[Bug 67628] OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628

--- Comment #10 from Markus Schlegel ---
We are also facing this strange log entry since we upgraded Tomcat recently.
I have read through this issue's description and comments, but the changed text in 8.5.96 alone does not help in my opinion. I really needed to debug and read through the respective code sections in order to get an understanding of this log statement.
Now I understand the reasoning behind it, but I still have a problem with that. Let me explain why.
We have been configuring our (embedded) Tomcat's SSL for years with the following code:

...
Connector sslConnector = new Connector("org.apache.coyote.http11.Http11Nio2Protocol");
sslConnector.setPort(sslPort);
sslConnector.setSecure(true);
sslConnector.setScheme("https");
sslConnector.setProperty("ciphers", "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:-DH:+ECDH");
sslConnector.setProperty("sslEnabledProtocols", "TLSv1.2");
sslConnector.setProperty("useServerCipherSuiteOrder", "true");
...

We explicitly set the ciphers configuration since the default config which comes with Tomcat still includes the (normal) Diffie-Hellman ciphers which are considered to be insecure (but not the ECDH's!).
There is still nothing wrong with that config as far as I could understand.
Nevertheless, there is now a warning in the logfile which we CAN'T TURN OFF since we use our custom ciphers configuration, which leads to "warnOnSkip" being set to true.
Those skipped ciphers are of no interest for us or our customers since they appear only because Tomcat - as far as I understand - uses the ciphers-set from OpenSSL to build the complete list of theoretically available ciphers.

It would help us with explaining this to the customers if the log statement would be logged on level "debug" rather than as a "warning" or if we had a way to turn off logging it.

--
You are receiving this mail because:
You are the assignee for the bug.
- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 67628] OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628

--- Comment #11 from Michael Osipov ---
(In reply to Markus Schlegel from comment #10)
> We are also facing this strange log entry since we upgraded Tomcat recently.
> I have read through this issue's description and comments, but the changed
> text in 8.5.96 alone does not help in my opinion. I really needed to debug
> and read through the respective code sections in order to get an
> understanding of this log statement.
> Now I understand the reasoning behind it, but I still have a problem with
> that. Let me explain why.
> We have been configuring our (embedded) Tomcat's SSL for years with the
> following code:
>
> ...
> Connector sslConnector = new
> Connector("org.apache.coyote.http11.Http11Nio2Protocol");
> sslConnector.setPort(sslPort);
> sslConnector.setSecure(true);
> sslConnector.setScheme("https");
> sslConnector.setProperty("ciphers",
> "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA:-DH:+ECDH");
> sslConnector.setProperty("sslEnabledProtocols", "TLSv1.2");
> sslConnector.setProperty("useServerCipherSuiteOrder", "true");
> ...
>
> We explicitly set the ciphers configuration since the default config which
> comes with Tomcat still includes the (normal) Diffie-Hellman ciphers which
> are considered to be insecure (but not the ECDH's!).
> There is still nothing wrong with that config as far as I could understand.
> Nevertheless, there is now a warning in the logfile which we CAN'T TURN OFF
> since we use our custom ciphers configuration, which leads to "warnOnSkip"
> being set to true.
> Those skipped ciphers are of no interest for us or our customers since they
> appear only because Tomcat - as far as I understand - uses the ciphers-set
> from OpenSSL to build the complete list of theoretically available ciphers.
>
> It would help us with explaining this to the customers if the log statement
> would be logged on level "debug" rather than as a "warning" or if we had a
> way to turn off logging it.

I have raised more or less the same concern and how it can be solved...
Re: (tomcat) 04/04: Fix BZ 68119 - Refactor for improved performance during type conversion
On 27/11/2023 19:38, Rémy Maucherat wrote: On Mon, Nov 27, 2023 at 7:29 PM wrote: This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git commit 8df7a3a95babb12fc38b8efa7eb938877ef38485 Author: Mark Thomas AuthorDate: Mon Nov 27 14:01:49 2023 + Fix BZ 68119 - Refactor for improved performance during type conversion https://bz.apache.org/bugzilla/show_bug.cgi?id=68119 --- java/javax/el/CompositeELResolver.java | 47 +++--- webapps/docs/changelog.xml | 8 ++ 2 files changed, 52 insertions(+), 3 deletions(-) diff --git a/java/javax/el/CompositeELResolver.java b/java/javax/el/CompositeELResolver.java index ee14d6bcc3..2280f9a805 100644 --- a/java/javax/el/CompositeELResolver.java +++ b/java/javax/el/CompositeELResolver.java @@ -17,13 +17,16 @@ package javax.el; import java.beans.FeatureDescriptor; +import java.util.HashSet; import java.util.Iterator; import java.util.NoSuchElementException; import java.util.Objects; +import java.util.Set; public class CompositeELResolver extends ELResolver { private static final Class SCOPED_ATTRIBUTE_EL_RESOLVER; +private static final Set KNOWN_NON_TYPE_CONVERTING_RESOLVERS = new HashSet<>(); static { Class clazz = null; try { 
@@ -32,15 +35,39 @@ public class CompositeELResolver extends ELResolver { // Ignore. This is expected if using the EL stand-alone } SCOPED_ATTRIBUTE_EL_RESOLVER = clazz; + +// EL API Resolvers + KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add(ArrayELResolver.class.getName()); + KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add(BeanELResolver.class.getName()); + KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add(BeanNameELResolver.class.getName()); + KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add(ListELResolver.class.getName()); +KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add(MapELResolver.class.getName()); + KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add(ResourceBundleELResolver.class.getName()); + KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add(StaticFieldELResolver.class.getName()); +// JSP API Resolvers - referenced by name to avoid creating dependency + KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add("jakarta.servlet.jsp.el.ImplicitObjectELResolver"); + KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add("jakarta.servlet.jsp.el.ScopedAttributeELResolver"); +// Tomcat internal resolvers - referenced by name to avoid creating dependency + KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add("org.apache.jasper.el.JasperELResolver$GraalBeanELResolver"); It's not there in 8.5. Ack. I had the change locally for testing but forgot to commit it. I'll so that now. Mark - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
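Review bot: the two JSP API entries in the second hunk are registered as "jakarta.servlet.jsp.el.ImplicitObjectELResolver" and "jakarta.servlet.jsp.el.ScopedAttributeELResolver", yet the file being patched is java/javax/el/CompositeELResolver.java in package javax.el on the 8.5.x branch. These strings look carried over from a Jakarta branch in the same way as the Graal entry raised in the reply; if the JSP API on this branch lives under javax.servlet.jsp.el, the names will never match a resolver's class name and the lookup in KNOWN_NON_TYPE_CONVERTING_RESOLVERS silently misses them. Please confirm the package prefix for 8.5.x and adjust the two strings if needed.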
(tomcat) branch 8.5.x updated: Remove Graal resolver as it is not present in 8.5.x
This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/8.5.x by this push: new 632d0e996e Remove Graal resolver as it is not present in 8.5.x 632d0e996e is described below commit 632d0e996e2f9b5ba3d7ad4105457ba10dfd98c4 Author: Mark Thomas AuthorDate: Tue Nov 28 09:18:42 2023 + Remove Graal resolver as it is not present in 8.5.x --- java/javax/el/CompositeELResolver.java | 1 - 1 file changed, 1 deletion(-) diff --git a/java/javax/el/CompositeELResolver.java b/java/javax/el/CompositeELResolver.java index 2280f9a805..9f06aff0ee 100644 --- a/java/javax/el/CompositeELResolver.java +++ b/java/javax/el/CompositeELResolver.java @@ -48,7 +48,6 @@ public class CompositeELResolver extends ELResolver { KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add("jakarta.servlet.jsp.el.ImplicitObjectELResolver"); KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add("jakarta.servlet.jsp.el.ScopedAttributeELResolver"); // Tomcat internal resolvers - referenced by name to avoid creating dependency - KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add("org.apache.jasper.el.JasperELResolver$GraalBeanELResolver"); KNOWN_NON_TYPE_CONVERTING_RESOLVERS.add("org.apache.el.stream.StreamELResolverImpl"); } - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
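Review bot: the entries left as context around the removed line are plain class-name strings ("referenced by name to avoid creating dependency"), so nothing at compile time catches a name that does not exist on a given branch, which is how the GraalBeanELResolver entry had to be removed after the fact. A small test in the branch's test tree that checks each string in KNOWN_NON_TYPE_CONVERTING_RESOLVERS against the classes actually present would flag a stale or mis-prefixed name at the next back-port.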
[Bug 67628] OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628

--- Comment #12 from Mark Thomas ---
@Markus - suggestions on improving the text of the docs and/or the message welcome.

I don't think logging this at debug is an option. That the actual ciphers used change depending on which TLS implementation is used potentially has security implications so I think we have to visibly log something.

We can log any combination of:
- the requested configuration
- the list of ciphers the requested configuration maps to
- the list of ciphers actually used
- the list of ciphers requested but not supported

If you want to silence the warning, then you can explicitly list the ciphers you want to use but that has its own drawbacks.

I haven't run the default Tomcat TLS configuration against the SSL Labs scanner for a while. I'll do that and see if adjustments are required.
[Bug 67628] OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628

--- Comment #13 from Markus Schlegel ---
> I haven't run the default Tomcat TLS configuration against the SSL Labs scanner
> for a while. I'll do that and see if adjustments are required.

SSL-Labs still gives rating "B" if DH ciphers are enabled.
For information about DH ciphers, see https://weakdh.org/
Re: (tomcat) 03/08: Code clean - formatting. No functional change.
Mark,

On 11/25/23 08:40, Mark Thomas wrote:
> On 25/11/2023 07:59, Rémy Maucherat wrote:
>> On Fri, Nov 24, 2023 at 6:17 PM wrote:
>>>
>>> This is an automated email from the ASF dual-hosted git repository.
>>>
>>> markt pushed a commit to branch main
>>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>>>
>>> commit b91af3e5c32d154e26dbf8f1a19c84d301ce8e1e
>>> Author: Mark Thomas
>>> AuthorDate: Fri Nov 24 16:54:27 2023 +
>>>
>>> Code clean - formatting. No functional change.
>>>
>>> Primarily to reduce IDE warnings from generated code.
>>
>> jextract is really bad for this. OTOH, fixing them is not practical
>> since they will reappear every time this is regenerated for any
>> reason. So could it be ignored instead ?
>
> I did look at options for ignoring the warnings.
>
> You can't tell Eclipse to ignore warnings in a given file/package.
>
> We could add @SuppressWarnings("...") but that means manually editing
> each file.

$ jextract ...
$ sed ...

?

-chris
Re: (tomcat) 03/08: Code clean - formatting. No functional change.
On 28/11/2023 14:17, Christopher Schultz wrote:
> Mark,
>
> On 11/25/23 08:40, Mark Thomas wrote:
>> On 25/11/2023 07:59, Rémy Maucherat wrote:
>>> On Fri, Nov 24, 2023 at 6:17 PM wrote:
>>>>
>>>> This is an automated email from the ASF dual-hosted git repository.
>>>>
>>>> markt pushed a commit to branch main
>>>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>>>>
>>>> commit b91af3e5c32d154e26dbf8f1a19c84d301ce8e1e
>>>> Author: Mark Thomas
>>>> AuthorDate: Fri Nov 24 16:54:27 2023 +
>>>>
>>>> Code clean - formatting. No functional change.
>>>>
>>>> Primarily to reduce IDE warnings from generated code.
>>>
>>> jextract is really bad for this. OTOH, fixing them is not practical
>>> since they will reappear every time this is regenerated for any
>>> reason. So could it be ignored instead ?
>>
>> I did look at options for ignoring the warnings.
>>
>> You can't tell Eclipse to ignore warnings in a given file/package.
>>
>> We could add @SuppressWarnings("...") but that means manually editing
>> each file.
>
> $ jextract ...
> $ sed ...

That would work. Personally, I find using the IDE clean-up a lot easier but I have no strong preference for how we solve this problem as long as we have an easy way to silence these warnings when we need to.

Mark
Re: (tomcat) 03/08: Code clean - formatting. No functional change.
On Tue, Nov 28, 2023 at 3:18 PM Christopher Schultz wrote:
>
> Mark,
>
> On 11/25/23 08:40, Mark Thomas wrote:
> > On 25/11/2023 07:59, Rémy Maucherat wrote:
> >> On Fri, Nov 24, 2023 at 6:17 PM wrote:
> >>>
> >>> This is an automated email from the ASF dual-hosted git repository.
> >>>
> >>> markt pushed a commit to branch main
> >>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >>>
> >>> commit b91af3e5c32d154e26dbf8f1a19c84d301ce8e1e
> >>> Author: Mark Thomas
> >>> AuthorDate: Fri Nov 24 16:54:27 2023 +
> >>>
> >>> Code clean - formatting. No functional change.
> >>>
> >>> Primarily to reduce IDE warnings from generated code.
> >>
> >> jextract is really bad for this. OTOH, fixing them is not practical
> >> since they will reappear every time this is regenerated for any
> >> reason. So could it be ignored instead ?
> >
> > I did look at options for ignoring the warnings.
> >
> > You can't tell Eclipse to ignore warnings in a given file/package.
> >
> > We could add @SuppressWarnings("...") but that means manually editing
> > each file.
>
> $ jextract ...
> $ sed ...
>
> ?

Also upgrade jextract and regenerate since they do improve the output once in a while. Clearly this is not a big priority though.

Rémy
svn commit: r1914181 - in /tomcat/site/trunk: docs/security-10.html docs/security-11.html docs/security-8.html docs/security-9.html xdocs/security-10.xml xdocs/security-11.xml xdocs/security-8.xml xdo
Author: markt Date: Tue Nov 28 15:26:33 2023 New Revision: 1914181 URL: http://svn.apache.org/viewvc?rev=1914181&view=rev Log: Add CVE-2023-46589 Modified: tomcat/site/trunk/docs/security-10.html tomcat/site/trunk/docs/security-11.html tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-10.xml tomcat/site/trunk/xdocs/security-11.xml tomcat/site/trunk/xdocs/security-8.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-10.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-10.html?rev=1914181&r1=1914180&r2=1914181&view=diff == --- tomcat/site/trunk/docs/security-10.html (original) +++ tomcat/site/trunk/docs/security-10.html Tue Nov 28 15:26:33 2023 
@@ -42,7 +42,25 @@ Table of Contents -Fixed in Apache Tomcat 10.1.14Fixed in Apache Tomcat 10.1.13Fixed in Apache Tomcat 10.1.9Fixed in Apache Tomcat 10.1.8Fixed in Apache Tomcat 10.1.6Fixed in Apache Tomcat 10.1.5Fixed in Apache Tomcat 10.1.2Fixed in Apache Tomcat 10.1.1Fixed in Apache Tomcat 10.0.27Fixed in Apache Tomcat 10.0.23Fixed in Apache Tomcat 10.1.0-M17Fixed in Apach e Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.20Fixed in Apache Tomcat 10.1.0-M14Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomcat 10.0.0-M5Not a vulnerability in Tomcat +Fixed in Apache Tomcat 10.1.16Fixed in Apache Tomcat 10.1.14Fixed in Apache Tomcat 10.1.13Fixed in Apache Tomcat 10.1.9Fixed in Apache Tomcat 10.1.8Fixed in Apache Tomcat 10.1.6Fixed in Apache Tomcat 10.1.5Fixed in Apache Tomcat 10.1.2Fixed in Apache Tomcat 10.1.1Fixed in Apache Tomcat 10.0.27Fixed in Apache Tomcat 10.0.23Fixed in Apache T omcat 10.1.0-M17Fixed in Apache Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.20Fixed in Apache Tomcat 10.1.0-M14Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomcat 10.0.0-M5Not a vulnerability in Tomcat + 2023-11-14 Fixed in Apache Tomcat 10.1.16 + +Important: Request smuggling + 
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46589"; rel="nofollow">CVE-2023-46589 + +Tomcat did not correctly parse HTTP trailer headers. A specially crafted + trailer header that exceeded the header size limit could cause Tomcat to + treat a single request as multiple requests leading to the possibility of + request smuggling when behind a reverse proxy. + +This was fixed with commit + https://github.com/apache/tomcat/commit/b5776d769bffeade865061bc8ecbeb2b56167b08";>b5776d76. + +This issue was reported to the Tomcat Security Team on 20 October 2023. + The issue was made public on 28 November 2023. + +Affects: 10.1.0-M1 to 10.1.15 + 2023-10-10 Fixed in Apache Tomcat 10.1.14 Important: Request smuggling Modified: tomcat/site/trunk/docs/security-11.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-11.html?rev=1914181&r1=1914180&r2=1914181&view=diff == --- tomcat/site/trunk/docs/security-11.html (original) +++ tomcat/site/trunk/docs/security-11.html Tue Nov 28 15:26:33 2023 @@ -103,6 +103,22 @@ Affects: 11.0.0-M1 to 11.0.0-M10 +Important: Request smuggling + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-46589"; rel="nofollow">CVE-2023-46589 + +Tomcat did not correctly parse HTTP trailer headers. A specially crafted + trailer header that exceeded the header size limit could cause Tomcat to + treat a single request as multiple requests leading to the possibility of + request smuggling when behind a reverse proxy. + +This was fixed with commit + https://github.com/apache/tomcat/commit/6f181e1062a472bc5f0234980f66cbde42c1041b";>6f181e10. + +This issue was reported to the Tomcat Security Team on 20 October 2023. + The issue was made public on 28 November 2023. + +Affects: 11.0.0-M1 to 11.0.0-M10 + 2023-05-09 Fixed in Apache Tomcat 11.0.0-M6 Important: Information disclosure
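Review bot: in both the security-10.html and the security-11.html hunk the new CVE-2023-46589 link is written with the plain http://cve.mitre.org/ scheme, while the commit link added a few lines below it uses https://github.com/. Suggest using https for the CVE link as well so the security pages do not send readers to the CVE record over plain HTTP; if the link is produced from the xdocs sources, the change belongs there rather than in the generated HTML.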
[SECURITY] CVE-2023-46589 Apache Tomcat - Request Smuggling
CVE-2023-46589 Apache Tomcat - Request Smuggling

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M10
Apache Tomcat 10.1.0-M1 to 10.1.15
Apache Tomcat 9.0.0-M1 to 9.0.82
Apache Tomcat 8.5.0 to 8.5.95

Description:
Tomcat did not correctly parse HTTP trailer headers. A specially crafted trailer header that exceeded the header size limit could cause Tomcat to treat a single request as multiple requests leading to the possibility of request smuggling when behind a reverse proxy.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M11 or later
- Upgrade to Apache Tomcat 10.1.16 or later
- Upgrade to Apache Tomcat 9.0.83 or later
- Upgrade to Apache Tomcat 8.5.96 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team by Norihito Aimoto (OSSTech Corporation).

History:
2023-11-28 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[4] https://tomcat.apache.org/security-8.html
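The affected ranges in the advisory above, turned into an inventory check. This is an added example, not part of the advisory or of Tomcat; the inventory lines are constructed, in the "Server version: Apache Tomcat/x.y.z" banner form, and versions on branches the advisory does not list are reported as not-listed rather than as safe.

```python
import re

# (first affected, last affected, first fixed), copied from the advisory.
ADVISORY = [
    ("11.0.0-M1", "11.0.0-M10", "11.0.0-M11"),
    ("10.1.0-M1", "10.1.15", "10.1.16"),
    ("9.0.0-M1", "9.0.82", "9.0.83"),
    ("8.5.0", "8.5.95", "8.5.96"),
]

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?")
BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:-M\d+)?)")


def parse(version):
    """Sort key for a Tomcat version; milestones (-Mn) sort before the final."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError("not a Tomcat version: %r" % version)
    major, minor, patch, milestone = m.groups()
    # (0, n) for milestone n, (1, 0) for a final release of the same x.y.z.
    stage = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch), stage)


def assess(version):
    """Return (status, first_fixed) for CVE-2023-46589.

    status is 'affected', 'not-affected' (same branch, outside the range)
    or 'not-listed' (branch absent from the advisory, e.g. end-of-life).
    """
    key = parse(version)
    for low, high, fixed in ADVISORY:
        if key[:2] != parse(low)[:2]:
            continue  # different major.minor branch
        if parse(low) <= key <= parse(high):
            return ("affected", fixed)
        return ("not-affected", fixed)
    return ("not-listed", None)


def triage(lines):
    """Map inventory lines of the form '<host> ... Apache Tomcat/<v>' to findings."""
    report = []
    for line in lines:
        m = BANNER_RE.search(line)
        if not m:
            continue
        host = line.split()[0]
        status, fixed = assess(m.group(1))
        report.append((host, m.group(1), status, fixed))
    return report


# Constructed inventory, not real hosts.
SAMPLE = [
    "app01 Server version: Apache Tomcat/9.0.82",
    "app02 Server version: Apache Tomcat/9.0.83",
    "app03 Server version: Apache Tomcat/10.1.0-M17",
    "app04 Server version: Apache Tomcat/11.0.0-M11",
    "app05 Server version: Apache Tomcat/10.0.27",
    "app06 Server version: Apache Tomcat/8.5.96",
]

if __name__ == "__main__":
    for host, version, status, fixed in triage(SAMPLE):
        target = " -> upgrade to %s or later" % fixed if status == "affected" else ""
        print("%-6s %-12s %s%s" % (host, version, status, target))
```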
[Bug 68119] Significant overhead in javax.el.CompositeELResolver.convertToType
https://bz.apache.org/bugzilla/show_bug.cgi?id=68119

--- Comment #2 from John Engebretson ---
Thanks, I was indeed able to build from source, and 9.84 shows a *dramatic* decrease in latency under high cpu. The data is from a low-quality test in the development environment but I'm quite happy. Will update with prod data when we get it deployed, probably in January.

Heap dump confirms that the array size is zero.
[Bug 67628] OpenSSLCipherConfigurationParser#parse() produces misleading false positive cipher warnings
https://bz.apache.org/bugzilla/show_bug.cgi?id=67628

--- Comment #14 from Mark Thomas ---
Hmm. I think we need to move the ciphers part of this discussion to the users list.

With a recent version of OpenSSL, Tomcat's default returns 112 ciphers. Adding ":-DH" reduces that to 83 and adding ":-DH:+ECDH" makes no difference compared to just ":-DH". Looking at what "DH" and "ECDH" return on their own, I think you might want to look at your cipher configuration.

I get an SSL Labs rating of "A" with Tomcat's default ciphers for Tomcat 11 + Java 21 (OpenSSL and JSSE), Tomcat 8 + Java 11 (OpenSSL and JSSE), Tomcat 8 + Java 8 (JSSE)

Looking at the results from SSL Labs, adding ":-CBC" looks like something worth considering.
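The effect of ":-DH" and ":+ECDH" described in comment #14 can be checked against a local OpenSSL. This is an added example, not code from Tomcat or from the thread: it uses Python's ssl module, which asks the linked OpenSSL library to expand the expression, so the counts depend on that build and will differ from Tomcat's own parser and from the 112/83 quoted above. BASE is the expression from comment #10 without its last two terms.

```python
import ssl

# Expression from comment #10 without its trailing ":-DH:+ECDH".
BASE = "HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!kRSA"


def expand(expression):
    """Ordered list of cipher dicts the local OpenSSL selects for expression."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(expression)  # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def key_exchange(cipher):
    """Key-exchange label reported by OpenSSL, e.g. 'kx-dhe' or 'kx-ecdhe'."""
    return cipher.get("kea") or "unknown"


def compare(old_expr, new_expr):
    """Describe what changing old_expr into new_expr does to the suite list."""
    old, new = expand(old_expr), expand(new_expr)
    old_names = [c["name"] for c in old]
    new_names = [c["name"] for c in new]
    old_set, new_set = set(old_names), set(new_names)
    removed = [c for c in old if c["name"] not in new_set]
    return {
        "old_count": len(old),
        "new_count": len(new),
        "removed": [c["name"] for c in removed],
        # Which key-exchange families the removed suites belonged to.
        "removed_kx": sorted({key_exchange(c) for c in removed}),
        "added": [n for n in new_names if n not in old_set],
        # Same suites, different preference order.
        "reordered": old_set == new_set and old_names != new_names,
    }


def remaining_ffdhe(expression):
    """Suites in the expansion that still use finite-field ephemeral DH."""
    return [c["name"] for c in expand(expression) if key_exchange(c) == "kx-dhe"]


if __name__ == "__main__":
    print("linked library:", ssl.OPENSSL_VERSION)
    steps = [
        (BASE, BASE + ":-DH"),
        (BASE + ":-DH", BASE + ":-DH:+ECDH"),
    ]
    for old_expr, new_expr in steps:
        result = compare(old_expr, new_expr)
        print()
        print(old_expr)
        print("  ->", new_expr)
        print("  suites: %d -> %d" % (result["old_count"], result["new_count"]))
        print("  removed key exchange:", result["removed_kx"] or "none")
        print("  added:", result["added"] or "none")
        print("  order changed only:", result["reordered"])
    print()
    print("finite-field DHE left after -DH:", remaining_ffdhe(BASE + ":-DH") or "none")
```

Comparing this output with the cipher list Tomcat logs at start-up shows which differences come from the expression itself and which from the TLS implementation in use.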
svn commit: r1914188 - in /tomcat/site/trunk: docs/security-8.html xdocs/security-8.xml
Author: markt Date: Tue Nov 28 18:44:02 2023 New Revision: 1914188 URL: http://svn.apache.org/viewvc?rev=1914188&view=rev Log: Fix typo Modified: tomcat/site/trunk/docs/security-8.html tomcat/site/trunk/xdocs/security-8.xml Modified: tomcat/site/trunk/docs/security-8.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-8.html?rev=1914188&r1=1914187&r2=1914188&view=diff == --- tomcat/site/trunk/docs/security-8.html (original) +++ tomcat/site/trunk/docs/security-8.html Tue Nov 28 18:44:02 2023 
@@ -42,8 +42,8 @@ Table of Contents -Fixed in Apache Tomcat 8.5.95Fixed in Apache Tomcat 8.5.94Fixed in Apache Tomcat 8.5.93Fixed in Apache Tomcat 8.5.89Fixed in Apache Tomcat 8.5.88Fixed in Apache Tomcat 8.5.86Fixed in Apache Tomcat 8.5.85Fixed in Apache Tomcat 8.5.84Fixed in Apache Tomcat 8.5.83Fixed in Apache Tomcat 8.5.82Fixed in Apache Tomcat 8.5.79Fixed in Apache Tomcat 8.5.78Fixed in Apache Tomcat 8.5.76Fixed in Apache Tomcat 8.5.75Fixed in Apache Tomcat 8.5.72Fixed in Apache Tomcat 8.5.68Fixed in Apache Tomcat 8.5.66Fixed in Apache Tomcat 8.5.65Fixed in Apache Tomcat 8.5.64Fixed in Apache Tomcat 8.5.63Fixed in Apache Tomcat 8.5.60Fixed in Apache Tomcat 8.5.58Fixed in Apache Tomcat 8.5.57Fixed in Apache Tomcat 8.5.56Fixed in Apache Tomcat >8.5.55Fixed in Apache >Tomcat 8.5.51Fixed in >Apache Tomcat 8.5.50href="#Fixed_in_Apache_Tomcat_8.5.49">Fixed in Apache Tomcat >8.5.49Fixed in Apache >Tomcat 8.5.41Fixed in >Apache Tomcat 8.5.40href="#Fixed_in_Apache_Tomcat_8.5.38">Fixed in Apache Tomcat >8.5.38Fixed in Apache >Tomcat 8.5.34Fixed in >Apache Tomcat 8.0.53href="#Fixed_in_Apache_Tomcat_8.5.32">Fixed in Apache Tomcat >8.5.32Fixed in Apache >Tomcat 8.0.52Fixed in >Apache Tomcat 8.5.31 Fixed in Apache Tomcat 8.0.50Fixed in Apache Tomcat 8.5.28Fixed in Apache Tomcat 8.0.48Fixed in Apache Tomcat 8.5.24Fixed in Apache Tomcat 8.0.47Fixed in Apache Tomcat 8.5.23Fixed in Apache Tomcat 8.0.45Fixed in Apache Tomcat 8.5.16Fixed in Apache Tomcat 8.0.44Fixed in Apache Tomcat 8.5.15Fixed in Apache Tomcat 8.0.43Fixed in Apache Tomcat 8.5.13< /li>Fixed in Apache Tomcat 8.0.42Fixed in Apache Tomcat 8.5.12Fixed in Apache Tomcat 8.0.41Fixed in Apache Tomcat 8.5.11Fixed in Apache Tomcat 8.5.9Fixed in Apache Tomcat 8.0.39Fixed in Apache Tomcat 8.5.8Fixed in Apache Tomcat 8.5.5 and 8.0.37Fixed in Apache Tomcat 8.5.3 and 8.0.36Fixed in Apache Tomcat 8.0.32Fixed in Apache Tomcat 8.0.30Fixed in Apache Tomcat 8.0.27href="#Fixed_in_Apache_Tomcat_8.0.17">Fixed in Apache Tomcat 
>8.0.17Fixed in Apache >Tomcat 8.0.9Fixed in >Apache Tomcat 8.0.8Fixed >in Apache Tomcat 8.0.5href="#Fixed_in_Apache_Tomcat_8.0.3">Fixed in Apache Tomcat >8.0.3Fixed in >Apache Tomcat 8.0.0-RC10href="#Fixed_in_Apache_Tomcat_8.0.0-RC3">Fixed in Apache Tomcat >8.0.0-RC3Not a >vulnerability in Tomcathref="#Not_a_vulnerability_in_Tomcat">Not a vulnerability in >Tomcat - 2023-11-13 Fixed in Apache Tomcat 8.5.95 +Fixed in Apache Tomcat 8.5.96Fixed in Apache Tomcat 8.5.94Fixed in Apache Tomcat 8.5.93Fixed in Apache Tomcat 8.5.89Fixed in Apache Tomcat 8.5.88Fixed in Apache Tomcat 8.5.86Fixed in Apache Tomcat 8.5.85Fixed in Apache Tomcat 8.5.84Fixed in Apache Tomcat 8.5.83Fixed in Apache Tomcat 8.5.82Fixed in Apache Tomcat 8.5.79Fixed in Apache Tomcat 8.5.78Fixed in Apache Tomcat 8.5.76Fixed in Apache Tomcat 8.5.75Fixed in Apache Tomcat 8.5.72Fixed in Apache Tomcat 8.5.68Fixed in Apache Tomcat 8.5.66Fixed in Apache Tomcat 8.5.65Fixed in Apache Tomcat 8.5.64Fixed in Apache Tomcat 8.5.63Fixed in Apache Tomcat 8.5.60Fixed in Apache Tomcat 8.5.58Fixed in Apache Tomcat 8.5.57Fixed in Apache Tomcat 8.5.56Fixed in Apache Tomcat >8.5.55Fixed in Apache >Tomcat 8.5.51Fixed in >Apache Tomcat 8.5.50href="#Fixed_in_Apache_Tomcat_8.5.49">Fixed in Apache Tomcat >8.5.49Fixed in Apache >Tomcat 8.5.41Fixed in >Apache Tomcat 8.5.40href="#Fixed_in_Apache_Tomcat_8.5.38">Fixed in Apache Tomcat >8.5.38Fixed in Apache >Tomcat 8.5.34Fixed in >Apache Tomcat 8.0.53href="#Fixed_in_Apache_Tomcat_8.5.32">Fixed in Apache Tomcat >8.5.32Fixed in Apache >Tomcat 8.0.52Fixed in >Apache Tomcat 8.5.31 Fixed in Apache Tomcat 8.0.50Fixed in Apache Tomcat 8.5.28Fixed in Apache Tomcat 8.0.48Fixed in Apache Tomcat 8.5.24Fixed in Apache Tomcat 8.0.47Fixed in Apache Tomcat 8.5.23Fixed in Apache Tomcat 8.0.45Fixed in Apache Tomcat 8.5.16Fixed in Apache Tomcat 8.0.44Fixed in Apache Tomcat 8.5.15Fixed in Apache Tomcat 8.0.43Fixed in Apache Tomcat 8.5.13< /li>Fixed in Apache Tomcat 8.0.42Fixed in Apache Tomcat 8.5.12Fixed 
in Apache Tomcat 8.0.41Fixed in Apache Tomcat 8.5.11Fixed in Apache Tomcat 8.5.9Fixed in Apache Tomcat 8.0.39Fixed in Apache Tomcat 8.5.8Fixed in Apache Tomcat 8.5.5 and 8.0.37Fixed in Apache Tomcat 8.5.3 and 8.0.36Fixed in A
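Review bot: the log message "Fix typo" does not say what was wrong. In the visible part of the security-8.html hunk the first table-of-contents entry changes from "Fixed in Apache Tomcat 8.5.95" to "Fixed in Apache Tomcat 8.5.96", and a fixed-in version on the security page is the number users upgrade against. Suggest naming the corrected version in the log message so the correction can be found from the history later.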