Re: Host appBase vs. Context docBase

2016-10-07 Thread Igal @ Lucee.org

> Suppose you tell us your Tomcat version.

I'm using Tomcat 8.5.5 -- not sure how relevant that is since AFAIK this 
has not changed in years.

> It is highly unlikely that you want the <Host> name to be App1

Of course that my host name is not App1, that was to remove fluff and to 
keep only the relevant information in the email.

> The path attribute of the <Context> element must not be used unless the 
> <Context> element is in server.xml, which it should not be

I actually prefer it to be in server.xml

> The docBase attribute is used only when the <Context> element is located in 
> conf/Catalina/[host]/[appName].xml

That is definitely not true.  I've set up Tomcat many many times like 
this and it works.  I may have not set it up the best way, hence my 
question here, but the docBase attribute is indeed, used.

> You need to read the documentation for <Host>, <Context>, and deployment for 
> the Tomcat version you're using.

It would have been nice to see some real life examples of complete 
configurations.


Igal Sapir
Lucee Core Developer
Lucee.org 

On 10/7/2016 12:39 PM, Caldarale, Charles R wrote:

> From: Igal @ Lucee.org [mailto:i...@lucee.org]
> Subject: Host appBase vs. Context docBase
>
> > Suppose that I have an application at C:\WebApps\App1
>
> Suppose you tell us your Tomcat version.
>
> Both of the above are incorrect.  It is highly unlikely that you want the <Host> name to be App1.  The 
> appBase attribute of <Host> must point to a directory where one or more webapps are located for 
> automatic deployment.  It must never point to a specific webapp.  The path attribute of the <Context> 
> element must not be used unless the <Context> element is in server.xml, which it should not be.  The 
> docBase attribute is used only when the <Context> element is located in 
> conf/Catalina/[host]/[appName].xml.
>
> You need to read the documentation for <Host>, <Context>, and deployment for 
> the Tomcat version you're using.
>
>   - Chuck


RE: Host appBase vs. Context docBase

2016-10-07 Thread Caldarale, Charles R
> From: Igal @ Lucee.org [mailto:i...@lucee.org] 
> Subject: Host appBase vs. Context docBase

> Suppose that I have an application at C:\WebApps\App1

Suppose you tell us your Tomcat version.

> 
> 
> 

> 
> 
>   
> 

Both of the above are incorrect.  It is highly unlikely that you want the 
<Host> name to be App1.  The appBase attribute of <Host> must point to a 
directory where one or more webapps are located for automatic deployment.  It 
must never point to a specific webapp.  The path attribute of the <Context> 
element must not be used unless the <Context> element is in server.xml, which 
it should not be.  The docBase attribute is used only when the <Context> 
element is located in conf/Catalina/[host]/[appName].xml.

You need to read the documentation for <Host>, <Context>, and deployment for 
the Tomcat version you're using.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Host appBase vs. Context docBase

2016-10-07 Thread Igal @ Lucee.org

Hi,

Suppose that I have an application at C:\WebApps\App1

Is it better to set it up as Host appBase (option 1) or as Context
docBase with empty path (option 2):









 


Thanks,

Igal Sapir

Lucee Core Developer
Lucee.org 



Re: CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow

2016-10-07 Thread Konstantin Kolinko
2016-10-07 18:02 GMT+03:00 Markus Koschany :
> Hello,
>
> the recent security announcement for Apache Tomcat JK (CVE-2016-6808)
> mentions that only IIS/ISAPI specific code is vulnerable. This issue was
> apparently fixed in [1]. The vulnerable code is in the
> map_uri_to_worker_ext function which is used by the IIS, Apache 1.3 and
> Apache 2.0 implementations.
>
> Could someone clarify why the official security announcement only
> mentions IIS and not all three servers? Are users who use Apache Tomcat
> JK with Apache 2.x affected by CVE-2016-6808?
>
> Regards,
>
> Markus
>
>
> [1] https://svn.apache.org/viewvc?view=revision=1762057

Quoting from announcement:
[q]
The IIS/ISAPI specific code implements special handling when a virtual
host is present. The virtual host name and the URI are concatenated to
create a virtual host mapping rule. The length checks prior to writing
to the target buffer for this rule did not take account of the length of
the virtual host name, creating the potential for a buffer overflow.
It is not known if this overflow is exploitable.
[/q]

The issue is caused by incorrect handling of the vhost argument of the
map_uri_to_worker_ext function.

In the case of Apache HTTPD server the value of the vhost argument is always
NULL, thus vhost_len = 0, and those servers are not affected.

Best regards,
Konstantin Kolinko
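
An added illustration of the length-check gap quoted from the announcement and of the NULL-vhost case described in the reply above; it is not the mod_jk source nor the change in the referenced revision. The buffer size, the function names and the "/" separator between host name and URI are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define RULE_BUF 64  /* assumed size; the page does not give the real one */

/* Flawed pre-write check as the announcement describes it: only the URI
 * is measured, so the virtual host name is never counted. */
static int uri_only_check(const char *vhost, const char *uri)
{
    (void)vhost;
    return strlen(uri) + 1 <= RULE_BUF;
}

/* Hardened builder: writes "/vhost" + uri (the separator is an assumption)
 * only if every byte fits. Returns 0 on success, -1 if the rule is too long. */
static int build_rule(char *dst, size_t dst_len, const char *vhost, const char *uri)
{
    size_t vhost_len = vhost ? strlen(vhost) + 1 : 0;  /* +1 for '/' */
    size_t uri_len = strlen(uri);

    /* Subtraction form avoids wrap-around in the size arithmetic. */
    if (uri_len >= dst_len || vhost_len > dst_len - uri_len - 1)
        return -1;
    if (vhost) {
        dst[0] = '/';
        memcpy(dst + 1, vhost, vhost_len - 1);
    }
    memcpy(dst + vhost_len, uri, uri_len + 1);  /* copies the NUL too */
    return 0;
}

/* 1 when the flawed check would accept input that does not actually fit. */
static int check_gap(const char *vhost, const char *uri)
{
    char buf[RULE_BUF];
    return uri_only_check(vhost, uri) && build_rule(buf, sizeof buf, vhost, uri) != 0;
}

int main(void)
{
    char long_uri[61];                 /* constructed sample: 60-byte URI */
    memset(long_uri, 'a', 60);
    long_uri[0] = '/';
    long_uri[60] = '\0';

    printf("vhost=NULL             gap=%d\n", check_gap(NULL, long_uri));
    printf("vhost=www.example.test gap=%d\n", check_gap("www.example.test", long_uri));
    return 0;
}
```

With a NULL vhost the URI-only check and the full check agree, which is the situation described for Apache HTTPD; the two diverge only when a host name is prepended.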




CVE-2016-6808 Apache Tomcat JK ISAPI Connector buffer overflow

2016-10-07 Thread Markus Koschany
Hello,

the recent security announcement for Apache Tomcat JK (CVE-2016-6808)
mentions that only IIS/ISAPI specific code is vulnerable. This issue was
apparently fixed in [1]. The vulnerable code is in the
map_uri_to_worker_ext function which is used by the IIS, Apache 1.3 and
Apache 2.0 implementations.

Could someone clarify why the official security announcement only
mentions IIS and not all three servers? Are users who use Apache Tomcat
JK with Apache 2.x affected by CVE-2016-6808?

Regards,

Markus


[1] https://svn.apache.org/viewvc?view=revision=1762057








Re: Is there a 6.0.x patch for CVE-2016-5388?

2016-10-07 Thread Violeta Georgieva
Hi,

2016-10-04 9:35 GMT+03:00 Vamsavardhana Reddy :
>
> Hi,
>
> Thanks for your reply.  I meant to ask if Tomcat will be releasing a 6.0.x
> version (say 6.0.46?) addressing this CVE.  If yes, what time frame may I
> expect this version out?

For Tomcat 6.0.46 you can follow this [1].

Regards,
Violeta

[1] http://marc.info/?l=tomcat-dev=147584952203449=2

>
> Best regards,
> Vamsi


RE: Getting a blank page in Tomcat 6.3

2016-10-07 Thread Christoph Nenning
> From: "Nagappan , Ganesh  - IT- PLM - Bhuj" 

> To: Tomcat Users List , 
> Date: 06.10.2016 13:54
> Subject: RE: Getting a blank page in Tomcat 6.3
> 
> 
> 
> "-Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com] 
> Sent: Thursday, October 06, 2016 4:28 PM
> To: users@tomcat.apache.org
> Subject: Re: Getting a blank page in Tomcat 6.3
> 
> On 06.10.2016 12:43, Nagappan , Ganesh  - IT- PLM - Bhuj wrote:
> >
> > "-Original Message-
> > From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> > Sent: Thursday, October 06, 2016 3:47 PM
> > To: users@tomcat.apache.org
> > Subject: Re: Getting a blank page in Tomcat 6.3
> >
> > On 06.10.2016 11:00, Nagappan , Ganesh  - IT- PLM - Bhuj wrote:
> >> Hi,
> >>
> >>   Version : Apache Tomcat 6.3
> >>
> >>   OS  : Windows server 2008 R2
> >>
> >>   We are using Tomcat for our TCRA application extracting reports. When I start the Tomcat the default homepage, It is working fine.
> >>
> >> But When I go to http://teamcenter:8080/TCRA/Portal/  It displays a blank page.
> >>
> >> Please give me a suggestion.
> >>
> >
> > 1) if you are using IE, turn off the "display friendly error pages" option
> > 2) turn off Tomcat
> > 3) find the Tomcat logfiles directory, and delete all the files
> > 4) turn on Tomcat
> > 5) make *one* access to http://teamcenter:8080/TCRA/Portal/ to get the blank page
> > 6) turn off Tomcat again
> > 7) look at the logfiles.  Any indication of a problem there ?
> >
> > and when you have some real information that might allow us to help you without having to unwrap our crystal ball, come back here.
> >
> > 8) upgrade your Tomcat. That version is 10 (?) years old.
> > (Do not know really, because Tomcat 6.3 does not exist, and neither does 6.0.3) Use (tomcat-directory)/bin/version.bat to find out the real version.
> > Or look in the first lines of the Tomcat logfile."
> >
> >
> > Hi Andre,
> >
> >
> > First thanks for replying.
> >
> > Sorry for wrong specification of my version
> >
> > It is Apache Tomcat 6.0.35
> >
> > I had done all the steps specified by you and attached the catalina.log and local host log file.
> >
> > Awaiting for your reply.
> >
> 
> Well, the attachments did not make it to the list.
> This list software often strips attachments.
> Try again, but copy/paste the relevant log sections directly in the message then.
> And apologies for the tone of the previous message, but without the attachments, it looked really like a poor post with insufficient information.
> 
> 
> "
> Hi,
> 
> I found that there is problem with Ports 8005 and 8009 before itself. I had also tried by changing the port, But I had got the same "Blank Page " error.
> 
> I have displayed my log file below.
> 
> This is my catalina log file
> 
> 

> Oct 6, 2016 4:05:24 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.22.
> Oct 6, 2016 4:05:24 PM org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [false], sendfile [true], accept filters [false], random [true].
> Oct 6, 2016 4:05:25 PM org.apache.coyote.http11.Http11AprProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8080
> Oct 6, 2016 4:05:25 PM org.apache.coyote.ajp.AjpAprProtocol init
> SEVERE: Error initializing endpoint
> java.lang.Exception: Socket bind failed: [730048] Only one usage of each socket address (protocol/network address/port) is normally permitted.
>     at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:649)
>     at org.apache.coyote.ajp.AjpAprProtocol.init(AjpAprProtocol.java:160)
>     at org.apache.catalina.connector.Connector.initialize(Connector.java:1049)
>     at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
>     at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
> Oct 6, 2016 4:05:25 PM org.apache.catalina.core.StandardService initialize
> SEVERE: Failed to initialize connector [Connector[AJP/1.3-8009]]
> LifecycleException:  Protocol handler initialization failed: java.lang.Exception: Socket bind failed: [730048] Only one usage