Re: [VOTE] Release Apache Tomcat 9.0.0.M8

2016-06-10 Thread Felix Schumacher 

Am 07.06.2016 um 18:02 schrieb Mark Thomas:

The proposed Apache Tomcat 9.0.0.M8 release is now available for voting.

This is a milestone release for the 9.0.x branch. It should be
noted that, as a milestone release:
- Servlet 4.0 is not finalised
- The EGs have not started work on JSP 2.4, EL 3.1 or WebSocket 1.2/2.0

The major changes compared to the 9.0.0.M6 release are:
- Improvements to memory leak detection and prevention including the
   change RMI memory leaks are now correctly treated as application bugs
   rather than a JRE bug
- Fix a couple of memory leaks found in Tomcat
- The HTTP Server header is no longer set by default

For full details, see the changelog:
http://svn.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M8/
The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1085/
The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tags/TOMCAT_9_0_0_M8/

The proposed 9.0.0.M8 release is:
[ ] Broken - do not release
[x] Alpha - go ahead and release as 9.0.0.M8

Regards,
 Felix


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org




-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 59661] MailSessionFactory ignores system properties

2016-06-10 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=59661

--- Comment #11 from Michael Osipov <1983-01...@gmx.net> ---
(In reply to Mark Thomas from comment #10)
> (In reply to Michael Osipov from comment #9)
> > The problem with copying is that you may missed custom attributes for custom
> > providers. Though, being an edge cases, still valid.
> 
> Those would have to be set explicitly on the factory.

I think that would default the simplicity of the factory. Especially that most
properties apply per provider/protocol.

> > The other point is that if your Mail does not have a Session associated,
> > Transport with create a default one with the System Properties set. Deating
> > your security concern by default. Have a look at the source code and you
> > will see it.
> 
> I did look and that code is not inside a privileged block so it can't bypass
> the SecurityManager.
> 
> My position remains unchanged from that set out in comment #8.

You are right. It is done in a lower level. Is ssing the SecurityManager in the
session factory a way to go or still a leakage?

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 59661] MailSessionFactory ignores system properties

2016-06-10 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=59661

--- Comment #10 from Mark Thomas  ---
(In reply to Michael Osipov from comment #9)
> The problem with copying is that you may missed custom attributes for custom
> providers. Though, being an edge cases, still valid.

Those would have to be set explicitly on the factory.

> The other point is that if your Mail does not have a Session associated,
> Transport with create a default one with the System Properties set. Deating
> your security concern by default. Have a look at the source code and you
> will see it.

I did look and that code is not inside a privileged block so it can't bypass
the SecurityManager.

My position remains unchanged from that set out in comment #8.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

svn commit: r1747725 - /tomcat/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java

2016-06-10 Thread markt 
Author: markt
Date: Fri Jun 10 15:02:40 2016
New Revision: 1747725

URL: http://svn.apache.org/viewvc?rev=1747725=rev
Log:
Revert r1746718. This is no longer required with the latest update (RC4a).

Modified:
tomcat/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java

Modified: 
tomcat/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java?rev=1747725=1747724=1747725=diff
==
--- tomcat/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/ha/context/ReplicatedContext.java Fri 
Jun 10 15:02:40 2016
@@ -192,7 +192,7 @@ public class ReplicatedContext extends S
 Set names = new HashSet<>();
 names.addAll(attributes.keySet());
 
-return (Enumeration) new MultiEnumeration<>(new 
Enumeration[] {
+return new MultiEnumeration<>(new Enumeration[] {
 super.getAttributeNames(),
 Collections.enumeration(names) });
 }



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 56026] RemoteEndpoint.Async#sendText(String, SendHandler) not thread safe

2016-06-10 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=56026

--- Comment #12 from balusc  ---
Just in case, I investigated this issue for JSF  and OmniFaces
 too. This threadsafety problem doesn't occur on Jetty, Undertow
(WildFly) nor Tyrus (GlassFish/Payara). It occurs on Tomcat only.

Work around was to synchronize session:

synchronized (session) {
results.add(session.getAsyncRemote().sendText(text));
}

Frankly, this kind of contradicts the javax.websocket.Session javadoc
http://docs.oracle.com/javaee/7/api/javax/websocket/Session.html:

> Session objects may be called by multiple threads. Implementations must 
> ensure the integrity of the mutable properties of the session under such 
> circumstances.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

[Bug 59661] MailSessionFactory ignores system properties

2016-06-10 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=59661

--- Comment #9 from Michael Osipov <1983-01...@gmx.net> ---
(In reply to Mark Thomas from comment #8)
> I'm -1 on the patch as proposed. It allows the bypassing of the
> SecurityManager to access any system property. I've no objection to the
> system properties listed in Annex A of the JavaMail spec being explicitly
> copied across to be used as defaults where defined.

The problem with copying is that you may missed custom attributes for custom
providers. Though, being an edge cases, still valid.
The other point is that if your Mail does not have a Session associated,
Transport with create a default one with the System Properties set. Deating
your security concern by default. Have a look at the source code and you will
see it.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 8.0.36

2016-06-10 Thread Felix Schumacher 


Am 9. Juni 2016 16:17:47 MESZ, schrieb Mark Thomas :
>The proposed Apache Tomcat 8.0.36 release is now available for voting.
>
>The main changes since 8.0.35 are:
>
>- Ensure error will not be thrown during deployment when scanning jar
>  files with no or invalid MANIFEST.MF files.
>
>- Improvements to memory leak detection and prevention
>
>It can be obtained from:
>https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.0.36/
>The Maven staging repo is:
>https://repository.apache.org/content/repositories/orgapachetomcat-1087/
>The svn tag is:
>http://svn.apache.org/repos/asf/tomcat/tc8.0.x/tags/TOMCAT_8_0_36/
>
>The proposed 8.0.36 release is:
>[ ] Broken - do not release
>[x] Stable - go ahead and release as 8.0.36

Regards, 
Felix

>
>-
>To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: dev-h...@tomcat.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 8.5.3

2016-06-10 Thread Felix Schumacher 


Am 9. Juni 2016 14:13:07 MESZ, schrieb Mark Thomas :
>The proposed Apache Tomcat 8.5.3 release is now available for voting.
>
>The major changes compared to the 8.5.2 release are:
>
>- Ensure error will not be thrown during deployment when scanning jar
>  files with no or invalid MANIFEST.MF files.
>
>- Improvements to memory leak detection and prevention
>
>- The HTTP Server header is no longer set by default
>
>It can be obtained from:
>https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.3/
>The Maven staging repo is:
>https://repository.apache.org/content/repositories/orgapachetomcat-1086/
>The svn tag is:
>http://svn.apache.org/repos/asf/tomcat/tc8.5.x/tags/TOMCAT_8_5_3/
>
>The proposed 8.5.3 release is:
>[ ] Broken - do not release
>[ ] Alpha  - go ahead and release as 8.5.3
>[ ] Beta   - go ahead and release as 8.5.3
>[x] Stable - go ahead and release as 8.5.3

Tests pass. 

Regards, 
Felix 

>
>-
>To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: dev-h...@tomcat.apache.org


-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 9.0.0.M8

2016-06-10 Thread Martin Grigorov 
On Tue, Jun 7, 2016 at 6:02 PM, Mark Thomas  wrote:

> The proposed Apache Tomcat 9.0.0.M8 release is now available for voting.
>
> This is a milestone release for the 9.0.x branch. It should be
> noted that, as a milestone release:
> - Servlet 4.0 is not finalised
> - The EGs have not started work on JSP 2.4, EL 3.1 or WebSocket 1.2/2.0
>
> The major changes compared to the 9.0.0.M6 release are:
> - Improvements to memory leak detection and prevention including the
>   change RMI memory leaks are now correctly treated as application bugs
>   rather than a JRE bug
> - Fix a couple of memory leaks found in Tomcat
> - The HTTP Server header is no longer set by default
>
> For full details, see the changelog:
> http://svn.apache.org/repos/asf/tomcat/trunk/webapps/docs/changelog.xml
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.0.M8/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1085/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tags/TOMCAT_9_0_0_M8/
>
> The proposed 9.0.0.M8 release is:
> [ ] Broken - do not release
> [ ] Alpha - go ahead and release as 9.0.0.M8
>

[ X ] Alpha - go ahead and release as 9.0.0.M8

Regards,
Martin



>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>

Re: [VOTE] Release Apache Tomcat 8.0.36

2016-06-10 Thread Violeta Georgieva 
Hi,

2016-06-09 17:17 GMT+03:00 Mark Thomas :
>
> The proposed Apache Tomcat 8.0.36 release is now available for voting.
>
> The main changes since 8.0.35 are:
>
> - Ensure error will not be thrown during deployment when scanning jar
>   files with no or invalid MANIFEST.MF files.
>
> - Improvements to memory leak detection and prevention
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.0.36/
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1087/
> The svn tag is:
> http://svn.apache.org/repos/asf/tomcat/tc8.0.x/tags/TOMCAT_8_0_36/
>
> The proposed 8.0.36 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.0.36

Regards,
Violeta

> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>

[Bug 59661] MailSessionFactory ignores system properties

2016-06-10 Thread bugzilla 
https://bz.apache.org/bugzilla/show_bug.cgi?id=59661

--- Comment #8 from Mark Thomas  ---
I'm -1 on the patch as proposed. It allows the bypassing of the SecurityManager
to access any system property. I've no objection to the system properties
listed in Annex A of the JavaMail spec being explicitly copied across to be
used as defaults where defined.

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 8.5.3

2016-06-10 Thread Romain Manni-Bucau 
+1 (non-binding) upgraded TomEE 7 master to tomcat 8.5.3 and build is green


Romain Manni-Bucau
@rmannibucau  |  Blog
 | Old Wordpress Blog
 | Github  |
LinkedIn  | Tomitriber
 | JavaEE Factory


2016-06-10 3:58 GMT+02:00 Keiichi Fujino :

> 2016-06-09 21:13 GMT+09:00 Mark Thomas :
>
> > The proposed Apache Tomcat 8.5.3 release is now available for voting.
> >
> > The major changes compared to the 8.5.2 release are:
> >
> > - Ensure error will not be thrown during deployment when scanning jar
> >   files with no or invalid MANIFEST.MF files.
> >
> > - Improvements to memory leak detection and prevention
> >
> > - The HTTP Server header is no longer set by default
> >
> > It can be obtained from:
> > https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.3/
> > The Maven staging repo is:
> > https://repository.apache.org/content/repositories/orgapachetomcat-1086/
> > The svn tag is:
> > http://svn.apache.org/repos/asf/tomcat/tc8.5.x/tags/TOMCAT_8_5_3/
> >
> > The proposed 8.5.3 release is:
> > [ ] Broken - do not release
> > [ ] Alpha  - go ahead and release as 8.5.3
> > [ ] Beta   - go ahead and release as 8.5.3
> > [X] Stable - go ahead and release as 8.5.3
> >
> >
> +1
> Tested on my test apps (enable BackupManager)
>
>
> > -
> > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: dev-h...@tomcat.apache.org
> >
> > --
> > Keiichi.Fujino
> > 
>
> 
>