The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.47.
Please note that Tomcat 8.x users should normally be using 8.5.x
releases in preference to 8.0.x releases. The Apache Tomcat team
announced that support for Apache Tomcat 8.0.x will end on
30 June 2018.
Apache
Mark,
Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they
are not supported, but are they exploitable by this vulnerability?
Thx
Mike
On 3 October 2017 at 11:55, Mark Thomas wrote:
> CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, October 03, 2017 4:10 PM
To: Tomcat Users List
Subject: Re: Mapping role names to groups
On 03/10/17 14:01, Sebastian Trost wrote:
>> Hi!
>>
>> I was looking for a way to map security
On 04/10/17 08:27, Michael Smith wrote:
> Mark,
>
> Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they
> are not supported, but are they exploitable by this vulnerability?
I don't know. I haven't tested them and I don't plan to test them.
My expectation is that 6.x and
On 04.10.2017 10:20, Sebastian Trost wrote:
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, October 03, 2017 4:10 PM
To: Tomcat Users List
Subject: Re: Mapping role names to groups
On 03/10/17 14:01, Sebastian Trost wrote:
Hi!
I
On 04.10.2017 07:40, Peter Kreuser wrote:
Peter Kreuser
On 04.10.2017 at 02:44, Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Laurant,
On 10/3/17 5:17 PM, Laurent Perez wrote:
I'm using apache+mod_proxy+mod_rewrite as a tomcat
On 04/10/17 09:20, Sebastian Trost wrote:
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, October 03, 2017 4:10 PM
> To: Tomcat Users List
> Subject: Re: Mapping role names to groups
>
> On 03/10/17 14:01, Sebastian Trost
Jetty also makes it very easy to scan jar for @WebServlet, @WebFilter,
@WebListener via AnnotationConfiguration.
http://www.eclipse.org/jetty/documentation/9.4.x/configuring-webapps.html
On Wed, Oct 4, 2017 at 12:53 AM, Brian Toal wrote:
> The chain [1] left off with:
>
On 4 October 2017 06:40:24 BST, Peter Kreuser wrote:
>
>Peter Kreuser
>
>> On 04.10.2017 at 02:44, Christopher Schultz wrote
>:
>>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> Laurant,
>>
>>> On 10/3/17 5:17 PM, Laurent Perez
On 04.10.2017 02:44, Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Laurant,
On 10/3/17 5:17 PM, Laurent Perez wrote:
I'm using apache+mod_proxy+mod_rewrite as a tomcat frontend. A
"foo" war is deployed at /foo context path under tomcat. The /foo
path is not
The chain [1] left off with:
"The relevant language is in section 8.2.1
If a framework wants its META-INF/web-fragment.xml honored in such a way
that it augments a web application's web.xml, the framework must be bundled
within the web application's WEB-INF/lib directory
Therefore, Tomcat 8.0
On 04/10/17 08:53, Brian Toal wrote:
> The chain [1] left off with:
> "The relevant language is in section 8.2.1
>
>
> If a framework wants its META-INF/web-fragment.xml honored in such a way
> that it augments a web application's web.xml, the framework must be bundled
> within the web
Hello,
2017-10-04 4:52 GMT+03:00 Caldarale, Charles R :
>
> > From: Baron Fujimoto [mailto:ba...@hawaii.edu]
> > Subject: Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload
>
> > I haven't seen an announcement for 8.0.47, nor does the
Thanks Mark and Christopher
On Wed, Oct 4, 2017 at 6:12 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Murthy,
>
> On 10/3/17 7:38 AM, s v n trimurthulu wrote:
> > At present we are using 7.0.x in our production environment.
Hello all..
I am going to do my best to describe my problem. Hopefully someone will
have some sort of insight.
Tomcat 7.0.41 (working on updating that)
Java 1.6 (Working on getting this updated to the latest minor release)
RHEL Linux
I inherited an opti-tenant setup. Individual user accounts
-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, October 04, 2017 11:14 AM
To: users@tomcat.apache.org
Subject: Re: Mapping role names to groups
> On 04.10.2017 10:20, Sebastian Trost wrote:
>> -Original Message-
>> From: Mark Thomas
I've read the migration manuals and have tried to make the changes to
my configuration to work correctly in tomcat v8.5, but it's not. I'm
not an expert on XML files and JDK so please help me. I'm sure this is crazy
simple for you experts.
The server.xml conf file is OK between the two
Hi,
I was hoping to get some help/suggestion since I have nearly exhausted all
options (at least, I have tried quite a few items).
I have an instrumentation agent which I want to load after the VM starts
tomcat. I have no problem loading the agent itself.
What I am having issues with is the
On 04/10/17 13:51, TurboChargedDad . wrote:
> Hello all..
> I am going to do my best to describe my problem. Hopefully someone will
> have some sort of insight.
>
> Tomcat 7.0.41 (working on updating that)
> Java 1.6 (Working on getting this updated to the latest minor release)
> RHEL Linux
>
On 4 October 2017 15:17:25 BST, Mark Thomas wrote:
>On 04/10/17 13:51, TurboChargedDad . wrote:
>> Hello all..
>> I am going to do my best to describe my problem. Hopefully someone will
>> have some sort of insight.
>>
>> Tomcat 7.0.41 (working on updating that)
>> Java 1.6
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.82.
Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Expression Language and Java
WebSocket technologies.
This release contains a number of bug fixes and
2017-09-28 19:56 GMT+03:00 Konstantin Kolinko :
> 2017-09-26 11:57 GMT+03:00 Oliver Heister :
>> 2. Currently MITM attacks by evil ISPs or WiFi networks are possible
>> against people downloading tomcat from
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
James,
On 10/4/17 12:54 PM, James H. H. Lampert wrote:
> I wrote:
>>> I mean, I know that I need to get HTTPAPI and Tomcat speaking
>>> the same language, but where do I begin?
> Here's what I got back when I ran the SSLLabs server test on the
>
2017-10-04 17:53 GMT+03:00 Aquatic Safaris Diver :
>
> I've read the migration manuals and have tried to make the changes to
> my configuration to work correctly in tomcat v8.5, but it's not. I'm
> not an expert on XML files and JDK so please help me. I'm sure this is
... are now (mostly) available:
http://tomcat.apache.org/presentations.html
I thought Jean-Frederic sent me his slides but I can't find the e-mail.
I'm sure one of us will update that page shortly.
Enjoy!
Mark
I wrote:
I mean, I know that I need to get HTTPAPI and Tomcat speaking the
same language, but where do I begin?
Here's what I got back when I ran the SSLLabs server test on the cloud
server:
Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
Thanks for the suggestions. Pulling the various suggestions so far we have:
- Frankfurt, Germany
- Paris, France
- Washington DC, USA
- Manchester, UK
With some of those locations coming with a venue provided and/or
potential for sponsorship.
My current thinking (and this is just my personal
My initial reads about BIO vs NIO seems to involve terminating SSL at the
tomcat instance. Which we do not do. Am I running off into the weeds with
that?
Thanks,
TCD
On Wed, Oct 4, 2017 at 9:17 AM, Mark Thomas wrote:
> On 04/10/17 13:51, TurboChargedDad . wrote:
> >
Christopher Schultz (Tomcat list guru) wrote:
Looks like your server only has ECDHE-based suites available, and the
client supports none of those. Can you post your
configuration from conf/server.xml?
Yes, and I can also post something else.
I found the Java source for your own "SSLInfo"
On 10/4/17, 12:26 PM, Christopher Schultz wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
James,
. . .
Okay so you are in no way interfering with the defaults. That means
you'll get (depending upon your exact versions of various things) a
Tomcat which supports TLSv1 or later, and most
Perhaps I am not wording my question correctly.
Today we have...
[Proxy 1] | [Proxy 2] ---> [Apache ---> tomcat1]
(HTTPS) (HTTPS) (HTTPS) --> (AJP) -->
So we send the information from the proxies over https to the instance
running the tomcat server.
The SSL is terminated by
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
James,
On 10/4/17 3:15 PM, James H. H. Lampert wrote:
> Christopher Schultz (Tomcat list guru) wrote:
/me bows
>> Looks like your server only has ECDHE-based suites available, and
>> the client supports none of those. Can you post your
>>
Thanks for the replies. The jsessionid/cookie tracking mode is not really
part of the problem, sorry about that.
Obviously I'm thinking about renaming the war but the rewriting is really
used, for example seo friendly urls like /bar/steps/1 internally rewrite to
On 04/10/17 19:26, TurboChargedDad . wrote:
> My initial reads about BIO vs NIO seems to involve terminating SSL at the
> tomcat instance. Which we do not do. Am I running off into the weeds with
> that?
Yes. The NIO AJP connector is a drop in replacement for the BIO AJP
connector.
Hi
On 04.10.2017 at 19:27, Mark Thomas wrote:
> ... are now (mostly) available:
>
> http://tomcat.apache.org/presentations.html
>
> I thought Jean-Frederic sent me his slides but I can't find the e-mail.
> I'm sure one of us will update that page shortly.
Reverse Proxies, Load-Balancing &
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
James,
On 10/4/17 3:44 PM, James H. H. Lampert wrote:
> On 10/4/17, 12:26 PM, Christopher Schultz wrote:
>> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256
>>
>> James,
> . . .
>> Okay so you are in no way interfering with the defaults. That
>>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
James,
On 10/4/17 12:54 PM, James H. H. Lampert wrote:
> On the HTTPAPI/FTPAPI list, I was told that HTTPAPI uses the
> operating system's SSL support (which was how I thought it worked),
> and directed to look through the system values to see what
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
TCD,
On 10/4/17 3:45 PM, TurboChargedDad . wrote:
> Perhaps I am not wording my question correctly.
Can you confirm that the connection-pool exhaustion appears to be
happening on the AJP client (httpd/mod_proxy_ajp) and NOT on the
server
On 4 October 2017 21:28:24 BST, Stefan Mayr wrote:
>Hi
>
>On 04.10.2017 at 19:27, Mark Thomas wrote:
>> ... are now (mostly) available:
>>
>> http://tomcat.apache.org/presentations.html
>>
>> I thought Jean-Frederic sent me his slides but I can't find the e-mail.
>> I'm
39 matches