[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Tomi Korkalainen tomi.korkalai...@gmail.com changed: What|Removed |Added CC||tomi.korkalai...@gmail.com -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 Jani Similä jani.sim...@gmail.com changed: What|Removed |Added CC||jani.sim...@gmail.com
svn commit: r1586227 - /tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml
Author: mturk Date: Thu Apr 10 06:55:27 2014 New Revision: 1586227 URL: http://svn.apache.org/r1586227 Log: Resolve 56363 bug Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml?rev=1586227r1=1586226r2=1586227view=diff == --- tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml (original) +++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/changelog.xml Thu Apr 10 06:55:27 2014 @@ -39,6 +39,9 @@ section name=Changes between 1.1.29 and 1.1.30 changelog fix + bug56363/bug: Use OpenSSL 1.0.1g with Windows binaries. (mturk) +/fix +fix bug55915/bug: Apply Mike Noordermeer's patch for ECDHE support. (mturk) /fix fix - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
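Review bot: the new changelog entry names only the OpenSSL version ("Use OpenSSL 1.0.1g with Windows binaries") and not the advisory it addresses; since the bug is titled "OpenSSL security advisory - Heartbleed bug" and the thread refers to it as CVE-2014-0160, put the CVE identifier in the entry so anyone scanning CHANGELOG.txt for the fix can find it, e.g. `<bug>56363</bug>: Use OpenSSL 1.0.1g (CVE-2014-0160) with Windows binaries.` It is also worth saying explicitly that the entry covers only the Windows binaries and that source builds on other platforms must relink against an unaffected OpenSSL themselves.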
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363 --- Comment #2 from Mladen Turk mt...@apache.org --- Update done and tested. We'll start the release process today or tomorrow and the new version containing OpenSSL 1.0.1g will be available after the VOTE finishes and we create the ANN message. I'll close this issue when we send the ANN message.
[Bug 56374] Page in wrong language - getting lower rank Accept-Language in request header
https://issues.apache.org/bugzilla/show_bug.cgi?id=56374 Christopher Schultz ch...@christopherschultz.net changed: What|Removed |Added Resolution|FIXED |INVALID --- Comment #9 from Christopher Schultz ch...@christopherschultz.net --- Possible duplicate of bug #55399?
Re: Tagging Tomcat Native 1.1.30
Mladen,

On 4/9/14, 11:42 PM, Mladen Turk wrote:
> I plan to tag 1.1.30 either later today or tomorrow and push for a quick release vote. Comments?

Go for it. No bugs in it can be worse than this week's OpenSSL vulnerability.

-chris
Re: ErrorValve enhancement
Nick,

Please file a Bugzilla bug and attach your patch to it.

-chris

On 4/9/14, 10:36 AM, Nick Bunn wrote:
> Good Day,
>
> As I'm sure you are all aware, when the default error valve returns its report it publishes the Tomcat version and some other troubleshooting data. This of course breaks one of my security team's rules and is also published as an item that needs to be remediated when hardening Tomcat (OWASP - http://goo.gl/Zr9xso). When using the OWASP solution of replacing the serverInfo.properties file, it can and will break tools/code that use that information (in my case our deployment agent). The other two solutions are to create our own valve and just change it to the default error valve, or override the status code at the HTTPD server (which broke our JSON and SOAP requests that were providing valid 4XX and 5XX).
>
> That being said, why not just have the capability to disable this information in the current error valve? This way we are not requiring users to override their serverInfo.properties or create some custom error valve they will have to maintain. Thoughts?
>
> Attached is a simple patch to version 7.0.x. It can easily be ported to 8.0.x as not much has changed. You would then just add the below to your server.xml:
>
> <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
>
> Thanks,
> Nick Bunn
Re: CVE-2014-0160
Andrew,

On 4/8/14, 5:43 PM, Andrew Carr wrote:
> http://www.openssl.org/news/secadv_20140407.txt
>
> Hi Tomcat Devs,
>
> I have been on the dev list for a few years, and a Tomcat developer longer than that. While I haven't contributed yet, I was curious if this CVE needs a contribution. As far as I can tell, if you recompile your native libs with the unaffected version of SSL, you will not be vulnerable to this CVE. Is that assumption correct or does there need to be a change to tcnative?

Technically, it's just a re-link, but it makes sense to push out the latest 1.1 branch code and call it 1.1.30 to reduce confusion and to get a few useful features out to the world.

-chris
Re: Java 8 compatibility for Tomcat 7
Mark,

On 4/8/14, 10:55 AM, Mark Thomas wrote:
> On 08/04/2014 06:32, Emmanuel Bourg wrote:
>> On 08/04/2014 14:03, Mark Thomas wrote:
>>> Can you provide the details of the failure. That might help ID a solution.
>>
>> Thank you, here is the build log on Debian:
>> http://87.98.165.193/debian/openjdk8-rebuild/logs-failed-jdk8/tomcat7_7.0.52-1_unstable_jdk8.log
>>
>> [javac] /«PKGBUILDDIR»/java/org/apache/catalina/tribes/tipis/AbstractReplicatedMap.java:1107: error: keySet() in AbstractReplicatedMap cannot override keySet() in ConcurrentHashMap
>> [javac]     public Set<Object> keySet() {
>> [javac]                        ^
>> [javac]   return type Set<Object> is not compatible with KeySetView
>> [javac]   where K,V are type-variables:
>> [javac]     K extends Object declared in class ConcurrentHashMap
>> [javac]     V extends Object declared in class ConcurrentHashMap
>>
>> This issue is caused by the addition of a keySet() method to ConcurrentHashMap in Java 8 with a return type incompatible with the keySet() method in AbstractReplicatedMap.
>>
>> In r1222329 AbstractReplicatedMap was changed to no longer inherit ConcurrentHashMap and implement directly the Map interface. This had the side effect of fixing this Java 8 issue for Tomcat 8.
>
> That looks like something we are going to need to fix but any fix is going to have to change the API. On that basis, back-porting r1222329 is probably the best option.
>
> Any objections to back-porting this fix to 7.0.x?

+1 to back-porting

-chris
[Bug 55399] Request English but Response Spanish Language (Default Locale)
https://issues.apache.org/bugzilla/show_bug.cgi?id=55399 Konstantin Kolinko knst.koli...@gmail.com changed: What|Removed |Added CC||st...@rkbb.co.uk --- Comment #9 from Konstantin Kolinko knst.koli...@gmail.com --- *** Bug 56374 has been marked as a duplicate of this bug. ***
[Bug 56374] Page in wrong language - getting lower rank Accept-Language in request header
https://issues.apache.org/bugzilla/show_bug.cgi?id=56374 Konstantin Kolinko knst.koli...@gmail.com changed: What|Removed |Added Resolution|INVALID |DUPLICATE --- Comment #10 from Konstantin Kolinko knst.koli...@gmail.com ---

(In reply to Christopher Schultz from comment #9)
> Possible duplicate of bug #55399?

Yes, I think it is.

*** This bug has been marked as a duplicate of bug 55399 ***
svn commit: r1586252 - /tomcat/native/branches/1.1.x/java/org/apache/tomcat/
Author: mturk Date: Thu Apr 10 09:47:07 2014 New Revision: 1586252 URL: http://svn.apache.org/r1586252 Log: Update externals Modified: tomcat/native/branches/1.1.x/java/org/apache/tomcat/ (props changed) Propchange: tomcat/native/branches/1.1.x/java/org/apache/tomcat/ -- --- svn:externals (original) +++ svn:externals Thu Apr 10 09:47:07 2014 @@ -1 +1 @@ -^/tomcat/trunk/java/org/apache/tomcat/jni@1528407 jni +^/tomcat/trunk/java/org/apache/tomcat/jni@1561162 jni - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
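Review bot: the log message "Update externals" does not say what moving the pinned jni revision from 1528407 to 1561162 pulls into the 1.1.x branch; since this lands right before the 1.1.30 tag, the message should name the trunk changes being picked up (or cite their revisions), so reviewers of the release vote can tell whether any Java-side API change in org/apache/tomcat/jni rides along with the OpenSSL update.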
svn commit: r1586254 - in /tomcat/native/branches/1.1.x/xdocs: miscellaneous/project.xml news/2014.xml news/project.xml project.xml
Author: mturk Date: Thu Apr 10 10:00:23 2014 New Revision: 1586254 URL: http://svn.apache.org/r1586254 Log: Add year 2014 news section Added: tomcat/native/branches/1.1.x/xdocs/news/2014.xml (with props) Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/project.xml tomcat/native/branches/1.1.x/xdocs/news/project.xml tomcat/native/branches/1.1.x/xdocs/project.xml Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/project.xml URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/project.xml?rev=1586254r1=1586253r2=1586254view=diff == --- tomcat/native/branches/1.1.x/xdocs/miscellaneous/project.xml (original) +++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/project.xml Thu Apr 10 10:00:23 2014 @@ -34,6 +34,7 @@ /menu menu name=News +item name=2014 href=../news/2014.html/ item name=2013 href=../news/2013.html/ item name=2012 href=../news/2012.html/ item name=2011 href=../news/2011.html/ Added: tomcat/native/branches/1.1.x/xdocs/news/2014.xml URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/news/2014.xml?rev=1586254view=auto == --- tomcat/native/branches/1.1.x/xdocs/news/2014.xml (added) +++ tomcat/native/branches/1.1.x/xdocs/news/2014.xml Thu Apr 10 10:00:23 2014 
@@ -0,0 +1,35 @@ +?xml version=1.0 encoding=UTF-8? +!-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the License); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an AS IS BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +-- +!DOCTYPE document [ + !ENTITY project SYSTEM project.xml +] +document url=2014.html + + project; + + properties +author email=general.AT.tomcat.DOT.apache.DOT.orgApache Tomcat Native Project/author +title2013 News and Status/title + /properties + +body + +section name=2014 News amp; Status +/section +/body +/document Propchange: tomcat/native/branches/1.1.x/xdocs/news/2014.xml -- svn:eol-style = native Propchange: tomcat/native/branches/1.1.x/xdocs/news/2014.xml -- svn:mime-type = text/xml Modified: tomcat/native/branches/1.1.x/xdocs/news/project.xml URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/news/project.xml?rev=1586254r1=1586253r2=1586254view=diff == --- tomcat/native/branches/1.1.x/xdocs/news/project.xml (original) +++ tomcat/native/branches/1.1.x/xdocs/news/project.xml Thu Apr 10 10:00:23 2014 
@@ -34,6 +34,7 @@ /menu menu name=News +item name=2014 href=../news/2014.html/ item name=2013 href=../news/2013.html/ item name=2012 href=../news/2012.html/ item name=2011 href=../news/2011.html/ Modified: tomcat/native/branches/1.1.x/xdocs/project.xml URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/project.xml?rev=1586254r1=1586253r2=1586254view=diff == --- tomcat/native/branches/1.1.x/xdocs/project.xml (original) +++ tomcat/native/branches/1.1.x/xdocs/project.xml Thu Apr 10 10:00:23 2014 @@ -34,6 +34,7 @@ /menu menu name=News +item name=2014 href=news/2014.html/ item name=2013 href=news/2013.html/ item name=2012 href=news/2012.html/ item name=2011 href=news/2011.html/ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
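Review bot: in the new xdocs/news/2014.xml the `<title>` reads "2013 News and Status" while the file name, the document url and the section name are all 2014; fix the title before the release docs are generated. The new 2014 section is also empty, so consider adding the entry this release is being cut for (1.1.30 with OpenSSL 1.0.1g), which is what a reader landing on the news page will be looking for.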
svn commit: r1586258 - /tomcat/native/branches/1.1.x/jnirelease.sh
Author: mturk Date: Thu Apr 10 10:19:54 2014 New Revision: 1586258 URL: http://svn.apache.org/r1586258 Log: No more docs/printer files Modified: tomcat/native/branches/1.1.x/jnirelease.sh Modified: tomcat/native/branches/1.1.x/jnirelease.sh URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/jnirelease.sh?rev=1586258r1=1586257r2=1586258view=diff == --- tomcat/native/branches/1.1.x/jnirelease.sh (original) +++ tomcat/native/branches/1.1.x/jnirelease.sh Thu Apr 10 10:19:54 2014 @@ -21,7 +21,7 @@ #native/include/tcn_version.h #native/os/win32/libtcnative.rc -# Default place to look for apr source. Can be overridden with +# Default place to look for apr source. Can be overridden with # --with-apr=[directory] apr_src_dir=`pwd`/srclib/apr JKJNIEXT= @@ -62,7 +62,7 @@ else echo echo Problem finding apr source in: \`$apr_src_dir' echo Use: -echo --with-apr=directory +echo --with-apr=directory echo exit 1 fi @@ -182,13 +182,17 @@ fi top=`pwd` cd ${JKJNIDIST}/jni/xdocs ant -$EXPTOOL $EXPOPTS ../build/docs/miscellaneous/printer/changelog.html ../../CHANGELOG.txt 2/dev/null +$EXPTOOL $EXPOPTS ../build/docs/miscellaneous/changelog.html ../../CHANGELOG.txt 2/dev/null if [ $? -ne 0 ]; then echo -echo $EXPTOOL $EXPOPTS ../build/docs/miscellaneous/printer/changelog.html failed +echo $EXPTOOL $EXPOPTS ../build/docs/miscellaneous/changelog.html failed echo exit 1 fi +# Remove first 25 lines from converted file which contains +# page navagation data. +# Remember to increase the lines when new file is added to news. +sed -i '1,25d' ../../CHANGELOG.txt cd $top mv ${JKJNIDIST}/jni/build/docs ${JKJNIDIST}/jni/docs rm -rf ${JKJNIDIST}/jni/build 
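Review bot: the `sed -i '1,25d' ../../CHANGELOG.txt` step hardcodes the number of navigation lines to strip, and the new comment itself says the count must be bumped whenever a news file is added (as r1586254 just did); when the count drifts this silently cuts changelog text or leaves navigation in the shipped CHANGELOG.txt. Prefer deleting up to a marker with a pattern address (for example everything before the first "Changes between" heading) or stripping the navigation at generation time. Note also that `sed -i` with no suffix argument is a GNU extension; BSD/macOS sed needs `-i ''`, so if the script is meant to run there use a temp file instead. The comment also has a typo, "navagation" for "navigation".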
@@ -233,14 +237,8 @@ if [ $? -ne 0 ]; then echo exit 1 fi -$EXPTOOL $EXPOPTS ../build/docs/miscellaneous/printer/changelog.html ../../CHANGELOG.txt 2/dev/null -if [ $? -ne 0 ]; then -echo -echo $EXPTOOL $EXPOPTS ../build/docs/miscellaneous/printer/changelog.html failed -echo -exit 1 -fi cd $top +cp ${JKJNIDIST}/CHANGELOG.txt ${JKWINDIST} mv ${JKWINDIST}/jni/build/docs ${JKWINDIST}/jni/docs rm -rf ${JKWINDIST}/jni/build - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
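Review bot: the block removed here checked the exit status of the changelog conversion and aborted the release build on failure, while the replacement `cp ${JKJNIDIST}/CHANGELOG.txt ${JKWINDIST}` has no check at all; if the copy fails (wrong path, or the earlier `sed -i` left a truncated file) the Windows distribution is built without a CHANGELOG.txt and nothing notices. Append `|| exit 1` to the cp, or reuse the `if [ $? -ne 0 ]` pattern the rest of the script follows.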
svn commit: r1586263 - in /tomcat/native/branches/1.1.x: build.properties.default build.xml native/include/tcn_version.h
Author: mturk Date: Thu Apr 10 10:27:08 2014 New Revision: 1586263 URL: http://svn.apache.org/r1586263 Log: Prepare versions for 1.1.30 release Modified: tomcat/native/branches/1.1.x/build.properties.default tomcat/native/branches/1.1.x/build.xml tomcat/native/branches/1.1.x/native/include/tcn_version.h Modified: tomcat/native/branches/1.1.x/build.properties.default URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/build.properties.default?rev=1586263r1=1586262r2=1586263view=diff == --- tomcat/native/branches/1.1.x/build.properties.default (original) +++ tomcat/native/branches/1.1.x/build.properties.default Thu Apr 10 10:27:08 2014 @@ -18,7 +18,7 @@ # - Version Control Flags - version.major=1 version.minor=1 -version.build=29 +version.build=30 version.patch=0 #version.suffix=-dev version.suffix= Modified: tomcat/native/branches/1.1.x/build.xml URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/build.xml?rev=1586263r1=1586262r2=1586263view=diff == --- tomcat/native/branches/1.1.x/build.xml (original) +++ tomcat/native/branches/1.1.x/build.xml Thu Apr 10 10:27:08 2014 @@ -33,7 +33,7 @@ property name=year value=2014 / property name=version.major value=1 / property name=version.minor value=1 / -property name=version.build value=29 / +property name=version.build value=30 / property name=version.patch value=0 / property name=version.suffixvalue= / Modified: tomcat/native/branches/1.1.x/native/include/tcn_version.h URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/include/tcn_version.h?rev=1586263r1=1586262r2=1586263view=diff == --- tomcat/native/branches/1.1.x/native/include/tcn_version.h (original) +++ tomcat/native/branches/1.1.x/native/include/tcn_version.h Thu Apr 10 10:27:08 2014 
@@ -75,7 +75,7 @@ extern C { * This symbol is defined for internal, development copies of TCN. This * symbol will be #undef'd for releases. */ -#define TCN_IS_DEV_VERSION 1 +#define TCN_IS_DEV_VERSION 0 /** The formatted string of APU's version */ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
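Review bot: the comment above `TCN_IS_DEV_VERSION` says the symbol "will be #undef'd for releases", but this release change defines it as 0 instead; either update the comment to say the macro is defined to 0 for releases, or really `#undef` it as documented, so that any `#ifdef TCN_IS_DEV_VERSION` test in the code base behaves the way the header promises.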
svn commit: r1586266 - /tomcat/native/tags/TOMCAT_NATIVE_1_1_30/
Author: mturk Date: Thu Apr 10 10:36:32 2014 New Revision: 1586266 URL: http://svn.apache.org/r1586266 Log: Tag 1.1.30 Added: tomcat/native/tags/TOMCAT_NATIVE_1_1_30/ (props changed) - copied from r1586265, tomcat/native/branches/1.1.x/ Propchange: tomcat/native/tags/TOMCAT_NATIVE_1_1_30/ -- --- svn:ignore (added) +++ svn:ignore Thu Apr 10 10:36:32 2014 @@ -0,0 +1 @@ +dist Propchange: tomcat/native/tags/TOMCAT_NATIVE_1_1_30/ -- --- svn:mergeinfo (added) +++ svn:mergeinfo Thu Apr 10 10:36:32 2014 @@ -0,0 +1,3 @@ +/tomcat/native/trunk:815411,1342003,1342008,1342013,1342020,1342024,1394258,1394342,1424947,1424971,1430753,1437081,1438342,1439337,1441884,1441886,1442579,1442581,1445972,1507113,1532577,1532590,1539594,1555184,1559180 +/tomcat/tc7.0.x/trunk:1199985,1200164,1349932,1434887,1435769 +/tomcat/trunk:815418,832198,1001939,1033916,1043103,1044729,1078522,1145209,1145285,1149092,1241356,1241406-1241407,1242254,1292671,1299980,1300102,1434905,1437083 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56381] New: ServletRequest can be modified by Multiple Threads
https://issues.apache.org/bugzilla/show_bug.cgi?id=56381 Bug ID: 56381 Summary: ServletRequest can be modified by Multiple Threads Product: Tomcat 8 Version: trunk Hardware: PC Status: NEW Severity: normal Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: mgai...@hotmail.com A ServletRequest implementor can be referenced by multiple threads; it's easy to see that every attribute the Request contains (including maps) can be and will be modified. This is unacceptable and must be corrected ASAP (by introducing synchronized blocks for any code modifying ServletRequest and/or attributes of ServletRequest). Originally reported by Jess Holle 10 April 2014
[VOTE] Release Apache Tomcat Native 1.1.30
Version 1.1.30 is a bug fixing release with ECDH added, if supported by the OpenSSL library. The proposed release artefacts can be found at [1], and the build was done using tag [2].

The VOTE will remain open for at least 48 hours.

The Apache Tomcat Native 1.1.30 is
[ ] Stable, go ahead and release
[ ] Broken because of ...

[1] http://people.apache.org/~mturk/native/1.1.30
[2] https://svn.apache.org/repos/asf/tomcat/native/tags/TOMCAT_NATIVE_1_1_30

Regards
--
^TM
[Bug 56381] ServletRequest can be modified by Multiple Threads
https://issues.apache.org/bugzilla/show_bug.cgi?id=56381 Remy Maucherat r...@apache.org changed: What|Removed |Added Status|NEW |RESOLVED Resolution|--- |INVALID OS||All
Re: [VOTE] Release Apache Tomcat Native 1.1.30
2014-04-10 13:50 GMT+02:00 Mladen Turk mt...@apache.org:
> The Apache Tomcat Native 1.1.30 is
> [X] Stable, go ahead and release
> [ ] Broken because of ...

Rémy
svn commit: r1586282 - /tomcat/jk/trunk/native/common/jk_ajp_common.c
Author: rjung Date: Thu Apr 10 12:37:18 2014 New Revision: 1586282 URL: http://svn.apache.org/r1586282 Log: Followup for r1586044 (broken request chunking). Modified: tomcat/jk/trunk/native/common/jk_ajp_common.c Modified: tomcat/jk/trunk/native/common/jk_ajp_common.c URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_ajp_common.c?rev=1586282r1=1586281r2=1586282view=diff == --- tomcat/jk/trunk/native/common/jk_ajp_common.c (original) +++ tomcat/jk/trunk/native/common/jk_ajp_common.c Thu Apr 10 12:37:18 2014 @@ -1479,11 +1479,15 @@ static int ajp_read_into_msg_buff(ajp_en /* Pick the max size since we don't know the content_length */ -if ((r-is_chunked len == 0) || len 0 || len maxlen) { +if (r-is_chunked ae-left_bytes_to_send == 0) { len = maxlen; -} -if (ae-left_bytes_to_send 0 (jk_uint64_t)len ae-left_bytes_to_send) { -len = (int)ae-left_bytes_to_send; +} else { +if ((jk_uint64_t)maxlen ae-left_bytes_to_send) { +maxlen = (int)ae-left_bytes_to_send; +} +if (len 0 || len maxlen) { +len = maxlen; +} } if ((len = ajp_read_fully_from_server(r, l, read_buf, len)) 0) { - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
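Review bot: the comment "Pick the max size since we don't know the content_length" no longer matches the code under it: the new `if` branch covers only the chunked case with `ae->left_bytes_to_send == 0`, and the new `else` branch handles the known-length case by clamping `maxlen` to `ae->left_bytes_to_send` before clamping `len`. Update the comment to describe both branches, and say why a chunked request that still has `left_bytes_to_send > 0` is now routed through the `else` clamp, since that is the behavioural difference from the r1586044 logic this commit fixes.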
[Bug 56382] New: Add logging of deployment time
https://issues.apache.org/bugzilla/show_bug.cgi?id=56382 Bug ID: 56382 Summary: Add logging of deployment time Product: Tomcat 7 Version: trunk Hardware: All Status: NEW Severity: enhancement Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: b...@mail.ru Tomcat logs the start of the deployment of a directory, but doesn't log the finish. I've created a small patch which logs when the particular deployment is finished, with the deployment time. So the output will be like this:

Apr 10, 2014 4:26:17 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory C:\AAA\Tools\apache-tomcat-7.0.52\webapps\aaa-admin
Apr 10, 2014 4:31:10 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory C:\AAA\Tools\apache-tomcat-7.0.52\webapps\aaa-admin has finished in 292,516 ms.
[Bug 56382] Add logging of deployment time
https://issues.apache.org/bugzilla/show_bug.cgi?id=56382 --- Comment #1 from Danila Galimov b...@mail.ru --- Created attachment 31506 -- https://issues.apache.org/bugzilla/attachment.cgi?id=31506&action=edit Proposed patch
Re: [VOTE] Release Apache Tomcat Native 1.1.30
Mladen,

On 10.4.2014 13:50, Mladen Turk wrote:
> The Apache Tomcat Native 1.1.30 is
> [X] Stable, go ahead and release
> [ ] Broken because of ...

(non-binding)

Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.

- Filippo.io [1] reports it is not vulnerable to the Heartbleed bug.
- SSLLabs [2] reports it is not vulnerable to the Heartbleed bug.
- SSLLabs reports that Forward secrecy is enabled when proper cipher suites (including EECDH/ECDHE) are enabled.
- Smoke tests of APR, with and without TLS, all passed.

-Ognjen

[1] http://filippo.io/Heartbleed/
[2] https://www.ssllabs.com/ssltes
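Two messages in this digest turn on the same question: Andrew's "is a relink against an unaffected OpenSSL enough?" (answered by Chris in the CVE-2014-0160 thread) and Ognjen's verification above that the 1.1.30 Windows binaries are not vulnerable. The script below is an added example, not code from the Tomcat project or from either message; it is a first local check a practitioner would run before the external scanners. It finds the OpenSSL version banner embedded in a library file and classifies it against the advisory's range. Assumptions that are mine, not the thread's: the affected versions are OpenSSL 1.0.1 through 1.0.1f (1.0.1g, 1.0.0 and 0.9.8 unaffected), and the banner scanned for is the "OpenSSL x.y.z<letter> <date>" text that libcrypto embeds; a tcnative-1.dll that bundles OpenSSL statically carries it, while a libtcnative-1.so built against a shared libssl does not, so for those you scan the libssl/libcrypto it loads instead. The byte blobs at the bottom are constructed for the demo.

```python
"""Classify the OpenSSL release found in a Tomcat Native (or libssl) binary
against the CVE-2014-0160 (Heartbleed) range.

Added example, not Tomcat project code. Assumptions: affected range is
OpenSSL 1.0.1 .. 1.0.1f per the OpenSSL advisory; the version is located by
scanning for the OPENSSL_VERSION_TEXT banner embedded in the library.
"""
import re
import sys

# Banner as embedded by OPENSSL_VERSION_TEXT, e.g. b"OpenSSL 1.0.1f 6 Jan 2014".
# The letter suffix is optional (plain "1.0.1" is the first release of the line)
# and some vendor builds append "-fips".
BANNER_RE = re.compile(rb"OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?:-fips)?")


def parse_banner(text):
    """Return (major, minor, fix, letter) for the first banner in text, else None."""
    m = BANNER_RE.search(text)
    if m is None:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter.decode("ascii")


def heartbleed_affected(version):
    """True iff version is OpenSSL 1.0.1 through 1.0.1f inclusive."""
    major, minor, fix, letter = version
    if (major, minor, fix) != (1, 0, 1):
        return False  # 0.9.8, 1.0.0 and 1.0.2+ never had the bug
    return letter == "" or letter <= "f"


def scan_blob(blob):
    """All distinct OpenSSL versions whose banner appears in a byte blob, sorted."""
    return sorted({parse_banner(m.group(0)) for m in BANNER_RE.finditer(blob)})


def classify_blob(blob):
    """Return ('affected' | 'clean' | 'unknown', versions) for a library image."""
    versions = scan_blob(blob)
    if not versions:
        return "unknown", []  # no banner: library links OpenSSL dynamically
    if any(heartbleed_affected(v) for v in versions):
        return "affected", versions
    return "clean", versions


def verdict(path):
    """Read a library file from disk and classify it."""
    with open(path, "rb") as fh:
        return classify_blob(fh.read())


# Constructed sample images (not real binaries): a 1.0.1f build and a 1.0.1g build.
CONSTRUCTED_1_0_1F = b"\x7fELF\x00\x00junk\x00OpenSSL 1.0.1f 6 Jan 2014\x00more\x00"
CONSTRUCTED_1_0_1G = b"MZ\x90\x00junk\x00OpenSSL 1.0.1g 7 Apr 2014\x00more\x00"


if __name__ == "__main__":
    # Usage: python tcn_openssl_check.py /path/to/tcnative-1.dll [libcrypto.so ...]
    targets = sys.argv[1:]
    if not targets:
        for name, blob in (("sample-1.0.1f", CONSTRUCTED_1_0_1F),
                           ("sample-1.0.1g", CONSTRUCTED_1_0_1G)):
            print(name, classify_blob(blob))
    for p in targets:
        state, found = verdict(p)
        banners = ", ".join("%d.%d.%d%s" % v for v in found) or "no banner"
        print("%s: %s (%s)" % (p, state, banners))
```

The banner check is necessary but not sufficient: vendor builds that backport the fix keep the old banner (a distribution's patched 1.0.1e still reads "1.0.1e"), so a "clean" result here is only trustworthy for binaries you know were linked against upstream 1.0.1g or later, and a live heartbeat probe such as the Filippo.io or SSL Labs checks Ognjen ran remains the authoritative test for a running listener.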
Re: [VOTE] Release Apache Tomcat Native 1.1.30
On 04/10/2014 02:56 PM, Ognjen Blagojevic wrote:
> Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.
>
> - Filippo.io [1] reports it is not vulnerable to the Heartbleed bug.
> - SSLLabs [2] reports it is not vulnerable to the Heartbleed bug.
> - SSLLabs reports that Forward secrecy is enabled when proper cipher suites (including EECDH/ECDHE) are enabled.
> - Smoke tests of APR, with and without TLS, all passed.

Cool. Thanks

--
^TM
RE: [VOTE] Release Apache Tomcat Native 1.1.30
Is the TCN portion of BZ 56027 addressed completely or partially with this release? I see the exposure of the FIPS_mode setting, but it looks like the temporary 512 bit RSA key is still being done in the SSL_TMP_KEYS_INIT macro (line 77). When I hacked my workaround earlier this year I had to make sure I didn't call FIPS_mode_set if it was already set and disable the 512 bit key to get TCN to spin up correctly.

-Rob

From: Mladen Turk [mt...@apache.org]
Sent: Thursday, April 10, 2014 9:01 AM
To: dev@tomcat.apache.org
Subject: Re: [VOTE] Release Apache Tomcat Native 1.1.30

> On 04/10/2014 02:56 PM, Ognjen Blagojevic wrote:
>> Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.
>>
>> - Filippo.io [1] reports it is not vulnerable to the Heartbleed bug.
>> - SSLLabs [2] reports it is not vulnerable to the Heartbleed bug.
>> - SSLLabs reports that Forward secrecy is enabled when proper cipher suites (including EECDH/ECDHE) are enabled.
>> - Smoke tests of APR, with and without TLS, all passed.
>
> Cool. Thanks
>
> --
> ^TM
[Bug 56381] ServletRequest can be modified by Multiple Threads
https://issues.apache.org/bugzilla/show_bug.cgi?id=56381 --- Comment #1 from Jess Holle je...@ptc.com ---

I am perfectly aware that the servlet API makes no guarantees about thread safety of the [Http]ServletRequest interface or implementations thereof. I also understand that providing general thread-safety in implementation would have performance and/or implementation complexity costs that may not be appropriate.

As such I've been calling getParameterMap() and the like in my first servlet filter -- thus allowing other threads to access this data after this point without issues up until the request thread completes work on the request. There are some really good use cases for this sort of thing -- e.g. monitoring the state of all in-flight requests.

The real issue here, however, is what occurs if these APIs are invoked after the request thread completes its request work. It was clear to me that the other threads could get bad data in such a case -- and I'm fine with that. They should have made a copy of the data if the data acquisition is more than just a best effort affair.

What was not at all clear is that recycle behavior could allow any bit of code to toss ServletRequest objects to other threads, call methods against these objects too late and completely corrupt later servlet requests! That's a real safety issue in a larger application.

For my own monitoring code I've added a read/write lock that ensures that there is no possible race condition between request completion and switching over to a copy of the ServletRequest data. That's well and good. What I can't do, however, is keep any other developer from doing something stupid and corrupting unrelated requests, which is a troubleshooting nightmare.

I suppose I could change my servlet filter implementation to use a wrapped ServletRequest object with built-in read/write locking that switched the underlying ServletRequest object to null at the end of the request. That's a lot of workaround code to avoid intrinsic recycle issues, though.
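The hazard Jess describes above, as an added example that is not part of the bug report or of Tomcat's code: a reference to a pooled request object that outlives its request aliases whatever request the same processor serves next, so a late write lands in an unrelated request. The second scenario models the guard the comment sketches, a wrapper that locks every access and detaches its delegate at end of request, so a stale use fails loudly instead of corrupting the next request. This is a small Python model of the mechanism, not Tomcat's Request/RequestFacade implementation; it assumes (my simplification) one reusable Request per processor, recycled by the container after each request, and runs the scenarios single-threaded so the corruption is deterministic, while the guard still takes a lock so it is also safe when another thread races the end of the request.

```python
"""Model of the request-recycle hazard and of a detach-on-completion guard.

Added example; a simplified model, not Tomcat's Request or RequestFacade code.
Assumptions: one pooled Request per processor, recycled after each request.
"""
import threading


class Request:
    """Pooled request object: cleared by recycle(), never reallocated."""

    def __init__(self):
        self.recycle()

    def recycle(self):
        self.uri = None
        self.attributes = {}

    def set_attribute(self, key, value):
        self.attributes[key] = value


class Processor:
    """Serves requests with one pooled Request, recycling it after each one."""

    def __init__(self):
        self._request = Request()

    def serve(self, uri, handler):
        req = self._request
        req.uri = uri
        handler(req)
        observed = dict(req.attributes)  # what this request's code could see
        req.recycle()                    # end of request: back to the pool
        return observed


class GuardedRequest:
    """What a first-in-chain filter would hand to other threads instead of the raw object.

    Every access takes the lock; detach() at end of request nulls the delegate,
    so any later use raises instead of touching the next request's data.
    """

    def __init__(self, request):
        self._request = request
        self._lock = threading.RLock()

    def _live(self):
        if self._request is None:
            raise RuntimeError("request already completed; stale reference")
        return self._request

    def set_attribute(self, key, value):
        with self._lock:
            self._live().set_attribute(key, value)

    def snapshot(self):
        """Copy out the data a monitor may keep after the request has ended."""
        with self._lock:
            req = self._live()
            return {"uri": req.uri, "attributes": dict(req.attributes)}

    def detach(self):
        with self._lock:
            self._request = None


def unguarded_scenario():
    """Return the attributes the second, unrelated request ends up with."""
    proc = Processor()
    leaked = []
    proc.serve("/login", leaked.append)          # handler stashes the raw object
    leaked[0].set_attribute("user", "alice")     # late write from "another thread"
    return proc.serve("/admin", lambda req: None)  # /admin now carries alice's attribute


def guarded_scenario():
    """Return (fate of the late write, attributes the second request ends up with)."""
    proc = Processor()
    leaked = []

    def handler(req):
        guard = GuardedRequest(req)
        leaked.append(guard)
        guard.set_attribute("traceid", "t-1")
        guard.snapshot()                         # fine while the request is live
        guard.detach()                           # the filter's finally block

    proc.serve("/login", handler)
    try:
        leaked[0].set_attribute("user", "alice")
        late_write = "allowed"
    except RuntimeError:
        late_write = "rejected"
    return late_write, proc.serve("/admin", lambda req: None)


if __name__ == "__main__":
    print("unguarded:", unguarded_scenario())  # {'user': 'alice'} leaks into /admin
    print("guarded:  ", guarded_scenario())    # ('rejected', {})
```

The point of the guard is that the snapshot and the detach are serialised under one lock, which is the race Jess closes with a read/write lock in the monitoring code: a monitor that snapshots after detach gets an exception rather than a view of the next request.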
svn commit: r1586306 - /tomcat/native/branches/1.1.x/xdocs/news/2014.xml
Author: kkolinko Date: Thu Apr 10 14:01:13 2014 New Revision: 1586306 URL: http://svn.apache.org/r1586306 Log: Followup to r1586254: correct title. Modified: tomcat/native/branches/1.1.x/xdocs/news/2014.xml Modified: tomcat/native/branches/1.1.x/xdocs/news/2014.xml URL: http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/news/2014.xml?rev=1586306r1=1586305r2=1586306view=diff == --- tomcat/native/branches/1.1.x/xdocs/news/2014.xml (original) +++ tomcat/native/branches/1.1.x/xdocs/news/2014.xml Thu Apr 10 14:01:13 2014 @@ -24,7 +24,7 @@ properties author email=general.AT.tomcat.DOT.apache.DOT.orgApache Tomcat Native Project/author -title2013 News and Status/title +title2014 News and Status/title /properties body - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56383] New: Securing ErrorReportValve
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383 Bug ID: 56383 Summary: Securing ErrorReportValve Product: Tomcat 7 Version: trunk Hardware: All OS: All Status: NEW Severity: enhancement Priority: P2 Component: Catalina Assignee: dev@tomcat.apache.org Reporter: thrain...@gmail.com Created attachment 31507 -- https://issues.apache.org/bugzilla/attachment.cgi?id=31507&action=edit Patch for ErrorReportValve

When the default error valve returns its report it publishes the Tomcat version and some other troubleshooting data. This of course breaks security standards at some companies and is also published as an item that needs to be remediated when hardening Tomcat (OWASP - goo.gl/Zr9xso). When using the OWASP solution of replacing the serverInfo.properties file it can and will break tools/code that use that information.

Attached is the proposed enhancement to be able to switch options to show minimal information back. Adding the below will return an HTML page with only the status, no CSS or title:

<Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />

Currently, the default is true for both, so if users still want to see the current report nothing will have to change in their server.xml.
Re: ErrorValve enhancement
Chris,

Done (Bug 56383 https://issues.apache.org/bugzilla/show_bug.cgi?id=56383). I didn't know if we needed to talk about it first since it was an enhancement. On another note, do I need to make another bug for Tomcat 8, or if this one gets accepted will it be ported over? What about documentation? Does a patch for the site need to be included in the bug report as well?

Thanks,
Nick Bunn

On Thu, Apr 10, 2014 at 2:17 AM, Christopher Schultz ch...@christopherschultz.net wrote:
> Nick,
>
> Please file a Bugzilla bug and attach your patch to it.
>
> -chris
>
> On 4/9/14, 10:36 AM, Nick Bunn wrote:
>> Good Day,
>>
>> As I'm sure you are all aware, when the default error valve returns its report it publishes the Tomcat version and some other troubleshooting data. This of course breaks one of my security team's rules and is also published as an item that needs to be remediated when hardening Tomcat (OWASP - http://goo.gl/Zr9xso). When using the OWASP solution of replacing the serverInfo.properties file, it can and will break tools/code that use that information (in my case our deployment agent). The other two solutions are to create our own valve and just change it to the default error valve, or override the status code at the HTTPD server (which broke our JSON and SOAP requests that were providing valid 4XX and 5XX).
>>
>> That being said, why not just have the capability to disable this information in the current error valve? This way we are not requiring users to override their serverInfo.properties or create some custom error valve they will have to maintain. Thoughts?
>>
>> Attached is a simple patch to version 7.0.x. It can easily be ported to 8.0.x as not much has changed. You would then just add the below to your server.xml:
>>
>> <Valve className="org.apache.catalina.valves.ErrorReportValve" showReport="false" showServerInfo="false" />
>>
>> Thanks,
>> Nick Bunn

--
Thanks,
Nick Bunn
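Whatever happens to the showReport/showServerInfo patch, the thing a hardening reviewer actually wants is a repeatable check that error pages no longer disclose the version or troubleshooting detail. The script below is an added example, not code from the Tomcat project, from the OWASP page or from Nick's patch; it parses a raw HTTP response and reports the leaks the thread is about. Assumptions that are mine: the stock ErrorReportValve page carries the version in the `<title>` and in a trailing `<h3>` as "Apache Tomcat/x.y.z", and on server-side errors adds "Exception report" / "stack trace" sections; the Server header check is an extra hardening item not discussed in the thread; and both sample responses at the bottom are constructed for the demo rather than captured from a real server.

```python
"""Check a Tomcat error response for version and troubleshooting disclosure.

Added example; not Tomcat project code. Assumptions: the stock ErrorReportValve
page prints "Apache Tomcat/x.y.z" in <title> and a trailing <h3>, and prints
"Exception report" / "stack trace" headings for server-side errors.
"""
import re
import socket

VERSION_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+)")
# Headings the default report prints for exceptions; any of them reaching
# the client means troubleshooting data is being disclosed.
TROUBLESHOOTING_MARKERS = ("exception report", "stack trace", "root cause")


def split_response(raw):
    """Split a raw HTTP/1.x response into (status line, header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("utf-8", "replace")


def check_response(raw):
    """Return a list of (finding, detail) pairs; an empty list means no leak found."""
    _, headers, body = split_response(raw)
    findings = []
    if "server" in headers:
        findings.append(("server-header", headers["server"]))
    for version in sorted(set(VERSION_RE.findall(body))):
        findings.append(("version-in-body", version))
    lowered = body.lower()
    for marker in TROUBLESHOOTING_MARKERS:
        if marker in lowered:
            findings.append(("troubleshooting-data", marker))
    return findings


def probe(host, port=8080, path="/this-path-should-not-exist", timeout=5.0):
    """Request a path that should 404 and check the live response (needs network)."""
    request = ("GET %s HTTP/1.0\r\nHost: %s\r\n\r\n" % (path, host)).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        chunks = []
        while True:
            data = sock.recv(65536)
            if not data:
                break
            chunks.append(data)
    return check_response(b"".join(chunks))


# Constructed sample: the shape of the unmodified 7.0.x valve output for a 404.
DEFAULT_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"\r\n"
    b"<html><head><title>Apache Tomcat/7.0.52 - Error report</title></head>"
    b"<body><h1>HTTP Status 404 - /missing</h1><hr size=\"1\" noshade=\"noshade\">"
    b"<p><b>type</b> Status report</p><p><b>message</b> <u>/missing</u></p>"
    b"<p><b>description</b> <u>The requested resource is not available.</u></p>"
    b"<hr size=\"1\" noshade=\"noshade\"><h3>Apache Tomcat/7.0.52</h3></body></html>"
)

# Constructed sample: the page with the report and server info switched off
# and the Server header suppressed.
MINIMAL_404 = (
    b"HTTP/1.1 404 Not Found\r\n"
    b"Content-Type: text/html;charset=utf-8\r\n"
    b"\r\n"
    b"<html><body><h1>HTTP Status 404</h1></body></html>"
)

if __name__ == "__main__":
    for name, sample in (("default", DEFAULT_404), ("minimal", MINIMAL_404)):
        print(name, check_response(sample) or "clean")
```

Run `probe("your-host")` against a listener after applying the valve settings (and again against a path that throws, to exercise the exception branch); the offline samples show what the two outcomes look like without a server.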
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

Luke Hall <lh...@vocera.com> changed: Status: NEW -> NEEDINFO

--- Comment #3 from Luke Hall <lh...@vocera.com> ---
Is there any possibility that you could provide us with a copy of the updated Tomcat Native library now? My company has several affected servers and we have been struggling to build the library ourselves, but with no success.
RE: [VOTE] Release Apache Tomcat Native 1.1.30
Just tested against a CentOS 6 box configured to be in FIPS mode at boot as per RH's directions, and TCN will not start, tossing the same error I saw before in catalina.out:

Apr 10, 2014 9:01:19 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
java.lang.reflect.InvocationTargetException
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:269)
        at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:108)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:813)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:606)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)

Commenting out line 77 (where the 512 bit RSA key is generated) allows TCN to start and run normally. I don't understand all of the FIPS requirements, but should execution be allowed to continue if we can generate *any* of the initial keys rather than requiring all of them? The logic of the macros in lines 68 through 82 winds up causing the SSL_TMP_KEYS_INIT(r) call at line 692 to fire if any key init fails, rather than seeing if at least one passes.

I did see in the changelog that BZ 56027 is only partially addressed, in that the fipsModeGet() method is now available.

-Rob

From: Robert Sanders [rsand...@trustedcs.com]
Sent: Thursday, April 10, 2014 9:15 AM
To: Tomcat Developers List
Subject: RE: [VOTE] Release Apache Tomcat Native 1.1.30

Is the TCN portion of BZ 56027 addressed completely or partially with this release? I see the exposure of the FIPS_mode setting, but it looks like the temporary 512 bit RSA key is still being done in the SSL_TMP_KEYS_INIT macro (line 77). When I hacked my workaround earlier this year I had to make sure I didn't call FIPS_mode_set if it was already set and disable the 512 bit key to get TCN to spin up correctly.

-Rob

From: Mladen Turk [mt...@apache.org]
Sent: Thursday, April 10, 2014 9:01 AM
To: dev@tomcat.apache.org
Subject: Re: [VOTE] Release Apache Tomcat Native 1.1.30

On 04/10/2014 02:56 PM, Ognjen Blagojevic wrote:
> Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.
> - Filippo.io [1] reports it is not vulnerable to Heartbleed bug.
> - SSLLabs [2] reports it is not vulnerable to Heartbleed bug.
> - SSLLabs reports that Forward secrecy is enabled when proper cipher suites (including EECDH/ECDHE) are enabled.
> - Smoke tests of APR, with and without TLS, all passed.

Cool. Thanks

--
^TM
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #4 from Mike Noordermeer <m...@normi.net> ---
While I understand that the disclosure process of this bug has been far from optimal, and I really appreciate all the effort the maintainer(s) spend on this project, a turnaround time of 3 days for such a critical issue is not acceptable and is currently forcing us to use the Java SSL implementation and BIO/NIO connectors. Would it, for future reference, be possible to document the Windows library build process better? We too have been struggling (and failing) to build the library ourselves, which has forced us to switch to the BIO connector due to the extreme severity of the issue.
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

Mike Noordermeer <m...@normi.net> changed: Status: NEEDINFO -> NEW

--- Comment #5 from Mike Noordermeer <m...@normi.net> ---
BTW, Luke, the intended release can be found at http://people.apache.org/~mturk/native/1.1.30/.
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #6 from jeffrey.jan...@polydyne.com ---
Thanks to Mladen for his effort on getting this out as fast as he has. The ease with which this problem was addressable on the *NIX platforms leads me to ask if there is a better way of addressing the native libraries in the Windows world? The *NIX guys could just go get the latest OpenSSL version, install it, and restart their Tomcats, because the libraries are dynamically linked. However, the Windows version is statically linked, so we had to wait for Mladen to work his magic or try to do the build ourselves using minimal instructions. My question is, what would be the downside to leaving the Windows version as a set of 2 or 3 dll files instead of statically linking them as they are now?
[Bug 55915] Add ECDHE support to tcnative-1.dll
https://issues.apache.org/bugzilla/show_bug.cgi?id=55915

--- Comment #5 from jeffrey.jan...@polydyne.com ---
Wanted to report that the Qualys SSL Labs' SSL test tool is now reporting that, with this version, the ECDHE ciphers are available and will be used by the IE releases that support them (IE8/XP does not). In fact, I am now getting an A rating on the tool and all major browsers are shown to use a cipher that offers Forward Secrecy. Thanks for quickly addressing this one.
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #7 from Konstantin Kolinko <knst.koli...@gmail.com> ---
(In reply to Mike Noordermeer from comment #4)

1. The timing is unfortunate. There is a conference going on right now. Key people are there. http://www.apachecon.com/ Also this bug is where I learned this issue from. Thank you Mike for filing it.

2. Nobody here works for Microsoft. Providing Windows binaries is a courtesy and may stop at any random moment.

> Would it, for future reference, be possible to document the Windows library build process better?

3. Documentation improvement patches are appreciated. You may submit one via Bugzilla.

(In reply to Jeffrey.Janner from comment #6)
> However, the Windows version is statically linked, so we had to wait for Mladen to work his magic or try to do the build ourselves using minimal instructions.

4. a) That would be a mess.
b) Somebody would still need to build OpenSSL for you. http://openssl.org/ provides source code only. See 2.
[Bug 56383] Securing ErrorReportValve
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

Nick Bunn <thrain...@gmail.com> changed: CC: added thrain...@gmail.com
Re: Tagging Tomcat Native 1.1.30
Nice.

On Thu, Apr 10, 2014 at 4:09 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Mladen,
>
> On 4/9/14, 11:42 PM, Mladen Turk wrote:
>> I plan to tag 1.1.30 either later today or tomorrow and push for a quick release vote. Comments?
>
> Go for it. No bugs in it can be worse than this week's OpenSSL vulnerability.
>
> -chris

--
With Regards,
Andrew Carr
e. andrewlanec...@gmail.com
w. andrew.c...@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743
Re: CVE-2014-0160
Thanks for the response, both of you.

On Thu, Apr 10, 2014 at 4:30 AM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> Andrew,
>
> On 4/8/14, 5:43 PM, Andrew Carr wrote:
>> http://www.openssl.org/news/secadv_20140407.txt
>>
>> Hi Tomcat Devs, I have been on the dev list for a few years, and a Tomcat developer longer than that. While I haven't contributed yet, I was curious if this CVE needs a contribution. As far as I can tell, if you recompile your native libs with the unaffected version of SSL, you will not be vulnerable to this CVE. Is that assumption correct, or does there need to be a change to tcnative?
>
> Technically, it's just a re-link, but it makes sense to push out the latest 1.1 branch code and call it 1.1.30 to reduce confusion and to get a few useful features out to the world.
>
> -chris

--
With Regards,
Andrew Carr
e. andrewlanec...@gmail.com
w. andrew.c...@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743
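Since, as the reply above says, the fix is only a re-link against an unaffected OpenSSL, the question for an operator is which OpenSSL the running Tomcat process actually loaded. The following is an added example, not code from this thread or from Tomcat: it parses the APR/OpenSSL startup lines that AprLifecycleListener writes to catalina.out and flags a build in the affected range (1.0.1 through 1.0.1f, plus 1.0.2-beta1, per the OpenSSL advisory linked above). The log lines are constructed, and the exact message format is my recollection of Tomcat 7's messages, so treat the regexes as assumptions to adjust. Reading the version from the running process's own log is the point: a package upgrade without a Tomcat restart changes nothing for the process already running, and a statically linked Windows tcnative carries its own OpenSSL regardless of what is installed on the box.

```python
import re
import sys

# Assumed formats of the lines AprLifecycleListener writes at startup. They are my
# recollection of Tomcat 7's messages, not copied from Tomcat source; adjust if yours differ.
TCNATIVE_RE = re.compile(r"Loaded APR based Apache Tomcat Native library (\d+\.\d+\.\d+)")
OPENSSL_RE = re.compile(
    r"OpenSSL successfully initialized \(OpenSSL (\d+)\.(\d+)\.(\d+)([a-z]?)(?:-beta(\d+))?")


def parse_openssl_version(line):
    """Return (major, minor, fix, letter, beta) from the OpenSSL init line, or None."""
    m = OPENSSL_RE.search(line)
    if not m:
        return None
    major, minor, fix, letter, beta = m.groups()
    return int(major), int(minor), int(fix), letter, (int(beta) if beta else None)


def heartbleed_affected(version):
    """CVE-2014-0160 affects 1.0.1 through 1.0.1f and 1.0.2-beta1 (per the OpenSSL
    advisory); 0.9.8 and 1.0.0 do not carry the TLS heartbeat code and are not affected."""
    major, minor, fix, letter, beta = version
    if (major, minor, fix) == (1, 0, 1):
        return letter < "g"          # "" (plain 1.0.1) up to "f"
    if (major, minor, fix) == (1, 0, 2):
        return beta == 1
    return False


def audit_catalina_out(lines):
    """Scan log lines in order; the last APR/OpenSSL init lines win, since every
    restart logs them again and only the most recent describe the live process."""
    result = {"tcnative": None, "openssl": None, "heartbleed": None}
    for line in lines:
        m = TCNATIVE_RE.search(line)
        if m:
            result["tcnative"] = m.group(1)
        v = parse_openssl_version(line)
        if v is not None:
            result["openssl"] = v
            result["heartbleed"] = heartbleed_affected(v)
    return result


# Constructed sample startup lines (not from a real catalina.out).
SAMPLE_VULNERABLE = [
    "Apr 10, 2014 9:01:19 AM org.apache.catalina.core.AprLifecycleListener init",
    "INFO: Loaded APR based Apache Tomcat Native library 1.1.29 using APR version 1.4.8.",
    "INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].",
    "Apr 10, 2014 9:01:19 AM org.apache.catalina.core.AprLifecycleListener initializeSSL",
    "INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)",
]
SAMPLE_FIXED = [
    "INFO: Loaded APR based Apache Tomcat Native library 1.1.30 using APR version 1.4.8.",
    "INFO: OpenSSL successfully initialized (OpenSSL 1.0.1g 7 Apr 2014)",
]


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            print(audit_catalina_out(fh))
    else:
        print(audit_catalina_out(SAMPLE_VULNERABLE))
```

A result with "heartbleed": None means no OpenSSL init line was seen, which is itself worth noting: either APR/tcnative is not in use (the Java connectors are unaffected by this CVE) or the log has rotated since the last start, in which case the version must be checked another way.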
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #8 from Mike Noordermeer <m...@normi.net> ---
(In reply to Konstantin Kolinko from comment #7)
> 2. Nobody here works for Microsoft. Providing windows binaries is a courtesy and may stop at any random moment.

That's good to know, and may be something to mention on the site, so people don't build production infrastructure on it.

>> Would it, for future reference, be possible to document the Windows library build process better?
> 3. Documentation improvement patches are appreciated. You may submit one via bugzilla.

I would love to improve the documentation, but at the moment it seems nobody knows how the Windows build works except for Mladen. See for instance this post of Mark Thomas: http://mail-archives.apache.org/mod_mbox/tomcat-dev/201205.mbox/%3c4fba6dfc.4090...@apache.org%3E
Re: [VOTE] Release Apache Tomcat Native 1.1.30
On 04/10/2014 03:15 PM, Robert Sanders wrote:
> Is the TCN portion of BZ 56027 addressed completely or partially with this release?

Nope. This issue was not fixed with this release.

Regards
--
^TM
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #9 from jeffrey.jan...@polydyne.com ---
(In reply to Konstantin Kolinko from comment #7)
> (In reply to Jeffrey.Janner from comment #6)
>> However, the Windows version is statically linked, so we had to wait for Mladen to work his magic or try to do the build ourselves using minimal instructions.
> 4. a) That would be a mess.
> b) Somebody would still need to build OpenSSL for you. http://openssl.org/ provides source code only. See 2.

Yep. Luckily, that site has a link (http://www.openssl.org/related/binaries.html) to someone who provides binaries almost as fast as OpenSSL releases them. That site is http://slproweb.com/products/Win32OpenSSL.html. I think in this case he and Mladen had versions available at about the same time, though we're still waiting on an approved release from the ASF. Overall, I'm generally OK getting the full suite from the ASF, it's just that it would be nice to have alternatives.
[Bug 56363] OpenSSL security advisory - Heartbleed bug
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #10 from Mladen Turk <mt...@apache.org> ---
I'll update the BUILDING with a Windows section since everyone is so concerned about my health :)

It's very simple. The biggest problem is compiling apr and openssl. OpenSSL needs to be patched to allow /MD with static lib (something I tried to convince openssl developers of for years without luck). We have the patch in the source dist. Then you have to put apr and openssl include and lib files in some directory:

C:\foo\bar\include
C:\foo\bar\lib

Then execute:

nmake -f NMAKEMakefile WITH_APR=C:\foo\bar WITH_OPENSSL=C:\foo\bar APR_DECLARE_STATIC=1 [ENABLE_OCSP=1]

When building APR I also modify apr.hw and set APR_HAVE_IPV6 to 1. That's it. 10 minutes for all architectures on an average box.

Note. Forget about IDE builds. They change the format of those .dsp, .vcproj whatever files with each version. Use nmake and command line. You'll need them to build openssl anyhow, so why not for all.
[Bug 56381] ServletRequest can be modified by Multiple Threads
https://issues.apache.org/bugzilla/show_bug.cgi?id=56381

--- Comment #2 from Remy Maucherat <r...@apache.org> ---
Yes, sync if needed + clear the facade objects. This is a long running topic that is well suited for the user list.
Re: [VOTE] Release Apache Tomcat Native 1.1.30
Mladen,

On 4/10/14, 9:29 AM, Mladen Turk wrote:
> On 04/10/2014 03:15 PM, Robert Sanders wrote:
>> Is the TCN portion of BZ 56027 addressed completely or partially with this release?
>
> Nope. This issue was not fixed with this release.

The primary tcnative bit was in svn. Did you build 1.1/trunk, or did you just apply certain patches? There was a follow-up comment about the 512-bit RSA key generation which is a separate problem IMO which has not yet been addressed.

-chris
Re: [VOTE] Release Apache Tomcat Native 1.1.30
Mladen,

On 4/10/14, 5:50 AM, Mladen Turk wrote:
> Version 1.1.30 is bug fixing release with added ECDH if supported by OpenSSL library. The proposed release artefacts can be found at [1], and the build was done using tag [2]. The VOTE will remain open for at least 48 hours.

The Apache Tomcat Native 1.1.30 is
[X] Stable, go ahead and release
[ ] Broken because of ...

Thanks for this.

-chris
Re: [VOTE] Release Apache Tomcat Native 1.1.30
2014-04-10 15:50 GMT+04:00 Mladen Turk <mt...@apache.org>:
> Version 1.1.30 is bug fixing release with added ECDH if supported by OpenSSL library. The proposed release artefacts can be found at [1], and the build was done using tag [2]. The VOTE will remain open for at least 48 hours.

The Apache Tomcat Native 1.1.30 is
[x] Stable, go ahead and release
[ ] Broken because of ...

I've run the current 8.0.x (@r1586315) testsuite with JDK 7u51 32-bit on Windows 7 with non-OCSP and with OCSP binaries. Both runs have completed successfully.

Best regards,
Konstantin Kolinko
Re: [VOTE] Release Apache Tomcat Native 1.1.30
On 04/10/2014 05:55 PM, Christopher Schultz wrote:
> Mladen,
>
> On 4/10/14, 9:29 AM, Mladen Turk wrote:
>> On 04/10/2014 03:15 PM, Robert Sanders wrote:
>>> Is the TCN portion of BZ 56027 addressed completely or partially with this release?
>>
>> Nope. This issue was not fixed with this release.
>
> The primary tcnative bit was in svn. Did you build 1.1/trunk, or did you just apply certain patches? There was a follow-up comment about the 512-bit RSA key generation which is a separate problem IMO which has not yet been addressed.

See the top email. It contains the tag used for builds.

Regards
--
^TM
RE: [VOTE] Release Apache Tomcat Native 1.1.30
I'll concur with Chris for release. WRT BZ 56027 there is no regression. The exposure of the fipsModeGet will be useful moving forward to have the main Tomcat code avoid a double call to initialize SSL, but someone with more understanding of the FIPS requirements than I do should look at how TCN is pre-generating key lengths.

-R

The Apache Tomcat Native 1.1.30 is
[X] Stable, go ahead and release
[ ] Broken because of ...
Re: [VOTE] Release Apache Tomcat Native 1.1.30
On 04/10/2014 05:55 PM, Christopher Schultz wrote:
> Mladen,
>
> On 4/10/14, 9:29 AM, Mladen Turk wrote:
>> On 04/10/2014 03:15 PM, Robert Sanders wrote:
>>> Is the TCN portion of BZ 56027 addressed completely or partially with this release?
>>
>> Nope. This issue was not fixed with this release.
>
> The primary tcnative bit was in svn. Did you build 1.1/trunk, or did you just apply certain patches? There was a follow-up comment about the 512-bit RSA key generation which is a separate problem IMO which has not yet been addressed.

Ah, now I saw your commit. You will have to apply this to branches/1.1.x. This is where the releases are coming from. Trunk is just a playground and probably expecting a major rewrite, so don't bother with it :)

Regards
--
^TM
[Bug 55943] Provide a way prevent looking at the System classloader before the webapp classloaders
https://issues.apache.org/bugzilla/show_bug.cgi?id=55943

--- Comment #12 from hifisoftw...@gmail.com ---
I was able to figure out the fix. When I added the following line to the context.xml file, class loader behaviour was restored:

<Loader delegate="true"/>

Thanks
[Bug 56382] Add logging of deployment time
https://issues.apache.org/bugzilla/show_bug.cgi?id=56382

--- Comment #2 from Konstantin Kolinko <knst.koli...@gmail.com> ---
Comment on attachment 31506 -- https://issues.apache.org/bugzilla/attachment.cgi?id=31506 Proposed patch

In reply to attachment 31506:

if( log.isInfoEnabled() ) +startTime = System.currentTimeMillis(); log.info(sm.getString(hostConfig.deployDir, dir.getAbsolutePath()));

1. The above change breaks the code, because of missing '{' after an 'if' above.

System.currentTimeMillis() - startTime

2. Boxing and unboxing have to be explicit, per our coding rules.

3. This covers only 'deployDirectory(..)' method. What about the others?
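Review bot: `startTime = System.currentTimeMillis();` paired with the later `System.currentTimeMillis() - startTime` measures an interval with the wall clock, which can step backwards or forwards under NTP correction and then report a negative or wildly wrong deployment time; use `System.nanoTime()` for the two readings and convert the difference to milliseconds only when formatting the log message. Taking the start reading inside the `log.isInfoEnabled()` guard also means the end-of-deployment line will compute against an unset value if the log level is raised between the two points, so read the clock unconditionally and guard only the logging.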
[Bug 56383] Securing ErrorReportValve
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

Konstantin Kolinko <knst.koli...@gmail.com> changed: Attachment #31507 "is patch": 0 -> 1
[Bug 56383] Securing ErrorReportValve
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

--- Comment #1 from Konstantin Kolinko <knst.koli...@gmail.com> ---
Comment on attachment 31507 -- https://issues.apache.org/bugzilla/attachment.cgi?id=31507 Patch for ErrorReportValve

1. Add getter methods?
2. Expose new attributes via JMX? (Update mbeans-descriptors.xml file in the same package)
3. Documentation? (Update webapps/docs/config/valve.xml. A bit more work than usual, because ErrorReportValve is not documented there at all)
NIO2 connector status
Hi,

With some fixes in, I think the status is now better than what the welcome message says, which is:
"The NIO2 connector is currently EXPERIMENTAL and should not be used in production"

In preparation for the next build, I would like to update it to:
"The NIO2 connector is currently BETA and should not be used in production"

It is now supposed to be doing semi-useful things, but with possible remaining bugs. At least it can be tested. The known issue is that (possible) testsuite failure:

test.entry=org.apache.tomcat.websocket.TestWebSocketFrameClientSSL
test.entry.methods=testConnectToServerEndpoint

(after removing the assertion) But I haven't been able to reproduce it despite lots of hacks to skew the timings. The most current theory given the symptoms is it would be a missing onWritePossible event (but no idea why it is SSL specific, and I did some theoretical tightening which didn't improve anything so I'm not sure there's an issue with that). So if someone has better luck and (hopefully) has an idea how to fix it, I'm interested. Other than this one, the testsuite now seems very reliable on NIO2, which cannot hurt.

Rémy
Re: [VOTE] Release Apache Tomcat Native 1.1.30
On 04/10/2014 01:50 PM, Mladen Turk wrote:
> The Apache Tomcat Native 1.1.30 is

[X] Stable, go ahead and release
[ ] Broken because of ...

My vote, FTR.

Regards
--
^TM
Re: svn commit: r1585657 - /tomcat/jk/trunk/native/common/jk_connect.c
2014-04-08 11:52 GMT+04:00 <mt...@apache.org>:

Author: mturk Date: Tue Apr 8 07:52:56 2014 New Revision: 1585657 URL: http://svn.apache.org/r1585657 Log: Use port when calling getaddrinfo and skip bogus addresses Modified: tomcat/jk/trunk/native/common/jk_connect.c Modified: tomcat/jk/trunk/native/common/jk_connect.c URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_connect.c?rev=1585657r1=1585656r2=1585657view=diff == --- tomcat/jk/trunk/native/common/jk_connect.c (original) +++ tomcat/jk/trunk/native/common/jk_connect.c Tue Apr 8 07:52:56 2014 @@ -430,6 +430,8 @@ int jk_resolve(const char *host, int por */ struct addrinfo hints, *ai_list, *ai = NULL; int error; +char pbuf[12]; +char *pbufptr = NULL; memset(hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; @@ -440,7 +442,11 @@ int jk_resolve(const char *host, int por else #endif hints.ai_family = JK_INET; -error = getaddrinfo(host, NULL, hints, ai_list); +if (port 0) { +snprintf(pbuf, port, sizeof(pbuf)); +pbufptr = pbuf; +} +error = getaddrinfo(host, pbufptr, hints, ai_list);

The getaddrinfo method is called twice in this method. The above modifies the first call. Apply the same change to the second call, a few lines below?

Best regards,
Konstantin Kolinko
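Review bot: as rendered here the new call reads `snprintf(pbuf, port, sizeof(pbuf));`, which passes the port where the buffer size belongs and has no format string; confirm the committed line is `snprintf(pbuf, sizeof(pbuf), "%d", port);` (12 bytes is enough for any int plus the terminator, and `port > 0` has already been checked). Because the service argument is always numeric here, also set `hints.ai_flags |= AI_NUMERICSERV` where the platform defines it, so getaddrinfo never consults the services database for it. The second getaddrinfo call below this hunk needs the same change, as the reply notes.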
Please add to ContributorsGroup.
HI Please add to the ContributorsGroup in order to edit the Tomcat wiki. name: KeiichiFujino -- Keiichi.Fujino
Re: Please add to ContributorsGroup.
On 10/04/2014 15:43, Keiichi Fujino wrote:
> HI
> Please add to the ContributorsGroup in order to edit the Tomcat wiki.
> name: KeiichiFujino

Done.

Mark
[Tomcat Wiki] Update of ContributorsGroup by markt
Dear Wiki user,

You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification.

The ContributorsGroup page has been changed by markt:
https://wiki.apache.org/tomcat/ContributorsGroup?action=diff&rev1=19&rev2=20

 * PierreJean * GaryBriggs * JeanFredericClere + * KeiichiFujino
svn commit: r1586478 - in /tomcat/trunk: java/org/apache/catalina/webresources/CachedResource.java webapps/docs/changelog.xml
Author: markt Date: Thu Apr 10 22:02:14 2014 New Revision: 1586478 URL: http://svn.apache.org/r1586478 Log: Ensure that the static resource cache is able to detect when a cache entry is invalidated by being overridden by a new resource in a different WebResourceSet Modified: tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java?rev=1586478r1=1586477r2=1586478view=diff == --- tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java (original) +++ tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java Thu Apr 10 22:02:14 2014 @@ -89,8 +89,9 @@ public class CachedResource implements W return true; } -if (!webResource.exists() root.getResourceInternal( -webAppPath, useClassLoaderResources).exists()) { +WebResource webResourceInternal = root.getResourceInternal( +webAppPath, useClassLoaderResources); +if (!webResource.exists() webResourceInternal.exists()) { return false; } @@ -101,6 +102,13 @@ public class CachedResource implements W return false; } +// Has a resource been inserted / removed in a different resource set +if (webResource.getLastModified() != webResourceInternal.getLastModified() || +webResource.getContentLength() != webResourceInternal.getContentLength()) { +return false; +} + + nextCheck = ttl + now; return true; } Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1586478r1=1586477r2=1586478view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Thu Apr 10 22:02:14 2014 
@@ -83,6 +83,11 @@ bug56365/bug: Simplify file name pattern matching code in codeStandardJarScanner/code. (kkolinko) /scode + fix +Ensure that the static resource cache is able to detect when a cache +entry is invalidated by being overridden by a new resource in a +different codeWebResourceSet/code. (markt) + /fix /changelog /subsection subsection name=Coyote
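Review bot: the new validity check in `CachedResource` compares only last-modified time and content length between the cached `webResource` and the freshly looked-up `webResourceInternal`, so a resource overridden in another `WebResourceSet` by a file of identical size and timestamp (a copy made with timestamps preserved, or two builds of the same artifact) is still served from the cache until its TTL expires; comparing the resource's URL or canonical path as well, which identifies the set it came from, closes that gap. The `root.getResourceInternal(...)` lookup is also now performed on every validation instead of only when `webResource` does not exist, which is the cost of this fix and worth a sentence in the changelog entry.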
[Tomcat Wiki] Update of summit-na-2014 by KeiichiFujino
Dear Wiki user,

You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification.

The summit-na-2014 page has been changed by KeiichiFujino:
https://wiki.apache.org/tomcat/summit-na-2014?action=diff&rev1=10&rev2=11

 * mavenization of build * Arquillian tests * Additions to authentication/realm API to improve extension capabilities (e.g. support bcrypt, pbkdf2, etc.) + * Monitoring of Tomcat Cluster(Tribes) by mbean. * Please add your topics here...
[Tomcat Wiki] Update of summit-na-2014 by KeiichiFujino
Dear Wiki user,

You have subscribed to a wiki page or wiki category on Tomcat Wiki for change notification.

The summit-na-2014 page has been changed by KeiichiFujino:
https://wiki.apache.org/tomcat/summit-na-2014?action=diff&rev1=11&rev2=12

 * Arquillian tests * Additions to authentication/realm API to improve extension capabilities (e.g. support bcrypt, pbkdf2, etc.) * Monitoring of Tomcat Cluster(Tribes) by mbean. + * Improvement of Cluster Deployer(FarmWarDeployer). + * When adding new cluster membe, synchronize the war that is deployed on the master node. + * Add support for parallel deployment. * Please add your topics here...
Re: Java 8 compatibility for Tomcat 7
On 10/04/2014 02:34, Christopher Schultz wrote:
> Mark,
>
> On 4/8/14, 10:55 AM, Mark Thomas wrote:
>> On 08/04/2014 06:32, Emmanuel Bourg wrote:
>>> On 08/04/2014 14:03, Mark Thomas wrote:
>>>> Can you provide the details of the failure. That might help ID a solution.
>>>
>>> Thank you, here is the build log on Debian:
>>> http://87.98.165.193/debian/openjdk8-rebuild/logs-failed-jdk8/tomcat7_7.0.52-1_unstable_jdk8.log
>>>
>>> [javac] /«PKGBUILDDIR»/java/org/apache/catalina/tribes/tipis/AbstractReplicatedMap.java:1107: error: keySet() in AbstractReplicatedMap cannot override keySet() in ConcurrentHashMap
>>> [javac]     public Set<Object> keySet() {
>>> [javac]            ^
>>> [javac]   return type Set<Object> is not compatible with KeySetView<K,V>
>>> [javac]   where K,V are type-variables:
>>> [javac]     K extends Object declared in class ConcurrentHashMap
>>> [javac]     V extends Object declared in class ConcurrentHashMap
>>>
>>> This issue is caused by the addition of a keySet() method to ConcurrentHashMap in Java 8 with a return type incompatible with the keySet() method in AbstractReplicatedMap. In r1222329 AbstractReplicatedMap was changed to no longer inherit ConcurrentHashMap and implement directly the Map interface. This had the side effect of fixing this Java 8 issue for Tomcat 8.
>>
>> That looks like something we are going to need to fix but any fix is going to have to change the API. On that basis, back-porting r1222329 is probably the best option. Any objections to back-porting this fix to 7.0.x?
>
> +1 to back-porting

I spoke with Filip at ApacheCon. This is meant to be an internal API so the refactoring should be safe. I've done the back-port and fixed a handful of IDE warnings while I was at it.

Mark
svn commit: r1586500 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/ha/context/ java/org/apache/catalina/ha/session/ java/org/apache/catalina/tribes/tipis/ test/org/apache/catalina/tribes/dem
Author: markt Date: Thu Apr 10 23:21:19 2014 New Revision: 1586500 URL: http://svn.apache.org/r1586500 Log: Backport refactoring of AbstractReplicatedMap to implement Map rather than extend ConcurrentHashMap to enable Tomcat 7 to be built with Java 8. Modified: tomcat/tc7.0.x/trunk/ (props changed) tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/session/BackupManager.java tomcat/tc7.0.x/trunk/java/org/apache/catalina/tribes/tipis/AbstractReplicatedMap.java tomcat/tc7.0.x/trunk/java/org/apache/catalina/tribes/tipis/LazyReplicatedMap.java tomcat/tc7.0.x/trunk/java/org/apache/catalina/tribes/tipis/ReplicatedMap.java tomcat/tc7.0.x/trunk/test/org/apache/catalina/tribes/demos/MapDemo.java tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Propchange: tomcat/tc7.0.x/trunk/ -- Merged /tomcat/trunk:r1222329 Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java?rev=1586500r1=1586499r2=1586500view=diff == --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java Thu Apr 10 23:21:19 2014 @@ -16,10 +16,10 @@ */ package org.apache.catalina.ha.context; -import java.util.AbstractMap; import java.util.Collections; import java.util.Enumeration; import java.util.HashSet; +import java.util.Map; import java.util.Set; import java.util.concurrent.ConcurrentHashMap; 
@@ -61,8 +61,10 @@ public class ReplicatedContext extends S CatalinaCluster catclust = (CatalinaCluster)this.getCluster(); if (this.context == null) this.context = new ReplApplContext(this); if ( catclust != null ) { -ReplicatedMap map = new ReplicatedMap(this,catclust.getChannel(),DEFAULT_REPL_TIMEOUT, - getName(),getClassLoaders()); +ReplicatedMapString,Object map = +new ReplicatedMapString,Object(this, +catclust.getChannel(),DEFAULT_REPL_TIMEOUT, +getName(),getClassLoaders()); map.setChannelSendOptions(mapSendOptions); ((ReplApplContext)this.context).setAttributeMap(map); if (getAltDDName() != null) context.setAttribute(Globals.ALT_DD_ATTR, getAltDDName()); @@ -86,10 +88,10 @@ public class ReplicatedContext extends S super.stopInternal(); -AbstractMapString,Object map = -((ReplApplContext)this.context).getAttributeMap(); +MapString,Object map = +((ReplApplContext)this.context).getAttributeMap(); if ( map!=null map instanceof ReplicatedMap) { -((ReplicatedMap)map).breakdown(); +((ReplicatedMap?,?)map).breakdown(); } } @@ -145,10 +147,10 @@ public class ReplicatedContext extends S return super.getFacade(); } -public AbstractMapString,Object getAttributeMap() { -return (AbstractMapString,Object)this.attributes; +public MapString,Object getAttributeMap() { +return this.attributes; } -public void setAttributeMap(AbstractMapString,Object map) { +public void setAttributeMap(MapString,Object map) { this.attributes = map; } Modified: tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/session/BackupManager.java URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/session/BackupManager.java?rev=1586500r1=1586499r2=1586500view=diff == --- tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/session/BackupManager.java (original) +++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/session/BackupManager.java Thu Apr 10 23:21:19 2014 
@@ -115,7 +115,8 @@ public class BackupManager extends Clust @Override public ClusterMessage requestCompleted(String sessionId) { if (!getState().isAvailable()) return null; -LazyReplicatedMap map = (LazyReplicatedMap)sessions; +LazyReplicatedMapString,Session map = +(LazyReplicatedMapString,Session)sessions; map.replicate(sessionId,false); return null; } @@ -159,7 +160,6 @@ public class BackupManager extends Clust * @exception LifecycleException if this component detects a fatal error * that prevents this component from being used */ -@SuppressWarnings(unchecked) @Override protected synchronized void
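Review bot: in the ReplicatedContext.stopInternal() hunk the condition `map!=null && map instanceof ReplicatedMap` keeps a null check that `instanceof` already performs (it is false for null), so `if (map instanceof ReplicatedMap)` is enough; the cast to the wildcard type `ReplicatedMap<?,?>` before `breakdown()` is the right way to silence the raw-type warning, since the element types are not needed for a shutdown call.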
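Review bot: in the BackupManager.requestCompleted() hunk the cast `(LazyReplicatedMap<String,Session>)sessions` is only a checked cast if the `sessions` field is declared with matching type arguments (`Map<String,Session>`); if that field is still raw or typed `Map<String,Object>`, this line will produce the very unchecked warning that the following hunk stops suppressing by removing `@SuppressWarnings("unchecked")`. The field declaration is outside this diff, so it is worth confirming before the backport is closed.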
svn commit: r1586501 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/tomcat/util/descriptor/LocalResolver.java java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java webapps/docs/changelog.
Author: markt Date: Thu Apr 10 23:25:06 2014 New Revision: 1586501 URL: http://svn.apache.org/r1586501 Log: Add a work around for validating XML documents (often TLDs) that use just the file name to refer to refer to the JavaEE schema on which they are based. Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/LocalResolver.java tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1586501r1=1586500r2=1586501view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Apr 10 23:25:06 2014 @@ -28,14 +28,6 @@ None PATCHES PROPOSED TO BACKPORT: [ New proposals should be added at the end of the list ] -* Add a work around for validating XML documents (often TLDs) that use - just the file name to refer to refer to the JavaEE schema on which they - are based. - (Backport of r1579931) - https://people.apache.org/~kkolinko/patches/2014-04-05_tc6_LocalResolver_nameOnly.patch - +1: kkolinko, markt, schultz - -1: - PATCHES/ISSUES THAT ARE STALLED: Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/LocalResolver.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/LocalResolver.java?rev=1586501r1=1586500r2=1586501view=diff == --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/LocalResolver.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/LocalResolver.java Thu Apr 10 23:25:06 2014 
@@ -37,6 +37,11 @@ public class LocalResolver implements En private static final StringManager sm = StringManager.getManager(Constants.PACKAGE_NAME); +private static final String[] JAVA_EE_NAMESPACES = { +XmlIdentifiers.JAVAEE_1_4_NS, +XmlIdentifiers.JAVAEE_5_NS }; + + private final MapString,String publicIds; private final MapString,String systemIds; private final boolean blockExternal; @@ -92,6 +97,18 @@ public class LocalResolver implements En return is; } +// Work-around for XML documents that use just the file name for the +// location to refer to a JavaEE schema +for (String javaEENamespace : JAVA_EE_NAMESPACES) { +String javaEESystemId = javaEENamespace + '/' + systemId; +resolved = systemIds.get(javaEESystemId); +if (resolved != null) { +InputSource is = new InputSource(resolved); +is.setPublicId(publicId); +return is; +} +} + // Resolve the supplied systemId against the base URI systemUri; try { Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java?rev=1586501r1=1586500r2=1586501view=diff == --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java Thu Apr 10 23:25:06 2014 @@ -49,6 +49,8 @@ public final class XmlIdentifiers { http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd;; // from J2EE 1.4 +public static final String JAVAEE_1_4_NS = +http://java.sun.com/xml/ns/j2ee;; public static final String WEB_24_XSD = http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd;; public static final String TLD_20_XSD = 
@@ -57,6 +59,8 @@ public final class XmlIdentifiers { http://www.ibm.com/webservices/xsd/j2ee_web_services_1_1.xsd;; // from JavaEE 5 +public static final String JAVAEE_5_NS = +http://java.sun.com/xml/ns/javaee;; public static final String WEB_25_XSD = http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd;; public static final String TLD_21_XSD = Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1586501r1=1586500r2=1586501view=diff == --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Apr 10 23:25:06 2014 @@ -77,6 +77,11 @@ Prevent user supplied XSLTs used by the DefaultServlet from defining external entities. (markt) /fix + fix +Add a work around for validating XML documents (often TLDs) that use +
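Review bot: the new loop in LocalResolver (second hunk of LocalResolver.java) looks up `javaEENamespace + '/' + systemId` only in the preloaded `systemIds` map and performs no I/O of its own, so a TLD that references a JavaEE schema by bare file name now gets the bundled copy rather than failing, and the set of resolvable locations is not widened: a bare name that is not a known JavaEE schema still falls through to the existing base-URI path. Because the work-around runs before the systemId is resolved against `systemUri`, a same-named file shipped next to the TLD is now shadowed by the bundled schema; the changelog entry should say so. Style: the `JAVA_EE_NAMESPACES` declaration is followed by two blank lines where one would do.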
svn commit: r1586509 - /tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java
Author: markt Date: Thu Apr 10 23:48:33 2014 New Revision: 1586509 URL: http://svn.apache.org/r1586509 Log: CTR Javadoc Fix warning Modified: tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java Modified: tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java?rev=1586509r1=1586508r2=1586509view=diff == --- tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java Thu Apr 10 23:48:33 2014 @@ -5,9 +5,9 @@ * The ASF licenses this file to You under the Apache License, Version 2.0 * (the License); you may not use this file except in compliance with * the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an AS IS BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
@@ -42,38 +42,38 @@ import org.apache.el.util.ReflectionUtil /** * An codeExpression/code that refers to a method on an object. - * + * * p * codeThe {@link ExpressionFactory#createMethodExpression} method * can be used to parse an expression string and return a concrete instance * of codeMethodExpression/code that encapsulates the parsed expression. - * The {@link FunctionMapper} is used at parse time, not evaluation time, - * so one is not needed to evaluate an expression using this class. + * The {@link FunctionMapper} is used at parse time, not evaluation time, + * so one is not needed to evaluate an expression using this class. * However, the {@link ELContext} is needed at evaluation time./p * - * pThe {@link #getMethodInfo} and {@link #invoke} methods will evaluate the - * expression each time they are called. The {@link ELResolver} in the - * codeELContext/code is used to resolve the top-level variables and to - * determine the behavior of the code./code and code[]/code - * operators. For any of the two methods, the {@link ELResolver#getValue} - * method is used to resolve all properties up to but excluding the last + * pThe {@link #getMethodInfo} and {@link #invoke} methods will evaluate the + * expression each time they are called. The {@link ELResolver} in the + * codeELContext/code is used to resolve the top-level variables and to + * determine the behavior of the code./code and code[]/code + * operators. For any of the two methods, the {@link ELResolver#getValue} + * method is used to resolve all properties up to but excluding the last * one. This provides the codebase/code object on which the method - * appears. If the codebase/code object is null, a - * codeNullPointerException/code must be thrown. At the last resolution, + * appears. If the codebase/code object is null, a + * codeNullPointerException/code must be thrown. 
At the last resolution, * the final codeproperty/code is then coerced to a codeString/code, - * which provides the name of the method to be found. A method matching the - * name and expected parameters provided at parse time is found and it is + * which provides the name of the method to be found. A method matching the + * name and expected parameters provided at parse time is found and it is * either queried or invoked (depending on the method called on this * codeMethodExpression/code)./p * - * pSee the notes about comparison, serialization and immutability in + * pSee the notes about comparison, serialization and immutability in * the {@link Expression} javadocs. * * @see javax.el.ELResolver * @see javax.el.Expression * @see javax.el.ExpressionFactory * @see javax.el.MethodExpression - * + * * @author Jacob Hookom [ja...@hookom.net] * */ @@ -93,7 +93,7 @@ public final class MethodExpressionImpl private Class[] paramTypes; /** - * + * */ public MethodExpressionImpl() { super(); @@ -121,7 +121,7 @@ public final class MethodExpressionImpl /** * Determines whether the specified object is equal to this * codeExpression/code. - * + * * p * The result is codetrue/code if and only if the argument is not * codenull/code, is an codeExpression/code object that is the @@ -129,7 +129,7 @@ public final class MethodExpressionImpl * codeMethodExpression/code), and has an identical parsed * representation. * /p - * + * * p * Note that two expressions can be equal if their expression Strings are * different. For example, code${fn1:foo()}/code and @@ -137,7 +137,7 @@ public final class MethodExpressionImpl * codeFunctionMapper/codes mapped codefn1:foo/code and * codefn2:foo/code to the same method. * /p -
svn commit: r1586510 - /tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java
Author: markt Date: Thu Apr 10 23:49:00 2014 New Revision: 1586510 URL: http://svn.apache.org/r1586510 Log: CTR Javadoc Fix warning Modified: tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java Modified: tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java?rev=1586510r1=1586509r2=1586510view=diff == --- tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java Thu Apr 10 23:49:00 2014 @@ -5,9 +5,9 @@ * The ASF licenses this file to You under the Apache License, Version 2.0 * (the License); you may not use this file except in compliance with * the License. You may obtain a copy of the License at - * + * * http://www.apache.org/licenses/LICENSE-2.0 - * + * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an AS IS BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. @@ -43,7 +43,7 @@ import org.apache.el.util.ReflectionUtil /** * An codeExpression/code that can get or set a value. - * + * * p * In previous incarnations of this API, expressions could only be read. * codeValueExpression/code objects can now be used both to retrieve a 
@@ -55,37 +55,37 @@ import org.apache.el.util.ReflectionUtil * details. Expressions that cannot be used as l-values must always return * codetrue/code from codeisReadOnly()/code. * /p - * + * * p * codeThe {@link ExpressionFactory#createValueExpression} method * can be used to parse an expression string and return a concrete instance * of codeValueExpression/code that encapsulates the parsed expression. - * The {@link FunctionMapper} is used at parse time, not evaluation time, - * so one is not needed to evaluate an expression using this class. + * The {@link FunctionMapper} is used at parse time, not evaluation time, + * so one is not needed to evaluate an expression using this class. * However, the {@link ELContext} is needed at evaluation time./p * * pThe {@link #getValue}, {@link #setValue}, {@link #isReadOnly} and * {@link #getType} methods will evaluate the expression each time they are - * called. The {@link ELResolver} in the codeELContext/code is used to + * called. The {@link ELResolver} in the codeELContext/code is used to * resolve the top-level variables and to determine the behavior of the * code./code and code[]/code operators. For any of the four methods, - * the {@link ELResolver#getValue} method is used to resolve all properties - * up to but excluding the last one. This provides the codebase/code - * object. At the last resolution, the codeValueExpression/code will - * call the corresponding {@link ELResolver#getValue}, - * {@link ELResolver#setValue}, {@link ELResolver#isReadOnly} or - * {@link ELResolver#getType} method, depending on which was called on + * the {@link ELResolver#getValue} method is used to resolve all properties + * up to but excluding the last one. This provides the codebase/code + * object. 
At the last resolution, the codeValueExpression/code will + * call the corresponding {@link ELResolver#getValue}, + * {@link ELResolver#setValue}, {@link ELResolver#isReadOnly} or + * {@link ELResolver#getType} method, depending on which was called on * the codeValueExpression/code. * /p * - * pSee the notes about comparison, serialization and immutability in + * pSee the notes about comparison, serialization and immutability in * the {@link Expression} javadocs. * * @see javax.el.ELResolver * @see javax.el.Expression * @see javax.el.ExpressionFactory * @see javax.el.ValueExpression - * + * * @author Jacob Hookom [ja...@hookom.net] * */ @@ -107,7 +107,7 @@ public final class ValueExpressionImpl e } /** - * + * */ public ValueExpressionImpl(String expr, Node node, FunctionMapper fnMapper, VariableMapper varMapper, Class expectedType) { @@ -120,7 +120,7 @@ public final class ValueExpressionImpl e /* * (non-Javadoc) - * + * * @see java.lang.Object#equals(java.lang.Object) */ public boolean equals(Object obj) { @@ -130,7 +130,7 @@ public final class ValueExpressionImpl e /* * (non-Javadoc) - * + * * @see javax.el.ValueExpression#getExpectedType() */ public Class getExpectedType() { @@ -140,21 +140,17 @@ public final class ValueExpressionImpl e /** * Returns the type the result of the expression will be coerced to after * evaluation. - * + * * @return the codeexpectedType/code passed to the * codeExpressionFactory.createValueExpression/code method * that created this codeValueExpression/code. -
svn commit: r1586512 - /tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java
Author: markt Date: Thu Apr 10 23:50:16 2014 New Revision: 1586512 URL: http://svn.apache.org/r1586512 Log: CTR Javadoc Fix warning Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java?rev=1586512r1=1586511r2=1586512view=diff == --- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java Thu Apr 10 23:50:16 2014 @@ -37,9 +37,9 @@ public final class Cookies { // extends private static org.apache.juli.logging.Log log= org.apache.juli.logging.LogFactory.getLog(Cookies.class ); - + // expected average number of cookies per request -public static final int INITIAL_SIZE=4; +public static final int INITIAL_SIZE=4; ServerCookie scookies[]=new ServerCookie[INITIAL_SIZE]; int cookieCount=0; boolean unprocessed=true; @@ -51,16 +51,16 @@ public final class Cookies { // extends * being quoted. */ public static final boolean ALLOW_EQUALS_IN_VALUE; - + /* List of Separator Characters (see isSeparator()) -Excluding the '/' char violates the RFC, but +Excluding the '/' char violates the RFC, but it looks like a lot of people put '/' -in unquoted values: '/': ; //47 -'\t':9 ' ':32 '\':34 '(':40 ')':41 ',':44 ':':58 ';':59 '':60 +in unquoted values: '/': ; //47 +'\t':9 ' ':32 '\':34 '(':40 ')':41 ',':44 ':':58 ';':59 '':60 '=':61 '':62 '?':63 '@':64 '[':91 '\\':92 ']':93 '{':123 '}':125 */ -public static final char SEPARATORS[] = { '\t', ' ', '\', '(', ')', ',', +public static final char SEPARATORS[] = { '\t', ' ', '\', '(', ')', ',', ':', ';', '', '=', '', '?', '@', '[', '\\', ']', '{', '}' }; protected static final boolean separators[] = new boolean[128]; 
@@ -71,7 +71,7 @@ public final class Cookies { // extends for (int i = 0; i SEPARATORS.length; i++) { separators[SEPARATORS[i]] = true; } - + ALLOW_EQUALS_IN_VALUE = Boolean.valueOf(System.getProperty( org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE, false)).booleanValue(); @@ -138,7 +138,7 @@ public final class Cookies { // extends } // Indexed access - + public ServerCookie getCookie( int idx ) { if( unprocessed ) { getCookieCount(); // will also update the cookies @@ -166,7 +166,7 @@ public final class Cookies { // extends System.arraycopy( scookies, 0, scookiesTmp, 0, cookieCount); scookies=scookiesTmp; } - + ServerCookie c = scookies[cookieCount]; if( c==null ) { c= new ServerCookie(); @@ -177,7 +177,7 @@ public final class Cookies { // extends } -// code from CookieTools +// code from CookieTools /** Add all Cookie found in the headers of a request. */ @@ -227,11 +227,11 @@ public final class Cookies { // extends } return true; } - + // - // DEPRECATED, OLD - + private void processCookieHeader( String cookieString ) { if( dbg0 ) log( Parsing cookie header + cookieString ); @@ -245,17 +245,17 @@ public final class Cookies { // extends String token = tok.nextToken(); int i = token.indexOf(=); if (i -1) { - + // XXX // the trims here are a *hack* -- this should // be more properly fixed to be spec compliant - + String name = token.substring(0, i).trim(); String value = token.substring(i+1, token.length()).trim(); -// RFC 2109 and bug +// RFC 2109 and bug value=stripQuote( value ); ServerCookie cookie = addCookie(); - + cookie.getName().setString(name); cookie.getValue().setString(value); if( dbg 0 ) log( Add cookie + name + = + value); 
@@ -269,12 +269,11 @@ public final class Cookies { // extends * * Strips quotes from the start and end of the cookie string * This conforms to RFC 2965 - * - * @param valuea codeString/code specifying the cookie - * value (possibly quoted). * - * @see #setValue + * @param valuea codeString/code specifying the cookie + * value (possibly quoted). * + *
Tomcat 6 timing of next release
The various backports have now been applied. It makes sense to wait for the 1.1.30 release to pick up the OpenSSL fix for Windows users so I'm currently planning on tagging this early next week (assuming 1.1.30 is released).

Mark
Re: Tomcat 6 timing of next release
2014-04-11 3:57 GMT+04:00 Mark Thomas ma...@apache.org:
> The various backports have now been applied. It makes sense to wait for the 1.1.30 release to pick up the OpenSSL fix for Windows users so I'm currently planning on tagging this early next week (assuming 1.1.30 is released).

There is one more Jasper EL regression that I think needs to be addressed in Tomcat 6.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56334

Thus far I have tested that it is reproducible with the war from Bugzilla (in 8.0.x or in 7.0.x, I don't remember), but have not dug further to fix it.

Best regards,
Konstantin Kolinko
[Bug 56383] Securing ErrorReportValve
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

Nick Bunn thrain...@gmail.com changed:
  Attachment #31507 is obsolete: 0 -> 1

--- Comment #2 from Nick Bunn thrain...@gmail.com ---
Created attachment 31510
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31510&action=edit
Patch for ErrorReportValve_02

Added
* Getter methods
* Exposed new attributes via JMX?
* Updated Documentation
Re: svn commit: r1585657 - /tomcat/jk/trunk/native/common/jk_connect.c
On 04/10/2014 09:57 PM, Konstantin Kolinko wrote: 2014-04-08 11:52 GMT+04:00 mt...@apache.org: Author: mturk Date: Tue Apr 8 07:52:56 2014 New Revision: 1585657 URL: http://svn.apache.org/r1585657 Log: Use port when calling getaddrinfo and skip bogus addresses Modified: tomcat/jk/trunk/native/common/jk_connect.c Modified: tomcat/jk/trunk/native/common/jk_connect.c URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_connect.c?rev=1585657r1=1585656r2=1585657view=diff == --- tomcat/jk/trunk/native/common/jk_connect.c (original) +++ tomcat/jk/trunk/native/common/jk_connect.c Tue Apr 8 07:52:56 2014 @@ -430,6 +430,8 @@ int jk_resolve(const char *host, int por */ struct addrinfo hints, *ai_list, *ai = NULL; int error; +char pbuf[12]; +char *pbufptr = NULL; memset(hints, 0, sizeof(hints)); hints.ai_socktype = SOCK_STREAM; @@ -440,7 +442,11 @@ int jk_resolve(const char *host, int por else #endif hints.ai_family = JK_INET; -error = getaddrinfo(host, NULL, hints, ai_list); +if (port 0) { +snprintf(pbuf, port, sizeof(pbuf)); +pbufptr = pbuf; +} +error = getaddrinfo(host, pbufptr, hints, ai_list); The getaddrinfo method is called twice in this method. The above modifies the first call. Apply the same change to the second call, a few lines below? Hmm, yes, good catch. Regards -- ^TM - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
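Review bot: as the first hunk of r1585657 appears here, `snprintf(pbuf, port, sizeof(pbuf));` passes the port where the destination size belongs and carries no format string; the intended call is `snprintf(pbuf, sizeof(pbuf), "%d", port);` (the 12-byte `pbuf` is ample for a decimal int). Konstantin's point stands as well: `pbufptr` is only wired into the first getaddrinfo() call, so the retry a few lines below needs the same change or the port is dropped on that path.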
svn commit: r1586578 - /tomcat/jk/trunk/native/common/jk_connect.c
Author: mturk Date: Fri Apr 11 05:56:38 2014 New Revision: 1586578 URL: http://svn.apache.org/r1586578 Log: Ensure that we use port buffer with getaddrinfo call Modified: tomcat/jk/trunk/native/common/jk_connect.c Modified: tomcat/jk/trunk/native/common/jk_connect.c URL: http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_connect.c?rev=1586578r1=1586577r2=1586578view=diff == --- tomcat/jk/trunk/native/common/jk_connect.c (original) +++ tomcat/jk/trunk/native/common/jk_connect.c Fri Apr 11 05:56:38 2014 @@ -454,7 +454,7 @@ int jk_resolve(const char *host, int por */ if (error == EAI_FAMILY prefer_ipv6) { hints.ai_family = JK_INET; -error = getaddrinfo(host, NULL, hints, ai_list); +error = getaddrinfo(host, pbufptr, hints, ai_list); } #endif if (error) { @@ -466,7 +466,7 @@ int jk_resolve(const char *host, int por if (prefer_ipv6) { ai = ai_list; while (ai) { -if (ai-ai_family == AF_INET6) { +if (ai-ai_family == JK_INET6) { /* ignore elements without required address info */ if((ai-ai_addr != NULL) (ai-ai_addrlen 0)) { family = JK_INET6; @@ -480,7 +480,7 @@ int jk_resolve(const char *host, int por if (ai == NULL) { ai = ai_list; while (ai) { -if (ai-ai_family == AF_INET) { +if (ai-ai_family == JK_INET) { /* ignore elements without required address info */ if((ai-ai_addr != NULL) (ai-ai_addrlen 0)) { family = JK_INET; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
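Review bot: the first hunk completes r1585657 by passing `pbufptr` on the EAI_FAMILY retry too, so both getaddrinfo() calls now see the same service string (or NULL when `port <= 0`, which keeps the old behaviour). The two loop hunks replace `AF_INET6`/`AF_INET` with `JK_INET6`/`JK_INET` when testing `ai->ai_family`; the value in `ai_family` is whatever the system resolver returns, i.e. the AF_* constant, so this is a no-op only if `JK_INET6` and `JK_INET` are defined as exactly `AF_INET6` and `AF_INET` on every supported build. If some configuration defines `JK_INET6` differently (for instance when IPv6 support is compiled out), the first loop matches nothing and every host falls through to the IPv4 loop; if that degradation is intended, the log message should say so.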