[ANN] Apache Tomcat 8.0.47 released

2017-10-04 Thread Violeta Georgieva
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.0.47. Please note that Tomcat 8.x users should normally be using 8.5.x releases in preference to 8.0.x releases. The Apache Tomcat team announced that support for Apache Tomcat 8.0.x will end on 30 June 2018. Apache

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-04 Thread Michael Smith
Mark, Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they are not supported, but are they exploitable by this vulnerability? Thx Mike On 3 October 2017 at 11:55, Mark Thomas wrote: > CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload >

RE: Mapping role names to groups

2017-10-04 Thread Sebastian Trost
-Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Tuesday, October 03, 2017 4:10 PM To: Tomcat Users List Subject: Re: Mapping role names to groups On 03/10/17 14:01, Sebastian Trost wrote: >> Hi! >> >> I was looking for a way to map security

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-04 Thread Mark Thomas
On 04/10/17 08:27, Michael Smith wrote: > Mark, > > Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they > are not supported, but are they exploitable by this vulnerability? I don't know. I haven't tested them and I don't plan to test them. My expectation is that 6.x and

Re: Mapping role names to groups

2017-10-04 Thread tomcat
On 04.10.2017 10:20, Sebastian Trost wrote: -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Tuesday, October 03, 2017 4:10 PM To: Tomcat Users List Subject: Re: Mapping role names to groups On 03/10/17 14:01, Sebastian Trost wrote: Hi! I

Re: encodeURL, jsessionid and mod_rewrite ?

2017-10-04 Thread tomcat
On 04.10.2017 07:40, Peter Kreuser wrote: Peter Kreuser Am 04.10.2017 um 02:44 schrieb Christopher Schultz : -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Laurant, On 10/3/17 5:17 PM, Laurent Perez wrote: I'm using apache+mod_proxy+mod_rewrite as a tomcat

Re: Mapping role names to groups

2017-10-04 Thread Mark Thomas
On 04/10/17 09:20, Sebastian Trost wrote: > -Original Message- > From: Mark Thomas [mailto:ma...@apache.org] > Sent: Tuesday, October 03, 2017 4:10 PM > To: Tomcat Users List > Subject: Re: Mapping role names to groups > > On 03/10/17 14:01, Sebastian Trost

Re: Embedded tomcat does not find web-fragment in jars outside web-inf\lib continued...

2017-10-04 Thread Brian Toal
Jetty also makes it very easy to scan jar for @WebServlet, @WebFilter, @WebListener via AnnotationConfiguration. http://www.eclipse.org/jetty/documentation/9.4.x/configuring-webapps.html On Wed, Oct 4, 2017 at 12:53 AM, Brian Toal wrote: > The chain [1] left of with: >

Re: encodeURL, jsessionid and mod_rewrite ?

2017-10-04 Thread Mark Thomas
On 4 October 2017 06:40:24 BST, Peter Kreuser wrote: > >Peter Kreuser > >> Am 04.10.2017 um 02:44 schrieb Christopher Schultz >: >> >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA256 >> >> Laurant, >> >>> On 10/3/17 5:17 PM, Laurent Perez

Re: encodeURL, jsessionid and mod_rewrite ?

2017-10-04 Thread tomcat
On 04.10.2017 02:44, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 Laurant, On 10/3/17 5:17 PM, Laurent Perez wrote: I'm using apache+mod_proxy+mod_rewrite as a tomcat frontend. A "foo" war is deployed at /foo context path under tomcat. The /foo path is not

Embedded tomcat does not find web-fragment in jars outside web-inf\lib continued...

2017-10-04 Thread Brian Toal
The chain [1] left off with: "The relevant language is in section 8.2.1 If a framework wants its META-INF/web-fragment.xml honored in such a way that it augments a web application's web.xml, the framework must be bundled within the web application's WEB-INF/lib directory Therefore, Tomcat 8.0

Re: Embedded tomcat does not find web-fragment in jars outside web-inf\lib continued...

2017-10-04 Thread Mark Thomas
On 04/10/17 08:53, Brian Toal wrote: > The chain [1] left off with: > "The relevant language is in section 8.2.1 > > > If a framework wants its META-INF/web-fragment.xml honored in such a way > that it augments a web application's web.xml, the framework must be bundled > within the web

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload

2017-10-04 Thread Violeta Georgieva
Hello, 2017-10-04 4:52 GMT+03:00 Caldarale, Charles R : > > > From: Baron Fujimoto [mailto:ba...@hawaii.edu] > > Subject: Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution > via JSP upload > > > I haven't seen an announcement for 8.0.47, nor does the

Re: Can i use tomcat 9.0.x version in production

2017-10-04 Thread s v n trimurthulu
Thanks Mark and Christopher On Wed, Oct 4, 2017 at 6:12 AM, Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Murthy, > > On 10/3/17 7:38 AM, s v n trimurthulu wrote: > > At present we are using 7.0.x in our production environment.

AJP connection pool issue bug?

2017-10-04 Thread TurboChargedDad .
Hello all.. I am going to do my best to describe my problem. Hopefully someone will have some sort of insight. Tomcat 7.0.41 (working on updating that) Java 1.6 (Working on getting this updated to the latest minor release) RHEL Linux I inherited an opti-tenant setup. Individual user accounts

RE: Mapping role names to groups

2017-10-04 Thread Sebastian Trost
-Original Message- From: André Warnier (tomcat) [mailto:a...@ice-sa.com] Sent: Wednesday, October 04, 2017 11:14 AM To: users@tomcat.apache.org Subject: Re: Mapping role names to groups > On 04.10.2017 10:20, Sebastian Trost wrote: >> -Original Message- >> From: Mark Thomas

migration from tomcat 7.0 to 8.5

2017-10-04 Thread Aquatic Safaris Diver
I've read the migration manuals and have tried to make the changes to my configuration to work correctly in tomcat v8.5, but it's not. I'm not an expert on XML files and JDK so please help me. I'm sure this is crazy simple for you experts. The server.xml conf file is OK between the two

Force ParallelWebappClassLoader to load instrumentation agent after VM starts

2017-10-04 Thread M. Manna
Hi, I was hoping to get some help/suggestion since I have nearly exhausted all options (at least, I have tried quite a few items). I have an instrumentation agent which i want to load after the VM starts tomcat. I have no problem loading the agent itself. What I am having issues with is the

Re: AJP connection pool issue bug?

2017-10-04 Thread Mark Thomas
On 04/10/17 13:51, TurboChargedDad . wrote: > Hello all.. > I am going to do my best to describe my problem. Hopefully someone will > have some sort of insight. > > Tomcat 7.0.41 (working on updating that) > Java 1.6 (Working on getting this updated to the latest minor release) > RHEL Linux >

Re: AJP connection pool issue bug?

2017-10-04 Thread Mark Thomas
On 4 October 2017 15:17:25 BST, Mark Thomas wrote: >On 04/10/17 13:51, TurboChargedDad . wrote: >> Hello all.. >> I am going to do my best to describe my problem. Hopefully someone >will >> have some sort of insight. >> >> Tomcat 7.0.41 (working on updating that) >> Java 1.6

[ANN] Apache Tomcat 7.0.82 released

2017-10-04 Thread Violeta Georgieva
The Apache Tomcat team announces the immediate availability of Apache Tomcat 7.0.82. Apache Tomcat is an open source software implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies. This release contains a number of bug fixes and

Re: Java 9 support + HSTS for tomcat.apache.org

2017-10-04 Thread Konstantin Kolinko
2017-09-28 19:56 GMT+03:00 Konstantin Kolinko : > 2017-09-26 11:57 GMT+03:00 Oliver Heister : >> 2. Currently MITM attacks by evil ISPs or WiFi networks are possible >> against people downloading tomcat from >>

Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, On 10/4/17 12:54 PM, James H. H. Lampert wrote: > I wrote: >>> I mean, I know that I need to get HTTPAPI and Tomcat speaking >>> the same language, but where do I begin? > Here's what I got back when I ran the SSLLabs server test on the >

Re: migration from tomcat 7.0 to 8.5

2017-10-04 Thread Konstantin Kolinko
2017-10-04 17:53 GMT+03:00 Aquatic Safaris Diver : > > I've read the migration manuals and have tried to make the changes to > my configuration to work correctly in tomcat v8.5, but it's not. I'm > not an expert on XML files and JDK so please help me. I'm sure this is

TomcatCon London slides and recordings

2017-10-04 Thread Mark Thomas
... are now (mostly) available: http://tomcat.apache.org/presentations.html I thought Jean-Frederic sent me his slides but I can't find the e-mail. I'm sure one of us will update that page shortly. Enjoy! Mark

Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-04 Thread James H. H. Lampert
I wrote: I mean, I know that I need to get HTTPAPI and Tomcat speaking the same language, but where do I begin? Here's what I got back when I ran the SSLLabs server test on the cloud server: Protocols TLS 1.3 No TLS 1.2 Yes TLS 1.1 Yes TLS 1.0 Yes SSL 3 No

Re: TomcatCon Where (and when) next?

2017-10-04 Thread Mark Thomas
Thanks for the suggestions. Pulling the various suggestions so far we have: - Frankfurt, Germany - Paris, France - Washington DC, USA - Manchester, UK With some of those locations coming with a venue provided and/or potential for sponsorship. My current thinking (and this is just my personal

Re: AJP connection pool issue bug?

2017-10-04 Thread TurboChargedDad .
My initial reads about BIO vs NIO seems to involve terminating SSL at the tomcat instance. Which we do not do. Am I running off into the weeds with that? Thanks, TCD On Wed, Oct 4, 2017 at 9:17 AM, Mark Thomas wrote: > On 04/10/17 13:51, TurboChargedDad . wrote: > >

Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-04 Thread James H. H. Lampert
Christopher Schultz (Tomcat list guru) wrote: Looks like your server only has ECDHE-based suites available, and the client supports none of those. Can you post your configuration from conf/server.xml? Yes, and I can also post something else. I found the Java source for your own "SSLInfo"

Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-04 Thread James H. H. Lampert
On 10/4/17, 12:26 PM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, . . . Okay so you are in no way interfering with the defaults. That means you'll get (depending upon your exact versions of various things) a Tomcat which supports TLSv1 or later, and most

Re: AJP connection pool issue bug?

2017-10-04 Thread TurboChargedDad .
Perhaps I am not wording my question correctly. Today we have... [Proxy 1] | [Proxy 2] ---> [Apache ---> tomcat1] (HTTPS) (HTTPS) (HTTPS) --> (AJP) --> So we send the information from the proxies over https to the instance running the tomcat server. The SSL is terminated by

Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, On 10/4/17 3:15 PM, James H. H. Lampert wrote: > Christopher Schultz (Tomcat list guru) wrote: /me bows >> Looks like your server only has ECDHE-based suites available, and >> the client supports none of those. Can you post your >>

Re: encodeURL, jsessionid and mod_rewrite ?

2017-10-04 Thread Laurent Perez
Thanks for the replies. The jsessionid/cookie tracking mode is not really part of the problem, sorry about that. Obviously I'm thinking about renaming the war but the rewriting is really used, for example seo friendly urls like /bar/steps/1 internally rewrite to

Re: AJP connection pool issue bug?

2017-10-04 Thread Mark Thomas
On 04/10/17 19:26, TurboChargedDad . wrote: > My initial reads about BIO vs NIO seems to involve terminating SSL at the > tomcat instance. Which we do not do. Am I running off into the weeds with > that? Yes. The NIO AJP connector is a drop in replacement for the BIO AJP connector.

Re: TomcatCon London slides and recordings

2017-10-04 Thread Stefan Mayr
Hi Am 04.10.2017 um 19:27 schrieb Mark Thomas: > ... are now (mostly) available: > > http://tomcat.apache.org/presentations.html > > I thought Jean-Frederic sent me his slides but I can't find the e-mail. > I'm sure one of us will update that page shortly. Reverse Proxies, Load-Balancing &

Re: Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, On 10/4/17 3:44 PM, James H. H. Lampert wrote: > On 10/4/17, 12:26 PM, Christopher Schultz wrote: >> -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 >> >> James, > . . . >> Okay so you are in no way interfering with the defaults. That >>

Re: [OT] Problem: (GSKit) No compatible cipher suite available between SSL end points.

2017-10-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 James, On 10/4/17 12:54 PM, James H. H. Lampert wrote: > On the HTTPAPI/FTPAPI list, I was told that HTTPAPI uses the > operating system's SSL support (which was how I thought it worked), > and directed to look through the system values to see what

Re: AJP connection pool issue bug?

2017-10-04 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA256 TCD, On 10/4/17 3:45 PM, TurboChargedDad . wrote: > Perhaps I am not wording my question correctly. Can you confirm that the connection-pool exhaustion appears to be happening on the AJP client (httpd/mod_proxy_ajp) and NOT on the server

Re: TomcatCon London slides and recordings

2017-10-04 Thread Mark Thomas
On 4 October 2017 21:28:24 BST, Stefan Mayr wrote: >Hi > >Am 04.10.2017 um 19:27 schrieb Mark Thomas: >> ... are now (mostly) available: >> >> http://tomcat.apache.org/presentations.html >> >> I thought Jean-Frederic sent me his slides but I can't find the >e-mail. >> I'm