Re: #tomcat on Freenode?
Coty,

On 9/15/21 10:08, Coty Sutherland wrote:
> Hi all,
>
> It's been quite a while now and all of the communities that I'm a part of have moved from Freenode to Libera.Chat at this point. I can't even access Freenode now without jumping through some hoops to get new credentials, so I'm definitely not doing that. Some users in #tomcat on libera.chat have pointed out that we still reference Freenode from our project page even though none of us are there anymore. Should we just remove the irc page at this point? Or do we want to update it to point to libera.chat? If there are no objections, I'll just update the reference.

+1 to updating the reference to point to Libera.Chat.

-chris

> On Tue, May 25, 2021 at 9:19 AM Coty Sutherland wrote:
>
>> On Thu, May 20, 2021 at 1:03 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>>
>>> Coty,
>>>
>>> On 5/19/21 15:28, Coty Sutherland wrote:
>>>> Hi all,
>>>>
>>>> I was just notified about some mess going on with Freenode which has seemingly resulted in a mass exodus of users from the freenode servers.
>>>
>>> I read about this last night and I immediately thought "I wonder if Coty will say anything about this." :)
>>
>> lol, of course :P
>>
>>> It's an "interesting" situation, for some values of "interesting."
>>>
>>> We (well, Coty) maintains a presence on #freenode because it appears to help some people. Probably a very small number of people (relatively speaking). Removing that resource may cause some people to fail to get help. OTOH, we don't maintain a presence on fb, AIM, or Parler and we prefer the mailing list for most interactions for a whole host of reasons.
>>
>> I wasn't exactly proposing that we remove the resource, just that in light of all the people migrating away from freenode and the likelihood that the Fedora community will do the same, I won't be available there going forward (I really only started hanging out on freenode because the Fedora community communicates there a lot). And since I was basically the only committer hanging around, I didn't think it was worth keeping a reference on the project page which makes it look as if the channel was an 'official' place to get help. I'm equally as OK leaving it, but since I was the only person paying it any attention I thought it was worth asking how others thought :)
>>
>>> I don't think there are any people who are using #freenode because they don't trust the ASF infrastructure. I think they just want to use IRC. (Which, for those who are unfamiliar, is like Slack but without all the stupid cat photos.) #freenode was great because you didn't have to pay The Man to run an IRC channel/server for you and you also didn't have to run it yourself. It was a nice, shared infrastructure. All of that still exists. It's just got a bad taste to it because something that was free and grassroots is now owned by a corporation and Corporations Are Bad m'kay.
>>>
>>> If we want to provide support via IRC, there is nothing wrong with #freenode in spite of recent events, IMHO.
>>>
>>> I think the question should be "is a realtime support system appropriate for our community?" I tend to think not, but I'm not the only one here.
>>
>> I wouldn't call what is being provided in #tomcat on freenode "realtime support" haha There's maybe one question a month there on average (at least when I'm online during the week), and sometimes they even go unanswered depending on who is available at the time.
>>
>>> If we are going to "quit" #freenode, should we put our efforts into pointing people to the mailing list(s) instead of pointing them to another competing platform? I think we should funnel people to the mailing lists. If the mailing list has too high a bar, then I guess we can point them to Slack. (Does Slack require an account? Requiring signup sucks. At least subscribing to a mailing list doesn't mean you need another entry in your password safe.)
>>>
>>> Anyhow, I'd love to hear what others think. But I would suggest that you consider your motivations before doing anything. Specifically:
>>>
>>> 1. Why abandon #freenode?
>>>
>>> 2. Why move to anything other than mailing-list?
>>
>> I agree, we should drive everyone to mailing lists but not everyone likes them so having a few options is good for the community IMO. Also, we aren't really abandoning anything because we don't really maintain it, it's led by community folk as far as I know; I'm not a moderator. I was just suggesting that if it's not a resource we're actively maintaining that we maybe shouldn't point to it from the project page.
>>
>>> -chris

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
[SECURITY] CVE-2021-41079 Apache Tomcat DoS
CVE-2021-41079 Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 10.0.0-M1 to 10.0.2
Apache Tomcat 9.0.0-M1 to 9.0.43
Apache Tomcat 8.5.0 to 8.5.63

Description:
When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 10.0.4 or later
- Upgrade to Apache Tomcat 9.0.44 or later
- Upgrade to Apache Tomcat 8.5.64 or later

Note: This issue was fixed in Apache Tomcat 10.0.3 but the release vote for the 10.0.3 release candidate did not pass. Therefore, although users must download 10.0.4 to obtain a version that includes a fix for this issue, version 10.0.3 is not included in the list of affected versions.

Credit:
The Apache Tomcat Security Team would like to thank:
- Thomas Wozenilek for originally reporting this issue
- David Frankson of Infinite Campus for providing a test case that reproduced the issue.

History:
2021-09-15 Original advisory

References:
[1] https://tomcat.apache.org/security-10.html
[2] https://tomcat.apache.org/security-9.html
[3] https://tomcat.apache.org/security-8.html
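The affected ranges above mix milestone builds (10.0.0-M1) with GA releases, and the 10.0.3 note means "not in the affected list" and "carries the fix" are not the same thing. The following inventory check is an added example, not part of the advisory or of the Tomcat project: it parses version strings as they appear in the advisory and in a server-info banner ("Apache Tomcat/8.5.58"), orders milestones before the GA release of the same number, and reports for each version whether it is listed as affected and which release on its branch to move to. The advisory's affected and fixed versions are the only data it uses; the sample inventory lines at the bottom are constructed. A hit only means "upgrade candidate": per the advisory, exposure also requires the NIO+OpenSSL or NIO2+OpenSSL TLS configuration, which this script does not inspect.

```python
"""Inventory check for CVE-2021-41079: is a Tomcat version in the advisory's affected list,
and which release on its branch carries the fix. Added example; data taken from the advisory."""
import re
from typing import NamedTuple, Optional


class TomcatVersion(NamedTuple):
    major: int
    minor: int
    patch: int
    milestone: Optional[int]  # None for a GA release; 10.0.0-M1 -> 1

    def sort_key(self):
        # Milestones of x.y.z precede the GA x.y.z release: 10.0.0-M1 < 10.0.0-M10 < 10.0.0
        return (self.major, self.minor, self.patch,
                1 if self.milestone is None else 0, self.milestone or 0)

    def __str__(self):
        base = f"{self.major}.{self.minor}.{self.patch}"
        return base if self.milestone is None else f"{base}-M{self.milestone}"


_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?$")


def parse_version(text: str) -> TomcatVersion:
    """Accept '9.0.43', '10.0.0-M1' or the server-info banner form 'Apache Tomcat/8.5.58'."""
    text = text.strip()
    prefix = "Apache Tomcat/"
    if text.startswith(prefix):
        text = text[len(prefix):]
    match = _VERSION_RE.match(text)
    if not match:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = match.groups()
    return TomcatVersion(int(major), int(minor), int(patch),
                         None if milestone is None else int(milestone))


# Per branch: (first affected, last affected, first release carrying the fix), from the advisory.
# 10.0.3 sits outside the affected range (its release vote failed), yet anything below
# 10.0.4 still needs the upgrade, so the check tracks both facts separately.
CVE_2021_41079 = {
    "10.0": ("10.0.0-M1", "10.0.2", "10.0.4"),
    "9.0": ("9.0.0-M1", "9.0.43", "9.0.44"),
    "8.5": ("8.5.0", "8.5.63", "8.5.64"),
}


def assess(version_text: str) -> dict:
    """Report whether a version is in the advisory's affected list and what to upgrade to."""
    version = parse_version(version_text)
    branch = f"{version.major}.{version.minor}"
    if branch not in CVE_2021_41079:
        return {"version": str(version), "affected": False, "upgrade_to": None,
                "note": "branch not listed in the advisory"}
    first, last, fixed = (parse_version(v) for v in CVE_2021_41079[branch])
    affected = first.sort_key() <= version.sort_key() <= last.sort_key()
    below_fix = version.sort_key() < fixed.sort_key()
    return {
        "version": str(version),
        "affected": affected,
        "upgrade_to": str(fixed) if below_fix else None,
        "note": ("listed as affected" if affected
                 else "not in the affected list but predates the fixed release" if below_fix
                 else "carries the fix"),
    }


if __name__ == "__main__":
    # Constructed inventory lines, as gathered from each server's version banner.
    for banner in ["Apache Tomcat/8.5.58", "9.0.44", "10.0.0-M7", "10.0.3"]:
        print(assess(banner))
```

Feed it the version banner from each host; the branch table is the only thing to edit when applying the same check to another advisory.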
Re: #tomcat on Freenode?
Hi all,

It's been quite a while now and all of the communities that I'm a part of have moved from Freenode to Libera.Chat at this point. I can't even access Freenode now without jumping through some hoops to get new credentials, so I'm definitely not doing that. Some users in #tomcat on libera.chat have pointed out that we still reference Freenode from our project page even though none of us are there anymore. Should we just remove the irc page at this point? Or do we want to update it to point to libera.chat? If there are no objections, I'll just update the reference.

On Tue, May 25, 2021 at 9:19 AM Coty Sutherland wrote:

> On Thu, May 20, 2021 at 1:03 PM Christopher Schultz <ch...@christopherschultz.net> wrote:
>
>> Coty,
>>
>> On 5/19/21 15:28, Coty Sutherland wrote:
>>> Hi all,
>>>
>>> I was just notified about some mess going on with Freenode which has seemingly resulted in a mass exodus of users from the freenode servers.
>>
>> I read about this last night and I immediately thought "I wonder if Coty will say anything about this." :)
>
> lol, of course :P
>
>> It's an "interesting" situation, for some values of "interesting."
>>
>> We (well, Coty) maintains a presence on #freenode because it appears to help some people. Probably a very small number of people (relatively speaking). Removing that resource may cause some people to fail to get help. OTOH, we don't maintain a presence on fb, AIM, or Parler and we prefer the mailing list for most interactions for a whole host of reasons.
>
> I wasn't exactly proposing that we remove the resource, just that in light of all the people migrating away from freenode and the likelihood that the Fedora community will do the same, I won't be available there going forward (I really only started hanging out on freenode because the Fedora community communicates there a lot). And since I was basically the only committer hanging around, I didn't think it was worth keeping a reference on the project page which makes it look as if the channel was an 'official' place to get help. I'm equally as OK leaving it, but since I was the only person paying it any attention I thought it was worth asking how others thought :)
>
>> I don't think there are any people who are using #freenode because they don't trust the ASF infrastructure. I think they just want to use IRC. (Which, for those who are unfamiliar, is like Slack but without all the stupid cat photos.) #freenode was great because you didn't have to pay The Man to run an IRC channel/server for you and you also didn't have to run it yourself. It was a nice, shared infrastructure. All of that still exists. It's just got a bad taste to it because something that was free and grassroots is now owned by a corporation and Corporations Are Bad m'kay.
>>
>> If we want to provide support via IRC, there is nothing wrong with #freenode in spite of recent events, IMHO.
>>
>> I think the question should be "is a realtime support system appropriate for our community?" I tend to think not, but I'm not the only one here.
>
> I wouldn't call what is being provided in #tomcat on freenode "realtime support" haha There's maybe one question a month there on average (at least when I'm online during the week), and sometimes they even go unanswered depending on who is available at the time.
>
>> If we are going to "quit" #freenode, should we put our efforts into pointing people to the mailing list(s) instead of pointing them to another competing platform? I think we should funnel people to the mailing lists. If the mailing list has too high a bar, then I guess we can point them to Slack. (Does Slack require an account? Requiring signup sucks. At least subscribing to a mailing list doesn't mean you need another entry in your password safe.)
>>
>> Anyhow, I'd love to hear what others think. But I would suggest that you consider your motivations before doing anything. Specifically:
>>
>> 1. Why abandon #freenode?
>>
>> 2. Why move to anything other than mailing-list?
>
> I agree, we should drive everyone to mailing lists but not everyone likes them so having a few options is good for the community IMO. Also, we aren't really abandoning anything because we don't really maintain it, it's led by community folk as far as I know; I'm not a moderator. I was just suggesting that if it's not a resource we're actively maintaining that we maybe shouldn't point to it from the project page.
>
>> -chris
RE: FW: 403 Errors for REST Web Services after upgrade from 8.5.30 to 8.5.58
Thank you again for your suggestion. I was able to fix the problem afterwards, after adding extra tomcat realm authenticator logging.

The below section of the web.xml file, which was meant to give shorthand names to roles, has been the cause of the problem. I removed this section and references to shorthand names, replacing them with the full AD Role (e.g. CN=ISSWA-MyApplicationName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com) and testing passed. This case can be set to closed.

CN=ISSWA-MyApplicationName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com
admin

CN=ISSWA-MyApplicationName-Readonly,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com
readonly

CN=ISSWA-MyApplicationName-User,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com
user

-----Original Message-----
From: Christopher Schultz
Sent: 14 September 2021 4:02 PM
To: users@tomcat.apache.org
Subject: Re: FW: 403 Errors for REST Web Services after upgrade from 8.5.30 to 8.5.58

CAUTION: This e-mail originated outside the University of Southampton.

Mike,

On 9/13/21 10:56, Mike Webb wrote:
> I manage a web application that uses REST Web Services. After upgrading from 8.5.30 to 8.5.58, the web services return 403 messages.
>
> Commenting out the and sections below allows the web services to run again, but it does remove the security constraints. How can I get it working securely again?
>
> admin
> readonly
> user
>
> CN=ISSWA-MyWebsiteName-Admin,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com
>
> CN=ISSWA-MyWebsiteName-Readonly,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com
>
> CN=ISSWA-MyWebsiteName-User,OU=ISSWA-AppRoles,OU=WebApps,OU=Corporate Information Services,OU=cp,OU=Services,DC=mywebsitename,DC=com
>
> CONFIDENTIAL
>
> The server that does not work has
> ==
> Tomcat Version: Apache Tomcat/8.5.58
> JVM Version: 11.0.12+7-LTS
> JVM Vendor: Red Hat, Inc.
> OS Name: Linux
> OS Version: 3.10.0-1160.36.2.el7.x86_64
> OS Architecture: amd64
>
> The server that works has
>
> Tomcat version: Apache Tomcat/8.5.30
> JVM Version: 11.0.11+9-LTS
> JVM Vendor: Red Hat, Inc.
> OS Name: Linux
> OS Version: 3.10.0-1160.31.1.el7.x86_64
> OS Architecture: amd64

Are you able to segregate that non-working machine to run some tests against it?

Can you increase the logging for the authenticator / realm to see what is happening?

-chris
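The resolution above came down to one thing: the role names in the `<auth-constraint>` have to be exactly the strings the realm hands back, and a shorthand alias declared in the descriptor is not that. The lint below is an added example, not the poster's web.xml and not Tomcat code; it does not reproduce Tomcat's own role resolution. It parses a constructed descriptor modelled on the thread (one constraint naming the alias "admin", another naming a full DN), compares every constrained role against a constructed list of the role names the realm returns (the list you would read out of the realm debug logging the thread enabled), and flags the ones that can only produce a 403: alias-only names, undeclared names, and declared names the realm never returns. The `hardened()` helper applies the thread's fix, substituting the full DN for the alias, so the second run comes back clean.

```python
"""Lint a web.xml for <auth-constraint> role names that cannot match what the realm returns.
Added example modelled on the thread; the descriptor and realm role list are constructed."""
import xml.etree.ElementTree as ET

# Constructed full AD DNs, following the pattern quoted in the thread.
ADMIN_DN = ("CN=ISSWA-MyApplicationName-Admin,OU=ISSWA-AppRoles,OU=WebApps,"
            "OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com")
USER_DN = ("CN=ISSWA-MyApplicationName-User,OU=ISSWA-AppRoles,OU=WebApps,"
           "OU=Corporate Information Services,OU=cp,OU=Services,DC=myapplicationdomain,DC=com")

# Constructed descriptor: "admin" exists only as a <security-role-ref> alias, yet the
# <auth-constraint> uses it; the User role is referenced by its full DN.
SAMPLE_WEB_XML = f"""<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>rest</servlet-name>
    <servlet-class>com.example.RestServlet</servlet-class>
    <security-role-ref>
      <role-name>admin</role-name>
      <role-link>{ADMIN_DN}</role-link>
    </security-role-ref>
  </servlet>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>REST</web-resource-name>
      <url-pattern>/rest/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>admin</role-name>
      <role-name>{USER_DN}</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-role><role-name>{ADMIN_DN}</role-name></security-role>
  <security-role><role-name>{USER_DN}</role-name></security-role>
</web-app>
"""

# Constructed: the role names the realm actually returns, as read from realm debug logging.
REALM_ROLES = {ADMIN_DN, USER_DN}


def _local(tag):
    """Strip the XML namespace so the lint works with any web-app schema version."""
    return tag.rsplit("}", 1)[-1]


def _role_names(element):
    return {(child.text or "").strip() for child in element if _local(child.tag) == "role-name"}


def audit_roles(web_xml_text, realm_roles):
    """Return (role, kind, detail) findings for constrained roles that will never match."""
    root = ET.fromstring(web_xml_text)
    declared, aliases, constrained = set(), {}, set()
    for el in root.iter():
        kind = _local(el.tag)
        if kind == "security-role":
            declared |= _role_names(el)
        elif kind == "auth-constraint":
            constrained |= _role_names(el)
        elif kind == "security-role-ref":
            fields = {_local(c.tag): (c.text or "").strip() for c in el}
            aliases[fields.get("role-name")] = fields.get("role-link")
    findings = []
    for role in sorted(constrained):
        if role == "*" or role in realm_roles:
            continue  # wildcard, or an exact match with what the realm returns
        if role in aliases:
            findings.append((role, "alias",
                             f"only a <security-role-ref> alias for {aliases[role]!r}; "
                             "put the realm's exact role name in the constraint"))
        elif role not in declared:
            findings.append((role, "undeclared", "not declared in any <security-role>"))
        else:
            findings.append((role, "unknown-to-realm", "declared, but the realm never returns it"))
    return findings


def hardened(web_xml_text):
    """Apply the thread's fix: replace the shorthand alias with the realm's full DN."""
    return web_xml_text.replace("<role-name>admin</role-name>",
                                f"<role-name>{ADMIN_DN}</role-name>")


if __name__ == "__main__":
    for role, kind, detail in audit_roles(SAMPLE_WEB_XML, REALM_ROLES):
        print(f"[{kind}] {role}: {detail}")
    print("after fix:", audit_roles(hardened(SAMPLE_WEB_XML), REALM_ROLES))
```

Run it against a real descriptor by reading the file into `audit_roles` and filling `realm_roles` from what the authenticator/realm logging shows for a test login; an empty finding list means every constrained role is a string the realm can actually produce.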