Re: Enabling HTTP/2 for tomcat.apache.org

2018-10-22 Thread Mark Thomas
On October 23, 2018 4:33:19 AM UTC, Igal Sapir wrote:
> I just checked https://tomcat.apache.org/ and it does not support HTTP/2.
>
> Who can fix that?
>
> Igal
The infrastructure team.
Mark

Re: buildbot failure in on tomcat-trunk

2018-10-22 Thread Igal Sapir
I am able to build locally on that same revision. Any ideas?
Igal
On Mon, Oct 22, 2018 at 9:51 PM wrote:
> The Buildbot has detected a new failure on builder tomcat-trunk while building . Full details are available at:
> https://ci.apache.org/builders/tomcat-trunk/builds/3677

buildbot failure in on tomcat-trunk

2018-10-22 Thread buildbot
The Buildbot has detected a new failure on builder tomcat-trunk while building . Full details are available at: https://ci.apache.org/builders/tomcat-trunk/builds/3677 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: The AnyBranchScheduler

Enabling HTTP/2 for tomcat.apache.org

2018-10-22 Thread Igal Sapir
I just checked https://tomcat.apache.org/ and it does not support HTTP/2. Who can fix that? Igal

[Bug 62830] Add static methods to load native libraries by the Common ClassLoader

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
--- Comment #15 from Igal Sapir ---
(In reply to Konstantin Kolinko from comment #14)
> I think that this listener must be mentioned on "security-howto.xml".
>
> http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Listeners
>
> It

svn commit: r1844615 - /tomcat/trunk/webapps/docs/security-howto.xml

2018-10-22 Thread isapir
Author: isapir
Date: Tue Oct 23 04:26:21 2018
New Revision: 1844615
URL: http://svn.apache.org/viewvc?rev=1844615&view=rev
Log: Added JniLifecycleListener statement to security-howto BZ 62830
Modified: tomcat/trunk/webapps/docs/security-howto.xml
Modified:

[GUMP@vmgump-vm3]: Project tomcat-tc7.0.x-test-apr (in module tomcat-7.0.x) failed

2018-10-22 Thread Bill Barker
To whom it may engage... This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org. Project tomcat-tc7.0.x-test-apr has an issue affecting its community

[GUMP@vmgump-vm3]: Project tomcat-tc8.5.x-test-apr (in module tomcat-8.5.x) failed

2018-10-22 Thread Bill Barker
To whom it may engage... This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org. Project tomcat-tc8.5.x-test-apr has an issue affecting its community

[GUMP@vmgump-vm3]: Project tomcat-trunk-test-nio2 (in module tomcat-trunk) failed

2018-10-22 Thread Bill Barker
To whom it may engage... This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org. Project tomcat-trunk-test-nio2 has an issue affecting its community integration.

[GUMP@vmgump-vm3]: Project tomcat-tc8.5.x-test-nio2 (in module tomcat-8.5.x) failed

2018-10-22 Thread Bill Barker
To whom it may engage... This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org. Project tomcat-tc8.5.x-test-nio2 has an issue affecting its community

[GUMP@vmgump-vm3]: Project tomcat-tc7.0.x-test-nio (in module tomcat-7.0.x) failed

2018-10-22 Thread Bill Barker
To whom it may engage... This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org. Project tomcat-tc7.0.x-test-nio has an issue affecting its community

[Bug 62830] Add static methods to load native libraries by the Common ClassLoader

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830 --- Comment #14 from Konstantin Kolinko --- I think that this listener must be mentioned on "security-howto.xml". http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Listeners It can be configured in any container (e.g. in

[Bug 62830] Add static methods to load native libraries by the Common ClassLoader

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
--- Comment #13 from Igal Sapir ---
(In reply to Christopher Schultz from comment #12)
> Sorry... I must be missing something, here.
>
> System.loadLibrary isn't ClassLoader-specific... once the library has been
> loaded, it can't be loaded

[GUMP@vmgump-vm3]: Project tomcat-tc8.5.x-test-nio (in module tomcat-8.5.x) failed

2018-10-22 Thread Bill Barker
To whom it may engage... This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org. Project tomcat-tc8.5.x-test-nio has an issue affecting its community

[GUMP@vmgump-vm3]: Project tomcat-tc7.0.x-test-bio (in module tomcat-7.0.x) failed

2018-10-22 Thread Bill Barker
To whom it may engage... This is an automated request, but not an unsolicited one. For more information please visit http://gump.apache.org/nagged.html, and/or contact the folk at gene...@gump.apache.org. Project tomcat-tc7.0.x-test-bio has an issue affecting its community

[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844 --- Comment #8 from mingxuan --- Thank you very much. Your explanation is authoritative. This problem is really caused by Web's arbitrary path uploading and CGI arbitrary resolution. And left behind CGI's script back door. This should really

[Bug 62830] Add static methods to load native libraries by the Common ClassLoader

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830 --- Comment #12 from Christopher Schultz --- Sorry... I must be missing something, here. System.loadLibrary isn't ClassLoader-specific... once the library has been loaded, it can't be loaded again at all. The code here is all fine, and using

Re: [GUMP@vmgump-vm3]: Project tomcat-tc7.0.x-test-apr (in module tomcat-7.0.x) failed

2018-10-22 Thread Mark Thomas
On 22/10/2018 09:19, Bill Barker wrote: To whom it may engage... test-compile: [javac] Compiling 168 source files to /srv/gump/public/workspace/tomcat-7.0.x/output/testclasses [javac]

[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844 --- Comment #7 from Mark Thomas --- Speaking as a member of both the Tomcat and ASF security teams: I whole-heartedly endorse everything Rémy said in comment #3. There is no vulnerability here. By design, the CGI servlet executes what it is

[Bug 62830] Add static methods to load native libraries by the Common ClassLoader

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830 --- Comment #11 from Igal Sapir --- JniLifecycleListener, Library.load(), and Library.loadLibrary() available in Tomcat 9.0.13, 8.5.35, and 7.0.92 -- You are receiving this mail because: You are the assignee for the bug.

[Bug 62830] Add static methods to load native libraries by the Common ClassLoader

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
Igal Sapir changed:
What|Removed|Added
Resolution|---|FIXED
Status|NEW

svn commit: r1844593 - in /tomcat/tc7.0.x/trunk: java/org/apache/catalina/core/JniLifecycleListener.java webapps/docs/changelog.xml webapps/docs/config/listeners.xml

2018-10-22 Thread isapir
Author: isapir
Date: Mon Oct 22 18:06:11 2018
New Revision: 1844593
URL: http://svn.apache.org/viewvc?rev=1844593&view=rev
Log: Added JniLifecycleListener per BZ 62830
Added: tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/JniLifecycleListener.java
Modified:

svn commit: r1844592 - in /tomcat/tc8.5.x/trunk: java/org/apache/catalina/core/JniLifecycleListener.java webapps/docs/changelog.xml webapps/docs/config/listeners.xml

2018-10-22 Thread isapir
Author: isapir
Date: Mon Oct 22 17:54:31 2018
New Revision: 1844592
URL: http://svn.apache.org/viewvc?rev=1844592&view=rev
Log: Added JniLifecycleListener per BZ 62830
Added: tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/JniLifecycleListener.java
Modified:

[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844 --- Comment #6 from mingxuan --- Well. Thank you very much! Thank you! I'll send an e-mail to the security team. Ha-ha! I always feel like a problem。。。 ;)

[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844 --- Comment #5 from Remy Maucherat --- Yes, obvious security concerns should always be discussed on the security mailing list. At this time, the CGI servlet treats as CGI any mapped path.

[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844 --- Comment #4 from mingxuan --- Thank you very much for your reply. If there are safety problems. Is it a direct email to secur...@tomcat.apache.org? I still think there is a risk. Because CGI has been opened. Upload it to this directory for

[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
Remy Maucherat changed:
What|Removed|Added
Status|NEW|RESOLVED
Resolution|---

[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
mingxuan changed:
What|Removed|Added
OS|All|Mac OS X 10.13

[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
mingxuan changed:
What|Removed|Added
OS||All
--- Comment #2 from mingxuan ---

[Bug 62844] Tomcat CGI suffix name arbitrary resolution vulnerability

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844 --- Comment #1 from mingxuan --- Created attachment 36203 --> https://bz.apache.org/bugzilla/attachment.cgi?id=36203&action=edit Please refer to the annex for details.

[Bug 62844] New: Tomcat CGI suffix name arbitrary resolution vulnerability

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
Bug ID: 62844
Summary: Tomcat CGI suffix name arbitrary resolution vulnerability
Product: Tomcat 9
Version: 9.0.8
Hardware: PC
Status: NEW

[GitHub] tomcat pull request #128: Add missing word for readability

2018-10-22 Thread mdfst13
GitHub user mdfst13 opened a pull request: https://github.com/apache/tomcat/pull/128 Add missing word for readability Not an important change, but seemed worth making now while it's topical rather than leaving as is. The old version said that it tested in the past. This version

[GUMP@vmgump-vm3]: Project tomcat-tc7.0.x-test-apr (in module tomcat-7.0.x) failed

2018-10-22 Thread Bill Barker
-native-1.2-1.0.2/dest-20181022/lib -Dtest.relaxTiming=true -Dexecute.test.nio=false -Dtest.accesslog=true -Dtomcat-dbcp.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-20181022.jar -Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-4.0-SNAPSHOT.jar

[GUMP@vmgump-vm3]: Project tomcat-tc8.5.x-test-apr (in module tomcat-8.5.x) failed

2018-10-22 Thread Bill Barker
.x/tomcat-build-libs -Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.7.3a-201803300640/ecj-4.7.3a.jar -Dtest.apr.loc=/srv/gump/public/workspace/tomcat-native-1.2-1.1.1/dest-20181022/lib -Dtest.relaxTiming=true -Dcommons-daemon.jar=/srv/gump/public/workspace/apache-commons/daemon/target/commons

[GUMP@vmgump-vm3]: Project tomcat-tc7.0.x-test-nio (in module tomcat-7.0.x) failed

2018-10-22 Thread Bill Barker
-Dtest.accesslog=true -Dtomcat-dbcp.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-20181022.jar -Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-4.0-SNAPSHOT.jar -Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test [Working Directory: /srv

[GUMP@vmgump-vm3]: Project tomcat-tc8.5.x-test-nio (in module tomcat-8.5.x) failed

2018-10-22 Thread Bill Barker
-Dexecute.test.nio=true -Dtest.openssl.path=/srv/gump/public/workspace/openssl-1.1.1/dest-20181022/bin/openssl -Dexecute.test.bio=false -Dexecute.test.apr=false -Dtest.excludePerformance=true -Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-4.0-SNAPSHOT.jar -Dhamcrest.jar

[GUMP@vmgump-vm3]: Project tomcat-tc7.0.x-test-bio (in module tomcat-7.0.x) failed

2018-10-22 Thread Bill Barker
-Dtest.accesslog=true -Dtomcat-dbcp.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-20181022.jar -Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-4.0-SNAPSHOT.jar -Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test [Working Directory: /srv/gump

[Bug 62830] Add static methods to load native libraries by the Common ClassLoader

2018-10-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830 --- Comment #9 from Igal Sapir --- Commit r1844531 adds JniLifecycleListener to trunk

svn commit: r1844531 - in /tomcat/trunk: java/org/apache/catalina/core/JniLifecycleListener.java webapps/docs/changelog.xml webapps/docs/config/listeners.xml

2018-10-22 Thread isapir
Author: isapir
Date: Mon Oct 22 08:02:26 2018
New Revision: 1844531
URL: http://svn.apache.org/viewvc?rev=1844531&view=rev
Log: Added JniLifecycleListener per BZ 62830
Added: tomcat/trunk/java/org/apache/catalina/core/JniLifecycleListener.java
Modified: tomcat/trunk/webapps/docs/changelog.xml