DO NOT REPLY [Bug 49161] Unknown Publisher when installing tomcat 6.0.26
https://issues.apache.org/bugzilla/show_bug.cgi?id=49161

Mark Thomas changed:
What|Removed |Added
Severity|major |enhancement

--- Comment #1 from Mark Thomas 2010-04-21 03:13:43 EDT ---
The ASF has no such organisation-wide signing certificate. This is something that has been under discussion but needs a fair amount of infrastructure and process put in place to implement securely.

-- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the assignee for the bug.

- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[ANN] Apache Tomcat 5.5.29 released
The Apache Tomcat Team announces the immediate availability of Apache Tomcat 5.5.29 stable. Apache Tomcat 5.5.29 incorporates numerous bug fixes and fixes for four low severity security vulnerabilities. Please refer to the change log for the list of changes: http://tomcat.apache.org/tomcat-5.5-doc/changelog.html Please refer to the Tomcat 5 security page for the list of security fixes in this release: http://tomcat.apache.org/security-5.html Downloads: http://tomcat.apache.org/download-55.cgi Thank you, The Apache Tomcat Team - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r936270 - in /tomcat/site/trunk: docs/lists.html xdocs/lists.xml
Author: markt Date: Wed Apr 21 11:50:42 2010 New Revision: 936270 URL: http://svn.apache.org/viewvc?rev=936270&view=rev Log: Add RSS feeds from MarkMail for each of our mailing lists Modified: tomcat/site/trunk/docs/lists.html tomcat/site/trunk/xdocs/lists.xml Modified: tomcat/site/trunk/docs/lists.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/lists.html?rev=936270&r1=936269&r2=936270&view=diff == --- tomcat/site/trunk/docs/lists.html (original) +++ tomcat/site/trunk/docs/lists.html Wed Apr 21 11:50:42 2010 @@ -237,8 +237,8 @@ helping with the development and debuggi Formatted archives are available in several places including http://mail-archives.apache.org/mod_mbox/";>the Apache Mail Archives, http://marc.theaimsgroup.com/";>MARC, http://www.nabble.com/";>Nabble, and -http://tomcat.markmail.org/";>MarkMail. -The raw mbox files are also http://tomcat.apache.org/mail/";>available. +http://tomcat.markmail.org/";>MarkMail. The raw mbox files +are also http://tomcat.apache.org/mail/";>available. You can also use the mail-to-news nntp://news.gmane.org/";>gateway offered by http://news.gmane.org/index.php?match=gmane.comp.apache";>GMANE @@ -362,6 +362,12 @@ Tomcat questions to Eric or Rick themsel and at http://old.nabble.com/Tomcat---User-f342.html";>Nabble. + + RSS: + at http://tomcat.markmail.org/atom/+list:org%2Eapache%2Etomcat%2Eusers";> + MarkMail + + @@ -433,6 +439,12 @@ other project announcements. Apache. + + RSS: + at http://tomcat.markmail.org/atom/+list:org%2Eapache%2Etomcat%2Eannounce";> + MarkMail + + @@ -533,6 +545,12 @@ issues. Other questions will be ignored. and at http://old.nabble.com/Tomcat---Dev-f341.html";>Nabble. + + RSS: + at http://tomcat.markmail.org/atom/+list:org%2Eapache%2Etomcat%2Edev";> + MarkMail + + 
@@ -630,6 +648,12 @@ and how they can be used. (http://markmail.org/list/org.apache.jakarta.taglibs-user/";>older). + + RSS: + at http://jakarta.markmail.org/atom/+list:org%2Eapache%2Ejakarta%2Etaglibs-user";> + MarkMail + + Modified: tomcat/site/trunk/xdocs/lists.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/lists.xml?rev=936270&r1=936269&r2=936270&view=diff == --- tomcat/site/trunk/xdocs/lists.xml (original) +++ tomcat/site/trunk/xdocs/lists.xml Wed Apr 21 11:50:42 2010 @@ -48,8 +48,8 @@ helping with the development and debuggi href="http://mail-archives.apache.org/mod_mbox/";>the Apache Mail Archives, http://marc.theaimsgroup.com/";>MARC, http://www.nabble.com/";>Nabble, and -http://tomcat.markmail.org/";>MarkMail. -The raw mbox files are also http://tomcat.apache.org/mail/";>available. +http://tomcat.markmail.org/";>MarkMail. The raw mbox files +are also http://tomcat.apache.org/mail/";>available. You can also use the mail-to-news http://old.nabble.com/Tomcat---User-f342.html";>Nabble. + + RSS: + at http://tomcat.markmail.org/atom/+list:org%2Eapache%2Etomcat%2Eusers";> + MarkMail + + @@ -190,6 +197,13 @@ other project announcements. Apache. + + RSS: + at http://tomcat.markmail.org/atom/+list:org%2Eapache%2Etomcat%2Eannounce";> + MarkMail + + @@ -263,6 +277,13 @@ issues. Other questions will be ignored. and at http://old.nabble.com/Tomcat---Dev-f341.html";>Nabble. + + RSS: + at http://tomcat.markmail.org/atom/+list:org%2Eapache%2Etomcat%2Edev";> + MarkMail + + @@ -332,6 +353,13 @@ and how they can be used. (http://markmail.org/list/org.apache.jakarta.taglibs-user/";>older). + + RSS: + at http://jakarta.markmail.org/atom/+list:org%2Eapache%2Ejakarta%2Etaglibs-user";> + MarkMail + + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r936274 - /tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt
Author: markt Date: Wed Apr 21 12:07:05 2010 New Revision: 936274 URL: http://svn.apache.org/viewvc?rev=936274&view=rev Log: Minor fixes Modified: tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt Modified: tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt URL: http://svn.apache.org/viewvc/tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt?rev=936274&r1=936273&r2=936274&view=diff == --- tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt (original) +++ tomcat/trunk/TOMCAT-7-RELEASE-PLAN.txt Wed Apr 21 12:07:05 2010 @@ -32,7 +32,7 @@ - Section 4.5 - Compliant - Section 4.6 - TODO getResource() & META-INF/resources - Section 4.7 to 4.8 - Compliant - - Sections 5 to 7 + - Sections 5 to 7 - Compliant - Section 8 - in progress 8.1 - Compliant 8.2 - TODO - ServletContainerInitializer @@ -60,7 +60,7 @@ 7. Create tc7.0.x\trunk from trunk at first stable release -8. Nice to haves in first Tomcat 7 stable release inc. MBeans - - Lifecycle clean-up for init()/destroy() +8. Nice to haves in first Tomcat 7 stable release + - Lifecycle clean-up for init()/destroy() inc. MBeans - Remove old, unused code - Clean up internal API (eg remove unused params from methods) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r936289 - in /tomcat/trunk: java/org/apache/catalina/core/StandardThreadExecutor.java webapps/docs/changelog.xml webapps/docs/config/executor.xml
Author: jfclere Date: Wed Apr 21 12:55:19 2010 New Revision: 936289 URL: http://svn.apache.org/viewvc?rev=936289&view=rev Log: Fix for 43642. Modified: tomcat/trunk/java/org/apache/catalina/core/StandardThreadExecutor.java tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/webapps/docs/config/executor.xml Modified: tomcat/trunk/java/org/apache/catalina/core/StandardThreadExecutor.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/core/StandardThreadExecutor.java?rev=936289&r1=936288&r2=936289&view=diff == --- tomcat/trunk/java/org/apache/catalina/core/StandardThreadExecutor.java (original) +++ tomcat/trunk/java/org/apache/catalina/core/StandardThreadExecutor.java Wed Apr 21 12:55:19 2010 @@ -74,6 +74,11 @@ public class StandardThreadExecutor exte protected String name; /** + * prestart threads? + */ +protected boolean prestartminSpareThreads = false; + +/** * The maximum number of elements that can queue up before we reject them */ protected int maxQueueSize = Integer.MAX_VALUE; @@ -101,6 +106,9 @@ public class StandardThreadExecutor exte taskqueue = new TaskQueue(maxQueueSize); TaskThreadFactory tf = new TaskThreadFactory(namePrefix,daemon,getThreadPriority()); executor = new ThreadPoolExecutor(getMinSpareThreads(), getMaxThreads(), maxIdleTime, TimeUnit.MILLISECONDS,taskqueue, tf); +if (prestartminSpareThreads) { +executor.prestartAllCoreThreads(); +} taskqueue.setParent(executor); setState(LifecycleState.STARTING); @@ -172,6 +180,10 @@ public class StandardThreadExecutor exte return name; } +public boolean isPrestartminSpareThreads() { + +return prestartminSpareThreads; +} public void setThreadPriority(int threadPriority) { this.threadPriority = threadPriority; } 
@@ -205,6 +217,10 @@ public class StandardThreadExecutor exte } } +public void setPrestartminSpareThreads(boolean prestartminSpareThreads) { +this.prestartminSpareThreads = prestartminSpareThreads; +} + public void setName(String name) { this.name = name; } Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=936289&r1=936288&r2=936289&view=diff == --- tomcat/trunk/webapps/docs/changelog.xml (original) +++ tomcat/trunk/webapps/docs/changelog.xml Wed Apr 21 12:55:19 2010 @@ -35,6 +35,9 @@ + +43642: Add prestartminSpareThreads attribute for Executor. (jfclere) + Update Servlet support to the Servlet 3.0 specification. Note asynchronous support is not yet complete. (markt/fhanik) Modified: tomcat/trunk/webapps/docs/config/executor.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/config/executor.xml?rev=936289&r1=936288&r2=936289&view=diff == --- tomcat/trunk/webapps/docs/config/executor.xml (original) +++ tomcat/trunk/webapps/docs/config/executor.xml Wed Apr 21 12:55:19 2010 @@ -102,6 +102,10 @@ (int) The number of milliseconds before an idle thread shutsdown, unless the number of active threads are less or equal to minSpareThreads. Default value is 6(1 minute) + + (boolean) Whether minSpareThreads should be started when starting the Executor or not, + the default is false + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
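Review bot: the getter added in the StandardThreadExecutor hunk at `@@ -172,6 +180,10 @@`, `public boolean isPrestartminSpareThreads() {`, is followed by an empty `+` line before `return prestartminSpareThreads;`; drop the stray blank line so it matches the one-statement accessors around it. The Javadoc `prestart threads?` on the new field should say what is prestarted and when, i.e. that the minSpareThreads core threads are created via `executor.prestartAllCoreThreads()` during start(), since that is the only behaviour the flag controls. Note also that the field, getter and setter spell the name `prestartminSpareThreads`, unlike the camel-cased `maxQueueSize` and `getMinSpareThreads()` in the same class; because the name is exposed as an Executor attribute and documented in executor.xml, it is worth settling the spelling before it ships.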
DO NOT REPLY [Bug 48385] Expose RSS feed for tomcat releases
https://issues.apache.org/bugzilla/show_bug.cgi?id=48385 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution||FIXED --- Comment #1 from Mark Thomas 2010-04-21 11:22:15 EDT --- RSS feeds for all the mailing lists have been added to http://tomcat.apache.org/lists.html The changes should be visible in a few hours once the main web servers sync up. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email --- You are receiving this mail because: --- You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
DO NOT REPLY [Bug 49164] New: junit test ignores failures in threads
https://issues.apache.org/bugzilla/show_bug.cgi?id=49164

Summary: junit test ignores failures in threads
Product: Tomcat 7
Version: trunk
Platform: All
OS/Version: All
Status: NEW
Severity: minor
Priority: P2
Component: Cluster
AssignedTo: dev@tomcat.apache.org
ReportedBy: felix.schumac...@internetallee.de

Created an attachment (id=25328) --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25328)
channel exceptions from different threads to main junit thread

org.apache.catalina.tribes.test.interceptors.TestOrderInterceptor#testOrder2 starts a few threads to test concurrently sending events to one destination. It tries to make the junit test case fail in case of an exception. Junit will not see those failures, since they are in different threads. The attached patch will channel the exception to the main junit thread, which can call fail() if exceptions were caught. It will log only the first exception in the queue.
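An added illustration of the pattern the report describes, written here in Python rather than taken from the attached JUnit patch: `naive_run` reproduces the failure mode (a worker's AssertionError never reaches the test), and `run_and_collect_failures` / `assert_no_thread_failures` channel worker exceptions through a queue so the main test thread can fail on the first one. Function names are mine.

```python
import queue
import threading
from typing import Callable, List

Task = Callable[[], None]


def naive_run(tasks: List[Task]) -> None:
    """The failure mode from the bug: an exception raised on a worker thread is
    printed by the thread machinery but never propagates to the caller, so a
    test that drives workers this way passes even when every worker asserts."""
    threads = [threading.Thread(target=t, name=f"naive-{i}") for i, t in enumerate(tasks)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()


def run_and_collect_failures(tasks: List[Task]) -> List[BaseException]:
    """Run each task on its own thread and return the exceptions they raised.

    Every worker is wrapped so that any exception (an AssertionError from a
    fail() inside the worker included) is put on a thread-safe queue instead
    of dying with the thread. The queue is drained after join(), in arrival
    order, and handed back to the calling (main) thread."""
    failures: "queue.Queue[BaseException]" = queue.Queue()

    def guarded(task: Task) -> Task:
        def body() -> None:
            try:
                task()
            except BaseException as exc:  # a test harness must capture everything
                failures.put(exc)
        return body

    threads = [threading.Thread(target=guarded(t), name=f"worker-{i}")
               for i, t in enumerate(tasks)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()

    collected: List[BaseException] = []
    while True:
        try:
            collected.append(failures.get_nowait())
        except queue.Empty:
            return collected


def assert_no_thread_failures(tasks: List[Task]) -> None:
    """Call from the main test thread. Re-raises the first worker failure so
    the test runner sees it (the report's patch likewise reports only the
    first queued exception); the total count goes into the message."""
    failures = run_and_collect_failures(tasks)
    if failures:
        first = failures[0]
        raise AssertionError(
            f"{len(failures)} worker thread(s) failed; first: {first!r}"
        ) from first
```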
DO NOT REPLY [Bug 49165] New: Enhancement - Allow %{TIME_FORMAT}t As Configuration for AccessLogValve
https://issues.apache.org/bugzilla/show_bug.cgi?id=49165

Summary: Enhancement - Allow %{TIME_FORMAT}t As Configuration for AccessLogValve
Product: Tomcat 7
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: apache_bugzi...@zwiers.ca

AccessLogValve.DateAndTimeElement() can currently be configured only with %t, which outputs the date/time in Common Log Format. By adding the capability to configure with %{TIME_FORMAT}, one could override (at least) the timeFormatter property of the class ... or it could go further and allow overriding of all the [day, month, year, time]Formatter properties.

Justification for enhancement: The log currently provides the ability to log processing time in millis (via %T), but an accurate log of the order in which requests are received cannot be determined without the capability of logging a format with milliseconds using the %t element.
svn commit: r936539 - in /tomcat/trunk: java/org/apache/catalina/authenticator/ webapps/docs/
Author: markt Date: Wed Apr 21 22:11:29 2010 New Revision: 936539 URL: http://svn.apache.org/viewvc?rev=936539&view=rev Log: Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication. Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java tomcat/trunk/webapps/docs/realm-howto.xml Modified: tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=936539&r1=936538&r2=936539&view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Wed Apr 21 22:11:29 2010 @@ -107,6 +107,11 @@ public abstract class AuthenticatorBase protected static final String AUTH_HEADER_NAME = "WWW-Authenticate"; /** + * Default authentication realm name. + */ +protected static final String REALM_NAME = "Authentication required"; + +/** * The message digest algorithm to be used when generating session * identifiers. This must be an algorithm supported by the * java.security.MessageDigest class on your platform. Modified: tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=936539&r1=936538&r2=936539&view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java Wed Apr 21 22:11:29 2010 
@@ -165,9 +165,7 @@ public class BasicAuthenticator StringBuilder value = new StringBuilder(16); value.append("Basic realm=\""); if (config.getRealmName() == null) { -value.append(request.getServerName()); -value.append(':'); -value.append(Integer.toString(request.getServerPort())); +value.append(REALM_NAME); } else { value.append(config.getRealmName()); } Modified: tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=936539&r1=936538&r2=936539&view=diff == --- tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java (original) +++ tomcat/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java Wed Apr 21 22:11:29 2010 @@ -408,8 +408,7 @@ public class DigestAuthenticator // Get the realm name String realmName = config.getRealmName(); if (realmName == null) -realmName = request.getServerName() + ":" -+ request.getServerPort(); +realmName = REALM_NAME; byte[] buffer = null; synchronized (md5Helper) { Modified: tomcat/trunk/webapps/docs/realm-howto.xml URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/realm-howto.xml?rev=936539&r1=936538&r2=936539&view=diff == --- tomcat/trunk/webapps/docs/realm-howto.xml (original) +++ tomcat/trunk/webapps/docs/realm-howto.xml Wed Apr 21 22:11:29 2010 
@@ -209,7 +209,11 @@ java org.apache.catalina.realm.RealmBase {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}. For example, in a development environment this might take the form - testUser:localhost:8080:testPassword. + testUser:Authentication required:testPassword. The value for + {realm} is taken from the+ element of the web application's . If + not specified in web.xml, the default value of Authentication + required is used. To use either of the above techniques, the $CATALINA_HOME/lib/catalina.jar and - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
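Review bot: the Modified list of this trunk commit has no webapps/docs/changelog.xml entry, while the 6.0.x and 5.5.x backports each add a "Fix CVE-2010-1157" changelog item; add the same entry here so the trunk changelog records the fix. On the realm-howto hunk: for DIGEST the realm is an input to the stored credential (`{username}:{realm}:{cleartext-password}`), so a deployment that left `<realm-name>` unset and pre-computed its digests against the old `host:port` default will stop authenticating once the default becomes `Authentication required`; the new paragraph explains where the value comes from but should state that those digests must be regenerated, or an explicit realm name equal to the old value configured, after upgrading.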
svn commit: r936540 - in /tomcat/tc6.0.x/trunk: java/org/apache/catalina/authenticator/ webapps/docs/
Author: markt Date: Wed Apr 21 22:12:05 2010 New Revision: 936540 URL: http://svn.apache.org/viewvc?rev=936540&view=rev Log: Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication. Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/realm-howto.xml Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=936540&r1=936539&r2=936540&view=diff == --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/AuthenticatorBase.java Wed Apr 21 22:12:05 2010 @@ -99,6 +99,11 @@ public abstract class AuthenticatorBase /** + * Default authentication realm name. + */ +protected static final String REALM_NAME = "Authentication required"; + +/** * The message digest algorithm to be used when generating session * identifiers. This must be an algorithm supported by the * java.security.MessageDigest class on your platform. Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=936540&r1=936539&r2=936540&view=diff == --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/BasicAuthenticator.java Wed Apr 21 22:12:05 2010 
@@ -194,9 +194,7 @@ public class BasicAuthenticator CharChunk authenticateCC = authenticate.getCharChunk(); authenticateCC.append("Basic realm=\""); if (config.getRealmName() == null) { -authenticateCC.append(request.getServerName()); -authenticateCC.append(':'); -authenticateCC.append(Integer.toString(request.getServerPort())); +authenticateCC.append(REALM_NAME); } else { authenticateCC.append(config.getRealmName()); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=936540&r1=936539&r2=936540&view=diff == --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/authenticator/DigestAuthenticator.java Wed Apr 21 22:12:05 2010 @@ -406,8 +406,7 @@ public class DigestAuthenticator // Get the realm name String realmName = config.getRealmName(); if (realmName == null) -realmName = request.getServerName() + ":" -+ request.getServerPort(); +realmName = REALM_NAME; byte[] buffer = null; synchronized (md5Helper) { Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=936540&r1=936539&r2=936540&view=diff == --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Wed Apr 21 22:12:05 2010 
@@ -41,6 +41,11 @@ + +Fix CVE-2010-1157. Prevent possible disclosure of host name or IP +address via the HTTP WWW-Authenticate header when using BASIC or DIGEST +authentication. (markt) + Include context name when reporting memory leaks to aid root cause identification. (markt) Modified: tomcat/tc6.0.x/trunk/webapps/docs/realm-howto.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/realm-howto.xml?rev=936540&r1=936539&r2=936540&view=diff == --- tomcat/tc6.0.x/trunk/webapps/docs/realm-howto.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/realm-howto.xml Wed Apr 21 22:12:05 2010 @@ -209,7 +209,11 @@ java org.apache.catalina.realm.RealmBase {cleartext-password} must be replaced with {username}:{realm}:{cleartext-password}. For example, in a development environment this m
svn commit: r936541 - in /tomcat/tc5.5.x/trunk/container: catalina/src/share/org/apache/catalina/authenticator/ webapps/docs/
Author: markt Date: Wed Apr 21 22:13:26 2010 New Revision: 936541 URL: http://svn.apache.org/viewvc?rev=936541&view=rev Log: Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication. Modified: tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml Modified: tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java?rev=936541&r1=936540&r2=936541&view=diff == --- tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java (original) +++ tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java Wed Apr 21 22:13:26 2010 
@@ -99,6 +99,11 @@ public abstract class AuthenticatorBase /** + * Default authentication realm name. + */ +protected static final String REALM_NAME = "Authentication required"; + +/** * The message digest algorithm to be used when generating session * identifiers. This must be an algorithm supported by the * java.security.MessageDigest class on your platform. Modified: tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java?rev=936541&r1=936540&r2=936541&view=diff == --- tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java (original) +++ tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/BasicAuthenticator.java Wed Apr 21 22:13:26 2010 @@ -194,9 +194,7 @@ public class BasicAuthenticator CharChunk authenticateCC = authenticate.getCharChunk(); authenticateCC.append("Basic realm=\""); if (config.getRealmName() == null) { -authenticateCC.append(request.getServerName()); -authenticateCC.append(':'); -authenticateCC.append(Integer.toString(request.getServerPort())); +authenticateCC.append(REALM_NAME); } else { authenticateCC.append(config.getRealmName()); } Modified: tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java?rev=936541&r1=936540&r2=936541&view=diff == --- tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java (original) +++ tomcat/tc5.5.x/trunk/container/catalina/src/share/org/apache/catalina/authenticator/DigestAuthenticator.java Wed Apr 21 22:13:26 2010 
@@ -406,8 +406,7 @@ public class DigestAuthenticator // Get the realm name String realmName = config.getRealmName(); if (realmName == null) -realmName = request.getServerName() + ":" -+ request.getServerPort(); +realmName = REALM_NAME; byte[] buffer = null; synchronized (md5Helper) { Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=936541&r1=936540&r2=936541&view=diff == --- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original) +++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Wed Apr 21 22:13:26 2010 @@ -51,6 +51,11 @@ +Fix CVE-2010-1157. Prevent possible disclosure of host name or IP +address via the HTTP WWW-Authenticate header when using BASIC or DIGEST +authentication. (markt) + + 44041, 48694: Fix duplicate class definition under load. Avoid possible deadlock in class loading. (markt/kkolinko) Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xml URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/realm-howto.xm
svn commit: r936542 - in /tomcat/site/trunk: docs/security-5.html docs/security-6.html xdocs/security-5.xml xdocs/security-6.xml
Author: markt Date: Wed Apr 21 22:15:46 2010 New Revision: 936542 URL: http://svn.apache.org/viewvc?rev=936542&view=rev Log: Add CVE-2010-1157 Modified: tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/xdocs/security-5.xml tomcat/site/trunk/xdocs/security-6.xml Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=936542&r1=936541&r2=936542&view=diff == --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Wed Apr 21 22:15:46 2010 @@ -192,6 +192,9 @@ Apache Tomcat 5.x vulnerabilities +Fixed in subversion for Apache Tomcat 5.5.x + + Fixed in Apache Tomcat 5.5.29 @@ -302,6 +305,56 @@ + +Fixed in subversion for Apache Tomcat 5.5.x + + + + + + + + + + +Note: These issues will be fixed in 5.5.30 but that version has not + yet been released. + + + +Low: Information disclosure in authentication headers + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157";> + CVE-2010-1157 + + +The WWW-Authenticate HTTP header for BASIC and DIGEST + authentication includes a realm name. If a +element is specified for the application + in web.xml it will be used. However, a + is not specified then Tomcat will generate realm name using the code + snippet request.getServerName() + ":" + + request.getServerPort(). In some circumstances this can expose + the local host name or IP address of the machine running Tomcat. + + +This was fixed in + http://svn.apache.org/viewvc?rev=936541&view=rev";> + revision 936541. + + + + + + + + + + + + + + + Fixed in Apache Tomcat 5.5.29 Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=936542&r1=936541&r2=936542&view=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Wed Apr 21 22:15:46 2010 
@@ -192,6 +192,9 @@ Apache Tomcat 6.x vulnerabilities +Fixed in subversion for Apache Tomcat 6.0.x + + Fixed in Apache Tomcat 6.0.24 @@ -275,6 +278,56 @@ + +Fixed in subversion for Apache Tomcat 6.0.x + + + + + + + + + + +Note: These issues will be fixed in 6.0.27 but that version has not + yet been released. + + + +Low: Information disclosure in authentication headers + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157";> + CVE-2010-1157 + + +The WWW-Authenticate HTTP header for BASIC and DIGEST + authentication includes a realm name. If a + element is specified for the application + in web.xml it will be used. However, a + is not specified then Tomcat will generate realm name using the code + snippet request.getServerName() + ":" + + request.getServerPort(). In some circumstances this can expose + the local host name or IP address of the machine running Tomcat. + + +This was fixed in + http://svn.apache.org/viewvc?rev=936540&view=rev";> + revision 936540. + + + + + + + + + + + + + + + Fixed in Apache Tomcat 6.0.24 Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=936542&r1=936541&r2=936542&view=diff == --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Wed Apr 21 22:15:46 2010 
@@ -46,6 +46,31 @@ --> + + +Note: These issues will be fixed in 5.5.30 but that version has not + yet been released. + +Low: Information disclosure in authentication headers + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1157";> + CVE-2010-1157 + +The WWW-Authenticate HTTP header for BASIC and DIGEST + authentication includes a realm name. If a + element is specified for the application + in web.xml it will be used. However, a + is not specified then Tomcat will generate realm name using the code + snippet request.getServerName() + ":" + + request.getServerPort(). In some circumstances this can expose + the local host name or IP address of the machine running Tomcat. + + +This was fixed in + http://svn.apache.org/viewvc?rev=936541&view=rev";> + revision 936541. + + + Low: Arbitrary file deletion and/or alteration on deploy Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=936542&r1=936541&r2=936542&view=diff ==
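Review bot: the vulnerability text added to all four security pages reads "However, a is not specified then Tomcat will generate realm name using the code snippet"; it is missing the "if" and the article, and should read "However, if a realm-name element is not specified then Tomcat will generate a realm name using the code snippet ...". The same sentence is repeated verbatim in security-5.html, security-6.html, security-5.xml and security-6.xml, so fix it in the two xdocs sources and regenerate the html rather than patching each copy. The revision references are consistent with the commits above (936541 for 5.5.x, 936540 for 6.0.x).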
[SECURITY] CVE-2010-1157: Apache Tomcat information disclosure vulnerability
CVE-2010-1157: Apache Tomcat information disclosure vulnerability

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 6.0.0 to 6.0.26
- Tomcat 5.5.0 to 5.5.29
Note: The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be affected.

Description:
The "WWW-Authenticate" header for BASIC and DIGEST authentication includes a realm name. If a element is specified for the application in web.xml it will be used. However, if one is not specified then Tomcat will generate one using the code snippet:
request.getServerName() + ":" + request.getServerPort()
In some circumstances this can expose the local hostname or IP address of the machine running Tomcat.

Example:
GET /application/j_security_check HTTP/1.0

HTTP/1.1 401 Unauthorized
Server: Apache-Coyote/1.1
WWW-Authenticate: Basic realm="tomcat01:8080"
Content-Type: text/html;charset=utf-8
Content-Length: 954
Date: Thu, 31 Dec 2009 12:18:11 GMT
Connection: close

Mitigation:
Administrators of web applications that use BASIC or DIGEST authentication are recommended to set an appropriate realm name in the web application's web.xml file. Alternatively, the following patches may be used to change the default realm to "Authentication required" (without the quotes):
- Tomcat 6.0.x: http://svn.apache.org/viewvc?view=rev&rev=936540
- Tomcat 5.5.x: http://svn.apache.org/viewvc?view=rev&rev=936541
These patches will be included in the next releases of Tomcat 5.5.x and Tomcat 6.0.x. No release date has been set for the next Tomcat 5.5.x and Tomcat 6.0.x releases.

Credit:
This issue was discovered by Deniz Cevik.
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

The Apache Tomcat Security Team
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJLz3o5AAoJEBDAHFovYFnn7NgP/jyjnqK98FfruhzL0eB/b748
7EYP8k//kbmq8SIYyDkHkmlGfDNE+epxLudgSLbwg8QJdNG50JHwjTzAcclPCyu6
jx3NuJVKxn8KloD3rmxhrIItLG/yQ50JP3tnNO3xC4pS4j8dzdrTS2lFPXxcna6e
o9rMUwPLTEsLvNhd93sUIpdXuLhG9TP7dOeAD737ybvmRcz612igGyyT3hVUeGsK
TvJ+uzZTLJi+Wz0UMRdseqsgp1OW2DeMyao67bPaUrbX9EfLA+yUfXV6TRByT4C5
S5BB3mTz8WBgWkscCmKB0mqmtiPfv7PxlRDfMyPAkFhezPAnL5UD4fSZ3Aes8rTO
IF6CM/lWXm+eMECVwuIh7RdiPJtpe/1ZTQ2EtAQ/JZOIoDX2sKNF92opGeNiZPp9
P78tfksI23tLNJeDcJmL1a2L1yP8pcvAnd6AhYwZPc+LoZBKOsqEMMDU9CmbT3LY
2Fyn8h5yV9Fql9TR9J87aB9BDcQ5vqtdJ17qO20ur54SockI/oNi45tpDf76sJQB
0iOVY1MDu9J4c3xvtmWrdsAZF8VFDhW8nXdKOATh2cVQg/P4aELW2eyGUbiL5hLZ
EWgiZRQWm815MqEwikbztMON4OipensBx1wNuKvj2VKs3VK8tkSuXigViOCTYo+c
mm73gFAt6VWTF5sbfTuA
=mtgX
-----END PGP SIGNATURE-----

- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
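A check for the behaviour the advisory above describes, added here as an example; it is not code from the advisory or from Tomcat. It parses the WWW-Authenticate challenges of a 401 response (Basic and Digest, several challenges per header, quoted and unquoted parameters) and flags any realm that has the host:port shape of the unpatched default, request.getServerName() + ":" + request.getServerPort(). The three sample responses are constructed, modelled on the advisory's example; the function and variable names are this example's own.

```python
"""Audit WWW-Authenticate challenges for the CVE-2010-1157 default realm.

Added example; not code from the advisory or from Tomcat. Unpatched
Tomcat 5.5.x/6.0.x fills in a missing <realm-name> with
request.getServerName() + ":" + request.getServerPort(), so a realm that
parses as host:port is the indicator looked for here. The sample 401
responses below are constructed, modelled on the advisory's example.
"""
import re

# One WWW-Authenticate value may carry several challenges, e.g.
#   Basic realm="a", Digest realm="b", nonce="..."
# so the tokenizer must tell a scheme token from an auth-param (token=value).
_TOKEN_RE = re.compile(
    r'\s*(?:'
    r'(?P<key>[A-Za-z0-9._~+/-]+)\s*=\s*'
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<raw>[^\s,]+))'
    r'|(?P<scheme>[A-Za-z][A-Za-z0-9._~+/-]*)(?=\s|,|$)'
    r')\s*,?'
)

# Shape of the generated realm: hostname, dotted IPv4 or bracketed IPv6, then :port.
_HOST_PORT_RE = re.compile(
    r'^(?:\[(?P<v6>[0-9A-Fa-f:.]+)\]'
    r'|(?P<host>[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?'
    r'(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*))'
    r':(?P<port>\d{1,5})$'
)


def parse_challenges(header_value):
    """Split a WWW-Authenticate value into [(scheme, {param: value}), ...]."""
    challenges = []
    text = header_value.strip()
    pos = 0
    while pos < len(text):
        m = _TOKEN_RE.match(text, pos)
        if not m:
            raise ValueError("unparseable challenge at offset %d: %r" % (pos, text[pos:]))
        if m.group("scheme") is not None:
            challenges.append((m.group("scheme"), {}))
        else:
            if not challenges:
                raise ValueError("auth-param before any scheme: %r" % text)
            value = m.group("quoted")
            if value is None:
                value = m.group("raw")
            else:
                value = re.sub(r'\\(.)', r'\1', value)  # undo quoted-pair escaping
            challenges[-1][1][m.group("key").lower()] = value
        pos = m.end()
    return challenges


def realm_looks_generated(realm):
    """True when the realm has the host:port shape of Tomcat's pre-fix default."""
    m = _HOST_PORT_RE.match(realm)
    return bool(m) and 0 < int(m.group("port")) <= 65535


def audit_response(raw_response):
    """Return [(scheme, realm, leaks)] for each Basic/Digest challenge in a raw HTTP response."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    findings = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        for scheme, params in parse_challenges(value):
            if scheme.lower() not in ("basic", "digest"):
                continue
            realm = params.get("realm", "")
            findings.append((scheme, realm, realm_looks_generated(realm)))
    return findings


# Constructed responses (not captured traffic), after the advisory's example.
UNPATCHED_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Apache-Coyote/1.1\r\n"
    'WWW-Authenticate: Basic realm="tomcat01:8080"\r\n'
    "Content-Type: text/html;charset=utf-8\r\n"
    "Content-Length: 0\r\n\r\n"
)
PATCHED_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Authentication required"\r\n'
    "Content-Length: 0\r\n\r\n"
)
DIGEST_IP_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="10.0.0.5:8443", qop="auth", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"\r\n'
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("unpatched", UNPATCHED_401), ("patched", PATCHED_401),
                       ("digest/ip", DIGEST_IP_401)):
        for scheme, realm, leaks in audit_response(raw):
            verdict = "realm looks like host:port, likely the generated default" if leaks else "ok"
            print("%-10s %-6s realm=%r: %s" % (label, scheme, realm, verdict))
```

Two things to keep in mind when running this against a live server. The advisory's example sends an HTTP/1.0 request with no Host header, which is what makes getServerName() fall back to the machine's own name instead of echoing whatever the client sent, so a probe should do the same. And the check is a heuristic: a deliberately configured realm such as "example.com:443" matches too, so confirm a hit by repeating the request with a different Host header and seeing whether the realm follows it, or by looking for the realm-name in the application's web.xml.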
svn commit: r936589 - /tomcat/tc5.5.x/trunk/STATUS.txt
Author: kkolinko Date: Thu Apr 22 01:10:50 2010 New Revision: 936589 URL: http://svn.apache.org/viewvc?rev=936589&view=rev Log: veto and propose another patch Modified: tomcat/tc5.5.x/trunk/STATUS.txt Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=936589&r1=936588&r2=936589&view=diff == --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Thu Apr 22 01:10:50 2010 @@ -48,9 +48,24 @@ PATCHES PROPOSED TO BACKPORT: Port of r439565, r832102 & r904834 http://people.apache.org/~markt/patches/2010-01-30-bug47878-tc5.patch +1: markt + -1: kkolinko: (I think the patch to JspServletWrapper#service() method is wrong. + + One thing that surely is wrong there: when FileNotFoundException is caught after + compile() we may respond with response.sendError(SC_NOT_FOUND). + This sendError() call should be followed by return, but instead we + fall down to execute theServlet.service() method. + Actually that sendError() is not needed, as we can just rethrow the FNFE: + our caller - JspServlet#serviceJspFile() - will catch it and report. + + I propose a corrected patch below. I replaced the proposed changes to + JspServletWrapper#service() with the current code from 6.0.x. + ) + + Corrected patch based on Mark's one: + http://people.apache.org/~kkolinko/patches/2010-04-22_tc55_bug47878.patch + +1: kkolinko -1: - kkolinko - Just a note: This issue won't affect configurations where Jasper - runs with development=false. + * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48179 Improve processing of TLD cache file - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
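Review bot: the three removed lines at the end of the hunk ("Just a note: This issue won't affect configurations where Jasper runs with development=false.") carry scoping information that is still true of the corrected patch and useful to anyone deciding whether the backport matters to them; keep that sentence next to the new veto comment rather than dropping it with the old vote line.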
svn commit: r936592 - /tomcat/tc6.0.x/trunk/STATUS.txt
Author: kkolinko Date: Thu Apr 22 01:30:19 2010 New Revision: 936592 URL: http://svn.apache.org/viewvc?rev=936592&view=rev Log: votes Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=936592&r1=936591&r2=936592&view=diff == --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Apr 22 01:30:19 2010 @@ -170,7 +170,7 @@ PATCHES PROPOSED TO BACKPORT: * Fix cross-context session expiration http://svn.apache.org/viewvc?rev=926716&view=rev - +1: markt + +1: markt, kkolinko -1: * Add support for displaying the Spring Security user name in the manager app @@ -218,6 +218,7 @@ PATCHES PROPOSED TO BACKPORT: Alternative patch: Note: This was applied to 5.5 in r934922 + No need to apply this to trunk, because there are no Workers in trunk. https://issues.apache.org/bugzilla/attachment.cgi?id=25225 +1: kkolinko -1: @@ -239,6 +240,11 @@ PATCHES PROPOSED TO BACKPORT: http://people.apache.org/~markt/patches/2010-04-08-bug48379.patch +1: markt, kfujino -1: + kkolinko: Re: @@ -2252,22 +2252,11 @@ patch to Request.java: +There is (context == null) check just below the changed lines. Either +that check is not needed, or the changed code may throw an NPE on +context.getSessionCookieName() call. + * https://issues.apache.org/bugzilla/show_bug.cgi?id=49081 "#${1+1}" should evaluate to "#2" - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
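Review bot: in the last hunk, the concern on the bug48379 entry ("the changed code may throw an NPE on context.getSessionCookieName() call") is added as a comment while the entry keeps "+1: markt, kfujino" and an empty "-1:" line; if the (context == null) check below the changed lines is needed, record a -1 until the patch moves the getSessionCookieName() call under that check, otherwise the entry reads as ready to apply with a known NPE.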
Re: svn commit: r936270 - in /tomcat/site/trunk: docs/lists.html xdocs/lists.xml
2010/4/21 : > Author: markt > Date: Wed Apr 21 11:50:42 2010 > New Revision: 936270 > > URL: http://svn.apache.org/viewvc?rev=936270&view=rev > Log: > Add RSS feeds from MarkMail for each of our mailing lists > > Modified: > tomcat/site/trunk/docs/lists.html > tomcat/site/trunk/xdocs/lists.xml > >(...) > @@ -332,6 +353,13 @@ and how they can be used. > ( href="http://markmail.org/list/org.apache.jakarta.taglibs-user/";>older). > > > + > + RSS: > + at + > href="http://jakarta.markmail.org/atom/+list:org%2Eapache%2Ejakarta%2Etaglibs-user";> > + MarkMail > + > + It is interesting that at MarkMail the new taglibs-user list still operates under its old name "org.apache.jakarta.taglibs-user", and not the new one "org.apache.tomcat.taglibs-user". Thus the old name in the RSS feed. Maybe that is good. Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org