[Bug 66026] Jars blocked
https://bz.apache.org/bugzilla/show_bug.cgi?id=66026

Mark Thomas changed:

           What    |Removed  |Added
         Status    |REOPENED |RESOLVED
     Resolution    |---      |INVALID

--- Comment #5 from Mark Thomas ---

If your custom class loader is locking files then that is an issue for your custom class loader.

JARs placed in $CATALINA_BASE/lib will be locked by Tomcat's common class loader.

This is not a bug.

--
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 66023] Getting requestbody as inputstream fails when upgrading to h2c
https://bz.apache.org/bugzilla/show_bug.cgi?id=66023

--- Comment #5 from Remy Maucherat ---

It doesn't work because, although a SavedRequestInputFilter is set using setInputBuffer on the Request, the available() method uses an action to check the internal buffer, which now goes to the new processor (for HTTP/2 it's a StreamProcessor) while only Http11Processor has the correct behavior for the callback.

So some additional "fix" is needed, maybe intercept the callback in Request.action to provide the correct result for available when a SavedRequestInputFilter is set (rather than delegate to the hook as usual).

However, I don't like the fix and there might be other similar cases. Since overall this buffering may be very inefficient, I would prefer choosing to not upgrade when a request body is present.
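The policy proposed in the comment above (serve the request over HTTP/1.1 instead of buffering the body when a client asks for an h2c upgrade on a request that has one) can be expressed as a small gate in front of the upgrade decision. The following is an added illustration in Python, not Tomcat's code and not the fix discussed in the bug; it parses a constructed request head, applies the RFC 7540 section 3.2 conditions for a well-formed h2c upgrade request, and declines whenever RFC 7230 section 3.3 says a body is present. The header names are the standard ones; the HTTP2-Settings value in the samples is a constructed placeholder.

```python
# Added example (not Tomcat code): gate an HTTP/1.1 -> h2c upgrade so that a
# request carrying a body is served over HTTP/1.1 instead of being buffered.
from typing import Dict, List, Tuple

Headers = Dict[str, List[str]]


def parse_request_head(raw: bytes) -> Tuple[str, Headers]:
    """Split a request head into its request line and a header map
    (names lower-cased, repeated headers kept in arrival order)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    headers: Headers = {}
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0], headers


def _list_tokens(headers: Headers, name: str) -> List[str]:
    """Comma-separated list header -> lower-cased tokens."""
    tokens: List[str] = []
    for value in headers.get(name, []):
        tokens.extend(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def has_request_body(headers: Headers) -> bool:
    """RFC 7230 section 3.3: a body is present when Transfer-Encoding is set
    or Content-Length is non-zero."""
    if headers.get("transfer-encoding"):
        return True
    return any(v.isdigit() and int(v) > 0 for v in headers.get("content-length", []))


def requests_h2c_upgrade(headers: Headers) -> bool:
    """RFC 7540 section 3.2: Upgrade: h2c, Connection listing both 'upgrade'
    and 'http2-settings', and exactly one HTTP2-Settings header."""
    connection = _list_tokens(headers, "connection")
    return ("h2c" in _list_tokens(headers, "upgrade")
            and "upgrade" in connection
            and "http2-settings" in connection
            and len(headers.get("http2-settings", [])) == 1)


def decide_upgrade(raw: bytes) -> str:
    """Return the protocol the request will be served on and why. A server may
    always ignore an Upgrade header (RFC 7230 section 6.7), so declining just
    means answering the request over HTTP/1.1 with no buffering of the body."""
    _, headers = parse_request_head(raw)
    if not requests_h2c_upgrade(headers):
        return "HTTP/1.1: no well-formed h2c upgrade request"
    if has_request_body(headers):
        return "HTTP/1.1: h2c upgrade declined because the request has a body"
    return "h2c: 101 Switching Protocols"


# Constructed requests; the HTTP2-Settings value is a placeholder token.
GET_UPGRADE = (b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
               b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
               b"HTTP2-Settings: AAMAAABkAAQAAP__\r\n\r\n")
POST_UPGRADE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
                b"HTTP2-Settings: AAMAAABkAAQAAP__\r\nContent-Length: 5\r\n\r\nhello")
CHUNKED_UPGRADE = (b"POST /submit HTTP/1.1\r\nHost: example.test\r\n"
                   b"Connection: Upgrade, HTTP2-Settings\r\nUpgrade: h2c\r\n"
                   b"HTTP2-Settings: AAMAAABkAAQAAP__\r\nTransfer-Encoding: chunked\r\n"
                   b"\r\n0\r\n\r\n")
PLAIN_GET = b"GET / HTTP/1.1\r\nHost: example.test\r\nUpgrade: h2c\r\n\r\n"

if __name__ == "__main__":
    for name, req in [("GET with upgrade", GET_UPGRADE), ("POST with body", POST_UPGRADE),
                      ("POST chunked", CHUNKED_UPGRADE), ("GET without Connection", PLAIN_GET)]:
        print(f"{name:24} -> {decide_upgrade(req)}")
```

Declining is deliberately silent from the client's point of view: the response simply arrives over HTTP/1.1, which is the behaviour RFC 7230 permits and which avoids the available()-style bookkeeping the comment describes.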
[Bug 66032] New: Tomcat 8.5.61 vulnerable to CVE-2018-11784
https://bz.apache.org/bugzilla/show_bug.cgi?id=66032

            Bug ID: 66032
           Summary: Tomcat 8.5.61 vulnerable to CVE-2018-11784
           Product: Tomcat 8
           Version: 8.5.61
          Hardware: HP
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: cristian.ce...@nexigroup.com
  Target Milestone:

Hello,

we upgraded our Tomcat version from 7.0.78 first to 7.0.96 and then to 8.5.61 because we know that those releases were not affected by vulnerability CVE-2018-11784. In fact, the CVE says:

"When the default servlet in Apache Tomcat versions 9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to 7.0.90 returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice."

But, after both upgrades, the vulnerability was re-checked and the company which scans our applications says that it is still present.

We run Tomcat 8.5.61 on RHV virtual machines with Red Hat Enterprise Linux Server release 7.3 (Maipo), kernel 3.10.0-514.26.2.el7.x86_64.

Is anyone aware of this issue? Are we doing anything wrong?

Thanks in advance,
cristian
[Bug 66032] Tomcat 8.5.61 vulnerable to CVE-2018-11784
https://bz.apache.org/bugzilla/show_bug.cgi?id=66032

cristian changed:

           What    |Removed  |Added
             CC    |         |cristian.ce...@nexigroup.com

--- Comment #1 from cristian ---

Created attachment 38264
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=38264&action=edit
latest vulnerability re-check
[Bug 66032] Tomcat 8.5.61 vulnerable to CVE-2018-11784
https://bz.apache.org/bugzilla/show_bug.cgi?id=66032

Michael Osipov changed:

           What    |Removed  |Added
             CC    |         |micha...@apache.org

--- Comment #2 from Michael Osipov ---

Upgrade to Tomcat 8.5.78 first.
[Bug 66032] Tomcat 8.5.61 vulnerable to CVE-2018-11784
https://bz.apache.org/bugzilla/show_bug.cgi?id=66032

Mark Thomas changed:

           What    |Removed  |Added
     Resolution    |---      |INVALID
         Status    |NEW      |RESOLVED

--- Comment #3 from Mark Thomas ---

I have confirmed that CVE-2018-11784 is fixed in Tomcat 8.5.61 and is still present in 8.5.33 (built from source and retested the original reproducer).

If you can reproduce this issue on a clean installation of Apache Tomcat from the ASF using a version that CVE-2018-11784 states contains the fix then you should report that PRIVATELY to secur...@tomcat.apache.org and include the full set of steps to recreate the issue from a clean install.

Note: CVE-2018-11784 can be reproduced with a clean Tomcat installation and telnet. No additional configuration or web applications are required.
[tomcat] branch main updated: Remove the customer UTF-8 decoder.
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new a9ca10266b Remove the customer UTF-8 decoder. a9ca10266b is described below commit a9ca10266bd5cf2919f59b1916ee786c01e2a033 Author: Mark Thomas AuthorDate: Tue Apr 26 18:01:51 2022 +0100 Remove the customer UTF-8 decoder. The issues this was introduced to work around were fixed in early Java 8 releases. Now the minimum Java version is 11, we can be sure we don't need the custom decoder. Retain the test that checks the JVM provided decoder to catch any regressions. --- java/org/apache/tomcat/util/buf/B2CConverter.java | 10 +- java/org/apache/tomcat/util/buf/Utf8Decoder.java | 299 -- java/org/apache/tomcat/websocket/WsFrameBase.java | 6 +- test/org/apache/tomcat/util/buf/TestUtf8.java | 9 - webapps/docs/changelog.xml| 6 + 5 files changed, 10 insertions(+), 320 deletions(-) diff --git a/java/org/apache/tomcat/util/buf/B2CConverter.java b/java/org/apache/tomcat/util/buf/B2CConverter.java index 532c209ec9..c7fd4b67b7 100644 --- a/java/org/apache/tomcat/util/buf/B2CConverter.java +++ b/java/org/apache/tomcat/util/buf/B2CConverter.java @@ -24,7 +24,6 @@ import java.nio.charset.Charset; import java.nio.charset.CharsetDecoder; import java.nio.charset.CoderResult; import java.nio.charset.CodingErrorAction; -import java.nio.charset.StandardCharsets; import java.util.Locale; import org.apache.tomcat.util.res.StringManager; 
@@ -90,14 +89,7 @@ public class B2CConverter { } else { action = CodingErrorAction.REPORT; } -// Special case. Use the Apache Harmony based UTF-8 decoder because it -// - a) rejects invalid sequences that the JVM decoder does not -// - b) fails faster for some invalid sequences -if (charset.equals(StandardCharsets.UTF_8)) { -decoder = new Utf8Decoder(); -} else { -decoder = charset.newDecoder(); -} +decoder = charset.newDecoder(); decoder.onMalformedInput(action); decoder.onUnmappableCharacter(action); } diff --git a/java/org/apache/tomcat/util/buf/Utf8Decoder.java b/java/org/apache/tomcat/util/buf/Utf8Decoder.java deleted file mode 100644 index 932e88c764..00 --- a/java/org/apache/tomcat/util/buf/Utf8Decoder.java +++ /dev/null 
@@ -1,299 +0,0 @@ -/* - * Licensed to the Apache Software Foundation (ASF) under one or more - * contributor license agreements. See the NOTICE file distributed with - * this work for additional information regarding copyright ownership. - * The ASF licenses this file to You under the Apache License, Version 2.0 - * (the "License"); you may not use this file except in compliance with - * the License. You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, - * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ -package org.apache.tomcat.util.buf; - -import java.nio.ByteBuffer; -import java.nio.CharBuffer; -import java.nio.charset.CharsetDecoder; -import java.nio.charset.CoderResult; -import java.nio.charset.StandardCharsets; - -/** - * Decodes bytes to UTF-8. Extracted from Apache Harmony and modified to reject - * code points from U+D800 to U+DFFF as per RFC3629. The standard Java decoder - * does not reject these. It has also been modified to reject code points - * greater than U+10 which the standard Java decoder rejects but the harmony - * one does not. - */ -public class Utf8Decoder extends CharsetDecoder { - -// The next table contains information about UTF-8 charset and -// correspondence of 1st byte to the length of sequence -// For information please visit http://www.ietf.org/rfc/rfc3629.txt -// -// Please note, o means 0, actually. 
-// --- -// 0 1 2 3 Value -// --- -// oxxx 0xxx -// 11oy 1oxx 0yyy yyxx -// 111o 1oyy 1oxx yyxx -// ouuu 1ouu 1oyy 1oxx 000u yyxx -private static final int remainingBytes[] = { -// 1oww --1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, --1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, --1, -1, -1, -1, -1,
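Review bot: with the B2CConverter hunk collapsing the UTF-8 special case to `decoder = charset.newDecoder();`, both properties the deleted comment credited to the Harmony-based decoder (rejecting invalid sequences the JVM decoder did not, and failing faster on some invalid input) now rest entirely on the JDK decoder together with whatever `CodingErrorAction` is selected just above (`REPORT` in the visible else-branch). The commit message says the test that checks the JVM-provided decoder is retained, but the 9-line deletion in `test/org/apache/tomcat/util/buf/TestUtf8.java` listed in the diffstat is not visible here; please confirm the retained cases still cover the two inputs the deleted `Utf8Decoder` Javadoc calls out, the surrogate range U+D800 to U+DFFF and code points above the Unicode maximum, since those are exactly the inputs a JDK decoder regression would change and the request-parsing path no longer has its own guard against them.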
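The commit message above rests on the platform decoder now rejecting the byte sequences the deleted Utf8Decoder existed to catch: surrogate code points and values above the Unicode maximum, per RFC 3629. As an added illustration that is not Tomcat's code and not part of this commit, the Python below implements the RFC 3629 section 4 byte-range table as a validator that reports why and at which offset an input is rejected, and cross-checks each verdict against Python's own strict decoder, in the same spirit as the retained test that checks the JVM's decoder. All byte strings are constructed test vectors.

```python
# Added example (not Tomcat code): RFC 3629 well-formed UTF-8 validation.
# The second-byte restrictions below are what exclude overlong forms, the
# surrogate range U+D800..U+DFFF and code points above U+10FFFF.
from typing import Tuple

# lead byte -> (min second byte, max second byte, reason when violated)
_SECOND_BYTE = {
    0xE0: (0xA0, 0xBF, "overlong encoding"),
    0xED: (0x80, 0x9F, "surrogate code point"),
    0xF0: (0x90, 0xBF, "overlong encoding"),
    0xF4: (0x80, 0x8F, "code point above U+10FFFF"),
}


def seq_length(lead: int) -> int:
    """Length of the sequence introduced by `lead`, or 0 if it cannot start
    one (continuation bytes 0x80..0xBF, and the never-valid 0xC0, 0xC1 and
    0xF5..0xFF)."""
    if lead <= 0x7F:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    return 0


def validate_utf8(data: bytes) -> Tuple[bool, str, int]:
    """Return (well_formed, reason, offset). On failure `offset` is the index
    of the first byte that proves the input malformed, which is what lets a
    decoder fail early instead of scanning to the end of the buffer."""
    i, n = 0, len(data)
    while i < n:
        lead = data[i]
        length = seq_length(lead)
        if length == 0:
            return False, "invalid lead byte", i
        if i + length > n:
            return False, "truncated sequence", i
        if length > 1:
            lo, hi, reason = _SECOND_BYTE.get(lead, (0x80, 0xBF, "invalid continuation byte"))
            if not lo <= data[i + 1] <= hi:
                return False, reason, i + 1
            for j in range(i + 2, i + length):
                if not 0x80 <= data[j] <= 0xBF:
                    return False, "invalid continuation byte", j
        i += length
    return True, "well-formed", n


def check_against_stdlib(data: bytes) -> bool:
    """True when the validator's verdict matches Python's strict decoder."""
    try:
        data.decode("utf-8", "strict")
        stdlib_ok = True
    except UnicodeDecodeError:
        stdlib_ok = False
    return stdlib_ok == validate_utf8(data)[0]


# Constructed test vectors: (label, bytes, expected verdict, expected reason)
SAMPLES = [
    ("euro sign", b"\xe2\x82\xac", True, "well-formed"),
    ("U+1F600", b"\xf0\x9f\x98\x80", True, "well-formed"),
    ("overlong '/' (2 bytes)", b"\xc0\xaf", False, "invalid lead byte"),
    ("overlong '/' (3 bytes)", b"\xe0\x80\xaf", False, "overlong encoding"),
    ("U+D800 surrogate", b"\xed\xa0\x80", False, "surrogate code point"),
    ("U+110000", b"\xf4\x90\x80\x80", False, "code point above U+10FFFF"),
    ("truncated", b"\xe2\x82", False, "truncated sequence"),
    ("stray continuation", b"\x80", False, "invalid lead byte"),
]


def run_samples() -> bool:
    """True when every sample gets the expected verdict and reason and the
    verdict agrees with Python's own decoder."""
    for _label, data, ok, reason in SAMPLES:
        got = validate_utf8(data)
        if got[0] != ok or got[1] != reason or not check_against_stdlib(data):
            return False
    return True


if __name__ == "__main__":
    for label, data, *_ in SAMPLES:
        print(f"{label:24} {data!r:22} -> {validate_utf8(data)}")
    print("all samples agree with the stdlib decoder:", run_samples())
```

The offset in the result is the property behind point (b) of the removed comment: a decoder that stops at the first offending byte never has to read the rest of a hostile buffer. Python's decoder already enforces all four rules, which is the same situation the commit relies on for Java 11.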
[tomcat] branch main updated: Fix typo
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 9ed253675b Fix typo 9ed253675b is described below commit 9ed253675b725ae1b61503fdad3fffd1e752e510 Author: Mark Thomas AuthorDate: Tue Apr 26 19:07:36 2022 +0100 Fix typo --- webapps/docs/changelog.xml | 9 + 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 01949d0425..3df044a28f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -138,10 +138,11 @@ the research into this issue. (markt) -Remove the custom UTF-decoder that was introduced to work around various -UTF-8 decoding bugs in Java. These issues were fixed in early Java 8 -releases. Now the minimum Java version is 11, we can be sure that Tomcat -will not be running on a JRE where these issues are present. (markt) +Remove the custom UTF-8 decoder that was introduced to work around +various UTF-8 decoding bugs in Java. These issues were fixed in early +Java 8 releases. Now the minimum Java version is 11, we can be sure that +Tomcat will not be running on a JRE where these issues are present. +(markt) - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[GitHub] [tomcat-training] dependabot[bot] opened a new pull request, #4: Bump grunt from 1.0.2 to 1.5.2
dependabot[bot] opened a new pull request, #4:
URL: https://github.com/apache/tomcat-training/pull/4

Bumps [grunt](https://github.com/gruntjs/grunt) from 1.0.2 to 1.5.2.

Release notes
Sourced from grunt's releases (https://github.com/gruntjs/grunt/releases).

v1.5.2
Update Changelog 7f15fd5 Merge pull request #1743 (https://github-redirect.dependabot.com/gruntjs/grunt/issues/1743) from gruntjs/cleanup-link b0ec6e1 Clean up link handling 433f91b https://github.com/gruntjs/grunt/compare/v1.5.1...v1.5.2

v1.5.1
Merge pull request #1742 (https://github-redirect.dependabot.com/gruntjs/grunt/issues/1742) from gruntjs/update-symlink-test ad22608 Fix symlink test 0652305 https://github.com/gruntjs/grunt/compare/v1.5.0...v1.5.1

v1.5.0
Updated changelog b2b2c2b Merge pull request #1740 (https://github-redirect.dependabot.com/gruntjs/grunt/issues/1740) from gruntjs/update-deps-22-10 3eda6ae Update testing matrix 47d32de More updates 2e9161c Remove console log 04b960e Update dependencies, tests... aad3d45 Merge pull request #1736 (https://github-redirect.dependabot.com/gruntjs/grunt/issues/1736) from justlep/main fdc7056 support .cjs extension e35fe54 https://github.com/gruntjs/grunt/compare/v1.4.1...v1.5.0

v1.4.1
Update Changelog e7625e5 Merge pull request #1731 (https://github-redirect.dependabot.com/gruntjs/grunt/issues/1731) from gruntjs/update-options 5d67e34 Fix ci install d13bf88 Switch to Actions 08896ae Update grunt-known-options eee0673 Add note about a breaking change 1b6e288 https://github.com/gruntjs/grunt/compare/v1.4.0...v1.4.1

v1.4.0
Merge pull request #1728 (https://github-redirect.dependabot.com/gruntjs/grunt/issues/1728) from gruntjs/update-deps-changelog 63b2e89 Update changelog and util dep 106ed17 Merge pull request #1727 (https://github-redirect.dependabot.com/gruntjs/grunt/issues/1727) from gruntjs/update-deps-apr 49de70b Update CLI and nodeunit 47cf8b6 Merge pull request #1722 (https://github-redirect.dependabot.com/gruntjs/grunt/issues/1722) from gruntjs/update-through e86db1c Update deps 4952368 https://github.com/gruntjs/grunt/compare/v1.3.0...v1.4.0

v1.3.0
Merge pull request #1720 (https://github-redirect.dependabot.com/gruntjs/grunt/issues/1720) from gruntjs/update-changelog-deps faab6be Update Changelog and legacy-util dependency 520fedb Merge pull request #1719 (https://github-redirect.dependabot.com/gruntjs/grunt/issues/1719) from gruntjs/yaml-refactor 7e669ac Switch to use safeLoad for loading YML files via file.readYAML. e350cea
... (truncated)

Changelog
Sourced from grunt's changelog (https://github.com/gruntjs/grunt/blob/main/CHANGELOG).

v1.5.2
date: 2022-04-12
changes:
- Unlink symlinks when copy destination is a symlink.

v1.5.1
date: 2022-04-11
changes:
- Fixed symlink destination handling.

v1.5.0
date: 2022-04-10
changes:
- Updated dependencies.
- Add symlink handling for copying files.

v1.4.1
date: 2021-05-24
changes:
- Fix --preload option to be a known option
- Switch to GitHub Actions

v1.4.0
date: 2021-04-21
changes:
- Security fixes in production and dev dependencies
- Liftup/Liftoff upgrade breaking change. Update your scripts to use --preload instead of --require. Ref: https://github.com/js-cli/js-liftoff/commit/e7a969d6706e730d90abb4e24d3cb4d3bce06ddb.

v1.3.0
date: 2020-08-18
changes:
- Switch to use safeLoad for loading YML files via file.readYAML.
- Upgrade legacy-log to ~3.0.0.
- Upgrade legacy-util to ~2.0.0.

v1.2.1
date: 2020-07-07
changes:
- Remove path-is-absolute dependency. (PR: gruntjs/grunt#1715, https://github-redirect.dependabot.com/gruntjs/grunt/pull/1715)

v1.2.0
date: 2020-07-03
changes:
- Allow usage of grunt plugins that are located in any location that is visible to Node.js and NPM, instead of node_modules directly inside package that have a dev dependency to these plugins. (PR: gruntjs/grunt#1677, https://github-redirect.dependabot.com/gruntjs/grunt/pull/1677)
- Removed coffeescript from dependencies. To ease transition, if coffeescript is still around, Grunt will attempt to load it. If it is not, and the user loads a CoffeeScript file, Grunt will print a useful error indicating that the coffeescript package should be installed as a dev dependency. This is considerably more user-frien
[tomcat-training] branch dependabot/npm_and_yarn/grunt-1.5.2 created (now 8111ba4)
This is an automated email from the ASF dual-hosted git repository.

github-bot pushed a change to branch dependabot/npm_and_yarn/grunt-1.5.2
in repository https://gitbox.apache.org/repos/asf/tomcat-training.git

  at 8111ba4  Bump grunt from 1.0.2 to 1.5.2

No new revisions were added by this update.