DO NOT REPLY [Bug 48584] Error or ACCESS_VIOLATION on shutdown
https://issues.apache.org/bugzilla/show_bug.cgi?id=48584 --- Comment #5 from Rainer Jung 2010-01-24 01:41:27 UTC --- I get the same result as Mark Eggers, i.e. the Exception in the log but no hotspot error file. Microsoft Windows XP Professional Version5.1.2600 Service Pack 3 Build 2600 German JRE 1.6.0_18 Interestingly in my case there is a localized message: 24.01.2010 10:38:45 org.apache.tomcat.util.net.AprEndpoint$Acceptor run SCHWERWIEGEND: Socket accept failed org.apache.tomcat.jni.Error: Ein Blockierungsvorgang wurde durch einen Aufruf von WSACancelBlockingCall unterbrochen. at org.apache.tomcat.jni.Socket.accept(Native Method) at org.apache.tomcat.util.net.AprEndpoint$Acceptor.run(AprEndpoint.java:1156) at java.lang.Thread.run(Unknown Source) So maybe it has to do with the Russian localization? I also tried once with the security manager, same behavior. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r902650 - in /tomcat/tc5.5.x/trunk/container: catalina/src/share/org/apache/catalina/loader/ catalina/src/share/org/apache/catalina/startup/ webapps/docs/
Author: markt
Date: Sun Jan 24 21:43:11 2010
New Revision: 902650
URL: http://svn.apache.org/viewvc?rev=902650&view=rev
Log:
Various related (un)deploy improvements including:
- better handling of failed (un)deployment
- adding checking for invalid zip file entries that don't make sense in a WAR
file
- improved validation of WAR file names.
These changes address CVE-2009-2693, CVE-2009-2901 and CVE-2009-2902.
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/LocalStrings.properties
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/startup/ContextConfig.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/startup/ExpandWar.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/startup/HostConfig.java
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/startup/LocalStrings.properties
tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/LocalStrings.properties?rev=902650&r1=902649&r2=902650&view=diff
==
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/LocalStrings.properties
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/LocalStrings.properties
Sun Jan 24 21:43:11 2010
@@ -28,8 +28,10 @@
standardLoader.removeRepository=Removing repository {0}
standardLoader.starting=Starting this Loader
standardLoader.stopping=Stopping this Loader
+webappClassLoader.illegalJarPath=Illegal JAR entry detected with name {0}
webappClassLoader.stopped=Illegal access: this web application instance has
been stopped already. Could not load {0}. The eventual following stack trace
is caused by an error thrown for debugging purposes as well as to attempt to
terminate the thread which caused the illegal access, and has no functional
impact.
webappClassLoader.readError=Resource read error: Could not load {0}.
+webappClassLoader.validationErrorJarPath=Unable to validate JAR entry with
name {0}
webappClassLoader.wrongVersion=(unable to load class {0})
webappLoader.addRepository=Adding repository {0}
webappLoader.deploy=Deploying class repositories to work directory {0}
Modified:
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java?rev=902650&r1=902649&r2=902650&view=diff
==
---
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
(original)
+++
tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/loader/WebappClassLoader.java
Sun Jan 24 21:43:11 2010
@@ -358,6 +358,7 @@
* Path where resources loaded from JARs will be extracted.
*/
protected File loaderDir = null;
+protected String canonicalLoaderDir = null;
/**
@@ -551,6 +552,19 @@
*/
public void setWorkDir(File workDir) {
this.loaderDir = new File(workDir, "loader");
+if (loaderDir == null) {
+canonicalLoaderDir = null;
+} else {
+try {
+canonicalLoaderDir = loaderDir.getCanonicalPath();
+if (!canonicalLoaderDir.endsWith(File.separator)) {
+canonicalLoaderDir += File.separator;
+}
+} catch (IOException ioe) {
+canonicalLoaderDir = null;
+}
+}
+
}
/**
@@ -2118,6 +2132,18 @@
(".class"))) {
resourceFile = new File
(loaderDir, jarEntry2.getName());
+try {
+if
(!resourceFile.getCanonicalPath().startsWith(
+canonicalLoaderDir)) {
+throw new IllegalArgumentException(
+
sm.getString("webappClassLoader.illegalJarPath",
+
jarEntry2.getName()));
+}
+} catch (IOException ioe) {
+throw new IllegalArgumentException(
+
sm.getString("webappClassLoader.validationErrorJarPa
svn commit: r902653 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html xdocs/security-5.xml xdocs/security-6.xml
Author: markt Date: Sun Jan 24 21:51:32 2010 New Revision: 902653 URL: http://svn.apache.org/viewvc?rev=902653&view=rev Log: Update for CVE-2009-2693, CVE-2009-2901 and CVE-2009-2902. Modified: tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=902653&r1=902652&r2=902653&view=diff == --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Sun Jan 24 21:51:32 2010 @@ -262,6 +262,91 @@ + +Fixed in subversion for Apache Tomcat 5.5.x + + + + + + + + + + +Note: These issues will be fixed in 5.5.29 but that version has not yet + been released. + + + +Low: Arbitrary file deletion and/or alteration on deploy + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693";> + CVE-2009-2693 + + +When deploying WAR files, the WAR files were not checked for directory + traversal attempts. This allows an attacker to create arbitrary content + outside of the web root by including entries such as + ../../bin/catalina.sh in the WAR. + +This was fixed in + http://svn.apache.org/viewvc?rev=902650&view=rev";> + revision 902650. + +Affects: 5.5.0-5.5.28 + + +Low: Insecure partial deploy after failed deploy + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901";> + CVE-2009-2901 + + +By default, Tomcat automatically deploys any directories placed in a + host's appBase. This behaviour is controlled by the autoDeploy attribute + of a host which defaults to true. After a failed undeploy, the remaining + files will be deployed as a result of the autodeployment process. + Depending on circumstances, files normally protected by one or more + security constraints may be deployed without those security constraints, + making them accessible without authentication. + +This was fixed in + http://svn.apache.org/viewvc?rev=902650&view=rev";> + revision 902650. + +Affects: 5.5.0-5.5.28 + + +Low: Unexpected file deletion in work directory + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2902";> + CVE-2009-2902 + + +When deploying WAR files, the WAR file names were not checked for + directory traversal attempts. For example, deploying and undeploying + ...war allows an attacker to cause the deletion of the + current contents of the host's work directory which may cause problems + for currently running applications. + +This was fixed in + http://svn.apache.org/viewvc?rev=902650&view=rev";> + revision 902650. + +Affects: 5.5.0-5.5.28 + + + + + + + + + + + + + + + Fixed in Apache Tomcat 5.5.28 Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=902653&r1=902652&r2=902653&view=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Sun Jan 24 21:51:32 2010 @@ -212,8 +212,8 @@ - -Not fixed in Apache Tomcat 6.0.x + +Fixed in Apache Tomcat 6.0.24 @@ -222,13 +222,69 @@ - + +Note: These issues were fixed in Apache Tomcat 6.0.21 but the + release votes for the 6.0.21, 6.0.22 and 6.0.23 release candidates did + not pass. Therefore, although users must download 6.0.24 to obtain a + version that includes fixes for these issues, versions 6.0.21 onwards + are not included in the list of affected versions. + + + +Low: Arbitrary file deletion and/or alteration on deploy + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2693";> + CVE-2009-2693 + + +When deploying WAR files, the WAR files were not checked for directory + traversal attempts. This allows an attacker to create arbitrary content + outside of the web root by including entries such as + ../../bin/catalina.sh in the WAR. + +This was fixed in + http://svn.apache.org/viewvc?rev=892815&view=rev";> + revision 892815. + +Affects: 6.0.0-6.0.20 + + +Low: Insecure partial deploy after failed deploy + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2901";> + CVE-2009-2901 + + +By default, Tomcat automatically deploys any directories placed in a + host's appBase. This behaviour is controlled by the autoDeploy attribute + of a host which defaults to true. After a failed undeploy, the remaining + files will be deployed as a result of the autodeployment process. + Depending o
[SECURITY] CVE-2009-2693 Apache Tomcat unexpected file deletion and/or alteration
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2009-3548: Apache Tomcat unexpected file deletion and/or alteration Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.0 to 5.5.28 Tomcat 6.0.0 to 6.0.20 The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also affected. Description: When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root. Mitigation: 6.0.x users should upgrade to 6.0.24 or apply this patch: http://svn.apache.org/viewvc?rev=892815&view=rev 5.5.x users should upgrade to 5.5.29 when released or apply this patch: http://svn.apache.org/viewvc?rev=902650&view=rev Note: the patches also address CVE-2009-2901 and CVE-2009-2902. Alternatively, users of all Tomcat versions may mitigate this issue by manually validating the contents of untrusted WAR files before deployment. Example: A WAR file that contains the following entry will overwrite the standard Windows start-up script when deployed on a default Tomcat installation: ../../bin/catalina.bat Credit: This issue was reported to the Apache Tomcat security team by Marc Schoenefeld of the Red Hat Security Response Team References: [1] http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJLXMF6AAoJEBDAHFovYFnniGcP/j9ZyFlLdzcTxJLqqWyAOdUt J1jF8vZTIqkf/vFyrRxLgw9ihaKZQ1wpd9U3vdHulcIsuAeBtiZgIhlXKItJiTLf ImsEl5a3w3Ucp2Z71/IIRxmcffz/zIjgdzmhmnRDEhiHz/wiygpRr7X1M8ZgZVXe itxFDhZu7ccWDTwUkxOoFuG6CWxb6/red3l5CaL4OtcWBTZ1aqQ5M1Io62pWErLI 6F/xuGTvWn4AeXaNEgJOGFZLLyX06WQJSzaJXh/tPqI153mk5Or63m03uJy9wHqa p7ULRvRNSZ57m8L08e397uCjvu4CPGf1Rm0dDDART7UaLF1Q13gP9O6DPCS88wN+ ypgZTERSG9t0iMHZCKNjH1huRJDVPkEJwvGdtH0wGzFwg5S+oJ/J5ETW29dQ/JUR pt1U1Xz6RnzFFgQR4Xomdc4SPysDFOIAexi8dkZPDcafN7YyiMQTRyU3iNRuoaR1 Y32qWfqJrmVDWQ1J4BLYsrLrpgZ0s5ccq6omz36lbH+3blyVPf1th84lWg9GG6lo W3qsnJIpNfxLi9II9sDxbVpUJXLVbJmBexUDR3z9BayowNtBlwMWXEZluctGe2DO hIkNB0D33AJvMD7wY80tnXY/hH3X5Vs+ZePEmu7TQB1KXzTinEbVdNVPF8/8woaL 7iN004jxhnUxQc8Fgwj4 =/B5h -END PGP SIGNATURE- - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[SECURITY] CVE-2009-2902 Apache Tomcat unexpected file deletion in work directory
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2009-2902: Apache Tomcat unexpected file deletion in work directory Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.0 to 5.5.28 Tomcat 6.0.0 to 6.0.20 The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also affected. Description: When deploying WAR files, the WAR file names were not checked for directory traversal attempts. This allows an attacker to cause the deletion of the current contents of the host's work directory which may cause problems for currently running applications. Mitigation: 6.0.x users should upgrade to 6.0.24 or apply this patch: http://svn.apache.org/viewvc?rev=892815&view=rev 5.5.x users should upgrade to 5.5.29 when released or apply this patch: http://svn.apache.org/viewvc?rev=902650&view=rev Note: the patches also address CVE-2009-2693 and CVE-2009-2901. Alternatively, users of all Tomcat versions may mitigate this issue by manually validating the contents of untrusted WAR files before deployment. Example: Deploying and undeploying a WAR named "...war" causes the all files and subdirectories in "work//" to be removed. Credit: This issue was discovered by the Apache Tomcat security team References: [1] http://tomcat.apache.org/security.html -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJLXMGKAAoJEBDAHFovYFnnU3sP/2qKA+k8nmXoowqeUKfgTZyg EJAtLvuTHFViDFeA7tDrh18pMzWUfPCu/sU8qXaiY71Dw6Fa8zcJ1SksP/WB4jmN UDuSj9vm5INxjbANnniSpZ5+tfLukPz9I3vFIIpmT4xO2aGnbqTUWPmVb2Oitapp ePH35D0OldLIL8O4TmdTK5LPw/qufbvEtegTlryJeyO9kWvqmK54W2cs60i+txiD zwzoRJgmNd7e/DS8+jrGrSFgLiFQlEQraQ99OvvU9bi7DofEUA1HuxPV94Ck8oMc xbcNlAgSMuqc0PuIff68rXP3M/4M96j/BFRRLsAqUPfXBZQBZ6vc/uOVG2JriIQU psksw1zTf8pbUTtuY6EUry3SspTHWcMGJfoxtrXa0nVxGnTg5XI/joipbCbbcF6p 0npKt3IIEH6JYtZ2DbSO0w6QjFnCVV5v0mB1LrMQDy0SzfcYf6G0MnmD6hLYNsdz 83TRgicGCfcSqZdiZDJ2Kngwnjl/oHYx2A1SVOc4q0NoIlFnzF9qMqiLM5hM87LT 3FaFsDmeFwhUxo4JRGAFA+ft1UrYufCvCQy+ZW6fxPIW2Qz9aEq63MDVojdd2yf7 Z9JApNAiO6q1cJukOaworJiv1cbcZHp0SaWDJQIo4VFT2APD2DFU79vCseIusX4e jcy9btzWclss+2hAA/XQ =kJa8 -END PGP SIGNATURE- - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[SECURITY] CVE-2009-2901 Apache Tomcat insecure partial deploy after failed undeploy
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2009-2901: Apache Tomcat insecure partial deploy after failed undeploy Severity: Low Vendor: The Apache Software Foundation Versions Affected: Tomcat 5.5.0 to 5.5.28 Tomcat 6.0.0 to 6.0.20 The unsupported Tomcat 3.x, 4.x and 5.0.x versions may be also affected. Description: By default, Tomcat automatically deploys any directories placed in a host's appBase. This behaviour is controlled by the autoDeploy attribute of a host which defaults to true. After a failed undeploy, the remaining files will be deployed as a result of the autodeployment process. Depending on circumstances, files normally protected by one or more security constraints may be deployed without those security constraints, making them accessible without authentication. Mitigation: 6.0.x users should upgrade to 6.0.24 or apply this patch: http://svn.apache.org/viewvc?rev=892815&view=rev 5.5.x users should upgrade to 5.5.29 when released or apply this patch: http://svn.apache.org/viewvc?rev=902650&view=rev Note: the patches also address CVE-2009-2693 and CVE-2009-2902. Alternatively, users of all Tomcat versions may mitigate this issue by manually ensuring that an undeploy removes all files. If one or more files cannot be deleted, it may be necessary to stop Tomcat before the files can be deleted. Credit: This issue was discovered by the Apache Tomcat security team References: [1] http://tomcat.apache.org/security.html Mark Thomas -BEGIN PGP SIGNATURE- Version: GnuPG v1.4.9 (Darwin) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJLXMGYAAoJEBDAHFovYFnnwXgP/RAhAkPwPP9R3S5xM/mtZj+l cQacLI/8FdPOluVUIYNuPP2ti3v2STJyhUMOYVMQIpf7Why4fFiLaIOLZWDS04Gb UfTQfcFIQlh69h3xQBgkEeSHNegxGLRvl8sLrhLTmaLug4qn8JW81sZnO+9PejmD CgZKCq2ALqIvNmEU7nZTz/5xzll88O+b8P5UQqDGM9r1Z8fO8oCUood1n2hVdZAb PoLn7CKqMtb2psGvYWqYDNeB5mRVhHnqUdtQzQy3Sy6C8YBxkmm9HWOZjoAvjMaa X4N5THNyhXwdfNo9r6CClEiaQM6AK+jRl8SyeNiGNgNHT3Knhn9ANVUcRomRXgJm dsKKz0wBN/zVp7ux5FLlK9O/a7VNniYMFRwg71Na9KQY6/oRlxpOU9zgWqI9Co9V LD8g0EWliabOCv3nREDYqwrJq75ffS5TwK8mqWNlW/0gszDex34kVqnS06hMY1HT OK5Ip1cYhUZLlcfwkmN6tBxBozCteO/Nrfh6HEahc0MXVJXbZxDXLvWtDNSrBMSY Hqt9suXYom1rCxtFdBDtgXctAnB4UrADRxC4w/e7kZ+v3MRMtzl1UG/6cJDQtQ9f Iwt51lECjIW6LqEpSIMTs/v5h9ueSPhY/n7GWNloSqCUgA0XL5sw5lYkGsMmS4Sh dkab23FgmsfqGqZYUGzv =vcr6 -END PGP SIGNATURE- - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Taglibs [2010/01/24]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |27717|New|Maj|2004-03-16| very slow in JSTL 1.1 | |33934|New|Cri|2005-03-09|[standard] memory leak in jstl c:set tag | |38193|Ass|Enh|2006-01-09|[RDC] BuiltIn Grammar support for Field | |38600|Ass|Enh|2006-02-10|[RDC] Enable RDCs to be used in X+V markup (X+RDC)| |42413|New|Nor|2007-05-14|[PATCH] Log Taglib enhancements | |43640|New|Nor|2007-10-16|Move the tests package to JUnit | |45197|Ass|Nor|2008-06-12|Need to support the JSTL 1.2 specification| |46052|New|Nor|2008-10-21|SetLocaleSupport is slow to initialize when many l| |48333|New|Nor|2009-12-02|TLD generator | +-+---+---+--+--+ | Total9 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat 6 [2010/01/24]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |39661|Opn|Enh|2006-05-25|Please document JULI FileHandler configuration pro| |41128|Inf|Enh|2006-12-07|Reference to java Thread name from RequestProcesso| |41679|New|Enh|2007-02-22|SemaphoreValve should be able to filter on url pat| |41791|New|Enh|2007-03-07|Tomcat behaves inconsistently concerning flush-pac| |41883|Ass|Enh|2007-03-18|use abstract wrapper instead of plain X509Certific| |41944|New|Enh|2007-03-25|Start running the RAT tool to see where we're miss| |41992|New|Enh|2007-03-30|Need ability to set OS process title | |42463|New|Enh|2007-05-20|"crossContext" and classloader issues - pls amend | |43001|New|Enh|2007-07-30|JspC lacks setMappedFile and setDie for use in Ant| |43003|New|Enh|2007-07-30|Separate dependent component download and build ta| |43400|New|Enh|2007-09-14|enum support for tag libs | |43497|New|Enh|2007-09-26|Add ability to escape rendered output of JSP expre| |43548|Opn|Enh|2007-10-04|xml schema for tomcat-users.xml | |43642|New|Enh|2007-10-17|Add prestartminSpareThreads attribute for Executor| |43682|New|Enh|2007-10-23|JULI: web-inf/classes/logging.properties to suppor| |43742|New|Enh|2007-10-30|.tag compiles performed one at a time -- extremel| |43790|Ass|Enh|2007-11-03|concurrent access issue on TagHandlerPool | |43979|New|Enh|2007-11-27|Add abstraction for Java and Classfile output | |44047|New|Enh|2007-12-10|Provide a way for Tomcat to serve up error pages w| |44106|New|Enh|2007-12-19|autodeploy configures directories which do not con| |44199|New|Enh|2008-01-10|expose current backlog queue size | |44225|New|Enh|2008-01-14|SSL connector tries to load the private keystore f| |44264|New|Enh|2008-01-18|Clustering - Support for disabling multicasting an| |44265|New|Enh|2008-01-18|Improve JspWriterImpl performance with "inline" su| |44284|New|Enh|2008-01-23|Support java.lang.Iterable in c:forEach tag | |44294|New|Enh|2008-01-25|Support for EL functions with varargs | |44299|New|Enh|2008-01-26|Provider manager app with a log out button| |44312|New|Enh|2008-01-28|Warn when overwritting docBase of the default Host| |44598|New|Enh|2008-03-13|JAASRealm is suppressing Exceptions | |44645|New|Enh|2008-03-20|[Patch] JNDIRealm - Doesn't support JNDI "java.nam| |44787|New|Enh|2008-04-09|provide more error context on "java.lang.IllegalSt| |44818|New|Enh|2008-04-13|tomcat hangs with GET when content-length is defin| |45014|New|Enh|2008-05-15|Request and Response classes should have wrappers | |45282|New|Enh|2008-06-25|NioReceiver doesn't close cleanly, leaving sockets| |45283|Opn|Enh|2008-06-25|Allow multiple authenticators to be added to pipel| |45428|New|Enh|2008-07-18|warn if the tomcat stop doesn't complete | |45654|New|Enh|2008-08-19|use static methods and attributes in a direct way!| |45731|New|Enh|2008-09-02|Enhancement request : pluggable httpsession cache | |45794|New|Enh|2008-09-12|Patch causes JNDIRealm to bind with user entered c| |45832|New|Enh|2008-09-18|add DIGEST authentication support to Ant tasks| |45871|New|Enh|2008-09-23|Support for salted and digested patches in DataSou| |45878|New|Enh|2008-09-24|Generated jars do not contain proper manifests or | |45879|Opn|Enh|2008-09-24|Windows installer fails to install NOTICE and RELE| |45931|Opn|Enh|2008-10-01|trimSpaces incorrectly modifies output| |45995|New|Enh|2008-10-13|RFE - MIME type extension not case sensitive | |46173|New|Enh|2008-11-09|Small patch for manager app: Setting an optional c| |46263|New|Enh|2008-11-21|Tomcat reloading of context does not update contex| |46264|New|Enh|2008-11-21|Shutting down tomcat with large number of contexts| |46284|New|Enh|2008-11-24|Add flag to DeltaManager that blocks processing cl| |46323|New|Enh|2008-12-02|NTLM Authentication for Microsoft Active Directory| |46350|New|Enh|2008-12-05|Maven repository should contain source bundles| |46451|
Bug report for Tomcat 7 [2010/01/24]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |48222|New|Enh|2009-11-18|Source JARs empty in maven central| |48240|New|Nor|2009-11-19|Tomcat-Lite missing @Override markers | |48268|New|Nor|2009-11-23|Patch to fix generics in tomcat-lite | |48297|New|Nor|2009-11-28|webservices.ServiceRefFactory.initHandlerChain add| |48358|New|Enh|2009-12-09|JSP-unloading reloaded| |48392|New|Cri|2009-12-15|jdbc-pool is not returning the proxied connection | |48414|New|Nor|2009-12-19|Use of Class.forName may not work well in osgi env| |48550|New|Enh|2010-01-14|Update examples and default server.xml to use UTF-| |48551|New|Enh|2010-01-14|StringCache: Use entrySet() rather than keySet() +| |48563|New|Nor|2010-01-17|Dist build of trunk (Tomcat 7) fails because extra| +-+---+---+--+--+ | Total 10 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat Connectors [2010/01/24]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |34526|Opn|Nor|2005-04-19|Truncated content in decompressed requests from mo| |35959|Opn|Enh|2005-08-01|mod_jk not independant of UseCanonicalName| |36155|Opn|Nor|2005-08-12|tomcat chooses wrong host if using mod_jk | |36169|New|Enh|2005-08-12|[PATCH] Enable chunked encoding for requests in II| |38895|New|Nor|2006-03-08|Http headers with an underscore "_" change into hy| |39967|Inf|Nor|2006-07-05|mod_jk gives segmentation fault when apache is sta| |40208|Inf|Nor|2006-08-08|Request-Dump when ErrorDocument in httpd.conf is a| |41170|Inf|Nor|2006-12-13|single crlf in header termination crashes app.| |41923|Opn|Nor|2007-03-21|Tomcat doesnt recognized client abort | |42366|Inf|Nor|2007-05-09|Memory leak in newer mod_jk version when connectio| |42554|Opn|Nor|2007-05-31|mod_ssl + mod_jk with status_worker does not work | |43303|New|Enh|2007-09-04|Versioning under Windows not reported by many conn| |43968|New|Enh|2007-11-26|[patch] support ipv6 with mod_jk | |44290|New|Nor|2008-01-24|mod_jk/1.2.26: retry is not useful for an importan| |44349|New|Maj|2008-02-04|mod_jk/1.2.26 module does not read worker.status.s| |44379|New|Enh|2008-02-07|convert the output of strftime into UTF-8 | |44454|New|Nor|2008-02-19|busy count reported in mod_jk inflated, causes inc| |44571|New|Enh|2008-03-10|Limits busy per worker to a threshold | |45063|New|Nor|2008-05-22|JK-1.2.26 IIS ISAPI filter issue when running diff| |45313|New|Nor|2008-06-30|mod_jk 1.2.26 & apache 2.2.9 static compiled on so| |45395|New|Min|2008-07-14|MsgAjp dump method does not dump packet when being| |46337|New|Nor|2008-12-04|real worker name is wrong | |46406|New|Enh|2008-12-16|Supporting relative paths in isapi_redirect.proper| |46503|New|Nor|2009-01-09|Garbage characters in cluster domain field| |46632|New|Nor|2009-01-29|mod_jk's sockets close prematurely when the server| |46676|New|Enh|2009-02-09|Configurable test request for Watchdog thread | |46767|New|Enh|2009-02-25|mod_jk to send DECLINED in case no fail-over tomca| |47038|New|Enh|2009-04-15|USE_FLOCK_LK redefined compiler warning when using| |47327|New|Enh|2009-06-07|remote_user not logged in apache logfile | |47617|New|Enh|2009-07-31|include time spent doing ajp_get_endpoint() in err| |47678|New|Nor|2009-08-11|Unable to allocate shared memory when using isapi_| |47679|New|Nor|2009-08-11|Not all headers get passed to Tomcat server from i| |47692|New|Blk|2009-08-12|Can not compile mod_jk with apache2.0.63 and tomca| |47714|New|Cri|2009-08-20|Reponse mixed between users | |47750|New|Maj|2009-08-27|Loss of worker settings when changing via jkstatus| |47795|New|Maj|2009-09-07|service sticky_session not being set correctly wit| |47840|New|Min|2009-09-14|A broken worker name is written in the log file. | |48169|New|Nor|2009-11-10|two second delay for cgi scripts mixed with mod_jk| |48191|New|Maj|2009-11-13|Problem with mod_jk 1.2.28 - Can not render up the| |48223|New|Nor|2009-11-18|IIS Logs HTTP status code 200 instead of error cod| |48490|New|Nor|2010-01-05|Changing a node to stopped in uriworkermap.propert| |48501|New|Enh|2010-01-07|Log rotation for ISAPI Redirector | |48513|New|Enh|2010-01-09|IIS Quick setup instructions | |48564|New|Nor|2010-01-18|Unable to turn off retries for LB worker | +-+---+---+--+--+ | Total 44 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Bug report for Tomcat 5 [2010/01/24]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |27122|Opn|Enh|2004-02-20|IE plugins cannot access components through Tomcat| |28039|Opn|Enh|2004-03-30|Cluster Support for SingleSignOn | |29494|Inf|Enh|2004-06-10|No way to set PATH when running as a service on Wi| |33262|Inf|Enh|2005-01-27|Service Manager autostart should check for adminis| |33453|Opn|Enh|2005-02-08|Jasper should recompile JSP files whose datestamps| |33671|Opn|Enh|2005-02-21|Manual Windows service installation with custom na| |34801|New|Enh|2005-05-08|PATCH: CGIServlet does not terminate child after a| |34805|Ass|Enh|2005-05-08|warn about invalid security constraint url pattern| |34868|Ass|Enh|2005-05-11|allow to register a trust store for a session that| |35054|Inf|Enh|2005-05-25|warn if appBase is not existing as a File or direc| |36133|Inf|Enh|2005-08-10|Support JSS SSL implementation| |36362|New|Enh|2005-08-25|missing check for Java reserved keywords in tag fi| |36569|Inf|Enh|2005-09-09|Redirects produce illegal URL's | |36837|Inf|Enh|2005-09-28|Looking for ProxyHandler implementation of Http re| |36922|Inf|Enh|2005-10-04|setup.sh file mis-advertised and missing | |37018|Ass|Enh|2005-10-11|Document how to use tomcat-SSL with a pkcs11 token| |37334|Inf|Enh|2005-11-02|Realm digest property not aligned with the adminis| |37449|Opn|Enh|2005-11-10|Two UserDatabaseRealm break manager user | |37485|Inf|Enh|2005-11-14|I'd like to run init SQL after JDBC Connection cre| |37847|Ass|Enh|2005-12-09|Allow User To Optionally Specify Catalina Output F| |38216|Inf|Enh|2006-01-10|Extend Jmxproxy to allow call of MBean Operations | |38268|Inf|Enh|2006-01-13|User friendly: Need submit button on adding/deleti| |38360|Inf|Enh|2006-01-24|Domain for session cookies| |38546|Inf|Enh|2006-02-07|Google bot sends invalid If-Modifed-Since Header, | |38577|Inf|Enh|2006-02-08|Enhance logging of security failures | |38743|New|Min|2006-02-21|when using APR, JKS options are silently ignored | |38916|Inf|Enh|2006-03-10|HttpServletRequest cannot handle multipart request| |39053|Inf|Enh|2006-03-21|include Tomcat embedded sample| |39309|Opn|Enh|2006-04-14|tomcat can't compile big jsp, hitting a compiler l| |39740|New|Enh|2006-06-07|semi-colon ; isn't allowed as a query argument sep| |39862|Inf|Enh|2006-06-22|provide support for protocol-independent GenericSe| |40211|Inf|Enh|2006-08-08|Compiled JSP don't indent HTML code | |40218|New|Enh|2006-08-08|JNDI realm - recursive group/role matching| |40222|Inf|Enh|2006-08-09|Default Tomcat configuration alows easy session hi| |40402|New|Enh|2006-09-03|Manager should display Exceptions | |40510|New|Enh|2006-09-14|installer does not create shortcuts for all users | |40712|New|Enh|2006-10-10|Realm admin error.| |40728|Inf|Enh|2006-10-11|Catalina MBeans use non-serializable classes | |40766|New|Enh|2006-10-16|Using an unsecure jsessionid with mod_proxy_ajp ov| |40881|Opn|Enh|2006-11-02|Unable to receive message through TCP channel -> | |41007|Opn|Enh|2006-11-20|Can't define customized 503 error page| |41179|New|Enh|2006-12-15|400 Bad Request response during auto re-deployment| |41227|Opn|Enh|2006-12-21|When the jasper compiler fails to compile a JSP, i| |41337|Opn|Enh|2007-01-10|Display an error page if no cert is available on C| |41496|New|Enh|2007-01-30|set a security provider for jsse in a connector co| |41498|New|Enh|2007-01-30|allRolesMode Realm configuration option not docume| |41539|Inf|Enh|2007-02-05|NullPointerException during Embedded tomcat restar| |41673|New|Enh|2007-02-21|Jasper output the message of compiling error using| |41697|Ver|Enh|2007-02-25|make visible in debug output if charset from brows| |41709|Inf|Enh|2007-02-26|When calling the API that relates to the buffer af| |41718|New|Enh|2007-02-27|Status 302 response to GET request has no body whe| |42390|
Bug report for Tomcat Native [2010/01/24]
+---+ | Bugzilla Bug ID | | +-+ | | Status: UNC=Unconfirmed NEW=New ASS=Assigned| | | OPN=ReopenedVER=Verified(Skipped Closed/Resolved) | | | +-+ | | | Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major | | | | MIN=Minor NOR=NormalENH=Enhancement TRV=Trivial | | | | +-+ | | | | Date Posted | | | | | +--+ | | | | | Description | | | | | | | |38372|Inf|Cri|2006-01-25|tcnative-1.dll response overflow corruption, parti| |41361|New|Nor|2007-01-14|Content lost when read by a slow client. | |42090|New|Cri|2007-04-11|tcnative badly handles some OpenSSL disconnections| |45392|New|Nor|2008-07-14|No OCSP support for client SSL verification | |46041|New|Cri|2008-10-20|Tomcat service is terminated unexpectedly (tcnativ| |46179|New|Maj|2008-11-10|apr ssl client authentication | |46571|New|Nor|2009-01-21|tcnative blocks in APR poll on Solaris| |47319|New|Nor|2009-06-05|With APR, getRemoteHost() returns NULL for unknown| |47851|New|Nor|2009-09-16|thread-safety issues in the TC native Java code | |48253|New|Min|2009-11-20|Tomcat Native patch - adding dynamic locking callb| |48584|New|Min|2010-01-20|Error or ACCESS_VIOLATION on shutdown | +-+---+---+--+--+ | Total 11 bugs | +---+ - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r902711 - /tomcat/tc5.5.x/trunk/STATUS.txt
Author: kkolinko Date: Mon Jan 25 05:15:53 2010 New Revision: 902711 URL: http://svn.apache.org/viewvc?rev=902711&view=rev Log: votes Modified: tomcat/tc5.5.x/trunk/STATUS.txt Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=902711&r1=902710&r2=902711&view=diff == --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Mon Jan 25 05:15:53 2010 @@ -109,7 +109,7 @@ * Provide new option to allow = in cookie values http://people.apache.org/~markt/patches/2009-11-17-cookie-allow-equals.patch - +1: markt + +1: markt, kkolinko -1: * Alternative fix for CVE-2009-3555 SSL MITN @@ -117,7 +117,7 @@ technically possible an attack may succeed before the socket is closed The new patch only logs failed server initiated negotiations. http://people.apache.org/~markt/patches/2009-11-20-cve2009-3555-v2.patch - +1: markt, rjung + +1: markt, rjung, kkolinko -1: * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47609 @@ -242,7 +242,7 @@ +1: -1: - Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48004 +* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48004 Allow applications to set the Server header http://svn.apache.org/viewvc?rev=898527&view=rev +1: markt @@ -252,5 +252,5 @@ Prevent possible NPE in JNDIRealm when user does not exist Patch provided by Kevin Conaway http://svn.apache.org/viewvc?rev=898558&view=rev - +1: markt + +1: markt, kkolinko -1: - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
