Re: [VOTE] Release Apache Tomcat 9.0.0.M27

2017-09-19 Thread Huxing Zhang
Hi, here is my test result, although the vote has finished: The proposed 9.0.0.M27 release is: [ ] Broken - do not release [ X ] Alpha - go ahead and release as 9.0.0.M27 Unit test passed. Our web application works fine. -- Mark

Re: Draft EOL announcement for Tomcat Native 1.1.x

2017-09-19 Thread Mark Thomas
Updated with Konstantin's feedback. Further comments, feedback etc welcome. The Apache Tomcat Team announces that support for Apache Tomcat Native 1.1.x will end on 30 September 2018. This means that after 30 September 2018: - releases from the 1.1.x branch are highly unlikely - bugs

svn commit: r21712 - /dev/tomcat/tomcat-8/v8.5.21/ /release/tomcat/tomcat-8/v8.5.21/

2017-09-19 Thread markt
Author: markt Date: Tue Sep 19 20:29:38 2017 New Revision: 21712 Log: Release Apache Tomcat 8.5.21 Added: release/tomcat/tomcat-8/v8.5.21/ - copied from r21711, dev/tomcat/tomcat-8/v8.5.21/ Removed: dev/tomcat/tomcat-8/v8.5.21/

svn commit: r21711 - /dev/tomcat/tomcat-9/v9.0.0.M27/ /release/tomcat/tomcat-9/v9.0.0.M27/

2017-09-19 Thread markt
Author: markt Date: Tue Sep 19 20:29:09 2017 New Revision: 21711 Log: Release Apache Tomcat 9.0.0.M27 Added: release/tomcat/tomcat-9/v9.0.0.M27/ - copied from r21710, dev/tomcat/tomcat-9/v9.0.0.M27/ Removed: dev/tomcat/tomcat-9/v9.0.0.M27/

svn commit: r21710 - /dev/tomcat/tomcat-6/

2017-09-19 Thread markt
Author: markt Date: Tue Sep 19 20:28:21 2017 New Revision: 21710 Log: Tomcat 6 has reached end of life Removed: dev/tomcat/tomcat-6/ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands,

[RESULT][VOTE] Release Apache Tomcat 8.5.21

2017-09-19 Thread Mark Thomas
The following votes were cast: Binding: +1: rjung, markt, fschumacher, mgrigorov, csutherl, violetagg Non-binding: +1: ebourg The vote therefore passes. Thank you to everyone who contributed to this release. Mark

[RESULT][VOTE] Release Apache Tomcat 9.0.0.M27

2017-09-19 Thread Mark Thomas
The following votes were cast: Binding: +1: markt, rjung, fschumacher, mgrigorov, violetagg No other votes were cast. The vote therefore passes. Thank you to everyone who contributed to this release.

Re: [VOTE] Release Apache Tomcat 9.0.0.M27

2017-09-19 Thread Violeta Georgieva
2017-09-13 21:49 GMT+03:00 Mark Thomas : > > The proposed Apache Tomcat 9.0.0.M27 release is now available for voting. > > This is a milestone release for the 9.0.x branch. It should be > noted that, as a milestone release: > - Servlet 4.0 is not finalised > - It is not known if

Re: [VOTE] Release Apache Tomcat 8.5.21

2017-09-19 Thread Violeta Georgieva
2017-09-14 0:02 GMT+03:00 Mark Thomas : > > The proposed Apache Tomcat 8.5.21 release is now available for voting. > > The major changes compared to the 8.5.20 release are: > > - Additional capabilities for the CGI Servlet. Based on patches provided > by jm009. > > - Added

svn commit: r1808887 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/tomcat/util/http/Cookies.java webapps/docs/changelog.xml

2017-09-19 Thread csutherl
Author: csutherl Date: Tue Sep 19 14:22:06 2017 New Revision: 1808887 URL: http://svn.apache.org/viewvc?rev=1808887=rev Log: Update fix for bug 59904 so that values less than zero are accepted instead of throwing a NegativeArraySizeException. Modified: tomcat/tc7.0.x/trunk/ (props

svn commit: r1808884 - in /tomcat/tc8.0.x/trunk: ./ java/org/apache/tomcat/util/http/ServerCookies.java webapps/docs/changelog.xml

2017-09-19 Thread csutherl
Author: csutherl Date: Tue Sep 19 14:17:12 2017 New Revision: 1808884 URL: http://svn.apache.org/viewvc?rev=1808884=rev Log: Update fix for bug 59904 so that values less than zero are accepted instead of throwing a NegativeArraySizeException. Modified: tomcat/tc8.0.x/trunk/ (props

svn commit: r1808881 - in /tomcat/trunk: ./ java/org/apache/tomcat/util/http/ServerCookies.java webapps/docs/changelog.xml

2017-09-19 Thread csutherl
Author: csutherl Date: Tue Sep 19 14:10:12 2017 New Revision: 1808881 URL: http://svn.apache.org/viewvc?rev=1808881=rev Log: Cherry-pick r1808880 from 8.5.x/trunk Modified: tomcat/trunk/ (props changed) tomcat/trunk/java/org/apache/tomcat/util/http/ServerCookies.java

svn commit: r1808880 - in /tomcat/tc8.5.x/trunk: java/org/apache/tomcat/util/http/ServerCookies.java webapps/docs/changelog.xml

2017-09-19 Thread csutherl
Author: csutherl Date: Tue Sep 19 14:07:02 2017 New Revision: 1808880 URL: http://svn.apache.org/viewvc?rev=1808880=rev Log: Update fix for bug 59904 so that values less than zero are accepted instead of throwing a NegativeArraySizeException. Modified:

Tagging Tomcat 7/8.0

2017-09-19 Thread Violeta Georgieva
Hi, I'm planning to start preparing Tomcat 7/8.0 for a release later today. If you would like to include something in addition, please reply here. Regards, Violeta

Re: [VOTE] Release Apache Tomcat 8.5.21

2017-09-19 Thread Coty Sutherland
On Wed, Sep 13, 2017 at 5:02 PM, Mark Thomas wrote: > The proposed Apache Tomcat 8.5.21 release is now available for voting. > > The major changes compared to the 8.5.20 release are: > > - Additional capabilities for the CGI Servlet. Based on patches provided > by jm009. > > -

[CORRECTION][SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure

2017-09-19 Thread Mark Thomas
The body of the original advisory referred to CVE-2017-7674. This was incorrect. It was a copy and paste error from a previous Tomcat advisory. The correct CVE reference is CVE-2017-12616, as per the subject line. On 19/09/17 11:58, Mark Thomas wrote: > CVE-2017-7674 Apache Tomcat Information

[CORRECTION][SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Mark Thomas
The body of the original advisory referred to CVE-2017-7674. This was incorrect. It was a copy and paste error from a previous Tomcat advisory. The correct CVE reference is CVE-2017-12615, as per the subject line. On 19/09/17 11:58, Mark Thomas wrote: > CVE-2017-12615 Apache Tomcat Remote Code

svn propchange: r1804729 - svn:log

2017-09-19 Thread markt
Author: markt Revision: 1804729 Modified property: svn:log Modified: svn:log at Tue Sep 19 11:01:39 2017 -- --- svn:log (original) +++ svn:log Tue Sep 19 11:01:39 2017 @@ -1 +1,4 @@ Correct regression in r1804604 that

svn propchange: r1804604 - svn:log

2017-09-19 Thread markt
Author: markt Revision: 1804604 Modified property: svn:log Modified: svn:log at Tue Sep 19 11:01:02 2017 -- --- svn:log (original) +++ svn:log Tue Sep 19 11:01:02 2017 @@ -3,3 +3,5 @@ Code clean-up - Correct indent -

[SECURITY] CVE-2017-12615 Apache Tomcat Remote Code Execution via JSP upload

2017-09-19 Thread Mark Thomas
CVE-2017-7674 Apache Tomcat Remote Code Execution via JSP Upload Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 7.0.0 to 7.0.79 Description: When running on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of

[SECURITY] CVE-2017-12616 Apache Tomcat Information Disclosure

2017-09-19 Thread Mark Thomas
CVE-2017-7674 Apache Tomcat Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 7.0.0 to 7.0.80 Description: When using a VirtualDirContext it was possible to bypass security constraints and/or view the source code of JSPs for

svn commit: r1808857 - in /tomcat/site/trunk: docs/security-7.html xdocs/security-7.xml

2017-09-19 Thread markt
Author: markt Date: Tue Sep 19 10:57:45 2017 New Revision: 1808857 URL: http://svn.apache.org/viewvc?rev=1808857=rev Log: Add details for CVE-2017-12615 and CVE-2017-12616 Modified: tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/xdocs/security-7.xml Modified: