On 13.02.20 11:17, Olaf Kock wrote:
> On 13.02.20 10:36, kohm...@iris.eonet.ne.jp wrote:
>> On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
>>> Check in the file (tomcat_dir)/conf/server.xml, the Connector :
>>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" /> 
>> The setting is the same as mine.
>> I have use server.xml used in 8.5.50. In case of 8.5.50, I have no
>> problem.
>> Please notice, I have been using Tomcat for 5 years with updates.
>> Why this time?
> Because this time, security relevant defaults changed: See these recent
> commits on the git mirror:
> https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262
> https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262

Or, even better digestible (I hit 'send' too early):

Mark's announcement of the availability contained:

> - AJP defaults changed to listen the loopback address, require a
secret and to be disabled in the sample server.xml

And the changelog on
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html for 8.5.51
contains this information on AJP:

  * Update: Disable (comment out in server.xml) the AJP/1.3 connector by
    default. (markt)
  * Update: Change the default bind address for the AJP/1.3 connector to
    be the loopback address. (markt)
  * Add: Rename the |requiredSecret| attribute of the AJP/1.3 Connector
    to |secret| and add a new attribute |secretRequired| that defaults
    to |true|. When |secretRequired| is |true| the AJP/1.3 Connector
    will not start unless the |secret| attribute is configured to a
    non-null, non-zero length String. (markt)
  * Add: Add a new attribute, |allowedRequestAttributesPattern| to the
    AJP/1.3 Connector. Requests with unrecognised attributes will be
    blocked with a 403. (markt)

There's also a discussion on the "Re: [ANN] Apache Tomcat 9.0.31
available" thread on this changed default that might give you some

I hope, this helps,


Reply via email to