Re: Most recent security-related update to 8.5? And setting up access to Manager?
On Mon, Jun 21, 2021 at 12:42:56PM -0400, Christopher Schultz wrote:
> On 6/19/21 11:31, James H. H. Lampert wrote:
[snip]
> > Also, while I'm here, can somebody point me to an example of how to code
> > the Manager's RemoteAddrValve setting to allow access from, say, two or
> > three arbitrary IP addresses?
>
> Take a look at the example configuration that ships with the Manager. It
> already includes 2 specific IPs and one range. It's a regular
> expression. If you aren't too good with those, find someone who is or
> give a specific example and someone here can probably help.

If you aren't too good at REs, or you just think that a long chain of ORed subexpressions, each of which contains far too many escaped dots, is too horrible to contemplate, you may also want to take a look at RemoteCIDRValve instead.

https://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#Remote_CIDR_Valve

I got so tired of those eye-watering IP address REs that I wrote my own CIDR-based Valve some years ago, but I'm happy to discover that I can now throw it away and use one that ships with Tomcat.

-- 
Mark H. Wood
Lead Technology Analyst
University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu
Re: Most recent security-related update to 8.5? And setting up access to Manager?
On 6/21/21 9:42 AM, Christopher Schultz wrote:
> I think it depends upon your environment, honestly. There were many
> organizations where the "AJP endpoint is trusting, because that's what
> it's for" announcement was a real surprise and represented a must-fix
> issue immediately. That was not the case for my $work, where we were
> already protecting our AJP connections and not allowing just anyone to
> connect.
>
> If you are using h2c, you'll definitely want to be on 8.5.63 or later, as
> there is a critical fix there.

We don't, so far as I'm aware, use AJP or h2c. The only enabled connectors are HTTPS (still coded as a Tomcat 7.0 connector and using a Java Keystore) and Shutdown.

-- 
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Most recent security-related update to 8.5? And setting up access to Manager?
James,

On 6/19/21 11:31, James H. H. Lampert wrote:
> We are finally migrating customer installations from 7 to 8.5.
>
> Would anybody happen to know, off the top of his or her head, what the
> most recent security-related update to 8.5 is?
>
> I know that 68 is the most recent release, but what's the most recent
> one that addresses a significant security issue?

I think it depends upon your environment, honestly. There were many organizations where the "AJP endpoint is trusting, because that's what it's for" announcement was a real surprise and represented a must-fix issue immediately. That was not the case for my $work, where we were already protecting our AJP connections and not allowing just anyone to connect.

If you are using h2c, you'll definitely want to be on 8.5.63 or later, as there is a critical fix there.

> Also, while I'm here, can somebody point me to an example of how to code
> the Manager's RemoteAddrValve setting to allow access from, say, two or
> three arbitrary IP addresses?

Take a look at the example configuration that ships with the Manager. It already includes 2 specific IPs and one range. It's a regular expression. If you aren't too good with those, find someone who is or give a specific example and someone here can probably help.

-chris
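The two approaches discussed in this thread (a RemoteAddrValve regular expression with escaped dots, as Chris describes, and the RemoteCIDRValve alternative Mark points to) side by side, as an added example that is not part of any post here and not Tomcat's own code. It assumes placeholder addresses from the documentation ranges 192.0.2.0/24 and 198.51.100.0/24 in place of the real Manager allow list, mirrors the valves' decision in Python (RemoteAddrValve matches the pattern against the whole remote address with Java's Matcher.matches(); RemoteCIDRValve checks network membership), and prints the `<Valve>` elements you would paste into the Manager's META-INF/context.xml:

```python
import ipaddress
import re

# Constructed sample allow list (documentation ranges, not a real deployment):
# two adjacent hosts plus one more elsewhere.
ALLOWED_IPS = ["192.0.2.10", "192.0.2.11", "198.51.100.7"]

# The same set expressed for RemoteCIDRValve: 192.0.2.10/31 covers exactly
# .10 and .11, and /32 is a single host.
ALLOWED_CIDRS = ["192.0.2.10/31", "198.51.100.7/32"]


def build_allow_regex(ips):
    """Value for RemoteAddrValve's allow attribute.

    Every dot is escaped so it only matches a literal dot, and the hosts are
    OR-ed with '|'. Tomcat applies the pattern to the entire remote address
    (Matcher.matches()), so ^ and $ anchors are not needed.
    """
    return "|".join(re.escape(ip) for ip in ips)


def regex_allows(pattern, remote_addr):
    """Mirror RemoteAddrValve: allowed only if the whole address matches."""
    return re.fullmatch(pattern, remote_addr) is not None


def cidr_allows(cidrs, remote_addr):
    """Mirror RemoteCIDRValve's allow check: any listed network contains the address."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def remote_addr_valve_xml(ips):
    """The regex-based <Valve> element for META-INF/context.xml."""
    return ('<Valve className="org.apache.catalina.valves.RemoteAddrValve"\n'
            f'       allow="{build_allow_regex(ips)}" />')


def remote_cidr_valve_xml(cidrs):
    """The CIDR-based <Valve> element; allow takes a comma-separated list of networks."""
    return ('<Valve className="org.apache.catalina.valves.RemoteCIDRValve"\n'
            f'       allow="{",".join(cidrs)}" />')


def decisions(remote_addrs):
    """Return {address: (regex_allowed, cidr_allowed)} so the two valves can be compared."""
    pattern = build_allow_regex(ALLOWED_IPS)
    return {a: (regex_allows(pattern, a), cidr_allows(ALLOWED_CIDRS, a))
            for a in remote_addrs}


if __name__ == "__main__":
    # Constructed remote addresses: three that should pass, two that must not
    # (a longer address that merely starts with an allowed one, and loopback).
    samples = ["192.0.2.10", "192.0.2.11", "198.51.100.7",
               "192.0.2.100", "127.0.0.1"]
    for addr, (by_regex, by_cidr) in decisions(samples).items():
        print(f"{addr:>14}  RemoteAddrValve={by_regex}  RemoteCIDRValve={by_cidr}")
    print()
    print(remote_addr_valve_xml(ALLOWED_IPS))
    print()
    print(remote_cidr_valve_xml(ALLOWED_CIDRS))
```

Two things worth checking before deploying either element: the Manager's shipped context.xml allows the loopback addresses, so an allow list like the one above locks out localhost unless you add 127\.\d+\.\d+\.\d+|::1 (or 127.0.0.0/8 and ::1/128 for the CIDR valve); and if Tomcat sits behind a reverse proxy, the remote address both valves see is the proxy's, so a RemoteIpValve configured for that proxy has to run first for the allow list to mean anything.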
Re: Most recent security-related update to 8.5? And setting up access to Manager?
On Sat, Jun 19, 2021, 10:31 James H. H. Lampert wrote:
> We are finally migrating customer installations from 7 to 8.5.
>
> Would anybody happen to know, off the top of his or her head, what the
> most recent security-related update to 8.5 is?
>
> I know that 68 is the most recent release, but what's the most recent
> one that addresses a significant security issue?

https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.68_(schultz)

> Also, while I'm here, can somebody point me to an example of how to code
> the Manager's RemoteAddrValve setting

Always best to create a (separate) dedicated thread for an unrelated topic.
Most recent security-related update to 8.5? And setting up access to Manager?
We are finally migrating customer installations from 7 to 8.5.

Would anybody happen to know, off the top of his or her head, what the most recent security-related update to 8.5 is?

I know that 68 is the most recent release, but what's the most recent one that addresses a significant security issue?

Also, while I'm here, can somebody point me to an example of how to code the Manager's RemoteAddrValve setting to allow access from, say, two or three arbitrary IP addresses?

(And yes, this is also an excuse to double-check that my List traffic is getting through with DMARC enforcement turned on.)

-- 
JHHL