https://bz.apache.org/bugzilla/show_bug.cgi?id=63331
Bug ID: 63331
Summary: Tomcat crash, Problematic Frame:
org.apache.tomcat.util.log.SystemLogHandler.println
Product: Tomcat 9
Version: 9.0.16
Hardware: PC
https://bz.apache.org/bugzilla/show_bug.cgi?id=63331
Mark Thomas changed:
What|Removed |Added
Resolution|--- |INVALID
Status|NEW
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new 7254a63 Fix checkstyle warnings
7254a63 is describ
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new 806195b Revert local change made for load testing
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 7fc16d1 Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63320
Ensure that StatementCache caches statements that in
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 9ea280c Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=63320
Ensure that StatementCache caches statements that i
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
from 806195b Revert local change made for load testing
new 44ec74c Escape debug output to aid readability
new 25
Author: markt
Date: Wed Apr 10 11:02:51 2019
New Revision: 1857239
URL: http://svn.apache.org/viewvc?rev=1857239&view=rev
Log:
Add details of CVE-2019-0232
Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
CVE-2019-0232 Apache Tomcat Remote Code Execution on Windows
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.17
Apache Tomcat 8.5.0 to 8.5.39
Apache Tomcat 7.0.0 to 7.0.93
Description:
When running on Windows with enableCmdLineArgument
The Buildbot has detected a new failure on builder tomcat-7-trunk while
building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-7-trunk/builds/1319
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: silvanus_ubuntu
Build Reason: The AnyBranchSchedu
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new bd4f326 Correct backport for Java 6
bd4f326 is des
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
at 9b0004c (commit)
This tag includes the following new commits:
new 9b0004c Tag 9.0.18
The 1 revisions listed abov
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 9b0004cf29f0a53e816d1047d9b25c03f0e295b5
Author: Mark Thomas
AuthorDate: Wed Apr 10 12:57:17 2019 +0100
Tag 9.0.18
---
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 03272c8 Fix failing test
03272c8 is described be
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new e451c30 Fix failing test
e451c30 is described belo
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new 7b961c2 Fix failing test
7b961c2 is described belo
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
*** WARNING: tag 9.0.18 was deleted! ***
was 9b0004c Tag 9.0.18
This change permanently discards the following revisions:
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
at 0862607 (commit)
This tag includes the following new commits:
new 0862607 Tag 9.0.18
The 1 revisions listed abov
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to tag 9.0.18
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 0862607e5da91a7c476a6350288d8d8a9380f556
Author: Mark Thomas
AuthorDate: Wed Apr 10 13:36:27 2019 +0100
Tag 9.0.18
---
The Buildbot has detected a restored build on builder tomcat-7-trunk while
building tomcat. Full details are available at:
https://ci.apache.org/builders/tomcat-7-trunk/builds/1320
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: silvanus_ubuntu
Build Reason: The AnyBranchSch
Author: markt
Date: Wed Apr 10 13:13:30 2019
New Revision: 33545
Log:
Upload 9.0.18 for release
Added:
dev/tomcat/tomcat-9/v9.0.18/
dev/tomcat/tomcat-9/v9.0.18/KEYS
dev/tomcat/tomcat-9/v9.0.18/README.html
dev/tomcat/tomcat-9/v9.0.18/RELEASE-NOTES
dev/tomcat/tomcat-9/v9.0.18/bi
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new 0c21aac Increment version for next development c
The proposed Apache Tomcat 9.0.18 release is now available for voting.
The major changes compared to the 9.0.17 release are:
- Fix for CVE-2019-0232 a RCE vulnerability on Windows
- Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
now supported if used with a ECJ version wi
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to tag 8.5.40
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 5ec070352b283535946327b44228b610a27a76c5
Author: Mark Thomas
AuthorDate: Wed Apr 10 15:26:13 2019 +0100
Tag 8.5.40
---
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to tag 8.5.40
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
at 5ec0703 (commit)
This tag includes the following new commits:
new 5ec0703 Tag 8.5.40
The 1 revisions listed abov
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new d58aa08 Add vectoring for NIO
d58aa08 is describe
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new d71b285 Increment version number for next developm
Author: markt
Date: Wed Apr 10 14:57:10 2019
New Revision: 33547
Log:
Upload 8.5.40 for voting
Added:
dev/tomcat/tomcat-8/v8.5.40/
dev/tomcat/tomcat-8/v8.5.40/KEYS
dev/tomcat/tomcat-8/v8.5.40/README.html
dev/tomcat/tomcat-8/v8.5.40/RELEASE-NOTES
dev/tomcat/tomcat-8/v8.5.40/bin
The proposed Apache Tomcat 8.5.40 release is now available for voting.
The major changes compared to the 8.5.39 release are:
- Fix for CVE-2019-0232 a RCE vulnerability on Windows
- Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
now supported if used with a ECJ version wi
On 10/04/2019 14:44, Mark Thomas wrote:
> The proposed 9.0.18 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.18
Unit tests pass for NIO, NIO2 and APR/Native on Windows, Linux and MacOS
with Tomcat-Native 1.2.21
Mark
--
On 10/04/2019 15:58, Mark Thomas wrote:
> The proposed 8.5.40 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 8.5.40
Unit tests pass for NIO, NIO2 and APR/Native on Windows, Linux and MacOS
with Tomcat-Native 1.2.21
Mark
--
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
Bug ID: 6
Summary: JAASRealm needs to override isAvailable method to
prevent LockOutRealm to lock the user in case JAAS
login modules are unavailable
Product: Tomcat 8
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
Bug ID: 63334
Summary: LockOutRealm will continue to invoke inner user realms
even when the user is lockout
Product: Tomcat 8
Version: 8.5.x-trunk
Hardware: PC
https://bz.apache.org/bugzilla/show_bug.cgi?id=63335
Bug ID: 63335
Summary: OneLineFormatter will append new space so that the
exception stacktrace is shifted but it will not do
that for all lines
Product: Tomcat 8
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
Bug ID: 63336
Summary: Currently there is no way to know in form error page
that the user was not authenticated because it was
locked out
Product: Tomcat 8
Vers
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
Mark Thomas changed:
What|Removed |Added
OS||All
Resolution|---
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new a7832e0 Update RM
a7832e0 is described below
comm
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
Mark Thomas changed:
What|Removed |Added
OS||All
Resolution|---
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #2 from Mark Thomas ---
Sorry about the typo
"... in use and its configuration."
--
You are receiving this mail because:
You are the assignee for the bug.
-
To u
This is an automated email from the ASF dual-hosted git repository.
markt pushed a change to tag 7.0.94
in repository https://gitbox.apache.org/repos/asf/tomcat.git.
at 9ddb14a (commit)
This tag includes the following new commits:
new 9ddb14a Tag 7.0.94
The 1 revisions listed abov
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to tag 7.0.94
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 9ddb14a0e76080feee34f3eca89e5413b93852f9
Author: Mark Thomas
AuthorDate: Wed Apr 10 17:40:23 2019 +0100
Tag 7.0.94
---
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #3 from jchobanto...@yahoo.com ---
I’m sorry but the fix is not going to expose anything to the user - the end
user still is going to get unauthenticated but we are going to invoke our inner
realms like JAASRealm which is not needed
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
--- Comment #2 from jchobanto...@yahoo.com ---
Ok, forget about modifying the basic realm to report the error - the application
could have 401 error page and put that information itself - again the request
is to add http request attribute so that
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #4 from Mark Thomas ---
Please read up on timing attacks.
A Map lookup followed by a return will be noticeably faster than the
authentication process.
Your proposed change would enable an attacker to determine:
- if an account wa
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 7.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/7.0.x by this push:
new ca838df Increment version for next development cyc
Author: markt
Date: Wed Apr 10 17:15:53 2019
New Revision: 33551
Log:
Upload 7.0.94 for voting
Added:
dev/tomcat/tomcat-7/v7.0.94/
dev/tomcat/tomcat-7/v7.0.94/KEYS
dev/tomcat/tomcat-7/v7.0.94/README.html
dev/tomcat/tomcat-7/v7.0.94/RELEASE-NOTES
dev/tomcat/tomcat-7/v7.0.94/bin
Added: dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-adapters.jar.sha512
==
--- dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-adapters.jar.sha512
(added)
+++ dev/tomcat/tomcat-7/v7.0.94/bin/extras/tomcat-juli-ada
The proposed Apache Tomcat 7.0.94 release is now available for voting.
The major changes compared to the 7.0.93 release are:
- Fix for CVE-2019-0232 a RCE vulnerability on Windows
- Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
now supported if used with a ECJ version wi
On 10/04/2019 18:22, Mark Thomas wrote:
> The proposed 7.0.94 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 7.0.94 Stable
Unit tests pass for BIO, NIO and APR/Native on Windows, Linux and MacOS
with Tomcat-Native 1.2.21
Mark
On 09/04/2019 19:08, Violeta Georgieva wrote:
> On Tue, 9.04.2019 at 20:45, Mark Thomas wrote:
>>
>> Hi all,
>>
>> I'm a bit behind again this month - mainly because I was at the http
>> workshop last week (very useful - a write-up is on the way). I've been
>> through the open bugs and resolve
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
--- Comment #3 from Mark Thomas ---
See this thread in the archives:
http://tomcat.markmail.org/thread/4garqvcph2ci3j5m
The isLocked() method of the Realm was made public and exposed via JMX to
support this sort of custom feature. unlock() is
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #5 from jchobanto...@yahoo.com ---
Thank you for clarifying your point that attacker could determine there is a
lockout realm installed based on the speed of the request/response, although
this is questionable as if you are dealing w
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
Mark Thomas changed:
What|Removed |Added
OS||All
--- Comment #1 from Mark Thomas ---
https://bz.apache.org/bugzilla/show_bug.cgi?id=63336
--- Comment #4 from jchobanto...@yahoo.com ---
Thank you for pointing out that isLocked() and unlock() methods are public - I
already know that. Even with this information I need to provide custom
LockOutRealm in order to see the real reason why
On Wed, Apr 10, 2019 at 3:44 PM Mark Thomas wrote:
> The proposed 9.0.18 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 9.0.18
>
> Rémy
https://bz.apache.org/bugzilla/show_bug.cgi?id=63331
--- Comment #2 from Christopher Schultz ---
Or bad hardware.
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new bc714fd Add asynchronous IO API for NIO
bc714fd i
rmaucher commented on issue #153: Add async API for NIO
URL: https://github.com/apache/tomcat/pull/153#issuecomment-481834218
Since I got no objections, I merged the code.
This is an automated message from the Apache Git Servi
rmaucher closed pull request #153: Add async API for NIO
URL: https://github.com/apache/tomcat/pull/153
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
jchobantonov opened a new pull request #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157
This is an automated message from the Apache Git Service.
To respond to the mes
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
--- Comment #2 from jchobanto...@yahoo.com ---
Pull request: https://github.com/apache/tomcat/pull/157
https://bz.apache.org/bugzilla/show_bug.cgi?id=63334
--- Comment #6 from Christopher Schultz ---
Realms aren't difficult to write, including a simple realm like the
LockOutRealm.
Feel free to implement your own Realm which meets your requirements. If you'd
like, you can propose a patch, but I do
On 4/10/2019 10:22 AM, Mark Thomas wrote:
The proposed 7.0.94 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 7.0.94 Stable
Unit tests pass for BIO, NIO, and APR on Ubuntu 18.04 with Java
1.6u45/1.7u80 and TC-Native-1.2.21
Igal
ChristopherSchultz commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481842267
No explanation?
-1
This is an automated message fro
michael-o commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481843426
I agree with @ChristopherSchultz .
This is an automated message fro
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481845121
the explanation of the reason is here
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
--
On 4/10/2019 6:44 AM, Mark Thomas wrote:
The proposed 9.0.18 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 9.0.18
Unit tests pass for NIO, NIO2, and APR on Ubuntu 18.04 with Java 1.8u202
and TC-Native 1.2.21
Igal
-
ChristopherSchultz commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481847793
But an explanation should be included with all PRs. What if BZ is deleted?
(It shouldn't be, but there's no reason to make
ChristopherSchultz commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481848050
Code comments would be helpful, here, too.
This is an auto
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481849557
Code comments are exactly the same as what tomcat source code have for
DataSourceRealm, not sure what else do you need as a comme
isapir commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481850076
I think that it'd be cleaner/more readable if `invocationSuccess` is
initialized with `false` value and only set to `true` upon success
ChristopherSchultz commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481850427
The low-quality of the existing code and/or documentation is not an excuse
for maintaining that level of quality.
ChristopherSchultz commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481850875
> I think that it'd be cleaner/more readable if `invocationSuccess` is
initialized with `false` value and only set to `true
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481851585
> I think that it'd be cleaner/more readable if `invocationSuccess` is
initialized with `false` value and only set to `true` upon
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481852195
> The low-quality of the existing code and/or documentation is not an excuse
for maintaining that level of quality.
Ok, le
isapir commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481853982
> To reduce the number of changed lines and opportunities for mistakes,
there could be a local flag for success which is copied to the
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481860226
> But these lines are all in the same transaction, no?
Yes they are - there is no need to use local variable as well - it i
isapir commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481861275
> Ok, let me know what you think we should put as a comment additionally
that is so greatly missed and it is not obvious enough for you
jchobantonov commented on issue #157:
https://bz.apache.org/bugzilla/show_bug.cgi?id=6
URL: https://github.com/apache/tomcat/pull/157#issuecomment-481872313
@isapir @ChristopherSchultz I have added more comments hope this helps
-
On 09.04.2019 at 19:45, Mark Thomas wrote:
Hi all,
I'm a bit behind again this month - mainly because I was at the http
workshop last week (very useful - a write-up is on the way).
I'm very keen on reading your notes. On the httpd dev list Bill
mentioned three links to notes taken by Daniel
On 4/10/2019 7:58 AM, Mark Thomas wrote:
The proposed 8.5.40 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.5.40
Unit tests pass for NIO, NIO2, and APR on Windows 10 with Java 1.8u181
and TC-Native 1.2.21 and Ubuntu 18.04 with Java 1.8u202 and TC-Native 1.2.21
On Wed, Apr 10, 2019 at 22:44, Mark Thomas wrote:
> The proposed Apache Tomcat 9.0.18 release is now available for voting.
>
> The major changes compared to the 9.0.17 release are:
>
> - Fix for CVE-2019-0232 a RCE vulnerability on Windows
>
> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
On Wed, Apr 10, 2019 at 23:58, Mark Thomas wrote:
> The proposed Apache Tomcat 8.5.40 release is now available for voting.
>
> The major changes compared to the 8.5.39 release are:
>
> - Fix for CVE-2019-0232 a RCE vulnerability on Windows
>
> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are also
On Thu, Apr 11, 2019 at 2:22, Mark Thomas wrote:
> The proposed Apache Tomcat 7.0.94 release is now available for voting.
>
> The major changes compared to the 7.0.93 release are:
>
> - Fix for CVE-2019-0232 a RCE vulnerability on Windows
>
> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are also