Bug report for Tomcat 7 [2018/07/22]

2018-07-22 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Closed/Resolved skipped)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
+-----+---+---+----------+--------------------------------------------------+
|  ID |Sta|Sev|  Posted  | Description                                      |
+-----+---+---+----------+--------------------------------------------------+
|50944|Ver|Blk|2011-03-18|JSF: java.lang.NullPointerException at com.sun.fac|
|53553|New|Enh|2012-07-16|[PATCH] Deploy uploaded WAR with context.xml from |
|53620|New|Enh|2012-07-30|[juli] delay opening a file until something gets l|
|54499|New|Enh|2013-01-29|Implementation of Extensible EL Interpreter   |
|54802|New|Enh|2013-04-04|Provide location information for exceptions thrown|
|55104|New|Enh|2013-06-16|Allow passing arguments with spaces to Commons Dae|
|55470|New|Enh|2013-08-23|Help users for ClassNotFoundExceptions during star|
|55477|New|Enh|2013-08-23|Add a solution to map an realm name to a security |
|56148|New|Enh|2014-02-17|support (multiple) ocsp stapling  |
|56181|New|Enh|2014-02-23|RemoteIpValve & RemoteIpFilter: HttpServletRequest|
|56300|New|Enh|2014-03-22|[Tribes] No useful examples, lack of documentation|
|56438|New|Enh|2014-04-21|If jar scan does not find context config or TLD co|
|56614|New|Enh|2014-06-12|Add a switch to ignore annotations detection on ta|
|56787|New|Enh|2014-07-29|Simplified jndi name parsing  |
|57367|New|Enh|2014-12-18|If JAR scan experiences a stack overflow, give the|
|57827|New|Enh|2015-04-17|Enable adding/removing of members via jmx in a sta|
|57872|New|Enh|2015-04-29|Do not auto-switch session cookie to version=1 due|
|57892|New|Enh|2015-05-05|Log once a warning if a symbolic link is ignored (|
|58338|New|Nor|2015-09-07|BasicDataSourceFactory uses wrong attribute name  |
|59716|New|Enh|2016-06-17|Allow JNDI configuration of CorsFilter|
|60597|New|Enh|2017-01-17|Add ability to set cipher suites for websocket cli|
+-----+---+---+----------+--------------------------------------------------+
Total: 21 bugs

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Bug report for Tomcat 8 [2018/07/22]

2018-07-22 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Closed/Resolved skipped)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
+-----+---+---+----------+--------------------------------------------------+
|  ID |Sta|Sev|  Posted  | Description                                      |
+-----+---+---+----------+--------------------------------------------------+
|53737|Opn|Enh|2012-08-18|Use ServletContext.getJspConfigDescriptor() in Jas|
|53930|New|Enh|2012-09-24|allow capture of catalina stdout/stderr to a comma|
|54741|New|Enh|2013-03-22|Add org.apache.catalina.startup.Tomcat#addWebapp(S|
|55243|New|Enh|2013-07-11|Add special search string for nested roles|
|55252|New|Enh|2013-07-12|Separate Ant and command-line wrappers for JspC   |
|55383|New|Enh|2013-08-07|Improve markup and design of Tomcat's HTML pages  |
|9|New|Enh|2013-09-14|UserDatabaseRealm enhacement: may use local JNDI  |
|55675|New|Enh|2013-10-18|Checking and handling invalid configuration option|
|55788|New|Enh|2013-11-16|TagPlugins should key on tag QName rather than imp|
|55969|New|Enh|2014-01-07|Security-related enhancements to the Windows Insta|
|56166|New|Enh|2014-02-20|Suggestions for exception handling (avoid potentia|
|56361|New|Enh|2014-04-08|org.apache.tomcat.websocket.WsWebSocketContainer#b|
|56398|New|Enh|2014-04-11|Support Arquillian-based unit testing |
|56399|New|Enh|2014-04-11|Re-factor request/response recycling so Coyote and|
|56402|New|Enh|2014-04-11|Add support for HTTP Upgrade to AJP components|
|56448|New|Enh|2014-04-23|Implement a robust solution for client initiated S|
|56522|Opn|Enh|2014-05-14|jasper-el 8 does not comply to EL Spec 3.0 regardi|
|56546|New|Enh|2014-05-19|Improve thread trace logging in WebappClassLoader.|
|56713|New|Enh|2014-07-12|Limit time that incoming request waits while webap|
|56724|New|Enh|2014-07-15|Restart Container background thread if it died une|
|56890|Inf|Maj|2014-08-26|getRealPath returns null  |
|56966|New|Enh|2014-09-11|AccessLogValve's elapsed time has 15ms precision o|
|57130|New|Enh|2014-10-22|Allow digest.sh to accept password from a file or |
|57287|New|Enh|2014-11-29|Sort files listed by DefaultServlet   |
|57421|New|Enh|2015-01-07|Farming default directories   |
|57486|New|Enh|2015-01-23|Improve reuse of ProtectedFunctionMapper instances|
|57665|New|Enh|2015-03-05|support x-forwarded-host  |
|57701|New|Enh|2015-03-13|Implement "[Redeploy]" button for a web applicatio|
|57830|New|Enh|2015-04-18|Add support for ProxyProtocol |
|58052|Opn|Enh|2015-06-19|RewriteValve: Implement additional RewriteRule dir|
|58072|New|Enh|2015-06-23|ECDH curve selection  |
|58143|Opn|Enh|2015-07-15|The WebppClassLoader doesn't call transformers on |
|58577|New|Enh|2015-11-03|JMX Proxy Servlet can't handle overloaded methods |
|58837|New|Enh|2016-01-12|support "X-Content-Security-Policy" a.k.a as "CSP"|
|58935|Opn|Enh|2016-01-29|Re-deploy from war without deleting context   |
|59232|New|Enh|2016-03-24|Make the context name of an app available via JNDI|
|59423|New|Enh|2016-05-03|amend "No LoginModules configured for ..." with hi|
|59758|New|Enh|2016-06-27|Add http proxy username-password credentials suppo|
|60281|Ver|Nor|2016-10-20|Pathname of uploaded WAR file should not be contai|
|60721|Ver|Nor|2017-02-10|Unable to find key spec if more applications use b|
|60781|New|Nor|2017-02-27|Access Log Valve does not escape the same as mod_l|
|60849|New|Enh|2017-03-13|Tomcat NIO Connector not able to handle SSL renego|
|61668|Ver|Min|2017-10-26|Possible NullPointerException in org.apache.coyote|
|61877|New|Enh|2017-12-08|use web.xml from CATALINA_HOME by default |
|61917|New|Enh|2017-12-19|AddDefaultCharsetFilter only supports text/* respo|
|62150|New|Enh|2018-03-01|Behavior of relative paths with RequestDispatcher |
|62214|New|Enh|2018-03-22|The "userSubtree=true" and "roleSubtree=true" in J|
|62245|New|Enh|2018-04-02|[Documentation] Mention contextXsltFile in Default|
|62376|Inf|Nor|2018-05-15|PropertyNotFoundException since 8.5.25|
|62496|New|Enh|2018-06-27|Add possibility write remote user/auth type to res|
|62539|New|Nor|2018-07-14|WsSession cannot be GC while send close message ti|
|62547|

Bug report for Tomcat Connectors [2018/07/22]

2018-07-22 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Closed/Resolved skipped)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
+-----+---+---+----------+--------------------------------------------------+
|  ID |Sta|Sev|  Posted  | Description                                      |
+-----+---+---+----------+--------------------------------------------------+
|46767|New|Enh|2009-02-25|mod_jk to send DECLINED in case no fail-over tomca|
|47327|New|Enh|2009-06-07|Return tomcat authenticated user back to mod_jk (A|
|47750|New|Maj|2009-08-27|ISAPI: Loss of worker settings when changing via j|
|47795|New|Maj|2009-09-07|service sticky_session not being set correctly wit|
|48564|New|Enh|2010-01-18|Allow to turn off retries for LB worker   |
|48830|New|Nor|2010-03-01|IIS shutdown blocked in endpoint service when serv|
|49063|New|Enh|2010-04-07|Please add JkStripSession status in jk-status work|
|49822|New|Enh|2010-08-25|Add hash lb worker method |
|49903|New|Enh|2010-09-09|Make workers file reloadable  |
|52483|New|Enh|2012-01-18|Print JkOptions's options in log file and jkstatus|
|53883|New|Maj|2012-09-17|isapi_redirect v 1.2.37 crashes w3wp.exe  on the p|
|53977|New|Maj|2012-10-07|32bits isapi connector cannot work in wow64 mode  |
|54027|New|Cri|2012-10-18|isapi send request to outside address instead of i|
|54117|New|Maj|2012-11-08|access violation exception in isapi_redirect.dll  |
|54621|New|Enh|2013-02-28|[PATCH] custom mod_jk availability checks |
|56489|New|Enh|2014-05-05|Include a directory for configuration files   |
|56576|New|Enh|2014-05-29|Websocket support |
|57402|New|Enh|2014-12-30|Provide correlation ID between mod_jk log and acce|
|57403|New|Enh|2014-12-30|Persist configuration changes made via status work|
|57407|New|Enh|2014-12-31|Make session_cookie, session_path and session_cook|
|57790|New|Enh|2015-04-03|Check worker names for typos  |
|57946|New|Nor|2015-05-23|Configuration example for mod_jk should be updated|
|58287|New|Nor|2015-08-26|Questionable use of "Global" objects on Windows   |
|59897|New|Nor|2016-07-25|Buffer Overflow in FD_SET in nb_connect (jk_connec|
|60240|New|Min|2016-10-11|Duplicate initialization log entry in mod_jk.log  |
|60745|New|Nor|2017-02-18|False positive: Somebody try to hack into the site|
|61476|New|Enh|2017-09-01|Allow reset of an individual worker stat value|
|61621|New|Enh|2017-10-15|Content-Type is forced to lowercase when it goes t|
|62093|New|Enh|2018-02-09|Allow use_server_errors to apply to specific statu|
|62169|New|Nor|2018-03-09|Not able to compile mod_jk on MacOS   |
|62408|New|Nor|2018-05-24|(New feature) Make configurable the number of retr|
|62459|New|Nor|2018-06-15|mod_jk: Forwarding URLs containing escaped slashes|
+-----+---+---+----------+--------------------------------------------------+
Total: 32 bugs




Bug report for Tomcat Modules [2018/07/22]

2018-07-22 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Closed/Resolved skipped)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
+-----+---+---+----------+--------------------------------------------------+
|  ID |Sta|Sev|  Posted  | Description                                      |
+-----+---+---+----------+--------------------------------------------------+
|50571|Inf|Nor|2011-01-11|Tomcat 7 JDBC connection pool exception enhancemen|
|51595|Inf|Nor|2011-08-01|org.apache.tomcat.jdbc.pool.jmx.ConnectionPool sho|
|51879|Inf|Enh|2011-09-22|Improve access to Native Connection Methods   |
|52024|Inf|Enh|2011-10-13|Custom interceptor to support automatic failover o|
|53199|Inf|Enh|2012-05-07|Refactor ConnectionPool to use ScheduledExecutorSe|
|54437|New|Enh|2013-01-16|Update PoolProperties javadoc for ConnectState int|
|54929|Inf|Nor|2013-05-05|jdbc-pool cannot be used with Java 1.5, "java.lang|
|55078|New|Nor|2013-06-07|Configuring a DataSource Resource with dataSourceJ|
|55662|New|Enh|2013-10-17|Add a way to set an instance of java.sql.Driver di|
|56046|New|Enh|2014-01-21|org.apache.tomcat.jdbc.pool.XADataSource InitSQL p|
|56088|New|Maj|2014-01-29|AbstractQueryReport$StatementProxy throws exceptio|
|56310|Inf|Maj|2014-03-25|PooledConnection and XAConnection not handled corr|
|56586|New|Nor|2014-06-02|initSQL should be committed if defaultAutoCommit =|
|56775|New|Nor|2014-07-28|PoolCleanerTime schedule issue|
|56779|New|Nor|2014-07-28|Allow multiple connection initialization statement|
|56790|New|Nor|2014-07-29|Resizing pool.maxActive to a higher value at runti|
|56798|New|Nor|2014-07-31|Idle eviction strategy could perform better (and i|
|56804|New|Nor|2014-08-02|Use a default validationQueryTimeout other than "f|
|56805|New|Nor|2014-08-02|datasource.getConnection() may be unnecessarily bl|
|56837|New|Nor|2014-08-11|if validationQuery have error with timeBetweenEvic|
|56970|New|Nor|2014-09-11|MaxActive vs. MaxTotal for commons-dbcp and tomcat|
|56974|New|Nor|2014-09-12|jdbc-pool validation query defaultAutoCommit statu|
|57460|New|Nor|2015-01-19|[DB2]Connection broken after few hours but not rem|
|57729|New|Enh|2015-03-20|Add QueryExecutionReportInterceptor to log query e|
|58489|Opn|Maj|2015-10-08|QueryStatsComparator throws IllegalArgumentExcepti|
|59077|New|Nor|2016-02-26|DataSourceFactory creates a neutered data source  |
|59569|New|Nor|2016-05-18|isWrapperFor/unwrap implementations incorrect |
|59879|New|Nor|2016-07-18|StatementCache interceptor returns ResultSet objec|
|60195|New|Nor|2016-10-02|No javadoc in Maven Central   |
|60522|New|Nor|2016-12-27|An option for setting if the transaction should be|
|60524|Inf|Nor|2016-12-28|NPE in SlowQueryReport in tomcat-jdbc-7.0.68  |
|60645|New|Nor|2017-01-25|StatementFinalizer is not thread-safe |
|61032|New|Nor|2017-04-24|min pool size is not being respected  |
|61103|New|Nor|2017-05-18|StatementCache potentially caching non-functional |
|61302|New|Enh|2017-07-15|Refactoring of DataSourceProxy|
|61303|New|Enh|2017-07-15|Refactoring of ConnectionPool |
|62432|New|Nor|2018-06-06|Memory Leak in Statement Finalizer?   |
+-----+---+---+----------+--------------------------------------------------+
Total: 37 bugs




Bug report for Tomcat Native [2018/07/22]

2018-07-22 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Closed/Resolved skipped)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
+-----+---+---+----------+--------------------------------------------------+
|  ID |Sta|Sev|  Posted  | Description                                      |
+-----+---+---+----------+--------------------------------------------------+
|53940|New|Enh|2012-09-27|Added support for new CRL loading after expiration|
|56378|New|Nor|2014-04-09|Cert load fails if cert is located in path with no|
|57815|New|Enh|2015-04-15|Improve error message when OpenSSL does not suppor|
|58194|Inf|Maj|2015-07-30|Tomcat crash EXCEPTION_ACCESS_VIOLATION in tcnativ|
|59286|New|Nor|2016-04-07|Socket binding failures when using APR|
+-----+---+---+----------+--------------------------------------------------+
Total: 5 bugs




Bug report for Taglibs [2018/07/22]

2018-07-22 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Closed/Resolved skipped)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
+-----+---+---+----------+--------------------------------------------------+
|  ID |Sta|Sev|  Posted  | Description                                      |
+-----+---+---+----------+--------------------------------------------------+
|38193|Ass|Enh|2006-01-09|[RDC] BuiltIn Grammar support for Field   |
|38600|Ass|Enh|2006-02-10|[RDC] Enable RDCs to be used in X+V markup (X+RDC)|
|42413|New|Enh|2007-05-14|[PATCH] Log Taglib enhancements   |
|46052|New|Nor|2008-10-21|SetLocaleSupport is slow to initialize when many l|
|48333|New|Enh|2009-12-02|TLD generator |
|57548|New|Min|2015-02-08|Auto-generate the value for org.apache.taglibs.sta|
|57684|New|Min|2015-03-10|Version info should be taken from project version |
|59359|New|Enh|2016-04-20|(Task) Extend validity period for signing KEY - be|
|59668|New|Nor|2016-06-06|x:forEach retains the incorrect scope when used in|
|61875|New|Nor|2017-12-08|Investigate whether Xalan can be removed  |
+-----+---+---+----------+--------------------------------------------------+
Total: 10 bugs




Bug report for Tomcat 9 [2018/07/22]

2018-07-22 Thread bugzilla
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description
Status: UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Closed/Resolved skipped)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial
+-----+---+---+----------+--------------------------------------------------+
|  ID |Sta|Sev|  Posted  | Description                                      |
+-----+---+---+----------+--------------------------------------------------+
|57505|New|Enh|2015-01-27|Add integration tests for JspC|
|57661|New|Enh|2015-03-04|Delay sending of 100 continue response until appli|
|58242|New|Enh|2015-08-13|Scanning jars in classpath to get annotations in p|
|58530|New|Enh|2015-10-23|Proposal for new Manager HTML GUI |
|58548|New|Enh|2015-10-26|support certifcate transparency   |
|58590|New|Enh|2015-11-05|org.apache.catalina.realm.MemoryRealm can use back|
|58859|New|Enh|2016-01-14|Allow to limit charsets / encodings supported by T|
|59203|New|Enh|2016-03-21|Try to call Thread.interrupt before calling Thread|
|59344|Ver|Enh|2016-04-18|PEM file support for JSSE |
|59750|New|Enh|2016-06-24|Amend "authenticate" method with context by means |
|59901|New|Enh|2016-07-26|Reduce I/O associated with JSP compilation|
|60997|New|Enh|2017-04-17|Enhance SemaphoreValve to support denied status an|
|61171|New|Enh|2017-06-09|Add port offset attribute (portOffset?) to Server |
|61692|New|Enh|2017-10-28|CGIServlet should handle additional HTTP methods, |
|61971|New|Enh|2018-01-06|documentation for using tomcat with systemd   |
|62048|New|Enh|2018-01-25|Missing logout function in Manager and Host-Manage|
|62072|New|Enh|2018-02-01|Add support for request compression   |
|62140|New|Enh|2018-02-27|catalina.sh should document the verbs it accepts a|
|62312|New|Enh|2018-04-18|Add Proxy Authentication support to websocket clie|
|62405|New|Enh|2018-05-23|Add Rereadable Request Filter |
|62488|New|Enh|2018-06-25|Obtain dependencies from Maven Central where possi|
|62558|New|Enh|2018-07-20|Tomcat Russian localization   |
+-----+---+---+----------+--------------------------------------------------+
Total: 22 bugs




svn commit: r1836421 - in /tomcat/site/trunk: docs/security-8.html xdocs/security-8.xml

2018-07-22 Thread jfclere
Author: jfclere
Date: Sun Jul 22 07:26:01 2018
New Revision: 1836421

URL: http://svn.apache.org/viewvc?rev=1836421&view=rev
Log:
add the missing CVE to Tomcat 8.0.x release.

Modified:
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/xdocs/security-8.xml

Modified: tomcat/site/trunk/docs/security-8.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1836421&r1=1836420&r2=1836421&view=diff
==
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Sun Jul 22 07:26:01 2018
@@ -228,6 +228,9 @@
 Fixed in Apache Tomcat 8.5.32
 
 
+Fixed in Apache Tomcat 8.0.52
+
+
 Fixed in Apache Tomcat 8.0.50
 
 
@@ -373,8 +376,28 @@
   
 
 
-not yet released Fixed in Apache Tomcat 
8.0.53
+6 July 2018 Fixed in Apache Tomcat 8.0.53
 
+
+
+
+Low: host name verification missing in WebSocket client
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034"; 
rel="nofollow">CVE-2018-8034
+
+
+
+The host name verification when using TLS with the WebSocket client was
+   missing. It is now enabled by default.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1833759";>1833759.
+
+
+This issue was reported publicly on 11 June 2018 and formally announced as
+   a vulnerability on 22 July 2018.
+
+
+Affects:  8.0.0.RC1 to 8.0.52
   
 
 
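Review bot: style, the new "Affects:  8.0.0.RC1 to 8.0.52" line carries a doubled space after the colon, unlike "Affects: 8.0.0.RC1 to 8.0.51" in the 8.0.52 entry added further down this file; the xdocs/security-8.xml hunk for the same entry has the same doubled space, so fix both. The range itself agrees with the CVE-2018-8034 advisory (8.0.0.RC1 to 8.0.52).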
@@ -399,7 +422,7 @@
   
 
 
-not yet released Fixed in Apache Tomcat 
8.5.32
+26 June 2018 Fixed in Apache Tomcat 8.5.32
 
   
 
@@ -424,6 +447,33 @@
 
   
 
+
+08 May 2018 Fixed in Apache Tomcat 8.0.52
+
+
+
+
+Important: A bug in the UTF-8 decoder can lead to DoS
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336"; 
rel="nofollow">CVE-2018-1336
+
+ 
+
+An improper handing of overflow in the UTF-8 decoder with
+   supplementary characters can lead to an infinite loop in the
+   decoder causing a Denial of Service.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1830375";>1830375.
+
+
+This issue was reported publicly on 6 April 2018 and formally announced as
+   a vulnerability on 22 July 2018.
+
+
+Affects: 8.0.0.RC1 to 8.0.51
+
+  
+
 
 13 February 2018 Fixed in Apache Tomcat 
8.0.50
 
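Review bot: typo in the new CVE-2018-1336 description, "An improper handing of overflow" should read "An improper handling of overflow"; the wording is repeated verbatim in the xdocs/security-8.xml hunk for this entry, so both copies need the fix.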

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1836421&r1=1836420&r2=1836421&view=diff
==
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Sun Jul 22 07:26:01 2018
@@ -50,7 +50,20 @@
 
   
 
-  
+  
+
+Low: host name verification missing in WebSocket client
+   CVE-2018-8034
+
+The host name verification when using TLS with the WebSocket client was
+   missing. It is now enabled by default.
+
+This was fixed in revision 1833759.
+
+This issue was reported publicly on 11 June 2018 and formally announced 
as
+   a vulnerability on 22 July 2018.
+
+Affects:  8.0.0.RC1 to 8.0.52
   
 Low: CORS filter has insecure defaults
CVE-2018-8014
@@ -68,7 +81,7 @@
 
   
 
-  
+  
   
 Low: CORS filter has insecure defaults
CVE-2018-8014
@@ -86,6 +99,24 @@
 
   
 
+  
+
+Important: A bug in the UTF-8 decoder can lead to DoS
+   CVE-2018-1336
+ 
+An improper handing of overflow in the UTF-8 decoder with
+   supplementary characters can lead to an infinite loop in the
+   decoder causing a Denial of Service.
+
+This was fixed in revision 1830375.
+
+This issue was reported publicly on 6 April 2018 and formally announced 
as
+   a vulnerability on 22 July 2018.
+
+Affects: 8.0.0.RC1 to 8.0.51
+
+  
+
   
   
 Important: Security constraint annotations applied too






[Bug 62169] Not able to compile mod_jk on MacOS

2018-07-22 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=62169

--- Comment #3 from Michael Osipov <1983-01...@gmx.net> ---
(In reply to Christopher Schultz from comment #2)
> Since you are using the libtool bundled with XAMPP, I think this is not a
> bug in the mod_jk distribution... it's likely a problem with XAMPP's libtool.
> 
> Can you try again with an httpd source package from httpd.apache.org and see
> if that works?

I fully agree with that, or better yet use the most recent libtool provided by
libtoolize. Your XAMPP is a third-party bundle we don't support.




svn commit: r1836426 - in /tomcat/site/trunk: docs/security-8.html xdocs/security-8.xml

2018-07-22 Thread jfclere
Author: jfclere
Date: Sun Jul 22 08:11:28 2018
New Revision: 1836426

URL: http://svn.apache.org/viewvc?rev=1836426&view=rev
Log:
Add tc8.5.x missing CVE.

Modified:
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/xdocs/security-8.xml

Modified: tomcat/site/trunk/docs/security-8.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1836426&r1=1836425&r2=1836426&view=diff
==
--- tomcat/site/trunk/docs/security-8.html (original)
+++ tomcat/site/trunk/docs/security-8.html Sun Jul 22 08:11:28 2018
@@ -231,6 +231,9 @@
 Fixed in Apache Tomcat 8.0.52
 
 
+Fixed in Apache Tomcat 8.5.31
+
+
 Fixed in Apache Tomcat 8.0.50
 
 
@@ -427,6 +430,47 @@
   
 
 
+Important: Due to a mishandling of close in NIO/NIO2 connectors user
+   sessions can get mixed up
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8037"; 
rel="nofollow">CVE-2018-8037
+
+
+
+A bug in the tracking of connection closures can lead to reuse of user
+   sessions in a new connection
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1833907";>1833907.
+
+
+This issue was reported to the Apache Tomcat Security Team by Dmitry
+   Treskunov on 16 June 2018 and made public on 22 July 2018.
+
+
+Affects: 8.5.5 to 8.5.31
+
+
+
+Low: host name verification missing in WebSocket client
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034"; 
rel="nofollow">CVE-2018-8034
+
+
+
+The host name verification when using TLS with the WebSocket client was
+   missing. It is now enabled by default.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1833758";>1833758.
+
+
+This issue was reported publicly on 11 June 2018 and formally announced as
+   a vulnerability on 22 July 2018.
+
+
+Affects: 8.5.0 to 8.5.31
+
+
+
 Low: CORS filter has insecure defaults
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014"; 
rel="nofollow">CVE-2018-8014
 
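Review bot: the new CVE-2018-8037 description "A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection" is missing its closing period, unlike the other descriptions in this file and the CVE-2018-8037 advisory text; the xdocs/security-8.xml hunk carries the same sentence, so fix both. The affected range "8.5.5 to 8.5.31" matches the advisory.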
@@ -474,6 +518,33 @@
 
   
 
+
+4 May 2018 Fixed in Apache Tomcat 8.5.31
+
+
+
+
+Important: A bug in the UTF-8 decoder can lead to DoS
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336"; 
rel="nofollow">CVE-2018-1336
+
+ 
+
+An improper handing of overflow in the UTF-8 decoder with
+   supplementary characters can lead to an infinite loop in the
+   decoder causing a Denial of Service.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1830374";>1830374.
+
+
+This issue was reported publicly on 6 April 2018 and formally announced as
+   a vulnerability on 22 July 2018.
+
+
+Affects: 8.5.0 to 8.5.30
+
+  
+
 
 13 February 2018 Fixed in Apache Tomcat 
8.0.50
 
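Review bot: same typo as in the 8.0.52 entry, "An improper handing of overflow" should be "An improper handling of overflow", here and in the matching xdocs/security-8.xml hunk.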

Modified: tomcat/site/trunk/xdocs/security-8.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-8.xml?rev=1836426&r1=1836425&r2=1836426&view=diff
==
--- tomcat/site/trunk/xdocs/security-8.xml (original)
+++ tomcat/site/trunk/xdocs/security-8.xml Sun Jul 22 08:11:28 2018
@@ -83,6 +83,33 @@
 
   
   
+Important: Due to a mishandling of close in NIO/NIO2 connectors 
user
+   sessions can get mixed up
+   CVE-2018-8037
+
+A bug in the tracking of connection closures can lead to reuse of user
+   sessions in a new connection
+
+This was fixed in revision 1833907.
+
+This issue was reported to the Apache Tomcat Security Team by Dmitry
+   Treskunov on 16 June 2018 and made public on 22 July 2018.
+
+Affects: 8.5.5 to 8.5.31
+
+Low: host name verification missing in WebSocket client
+   CVE-2018-8034
+
+The host name verification when using TLS with the WebSocket client was
+   missing. It is now enabled by default.
+
+This was fixed in revision 1833758.
+
+This issue was reported publicly on 11 June 2018 and formally announced 
as
+   a vulnerability on 22 July 2018.
+
+Affects: 8.5.0 to 8.5.31
+
 Low: CORS filter has insecure defaults
CVE-2018-8014
 
@@ -117,6 +144,24 @@
 
   
 
+  
+
+Important: A bug in the UTF-8 decoder can lead to DoS
+   CVE-2018-1336
+ 
+An improper handing of overflow in the UTF-8 decoder with
+   supplementary characters can lead to an infinite loop in the
+   decoder causing a Denial of Service.
+
+This was fixed in revision 1830374.
+
+This issue was reported publicly on 6 April 2018 and formally announced 
as
+   a vulnerability on 22 July 2018.
+
+Affects: 8.5.0 to 8.5.30
+
+  
+
   
   
 Important: Security constraint annotations applied too






svn commit: r1836429 - in /tomcat/site/trunk: docs/security-7.html xdocs/security-7.xml

2018-07-22 Thread jfclere
Author: jfclere
Date: Sun Jul 22 08:58:25 2018
New Revision: 1836429

URL: http://svn.apache.org/viewvc?rev=1836429&view=rev
Log:
Add the missing CVE.

Modified:
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/xdocs/security-7.xml

Modified: tomcat/site/trunk/docs/security-7.html
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-7.html?rev=1836429&r1=1836428&r2=1836429&view=diff
==
--- tomcat/site/trunk/docs/security-7.html (original)
+++ tomcat/site/trunk/docs/security-7.html Sun Jul 22 08:58:25 2018
@@ -222,9 +222,15 @@
 Apache Tomcat 7.x 
vulnerabilities
 
 
+Fixed in Apache Tomcat 7.0.90
+
+
 Fixed in Apache Tomcat 7.0.89
 
 
+Fixed in Apache Tomcat 7.0.88
+
+
 Fixed in Apache Tomcat 7.0.85
 
 
@@ -396,8 +402,34 @@
 
   
 
+
+7 July 2018 Fixed in Apache Tomcat 7.0.90
+
+
+
+
+Low: host name verification missing in WebSocket client
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034"; 
rel="nofollow">CVE-2018-8034
+
+
+
+The host name verification when using TLS with the WebSocket client was
+   missing. It is now enabled by default.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1833760";>1833760.
+
+
+This issue was reported publicly on 11 June 2018 and formally announced as
+   a vulnerability on 22 July 2018.
+
+
+Affects: 7.0.25 to 7.0.88
+
+  
+
 
-not yet released Fixed in Apache Tomcat 
7.0.89
+not released Fixed in Apache Tomcat 7.0.89
 
   
 
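Review bot: the range "Affects: 7.0.25 to 7.0.88" for CVE-2018-8034 disagrees with the CVE-2018-8034 advisory posted to this list, which gives "Apache Tomcat 7.0.35 to 7.0.88"; one of the two is wrong and should be reconciled before the page is published. The xdocs/security-7.xml hunk below carries the same 7.0.25.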
@@ -422,6 +454,33 @@
 
   
 
+
+16 May 2018 Fixed in Apache Tomcat 7.0.88
+
+
+
+
+Important: A bug in the UTF-8 decoder can lead to DoS
+   http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336"; 
rel="nofollow">CVE-2018-1336
+
+ 
+
+An improper handing of overflow in the UTF-8 decoder with
+   supplementary characters can lead to an infinite loop in the
+   decoder causing a Denial of Service.
+
+
+This was fixed in revision http://svn.apache.org/viewvc?view=rev&rev=1830376";>1830376.
+
+
+This issue was reported publicly on 6 April 2018 and formally announced as
+   a vulnerability on 22 July 2018.
+
+
+Affects: 7.0.28 to 7.0.88
+
+  
+
 
 13 February 2018 Fixed in Apache Tomcat 
7.0.85
 
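Review bot: "Affects: 7.0.28 to 7.0.88" ends at the very release this entry says contains the fix ("16 May 2018 Fixed in Apache Tomcat 7.0.88"), so the upper bound cannot be 7.0.88 (compare the 8.0.52 entry, whose range stops at 8.0.51); the CVE-2018-1336 advisory on this list gives "7.0.28 to 7.0.86". Also "handing" should be "handling". Both points apply to the matching xdocs/security-7.xml hunk as well.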

Modified: tomcat/site/trunk/xdocs/security-7.xml
URL: 
http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-7.xml?rev=1836429&r1=1836428&r2=1836429&view=diff
==
--- tomcat/site/trunk/xdocs/security-7.xml (original)
+++ tomcat/site/trunk/xdocs/security-7.xml Sun Jul 22 08:58:25 2018
@@ -50,7 +50,24 @@
 
   
 
-  
+  
+
+Low: host name verification missing in WebSocket client
+   CVE-2018-8034
+
+The host name verification when using TLS with the WebSocket client was
+   missing. It is now enabled by default.
+
+This was fixed in revision 1833760.
+
+This issue was reported publicly on 11 June 2018 and formally announced 
as
+   a vulnerability on 22 July 2018.
+
+Affects: 7.0.25 to 7.0.88
+
+  
+
+  
   
 Low: CORS filter has insecure defaults
CVE-2018-8014
@@ -68,6 +85,24 @@
 
   
 
+  
+
+Important: A bug in the UTF-8 decoder can lead to DoS
+   CVE-2018-1336
+ 
+An improper handing of overflow in the UTF-8 decoder with
+   supplementary characters can lead to an infinite loop in the
+   decoder causing a Denial of Service.
+
+This was fixed in revision 1830376.
+
+This issue was reported publicly on 6 April 2018 and formally announced 
as
+   a vulnerability on 22 July 2018.
+
+Affects: 7.0.28 to 7.0.88
+
+  
+
   
   
 Important: Security constraint annotations applied too






[SECURITY] CVE-2018-1336 Apache Tomcat - Denial of Service

2018-07-22 Thread Jean-Frederic Clere
CVE-2018-1336 Apache Tomcat - Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M9 to 9.0.7
Apache Tomcat 8.5.0 to 8.5.30
Apache Tomcat 8.0.0.RC1 to 8.0.51
Apache Tomcat 7.0.28 to 7.0.86

Description:

An improper handling of overflow in the UTF-8 decoder with
supplementary characters can lead to an infinite loop in the
decoder causing a Denial of Service.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.7 or later.
- Upgrade to Apache Tomcat 8.5.32 or later.
- Upgrade to Apache Tomcat 8.0.52 or later.
- Upgrade to Apache Tomcat 7.0.90 or later.

History:
2018-07-22 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
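The advisory names the failure mode but not the mechanism. The following is an added illustration, not Tomcat's decoder and not code from the advisory: a UTF-8 decoder that writes UTF-16 code units into a fixed-size output buffer using the OVERFLOW/UNDERFLOW contract of java.nio's CharsetDecoder, which is an assumption about the shape of the bug drawn only from the advisory wording. It shows the two things a decoder of this shape must get right for supplementary characters (4-byte sequences that become a surrogate pair): the pair is emitted atomically and, on OVERFLOW, the input position is left at the start of the character that did not fit; the driver adds a liveness guard so that a buffer too small to ever hold a pair raises instead of spinning. Sample inputs are constructed inline.

```python
# Added example (not Tomcat's code): UTF-8 -> UTF-16 decoder with a fixed-size
# output buffer, modelling the CoderResult.OVERFLOW / UNDERFLOW contract of
# java.nio.charset.CharsetDecoder.  The bug shape is an assumption drawn from
# the advisory text, not a description of the actual Tomcat decoder.

UNDERFLOW = "UNDERFLOW"   # input consumed (or a trailing sequence is incomplete)
OVERFLOW = "OVERFLOW"     # output buffer full; caller drains it and calls again


def _sequence_length(lead: int) -> int:
    """Length of the UTF-8 sequence introduced by `lead`; 0 for an invalid lead byte."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0  # continuation byte, overlong lead (C0/C1) or out-of-range lead (F5+)


def _utf16_units(cp: int) -> list:
    """UTF-16 encoding of one code point: one unit, or a surrogate pair above U+FFFF."""
    if cp < 0x10000:
        return [cp]
    cp -= 0x10000
    return [0xD800 + (cp >> 10), 0xDC00 + (cp & 0x3FF)]


def decode_step(data: bytes, pos: int, out: list, capacity: int):
    """Decode data[pos:] into `out` until the input ends or `out` holds `capacity` units.

    Returns (status, new_pos).  The invariant that prevents an endless loop:
    on OVERFLOW, new_pos is the first byte of the character that did not fit,
    so the caller can drain `out` and resume without losing or repeating input.
    A supplementary character is emitted atomically (both units or none).
    """
    while pos < len(data):
        n = _sequence_length(data[pos])
        if n == 0:
            raise ValueError(f"invalid UTF-8 lead byte 0x{data[pos]:02x} at offset {pos}")
        if pos + n > len(data):
            return UNDERFLOW, pos            # incomplete sequence at end of input
        # Strict decode of exactly one sequence rejects bad continuation bytes,
        # overlong forms and encoded surrogates.
        units = _utf16_units(ord(data[pos:pos + n].decode("utf-8")))
        if len(out) + len(units) > capacity:
            return OVERFLOW, pos             # does not fit: leave input untouched
        out.extend(units)
        pos += n
    return UNDERFLOW, pos


def decode_all(data: bytes, capacity: int) -> str:
    """Drive decode_step with an output buffer of `capacity` UTF-16 units.

    The liveness guard turns "no input consumed and no output produced" into an
    exception instead of the endless OVERFLOW/drain cycle the advisory describes
    (for example a buffer too small to hold one surrogate pair).
    """
    pos, units, rounds = 0, [], 0
    while True:
        out = []
        status, new_pos = decode_step(data, pos, out, capacity)
        units.extend(out)
        if status == UNDERFLOW:
            if new_pos != len(data):
                raise ValueError(f"truncated UTF-8 sequence at offset {new_pos}")
            break
        if new_pos == pos and not out:
            raise RuntimeError(f"decoder made no progress at offset {pos} "
                               f"with output capacity {capacity}")
        pos = new_pos
        rounds += 1
        if rounds > len(data):               # each OVERFLOW round consumes >= 1 byte
            raise RuntimeError("decoder exceeded the round budget")
    return b"".join(u.to_bytes(2, "big") for u in units).decode("utf-16-be")


def try_decode(data: bytes, capacity: int) -> tuple:
    """Convenience wrapper: ('ok', text) or (exception class name, message)."""
    try:
        return "ok", decode_all(data, capacity)
    except (ValueError, RuntimeError) as exc:
        return type(exc).__name__, str(exc)


if __name__ == "__main__":
    sample = "a\U0001F600b".encode("utf-8")   # constructed: ASCII, emoji (4 bytes), ASCII
    print(try_decode(sample, 2))               # emoji deferred to the next round
    print(try_decode(sample, 1))               # pair can never fit: guard raises
    print(try_decode(sample[:3], 4))           # truncated sequence is rejected
```

With an output buffer of two units the emoji is postponed to a fresh buffer rather than split; with a buffer of one unit a decoder without the guard would return OVERFLOW forever, which is the denial-of-service shape the advisory describes.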




[SECURITY] CVE-2018-8037 Apache Tomcat - Information Disclosure

2018-07-22 Thread Jean-Frederic Clere
CVE-2018-8037 Apache Tomcat - Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M9 to 9.0.9
Apache Tomcat 8.5.5 to 8.5.31

Description:

A bug in the tracking of connection closures can lead to
reuse of user sessions in a new connection.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.10 or later.
- Upgrade to Apache Tomcat 8.5.32 or later.

History:
2018-07-22 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html




[SECURITY] CVE-2018-8034 Apache Tomcat - Security Constraint Bypass

2018-07-22 Thread Jean-Frederic Clere
CVE-2018-8034 Apache Tomcat - Security Constraint Bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.9
Apache Tomcat 8.5.0 to 8.5.31
Apache Tomcat 8.0.0.RC1 to 8.0.52
Apache Tomcat 7.0.35 to 7.0.88

Description:
The host name verification when using TLS with the WebSocket
client was missing. It is now enabled by default.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.10 or later.
- Upgrade to Apache Tomcat 8.5.32 or later.
- Upgrade to Apache Tomcat 8.0.53 or later.
- Upgrade to Apache Tomcat 7.0.90 or later.

History:
2018-07-22 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html




[GUMP@vmgump-vm3]: Project tomcat-tc8.0.x-test-nio2 (in module tomcat-8.0.x) failed

2018-07-22 Thread Bill Barker
To whom it may engage...

This is an automated request, but not an unsolicited one. For 
more information please visit http://gump.apache.org/nagged.html, 
and/or contact the folk at gene...@gump.apache.org.

Project tomcat-tc8.0.x-test-nio2 has an issue affecting its community 
integration.
This issue affects 1 projects, and has been outstanding for 176 runs.
The current state of this project is 'Failed', with reason 'Build Failed'.
For reference only, the following projects are affected by this:
- tomcat-tc8.0.x-test-nio2 :  Tomcat 8.x, a web server implementing the 
Java Servlet 3.1,
...


Full details are available at:

http://vmgump-vm3.apache.org/tomcat-8.0.x/tomcat-tc8.0.x-test-nio2/index.html

That said, some information snippets are provided here.

The following annotations (debug/informational/warning/error messages) were 
provided:
 -INFO- Failed with reason build failed
 -INFO- Project Reports in: /srv/gump/public/workspace/tomcat-8.0.x/output/logs-NIO2
 -INFO- Project Reports in: /srv/gump/public/workspace/tomcat-8.0.x/output/test-tmp-NIO2/logs
 -WARNING- No directory [/srv/gump/public/workspace/tomcat-8.0.x/output/test-tmp-NIO2/logs]



The following work was performed:
http://vmgump-vm3.apache.org/tomcat-8.0.x/tomcat-tc8.0.x-test-nio2/gump_work/build_tomcat-8.0.x_tomcat-tc8.0.x-test-nio2.html
Work Name: build_tomcat-8.0.x_tomcat-tc8.0.x-test-nio2 (Type: Build)
Work ended in a state of : Failed
Elapsed: 21 mins 10 secs
Command Line: /usr/lib/jvm/java-8-oracle/bin/java -Djava.awt.headless=true 
-Dbuild.sysclasspath=only -Dsun.zip.disableMemoryMapping=true 
org.apache.tools.ant.Main -Dgump.merge=/srv/gump/public/gump/work/merge.xml 
-Djunit.jar=/srv/gump/public/workspace/junit/target/junit-4.13-SNAPSHOT.jar 
-Djava.net.preferIPv4Stack=/srv/gump/public/workspace/tomcat-8.0.x/true 
-Dobjenesis.jar=/srv/gump/public/workspace/objenesis/main/target/objenesis-2.7-SNAPSHOT.jar
 -Dtest.reports=output/logs-NIO2 -Dexecute.test.nio2=true 
-Dexamples.sources.skip=true 
-Dbase.path=/srv/gump/public/workspace/tomcat-8.0.x/tomcat-build-libs 
-Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.7.3a-201803300640/ecj-4.7.3a.jar
 -Dtest.relaxTiming=true 
-Dcommons-daemon.jar=/srv/gump/public/workspace/apache-commons/daemon/target/commons-daemon-1.1.1-SNAPSHOT.jar
 -Dtest.temp=output/test-tmp-NIO2 -Dtest.accesslog=true 
-Dexecute.test.nio=false 
-Dtest.openssl.path=/srv/gump/public/workspace/openssl-1.0.2/dest-20180723/bin/openssl
 -Dexecute.test.bio=false -Dexecute.test.apr=false -Dtest.excludePerformance=true 
-Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-3.7-SNAPSHOT.jar
 -Dhamcrest.jar=/srv/gump/packages/hamcrest/hamcrest-core-1.3.jar 
-Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test 
[Working Directory: /srv/gump/public/workspace/tomcat-8.0.x]