Re: Questions on recent CVE fixes

2018-03-14 Thread Harish Krishnan
Thanks for the response and confirmation, Mark.

On Wed, Mar 14, 2018 at 12:24 AM, Mark Thomas  wrote:

> On 14/03/2018 01:04, Harish Krishnan wrote:
>
>> Hi All,
>>
>> Thanks for all the help and work you great people do.
>>
>> My question is regarding CVE-2018-1305 and CVE-2018-1304
>> that were fixed in the latest builds.
>> We use Tomcat 7.x.
>>
>> a) When can we expect the CVE scores to be determined for these vulnerabilities?
>> On NVD, it still says awaiting analysis.
>> This information would help us determine the SLA on when we can update
>> tomcat builds.
>>
>
> The Tomcat community does not provide CVSS scores. There are multiple
> reasons for this including:
> - they are too subjective;
> - the true score depends on how Tomcat is being used and that can only
>   be determined by the user and can vary wildly from user to user for
>   any one vulnerability.
>
> The correct thing to do is exactly what you are doing. Review the
> vulnerabilities, figure out if they impact you or not and, if they do
> impact you, figure out the extent of that impact, what you need to do to
> mitigate that impact and how quickly you need to do it.
>
>> b) Regarding 1st CVE (#1305), we do not use annotation based security
>> constraints. Instead we configure it in our web.xml.
>> With this understanding, is it safe to consider we are not vulnerable?
>>
>
> Correct. You are not vulnerable because you do not define security
> constraints via annotations.
>
>> c) Regarding 2nd CVE (#1304), the url pattern in all our security
>> constraints is of the format "/*".
>> "*" I believe would include everything.
>> To confirm with you, does this include the empty ("") string to make our
>> usage vulnerable too?
>>
>
> No. You are not vulnerable. The vulnerability only applies if the url
> pattern of the empty string is used to define a security constraint.
>
> Kind regards,
>
> Mark
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: Binding a non root user to port 443

2018-03-14 Thread tomcat

Hi.

On 14.03.2018 18:21, Cheltenham, Chris wrote:

Ok , I thank you guys for being so helpful.
I would never expect that.



Speaking as a user myself, I would not be so surprised. This list is quite exceptional in 
terms of the general quality of the people trying to answer user questions, and in terms 
of the general quality of the answers themselves.  The contributors here, in general, will 
try to respond as well as they can, and to really help resolve user issues to the best 
of their abilities, even when they do not strictly concern tomcat per se (like your issue).


(Full disclosure : I am occasionally one of these guys, although my own qualifications 
pale somewhat in comparison to most of the others.)


As for the help supplicant, there are only a few rules, and they are listed 
here :
http://tomcat.apache.org/lists.html#tomcat-users


Basically I have tomcat running on port 8443 as user tomcat.
I am trying to find ways to redirect them to 443 WITHOUT using iptables or
the firewall or the load balancer.
I have no control over any of those tools and I cannot use a reverse proxy
either because I do not have control of apache.

I think that leaves me basically with authbind or setcap, locally.

However, I cannot get either to work.

Setcap seemed easiest.

You start the tomcat server and then I ran this
setcap cap_net_bind_service=+ep /opt/jdk1.8.0_161/jre/bin/java

So now what?

How does it know to bind the java process to 443?
$ netstat -an says 443 is not open and it does not work using curl.

That is where I am right now.



What we cannot do here is resolve organisational issues within your work 
environment.

Without entering into the reasons why you cannot ask whoever is responsible for whatever 
is in front of tomcat to really help you and direct these client calls to port 8443 of 
your server (although that would in principle be the kind of thing for which they are paid), 
I am wondering why you do not try the iptables method outlined at :

 https://wiki.apache.org/httpd/NonRootPortBinding
 -> Alternative method (iptables/linux): NAT

If you can run the setcap command, it means that you have root access to your server, so 
you can run the iptables command also. And it seems simpler (and with less side-effects) 
than any of the other methods, in this case.


(On the other hand, if you do not have root access, then pretty much any command or 
utility that would allow you to redirect port 443 to something else, will not be 
accessible to you either; because if you could do that, then what would be the point of 
protecting these lower ports?)


I just tried this (as root) on a Linux Debian server, which is running tomcat on its 
default HTTP port 8080 :


# iptables -t nat -A PREROUTING -d 127.0.0.1 -p tcp --dport 500 -m addrtype --dst-type LOCAL -j DNAT --to-destination 127.0.0.1:8080
# iptables -t nat -A OUTPUT -d 127.0.0.1 -p tcp --dport 500 -m addrtype --dst-type LOCAL -j DNAT --to-destination 127.0.0.1:8080


and then, *from the same host*, I can access "http://localhost:500/" and get the tomcat 
default welcome page, without changing the Tomcat configuration.


(In the above, I just used the origin port 500, because it is below 1024, and happened to 
be unused on my server.)


To make this work in your case and from outside the host itself,
- replace all "127.0.0.1" above by the external IP address of your server (which you can 
see via "ifconfig -a")
- replace all "500" by "443"
- replace all "8080" by "8443"

As per above, these rules are temporary and will not survive a system reboot.
However, if you do a "man iptables", you should find somewhere the way to make these rules 
persistent. (Or search Google for "make iptables permanent").


tips :
- to see if these rules have "stuck", use the command "iptables -t nat -L -n"
- to delete the above rules, use exactly the same command as for setting them, but change 
the "-A" into "-D"
- rules implemented via iptables will not be visible when you do "netstat -pan --tcp | 
grep LISTEN", because there is not really any process listening on the port which you 
redirect in that way. iptables works at a lower level, modifying the ip packets themselves 
as they enter and exit your system. tomcat still listens on its original port, and still 
thinks it is reading from and writing to that same port (kind of).
You may also have to be careful that your application is never sending back to the 
clients a link which would contain the port :8443, or that would seriously confuse 
everything.


And again, if you do not have root access to your tomcat host, AND you cannot get help 
from the people managing whatever is in front of your server, then you are in an 
impossible situation, and you should probably report this to your managers and ask them 
for help.

In French we say : "à l'impossible, nul n'est tenu" (no one is bound to do the impossible).







===

Thank You;

Chris Cheltenham
Technology Services
The School District of Philadelphia

Work # 215-400-50
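The redirect procedure above (the two rules, the substitutions, the check and the delete) as one script, written here as an added example and not taken from the post: the rule specification is built once and reused for PREROUTING and OUTPUT, a rule is only appended when `iptables -C` reports it absent, and listing reads the `nat` table. It assumes iptables is installed and that apply/remove run as root; the address 192.0.2.10 and the port numbers are constructed defaults to be replaced.

```python
"""Idempotent DNAT redirect of port 443 to Tomcat's 8443 (added example)."""
import subprocess
import sys

# Constructed defaults: replace EXT_IP with the host's external address.
EXT_IP = "192.0.2.10"
FROM_PORT = 443     # privileged port the clients connect to
TO_PORT = 8443      # port Tomcat actually listens on

# PREROUTING rewrites packets arriving from other hosts; OUTPUT covers
# connections that originate on the host itself (e.g. curl on the server).
CHAINS = ("PREROUTING", "OUTPUT")


def dnat_rule_spec(ext_ip, from_port, to_port):
    """Rule specification shared by both chains (everything after the chain name)."""
    return ["-d", ext_ip, "-p", "tcp", "--dport", str(from_port),
            "-m", "addrtype", "--dst-type", "LOCAL",
            "-j", "DNAT", "--to-destination", f"{ext_ip}:{to_port}"]


def iptables_argv(action, chain, ext_ip, from_port, to_port):
    """argv for one iptables call; action is -A (append), -C (check) or -D (delete)."""
    return ["iptables", "-t", "nat", action, chain] + dnat_rule_spec(ext_ip, from_port, to_port)


def rule_present(chain, ext_ip, from_port, to_port):
    """True if the exact rule already exists (iptables -C exits 0 on a match)."""
    result = subprocess.run(iptables_argv("-C", chain, ext_ip, from_port, to_port),
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return result.returncode == 0


def apply_redirect(ext_ip=EXT_IP, from_port=FROM_PORT, to_port=TO_PORT):
    """Append both rules, skipping any already present so re-runs do not stack
    duplicates. Returns the chains that were changed."""
    changed = []
    for chain in CHAINS:
        if not rule_present(chain, ext_ip, from_port, to_port):
            subprocess.run(iptables_argv("-A", chain, ext_ip, from_port, to_port), check=True)
            changed.append(chain)
    return changed


def remove_redirect(ext_ip=EXT_IP, from_port=FROM_PORT, to_port=TO_PORT):
    """Delete both rules using the same specification (-D instead of -A)."""
    changed = []
    for chain in CHAINS:
        if rule_present(chain, ext_ip, from_port, to_port):
            subprocess.run(iptables_argv("-D", chain, ext_ip, from_port, to_port), check=True)
            changed.append(chain)
    return changed


def show_rules():
    """List the nat table; the redirected port never appears in netstat/ss
    output because no process listens on it."""
    for chain in CHAINS:
        subprocess.run(["iptables", "-t", "nat", "-L", chain, "-n", "--line-numbers"], check=True)


if __name__ == "__main__":
    actions = {"apply": apply_redirect, "remove": remove_redirect, "show": show_rules}
    action = sys.argv[1] if len(sys.argv) > 1 else ""
    if action not in actions:
        sys.exit(f"usage: {sys.argv[0]} apply|remove|show")
    result = actions[action]()
    if result is not None:
        print("changed chains:", result)
```

For the caveat about links carrying :8443, the Tomcat connector's proxyPort attribute (set to 443) makes the server report the external port in the URLs it generates.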

RE: Binding a non root user to port 443

2018-03-14 Thread Cheltenham, Chris
Ok, I thank you guys for being so helpful.
I would never expect that.

Basically I have tomcat running on port 8443 as user tomcat.
I am trying to find ways to redirect them to 443 WITHOUT using iptables or 
the firewall or the load balancer.
I have no control over any of those tools and I cannot use a reverse proxy 
either because I do not have control of apache.

I think that leaves me basically with authbind or setcap, locally.

However, I cannot get either to work.

Setcap seemed easiest.

You start the tomcat server and then I ran this
setcap cap_net_bind_service=+ep /opt/jdk1.8.0_161/jre/bin/java

So now what?

How does it know to bind the java process to 443?
$ netstat -an says 443 is not open and it does not work using curl.

That is where I am right now.










Re: Binding a non root user to port 443

2018-03-14 Thread Olaf Kock


On 14.03.2018 16:02, Cheltenham, Chris wrote:

Chris,

I am kind of lost. I am not sure what you guys are asking.
If I asked the same thing twice it's because whatever was sent by someone
else other than you did not work or I cannot use.


Well, I'm also lost. It would help to know what didn't work for you and, 
if possible, why. It doesn't help anyone if we're giving the same 
answers again, not knowing any of the aspects that need to be changed, 
or anything about what you can't use.


Olaf





RE: Binding a non root user to port 443

2018-03-14 Thread Cheltenham, Chris
Chris,

I am kind of lost. I am not sure what you guys are asking.
If I asked the same thing twice it's because whatever was sent by someone 
else other than you did not work or I cannot use.







Re: Tomcat 8.5.28 SSL - Cannot store non-PrivateKeys

2018-03-14 Thread Richard Tearle
Hello

On 1 March 2018 at 23:31, George S.  wrote:

> I'm hitting the error:
>
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[HTTP/1.1-8443]]
> Caused by: org.apache.catalina.LifecycleException: Protocol handler
> initialization failed
> Caused by: java.lang.IllegalArgumentException: Cannot store
> non-PrivateKeys
>
> The connector is configured as:
>
>
>  address="10.0.0.62"
>maxThreads="150" SSLEnabled="true">
> 
>  certificateFile="conf/certificate.pem"
>  type="RSA" />
> 
> 
>
> I've verified the tomcat user can read the two files, and I've su'd to
> user tomcat and used:
>
> openssl rsa -in key.pem -text
>
> and the private key was dumped as expected. The key is not encrypted. The
> cert is self-signed and was generated by OpenSSL using CA.sh.
>
> I'm kind of at a loss here. The example server.xml entries show naming PEM
> files directly, and the connector docs seem to imply that pem files are
> supported.
>
> Can anyone give me a pointer on what to do here?
>
> --
> George S.
> *MH Software, Inc.*
> Voice: 303 438 9585
> http://www.mhsoftware.com
>


Are you using the Tomcat Native Library? I think that's required when using
PEM encoded certificates.

-- 
Richard Tearle BSc(Hons) MCP
Senior Consultant
Northgate Public Services (NPS)
Mobile: +44 (0)7738 888315
Email: richard.tea...@northgateps.com
Web: www.northgatepublicservices.co.uk



Re: Tomcat 8.5.28 SSL - Cannot store non-PrivateKeys

2018-03-14 Thread Christopher Schultz

George,

On 3/1/18 6:31 PM, George S. wrote:
> I'm hitting the error:
> 
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]] 
> org.apache.catalina.LifecycleException: Failed to initialize
> component [Connector[HTTP/1.1-8443]] Caused by:
> org.apache.catalina.LifecycleException: Protocol handler 
> initialization failed Caused by:
> java.lang.IllegalArgumentException: Cannot store non-PrivateKeys
> 
> The connector is configured as:
> 
> 
>  protocol="org.apache.coyote.http11.Http11NioProtocol" 
> address="10.0.0.62" maxThreads="150" SSLEnabled="true"> 
>   certificateFile="conf/certificate.pem" type="RSA" /> 
>  
> 
> I've verified the tomcat user can read the two files, and I've su'd
> to user tomcat and used:
> 
> openssl rsa -in key.pem -text
> 
> and the private key was dumped as expected. The key is not
> encrypted. The cert is self-signed and was generated by OpenSSL
> using CA.sh.
> 
> I'm kind of at a loss here. The example server.xml entries show
> naming PEM files directly, and the connector docs seem to imply
> that pem files are supported.
> 
> Can anyone give me a pointer on what to do here?

Can you post the full stack trace?

-chris




Re: Binding a non root user to port 443

2018-03-14 Thread Christopher Schultz

Chris,

On 3/14/18 10:02 AM, Cheltenham, Chris wrote:
> Oh this thread was long ago and answered by someone else.

You asked the same question on 2018-03-02, and got many replies
including the ones I gave in this thread. Actually, I replied as well.

Previous thread: https://markmail.org/thread/bfct4jm5saotfmsq
Current thread:  https://markmail.org/thread/rpqtbbfualtztapb

So the question is: why are you asking the same question again? Did
you not like those answers? Did you try any of them and were having
trouble? It doesn't seem like you tried all the possibilities that
were suggested back in early March.

-chris




RE: Binding a non root user to port 443

2018-03-14 Thread Cheltenham, Chris
Coty,

Oh this thread was long ago and answered by someone else.

Thanks






RE: Binding a non root user to port 443

2018-03-14 Thread Cheltenham, Chris
Hello Coty,

I am not sure what you mean?







Re: Binding a non root user to port 443

2018-03-14 Thread Christopher Schultz

Coty,

On 3/13/18 2:20 PM, Coty Sutherland wrote:
> This looks like a continuation of this thread from 11 days ago: 
> https://www.mail-archive.com/users@tomcat.apache.org/msg128541.html

Indeed.

Chris C, you didn't like any of the responses you got in the
previous thread?

-chris




Re: TomcatCon Training: Tomcat for Administrators

2018-03-14 Thread Mark Thomas
With less than 4 weeks to go, places are still available for the "Tomcat
for Administrators" training course in Manchester, UK.

If you are thinking of attending, please book early as the more notice
we have, the easier it is for us to arrange various logistics -
particularly catering.

I hope to see you there.

Mark
on behalf of the Apache Tomcat PMC


On 19/02/18 14:50, Mark Thomas wrote:
> All,
> 
> The Apache Tomcat PMC is delighted to announce that the registration for
> the training course "Tomcat for Administrators" is now open.
> 
> This one-day training course will take place in central Manchester, UK
> on Tuesday April 10, 2018.
> 
> Full details, including the schedule is available on the website:
> http://tomcat.apache.org/conference.html
> 
> Registration is via EventBrite:
> https://www.eventbrite.com/e/tomcatcon-training-tomcat-for-administrators-tickets-43039556472?aff=lists
> 
> We hope to see you there.
> 
> Mark
> on behalf of the Apache Tomcat PMC
> 
> 





Re: Questions on recent CVE fixes

2018-03-14 Thread Mark Thomas

On 14/03/2018 01:04, Harish Krishnan wrote:

Hi All,

Thanks for all the help and work you great people do.

My question is regarding CVE-2018-1305 and CVE-2018-1304
that were fixed in the latest builds.
We use Tomcat 7.x.

a) When can we expect the CVE scores to be determined for these vulnerabilities?
On NVD, it still says awaiting analysis.
This information would help us determine the SLA on when we can update
tomcat builds.


The Tomcat community does not provide CVSS scores. There are multiple 
reasons for this including:

- they are too subjective;
- the true score depends on how Tomcat is being used and that can only
  be determined by the user and can vary wildly from user to user for
  any one vulnerability.

The correct thing to do is exactly what you are doing. Review the 
vulnerabilities, figure out if they impact you or not and, if they do 
impact you, figure out the extent of that impact, what you need to do to 
mitigate that impact and how quickly you need to do it.



b) Regarding 1st CVE (#1305), we do not use annotation based security
constraints. Instead we configure it in our web.xml.
With this understanding, is it safe to consider we are not vulnerable?


Correct. You are not vulnerable because you do not define security 
constraints via annotations.



c) Regarding 2nd CVE (#1304), the url pattern in all our security
constraints is of the format "/*".
"*" I believe would include everything.
To confirm with you, does this include the empty ("") string to make our
usage vulnerable too?


No. You are not vulnerable. The vulnerability only applies if the url 
pattern of the empty string is used to define a security constraint.


Kind regards,

Mark

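A check for the precondition Mark describes, as an added example (not code from the Tomcat project or from the thread): it parses a web.xml and flags security-constraints whose url-pattern is the empty string, the only configuration the CVE-2018-1304 fix concerns, while "/*" constraints are reported and left alone. The sample web.xml is constructed; the annotation-based constraints of CVE-2018-1305 live in Java source and are outside what this script reads.

```python
"""Audit a Tomcat web.xml for security constraints with an empty url-pattern (added example)."""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one constraint covering everything, one using the
# empty-string pattern (the context root) that the CVE-2018-1304 fix is about.
SAMPLE_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <display-name>Whole application</display-name>
    <web-resource-collection>
      <web-resource-name>All</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <display-name>Context root only</display-name>
    <web-resource-collection>
      <web-resource-name>Root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""


def _local(tag):
    """Strip the namespace so web.xml files with or without an xmlns are handled alike."""
    return tag.rsplit("}", 1)[-1]


def audit_constraints(web_xml_text):
    """Return one (name, url_patterns, uses_empty_pattern) tuple per security-constraint."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        name, patterns = None, []
        for el in sc.iter():
            if _local(el.tag) == "display-name" and name is None:
                name = (el.text or "").strip()
            elif _local(el.tag) == "url-pattern":
                # An element with no text, or whitespace only, is the empty pattern.
                patterns.append((el.text or "").strip())
        findings.append((name or "<unnamed>", patterns, "" in patterns))
    return findings


def empty_pattern_constraints(web_xml_text):
    """Only the constraints that define the empty-string url-pattern."""
    return [f for f in audit_constraints(web_xml_text) if f[2]]


if __name__ == "__main__":
    # Pass a path to a real web.xml, or run without arguments to see the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_WEB_XML
    for name, patterns, flagged in audit_constraints(text):
        mark = "CHECK" if flagged else "ok   "
        print(f"{mark} {name}: {patterns}")
```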