[Bug 60400] HttpServletRequest.getReader doesn't correctly read data

2016-11-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60400

--- Comment #1 from Violeta Georgieva  ---
Hi,

I was not able to reproduce the issue with the provided example.
I received:
- input with size 12289
- output with size 12302. The output contains two rows:
  - the first one contains information for the input and output size: 12289 12289
  - the second one contains the input that was sent.

If I remove the first line then both files are identical.

Regards,
Violeta

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 60381] Inconsistent toString() in ValveBase and RealmBase

2016-11-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60381

--- Comment #3 from Michael Osipov <1983-01...@gmx.net> ---
(In reply to Mark Thomas from comment #2)
> The toString() implementations have been pretty much unchanged since the
> lifecycle refactoring in 7.0.x. While users shouldn't be expecting these
> to be in any particular format, the chances are that some users
> are expecting the current format. Therefore, we can look at this for trunk
> but I don't think it should be back-ported.

I do not even expect some specific format, but rather a consistent approach.
Don't you think it is worthwhile to port back to 8.5? This is going to be
supported for a long time compared to 6.0/7.0.

> My current thinking for a standardised format is:
> SimpleClassName[container.toString()] / SimpleClassName[Container is null]

Do you think that the simple class name is sufficient? I was used to #getInfo()
previously which has the FQCN, and this method is gone. Consider that people
might copy Tomcat's standard component into their source tree, modify code and
package but leave the class name as-is. Still, this is a good compromise.

> If we make more use of the Contained interface, it should be possible to do
> this as a single utility method e.g.:
> o.a.c.util.DebugUtil.containedToString(Contained)
>
> Maybe
> o.a.c.util.DebugUtil.containedToString(Object, Container)
> as well for those objects that don't/can't implement Contained.

This definitely makes sense!

> Which means we might not need to expand the use of Contained anyway. I need
> to spend some time thinking about how much sense that does or doesn't make.

I have noticed that a lot of components which use Container do not implement
Contained at all. Is there a legacy reason for that? It seems awkward.

It might be worth considering deprecating RealmBase#getName() since only
toString() uses it and it is likely to be superseded.

Moreover, toString() has to be well crafted if it is used in MBeans/JMX or log
statements to clearly identify the component itself and its location in the
server tree.




[SECURITY] CVE-2016-8735 Apache Tomcat Remote Code Execution

2016-11-22 Thread Mark Thomas
CVE-2016-8735 Apache Tomcat Remote Code Execution

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47
Earlier, unsupported versions may also be affected.

Description
The JmxRemoteLifecycleListener was not updated to take account of
Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using
this listener remained vulnerable to a similar remote code execution
vulnerability. This issue has been rated as important rather than
critical due to the small number of installations using this listener
and that it would be highly unusual for the JMX ports to be accessible
to an attacker even when the listener is used.

Mitigation
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M13 or later
  (Apache Tomcat 9.0.0.M12 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.8 or later
  (Apache Tomcat 8.5.7 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.39 or later
- Upgrade to Apache Tomcat 7.0.73 or later
- Upgrade to Apache Tomcat 6.0.48 or later

Credit:
This issue was discovered by Pierre Ernst and reported responsibly to
the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html




[SECURITY] CVE-2016-6816 Apache Tomcat Information Disclosure

2016-11-22 Thread Mark Thomas
CVE-2016-6816 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47
Earlier, unsupported versions may also be affected.

Description
The code that parsed the HTTP request line permitted invalid characters.
This could be exploited, in conjunction with a proxy that also permitted
the invalid characters but with a different interpretation, to inject
data into the HTTP response. By manipulating the HTTP response the
attacker could poison a web-cache, perform an XSS attack and/or obtain
sensitive information from requests other than their own.

Mitigation
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M13 or later
  (Apache Tomcat 9.0.0.M12 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.8 or later
  (Apache Tomcat 8.5.7 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.39 or later
- Upgrade to Apache Tomcat 7.0.73 or later
- Upgrade to Apache Tomcat 6.0.48 or later

Credit:
This issue was discovered by Regis Leroy from Makina Corpus.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html

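The fix for CVE-2016-6816 is described above as rejecting invalid characters in the request line. The following is an added example, written for this digest and not Tomcat's own HttpParser code: a strict HTTP/1.x request-line validator of that kind, run over constructed sample lines. The function and constant names (validate_request_line, TCHAR, TARGET_CHARS, audit) are assumptions of this example.

```python
import re
import string

# RFC 7230 tchar: the only characters a method token may contain.
TCHAR = set(string.ascii_letters + string.digits + "!#$%&'*+-.^_`|~")
# RFC 3986 unreserved + sub-delims + ':' '@' '/' '?' for an origin-form target.
# '%' is allowed only as the start of a %XX escape, which is checked separately.
TARGET_CHARS = set(string.ascii_letters + string.digits + "-._~!$&'()*+,;=:@/?%")
VERSION_RE = re.compile(rb"^HTTP/[0-9]\.[0-9]$")
PCT_RE = re.compile(rb"%[0-9A-Fa-f]{2}")


def validate_request_line(line: bytes):
    """Return (True, (method, target, version)) for a well-formed request line,
    or (False, reason). Every byte outside the allowed sets is rejected, so a
    proxy or cache in front of the server has nothing to interpret differently."""
    # 1. Printable ASCII only: no CR/LF, TAB, NUL, other controls, DEL or high bytes.
    if any(b < 0x21 or b > 0x7E for b in line.replace(b" ", b"")):
        return False, "control or non-ASCII byte in request line"
    # 2. Exactly 'method SP request-target SP HTTP-version' (RFC 7230 3.1.1).
    parts = line.split(b" ")
    if len(parts) != 3 or not all(parts):
        return False, "request line must be 'method SP target SP version'"
    method, target, version = parts
    # 3. The method must be a token.
    if any(chr(b) not in TCHAR for b in method):
        return False, "invalid character in method"
    # 4. Origin-form target with a restricted alphabet and well-formed escapes.
    if not target.startswith(b"/"):
        return False, "only origin-form request targets are accepted"
    if any(chr(b) not in TARGET_CHARS for b in target):
        return False, "invalid character in request target"
    if target.count(b"%") != len(PCT_RE.findall(target)):
        return False, "malformed percent-encoding in request target"
    # 5. The version must be literally HTTP/<digit>.<digit>.
    if not VERSION_RE.match(version):
        return False, "malformed HTTP version"
    return True, (method.decode(), target.decode(), version.decode())


# Constructed sample request lines (not taken from the advisory).
SAMPLE_LINES = [
    b"GET /index.html?q=1 HTTP/1.1",   # valid
    b"GET /x%2Fy HTTP/1.0",            # valid, escaped slash
    b"GET /a\x0bb HTTP/1.1",           # vertical tab inside the target
    b"GET /a b HTTP/1.1",              # raw space splits the target into two fields
    b"G\x00ET / HTTP/1.1",             # NUL inside the method
    b"GET / HTTP/1.1\r",               # stray CR
    b"GET /%zz HTTP/1.1",              # malformed escape
    b"GET /\xe9 HTTP/1.1",             # non-ASCII byte
]


def audit(lines):
    """Return [(line, accepted)] so a reviewer can see which lines a strict parser drops."""
    return [(line, validate_request_line(line)[0]) for line in lines]
```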



[SECURITY] CVE-2016-6817 Apache Tomcat Denial of Service

2016-11-22 Thread Mark Thomas
CVE-2016-6817 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Earlier versions are not affected.

Description
The HTTP/2 header parser entered an infinite loop if a header was
received that was larger than the available buffer. This made a denial
of service attack possible.

Mitigation
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M13 or later
  (Apache Tomcat 9.0.0.M12 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.8 or later
  (Apache Tomcat 8.5.7 has the fix but was not released)

Credit:
This issue was reported as a bug and the security implications
identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html





svn commit: r1770815 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/s

2016-11-22 Thread markt
Author: markt
Date: Tue Nov 22 09:42:06 2016
New Revision: 1770815

URL: http://svn.apache.org/viewvc?rev=1770815&view=rev
Log:
Publish:
CVE-2016-6816
CVE-2016-6817
CVE-2016-8735

Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-6.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1770815&r1=1770814&r2=1770815&view=diff
==
--- tomcat/site/trunk/docs/security-6.html (original)
+++ tomcat/site/trunk/docs/security-6.html Tue Nov 22 09:42:06 2016
@@ -219,6 +219,9 @@
 Apache Tomcat 6.x 
vulnerabilities
 
 
+Fixed in Apache Tomcat 6.0.48
+
+
 Fixed in Apache Tomcat 6.0.47
 
 
@@ -334,6 +337,61 @@
 
   
 
+
+15 November 2016 Fixed in Apache Tomcat 
6.0.48
+
+
+
+
+Important: Remote Code Execution
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735"; 
rel="nofollow">CVE-2016-8735
+
+
+
+The JmxRemoteLifecycleListener was not updated to take
+   account of Oracle's fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427"; 
rel="nofollow">CVE-2016-3427. Therefore, Tomcat
+   installations using this listener remained vulnerable to a similar 
remote
+   code execution vulnerability. This issue has been rated as important
+   rather than critical due to the small number of installations using this
+   listener and that it would be highly unusual for the JMX ports to be
+   accessible to an attacker even when the listener is used.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1767684";>1767684.
+
+
+This issue was reported to the Apache Tomcat Security Team on 19 October
+   2016 and made public on 22 November 2016.
+
+
+Affects: 6.0.0 to 6.0.47
+
+
+
+Important: Information Disclosure
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816"; 
rel="nofollow">CVE-2016-6816
+
+
+
+The code that parsed the HTTP request line permitted invalid characters.
+   This could be exploited, in conjunction with a proxy that also permitted
+   the invalid characters but with a different interpretation, to inject
+   data into the HTTP response. By manipulating the HTTP response the
+   attacker could poison a web-cache, perform an XSS attack and/or obtain
+   sensitive information from requests other then their own.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1767683";>1767683.
+
+
+This issue was reported to the Apache Tomcat Security Team on 11
+   October 2016 and made public on 22 November 2016.
+
+
+Affects: 6.0.0 to 6.0.47
+
+  
+
 
 16 October 2016 Fixed in Apache Tomcat 
6.0.47
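Review bot: the CVE-2016-6816 paragraph in this hunk carries the typo "requests other then their own"; it should read "other than their own". Since docs/security-6.html is generated from the xdocs/security-6.xml source modified in the same commit, the correction belongs in the xdocs file so it survives the next regeneration.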
 

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1770815&r1=1770814&r2=1770815&view=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Tue Nov 22 09:42:06 2016
@@ -219,6 +219,9 @@
 Apache Tomcat 7.x 
vulnerabilities
 
 
+Fixed in Apache Tomcat 7.0.73
+
+
 Fixed in Apache Tomcat 7.0.72
 
 
@@ -360,6 +363,61 @@
 
   
 
+
+14 November 2016 Fixed in Apache Tomcat 
7.0.73
+
+
+
+
+Important: Remote Code Execution
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735"; 
rel="nofollow">CVE-2016-8735
+
+
+
+The JmxRemoteLifecycleListener was not updated to take
+   account of Oracle's fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427"; 
rel="nofollow">CVE-2016-3427. Therefore, Tomcat
+   installations using this listener remained vulnerable to a similar 
remote
+   code execution vulnerability. This issue has been rated as important
+   rather than critical due to the small number of installations using this
+   listener and that it would be highly unusual for the JMX ports to be
+   accessible to an attacker even when the listener is used.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1767676";>1767676.
+
+
+This issue was reported to the Apache Tomcat Security Team on 19 October
+   2016 and made public on 22 November 2016.
+
+
+Affects: 7.0.0 to 7.0.72
+
+
+
+Important: Information Disclosure
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816"; 
rel="nofollow">CVE-2016-6816
+
+
+
+The code that parsed the HTTP request line permitted invalid characters.
+   This could be exploited, in conjunction with a proxy that also permitted
+   the invalid characters but with a different in
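Review bot: this hunk is cut off in the digest after "with a different in", so the remainder of the 7.0.73 entry cannot be reviewed here. The visible part repeats the 6.0.48 entry word for word, so if the rest matches it needs the same "other then their own" to "other than their own" correction, applied in xdocs/security-7.xml.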

svn propchange: r1767641 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1767641
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:43:55 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:43:55 2016
@@ -1,2 +1,3 @@
 Add additional checks for valid characters to the HTTP request line
 parsing so invalid request lines are rejected sooner.
+This is the fix for CVE-2016-6816





svn propchange: r1767645 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1767645
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:45:07 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:45:07 2016
@@ -1,2 +1,3 @@
 Add additional checks for valid characters to the HTTP request line
 parsing so invalid request lines are rejected sooner.
+This is the fix for CVE-2016-6816





svn propchange: r1767675 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1767675
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:45:22 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:45:22 2016
@@ -1,2 +1,3 @@
 Add additional checks for valid characters to the HTTP request line
 parsing so invalid request lines are rejected sooner.
+This is the fix for CVE-2016-6816





svn propchange: r1767653 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1767653
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:44:39 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:44:39 2016
@@ -1,2 +1,3 @@
 Add additional checks for valid characters to the HTTP request line
 parsing so invalid request lines are rejected sooner.
+This is the fix for CVE-2016-6816





svn propchange: r1767683 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1767683
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:45:43 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:45:43 2016
@@ -1,2 +1,3 @@
 Add additional checks for valid characters to the HTTP request line
 parsing so invalid request lines are rejected sooner.
+This is the fix for CVE-2016-6816





svn propchange: r1765794 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1765794
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:46:21 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:46:21 2016
@@ -2,3 +2,4 @@ Fix https://bz.apache.org/bugzilla/show_
 
 The header read buffer needs to be at least the size of the largest
 header.
+This is the fix for CVE-2016-6817





svn propchange: r1765798 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1765798
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:46:40 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:46:40 2016
@@ -1,3 +1,4 @@
 Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60232
 
 The header read buffer needs to be at least the size of the largest header.
+This is the fix for CVE-2016-6817





svn propchange: r1767644 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1767644
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:47:14 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:47:14 2016
@@ -1 +1,2 @@
 Explicitly configure allowed credential types
+This is the fix for CVE-2016-8735





svn propchange: r1767646 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1767646
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:47:30 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:47:30 2016
@@ -1 +1,2 @@
 Explicitly configure allowed credential types
+This is the fix for CVE-2016-8735





svn propchange: r1767676 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1767676
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:47:56 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:47:56 2016
@@ -1 +1,2 @@
 Explicitly configure allowed credential types
+This is the fix for CVE-2016-8735





svn propchange: r1767656 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1767656
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:47:43 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:47:43 2016
@@ -1 +1,2 @@
 Explicitly configure allowed credential types
+This is the fix for CVE-2016-8735





svn propchange: r1767684 - svn:log

2016-11-22 Thread markt
Author: markt
Revision: 1767684
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:48:13 2016
--
--- svn:log (original)
+++ svn:log Tue Nov 22 09:48:13 2016
@@ -1 +1,2 @@
 Explicitly configure allowed credential types
+This is the fix for CVE-2016-8735





[Bug 60380] HttpServletRequest#logout() never calls TomcatPrincipal#logout()

2016-11-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60380

--- Comment #5 from Mark Thomas  ---
The reason is java.lang.StackOverflowError and anything similar that may be
added / discovered.




[Bug 60400] HttpServletRequest.getReader doesn't correctly read data

2016-11-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=60400

--- Comment #2 from clem...@guillaume.bzh ---
Created attachment 34466
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=34466&action=edit
server configuration

Here is what I get:

-rw-r--r-- 1 cguillaume cguillaume 12289 Nov 22 10:30 input
-rw-r--r-- 1 cguillaume cguillaume 21302 Nov 22 10:30 output

First line: 12289 21289

It seems to happen only when using the apr connector. I attached my server.xml.
The apr version I'm using is:
INFO: Loaded APR based Apache Tomcat Native library 1.2.10 using APR version
1.5.2.
