svn commit: r1790789 - in /tomcat/trunk: java/org/apache/catalina/tribes/ java/org/apache/catalina/tribes/group/ java/org/apache/catalina/tribes/jmx/ webapps/docs/
Author: kfujino Date: Mon Apr 10 08:03:39 2017 New Revision: 1790789 URL: http://svn.apache.org/viewvc?rev=1790789&view=rev Log: Add JMX support for Tribes component. -TODO: Membership, Sender, Receiver, Interceptors. Added: tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java (with props) tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannelMBean.java (with props) tomcat/trunk/java/org/apache/catalina/tribes/jmx/ tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java (with props) tomcat/trunk/java/org/apache/catalina/tribes/jmx/LocalStrings.properties (with props) Modified: tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java tomcat/trunk/webapps/docs/changelog.xml Added: tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java?rev=1790789&view=auto == --- tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java (added) +++ tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java Mon Apr 10 08:03:39 2017 
@@ -0,0 +1,58 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.tribes;
+
+
+public interface JmxChannel {
+/**
+ * If set to true, this channel is registered with jmx.
+ * @return true if this channel will be registered with jmx.
+ */
+public boolean isJmxEnabled();
+
+/**
+ * If set to true, this channel is registered with jmx.
+ * @param jmxEnabled set to true if this channel should be registered with jmx.
+ */
+public void setJmxEnabled(boolean jmxEnabled);
+
+/**
+ * Return the jmx domain which this channel is registered.
+ * @return jmxDomain
+ */
+public String getJmxDomain();
+
+/**
+ * Set the jmx domain which this channel should be registered.
+ * @param jmxDomain The jmx domain which this channel should be registered.
+ */
+public void setJmxDomain(String jmxDomain);
+
+/**
+ * Return the jmx prefix which will be used with channel ObjectName.
+ * @return jmxPrefix
+ */
+public String getJmxPrefix();
+
+/**
+ * Set the jmx prefix which will be used with channel ObjectName.
+ * @param jmxPrefix The jmx prefix which will be used with channel ObjectName.
+ */ +public void setJmxPrefix(String jmxPrefix); + +} Propchange: tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java -- svn:eol-style = native Modified: tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java?rev=1790789&r1=1790788&r2=1790789&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java Mon Apr 10 08:03:39 2017 @@ -22,6 +22,8 @@ import java.util.Iterator; import java.util.List; import java.util.concurrent.CopyOnWriteArrayList; +import javax.management.ObjectName; + import org.apache.catalina.tribes.ByteMessage; import org.apache.catalina.tribes.Channel; import org.apache.catalina.tribes.ChannelException; @@ -32,6 +34,7 @@ import org.apache.catalina.tribes.Channe import org.apache.catalina.tribes.ChannelSender; import org.apache.catalina.tribes.ErrorHandler; import org.apache.catalina.tribes.Heartbeat; +import org.apache.catalina.tribes.JmxChannel; import org.apache.catalina.tribes.ManagedChannel; import org.apache.catalina.tribes.Member; import org.apache.catalina.tribes.MembershipListener; @@ -42,6 +45,7 @@ import org.apache.catalina.tribes.group. import org.apache.catalina.tribes.io.BufferPool; import org.apache.catalina.tribes.io.ChannelData; import org.apache.catalina.tribes.io.XByteBuffer; +import org.apache.catalina.tribes.jmx.JmxRegistry; import org.apache.catalina.tribes.util.Arrays; import org.apache.catalina.tribes.util.Logs; import org.apac
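Review bot: The Javadoc on `setJmxDomain` and `setJmxPrefix` in this new interface does not say how the values are consumed, which matters because, from the rest of this commit series, the domain and prefix are concatenated into the base ObjectName under which every Tribes component MBean (e.g. `,component=Membership`) is registered, and a null domain appears to make `JmxRegistry.createBaseObjectName` log a warning rather than register anything. Since the strings are spliced into an ObjectName verbatim, a value taken from configuration that contains ObjectName-special characters (`,`, `=`, `:`, `*`, `?`, `"`) will fail or, worse, become a pattern, so the contract should say the value must already be a valid ObjectName domain / key fragment. I would replace the `setJmxDomain` comment with `Set the JMX domain in which this channel, and every component MBean registered through its JmxRegistry, is placed. Must be a valid ObjectName domain; a null domain disables registration (a warning is logged).` and fix the grammar of `Return the jmx domain which this channel is registered` to `in which`. The null-domain behaviour is inferred from a partially visible `createBaseObjectName` and should be confirmed.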
svn commit: r1790791 - in /tomcat/trunk/java/org/apache/catalina/tribes/membership: McastService.java McastServiceMBean.java
Author: kfujino Date: Mon Apr 10 08:16:13 2017 New Revision: 1790791 URL: http://svn.apache.org/viewvc?rev=1790791&view=rev Log: Add MBean for Membership component. Added: tomcat/trunk/java/org/apache/catalina/tribes/membership/McastServiceMBean.java (with props) Modified: tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java Modified: tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java?rev=1790791&r1=1790790&r2=1790791&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java Mon Apr 10 08:16:13 2017 @@ -21,6 +21,8 @@ import java.io.IOException; import java.net.DatagramPacket; import java.util.Properties; +import javax.management.ObjectName; + import org.apache.catalina.tribes.Channel; import org.apache.catalina.tribes.ChannelException; import org.apache.catalina.tribes.ChannelMessage; @@ -30,6 +32,7 @@ import org.apache.catalina.tribes.Member import org.apache.catalina.tribes.MessageListener; import org.apache.catalina.tribes.io.ChannelData; import org.apache.catalina.tribes.io.XByteBuffer; +import org.apache.catalina.tribes.jmx.JmxRegistry; import org.apache.catalina.tribes.util.Arrays; import org.apache.catalina.tribes.util.StringManager; import org.apache.catalina.tribes.util.UUIDGenerator; @@ -42,7 +45,8 @@ import org.apache.juli.logging.LogFactor * This class is responsible for maintaining a list of active cluster nodes in the cluster. * If a node fails to send out a heartbeat, the node will be dismissed. */ -public class McastService implements MembershipService,MembershipListener,MessageListener { +public class McastService +implements MembershipService,MembershipListener,MessageListener, McastServiceMBean { private static final Log log = LogFactory.getLog(McastService.class); 
@@ -81,6 +85,11 @@ public class McastService implements Mem private Channel channel; /** + * the ObjectName of this McastService. + */ +private ObjectName oname = null; + +/** * Create a membership service. */ public McastService() { @@ -363,7 +372,11 @@ public class McastService implements Mem impl.setChannel(channel); impl.start(level); - +// register jmx +JmxRegistry jmxRegistry = JmxRegistry.getRegistry(channel); +if (jmxRegistry != null) { +this.oname = jmxRegistry.registerJmx(",component=Membership", this); +} } @@ -375,6 +388,10 @@ public class McastService implements Mem public void stop(int svc) { try { if ( impl != null && impl.stop(svc) ) { +if (oname != null) { +JmxRegistry.getRegistry(channel).unregisterJmx(oname); +oname = null; +} impl.setChannel(null); impl = null; channel = null; Added: tomcat/trunk/java/org/apache/catalina/tribes/membership/McastServiceMBean.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/membership/McastServiceMBean.java?rev=1790791&view=auto == --- tomcat/trunk/java/org/apache/catalina/tribes/membership/McastServiceMBean.java (added) +++ tomcat/trunk/java/org/apache/catalina/tribes/membership/McastServiceMBean.java Mon Apr 10 08:16:13 2017 
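Review bot: In the `stop` hunk, `JmxRegistry.getRegistry(channel).unregisterJmx(oname)` dereferences the registry without the null check that the `start` hunk applies to the very same call, so if `getRegistry` can ever return null (it does in a later revision, for a null channel or channel name) stop throws and the remaining cleanup (`impl.setChannel(null)`, `impl = null`, `channel = null`) is skipped. Guard it the same way as start: `JmxRegistry registry = JmxRegistry.getRegistry(channel); if (registry != null) { registry.unregisterJmx(oname); } oname = null;`. Separately, if `start(int level)` is invoked once per membership level, as the `level` argument suggests, the registration block after `impl.start(level)` runs twice for the same service; an `if (oname == null)` guard before `registerJmx` would avoid a duplicate registration attempt. Both enclosing methods begin and end outside the hunks.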
@@ -0,0 +1,60 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.tribes.membership;
+
+import java.util.Properties;
+
+import org.apache.catalina.tribes.Member;
+
+public interface McastServiceMBean {
+
+// Attributes
+public String getAddress();
+
+public int getPort();
+
+public long getFrequency();
+
+public long getDropTime();
+
+public String getBind();
+
+public int getTtl();
+
+public byte[] getDomain();
+
+public int getSoTimeout();
+
+publi
buildbot failure in on tomcat-trunk
The Buildbot has detected a new failure on builder tomcat-trunk while building . Full details are available at: https://ci.apache.org/builders/tomcat-trunk/builds/2282 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build Build Source Stamp: [branch tomcat/trunk] 1790789 Blamelist: kfujino BUILD FAILED: failed compile_1 Sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1790792 - in /tomcat/trunk/java/org/apache/catalina/tribes: group/GroupChannel.java jmx/JmxRegistry.java
Author: kfujino Date: Mon Apr 10 08:31:42 2017 New Revision: 1790792 URL: http://svn.apache.org/viewvc?rev=1790792&view=rev Log: Add cleanup codes of JmxRegistry and channel MBeans. Modified: tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java Modified: tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java?rev=1790792&r1=1790791&r2=1790792&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java Mon Apr 10 08:31:42 2017 @@ -22,6 +22,7 @@ import java.util.Iterator; import java.util.List; import java.util.concurrent.CopyOnWriteArrayList; +import javax.management.MBeanServer; import javax.management.ObjectName; import org.apache.catalina.tribes.ByteMessage; @@ -703,6 +704,28 @@ public class GroupChannel extends Channe this.jmxPrefix = jmxPrefix; } +@Override +public ObjectName preRegister(MBeanServer server, ObjectName name) +throws Exception { +// NOOP +return null; +} + +@Override +public void postRegister(Boolean registrationDone) { +// NOOP +} + +@Override +public void preDeregister() throws Exception { +// NOOP +} + +@Override +public void postDeregister() { +JmxRegistry.removeRegistry(this, true); +} + /** * * Title: Interceptor Iterator Modified: tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java?rev=1790792&r1=1790791&r2=1790792&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java Mon Apr 10 08:31:42 2017 
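Review bot: The four `MBeanRegistration` callbacks added to `GroupChannel` carry only `// NOOP` comments, yet two of them have real consequences: `preRegister` returning null means the MBean is only ever registered under the name the caller passes (the one `JmxRegistry.registerJmx` builds from the base name), and `postDeregister` calls `removeRegistry(this, true)`, which drops the channel's registry and, via `clearMBeans`, unregisters every MBean under its base name, so deregistering the channel MBean from any JMX client also removes the Membership and other component MBeans while those components presumably keep running. That side effect belongs on `postDeregister`, e.g. `// Deregistering the channel MBean tears down this channel's JmxRegistry and every component MBean registered under it.`, and `preRegister` deserves `// registerJmx always supplies an explicit ObjectName; returning null keeps it.` Whether the components' cached `oname` fields are reset afterwards is not visible in this hunk.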
@@ -17,6 +17,7 @@ package org.apache.catalina.tribes.jmx; import java.lang.management.ManagementFactory; +import java.util.Set; import java.util.concurrent.ConcurrentHashMap; import javax.management.InstanceNotFoundException; @@ -60,6 +61,15 @@ public class JmxRegistry { return registry; } +public static void removeRegistry(Channel channel, boolean clear) { +JmxRegistry registry = registryCache.get(channel.getName()); +if (registry == null) return; +if (clear) { +registry.clearMBeans(); +} +registryCache.remove(channel.getName()); +} + private static ObjectName createBaseObjectName(String domain, String prefix, String name) { if (domain == null) { log.warn(sm.getString("jmxRegistry.no.domain")); @@ -109,4 +119,17 @@ public class JmxRegistry { } } +private void clearMBeans() { +String query = baseOname.toString() + ",*"; +try { +ObjectName name = new ObjectName(query); +Set onames = mbserver.queryNames(name, null); +for (ObjectName objectName : onames) { +unregisterJmx(objectName); +} +} catch (MalformedObjectNameException e) { +log.error(sm.getString("jmxRegistry.objectName.failed", query), e); +} +} + } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
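Review bot: `removeRegistry` does a `get` followed by an unconditional `remove` on `registryCache`, so a registry re-created by a concurrent `getRegistry` for the same channel name between the two calls is silently discarded; `registryCache.remove(channel.getName(), registry);` removes only the instance that was just cleared. Both new methods also lack Javadoc: `clearMBeans` should state that it unregisters every MBean whose name matches `baseOname,*`, i.e. anything registered under this channel's base ObjectName regardless of which component created it, and `removeRegistry` should document `clear` as `true to also unregister every MBean under the registry's base name`. Both methods are complete within the hunks.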
svn commit: r1790793 - /tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java
Author: kfujino Date: Mon Apr 10 08:32:33 2017 New Revision: 1790793 URL: http://svn.apache.org/viewvc?rev=1790793&view=rev Log: followup for r1790792 Modified: tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java Modified: tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java?rev=1790793&r1=1790792&r2=1790793&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/JmxChannel.java Mon Apr 10 08:32:33 2017 @@ -16,8 +16,10 @@ */ package org.apache.catalina.tribes; +import javax.management.MBeanRegistration; -public interface JmxChannel { + +public interface JmxChannel extends MBeanRegistration { /** * If set to true, this channel is registered with jmx. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
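Review bot: Extending `MBeanRegistration` turns `JmxChannel` from a plain configuration interface into one whose implementers must supply the four registration callbacks, and the interface still has no type-level Javadoc saying so. A short comment above the declaration would do: `Implemented by channels that can be registered with JMX; the MBeanRegistration callbacks let a channel tear down its JmxRegistry when its own MBean is deregistered.` The callback behaviour itself lives in `GroupChannel` (r1790792), outside this hunk.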
[Bug 60362] Missing reason phrase in response
https://bz.apache.org/bugzilla/show_bug.cgi?id=60362 --- Comment #50 from Michael Osipov <1983-01...@gmx.net> --- (In reply to slavb18 from comment #49) > Cannot understand, why, without any reason, all legacy clients should be > broken with server update. They were already broken before. You just haven't noticed it. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 60362] Missing reason phrase in response
https://bz.apache.org/bugzilla/show_bug.cgi?id=60362 --- Comment #51 from slav...@gmail.com --- I agree, but there is a lot of "broken" software working everywhere in the world. Isn't it too early to drop legacy support? Even the Apache 2.4 proxy stops working without a reason phrase: ProxyPass http://backend/test/ -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1790840 - in /tomcat/trunk/java/org/apache/catalina/tribes: group/GroupChannel.java jmx/JmxRegistry.java membership/McastService.java
Author: remm Date: Mon Apr 10 14:44:02 2017 New Revision: 1790840 URL: http://svn.apache.org/viewvc?rev=1790840&view=rev Log: WS and fix NPE in testsuite. Modified: tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java Modified: tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java?rev=1790840&r1=1790839&r2=1790840&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/group/GroupChannel.java Mon Apr 10 14:44:02 2017 @@ -133,7 +133,7 @@ public class GroupChannel extends Channe private boolean jmxEnabled = true; /** - * the ObjectName of this channel. + * the ObjectName of this channel. */ private ObjectName oname = null; Modified: tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java?rev=1790840&r1=1790839&r2=1790840&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/jmx/JmxRegistry.java Mon Apr 10 14:44:02 2017 @@ -45,6 +45,9 @@ public class JmxRegistry { } public static JmxRegistry getRegistry(Channel channel) { +if (channel == null || channel.getName() == null) { +return null; +} JmxRegistry registry = registryCache.get(channel.getName()); if (registry != null) return registry; 
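Review bot: `getRegistry` now returns null for a null channel or a channel without a name, but the method has no Javadoc stating that, and at least one caller (`McastService.stop` from r1790791) dereferences the result directly with `JmxRegistry.getRegistry(channel).unregisterJmx(oname)`; that call is reached only when `oname != null`, which implies the channel had a name at start time, so it is probably safe in practice, but the contract should be written down so future callers guard it. Add `@return the registry for the channel, or null if the channel is null or has no name` to the method's Javadoc. The remainder of `getRegistry` (creation of a new registry on a cache miss) lies outside the hunk.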
@@ -88,7 +91,7 @@ public class JmxRegistry { } return on; } - + public ObjectName registerJmx(String keyprop, Object bean) { String oNameStr = baseOname.toString() + keyprop; ObjectName oName = null; Modified: tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java?rev=1790840&r1=1790839&r2=1790840&view=diff == --- tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java (original) +++ tomcat/trunk/java/org/apache/catalina/tribes/membership/McastService.java Mon Apr 10 14:44:02 2017 @@ -85,7 +85,7 @@ public class McastService private Channel channel; /** - * the ObjectName of this McastService. + * the ObjectName of this McastService. */ private ObjectName oname = null; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
buildbot success in on tomcat-trunk
The Buildbot has detected a restored build on builder tomcat-trunk while building . Full details are available at: https://ci.apache.org/builders/tomcat-trunk/builds/2285 Buildbot URL: https://ci.apache.org/ Buildslave for this Build: silvanus_ubuntu Build Reason: The AnyBranchScheduler scheduler named 'on-tomcat-commit' triggered this build Build Source Stamp: [branch tomcat/trunk] 1790840 Blamelist: remm Build succeeded! Sincerely, -The Buildbot - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[SECURITY] CVE-2017-5651 Apache Tomcat Information Disclosure
CVE-2017-5651 Apache Tomcat Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M18 Apache Tomcat 8.5.0 to 8.5.12 Apache Tomcat 8.0.x and earlier are not affected Description: The refactoring of the HTTP connectors for 8.5.x onwards, introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 9.0.0.M19 or later - Upgrade to Apache Tomcat 8.5.13 or later Credit: This issue was reported publicly as Bug 60918 [1] and the security implications identified by the Tomcat security team. History: 2017-04-10 Original advisory References: [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60918 [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn commit: r1790883 - in /tomcat/site/trunk: docs/security-6.html docs/security-7.html docs/security-8.html docs/security-9.html xdocs/security-6.xml xdocs/security-7.xml xdocs/security-8.xml xdocs/s
Author: markt Date: Mon Apr 10 19:14:17 2017 New Revision: 1790883 URL: http://svn.apache.org/viewvc?rev=1790883&view=rev Log: Announcements for - CVE-2017-5651 - CVE-2017-5650 - CVE-2017-5647 - CVE-2017-5648 Modified: tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/docs/security-7.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-6.xml tomcat/site/trunk/xdocs/security-7.xml tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-6.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-6.html?rev=1790883&r1=1790882&r2=1790883&view=diff == --- tomcat/site/trunk/docs/security-6.html (original) +++ tomcat/site/trunk/docs/security-6.html Mon Apr 10 19:14:17 2017 @@ -227,6 +227,9 @@ Apache Tomcat 6.x vulnerabilities +Fixed in Apache Tomcat 6.0.53 + + Fixed in Apache Tomcat 6.0.50 
@@ -348,6 +351,38 @@ + +7 April 2017 Fixed in Apache Tomcat 6.0.53 + + + + +Important: Information Disclosure + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647"; rel="nofollow">CVE-2017-5647 + + + +A bug in the handling of the pipelined requests when send file was used + resulted in the pipelined request being lost when send file processing of + the previous request completed. This could result in responses appearing + to be sent for the wrong request. For example, a user agent that sent + requests A, B and C could see the correct response for request A, the + response for request C for request B and no response for request C. + + +This was fixed in revisions http://svn.apache.org/viewvc?view=rev&rev=1789024";>1789024, + http://svn.apache.org/viewvc?view=rev&rev=1789155";>1789155 + and http://svn.apache.org/viewvc?view=rev&rev=1789856";>1789856. + + +This issue was identified by the Apache Tomcat Security Team on 20 + March 2017 and made public on 10 April 2017. + + +Affects: 6.0.0 to 6.0.52 + + + not yet released Fixed in Apache Tomcat 6.0.50 Modified: tomcat/site/trunk/docs/security-7.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1790883&r1=1790882&r2=1790883&view=diff == --- tomcat/site/trunk/docs/security-7.html (original) +++ tomcat/site/trunk/docs/security-7.html Mon Apr 10 19:14:17 2017 @@ -227,6 +227,12 @@ Apache Tomcat 7.x vulnerabilities +Fixed in Apache Tomcat 7.0.77 + + +Fixed in Apache Tomcat 7.0.76 + + Fixed in Apache Tomcat 7.0.75 
@@ -374,6 +380,66 @@ + +2 April 2017 Fixed in Apache Tomcat 7.0.77 + + + + +Important: Information Disclosure + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5647"; rel="nofollow">CVE-2017-5647 + + + +A bug in the handling of the pipelined requests when send file was used + resulted in the pipelined request being lost when send file processing of + the previous request completed. This could result in responses appearing + to be sent for the wrong request. For example, a user agent that sent + requests A, B and C could see the correct response for request A, the + response for request C for request B and no response for request C. + + +This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1789008";>1789008. + + +This issue was identified by the Apache Tomcat Security Team on 20 + March 2017 and made public on 10 April 2017. + + +Affects: 7.0.0 to 7.0.76 + + + + +16 March 2017 Fixed in Apache Tomcat 7.0.76 + + + + +Low: Information Disclosure + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5648"; rel="nofollow">CVE-2017-5648 + + + +While investigating bug 60718, it was noticed that some calls to + application listeners did not use the appropriate facade object. When + running an untrusted application under a SecurityManager, it was + therefore possible for that untrusted application to retain a reference + to the request or response object and thereby access and/or modify + information associated with another web application. + + +This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1785777";>1785777. + + +This issue was identified by the Apache Tomcat Security Team on 20 + March 2017 and made public on 10 April 2017. 
+ + +Affects: 7.0.0 to 7.0.75 + + + 24 January 2017 Fixed in Apache Tomcat 7.0.75 Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1790883&r1=1790882&r2=1790883&view=diff == --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/tr
[SECURITY] CVE-2017-5647 Apache Tomcat Information Disclosure
CVE-2017-5647 Apache Tomcat Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M18 Apache Tomcat 8.5.0 to 8.5.12 Apache Tomcat 8.0.0.RC1 to 8.0.42 Apache Tomcat 7.0.0 to 7.0.76 Apache Tomcat 6.0.0 to 6.0.52 Description: A bug in the handling of the pipelined requests when send file was used resulted in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. Mitigation: Users of the affected versions should apply one of the following mitigations: - Switch to the BIO HTTP connector where available - Disable send file - Upgrade to Apache Tomcat 9.0.0.M19 or later - Upgrade to Apache Tomcat 8.5.13 or later - Upgrade to Apache Tomcat 8.0.43 or later - Upgrade to Apache Tomcat 7.0.77 or later - Upgrade to Apache Tomcat 6.0.53 or later Credit: This issue was identified by the Tomcat security team. History: 2017-04-10 Original advisory References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html [4] http://tomcat.apache.org/security-6.html - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[SECURITY] CVE-2017-5650 Apache Tomcat Denial of Service
CVE-2017-5650 Apache Tomcat Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M18 Apache Tomcat 8.5.0 to 8.5.12 Apache Tomcat 8.0.x and earlier are not affected Description The handling of an HTTP/2 GOAWAY frame for a connection did not close streams associated with that connection that were currently waiting for a WINDOW_UPDATE before allowing the application to write more data. These waiting streams each consumed a thread. A malicious client could therefore construct a series of HTTP/2 requests that would consume all available processing threads. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 9.0.0.M19 or later - Upgrade to Apache Tomcat 8.5.13 or later Credit: This issue was identified by Chun Han Hsiao and reported responsibly to the Tomcat security team. History: 2017-04-10 Original advisory References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[SECURITY] CVE-2017-5648 Apache Tomcat Information Disclosure
CVE-2017-5648 Apache Tomcat Information Disclosure Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M17 Apache Tomcat 8.5.0 to 8.5.11 Apache Tomcat 8.0.0.RC1 to 8.0.41 Apache Tomcat 7.0.0 to 7.0.75 Apache Tomcat 6.0.x is not affected Description While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 9.0.0.M18 or later - Upgrade to Apache Tomcat 8.5.12 or later - Upgrade to Apache Tomcat 8.0.42 or later - Upgrade to Apache Tomcat 7.0.76 or later Credit: This issue was identified by the Tomcat security team. History: 2017-04-10 Original advisory References: [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718 [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html [4] http://tomcat.apache.org/security-7.html - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Plans for 8.5.14 ?
Hi! Is there a plan to tag 8.5.14, not waiting for May 1st? My concern is regression in Manager web application, https://bz.apache.org/bugzilla/show_bug.cgi?id=60949 Best regards, Konstantin Kolinko - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1788546 - svn:log
Author: markt Revision: 1788546 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:50:46 2017 -- --- svn:log (original) +++ svn:log Mon Apr 10 20:50:46 2017 @@ -1,2 +1,3 @@ Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60918 When sendfile processing passes to the Poller for completion and then completes before Http11Processor.service() exists, the Processor is recycled which clears sendfileData causing the Processor to return CLOSED or OPEN rather than SENDFILE. +This is the fix for CVE-2017-5651 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1788544 - svn:log
Author: markt Revision: 1788544 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:51:08 2017 -- --- svn:log (original) +++ svn:log Mon Apr 10 20:51:08 2017 @@ -1,2 +1,3 @@ Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60918 When sendfile processing passes to the Poller for completion and then completes before Http11Processor.service() exists, the Processor is recycled which clears sendfileData causing the Processor to return CLOSED or OPEN rather than SENDFILE. +This is the fix for CVE-2017-5651 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1788480 - svn:log
Author: markt Revision: 1788480 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:54:53 2017 -- --- svn:log (original) +++ svn:log Mon Apr 10 20:54:53 2017 @@ -1 +1,2 @@ Close the streams as soon as we know the connection is closing +This is the fix for CVE-2017-5650 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1788460 - svn:log
Author: markt Revision: 1788460 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:55:13 2017 -- --- svn:log (original) +++ svn:log Mon Apr 10 20:55:13 2017 @@ -1 +1,2 @@ Close the streams as soon as we know the connection is closing +This is the fix for CVE-2017-5650 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1785777 - svn:log
Author: markt Revision: 1785777 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:55:59 2017 -- --- svn:log (original) +++ svn:log Mon Apr 10 20:55:59 2017 @@ -1 +1,2 @@ Ensure request and response facades are used when firing application listeners. +This is the fix for CVE-2017-5648 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1785776 - svn:log
Author: markt Revision: 1785776 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:56:18 2017 --
--- svn:log (original)
+++ svn:log Mon Apr 10 20:56:18 2017
@@ -1 +1,2 @@
 Ensure request and response facades are used when firing application listeners.
+This is the fix for CVE-2017-5648 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1785775 - svn:log
Author: markt Revision: 1785775 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:56:37 2017 --
--- svn:log (original)
+++ svn:log Mon Apr 10 20:56:37 2017
@@ -1 +1,2 @@
 Ensure request and response facades are used when firing application listeners.
+This is the fix for CVE-2017-5648 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1785774 - svn:log
Author: markt Revision: 1785774 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:56:59 2017 --
--- svn:log (original)
+++ svn:log Mon Apr 10 20:56:59 2017
@@ -1 +1,2 @@
 Ensure request and response facades are used when firing application listeners.
+This is the fix for CVE-2017-5648 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1789856 - svn:log
Author: markt Revision: 1789856 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:58:07 2017 --
--- svn:log (original)
+++ svn:log Mon Apr 10 20:58:07 2017
@@ -1 +1,2 @@
 Ensure that the socket is returned only once to the poller.
+This is part of the fix for CVE-2017-5647 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1789155 - svn:log
Author: markt Revision: 1789155 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:58:33 2017 --
--- svn:log (original)
+++ svn:log Mon Apr 10 20:58:33 2017
@@ -1,3 +1,4 @@
 Follow-up to r1789024
 Need to add socket/processor to connection cache when sendfile is in progress so pipe-lined request is processed
 Add syncs to AprEndpoint so that only one thread can process a soocket at a time else the transfer between sendfile and normal processing can result in concurrent socket usage.
+This is part of the fix for CVE-2017-5647 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1789024 - svn:log
Author: markt Revision: 1789024 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:59:20 2017 --
--- svn:log (original)
+++ svn:log Mon Apr 10 20:59:20 2017
@@ -1 +1,2 @@
 Improve sendfile handling when requests are pipelined.
+This is part of the fix for CVE-2017-5647 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1789008 - svn:log
Author: markt Revision: 1789008 Modified property: svn:log Modified: svn:log at Mon Apr 10 20:59:44 2017 --
--- svn:log (original)
+++ svn:log Mon Apr 10 20:59:44 2017
@@ -1 +1,2 @@
 Improve sendfile handling when requests are pipelined.
+This is the fix for CVE-2017-5647 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1788999 - svn:log
Author: markt Revision: 1788999 Modified property: svn:log Modified: svn:log at Mon Apr 10 21:00:03 2017 --
--- svn:log (original)
+++ svn:log Mon Apr 10 21:00:03 2017
@@ -1 +1,2 @@
 Improve sendfile handling when requests are pipelined.
+This is the fix for CVE-2017-5647 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1788932 - svn:log
Author: markt Revision: 1788932 Modified property: svn:log Modified: svn:log at Mon Apr 10 21:00:22 2017 --
--- svn:log (original)
+++ svn:log Mon Apr 10 21:00:22 2017
@@ -1 +1,2 @@
 Improve sendfile handling when requests are pipelined.
+This is the fix for CVE-2017-5647 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
svn propchange: r1788890 - svn:log
Author: markt Revision: 1788890 Modified property: svn:log Modified: svn:log at Mon Apr 10 21:00:43 2017 --
--- svn:log (original)
+++ svn:log Mon Apr 10 21:00:43 2017
@@ -1 +1,2 @@
 Improve sendfile handling when requests are pipelined.
+This is the fix for CVE-2017-5647 - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org