[jira] [Created] (MTOMCAT-323) Avoid using plaintext Keystore password in source code
Ying Zhang created MTOMCAT-323:
----------------------------------

Summary: Avoid using plaintext Keystore password in source code
Key: MTOMCAT-323
URL: https://issues.apache.org/jira/browse/MTOMCAT-323
Project: Apache Tomcat Maven Plugin
Issue Type: Improvement
Reporter: Ying Zhang

We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a reported vulnerability by certain tools. We would appreciate it if you could give any feedback on it.

--
This message was sent by Atlassian Jira (v8.3.4#803005)

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[jira] [Updated] (MTOMCAT-323) Avoid using plaintext Keystore password in source code
[ https://issues.apache.org/jira/browse/MTOMCAT-323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ying Zhang updated MTOMCAT-323:
----------------------------------

Description:

We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a reported vulnerability by certain tools. We would appreciate it if you could give any feedback on it.

*Vulnerability Description*
In file tomcat/test/org/apache/tomcat/util/net/TesterSupport.java, a hard-coded password is used at Line 179.

*Security Impact:*
Keystore password should not be kept in the source code. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. The product transmits or stores authentication credentials, but it uses an insecure way that is susceptible to unauthorized interception and/or retrieval. We understand it is in the TestSupport file, but should it at least give some "reminder" to users for avoiding the misuses?

*Useful Resources*:
[https://cwe.mitre.org/data/definitions/321.html]
[https://cwe.mitre.org/data/definitions/522.html]
[https://www.baeldung.com/java-keystore]

*Solution we suggest*
To be managed safely, passwords or secret keys should be stored in separate configuration files or keystores. The Keystore password is better to load from the locally set files instead of directly set in the code.

*Please share with us your opinions/comments if there are any*
Is the bug report helpful?

was:

We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a reported vulnerability by certain tools. We would appreciate it if you could give any feedback on it.
> Avoid using plaintext Keystore password in source code
> ------------------------------------------------------
>
> Key: MTOMCAT-323
> URL: https://issues.apache.org/jira/browse/MTOMCAT-323
> Project: Apache Tomcat Maven Plugin
> Issue Type: Improvement
> Reporter: Ying Zhang
> Priority: Major
[jira] [Resolved] (MTOMCAT-323) Avoid using plaintext Keystore password in source code
[ https://issues.apache.org/jira/browse/MTOMCAT-323?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Mark Thomas resolved MTOMCAT-323.
---------------------------------

Resolution: Invalid

I am frankly astonished that anyone involved in security research would think that this is a security vulnerability. The code in question is clearly test code. There is zero security risk associated with this code.

This report is not helpful at all. Such reports serve only to waste the valuable time of our volunteer communities.

Given that you indicate that you are using vulnerability scanning tools, please note that - due to the high level of false positives - the Apache Software Foundation automatically rejects any vulnerability report consisting solely of output from a vulnerability scanning tool. The Apache Software Foundation only accepts such reports when accompanied by manual analysis that demonstrates that the claimed vulnerability exists and is exploitable.

Further reports along similar lines are likely to be resolved as invalid with no further comment.
[jira] [Comment Edited] (MTOMCAT-323) Avoid using plaintext Keystore password in source code
[ https://issues.apache.org/jira/browse/MTOMCAT-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280270#comment-17280270 ]

Mark Thomas edited comment on MTOMCAT-323 at 2/6/21, 7:50 PM:
--------------------------------------------------------------

I am frankly astonished that anyone involved in security research would think that this is a security vulnerability. The code in question is clearly test code. There is zero security risk associated with this code.

This report is not helpful at all. Such reports serve only to waste the valuable time of our volunteer communities.

Given that you indicate that you are using vulnerability scanning tools, please note that - due to the high level of false positives - the Apache Software Foundation automatically rejects any vulnerability report consisting solely of output from a vulnerability scanning tool. The Apache Software Foundation only accepts such reports when accompanied by manual analysis that demonstrates that the claimed vulnerability exists and is exploitable.

Further reports along similar lines are likely to be resolved as invalid with no further comment.

was (Author: markt):

I am frankly astonished that anyone involved in security research would think that this is a security vulnerability. The code in question is clearly test code. There is zero security risk associated with this code.

This report is not helpful at all. Such reports serve only to waste the valuable time of our volunteer communities.

Given that you indicate that you are using vulnerability scanning tools, please note that - due to the high level of false positives - the Apache Software Foundation automatically rejects any vulnerability report consisting solely of output from a vulnerability scanning tool. The Apache Software Foundation only accepts such reports when accompanied by manual analysis that demonstrates that the claimed vulnerability exists and is exploitable.

Further reports along similar lines are lines are likely to be resolved as invalid with no further comment.
[jira] [Commented] (MTOMCAT-323) Avoid using plaintext Keystore password in source code
[ https://issues.apache.org/jira/browse/MTOMCAT-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280273#comment-17280273 ]

Mark Thomas commented on MTOMCAT-323:
-------------------------------------

In my astonishment I forgot to mention that potential security vulnerability reports should *NEVER* be reported via a public bug tracker. Instructions for the correct process may be found at:

[http://www.apache.org/security/]
[Bug 65126] New: A security vulnerability cve-2020-1971 in Tomcat dependency Library in version 9.0.40.
https://bz.apache.org/bugzilla/show_bug.cgi?id=65126

Bug ID: 65126
Summary: A security vulnerability cve-2020-1971 in Tomcat dependency Library in version 9.0.40.
Product: Tomcat 9
Version: 9.0.39
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: 951367...@qq.com
Target Milestone: -

Hello,
I found a security vulnerability cve-2020-1971 in Tomcat dependency Library in version 9.0.40. How can I fix it? Or when can a fixed version be available?
Look forward to your soonest reply.
Best Regards.

--
You are receiving this mail because:
You are the assignee for the bug.
Bug report for Taglibs [2021/02/07]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|38193|Ass|Enh|2006-01-09|[RDC] BuiltIn Grammar support for Field|
|38600|Ass|Enh|2006-02-10|[RDC] Enable RDCs to be used in X+V markup (X+RDC)|
|42413|New|Enh|2007-05-14|[PATCH] Log Taglib enhancements|
|46052|New|Nor|2008-10-21|SetLocaleSupport is slow to initialize when many l|
|48333|New|Enh|2009-12-02|TLD generator|
|57548|New|Min|2015-02-08|Auto-generate the value for org.apache.taglibs.sta|
|57684|New|Min|2015-03-10|Version info should be taken from project version|
|59359|New|Enh|2016-04-20|(Task) Extend validity period for signing KEY - be|
|59668|New|Nor|2016-06-06|x:forEach retains the incorrect scope when used in|
|61875|New|Nor|2017-12-08|Investigate whether Xalan can be removed|
|64649|New|Nor|2020-08-06|XSLT transformation - document('') doesn't return|

Total 11 bugs
Bug report for Tomcat 7 [2021/02/07]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|55470|New|Enh|2013-08-23|Help users for ClassNotFoundExceptions during star|
|55477|New|Enh|2013-08-23|Add a solution to map a realm name to a security r|
|56148|New|Enh|2014-02-17|support (multiple) ocsp stapling|
|56300|New|Enh|2014-03-22|[Tribes] No useful examples, lack of documentation|
|56438|New|Enh|2014-04-21|If jar scan does not find context config or TLD co|
|56614|New|Enh|2014-06-12|Add a switch to ignore annotations detection on ta|
|56787|New|Enh|2014-07-29|Simplified jndi name parsing|
|57367|New|Enh|2014-12-18|If JAR scan experiences a stack overflow, give the|
|57827|New|Enh|2015-04-17|Enable adding/removing of members via jmx in a sta|
|57872|New|Enh|2015-04-29|Do not auto-switch session cookie to version=1 due|
|60597|New|Enh|2017-01-17|Add ability to set cipher suites for websocket cli|
|63167|New|Enh|2019-02-12|Network Requirements To Resolve No Members Active|

Total 12 bugs
Bug report for Tomcat Native [2021/02/07]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|62911|New|Enh|2018-11-15|Add support for proxying ocsp requests via ProxyH|
|64826|New|Maj|2020-10-19|libtcnative prompts for private key password in so|
|64862|New|Enh|2020-10-30|Improve LibreSSL support|

Total 3 bugs
Bug report for Tomcat 9 [2021/02/07]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|53602|Ver|Enh|2012-07-25|Support for HTTP status code 451|
|57505|New|Enh|2015-01-27|Add integration tests for JspC|
|58530|New|Enh|2015-10-23|Proposal for new Manager HTML GUI|
|58548|Inf|Enh|2015-10-26|support certifcate transparency|
|58859|New|Enh|2016-01-14|Allow to limit charsets / encodings supported by T|
|59750|New|Enh|2016-06-24|Amend "authenticate" method with context by means|
|60997|New|Enh|2017-04-17|Enhance SemaphoreValve to support denied status an|
|61971|New|Enh|2018-01-06|documentation for using tomcat with systemd|
|62048|New|Enh|2018-01-25|Missing logout function in Manager and Host-Manage|
|62072|New|Enh|2018-02-01|Add support for request compression|
|62312|New|Enh|2018-04-18|Add Proxy Authentication support to websocket clie|
|62405|New|Enh|2018-05-23|Add Rereadable Request Filter|
|62488|New|Enh|2018-06-25|Obtain dependencies from Maven Central where possi|
|62611|Inf|Enh|2018-08-09|Compress log files after rotation|
|62723|New|Enh|2018-09-14|Clarify "channelSendOptions" value in cluster docu|
|62773|New|Enh|2018-09-28|Change DeltaManager to handle session deserializat|
|62814|New|Enh|2018-10-10|Use readable names for cluster channel/map options|
|62843|New|Enh|2018-10-22|Tomcat Russian localization|
|62964|Inf|Enh|2018-11-29|Add RFC7807 conformant Problem Details for HTTP st|
|63023|New|Enh|2018-12-20|Provide a way to load SecurityProviders into the s|
|63049|New|Enh|2018-12-31|Add support in system properties override from com|
|63237|New|Enh|2019-03-06|Consider processing mbeans-descriptors.xml at comp|
|63389|New|Enh|2019-04-27|Enable Servlet Warmup for Containerization|
|63493|New|Enh|2019-06-10|enhancement - add JMX counters to monitor authenti|
|63505|New|Enh|2019-06-14|enhancement - support of stored procedures for Dat|
|63545|New|Enh|2019-07-06|enhancement - add a new pattern attribute for logg|
|63943|Opn|Enh|2019-11-20|Add possibility to overwrite remote port with info|
|63983|Ver|Cri|2019-12-03|Jasper builds-up open files until garbage collecti|
|64144|New|Enh|2020-02-14|Add an option for rejecting requests that have bot|
|64230|New|Enh|2020-03-15|Allow to configure session manager to skip expirin|
|64395|New|Enh|2020-04-30|Windows Installer should offer an option to select|
|64762|Inf|Reg|2020-09-23|CoyoteInputStream getInputStream() read (wait afte|
|64771|Inf|Maj|2020-09-26|Windows CPU processor always running by a thread r|
|64938|New|Nor|2020-11-27|response.setCharacterEncoding(null) should clear p|
|65126|New|Nor|2021-02-07|A security vulnerability cve-2020-1971 in Tomcat d|

Total 35 bugs
Bug report for Tomcat 8 [2021/02/07]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|55243|New|Enh|2013-07-11|Add special search string for nested roles|
|55383|New|Enh|2013-08-07|Improve markup and design of Tomcat's HTML pages|
|55675|New|Enh|2013-10-18|Checking and handling invalid configuration option|
|55788|New|Enh|2013-11-16|TagPlugins should key on tag QName rather than imp|
|56166|New|Enh|2014-02-20|Suggestions for exception handling (avoid potentia|
|56398|New|Enh|2014-04-11|Support Arquillian-based unit testing|
|56402|New|Enh|2014-04-11|Add support for HTTP Upgrade to AJP components|
|56448|New|Enh|2014-04-23|Implement a robust solution for client initiated S|
|56522|Opn|Enh|2014-05-14|jasper-el 8 does not comply to EL Spec 3.0 regardi|
|56546|New|Enh|2014-05-19|Improve thread trace logging in WebappClassLoader.|
|56713|New|Enh|2014-07-12|Limit time that incoming request waits while webap|
|57130|New|Enh|2014-10-22|Allow digest.sh to accept password from a file or|
|57421|New|Enh|2015-01-07|Farming default directories|
|57486|New|Enh|2015-01-23|Improve reuse of ProtectedFunctionMapper instances|
|57701|New|Enh|2015-03-13|Implement "[Redeploy]" button for a web applicatio|
|57830|New|Enh|2015-04-18|Add support for ProxyProtocol|
|58052|Opn|Enh|2015-06-19|RewriteValve: Implement additional RewriteRule dir|
|58072|New|Enh|2015-06-23|ECDH curve selection|
|58837|New|Enh|2016-01-12|support "X-Content-Security-Policy" a.k.a as "CSP"|
|58935|Opn|Enh|2016-01-29|Re-deploy from war without deleting context|
|59232|New|Enh|2016-03-24|Make the context name of an app available via JNDI|
|59758|New|Enh|2016-06-27|Add http proxy username-password credentials suppo|
|60849|New|Enh|2017-03-13|Tomcat NIO Connector not able to handle SSL renego|
|61877|New|Enh|2017-12-08|use web.xml from CATALINA_HOME by default|
|61917|New|Enh|2017-12-19|AddDefaultCharsetFilter only supports text/* respo|
|62150|New|Enh|2018-03-01|Behavior of relative paths with RequestDispatcher|
|62214|New|Enh|2018-03-22|The "userSubtree=true" and "roleSubtree=true" in J|
|62245|New|Enh|2018-04-02|[Documentation] Mention contextXsltFile in Default|
|63080|New|Enh|2019-01-16|Support rfc7239 Forwarded header|
|63195|Inf|Enh|2019-02-21|Add easy way to test RemoteIpValve works properly|

Total 30 bugs
Bug report for Tomcat Modules [2021/02/07]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|50571|Inf|Nor|2011-01-11|Tomcat 7 JDBC connection pool exception enhancemen|
|51595|Inf|Nor|2011-08-01|org.apache.tomcat.jdbc.pool.jmx.ConnectionPool sho|
|51879|Inf|Enh|2011-09-22|Improve access to Native Connection Methods|
|52024|Inf|Enh|2011-10-13|Custom interceptor to support automatic failover o|
|53199|Inf|Enh|2012-05-07|Refactor ConnectionPool to use ScheduledExecutorSe|
|54437|New|Enh|2013-01-16|Update PoolProperties javadoc for ConnectState int|
|54929|Inf|Nor|2013-05-05|jdbc-pool cannot be used with Java 1.5, "java.lang|
|55078|New|Nor|2013-06-07|Configuring a DataSource Resource with dataSourceJ|
|55662|New|Enh|2013-10-17|Add a way to set an instance of java.sql.Driver di|
|56046|New|Enh|2014-01-21|org.apache.tomcat.jdbc.pool.XADataSource InitSQL p|
|56088|New|Maj|2014-01-29|AbstractQueryReport$StatementProxy throws exceptio|
|56310|Inf|Maj|2014-03-25|PooledConnection and XAConnection not handled corr|
|56586|New|Nor|2014-06-02|initSQL should be committed if defaultAutoCommit =|
|56775|New|Nor|2014-07-28|PoolCleanerTime schedule issue|
|56779|New|Nor|2014-07-28|Allow multiple connection initialization statement|
|56790|New|Nor|2014-07-29|Resizing pool.maxActive to a higher value at runti|
|56798|New|Nor|2014-07-31|Idle eviction strategy could perform better (and i|
|56804|New|Nor|2014-08-02|Use a default validationQueryTimeout other than "f|
|56805|New|Nor|2014-08-02|datasource.getConnection() may be unnecessarily bl|
|56837|New|Nor|2014-08-11|if validationQuery have error with timeBetweenEvic|
|56970|New|Nor|2014-09-11|MaxActive vs. MaxTotal for commons-dbcp and tomcat|
|57460|New|Nor|2015-01-19|[DB2]Connection broken after few hours but not rem|
|57729|New|Enh|2015-03-20|Add QueryExecutionReportInterceptor to log query e|
|58489|Opn|Maj|2015-10-08|QueryStatsComparator throws IllegalArgumentExcepti|
|59077|New|Nor|2016-02-26|DataSourceFactory creates a neutered data source|
|59569|New|Nor|2016-05-18|isWrapperFor/unwrap implementations incorrect|
|59879|New|Nor|2016-07-18|StatementCache interceptor returns ResultSet objec|
|60195|New|Nor|2016-10-02|No javadoc in Maven Central|
|60522|New|Nor|2016-12-27|An option for setting if the transaction should be|
|60524|Inf|Nor|2016-12-28|NPE in SlowQueryReport in tomcat-jdbc-7.0.68|
|60645|New|Nor|2017-01-25|StatementFinalizer is not thread-safe|
|61032|New|Nor|2017-04-24|min pool size is not being respected|
|61103|New|Nor|2017-05-18|StatementCache potentially caching non-functional|
|61302|New|Enh|2017-07-15|Refactoring of DataSourceProxy|
|61303|New|Enh|2017-07-15|Refactoring of ConnectionPool|
|62432|New|Nor|2018-06-06|Memory Leak in Statement Finalizer?|
|62598|New|Enh|2018-08-04|support pool with multiple JDBC data sources|
|62910|Inf|Nor|2018-11-15|tomcat-jdbc global pool transaction problem|
|63612|Inf|Cri|2019-07-26|PooledConnection#connectUsingDriver, Thread.curren|
|63705|New|Nor|2019-08-29|The tomcat pool doesn't register all connection th|
|64083|New|Nor|2020-01-17|JDBC pool keeps closed connection as available|
|64107|New|Maj|2020-01-30|PreparedStatements correctly closed are not return|
|64231|New|Nor|2020-03-16|Tomcat jdbc pool behaviour|
|64570|New|Nor|2020-07-01|Transaction not rollbacked if autocommit is false|
|64809|New|Nor|2020-10-13|Connection properties not reset to defaults when C|

Total 45 bugs
Bug report for Tomcat Connectors [2021/02/07]
Columns: Bugzilla Bug ID | Status | Severity | Date Posted | Description

Status:   UNC=Unconfirmed NEW=New ASS=Assigned OPN=Reopened VER=Verified (Skipped Closed/Resolved)
Severity: BLK=Blocker CRI=Critical REG=Regression MAJ=Major MIN=Minor NOR=Normal ENH=Enhancement TRV=Trivial

|46767|New|Enh|2009-02-25|mod_jk to send DECLINED in case no fail-over tomca|
|47327|New|Enh|2009-06-07|Return tomcat authenticated user back to mod_jk (A|
|47750|New|Maj|2009-08-27|ISAPI: Loss of worker settings when changing via j|
|48830|New|Nor|2010-03-01|IIS shutdown blocked in endpoint service when serv|
|49822|New|Enh|2010-08-25|Add hash lb worker method|
|49903|New|Enh|2010-09-09|Make workers file reloadable|
|52483|New|Enh|2012-01-18|Print JkOptions's options in log file and jkstatus|
|54621|New|Enh|2013-02-28|[PATCH] custom mod_jk availability checks|
|56489|New|Enh|2014-05-05|Include a directory for configuration files|
|56576|New|Enh|2014-05-29|Websocket support|
|57402|New|Enh|2014-12-30|Provide correlation ID between mod_jk log and acce|
|57403|New|Enh|2014-12-30|Persist configuration changes made via status work|
|57407|New|Enh|2014-12-31|Make session_cookie, session_path and session_cook|
|57790|New|Enh|2015-04-03|Check worker names for typos|
|61476|New|Enh|2017-09-01|Allow reset of an individual worker stat value|
|61621|New|Enh|2017-10-15|Content-Type is forced to lowercase when it goes t|
|62093|New|Enh|2018-02-09|Allow use_server_errors to apply to specific statu|
|63808|Opn|Enh|2019-10-05|the fact that JkMount makes other directives ineff|
|64775|New|Nor|2020-09-28|mod_jk is sending both Content-Length and Transfer|
|64878|New|Nor|2020-11-06|Can not determine the proper size for pid_t / pthr|

Total 20 bugs