Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Christopher Schultz
Mark, On 5/24/16 10:06 AM, Mark Thomas wrote: > TL;DR If you use remote JMX, you need to update your JVM to address > CVE-2016-3427 > > For the longer version, see the blog post I just published on > this:

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Woonsan Ko
On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz wrote: > Mark, > > On 5/24/16 10:06 AM, Mark Thomas wrote: >> TL;DR If you use remote JMX, you need to update your JVM to address >> CVE-2016-3427 >> >> For the

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Christopher Schultz
Woonsan, On 5/25/16 11:29 AM, Woonsan Ko wrote: > On Wed, May 25, 2016 at 11:12 AM, Christopher Schultz > wrote: > Mark, > > On 5/24/16 10:06 AM, Mark Thomas wrote: TL;DR If you use remote JMX, you need to update your JVM to address CVE-2016-3427

Re: [VOTE][RESULT] Release Apache Tomcat 9.0.0.M6

2016-05-25 Thread Rossen Stoyanchev
A bit late to this but I've done quick sanity checks from a Spring Framework perspective (framework tests, websocket, Servlet 3 async, Servlet 3.1 non-blocking) with no issues encountered. On Mon, May 16, 2016 at 6:34 AM, Mark Thomas wrote: > The following votes were cast: > >

[Tomcat Wiki] Update of "AJP with stunnel" by ChristopherSchultz

2016-05-25 Thread Apache Wiki
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "AJP with stunnel" page has been changed by ChristopherSchultz: https://wiki.apache.org/tomcat/AJP%20with%20stunnel New page: = AJP over stunnel = stunnel is a little more

Tomcat 8.5: Avoid NPE on bind for APR when using SSL.

2016-05-25 Thread Matt Cosentino
This needs to be ported back to 8.5. http://svn.apache.org/viewvc?view=revision&revision=1726515 - Matt

Re: 8.0.35 Javadoc problems

2016-05-25 Thread Coty Sutherland
> No. I just forgot to send out the announcement. I'll get that done shortly. Cool, thanks! - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 59179] HTTP Public Key Pinning for Tomcat

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59179 --- Comment #2 from Abdessamed MANSOURI --- Created attachment 33891 --> https://bz.apache.org/bugzilla/attachment.cgi?id=33891&action=edit Patch for what Mark recommended. This patch is based on OP's patch, I did what Mark

Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Mark Thomas
On 25/05/2016 16:12, Christopher Schultz wrote: > Mark, > > On 5/24/16 10:06 AM, Mark Thomas wrote: >> TL;DR If you use remote JMX, you need to update your JVM to address >> CVE-2016-3427 > >> For the longer version, see the blog post I just published on >> this:

[ANN] Apache Tomcat 8.0.35 available

2016-05-25 Thread Mark Thomas
Apologies for the delay in sending this out. The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.35. Apache Tomcat 8.0 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language and Java WebSocket technologies.

[GUMP@vmgump]: Project tomcat-tc8.0.x-validate (in module tomcat-8.0.x) failed

2016-05-25 Thread Bill Barker
/workspace/apache-commons/beanutils/dist/commons-beanutils-20160525.jar:/srv/gump/packages/commons-collections3/commons-collections-3.2.1.jar:/srv/gump/public/workspace/apache-commons/cli/target/commons-cli-1.4-SNAPSHOT.jar:/srv/gump/public/workspace/commons-lang-trunk/target/commons-lang3-3.5-SNAPSHOT.ja

Re: [DISCUSS] Logging

2016-05-25 Thread Mark Thomas
On 25/05/2016 15:03, Mark Thomas wrote: > On 25/05/2016 12:26, Rémy Maucherat wrote: >> 2016-05-25 12:43 GMT+02:00 Mark Thomas : >>> 1. Simplified JULI that uses JUL directly but with our existing >>> LogManager and configuration extensions. >>> Thoughts? >>> >> >> I'd vote

svn commit: r1745535 - in /tomcat/trunk/java/org/apache: catalina/core/ catalina/ha/context/ catalina/startup/ catalina/tribes/transport/bio/ catalina/tribes/util/ tomcat/util/descriptor/web/

2016-05-25 Thread markt
Author: markt Date: Wed May 25 20:44:36 2016 New Revision: 1745535 URL: http://svn.apache.org/viewvc?rev=1745535&view=rev Log: Remove unnecessary whitespace Modified: tomcat/trunk/java/org/apache/catalina/core/StandardWrapper.java

svn commit: r1745538 - in /tomcat/trunk/test/org/apache: catalina/nonblocking/TestNonBlockingAPI.java tomcat/util/net/TestXxxEndpoint.java

2016-05-25 Thread markt
Author: markt Date: Wed May 25 20:47:26 2016 New Revision: 1745538 URL: http://svn.apache.org/viewvc?rev=1745538&view=rev Log: Remove unnecessary Log definitions. Parent class defines a Log. Modified: tomcat/trunk/test/org/apache/catalina/nonblocking/TestNonBlockingAPI.java

Re: Tomcat 8.5: Avoid NPE on bind for APR when using SSL.

2016-05-25 Thread Rémy Maucherat
2016-05-25 19:11 GMT+02:00 Matt Cosentino : > This needs to be ported back to 8.5. > > http://svn.apache.org/viewvc?view=revision&revision=1726515 > > No. Rémy

Re: 8.0.35 Javadoc problems

2016-05-25 Thread Mark Thomas
On 25/05/2016 17:00, Coty Sutherland wrote: > Did this issue hold up the release announcement for 8.0.35? There was > a user in #tomcat asking why it wasn't announced and was concerned > that the release had issues. No. I just forgot to send out the announcement. I'll get that done shortly. Mark

[Bug 58626] Tomcat does not start at boot time due to SIGHUP

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58626 --- Comment #18 from Mark Thomas --- (In reply to Michael Osipov from comment #17) > Quite a nice solution. Line 274 has too many spaces in it. Ack. If this works, I'll fix that before committing it. > I will test that

[Bug 59564] HttpServletRequest.getPart() always returns null with HTTP/2

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59564 Violeta Georgieva changed: Status: NEEDINFO -> NEW ---

[Bug 59604] Invalid url-pattern in servlet mapping on s390x

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59604 Mark Thomas changed: Status: NEW -> NEEDINFO --- Comment

[Bug 59604] Invalid url-pattern in servlet mapping on s390x

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59604 Dave changed: Status: NEEDINFO -> NEW --- Comment #15 from

[Bug 57098] Weird Response for an HTTP request on HTTPS(SSL) port

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=57098 Yang changed: CC: added muyuqiu...@163.com -- You

[Bug 59604] Invalid url-pattern in servlet mapping on s390x

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59604 --- Comment #13 from Dave --- Created attachment 33892 --> https://bz.apache.org/bugzilla/attachment.cgi?id=33892&action=edit conf/web.xml (did not make any changes)

[Bug 59604] Invalid url-pattern in servlet mapping on s390x

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59604 --- Comment #14 from Dave --- Created attachment 33893 --> https://bz.apache.org/bugzilla/attachment.cgi?id=33893&action=edit log file with nothing in webapps/

svn commit: r1745471 - /tomcat/tc7.0.x/trunk/build.xml

2016-05-25 Thread markt
Author: markt Date: Wed May 25 10:55:50 2016 New Revision: 1745471 URL: http://svn.apache.org/viewvc?rev=1745471&view=rev Log: Remove unused property Modified: tomcat/tc7.0.x/trunk/build.xml Modified: tomcat/tc7.0.x/trunk/build.xml URL:

[DISCUSS] Logging

2016-05-25 Thread Mark Thomas
I've been looking at Bug 58588 [1]. It looks clear that the JULI extras JARs no longer add value and I'm happy to remove them. That bug also raises the question "How would users switch Tomcat's internal logging to LOGBack, log4j2 or something else?". A quick look at the respective manuals suggests

svn commit: r1745468 - /tomcat/tc8.5.x/trunk/build.xml

2016-05-25 Thread markt
Author: markt Date: Wed May 25 10:53:26 2016 New Revision: 1745468 URL: http://svn.apache.org/viewvc?rev=1745468&view=rev Log: Remove unused property Modified: tomcat/tc8.5.x/trunk/build.xml Modified: tomcat/tc8.5.x/trunk/build.xml URL:

svn commit: r1745467 - /tomcat/trunk/build.xml

2016-05-25 Thread markt
Author: markt Date: Wed May 25 10:52:57 2016 New Revision: 1745467 URL: http://svn.apache.org/viewvc?rev=1745467&view=rev Log: Remove unused property Modified: tomcat/trunk/build.xml Modified: tomcat/trunk/build.xml URL:

svn commit: r1745469 - /tomcat/tc8.0.x/trunk/build.xml

2016-05-25 Thread markt
Author: markt Date: Wed May 25 10:55:19 2016 New Revision: 1745469 URL: http://svn.apache.org/viewvc?rev=1745469&view=rev Log: Remove unused property Modified: tomcat/tc8.0.x/trunk/build.xml Modified: tomcat/tc8.0.x/trunk/build.xml URL:

[Bug 58588] Remove extras/juli from Tomcat 9 build and deliveries as Log4J 1.x has reached EOL.

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=58588 Mark Thomas changed: Status: NEW -> RESOLVED

svn commit: r1745473 - in /tomcat/trunk: build.xml webapps/docs/changelog.xml webapps/docs/logging.xml

2016-05-25 Thread markt
Author: markt Date: Wed May 25 11:11:10 2016 New Revision: 1745473 URL: http://svn.apache.org/viewvc?rev=1745473&view=rev Log: Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=58588 Remove the JULI extras package Modified: tomcat/trunk/build.xml tomcat/trunk/webapps/docs/changelog.xml

Re: [DISCUSS] Logging

2016-05-25 Thread Mark Thomas
On 25/05/2016 12:26, Rémy Maucherat wrote: > 2016-05-25 12:43 GMT+02:00 Mark Thomas : > >> I've been looking at Bug 58588 [1]. It looks clear that the JULI extras >> JARs no longer add value and I'm happy to remove them. That bug also >> raises the question "How would users

Re: [DISCUSS] Logging

2016-05-25 Thread Rémy Maucherat
2016-05-25 12:43 GMT+02:00 Mark Thomas : > I've been looking at Bug 58588 [1]. It looks clear that the JULI extras > JARs no longer add value and I'm happy to remove them. That bug also > raises the question "How would users switch Tomcat's internal logging to > LOGBack, log4j2

[Bug 59081] Cipher ordering not working

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59081 Ognjen Blagojevic changed: Status (removed): RESOLVED

Re: [DISCUSS] Logging

2016-05-25 Thread Mark Thomas
On 25/05/2016 12:26, Rémy Maucherat wrote: > 2016-05-25 12:43 GMT+02:00 Mark Thomas : > >> I've been looking at Bug 58588 [1]. It looks clear that the JULI extras >> JARs no longer add value and I'm happy to remove them. That bug also >> raises the question "How would users

svn commit: r1745479 - /tomcat/trunk/webapps/docs/logging.xml

2016-05-25 Thread markt
Author: markt Date: Wed May 25 12:55:50 2016 New Revision: 1745479 URL: http://svn.apache.org/viewvc?rev=1745479&view=rev Log: whitespace Modified: tomcat/trunk/webapps/docs/logging.xml Modified: tomcat/trunk/webapps/docs/logging.xml URL:

Re: 8.0.35 Javadoc problems

2016-05-25 Thread Coty Sutherland
Did this issue hold up the release announcement for 8.0.35? There was a user in #tomcat asking why it wasn't announced and was concerned that the release had issues. -Coty

svn commit: r1745496 - /tomcat/trunk/java/org/apache/catalina/core/NamingContextListener.java

2016-05-25 Thread markt
Author: markt Date: Wed May 25 14:35:58 2016 New Revision: 1745496 URL: http://svn.apache.org/viewvc?rev=1745496&view=rev Log: Remove unnecessary field Modified: tomcat/trunk/java/org/apache/catalina/core/NamingContextListener.java Modified:

[Bug 59635] New: PerMessageDeflate.sendMassagePart() IllegalArgumentException using atmosphere

2016-05-25 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=59635 Bug ID: 59635 Summary: PerMessageDeflate.sendMassagePart() IllegalArgumentException using atmosphere Product: Tomcat 8 Version: 8.0.33 Hardware: Macintosh

[Tomcat Wiki] Update of "FAQ/Connectors" by ChristopherSchultz

2016-05-25 Thread Apache Wiki
The "FAQ/Connectors" page has been changed by ChristopherSchultz: https://wiki.apache.org/tomcat/FAQ/Connectors?action=diff&rev1=16&rev2=17 directives to say http:// (or https://) instead of

RE: [SECURITY] Java Deserialization, JMX and CVE-2016-3427

2016-05-25 Thread Caldarale, Charles R
> From: Christopher Schultz [mailto:ch...@christopherschultz.net] > Subject: Re: [SECURITY] Java Deserialization, JMX and CVE-2016-3427 > "Java SE: 6u113, 7u99, 8u77; Java SE Embedded: 8u77; JRockit: R28.3.9" > I have Java 1.8.0_91. Am I affected? No. > What about if I had Java 1.8.0_60?
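The exchange above boils down to two questions an operator has to answer for every Tomcat instance: does this JVM expose remote JMX at all, and if so, is its update level at or above the fixed releases quoted in the thread (Java SE 6u113, 7u99, 8u77)? The script below is an added example for this page, not code from the Tomcat project or from anyone in the thread. It parses `java -version` style strings ("1.8.0_91", "1.8.0_91-b14") and the short "8u77" form, treats the bare `-Dcom.sun.management.jmxremote` flag as local-only (only `-Dcom.sun.management.jmxremote.port=<n>` opens a network listener), and fails closed with "unknown" for version schemes it cannot classify. The fleet inventory, host names and flag strings are constructed sample data; the fixed-update table is only the Oracle list quoted in the thread and says nothing about other vendors' builds, whose numbering differs.

```python
"""Triage helper for CVE-2016-3427 (JMX deserialization) as discussed in the
thread above: given a JVM version string and the JVM's startup flags, report
whether the instance both exposes remote JMX and runs a JVM below the fixed
update levels quoted in the thread (Java SE 6u113, 7u99, 8u77).

Added example for this page, not code from the Tomcat project. Host names,
flags and version strings below are constructed sample data.
"""
import re

# Minimum update level per Java family that carries the fix, as quoted in the
# thread ("Java SE: 6u113, 7u99, 8u77"). Families outside this table are not
# classified by this script (other vendors' builds number differently).
FIXED_UPDATE = {6: 113, 7: 99, 8: 77}

# Old-style "1.8.0_91" / "1.8.0_91-b14" form, as printed by `java -version`
_DOTTED = re.compile(r"^1\.(\d+)\.\d+_(\d+)")
# Marketing form "8u77"
_SHORT = re.compile(r"^(\d+)u(\d+)$")


def parse_java_version(version):
    """Return (family, update) for '1.8.0_91', '1.8.0_91-b14' or '8u77'.

    Returns None for anything else (the '9.0.1' scheme used from Java 9
    onwards, or vendor strings this parser does not understand) so the
    caller fails closed instead of guessing.
    """
    v = version.strip().strip('"')
    for pattern in (_DOTTED, _SHORT):
        m = pattern.match(v)
        if m:
            return int(m.group(1)), int(m.group(2))
    return None


def jvm_is_patched(version):
    """True if version is at or above the fixed update for its family,
    False if below it, None if the version cannot be classified."""
    parsed = parse_java_version(version)
    if parsed is None:
        return None
    family, update = parsed
    fixed = FIXED_UPDATE.get(family)
    if fixed is None:
        return None
    return update >= fixed


def remote_jmx_enabled(jvm_opts):
    """True if the JVM flags open the platform MBean server to the network.

    Only -Dcom.sun.management.jmxremote.port=<n> does that; the bare
    -Dcom.sun.management.jmxremote flag enables the local (same-user)
    connector only. Tomcat's JmxRemoteLifecycleListener configures its ports
    in server.xml instead, which this check does not inspect.
    """
    return re.search(r"-Dcom\.sun\.management\.jmxremote\.port=\d+", jvm_opts) is not None


def triage(version, jvm_opts):
    """Classify one JVM: 'exposed', 'patched', 'not-remote' or 'unknown'."""
    if not remote_jmx_enabled(jvm_opts):
        return "not-remote"
    patched = jvm_is_patched(version)
    if patched is None:
        return "unknown"
    return "patched" if patched else "exposed"


# Constructed sample inventory: (hostname, `java -version` string, CATALINA_OPTS)
SAMPLE_FLEET = [
    ("app-01", "1.8.0_91", "-Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.ssl=false"),
    ("app-02", "1.8.0_60", "-Dcom.sun.management.jmxremote.port=9010 -Dcom.sun.management.jmxremote.authenticate=false"),
    ("app-03", "1.8.0_60", "-Dcom.sun.management.jmxremote"),
    ("app-04", "1.7.0_99", "-Dcom.sun.management.jmxremote.port=1099"),
    ("app-05", "9.0.1", "-Dcom.sun.management.jmxremote.port=1099"),
]


def triage_fleet(fleet):
    """Return {hostname: classification} for a list of (host, version, opts)."""
    return {host: triage(version, opts) for host, version, opts in fleet}


if __name__ == "__main__":
    for host, status in sorted(triage_fleet(SAMPLE_FLEET).items()):
        print("%-8s %s" % (host, status))
```

With the constructed fleet, app-01 (8u91) and app-04 (7u99) come out as patched, app-02 (8u60 with an open, unauthenticated JMX port) as exposed, app-03 as not-remote because it only enables the local connector, and app-05 as unknown because the Java 9 version scheme is not in the quoted table. "not-remote" is about the JVM flags only; an instance that opens JMX through Tomcat's JMX Remote Lifecycle Listener in server.xml needs that configuration checked separately.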