On 4/10/2019 7:58 AM, Mark Thomas wrote:
The proposed 8.5.40 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.5.40
Unit tests pass for NIO, NIO2, and APR on Windows 10 with Java 1.8u181
and TC-Native 1.2.21 and Ubuntu 18.04 with Java 1.8u202 and TC-Native 1.2.21
https://bz.apache.org/bugzilla/show_bug.cgi?id=63331
Bug ID: 63331
Summary: Tomcat crash, Problematic Frame:
org.apache.tomcat.util.log.SystemLogHandler.println
Product: Tomcat 9
Version: 9.0.16
Hardware: PC
https://bz.apache.org/bugzilla/show_bug.cgi?id=63331
Mark Thomas changed:
What|Removed |Added
Resolution|--- |INVALID
Status|NEW
CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.17
Apache Tomcat 8.5.0 to 8.5.39
Apache Tomcat 7.0.0 to 7.0.93
Description:
When running on Windows with
Author: markt
Date: Wed Apr 10 11:02:51 2019
New Revision: 1857239
URL: http://svn.apache.org/viewvc?rev=1857239=rev
Log:
Add details of CVE-2019-0232
Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
at 9b0004c (commit)
This tag includes the following new commits:
new 9b0004c Tag 9.0.18
The 1 revisions listed
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 9b0004cf29f0a53e816d1047d9b25c03f0e295b5
Author: Mark Thomas
AuthorDate: Wed Apr 10 12:57:17 2019 +0100
Tag 9.0.18
---
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new 7254a63 Fix checkstyle warnings
7254a63 is
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 7fc16d1 Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63320
Ensure that StatementCache caches statements that
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 9ea280c Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63320
Ensure that StatementCache caches statements that
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 806195b Revert local change made for load testing
new 44ec74c Escape debug output to aid readability
new
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new 806195b Revert local change made for load testing
The Buildbot has detected a new failure on builder tomcat-7-trunk while
building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-7-trunk/builds/1319
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: silvanus_ubuntu
Build Reason: The
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new bd4f326 Correct backport for Java 6
bd4f326 is
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481872313
@isapir @ChristopherSchultz I have added more comments hope this helps
Am 09.04.2019 um 19:45 schrieb Mark Thomas:
Hi all,
I'm a bit behind again this month - mainly because I was at the http
workshop last week (very useful - a write-up is on the way).
I'm very keen on reading your notes. On the httpd dev list Bill
mentioned three links to notes taken by Daniel
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 0c21aac Increment version for next development
The proposed Apache Tomcat 9.0.18 release is now available for voting.
The major changes compared to the 9.0.17 release are:
- Fix for CVE-2019-0232 a RCE vulnerability on Windows
- Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
now supported if used with a ECJ version
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to tag 8.5.40
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 5ec070352b283535946327b44228b610a27a76c5
Author: Mark Thomas
AuthorDate: Wed Apr 10 15:26:13 2019 +0100
Tag 8.5.40
---
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to tag 8.5.40
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
at 5ec0703 (commit)
This tag includes the following new commits:
new 5ec0703 Tag 8.5.40
The 1 revisions listed
Author: markt
Date: Wed Apr 10 14:57:10 2019
New Revision: 33547
Log:
Upload 8.5.40 for voting
Added:
dev/tomcat/tomcat-8/v8.5.40/
dev/tomcat/tomcat-8/v8.5.40/KEYS
dev/tomcat/tomcat-8/v8.5.40/README.html
dev/tomcat/tomcat-8/v8.5.40/RELEASE-NOTES
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new a7832e0 Update RM
a7832e0 is described below
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
Bug ID: 6
Summary: JAASRealm needs to override isAvailable method to
prevent LockOutRealm to lock the user in case JAAS
login modules are unavailable
Product: Tomcat
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
Bug ID: 63334
Summary: LockOutRealm will continue to invoke inner user realms
even when the user is lockout
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: PC
https://bz.apache.org/bugzilla/show_bug.cgi?id=63335
Bug ID: 63335
Summary: OneLineFormatter will append new space so that the
exception stacktrace is shifted but it will not do
that for all lines
Product: Tomcat 8
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
Bug ID: 63336
Summary: Currently there is no way to know in form error page
that the user was not authenticated because it was
locked out
Product: Tomcat 8
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
Mark Thomas changed:
What|Removed |Added
OS||All
Resolution|---
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
Mark Thomas changed:
What|Removed |Added
OS||All
Resolution|---
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #2 from Mark Thomas ---
Sorry about the typo
"... in use and its configuration."
--
You are receiving this mail because:
You are the assignee for the bug.
-
To
The Buildbot has detected a restored build on builder tomcat-7-trunk while
building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-7-trunk/builds/1320
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: silvanus_ubuntu
Build Reason: The
On 10/04/2019 15:58, Mark Thomas wrote:
> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.40
Unit tests pass for NIO, NIO2 and APR/Native on Windows, Linux and MacOS
with Tomcat-Native 1.2.21
Mark
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
*** WARNING: tag 9.0.18 was deleted! ***
was 9b0004c Tag 9.0.18
This change permanently discards the following revisions:
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new d58aa08 Add vectoring for NIO
d58aa08 is
On 10/04/2019 14:44, Mark Thomas wrote:
> The proposed 9.0.18 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.18
Unit tests pass for NIO, NIO2 and APR/Native on Windows, Linux and MacOS
with Tomcat-Native 1.2.21
Mark
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new e451c30 Fix failing test
e451c30 is described
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 7b961c2 Fix failing test
7b961c2 is described
The proposed Apache Tomcat 8.5.40 release is now available for voting.
The major changes compared to the 8.5.39 release are:
- Fix for CVE-2019-0232 a RCE vulnerability on Windows
- Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
now supported if used with a ECJ version
Author: markt
Date: Wed Apr 10 13:13:30 2019
New Revision: 33545
Log:
Upload 9.0.18 for release
Added:
dev/tomcat/tomcat-9/v9.0.18/
dev/tomcat/tomcat-9/v9.0.18/KEYS
dev/tomcat/tomcat-9/v9.0.18/README.html
dev/tomcat/tomcat-9/v9.0.18/RELEASE-NOTES
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new d71b285 Increment version number for next
On Wed, Apr 10, 2019 at 3:44 PM Mark Thomas wrote:
> The proposed 9.0.18 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.18
>
> Rémy
https://bz.apache.org/bugzilla/show_bug.cgi?id=63331
--- Comment #2 from Christopher Schultz ---
Or bad hardware.
--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail:
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new bc714fd Add asynchronous IO API for NIO
bc714fd
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 03272c8 Fix failing test
03272c8 is described
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
at 0862607 (commit)
This tag includes the following new commits:
new 0862607 Tag 9.0.18
The 1 revisions listed
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 0862607e5da91a7c476a6350288d8d8a9380f556
Author: Mark Thomas
AuthorDate: Wed Apr 10 13:36:27 2019 +0100
Tag 9.0.18
---
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to tag 7.0.94
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
at 9ddb14a (commit)
This tag includes the following new commits:
new 9ddb14a Tag 7.0.94
The 1 revisions listed
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to tag 7.0.94
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 9ddb14a0e76080feee34f3eca89e5413b93852f9
Author: Mark Thomas
AuthorDate: Wed Apr 10 17:40:23 2019 +0100
Tag 7.0.94
---
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #3 from jchobanto...@yahoo.com ---
I’m sorry but the fix is not going to expose anything to the user - the end
user still is going to get unauthenticated but we are going to invoke our inner
realms like JAASRealm which is not needed
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #4 from Mark Thomas ---
Please read up on timing attacks.
A Map lookup following by a return will be noticeably faster than the
authentication process.
Your proposed change would enable an attacker to determine:
- if an account
Author: markt
Date: Wed Apr 10 17:15:53 2019
New Revision: 33551
Log:
Upload 7.0.94 for voting
Added:
dev/tomcat/tomcat-7/v7.0.94/
dev/tomcat/tomcat-7/v7.0.94/KEYS
dev/tomcat/tomcat-7/v7.0.94/README.html
dev/tomcat/tomcat-7/v7.0.94/RELEASE-NOTES
Added: dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-adapters.jar.sha512
==
--- dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-adapters.jar.sha512
(added)
+++
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new ca838df Increment version for next development
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
--- Comment #4 from jchobanto...@yahoo.com ---
Thank you for pointing out that isLocked() and unlock() methods are public - I
already know that. Even with this information I need to provide custom
LockOutRealm in order to see the real reason
The proposed Apache Tomcat 7.0.94 release is now available for voting.
The major changes compared to the 7.0.93 release are:
- Fix for CVE-2019-0232 a RCE vulnerability on Windows
- Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
now supported if used with a ECJ version
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #5 from jchobanto...@yahoo.com ---
Thank you for clarifying your point that attacker could determine there is a
lockout realm installed based on the speed of the request/response, although
this is questionable as if you are dealing
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
Mark Thomas changed:
What|Removed |Added
OS||All
--- Comment #1 from Mark Thomas
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
--- Comment #2 from jchobanto...@yahoo.com ---
Ok, forget about modifying the basic ream to report the error - the application
could have 401 error page and put that information itself - again the request
is to add http request attribute so
On 09/04/2019 19:08, Violeta Georgieva wrote:
> На вт, 9.04.2019 г. в 20:45 ч. Mark Thomas написа:
>>
>> Hi all,
>>
>> I'm a bit behind again this month - mainly because I was at the http
>> workshop last week (very useful - a write-up is on the way). I've been
>> through the open bugs and
On 10/04/2019 18:22, Mark Thomas wrote:
> The proposed 7.0.94 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 7.0.94 Stable
Unit tests pass for BIO, NIO and APR/Native on Windows, Linux and MacOS
with Tomcat-Native 1.2.21
Mark
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
--- Comment #3 from Mark Thomas ---
See this thread in the archives:
http://tomcat.markmail.org/thread/4garqvcph2ci3j5m
The isLocked() method of the Realm was made public and exposed via JMX to
support this sort of custom feature. unlock() is
rmaucher commented on issue #153: Add async API for NIO
URL: https://github.com/apache/tomcat/pull/153#issuecomment-481834218
Since I got no objections, I merged the code.
This is an automated message from the Apache Git
rmaucher closed pull request #153: Add async API for NIO
URL: https://github.com/apache/tomcat/pull/153
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
jchobantonov opened a new pull request #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157
This is an automated message from the Apache Git Service.
To respond to the
ChristopherSchultz commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481842267
No explanation?
-1
This is an automated message
ChristopherSchultz commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481847793
But an explanation should be included with all PRs. What if BZ is deleted?
(It shouldn't be, but there's no reason to make
ChristopherSchultz commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481848050
Code comments would be helpful, here, too.
This is an
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481849557
Code comments are exactly the same as what tomcat source code have for
DataSourceRealm, not sure what else do you need as a
ChristopherSchultz commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481850427
The low-quality of the existing code and/or documentation is not an excuse
for maintaining that level of quality.
ChristopherSchultz commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481850875
> I think that it'd be cleaner/more readable if `invocationSuccess` is
initialized with `false` value and only set to
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481852195
> The low-quality of the existing code and/or documentation is not an excuse
for maintaining that level of quality.
Ok,
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481860226
> But these lines are all in the same transaction, no?
Yes they are - there is no need to use local variable as well - it
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
--- Comment #2 from jchobanto...@yahoo.com ---
Pull request: https://github.com/apache/tomcat/pull/157
--
You are receiving this mail because:
You are the assignee for the bug.
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #6 from Christopher Schultz ---
Realms aren't difficult to write, including a simple realm like the
LockOutRealm.
Feel free to implement your own Realm which meets your requirements. If you'd
like, you can propose a patch, but I
On 4/10/2019 10:22 AM, Mark Thomas wrote:
The proposed 7.0.94 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 7.0.94 Stable
Unit tests pass for BIO, NIO, and APR on Ubuntu 18.04 with Java
1.6u45/1.7u80 and TC-Native-1.2.21
Igal
michael-o commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481843426
I agree with @ChristopherSchultz .
This is an automated message
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481845121
the explanation of the reason is here
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
On 4/10/2019 6:44 AM, Mark Thomas wrote:
The proposed 9.0.18 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 9.0.18
Unit tests pass for NIO, NIO2, and APR on Ubuntu 18.04 with Java 1.8u202
and TC-Native 1.2.21
Igal
isapir commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481850076
I think that it'd be cleaner/more readable if `invocationSuccess` is
initialized with `false` value and only set to `true` upon
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481851585
> I think that it'd be cleaner/more readable if `invocationSuccess` is
initialized with `false` value and only set to `true`
isapir commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481853982
> To reduce the number of changed lines and opportunities for mistakes,
there could be a local flag for success which is copied to the
isapir commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481861275
> Ok, let me know what you think we should put as a comment additionally
that is so greatly missed and it is not obvious enough for
81 matches
Mail list logo
