Thanks very much for your speedy and helpful reply, Mark.
Stupidly, I had forgotten to re-subscribe to the mailing list, so I
found your reply in the archive and cannot reply to it in-line!
not really!
I stumbled across
https://logging.apache.org/log4j/2.x/log4j-appserver/index.html.
This
Thank you Martin.
1, 2 and 3 (All) are working.
Ramesh
On Tue, Mar 17, 2020 at 6:01 PM Martin Grigorov
wrote:
> Hi,
>
> On Tue, Mar 17, 2020 at 6:34 PM RK Ashburn
> wrote:
>
> > Hi Tomcat 7 team,
> > We have been using tomcat 7.0.99 and now we upgraded to 7.0.100 and our
> web
> > applicatio
On 3/17/20 3:50 PM, Mark Thomas wrote:
The XSS might be valid. I assume the tool provided a sample URL you
could use to validate the finding. That should point you in the right
direction but feel free to ask here if more help is required.
Near as I can tell, it did but it didn't provide a sample
Tomcat does not allow DELETE by default? I’m using 8.0.x with Jersey and I
don’t think I used any config to enable it.
On Tue, 17 Mar 2020 at 23.50, Mark Thomas wrote:
> On March 17, 2020 10:31:06 PM UTC, "James H. H. Lampert" <
> jam...@touchtonecorp.com> wrote:
> >
> >On 3/17/20 3:18 PM, Marty
Thanks guys for your hard work. With this version, I can use h2, compress
and rewrite all together.
On Tue, Mar 17, 2020 at 10:05 AM Mark Thomas wrote:
> The Apache Tomcat team announces the immediate availability of Apache
> Tomcat 9.0.33.
>
> Apache Tomcat 9 is an open source software implement
On March 17, 2020 10:31:06 PM UTC, "James H. H. Lampert"
wrote:
>
>On 3/17/20 3:18 PM, Martynas Jusevičius wrote:
>> why should DELETE or OPTIONS not be enabled? They are standard HTTP
>methods.
>
>True, but (quoting the audit report)
>> . . . [DELETE] may allow a remote attacker to delete arbitr
On 3/17/20 3:34 PM, Martin Grigorov wrote:
Reading the quoted text I'd suggest you throw this tool in the bin.
I hope you didn't pay for it.
Are you suggesting that we throw a paying customer "in the bin?"
It is not OUR audit; it is the CUSTOMER's audit (the report
self-identifies as being
On Wed, Mar 18, 2020 at 12:31 AM James H. H. Lampert <
jam...@touchtonecorp.com> wrote:
>
> On 3/17/20 3:18 PM, Martynas Jusevičius wrote:
> > why should DELETE or OPTIONS not be enabled? They are standard HTTP
> methods.
>
> True, but (quoting the audit report)
> > . . . [DELETE] may allow a remo
On 3/17/20 3:18 PM, Martynas Jusevičius wrote:
why should DELETE or OPTIONS not be enabled? They are standard HTTP methods.
True, but (quoting the audit report)
. . . [DELETE] may allow a remote attacker to delete arbitrary files . . . .
and (again quoting the report)
Web servers that resp
Hi,
why should DELETE or OPTIONS not be enabled? They are standard HTTP methods.
On Tue, Mar 17, 2020 at 11:05 PM James H. H. Lampert
wrote:
>
> Ladies and Gentlemen:
>
> One of our customers did a security audit on the Tomcat server we
> maintain on their system, and it found a few issues:
>
>
Ladies and Gentlemen:
One of our customers did a security audit on the Tomcat server we
maintain on their system, and it found a few issues:
First, it found a cross-site scripting vulnerability.
Second, it found the HTTP DELETE method enabled.
Third, it found a click-jacking vulnerability.
Hi,
On Tue, Mar 17, 2020 at 9:22 PM
wrote:
> We have a team having issues with Tomcat, AJP, and switching to IPv6. They
> are currently running version 9.0.31. Below are the errors being received:
>
> [Tue Mar 17 10:50:38 2020] [1412:139846332929792] [error]
> ajp_service::jk_ajp_common.c (2796)
Hi,
On Tue, Mar 17, 2020 at 6:34 PM RK Ashburn
wrote:
> Hi Tomcat 7 team,
> We have been using tomcat 7.0.99 and now we upgraded to 7.0.100 and our web
> applications stopped working.
>
> Here are changes that we noted from release notes and took action:
>
> 1. Updated AJP connector setting and
Ah, some problems are arising because, I suppose, the startup process wants to
create or touch something in ../logs and that's now all the way over in
/var/lib/tomcat8. How do I move on from here?
On 3/17/20, 4:40 PM, "Maxfield, Rebecca A" wrote:
I see it now in /usr/share/tomcat8/bin, t
I see it now in /usr/share/tomcat8/bin, thank you! Can I just run startup.sh
from there or is that not right?
On 3/17/20, 4:37 PM, "André Warnier (tomcat/perl)" wrote:
On 17.03.2020 21:18, Maxfield, Rebecca A wrote:
> Both are Linux. The new is Debian, the old ??
On a Debian L
On 17.03.2020 21:18, Maxfield, Rebecca A wrote:
Both are Linux. The new is Debian, the old ??
On a Debian Linux system, tomcat 8 installed via the standard Debian package manager
results in some files appearing in the following directories (and maybe others)
- /etc/tomcat8
- /usr/share/tomcat
Both are Linux. The new is Debian, the old ??
On 3/17/20, 4:03 PM, "André Warnier (tomcat/perl)" wrote:
On 17.03.2020 19:52, Maxfield, Rebecca A wrote:
> Hello,
>
> I manage a project that currently runs on Tomcat 7 but is migrating to a
new server where Tomcat 8 was installed
On 17.03.2020 19:52, Maxfield, Rebecca A wrote:
Hello,
I manage a project that currently runs on Tomcat 7 but is migrating to a new
server where Tomcat 8 was installed by the server admin. When I navigate to the
/var/lib/tomcat8 folder, I don’t see a ./bin folder or any startup.sh or
similar.
We have a team having issues with Tomcat, AJP, and switching to IPv6. They are
currently running version 9.0.31. Below are the errors being received:
[Tue Mar 17 10:50:38 2020] [1412:139846332929792] [error]
ajp_service::jk_ajp_common.c (2796): (Greenworker1) connecting to tomcat failed
(rc=-3,
Hello,
I manage a project that currently runs on Tomcat 7 but is migrating to a new
server where Tomcat 8 was installed by the server admin. When I navigate to the
/var/lib/tomcat8 folder, I don’t see a ./bin folder or any startup.sh or
similar. Is this something that has changed from Tomcat 7
On 17/03/2020 17:56, Amit Pande wrote:
> Using Tomcat 9.0.31.
>
> When using large JSON payload (little less than 2 MB) for POST
requests, randomly (all random failures seen are on Windows and not on
*ix), we are seeing:
>
> JSON parse error: Unexpected end-of-input in VALUE_STRING; nested
exceptio
Using Tomcat 9.0.31.
When using large JSON payload (little less than 2 MB) for POST requests,
randomly (all random failures seen are on Windows and not on *ix), we are
seeing:
JSON parse error: Unexpected end-of-input in VALUE_STRING; nested exception is
com.fasterxml.jackson.databind.JsonMapp
Hi Tomcat 7 team,
We have been using tomcat 7.0.99 and now we upgraded to 7.0.100 and our web
applications stopped working.
Here are changes that we noted from release notes and took action:
1. Updated AJP connector setting and added secretRequired="false"
However below are still issues, could
Great, I just saw that :-)
On 17/03/2020 11:24, Christopher Schultz wrote:
Manuel.
On 3/17/20 09:25, Manuel Dominguez Sarmiento wrote:
Hi Mark, when is 9.0.32 expected to be released? We've seen this
issue reported by several users, even if we h
Manuel.
On 3/17/20 09:25, Manuel Dominguez Sarmiento wrote:
> Hi Mark, when is 9.0.32 expected to be released? We've seen this
> issue reported by several users, even if we haven't run into this
> particular case directly (yet)
9.0.33 was announced
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.53.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and Java Authentication Service Provider Interface for
Containers t
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.33.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.33 is a bugfix and feat
> On 17.03.2020 at 12:21, Mark Thomas wrote:
>
> On 17/03/2020 09:29, Marek Neumann wrote:
>> Hi Mark,
>>
>> I tested with 8.5.53 and the problem still persists. Any idea what we can do?
>
> Provide us with the simplest possible set of steps to recreate this so
> we can figure out what the r
Hi Mark, when is 9.0.32 expected to be released? We've seen this issue
reported by several users, even if we haven't run into this particular
case directly (yet)
On 17/03/2020 09:51, Mark Thomas wrote:
https://bz.apache.org/bugzilla/show_bug.cgi?id=64202
Mark
On 17/03/2020 11:46, Srijith Koc
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.0.0-M3.
Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specificat
https://bz.apache.org/bugzilla/show_bug.cgi?id=64202
Mark
On 17/03/2020 11:46, Srijith Kochunni wrote:
> Hi All,
>
>
>
> This is to seek help on a strange issue that we are observing. We
> recently did a minor upgrade of Tomcat from 9.0.30 to 9.0.31, in our
> application, in order
Hi All,
This is to seek help on a strange issue that we are observing. We
recently did a minor upgrade of Tomcat from 9.0.30 to 9.0.31, in our
application, in order to address vulnerability in AJP connector. Ever since
then we have started seeing upload failures with our upload serv
On 17/03/2020 06:05, Brian Burch wrote:
> I have a very frozen and stable tomcat 7.0.68 system with a lot of apps.
> It was built from source and uses the extras tomcat-juli.jar with
> log4j-1.2.17.jar.
>
> Both tomcat and my webapps log successfully via log4j (except, of
> course, the access log
On 17/03/2020 09:29, Marek Neumann wrote:
> Hi Mark,
>
> I tested with 8.5.53 and the problem still persists. Any idea what we can do?
Provide us with the simplest possible set of steps to recreate this so
we can figure out what the root cause is. At a guess, you aren't using
the EL API provided
Hi Mark,
I tested with 8.5.53 and the problem still persists. Any idea what we can do?
Thanks,
Marek
> On 28.02.2020 at 12:36, Mark Thomas wrote:
>
> On 28/02/2020 10:57, Marek Neumann wrote:
>> After going to the latest 8.5 release we have problems with jasper compiling
>> jsps:
>>
>> [WA