[Bug 69504] CoyoteAdapter recycles request/response objects in "log()" method even if they came from outside.
https://bz.apache.org/bugzilla/show_bug.cgi?id=69504 --- Comment #2 from Chen Jp --- Propose extracting the recycling ops on external request/response from CoyoteAdapter#log, e.g. a supposed implementation of CoyoteAdapter#checkRecycled: 1. access logging; 2. explicitly make sure req/resp were recycled. -- You are receiving this mail because: You are the assignee for the bug. - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
Re: [PR] enhancement: RateLimitFilter - Provides an exact rate limiting mechanism [tomcat]
Chenjp commented on PR #794: URL: https://github.com/apache/tomcat/pull/794#issuecomment-2548168272 > You can't remove methods from the `RateLimiter` interface as it has been included in a stable release. Updated -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
(tomcat) branch main updated: Update CDI information
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new c1e0648e01 Update CDI information c1e0648e01 is described below commit c1e0648e0184b581ec7b0cc0d7429427c5e14a2e Author: remm AuthorDate: Tue Dec 17 15:13:41 2024 +0100 Update CDI information --- webapps/docs/cdi.xml | 85 1 file changed, 6 insertions(+), 79 deletions(-) diff --git a/webapps/docs/cdi.xml b/webapps/docs/cdi.xml index 6a6f1a23b2..05983445c4 100644 --- a/webapps/docs/cdi.xml +++ b/webapps/docs/cdi.xml @@ -23,7 +23,7 @@ &project; -CDI 2, JAX-RS and dependent libraries support +CDI, JAX-RS and dependent libraries support @@ -42,11 +42,11 @@ - + -CDI 2 support is provided by the modules/owb optional module. -It packages the Apache OpenWebBeans project and allows adding CDI 2 support +CDI support is provided by the modules/owb optional module. +It packages the Apache OpenWebBeans project and allows adding CDI support to the Tomcat container. The build process of the module uses Apache Maven, and is not available as a binary bundle as it is built using a number of publicly available JARs. @@ -83,7 +83,7 @@ mvn clean && mvn package]]> It packages the Apache CXF project and allows adding JAX-RS support to individual webapps. The build process of the module uses Apache Maven, and is not available as a binary bundle as it is built using a number of -publicly available JARs. The support depends on CDI 2 support, which should +publicly available JARs. The support depends on CDI support, which should have previously been installed at either the container or webapp level. 
@@ -99,7 +99,7 @@ mvn clean && mvn package]]> -If the CDI 2 support is available at the container +If the CDI support is available at the container level, the JAR can also be placed in the Tomcat lib folder, but in that case the CXF Servlet declaration must be individually added in each webapp as needed (it is normally loaded by the web fragment that is 
@@ -108,79 +108,6 @@ mvn clean && mvn package]]> desired root path where JAX-RS resources will be available. - -The webapp as a whole should be processed by the Tomcat migration tool for -Jakarta EE. - - - - - - - -ASF artifacts are available that implement Eclipse Microprofile -specifications using CDI 2 extensions. Once the CDI 2 and JAX-RS support -is installed, they will be usable by individual webapps. - - - -The following implementations are available (reference: -org.apache.tomee.microprofile.TomEEMicroProfileListener) as -Maven artifacts which must be added to the webapp /WEB-INF/lib -folders: - - Configuration: -Maven artifact: -org.apache.geronimo.config:geronimo-config -CDI extension class: -org.apache.geronimo.config.cdi.ConfigExtension - - Fault Tolerance: -Maven artifact: -org.apache.geronimo.safeguard:safeguard-parent -CDI extension class: -org.apache.safeguard.impl.cdi.SafeguardExtension - - Health: -Maven artifact: -org.apache.geronimo:geronimo-health -CDI extension class: - org.apache.geronimo.microprofile.impl.health.cdi.GeronimoHealthExtension - - Metrics: -Maven artifact: -org.apache.geronimo:geronimo-metrics -CDI extension class: - org.apache.geronimo.microprofile.metrics.cdi.MetricsExtension - - OpenTracing: -Maven artifact: -org.apache.geronimo:geronimo-opentracing -CDI extension class: - org.apache.geronimo.microprofile.opentracing.microprofile.cdi.OpenTracingExtension - - OpenAPI: -Maven artifact: -org.apache.geronimo:geronimo-openapi -CDI extension class: - org.apache.geronimo.microprofile.openapi.cdi.GeronimoOpenAPIExtension - - Rest client: -Maven artifact: -org.apache.cxf:cxf-rt-rs-mp-client -CDI extension class: -org.apache.cxf.microprofile.client.cdi.RestClientExtension - - JSON Web Tokens: -Note: Fore reference only, unusable outside Apache TomEE; -Maven artifact: -org.apache.tomee:mp-jwt -CDI extension class: -org.apache.tomee.microprofile.jwt.cdi.MPJWTCDIExtension - - - - -
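Review bot: dropping the version number in the `@@ -23,7 +23,7 @@` title hunk and the `@@ -42,11 +42,11 @@` OpenWebBeans hunk leaves the page with no statement of which CDI version the modules/owb build actually provides; since the same change lands on main, 11.0.x and 10.1.x, add one sentence per branch naming the CDI level (or the OpenWebBeans version the module builds against) so a reader can tell whether their extensions and the JAX-RS module below are compatible.

Review bot: the `@@ -108,79 +108,6 @@` hunk removes, along with the MicroProfile list, the standalone note "The webapp as a whole should be processed by the Tomcat migration tool for Jakarta EE" without replacing it; if that step still applies to webapps assembled from javax-based artifacts, keep it in the JAX-RS section. The commit message "Update CDI information" also gives no reason for dropping the Geronimo/TomEE MicroProfile artifact list, and the stat line shows only cdi.xml touched, so a one-line rationale in the message or a changelog.xml entry would help anyone who finds the old recommendation in a search.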
(tomcat) branch 11.0.x updated: Update CDI information
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 11.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/11.0.x by this push: new d93a14b4d8 Update CDI information d93a14b4d8 is described below commit d93a14b4d804e458b85593f1be40b5b5c923238b Author: remm AuthorDate: Tue Dec 17 15:13:41 2024 +0100 Update CDI information --- webapps/docs/cdi.xml | 85 1 file changed, 6 insertions(+), 79 deletions(-) diff --git a/webapps/docs/cdi.xml b/webapps/docs/cdi.xml index 6a6f1a23b2..05983445c4 100644
[The diff of webapps/docs/cdi.xml (same blob index 6a6f1a23b2..05983445c4) is identical to commit c1e0648e01 on main, above.]
(tomcat) branch 10.1.x updated: Update CDI information
This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/10.1.x by this push: new d878912065 Update CDI information d878912065 is described below commit d878912065d39a6de381912db0a0f004eff0d1bd Author: remm AuthorDate: Tue Dec 17 15:13:41 2024 +0100 Update CDI information --- webapps/docs/cdi.xml | 85 1 file changed, 6 insertions(+), 79 deletions(-) diff --git a/webapps/docs/cdi.xml b/webapps/docs/cdi.xml index 6a6f1a23b2..05983445c4 100644
[The diff of webapps/docs/cdi.xml (same blob index 6a6f1a23b2..05983445c4) is identical to commit c1e0648e01 on main, above.]
[SECURITY] CVE-2024-54677 Apache Tomcat - DoS in examples web application
CVE-2024-54677 Apache Tomcat - DoS in examples web application

Severity: Low
Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.1
Apache Tomcat 10.1.0-M1 to 10.1.33
Apache Tomcat 9.0.0.M1 to 9.0.97

Description:
Numerous examples in the examples web application did not place limits on uploaded data, enabling an OutOfMemoryError to be triggered, causing a denial of service. Note that by default, the examples web application is only accessible to localhost.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.2 or later
- Upgrade to Apache Tomcat 10.1.34 or later
- Upgrade to Apache Tomcat 9.0.98 or later

Credit:
The initial vulnerability was identified by Elysee Franchuk, with additional issues identified by the Tomcat security team.

History:
2024-12-17 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
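The bug class behind this advisory is a handler that buffers a request body (or an upload part) in memory without first bounding its size, so a single client can push the JVM into OutOfMemoryError. The following is an added example and not Tomcat's own fix nor code from the examples web application: a hypothetical `BoundedBodyServlet` that enforces a cap on the bytes actually read, rather than trusting the declared Content-Length, and answers 413 when the cap is exceeded. The class name, the 64 KiB limit and the `readBounded` helper are assumptions for illustration; it uses the `jakarta.servlet` packages of Tomcat 10.1 and 11 (on 9.0.x the same code compiles against `javax.servlet`).

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;

import jakarta.servlet.ServletException;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

/**
 * Added example (not Tomcat code): reads a POST body into memory only up to a
 * fixed limit, so an oversized or length-less (chunked) body cannot exhaust the heap.
 */
public class BoundedBodyServlet extends HttpServlet {

    // Assumed limit for illustration; size it to what the endpoint really needs.
    private static final int MAX_BODY_BYTES = 64 * 1024;

    /** Thrown as soon as more than the configured maximum has been read. */
    static final class BodyTooLargeException extends IOException {
        BodyTooLargeException(int max) {
            super("request body exceeds " + max + " bytes");
        }
    }

    /**
     * Copies at most {@code max} bytes from {@code in}. The declared Content-Length
     * is deliberately not the control here: chunked bodies report -1 and a client
     * can lie, so the limit is enforced on bytes as they arrive.
     */
    static byte[] readBounded(InputStream in, int max) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int total = 0;
        int n;
        while ((n = in.read(chunk)) != -1) {
            total += n;
            if (total > max) {
                // Stop before buffering the excess; the caller decides the status code.
                throw new BodyTooLargeException(max);
            }
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Cheap early rejection when the client does declare a length.
        long declared = req.getContentLengthLong();
        if (declared > MAX_BODY_BYTES) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        byte[] body;
        try (InputStream in = req.getInputStream()) {
            body = readBounded(in, MAX_BODY_BYTES);
        } catch (BodyTooLargeException e) {
            resp.sendError(HttpServletResponse.SC_REQUEST_ENTITY_TOO_LARGE);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("accepted " + body.length + " bytes");
    }
}
```

The same bounded-read discipline applies to each part of a multipart upload and to anything that decodes a body into a larger in-memory structure. Independently of the patch, the examples web application has no place on a production instance; removing webapps/examples (or keeping the default localhost-only access restriction mentioned in the advisory) is the simpler control.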
svn commit: r1922564 - in /tomcat/site/trunk: docs/security-10.html docs/security-11.html docs/security-9.html xdocs/security-10.xml xdocs/security-11.xml xdocs/security-9.xml
Author: markt Date: Tue Dec 17 12:25:38 2024 New Revision: 1922564 URL: http://svn.apache.org/viewvc?rev=1922564&view=rev Log: Add CVE-2024-50379 and CVE-2024-54677 Modified: tomcat/site/trunk/docs/security-10.html tomcat/site/trunk/docs/security-11.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-10.xml tomcat/site/trunk/xdocs/security-11.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-10.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-10.html?rev=1922564&r1=1922563&r2=1922564&view=diff == --- tomcat/site/trunk/docs/security-10.html (original) +++ tomcat/site/trunk/docs/security-10.html Tue Dec 17 12:25:38 2024 
@@ -42,7 +42,48 @@ Table of Contents -Fixed in Apache Tomcat 10.1.33Fixed in Apache Tomcat 10.1.31Fixed in Apache Tomcat 10.1.25Fixed in Apache Tomcat 10.1.19Fixed in Apache Tomcat 10.1.16Fixed in Apache Tomcat 10.1.14Fixed in Apache Tomcat 10.1.13Fixed in Apache Tomcat 10.1.9Fixed in Apache Tomcat 10.1.8Fixed in Apache Tomcat 10.1.6Fixed in Apache Tomcat 10.1.5Fixed in Apache T omcat 10.1.2Fixed in Apache Tomcat 10.1.1Fixed in Apache Tomcat 10.0.27Fixed in Apache Tomcat 10.0.23Fixed in Apache Tomcat 10.1.0-M17Fixed in Apache Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.20Fixed in Apache Tomcat 10.1.0-M14Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomcat 10.0.0-M5Not a vulnerability in Tomcat +Fixed in Apache Tomcat 10.1.34Fixed in Apache Tomcat 10.1.33Fixed in Apache Tomcat 10.1.31Fixed in Apache Tomcat 10.1.25Fixed in Apache Tomcat 10.1.19Fixed in Apache Tomcat 10.1.16Fixed in Apache Tomcat 10.1.14Fixed in Apache Tomcat 10.1.13Fixed in Apache Tomcat 10.1.9Fixed in Apache Tomcat 10.1.8Fixed in Apache Tomcat 10.1.6Fixed in Apache Tomcat 10.1.5Fixed in Apache Tomcat 10.1.2Fixed in Apache Tomcat 10.1.1Fixed in Apache Tomcat 10.0.27Fixed in Apache Tomcat 10.0.23Fixed in Apache Tomcat 10.1.0-M17Fixed in Apache Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.20Fixed in Apache Tomcat 10.1.0-M14Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache 
Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomca t 10.0.0-M5Not a vulnerability in Tomcat + 2024-12-09 Fixed in Apache Tomcat 10.1.34 + +Low: DoS in examples web application + + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-54677"; rel="nofollow">CVE-2024-54677 + +Numerous examples in the examples web application did not place limits on + uploaded data enabling an OutOfMemoryError to be triggered causing a + denial of service. + +This was fixed with commits + https://github.com/apache/tomcat/commit/f57a9d9847c1038be61f5818d73b8be907c460d4";>f57a9d98, + https://github.com/apache/tomcat/commit/aa5b4d0043289cf054f531ec55126c980d3572e1";>aa5b4d00, + https://github.com/apache/tomcat/commit/e8c16cdba833884e1bd49fff1f1cb699da177585";>e8c16cdb, + https://github.com/apache/tomcat/commit/dbec927859d9484cb8bd680a7c67b1a560f48444";>dbec9278, + https://github.com/apache/tomcat/commit/d63a10afc142b12f462a15f7d10f79fd80ff94eb";>d63a10af, + https://github.com/apache/tomcat/commit/54e56495e9a106218efe9fc9c79d976c0032bbfd";>54e56495 and + https://github.com/apache/tomcat/commit/bbd82e9593314ade4cfd57248f9285fbad686f66";>bbd82e95. + +The issue was made public on 17 December 2024. + +Affects: 10.1.0-M1 to 10.1.33 + +Important: Remote Code Execution via write enabled Default Servlet + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50379"; rel="nofollow">CVE-2024-50379 + +If the default servlet is write enabled (readonly + initialisation parameter set to the non-default value of + false) for a case insensitive file system, concurrent read + and upload under load of the same file can bypass Tomcat's case + sensitivity checks and cause an uploaded file to be treated as a JSP + leading to remote code execution. + +This was fixed with commits + https://github.com/apache/tomcat/commit/8554f6b1722b33a2ce8b0a3fad37825f3a75f2
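Review bot: the CVE-2024-54677 entry added in the `@@ -42,7 +42,48 @@` hunk drops the qualifier that the dev-list advisory for the same CVE carries, "Note that by default, the examples web application is only accessible to localhost"; that sentence is what lets an operator decide whether the Low rating applies to their deployment, so add it after "denial of service." in the entry, and apply the same edit to the security-11.xml and security-9.xml copies in this revision.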
[SECURITY] CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet
CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet

Severity: Important
Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.1
Apache Tomcat 10.1.0-M1 to 10.1.33
Apache Tomcat 9.0.0.M1 to 9.0.97

Description:
If the default servlet is write enabled (readonly initialisation parameter set to the non-default value of false) for a case insensitive file system, concurrent read and upload under load of the same file can bypass Tomcat's case sensitivity checks and cause an uploaded file to be treated as a JSP, leading to remote code execution.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.2 or later
- Upgrade to Apache Tomcat 10.1.34 or later
- Upgrade to Apache Tomcat 9.0.98 or later

Credit:
This vulnerability was identified by Nacl, WHOAMI, Yemoli and Ruozhi.

History:
2024-12-17 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
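The precondition for this vulnerability is a configuration choice, so the practical check is to audit the default servlet declaration in conf/web.xml and in each webapp's WEB-INF/web.xml. The following config fragment is an added illustration, not text from the advisory or a verbatim copy of Tomcat's shipped web.xml: the declaration with the write-enabling parameter, followed by the same declaration with readonly returned to its default. Only the servlet-name, servlet-class and the readonly parameter are taken from the advisory; the rest of the element is the standard Servlet descriptor shape.

```xml
<!-- Affected configuration: the non-default readonly=false lets PUT and DELETE
     reach the file system, which the advisory describes as the trigger on a
     case-insensitive file system. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>

<!-- Corrected configuration: readonly is already true when the parameter is absent,
     so deleting the init-param is sufficient; stating it explicitly makes the
     intent visible to the next reviewer. -->
<servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
        <param-name>readonly</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
</servlet>
```

A quick audit across an installation is `grep -rn -A1 '<param-name>readonly</param-name>' "$CATALINA_BASE/conf/web.xml" "$CATALINA_BASE/webapps/"*/WEB-INF/web.xml`; any hit followed by `<param-value>false</param-value>` is a write-enabled default servlet and, on an affected version, must be upgraded rather than merely left as is.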
[PR] for delete failure case, respond with SC_CONFLICT rather than SC_METHOD_NOT_ALLOWED [tomcat]
Chenjp opened a new pull request, #802: URL: https://github.com/apache/tomcat/pull/802 Since the allowed-methods check has been performed previously, the failure status code switches to 409 / SC_CONFLICT. The root cause may be insufficient privileges, OS file locking, or the file having already been deleted by another concurrent request.
Re: [PR] prefer central repo, disable releases for asf-snapshots [tomcat-tck]
adoroszlai commented on PR #2: URL: https://github.com/apache/tomcat-tck/pull/2#issuecomment-2549076448 @markt-asf could you please help review this?