Re: Java 8 compatibility for Tomcat 7

2014-04-10 Thread Emmanuel Bourg
On 11/04/2014 01:19, Mark Thomas wrote:

> I spoke with Filip at ApacheCon. This is meant to be an internal API
> so the refactoring should be safe.
> 
> I've done the back-port and fixed a handful of IDE warnings while I
> was at it.

Thank you Mark. Do you think this could be backported to Tomcat 6 too?
It fails with the same error:

http://87.98.165.193/debian/openjdk8-rebuild/logs-failed-jdk8/tomcat6_6.0.39-1_unstable_jdk8.log

Emmanuel Bourg


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



svn commit: r1586578 - /tomcat/jk/trunk/native/common/jk_connect.c

2014-04-10 Thread mturk
Author: mturk
Date: Fri Apr 11 05:56:38 2014
New Revision: 1586578

URL: http://svn.apache.org/r1586578
Log:
Ensure that we use port buffer with getaddrinfo call

Modified:
tomcat/jk/trunk/native/common/jk_connect.c

Modified: tomcat/jk/trunk/native/common/jk_connect.c
URL: 
http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_connect.c?rev=1586578&r1=1586577&r2=1586578&view=diff
==
--- tomcat/jk/trunk/native/common/jk_connect.c (original)
+++ tomcat/jk/trunk/native/common/jk_connect.c Fri Apr 11 05:56:38 2014
@@ -454,7 +454,7 @@ int jk_resolve(const char *host, int por
  */
 if (error == EAI_FAMILY && prefer_ipv6) {
 hints.ai_family = JK_INET;
-error = getaddrinfo(host, NULL, &hints, &ai_list);
+error = getaddrinfo(host, pbufptr, &hints, &ai_list);
 }
 #endif
 if (error) {
@@ -466,7 +466,7 @@ int jk_resolve(const char *host, int por
 if (prefer_ipv6) {
 ai = ai_list;
 while (ai) {
-if (ai->ai_family == AF_INET6) {
+if (ai->ai_family == JK_INET6) {
 /* ignore elements without required address info */
 if((ai->ai_addr != NULL) && (ai->ai_addrlen > 0)) {

 family = JK_INET6;
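Review bot: The log message covers only the port buffer, but this hunk and the next one also change the family comparison from AF_INET6/AF_INET to JK_INET6/JK_INET. If the JK_ macros can ever differ from the system constants, that is a behaviour change and should be described in the log; if they are plain aliases, say so, or move the rename into its own commit so the getaddrinfo fix stays easy to audit.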
@@ -480,7 +480,7 @@ int jk_resolve(const char *host, int por
 if (ai == NULL) {
 ai = ai_list;
 while (ai) {
-if (ai->ai_family == AF_INET) {
+if (ai->ai_family == JK_INET) {
 /* ignore elements without required address info */
 if((ai->ai_addr != NULL) && (ai->ai_addrlen > 0)) {

 family = JK_INET;






Re: svn commit: r1585657 - /tomcat/jk/trunk/native/common/jk_connect.c

2014-04-10 Thread Mladen Turk

On 04/10/2014 09:57 PM, Konstantin Kolinko wrote:

2014-04-08 11:52 GMT+04:00  :

Author: mturk
Date: Tue Apr  8 07:52:56 2014
New Revision: 1585657

URL: http://svn.apache.org/r1585657
Log:
Use port when calling getaddrinfo and skip bogus addresses

Modified:
 tomcat/jk/trunk/native/common/jk_connect.c

Modified: tomcat/jk/trunk/native/common/jk_connect.c
URL: 
http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_connect.c?rev=1585657&r1=1585656&r2=1585657&view=diff
==
--- tomcat/jk/trunk/native/common/jk_connect.c (original)
+++ tomcat/jk/trunk/native/common/jk_connect.c Tue Apr  8 07:52:56 2014
@@ -430,6 +430,8 @@ int jk_resolve(const char *host, int por
   */
  struct addrinfo hints, *ai_list, *ai = NULL;
  int error;
+char  pbuf[12];
+char *pbufptr = NULL;

  memset(&hints, 0, sizeof(hints));
  hints.ai_socktype = SOCK_STREAM;
@@ -440,7 +442,11 @@ int jk_resolve(const char *host, int por
  else
  #endif
  hints.ai_family = JK_INET;
-error = getaddrinfo(host, NULL, &hints, &ai_list);
+if (port > 0) {
+snprintf(pbuf, port, sizeof(pbuf));
+pbufptr = pbuf;
+}
+error = getaddrinfo(host, pbufptr, &hints, &ai_list);
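
Review bot: The snprintf call inside the added `if (port > 0)` block has its arguments in the wrong positions: `snprintf(pbuf, port, sizeof(pbuf));` passes port as the size limit and sizeof(pbuf) where the format string belongs. The size bound can then be far larger than the 12-byte pbuf declared in the previous hunk, and an integer is handed to a const char * parameter, so the buffer never receives the port text and the call has undefined behaviour. It should read `snprintf(pbuf, sizeof(pbuf), "%d", port);`.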



The "getaddrinfo" method is called twice in this method. The above
modifies the first call.

Apply the same change to the second call, a few lines below?



Hmm, yes, good catch.


Regards
--
^TM
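
The pattern discussed in this thread (format the port into a bounded buffer, pass it as the service argument to both the first and the fallback getaddrinfo() call, and skip list entries without address data), as an added example that is not mod_jk code. The helper names are hypothetical, it uses the system AF_INET/AF_INET6 constants rather than the JK_ macros, and it assumes numeric hosts only (AI_NUMERICHOST) so that it runs without DNS.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Hypothetical helper: render a port as the "service" string for getaddrinfo().
 * snprintf takes (buffer, buffer size, format, args); the size bounds the write.
 * Returns buf, or NULL (meaning "no service") when port is 0. */
static const char *port_service(int port, char *buf, size_t buflen)
{
    int n;
    if (port <= 0)
        return NULL;
    n = snprintf(buf, buflen, "%d", port);
    return (n > 0 && (size_t)n < buflen) ? buf : NULL;
}

/* Hypothetical helper: first entry of the wanted family that actually
 * carries an address; entries without address data are skipped. */
static const struct addrinfo *first_usable(const struct addrinfo *ai, int family)
{
    for (; ai != NULL; ai = ai->ai_next) {
        if (ai->ai_family == family && ai->ai_addr != NULL && ai->ai_addrlen > 0)
            return ai;
    }
    return NULL;
}

/* IPv6 first when preferred, IPv4 otherwise or as the fallback. */
static const struct addrinfo *pick_address(const struct addrinfo *list, int prefer_ipv6)
{
    const struct addrinfo *ai = prefer_ipv6 ? first_usable(list, AF_INET6) : NULL;
    return ai ? ai : first_usable(list, AF_INET);
}

/* Resolve a numeric host and return the port stored in the chosen socket
 * address, or -1 on failure. The same service string is used for the first
 * call and for the retry. */
int resolved_port(const char *host, int port, int prefer_ipv6)
{
    struct addrinfo hints, *list = NULL;
    const struct addrinfo *ai;
    char pbuf[12];
    const char *service;
    int error, result = -1;

    if (port < 0 || port > 65535)
        return -1;
    service = port_service(port, pbuf, sizeof(pbuf));

    memset(&hints, 0, sizeof(hints));
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_NUMERICHOST | AI_NUMERICSERV;
    hints.ai_family = prefer_ipv6 ? AF_UNSPEC : AF_INET;

    error = getaddrinfo(host, service, &hints, &list);
    if (error == EAI_FAMILY && prefer_ipv6) {
        hints.ai_family = AF_INET;
        error = getaddrinfo(host, service, &hints, &list);
    }
    if (error != 0)
        return -1;

    ai = pick_address(list, prefer_ipv6);
    if (ai != NULL && ai->ai_family == AF_INET)
        result = ntohs(((const struct sockaddr_in *)ai->ai_addr)->sin_port);
    else if (ai != NULL)
        result = ntohs(((const struct sockaddr_in6 *)ai->ai_addr)->sin6_port);
    freeaddrinfo(list);
    return result;
}

/* Constructed list: an IPv6 entry with no address data followed by a valid
 * IPv4 entry. Returns the family pick_address() selects, or -1 for none. */
int demo_pick_family(int prefer_ipv6)
{
    struct sockaddr_in v4;
    struct addrinfo bogus6, good4;
    const struct addrinfo *ai;

    memset(&v4, 0, sizeof(v4));
    v4.sin_family = AF_INET;
    memset(&bogus6, 0, sizeof(bogus6));
    memset(&good4, 0, sizeof(good4));
    bogus6.ai_family = AF_INET6;            /* ai_addr stays NULL */
    bogus6.ai_next = &good4;
    good4.ai_family = AF_INET;
    good4.ai_addr = (struct sockaddr *)&v4;
    good4.ai_addrlen = sizeof(v4);

    ai = pick_address(&bogus6, prefer_ipv6);
    return ai ? ai->ai_family : -1;
}
```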




[Bug 56383] Securing ErrorReportValve

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

Nick Bunn changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
  Attachment #31507|0                           |1
        is obsolete|                            |

--- Comment #2 from Nick Bunn  ---
Created attachment 31510
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31510&action=edit
Patch for ErrorReportValve_02

Added
* Getter methods
* Exposed new attributes via JMX?
* Updated Documentation




Re: Tomcat 6 timing of next release

2014-04-10 Thread Konstantin Kolinko
2014-04-11 3:57 GMT+04:00 Mark Thomas :
> The various backports have now been applied. It makes sense to wait for
> the 1.1.30 release to pick up the OpenSSL fix for Windows users so I'm
> currently planning on tagging this early next week (assuming 1.1.30 is
> released).
>

There is one more Jasper EL regression that I think needs to be
addressed in Tomcat 6.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56334

Thus far I have tested that it is reproducible with the war from Bugzilla
(in 8.0.x or in 7.0.x, I don't remember), but have not dug further to
fix it.

Best regards,
Konstantin Kolinko




Tomcat 6 timing of next release

2014-04-10 Thread Mark Thomas
The various backports have now been applied. It makes sense to wait for
the 1.1.30 release to pick up the OpenSSL fix for Windows users so I'm
currently planning on tagging this early next week (assuming 1.1.30 is
released).

Mark




svn commit: r1586512 - /tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java

2014-04-10 Thread markt
Author: markt
Date: Thu Apr 10 23:50:16 2014
New Revision: 1586512

URL: http://svn.apache.org/r1586512
Log:
CTR Javadoc Fix warning

Modified:
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java

Modified: tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java?rev=1586512&r1=1586511&r2=1586512&view=diff
==
--- tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java 
(original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/http/Cookies.java Thu Apr 
10 23:50:16 2014
@@ -37,9 +37,9 @@ public final class Cookies { // extends 
 
 private static org.apache.juli.logging.Log log=
 org.apache.juli.logging.LogFactory.getLog(Cookies.class );
-
+
 // expected average number of cookies per request
-public static final int INITIAL_SIZE=4; 
+public static final int INITIAL_SIZE=4;
 ServerCookie scookies[]=new ServerCookie[INITIAL_SIZE];
 int cookieCount=0;
 boolean unprocessed=true;
@@ -51,16 +51,16 @@ public final class Cookies { // extends 
  * being quoted.
  */
 public static final boolean ALLOW_EQUALS_IN_VALUE;
-
+
 /*
 List of Separator Characters (see isSeparator())
-Excluding the '/' char violates the RFC, but 
+Excluding the '/' char violates the RFC, but
 it looks like a lot of people put '/'
-in unquoted values: '/': ; //47 
-'\t':9 ' ':32 '\"':34 '(':40 ')':41 ',':44 ':':58 ';':59 '<':60 
+in unquoted values: '/': ; //47
+'\t':9 ' ':32 '\"':34 '(':40 ')':41 ',':44 ':':58 ';':59 '<':60
 '=':61 '>':62 '?':63 '@':64 '[':91 '\\':92 ']':93 '{':123 '}':125
 */
-public static final char SEPARATORS[] = { '\t', ' ', '\"', '(', ')', ',', 
+public static final char SEPARATORS[] = { '\t', ' ', '\"', '(', ')', ',',
 ':', ';', '<', '=', '>', '?', '@', '[', '\\', ']', '{', '}' };
 
 protected static final boolean separators[] = new boolean[128];
@@ -71,7 +71,7 @@ public final class Cookies { // extends 
 for (int i = 0; i < SEPARATORS.length; i++) {
 separators[SEPARATORS[i]] = true;
 }
-
+
 ALLOW_EQUALS_IN_VALUE = Boolean.valueOf(System.getProperty(
 
"org.apache.tomcat.util.http.ServerCookie.ALLOW_EQUALS_IN_VALUE",
 "false")).booleanValue();
@@ -138,7 +138,7 @@ public final class Cookies { // extends 
 }
 
 //  Indexed access 
-
+
 public ServerCookie getCookie( int idx ) {
 if( unprocessed ) {
 getCookieCount(); // will also update the cookies
@@ -166,7 +166,7 @@ public final class Cookies { // extends 
 System.arraycopy( scookies, 0, scookiesTmp, 0, cookieCount);
 scookies=scookiesTmp;
 }
-
+
 ServerCookie c = scookies[cookieCount];
 if( c==null ) {
 c= new ServerCookie();
@@ -177,7 +177,7 @@ public final class Cookies { // extends 
 }
 
 
-// code from CookieTools 
+// code from CookieTools
 
 /** Add all Cookie found in the headers of a request.
  */
@@ -227,11 +227,11 @@ public final class Cookies { // extends 
 }
 return true;
 }
-
+
 
 // -
 //  DEPRECATED, OLD 
-
+
 private void processCookieHeader(  String cookieString )
 {
 if( dbg>0 ) log( "Parsing cookie header " + cookieString );
@@ -245,17 +245,17 @@ public final class Cookies { // extends 
 String token = tok.nextToken();
 int i = token.indexOf("=");
 if (i > -1) {
-
+
 // XXX
 // the trims here are a *hack* -- this should
 // be more properly fixed to be spec compliant
-
+
 String name = token.substring(0, i).trim();
 String value = token.substring(i+1, token.length()).trim();
-// RFC 2109 and bug 
+// RFC 2109 and bug
 value=stripQuote( value );
 ServerCookie cookie = addCookie();
-
+
 cookie.getName().setString(name);
 cookie.getValue().setString(value);
 if( dbg > 0 ) log( "Add cookie " + name + "=" + value);
@@ -269,12 +269,11 @@ public final class Cookies { // extends 
  *
  * Strips quotes from the start and end of the cookie string
  * This conforms to RFC 2965
- * 
- * @param valuea String specifying the cookie 
- * value (possibly quoted).
  *
- * @see #setValue
+ * @param valuea String specifying the cookie
+ * value (possibly quoted).
  *
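Review bot: The only non-whitespace change visible in this commit is the removal of `@see #setValue` in this last hunk; every other hunk strips trailing whitespace. Mixing the two under "Javadoc Fix warning" hides the one line that fixes the warning, so the whitespace cleanup would be better as a separate commit, or at least named in the log.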

svn commit: r1586510 - /tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java

2014-04-10 Thread markt
Author: markt
Date: Thu Apr 10 23:49:00 2014
New Revision: 1586510

URL: http://svn.apache.org/r1586510
Log:
CTR Javadoc Fix warning

Modified:
tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java

Modified: tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java?rev=1586510&r1=1586509&r2=1586510&view=diff
==
--- tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/el/ValueExpressionImpl.java Thu Apr 10 
23:49:00 2014
@@ -5,9 +5,9 @@
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
- * 
+ *
  *  http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -43,7 +43,7 @@ import org.apache.el.util.ReflectionUtil
 
 /**
  * An Expression that can get or set a value.
- * 
+ *
  * 
  * In previous incarnations of this API, expressions could only be read.
  * ValueExpression objects can now be used both to retrieve a
@@ -55,37 +55,37 @@ import org.apache.el.util.ReflectionUtil
  * details. Expressions that cannot be used as l-values must always return
  * true from isReadOnly().
  * 
- * 
+ *
  * 
  * The {@link ExpressionFactory#createValueExpression} method
  * can be used to parse an expression string and return a concrete instance
  * of ValueExpression that encapsulates the parsed expression.
- * The {@link FunctionMapper} is used at parse time, not evaluation time, 
- * so one is not needed to evaluate an expression using this class.  
+ * The {@link FunctionMapper} is used at parse time, not evaluation time,
+ * so one is not needed to evaluate an expression using this class.
  * However, the {@link ELContext} is needed at evaluation time.
  *
  * The {@link #getValue}, {@link #setValue}, {@link #isReadOnly} and
  * {@link #getType} methods will evaluate the expression each time they are
- * called. The {@link ELResolver} in the ELContext is used to 
+ * called. The {@link ELResolver} in the ELContext is used to
  * resolve the top-level variables and to determine the behavior of the
  * . and [] operators. For any of the four methods,
- * the {@link ELResolver#getValue} method is used to resolve all properties 
- * up to but excluding the last one. This provides the base 
- * object. At the last resolution, the ValueExpression will 
- * call the corresponding {@link ELResolver#getValue}, 
- * {@link ELResolver#setValue}, {@link ELResolver#isReadOnly} or 
- * {@link ELResolver#getType} method, depending on which was called on 
+ * the {@link ELResolver#getValue} method is used to resolve all properties
+ * up to but excluding the last one. This provides the base
+ * object. At the last resolution, the ValueExpression will
+ * call the corresponding {@link ELResolver#getValue},
+ * {@link ELResolver#setValue}, {@link ELResolver#isReadOnly} or
+ * {@link ELResolver#getType} method, depending on which was called on
  * the ValueExpression.
  * 
  *
- * See the notes about comparison, serialization and immutability in 
+ * See the notes about comparison, serialization and immutability in
  * the {@link Expression} javadocs.
  *
  * @see javax.el.ELResolver
  * @see javax.el.Expression
  * @see javax.el.ExpressionFactory
  * @see javax.el.ValueExpression
- * 
+ *
  * @author Jacob Hookom [ja...@hookom.net]
  *
  */
@@ -107,7 +107,7 @@ public final class ValueExpressionImpl e
 }
 
 /**
- * 
+ *
  */
 public ValueExpressionImpl(String expr, Node node, FunctionMapper fnMapper,
 VariableMapper varMapper, Class expectedType) {
@@ -120,7 +120,7 @@ public final class ValueExpressionImpl e
 
 /*
  * (non-Javadoc)
- * 
+ *
  * @see java.lang.Object#equals(java.lang.Object)
  */
 public boolean equals(Object obj) {
@@ -130,7 +130,7 @@ public final class ValueExpressionImpl e
 
 /*
  * (non-Javadoc)
- * 
+ *
  * @see javax.el.ValueExpression#getExpectedType()
  */
 public Class getExpectedType() {
@@ -140,21 +140,17 @@ public final class ValueExpressionImpl e
 /**
  * Returns the type the result of the expression will be coerced to after
  * evaluation.
- * 
+ *
  * @return the expectedType passed to the
  * ExpressionFactory.createValueExpression method
  * that created this ValueExpression.
- * 
+ *
  * @see javax.el.Expression#getExpressionString()
  */
 public String getExpressionString() {
 return this.expr;
 }
 
-/

svn commit: r1586509 - /tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java

2014-04-10 Thread markt
Author: markt
Date: Thu Apr 10 23:48:33 2014
New Revision: 1586509

URL: http://svn.apache.org/r1586509
Log:
CTR Javadoc Fix warning

Modified:
tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java

Modified: tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java?rev=1586509&r1=1586508&r2=1586509&view=diff
==
--- tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/el/MethodExpressionImpl.java Thu Apr 
10 23:48:33 2014
@@ -5,9 +5,9 @@
  * The ASF licenses this file to You under the Apache License, Version 2.0
  * (the "License"); you may not use this file except in compliance with
  * the License.  You may obtain a copy of the License at
- * 
+ *
  *  http://www.apache.org/licenses/LICENSE-2.0
- * 
+ *
  * Unless required by applicable law or agreed to in writing, software
  * distributed under the License is distributed on an "AS IS" BASIS,
  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
@@ -42,38 +42,38 @@ import org.apache.el.util.ReflectionUtil
 
 /**
  * An Expression that refers to a method on an object.
- * 
+ *
  * 
  * The {@link ExpressionFactory#createMethodExpression} method
  * can be used to parse an expression string and return a concrete instance
  * of MethodExpression that encapsulates the parsed expression.
- * The {@link FunctionMapper} is used at parse time, not evaluation time, 
- * so one is not needed to evaluate an expression using this class.  
+ * The {@link FunctionMapper} is used at parse time, not evaluation time,
+ * so one is not needed to evaluate an expression using this class.
  * However, the {@link ELContext} is needed at evaluation time.
  *
- * The {@link #getMethodInfo} and {@link #invoke} methods will evaluate the 
- * expression each time they are called. The {@link ELResolver} in the 
- * ELContext is used to resolve the top-level variables and to 
- * determine the behavior of the . and [] 
- * operators. For any of the two methods, the {@link ELResolver#getValue} 
- * method is used to resolve all properties up to but excluding the last 
+ * The {@link #getMethodInfo} and {@link #invoke} methods will evaluate the
+ * expression each time they are called. The {@link ELResolver} in the
+ * ELContext is used to resolve the top-level variables and to
+ * determine the behavior of the . and []
+ * operators. For any of the two methods, the {@link ELResolver#getValue}
+ * method is used to resolve all properties up to but excluding the last
  * one. This provides the base object on which the method
- * appears. If the base object is null, a 
- * NullPointerException must be thrown. At the last resolution, 
+ * appears. If the base object is null, a
+ * NullPointerException must be thrown. At the last resolution,
  * the final property is then coerced to a String,
- * which provides the name of the method to be found. A method matching the 
- * name and expected parameters provided at parse time is found and it is 
+ * which provides the name of the method to be found. A method matching the
+ * name and expected parameters provided at parse time is found and it is
  * either queried or invoked (depending on the method called on this
  * MethodExpression).
  *
- * See the notes about comparison, serialization and immutability in 
+ * See the notes about comparison, serialization and immutability in
  * the {@link Expression} javadocs.
  *
  * @see javax.el.ELResolver
  * @see javax.el.Expression
  * @see javax.el.ExpressionFactory
  * @see javax.el.MethodExpression
- * 
+ *
  * @author Jacob Hookom [ja...@hookom.net]
  *
  */
@@ -93,7 +93,7 @@ public final class MethodExpressionImpl 
 private Class[] paramTypes;
 
 /**
- * 
+ *
  */
 public MethodExpressionImpl() {
 super();
@@ -121,7 +121,7 @@ public final class MethodExpressionImpl 
 /**
  * Determines whether the specified object is equal to this
  * Expression.
- * 
+ *
  * 
  * The result is true if and only if the argument is not
  * null, is an Expression object that is the
@@ -129,7 +129,7 @@ public final class MethodExpressionImpl 
  * MethodExpression), and has an identical parsed
  * representation.
  * 
- * 
+ *
  * 
  * Note that two expressions can be equal if their expression Strings are
  * different. For example, ${fn1:foo()} and
@@ -137,7 +137,7 @@ public final class MethodExpressionImpl 
  * FunctionMappers mapped fn1:foo and
  * fn2:foo to the same method.
  * 
- * 
+ *
  * @param obj
  *the Object to test for equality.
  * @return true if obj equals this
@@ -153,22 +153,22 @@ public final class MethodExpressionImpl 
 /**
  * Returns the original String used 

svn commit: r1586501 - in /tomcat/tc6.0.x/trunk: STATUS.txt java/org/apache/tomcat/util/descriptor/LocalResolver.java java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java webapps/docs/changelog.

2014-04-10 Thread markt
Author: markt
Date: Thu Apr 10 23:25:06 2014
New Revision: 1586501

URL: http://svn.apache.org/r1586501
Log:
Add a work around for validating XML documents (often TLDs) that use just the 
file name to refer to the JavaEE schema on which they are based.

Modified:
tomcat/tc6.0.x/trunk/STATUS.txt

tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/LocalResolver.java

tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1586501&r1=1586500&r2=1586501&view=diff
==
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Apr 10 23:25:06 2014
@@ -28,14 +28,6 @@ None
 PATCHES PROPOSED TO BACKPORT:
   [ New proposals should be added at the end of the list ]
 
-* Add a work around for validating XML documents (often TLDs) that use
-  just the file name to refer to refer to the JavaEE schema on which they
-  are based.
-  (Backport of r1579931)
-  
https://people.apache.org/~kkolinko/patches/2014-04-05_tc6_LocalResolver_nameOnly.patch
-  +1: kkolinko, markt, schultz
-  -1:
-
 
 PATCHES/ISSUES THAT ARE STALLED:
 

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/LocalResolver.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/LocalResolver.java?rev=1586501&r1=1586500&r2=1586501&view=diff
==
--- 
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/LocalResolver.java 
(original)
+++ 
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/LocalResolver.java 
Thu Apr 10 23:25:06 2014
@@ -37,6 +37,11 @@ public class LocalResolver implements En
 private static final StringManager sm =
 StringManager.getManager(Constants.PACKAGE_NAME);
 
+private static final String[] JAVA_EE_NAMESPACES = {
+XmlIdentifiers.JAVAEE_1_4_NS,
+XmlIdentifiers.JAVAEE_5_NS };
+
+
 private final Map publicIds;
 private final Map systemIds;
 private final boolean blockExternal;
@@ -92,6 +97,18 @@ public class LocalResolver implements En
 return is;
 }
 
+// Work-around for XML documents that use just the file name for the
+// location to refer to a JavaEE schema
+for (String javaEENamespace : JAVA_EE_NAMESPACES) {
+String javaEESystemId = javaEENamespace + '/' + systemId;
+resolved = systemIds.get(javaEESystemId);
+if (resolved != null) {
+InputSource is = new InputSource(resolved);
+is.setPublicId(publicId);
+return is;
+}
+}
+
 // Resolve the supplied systemId against the base
 URI systemUri;
 try {
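Review bot: The added loop runs for every systemId that reaches this point, not only for the bare file names the comment describes, and nothing in the hunk checks that systemId is non-null before it is concatenated. Guarding the loop (for example on systemId being non-null and containing no '/') would make the code match its comment and avoid two map lookups with keys that cannot match. Because the result comes only from the systemIds map, the work-around cannot resolve to anything outside the locally registered schemas, which is worth stating in the comment since this class also carries the blockExternal flag.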

Modified: 
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java?rev=1586501&r1=1586500&r2=1586501&view=diff
==
--- 
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java 
(original)
+++ 
tomcat/tc6.0.x/trunk/java/org/apache/tomcat/util/descriptor/XmlIdentifiers.java 
Thu Apr 10 23:25:06 2014
@@ -49,6 +49,8 @@ public final class XmlIdentifiers {
 "http://java.sun.com/dtd/web-jsptaglibrary_1_2.dtd";;
 
 // from J2EE 1.4
+public static final String JAVAEE_1_4_NS =
+"http://java.sun.com/xml/ns/j2ee";;
 public static final String WEB_24_XSD =
 "http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd";;
 public static final String TLD_20_XSD =
@@ -57,6 +59,8 @@ public final class XmlIdentifiers {
 "http://www.ibm.com/webservices/xsd/j2ee_web_services_1_1.xsd";;
 
 // from JavaEE 5
+public static final String JAVAEE_5_NS =
+"http://java.sun.com/xml/ns/javaee";;
 public static final String WEB_25_XSD =
 "http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd";;
 public static final String TLD_21_XSD =

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1586501&r1=1586500&r2=1586501&view=diff
==
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Thu Apr 10 23:25:06 2014
@@ -77,6 +77,11 @@
 Prevent user supplied XSLTs used by the DefaultServlet from defining
 external entities. (markt)
   
+  
+Add a work around for validating XML documents (often TLDs) that use
+just th

svn commit: r1586500 - in /tomcat/tc7.0.x/trunk: ./ java/org/apache/catalina/ha/context/ java/org/apache/catalina/ha/session/ java/org/apache/catalina/tribes/tipis/ test/org/apache/catalina/tribes/dem

2014-04-10 Thread markt
Author: markt
Date: Thu Apr 10 23:21:19 2014
New Revision: 1586500

URL: http://svn.apache.org/r1586500
Log:
Backport refactoring of AbstractReplicatedMap to implement Map rather than 
extend ConcurrentHashMap to enable Tomcat 7 to be built with Java 8.

Modified:
tomcat/tc7.0.x/trunk/   (props changed)

tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java
tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/session/BackupManager.java

tomcat/tc7.0.x/trunk/java/org/apache/catalina/tribes/tipis/AbstractReplicatedMap.java

tomcat/tc7.0.x/trunk/java/org/apache/catalina/tribes/tipis/LazyReplicatedMap.java

tomcat/tc7.0.x/trunk/java/org/apache/catalina/tribes/tipis/ReplicatedMap.java
tomcat/tc7.0.x/trunk/test/org/apache/catalina/tribes/demos/MapDemo.java
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc7.0.x/trunk/
--
  Merged /tomcat/trunk:r1222329

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java?rev=1586500&r1=1586499&r2=1586500&view=diff
==
--- 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java 
(original)
+++ 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java 
Thu Apr 10 23:21:19 2014
@@ -16,10 +16,10 @@
  */
 package org.apache.catalina.ha.context;
 
-import java.util.AbstractMap;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashSet;
+import java.util.Map;
 import java.util.Set;
 import java.util.concurrent.ConcurrentHashMap;
 
@@ -61,8 +61,10 @@ public class ReplicatedContext extends S
 CatalinaCluster catclust = (CatalinaCluster)this.getCluster();
 if (this.context == null) this.context = new ReplApplContext(this);
 if ( catclust != null ) {
-ReplicatedMap map = new 
ReplicatedMap(this,catclust.getChannel(),DEFAULT_REPL_TIMEOUT,
-  
getName(),getClassLoaders());
+ReplicatedMap map =
+new ReplicatedMap(this,
+catclust.getChannel(),DEFAULT_REPL_TIMEOUT,
+getName(),getClassLoaders());
 map.setChannelSendOptions(mapSendOptions);
 ((ReplApplContext)this.context).setAttributeMap(map);
 if (getAltDDName() != null) 
context.setAttribute(Globals.ALT_DD_ATTR, getAltDDName());
@@ -86,10 +88,10 @@ public class ReplicatedContext extends S
 
 super.stopInternal();
 
-AbstractMap map =
-((ReplApplContext)this.context).getAttributeMap();
+Map map =
+((ReplApplContext)this.context).getAttributeMap();
 if ( map!=null && map instanceof ReplicatedMap) {
-((ReplicatedMap)map).breakdown();
+((ReplicatedMap)map).breakdown();
 }
 }
 
@@ -145,10 +147,10 @@ public class ReplicatedContext extends S
  return super.getFacade();
 }
 
-public AbstractMap getAttributeMap() {
-return (AbstractMap)this.attributes;
+public Map getAttributeMap() {
+return this.attributes;
 }
-public void setAttributeMap(AbstractMap map) {
+public void setAttributeMap(Map map) {
 this.attributes = map;
 }
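Review bot: getAttributeMap() and setAttributeMap() are public, and this hunk changes their return and parameter type from AbstractMap to Map, which is a binary-incompatible signature change on a stable branch. If these are intended as internal API, say so in the changelog entry for this backport so that anyone who subclasses or calls them knows a recompile is needed.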
 

Modified: 
tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/session/BackupManager.java
URL: 
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/session/BackupManager.java?rev=1586500&r1=1586499&r2=1586500&view=diff
==
--- tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/session/BackupManager.java 
(original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/catalina/ha/session/BackupManager.java 
Thu Apr 10 23:21:19 2014
@@ -115,7 +115,8 @@ public class BackupManager extends Clust
 @Override
 public ClusterMessage requestCompleted(String sessionId) {
 if (!getState().isAvailable()) return null;
-LazyReplicatedMap map = (LazyReplicatedMap)sessions;
+LazyReplicatedMap map =
+(LazyReplicatedMap)sessions;
 map.replicate(sessionId,false);
 return null;
 }
@@ -159,7 +160,6 @@ public class BackupManager extends Clust
  * @exception LifecycleException if this component detects a fatal error
  *  that prevents this component from being used
  */
-@SuppressWarnings("unchecked")
 @Override
 protected synchronized void startInternal() throws LifecycleException {
 
@@ -167,12 +167,10 @@ public class BackupManager extends Clust
 
 try {
 if (clu

Re: Java 8 compatibility for Tomcat 7

2014-04-10 Thread Mark Thomas
On 10/04/2014 02:34, Christopher Schultz wrote:
> Mark,
> 
> On 4/8/14, 10:55 AM, Mark Thomas wrote:
>> On 08/04/2014 06:32, Emmanuel Bourg wrote:
>>> On 08/04/2014 14:03, Mark Thomas wrote:
>>> 
>>>> Can you provide the details of the failure. That might help
>>>> ID a solution.
>>> 
>>> Thank you, here is the build log on Debian:
>>> 
>>> http://87.98.165.193/debian/openjdk8-rebuild/logs-failed-jdk8/tomcat7_7.0.52-1_unstable_jdk8.log
>>> 
>>> [javac] /«PKGBUILDDIR»/java/org/apache/catalina/tribes/tipis/AbstractReplicatedMap.java:1107: error: keySet() in AbstractReplicatedMap cannot override keySet() in ConcurrentHashMap
>>> [javac] public Set keySet() {
>>> [javac]^
>>> [javac]   return type Set is not compatible with KeySetView
>>> [javac]   where K,V are type-variables:
>>> [javac] K extends Object declared in class ConcurrentHashMap
>>> [javac] V extends Object declared in class ConcurrentHashMap
>>> 
>>> 
>>> This issue is caused by the addition of a keySet() method to 
>>> ConcurrentHashMap in Java 8 with a return type incompatible
>>> with the keySet() method in AbstractReplicatedMap.
>>> 
>>> In r1222329 AbstractReplicatedMap was changed to no longer
>>> inherit ConcurrentHashMap and implement directly the Map
>>> interface. This had the side effect of fixing this Java 8 issue
>>> for Tomcat 8.
>> 
>> That looks like something we are going to need to fix but any fix
>> is going to have to change the API. On that basis, back-porting
>> r1222329 is probably the best option.
>> 
>> Any objections to back-porting this fix to 7.0.x?
> 
> +1 to back-porting

I spoke with Filip at ApacheCon. This is meant to be an internal API
so the refactoring should be safe.

I've done the back-port and fixed a handful of IDE warnings while I
was at it.

Mark





[Tomcat Wiki] Update of "summit-na-2014" by KeiichiFujino

2014-04-10 Thread Apache Wiki
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "summit-na-2014" page has been changed by KeiichiFujino:
https://wiki.apache.org/tomcat/summit-na-2014?action=diff&rev1=11&rev2=12

   * Arquillian tests
   * Additions to authentication/realm API to improve extension capabilities 
(e.g. support bcrypt, pbkdf2, etc.)
   * Monitoring of Tomcat Cluster(Tribes) by mbean.
+  * Improvement of  Cluster Deployer(FarmWarDeployer).
+   * When adding new cluster membe, synchronize the war that is deployed on 
the master node. 
+   * Add support for parallel deployment.
   * Please add your topics here...
  




[Tomcat Wiki] Update of "summit-na-2014" by KeiichiFujino

2014-04-10 Thread Apache Wiki

The "summit-na-2014" page has been changed by KeiichiFujino:
https://wiki.apache.org/tomcat/summit-na-2014?action=diff&rev1=10&rev2=11

   * mavenization of build
   * Arquillian tests
   * Additions to authentication/realm API to improve extension capabilities 
(e.g. support bcrypt, pbkdf2, etc.)
+  * Monitoring of Tomcat Cluster(Tribes) by mbean.
   * Please add your topics here...
  




svn commit: r1586478 - in /tomcat/trunk: java/org/apache/catalina/webresources/CachedResource.java webapps/docs/changelog.xml

2014-04-10 Thread markt
Author: markt
Date: Thu Apr 10 22:02:14 2014
New Revision: 1586478

URL: http://svn.apache.org/r1586478
Log:
Ensure that the static resource cache is able to detect when a cache entry is 
invalidated by being overridden by a new resource in a different WebResourceSet

Modified:
tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java?rev=1586478&r1=1586477&r2=1586478&view=diff
==
--- tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/CachedResource.java Thu 
Apr 10 22:02:14 2014
@@ -89,8 +89,9 @@ public class CachedResource implements W
 return true;
 }
 
-if (!webResource.exists() && root.getResourceInternal(
-webAppPath, useClassLoaderResources).exists()) {
+WebResource webResourceInternal = root.getResourceInternal(
+webAppPath, useClassLoaderResources);
+if (!webResource.exists() && webResourceInternal.exists()) {
 return false;
 }
 
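Review bot: hoisting `root.getResourceInternal(webAppPath, useClassLoaderResources)` out of the `if` removes the short-circuit that the old `!webResource.exists() && ...` condition provided, so the lookup now runs on every pass through this point, including for cached resources that exist. If that is intentional (the result is reused further down), a one-line comment at the new `webResourceInternal` declaration saying so would keep a later cleanup from folding it back into the condition.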
@@ -101,6 +102,13 @@ public class CachedResource implements W
 return false;
 }
 
+// Has a resource been inserted / removed in a different resource set
+if (webResource.getLastModified() != 
webResourceInternal.getLastModified() ||
+webResource.getContentLength() != 
webResourceInternal.getContentLength()) {
+return false;
+}
+
+
 nextCheck = ttl + now;
 return true;
 }
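Review bot: the added check compares only `getLastModified()` and `getContentLength()` of `webResource` and `webResourceInternal`, so a resource inserted in a different WebResourceSet that happens to have the same timestamp and length as the cached one still validates and the cached copy continues to be served. If that limitation is accepted, state it in the comment above the check; otherwise compare something that identifies the backing resource. The hunk also adds two consecutive blank lines before `nextCheck = ttl + now;`, where one is enough.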

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1586478&r1=1586477&r2=1586478&view=diff
==
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Thu Apr 10 22:02:14 2014
@@ -83,6 +83,11 @@
 56365: Simplify file name pattern matching code in
 StandardJarScanner. (kkolinko)
   
+  
+Ensure that the static resource cache is able to detect when a cache
+entry is invalidated by being overridden by a new resource in a
+different WebResourceSet. (markt)
+  
 
   
   






[Tomcat Wiki] Update of "ContributorsGroup" by markt

2014-04-10 Thread Apache Wiki
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "ContributorsGroup" page has been changed by markt:
https://wiki.apache.org/tomcat/ContributorsGroup?action=diff&rev1=19&rev2=20

   * PierreJean
   * GaryBriggs
   * JeanFredericClere
+  * KeiichiFujino
  




Re: Please add to ContributorsGroup.

2014-04-10 Thread Mark Thomas
On 10/04/2014 15:43, Keiichi Fujino wrote:
> HI
> 
> Please add to the ContributorsGroup in order to edit the Tomcat wiki.
> 
> name: KeiichiFujino
> 
> 
Done.

Mark




Please add to ContributorsGroup.

2014-04-10 Thread Keiichi Fujino
HI

Please add to the ContributorsGroup in order to edit the Tomcat wiki.

name: KeiichiFujino


-- 
Keiichi.Fujino


Re: svn commit: r1585657 - /tomcat/jk/trunk/native/common/jk_connect.c

2014-04-10 Thread Konstantin Kolinko
2014-04-08 11:52 GMT+04:00  :
> Author: mturk
> Date: Tue Apr  8 07:52:56 2014
> New Revision: 1585657
>
> URL: http://svn.apache.org/r1585657
> Log:
> Use port when calling getaddrinfo and skip bogus addresses
>
> Modified:
> tomcat/jk/trunk/native/common/jk_connect.c
>
> Modified: tomcat/jk/trunk/native/common/jk_connect.c
> URL: 
> http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_connect.c?rev=1585657&r1=1585656&r2=1585657&view=diff
> ==
> --- tomcat/jk/trunk/native/common/jk_connect.c (original)
> +++ tomcat/jk/trunk/native/common/jk_connect.c Tue Apr  8 07:52:56 2014
> @@ -430,6 +430,8 @@ int jk_resolve(const char *host, int por
>   */
>  struct addrinfo hints, *ai_list, *ai = NULL;
>  int error;
> +char  pbuf[12];
> +char *pbufptr = NULL;
>
>  memset(&hints, 0, sizeof(hints));
>  hints.ai_socktype = SOCK_STREAM;
> @@ -440,7 +442,11 @@ int jk_resolve(const char *host, int por
>  else
>  #endif
>  hints.ai_family = JK_INET;
> -error = getaddrinfo(host, NULL, &hints, &ai_list);
> +if (port > 0) {
> +snprintf(pbuf, port, sizeof(pbuf));
> +pbufptr = pbuf;
> +}
> +error = getaddrinfo(host, pbufptr, &hints, &ai_list);
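Review bot: the `snprintf` call inside the new `if (port > 0)` block has its arguments in the wrong order. `snprintf(pbuf, port, sizeof(pbuf));` passes `port` as the buffer size and `sizeof(pbuf)` (an integer) as the format string, so the call is told that the 12-byte `pbuf` is `port` bytes long and is handed a non-pointer where the format belongs, which is undefined behaviour. It should read `snprintf(pbuf, sizeof(pbuf), "%d", port);`.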


The "getaddrinfo" method is called twice in this method. The above
modifies the first call.

Apply the same change to the second call, a few lines below?


Best regards,
Konstantin Kolinko
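
The point raised in this message, as an added example that is not mod_jk code and not part of the original thread: the port is formatted once and the same service string is handed to every getaddrinfo call, including the fallback. The names port_to_service, resolve_endpoint and endpoint_port are hypothetical, and trying each address family in turn is an assumption made here (jk_resolve retries only on EAI_FAMILY).

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200112L
#endif
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <netdb.h>

/* Render a port as the decimal "service" string getaddrinfo() expects.
 * snprintf argument order: buffer, buffer size, format, value.
 * Returns buf, or NULL for an unset/out-of-range port or a truncated
 * write; a NULL service makes getaddrinfo() leave the port at 0. */
const char *port_to_service(int port, char *buf, size_t buflen)
{
    int n;

    if (port <= 0 || port > 65535)
        return NULL;
    n = snprintf(buf, buflen, "%d", port);
    if (n < 0 || (size_t)n >= buflen)
        return NULL;
    return buf;
}

/* Resolve host and port to the first usable socket address.
 * extra_flags is OR-ed into hints.ai_flags (for example AI_NUMERICHOST).
 * Returns 0 on success, otherwise the last getaddrinfo() error code. */
int resolve_endpoint(const char *host, int port, int prefer_ipv6,
                     int extra_flags,
                     struct sockaddr_storage *out, socklen_t *outlen)
{
    char pbuf[12];
    const char *service = port_to_service(port, pbuf, sizeof(pbuf));
    int families[2];
    int error = EAI_FAIL;
    int i;

    families[0] = prefer_ipv6 ? AF_INET6 : AF_INET;
    families[1] = prefer_ipv6 ? AF_INET : AF_INET6;

    for (i = 0; i < 2; i++) {
        struct addrinfo hints, *list = NULL, *ai;

        memset(&hints, 0, sizeof(hints));
        hints.ai_socktype = SOCK_STREAM;
        hints.ai_family = families[i];
        hints.ai_flags = extra_flags;

        /* Every attempt gets the same service string, so an address
         * found by the fallback carries the port as well. */
        error = getaddrinfo(host, service, &hints, &list);
        if (error != 0)
            continue;

        for (ai = list; ai != NULL; ai = ai->ai_next) {
            /* Skip entries without usable address data. */
            if (ai->ai_addr == NULL || ai->ai_addrlen == 0 ||
                ai->ai_addrlen > sizeof(*out))
                continue;
            memset(out, 0, sizeof(*out));
            memcpy(out, ai->ai_addr, ai->ai_addrlen);
            *outlen = ai->ai_addrlen;
            freeaddrinfo(list);
            return 0;
        }
        freeaddrinfo(list);
        error = EAI_FAIL;
    }
    return error;
}

/* Port stored in a resolved address, host byte order; -1 if not IP. */
int endpoint_port(const struct sockaddr_storage *ss)
{
    if (ss->ss_family == AF_INET)
        return ntohs(((const struct sockaddr_in *)ss)->sin_port);
    if (ss->ss_family == AF_INET6)
        return ntohs(((const struct sockaddr_in6 *)ss)->sin6_port);
    return -1;
}

int main(void)
{
    struct sockaddr_storage ss;
    socklen_t len = 0;
    /* Constructed input: numeric loopback address and port 8009.
     * IPv6 is preferred, so the IPv4 literal is found by the fallback. */
    int rc = resolve_endpoint("127.0.0.1", 8009, 1, AI_NUMERICHOST,
                              &ss, &len);

    if (rc != 0) {
        printf("resolve failed: %s\n", gai_strerror(rc));
        return 1;
    }
    printf("family=%d port=%d\n", (int)ss.ss_family, endpoint_port(&ss));
    return 0;
}
```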




Re: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Mladen Turk

On 04/10/2014 01:50 PM, Mladen Turk wrote:


The Apache Tomcat Native 1.1.30 is
  [X] Stable, go ahead and release
  [ ] Broken because of ...




My vote, FTR.

Regards
--
^TM




NIO2 connector status

2014-04-10 Thread Rémy Maucherat
Hi,

With some fixes in, I think the status is now better than what the
"welcome" message says, which is: The NIO2 connector is currently
EXPERIMENTAL and should not be used in production

In preparation for the next build, I would like to update it to: The NIO2
connector is currently BETA and should not be used in production
It is now supposed to be doing semi useful things, but with possible
remaining bugs. At least it can be tested.

The known issue is that (possible) testsuite failure:
test.entry=org.apache.tomcat.websocket.TestWebSocketFrameClientSSL
test.entry.methods=testConnectToServerEndpoint
(after removing the assertion)
But I haven't been able to reproduce it despite lots of hacks to skew the
timings. The most current theory given the symptoms is it would be a
missing onWritePossible event (but no idea why it is SSL specific, and I
did some theoretical tightening which didn't improve anything so I'm not sure
there's an issue with that). So if someone has better luck and (hopefully)
has an idea how to fix it, I'm interested.
Other than this one, the testsuite now seems very reliable on NIO2, which
cannot hurt.

Rémy


[Bug 56383] Securing ErrorReportValve

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

--- Comment #1 from Konstantin Kolinko  ---
Comment on attachment 31507
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31507
Patch for ErrorReportValve

1. Add getter methods?

2. Expose new attributes via JMX? 
(Update mbeans-descriptors.xml file in the same package)

3. Documentation?

(Update webapps/docs/config/valve.xml. A bit more work than usual, because
ErrorReportValve is not documented there at all)

-- 
You are receiving this mail because:
You are the assignee for the bug.




[Bug 56383] Securing ErrorReportValve

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

Konstantin Kolinko  changed:

What                       | Removed | Added
---------------------------+---------+------
Attachment #31507 is patch | 0       | 1




[Bug 56382] Add logging of deployment time

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56382

--- Comment #2 from Konstantin Kolinko  ---
Comment on attachment 31506
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31506
Proposed patch

In reply to attachment 31506

> if( log.isInfoEnabled() )
> +startTime = System.currentTimeMillis();
> log.info(sm.getString("hostConfig.deployDir",
> dir.getAbsolutePath()));

1. The above change breaks the code, because of missing '{' after an 'if'
above.

> System.currentTimeMillis() - startTime

2. Boxing and unboxing have to be explicit, per our coding rules.

3. This covers only 'deployDirectory(..)' method. What about the others?




[Bug 55943] Provide a way prevent looking at the System classloader before the webapp classloaders

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55943

--- Comment #12 from hifisoftw...@gmail.com ---
I was able to figure out the fix. When I added the following line to
context.xml file, class loader behaviour was restored:


Thanks




Re: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Mladen Turk

On 04/10/2014 05:55 PM, Christopher Schultz wrote:
> Mladen,
>
> On 4/10/14, 9:29 AM, Mladen Turk wrote:
>> On 04/10/2014 03:15 PM, Robert Sanders wrote:
>>> Is the TCN portion of BZ 56027 address completely or partially with
>>> this release?
>>
>> Nope. This issue was not fixed with this release.
>
> The primary tcnative bit was in svn. Did you build 1.1/trunk, or did you
> just apply certain patches?
>
> There was a followup-comment about the 512-bit RSA key generation which
> is a separate problem IMO which has not yet been addressed.



Ah, now I saw your commit.
You will have to apply this to branches/1.1.x
This is where the releases are coming from.
Trunk is just a playground and probably expecting a major rewrite, so
don't bother with it :)


Regards
--
^TM




RE: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Robert Sanders
I'll concur with Chris for release.  WRT BZ 56027 there is no regression.  The 
exposure of the fipsModeGet will be useful moving forward to have the main 
Tomcat code avoid a double call to initialize SSL, but someone with more 
understanding of the FIPS requirements than I do should look at how TCN is 
pre-generating key lengths.

-R


> The Apache Tomcat Native 1.1.30 is
>  [X] Stable, go ahead and release
>  [ ] Broken because of ...




Re: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Mladen Turk

On 04/10/2014 05:55 PM, Christopher Schultz wrote:
> Mladen,
>
> On 4/10/14, 9:29 AM, Mladen Turk wrote:
>> On 04/10/2014 03:15 PM, Robert Sanders wrote:
>>> Is the TCN portion of BZ 56027 address completely or partially with
>>> this release?
>>
>> Nope. This issue was not fixed with this release.
>
> The primary tcnative bit was in svn. Did you build 1.1/trunk, or did you
> just apply certain patches?
>
> There was a followup-comment about the 512-bit RSA key generation which
> is a separate problem IMO which has not yet been addressed.



See the top email. It contains the tag used for builds.


Regards
--
^TM




Re: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Konstantin Kolinko
2014-04-10 15:50 GMT+04:00 Mladen Turk :
> Version 1.1.30 is bug fixing release with added ECDH
> if supported by OpenSSL library.
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2].
>
> The VOTE will remain open for at least 48 hours.
>
> The Apache Tomcat Native 1.1.30 is
>  [x] Stable, go ahead and release
>  [ ] Broken because of ...
>

I've run current 8.0.x (@r1586315) testsuite with JDK 7u51 32-bit on
Windows7 with non-OCSP and with OCSP binaries.  Both runs have
completed successfully.

Best regards,
Konstantin Kolinko




Re: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Christopher Schultz
Mladen,

On 4/10/14, 5:50 AM, Mladen Turk wrote:
> Version 1.1.30 is bug fixing release with added ECDH
> if supported by OpenSSL library.
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2].
> 
> The VOTE will remain open for at least 48 hours.
> 
> The Apache Tomcat Native 1.1.30 is
>  [X] Stable, go ahead and release
>  [ ] Broken because of ...

Thanks for this.

-chris





Re: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Christopher Schultz
Mladen,

On 4/10/14, 9:29 AM, Mladen Turk wrote:
> On 04/10/2014 03:15 PM, Robert Sanders wrote:
>> Is the TCN portion of BZ 56027 address completely or partially with
>> this release?
> 
> Nope. This issue was not fixed with this release.

The primary tcnative bit was in svn. Did you build 1.1/trunk, or did you
just apply certain patches?

There was a followup-comment about the 512-bit RSA key generation which
is a separate problem IMO which has not yet been addressed.

-chris





[Bug 56381] ServletRequest can be modified by Multiple Threads

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56381

--- Comment #2 from Remy Maucherat  ---
Yes, sync if needed + clear the facade objects. This is a long running topic
that is well suited for the user list.




[Bug 56363] OpenSSL security advisory - Heartbleed bug

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #10 from Mladen Turk  ---
I'll update the BUILDING with windows section since everyone is so concerned
about my health :)

It's very simple. The biggest problem is compiling apr and openssl. OpenSSL
needs to be patched to allow /MD with static lib (something I tried to convince
openssl developers for years without luck). We have the patch in the source
dist. Then you have to put apr and openssl include and lib files to some
directory 
C:\foo\bar\include
C:\foo\bar\lib

Then execute:
nmake -f NMAKEMakefile WITH_APR=C:\foo\bar WITH_OPENSSL=C:\foo\bar APR_DECLARE_STATIC=1 [ENABLE_OCSP=1]

When building APR I also modify apr.hw and set  APR_HAVE_IPV6 to 1.

That's it. 10 minutes for all architectures on an average box.
Note. Forget about IDE builds. They change the format of those .dsp, .vcproj
whatever files with each version. Use nmake and command line. You'll need them
to build openssl anyhow, so why not for all.




[Bug 56363] OpenSSL security advisory - Heartbleed bug

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #9 from jeffrey.jan...@polydyne.com ---
(In reply to Konstantin Kolinko from comment #7)
> (In reply to Jeffrey.Janner from comment #6)
> > However, the Windows version is statically linked, so we had to wait for
> > Mladen to work his magic or try to do the build ourselves using minimal
> > instructions.
> 
> 4. a) That would be a mess.  b) Somebody would still need to build OpenSSL
> for you. http://openssl.org/ provides source code only. See 2.

Yep.  Luckily, that site has a link
(http://www.openssl.org/related/binaries.html) to someone who provides binaries
almost as fast as OpenSSL releases them.
That site is http://slproweb.com/products/Win32OpenSSL.html.
I think in this case he and Mladen had versions available at about the same
time, though we're still waiting on an "approved" release from the ASF.
Overall, I'm generally OK getting the full suite from the ASF, it just would
be nice to have alternatives.




Re: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Mladen Turk

On 04/10/2014 03:15 PM, Robert Sanders wrote:
> Is the TCN portion of BZ 56027 address completely or partially with this
> release?


Nope. This issue was not fixed with this release.


Regards
--
^TM




[Bug 56363] OpenSSL security advisory - Heartbleed bug

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #8 from Mike Noordermeer  ---
(In reply to Konstantin Kolinko from comment #7)
> 2. Nobody here works for Microsoft.
> 
> Providing windows binaries is a courtesy and may stop at any random moment.

That's good to know, and may be something to mention on the site, so people
don't build production infrastructure on it.

> > Would it, for future reference, be possible to document the Windows
> > library build process better?
> 
> 3. Documentation improvement patches are appreciated. You may submit one via
> bugzilla.

I would love to improve the documentation, but at the moment it seems nobody
knows how the Windows build works except for Mladen. See for instance this post
of Mark Thomas:
http://mail-archives.apache.org/mod_mbox/tomcat-dev/201205.mbox/%3c4fba6dfc.4090...@apache.org%3E




Re: CVE-2014-0160

2014-04-10 Thread Andrew Carr
Thanks for the response, both of you.


On Thu, Apr 10, 2014 at 4:30 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Andrew,
>
> On 4/8/14, 5:43 PM, Andrew Carr wrote:
> > http://www.openssl.org/news/secadv_20140407.txt
> >
> > Hi Tomcat Devs,
> >
> > I have been on the dev list for a few years, and a tomcat developer
> longer
> > than that.  While I haven't contributed yet, I was curious if this cve
> > needs a contribution.  As far as I can tell, if you recompile your native
> > libs with the unaffected version of SSL, you will not be vulnerable to
> this
> > CVE.
> >
> > Is that assumption correct or does there need to be a change to tcnative?
>
> Technically, it's just a re-link, but it makes sense to push-out the
> latest 1.1 branch code and call it 1.1.30 to reduce confusion and to get
> a few useful features out to the world.
>
> -chris
>
>


-- 
With Regards,
Andrew Carr

e. andrewlanec...@gmail.com
w. andrew.c...@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743


Re: Tagging Tomcat Native 1.1.30

2014-04-10 Thread Andrew Carr
Nice.


On Thu, Apr 10, 2014 at 4:09 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Mladen,
>
> On 4/9/14, 11:42 PM, Mladen Turk wrote:
> > I plan to tag 1.1.30 either later today or tomorrow and
> > push for a quick release vote.
> >
> > Comments?
>
> Go for it. No bugs in it can be worse than this week's OpenSSL
> vulnerability.
>
> -chris
>
>


-- 
With Regards,
Andrew Carr

e. andrewlanec...@gmail.com
w. andrew.c...@openlogic.com
h. 4235255668
c. 4239489852
a. 101 Francis Drive, Greeneville, TN, 37743


[Bug 56383] Securing ErrorReportValve

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

Nick Bunn  changed:

What | Removed | Added
-----+---------+--------------------
CC   |         | thrain...@gmail.com




[Bug 56363] OpenSSL security advisory - Heartbleed bug

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #7 from Konstantin Kolinko  ---
(In reply to Mike Noordermeer from comment #4)

1. The timing is unfortunate. There is a conference going on right now. Key
people are there.
http://www.apachecon.com/

Also this bug is where I learned this issue from. Thank you Mike for filing it.

2. Nobody here works for Microsoft.

Providing windows binaries is a courtesy and may stop at any random moment.

> Would it, for future reference, be possible to document the Windows
> library build process better?

3. Documentation improvement patches are appreciated. You may submit one via
bugzilla.

(In reply to Jeffrey.Janner from comment #6)
> However, the Windows version is statically linked, so we had to wait for
> Mladen to work his magic or try to do the build ourselves using minimal
> instructions.

4. a) That would be a mess.  b) Somebody would still need to build OpenSSL for
you. http://openssl.org/ provides source code only. See 2.




[Bug 55915] Add ECDHE support to tcnative-1.dll

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55915

--- Comment #5 from jeffrey.jan...@polydyne.com ---
Wanted to report that the Qualys SSL Labs' SSL test tool is now reporting that,
with this version, the ECDHE ciphers are available and will be used by the IE
releases that support them (note IE8/XP does not). In fact, I am now getting an
A rating on the tool and all major browsers are shown to use a cipher that
offers Forward Secrecy.
Thanks for quickly addressing this one.




[Bug 56363] OpenSSL security advisory - Heartbleed bug

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #6 from jeffrey.jan...@polydyne.com ---
Thanks to Mladen for his effort on getting this out as fast as he has.
The ease with which this problem was addressable on the *NIX platforms leads me
to ask if there is a better way of addressing the native libraries in the
Windows world?  
The *NIX guys could just go get the latest OpenSSL version, install it, and
restart their Tomcats, because the libraries are dynamically linked. However,
the Windows version is statically linked, so we had to wait for Mladen to work
his magic or try to do the build ourselves using minimal instructions.
My question is, what would be the downside to leaving the Windows version as a
set of 2 or 3 dll files instead of statically linking them as they are now?




[Bug 56363] OpenSSL security advisory - Heartbleed bug

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

Mike Noordermeer  changed:

What   | Removed  | Added
-------+----------+------
Status | NEEDINFO | NEW

--- Comment #5 from Mike Noordermeer  ---
BTW, Luke, the intended release can be found at
http://people.apache.org/~mturk/native/1.1.30/.




[Bug 56363] OpenSSL security advisory - Heartbleed bug

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #4 from Mike Noordermeer  ---
While I understand that the disclosure process of this bug has been far from
optimal, and really appreciate all the effort the maintainer(s) spend on this
project, a turnaround time of 3 days for such a critical issue is not
acceptable and is currently forcing us to use the Java SSL implementation and
BIO/NIO connectors.

Would it, for future reference, be possible to document the Windows library
build process better? We too have been struggling (and failing) to build the
library ourselves, which has forced us to switch to the BIO connector due to
the extreme severity of the issue.




RE: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Robert Sanders
Just tested against a CentOS 6 box configured to be in FIPS mode at boot as per 
RH's directions and TCN will not start, tossing the same error I saw before in 
catalina.out:

Apr 10, 2014 9:01:19 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
SEVERE: Failed to initialize the SSLEngine.
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.core.AprLifecycleListener.initializeSSL(AprLifecycleListener.java:269)
    at org.apache.catalina.core.AprLifecycleListener.lifecycleEvent(AprLifecycleListener.java:108)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:142)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:813)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:606)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)

Commenting out line 77 (where the 512 bit RSA key is generated)  allows TCN to 
start and run normally.  I don't understand all of the FIPS requirements, but 
should execution be allowed to continue if we can generate *any* of the initial 
keys rather than requiring all of them?  The logic of the macros in lines 68 
through 82 winds up causing the SSL_TMP_KEYS_INIT(r) call at line 692 to fire if 
any key init fails, rather than seeing if at least one passes.

I did see in the changelog that BZ 56027 is only partially addressed, in that 
the fipsModeGet() method is now available.  

-Rob


From: Robert Sanders [rsand...@trustedcs.com]
Sent: Thursday, April 10, 2014 9:15 AM
To: Tomcat Developers List
Subject: RE: [VOTE] Release Apache Tomcat Native 1.1.30

Is the TCN portion of BZ 56027 addressed completely or partially with this 
release?  I see the exposure of the FIPS_mode setting, but it looks like the 
temporary 512 bit RSA key is still being done in the SSL_TMP_KEYS_INIT macro 
(line 77).  When I hacked my workaround earlier this year I had to make sure I 
didn't call FIPS_mode_set if it was already set and disable the 512 bit key to 
get TCN to spin up correctly.

-Rob


From: Mladen Turk [mt...@apache.org]
Sent: Thursday, April 10, 2014 9:01 AM
To: dev@tomcat.apache.org
Subject: Re: [VOTE] Release Apache Tomcat Native 1.1.30

On 04/10/2014 02:56 PM, Ognjen Blagojevic wrote:
>
> Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.
>
> - Filippo.io [1] reports it is not vulnerable to Heartbleed bug.
>
> - SSLLabs [2] reports it is not vulnerable to Heartbleed bug.
>
> - SSLLabs reports that Forward secrecy is enabled when proper cipher suites 
> (including EECDH/ECDHE) are enabled.
>
> - Smoke tests of APR, with and without TLS, all passed.
>

Cool.

Thanks
--
^TM



[Bug 56363] OpenSSL security advisory - Heartbleed bug

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

Luke Hall  changed:

What   | Removed | Added
-------+---------+---------
Status | NEW     | NEEDINFO

--- Comment #3 from Luke Hall  ---
Is there any possibility that you could provide us with a copy of the updated
Tomcat Native library now? My company has several affected servers and we have
been struggling to build the library ourselves, but with no success.




Re: ErrorValve enhancement

2014-04-10 Thread Nick Bunn
Chris,
Done (Bug 56383).
I didn't know if we needed to talk about it first since it was an
enhancement. On another note, do I need to make another bug for Tomcat 8 or
if this one gets accepted it will be ported over? What about documentation?
Does a patch for the site need to be included in the bug report as well?

Thanks,
Nick Bunn


On Thu, Apr 10, 2014 at 2:17 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Nick,
>
> Please file a Bugzilla bug and attach your patch to it.
>
> -chris
>
> On 4/9/14, 10:36 AM, Nick Bunn wrote:
> > Good Day,
> > As i'm sure you are all aware when the default error valve returns its
> > report it publishes the tomcat version and some other troubleshooting
> > data. This of course breaks one of my securities teams rules and also is
> > published as a item that needs to be remediated when hardening
> > tomcat(OWASP - goo.gl/Zr9xso  ). When using the
> > OWASP solution of replacing the serverInfo.properties file it can and
> > will break tools/code that uses that information(in my case our
> > deployment agent). The other two solutions are to create our own valve
> > and just change it to the default error valve or override the status
> > code at the HTTPD server(which broke our JSON and SOAP requests that
> > were providing valid 4XX and 5XX). That being said why not just have the
> > capability to disable this information in the current error valve? This
> > way we are not requiring users to override there serverinfo.properties
> > or create some customer error valve they will have to maintain. Thoughts?
> >
> > Attached is the a simple patch to version 7.0.x. Can easily be ported to
> > 8.0.x as not much as changed. You would then just add the below to your
> > server.xml
> >
> >  > showReport="false" showServerInfo="false" />
> >
> >
> > Thanks,
> > Nick Bunn
> >
> >
> >
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: dev-h...@tomcat.apache.org
> >
>
>


-- 
Thanks,
Nick Bunn


[Bug 56383] New: Securing ErrorReportValve

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56383

Bug ID: 56383
   Summary: Securing ErrorReportValve
   Product: Tomcat 7
   Version: trunk
  Hardware: All
OS: All
Status: NEW
  Severity: enhancement
  Priority: P2
 Component: Catalina
  Assignee: dev@tomcat.apache.org
  Reporter: thrain...@gmail.com

Created attachment 31507
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31507&action=edit
Patch for ErrorReportValve

When the default error valve returns its report it publishes the Tomcat version
and some other troubleshooting data. This of course breaks security standards
at some companies and also is published as an item that needs to be remediated
when hardening Tomcat (OWASP - goo.gl/Zr9xso). When using the OWASP solution of
replacing the serverInfo.properties file it can and will break tools/code that
uses that information.

Attached is the proposed enhancement to be able to switch options to show minimal
information back.

Adding the below will return an HTML page with only the status. No CSS
or title.


Currently, the default is true for both, so if users still want to see the current
report nothing will have to change in their server.xml.

-- 
You are receiving this mail because:
You are the assignee for the bug.




svn commit: r1586306 - /tomcat/native/branches/1.1.x/xdocs/news/2014.xml

2014-04-10 Thread kkolinko
Author: kkolinko
Date: Thu Apr 10 14:01:13 2014
New Revision: 1586306

URL: http://svn.apache.org/r1586306
Log:
Followup to r1586254: correct title.

Modified:
tomcat/native/branches/1.1.x/xdocs/news/2014.xml

Modified: tomcat/native/branches/1.1.x/xdocs/news/2014.xml
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/news/2014.xml?rev=1586306&r1=1586305&r2=1586306&view=diff
==
--- tomcat/native/branches/1.1.x/xdocs/news/2014.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/news/2014.xml Thu Apr 10 14:01:13 2014
@@ -24,7 +24,7 @@
 
   
 Apache Tomcat Native 
Project
-2013 News and Status
+2014 News and Status
   
 
 






[Bug 56381] ServletRequest can be modified by Multiple Threads

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56381

--- Comment #1 from Jess Holle  ---
I am perfectly aware that the servlet API makes no guarantees about thread
safety of the [Http]ServletRequest interface or implementations thereof.

I also understand that providing general thread-safety in implementation would
have performance and/or implementation complexity costs that may not be
appropriate.

As such I've been calling getParameterMap() and the like in my first servlet
filter -- thus allowing other threads to access this data after this point
without issues up until the request thread completes work on the request. 
There are some really good use cases for this sort of thing -- e.g. monitoring
the state of all in-flight requests.

The real issue here, however, is what occurs if these APIs are invoked after
the request thread completes its request work.  It was clear to me that the
other threads could get bad data in such a case -- and I'm fine with that. 
They should have made a copy of the data if the data acquisition is more than
just a "best effort" affair.  What was not at all clear is that recycle
behavior could allow any bit of code to toss ServletRequest objects to other
threads, call methods against these objects too late and completely corrupt
later servlet requests!  That's a real safety issue in a larger application.

For my own monitoring code I've added a read/write lock that ensures that there
is no possible race condition between request completion and switching over to
a copy of the ServletRequest data.  That's well and good.  What I can't do,
however, is keep any other developer from doing something stupid and corrupting
unrelated requests, which is a troubleshooting nightmare.

I suppose I could change my servlet filter implementation to use a wrapped
ServletRequest object with built-in read/write locking that switched the
underlying ServletRequest object to null at the end of the request.  That's a
lot of workaround code to avoid intrinsic recycle issues, though.

-- 
You are receiving this mail because:
You are the assignee for the bug.
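
The read/write-lock hand-over described in the comment above, as an added example that is not part of the bug comment or of Tomcat's code. PooledRequest stands in for a recycled container request so the block runs without the servlet API; both class names and the sample parameters are hypothetical.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.locks.ReentrantReadWriteLock;

public class RecycleGuardDemo {

    /** Hypothetical stand-in for a container request object that is reused across requests. */
    static final class PooledRequest {
        private final Map<String, String> params = new HashMap<>();

        void begin(Map<String, String> incoming) { params.clear(); params.putAll(incoming); }
        Map<String, String> getParameterMap() { return params; }
        void recycle() { params.clear(); }
    }

    /** Per-request guard: the only thing other threads are ever given. */
    static final class GuardedRequest {
        private final ReentrantReadWriteLock lock = new ReentrantReadWriteLock();
        private PooledRequest live;            // set to null when the request completes
        private Map<String, String> snapshot;  // immutable copy taken at completion

        GuardedRequest(PooledRequest live) { this.live = live; }

        /** Safe from any thread, before or after completion. */
        Map<String, String> parameters() {
            lock.readLock().lock();
            try {
                if (live == null) {
                    return snapshot;
                }
                // Copy while holding the read lock, so the caller never keeps a
                // reference into the pooled object.
                return Collections.unmodifiableMap(new HashMap<>(live.getParameterMap()));
            } finally {
                lock.readLock().unlock();
            }
        }

        /** Request thread calls this last, before the container recycles the object. */
        void complete() {
            lock.writeLock().lock();
            try {
                if (live != null) {
                    snapshot = Collections.unmodifiableMap(new HashMap<>(live.getParameterMap()));
                    live = null;
                }
            } finally {
                lock.writeLock().unlock();
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        PooledRequest pooled = new PooledRequest();

        // Request A (constructed sample data). Parameters are populated before the
        // guard is shared, mirroring the early getParameterMap() call in the first filter.
        pooled.begin(Collections.singletonMap("user", "alice"));
        GuardedRequest guardA = new GuardedRequest(pooled);
        PooledRequest leakedRaw = pooled;  // what careless code would hand to another thread

        guardA.complete();   // end of request A on the request thread
        pooled.recycle();    // container reuses the same object ...
        pooled.begin(Collections.singletonMap("user", "bob"));  // ... for request B

        Thread monitor = new Thread(() -> {
            // Late reader holding the guard still sees request A's data.
            System.out.println("guard for A  : " + guardA.parameters());
            // Late reader holding the raw object sees (and could modify) request B.
            System.out.println("raw reference: " + leakedRaw.getParameterMap());
        });
        monitor.start();
        monitor.join();
    }
}
```

The guard keeps returning request A's copy after completion, while the raw reference exposes whatever request currently owns the recycled object, which is the cross-request corruption risk the comment describes.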




RE: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Robert Sanders
Is the TCN portion of BZ 56027 addressed completely or partially with this 
release?  I see the exposure of the FIPS_mode setting, but it looks like the 
temporary 512 bit RSA key is still being done in the SSL_TMP_KEYS_INIT macro 
(line 77).  When I hacked my workaround earlier this year I had to make sure I 
didn't call FIPS_mode_set if it was already set and disable the 512 bit key to 
get TCN to spin up correctly.

-Rob
  

From: Mladen Turk [mt...@apache.org]
Sent: Thursday, April 10, 2014 9:01 AM
To: dev@tomcat.apache.org
Subject: Re: [VOTE] Release Apache Tomcat Native 1.1.30

On 04/10/2014 02:56 PM, Ognjen Blagojevic wrote:
>
> Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.
>
> - Filippo.io [1] reports it is not vulnerable to Heartbleed bug.
>
> - SSLLabs [2] reports it is not vulnerable to Heartbleed bug.
>
> - SSLLabs reports that Forward secrecy is enabled when proper cipher suites 
> (including EECDH/ECDHE) are enabled.
>
> - Smoke tests of APR, with and without TLS, all passed.
>

Cool.

Thanks
--
^TM




Re: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Mladen Turk

On 04/10/2014 02:56 PM, Ognjen Blagojevic wrote:


> Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.
>
> - Filippo.io [1] reports it is not vulnerable to Heartbleed bug.
>
> - SSLLabs [2] reports it is not vulnerable to Heartbleed bug.
>
> - SSLLabs reports that Forward secrecy is enabled when proper cipher suites
> (including EECDH/ECDHE) are enabled.
>
> - Smoke tests of APR, with and without TLS, all passed.



Cool.

Thanks
--
^TM




Re: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Ognjen Blagojevic

Mladen,

On 10.4.2014 13:50, Mladen Turk wrote:

The Apache Tomcat Native 1.1.30 is
  [X] Stable, go ahead and release
  [ ] Broken because of ...


(non-binding)

Tested with Tomcat 8.0.5, Oracle Java 1.7.0_51 on Windows 7 64-bit.

- Filippo.io [1] reports it is not vulnerable to Heartbleed bug.

- SSLLabs [2] reports it is not vulnerable to Heartbleed bug.

- SSLLabs reports that Forward secrecy is enabled when proper cipher 
suites (including EECDH/ECDHE) are enabled.


- Smoke tests of APR, with and without TLS, all passed.

-Ognjen

[1] http://filippo.io/Heartbleed/
[2] https://www.ssllabs.com/ssltes





[Bug 56382] Add logging of deployment time

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56382

--- Comment #1 from Danila Galimov  ---
Created attachment 31506
  --> https://issues.apache.org/bugzilla/attachment.cgi?id=31506&action=edit
Proposed patch

-- 
You are receiving this mail because:
You are the assignee for the bug.




[Bug 56382] New: Add logging of deployment time

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56382

            Bug ID: 56382
           Summary: Add logging of deployment time
           Product: Tomcat 7
           Version: trunk
          Hardware: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: b...@mail.ru

Tomcat logs the start of the deployment directory, but doesn't log the finish.
I've created a small patch, which logs when the particular deployment is
finished, with the deployment time.

So output will be like this:

Apr 10, 2014 4:26:17 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory
C:\AAA\Tools\apache-tomcat-7.0.52\webapps\aaa-admin



Apr 10, 2014 4:31:10 PM org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deployment of web application directory
C:\AAA\Tools\apache-tomcat-7.0.52\webapps\aaa-admin has finished in 292,516 ms.

-- 
You are receiving this mail because:
You are the assignee for the bug.




svn commit: r1586282 - /tomcat/jk/trunk/native/common/jk_ajp_common.c

2014-04-10 Thread rjung
Author: rjung
Date: Thu Apr 10 12:37:18 2014
New Revision: 1586282

URL: http://svn.apache.org/r1586282
Log:
Followup for r1586044 (broken request chunking).

Modified:
tomcat/jk/trunk/native/common/jk_ajp_common.c

Modified: tomcat/jk/trunk/native/common/jk_ajp_common.c
URL: 
http://svn.apache.org/viewvc/tomcat/jk/trunk/native/common/jk_ajp_common.c?rev=1586282&r1=1586281&r2=1586282&view=diff
==
--- tomcat/jk/trunk/native/common/jk_ajp_common.c (original)
+++ tomcat/jk/trunk/native/common/jk_ajp_common.c Thu Apr 10 12:37:18 2014
@@ -1479,11 +1479,15 @@ static int ajp_read_into_msg_buff(ajp_en
 
 /* Pick the max size since we don't know the content_length
  */
-if ((r->is_chunked && len == 0) || len < 0 || len > maxlen) {
+if (r->is_chunked && ae->left_bytes_to_send == 0) {
 len = maxlen;
-}
-if (ae->left_bytes_to_send > 0 && (jk_uint64_t)len > 
ae->left_bytes_to_send) {
-len = (int)ae->left_bytes_to_send;
+} else {
+if ((jk_uint64_t)maxlen > ae->left_bytes_to_send) {
+maxlen = (int)ae->left_bytes_to_send;
+}
+if (len < 0 || len > maxlen) {
+len = maxlen;
+}
 }
 
 if ((len = ajp_read_fully_from_server(r, l, read_buf, len)) < 0) {
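
Review bot: In the new else branch, a non-chunked request with ae->left_bytes_to_send == 0 clamps maxlen to 0, so len becomes 0 and ajp_read_fully_from_server() is still called with a zero length; an explicit early return, or a comment saying the zero-length read is intended, would make that case obvious. The chunked branch now also replaces any caller-supplied len with maxlen whenever left_bytes_to_send is 0, where the old condition did so only for len == 0, and the comment above the block ("Pick the max size since we don't know the content_length") no longer describes the else path, so it should be updated to cover both cases.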






Re: [VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Rémy Maucherat
2014-04-10 13:50 GMT+02:00 Mladen Turk :

> The Apache Tomcat Native 1.1.30 is
>  [X] Stable, go ahead and release
>  [ ] Broken because of ...
>

Rémy


[Bug 56381] ServletRequest can be modified by Multiple Threads

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56381

Remy Maucherat  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID
                 OS|                            |All

-- 
You are receiving this mail because:
You are the assignee for the bug.




[VOTE] Release Apache Tomcat Native 1.1.30

2014-04-10 Thread Mladen Turk

Version 1.1.30 is a bug-fixing release with added ECDH
if supported by the OpenSSL library.
The proposed release artefacts can be found at [1],
and the build was done using tag [2].

The VOTE will remain open for at least 48 hours.

The Apache Tomcat Native 1.1.30 is
 [ ] Stable, go ahead and release
 [ ] Broken because of ...


 [1] http://people.apache.org/~mturk/native/1.1.30
 [2] https://svn.apache.org/repos/asf/tomcat/native/tags/TOMCAT_NATIVE_1_1_30


Regards
--
^TM




[Bug 56381] New: ServletRequest can be modified by Multiple Threads

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56381

            Bug ID: 56381
           Summary: ServletRequest can be modified by Multiple Threads
           Product: Tomcat 8
           Version: trunk
          Hardware: PC
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: mgai...@hotmail.com

A ServletRequest implementor can be referenced by multiple threads.
It's easy to see that every attribute the Request contains (including maps)
can be and will be modified.
This is unacceptable and must be corrected ASAP (by introducing synchronized
blocks for any code modifying ServletRequest and/or attributes of
ServletRequest).

Originally reported by Jess Holle 10 April 2014

-- 
You are receiving this mail because:
You are the assignee for the bug.




svn commit: r1586266 - /tomcat/native/tags/TOMCAT_NATIVE_1_1_30/

2014-04-10 Thread mturk
Author: mturk
Date: Thu Apr 10 10:36:32 2014
New Revision: 1586266

URL: http://svn.apache.org/r1586266
Log:
Tag 1.1.30

Added:
tomcat/native/tags/TOMCAT_NATIVE_1_1_30/   (props changed)
  - copied from r1586265, tomcat/native/branches/1.1.x/

Propchange: tomcat/native/tags/TOMCAT_NATIVE_1_1_30/
--
--- svn:ignore (added)
+++ svn:ignore Thu Apr 10 10:36:32 2014
@@ -0,0 +1 @@
+dist

Propchange: tomcat/native/tags/TOMCAT_NATIVE_1_1_30/
--
--- svn:mergeinfo (added)
+++ svn:mergeinfo Thu Apr 10 10:36:32 2014
@@ -0,0 +1,3 @@
+/tomcat/native/trunk:815411,1342003,1342008,1342013,1342020,1342024,1394258,1394342,1424947,1424971,1430753,1437081,1438342,1439337,1441884,1441886,1442579,1442581,1445972,1507113,1532577,1532590,1539594,1555184,1559180
+/tomcat/tc7.0.x/trunk:1199985,1200164,1349932,1434887,1435769
+/tomcat/trunk:815418,832198,1001939,1033916,1043103,1044729,1078522,1145209,1145285,1149092,1241356,1241406-1241407,1242254,1292671,1299980,1300102,1434905,1437083






svn commit: r1586263 - in /tomcat/native/branches/1.1.x: build.properties.default build.xml native/include/tcn_version.h

2014-04-10 Thread mturk
Author: mturk
Date: Thu Apr 10 10:27:08 2014
New Revision: 1586263

URL: http://svn.apache.org/r1586263
Log:
Prepare versions for 1.1.30 release

Modified:
tomcat/native/branches/1.1.x/build.properties.default
tomcat/native/branches/1.1.x/build.xml
tomcat/native/branches/1.1.x/native/include/tcn_version.h

Modified: tomcat/native/branches/1.1.x/build.properties.default
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/build.properties.default?rev=1586263&r1=1586262&r2=1586263&view=diff
==
--- tomcat/native/branches/1.1.x/build.properties.default (original)
+++ tomcat/native/branches/1.1.x/build.properties.default Thu Apr 10 10:27:08 
2014
@@ -18,7 +18,7 @@
 # - Version Control Flags -
 version.major=1
 version.minor=1
-version.build=29
+version.build=30
 version.patch=0
 #version.suffix=-dev
 version.suffix=

Modified: tomcat/native/branches/1.1.x/build.xml
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/build.xml?rev=1586263&r1=1586262&r2=1586263&view=diff
==
--- tomcat/native/branches/1.1.x/build.xml (original)
+++ tomcat/native/branches/1.1.x/build.xml Thu Apr 10 10:27:08 2014
@@ -33,7 +33,7 @@
 
 
 
-
+
 
 
 

Modified: tomcat/native/branches/1.1.x/native/include/tcn_version.h
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/native/include/tcn_version.h?rev=1586263&r1=1586262&r2=1586263&view=diff
==
--- tomcat/native/branches/1.1.x/native/include/tcn_version.h (original)
+++ tomcat/native/branches/1.1.x/native/include/tcn_version.h Thu Apr 10 
10:27:08 2014
@@ -75,7 +75,7 @@ extern "C" {
  *  This symbol is defined for internal, "development" copies of TCN. This
  *  symbol will be #undef'd for releases.
  */
-#define TCN_IS_DEV_VERSION  1
+#define TCN_IS_DEV_VERSION  0
 
 
 /** The formatted string of APU's version */
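
Review bot: The context comment says TCN_IS_DEV_VERSION "will be #undef'd for releases", but the changed line defines it to 0 instead, so any #ifdef or defined() test on the symbol would still treat the release as a development copy. Either update the comment to say the symbol is set to 0 for releases, or confirm that every use is a value test (#if TCN_IS_DEV_VERSION). The following context line also speaks of "APU's version" in a TCN header, which looks like a leftover worth correcting while here.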






svn commit: r1586258 - /tomcat/native/branches/1.1.x/jnirelease.sh

2014-04-10 Thread mturk
Author: mturk
Date: Thu Apr 10 10:19:54 2014
New Revision: 1586258

URL: http://svn.apache.org/r1586258
Log:
No more docs/printer files

Modified:
tomcat/native/branches/1.1.x/jnirelease.sh

Modified: tomcat/native/branches/1.1.x/jnirelease.sh
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/jnirelease.sh?rev=1586258&r1=1586257&r2=1586258&view=diff
==
--- tomcat/native/branches/1.1.x/jnirelease.sh (original)
+++ tomcat/native/branches/1.1.x/jnirelease.sh Thu Apr 10 10:19:54 2014
@@ -21,7 +21,7 @@
 #native/include/tcn_version.h
 #native/os/win32/libtcnative.rc
 
-# Default place to look for apr source.  Can be overridden with 
+# Default place to look for apr source.  Can be overridden with
 #   --with-apr=[directory]
 apr_src_dir=`pwd`/srclib/apr
 JKJNIEXT=""
@@ -62,7 +62,7 @@ else
 echo ""
 echo "Problem finding apr source in: \`$apr_src_dir'"
 echo "Use:"
-echo "  --with-apr=" 
+echo "  --with-apr="
 echo ""
 exit 1
 fi
@@ -182,13 +182,17 @@ fi
 top="`pwd`"
 cd ${JKJNIDIST}/jni/xdocs
 ant
-$EXPTOOL $EXPOPTS ../build/docs/miscellaneous/printer/changelog.html > 
../../CHANGELOG.txt 2>/dev/null
+$EXPTOOL $EXPOPTS ../build/docs/miscellaneous/changelog.html > 
../../CHANGELOG.txt 2>/dev/null
 if [ $? -ne 0 ]; then
 echo ""
-echo "$EXPTOOL $EXPOPTS ../build/docs/miscellaneous/printer/changelog.html 
failed"
+echo "$EXPTOOL $EXPOPTS ../build/docs/miscellaneous/changelog.html failed"
 echo ""
 exit 1
 fi
+# Remove first 25 lines from converted file which contains
+# page navagation data.
+# Remember to increase the lines when new file is added to news.
+sed -i '1,25d' ../../CHANGELOG.txt
 cd "$top"
 mv ${JKJNIDIST}/jni/build/docs ${JKJNIDIST}/jni/docs
 rm -rf ${JKJNIDIST}/jni/build
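
Review bot: The added sed -i '1,25d' ../../CHANGELOG.txt hard-codes how many navigation lines the converted page carries, and the comment itself admits the number must be raised by hand whenever a news file is added; a miscount silently drops real changelog entries or leaves navigation text in the released CHANGELOG.txt. Deleting up to a known marker line in the converted output would not depend on the count, and the sed result is not checked the way the $EXPTOOL call just above it is. Also, sed -i without a suffix argument is the GNU form, and "navagation" in the new comment should read "navigation".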
@@ -233,14 +237,8 @@ if [ $? -ne 0 ]; then
 echo ""
 exit 1
 fi
-$EXPTOOL $EXPOPTS ../build/docs/miscellaneous/printer/changelog.html > 
../../CHANGELOG.txt 2>/dev/null
-if [ $? -ne 0 ]; then
-echo ""
-echo "$EXPTOOL $EXPOPTS ../build/docs/miscellaneous/printer/changelog.html 
failed"
-echo ""
-exit 1
-fi
 cd "$top"
+cp ${JKJNIDIST}/CHANGELOG.txt ${JKWINDIST}
 
 mv ${JKWINDIST}/jni/build/docs ${JKWINDIST}/jni/docs
 rm -rf ${JKWINDIST}/jni/build
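
Review bot: The new cp ${JKJNIDIST}/CHANGELOG.txt ${JKWINDIST} replaces a block that checked $? and exited on failure, but the copy itself is unchecked and its arguments are unquoted, so a missing CHANGELOG.txt or a path containing spaces lets the Windows distribution be assembled without a changelog. Suggest quoting both paths and keeping an exit-on-failure check after the cp.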






svn commit: r1586254 - in /tomcat/native/branches/1.1.x/xdocs: miscellaneous/project.xml news/2014.xml news/project.xml project.xml

2014-04-10 Thread mturk
Author: mturk
Date: Thu Apr 10 10:00:23 2014
New Revision: 1586254

URL: http://svn.apache.org/r1586254
Log:
Add year 2014 news section

Added:
tomcat/native/branches/1.1.x/xdocs/news/2014.xml   (with props)
Modified:
tomcat/native/branches/1.1.x/xdocs/miscellaneous/project.xml
tomcat/native/branches/1.1.x/xdocs/news/project.xml
tomcat/native/branches/1.1.x/xdocs/project.xml

Modified: tomcat/native/branches/1.1.x/xdocs/miscellaneous/project.xml
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/miscellaneous/project.xml?rev=1586254&r1=1586253&r2=1586254&view=diff
==
--- tomcat/native/branches/1.1.x/xdocs/miscellaneous/project.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/miscellaneous/project.xml Thu Apr 10 
10:00:23 2014
@@ -34,6 +34,7 @@
 
 
 
+
 
 
 

Added: tomcat/native/branches/1.1.x/xdocs/news/2014.xml
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/news/2014.xml?rev=1586254&view=auto
==
--- tomcat/native/branches/1.1.x/xdocs/news/2014.xml (added)
+++ tomcat/native/branches/1.1.x/xdocs/news/2014.xml Thu Apr 10 10:00:23 2014
@@ -0,0 +1,35 @@
+
+
+
+]>
+
+
+  &project;
+
+  
+Apache Tomcat Native 
Project
+2013 News and Status
+  
+
+
+
+
+
+
+
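
Review bot: The title line added to news/2014.xml reads "2013 News and Status" although the file and the log message are for the 2014 news section; it looks copied from the 2013 page and should say 2014.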

Propchange: tomcat/native/branches/1.1.x/xdocs/news/2014.xml
--
svn:eol-style = native

Propchange: tomcat/native/branches/1.1.x/xdocs/news/2014.xml
--
svn:mime-type = text/xml

Modified: tomcat/native/branches/1.1.x/xdocs/news/project.xml
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/news/project.xml?rev=1586254&r1=1586253&r2=1586254&view=diff
==
--- tomcat/native/branches/1.1.x/xdocs/news/project.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/news/project.xml Thu Apr 10 10:00:23 2014
@@ -34,6 +34,7 @@
 
 
 
+
 
 
 

Modified: tomcat/native/branches/1.1.x/xdocs/project.xml
URL: 
http://svn.apache.org/viewvc/tomcat/native/branches/1.1.x/xdocs/project.xml?rev=1586254&r1=1586253&r2=1586254&view=diff
==
--- tomcat/native/branches/1.1.x/xdocs/project.xml (original)
+++ tomcat/native/branches/1.1.x/xdocs/project.xml Thu Apr 10 10:00:23 2014
@@ -34,6 +34,7 @@
 
 
 
+
 
 
 






svn commit: r1586252 - /tomcat/native/branches/1.1.x/java/org/apache/tomcat/

2014-04-10 Thread mturk
Author: mturk
Date: Thu Apr 10 09:47:07 2014
New Revision: 1586252

URL: http://svn.apache.org/r1586252
Log:
Update externals

Modified:
tomcat/native/branches/1.1.x/java/org/apache/tomcat/   (props changed)

Propchange: tomcat/native/branches/1.1.x/java/org/apache/tomcat/
--
--- svn:externals (original)
+++ svn:externals Thu Apr 10 09:47:07 2014
@@ -1 +1 @@
-^/tomcat/trunk/java/org/apache/tomcat/jni@1528407 jni
+^/tomcat/trunk/java/org/apache/tomcat/jni@1561162 jni






[Bug 55399] Request English but Response Spanish Language (Default Locale)

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=55399

Konstantin Kolinko  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |st...@rkbb.co.uk

--- Comment #9 from Konstantin Kolinko  ---
*** Bug 56374 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are the assignee for the bug.




[Bug 56374] Page in wrong language - getting lower rank Accept-Language in request header

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56374

Konstantin Kolinko  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|INVALID                     |DUPLICATE

--- Comment #10 from Konstantin Kolinko  ---
(In reply to Christopher Schultz from comment #9)
> Possible duplicate of bug #55399?

Yes, I think it is.

*** This bug has been marked as a duplicate of bug 55399 ***

-- 
You are receiving this mail because:
You are the assignee for the bug.




Re: Java 8 compatibility for Tomcat 7

2014-04-10 Thread Christopher Schultz
Mark,

On 4/8/14, 10:55 AM, Mark Thomas wrote:
> On 08/04/2014 06:32, Emmanuel Bourg wrote:
>> Le 08/04/2014 14:03, Mark Thomas a écrit :
>>
>>> Can you provide the details of the failure. That might help ID a solution.
>>
>> Thank you, here is the build log on Debian:
>>
>> http://87.98.165.193/debian/openjdk8-rebuild/logs-failed-jdk8/tomcat7_7.0.52-1_unstable_jdk8.log
>>
>> [javac]
>> /«PKGBUILDDIR»/java/org/apache/catalina/tribes/tipis/AbstractReplicatedMap.java:1107:
>> error: keySet() in AbstractReplicatedMap cannot override keySet() in
>> ConcurrentHashMap
>> [javac] public Set keySet() {
>> [javac]^
>> [javac]   return type Set is not compatible with KeySetView
>> [javac]   where K,V are type-variables:
>> [javac] K extends Object declared in class ConcurrentHashMap
>> [javac] V extends Object declared in class ConcurrentHashMap
>>
>>
>> This issue is caused by the addition of a keySet() method to
>> ConcurrentHashMap in Java 8 with a return type incompatible with the
>> keySet() method in AbstractReplicatedMap.
>>
>> In r1222329 AbstractReplicatedMap was changed to no longer inherit
>> ConcurrentHashMap and implement directly the Map interface. This had the
>> side effect of fixing this Java 8 issue for Tomcat 8.
> 
> That looks like something we are going to need to fix but any fix is
> going to have to change the API. On that basis, back-porting r1222329 is
> probably the best option.
> 
> Any objections to back-porting this fix to 7.0.x?

+1 to back-porting

-chris





Re: CVE-2014-0160

2014-04-10 Thread Christopher Schultz
Andrew,

On 4/8/14, 5:43 PM, Andrew Carr wrote:
> http://www.openssl.org/news/secadv_20140407.txt
> 
> Hi Tomcat Devs,
> 
> I have been on the dev list for a few years, and a tomcat developer longer
> than that.  While I haven't contributed yet, I was curious if this cve
> needs a contribution.  As far as I can tell, if you recompile your native
> libs with the unaffected version of SSL, you will not be vulnerable to this
> CVE.
> 
> Is that assumption correct or does there need to be a change to tcnative?

Technically, it's just a re-link, but it makes sense to push-out the
latest 1.1 branch code and call it 1.1.30 to reduce confusion and to get
a few useful features out to the world.

-chris





Re: ErrorValve enhancement

2014-04-10 Thread Christopher Schultz
Nick,

Please file a Bugzilla bug and attach your patch to it.

-chris

On 4/9/14, 10:36 AM, Nick Bunn wrote:
> Good Day,
> As I'm sure you are all aware, when the default error valve returns its
> report it publishes the Tomcat version and some other troubleshooting
> data. This of course breaks one of my security team's rules and also is
> published as an item that needs to be remediated when hardening
> Tomcat (OWASP - goo.gl/Zr9xso). When using the
> OWASP solution of replacing the serverInfo.properties file it can and
> will break tools/code that uses that information (in my case our
> deployment agent). The other two solutions are to create our own valve
> and just change it to the default error valve or override the status
> code at the HTTPD server (which broke our JSON and SOAP requests that
> were providing valid 4XX and 5XX). That being said, why not just have the
> capability to disable this information in the current error valve? This
> way we are not requiring users to override their serverinfo.properties
> or create some custom error valve they will have to maintain. Thoughts?
> 
> Attached is a simple patch to version 7.0.x. Can easily be ported to
> 8.0.x as not much has changed. You would then just add the below to your
> server.xml
> 
>  showReport="false" showServerInfo="false" />
> 
> 
> Thanks,
> Nick Bunn
> 
> 
> 
> 





Re: Tagging Tomcat Native 1.1.30

2014-04-10 Thread Christopher Schultz
Mladen,

On 4/9/14, 11:42 PM, Mladen Turk wrote:
> I plan to tag 1.1.30 either later today or tomorrow and
> push for a quick release vote.
> 
> Comments?

Go for it. No bugs in it can be worse than this week's OpenSSL
vulnerability.

-chris





[Bug 56374] Page in wrong language - getting lower rank Accept-Language in request header

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56374

Christopher Schultz  changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|FIXED                       |INVALID

--- Comment #9 from Christopher Schultz  ---
Possible duplicate of bug #55399?

-- 
You are receiving this mail because:
You are the assignee for the bug.




[Bug 56363] OpenSSL security advisory - Heartbleed bug

2014-04-10 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56363

--- Comment #2 from Mladen Turk  ---
Update done and tested.
We'll start the release process today or tomorrow and a new version containing
OpenSSL 1.0.1g will be available after the VOTE finishes and we create the ANN message.

I'll close this issue when we send the ANN message.

-- 
You are receiving this mail because:
You are the assignee for the bug.
