[Bug 60400] HttpServletRequest.getReader doesn't correctly read data
https://bz.apache.org/bugzilla/show_bug.cgi?id=60400

--- Comment #1 from Violeta Georgieva ---

Hi,

I was not able to reproduce the issue with the provided example. I received:
- input with size 12289
- output with size 12302

The output contains two rows:
- the first one contains information for the input and output size: 12289 12289
- the second one contains the input that was sent.

If I remove the first line then both files are identical.

Regards,
Violeta

--
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 60381] Inconsistent toString() in ValveBase and RealmBase
https://bz.apache.org/bugzilla/show_bug.cgi?id=60381

--- Comment #3 from Michael Osipov <1983-01...@gmx.net> ---

(In reply to Mark Thomas from comment #2)
> The toString() implementations have been pretty much unchanged since the
> lifecycle refactoring in 7.0.x. While users shouldn't be expecting these
> to be in any particular format, the chances are that some users
> are expecting the current format. Therefore, we can look at this for trunk
> but I don't think it should be back-ported.

I do not even expect some specific format, but rather a consistent approach. Don't you think it is worthwhile to port back to 8.5? This is going to be supported for a long time compared to 6.0/7.0.

> My current thinking for a standardised format is:
> SimpleClassName[container.toString()] / SimpleClassName[Container is null]

Do you think that the simple class name is sufficient? I was used to #getInfo() previously which has the FQCN, and this method is gone. Consider that people might copy Tomcat's standard component into their source tree, modify code and package but leave the class name as-is. Still, this is a good compromise.

> If we make more use of the Contained interface, it should be possible to do
> this as a single utility method e.g.:
> o.a.c.util.DebugUtil.containedToString(Contained)
>
> Maybe
> o.a.c.util.DebugUtil.containedToString(Object, Container)
> as well for those objects that don't/can't implement Contained.

This makes definitive sense!

> Which means we might not need to expand the use of Contained anyway. I need
> to spend some time thinking about how much sense that does or doesn't make.

I have noticed that a lot of components which use Container do not implement Contained at all. Is there a legacy reason for that? It seems awkward.

It might be worth considering deprecating RealmBase#getName() since only toString() uses it and it is likely to be superseded.

Moreover, toString() has to be well crafted if it is used in MBeans/JMX or log statements to clearly identify the component itself and its location in the server tree.
[SECURITY] CVE-2016-8735 Apache Tomcat Remote Code Execution
CVE-2016-8735 Apache Tomcat Remote Code Execution

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47
Earlier, unsupported versions may also be affected.

Description
The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using this listener remained vulnerable to a similar remote code execution vulnerability.

This issue has been rated as important rather than critical due to the small number of installations using this listener and because it would be highly unusual for the JMX ports to be accessible to an attacker even when the listener is used.

Mitigation
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M13 or later (Apache Tomcat 9.0.0.M12 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.8 or later (Apache Tomcat 8.5.7 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.39 or later
- Upgrade to Apache Tomcat 7.0.73 or later
- Upgrade to Apache Tomcat 6.0.48 or later

Credit:
This issue was discovered by Pierre Ernst and reported responsibly to the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
[SECURITY] CVE-2016-6816 Apache Tomcat Information Disclosure
CVE-2016-6816 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Apache Tomcat 8.0.0.RC1 to 8.0.38
Apache Tomcat 7.0.0 to 7.0.72
Apache Tomcat 6.0.0 to 6.0.47
Earlier, unsupported versions may also be affected.

Description
The code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.

Mitigation
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M13 or later (Apache Tomcat 9.0.0.M12 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.8 or later (Apache Tomcat 8.5.7 has the fix but was not released)
- Upgrade to Apache Tomcat 8.0.39 or later
- Upgrade to Apache Tomcat 7.0.73 or later
- Upgrade to Apache Tomcat 6.0.48 or later

Credit:
This issue was discovered by Regis Leroy from Makina Corpus.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
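As an added illustration of the mitigation described in this advisory (example code, not Tomcat's own request-line parser), the check below refuses the kinds of bytes that a lenient parser and a front-end proxy can read differently; the character classes follow RFC 7230 and every sample line is constructed for the demonstration, not taken from the advisory.

```python
"""Strict HTTP/1.x request-line check (added example; not Tomcat's code).

CVE-2016-6816 came from a request-line parser that accepted characters
outside the HTTP grammar; a proxy that accepted them too, but read them
differently, let data be injected into the response. Rejecting such lines
up front removes the disagreement. Assumptions: method bytes follow RFC 7230
"tchar", the target is origin-form, absolute-form or "*", version is HTTP/1.x.
"""
import re
from typing import List, Tuple

# RFC 7230 tchar: "!#$%&'*+-.^_`|~" plus DIGIT and ALPHA
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ")
VERSION_RE = re.compile(r"^HTTP/1\.[01]$")


class InvalidRequestLine(ValueError):
    """The line must be answered with 400 and the connection closed."""


def parse_request_line(line: bytes) -> Tuple[str, str, str]:
    """Return (method, target, version) for a raw line without its CRLF."""
    # Control bytes (a stray CR or LF included), DEL and non-ASCII bytes are
    # rejected outright: they are exactly what lenient parsers disagree about.
    for b in line:
        if b < 0x20 or b >= 0x7F:
            raise InvalidRequestLine("control or non-ASCII byte 0x%02x" % b)
    # Exactly one SP between the three parts: no tabs, no runs of spaces.
    parts = line.split(b" ")
    if len(parts) != 3 or b"" in parts:
        raise InvalidRequestLine("expected 'METHOD SP request-target SP HTTP-version'")
    method, target, version = (p.decode("ascii") for p in parts)
    if not all(c in TCHAR for c in method):
        raise InvalidRequestLine("method %r is not a token" % method)
    if not (target == "*" or target.startswith(("/", "http://", "https://"))):
        raise InvalidRequestLine("unsupported request-target %r" % target)
    if not VERSION_RE.match(version):
        raise InvalidRequestLine("unsupported HTTP-version %r" % version)
    return method, target, version


def audit(lines: List[bytes]) -> List[Tuple[bytes, str]]:
    """Classify each line as 'ok' or 'reject: <reason>', e.g. for a log review."""
    out = []
    for line in lines:
        try:
            parse_request_line(line)
            out.append((line, "ok"))
        except InvalidRequestLine as exc:
            out.append((line, "reject: " + str(exc)))
    return out


# Constructed samples: one clean line, then lines that must be rejected.
SAMPLE_LINES = [
    b"GET /index.html HTTP/1.1",
    b"GET /index.html\rX-Injected: 1 HTTP/1.1",  # bare CR inside the target
    b"GET\t/index.html HTTP/1.1",                # tab instead of SP
    b"G{T /index.html HTTP/1.1",                 # non-token byte in the method
    b"GET /index.html HTTP/1.1 extra",           # a fourth field
    b"GET /caf\xc3\xa9 HTTP/1.1",                # non-ASCII byte in the target
]
```

Running `audit(SAMPLE_LINES)` reports the first line as ok and gives a distinct rejection reason for each of the others, which is the behaviour a connector should have before any proxy-side interpretation matters.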
[SECURITY] CVE-2016-6817 Apache Tomcat Denial of Service
CVE-2016-6817 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M11
Apache Tomcat 8.5.0 to 8.5.6
Earlier versions are not affected.

Description
The HTTP/2 header parser entered an infinite loop if a header was received that was larger than the available buffer. This made a denial of service attack possible.

Mitigation
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M13 or later (Apache Tomcat 9.0.0.M12 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.8 or later (Apache Tomcat 8.5.7 has the fix but was not released)

Credit:
This issue was reported as a bug and the security implications identified by the Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
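The failure mode in this advisory, a read loop that can never make progress once a single header outgrows its buffer, is shown below as an added example (not Tomcat's HTTP/2 code). Tomcat's fix was to size the buffer for the largest header; this reader demonstrates the complementary guard, turning the stuck state into an error. The framing is a simplified "name: value" text block rather than HPACK, and the sample blocks are constructed.

```python
"""Bounded header reading with a progress check (added example; not Tomcat's code).

CVE-2016-6817 was a header parser that looped forever once one header was
larger than its read buffer: the buffer was full, held no complete header,
and every further read could add nothing. The guard below detects that
state. Framing is simplified to "name: value" lines terminated by an empty
line (plain text, not HPACK); a line plus its CRLF must fit in the buffer.
"""
import io
from typing import BinaryIO, Dict


class HeaderTooLarge(Exception):
    """A single header line does not fit in the read buffer."""


def read_headers(stream: BinaryIO, buffer_size: int) -> Dict[str, str]:
    """Read a header block from `stream` using at most `buffer_size` bytes."""
    buf = bytearray()
    headers: Dict[str, str] = {}
    while True:
        # Consume every complete line currently in the buffer.
        while True:
            end = buf.find(b"\r\n")
            if end < 0:
                break
            line = bytes(buf[:end])
            del buf[:end + 2]
            if line == b"":
                return headers
            name, sep, value = line.partition(b":")
            if not sep:
                raise ValueError("malformed header line %r" % line)
            headers[name.strip().decode("ascii").lower()] = value.strip().decode("ascii")
        # No complete line left: refill. If the buffer is already full, no
        # read can ever complete the line, so fail instead of spinning.
        space = buffer_size - len(buf)
        if space <= 0:
            raise HeaderTooLarge("header line exceeds %d-byte buffer" % buffer_size)
        chunk = stream.read(space)
        if not chunk:
            raise ValueError("stream ended before the end of the header block")
        buf += chunk


def parse_header_block(data: bytes, buffer_size: int) -> Dict[str, str]:
    """Convenience wrapper over an in-memory stream."""
    return read_headers(io.BytesIO(data), buffer_size)


def header_block_fits(data: bytes, buffer_size: int) -> bool:
    """True if every header line in `data` fits in `buffer_size` bytes."""
    try:
        parse_header_block(data, buffer_size)
        return True
    except HeaderTooLarge:
        return False


# Constructed samples: a normal block, and one whose single header value
# is 100 bytes long and therefore cannot fit in a 64-byte buffer.
SMALL_BLOCK = b"Host: example.test\r\nX-Trace: 1\r\n\r\n"
OVERSIZED_BLOCK = b"X-Big: " + b"a" * 100 + b"\r\n\r\n"
```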
svn commit: r1770815 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/s
Author: markt
Date: Tue Nov 22 09:42:06 2016
New Revision: 1770815

URL: http://svn.apache.org/viewvc?rev=1770815&view=rev
Log:
Publish:
CVE-2016-6816
CVE-2016-6817
CVE-2016-8735

Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/docs/security-9.html
tomcat/site/trunk/xdocs/security-6.xml
tomcat/site/trunk/xdocs/security-7.xml
tomcat/site/trunk/xdocs/security-8.xml
tomcat/site/trunk/xdocs/security-9.xml

Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1770815&r1=1770814&r2=1770815&view=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Tue Nov 22 09:42:06 2016 @@ -219,6 +219,9 @@ Apache Tomcat 6.x vulnerabilities +Fixed in Apache Tomcat 6.0.48 + + Fixed in Apache Tomcat 6.0.47
@@ -334,6 +337,61 @@ + +15 November 2016 Fixed in Apache Tomcat 6.0.48 + + + + +Important: Remote Code Execution + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735"; rel="nofollow">CVE-2016-8735 + + + +The JmxRemoteLifecycleListener was not updated to take + account of Oracle's fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427"; rel="nofollow">CVE-2016-3427. Therefore, Tomcat + installations using this listener remained vulnerable to a similar remote + code execution vulnerability. This issue has been rated as important + rather than critical due to the small number of installations using this + listener and that it would be highly unusual for the JMX ports to be + accessible to an attacker even when the listener is used. + + +This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1767684";>1767684. + + +This issue was reported to the Apache Tomcat Security Team on 19 October + 2016 and made public on 22 November 2016. + + +Affects: 6.0.0 to 6.0.47 + + + +Important: Information Disclosure + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816"; rel="nofollow">CVE-2016-6816 + + + +The code that parsed the HTTP request line permitted invalid characters. + This could be exploited, in conjunction with a proxy that also permitted + the invalid characters but with a different interpretation, to inject + data into the HTTP response. By manipulating the HTTP response the + attacker could poison a web-cache, perform an XSS attack and/or obtain + sensitive information from requests other then their own. + + +This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1767683";>1767683. + + +This issue was reported to the Apache Tomcat Security Team on 11 + October 2016 and made public on 22 November 2016. 
+ + +Affects: 6.0.0 to 6.0.47 + + + 16 October 2016 Fixed in Apache Tomcat 6.0.47 Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1770815&r1=1770814&r2=1770815&view=diff == --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Tue Nov 22 09:42:06 2016 @@ -219,6 +219,9 @@ Apache Tomcat 7.x vulnerabilities +Fixed in Apache Tomcat 7.0.73 + + Fixed in Apache Tomcat 7.0.72 @@ -360,6 +363,61 @@ + +14 November 2016 Fixed in Apache Tomcat 7.0.73 + + + + +Important: Remote Code Execution + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8735"; rel="nofollow">CVE-2016-8735 + + + +The JmxRemoteLifecycleListener was not updated to take + account of Oracle's fix for http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3427"; rel="nofollow">CVE-2016-3427. Therefore, Tomcat + installations using this listener remained vulnerable to a similar remote + code execution vulnerability. This issue has been rated as important + rather than critical due to the small number of installations using this + listener and that it would be highly unusual for the JMX ports to be + accessible to an attacker even when the listener is used. + + +This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1767676";>1767676. + + +This issue was reported to the Apache Tomcat Security Team on 19 October + 2016 and made public on 22 November 2016. + + +Affects: 7.0.0 to 7.0.72 + + + +Important: Information Disclosure + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6816"; rel="nofollow">CVE-2016-6816 + + + +The code that parsed the HTTP request line permitted invalid characters. + This could be exploited, in conjunction with a proxy that also permitted + the invalid characters but with a different in
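Review bot: the CVE-2016-6816 description added in both the security-6.html and security-7.html hunks carries the typo "other then their own"; it should read "other than their own". The xdocs/security-6.xml and xdocs/security-7.xml sources are part of the same revision, so the correction belongs there as well as in the HTML, or the wording will stay inconsistent with the published advisory once it is fixed.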
svn propchange: r1767641 - svn:log
Author: markt
Revision: 1767641
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:43:55 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:43:55 2016 @@ -1,2 +1,3 @@ Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. +This is the fix for CVE-2016-6816
svn propchange: r1767645 - svn:log
Author: markt
Revision: 1767645
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:45:07 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:45:07 2016 @@ -1,2 +1,3 @@ Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. +This is the fix for CVE-2016-6816
svn propchange: r1767675 - svn:log
Author: markt
Revision: 1767675
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:45:22 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:45:22 2016 @@ -1,2 +1,3 @@ Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. +This is the fix for CVE-2016-6816
svn propchange: r1767653 - svn:log
Author: markt
Revision: 1767653
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:44:39 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:44:39 2016 @@ -1,2 +1,3 @@ Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. +This is the fix for CVE-2016-6816
svn propchange: r1767683 - svn:log
Author: markt
Revision: 1767683
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:45:43 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:45:43 2016 @@ -1,2 +1,3 @@ Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. +This is the fix for CVE-2016-6816
svn propchange: r1765794 - svn:log
Author: markt
Revision: 1765794
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:46:21 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:46:21 2016 @@ -2,3 +2,4 @@ Fix https://bz.apache.org/bugzilla/show_ The header read buffer needs to be at least the size of the largest header. +This is the fix for CVE-2016-6817
svn propchange: r1765798 - svn:log
Author: markt
Revision: 1765798
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:46:40 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:46:40 2016 @@ -1,3 +1,4 @@ Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60232 The header read buffer needs to be at least the size of the largest header. +This is the fix for CVE-2016-6817
svn propchange: r1767644 - svn:log
Author: markt
Revision: 1767644
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:47:14 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:47:14 2016 @@ -1 +1,2 @@ Explicitly configure allowed credential types +This is the fix for CVE-2016-8735
svn propchange: r1767646 - svn:log
Author: markt
Revision: 1767646
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:47:30 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:47:30 2016 @@ -1 +1,2 @@ Explicitly configure allowed credential types +This is the fix for CVE-2016-8735
svn propchange: r1767676 - svn:log
Author: markt
Revision: 1767676
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:47:56 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:47:56 2016 @@ -1 +1,2 @@ Explicitly configure allowed credential types +This is the fix for CVE-2016-8735
svn propchange: r1767656 - svn:log
Author: markt
Revision: 1767656
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:47:43 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:47:43 2016 @@ -1 +1,2 @@ Explicitly configure allowed credential types +This is the fix for CVE-2016-8735
svn propchange: r1767684 - svn:log
Author: markt
Revision: 1767684
Modified property: svn:log

Modified: svn:log at Tue Nov 22 09:48:13 2016
--
--- svn:log (original) +++ svn:log Tue Nov 22 09:48:13 2016 @@ -1 +1,2 @@ Explicitly configure allowed credential types +This is the fix for CVE-2016-8735
[Bug 60380] HttpServletRequest#logout() never calls TomcatPrincipal#logout()
https://bz.apache.org/bugzilla/show_bug.cgi?id=60380

--- Comment #5 from Mark Thomas ---

The reason is java.lang.StackOverflowError and anything similar that may be added / discovered.
[Bug 60400] HttpServletRequest.getReader doesn't correctly read data
https://bz.apache.org/bugzilla/show_bug.cgi?id=60400

--- Comment #2 from clem...@guillaume.bzh ---

Created attachment 34466
--> https://bz.apache.org/bugzilla/attachment.cgi?id=34466&action=edit
server configuration

Here is what I get:

-rw-r--r-- 1 cguillaume cguillaume 12289 Nov 22 10:30 input
-rw-r--r-- 1 cguillaume cguillaume 21302 Nov 22 10:30 output

First line: 12289 21289

It seems to happen only when using the APR connector. I attached my server.xml. The APR version I'm using is:

INFO: Loaded APR based Apache Tomcat Native library 1.2.10 using APR version 1.5.2.