print
 (MessageFormat.format(HOSTS_ROW_DETAILS_SECTION, args));
 
-args = new Object[4];
+args = new Object[6];
 if (host.getState().isAvailable()) {
 args[0] = response.encodeURL
 (request.getContextPath() +
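Review bot: `args = new Object[6];` but the code that follows fills only `args[0]` to `args[3]` (`args[3] = hostsRemove;` in the next hunk), so the two extra slots are never set and `MessageFormat.format` silently ignores them. `new Object[4]` is what `HOSTS_ROW_BUTTON_SECTION` and `MANAGER_HOST_ROW_BUTTON_SECTION` need; r1731735 restores it.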
@@ -362,10 +381,10 @@ public final class HTMLHostManagerServle
 args[3] = hostsRemove;
 if (host == this.installedHost) {
 writer.print(MessageFormat.format(
-MANAGER_HOST_ROW_BUTTON_SECTION, args));
+MANAGER_HOST_ROW_BUTTON_SECTION, args));
 } else {
 writer.print(MessageFormat.format(
-HOSTS_ROW_BUTTON_SECTION, args));
+HOSTS_ROW_BUTTON_SECTION, args));
 }
 }
 }
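Review bot: the two `-`/`+` pairs in this hunk are identical apart from whitespace. Reformatting mixed into a feature commit adds noise to the diff and to `svn blame`; keep whitespace-only changes in a separate commit.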
@@ -413,6 +432,14 @@ public final class HTMLHostManagerServle
 args[0] = smClient.getString("htmlHostManagerServlet.addButton");
 writer.print(MessageFormat.format(ADD_SECTION_END, args));
 
+// Persist Configuration Section
+args = new Object[4];
+args[0] = smClient.getString("htmlHostManagerServlet.persistTitle");
+args[1] = response.encodeURL(request.getContextPath() + 
"/html/persist");
+args[2] = 
smClient.getString("htmlHostManagerServlet.persistAllButton");
+args[3] = smClient.getString("htmlHostManagerServlet.persistAll");
+writer.print(MessageFormat.format(PERSIST_SECTION, args));
+
 // Server Header Section
 args = new Object[7];
 args[0] = smClient.getString("htmlHostManagerServlet.serverTitle");
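Review bot: this section references three new i18n keys (`htmlHostManagerServlet.persistTitle`, `persistAllButton`, `persistAll`); `LocalStrings.properties` is in the modified list but its hunk is not shown, so please confirm all three were added, and that any translated bundles fall back cleanly. Building the action as `request.getContextPath() + "/html/persist"` through `response.encodeURL` is consistent with the other sections.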
@@ -483,6 +510,9 @@ public final class HTMLHostManagerServle
 "  " +
 "   " +
 "  \n" +
+"  " +
+"   " +
+"  \n" +
 " \n" +
 "\n";
 
@@ -552,4 +582,20 @@ public final class HTMLHostManagerServle
 "\n" +
 "\n";
 
+private static final String PERSIST_SECTION =
+"\n" +
+"\n" +
+" {0}\n" +
+"\n" +
+"\n" +
+   

svn commit: r1731733 - /tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml

2016-02-22 Thread markt
Author: markt
Date: Mon Feb 22 20:14:36 2016
New Revision: 1731733

URL: http://svn.apache.org/viewvc?rev=1731733&view=rev
Log:
Add the RFC6265 cookie processor

Modified:
tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml

Modified: tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml?rev=1731733&r1=1731732&r2=1731733&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml 
(original)
+++ tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml Mon 
Feb 22 20:14:36 2016
@@ -462,6 +462,13 @@
 storeFactoryClass="org.apache.catalina.storeconfig.StoreFactoryBase">
  
  
+ 
+ 

svn commit: r1731732 - /tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml

2016-02-22 Thread markt
Author: markt
Date: Mon Feb 22 20:09:49 2016
New Revision: 1731732

URL: http://svn.apache.org/viewvc?rev=1731732&view=rev
Log:
Don't want to persist the Loader.domain attribute

Modified:
tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml

Modified: tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml?rev=1731732&r1=1731731&r2=1731732&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml 
(original)
+++ tomcat/trunk/java/org/apache/catalina/storeconfig/server-registry.xml Mon 
Feb 22 20:09:49 2016
@@ -210,6 +210,7 @@
 default="false"
 tagClass="org.apache.catalina.loader.WebappLoader"
 storeFactoryClass="org.apache.catalina.storeconfig.LoaderSF">
+domain
  
  
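Review bot: the element wrapping `domain` has been stripped in this rendering, so only the intent (leave `Loader.domain` out of the persisted server.xml) can be checked against the log message, and it is consistent. No `webapps/docs/changelog.xml` entry accompanies the change, unlike r1731734; if the StoreConfig output changes for users who persist their configuration, a changelog line would document it.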

[Bug 57830] Add support for ProxyProtocol

2016-02-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57830

--- Comment #8 from Axel Fontaine  ---
+1

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



svn commit: r1731697 - /tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java

2016-02-22 Thread markt
Author: markt
Date: Mon Feb 22 17:33:09 2016
New Revision: 1731697

URL: http://svn.apache.org/viewvc?rev=1731697&view=rev
Log:
OpenSSL master has removed support for 23 ciphers

Modified:

tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java

Modified: 
tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java?rev=1731697&r1=1731696&r2=1731697&view=diff
==
--- 
tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java 
(original)
+++ 
tomcat/trunk/test/org/apache/tomcat/util/net/openssl/ciphers/TesterOpenSSL.java 
Mon Feb 22 17:33:09 2016
@@ -330,6 +330,29 @@ public class TesterOpenSSL {
 unimplemented.add(Cipher.TLS_DH_RSA_WITH_CAMELLIA_128_CBC_SHA);
 unimplemented.add(Cipher.TLS_DH_RSA_WITH_CAMELLIA_256_CBC_SHA);
 unimplemented.add(Cipher.TLS_DH_RSA_WITH_SEED_CBC_SHA);
+unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_NULL_SHA);
+unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_RC4_128_SHA);
+unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_RC4_128_SHA);
+unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA);
+unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA);
+unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA);
+unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_NULL_SHA);
+unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_RC4_128_SHA);
+unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA);
+unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA);
+unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA);
+unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256);
+unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384);
+unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256);
+unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384);
+unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256);
+unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384);
+unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256);
+unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384);
+
unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256);
+
unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384);
+
unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256);
+
unimplemented.add(Cipher.TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384);
 }
 OPENSSL_UNIMPLEMENTED_CIPHERS = 
Collections.unmodifiableSet(unimplemented);
 }
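Review bot: `unimplemented.add(Cipher.TLS_ECDH_ECDSA_WITH_RC4_128_SHA);` appears twice (the second and third added lines). The set absorbs the duplicate so the test still passes, but the repeated line should go, and the "23 ciphers" in the log only matches by counting it twice: 22 distinct suites are listed. Every one of them is a static (non-ephemeral) ECDH suite, which is consistent with OpenSSL master dropping that key exchange altogether; no ECDHE entry has slipped into the block, which is the thing to watch when a list like this is extended.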



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: tomcat memory allocation

2016-02-22 Thread Felix Schumacher

On 22.02.2016 at 16:52, Matip Ma Teha Louis Blaise wrote:

Good evening everyone,
I have a problem with Tomcat. I installed Tomcat 6 on a server 
that has 12 GB of RAM, and Tomcat lets me use only about 2 GB of the 12 GB.
I would therefore like to know whether there is a solution to 
expand this memory beyond 2 GB.

Thank you.

Hello,

you have posted your question to the wrong mail address. Please have a 
look at http://tomcat.apache.org/lists.html#tomcat-users to see where to 
post questions about tomcat.

When posting your questions, post them to one list only, please.

Regards,
 Felix


[Bug 59043] New: SingleSignOn valve warns about missing session when invoking HttpServletRequest.logout

2016-02-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59043

Bug ID: 59043
   Summary: SingleSignOn valve warns about missing session when
invoking HttpServletRequest.logout
   Product: Tomcat 8
   Version: 8.0.32
  Hardware: PC
Status: NEW
  Severity: major
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: roberto.benede...@dedalus.eu

When HttpServletRequest.logout() is invoked, first the ID of the current
session is changed, then all the sessions in SingleSignOnEntry are expired, but
the current one has changed its ID, hence the annoying warning.

From the log:
...
FINE [http-nio-8080-exec-3] AuthenticatorBase.register Authenticated 'john.doe'
with type 'FORM'
FINE [http-nio-8080-exec-3] AuthenticatorBase.register Session ID changed on
authentication from [6F6874832A811D2B69AA06F3745C4CC7] to
[FD2777025AC71CA72A44545472DAB5C2]
FINE [http-nio-8080-exec-3] SingleSignOn.register SSO registering SSO session
[9284A1891047D0FA96629C9059528302] for user [john.doe] with authentication type
[FORM]
FINE [http-nio-8080-exec-3] SingleSignOn.associate SSO associating application
session [StandardSession[FD2777025AC71CA72A44545472DAB5C2]] with SSO session
[9284A1891047D0FA96629C9059528302]
...
FINE [http-nio-8080-exec-4] AuthenticatorBase.register Authenticated 'none'
with type 'null'
FINE [http-nio-8080-exec-4] AuthenticatorBase.register Session ID changed on
authentication from [FD2777025AC71CA72A44545472DAB5C2] to
[DCE8372B4BF6AD84F63BF5664D8E941E]
FINE [http-nio-8080-exec-4] SingleSignOn.deregister SSO expiring application
session [Host: [localhost], Context: [/app], SessionID:
[FD2777025AC71CA72A44545472DAB5C2]] associated with SSO session
[9284A1891047D0FA96629C9059528302]
WARNING [http-nio-8080-exec-4] SingleSignOn.expire SSO unable to expire session
[Host: [localhost], Context: [/app], SessionID:
[FD2777025AC71CA72A44545472DAB5C2]] because the Session could not be found
...

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
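The ordering the report describes, as an added model that is not Tomcat's code and simplifies the real SingleSignOn and Manager classes: a registry records which application sessions each SSO session owns, logout rotates the session ID first, and deregistration then looks the old ID up and fails to find it. The second scenario shows one way out (telling the SSO entry about the new ID at the moment it changes); expiring the SSO sessions before rotating the ID is the other obvious option, and which one Tomcat should take is the reporter's question, not something this model settles. All user names and IDs are made up.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;

/*
 * Added example, not Tomcat code: a minimal model of the ordering problem in
 * bug 59043. The SSO entry remembers application sessions by session ID; if
 * the ID is rotated on logout before the entry is consulted, the entry still
 * holds the stale ID and that session cannot be expired. IDs are made up.
 */
public class SsoLogoutOrdering {

    /** Live application sessions keyed by their current ID (stands in for the Manager). */
    private final Map<String, String> liveSessions = new HashMap<>();
    /** SSO entries: SSO session ID -> application session IDs it owns. */
    private final Map<String, Set<String>> ssoEntries = new HashMap<>();

    /** FORM login: register the application session and associate it with the SSO session. */
    void login(String user, String ssoId, String sessionId) {
        liveSessions.put(sessionId, user);
        ssoEntries.computeIfAbsent(ssoId, k -> new LinkedHashSet<>()).add(sessionId);
    }

    /**
     * Session-fixation protection: rotate the session ID (the "Session ID changed
     * on authentication" step in the reporter's log). With updateSso=true the SSO
     * entry learns the new ID; with false it is left holding the old one.
     */
    void changeSessionId(String oldId, String newId, boolean updateSso) {
        String user = liveSessions.remove(oldId);
        liveSessions.put(newId, user);
        if (updateSso) {
            for (Set<String> ids : ssoEntries.values()) {
                if (ids.remove(oldId)) {
                    ids.add(newId);
                }
            }
        }
    }

    /**
     * SSO deregistration: expire every application session the entry lists.
     * Returns the IDs that no longer exist, i.e. the cases behind the
     * "unable to expire session ... could not be found" warning.
     */
    List<String> deregister(String ssoId) {
        List<String> notFound = new ArrayList<>();
        Set<String> ids = ssoEntries.remove(ssoId);
        if (ids == null) {
            return notFound;
        }
        for (String id : ids) {
            if (liveSessions.remove(id) == null) {
                notFound.add(id);
            }
        }
        return notFound;
    }

    /** The sequence from the report: logout rotates the ID, then the SSO valve deregisters. */
    static List<String> logoutAsReported() {
        SsoLogoutOrdering model = new SsoLogoutOrdering();
        model.login("john.doe", "SSO-1", "APP-1");
        model.changeSessionId("APP-1", "APP-2", false); // the SSO entry still names APP-1
        return model.deregister("SSO-1");               // APP-1 no longer exists
    }

    /** The same sequence with the SSO association updated when the ID changes. */
    static List<String> logoutWithSsoKeptInSync() {
        SsoLogoutOrdering model = new SsoLogoutOrdering();
        model.login("john.doe", "SSO-1", "APP-1");
        model.changeSessionId("APP-1", "APP-2", true);  // the SSO entry now names APP-2
        return model.deregister("SSO-1");
    }

    public static void main(String[] args) {
        System.out.println("as reported, sessions not found:      " + logoutAsReported());
        System.out.println("SSO kept in sync, sessions not found: " + logoutWithSsoKeptInSync());
    }
}
```

The model deliberately keeps the rotate-then-deregister order from the log in both scenarios, so the only variable is whether the SSO entry is told about the new ID; that isolates the cause the reporter identifies from any other difference between the two runs.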



[Bug 59043] SingleSignOn valve warns about missing session when invoking HttpServletRequest.logout

2016-02-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59043

Roberto Benedetti  changed:

   What|Removed |Added

 OS||All
 CC||roberto.benedetti@dedalus.eu

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



svn commit: r1731638 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/s

2016-02-22 Thread markt
Author: markt
Date: Mon Feb 22 13:18:59 2016
New Revision: 1731638

URL: http://svn.apache.org/viewvc?rev=1731638&view=rev
Log:
Improve descriptions. In particular, make it clear when an issue only impact 
users running untrusted web applications under a security manager.

Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1731638&r1=1731637&r2=1731638&view=diff
==
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Feb 22 13:18:59 2016
@@ -338,6 +338,10 @@
 
 
 
+This issue only affects users running untrusted web applications under a
+   security manager.
+   
+
 When accessing resources via the ServletContext methods
getResource() getResourceAsStream() and
getResourcePaths() the paths should be limited to the
@@ -410,12 +414,17 @@
 
 
 
-The StatusManagerServlet could be loaded by a web application when a
-   security manager was configured. This servlet would then provide the web
-   application with a list of all deployed applications and a list of the
-   HTTP request lines for all requests currently being processed. This 
could
-   have exposed sensitive information from other web applications such as
-   session IDs to the web application.
+This issue only affects users running untrusted web applications under a
+   security manager.
+   
+
+The internal StatusManagerServlet could be loaded by a malicious web
+   application when a security manager was configured. This servlet could
+   then provide the malicious web application with a list of all deployed
+   applications and a list of the HTTP request lines for all requests
+   currently being processed. This could have exposed sensitive information
+   from other web applications, such as session IDs, to the web
+   application.
 
 
 This was fixed in revision http://svn.apache.org/viewvc?view=revrev=1722802;>1722802.
@@ -434,6 +443,10 @@
 
 
 
+This issue only affects users running untrusted web applications under a
+   security manager.
+   
+
 Tomcat provides several session persistence mechanisms. The
StandardManager persists session over a restart. The
PersistentManager is able to persist sessions to files, a

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1731638&r1=1731637&r2=1731638&view=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Feb 22 13:18:59 2016
@@ -398,15 +398,18 @@
 
 
 
-Low: CSRF token leak
+Moderate: CSRF token leak
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351; 
rel="nofollow">CVE-2015-5351
 
 
 
 The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
-   unauthenticated request to the root of the web application. This token
-   could then be used by an attacker to construct a CSRF attack.
+   unauthenticated request to the root of the web application. If an
+   attacker had access to the Manager or Host Manager applications
+   (typically these applications are only accessible to internal users, not
+   exposed to the Internet), this token could then be used by the attacker
+   to construct a CSRF attack.
 
 
 This was fixed in revisions http://svn.apache.org/viewvc?view=revrev=1720661;>1720661 and
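Review bot: the rating goes from Low to Moderate in the same hunk that adds the mitigating observation that the Manager and Host Manager are typically reachable only by internal users, so a reader is left wondering why the severity went up while the described exposure narrowed. A short clause giving the reason for the re-rating (or a pointer to the CVE's scoring) would make the entry self-explaining.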
@@ -426,12 +429,17 @@
 
 
 
-The StatusManagerServlet could be loaded by a web application when a
-   security manager was configured. This servlet would then provide the web
-   application with a list of all deployed applications and a list of the
-   HTTP request lines for all requests currently being processed. This 
could
-   have exposed sensitive information from other web applications such as
-   session IDs to the web application.
+This issue only affects users running untrusted web applications under a
+   security manager.
+   
+
+The internal StatusManagerServlet could be loaded by a malicious web
+   application when a security manager was configured. This servlet could
+   then provide the malicious web application with a list of all deployed
+   applications and a list of the HTTP request lines for all requests
+   currently being processed. This could have 

svn commit: r1731632 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/s

2016-02-22 Thread markt
Author: markt
Date: Mon Feb 22 12:30:11 2016
New Revision: 1731632

URL: http://svn.apache.org/viewvc?rev=1731632&view=rev
Log:
Fix typo

Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1731632&r1=1731631&r2=1731632&view=diff
==
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Feb 22 12:30:11 2016
@@ -381,7 +381,7 @@
 The solution was to implement the redirect in the DefaultServlet so that
any security constraints and/or security enforcing Filters were 
processed
before the redirect. The Tomcat team recognised that moving the redirect
-   could cause regressions to two new Context configuration options
+   could cause regressions so two new Context configuration options
(mapperContextRootRedirectEnabled and
mapperDirectoryRedirectEnabled) were introduced. The 
initial
default was false for both since this was more secure. 

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1731632&r1=1731631&r2=1731632&view=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Feb 22 12:30:11 2016
@@ -374,7 +374,7 @@
 The solution was to implement the redirect in the DefaultServlet so that
any security constraints and/or security enforcing Filters were 
processed
before the redirect. The Tomcat team recognised that moving the redirect
-   could cause regressions to two new Context configuration options
+   could cause regressions so two new Context configuration options
(mapperContextRootRedirectEnabled and
mapperDirectoryRedirectEnabled) were introduced. The 
initial
default was false for both since this was more secure. 

Modified: tomcat/site/trunk/docs/security-8.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1731632&r1=1731631&r2=1731632&view=diff
==
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Mon Feb 22 12:30:11 2016
@@ -465,7 +465,7 @@
 The solution was to implement the redirect in the DefaultServlet so that
any security constraints and/or security enforcing Filters were 
processed
before the redirect. The Tomcat team recognised that moving the redirect
-   could cause regressions to two new Context configuration options
+   could cause regressions so two new Context configuration options
(mapperContextRootRedirectEnabled and
mapperDirectoryRedirectEnabled) were introduced. The 
initial
default was false for both since this was more secure. 

Modified: tomcat/site/trunk/docs/security-9.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1731632&r1=1731631&r2=1731632&view=diff
==
--- tomcat/site/trunk/docs/security-9.html (original)
+++ tomcat/site/trunk/docs/security-9.html Mon Feb 22 12:30:11 2016
@@ -324,7 +324,7 @@
 The solution was to implement the redirect in the DefaultServlet so that
any security constraints and/or security enforcing Filters were 
processed
before the redirect. The Tomcat team recognised that moving the redirect
-   could cause regressions to two new Context configuration options
+   could cause regressions so two new Context configuration options
(mapperContextRootRedirectEnabled and
mapperDirectoryRedirectEnabled) were introduced. The 
initial
default was false for both since this was more secure. 

Modified: tomcat/site/trunk/xdocs/security-6.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1731632&r1=1731631&r2=1731632&view=diff
==
--- tomcat/site/trunk/xdocs/security-6.xml (original)
+++ tomcat/site/trunk/xdocs/security-6.xml Mon Feb 22 12:30:11 2016
@@ -87,7 +87,7 @@
 The solution was to implement the redirect in the DefaultServlet so that
any security constraints and/or security enforcing Filters were 
processed
before the redirect. The Tomcat team recognised that moving the redirect
-   could cause regressions to two new Context configuration options
+   could cause regressions so two new Context 

svn propchange: r1725931 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1725931
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:19:25 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:19:25 2016
@@ -1 +1,2 @@
 Protect initialization of ResourceLinkFactory when running with a 
SecurityManager.
+This is the fix for CVE-2016-0763


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



svn propchange: r1727182 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1727182
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:18:21 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:18:21 2016
@@ -1,2 +1,3 @@
 When using the new sessionAttributeValueClassNameFilter, apply the filter 
earlier rather than loading the class and then deciding to filter it out.
 When a SecurityManager is used, enable filtering by default.
+This is part 2 of 2 of the fix for CVE-2016-0714



svn propchange: r1725929 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1725929
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:19:12 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:19:12 2016
@@ -1 +1,2 @@
 Protect initialization of ResourceLinkFactory when running with a 
SecurityManager.
+This is the fix for CVE-2016-0763



svn propchange: r1727034 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1727034
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:17:33 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:17:33 2016
@@ -1,2 +1,3 @@
 When using the new sessionAttributeValueClassNameFilter, apply the filter 
earlier rather than loading the class and then deciding to filter it out.
 When a SecurityManager is used, enable filtering by default.
+This is part 1 of 2 of the fix for CVE-2016-0714



svn propchange: r1725914 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1725914
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:16:23 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:16:23 2016
@@ -1,2 +1,3 @@
 When using the new sessionAttributeValueClassNameFilter, apply the filter 
earlier rather than loading the class and then deciding to filter it out.
 When a SecurityManager is used, enable filtering by default.
+This is part 2 of 2 of the fix for CVE-2016-0714



svn propchange: r1727034 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1727034
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:17:47 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:17:47 2016
@@ -1,3 +1,3 @@
 When using the new sessionAttributeValueClassNameFilter, apply the filter 
earlier rather than loading the class and then deciding to filter it out.
 When a SecurityManager is used, enable filtering by default.
-This is part 1 of 2 of the fix for CVE-2016-0714
+This is part 2 of 2 of the fix for CVE-2016-0714



svn propchange: r1726923 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1726923
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:17:12 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:17:12 2016
@@ -2,3 +2,4 @@ Expand the session attribute filtering o
 - new option to filter based on implementation class of value
 - new option to log a warning message if an attribute is filtered out
 - always log a message at at least debug level if an attribute is filtered out
+This is part 1 of 2 of the fix for CVE-2016-0714



svn propchange: r1726196 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1726196
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:16:40 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:16:40 2016
@@ -2,3 +2,4 @@ Expand the session attribute filtering o
 - new option to filter based on implementation class of value
 - new option to log a warning message if an attribute is filtered out
 - always log a message at at least debug level if an attribute is filtered out
+This is part 1 of 2 of the fix for CVE-2016-0714



svn propchange: r1725926 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1725926
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:18:56 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:18:56 2016
@@ -1 +1,2 @@
 Protect initialization of ResourceLinkFactory when running with a 
SecurityManager.
+This is the fix for CVE-2016-0763



svn propchange: r1726203 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1726203
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:16:57 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:16:57 2016
@@ -1,2 +1,3 @@
 When using the new sessionAttributeValueClassNameFilter, apply the filter 
earlier rather than loading the class and then deciding to filter it out.
 When a SecurityManager is used, enable filtering by default.
+This is part 2 of 2 of the fix for CVE-2016-0714



svn propchange: r1727166 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1727166
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:18:05 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:18:05 2016
@@ -2,3 +2,4 @@ Expand the session attribute filtering o
 - new option to filter based on implementation class of value
 - new option to log a warning message if an attribute is filtered out
 - always log a message at at least debug level if an attribute is filtered out
+This is part 1 of 2 of the fix for CVE-2016-0714



svn propchange: r1725263 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1725263
Modified property: svn:log

Modified: svn:log at Mon Feb 22 12:16:05 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 12:16:05 2016
@@ -2,3 +2,4 @@ Expand the session attribute filtering o
 - new option to filter based on implementation class of value
 - new option to log a warning message if an attribute is filtered out
 - always log a message at at least debug level if an attribute is filtered out
+This is part 1 of 2 of the fix for CVE-2016-0714



Re: [SECURITY] CVE-2015-5345 Apache Tomcat Directory disclosure

2016-02-22 Thread sebb
On 22 February 2016 at 11:23, Mark Thomas  wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> CVE-2015-5345 Apache Tomcat Directory disclosure
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - - Apache Tomcat 6.0.0 to 6.0.44
> - - Apache Tomcat 7.0.0 to 7.0.66
> - - Apache Tomcat 8.0.0.RC1 to 8.0.29
> - - Apache Tomcat 9.0.0.M1
> - - Earlier, unsupported Tomcat versions may be affected
>
> Description:
> When accessing a directory protected by a security constraint with a URL
> that did not end in a slash, Tomcat would redirect to the URL with the
> trailing slash thereby confirming the presence of the directory before
> processing the security constraint. It was therefore possible for a user
> to determine if a directory existed or not, even if the user was not
> permitted to view the directory. The issue also occurred at the root of
> a web application in which case the presence of the web application was
> confirmed, even if a user did not have access.
>
> The solution was to implement the redirect in the DefaultServlet so that
> any security constraints and/or security enforcing Filters were
> processed before the redirect. The Tomcat team recognised that moving
> the redirect could cause regressions to two new Context configuration

s/to two/so two/ ?

> options (mapperContextRootRedirectEnabled and
> mapperDirectoryRedirectEnabled) were introduced. The initial default was
> false for both since this was more secure. However, due to regressions
> such as Bug 58765 [1] the default for mapperContextRootRedirectEnabled
> was later changed to true since it was viewed that the regression was
> more serious than the security risk of associated with being able to
> determine if a web application was deployed at a given path.
>
> Mitigation:
> Users of affected versions should apply one of the following mitigations
> - - Upgrade to Apache Tomcat 9.0.0.M3 or later
>   (9.0.0.M2 has the fix but was not released)
> - - Upgrade to Apache Tomcat 8.0.30 or later
> - - Upgrade to Apache Tomcat 7.0.67 or later
> - - Upgrade to Apache Tomcat 6.0.45 or later
>
>
> Credit:
> This issue was discovered by Mark Koek of QCSec.
>
> References:
> [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58765
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html
> [4] http://tomcat.apache.org/security-7.html
> [5] http://tomcat.apache.org/security-6.html
>
> -BEGIN PGP SIGNATURE-
> Version: GnuPG v2
>
> iQIcBAEBCAAGBQJWyu+lAAoJEBDAHFovYFnnFrYP+wZwqPsP6vtAn4VrIslTxrkO
> A31WCsXwnvggSIBLdITCwpJFywqPfpurFhce38Chgznli9E46Pr6dukTC56NhjmB
> Cv7+PTdpJxM3vKFw+OlLrfIrxEFtHbYOTI6q7NgjfVjdbG9LbVgG3JRTmf3tT+GN
> DU165VK7TxvBj68ll05gLECgAtrGFAEQl+51VlfWRZw8wXGFni2X43kEwUpihgHj
> Ci4W1+sBUln0ww+aKa6sRpJTi/s3tKPWckjMY//bDIMfd4gdK7N6CJSrRMbj6Gsw
> gfm1ixWlJJPKVvokH08NKvxcpwvRX4D1RD80WkaCrC7WMKzK8ohmhxxhIDXHmPE8
> kibaJuy1WqQG+G/H00LTGpGkeevyg4/mH2hDxDbDJ5ye1RMA9GsKFC1YpDzugTxO
> zr9lX9QRWpPNEJDXSipdjs27p8hcF+vgwI5eVd5R721wpv17IEg0Lsy4zvvswFik
> t3rIj6wwVYHFoMNpwA/sojaRTGb62nqGREYiGMX4fPPd2OCtl1J4I8oZ3x4Q2gkJ
> WRX98z6a04zMisiGNeTjl7ZkgEjNNW8/XG4J5sFmgSo5p2XwBCINLyWfnYiQporj
> Ym0Ig9k8t5BHntgkP02a+CF9GScdkxNq8UC8Ad2oAHBqOEXd/9DHv80fA7ApvG7e
> HnSzWGDdd63z0ixY0g2I
> =6UrH
> -END PGP SIGNATURE-


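Sebb's one-word correction aside, the substance of the quoted advisory is an ordering argument: a redirect issued by the Mapper before the security constraint runs is itself an answer, so an unauthenticated client can tell a protected directory that exists from one that does not. The following Python model is an added example, not Tomcat code and not part of the advisory or of sebb's reply; the web application layout, the `/app/admin` constraint, the `manager` role and the function names `mapper_redirect_first`, `constraint_first` and `existence_oracle` are all constructed for illustration. `mapper_directory_redirect_enabled` stands in for the Context option of that name that restores the old behaviour.

```python
"""Model of the CVE-2015-5345 ordering problem (constructed example, not Tomcat code)."""
from dataclasses import dataclass
from typing import Callable, Optional, Set


@dataclass(frozen=True)
class Response:
    status: int
    location: Optional[str] = None


# Constructed deployment (assumption, not a real Tomcat layout): a web application
# at /app with a directory that exists under a security constraint covering /app/admin/*.
DIRECTORIES = {"/app/", "/app/admin/", "/app/public/"}
CONSTRAINTS = {"/app/admin": {"manager"}}  # URL prefix -> roles allowed to reach it


def is_directory(path: str) -> bool:
    return path in DIRECTORIES


def constraint_for(path: str) -> Optional[Set[str]]:
    """Roles a constraint requires for this path, or None when the path is unconstrained.
    A prefix constraint on /app/admin covers /app/admin itself and everything below it."""
    for prefix, roles in CONSTRAINTS.items():
        if path == prefix or path.startswith(prefix + "/"):
            return roles
    return None


def authorised(path: str, roles: Set[str]) -> bool:
    required = constraint_for(path)
    return required is None or bool(roles & required)


def serve(path: str) -> Response:
    """What the DefaultServlet answers once mapping and authorisation are done."""
    return Response(200) if is_directory(path) else Response(404)


def mapper_redirect_first(path: str, roles: Set[str]) -> Response:
    """Affected order: the Mapper appends the trailing slash and redirects before any
    security constraint is evaluated, so the 302 alone confirms the directory exists."""
    if not path.endswith("/") and is_directory(path + "/"):
        return Response(302, location=path + "/")
    if not authorised(path, roles):
        return Response(401)
    return serve(path)


def constraint_first(path: str, roles: Set[str],
                     mapper_directory_redirect_enabled: bool = False) -> Response:
    """Fixed order (what moving the redirect into the DefaultServlet achieves): the
    constraint runs first, so an unauthenticated client gets 401 whether or not the
    directory exists. The flag restores the old Mapper redirect for compatibility and,
    with it, the existence oracle; that is the trade-off the advisory describes."""
    if mapper_directory_redirect_enabled:
        return mapper_redirect_first(path, roles)
    if not authorised(path, roles):
        return Response(401)
    if not path.endswith("/") and is_directory(path + "/"):
        return Response(302, location=path + "/")
    return serve(path)


def existence_oracle(handler: Callable[..., Response], existing: str, missing: str) -> bool:
    """True when an unauthenticated client receives different answers for an existing
    directory and a non-existent path that sit under the same security constraint."""
    return handler(existing, set()) != handler(missing, set())


if __name__ == "__main__":
    for name, handler in (("mapper first", mapper_redirect_first),
                          ("constraint first", constraint_first)):
        leaks = existence_oracle(handler, "/app/admin", "/app/admin/archive")
        print(f"{name:17s} unauthenticated oracle reveals directory: {leaks}")
```

`existence_oracle` compares what an unauthenticated client receives for an existing protected directory and for a non-existent path under the same constraint: the old order answers 302 versus 401, the fixed order 401 for both. An authorised client still gets the trailing-slash redirect from `constraint_first`, which is why the fix does not change behaviour for users who are allowed in, only for those who are not.
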
svn commit: r1731628 - in /tomcat/site/trunk: docs/security-7.html xdocs/security-7.xml

2016-02-22 Thread markt
Author: markt
Date: Mon Feb 22 12:11:07 2016
New Revision: 1731628

URL: http://svn.apache.org/viewvc?rev=1731628=rev
Log:
Correction. The regressions in the original fix for CVE-2015-5345 were not 
addressed until 7.0.68

Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1731628=1731627=1731628=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Mon Feb 22 12:11:07 2016
@@ -356,6 +356,48 @@
 
 
 
+Low: Directory disclosure
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345; 
rel="nofollow">CVE-2015-5345
+
+
+
+When accessing a directory protected by a security constraint with a URL
+   that did not end in a slash, Tomcat would redirect to the URL with the
+   trailing slash thereby confirming the presence of the directory before
+   processing the security constraint. It was therefore possible for a user
+   to determine if a directory existed or not, even if the user was not
+   permitted to view the directory. The issue also occurred at the root of 
a
+   web application in which case the presence of the web application was
+   confirmed, even if a user did not have access.
+
+
+The solution was to implement the redirect in the DefaultServlet so that
+   any security constraints and/or security enforcing Filters were 
processed
+   before the redirect. The Tomcat team recognised that moving the redirect
+   could cause regressions to two new Context configuration options
+   (mapperContextRootRedirectEnabled and
+   mapperDirectoryRedirectEnabled) were introduced. The 
initial
+   default was false for both since this was more secure. 
+   However, due to regressions such as
+   https://bz.apache.org/bugzilla/show_bug.cgi?id=58765;>Bug
+   58765 the default for mapperContextRootRedirectEnabled
+   was later changed to true since it was viewed that the regression was
+   more serious than the security risk of associated with being able to
+   determine if a web application was deployed at a given path.
+
+
+This was fixed in revisions http://svn.apache.org/viewvc?view=revrev=1715213;>1715213 and
+   http://svn.apache.org/viewvc?view=revrev=1717212;>1717212.
+
+
+This issue was identified by Mark Koek of QCSec on 12 October 2015 and
+made public on 22 February 2016.
+
+
+Affects: 7.0.0 to 7.0.67
+
+
+
 Low: CSRF token leak
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5351; 
rel="nofollow">CVE-2015-5351
 
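
Review bot: the paragraph re-added in this hunk still carries the two wording slips of the original entry: "could cause regressions to two new Context configuration options" should read "so two new", as corrected for security-6 in r1731632 earlier in this digest, and "the security risk of associated with being able to" has a stray "of". Since the block is being moved anyway, fix both here and in the matching xdocs/security-7.xml source so the generated HTML stays in sync. The "Affects: 7.0.0 to 7.0.67" line correctly reflects the commit log's point that the regressions were not addressed until 7.0.68.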
@@ -461,48 +503,6 @@
 10 December 2015 Fixed in Apache Tomcat 
7.0.67
 
   
-
-
-Low: Directory disclosure
-   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345; 
rel="nofollow">CVE-2015-5345
-
-
-
-When accessing a directory protected by a security constraint with a URL
-   that did not end in a slash, Tomcat would redirect to the URL with the
-   trailing slash thereby confirming the presence of the directory before
-   processing the security constraint. It was therefore possible for a user
-   to determine if a directory existed or not, even if the user was not
-   permitted to view the directory. The issue also occurred at the root of 
a
-   web application in which case the presence of the web application was
-   confirmed, even if a user did not have access.
-
-
-The solution was to implement the redirect in the DefaultServlet so that
-   any security constraints and/or security enforcing Filters were 
processed
-   before the redirect. The Tomcat team recognised that moving the redirect
-   could cause regressions to two new Context configuration options
-   (mapperContextRootRedirectEnabled and
-   mapperDirectoryRedirectEnabled) were introduced. The 
initial
-   default was false for both since this was more secure. 
-   However, due to regressions such as
-   https://bz.apache.org/bugzilla/show_bug.cgi?id=58765;>Bug
-   58765 the default for mapperContextRootRedirectEnabled
-   was later changed to true since it was viewed that the regression was
-   more serious than the security risk of associated with being able to
-   determine if a web application was deployed at a given path.
-
-
-This was fixed in revisions http://svn.apache.org/viewvc?view=revrev=1715213;>1715213 and
-   http://svn.apache.org/viewvc?view=revrev=1717212;>1717212.
-
-
-This issue was identified by Mark Koek of QCSec on 12 October 2015 and
-made public on 22 February 2016.
-
-
-Affects: 7.0.0 to 7.0.66
-
   
 
 Note: The issue below was fixed in Apache Tomcat 7.0.66 but the

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: 

svn propchange: r1720652 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1720652
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:56:45 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:56:45 2016
@@ -1 +1,2 @@
 Don't create session unnecessarily in the Manager application.
+This is part 1 of 2 of the fix for CVE-2015-5351



svn propchange: r1722800 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1722800
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:59:16 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:59:16 2016
@@ -1 +1,2 @@
 Add the StatusManagerServlet to the list of Servlets that can only be loaded 
by privileged applications.
+This is the fix for CVE-2016-0706



svn propchange: r1722802 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1722802
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:59:41 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:59:41 2016
@@ -1 +1,2 @@
 Add the StatusManagerServlet to the list of Servlets that can only be loaded 
by privileged applications.
+This is the fix for CVE-2016-0706



svn propchange: r1722801 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1722801
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:59:27 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:59:27 2016
@@ -1 +1,2 @@
 Add the StatusManagerServlet to the list of Servlets that can only be loaded 
by privileged applications.
+This is the fix for CVE-2016-0706



svn propchange: r1720663 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1720663
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:57:56 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:57:56 2016
@@ -1 +1,2 @@
 Don't create sessions unnecessarily in the Host Manager application.
+This is part 2 of 2 of the fix for CVE-2015-5351



svn propchange: r1722799 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1722799
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:59:03 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:59:03 2016
@@ -1 +1,2 @@
 Add the StatusManagerServlet to the list of Servlets that can only be loaded 
by privileged applications.
+This is the fix for CVE-2016-0706



svn propchange: r1720661 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1720661
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:57:44 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:57:44 2016
@@ -1 +1,2 @@
 Don't create sessions unnecessarily in the Manager application.
+This is part 1 of 2 of the fix for CVE-2015-5351



svn propchange: r1720655 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1720655
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:57:00 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:57:00 2016
@@ -1 +1,2 @@
-Don't create session unnecessarily in the Host Manager application.
+Don't create session unnecessarily in the Host Manager application
+This is part 2 of 2 of the fix for CVE-2015-5351
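
Review bot: the rewritten first line drops the full stop that the original had ("...Host Manager application." became "...Host Manager application"), which looks unintentional; the other annotations of the same change, r1720652 and r1720663, leave the original line untouched and only append the CVE line, so this one should too.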



[Bug 58486] JreMemoryLeakPreventionListener: initialize two further JRE classes

2016-02-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58486

--- Comment #5 from Luke Woodward  ---
I have a bug number for the report now: JDK-8146961.

-- 
You are receiving this mail because:
You are the assignee for the bug.


svn propchange: r1713184 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1713184
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:52:44 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:52:44 2016
@@ -1 +1,2 @@
 Handle the unlikely case where different versions of a web application are 
deployed with different session settings
+This is part 1 of 2 of the fix for CVE-2015-5346



svn propchange: r1720658 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1720658
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:57:14 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:57:14 2016
@@ -1 +1,2 @@
 Don't create sessions unnecessarily in the Manager application.
+This is part 1 of 2 of the fix for CVE-2015-5351



svn propchange: r1713187 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1713187
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:53:56 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:53:56 2016
@@ -1 +1,2 @@
 Handle the unlikely case where different versions of a web application are 
deployed with different session settings
+This is the fix for CVE-2015-5346
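
Review bot: this log is annotated "This is the fix for CVE-2015-5346", while the equivalent commits r1713184 and r1713185 are annotated "part 1 of 2" and r1723414 and r1723506 "part 2 of 2". If this branch only needed the one commit the wording is right; otherwise it should say "part 1 of 2" for consistency, so that anyone tracing the CVE knows to look for the cookie-recycling follow-up.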



svn propchange: r1720660 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1720660
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:57:28 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:57:28 2016
@@ -1 +1,2 @@
 Don't create sessions unnecessarily in the Host Manager application.
+This is part 2 of 2 of the fix for CVE-2015-5351



svn propchange: r1713185 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1713185
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:53:20 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:53:20 2016
@@ -1 +1,2 @@
 Handle the unlikely case where different versions of a web application are 
deployed with different session settings
+This is part 1 of 2 of the fix for CVE-2015-5346



svn propchange: r1723414 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1723414
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:53:03 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:53:03 2016
@@ -1,2 +1,3 @@
 Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58809
 Correctly recycle the cookies when mapping requests for parallel deployment
+This is part 2 of 2 of the fix for CVE-2015-5346



svn propchange: r1723506 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1723506
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:53:36 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:53:36 2016
@@ -1,2 +1,3 @@
 Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58809
 Correctly recycle the cookies when mapping requests for parallel deployment
+This is part 2 of 2 of the fix for CVE-2015-5346



svn propchange: r1717216 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1717216
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:46:34 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:46:34 2016
@@ -3,3 +3,4 @@ With mapperContextRootRedirectEnabled st
 - Ensure the Mapper does not add the '/' handling the redirect
 - Handle the redirect in the DefaultServlet
 - Add a redirect to FORM auth if auth is occurring at the context root else 
the login page could be submitted to the wrong web application
+This is part 2 of 2 of the fix for CVE-2015-5345



svn propchange: r1715216 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1715216
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:46:18 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:46:18 2016
@@ -1 +1,2 @@
 Move the functionality that provides redirects for context roots and 
directories where a trailing / is added from the Mapper to the 
DefaultServlet. This enables such requests to be processed by any configured 
Valves and Filters before the redirect is made. This behaviour is configurable 
via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled 
attributes of the Context which may be used to restore the previous behaviour.
+This is part 1 of 2 of the fix for CVE-2015-5345



svn propchange: r1717212 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1717212
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:46:02 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:46:02 2016
@@ -3,3 +3,4 @@ With mapperContextRootRedirectEnabled st
 - Ensure the Mapper does not add the '/' handling the redirect
 - Handle the redirect in the DefaultServlet
 - Add a redirect to FORM auth if auth is occurring at the context root else 
the login page could be submitted to the wrong web application
+This is part 2 of 2 of the fix for CVE-2015-5345



svn propchange: r1715213 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1715213
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:45:32 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:45:32 2016
@@ -1 +1,2 @@
 Move the functionality that provides redirects for context roots and 
directories where a trailing / is added from the Mapper to the 
DefaultServlet. This enables such requests to be processed by any configured 
Valves and Filters before the redirect is made. This behaviour is configurable 
via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled 
attributes of the Context which may be used to restore the previous behaviour.
+This is part 1 of 2 of the fix for CVE-2015-5345



svn propchange: r1717209 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1717209
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:45:04 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:45:04 2016
@@ -3,3 +3,4 @@ With mapperContextRootRedirectEnabled st
 - Ensure the Mapper does not add the '/' handling the redirect
 - Handle the redirect in the DefaultServlet
 - Add a redirect to FORM auth if auth is occurring at the context root else 
the login page could be submitted to the wrong web application
+This is part 2 of 2 of the fix for CVE-2015-5345



svn propchange: r1716894 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1716894
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:43:59 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:43:59 2016
@@ -1,2 +1,3 @@
 Additional fix for BZ 58660
 When Mapper root redirect is enabled, ensure '/' is added to path for redirect
+This is part 3 of 3 of the fix for CVE-2015-5345



svn propchange: r1716882 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1716882
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:43:40 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:43:40 2016
@@ -3,3 +3,4 @@ With mapperContextRootRedirectEnabled st
 - Ensure the Mapper does not add the '/'
 - Handle the redirect in the DefaultServlet
 - Add a redirect to FORM auth if auth is occurring at the context root else 
the login page could be submitted to the wrong web application
+This is part 2 of 3 of the fix for CVE-2015-5345



svn propchange: r1715207 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1715207
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:44:21 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:44:21 2016
@@ -1 +1,2 @@
 Move the functionality that provides redirects for context roots and 
directories where a trailing / is added from the Mapper to the 
DefaultServlet. This enables such requests to be processed by any configured 
Valves and Filters before the redirect is made. This behaviour is configurable 
via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled 
attributes of the Context which may be used to restore the previous behaviour.
+This is part 1 of 2 of the fix for CVE-2015-5345



svn propchange: r1715206 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1715206
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:43:22 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:43:22 2016
@@ -1 +1,2 @@
 Move the functionality that provides redirects for context roots and 
directories where a trailing / is added from the Mapper to the 
DefaultServlet. This enables such requests to be processed by any configured 
Valves and Filters before the redirect is made. This behaviour is configurable 
via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled 
attributes of the Context which may be used to restore the previous behaviour.
+This is part 1 of 3 of the fix for CVE-2015-5345



svn propchange: r1700900 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1700900
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:41:11 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:41:11 2016
@@ -1 +1 @@
-Update proposal
+This is the fix for CVE-2015-5174
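
Review bot: unlike every other propchange in this batch, this one replaces the existing log message ("Update proposal") instead of appending to it, so the original description of r1700900 is lost from the log; keep the first line and add the CVE line beneath it. The related revisions r1696280, r1696281 and r1696284 are labelled "part 1 of 2" and r1700896, r1700897 and r1700898 "part 2 of 2", whereas this one says "the fix", so the part numbering should be aligned as well.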



svn propchange: r1696281 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1696281
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:39:48 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:39:48 2016
@@ -1,3 +1,4 @@
 Fix Javadoc
 Separate test cases into separate test methods and add some additional tests.
 Clean up the code and fix a couple of edge cases
+This is part 1 of 2 of the fix for CVE-2015-5174



svn propchange: r1700897 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1700897
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:40:06 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:40:06 2016
@@ -1 +1,2 @@
 More normalization edge cases
+This is part 2 of 2 of the fix for CVE-2015-5174



svn propchange: r1700898 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1700898
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:40:42 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:40:42 2016
@@ -1 +1,2 @@
 More normalization edge cases
+This is part 2 of 2 of the fix for CVE-2015-5174



svn propchange: r1696284 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1696284
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:40:24 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:40:24 2016
@@ -1,3 +1,4 @@
 Fix Javadoc
 Separate test cases into separate test methods and add some additional tests.
 Clean up the code and fix a couple of edge cases
+This is part 1 of 2 of the fix for CVE-2015-5174





svn propchange: r1700896 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1700896
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:39:25 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:39:25 2016
@@ -1 +1,2 @@
 More normalization edge cases
+This is part 2 of 2 of the fix for CVE-2015-5174





svn propchange: r1696280 - svn:log

2016-02-22 Thread markt
Author: markt
Revision: 1696280
Modified property: svn:log

Modified: svn:log at Mon Feb 22 11:39:06 2016
--
--- svn:log (original)
+++ svn:log Mon Feb 22 11:39:06 2016
@@ -1,3 +1,4 @@
 Fix Javadoc
 Separate test cases into separate test methods and add some additional tests.
 Clean up the code and fix a couple of edge cases
+This is part 1 of 2 of the fix for CVE-2015-5174





[SECURITY] CVE-2015-5346 Apache Tomcat Session fixation

2016-02-22 Thread Mark Thomas

CVE-2015-5346 Apache Tomcat Session fixation

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 7.0.5 to 7.0.65
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1

Description:
When recycling the Request object to use for a new request, the
requestedSessionSSL field was not recycled. This meant that a session ID
provided in the next request to be processed using the recycled Request
object could be used when it should not have been. This gave the client
the ability to control the session ID. In theory, this could have been
used as part of a session fixation attack but it would have been hard to
achieve as the attacker would not have been able to force the victim to
use the 'correct' Request object. It was also necessary for at least one
web application to be configured to use the SSL session ID as the HTTP
session ID. This is not a common configuration.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.30 or later
- Upgrade to Apache Tomcat 7.0.67 or later
  (7.0.66 has the fix but was not released)


Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html






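
The advisory above describes a classic object-pool bug: one field of the recycled Request survived into the next request. The following Python model is an added example, not Tomcat code; PooledRequest and the "honour the ID only when it came from the TLS session" policy are constructed stand-ins for Catalina's Request and its requestedSessionSSL handling. The last function is the generic unit-test check a practitioner would add to catch any field that recycle() forgets, which is the general form of the bug the advisory reports.

```python
"""Added model of CVE-2015-5346: a pooled request object whose recycle()
forgets one field lets state from a previous client's request survive into
the next one. Not Tomcat code; see the lead-in for what is assumed."""


class PooledRequest:
    """Stand-in for a recycled Request object (constructed for this example)."""

    def __init__(self):
        self.uri = None
        self.requested_session_id = None
        # Set when the session ID was derived from the TLS session rather than
        # supplied by the client. This is the field the advisory says was not
        # reset on recycle.
        self.requested_session_ssl = False

    def parse(self, uri, session_id, from_ssl_session=False):
        self.uri = uri
        self.requested_session_id = session_id
        if from_ssl_session:
            self.requested_session_ssl = True

    def recycle_buggy(self):
        """Vulnerable recycle: requested_session_ssl is never cleared."""
        self.uri = None
        self.requested_session_id = None

    def recycle_fixed(self):
        """Corrected recycle: every per-request field returns to its initial value."""
        self.uri = None
        self.requested_session_id = None
        self.requested_session_ssl = False


def accepted_session_id(req):
    """Simplified policy (an assumption, not Tomcat's exact logic): an ID is only
    honoured when the request believes it came from the TLS session."""
    return req.requested_session_id if req.requested_session_ssl else None


def simulate(recycle_name):
    """Two requests through one pooled object; returns the ID the second
    (client-supplied) request gets away with."""
    req = PooledRequest()
    req.parse("/app/first", "tls-derived-id", from_ssl_session=True)
    getattr(req, recycle_name)()
    # Next client on the same pooled object sends an ID of its own choosing.
    req.parse("/app/second", "attacker-chosen-id")
    return accepted_session_id(req)


def fields_not_recycled(populated, recycle):
    """Generic pool-hygiene check for unit tests: after recycle(), every instance
    attribute must equal the value a freshly constructed object has. Returns the
    names of attributes that still differ."""
    recycle(populated)
    fresh_state = vars(type(populated)())
    return {name for name, value in vars(populated).items()
            if value != fresh_state.get(name)}


if __name__ == "__main__":
    print("buggy recycle accepts:", simulate("recycle_buggy"))   # attacker-chosen-id
    print("fixed recycle accepts:", simulate("recycle_fixed"))   # None
```

fields_not_recycled() compares the recycled instance against a brand-new one attribute by attribute, so it flags a forgotten field without anyone having to remember to list it; in a test suite it is the check that would have caught this before release.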



[SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass

2016-02-22 Thread Mark Thomas

CVE-2016-0763 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1 to 9.0.0.M2

Description:
ResourceLinkFactory.setGlobalContext() is a public method and was
accessible by web applications running under a security manager
without any checks. This allowed a malicious web application to inject
a malicious global context that could in turn be used to disrupt other
web applications and/or read and write data owned by other web
applications.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later
- Upgrade to Apache Tomcat 8.0.32 or later
  (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html




[SECURITY] CVE-2015-5351 Apache Tomcat CSRF token leak

2016-02-22 Thread Mark Thomas

CVE-2015-5351 Apache Tomcat CSRF token leak

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 7.0.1 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.31
- Apache Tomcat 9.0.0.M1

Description:
The index page of the Manager and Host Manager applications included a
valid CSRF token when issuing a redirect as a result of an
unauthenticated request to the root of the web application. This token
could then be used by an attacker to construct a CSRF attack.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.32 or later
  (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later

Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html







[SECURITY] CVE-2016-0706 Apache Tomcat Security Manager bypass

2016-02-22 Thread Mark Thomas

CVE-2016-0706 Apache Tomcat Security Manager bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1
- Earlier, unsupported Tomcat versions may be affected

Description:
The StatusManagerServlet could be loaded by a web application when a
security manager was configured. This servlet would then provide the web
application with a list of all deployed applications and a list of the
HTTP request lines for all requests currently being processed. This
could have exposed sensitive information from other web applications
such as session IDs to the web application.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.32 or later
  (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html




svn commit: r1731626 - in /tomcat/site/trunk: docs/index.html docs/security-6.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-6.xml xdocs/security-7.xml xdocs/securi

2016-02-22 Thread markt
Author: markt
Date: Mon Feb 22 11:21:42 2016
New Revision: 1731626

URL: http://svn.apache.org/viewvc?rev=1731626&view=rev
Log:
Announcements for 7 CVEs

Modified:
tomcat/site/trunk/docs/index.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/index.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/index.html?rev=1731626&r1=1731625&r2=1731626&view=diff
==
--- tomcat/site/trunk/docs/index.html (original)
+++ tomcat/site/trunk/docs/index.html Mon Feb 22 11:21:42 2016
@@ -254,7 +254,8 @@ include:
 
 
 Restore the default for mapperContextRootRedirectEnabled to
-true
+true
+
 
 Expand session attribute filtering on load/unload to all managers
 

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1731626&r1=1731625&r2=1731626&view=diff
==
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Mon Feb 22 11:21:42 2016
@@ -215,6 +215,9 @@
 Apache Tomcat 6.x 
vulnerabilities
 
 
+Fixed in Apache Tomcat 6.0.45
+
+
 Fixed in Apache Tomcat 6.0.44
 
 
@@ -324,6 +327,137 @@
 
   
 
+
+11 February 2016 Fixed in Apache Tomcat 
6.0.45
+
+
+
+
+Low: Limited directory traversal
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5174; 
rel="nofollow">CVE-2015-5174
+
+
+
+When accessing resources via the ServletContext methods
+   getResource() getResourceAsStream() and
+   getResourcePaths() the paths should be limited to the
+   current web application. The validation was not correct and paths of the
+   form "/.." were not rejected. Note that paths starting with
+   "/../" were correctly rejected. This bug allowed malicious
+   web applications running under a security manager to obtain a directory
+   listing for the directory in which the web application had been 
deployed.
+   This should not be possible when running under a security manager.
+   Typically, the directory listing that would be exposed would be for
+   $CATALINA_BASE/webapps.
+
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=revrev=1700900;>1700900.
+
+
+This issue was identified by the Tomcat security team on 12 August 2015
+   and made public on 22 February 2016.
+
+
+Affects: 6.0.0 to 6.0.44
+  
+
+
+Low: Directory disclosure
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5345; 
rel="nofollow">CVE-2015-5345
+
+
+
+When accessing a directory protected by a security constraint with a URL
+   that did not end in a slash, Tomcat would redirect to the URL with the
+   trailing slash thereby confirming the presence of the directory before
+   processing the security constraint. It was therefore possible for a user
+   to determine if a directory existed or not, even if the user was not
+   permitted to view the directory. The issue also occurred at the root of 
a
+   web application in which case the presence of the web application was
+   confirmed, even if a user did not have access.
+
+
+The solution was to implement the redirect in the DefaultServlet so that
+   any security constraints and/or security enforcing Filters were 
processed
+   before the redirect. The Tomcat team recognised that moving the redirect
+   could cause regressions to two new Context configuration options
+   (mapperContextRootRedirectEnabled and
+   mapperDirectoryRedirectEnabled) were introduced. The 
initial
+   default was false for both since this was more secure. 
+   However, due to regressions such as
+   https://bz.apache.org/bugzilla/show_bug.cgi?id=58765;>Bug
+   58765 the default for mapperContextRootRedirectEnabled
+   was later changed to true since it was viewed that the regression was
+   more serious than the security risk of associated with being able to
+   determine if a web application was deployed at a given path.
+
+
+This was fixed in revisions http://svn.apache.org/viewvc?view=revrev=1715216;>1715216 and
+   http://svn.apache.org/viewvc?view=revrev=1717216;>1717216.
+
+
+This issue was identified by Mark Koek of QCSec on 12 October 2015 and
+   made public on 22 February 2016.
+
+
+Affects: 6.0.0 to 6.0.44
+  
+
+
+Low: Security Manager bypass
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0706; 
rel="nofollow">CVE-2016-0706
+
+
+
+The StatusManagerServlet could be loaded by a web application when a
+   security manager was 
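
Review bot: the CVE-2015-5345 paragraph in this hunk has a broken sentence: "The Tomcat team recognised that moving the redirect could cause regressions to two new Context configuration options (mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled) were introduced" is missing its conjunction and reads as if the regressions affect the options. Suggest "could cause regressions, so two new Context configuration options (...) were introduced". A few lines later, "the security risk of associated with" should be "the security risk associated with". The same wording appears in the CVE-2015-5345 announcement e-mail in this thread, so fix the xdocs source for every branch listed in this commit rather than only the rendered security-6.html.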

[SECURITY] CVE-2016-0714 Apache Tomcat Security Manager Bypass

2016-02-22 Thread Mark Thomas

CVE-2016-0714 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1
- Earlier, unsupported Tomcat versions may be affected

Description:
Tomcat provides several session persistence mechanisms. The
StandardManager persists session over a restart. The PersistentManager
is able to persist sessions to files, a database or a custom Store. The
Cluster implementation persists sessions to one or more additional nodes
in the cluster. All of these mechanisms could be exploited to bypass a
security manager. Session persistence is performed by Tomcat code with
the permissions assigned to Tomcat internal code. By placing a carefully
crafted object into a session, a malicious web application could trigger
the execution of arbitrary code.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.32 or later
  (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html


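
The advisory above is a deserialization problem: persistence code with container privileges reconstructs whatever objects a web application put into the session. The release notes in this thread mention "session attribute filtering on load/unload" as the corresponding change, and Tomcat's Manager exposes that as the sessionAttributeValueClassNameFilter regex (check your version's Manager documentation for the exact default). The block below is an added example, not Tomcat code: it uses Python's pickle in place of Java serialization and a constructed Gadget class in place of a "carefully crafted object", and shows both guards a practitioner wants, an allowlist applied before persisting and a restricted loader that refuses to rebuild anything outside the allowlist.

```python
"""Added model of the CVE-2016-0714 mitigation: filter what goes into session
persistence before it is written, and refuse to reconstruct anything outside an
allowlist when it is read back. Not Tomcat code; pickle stands in for Java
serialization and Gadget for a crafted object."""
import io
import pickle
import re


class Gadget:
    """Constructed payload: reconstructing it runs an expression with the
    loader's privileges. Here it only evaluates a harmless string."""

    def __reduce__(self):
        return (eval, ("'ran:' + __import__('os').name",))


def sample_session():
    """Constructed session: two benign attributes and one gadget."""
    return {"user": "alice", "visits": 3, "profile": Gadget()}


def class_name(value):
    t = type(value)
    return f"{t.__module__}.{t.__qualname__}"


def filter_attributes(session, allow):
    """Store-side guard, modelled on Tomcat's sessionAttributeValueClassNameFilter
    (a regex that must fully match the attribute value's class name). Returns
    (kept, dropped). The regex passed in is this example's own allowlist."""
    rx = re.compile(allow)
    kept, dropped = {}, {}
    for name, value in session.items():
        (kept if rx.fullmatch(class_name(value)) else dropped)[name] = value
    return kept, dropped


class RestrictedUnpickler(pickle.Unpickler):
    """Load-side guard: only plain builtin value types may be reconstructed,
    so a reference to eval/exec/os.* in the stream is rejected."""

    SAFE = {"builtins": {"str", "int", "float", "bool", "list", "dict", "tuple", "set"}}

    def find_class(self, module, name):
        if name in self.SAFE.get(module, ()):
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


BENIGN = r"builtins\.(?:str|int|float|bool|list|dict)"   # example allowlist


def persist_and_reload(session, allow=BENIGN):
    """Both guards: returns (reloaded attributes, names dropped before persisting)."""
    kept, dropped = filter_attributes(session, allow)
    blob = pickle.dumps(kept)
    return RestrictedUnpickler(io.BytesIO(blob)).load(), sorted(dropped)


def guarded_reload(session):
    """Load-side guard alone: the gadget is written out but cannot be rebuilt."""
    try:
        return RestrictedUnpickler(io.BytesIO(pickle.dumps(session))).load()
    except pickle.UnpicklingError as err:
        return str(err)


def unsafe_reload(session):
    """No guard: the gadget's expression runs during load."""
    return pickle.loads(pickle.dumps(session))


if __name__ == "__main__":
    print(persist_and_reload(sample_session()))       # ({'user': 'alice', 'visits': 3}, ['profile'])
    print(guarded_reload(sample_session()))            # refusing to load builtins.eval
    print(unsafe_reload(sample_session())["profile"])  # ran:posix on a POSIX host
```

The store-side filter is the cheaper guard and the one Tomcat chose, because it keeps the crafted object out of the file, database or cluster message entirely; the load-side guard matters when the persisted data can be written by someone else (a shared store or another cluster node), which the advisory's Cluster case covers.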



[SECURITY] CVE-2015-5174 Apache Tomcat Limited Directory Traversal

2016-02-22 Thread Mark Thomas

CVE-2015-5174 Apache Tomcat Limited Directory Traversal

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.64
- Apache Tomcat 8.0.0.RC1 to 8.0.26
- Apache Tomcat 9 is not affected
- Earlier, unsupported Tomcat versions may be affected

Description:
When accessing resources via the ServletContext methods getResource()
getResourceAsStream() and getResourcePaths() the paths should be limited
to the current web application. The validation was not correct and paths
of the form "/.." were not rejected. Note that paths starting with
"/../" were correctly rejected.
This bug allowed malicious web applications running under a security
manager to obtain a directory listing for the directory in which the web
application had been deployed. This should not be possible when running
under a security manager. Typically, the directory listing that would be
exposed would be for $CATALINA_BASE/webapps.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 8.0.27 or later
- Upgrade to Apache Tomcat 7.0.65 or later
- Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html









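
The advisory above turns on one missed edge case: a prefix test that rejects "/../" lets the bare "/.." through. The block below is an added example, not Tomcat's Java (the real fix is in the revisions named elsewhere in this thread); it is a Python model of the flawed prefix test beside a segment-by-segment normaliser that rejects every path whose prefix would climb above the web application root, including "/..", "/../" and "/a/../..".

```python
"""Added model of the CVE-2015-5174 check: paths handed to
ServletContext.getResource(), getResourceAsStream() and getResourcePaths() must
stay inside the web application. Not Tomcat's code; a Python model."""


def flawed_is_rejected(path):
    """The check the advisory describes: '/../...' is caught, bare '/..' is not."""
    return path.startswith("/../")


def resolve_within_webapp(path):
    """Normalise '.' and '..' segment by segment. Returns the canonical path
    relative to the web application root, or None when any prefix of the path
    would climb above that root. Expects the already-decoded, forward-slash
    form the ServletContext methods receive; it does not undo percent-encoding."""
    if not path.startswith("/"):
        return None                      # the API requires context-relative absolute paths
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not segments:
                return None              # '/..' or '/a/../..': escapes the root
            segments.pop()
        else:
            segments.append(seg)
    resolved = "/" + "/".join(segments)
    if path.endswith("/") and segments:
        resolved += "/"                  # keep directory form for getResourcePaths()
    return resolved


def classify(paths):
    """For each sample path: what the flawed check said versus what the
    segment walk resolves to (None = rejected)."""
    return {p: (flawed_is_rejected(p), resolve_within_webapp(p)) for p in paths}


if __name__ == "__main__":
    samples = ["/..", "/../", "/WEB-INF/..", "/WEB-INF/../..", "/a/./b/../c/"]
    for p, (rejected_by_prefix, resolved) in classify(samples).items():
        print(f"{p:18} flawed_rejects={rejected_by_prefix!s:5} resolved={resolved}")
```

The lesson generalises beyond this one API: any check written as a string prefix or substring test on ".." will miss a variant (bare "/..", a trailing "..", a ".." after normalisation of "./"), whereas walking the segments and refusing to pop past the root has no such variants to miss.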



[SECURITY] CVE-2015-5345 Apache Tomcat Directory disclosure

2016-02-22 Thread Mark Thomas

CVE-2015-5345 Apache Tomcat Directory disclosure

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 6.0.0 to 6.0.44
- Apache Tomcat 7.0.0 to 7.0.66
- Apache Tomcat 8.0.0.RC1 to 8.0.29
- Apache Tomcat 9.0.0.M1
- Earlier, unsupported Tomcat versions may be affected

Description:
When accessing a directory protected by a security constraint with a URL
that did not end in a slash, Tomcat would redirect to the URL with the
trailing slash thereby confirming the presence of the directory before
processing the security constraint. It was therefore possible for a user
to determine if a directory existed or not, even if the user was not
permitted to view the directory. The issue also occurred at the root of
a web application in which case the presence of the web application was
confirmed, even if a user did not have access.

The solution was to implement the redirect in the DefaultServlet so that
any security constraints and/or security enforcing Filters were
processed before the redirect. The Tomcat team recognised that moving
the redirect could cause regressions, so two new Context configuration
options (mapperContextRootRedirectEnabled and
mapperDirectoryRedirectEnabled) were introduced. The initial default was
false for both since this was more secure. However, due to regressions
such as Bug 58765 [1] the default for mapperContextRootRedirectEnabled
was later changed to true since it was viewed that the regression was
more serious than the security risk associated with being able to
determine if a web application was deployed at a given path.

Mitigation:
Users of affected versions should apply one of the following mitigations
- Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.30 or later
- Upgrade to Apache Tomcat 7.0.67 or later
- Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by Mark Koek of QCSec.

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=58765
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html
[4] http://tomcat.apache.org/security-7.html
[5] http://tomcat.apache.org/security-6.html


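
The advisory above is about ordering: a redirect issued before the security constraint runs becomes an existence oracle for an unauthenticated client. The block below is an added example, not Tomcat code: it models a single context as a three-stage pipeline (Mapper, security constraints, DefaultServlet) and lets you switch between the vulnerable order and the fixed one. The option names mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled come from the advisory; their exact semantics in a real Tomcat are modelled here, not copied, and the directory set and constraint patterns are constructed inputs.

```python
"""Added model of the CVE-2015-5345 ordering bug: the Mapper issued the
trailing-slash redirect before security constraints ran, so the status code
told an unauthenticated client whether a protected directory existed."""
from dataclasses import dataclass


@dataclass
class WebApp:
    """Minimal model of one deployed context (constructed for this example)."""
    context_path: str                          # e.g. "/app"
    directories: frozenset                     # real directories inside the app
    protected_patterns: tuple = ()             # security-constraint url-patterns: "/prefix/*" or "/*"
    mapper_context_root_redirect: bool = True  # models mapperContextRootRedirectEnabled (later default)
    mapper_directory_redirect: bool = False    # models mapperDirectoryRedirectEnabled


def is_protected(app, path):
    """Servlet-style prefix matching: '/private/*' covers '/private' and
    '/private/...'; '/*' covers everything including the context root ('')."""
    for pattern in app.protected_patterns:
        prefix = pattern[:-2] if pattern.endswith("/*") else pattern
        if path == prefix or path.startswith(prefix + "/"):
            return True
    return False


def handle(app, url, authenticated, fixed):
    """Return (status, location) for a GET of url without a trailing slash.
    fixed=False: the Mapper redirects before constraints (vulnerable order).
    fixed=True: constraints run first and the DefaultServlet redirects after,
    unless the matching mapper* option opts back in to the early redirect."""
    if url != app.context_path and not url.startswith(app.context_path + "/"):
        return 404, None                       # no such context
    path = url[len(app.context_path):]         # '' for the context root
    is_dir = path == "" or path in app.directories
    redirect = (302, url + "/")

    # Stage 1: Mapper. Before the fix this always redirected directories.
    if is_dir:
        if not fixed:
            early = True
        elif path == "":
            early = app.mapper_context_root_redirect
        else:
            early = app.mapper_directory_redirect
        if early:
            return redirect
    # Stage 2: security constraints; authentication is enforced here.
    if is_protected(app, path) and not authenticated:
        return 401, None
    # Stage 3: DefaultServlet, which after the fix owns the redirect.
    return redirect if is_dir else (404, None)


def existence_oracle(app, probes, fixed):
    """Status codes an unauthenticated client sees for each probe path."""
    return {p: handle(app, app.context_path + p, False, fixed)[0] for p in probes}


if __name__ == "__main__":
    app = WebApp("/app", frozenset({"/private/admin"}), ("/private/*",))
    probes = ["/private/admin", "/private/nothere"]
    print("vulnerable:", existence_oracle(app, probes, fixed=False))  # 302 vs 401: oracle
    print("fixed:     ", existence_oracle(app, probes, fixed=True))   # 401 vs 401: no oracle
```

Two things the model makes visible. First, the fix does not remove the redirect; an authenticated user still gets 302 to "/app/private/admin/", it just happens after the constraint check. Second, with mapper_context_root_redirect left at the later default of True, an unauthenticated request for "/app" still gets a 302 that confirms the context exists even when "/*" is protected; set the option to False and the same request gets 401, which is the trade-off the advisory describes.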



[Bug 59010] Disabling socketBuffer with "-1" doesn't cause exception on linux

2016-02-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59010

--- Comment #5 from Rashmi  ---
I think the same configuration is used on Linux as well. We are using the same
code sample attached in the first comment on both servers and the jre is also
the same.

-- 
You are receiving this mail because:
You are the assignee for the bug.




[GUMP@vmgump]: Project tomcat-tc7.0.x-test-apr (in module tomcat-7.0.x) failed

2016-02-22 Thread Bill Barker
To whom it may engage...

This is an automated request, but not an unsolicited one. For 
more information please visit http://gump.apache.org/nagged.html, 
and/or contact the folk at gene...@gump.apache.org.

Project tomcat-tc7.0.x-test-apr has an issue affecting its community 
integration.
This issue affects 1 projects,
 and has been outstanding for 2 runs.
The current state of this project is 'Failed', with reason 'Build Failed'.
For reference only, the following projects are affected by this:
- tomcat-tc7.0.x-test-apr :  Tomcat 7.x, a web server implementing Java 
Servlet 3.0,
...


Full details are available at:

http://vmgump.apache.org/gump/public/tomcat-7.0.x/tomcat-tc7.0.x-test-apr/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were 
provided:
 -DEBUG- Dependency on tomcat-tc7.0.x-dbcp exists, no need to add for property 
tomcat-dbcp-src.jar.
 -DEBUG- Dependency on commons-daemon exists, no need to add for property 
commons-daemon.native.src.tgz.
 -DEBUG- Dependency on commons-daemon exists, no need to add for property 
tomcat-native.tar.gz.
 -DEBUG- Dependency on tomcat-tc7.0.x-dbcp exists, no need to add for property 
tomcat-dbcp.home.
 -INFO- Failed with reason build failed
 -INFO- Project Reports in: 
/srv/gump/public/workspace/tomcat-7.0.x/output/logs-APR
 -INFO- Project Reports in: 
/srv/gump/public/workspace/tomcat-7.0.x/output/test-tmp-APR/logs



The following work was performed:
http://vmgump.apache.org/gump/public/tomcat-7.0.x/tomcat-tc7.0.x-test-apr/gump_work/build_tomcat-7.0.x_tomcat-tc7.0.x-test-apr.html
Work Name: build_tomcat-7.0.x_tomcat-tc7.0.x-test-apr (Type: Build)
Work ended in a state of : Failed
Elapsed: 26 mins 19 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true 
-Dbuild.sysclasspath=only org.apache.tools.ant.Main 
-Dgump.merge=/srv/gump/public/gump/work/merge.xml 
-Dcommons-pool.home=/srv/gump/public/workspace/commons-pool-1.x 
-Dtest.temp=output/test-tmp-APR 
-Djunit.jar=/srv/gump/public/workspace/junit/target/junit-4.13-SNAPSHOT.jar 
-Dobjenesis.jar=/srv/gump/public/workspace/objenesis/main/target/objenesis-2.3-SNAPSHOT.jar
 -Dexamples.sources.skip=true 
-Dcommons-daemon.jar=/srv/gump/public/workspace/apache-commons/daemon/dist/commons-daemon-20160222.jar
 
-Dtomcat-dbcp-src.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-src.jar
 -Dtomcat-dbcp.home=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps 
-Dtest.excludePerformance=true 
-Dhamcrest.jar=/srv/gump/packages/hamcrest/hamcrest-core-1.3.jar 
-Dcommons-dbcp.home=/srv/gump/public/workspace/commons-dbcp-1.x 
-Dexecute.test.apr=true -Dexecute.test.bio=false 
-Dcommons-daemon.native.src.tgz=/srv/gump/public/wo
 
rkspace/apache-commons/daemon/dist/bin/commons-daemon-20160222-native-src.tar.gz
 -Dtest.reports=output/logs-APR 
-Dtomcat-native.tar.gz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20160222-native-src.tar.gz
 -Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.5-201506032000/ecj-4.5.jar 
-Dtest.apr.loc=/srv/gump/public/workspace/tomcat-native/dest-20160222/lib 
-Dexecute.test.nio=false -Dtest.accesslog=true 
-Dtomcat-dbcp.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-20160222.jar
 
-Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-3.5-SNAPSHOT.jar
 -Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test 
[Working Directory: /srv/gump/public/workspace/tomcat-7.0.x]
CLASSPATH: 
/usr/lib/jvm/java-8-oracle/lib/tools.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/webapps/examples/WEB-INF/classes:/srv/gump/public/workspace/tomcat-7.0.x/output/testclasses:/srv/gump/public/workspace/ant/dist/lib/ant.jar:/srv/gump/public/workspace/ant/dist/lib/ant-launcher.jar:/srv/gump/public/workspace/ant/dist/lib/ant-jmf.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit4.jar:/srv/gump/public/workspace/ant/dist/lib/ant-swing.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-resolver.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-xalan2.jar:/srv/gump/public/workspace/xml-commons/java/build/resolver.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/bin/bootstrap.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/bin/tomcat-juli.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/annotations-api.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/servlet-api.ja
 
r:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/jsp-api.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/el-api.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/catalina.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/catalina-ant.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/tomcat-coyote.jar:/srv/gump/public/workspace/tomcat-7.0.x/output/build/lib/jasper.jar:/srv/gump

[GUMP@vmgump]: Project tomcat-trunk-test-apr (in module tomcat-trunk) failed

2016-02-22 Thread Bill Barker
To whom it may engage...

This is an automated request, but not an unsolicited one. For 
more information please visit http://gump.apache.org/nagged.html, 
and/or contact the folk at gene...@gump.apache.org.

Project tomcat-trunk-test-apr has an issue affecting its community integration.
This issue affects 1 projects,
 and has been outstanding for 2 runs.
The current state of this project is 'Failed', with reason 'Build Failed'.
For reference only, the following projects are affected by this:
- tomcat-trunk-test-apr :  Tomcat 9.x, a web server implementing the Java 
Servlet 4.0,
...


Full details are available at:

http://vmgump.apache.org/gump/public/tomcat-trunk/tomcat-trunk-test-apr/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were 
provided:
 -DEBUG- Dependency on commons-daemon exists, no need to add for property 
commons-daemon.native.src.tgz.
 -DEBUG- Dependency on commons-daemon exists, no need to add for property 
tomcat-native.tar.gz.
 -INFO- Failed with reason build failed
 -INFO- Project Reports in: 
/srv/gump/public/workspace/tomcat-trunk/output/logs-APR
 -INFO- Project Reports in: 
/srv/gump/public/workspace/tomcat-trunk/output/test-tmp-APR/logs
 -WARNING- No directory 
[/srv/gump/public/workspace/tomcat-trunk/output/test-tmp-APR/logs]



The following work was performed:
http://vmgump.apache.org/gump/public/tomcat-trunk/tomcat-trunk-test-apr/gump_work/build_tomcat-trunk_tomcat-trunk-test-apr.html
Work Name: build_tomcat-trunk_tomcat-trunk-test-apr (Type: Build)
Work ended in a state of : Failed
Elapsed: 44 mins 24 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true 
-Dbuild.sysclasspath=only org.apache.tools.ant.Main 
-Dgump.merge=/srv/gump/public/gump/work/merge.xml 
-Djunit.jar=/srv/gump/public/workspace/junit/target/junit-4.13-SNAPSHOT.jar 
-Dobjenesis.jar=/srv/gump/public/workspace/objenesis/main/target/objenesis-2.3-SNAPSHOT.jar
 -Dtest.reports=output/logs-APR 
-Dtomcat-native.tar.gz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20160222-native-src.tar.gz
 -Dexamples.sources.skip=true 
-Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.5-201506032000/ecj-4.5.jar 
-Dtest.apr.loc=/srv/gump/public/workspace/tomcat-native-trunk/dest-20160222/lib 
-Dtest.relaxTiming=true 
-Dcommons-daemon.jar=/srv/gump/public/workspace/apache-commons/daemon/dist/commons-daemon-20160222.jar
 
-Dcommons-daemon.native.src.tgz=/srv/gump/public/workspace/apache-commons/daemon/dist/bin/commons-daemon-20160222-native-src.tar.gz
 -Dtest.temp=output/test-tmp-APR -Dtest.accesslog=true -
 Dexecute.test.nio=false 
-Dtest.openssl.path=/srv/gump/public/workspace/openssl-master/dest-20160222/bin/openssl
 -Dexecute.test.apr=true -Dtest.excludePerformance=true 
-Dexecute.test.nio2=false 
-Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-3.5-SNAPSHOT.jar
 -Dhamcrest.jar=/srv/gump/packages/hamcrest/hamcrest-core-1.3.jar 
-Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test 
[Working Directory: /srv/gump/public/workspace/tomcat-trunk]
CLASSPATH: 
/usr/lib/jvm/java-8-oracle/lib/tools.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/webapps/examples/WEB-INF/classes:/srv/gump/public/workspace/tomcat-trunk/output/testclasses:/srv/gump/public/workspace/ant/dist/lib/ant.jar:/srv/gump/public/workspace/ant/dist/lib/ant-launcher.jar:/srv/gump/public/workspace/ant/dist/lib/ant-jmf.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit.jar:/srv/gump/public/workspace/ant/dist/lib/ant-junit4.jar:/srv/gump/public/workspace/ant/dist/lib/ant-swing.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-resolver.jar:/srv/gump/public/workspace/ant/dist/lib/ant-apache-xalan2.jar:/srv/gump/public/workspace/xml-commons/java/build/resolver.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/bin/bootstrap.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/bin/tomcat-juli.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/annotations-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/servlet-api.ja
 
r:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jsp-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/el-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/websocket-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jaspic-api.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-ant.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-storeconfig.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/tomcat-coyote.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jasper.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/jasper-el.jar:/srv/gump/public/workspace/tomcat-trunk/output/build/lib/catalina-tribes.jar:/srv/gump/public/workspace