svn commit: r1920855 - in /tomcat/site/trunk: docs/security-jk.html xdocs/security-jk.xml
Author: markt Date: Mon Sep 23 10:40:16 2024 New Revision: 1920855 URL: http://svn.apache.org/viewvc?rev=1920855&view=rev Log: Add CVE-2024-46544 Modified: tomcat/site/trunk/docs/security-jk.html tomcat/site/trunk/xdocs/security-jk.xml Modified: tomcat/site/trunk/docs/security-jk.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-jk.html?rev=1920855&r1=1920854&r2=1920855&view=diff == --- tomcat/site/trunk/docs/security-jk.html (original) +++ tomcat/site/trunk/docs/security-jk.html Mon Sep 23 10:40:16 2024 
@@ -1,6 +1,6 @@ Apache Tomcat® - Apache Tomcat JK Connectors vulnerabilitieshttps://www.apachecon.com/event-images/snippet.js";>http://tomcat.apache.org/";>Apache Tomcat®https://www.apache.org/foundation/contributing.html"; target="_blank" class="pull-left">https://www.apache. org/images/SupportApache-small.png" class="support-asf" alt="Support Apache">http://www.apache.org/"; target="_blank" class="pull-left">https://www.google.com/search"; method="get">GOApache TomcatHomeTaglibsMaven PluginDownloadWhich version?Tomcat 11 (beta)https://tomcat.apache.org/download-10.cgi";>Tomcat 10https://tomcat.apache.org/download-90.cgi";>Tomcat 9https://tomcat.apache.org/download-migration.cgi";>Tomcat Migration Tool for Jakarta EEhttps://tomcat.apache.org/download-connectors.cgi";>Tomcat Connectorshttps://tomcat.apache.org/download-native.cgi";>Tomcat Nativehttps://tomcat.apache.org/download-taglibs.cgi";>Taglibshttps://archive.apache.org/dist/tomcat/";>ArchivesDocumentationTomcat 11.0 (beta)Tomcat 10.1Tomcat 9.0UpgradingTomcat ConnectorsTomcat Native 2Tomcat Native 1.3https://cwiki.apache.org/confluence/display/TOMCAT";>WikiMigration GuidePresentationshttps://cwiki.apache.org/confluence/x/Bi8lBg";>SpecificationsProblems?Security ReportsFind helphttps://cwiki.apache.org/confluence/display/TOMCAT/FAQ";>FAQMailing ListsBug DatabaseIRCGet InvolvedOverviewSource codeBuildbotTools Mediahttps://twitter.com/theapachetomcat";>Twitterhttps://www.youtube.com/c/ApacheTomcatOfficial";>YouTubehttps://blogs.apache.org/tomcat/";>BlogMiscWho We Arehttps://www.redbubble.com/people/comdev/works/30885254-apache-tomcat";>SwagHeritagehttp://www.apache.org";>Apache HomeResourcesContactLegalhttps://privacy.apache.org/policies/privacy-policy-public.html";>Privacyhttps://www.apache.org/foundation/contributing.html";>Support Apachehttps://www.apache.org/foundation/sponsorship.html";>Sponsorshiphttp://www.apache.org/foundation/thanks.html";>Thankshttp://www .apache.org/licenses/">LicenseContentTable of 
Contents -Apache Tomcat JK Connectors vulnerabilitiesFixed in Apache Tomcat JK Connector 1.2.49Fixed in Apache Tomcat JK Connector 1.2.46Fixed in Apache Tomcat JK Connector 1.2.43Fixed in Apache Tomcat JK Connector 1.2.42Fixed in Apache Tomcat JK Connector 1.2.41Fixed in Apache Tomcat JK Connector 1.2.27Fixed in Apache Tomcat JK Connector 1.2.23Fixed in Apache Tomcat JK Connector 1.2.21Fixed in Apache Tomcat JK Connector 1.2.16 +Apache Tomcat JK Connectors vulnerabilitiesFixed in Apache Tomcat JK Connector 1.2.50Fixed in Apache Tomcat JK Connector 1.2.49Fixed in Apache Tomcat JK Connector 1.2.46Fixed in Apache Tomcat JK Connector 1.2.43Fixed in Apache Tomcat JK Connector 1.2.42Fixed in Apache Tomcat JK Connector 1.2.41Fixed in Apache Tomcat JK Connector 1.2.27Fixed in Apache Tomcat JK Connector 1.2.23Fixed in Apache Tomcat JK Connector 1.2.21Fixed in Apache Tomcat JK Connector 1.2.16 Apache Tomcat JK Connectors vulnerabilities This page lists all security vulnerabilities fixed in released versions of Apache Tomcat Jk Connectors. Each vulnerability is given a 
@@ -15,6 +15,24 @@ vulnerabilities to the Tomcat Security Team. + Fixed in Apache Tomcat JK Connector 1.2.50 +Moderate: Information disclosure / Denial of service + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-46544"; rel="nofollow">CVE-2024-46544 + +Incorrect default permissions for the memory mapped file configured by + the JkShmFile directive on Unix like systems allows local + users to view and/or modify the contents of the shared memory containing + mod_jk configuration and status information. This could result in + information disclosure and/or denial of service. + +This was fixed with commit + https://github.com/apache/tomcat-connectors/commit/d55706e92b65018c2e4c7ab14014a996b0174966";>d55706e9. + +This issue was identified by the Tomcat Security Team on 6 August 2024. + The issue was made public on 23 September 2024. + +Affects: JK 1.2.9-1.2.49 (mod_jk on Unix like platforms only) + Fixed in Apache Tomcat JK Connector 1.2.49 Important: Information disclosure http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41081"; rel="nofollow">CVE-2023-41081 Modified: tomcat/site/trunk/xdocs/security-jk.xml URL: http://
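Review bot: the new 1.2.50 entry names no interim measure for administrators who cannot upgrade mod_jk immediately. Since the defect is the default mode of the file named by JkShmFile, the entry could either say whether tightening the permissions of that file, or of the directory that holds it (a directory restriction survives the file being recreated at httpd start), is an acceptable stop-gap, or state explicitly that only the upgrade fixes it. The affected range (JK 1.2.9-1.2.49, Unix-like platforms only), the fix commit d55706e9 and the identification/disclosure dates match the advisory text.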
[SECURITY] CVE-2024-46544 Apache mod_jk - Information Disclosure / Denial of Service
CVE-2024-46544 Apache mod_jk - Information Disclosure / DoS

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- JK 1.2.9-1.2.49 (mod_jk on Unix-like platforms only)

Description:
Incorrect default permissions for the memory-mapped file configured by the JkShmFile directive on Unix-like systems allows local users to view and/or modify the contents of the shared memory containing mod_jk configuration and status information. This could result in information disclosure and/or denial of service.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to mod_jk 1.2.50 or later

History:
2024-09-23 Original advisory

References:
[1] https://tomcat.apache.org/security-jk.html

- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
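As an added check (example code written for this page, not part of the advisory or of the mod_jk project), the script below pulls every JkShmFile path out of an httpd configuration and reports whether the shared-memory file is readable or writable by group or other, which is the exposure the advisory describes. The configuration text, the paths and the throwaway files are constructed for the example; on a real host, run it against the live httpd.conf while httpd is up, because the file only exists once mod_jk has created it.

```python
import os
import re
import stat
import tempfile

# Constructed sample httpd configuration fragment (not from any real host);
# the paths are placeholders for this example.
SAMPLE_HTTPD_CONF = """
LoadModule jk_module modules/mod_jk.so
JkWorkersFile conf/workers.properties
JkShmFile /var/run/httpd/jk-runtime-status
<VirtualHost *:8443>
    JkShmFile /var/run/httpd/jk-runtime-status-ssl
</VirtualHost>
"""

# "JkShmFile <path>"; httpd directive names are case-insensitive.
JKSHMFILE_RE = re.compile(r"^\s*JkShmFile\s+(\S+)", re.IGNORECASE | re.MULTILINE)

GROUP_OTHER_READ = stat.S_IRGRP | stat.S_IROTH
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH


def find_shm_files(conf_text):
    """Return every path named by a JkShmFile directive, in order of appearance."""
    return JKSHMFILE_RE.findall(conf_text)


def audit_shm_file(path):
    """Return a list of findings for one shared-memory file.

    An empty list means only the owner can read or write it. A finding on the
    read bits is the information-disclosure half of the advisory; a finding on
    the write bits is the modification / denial-of-service half.
    """
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: not present (httpd not running, or directive unused)" % path]
    except OSError as exc:
        return ["%s: cannot stat (%s)" % (path, exc.strerror)]
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & GROUP_OTHER_READ:
        findings.append("%s: mode %04o lets group/other read mod_jk status and config" % (path, mode))
    if mode & GROUP_OTHER_WRITE:
        findings.append("%s: mode %04o lets group/other modify mod_jk status and config" % (path, mode))
    return findings


def audit_config(conf_text):
    """Audit every JkShmFile named in the configuration text."""
    findings = []
    for path in find_shm_files(conf_text):
        findings.extend(audit_shm_file(path))
    return findings


def make_sample_shm_file(mode):
    """Create a throwaway file with the given mode so the audit can be exercised
    without a running httpd (constructed test input). Returns its path."""
    fd, path = tempfile.mkstemp(prefix="jk-shm-demo-")
    os.close(fd)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for line in audit_config(SAMPLE_HTTPD_CONF):
        print(line)
    for mode in (0o666, 0o644, 0o600):
        p = make_sample_shm_file(mode)
        print("%04o ->" % mode, audit_shm_file(p) or ["ok"])
        os.remove(p)
```

The audit changes nothing; it only tells you which of the two outcomes in the advisory a given host is exposed to. Upgrading to 1.2.50 remains the fix.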
(tomcat) branch 9.0.x updated: Test manager webapp Servlets
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 8262d874c0 Test manager webapp Servlets 8262d874c0 is described below commit 8262d874c00ead3de148fa7c260a28b14b3586a9 Author: remm AuthorDate: Mon Sep 23 13:28:52 2024 +0200 Test manager webapp Servlets To be expanded with operations (deploy, store config, SSL are possibilities). --- .../authenticator/TestBasicAuthParser.java | 6 +- .../apache/catalina/manager/TestManagerWebapp.java | 199 + 2 files changed, 202 insertions(+), 3 deletions(-) diff --git a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java index 0e0d9cac4d..b11e23774e 100644 --- a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java +++ b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java @@ -438,7 +438,7 @@ public class TestBasicAuthParser { * for BASIC Authentication. * Note: only used internally, so no need to validate arguments. */ -private static final class BasicAuthHeader { +public static final class BasicAuthHeader { private static final byte[] HEADER = "authorization: ".getBytes(StandardCharsets.ISO_8859_1); @@ -448,7 +448,7 @@ public class TestBasicAuthParser { /* * This method creates a valid base64 blob */ -private BasicAuthHeader(String method, String username, +public BasicAuthHeader(String method, String username, String password) { this(method, username, password, null); } @@ -529,7 +529,7 @@ public class TestBasicAuthParser { } } -private ByteChunk getHeader() { +public ByteChunk getHeader() { return authHeader; } } diff --git a/test/org/apache/catalina/manager/TestManagerWebapp.java b/test/org/apache/catalina/manager/TestManagerWebapp.java new file mode 100644 index 00..f450f459f7 --- /dev/null 
+++ b/test/org/apache/catalina/manager/TestManagerWebapp.java 
@@ -0,0 +1,199 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.manager; + +import java.io.File; +import java.io.PrintWriter; + +import jakarta.servlet.http.HttpServletResponse; + +import org.junit.Assert; +import org.junit.Test; + +import static org.apache.catalina.startup.SimpleHttpClient.CRLF; +import org.apache.catalina.Context; +import org.apache.catalina.authenticator.TestBasicAuthParser.BasicAuthHeader; +import org.apache.catalina.realm.MemoryRealm; +import org.apache.catalina.realm.MessageDigestCredentialHandler; +import org.apache.catalina.startup.SimpleHttpClient; +import org.apache.catalina.startup.Tomcat; +import org.apache.catalina.startup.TomcatBaseTest; + +public class TestManagerWebapp extends TomcatBaseTest { + +public static final String CONFIG = "" ++ "http://tomcat.apache.org/xml\""; ++ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""; ++ " xsi:schemaLocation=\"http://tomcat.apache.org/xml/tomcat-users.xsd\""; ++ " version=\"1.0\">" ++ "" ++ "" ++ ""; + +/** + * Integration test for the manager webapp (verify all main Servlets are working). 
+ * @throws Exception if an error occurs + */ +@Test +public void testServlets() throws Exception { +Tomcat tomcat = getTomcatInstance(); + +File configFile = new File(getTemporaryDirectory(), "tomcat-users-manager.xml"); +try (PrintWriter writer = new PrintWriter(configFile)) { +writer.write(CONFIG); +} +addDeleteOnTearDown(configFile); + +MemoryRealm memoryRealm = new MemoryRealm(); +memoryRealm.setCredentialHandler(new MessageDigestCredentialHandler()); +memoryRealm.setPathname(configFile.getAbsolutePath()); + +// Add manager webapp +File appDir = new File(System.getProperty("tomcat.test.basedir"), "webapps/
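Review bot: `import jakarta.servlet.http.HttpServletResponse;` in the new test/org/apache/catalina/manager/TestManagerWebapp.java will not compile on 9.0.x, whose servlet API lives under javax.servlet; on this branch the import should be `javax.servlet.http.HttpServletResponse`. In the TestBasicAuthParser hunk, BasicAuthHeader, its constructor and getHeader() become public so that a test in org.apache.catalina.manager can use them, but the Javadoc just above still says "only used internally, so no need to validate arguments"; update that note to say the class is shared by other tests and still does not validate its arguments.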
(tomcat) branch 10.1.x updated: Test manager webapp Servlets
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new 45caced2a5 Test manager webapp Servlets 45caced2a5 is described below commit 45caced2a59e9adc995d617ebbe57050e756b04e Author: remm AuthorDate: Mon Sep 23 13:28:52 2024 +0200 Test manager webapp Servlets To be expanded with operations (deploy, store config, SSL are possibilities). --- .../authenticator/TestBasicAuthParser.java | 6 +- .../apache/catalina/manager/TestManagerWebapp.java | 199 + 2 files changed, 202 insertions(+), 3 deletions(-) diff --git a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java index 0e0d9cac4d..b11e23774e 100644 --- a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java +++ b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java @@ -438,7 +438,7 @@ public class TestBasicAuthParser { * for BASIC Authentication. * Note: only used internally, so no need to validate arguments. */ -private static final class BasicAuthHeader { +public static final class BasicAuthHeader { private static final byte[] HEADER = "authorization: ".getBytes(StandardCharsets.ISO_8859_1); @@ -448,7 +448,7 @@ public class TestBasicAuthParser { /* * This method creates a valid base64 blob */ -private BasicAuthHeader(String method, String username, +public BasicAuthHeader(String method, String username, String password) { this(method, username, password, null); } @@ -529,7 +529,7 @@ public class TestBasicAuthParser { } } -private ByteChunk getHeader() { +public ByteChunk getHeader() { return authHeader; } } diff --git a/test/org/apache/catalina/manager/TestManagerWebapp.java b/test/org/apache/catalina/manager/TestManagerWebapp.java new file mode 100644 index 00..f450f459f7 --- /dev/null 
+++ b/test/org/apache/catalina/manager/TestManagerWebapp.java 
@@ -0,0 +1,199 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.manager; + +import java.io.File; +import java.io.PrintWriter; + +import jakarta.servlet.http.HttpServletResponse; + +import org.junit.Assert; +import org.junit.Test; + +import static org.apache.catalina.startup.SimpleHttpClient.CRLF; +import org.apache.catalina.Context; +import org.apache.catalina.authenticator.TestBasicAuthParser.BasicAuthHeader; +import org.apache.catalina.realm.MemoryRealm; +import org.apache.catalina.realm.MessageDigestCredentialHandler; +import org.apache.catalina.startup.SimpleHttpClient; +import org.apache.catalina.startup.Tomcat; +import org.apache.catalina.startup.TomcatBaseTest; + +public class TestManagerWebapp extends TomcatBaseTest { + +public static final String CONFIG = "" ++ "http://tomcat.apache.org/xml\""; ++ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""; ++ " xsi:schemaLocation=\"http://tomcat.apache.org/xml/tomcat-users.xsd\""; ++ " version=\"1.0\">" ++ "" ++ "" ++ ""; + +/** + * Integration test for the manager webapp (verify all main Servlets are working). 
+ * @throws Exception if an error occurs + */ +@Test +public void testServlets() throws Exception { +Tomcat tomcat = getTomcatInstance(); + +File configFile = new File(getTemporaryDirectory(), "tomcat-users-manager.xml"); +try (PrintWriter writer = new PrintWriter(configFile)) { +writer.write(CONFIG); +} +addDeleteOnTearDown(configFile); + +MemoryRealm memoryRealm = new MemoryRealm(); +memoryRealm.setCredentialHandler(new MessageDigestCredentialHandler()); +memoryRealm.setPathname(configFile.getAbsolutePath()); + +// Add manager webapp +File appDir = new File(System.getProperty("tomcat.test.basedir"), "webapp
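Review bot: the Javadoc on BasicAuthHeader still reads "only used internally, so no need to validate arguments" although this hunk makes the class, its constructor and getHeader() public so that org.apache.catalina.manager.TestManagerWebapp can reach it from another package; reword the note to state that other tests now call it and that arguments are still not validated. The jakarta.servlet import in the new test is correct for 10.1.x.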
svn commit: r1920861 - in /tomcat/site/trunk: docs/security-10.html docs/security-11.html docs/security-9.html xdocs/security-10.xml xdocs/security-11.xml xdocs/security-9.xml
Author: markt Date: Mon Sep 23 12:53:20 2024 New Revision: 1920861 URL: http://svn.apache.org/viewvc?rev=1920861&view=rev Log: Add CVE-2024-38286 Modified: tomcat/site/trunk/docs/security-10.html tomcat/site/trunk/docs/security-11.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-10.xml tomcat/site/trunk/xdocs/security-11.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-10.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-10.html?rev=1920861&r1=1920860&r2=1920861&view=diff == --- tomcat/site/trunk/docs/security-10.html (original) +++ tomcat/site/trunk/docs/security-10.html Mon Sep 23 12:53:20 2024 @@ -62,6 +62,20 @@ Affects: 10.1.0-M1 to 10.1.24 +Important: Denial of Service + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38286"; rel="nofollow">CVE-2024-38286 + +Tomcat, under certain configurations on any platform, allows an attacker + to cause an OutOfMemoryError by abusing the TLS handshake process. + +This was fixed with commit + https://github.com/apache/tomcat/commit/3344c17cef094da4bb616f4186ed32039627b543";>3344c17c. + +This issue was reported to the Tomcat Security Team on 4 June 2024. The + issue was made public on 23 September 2024. + +Affects: 10.1.0-M1 to 10.1.24 + 2024-02-19 Fixed in Apache Tomcat 10.1.19 Important: Denial of Service Modified: tomcat/site/trunk/docs/security-11.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-11.html?rev=1920861&r1=1920860&r2=1920861&view=diff == --- tomcat/site/trunk/docs/security-11.html (original) +++ tomcat/site/trunk/docs/security-11.html Mon Sep 23 12:53:20 2024 
@@ -56,6 +56,20 @@ Affects: 11.0.0-M1 to 11.0.0-M20 +Important: Denial of Service + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38286"; rel="nofollow">CVE-2024-38286 + +Tomcat, under certain configurations on any platform, allows an attacker + to cause an OutOfMemoryError by abusing the TLS handshake process. + +This was fixed with commit + https://github.com/apache/tomcat/commit/3197862639732e16ec1164557bcd289ebc116c93";>31978626. + +This issue was reported to the Tomcat Security Team on 4 June 2024. The + issue was made public on 23 September 2024. + +Affects: 11.0.0-M1 to 11.0.0-M20 + 2024-02-19 Fixed in Apache Tomcat 11.0.0-M17 Important: Denial of Service Modified: tomcat/site/trunk/docs/security-9.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-9.html?rev=1920861&r1=1920860&r2=1920861&view=diff == --- tomcat/site/trunk/docs/security-9.html (original) +++ tomcat/site/trunk/docs/security-9.html Mon Sep 23 12:53:20 2024 @@ -56,6 +56,20 @@ Affects: 9.0.0-M1 to 9.0.89 +Important: Denial of Service + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-38286"; rel="nofollow">CVE-2024-38286 + +Tomcat, under certain configurations on any platform, allows an attacker + to cause an OutOfMemoryError by abusing the TLS handshake process. + +This was fixed with commit + https://github.com/apache/tomcat/commit/76c5cce6f0bcef14b0c21c38910371ca7d322d13";>76c5cce6. + +This issue was reported to the Tomcat Security Team on 4 June 2024. The + issue was made public on 23 September 2024. + +Affects: 9.0.13 to 9.0.89 + 2024-02-19 Fixed in Apache Tomcat 9.0.86 Important: Denial of Service Modified: tomcat/site/trunk/xdocs/security-10.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-10.xml?rev=1920861&r1=1920860&r2=1920861&view=diff == --- tomcat/site/trunk/xdocs/security-10.xml (original) +++ tomcat/site/trunk/xdocs/security-10.xml Mon Sep 23 12:53:20 2024 
@@ -75,6 +75,20 @@ Affects: 10.1.0-M1 to 10.1.24 +Important: Denial of Service + CVE-2024-38286 + +Tomcat, under certain configurations on any platform, allows an attacker + to cause an OutOfMemoryError by abusing the TLS handshake process. + +This was fixed with commit + . + +This issue was reported to the Tomcat Security Team on 4 June 2024. The + issue was made public on 23 September 2024. + +Affects: 10.1.0-M1 to 10.1.24 + Modified: tomcat/site/trunk/xdocs/security-11.xml URL: http://svn.apache.org/viewvc/tomcat/site/trunk/xdocs/security-11.xml?rev=1920861&r1=1920860&r2=1920861&view=diff == --- tomcat/site/trunk/xdocs/security-11.xml (original) +++ tomcat/site/trunk/xdocs/security-11.xml Mon Sep 23 12:53:20 2024 @@ -69,6 +6
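Review bot: the description "Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process" does not say which configurations are affected, so readers of security-9/10/11 cannot tell whether their connectors (which TLS implementation, which protocol settings) are exposed; consider naming the relevant configuration in the entry, or stating that every TLS-enabled connector is. The 9.0 entry's "Affects: 9.0.13 to 9.0.89" uses a different lower bound from the 10.1 and 11.0 entries, which is fine if the affected code first appeared in 9.0.13, but is worth double-checking against commit 76c5cce6.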
(tomcat) branch 9.0.x updated: jakarta -> javax
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new 31c741f861 jakarta -> javax 31c741f861 is described below commit 31c741f86170e2aa7216f675b561322a1f152ddb Author: remm AuthorDate: Mon Sep 23 14:53:28 2024 +0200 jakarta -> javax --- test/org/apache/catalina/manager/TestManagerWebapp.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/catalina/manager/TestManagerWebapp.java b/test/org/apache/catalina/manager/TestManagerWebapp.java index f08532eff7..575f933a1f 100644 --- a/test/org/apache/catalina/manager/TestManagerWebapp.java +++ b/test/org/apache/catalina/manager/TestManagerWebapp.java @@ -19,7 +19,7 @@ package org.apache.catalina.manager; import java.io.File; import java.io.PrintWriter; -import jakarta.servlet.http.HttpServletResponse; +import javax.servlet.http.HttpServletResponse; import org.junit.Assert; import org.junit.Test; - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
[SECURITY] CVE-2024-38286 Apache Tomcat - Denial of Service
CVE-2024-38286 Apache Tomcat - Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M20
Apache Tomcat 10.1.0-M1 to 10.1.24
Apache Tomcat 9.0.13 to 9.0.89

Description:
Tomcat, under certain configurations on any platform, allows an attacker to cause an OutOfMemoryError by abusing the TLS handshake process.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.0-M21 or later
- Upgrade to Apache Tomcat 10.1.25 or later
- Upgrade to Apache Tomcat 9.0.90 or later

Credit:
This vulnerability was reported responsibly to the Tomcat security team by Ozaki, North Grid Corporation

History:
2024-07-03 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[Bug 69333] Unnecessary code in generated JSPs
https://bz.apache.org/bugzilla/show_bug.cgi?id=69333

--- Comment #6 from Christopher Schultz ---

I'm fairly sure that try/catch/finally don't add any overhead in terms of method-code-bytes. It expands the size of the exception-handling table, but it doesn't reduce code size. Perhaps overall .class file size, sure.

Usually complaints about JSPs are due to a single method becoming too long to fit into the .class file format. In your case, you were concerned about code cache usage which, I think, will still be the same with or without the try/catch/finally blocks.

I'm not saying there isn't a change worth making here; quite the contrary. Any simplification of any code is always a win IMHO. I just want to make sure to manage expectations of what any change will actually accomplish.

-- You are receiving this mail because: You are the assignee for the bug.
[Bug 69333] Unnecessary code in generated JSPs
https://bz.apache.org/bugzilla/show_bug.cgi?id=69333

--- Comment #5 from Mark Thomas ---

Looking at the generated source and the code that generates it, I don't see why we need the try/catch/finally. Local testing indicates we can remove the try/catch/finally. We can also remove the 3-arg releaseTag() method and call the 2-arg directly.

I have a few more tests to run but should be in a position to commit the fix tomorrow if the tests go well.
[Bug 69333] Unnecessary code in generated JSPs
https://bz.apache.org/bugzilla/show_bug.cgi?id=69333

--- Comment #7 from John Engebretson ---

> I just want to make sure to manage expectations of what any change will
> actually accomplish.

Understood, agreed, and appreciated. :)
Re: Coyote Request getRequestId()
On 23/09/2024 04:28, Igal Sapir wrote:
> Hello,
>
> The current implementation of getRequestId() is optimized for speed and generates IDs that are unique to a running instance of Tomcat. But most server configurations nowadays require uniqueness across the whole system, and currently we do not offer that as:
>
> 1. Request IDs are only unique to a running Tomcat instance
> 2. Request IDs are reset to 0 each time Tomcat is restarted
> 3. Request IDs are sometimes generated by another system like a load balancer or reverse proxy, and passed around via the HTTP header "X-Request-Id"
>
> I want to propose a patch that would:
>
> 1. Check for HTTP header "X-Request-Id" and if valid (e.g. does not attempt SQL or XSS injection etc.) returns it

That is behaviour we'd typically place in a Valve or Filter. Possibly an extension to the RemoteIp[Valve|Filter]?

Rather than us validate it, I'd make processing it optional and the admins' responsibility to ensure it is trusted if they opt to process it.

> 2. Generates a URL-safe Base64-encoded UUID (22 CaSe sensitive characters)

How expensive is that process compared to the existing mechanism?

> The value will be set to the requestId private variable to ensure consistent return value for multiple calls on the same Request.
>
> I have the code ready, but wanted to discuss the matter here first.

The Servlet spec requires only that the ID is unique for the lifetime of the container.

How will this interact with ServletRequest.getRequestId() and the associated methods?

Should we make the request ID generator a pluggable component? If so, of what?

Mark
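To make the trade-off in this exchange concrete, here is an added example (written for this page in Python for brevity; it is neither Tomcat's code nor the patch Igal describes) of the two behaviours under discussion: acceptance of an upstream X-Request-Id only when an administrator opts in, checked against an allow-list, and otherwise a 22-character URL-safe base64 UUID that is cached per request. The header name, the allow-list pattern, the trust flag and the Request class are this example's assumptions.

```python
import base64
import re
import uuid

# Allow-list for an ID supplied by an upstream proxy: URL-safe characters
# only, with a bounded length. The exact pattern is this example's choice,
# not something the Servlet specification or Tomcat prescribes.
REQUEST_ID_RE = re.compile(r"[A-Za-z0-9._-]{1,128}")


def generate_request_id():
    """A random version 4 UUID as URL-safe base64 without padding: 22 characters
    that stay unique across restarts and across hosts, unlike a per-instance
    counter that starts again at 0."""
    return base64.urlsafe_b64encode(uuid.uuid4().bytes).rstrip(b"=").decode("ascii")


def is_acceptable_request_id(value):
    """True only for a string that matches the allow-list exactly, so a
    client-chosen value cannot carry quotes, angle brackets, spaces or control
    characters into logs or databases."""
    return isinstance(value, str) and REQUEST_ID_RE.fullmatch(value) is not None


def header_value(headers, name):
    """Case-insensitive lookup in a plain dict of header name -> value."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def resolve_request_id(headers, trust_proxy_header=False, header_name="X-Request-Id"):
    """Pick the ID for a request.

    With trust_proxy_header=False (the safe default) the header is ignored even
    when present, because anyone who can reach the server directly can set it.
    Only an administrator who knows a trusted proxy always sets the header
    should opt in; even then the value is checked against the allow-list.
    """
    if trust_proxy_header:
        supplied = header_value(headers, header_name)
        if is_acceptable_request_id(supplied):
            return supplied
    return generate_request_id()


class Request:
    """Stand-in for a request object (an assumption of this example): the ID is
    computed once and cached so repeated getRequestId() calls agree."""

    def __init__(self, headers, trust_proxy_header=False):
        self.headers = headers
        self.trust_proxy_header = trust_proxy_header
        self._request_id = None

    def get_request_id(self):
        if self._request_id is None:
            self._request_id = resolve_request_id(self.headers, self.trust_proxy_header)
        return self._request_id


if __name__ == "__main__":
    # Constructed headers: one as a load balancer would send, one hostile.
    print(Request({"X-Request-Id": "lb-7f3a2c"}, trust_proxy_header=True).get_request_id())
    print(Request({"X-Request-Id": "lb-7f3a2c"}, trust_proxy_header=False).get_request_id())
    print(Request({"X-Request-Id": "x' OR 1=1 --"}, trust_proxy_header=True).get_request_id())
```

The default of not trusting the header is the point Mark makes: whether the header can be believed is a deployment fact, so the switch belongs to the administrator, and the allow-list is a backstop rather than a substitute for that decision.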
(tomcat) branch main updated: Fix NIO2
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 1c818eee25 Fix NIO2 1c818eee25 is described below commit 1c818eee25eec2630ccbd657374642b354277301 Author: remm AuthorDate: Mon Sep 23 14:46:55 2024 +0200 Fix NIO2 --- test/org/apache/catalina/manager/TestManagerWebapp.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/catalina/manager/TestManagerWebapp.java b/test/org/apache/catalina/manager/TestManagerWebapp.java index f450f459f7..f08532eff7 100644 --- a/test/org/apache/catalina/manager/TestManagerWebapp.java +++ b/test/org/apache/catalina/manager/TestManagerWebapp.java @@ -182,7 +182,7 @@ public class TestManagerWebapp extends TomcatBaseTest { client.connect(); client.processRequest(true); Assert.assertEquals(HttpServletResponse.SC_OK, client.getStatusCode()); - Assert.assertTrue(client.getResponseBody().contains("-auto-1-Acceptor")); +Assert.assertTrue(client.getResponseBody().contains("http-")); client.setRequest(new String[] { "GET /manager/text/list HTTP/1.1" + CRLF + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
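Review bot: replacing `contains("-auto-1-Acceptor")` with `contains("http-")` makes the assertion almost vacuous: "http-" can be matched by many things in a status page, so the check no longer proves that the connector's status was rendered. A token tied to the auto-assigned connector name but independent of the Acceptor thread, for example `contains("-auto-1")`, would hold for NIO and NIO2 alike while still checking that the connector appears.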
(tomcat) branch 11.0.x updated: Fix NIO2
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new 72c86639b1 Fix NIO2 72c86639b1 is described below commit 72c86639b1196c9f3b57ba8b36c746f779b0821e Author: remm AuthorDate: Mon Sep 23 14:46:55 2024 +0200 Fix NIO2 --- test/org/apache/catalina/manager/TestManagerWebapp.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/catalina/manager/TestManagerWebapp.java b/test/org/apache/catalina/manager/TestManagerWebapp.java index f450f459f7..f08532eff7 100644 --- a/test/org/apache/catalina/manager/TestManagerWebapp.java +++ b/test/org/apache/catalina/manager/TestManagerWebapp.java @@ -182,7 +182,7 @@ public class TestManagerWebapp extends TomcatBaseTest { client.connect(); client.processRequest(true); Assert.assertEquals(HttpServletResponse.SC_OK, client.getStatusCode()); - Assert.assertTrue(client.getResponseBody().contains("-auto-1-Acceptor")); +Assert.assertTrue(client.getResponseBody().contains("http-")); client.setRequest(new String[] { "GET /manager/text/list HTTP/1.1" + CRLF + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
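Review bot: `contains("http-")` is too loose to show that the connector status was rendered on 11.0.x; prefer a token such as `contains("-auto-1")`, which the original `-auto-1-Acceptor` assertion already relied on and which does not depend on an Acceptor thread existing under NIO2.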
(tomcat) branch 9.0.x updated: Fix NIO2
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/9.0.x by this push: new c6af22abee Fix NIO2 c6af22abee is described below commit c6af22abeef83111a5e8041cc60cd61257e0a50d Author: remm AuthorDate: Mon Sep 23 14:46:55 2024 +0200 Fix NIO2 --- test/org/apache/catalina/manager/TestManagerWebapp.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/catalina/manager/TestManagerWebapp.java b/test/org/apache/catalina/manager/TestManagerWebapp.java index f450f459f7..f08532eff7 100644 --- a/test/org/apache/catalina/manager/TestManagerWebapp.java +++ b/test/org/apache/catalina/manager/TestManagerWebapp.java @@ -182,7 +182,7 @@ public class TestManagerWebapp extends TomcatBaseTest { client.connect(); client.processRequest(true); Assert.assertEquals(HttpServletResponse.SC_OK, client.getStatusCode()); - Assert.assertTrue(client.getResponseBody().contains("-auto-1-Acceptor")); +Assert.assertTrue(client.getResponseBody().contains("http-")); client.setRequest(new String[] { "GET /manager/text/list HTTP/1.1" + CRLF + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
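Review bot: the 9.0.x backport weakens the assertion to `contains("http-")`, which nearly any status output satisfies; asserting on `-auto-1` (the connector name fragment the old `-auto-1-Acceptor` check used) keeps the test meaningful for both NIO and NIO2.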
(tomcat) branch 10.1.x updated: Fix NIO2
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new a3e11cb61c Fix NIO2 a3e11cb61c is described below commit a3e11cb61ca402334e429b540aa15e9e4f32ae21 Author: remm AuthorDate: Mon Sep 23 14:46:55 2024 +0200 Fix NIO2 --- test/org/apache/catalina/manager/TestManagerWebapp.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/org/apache/catalina/manager/TestManagerWebapp.java b/test/org/apache/catalina/manager/TestManagerWebapp.java index f450f459f7..f08532eff7 100644 --- a/test/org/apache/catalina/manager/TestManagerWebapp.java +++ b/test/org/apache/catalina/manager/TestManagerWebapp.java @@ -182,7 +182,7 @@ public class TestManagerWebapp extends TomcatBaseTest { client.connect(); client.processRequest(true); Assert.assertEquals(HttpServletResponse.SC_OK, client.getStatusCode()); - Assert.assertTrue(client.getResponseBody().contains("-auto-1-Acceptor")); +Assert.assertTrue(client.getResponseBody().contains("http-")); client.setRequest(new String[] { "GET /manager/text/list HTTP/1.1" + CRLF + - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
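Review bot: same concern for 10.1.x as for the other branches: `contains("http-")` no longer verifies that the connector's status was listed; `contains("-auto-1")` would pass under NIO2 without the Acceptor thread and still check that the auto-assigned connector is present.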
(tomcat) branch main updated: trimCredentials was removed
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 13665c1d45 trimCredentials was removed 13665c1d45 is described below commit 13665c1d456aff625648b7141f261907c0b6fb3d Author: remm AuthorDate: Mon Sep 23 11:07:44 2024 +0200 trimCredentials was removed --- java/org/apache/catalina/authenticator/mbeans-descriptors.xml | 4 1 file changed, 4 deletions(-) diff --git a/java/org/apache/catalina/authenticator/mbeans-descriptors.xml b/java/org/apache/catalina/authenticator/mbeans-descriptors.xml index bcb6601bc3..cb4b4f77bb 100644 --- a/java/org/apache/catalina/authenticator/mbeans-descriptors.xml +++ b/java/org/apache/catalina/authenticator/mbeans-descriptors.xml @@ -67,10 +67,6 @@ description="The name of the LifecycleState that this component is currently in" type="java.lang.String" writeable="false"/> - - - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
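Review bot: the hunk drops the trimCredentials attribute descriptor from java/org/apache/catalina/authenticator/mbeans-descriptors.xml, but the removed lines are not visible in this rendering ("- - -"), so it cannot be confirmed here that exactly one attribute element was removed and that the surrounding elements remain balanced; please check the file still parses, and that no other mbeans-descriptors.xml or documentation page still lists trimCredentials now that the setter is gone.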
(tomcat) branch 11.0.x updated: trimCredentials was removed
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/11.0.x by this push:
new 7e7178a36e trimCredentials was removed

7e7178a36e is described below

commit 7e7178a36eabe5a434bbf32eae8dae65b1d3ef74
Author: remm
AuthorDate: Mon Sep 23 11:07:44 2024 +0200

trimCredentials was removed
---
java/org/apache/catalina/authenticator/mbeans-descriptors.xml | 4
1 file changed, 4 deletions(-)

diff --git a/java/org/apache/catalina/authenticator/mbeans-descriptors.xml b/java/org/apache/catalina/authenticator/mbeans-descriptors.xml index bcb6601bc3..cb4b4f77bb 100644 --- a/java/org/apache/catalina/authenticator/mbeans-descriptors.xml +++ b/java/org/apache/catalina/authenticator/mbeans-descriptors.xml @@ -67,10 +67,6 @@ description="The name of the LifecycleState that this component is currently in" type="java.lang.String" writeable="false"/> - - - -
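Review bot: this 11.0.x push carries the identical @@ -67,10 +67,6 @@ descriptor removal as the main-branch commit 13665c1d45 and, like it, changes only mbeans-descriptors.xml; the backport needs the same changelog entry so that the JMX attribute going away in the 11.0.x line is recorded for users of that branch.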
(tomcat) branch main updated: Test manager webapp Servlets
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/main by this push:
new fc9230ee9b Test manager webapp Servlets

fc9230ee9b is described below

commit fc9230ee9b466d7752859006e513e8efb89e2641
Author: remm
AuthorDate: Mon Sep 23 13:28:52 2024 +0200

Test manager webapp Servlets

To be expanded with operations (deploy, store config, SSL are possibilities).
---
.../authenticator/TestBasicAuthParser.java | 6 +-
.../apache/catalina/manager/TestManagerWebapp.java | 199 +
2 files changed, 202 insertions(+), 3 deletions(-)

diff --git a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java index 514603ab9c..5688aa82b9 100644 --- a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java +++ b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java @@ -406,7 +406,7 @@ public class TestBasicAuthParser { * for BASIC Authentication. * Note: only used internally, so no need to validate arguments. */ -private static final class BasicAuthHeader { +public static final class BasicAuthHeader { private static final byte[] HEADER = "authorization: ".getBytes(StandardCharsets.ISO_8859_1); @@ -416,7 +416,7 @@ public class TestBasicAuthParser { /* * This method creates a valid base64 blob */ -private BasicAuthHeader(String method, String username, +public BasicAuthHeader(String method, String username, String password) { this(method, username, password, null); } @@ -497,7 +497,7 @@ public class TestBasicAuthParser { } } -private ByteChunk getHeader() { +public ByteChunk getHeader() { return authHeader; } } diff --git a/test/org/apache/catalina/manager/TestManagerWebapp.java b/test/org/apache/catalina/manager/TestManagerWebapp.java new file mode 100644 index 00..f450f459f7 --- /dev/null
+++ b/test/org/apache/catalina/manager/TestManagerWebapp.java 
@@ -0,0 +1,199 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.manager; + +import java.io.File; +import java.io.PrintWriter; + +import jakarta.servlet.http.HttpServletResponse; + +import org.junit.Assert; +import org.junit.Test; + +import static org.apache.catalina.startup.SimpleHttpClient.CRLF; +import org.apache.catalina.Context; +import org.apache.catalina.authenticator.TestBasicAuthParser.BasicAuthHeader; +import org.apache.catalina.realm.MemoryRealm; +import org.apache.catalina.realm.MessageDigestCredentialHandler; +import org.apache.catalina.startup.SimpleHttpClient; +import org.apache.catalina.startup.Tomcat; +import org.apache.catalina.startup.TomcatBaseTest; + +public class TestManagerWebapp extends TomcatBaseTest { + +public static final String CONFIG = "" ++ "http://tomcat.apache.org/xml\""; ++ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""; ++ " xsi:schemaLocation=\"http://tomcat.apache.org/xml/tomcat-users.xsd\""; ++ " version=\"1.0\">" ++ "" ++ "" ++ ""; + +/** + * Integration test for the manager webapp (verify all main Servlets are working). 
+ * @throws Exception if an error occurs + */ +@Test +public void testServlets() throws Exception { +Tomcat tomcat = getTomcatInstance(); + +File configFile = new File(getTemporaryDirectory(), "tomcat-users-manager.xml"); +try (PrintWriter writer = new PrintWriter(configFile)) { +writer.write(CONFIG); +} +addDeleteOnTearDown(configFile); + +MemoryRealm memoryRealm = new MemoryRealm(); +memoryRealm.setCredentialHandler(new MessageDigestCredentialHandler()); +memoryRealm.setPathname(configFile.getAbsolutePath()); + +// Add manager webapp +File appDir = new File(System.getProperty("tomcat.test.basedir"), "webapps/ma
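Review bot: the three TestBasicAuthParser.java hunks (@@ -406,7 +406,7 @@, @@ -416,7 +416,7 @@ and @@ -497,7 +497,7 @@) widen `BasicAuthHeader`, its constructor and `getHeader()` from private to public so that TestManagerWebapp can build Authorization headers, but the Javadoc left in the first hunk still reads "only used internally, so no need to validate arguments". Now that the class is a shared test helper, either update that note or add the argument checks it says are unnecessary; as written, a second caller outside the class gets no hint that nulls and malformed input are not handled.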
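Review bot: in the new TestManagerWebapp.java, `memoryRealm.setCredentialHandler(new MessageDigestCredentialHandler());` installs a digest handler with no algorithm configured (no setAlgorithm call appears in the hunk). With a null algorithm MessageDigestCredentialHandler compares the stored and supplied credentials as plain text, which is also what the realm falls back to when no handler is set, so the line adds nothing and may mislead a reader into assuming the users in CONFIG are stored digested. Either configure an algorithm and store digested credentials in CONFIG, or drop the handler and comment that plain-text test credentials are intended.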
(tomcat) branch 11.0.x updated: Test manager webapp Servlets
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git

The following commit(s) were added to refs/heads/11.0.x by this push:
new bd095d2144 Test manager webapp Servlets

bd095d2144 is described below

commit bd095d2144f791e00188fa9e9bbaf37d60bcb051
Author: remm
AuthorDate: Mon Sep 23 13:28:52 2024 +0200

Test manager webapp Servlets

To be expanded with operations (deploy, store config, SSL are possibilities).
---
.../authenticator/TestBasicAuthParser.java | 6 +-
.../apache/catalina/manager/TestManagerWebapp.java | 199 +
2 files changed, 202 insertions(+), 3 deletions(-)

diff --git a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java index 514603ab9c..5688aa82b9 100644 --- a/test/org/apache/catalina/authenticator/TestBasicAuthParser.java +++ b/test/org/apache/catalina/authenticator/TestBasicAuthParser.java @@ -406,7 +406,7 @@ public class TestBasicAuthParser { * for BASIC Authentication. * Note: only used internally, so no need to validate arguments. */ -private static final class BasicAuthHeader { +public static final class BasicAuthHeader { private static final byte[] HEADER = "authorization: ".getBytes(StandardCharsets.ISO_8859_1); @@ -416,7 +416,7 @@ public class TestBasicAuthParser { /* * This method creates a valid base64 blob */ -private BasicAuthHeader(String method, String username, +public BasicAuthHeader(String method, String username, String password) { this(method, username, password, null); } @@ -497,7 +497,7 @@ public class TestBasicAuthParser { } } -private ByteChunk getHeader() { +public ByteChunk getHeader() { return authHeader; } } diff --git a/test/org/apache/catalina/manager/TestManagerWebapp.java b/test/org/apache/catalina/manager/TestManagerWebapp.java new file mode 100644 index 00..f450f459f7 --- /dev/null
+++ b/test/org/apache/catalina/manager/TestManagerWebapp.java 
@@ -0,0 +1,199 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one or more + * contributor license agreements. See the NOTICE file distributed with + * this work for additional information regarding copyright ownership. + * The ASF licenses this file to You under the Apache License, Version 2.0 + * (the "License"); you may not use this file except in compliance with + * the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ +package org.apache.catalina.manager; + +import java.io.File; +import java.io.PrintWriter; + +import jakarta.servlet.http.HttpServletResponse; + +import org.junit.Assert; +import org.junit.Test; + +import static org.apache.catalina.startup.SimpleHttpClient.CRLF; +import org.apache.catalina.Context; +import org.apache.catalina.authenticator.TestBasicAuthParser.BasicAuthHeader; +import org.apache.catalina.realm.MemoryRealm; +import org.apache.catalina.realm.MessageDigestCredentialHandler; +import org.apache.catalina.startup.SimpleHttpClient; +import org.apache.catalina.startup.Tomcat; +import org.apache.catalina.startup.TomcatBaseTest; + +public class TestManagerWebapp extends TomcatBaseTest { + +public static final String CONFIG = "" ++ "http://tomcat.apache.org/xml\""; ++ " xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\""; ++ " xsi:schemaLocation=\"http://tomcat.apache.org/xml/tomcat-users.xsd\""; ++ " version=\"1.0\">" ++ "" ++ "" ++ ""; + +/** + * Integration test for the manager webapp (verify all main Servlets are working). 
+ * @throws Exception if an error occurs + */ +@Test +public void testServlets() throws Exception { +Tomcat tomcat = getTomcatInstance(); + +File configFile = new File(getTemporaryDirectory(), "tomcat-users-manager.xml"); +try (PrintWriter writer = new PrintWriter(configFile)) { +writer.write(CONFIG); +} +addDeleteOnTearDown(configFile); + +MemoryRealm memoryRealm = new MemoryRealm(); +memoryRealm.setCredentialHandler(new MessageDigestCredentialHandler()); +memoryRealm.setPathname(configFile.getAbsolutePath()); + +// Add manager webapp +File appDir = new File(System.getProperty("tomcat.test.basedir"), "webapp
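Review bot: this 11.0.x push is the same patch as main-branch commit fc9230ee9b, so both points raised there carry over: the "only used internally" Javadoc on the now-public `BasicAuthHeader` is stale, and `new MessageDigestCredentialHandler()` without an algorithm leaves the MemoryRealm comparing credentials in plain text. Worth fixing in both branches together so the backport does not drift from main.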
[Bug 69337] New: Your City Wire - Where the world meets!
https://bz.apache.org/bugzilla/show_bug.cgi?id=69337

Bug ID: 69337
Summary: Your City Wire - Where the world meets!
Product: Tomcat Native
Version: unspecified
Hardware: PC
OS: Mac OS X 10.1
Status: NEW
Severity: normal
Priority: P2
Component: Documentation
Assignee: dev@tomcat.apache.org
Reporter: jerrynorberg1...@gmail.com
Target Milestone: ---

Created attachment 39872
--> https://bz.apache.org/bugzilla/attachment.cgi?id=39872&action=edit
YourCityWire

Welcome to YourCityWire – your trusted source for local news and updates. Stay informed on the latest events, politics, business, and culture in your community with timely, accurate, and unbiased reporting. Stay connected with your city through us! Visit - https://yourcitywire.com/

--
You are receiving this mail because:
You are the assignee for the bug.