Re: Re: Proposal: Note on web site that Tomcat 10 is a milestone-release

2020-03-04 Thread Martin Grigorov
Hi Richard, On Thu, Mar 5, 2020 at 4:42 AM Richard Huntrods wrote: > > On 3/4/2020 6:28 AM, Martin Grigorov wrote: > > On Wed, Mar 4, 2020 at 4:02 PM Johan Compagner > > wrote: > > > >>> > Or for now generate 2 build artifacts? (as long as it is really just > >> the > package rename)

Aw: Re: Fix for CVE-2020-1938

2020-03-04 Thread Jürgen Göres
> >Ghostcat is the name of a malware strain that has been around since at >least October last year. When referencing vulnerabilities it is best to >stick to the CVE reference since they should be unique (and if something >goes wrong and they aren't there are procedures to get them re-issued so

Aw: Re: Fix for the Ghostcat vulnerability

2020-03-04 Thread Jürgen Göres
Hi,   >> If it is, what is the recommended mitigation? We consider using the >> "secret" feature (the filtering by request attributes is infeasible >> for us), but that would be a bit of effort and we are in a hurry. >> > >We're in the same position as you. External web servers talking to

Re: Re: Proposal: Note on web site that Tomcat 10 is a milestone-release

2020-03-04 Thread Richard Huntrods
On 3/4/2020 6:28 AM, Martin Grigorov wrote: On Wed, Mar 4, 2020 at 4:02 PM Johan Compagner wrote: Or for now generate 2 build artifacts? (as long as it is really just the package rename) Hm, no. I just tested locally Tomcat 10.0.1 with Apache Wicket (9.x, master). Nothing more. Tomcat

Re: tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-04 Thread Thomas Glanzmann
Hello, the problem was that I edited the wrong server.xml. The one that was not used. So now that I figured that out, setting these two settings helps.

tomcat 7.0.100 AJP connector with mod_jk on another host

2020-03-04 Thread Thomas Glanzmann
Hello, I've just upgraded to tomcat7 (7.0.100); afterwards I'm unable to reconfigure it to the pre 7.0.100 behaviour where AJP connector listens on the public ip address in order to use it with mod_jk. Can someone help me out to make it work again? My server.xml is:

Tomcat 9.0.31 Invalid character found in the request target

2020-03-04 Thread Bhavesh Mistry
Hi Tomcat Team, When there are invalid characters, it returns an error message with a stack trace as shown below. 1) Is there any way to customize the error message? If yes, please let me know. 2) Is there any way to suppress the stack trace being shown on a 400 bad request? 3) Based on Accept header

Re: Tomcat 9 : relaxedQueryChars

2020-03-04 Thread Mark Thomas
On 04/03/2020 20:20, Robert Hicks wrote: > We are getting the following over and over in our catalina.out file: > > java.lang.IllegalArgumentException: Invalid character found in the request > target. The valid characters are defined in RFC 7230 and RFC 3986 Do you know what URIs are triggering

Tomcat 9 : relaxedQueryChars

2020-03-04 Thread Robert Hicks
We are getting the following over and over in our catalina.out file: java.lang.IllegalArgumentException: Invalid character found in the request target. The valid characters are defined in RFC 7230 and RFC 3986 Our server.xml has the following copied from an online search I think:

Re: Fix for the Ghostcat vulnerability

2020-03-04 Thread Christopher Schultz
Dave, On 3/4/20 05:45, Dave Ford wrote: > On Wed, 2020-03-04 at 10:24 +0100, Jürgen Göres wrote: >> >> If it is, what is the recommended mitigation? We consider using >> the "secret" feature (the filtering by request attributes is >> infeasible for

g! shell 255 character limit

2020-03-04 Thread Iowa Research
I am encountering a 255 character limit in the g! shell when running Tomcat 9.0.31. I do not see the issue in Tomcat 7. I have searched for solutions to this issue but have been unsuccessful. Any help is greatly appreciated.

Re: Tomcat 9.0.16 Packaging Change (Extras)

2020-03-04 Thread Stephen Hames
Hi Mark, -Dcom.sun.management.jmxremote.registry.ssl=false solved the problem. Thanks for that. Regards, Stephen On Wed, 4 Mar 2020 at 18:09, Mark Thomas wrote: > On 04/03/2020 06:45, Stephen Hames wrote: > > Hi Mark, > > > > Apologies for the very late reply here. I had to set the upgrade

Re: Proposal: Note on web site that Tomcat 10 is a milestone-release

2020-03-04 Thread Martin Grigorov
On Wed, Mar 4, 2020 at 4:02 PM Johan Compagner wrote: > > > > > > > Or for now generate 2 build artifacts? (as long as it is really just > the > > > package rename) > > > > > > > Hm, no. I just tested locally Tomcat 10.0.1 with Apache Wicket (9.x, > > master). Nothing more. > > Tomcat 10.0.x is

Re: Proposal: Note on web site that Tomcat 10 is a milestone-release

2020-03-04 Thread Johan Compagner
> > > > Or for now generate 2 build artifacts? (as long as it is really just the > > package rename) > > > > Hm, no. I just tested locally Tomcat 10.0.1 with Apache Wicket (9.x, > master). Nothing more. > Tomcat 10.0.x is not production ready so it is too early to do anything > about Jakarta APIs

Re: Proposal: Note on web site that Tomcat 10 is a milestone-release

2020-03-04 Thread Martin Grigorov
Hi Johan, On Wed, Mar 4, 2020 at 10:34 AM Johan Compagner wrote: > Martin :) > > exactly my point.. so Wicket now needs to have 2 branches right? that are > the same except for the package rename for a long time > (so kind of having 2 masters) > > Or for now generate 2 build artifacts? (as long

Re: Proposal: Note on web site that Tomcat 10 is a milestone-release

2020-03-04 Thread Martin Grigorov
Hi, On Mon, Mar 2, 2020 at 7:23 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > All, > > If you go to tomcat.apache.org right now, you'll see documentation and > downloads for Tomcat 10. In the news section, it's shown as

Re: issue faced in tomcat 8.5.51

2020-03-04 Thread Dave Ford
On Fri, 2020-02-28 at 13:39 +, Rathore, Rajendra wrote: > Caused by: java.lang.IllegalArgumentException: The AJP Connector is > configured with secretRequired="true" but the secret attribute is > either null or "". This combination is not valid. Are you talking to this via an apache webserver

Re: Fix for the Ghostcat vulnerability

2020-03-04 Thread Dave Ford
On Wed, 2020-03-04 at 10:24 +0100, Jürgen Göres wrote: > > If it is, what is the recommended mitigation? We consider using the > "secret" feature (the filtering by request attributes is infeasible > for us), but that would be a bit of effort and we are in a hurry. > We're in the same position

Re: Fix for CVE-2020-1938

2020-03-04 Thread Mark Thomas
I assume from context that you mean CVE-2020-1938. Ghostcat is the name of a malware strain that has been around since at least October last year. When referencing vulnerabilities it is best to stick to the CVE reference since they should be unique (and if something goes wrong and they aren't

Re: Tomcat 9.0.16 Packaging Change (Extras)

2020-03-04 Thread Mark Thomas
On 04/03/2020 06:45, Stephen Hames wrote: > Hi Mark, > > Apologies for the very late reply here. I had to set the upgrade aside > temporarily... > > Steps to reproduce: > > server.xml snippet > > className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener" >

Fix for the Ghostcat vulnerability

2020-03-04 Thread Jürgen Göres
Hi, we are using Tomcat 9.0.x and 8.5.x in our stack. We make use of the AJP protocol since we use Apache HTTPD as reverse proxy and found it to be mostly hassle-free over the last few years, so we would like to continue using it. Since the HTTPD and the Tomcats are in general not on the same

Re: Severe problem when migrating from tomcat v7.0.99 to 7.0.100?

2020-03-04 Thread Mark Thomas
On 04/03/2020 09:04, michael.b...@arctis.at wrote: > Hello, > > We are currently fighting with the tomcat update from v7.0.99 to > v7.0.100. Since there are open security issues in v7.0.99 we are forced > to do it promptly, however I have the feeling that we detected a major > issue in v7.0.100.

Severe problem when migrating from tomcat v7.0.99 to 7.0.100?

2020-03-04 Thread Michael.Breu
Hello, We are currently fighting with the tomcat update from v7.0.99 to v7.0.100. Since there are open security issues in v7.0.99 we are forced to do it promptly, however I have the feeling that we detected a major issue in v7.0.100. We have a Faces-Application, based on

Re: cookie configurations for Tomcat 7

2020-03-04 Thread Lazar Kirchev
Chris, Martin, Here is the PR: https://github.com/apache/tomcat/pull/252 Lazar On Sat, Feb 29, 2020 at 8:27 AM Martin Grigorov wrote: > On Fri, Feb 28, 2020 at 7:31 PM Lazar Kirchev > wrote: > > > Chris, > > > > I just thought that I have some concerns passing a map with the headers > to > >

Re: Problem with tomcat connector in IIS using tomcat 9.0.31

2020-03-04 Thread Martin Grigorov
On Wed, Mar 4, 2020 at 10:30 AM Stephen Hames wrote: > Hi Matthias, > > I suspect your issue is: address="::" You probably want > address="0.0.0.0" or the IPv4 IP address that your tomcat instance is > listening on. :: allows any on IPv6, but for IPv4 I suspect that tomcat > would still be

Re: Problem with tomcat connector in IIS using tomcat 9.0.31

2020-03-04 Thread tomcat/perl
On 04.03.2020 09:30, Stephen Hames wrote: Hi Matthias, I suspect your issue is: address="::" You probably want address="0.0.0.0" or the IPv4 IP address that your tomcat instance is listening on. :: allows any on IPv6, but for IPv4 I suspect that tomcat would still be listening only on

Re: Proposal: Note on web site that Tomcat 10 is a milestone-release

2020-03-04 Thread Johan Compagner
Martin :) exactly my point.. so Wicket now needs to have 2 branches right? that are the same except for the package rename for a long time (so kind of having 2 masters) Or for now generate 2 build artifacts? (as long as it is really just the package rename) On Wed, 4 Mar 2020 at 09:14, Martin

Re: Problem with tomcat connector in IIS using tomcat 9.0.31

2020-03-04 Thread Stephen Hames
Hi Matthias, I suspect your issue is: address="::" You probably want address="0.0.0.0" or the IPv4 IP address that your tomcat instance is listening on. :: allows any on IPv6, but for IPv4 I suspect that tomcat would still be listening only on 127.0.0.1 Regards, Stephen On Wed, 4 Mar 2020

Re: Problem with tomcat connector in IIS using tomcat 9.0.31

2020-03-04 Thread Martin Grigorov
Hi Matthias, Please read this discussion: https://lists.apache.org/thread.html/r9f3a2ea48f2e76f7c092ea2dc4caec7d15c86f7773281ef6c8cdb817%40%3Cusers.tomcat.apache.org%3E The problem and a workaround are explained here:

Re: Proposal: Note on web site that Tomcat 10 is a milestone-release

2020-03-04 Thread Martin Grigorov
Hi Johan, On Mon, Mar 2, 2020 at 7:32 PM Johan Compagner wrote: > And when you are at it, also mention there in big letters that they really > should read the release notes... This tomcat will not work with all the > major frameworks people use for quite some time... > If you still use Apache