-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
CVE-2011-0013 Apache Tomcat Manager XSS vulnerability
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.5
- Tomcat 6.0.0 to 6.0.29
- Tomcat 5.5.0 to 5.5.31
- Earlier, unsupported versions may also
CVE-2011-0534 Apache Tomcat DoS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.6
- Tomcat 6.0.0 to 6.0.30
Description:
Tomcat did not enforce the maxHttpHeaderSize limit while p
The original report is [1].
Tomcat is affected when accessing a form based security constrained
page or any page that calls javax.servlet.ServletRequest.getLocale() or
javax.servlet.ServletRequest.getLocales().
Work-arounds have been implemented in
CVE-2010-3718 Apache Tomcat Local bypass of security manager file permissions
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
- Tomcat 7.0.0 to 7.0.3
- Tomcat 6.0.0 to 6.0.?
- Tomcat 5.5.0 to 5.5.?
- Earlier, unsupported versions may also be affected
Description:
When run
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.8
Apache Tomcat 7.0.8 is primarily a security and bug fix release with
numerous fixes compared to 7.0.6.
Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html
Thanks very much Chris, Chuck, and Mark. I did indeed have
org.apache.catalina.STRICT_SERVLET_COMPLIANCE=true in my CATALINA_OPTS.
I remember setting that a long time ago to fix a problem, but I can't remember
what it was.
I added org.apache.tomcat.util.http.ServerCookie.FWD_SLASH_IS_SEPARATO
Hi All,
I'm probably causing all the confusion here as I am quite confused about Tomcat
myself, so I likely have not explained my questions in a clear way. I apologise
for that.
Anyway, I believe now I have finally found the answer I'm looking for, after
reading all your suggestions and googling for a
Hi Jeff,
You're right. It is not officially documented. I wonder why.
I read so many official documents, some of them I read a few times,
still so confusing for me (as I'm just starting out to learn Tomcat).
Regards
Conway
-Original Message-
From: Jeffrey Janner [mailto:jeffrey.jan...@po
Chris -
I was working on the OP's original assumption of just getting his first webapp
up in Tomcat.
I believe someone else had already suggested he look at the RUNNING.txt file
for doing multiple instances.
But the OP wasn't originally asking about multiple instances of Tomcat, but
running mult
Jeffrey,
On 2/4/2011 10:06 AM, Jeffrey Janner wrote:
> You don't need to duplicate the entire Tomcat structure for your
> webapp. Get rid of everything else in C:\WebApp1 except the ROOT and
> sslcerts directory. Then configure everything else in th
Parag,
On 2/4/2011 5:04 AM, Parag Thakur wrote:
> When I try to access a secure URL (e.g. /secure/foo.do) from a java
> program using apache httpclient library (where the client is configured
> to use "C:\keys\webserver.keystore" as the truststore an
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Subject: Re: Unable to store a session with Tomcat 7 linux and Internet
> Explorer
> Simple initial observations show that the cookie returned by Tomcat 7
> has the "Version:1" and "HttpOnly" options set.
So a few quick things
On 04/02/2011 22:02, Brian Cross wrote:
> Hello Tomcat experts, I am looking at going from Tomcat 6 to 7 on Linux
> and ran into a strange issue. I cannot get an http session to "stick"
> when using Internet Explorer. A new session gets created every time you
> load the test page in IE only. I ha
Brian,
On 2/4/2011 5:02 PM, Brian Cross wrote:
> Test URL (broken) on Tomcat 7:
> http://www.tigernet.com:8180/t/test/sessiontest.jsp
>
> Test URL (working) on Tomcat 6
> http://www.tigernet.com/t/test/sessiontest.jsp
Simple initial observations sho
Chris - I've already been through all the changes in JNDIRealm between the
two versions and nothing jumped out at me. Since I don't have much else to
go on, I'll give it another shot. The JNDI logging is probably worthwhile.
I'll have to investigate how to enable that.
André - I appreciate that fe
Hello Tomcat experts, I am looking at going from Tomcat 6 to 7 on Linux
and ran into a strange issue. I cannot get an http session to "stick"
when using Internet Explorer. A new session gets created every time you
load the test page in IE only. I have verified this issue on IE 6, IE
8, and IE
Hi,
This looks like a symptom of this:
Bug 50700 – Context parameters are being overridden with parameters from the
web application deployment descriptor
https://issues.apache.org/bugzilla/show_bug.cgi?id=50700
Please vote for this bug and/or provide additional information in the bug
comments.
Christopher Schultz wrote:
Brandon,
On 2/3/2011 5:36 PM, Brandon DuRette wrote:
One of our customers had configured JNDIRealm to authenticate against Active
Directory using the userPattern="DOMAIN/{0}". This was working great with
Tomcat 6.0.20 (wi
Konstantin,
On 2/3/2011 10:12 PM, Konstantin Kolinko wrote:
> Thank you a lot. Fixed with
> http://svn.apache.org/viewvc?rev=1067072&view=rev
Sorry, didn't see your response before I replied to the original thread.
At least the bug can be closed quic
Konstantin,
On 2/3/2011 8:21 PM, eurotrans-Verlag wrote:
> I noticed that when sending an invalid request to Tomcat 7.0.7 (e.g. without
> a HTTP method), Tomcat throws a NullPointerException, instead of responding
> with a "400 Bad Request".
>
> If y
Brandon,
On 2/3/2011 5:36 PM, Brandon DuRette wrote:
> One of our customers had configured JNDIRealm to authenticate against Active
> Directory using the userPattern="DOMAIN/{0}". This was working great with
> Tomcat 6.0.20 (with my patch for 42579 ap
Jeffrey Janner wrote:
Adam -
If you have the physical memory for it, you might want to look into breaking
your sites into multiple Tomcat instances (see RUNNING.TXT in the install
directory). At a minimum, you won't have to restart all sites just because one
becomes a memory hog. Plus it wou
Adam -
If you have the physical memory for it, you might want to look into breaking
your sites into multiple Tomcat instances (see RUNNING.TXT in the install
directory). At a minimum, you won't have to restart all sites just because one
becomes a memory hog. Plus it would help narrow the list
Conway, see inline comments below:
> -Original Message-
> From: Conway Liu [mailto:c...@xtra.co.nz]
> Sent: Thursday, February 03, 2011 1:11 AM
> To: users@tomcat.apache.org
> Subject: Tomcat Service configuration for running sites
>
> Hi,
>
> Thanks to all who answered my previous post
Mark -
I run a number of my sites under this configuration. Works great.
Didn't realize it was officially documented though.
Jeff
> -Original Message-
> From: Mark Eggers [mailto:its_toas...@yahoo.com]
> Sent: Thursday, February 03, 2011 3:41 PM
> To: Tomcat Users List
> Subject: Re: Tomcat
On 4 February 2011 14:27, James Godrej wrote:
> I have to run multiple instances of Tomcat.
> The reason I am doing so is I have a server where I hosted a learning
> management system known as Sakai which runs on Tomcat 5.5.30 and now on
> same server I have to host another learning managem
> From: James Godrej [mailto:jamesgod...@yahoo.in]
> Subject: running multiple instances of Tomcat on same server
> Can someone point me to where that is given in the Tomcat official docs,
> or what the doc I gave the link to above is trying to say.
Look in the RUNNING.txt file in the Tomcat installati
I have to run multiple instances of Tomcat.
The reason I am doing so is I have a server where I hosted a learning
management system known as Sakai which runs on Tomcat 5.5.30 and now on the
same server I have to host another learning management system known as OLAT.
As per OLAT doc here in Tomcat
Hi,
Again, thanks to all who replied to my post. Your input helped me learn a lot
more about Tomcat.
While reading your answers, I have continued to google about this topic and
today I came across a site that gave me a hint.
To run Tomcat as a windows service, I didn't need to have a separate
insta
Thanks. So is this behavior due to SSL renegotiation?
Also, would the ciphers issue be related to this?
Thanks again,
Parag
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, February 04, 2011 3:38 PM
To: Tomcat Users List
Subject: Re: Nio Connector and self s
On 04/02/2011 10:04, Parag Thakur wrote:
> Oddly, the same program works if I use
> org.apache.coyote.http11.Http11Protocol instead of
> org.apache.coyote.http11.Http11NioProtocol. Any idea what might be
> causing the NIO implementation to not work in this case? Does this have
> anything to do with
Hello,
I have tomcat 6.0.30 configured with NIOConnector
(org.apache.coyote.http11.Http11NioProtocol) using latest JRE
(1.6.0_23). The connector has 1 way SSL enabled, except for a URL that
requires 2 way SSL. I do so using following security constraint in
web.xml: