The Apache Tomcat team announces the immediate availability of Apache Standard Taglib 1.2.3.
Apache Standard Taglib is an open source software implementation of the JSP Standard Tag Library (JSTL) technology.
This release supports JSTL version 1.2 and includes bug-fixes and improvements on
CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Standard Taglibs 1.2.1
The unsupported 1.0.x and 1.1.x versions may also be affected.
Description:
When an application uses x:parse or x:transform tags to
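The two vectors the advisory names, XXE through the XML parser behind x:parse and Java extension calls through the XSLT engine behind x:transform, as an added example in Java. This is not code from the Taglibs release or from this announcement, and it does not describe what 1.2.3 changed internally; upgrading remains the fix for the tags themselves. It shows the JAXP settings an application can apply to its own DocumentBuilderFactory and TransformerFactory so that the same payloads are rejected. Both payloads are constructed here; the XXE entity reads a harmless local file and the stylesheet targets Xalan's "xalan://" extension namespace. The ACCESS_EXTERNAL_* attributes need Java 7u40 or later.

```java
import java.io.StringReader;
import java.io.StringWriter;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.transform.Transformer;
import javax.xml.transform.TransformerFactory;
import javax.xml.transform.stream.StreamResult;
import javax.xml.transform.stream.StreamSource;
import org.xml.sax.InputSource;

/**
 * Added example, not Taglibs code: a permissive JAXP parser beside a hardened one,
 * and a hardened TransformerFactory, fed the two payload shapes from the advisory.
 */
public class JstlXmlHardening {

    // Constructed XXE document of the kind an attacker would hand to <x:parse>:
    // the entity resolves to a local file, so a permissive parser leaks its contents.
    static final String XXE_DOC =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE root [<!ENTITY xxe SYSTEM \"file:///etc/hostname\">]>\n" +
        "<root>&xxe;</root>";

    // Constructed stylesheet calling a Java extension function through Xalan's
    // "xalan://" namespace, the shape that turns <x:transform> into code execution.
    // It is only ever run through the hardened factory below.
    static final String EVIL_XSL =
        "<xsl:stylesheet version=\"1.0\"" +
        " xmlns:xsl=\"http://www.w3.org/1999/XSL/Transform\"" +
        " xmlns:rt=\"xalan://java.lang.Runtime\">" +
        "<xsl:template match=\"/\">" +
        "<xsl:value-of select=\"rt:exec(rt:getRuntime(), 'id')\"/>" +
        "</xsl:template></xsl:stylesheet>";

    /** Default factory: DOCTYPEs accepted and external entities resolved. */
    static DocumentBuilderFactory permissiveParser() {
        return DocumentBuilderFactory.newInstance();
    }

    /** Factory with DOCTYPE, external entities, external DTD and XInclude disabled. */
    static DocumentBuilderFactory hardenedParser() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }

    /**
     * TransformerFactory with secure processing on (the JDK's XSLTC then refuses
     * extension functions) and external DTD/stylesheet access turned off.
     */
    static TransformerFactory hardenedTransformer() throws Exception {
        TransformerFactory tf = TransformerFactory.newInstance();
        tf.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        tf.setAttribute(XMLConstants.ACCESS_EXTERNAL_STYLESHEET, "");
        return tf;
    }

    /** Text content of the root element on success, otherwise the parser's error. */
    static String parseWith(DocumentBuilderFactory f, String xml) {
        try {
            return "parsed: " + f.newDocumentBuilder()
                .parse(new InputSource(new StringReader(xml)))
                .getDocumentElement().getTextContent();
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    /** Transform output on success, otherwise the factory's or transformer's error. */
    static String transformWith(TransformerFactory tf, String xsl, String xml) {
        try {
            Transformer t = tf.newTransformer(new StreamSource(new StringReader(xsl)));
            StringWriter out = new StringWriter();
            t.transform(new StreamSource(new StringReader(xml)), new StreamResult(out));
            return "transformed: " + out;
        } catch (Exception e) {
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("permissive parse -> " + parseWith(permissiveParser(), XXE_DOC));
        System.out.println("hardened parse   -> " + parseWith(hardenedParser(), XXE_DOC));
        // Deliberately no permissive transform: on an unpatched Xalan it would run 'id'.
        System.out.println("hardened xform   -> " + transformWith(hardenedTransformer(), EVIL_XSL, "<a/>"));
    }
}
```

The permissive parse prints the machine's hostname, the hardened parse fails on the DOCTYPE before any entity is resolved, and the hardened transform fails at stylesheet compilation because extension functions are not allowed under secure processing. On a standalone Xalan jar older than JAXP 1.5 the setAttribute calls throw IllegalArgumentException; keep the secure-processing feature in that case and upgrade the engine.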
Mark,
On 2/26/15 11:26 AM, Mark Shifman wrote:
This is truly embarrassing since I have the manager running fine
on tomcat 7.
http://localhost:8080/manager/status returns 127.0.0.1 - -
[26/Feb/2015:10:47:11 -0500] GET /manager/status HTTP/1.1
This is truly embarrassing since I have the manager running fine on tomcat 7.
http://localhost:8080/manager/status
returns
127.0.0.1 - - [26/Feb/2015:10:47:11 -0500] GET /manager/status HTTP/1.1 404 1022
http://localhost:8080/manager/html
returns
127.0.0.1 - - [26/Feb/2015:11:00:40 -0500] GET
Deepak,
On 2/25/15 1:49 AM, dku...@ccilindia.co.in wrote:
Perhaps you disabled SSLv3 and a client is trying to connect
using SSLv3?
We agree with your above statement. We have disabled SSLv3 on
Tomcat server and our client is an exe which
On 02/26/2015 11:26 AM, Mark Shifman wrote:
This is truly embarrassing since I have the manager running fine on tomcat 7.
I'm not sure how (or even if) you can have Java attempt to connect
with SSLv3 and then re-try with TLS.
I think it is possible, have a look at the JSSE Reference Guide for
sun.security.ssl.allowUnsafeRenegotiation and
sun.security.ssl.allowLegacyHelloMessages, they're explaining how to
catch the
Thank You all who responded;
Did not want to waste your time, hence delayed response.
To make sure no customization has been made on my end I have completely
rebuilt system: Install OS (Ubuntu 14.04.2 LTS) including reformat of
all drives, selected tomcat7 and ssh server during install when
OK,
When do you plan to release the next version?
Thanks.
Didier.
-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Thursday 26 February 2015 12:05
To: Tomcat Users List
Subject: Re: request.getServletContext.getContext("/") : return null with tomcat 7.0.59
On
Jan,
On 2/25/15 5:13 PM, Jan Tosovsky wrote:
there are plenty resources mentioning it is a must to run tomcat as
a dedicated user with limited permissions.
Is it still true when tomcat doesn't run standalone, but via Apache
web server
Stephen,
On 2/25/15 3:23 PM, Owens, Stephen (ITD) wrote:
For tomcat 8 using log4j and apache commons logging, what would be
the correct values to specify in setenv.sh for:
LOGGING_MANAGER LOGGING_CONFIG
For a tomcat-7.0.26 installation,
Aurélien,
On 2/26/15 5:23 AM, Aurélien Terrestris wrote:
I agree with Leon.
As do I. Apache httpd can change the attack surface somewhat, but if
requests can still come from an untrusted remote client through to the
application server, then you
Good post Christopher ;)
It makes me remember this doc which is not bad for securing Tomcat:
https://www.owasp.org/index.php/Securing_tomcat
But it lacks some important information on Windows rights which could
be more restricted (I'll try to post something about it one day). And
others like:
2015-02-26 19:28 GMT+03:00 Red redhoo...@gmail.com:
Thank You all who responded;
Did not want to waste your time, hence delayed response.
To make sure no customization has been made on my end I have completely
rebuilt system: Install OS (Ubuntu 14.04.2 LTS) including reformat of
all drives,
On 02/26/2015 12:52 PM, Konstantin Kolinko wrote:
2015-02-26 19:26 GMT+03:00 Mark Shifman mark.shif...@yale.edu:
This is truly embarrassing since I have the manager running fine on tomcat 7.
2015-02-26 19:26 GMT+03:00 Mark Shifman mark.shif...@yale.edu:
This is truly embarrassing since I have the manager running fine on tomcat 7.
http://localhost:8080/manager/status
returns
127.0.0.1 - - [26/Feb/2015:10:47:11 -0500] GET /manager/status HTTP/1.1 404 1022
On 2015-02-26 Christopher Schultz wrote:
On 2/26/15 5:23 AM, Aurélien Terrestris wrote:
I agree with Leon.
As do I. Apache httpd can change the attack surface somewhat, but if
requests can still come from an untrusted remote client through to the
application server, then you still have to
On 2015-02-26 Aurélien Terrestris wrote:
It makes me remember this doc which is not bad for securing Tomcat:
https://www.owasp.org/index.php/Securing_tomcat
This is a good one. I've also found this:
http://server.dzone.com/articles/hacking-liferay-%E2%80%93-securing
It would be nice to
Jan,
On 2/26/15 4:26 PM, Jan Tosovsky wrote:
On 2015-02-26 Aurélien Terrestris wrote:
It makes me remember this doc which is not bad for securing
Tomcat: https://www.owasp.org/index.php/Securing_tomcat
This is a good one. I've also found
I agree with Leon. That said, a service account with low privileges
only gives filesystem protection; interesting data is usually stored
in the database and you won't be more protected against SQL injections
or even against a modified jsp stored by the hacker (like in some old
STRUTS
Hi,
We've a problem with the 7.0.59 release:
request.getServletContext.getContext("/") now returns null.
It was not the case with the 7.0.57 release.
How to test:
1/ File test.jsp with:
<html>
<body>
<h2>Hello World!</h2>
<%
ServletContext contexte = request.getServletContext().getContext("/");
%>
</body>
</html>
On 26/02/2015 10:19, KAZMIERCZAK Didier wrote:
Hi,
We've a problem with the 7.0.59 release:
request.getServletContext.getContext("/") now returns null.
Known issue. Already fixed in 7.0.x for the next release.
snip/
It seems that the root cause is
Red,
On 2/26/15 5:28 PM, Red wrote:
On 02/26/2015 12:29 PM, Konstantin Kolinko wrote:
2015-02-26 19:28 GMT+03:00 Red redhoo...@gmail.com:
Thank You all who responded; Did not want to waste your time,
hence delayed response.
To make sure no
On 26/02/2015 22:56, Christopher Schultz wrote:
The solution is to put your Resource into your application's
s/The solution/The best solution/
context.xml and not into the site-wide defaults. Konstantin may not
have spelled-out the solution, but he did give you all the information
you
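The advice above, that a Resource belongs in the application's own context.xml rather than in the site-wide conf/context.xml, as an added example that is not from the thread. The JNDI name, driver class, URL and credentials are assumed values for illustration; the pool attribute names are the ones Tomcat 7 (the version the reporter installed) accepts.

```xml
<!-- META-INF/context.xml inside the web application: per-application scope,
     so only this webapp gets the pool. name, driver, url and credentials are
     assumed values for illustration. -->
<Context>
  <Resource name="jdbc/AppDS"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.internal:5432/app"
            username="app"
            password="change-me"
            maxActive="20"
            maxIdle="5"
            maxWait="10000"/>
</Context>

<!-- WEB-INF/web.xml: declare the reference the code looks up as
     java:comp/env/jdbc/AppDS -->
<resource-ref>
  <res-ref-name>jdbc/AppDS</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>
```

The JDBC driver jar has to be on the container's class path (the lib directory of the Tomcat installation, not WEB-INF/lib) because the container, not the webapp, creates the pool. Putting the same Resource into conf/context.xml instead would give every deployed application its own pool against the same credentials, which is the site-wide default Christopher is warning against.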
On 02/26/2015 12:29 PM, Konstantin Kolinko wrote:
2015-02-26 19:28 GMT+03:00 Red redhoo...@gmail.com:
Thank You all who responded;
Did not want to waste your time, hence delayed response.
To make sure no customization has been made on my end I have completely
rebuilt system: Install OS