[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-11 Thread GitBox


michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r686570618



##
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
 }
 
 @Override
-protected boolean isPreemptiveAuthRequest(Request request) {
+protected boolean isPreemptiveAuthPossible(Request request) {
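Review bot: The rename from `isPreemptiveAuthRequest` to `isPreemptiveAuthPossible` changes the question the override answers (whether this particular request is a preemptive attempt versus whether preemptive authentication is possible at all for this authenticator), yet the hunk adds no Javadoc on the `SSLAuthenticator` override to state the new contract. Add a comment above the `@Override` saying exactly what a `true` return means for client-certificate authentication, because the certificate chain only exists on the request if the TLS handshake already requested it; a reader of this method alone cannot tell whether `true` means "a chain is already present" or "the client may send credentials unsolicited", and the two lead to different security behaviour in `AuthenticatorBase`.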

Review comment:
   I wonder whether TLS allows preemptive auth at all.




-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org



-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



Re: openssl-3.0.0 test failures with 9.0.x (I have not checked the other branches)

2021-08-11 Thread jean-frederic clere

On 10/08/2021 14:02, jean-frederic clere wrote:

Hi,

I have the following failure with ant test:
    [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.APR.txt
    [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.NIO.txt
    [concat] TEST-org.apache.tomcat.util.net.TestSSLHostConfigCompat.NIO2.txt
    [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.APR.txt
    [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO.txt
    [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestCipher.NIO2.txt
    [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.APR.txt
    [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO.txt
    [concat] TEST-org.apache.tomcat.util.net.openssl.ciphers.TestOpenSSLCipherConfigurationParser.NIO2.txt



The ciphers ones are not new for me on fedora, the 
TestSSLHostConfigCompat ones look new, is anyone seeing those?

I was trying with openssl/"master".


For the TestSSLHostConfigCompat it is due to a patch I was planning to 
commit later. So forget those ones.


--
Cheers

Jean-Frederic





[GitHub] [tomcat-jakartaee-migration] abdulmuqsith opened a new issue #23: Vulnerability with Apache Commons Compress v1.20

2021-08-11 Thread GitBox


abdulmuqsith opened a new issue #23:
URL: https://github.com/apache/tomcat-jakartaee-migration/issues/23


   The Apache Commons Compress v1.20 library included in this library has the
following CVEs associated with it:

   | Identifier | Published | Overall Score |
   | -- | -- | -- |
   | NVD CVE-2021-35516 (BDSA-2021-2075) | Jul 13, 2021 | 7.5 High |
   | NVD CVE-2021-35517 (BDSA-2021-2078) | Jul 13, 2021 | 7.5 High |
   | NVD CVE-2021-36090 (BDSA-2021-2073) | Jul 13, 2021 | 7.5 High |
   | NVD CVE-2021-35515 (BDSA-2021-2076) | Jul 13, 2021 | 7.5 High |






Re: [VOTE] Release Apache Tomcat 8.5.70

2021-08-11 Thread Konstantin Kolinko
Mon, 9 Aug 2021 at 23:05, Mark Thomas :
>
> The proposed Apache Tomcat 8.5.70 release is now available for voting.
>
> Chris was having some difficulties before the weekend getting the
> release to build. He hasn't had time to get to the bottom of these
> issues and time is ticking on so I took a look. I had different issues
> on Windows but was still unable to complete the release. With the
> addition of JSign, we have the option to build a full release on Linux
> so I tried that and it was successful. If successful, this will be the
> first release for a very long time built on Linux.
>
> Given the above, additional scrutiny on the release artefacts targeted
> at Windows would be welcome.
>
> The notable changes compared to the 8.5.69 release are:
>
> - Correct a regression in the previous release in the HTTP/2 flow
>control window management along with additional improvements to HTTP/2
>flow control
>
> - Make the CorsFilter simpler to extend
>
> - To avoid unnecessary cache revalidation, do not add an HTTP Expires
>header when adding an HTTP header of CacheControl: private
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://ci.apache.org/projects/tomcat/tomcat-8.5.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.70/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1329/
>
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.70
> 3d2e8b1964d4dff3c0656618edc0b09d0d5634b8
>
> The proposed 8.5.70 release is:
> [ ] Broken - do not release
> [x] Stable - go ahead and release as 8.5.70

Tested on Windows 10.
- Smoke testing OK (with 32-bit Java 7u80 from Oracle)
- Unit tests OK (32-bit Java 7u80 from Oracle, 64-bit Java 8u292 from
AdoptOpenJDK, Java 11.0.12 from Eclipse Temurin - former AdoptOpenJDK,
Java 16.0.2 from OpenJDK).

Best regards,
Konstantin Kolinko




[GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #23: Vulnerability with Apache Commons Compress v1.20

2021-08-11 Thread GitBox


ebourg commented on issue #23:
URL: 
https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897000783


   Only CVE-2021-36090 is relevant here, we only use the zip archive 
implementation of Commons Compress.





[GitHub] [tomcat] rrodewald commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-11 Thread GitBox


rrodewald commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687058556



##
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
 }
 
 @Override
-protected boolean isPreemptiveAuthRequest(Request request) {
+protected boolean isPreemptiveAuthPossible(Request request) {

Review comment:
   I'm not sure either. Browsers definitely want a challenge first. I just 
tried to mimic the current behaviour as closely as possible - the code is 
unchanged from what was in `AuthenticatorBase` before.







[GitHub] [tomcat-jakartaee-migration] markt-asf commented on issue #23: Vulnerability with Apache Commons Compress v1.20

2021-08-11 Thread GitBox


markt-asf commented on issue #23:
URL: 
https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897054343


   Relevant how? How does an attacker exploit this?





[GitHub] [tomcat] michael-o commented on a change in pull request #444: Delegate check for preemptive authentication from AuthenticatorBase to affected Authenticators

2021-08-11 Thread GitBox


michael-o commented on a change in pull request #444:
URL: https://github.com/apache/tomcat/pull/444#discussion_r687092579



##
File path: java/org/apache/catalina/authenticator/SSLAuthenticator.java
##
@@ -104,7 +104,7 @@ protected String getAuthMethod() {
 }
 
 @Override
-protected boolean isPreemptiveAuthRequest(Request request) {
+protected boolean isPreemptiveAuthPossible(Request request) {

Review comment:
   I have just read RFC 5246 and RFC 8466 and there is no single definition 
of a preemptive Client Cert auth. So the server has to send 
`CertificateRequest` first. Since HTTP authz checks come after TLS, I fail to 
understand the previous code. Maybe @markt-asf can enlighten us.







[GitHub] [tomcat-jakartaee-migration] ebourg commented on issue #23: Vulnerability with Apache Commons Compress v1.20

2021-08-11 Thread GitBox


ebourg commented on issue #23:
URL: 
https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897111748


   Very vaguely relevant, the tool would have to be used on an untrusted war, 
but that's not really the use case intended.





[GitHub] [tomcat-jakartaee-migration] abdulmuqsith commented on issue #23: Vulnerability with Apache Commons Compress v1.20

2021-08-11 Thread GitBox


abdulmuqsith commented on issue #23:
URL: 
https://github.com/apache/tomcat-jakartaee-migration/issues/23#issuecomment-897316898


   Vulnerability scanning tools are reporting Tomcat as vulnerable even though 
this CVE is very unlikely to be exploited. Any plans to upgrade Commons 
Compress?

