svn commit: r1572867 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml
Author: markt Date: Fri Feb 28 08:06:35 2014 New Revision: 1572867 URL: http://svn.apache.org/r1572867 Log: Correct vulnerability type. Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1572867&r1=1572866&r2=1572867&view=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Fri Feb 28 08:06:35 2014 @@ -378,7 +378,7 @@ -Important: Information disclosure +Important: Denial of service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322"; rel="nofollow">CVE-2013-4322 Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1572867&r1=1572866&r2=1572867&view=diff == --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Fri Feb 28 08:06:35 2014 @@ -373,7 +373,7 @@ -Important: Information disclosure +Important: Denial of service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322"; rel="nofollow">CVE-2013-4322 Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1572867&r1=1572866&r2=1572867&view=diff == --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Fri Feb 28 08:06:35 2014 
@@ -319,7 +319,7 @@ -Important: Information disclosure +Important: Denial of service http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322"; rel="nofollow">CVE-2013-4322 Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1572867&r1=1572866&r2=1572867&view=diff == --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Fri Feb 28 08:06:35 2014 @@ -101,7 +101,7 @@ Affects: 6.0.0 to 6.0.37 -Important: Information disclosure +Important: Denial of service CVE-2013-4322 The fix for CVE-2012-3544 was not complete. It did not cover the Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1572867&r1=1572866&r2=1572867&view=diff == --- tomcat/site/trunk/xdocs/security-7.xml (original) +++ tomcat/site/trunk/xdocs/security-7.xml Fri Feb 28 08:06:35 2014 @@ -89,7 +89,7 @@ that includes fixes for these issues, versions 7.0.48 to 7.0.49 are not included in the list of affected versions. -Important: Information disclosure +Important: Denial of service CVE-2013-4322 The fix for CVE-2012-3544 was not complete. It did not cover the Modified: tomcat/site/trunk/xdocs/security-8.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1572867&r1=1572866&r2=1572867&view=diff == --- tomcat/site/trunk/xdocs/security-8.xml (original) +++ tomcat/site/trunk/xdocs/security-8.xml Fri Feb 28 08:06:35 2014 @@ -89,7 +89,7 @@ that includes a fix for this issue, versions 8.0.0-RC6 to 8.0.0-RC9 are not included in the list of affected versions. -Important: Information disclosure +Important: Denial of service CVE-2013-4322 The fix for CVE-2012-3544 was not complete. It did not cover the - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
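Review bot: the only change in all six hunks is the impact label for CVE-2013-4322, from "Information disclosure" to "Denial of service", and it is applied to both the docs/security-{6,7,8}.html pages and the xdocs/security-{6,7,8}.xml sources, so the two copies stay in step. The affected-version context ("6.0.0 to 6.0.37", "7.0.48 to 7.0.49 are not included", "8.0.0-RC6 to 8.0.0-RC9 are not included") and the description opening "The fix for CVE-2012-3544 was not complete" are untouched, which is right for a reclassification; the severity rating "Important" is carried over unchanged as well, so it is worth confirming that rating still matches the new impact type rather than the old one.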
Re: svn commit: r1572867 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml
Hello

2014-02-28 9:06 GMT+01:00 :
> Author: markt
> Date: Fri Feb 28 08:06:35 2014
> New Revision: 1572867
>
> URL: http://svn.apache.org/r1572867
> Log:
> Correct vulnerability type.
>

For your information, there are also several typos with the year in that page:

CVE-2013-4590
"This issue was identified by the Apache Tomcat security team on 29 October 2014"

CVE-2014-0033
"This issue was identified by the Apache Tomcat security team on 1 December 2014"

CVE-2013-4322
"the second part by Saran Neti of TELUS Security Labs on 5 November 2014"
Re: svn commit: r1572867 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml
On 28/02/2014 08:47, Cédric Couralet wrote:
> Hello
>
> 2014-02-28 9:06 GMT+01:00 :
>
>> Author: markt
>> Date: Fri Feb 28 08:06:35 2014
>> New Revision: 1572867
>>
>> URL: http://svn.apache.org/r1572867
>> Log:
>> Correct vulnerability type.
>>
> For your information, there are also several typos with the year in that
> page :
> CVE-2013-4590
> "This issue was identified by the Apache Tomcat security team on 29 October
> 2014 "
> CVE-2014-0033
> "This issue was identified by the Apache Tomcat security team on 1 December
> 2014"
> CVE-2013-4322
> "the second part by Saran Neti of TELUS Security Labs on 5 November 2014"

Thanks. Dates fixed.

Mark
svn commit: r1572888 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml
Author: markt Date: Fri Feb 28 09:12:00 2014 New Revision: 1572888 URL: http://svn.apache.org/r1572888 Log: Correct dates. Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1572888&r1=1572887&r2=1572888&view=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Fri Feb 28 09:12:00 2014 @@ -400,7 +400,7 @@ The first part of this issue was identified by the Apache Tomcat security team on 27 August 2013 and the second part by Saran Neti of TELUS - Security Labs on 5 November 2014. It was made public on 25 February 2014. + Security Labs on 5 November 2013. It was made public on 25 February 2014. @@ -424,7 +424,7 @@ This issue was identified by the Apache Tomcat security team on 29 - October 2014 and made public on 25 February 2014. + October 2013 and made public on 25 February 2014. Affects: 6.0.0 to 6.0.37 @@ -447,7 +447,7 @@ This issue was identified by the Apache Tomcat security team on 1 - December 2014 and made public on 25 February 2014. + December 2013 and made public on 25 February 2014. Affects: 6.0.33 to 6.0.37 Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1572888&r1=1572887&r2=1572888&view=diff == --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Fri Feb 28 09:12:00 2014 
@@ -396,7 +396,7 @@ The first part of this issue was identified by the Apache Tomcat security team on 27 August 2013 and the second part by Saran Neti of TELUS - Security Labs on 5 November 2014. It was made public on 25 February 2014. + Security Labs on 5 November 2013. It was made public on 25 February 2014. @@ -420,7 +420,7 @@ This issue was identified by the Apache Tomcat security team on 29 - October 2014 and made public on 25 February 2014. + October 2013 and made public on 25 February 2014. Affects: 7.0.0 to 7.0.47 Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1572888&r1=1572887&r2=1572888&view=diff == --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Fri Feb 28 09:12:00 2014 @@ -342,7 +342,7 @@ The first part of this issue was identified by the Apache Tomcat security team on 27 August 2013 and the second part by Saran Neti of TELUS - Security Labs on 5 November 2014. It was made public on 25 February 2014. + Security Labs on 5 November 2013. It was made public on 25 February 2014. @@ -366,7 +366,7 @@ This issue was identified by the Apache Tomcat security team on 29 - October 2014 and made public on 25 February 2014. + October 2013 and made public on 25 February 2014. Affects: 8.0.0-RC1 to 8.0.0-RC5 Modified: tomcat/site/trunk/xdocs/security-6.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-6.xml?rev=1572888&r1=1572887&r2=1572888&view=diff == --- tomcat/site/trunk/xdocs/security-6.xml (original) +++ tomcat/site/trunk/xdocs/security-6.xml Fri Feb 28 09:12:00 2014 @@ -115,7 +115,7 @@ The first part of this issue was identified by the Apache Tomcat security team on 27 August 2013 and the second part by Saran Neti of TELUS - Security Labs on 5 November 2014. It was made public on 25 February 2014. + Security Labs on 5 November 2013. It was made public on 25 February 2014. Affects: 6.0.0 to 6.0.37 
@@ -132,7 +132,7 @@ This was fixed in revision 1558828. This issue was identified by the Apache Tomcat security team on 29 - October 2014 and made public on 25 February 2014. + October 2013 and made public on 25 February 2014. Affects: 6.0.0 to 6.0.37 @@ -148,7 +148,7 @@ This was fixed in revision 1558822. This issue was identified by the Apache Tomcat security team on 1 - December 2014 and made public on 25 February 2014. + December 2013 and made public on 25 February 2014. Affects: 6.0.33 to 6.0.37 Modified: tomcat/site/trunk/xdocs/security-7.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs
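Review bot: each of the three corrected dates moves a discovery date from 2014 to 2013 (5 November, 29 October, 1 December), which restores a consistent timeline: the surrounding text says the issues were made public on 25 February 2014, and the old dates placed discovery after disclosure. The fix is applied to both the docs/ HTML and the xdocs/ XML copies. The message is cut off partway through the xdocs/security-7.xml URL, so the remaining xdocs/security-7.xml and xdocs/security-8.xml hunks are not visible here and should be checked in the full revision.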
[VOTE] Release Apache Tomcat Connectors 1.2.39
Hi,

Apache Tomcat Connectors 1.2.39 release candidate is ready for vote at [1].
The build was done using tag [2].

This version fixes a few bugs found in released version 1.2.37 and adds some new features like IPV6 support.

The VOTE will remain open for at least 48 hours.

The Apache Tomcat Connectors 1.2.39 is
[ ] Stable, go ahead and release
[ ] Broken because of ...

[1] http://people.apache.org/~mturk/tomcat-connectors/jk-1.2.39/
[2] https://svn.apache.org/repos/asf/tomcat/jk/tags/JK_1_2_39/

Regards
--
^TM
[Bug 56190] Connection keep-alive not working with asynchronous servlet
https://issues.apache.org/bugzilla/show_bug.cgi?id=56190

Francois-Xavier Bonnet changed:

           What       |Removed   |Added
           Status     |RESOLVED  |REOPENED
           Resolution |INVALID   |---

--- Comment #4 from Francois-Xavier Bonnet ---
Thanks for your answers. I had a closer look at the specifications and there is no problem about the keep-alive header.

About the "Transfer-Encoding: chunked" header: in my test I am just writing "Hello world" in the response (should be small enough for the buffer), there is no flush, so when I call the AsyncContext.complete() method the content size is perfectly known and I would expect the server to set the Content-Length header and not to use chunked content encoding. According to the Servlet 3.0 specification, "The content length is automatically set if the entire response fits inside the response buffer."
http://docs.oracle.com/javaee/6/api/javax/servlet/http/HttpServlet.html#doGet(javax.servlet.http.HttpServletRequest, javax.servlet.http.HttpServletResponse)

Just to explain how I found this issue: I was doing some tests with Apache Benchmark. I was surprised to see that the performance of Tomcat was not good compared to other servlet containers, then I noticed that keep-alive was not working with Tomcat while it was with other servlet containers like Jetty. It looks like ab disables keep-alive when the response is chunked.
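As an added check (not code from the bug report or from Tomcat), a small Python parser that tells whether a captured response is framed by Content-Length or by chunked encoding, and whether HTTP keep-alive can survive it; the two sample responses are constructed by hand, both carrying the same 11-byte "Hello world" body, and probe() is an assumed helper for trying the same classification against a live server.

```python
import http.client

# Constructed sample: the framing the reporter expected for a small, unflushed body.
CL_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
               b"Content-Length: 11\r\n\r\nHello world")
# Constructed sample: the same body as the reporter saw it, chunked (0xb == 11 bytes).
CHUNKED_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                    b"Transfer-Encoding: chunked\r\n\r\nb\r\nHello world\r\n0\r\n\r\n")

def _headers(head):
    """Split the status line and header block; header names are lower-cased."""
    lines = head.split(b"\r\n")
    hdrs = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        hdrs[name.strip().lower()] = value.strip()
    return lines[0].split(b" ", 1)[0], hdrs

def keep_alive_allowed(version, hdrs):
    """HTTP/1.1 is persistent unless 'Connection: close'; HTTP/1.0 only with 'keep-alive'."""
    token = hdrs.get(b"connection", b"").lower()
    return token != b"close" if version == b"HTTP/1.1" else token == b"keep-alive"

def parse_response(raw):
    """Return (framing, body, keep_alive_possible) for one raw HTTP response."""
    head, _, rest = raw.partition(b"\r\n\r\n")
    version, hdrs = _headers(head)
    if b"chunked" in hdrs.get(b"transfer-encoding", b"").lower():
        body = b""
        while True:
            size_line, _, rest = rest.partition(b"\r\n")
            size = int(size_line.split(b";")[0], 16)  # ignore chunk extensions
            if size == 0:
                break
            body, rest = body + rest[:size], rest[size + 2:]  # skip the chunk's CRLF
        return "chunked", body, keep_alive_allowed(version, hdrs)
    if b"content-length" in hdrs:
        n = int(hdrs[b"content-length"])
        return "content-length", rest[:n], keep_alive_allowed(version, hdrs)
    # No length information: only closing the connection can delimit the body.
    return "close-delimited", rest, False

def probe(host, port, path="/"):
    """Fetch one page from a live server and classify it (assumed helper, stdlib only)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"Connection": "keep-alive"})
    resp = conn.getresponse()
    resp.read()
    hdrs = {k.lower().encode(): v.encode() for k, v in resp.getheaders()}
    version = b"HTTP/1.1" if resp.version == 11 else b"HTTP/1.0"
    framing = ("chunked" if b"chunked" in hdrs.get(b"transfer-encoding", b"").lower()
               else "content-length" if b"content-length" in hdrs else "close-delimited")
    conn.close()
    return framing, framing != "close-delimited" and keep_alive_allowed(version, hdrs)
```

Both samples decode to the same body, which is the point of the report: only the framing differs, and it is the chunked framing, not the content, that made ab drop keep-alive.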
[Bug 56190] Connection keep-alive not working with asynchronous servlet
https://issues.apache.org/bugzilla/show_bug.cgi?id=56190

Mark Thomas changed:

           What       |Removed   |Added
           Status     |REOPENED  |RESOLVED
           Resolution |---       |INVALID

--- Comment #5 from Mark Thomas ---
Please re-read comment #3.
[Bug 56190] Connection keep-alive not working with asynchronous servlet
https://issues.apache.org/bugzilla/show_bug.cgi?id=56190

--- Comment #6 from Francois-Xavier Bonnet ---
I did. I know the response is committed when you call AsyncContext.complete(), but at this point the response body is fully written. The specification is clear about that: "Completes the asynchronous operation that was started on the request that was used to initialize this AsyncContext, closing the response that was used to initialize this AsyncContext."
http://docs.oracle.com/javaee/6/api/javax/servlet/AsyncContext.html#complete()
Backporting security fixes to Debian
Hi,

I'm preparing a security update for the Tomcat 7 package in Debian and I need some help with the fix for CVE-2013-2071 [1]. The tomcat7 package in the stable Debian distribution is based on version 7.0.28. I applied the revisions 1471372 [2] and 1475792 [3] but I get 3 failing tests:

Testcase: testTimeoutListenerCompleteDispatch took 3.188 sec
    FAILED
expected:<500> but was:<200>
junit.framework.AssertionFailedError: expected:<500> but was:<200>
    at org.apache.catalina.valves.TesterAccessLogValve.validateAccessLog(TesterAccessLogValve.java:80)
    at org.apache.catalina.core.TestAsyncContextImpl.doTestTimeout(TestAsyncContextImpl.java:468)
    at org.apache.catalina.core.TestAsyncContextImpl.testTimeoutListenerCompleteDispatch(TestAsyncContextImpl.java:395)

Testcase: testDispatchErrorSingleThenComplete took 1.217 sec
    FAILED
Uri: /stage1, Status: 200, Time: 1043
junit.framework.AssertionFailedError: Uri: /stage1, Status: 200, Time: 1043
    at org.apache.catalina.valves.TesterAccessLogValve.validateAccessLog(TesterAccessLogValve.java:83)
    at org.apache.catalina.core.TestAsyncContextImpl.doTestDispatchError(TestAsyncContextImpl.java:919)
    at org.apache.catalina.core.TestAsyncContextImpl.testDispatchErrorSingleThenComplete(TestAsyncContextImpl.java:837)

Testcase: testMemberArrival took 4.125 sec
    FAILED
Checking member arrival length (Listener-10) expected:<9> but was:<8>
junit.framework.AssertionFailedError: Checking member arrival length (Listener-10) expected:<9> but was:<8>
    at org.apache.catalina.tribes.group.TestGroupChannelMemberArrival.testMemberArrival(TestGroupChannelMemberArrival.java:80)

Does anyone know what other commits should be applied to fix these errors?

Thank you,

Emmanuel Bourg

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=54178
[2] http://svn.apache.org/r1471372
[3] http://svn.apache.org/r1475792
[Bug 56201] New: Comet connector
https://issues.apache.org/bugzilla/show_bug.cgi?id=56201

Bug ID: 56201
Summary: Comet connector
Product: Tomcat 7
Version: 7.0.23
Hardware: Sun
OS: Solaris
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: bennett.schnei...@tekcomms.com

Created attachment 31357
--> https://issues.apache.org/bugzilla/attachment.cgi?id=31357&action=edit
Patch to set comet to false in recycleInternal

org.apache.coyote.http11.Http11AprProcessor objects are not being properly recycled prior to insertion into the ConnectionHandler's recycledProcessors. Specifically, Http11AprProcessor.comet is not set to false. When an Http11AprProcessor is returned from the recycledProcessors with this flag set to true, the connection is immediately aborted by Tomcat.

We have both Comet and traditional HTTP connections occurring to the same Tomcat, and when in this state the manifestation is that periodically the client connection is aborted. Resetting the above-mentioned flag in recycleInternal seems to address the issue, although we haven't tracked down the exact cause of the missing COMET_END that would have avoided this.

See attached diff for the change.
[Bug 56201] Comet connector
https://issues.apache.org/bugzilla/show_bug.cgi?id=56201

Konstantin Kolinko changed:

           What       |Removed   |Added
           Status     |NEW       |RESOLVED
           Resolution |---       |DUPLICATE

--- Comment #1 from Konstantin Kolinko ---
> Version: 7.0.23

The current version of Tomcat 7 is 7.0.52.

As of now, your patch is wrong. The "comet" flag does not belong to Http11AprProcessor. It belongs to its parent class, AbstractHttp11Processor, and is properly reset in AbstractHttp11Processor.recycle(..)

That specific line originates from r1373667, which was a fix for bug 53697 (18 months ago).

*** This bug has been marked as a duplicate of bug 53697 ***
[Bug 53697] java.lang.NullPointerException at org.apache.coyote.http11.Http11AprProcessor.actionInternal(Http11AprProcessor.java:277)
https://issues.apache.org/bugzilla/show_bug.cgi?id=53697

Konstantin Kolinko changed:

           What       |Removed   |Added
           CC         |          |bennett.schneider@tekcomms.com

--- Comment #9 from Konstantin Kolinko ---
*** Bug 56201 has been marked as a duplicate of this bug. ***