Security issue involving HTTP response headers

2019-10-01 Thread jamesl
We have a customer who is particularly concerned about security.

We just updated their Tomcat, which solved all the issues coming up in their 
security scan, except for one involving the following HTTP headers:

X-FRAME-OPTIONS
X-XSS-PROTECTION
X-CONTENT-TYPE-OPTIONS

and strict transport security.

The environment is Tomcat 7.0.93, JSSE, running on an AS/400.

Is this something to be fixed in a configuration file, or the webapp, or 
someplace else?
-- 
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Tomcat 9.0.24/9.0.26 suspected memory leak

2019-10-01 Thread Chen Levy
> -Original Message-
> From: Mark Thomas 
> Sent: Tuesday, October 1, 2019 17:43
> To: users@tomcat.apache.org
> Subject: Re: Tomcat 9.0.24/9.0.26 suspected memory leak
> 
> Found it.
> 
> HTTP/2 on NIO is affected.
> HTTP/2 on APR/native is not affected.
> 
> Need to check on NIO2 but I suspect it is affected.
> 
> Patch to follow shortly.
> 
> Mark


Good, here's some more corroborating info:
Mark, I followed your suggestion to test without HTTP/2, and one of my servers 
(v9.0.26) has been running without it for a day now, showing no memory 
accumulation.
I do not use APR/Native.

Chen




Re: Tomcat 9.0.24/9.0.26 suspected memory leak

2019-10-01 Thread Mark Thomas
Found it.

HTTP/2 on NIO is affected.
HTTP/2 on APR/native is not affected.

Need to check on NIO2 but I suspect it is affected.

Patch to follow shortly.

Mark




Re: tomcat startup error on windows 10

2019-10-01 Thread Mark Thomas
On 01/10/2019 22:12, Barry Kimelman wrote:
> My laptop is Windows 10, 64-bit.
> 
> I am running Tomcat 9.0.14. It has been running fine since I installed it,
> until today. Today for the first time in a long while I could not start
> Tomcat.
> 
> I found the following logfile
> C:\Tomcat_9_0_14\logs\commons-daemon.2019-10-01.log
> 
> [2019-10-01 13:57:19] [info]  [10036] Commons Daemon procrun (1.1.0.0
> 64-bit) started
> [2019-10-01 13:57:20] [info]  [10036] Running 'Tomcat9' Service...
> [2019-10-01 13:57:20] [info]  [ 9728] Starting service...
> [2019-10-01 13:57:20] [error] [ 9728] Failed creating Java C:\Program
> Files\Java\jre1.8.0_201\bin\server\jvm.dll
> [2019-10-01 13:57:20] [error] [ 9728] The system cannot find the path
> specified.
> [2019-10-01 13:57:21] [error] [ 9728] ServiceStart returned 1
> [2019-10-01 13:57:21] [error] [ 9728] The system cannot find the path
> specified.
> [2019-10-01 13:57:21] [info]  [10036] Run service finished.
> [2019-10-01 13:57:21] [info]  [10036] Commons Daemon procrun finished
> 
> My JAVA_HOME environment variable = C:\Program Files\Java\jdk1.8.0_191
> 
>  Directory of C:\Program Files\Java
> 
> 07/24/2019  02:47 PM    <DIR>          .
> 07/24/2019  02:47 PM    <DIR>          ..
> 01/01/2019  03:47 PM    <DIR>          jdk1.8.0_191
> 07/24/2019  06:29 AM    <DIR>          jre1.8.0_221
>                0 File(s)              0 bytes
>                4 Dir(s)  561,688,457,216 bytes free
> 
> Under here I found 2 jvm.dll files:
> 
>    8836952   1/1/2019   3:42:28 PM  C:\Program Files\Java\jdk1.8.0_191\jre\bin\server\jvm.dll
>    8841712   7/24/2019  6:28:25 AM  C:\Program Files\Java\jre1.8.0_221\bin\server\jvm.dll
> 
> I did a recursive search under the tomcat directory looking at text files
> for "jrel1" and did not find anything.
> 
> So far google searches have not turned up anything.
> 
> Any ideas as to why I am having this issue?

You've upgraded Java since you last ran Tomcat and the service can no
longer find your Java installation.

Run tomcat9w.exe, and update the Java config to point to your preferred JRE.

Mark




Re: Tomcat 9.0.24/9.0.26 suspected memory leak

2019-10-01 Thread Mark Thomas
On 30/09/2019 14:12, Rémy Maucherat wrote:



> I added debug code in
> AbstractProtocol.ConnectionHandler.release(SocketWrapperBase) to check
> if the processor considered was present in the waitingProcessors map. The
> result is the following:
> TEST-javax.servlet.http.TestHttpServletResponseSendError.NIO.txt:CHECK
> PROCESSOR FAILED org.apache.coyote.http11.Http11Processor@77b16580
> TEST-javax.servlet.http.TestHttpServletResponseSendError.NIO.txt:CHECK
> PROCESSOR FAILED org.apache.coyote.http11.Http11Processor@1d902704
> TEST-javax.servlet.http.TestHttpServletResponseSendError.NIO.txt:CHECK
> PROCESSOR FAILED org.apache.coyote.http11.Http11Processor@610c4fc8
> TEST-javax.servlet.http.TestHttpServletResponseSendError.NIO.txt:CHECK
> PROCESSOR FAILED org.apache.coyote.http11.Http11Processor@1a3a3cb6
> TEST-javax.servlet.http.TestHttpServletResponseSendError.NIO.txt:CHECK
> PROCESSOR FAILED org.apache.coyote.http11.Http11Processor@336f552d
> TEST-javax.servlet.http.TestHttpServletResponseSendError.NIO.txt:CHECK
> PROCESSOR FAILED org.apache.coyote.http11.Http11Processor@3cd94f25
> TEST-javax.servlet.http.TestHttpServletResponseSendError.NIO.txt:CHECK
> PROCESSOR FAILED org.apache.coyote.http11.Http11Processor@66e24762
> TEST-javax.servlet.http.TestHttpServletResponseSendError.NIO.txt:CHECK
> PROCESSOR FAILED org.apache.coyote.http11.Http11Processor@7c7a1c3c
> TEST-org.apache.coyote.http11.TestHttp11Processor.NIO.txt:CHECK PROCESSOR
> FAILED org.apache.coyote.http11.Http11Processor@55a44822
> TEST-org.apache.coyote.http11.upgrade.TestUpgradeInternalHandler.NIO.txt:CHECK
> PROCESSOR FAILED
> org.apache.coyote.http11.upgrade.UpgradeProcessorInternal@6e55ff60
> TEST-org.apache.coyote.http11.upgrade.TestUpgrade.NIO.txt:CHECK PROCESSOR
> FAILED org.apache.coyote.http11.upgrade.UpgradeProcessorExternal@37d98b7f
> TEST-org.apache.tomcat.websocket.server.TestShutdown.NIO.txt:CHECK
> PROCESSOR FAILED
> org.apache.coyote.http11.upgrade.UpgradeProcessorInternal@6be9bd85
> TEST-org.apache.tomcat.websocket.TestWsRemoteEndpoint.NIO.txt:CHECK
> PROCESSOR FAILED
> org.apache.coyote.http11.upgrade.UpgradeProcessorInternal@3bd4e02f
> TEST-org.apache.tomcat.websocket.TestWsRemoteEndpoint.NIO.txt:CHECK
> PROCESSOR FAILED
> org.apache.coyote.http11.upgrade.UpgradeProcessorInternal@4bb23a77
> TEST-org.apache.tomcat.websocket.TestWsRemoteEndpoint.NIO.txt:CHECK
> PROCESSOR FAILED
> org.apache.coyote.http11.upgrade.UpgradeProcessorInternal@32e20d65
> TEST-org.apache.tomcat.websocket.TestWsRemoteEndpoint.NIO.txt:CHECK
> PROCESSOR FAILED
> org.apache.coyote.http11.upgrade.UpgradeProcessorInternal@16abf52f
> 
> All instances of not removed processors are either from async or upgraded
> processors (the internal kind), as expected. I have verified the processor
> instances above are never removed so it might be more robust to simply call
> proto.removeWaitingProcessor(processor); in
> AbstractProtocol.ConnectionHandler.release(SocketWrapperBase) (after all
> the socket is closed and done after that point). There could be a more fine
> grained solution of course.
> 
> However, this does not match the leak scenario described by the user, this
> doesn't happen without async or websockets being used.

I'm not sure those are leaks. I've started to check them and it looks
like Tomcat is shutting down while an async request is still waiting to
timeout. In those circumstances you would expect to see a Processor in
waiting processors.

A separate question is what is the correct error handling for async
requests. There was some discussion on that topic on the Jakarta Servlet
list but it didn't reach any definitive conclusions. I have some patches
I need to get back to that should help but they are still a work in
progress.

I'll keep checking but my sense is that we haven't found the root cause
of this leak yet.

Mark




tomcat startup error on windows 10

2019-10-01 Thread Barry Kimelman
My laptop is Windows 10, 64-bit.

I am running Tomcat 9.0.14. It has been running fine since I installed it,
until today. Today for the first time in a long while I could not start
Tomcat.

I found the following logfile
C:\Tomcat_9_0_14\logs\commons-daemon.2019-10-01.log

[2019-10-01 13:57:19] [info]  [10036] Commons Daemon procrun (1.1.0.0
64-bit) started
[2019-10-01 13:57:20] [info]  [10036] Running 'Tomcat9' Service...
[2019-10-01 13:57:20] [info]  [ 9728] Starting service...
[2019-10-01 13:57:20] [error] [ 9728] Failed creating Java C:\Program
Files\Java\jre1.8.0_201\bin\server\jvm.dll
[2019-10-01 13:57:20] [error] [ 9728] The system cannot find the path
specified.
[2019-10-01 13:57:21] [error] [ 9728] ServiceStart returned 1
[2019-10-01 13:57:21] [error] [ 9728] The system cannot find the path
specified.
[2019-10-01 13:57:21] [info]  [10036] Run service finished.
[2019-10-01 13:57:21] [info]  [10036] Commons Daemon procrun finished

My JAVA_HOME environment variable = C:\Program Files\Java\jdk1.8.0_191

 Directory of C:\Program Files\Java

07/24/2019  02:47 PM    <DIR>          .
07/24/2019  02:47 PM    <DIR>          ..
01/01/2019  03:47 PM    <DIR>          jdk1.8.0_191
07/24/2019  06:29 AM    <DIR>          jre1.8.0_221
               0 File(s)              0 bytes
               4 Dir(s)  561,688,457,216 bytes free

Under here I found 2 jvm.dll files:

   8836952   1/1/2019   3:42:28 PM  C:\Program Files\Java\jdk1.8.0_191\jre\bin\server\jvm.dll
   8841712   7/24/2019  6:28:25 AM  C:\Program Files\Java\jre1.8.0_221\bin\server\jvm.dll

I did a recursive search under the tomcat directory looking at text files
for "jrel1" and did not find anything.

So far google searches have not turned up anything.

Any ideas as to why I am having this issue?


==

Barry Kimelman
Winnipeg, Manitoba, Canada


Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Mark Thomas
On 01/10/2019 18:27, Martin Cocaro wrote:
> yes, upgrading to 8.5 is work in progress, but would want to have a
> conclusive test that the same scenario fails in 8.0.X. What is the best way
> to distribute the POC code and what is required from our end to get access
> to it?

Martin,

There is no PoC and even if there was we would not release it.

Mark




Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
yes, upgrading to 8.5 is work in progress, but would want to have a
conclusive test that the same scenario fails in 8.0.X. What is the best way
to distribute the POC code and what is required from our end to get access
to it?

On Tue, Oct 1, 2019 at 1:54 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Martin,
>
> On 10/1/19 12:15, Martin Cocaro wrote:
> > Thank you Chris for the answer. The EOL date and its policy made
> > me wonder if the CVE was tested against that version.
> >
> > Is there any place I can get a POC version of the CVE test case so
> > that I can do the test myself against version 8.0.53?
> Possibly, but we won't be distributing any PoC code, here.
>
> Why not simply plan to migrate to Tomcat 8.5? The process should be
> fairly smooth.
>
> - -chris
>
> > On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > Martin,
> >
> > On 10/1/19 10:35, Martin Cocaro wrote:
> >> Apache Tomcat Users Team,
> >>
> >> The purpose of this email is to request information
> >> regarding Apache Tomcat CVE-2018-8037 possibly
> >> affecting version 8.0.X (particularly 8.0.53). The CVE was
> >> made public on 22-July-2018, after being privately disclosed
> >> on 16-Jun-2018. The EOL date of Tomcat 8.0.X was
> >> 30-Jun-2018.
> >>
> >> Reaching out to you to get confirmation on whether the CVE
> >> is confirmed to not affect the version 8.0.X or if the CVE
> >> was not tested against such version at all as its EOL date
> >> preceded the public disclosure.
> >>
> >> Your help on this matter would be greatly appreciated.
> >
> > That source you are reading (securityfocus) lists all of the
> > vulnerable versions. If you look at the Mitre report, you'll see
> > the same thing, except that they provide a *range* of versions
> > instead of just the individual ones affected.
> >
> > No Tomcat 8.0.x versions appear in the list.
> >
> > I haven't personally tested Tomcat 8.0.x against any
> > proof-of-concept code, but I do not believe it is/was vulnerable to
> > this CVE.
> >
> > -chris


Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Christopher Schultz

Martin,

On 10/1/19 12:15, Martin Cocaro wrote:
> Thank you Chris for the answer. The EOL date and its policy made
> me wonder if the CVE was tested against that version.
>
> Is there any place I can get a POC version of the CVE test case so
> that I can do the test myself against version 8.0.53?
Possibly, but we won't be distributing any PoC code, here.

Why not simply plan to migrate to Tomcat 8.5? The process should be
fairly smooth.

- -chris

> On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> Martin,
>
> On 10/1/19 10:35, Martin Cocaro wrote:
>> Apache Tomcat Users Team,
>>
>> The purpose of this email is to request information
>> regarding Apache Tomcat CVE-2018-8037 possibly
>> affecting version 8.0.X (particularly 8.0.53). The CVE was
>> made public on 22-July-2018, after being privately disclosed
>> on 16-Jun-2018. The EOL date of Tomcat 8.0.X was
>> 30-Jun-2018.
>>
>> Reaching out to you to get confirmation on whether the CVE
>> is confirmed to not affect the version 8.0.X or if the CVE
>> was not tested against such version at all as its EOL date
>> preceded the public disclosure.
>>
>> Your help on this matter would be greatly appreciated.
>
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see
> the same thing, except that they provide a *range* of versions
> instead of just the individual ones affected.
>
> No Tomcat 8.0.x versions appear in the list.
>
> I haven't personally tested Tomcat 8.0.x against any
> proof-of-concept code, but I do not believe it is/was vulnerable to
> this CVE.
>
> -chris



Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
Thank you Chris for the answer. The EOL date and its policy made me wonder
if the CVE was tested against that version.

Is there any place I can get a POC version of the CVE test case so that I
can do the test myself against version 8.0.53?

On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Martin,
>
> On 10/1/19 10:35, Martin Cocaro wrote:
> > Apache Tomcat Users Team,
> >
> > The purpose of this email is to request information regarding
> > Apache Tomcat CVE-2018-8037
> >  possibly affecting
> > version 8.0.X (particularly 8.0.53). The CVE was made public on
> > 22-July-2018, after being privately disclosed on 16-Jun-2018. The
> > EOL date of Tomcat 8.0.X was 30-Jun-2018.
> >
> > Reaching out to you to get confirmation on whether the CVE is
> > confirmed to not affect the version 8.0.X or if the CVE was not
> > tested against such version at all as its EOL date preceded the
> > public disclosure.
> >
> > Your help on this matter would be greatly appreciated.
>
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see the
> same thing, except that they provide a *range* of versions instead of
> just the individual ones affected.
>
> No Tomcat 8.0.x versions appear in the list.
>
> I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> code, but I do not believe it is/was vulnerable to this CVE.
>
> - -chris


Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
Thank you for the confirmation! Much appreciated.

On Tue, Oct 1, 2019 at 12:46 PM Mark Thomas  wrote:

> > Martin,
> >
> > On 10/1/19 10:35, Martin Cocaro wrote:
> >> Apache Tomcat Users Team,
> >
> >> The purpose of this email is to request information regarding
> >> Apache Tomcat CVE-2018-8037
> >>  possibly affecting
> >> version 8.0.X (particularly 8.0.53). The CVE was made public on
> >> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
> >> EOL date of Tomcat 8.0.X was 30-Jun-2018.
> >
> >> Reaching out to you to get confirmation on whether the CVE is
> >> confirmed to not affect the version 8.0.X or if the CVE was not
> >> tested against such version at all as its EOL date preceded the
> >> public disclosure.
> >
> >> Your help on this matter would be greatly appreciated.
> >
> > That source you are reading (securityfocus) lists all of the
> > vulnerable versions. If you look at the Mitre report, you'll see the
> > same thing, except that they provide a *range* of versions instead of
> > just the individual ones affected.
> >
> > No Tomcat 8.0.x versions appear in the list.
> >
> > I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> > code, but I do not believe it is/was vulnerable to this CVE.
>
> I've just been reading through the internal discussion for
> CVE-2018-8037. The conclusion was that neither 8.0.x nor 7.0.x was
> vulnerable.
>
> Mark
>


Re: Release of Tomcat 8.5.46, EOL of 8.5.x?

2019-10-01 Thread Christopher Schultz

Mark,

On 9/27/19 12:18, Mark Thomas wrote:
> On 27/09/2019 14:38, KM wrote:
>> I saw the announcement of the latest 8.5.x version of Tomcat.
>> Has anyone heard of an EOL date for Tomcat 8.5.x?  I haven't seen
>> anything about it anywhere.  I saw 8.0.x was EOL.  We are using
>> embedded Tomcat 8.5 now and want to upgrade to the latest.
>>
>> We were considering upgrading to 9.0.x, but were wondering how
>> much official time we had before it was required.
>>
>> Thanks in advance for any information.
>
> There is no official date.
>
> The Tomcat project maintains 3 major versions in parallel.
> Currently these are:
> - 9.0.x
> - 8.5.x
> - 7.0.x
>
> We always provide at least 12 months notice of EOL.
>
> Major releases are aligned with releases of the Servlet
> specification. The current timetable for the next Servlet spec is
> TBD.
>
> We haven't even announced EOL for 7.0.x yet so you have:
> - x years until Tomcat 10 / Servlet 4.next is released
> - 1 year for 7.0.x EOL

That should be "x+1 year for 7.0.x EOL".

> - y years until Tomcat 11 / Servlet 4.next+1 is released
> - 1 year for 8.5.x EOL

Similarly, that should be "y+1 year for 8.5.x EOL".

> Taking low estimates for x and y of 1 and 2 respectively, you have
> at least 5 years before 8.5.x is EOL.
>
> Take that figure as an "Engineering Estimate". Also known as a
> "wild guess".

It's also worth noting that we have had two ".5" releases over the
past two decades, and those have accelerated the EOL dates of their
predecessors. I'm specifically speaking of Tomcat 5.5 and 8.5, both of
which caused 5.0 and 8.0 to be sunsetted somewhat "early" from the
usual length of time a Tomcat release would normally be supported.

In both cases, the ".5" releases were seen as (a) breaking changes
from their respective ".0" releases and (b) far superior in terms of
technology (or features) and/or compatibility with later versions.

Tomcat 8.0 died early because of significant changes to the Connector
architecture to support H2 (and, somewhat belatedly, Websocket)
including the abandoning of the blocking-IO connectors. Tomcat 9.0 had
to be delayed due to the delays in the release of the Java EE Servlet
4.0 specification. It became obvious that Tomcat 8.5 would be more
useful to the community over the long-term so the decision was made to
build a ".5" version and move forward. Tomcat 8.5 represents all of
the great things in Tomcat 9.0 that didn't depend upon the Servlet API
release but were in great demand by the community. Tomcat 9.0 was
released shortly thereafter with many of the same features, plus
support for Servlet 4.0.

It's conceivable that Tomcat 9.0 may receive the same treatment when
Tomcat 10 begins to take shape, but my "engineering estimate" is that
it's quite unlikely.

- -chris



Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Mark Thomas
> Martin,
> 
> On 10/1/19 10:35, Martin Cocaro wrote:
>> Apache Tomcat Users Team,
> 
>> The purpose of this email is to request information regarding
>> Apache Tomcat CVE-2018-8037
>>  possibly affecting
>> version 8.0.X (particularly 8.0.53). The CVE was made public on
>> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
>> EOL date of Tomcat 8.0.X was 30-Jun-2018.
> 
>> Reaching out to you to get confirmation on whether the CVE is
>> confirmed to not affect the version 8.0.X or if the CVE was not
>> tested against such version at all as its EOL date preceded the
>> public disclosure.
> 
>> Your help on this matter would be greatly appreciated.
> 
> That source you are reading (securityfocus) lists all of the
> vulnerable versions. If you look at the Mitre report, you'll see the
> same thing, except that they provide a *range* of versions instead of
> just the individual ones affected.
> 
> No Tomcat 8.0.x versions appear in the list.
> 
> I haven't personally tested Tomcat 8.0.x against any proof-of-concept
> code, but I do not believe it is/was vulnerable to this CVE.

I've just been reading through the internal discussion for
CVE-2018-8037. The conclusion was that neither 8.0.x nor 7.0.x was
vulnerable.

Mark




Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Christopher Schultz

Martin,

On 10/1/19 10:35, Martin Cocaro wrote:
> Apache Tomcat Users Team,
>
> The purpose of this email is to request information regarding
> Apache Tomcat CVE-2018-8037
>  possibly affecting
> version 8.0.X (particularly 8.0.53). The CVE was made public on
> 22-July-2018, after being privately disclosed on 16-Jun-2018. The
> EOL date of Tomcat 8.0.X was 30-Jun-2018.
>
> Reaching out to you to get confirmation on whether the CVE is
> confirmed to not affect the version 8.0.X or if the CVE was not
> tested against such version at all as its EOL date preceded the
> public disclosure.
>
> Your help on this matter would be greatly appreciated.

That source you are reading (securityfocus) lists all of the
vulnerable versions. If you look at the Mitre report, you'll see the
same thing, except that they provide a *range* of versions instead of
just the individual ones affected.

No Tomcat 8.0.x versions appear in the list.

I haven't personally tested Tomcat 8.0.x against any proof-of-concept
code, but I do not believe it is/was vulnerable to this CVE.

- -chris



Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
Apache Tomcat Users Team,

The purpose of this email is to request information regarding Apache Tomcat
CVE-2018-8037  possibly
affecting version 8.0.X (particularly 8.0.53). The CVE was made public on
22-July-2018, after being privately disclosed on 16-Jun-2018. The EOL date
of Tomcat 8.0.X was 30-Jun-2018.

Reaching out to you to get confirmation on whether the CVE is confirmed to
not affect the version 8.0.X or if the CVE was not tested against such
version at all as its EOL date preceded the public disclosure.

Your help on this matter would be greatly appreciated.

Thanks,
Martin