Re: Tomcat mitigations for CVE-2022-21449

2022-04-29 Thread Mark Thomas
On 29/04/2022 19:41, Christopher Schultz wrote: 1. The underlying JVM is affected 2. A Connector is defined which uses mutual TLS 3. The client's key is ECDSA I was thinking that on startup, we could check for a vulnerable environment and simply refuse to start the server. If there are

Re: Tomcat mitigations for CVE-2022-21449

2022-04-29 Thread Romain Manni-Bucau
Hi, OpenJ9 is not affected I think, so version wouldn't be enough; the JVM name should be tested too. On Sat. 30 Apr. 2022 at 00:18, Mark Thomas wrote: > On 29/04/2022 19:41, Christopher Schultz wrote: > > > > > 1. The underlying JVM is affected > > 2. A Connector is defined which uses mutual TLS >

[Bug 66023] Getting requestbody as inputstream fails when upgrading to h2c

2022-04-29 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=66023 --- Comment #7 from Mark Thomas --- I've committed a fix for 10.1.x. I'll give folks a chance to review it before I think about back-porting it.

May release plans

2022-04-29 Thread Mark Thomas
Hi all, There are a couple of things I think we need to take into account for the May releases. 1. OpenSSL. A security release is due 2022-05-03. I am assuming we'll need to pick that up for Tomcat Native. I am therefore planning for a Tomcat Native release shortly after the OpenSSL release

[tomcat] branch main updated: Fix BZ 66023 - improve handling of HTTP upgrade with request body

2022-04-29 Thread markt
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 28ee966d97 Fix BZ 66023 - improve handling of HTTP

[tomcat] branch main updated: Language improvements

2022-04-29 Thread markt
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 75049f0c75 Language improvements 75049f0c75 is

[tomcat] branch 10.0.x updated: Language improvements

2022-04-29 Thread markt
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.0.x by this push: new 8a9f3f08d2 Language improvements 8a9f3f08d2 is

[tomcat] branch 8.5.x updated: Language improvements

2022-04-29 Thread markt
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 68c42b803b Language improvements 68c42b803b is

[tomcat] branch 9.0.x updated: Language improvements

2022-04-29 Thread markt
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 7144b24217 Language improvements 7144b24217 is

Tomcat mitigations for CVE-2022-21449

2022-04-29 Thread Christopher Schultz
All, CVE-2022-21449 is a bug in the JDK which allows a malicious signer using ECDSA to forge a signature which an affected (buggy) verifier fails to detect. I used deliberate language above instead of "client" and "server" because in many cases, the server is performing verification as

Re: [ANN] ApacheCon NA 2022 in New Orleans, 3-6 Oct 2022, CFP is OPEN!

2022-04-29 Thread Christopher Schultz
All, Please remember that the ApacheCon North American conference is still accepting presentations until 23 May 2022. The Tomcat track currently has *zero* proposals, and we were hoping to fill a 3-day track. So please, send in your ideas for presentations! Thanks, -chris On 4/7/22

RE: Tomcat mitigations for CVE-2022-21449

2022-04-29 Thread jonmcalexander
Personally I like this approach. I would suggest putting a descriptive error description in the logs if this is detected and startup is aborted. From an environment where curtailing vulnerabilities is key, regardless of the source, this is truly a Martha Stuart moment. It's a good thing. :-)

[Bug 66035] SIGSEGV in org.apache.tomcat.jni.SSL::getSessionId - NIO+OpenSSL

2022-04-29 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=66035 --- Comment #5 from Christopher Schultz --- (In reply to Remy Maucherat from comment #3) > JF seems to think simply return NULL; is enough (I agree this is not an > error). Aha, so simply return NULL instead of throwing an exception? > Also

Re: May release plans

2022-04-29 Thread Christopher Schultz
Mark, On 4/29/22 06:03, Mark Thomas wrote: Hi all, There are a couple of things I think we need to take into account for the May releases. 1. OpenSSL. A security release is due 2022-05-03. I am assuming we'll need to pick that up for Tomcat Native. I am therefore planning for a Tomcat