Security issue involving HTTP response headers

2019-10-01 Thread jamesl
We have a customer who is particularly concerned about security. We just updated their Tomcat, which solved all the issues coming up in their security scan, except for one involving the following HTTP headers: X-FRAME-OPTIONS, X-XSS-PROTECTION, X-CONTENT-TYPE-OPTIONS and strict transport
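A check a practitioner would run against the server before handing it back to the scanner, as an added example that is not part of the post above and not Tomcat's own code (in Tomcat these headers are normally set by org.apache.catalina.filters.HttpHeaderSecurityFilter in web.xml; this script only inspects what the server actually sent). The two raw responses below are constructed for the example, and the HSTS max-age threshold is this script's own policy choice, not something the post specifies:

```python
"""Check an HTTP response for the security headers a scanner typically flags.

Added example, not from the mailing-list thread. It parses a raw HTTP/1.1
response and reports which of the headers named in the post are missing or
weak. The sample responses are constructed; HSTS_MIN_MAX_AGE is an assumed
policy threshold.
"""
from __future__ import annotations

HSTS_MIN_MAX_AGE = 31536000  # one year; a common scanner threshold (assumption)


def parse_headers(raw: bytes) -> dict[str, list[str]]:
    """Parse the header block of a raw HTTP response into a lower-cased name -> values map.

    Repeated headers are kept as a list so a duplicate X-Frame-Options
    (which browsers treat as invalid) stays visible.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:  # lines[0] is the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue  # blank or malformed line; ignore
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split a Strict-Transport-Security value into lower-cased directives."""
    directives: dict[str, str | None] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, val = part.partition("=")
        directives[key.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def check_security_headers(raw: bytes) -> list[str]:
    """Return a list of findings; an empty list means every checked header is acceptable."""
    h = parse_headers(raw)
    findings: list[str] = []

    xfo = h.get("x-frame-options", [])
    if not xfo:
        findings.append("X-Frame-Options missing")
    elif len(xfo) > 1:
        findings.append("X-Frame-Options sent more than once (browsers ignore conflicting values)")
    elif xfo[0].upper() not in ("DENY", "SAMEORIGIN"):
        findings.append(f"X-Frame-Options has non-standard value {xfo[0]!r}")

    xcto = h.get("x-content-type-options", [])
    if not xcto or xcto[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Legacy header; scanners still flag its absence, so report it.
    if not h.get("x-xss-protection"):
        findings.append("X-XSS-Protection missing")

    hsts = h.get("strict-transport-security", [])
    if not hsts:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_hsts(hsts[0])
        try:
            max_age = int(d.get("max-age") or "")
        except ValueError:
            max_age = -1  # absent or non-numeric max-age
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"Strict-Transport-Security max-age={max_age} below {HSTS_MIN_MAX_AGE}")
        if "includesubdomains" not in d:
            findings.append("Strict-Transport-Security lacks includeSubDomains")
    return findings


# Constructed sample responses: one lacking the headers, one hardened.
WEAK_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache-Coyote/1.1\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"Strict-Transport-Security: max-age=300\r\n"
    b"\r\n"
    b"<html></html>"
)

HARDENED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html;charset=UTF-8\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"X-XSS-Protection: 1; mode=block\r\n"
    b"Strict-Transport-Security: max-age=31536000;includeSubDomains\r\n"
    b"\r\n"
    b"<html></html>"
)

if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, check_security_headers(resp) or ["OK"])
```

Feed it the raw bytes of a real response (for example from a socket or `curl -si` output saved to a file) rather than the constructed samples; the point of parsing the raw response instead of relying on a client library is that duplicated or oddly-cased headers, which scanners also flag, are not silently merged before you look at them.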

RE: Tomcat 9.0.24/9.0.26 suspected memory leak

2019-10-01 Thread Chen Levy
> -Original Message- > From: Mark Thomas > Sent: Tuesday, October 1, 2019 17:43 > To: users@tomcat.apache.org > Subject: Re: Tomcat 9.0.24/9.0.26 suspected memory leak > > Found it. > > HTTP/2 on NIO is affected. > HTTP/2 on APR/native is not affected. > > Need to check on NIO2 but I

Re: Tomcat 9.0.24/9.0.26 suspected memory leak

2019-10-01 Thread Mark Thomas
Found it. HTTP/2 on NIO is affected. HTTP/2 on APR/native is not affected. Need to check on NIO2 but I suspect it is affected. Patch to follow shortly. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For

Re: tomcat startup error on windows 10

2019-10-01 Thread Mark Thomas
On 01/10/2019 22:12, Barry Kimelman wrote: > my laptop is windows 10 , 64 bit > > I am running tomcat 9.0.14. it has been running fine since I installed it, > until today. Today for the first time in a long while I could not start > tomcat. > > I found the following logfile >

Re: Tomcat 9.0.24/9.0.26 suspected memory leak

2019-10-01 Thread Mark Thomas
On 30/09/2019 14:12, Rémy Maucherat wrote: > I added debug code in > AbstractProtocol.ConnectionHandler.release(SocketWrapperBase) to check > if the processor considered was present in the waitingProcessors map. The > result is the following: >

tomcat startup error on windows 10

2019-10-01 Thread Barry Kimelman
my laptop is windows 10 , 64 bit I am running tomcat 9.0.14. it has been running fine since I installed it, until today. Today for the first time in a long while I could not start tomcat. I found the following logfile *** *

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Mark Thomas
On 01/10/2019 18:27, Martin Cocaro wrote: > yes, upgrading to 8.5 is work in progress, but would want to have a > conclusive test that the same scenario fails in 8.0.X. What is the best way > to distribute the POC code and what is required from our end to get access > to it? Martin, There is no

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
yes, upgrading to 8.5 is work in progress, but would want to have a conclusive test that the same scenario fails in 8.0.X. What is the best way to distribute the POC code and what is required from our end to get access to it? On Tue, Oct 1, 2019 at 1:54 PM Christopher Schultz <

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 10/1/19 12:15, Martin Cocaro wrote: > Thank you Chris for the answer. The EOL date and its policy made > me wonder if the CVE was tested against that version. > > Is there any place I can get a POC version of the CVE test case so >

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
Thank you Chris for the answer. The EOL date and its policy made me wonder if the CVE was tested against that version. Is there any place I can get a POC version of the CVE test case so that I can do the test myself against version 8.0.53? On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
Thank you for the confirmation! Much appreciated. On Tue, Oct 1, 2019 at 12:46 PM Mark Thomas wrote: > > Martin, > > > > On 10/1/19 10:35, Martin Cocaro wrote: > >> Apache Tomcat Users Team, > > > >> The purpose of this email is to request information regarding > >> Apache Tomcat CVE-2018-8037

Re: Release of Tomcat 8.5.46, EOL of 8.5.x?

2019-10-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Mark, On 9/27/19 12:18, Mark Thomas wrote: > On 27/09/2019 14:38, KM wrote: >> I saw the announcement of the latest 8.5.x version of Tomcat. >> Has anyone heard of an EOL date for Tomcat 8.5.x? I haven't seen >> anything about it anywhere. I saw

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Mark Thomas
> Martin, > > On 10/1/19 10:35, Martin Cocaro wrote: >> Apache Tomcat Users Team, > >> The purpose of this email is to request information regarding >> Apache Tomcat CVE-2018-8037 >> possibly affecting >> version 8.0.X (particularly 8.0.53). The

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Martin, On 10/1/19 10:35, Martin Cocaro wrote: > Apache Tomcat Users Team, > > The purpose of this email is to request information regarding > Apache Tomcat CVE-2018-8037 > possibly affecting >

Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
Apache Tomcat Users Team, The purpose of this email is to request information regarding Apache Tomcat CVE-2018-8037 possibly affecting version 8.0.X (particularly 8.0.53). The CVE was made public on 22-July-2018, after being privately disclosed on