Re: [VOTE] Release Apache Tomcat 7.0.8
On 04.02.2011 14:52, Mark Thomas wrote:

The proposed Apache Tomcat 7.0.8 release is now available for voting.

It can be obtained from:
http://people.apache.org/~markt/dev/tomcat-7/v7.0.8/

The svn tag is:
http://svn.apache.org/repos/asf/tomcat/tc7.0.x/tags/TOMCAT_7_0_8/

The proposed 7.0.8 release is:
[ ] Broken - do not release
[ ] Alpha - go ahead and release as 7.0.8 Alpha
[ ] Beta - go ahead and release as 7.0.8 Beta
[X] Stable - go ahead and release as 7.0.8 Stable

+1 just for the records, I saw that you are already proceeding.

Regards,

Rainer

- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1067462 - in /tomcat/tc5.5.x/trunk: ./ connectors/util/java/org/apache/tomcat/util/net/jsse/ container/webapps/docs/
Author: kkolinko
Date: Sat Feb 5 16:05:35 2011
New Revision: 1067462

URL: http://svn.apache.org/viewvc?rev=1067462&view=rev
Log:
Remove JSSE13Factory, JSSE13SocketFactory classes, because
- TC 5.5 runs on JRE 1.4+ and that comes bundled with JSSE 1.4, so these classes are no more needed.
- JSSE13SocketFactory directly references com.sun.net.* classes in its source code without using reflection, which impedes compiling. Rather than fixing it I am removing the unneeded class.

Removed:
    tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13Factory.java
    tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java
Modified:
    tomcat/tc5.5.x/trunk/STATUS.txt
    tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java
    tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml

Modified: tomcat/tc5.5.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=1067462&r1=1067461&r2=1067462&view=diff == --- tomcat/tc5.5.x/trunk/STATUS.txt (original) +++ tomcat/tc5.5.x/trunk/STATUS.txt Sat Feb 5 16:05:35 2011 
@@ -25,22 +25,6 @@ $Id$ PATCHES PROPOSED TO BACKPORT: [ New proposals should be added at the end of the list ] -* Remove JSSE13Factory, JSSE13SocketFactory classes, - because -- TC 5.5 runs on JRE 1.4+ and that comes bundled with JSSE 1.4, - so these classes are no more needed. -- JSSE13SocketFactory directly references com.sun.net.* classes in its - source code without using reflection, and that causes compilation failure - with my IDE/JRE settings. - 1) -svn delete connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13Factory.java -svn delete connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java - 2) - http://people.apache.org/~kkolinko/patches/2010-03-06_tc55_remove_JSSE13Factory_v2.patch - +1: kkolinko, markt, pero - -O: jim - -1: - * Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50325 Use JVM provided solutions to CVE-2009-3555 if available (i.e. RFC 5746 support) Modified: tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java?rev=1067462&r1=1067461&r2=1067462&view=diff == --- tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java (original) +++ tomcat/tc5.5.x/trunk/connectors/util/java/org/apache/tomcat/util/net/jsse/JSSEImplementation.java Sat Feb 5 16:05:35 2011 
@@ -58,17 +58,8 @@ public class JSSEImplementation extends logger.debug("Error getting factory: " + JSSE15Factory, ex); } } -if(factory == null && JdkCompat.isJava14() ) { -try { -Class factcl = Class.forName(JSSE14Factory); -factory = (JSSEFactory)factcl.newInstance(); -} catch(Exception ex) { -if(logger.isDebugEnabled()) { -logger.debug("Error getting factory: " + JSSE14Factory, ex); -} -} -} if(factory == null) { -factory = new JSSE13Factory(); +if(factory == null) { +factory = new JSSE14Factory(); } } Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=1067462&r1=1067461&r2=1067462&view=diff == --- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original) +++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Sat Feb 5 16:05:35 2011 @@ -78,6 +78,14 @@ + + + +Remove JSSE13Factory, JSSE13SocketFactory +classes, as Tomcat 5.5 always runs on JRE 1.4 or later. (kkolinko) + + +
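Review bot: In the JSSEImplementation.java hunk, the new fallback `factory = new JSSE14Factory();` uses JSSE14Factory as a type, while the removed lines used the same identifier as a String (`Class.forName(JSSE14Factory)` and `"Error getting factory: " + JSSE14Factory`). If that String constant has no remaining users it should be deleted in this commit, since a field and a class sharing one name reads ambiguously. The fallback is also no longer wrapped in a try/catch or guarded by `JdkCompat.isJava14()`; that matches the JRE 1.4+ premise in the log, but a one-line comment at the fallback stating that premise would help the next reader.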
svn propchange: r1066313 - svn:log
Author: markt Revision: 1066313 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:03:49 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:03:49 2011 @@ -1,2 +1,3 @@ Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50631 InternalNioInputBuffer should honor maxHttpHeadSize +This addresses CVE-2011-0534
svn propchange: r1057279 - svn:log
Author: markt Revision: 1057279 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:05:06 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:05:06 2011 @@ -1 +1,2 @@ -More filtering +Prevent XSS in Manager application +This addresses CVE-2011-0013
svn propchange: r1066244 - svn:log
Author: markt Revision: 1066244 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:06:36 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:06:36 2011 @@ -1 +1,2 @@ Improve HTTP specification compliance +This works-around the Oracle JVM bug that triggers a DoS. CVE currently not assigned.
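Review bot: The added log line ends with "CVE currently not assigned.", a statement that goes stale as soon as an identifier is issued and leaves this revision unsearchable by CVE until then. Suggest amending svn:log again once the CVE exists, so this revision carries the identifier the same way the other security fixes do. Minor wording: "works-around" used as a verb should be "works around".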
svn commit: r1067498 - in /tomcat/site/trunk: docs/security-7.html xdocs/security-7.xml
Author: markt
Date: Sat Feb 5 20:09:04 2011
New Revision: 1067498

URL: http://svn.apache.org/viewvc?rev=1067498&view=rev
Log:
Correct revision

Modified:
    tomcat/site/trunk/docs/security-7.html
    tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1067498&r1=1067497&r2=1067498&view=diff == --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Sat Feb 5 20:09:04 2011 @@ -303,8 +303,8 @@ using a carefully crafted request. This was fixed in - http://svn.apache.org/viewvc?rev=1066313&view=rev";> - revision 1066313. + http://svn.apache.org/viewvc?rev=1065939&view=rev";> + revision 1065939. This was identified by the Tomcat security team on 27 Feb 2011 and made public on 5 Feb 2011.
Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1067498&r1=1067497&r2=1067498&view=diff == --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Sat Feb 5 20:09:04 2011 @@ -42,8 +42,8 @@ using a carefully crafted request. This was fixed in - http://svn.apache.org/viewvc?rev=1066313&view=rev";> - revision 1066313. + http://svn.apache.org/viewvc?rev=1065939&view=rev";> + revision 1065939. This was identified by the Tomcat security team on 27 Feb 2011 and made public on 5 Feb 2011.
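Review bot: The unchanged context line in both hunks reads "identified by the Tomcat security team on 27 Feb 2011 and made public on 5 Feb 2011", so the identification date falls after the disclosure date and after this commit's own date of Sat Feb 5 2011. Since the entry is being corrected anyway, the identification date should be checked and fixed in xdocs/security-7.xml and docs/security-7.html in the same change, so the published advisory timeline is internally consistent.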
svn propchange: r1065939 - svn:log
Author: markt Revision: 1065939 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:10:02 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:10:02 2011 @@ -1,2 +1,3 @@ Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50631 InternalNioInputBuffer should honor maxHttpHeadSize +This addresses CVE-2011-0534
svn propchange: r1022134 - svn:log
Author: markt Revision: 1022134 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:11:32 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:11:32 2011 @@ -1 +1,2 @@ -Avoid unnecessary cast +Ensure work dir attribute is made read-only +CVE-2010-3718
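Review bot: The original log line "Avoid unnecessary cast" is replaced outright (the `-` line under `@@ -1 +1,2 @@`), so the property no longer records how the commit was first described, whereas the r1066313 amendment keeps its original lines and only appends the CVE. Suggest keeping the old line and appending the new description, and using the same "This addresses CVE-..." phrasing instead of a bare "CVE-2010-3718" so the security-fix logs share one format.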
svn propchange: r1057270 - svn:log
Author: markt Revision: 1057270 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:12:11 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:12:11 2011 @@ -1 +1,3 @@ -filter input of manager app servlets +Prevent XSS in Manager application +CVE-2011-0013 +
svn propchange: r1022560 - svn:log
Author: markt Revision: 1022560 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:12:38 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:12:38 2011 @@ -1 +1,2 @@ -Code clean-up. +Ensure work dir attribute is made read-only +CVE-2010-3718
svn propchange: r1066315 - svn:log
Author: markt Revision: 1066315 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:13:30 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:13:30 2011 @@ -1 +1,2 @@ Improve HTTP specification compliance +This works-around the Oracle JVM bug that triggers a DoS. CVE currently not assigned.
svn commit: r1067501 - in /tomcat/site/trunk: docs/security-5.html xdocs/security-5.xml
Author: markt
Date: Sat Feb 5 20:15:30 2011
New Revision: 1067501

URL: http://svn.apache.org/viewvc?rev=1067501&view=rev
Log:
Correct revision

Modified:
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/xdocs/security-5.xml

Modified: tomcat/site/trunk/docs/security-5.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-5.html?rev=1067501&r1=1067500&r2=1067501&view=diff == --- tomcat/site/trunk/docs/security-5.html (original) +++ tomcat/site/trunk/docs/security-5.html Sat Feb 5 20:15:30 2011 @@ -351,8 +351,8 @@ manager pages. This was fixed in - http://svn.apache.org/viewvc?rev=1057279&view=rev";> - revision 1057279. + http://svn.apache.org/viewvc?rev=1057518&view=rev";> + revision 1057518. This was identified by the Tomcat security team on 12 Nov 2010 and made public on 5 Feb 2011.
Modified: tomcat/site/trunk/xdocs/security-5.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-5.xml?rev=1067501&r1=1067500&r2=1067501&view=diff == --- tomcat/site/trunk/xdocs/security-5.xml (original) +++ tomcat/site/trunk/xdocs/security-5.xml Sat Feb 5 20:15:30 2011 @@ -58,8 +58,8 @@ manager pages. This was fixed in - http://svn.apache.org/viewvc?rev=1057279&view=rev";> - revision 1057279. + http://svn.apache.org/viewvc?rev=1057518&view=rev";> + revision 1057518. This was identified by the Tomcat security team on 12 Nov 2010 and made public on 5 Feb 2011.
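Review bot: The log message "Correct revision" does not say which advisory entry is being corrected, and the hunk context ("manager pages.") does not show a CVE identifier either, so this change cannot be found later by searching the history for the CVE. Suggest naming the advisory entry in the log, for example "Correct fix revision for <CVE id> on the 5.5.x security page".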
svn propchange: r1057518 - svn:log
Author: markt Revision: 1057518 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:15:46 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:15:46 2011 @@ -1 +1,2 @@ -Improve filtering +Prevent XSS in Manager application +CVE-2011-0013
svn propchange: r1027610 - svn:log
Author: markt Revision: 1027610 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:16:14 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:16:14 2011 @@ -1 +1,2 @@ -Avoid unnecessary cast +Ensure work dir attribute is made read-only +CVE-2010-3718
svn propchange: r1066318 - svn:log
Author: markt Revision: 1066318 Modified property: svn:log Modified: svn:log at Sat Feb 5 20:16:38 2011 -- --- svn:log (original) +++ svn:log Sat Feb 5 20:16:38 2011 @@ -1 +1,2 @@ Improve HTTP specification compliance +This works-around the Oracle JVM bug that triggers a DoS. CVE currently not assigned.
DO NOT REPLY [Bug 25060] Reloading context orphans currently open jndi datasource connections
https://issues.apache.org/bugzilla/show_bug.cgi?id=25060

--- Comment #6 from Cyril Bonté 2011-02-05 16:32:22 EST ---
Hi,
I wanted to open a bug report but finally found this old one.

(In reply to comment #4)
> I agree with Glenn that it is possible that some explicit clean-up could be
> performed using a Context LifeCycle Listener but this is a 'nice to have'.
> Therefore, since there is no memory leak here, I am changing this issue to an
> enhancement.

I don't totally agree because some pool configurations can cause a memory leak (due to a thread leak).
For example, when DBCP is configured with timeBetweenEvictionRunsMillis > 0, the thread won't stop at reload. After several reloads, PermGen becomes full.

This is still true with Tomcat 7.