Re: [VOTE] Release Apache Tomcat 8.5.93
Hi Han,

On 24.08.23 at 04:31, Han Li wrote:
>> On Aug 24, 2023, at 10:11, Rainer Jung wrote:
>>
>> On 24.08.23 at 01:31, Mark Thomas wrote:
>>> The proposed Apache Tomcat 8.5.93 release is now available for voting.
>>>
>>> The notable changes compared to 8.5.92 are:
>>>
>>> - If an application or library sets both a non-500 error code and the
>>>   jakarta.servlet.error.exception request attribute, use the provided
>>>   error code during error page processing rather than assuming an
>>>   error code of 500.
>>>
>>> - Fix for FORM authentication open redirect - CVE-2023-41080
>>>
>>> Along with lots of other bug fixes and improvements.
>>>
>>> For full details, see the changelog:
>>> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>>>
>>> It can be obtained from:
>>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.93/
>>>
>>> The Maven staging repo is:
>>> https://repository.apache.org/content/repositories/orgapachetomcat-1454
>>>
>>> The tag is:
>>> https://github.com/apache/tomcat/tree/8.5.93/
>>> 9d9aea65c435a38c737c1e600e6513f9d0980cf1
>>>
>>> The proposed 8.5.93 release is:
>>> [ ] Broken - do not release
>>> [ ] Stable - go ahead and release as 8.5.93 (stable)
>>
>> Tests ongoing, but just a short note: The changelog still has the previous
>> version .92 above the newest section instead of .93. For me this is not a
>> show stopper and we can fix the online one after the release. The tags for
>> TC 9, 10.1 and 11 do not have this problem.
> Everything looks fine to me, it's the latest .93 version. Maybe it's caused
> by your browser's local cache, you can try again after clearing local cache.
> BUT there is a typo `rlease` in version status.

thanks for also checking. I meant the version of the changelog, that is
shipped as part of the release, so the tagged one:

https://github.com/apache/tomcat/blob/8.5.93/webapps/docs/changelog.xml

or if you prefer the one that is included in the release files we produce
(source tarballs and zips etc.).

You probably looked at the one linked in the release vote mail above. That
is a nightly changelog version and contains the post-release commit, which
prepares for the next (upcoming) version. In this commit Mark had already
fixed the wrong version number.

Best regards,

Rainer

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 8.5.93
> On Aug 24, 2023, at 17:28, Rainer Jung wrote:
>
> Hi Han,
>
> On 24.08.23 at 04:31, Han Li wrote:
>>> On Aug 24, 2023, at 10:11, Rainer Jung wrote:
>>>
>>> On 24.08.23 at 01:31, Mark Thomas wrote:
>>>> The proposed Apache Tomcat 8.5.93 release is now available for voting.
>>>>
>>>> The notable changes compared to 8.5.92 are:
>>>>
>>>> - If an application or library sets both a non-500 error code and the
>>>>   jakarta.servlet.error.exception request attribute, use the provided
>>>>   error code during error page processing rather than assuming an
>>>>   error code of 500.
>>>>
>>>> - Fix for FORM authentication open redirect - CVE-2023-41080
>>>>
>>>> Along with lots of other bug fixes and improvements.
>>>>
>>>> For full details, see the changelog:
>>>> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>>>>
>>>> It can be obtained from:
>>>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.93/
>>>>
>>>> The Maven staging repo is:
>>>> https://repository.apache.org/content/repositories/orgapachetomcat-1454
>>>>
>>>> The tag is:
>>>> https://github.com/apache/tomcat/tree/8.5.93/
>>>> 9d9aea65c435a38c737c1e600e6513f9d0980cf1
>>>>
>>>> The proposed 8.5.93 release is:
>>>> [ ] Broken - do not release
>>>> [ ] Stable - go ahead and release as 8.5.93 (stable)
>>>
>>> Tests ongoing, but just a short note: The changelog still has the previous
>>> version .92 above the newest section instead of .93. For me this is not a
>>> show stopper and we can fix the online one after the release. The tags for
>>> TC 9, 10.1 and 11 do not have this problem.
>> Everything looks fine to me, it's the latest .93 version. Maybe it's caused
>> by your browser's local cache, you can try again after clearing local cache.
>> BUT there is a typo `rlease` in version status.
>
> thanks for also checking. I meant the version of the changelog, that is
> shipped as part of the release, so the tagged one:
>
> https://github.com/apache/tomcat/blob/8.5.93/webapps/docs/changelog.xml
>
> or if you prefer the one that is included in the release files we produce
> (source tarballs and zips etc.).
>
> You probably looked at the one linked in the release vote mail above. That
> is a nightly changelog version and contains the post-release commit, which
> prepares for the next (upcoming) version. In this commit Mark had already
> fixed the wrong version number.

Aha indeed. Thanks for pointing it out. I did misunderstand ; )

Han

>
> Best regards,
>
> Rainer
[tomcat] branch main updated: Fix changelog rtext for old TC 11.0.0-M7
This is an automated email from the ASF dual-hosted git repository. rjung pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 77a41c0bb3 Fix changelog rtext for old TC 11.0.0-M7 77a41c0bb3 is described below commit 77a41c0bb30fc62c575f15b19bd8479afabfe04f Author: Rainer Jung AuthorDate: Thu Aug 24 11:41:55 2023 +0200 Fix changelog rtext for old TC 11.0.0-M7 --- webapps/docs/changelog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 7ab281bafe..33036ef6f4 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -423,7 +423,7 @@ - + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 9.0.x updated: Fix type in changelog rtext for TC 9.0.80
This is an automated email from the ASF dual-hosted git repository. rjung pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 4c72584546 Fix type in changelog rtext for TC 9.0.80 4c72584546 is described below commit 4c72584546638fd8c0f8d0869cb7849d18057102 Author: Rainer Jung AuthorDate: Thu Aug 24 11:42:52 2023 +0200 Fix type in changelog rtext for TC 9.0.80 --- webapps/docs/changelog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index ab70a809c5..200b0588c1 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -106,7 +106,7 @@ --> - + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[tomcat] branch 8.5.x updated: Fix type in changelog rtext for TC 8.5.93
This is an automated email from the ASF dual-hosted git repository. rjung pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new ff62d0f0aa Fix type in changelog rtext for TC 8.5.93 ff62d0f0aa is described below commit ff62d0f0aa37e20481470f75b978272957c89316 Author: Rainer Jung AuthorDate: Thu Aug 24 11:43:13 2023 +0200 Fix type in changelog rtext for TC 8.5.93 --- webapps/docs/changelog.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 267070e325..472714636f 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -106,7 +106,7 @@ --> - + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [tomcat] branch 9.0.x updated: Temporary RM
On Wed, Aug 23, 2023 at 11:38 PM wrote: > > This is an automated email from the ASF dual-hosted git repository. > > markt pushed a commit to branch 9.0.x > in repository https://gitbox.apache.org/repos/asf/tomcat.git > > > The following commit(s) were added to refs/heads/9.0.x by this push: > new cabc280de9 Temporary RM > cabc280de9 is described below > > commit cabc280de9ce72d5e8286874e3a630bb4e9d9fe0 > Author: Mark Thomas > AuthorDate: Wed Aug 23 14:37:38 2023 -0700 > > Temporary RM I'm on PTO right now but could manage it with a better understanding of the schedule. Maybe this is for the best for this one ;) Rémy > --- > webapps/docs/changelog.xml | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml > index 0c09add2d3..925fd53fd7 100644 > --- a/webapps/docs/changelog.xml > +++ b/webapps/docs/changelog.xml > @@ -104,7 +104,7 @@ >They eventually become mixed with the numbered issues (i.e., numbered >issues do not "pop up" wrt. others). > --> > - > + > > > > > > - > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [VOTE] Release Apache Tomcat 9.0.80
On 8/24/23 01:29, Mark Thomas wrote:

[X] +1, Stable - go ahead and release as 9.0.80

Tested with openjdk version "17.0.8", tc-native 1.2.37 and openssl 3.0.9

--
Cheers

Jean-Frederic
Re: [tomcat] 01/02: Avoid protocol relative redirects
Mark, On 8/22/23 15:22, ma...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch cve-2023-41080 in repository https://gitbox.apache.org/repos/asf/tomcat.git commit e3703c9abb8fe0d5602f6ba8a8f11d4b6940815a Author: Mark Thomas AuthorDate: Tue Aug 22 11:31:23 2023 -0700 Avoid protocol relative redirects --- java/org/apache/catalina/authenticator/FormAuthenticator.java | 6 ++ webapps/docs/changelog.xml| 3 +++ 2 files changed, 9 insertions(+) diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java index 5487ec87a8..9dd5635ca8 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java @@ -742,6 +742,12 @@ public class FormAuthenticator extends AuthenticatorBase { sb.append('?'); sb.append(saved.getQueryString()); } + +// Avoid protocol relative redirects +while (sb.length() > 1 && sb.charAt(1) == '/') { +sb.deleteCharAt(0); +} Are there any previous guarantees that sb.charAt(0) is a '/'? I'm wondering if we shouldn't just blindly delete the first character instead of the second. Unrelated, I wonder if this method still needs a StringBuilder at all. -chris diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index e4d3072d31..a45195dfc1 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -125,6 +125,9 @@ exceptions. As a consequence, the FailedRequestFilter has been removed. (markt) + +Avoid protocol relative redirects in FORM authentication. (markt) + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
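Review bot: In the FormAuthenticator.java hunk, the loop condition tests only `sb.charAt(1) == '/'` while the body removes index 0, so the change is only correct if the buffer already starts with '/', and nothing in the visible lines establishes that. Either add `sb.charAt(0) == '/'` to the condition or state the invariant in the comment, and say in the comment why a target beginning with `//` must not reach the redirect (a client resolves it as a host rather than a path). The diffstat lists only FormAuthenticator.java and changelog.xml, so a regression test that sends a saved request URI with several leading slashes through this code path should accompany the fix.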
Re: [VOTE] Release Apache Tomcat 11.0.0-M11
On 23/08/2023 16:22, Mark Thomas wrote:

The proposed 11.0.0-M11 release is:
[ ] -1 Broken - do not release
[X] +1 Alpha - go ahead and release as 11.0.0-M11

Tests pass on x64 Linux and M1 MacOS with Tomcat Native 1.2.38.

There were three test failures on x64 Windows with Tomcat Native 2.0.5. I
have traced these failures to issues with the newly added tests for
parameter handling. The tests don't take account of all of the OS
differences. I have fixes for these tests that I'll commit shortly.

Mark
[tomcat] branch main updated: Fix test failures on Windows server
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 2083768d6b Fix test failures on Windows server 2083768d6b is described below commit 2083768d6b78d3bd4dd0df4338adb2249daa3949 Author: Mark Thomas AuthorDate: Thu Aug 24 11:28:50 2023 -0700 Fix test failures on Windows server --- test/jakarta/servlet/ServletRequestParametersBaseTest.java | 3 ++- test/jakarta/servlet/TestServletRequestParameters.java | 9 - 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/test/jakarta/servlet/ServletRequestParametersBaseTest.java b/test/jakarta/servlet/ServletRequestParametersBaseTest.java index 6a045c0217..20db0c92e9 100644 --- a/test/jakarta/servlet/ServletRequestParametersBaseTest.java +++ b/test/jakarta/servlet/ServletRequestParametersBaseTest.java @@ -37,7 +37,8 @@ public class ServletRequestParametersBaseTest extends TomcatBaseTest { protected Map> parseReportedParameters(SimpleHttpClient client) { Map> parameters = new LinkedHashMap<>(); if (client.isResponse200()) { -String[] lines = client.getResponseBody().split(System.lineSeparator()); +// Response is written using "\n" so need to split on that. +String[] lines = client.getResponseBody().split("\n"); for (String line : lines) { // Every line should be name=value int equalsPos = line.indexOf('='); diff --git a/test/jakarta/servlet/TestServletRequestParameters.java b/test/jakarta/servlet/TestServletRequestParameters.java index 3354eb07fd..44f4f60955 100644 --- a/test/jakarta/servlet/TestServletRequestParameters.java +++ b/test/jakarta/servlet/TestServletRequestParameters.java @@ -16,6 +16,7 @@ */ package jakarta.servlet; +import java.net.SocketException; import java.nio.charset.StandardCharsets; import org.junit.Assert; 
@@ -54,7 +55,13 @@ public class TestServletRequestParameters extends ServletRequestParametersBaseTe client.setResponseBodyEncoding(StandardCharsets.UTF_8); client.connect(); // Incomplete request will look timeout reading body and behave like a client disconnect -client.processRequest(); +// What the client will see will vary by OS. Expect errors. + +try { +client.processRequest(); +} catch (SocketException e) { +// Likely a connection reset. +} // Connection should be closed by the server. //readLine() will receive an EOF reading the status line resuting in a null - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
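Review bot: In the TestServletRequestParameters.java hunk, the new `catch (SocketException e)` around `client.processRequest()` has no body beyond a comment, so every SocketException is swallowed, not only the connection reset the comment expects. The test then depends entirely on the later "Connection should be closed by the server" check to fail when something else goes wrong; consider saying so in the catch comment, or asserting there that the exception really is the reset case, so an unrelated socket failure is not reported as a pass. The surrounding comments also carry typos ("will look timeout", "resuting") that could be corrected in the same commit.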
Re: [VOTE] Release Apache Tomcat 8.5.93
Mark,

Thanks for RM'ing again.

On 8/23/23 19:31, Mark Thomas wrote:
> The proposed Apache Tomcat 8.5.93 release is now available for voting.
>
> The notable changes compared to 8.5.92 are:
>
> - If an application or library sets both a non-500 error code and the
>   jakarta.servlet.error.exception request attribute, use the provided
>   error code during error page processing rather than assuming an
>   error code of 500.
>
> - Fix for FORM authentication open redirect - CVE-2023-41080
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.93/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1454
>
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.93/
> 9d9aea65c435a38c737c1e600e6513f9d0980cf1
>
> The proposed 8.5.93 release is:
> [ ] Broken - do not release
> [ ] Stable - go ahead and release as 8.5.93 (stable)

+1 for stable release

Works on an application in a development environment.

Details:

* Environment
*  Java (build):
     openjdk version "1.8.0_372"
     OpenJDK Runtime Environment (Temurin)(build 1.8.0_372-b07)
     OpenJDK 64-Bit Server VM (Temurin)(build 25.372-b07, mixed mode)
*  Java (test):
     openjdk version "1.8.0_372"
     OpenJDK Runtime Environment (Temurin)(build 1.8.0_372-b07)
     OpenJDK 64-Bit Server VM (Temurin)(build 25.372-b07, mixed mode)
*  OS: Linux 5.10.0-25-amd64 x86_64
*  cc: cc (Debian 10.2.1-6) 10.2.1 20210110
*  make: GNU Make 4.3
*  OpenSSL: OpenSSL 1.1.1 11 Sep 2018
*  APR: 1.7.0
*
* Valid SHA-512 signature for apache-tomcat-8.5.93.zip
* Valid GPG signature for apache-tomcat-8.5.93.zip
* Valid SHA-512 signature for apache-tomcat-8.5.93.tar.gz
* Valid GPG signature for apache-tomcat-8.5.93.tar.gz
* Valid SHA-512 signature for apache-tomcat-8.5.93.exe
* Valid GPG signature for apache-tomcat-8.5.93.exe
* Valid Windows Digital Signature for apache-tomcat-8.5.93.exe
* Valid SHA512 signature for apache-tomcat-8.5.93-src.zip
* Valid GPG signature for apache-tomcat-8.5.93-src.zip
* Valid SHA512 signature for apache-tomcat-8.5.93-src.tar.gz
* Valid GPG signature for apache-tomcat-8.5.93-src.tar.gz
*
* Binary Zip and tarball: Same
* Source Zip and tarball: Same
*
* Building dependencies returned: 0
* tcnative builds cleanly
* Tomcat builds cleanly
* Junit Tests: PASSED
Re: [VOTE] Release Apache Tomcat 10.1.13
On 23/08/2023 16:28, Mark Thomas wrote:

The proposed 10.1.13 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 10.1.13

Tests pass on x64 Linux and M1 MacOS with Tomcat Native 1.2.38 and x64
Windows with Tomcat Native 2.0.5.

Mark
svn commit: r1911900 - in /tomcat/site/trunk: docs/download-native.html xdocs/download-native.xml
Author: markt Date: Thu Aug 24 22:00:24 2023 New Revision: 1911900 URL: http://svn.apache.org/viewvc?rev=1911900&view=rev Log: Fix OpenSSL versions Modified: tomcat/site/trunk/docs/download-native.html tomcat/site/trunk/xdocs/download-native.xml Modified: tomcat/site/trunk/docs/download-native.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/download-native.html?rev=1911900&r1=1911899&r2=1911900&view=diff == --- tomcat/site/trunk/docs/download-native.html (original) +++ tomcat/site/trunk/docs/download-native.html Thu Aug 24 22:00:24 2023 @@ -12,8 +12,8 @@ [define v]2.0.5[end] [define w]1.2.38[end] -[define y]3.0.9[end] -[define z]1.1.1u[end] +[define y]3.0.10[end] +[define z]1.1.1v[end] https://downloads.apache.org/tomcat/tomcat-connectors/KEYS";>KEYS | [v] | [w] | Modified: tomcat/site/trunk/xdocs/download-native.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/download-native.xml?rev=1911900&r1=1911899&r2=1911900&view=diff == --- tomcat/site/trunk/xdocs/download-native.xml (original) +++ tomcat/site/trunk/xdocs/download-native.xml Thu Aug 24 22:00:24 2023 @@ -24,8 +24,8 @@ --> [define v]2.0.5[end] [define w]1.2.38[end] -[define y]3.0.9[end] -[define z]1.1.1u[end] +[define y]3.0.10[end] +[define z]1.1.1v[end] https://downloads.apache.org/tomcat/tomcat-connectors/KEYS";>KEYS | [v] | [w] | - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 67061] New: SSLVerifyClient="optionalNoCA" still not doing what it should
https://bz.apache.org/bugzilla/show_bug.cgi?id=67061

            Bug ID: 67061
           Summary: SSLVerifyClient="optionalNoCA" still not doing what it should
           Product: Tomcat Native
           Version: 1.2.37
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Library
          Assignee: dev@tomcat.apache.org
          Reporter: ruedige...@yahoo.de
  Target Milestone: ---

I want to use a self-signed client certificate. Thus, to avoid the checks
along the certificate chain, I have set
certificateVerification="optionalNoCA".

For some reason, I only manage to establish a connection without ssl
handshake problems, if I provide my (self-created) CA certificate used to
sign said client certificate using caCertificateFile=... , as in the
following server.xml excerpt:

I have tested the following versions (from dockerhub):

tomcat 8.5.0      tc-native 1.2.5
tomcat 9.0.0-M4   tc-native 1.2.5
tomcat 9.0.0-M27  tc-native 1.2.14
tomcat 9.0.79     tc-native 1.2.38
tomcat 10.0.27    tc-native 1.2.35

I have read https://bz.apache.org/bugzilla/show_bug.cgi?id=59616 and
https://bz.apache.org/bugzilla/show_bug.cgi?id=63894 so I was hoping all
problems around optionalNoCA are fixed.

--
You are receiving this mail because:
You are the assignee for the bug.
Re: [VOTE] Release Apache Tomcat 9.0.80
On 23/08/2023 16:29, Mark Thomas wrote:

The proposed 9.0.80 release is:
[ ] -1, Broken - do not release
[X] +1, Stable - go ahead and release as 9.0.80

Tests pass on x64 Linux, M1 MacOS and x64 Windows with Tomcat Native 1.2.38.

The APR tests were a little unstable but I think I know what is going on
there. I need to tweak the test environment.

Mark
svn commit: r63616 - in /release/tomcat/tomcat-connectors/native: 1.2.37/ 2.0.4/
Author: markt
Date: Thu Aug 24 22:42:00 2023
New Revision: 63616

Log:
Remove older releases from CDN

Removed:
    release/tomcat/tomcat-connectors/native/1.2.37/
    release/tomcat/tomcat-connectors/native/2.0.4/
Re: [VOTE] Release Apache Tomcat 8.5.93
On 23/08/2023 16:31, Mark Thomas wrote:

The proposed 8.5.93 release is:
[ ] Broken - do not release
[X] Stable - go ahead and release as 8.5.93 (stable)

Tests pass on x64 Linux, M1 MacOS and x64 Windows with Tomcat Native 1.2.38.

The APR tests on Windows were a little unstable but I think I know what is
going on there. I need to tweak the test environment.

Mark
Re: [VOTE] Release Apache Tomcat 10.1.13
> On Aug 24, 2023, at 07:28, Mark Thomas wrote:
>
> The proposed Apache Tomcat 10.1.13 release is now available for
> voting.
>
> The notable changes compared to 10.1.12 are:
>
> - If an application or library sets both a non-500 error code and the
>   jakarta.servlet.error.exception request attribute, use the
>   provided error code during error page processing rather than assuming
>   an error code of 500.
>
> - Fix for FORM authentication open redirect - CVE-2023-41080
>
>
> For full details, see the change log:
> https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html
>
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> without changes. Java EE applications designed for Tomcat 9 and earlier may
> be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will
> automatically convert them to Jakarta EE and copy them to the webapps
> directory.
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.13/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1452
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.1.13
> 71dddc8a1b8fe1175a14e6dd98bb8af56c9ad75d
>
> The proposed 10.1.13 release is:
> [ ] Broken - do not release
> [X] Stable - go ahead and release as 10.1.13

Tests pass

Han
[Bug 67061] SSLVerifyClient="optionalNoCA" still not doing what it should
https://bz.apache.org/bugzilla/show_bug.cgi?id=67061

--- Comment #1 from ruedige...@yahoo.de ---

On top, the problem also exists in my local installation (Ubuntu 20.04,
Java 17):

tomcat 9.0.55
tc-native 1.2.31
openssl 1.1.1f

Here is the relevant longer excerpt from server.xml (the rest is unchanged
from the default):

If I remove the caCertificateFile attribute, I get handshake problems with
my self-signed certificate.