Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-15 Thread Harish Krishnan
examples in tomcat) of the webapp. If i know how to do this on the mentioned tomcat webapps, then i can apply the same for my webapps too. Looking for your response & help here. regards Harish Krishnan On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan <harish@gmail.com> wrot

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-11 Thread Harish Krishnan
rected to examples/. Not sure what i am missing here. Same behavior is seen on my web application too. Please let me know where i am doing wrong & help me on how to disable the redirect for the root of webapps. regards Harish Krishnan On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz < ch.

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-14 Thread Harish Krishnan
Any help on my previous question is really appreciated. Thank You! On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan <harish@gmail.com> wrote: > Thanks again for the reply, Chris & Violeta! > Thanks for clarifying what the "protected directory" is, even i gues

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-19 Thread Harish Krishnan
Thanks a lot for the clear explanation, Mark. I have all my questions answered, appreciate your help & you guys are Great! My apologies for the previous follow-up emails, I am still a novice in tomcat & failed in understanding the exact fix quicker. regards Harish Krishnan On Wed, Mar

Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-07 Thread Harish Krishnan
Am i missing anything here ? Please help me understand the exact fix for this issue. regards Harish Krishnan

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-07 Thread Harish Krishnan
404. I have set the context attribute (mapperContextRootRedirectEnabled) as well - My question simply boils down to, What additional setting i need to do for the above redirect to NOT happen. Thanks for your help. regards Harish Krishnan On Mon, Mar 7, 2016 at 12:42 PM, Mark Th

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

2016-03-08 Thread Harish Krishnan
re context attribute was set, will completely be disabled. You mentioned that only "protected directories" inside the deployed web application is covered in this CVE fix. Can you please help me understand what this protected directories are & how to configure this in tomcat ? regards Harish

Enforcing server preference for cipher suites

2017-10-09 Thread Harish Krishnan
to this attribute (true OR false OR undefined which is by default), I always see the Clients preference picked. As an example, if clients order is ABCDEF, and servers order is DEFABC, no matter what value I set to this useServerCipherSuitesOrder attribute, always the order selected is ABC... Regard Harish

Re: Enforcing server preference for cipher suites

2017-10-10 Thread Harish Krishnan
? Sent from my iPhone > On Oct 9, 2017, at 11:51 PM, Peter Kreuser <l...@kreuser.name> wrote: > > Harish, > > >> Am 10.10.2017 um 00:00 schrieb Harish Krishnan <harish@gmail.com>: >> >> Thanks for the response, Chris. >> >> Below

Re: Enforcing server preference for cipher suites

2017-10-13 Thread Harish Krishnan
for the great support. I have another query (different topic) coming shortly...:-) Sent from my iPhone > On Oct 12, 2017, at 7:59 PM, Christopher Schultz > <ch...@christopherschultz.net> wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Harish, > &

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-25 Thread Harish Krishnan
Thank you for the response and confirmation, Mark. Sent from my iPhone > On Sep 25, 2017, at 12:36 PM, Mark Thomas <ma...@apache.org> wrote: > >> On 25/09/17 18:12, Harish Krishnan wrote: >> Hi Mark, >> >> Thanks for the timely updates. >> My unders

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-29 Thread Harish Krishnan
rly next week. > > Mark > > >> On 26/09/17 02:22, Harish Krishnan wrote: >> Thank you for the response and confirmation, Mark. >> >> Sent from my iPhone >> >>>> On Sep 25, 2017, at 12:36 PM, Mark Thomas <ma...@apache.org> wrote: &g

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

2017-09-25 Thread Harish Krishnan
Hi Mark, Thanks for the timely updates. My understanding is, there will be a new 7.x update available for addressing CVE-2017-12617. Is that correct? The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and CVE*12616). When can we expect the new update for 7.x? Sent from my

Re: Enforcing server preference for cipher suites

2017-10-09 Thread Harish Krishnan
ltz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Harish, > > On 10/9/17 12:31 PM, Harish Krishnan wrote: > > Need your expert input here. Not sure what I am doing wrong, but I > > cannot get this server preference cipher suites feature

Re: Enforcing server preference for cipher suites

2017-10-11 Thread Harish Krishnan
. Sent from my iPhone > On Oct 10, 2017, at 10:26 AM, Konstantin Kolinko <knst.koli...@gmail.com> > wrote: > > 2017-10-09 19:31 GMT+03:00 Harish Krishnan <harish@gmail.com>: >> Hi All, >> >> Need your expert input here. >> Not sure what I am doing

Re: Enforcing server preference for cipher suites

2017-10-12 Thread Harish Krishnan
for the timely response and help! Sent from my iPhone > On Oct 10, 2017, at 10:26 AM, Konstantin Kolinko <knst.koli...@gmail.com> > wrote: > > 2017-10-09 19:31 GMT+03:00 Harish Krishnan <harish@gmail.com>: >> Hi All, >> >> Need your expert input here.

Re: Questions on recent CVE fixes

2018-03-14 Thread Harish Krishnan
Thanks for the response and confirmation, Mark. On Wed, Mar 14, 2018 at 12:24 AM, Mark Thomas <ma...@apache.org> wrote: > On 14/03/2018 01:04, Harish Krishnan wrote: > >> Hi All, >> >> Thanks for all the help and work you great people do. >> >> My qu

Questions on recent CVE fixes

2018-03-13 Thread Harish Krishnan
this include the empty ("") string to make our usage vulnerable too? regards Harish Krishnan