Are Apache versions cumulative ?

2022-06-22 Thread Jason Tan
Hi there, Sorry to trouble you folks but I could not find on Google any proof/info that states Apache Tomcat fixes are cumulative. I have a customer asking me if fixes listed in https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.109 are cumulative? E.g. Cumulative as meaning fixes

Re: CVE-2022-29885

2022-06-22 Thread Stephane Passignat
Thank you, Mark. On 2022-06-22 at 11:52, Mark Thomas wrote: On 22/06/2022 10:18, Stephane Passignat wrote: Hello, I'm trying to understand this CVE and EncryptInterceptor. So far my understanding is EncryptInterceptor is used in clustered environment. Am I right? Reading the content of

Re: Are Apache versions cumulative ?

2022-06-22 Thread Mark Thomas
On 22/06/2022 09:20, Jason Tan wrote: Hi there, Sorry to trouble you folks but I could not find on Google any proof/info that states Apache Tomcat fixes are cumulative. I have a customer asking me if fixes listed in https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.109

CVE-2022-29885

2022-06-22 Thread Stephane Passignat
Hello, I'm trying to understand this CVE and EncryptInterceptor. So far my understanding is EncryptInterceptor is used in clustered environment. Am I right? Reading the content of the commit and release content, that only looks like a documentation issue. Are there really any DDOS

Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

2022-06-22 Thread bharath Kumar
Hi team, Any help on this? Further, this exe (*abc.exe*) downloads when I hit on the URL *http://server_name/abc.exe/* and is happening only in *Tomcat*, not with *IIS*. Tomcat: *http:///abc.exe* -- exe is not getting downloaded *http:///abc.exe/* -- exe

AW: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

2022-06-22 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello, if I place e.g. calc.exe in the root folder of a stock Tomcat, it doesn’t seem to work: curl http://localhost/calc.exe -vv --> exe is found curl http://localhost/calc.exe/ -vv --> I receive a 404 error It seems your application is somehow allowing the download or your configuration.

Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

2022-06-22 Thread Mark Thomas
On 22/06/2022 10:37, bharath Kumar wrote: Hi team, Any help on this? Further, this exe (*abc.exe*) downloads when I hit on the URL *http://server_name/abc.exe/* and is happening only in *Tomcat*, not with *IIS*. Tomcat: *http:///abc.exe* -- exe is not

RE: [External] Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading

2022-06-22 Thread Scott,Tim
Hi all, As a side note, can we all try not to have a URL with something like “abc.exe” in? Several firewall implementations will refuse to navigate there, even though we all know the intention is not to have it download. Trying to explain that to some people is more difficult than avoiding

Re: CVE-2022-29885

2022-06-22 Thread Mark Thomas
On 22/06/2022 10:18, Stephane Passignat wrote: Hello, I'm trying to understand this CVE and EncryptInterceptor. So far my understanding is EncryptInterceptor is used in clustered environment. Am I right? Reading the content of the commit and release content, that only looks like a

RE: How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread paul.leo
After a quick meeting with client this may be a moot point. On this page: https://tomcat.apache.org/tomcat-8.5-doc/windows-service-howto.html I saw command line references (and as I'm reviewing, it's becoming more clear that I'm not understanding use) for: -User User account used for

Re: How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread Mark Thomas
On 22/06/2022 17:02, paul@stgconsulting.com wrote: Hello all, I have been tasked with researching options for running Tomcat 8.5.x as a Windows service, but with a different user. I need to know what minimum rights for user would be, and also how to pass user & password. I think I see how to

How to configure Tomcat 8.5.x to run in with a different windows service user, and what are minimum permissions

2022-06-22 Thread paul.leo
Hello all, I have been tasked with researching options for running Tomcat 8.5.x as a Windows service, but with a different user. I need to know what minimum rights for user would be, and also how to pass user & password. I think I see how to pass user and password. I don't see how to encrypt

Precompile JSP error using webapp-jspc.ant.xml (tomcat stuffed)

2022-06-22 Thread Markus Reich
Hi, I'm trying to precompile a JSF application, I follow the instructions on https://tomcat.apache.org/tomcat-9.0-doc/graal.html. I got a lot of errors like Caused by: java.lang.ClassCastException: class com.sun.faces.taglib.jsf_core.CoreValidator cannot be cast to class