Re: [PR] recycle RequestInfo when Request is reused in pool [tomcat]
qingdaoheze commented on PR #868:
URL: https://github.com/apache/tomcat/pull/868#issuecomment-2976145027

(attachment: https://github.com/user-attachments/assets/f15d8b35-a570-4bf3-a5be-325404a9d409)

@rmaucher When the org.apache.coyote.Request pool is used, its org.apache.coyote.Request#reqProcessorMX is not recycled after the request is recycled. So when org.apache.coyote.RequestGroupInfo#removeRequestProcessor is run, its stat count is counted many times. So the result count in org.apache.coyote.RequestGroupInfo will be wrong.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For queries about this service, please contact Infrastructure at: us...@infra.apache.org

To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 69710] FileCountLimitExceededException is thrown in version 11.0.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=69710

--- Comment #13 from Remy Maucherat ---
The previous defaults were there without doing the math (and even more often new features were added on top of the existing defaults), so when you multiply everything it gets out of hand. Obviously mitigations are that multipart is not often out of auth or easily accessible for scripting and so on.

--
You are receiving this mail because:
You are the assignee for the bug.
(tomcat-native) branch jfclere-patch-1 created (now 5d2fd2249)
This is an automated email from the ASF dual-hosted git repository.

jfclere pushed a change to branch jfclere-patch-1
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

  at 5d2fd2249 remove forgotten ref: trunk element.

This branch includes the following new commits:

     new 5d2fd2249 remove forgotten ref: trunk element.

The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.
(tomcat-native) 01/01: remove forgotten ref: trunk element.
This is an automated email from the ASF dual-hosted git repository. jfclere pushed a commit to branch jfclere-patch-1 in repository https://gitbox.apache.org/repos/asf/tomcat-native.git commit 5d2fd22497ad313bf395c69209c6057124885f72 Author: Jean-Frederic Clere AuthorDate: Mon Jun 16 16:47:37 2025 +0200 remove forgotten ref: trunk element. Sorry I forgot to remove it in my previous PR. --- .github/workflows/makefile.yml | 2 -- 1 file changed, 2 deletions(-) diff --git a/.github/workflows/makefile.yml b/.github/workflows/makefile.yml index ad8a4412a..a67b2d0e7 100644 --- a/.github/workflows/makefile.yml +++ b/.github/workflows/makefile.yml @@ -24,8 +24,6 @@ jobs: runs-on: windows-latest steps: - uses: actions/checkout@v4 - with: - ref: trunk - name: Download Openssl using curl and Expand-Archive shell: pwsh run: | - To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
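Review bot: the context line `Download Openssl using curl and Expand-Archive` that follows the removed lines is worth a second look in the same file: its `run: |` body is not part of this hunk, but a build step that fetches OpenSSL at run time should pin the version it downloads and verify a checksum before `Expand-Archive` unpacks it, otherwise the Windows build artifact (later published via PR #28) depends on whatever the download URL serves that day. Dropping `with:` / `ref: trunk` under `actions/checkout@v4` itself is fine; it lets pull-request runs check out the PR head instead of always building trunk.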
[PR] remove forgotten ref: trunk element. [tomcat-native]
jfclere opened a new pull request, #29:
URL: https://github.com/apache/tomcat-native/pull/29

Sorry I forgot to remove it in my previous PR.
Re: [PR] scripts, maven pom.xml and class to help to load libraries from a jar [tomcat-native]
jfclere closed pull request #3: scripts, maven pom.xml and class to help to load libraries from a jar
URL: https://github.com/apache/tomcat-native/pull/3
svn commit: r1926475 - in /tomcat/site/trunk: docs/security-10.html docs/security-11.html docs/security-9.html xdocs/security-10.xml xdocs/security-11.xml xdocs/security-9.xml
Author: markt Date: Mon Jun 16 13:57:16 2025 New Revision: 1926475 URL: http://svn.apache.org/viewvc?rev=1926475&view=rev Log: Add CVE-2025-48976, -48988, -49124, -49125 Modified: tomcat/site/trunk/docs/security-10.html tomcat/site/trunk/docs/security-11.html tomcat/site/trunk/docs/security-9.html tomcat/site/trunk/xdocs/security-10.xml tomcat/site/trunk/xdocs/security-11.xml tomcat/site/trunk/xdocs/security-9.xml Modified: tomcat/site/trunk/docs/security-10.html URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-10.html?rev=1926475&r1=1926474&r2=1926475&view=diff == --- tomcat/site/trunk/docs/security-10.html (original) +++ tomcat/site/trunk/docs/security-10.html Mon Jun 16 13:57:16 2025 
@@ -42,7 +42,75 @@ Table of Contents -Fixed in Apache Tomcat 10.1.41Fixed in Apache Tomcat 10.1.40Fixed in Apache Tomcat 10.1.35Fixed in Apache Tomcat 10.1.34Fixed in Apache Tomcat 10.1.33Fixed in Apache Tomcat 10.1.31Fixed in Apache Tomcat 10.1.25Fixed in Apache Tomcat 10.1.19Fixed in Apache Tomcat 10.1.16Fixed in Apache Tomcat 10.1.14Fixed in Apache Tomcat 10.1.13Fixed in Apache Tomcat 10.1.9Fixed in Apache Tomcat 10.1.8Fixed in Apache Tomcat 10.1.6Fixed in Apache Tomcat 10.1.5Fixed in Apache Tomcat 10.1.2Fixed in Apache Tomcat 10.1.1Fixed in Apache Tomcat 10.0.27Fixed in Apache Tomcat 10.0.23Fixed in Apache Tomcat 10.1.0-M17Fixed in Apache Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.20Fixed in Apache Tomcat 10.1.0-M14Fixed in Apache Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10Fixed in Apache Tomcat 10.0.0-M8< /a>Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomcat 10.0.0-M5Not a vulnerability in Tomcat +Fixed in Apache Tomcat 10.1.42Fixed in Apache Tomcat 10.1.41Fixed in Apache Tomcat 10.1.40Fixed in Apache Tomcat 10.1.35Fixed in Apache Tomcat 10.1.34Fixed in Apache Tomcat 10.1.33Fixed in Apache Tomcat 10.1.31Fixed in Apache Tomcat 10.1.25Fixed in Apache Tomcat 10.1.19Fixed in Apache Tomcat 10.1.16Fixed in Apache Tomcat 10.1.14Fixed in Apache Tomcat 10.1.13Fixed in Apache Tomcat 10.1.9Fixed in Apache Tomcat 10.1.8Fixed in Apache Tomcat 10.1.6Fixed in Apache Tomcat 10.1.5Fixed in Apache Tomcat 10.1.2Fixed in Apache Tomcat 10.1.1Fixed in Apache Tomcat 10.0.27Fixed in Apache Tomcat 10.0.23Fixed in Apache Tomcat 10.1.0-M17Fixed in Apache Tomcat 10.0.21Fixed in Apache Tomcat 10.1.0-M15Fixed in Apache Tomcat 10.0.20Fixed in Apache Tomcat 10.1.0-M14Fixed in Apache 
Tomcat 10.0.16Fixed in Apache Tomcat 10.1.0-M10Fixed in Apache Tomcat 10.0.12Fixed in Apache Tomcat 10.1.0-M6Fixed in Apache Tomcat 10.0.7Fixed in Apache Tomcat 10.0.6Fixed in Apache Tomcat 10.0.5Fixed in Apache Tomcat 10.0.4Fixed in Apache Tomcat 10.0.2Fixed in Apache Tomcat 10.0.0-M10< /li>Fixed in Apache Tomcat 10.0.0-M8Fixed in Apache Tomcat 10.0.0-M7Fixed in Apache Tomcat 10.0.0-M6Fixed in Apache Tomcat 10.0.0-M5Not a vulnerability in Tomcat + 2025-06-09 Fixed in Apache Tomcat 10.1.42 + +Moderate: Security constraint bypass for PreResources and + PostResources + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125"; rel="nofollow">CVE-2025-49125 + +When using PreResources or PostResources mounted other than at the root + of the web application, it was possible to access those resources via an + unexpected path. That path was likely not to be protected by the same + security constraints as the expected path, allowing those security + constraints to be bypassed. + +This was fixed with commit + https://github.com/apache/tomcat/commit/7617b9c247bc77ed0444dd69adcd8aa48777886c";>7617b9c2. + +The issue was made public on 16 June 2025. + +Affects: 10.1.0-M1 to 10.1.41 + +Low: Side-loading via Tomcat installer for Windows + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49124"; rel="nofollow">CVE-2025-49124 + +During installation, the Tomcat installer for Windows used icacls.exe + without specifying a full path. This enabled a side-loading + vulnerability. + +This was fixed with commit + https://github.com/apache/tomcat/commit/e0e07812224d327a321babb554f5a5758d30cc49";>e0e07812. + +The issue was made public on 16 June 2025. + +Affects: 10.1.0 to 10.1.41 + +Important: DoS in multipart upload + http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-48988"; rel="nofollow">CVE-2025-48988 + +Tomcat used the same limit for both request parameters and parts in a + multipart request. Since uploaded parts also includ
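Review bot: the three new CVE references in this hunk (`http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-49125`, `...CVE-2025-49124`, `...CVE-2025-48988`) link over plain http; on a security page it is preferable to link to the CVE record over https so readers following the reference are not redirected through an unauthenticated hop, unless the generated HTML is deliberately kept identical to the older entries on the page. The "Affects" ranges added here (10.1.0-M1 to 10.1.41 for CVE-2025-49125 and CVE-2025-48988, 10.1.0 to 10.1.41 for CVE-2025-49124) match the versions listed in the advisory e-mails in this thread.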
(tomcat-native) branch main updated (82c308fd4 -> c1dc84543)
This is an automated email from the ASF dual-hosted git repository.

jfclere pushed a change to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

    from 82c308fd4 Add note about needing a C compiler and autoconf/automake
     add e9186c302 Add a build test for windows.
     new c1dc84543 Merge pull request #26 from jfclere/trunk

The 1 revisions listed above as "new" are entirely new to this repository and will be described in separate emails. The revisions listed as "add" were already present in the repository and have only been added to this reference.

Summary of changes:
 .github/workflows/makefile.yml | 86 ++
 1 file changed, 86 insertions(+)
 create mode 100644 .github/workflows/makefile.yml
Re: [PR] Add a build test for windows. [tomcat-native]
jfclere merged PR #26:
URL: https://github.com/apache/tomcat-native/pull/26
(tomcat-native) 01/01: Merge pull request #26 from jfclere/trunk
This is an automated email from the ASF dual-hosted git repository.

jfclere pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat-native.git

commit c1dc845431a4134a0fb714285fa46fdebf6b8ca2
Merge: 82c308fd4 e9186c302
Author: Jean-Frederic Clere
AuthorDate: Mon Jun 16 14:42:02 2025 +0200

    Merge pull request #26 from jfclere/trunk

    Add a build test for windows.

 .github/workflows/makefile.yml | 86 ++
 1 file changed, 86 insertions(+)
[SECURITY] CVE-2025-48976 Apache Tomcat - DoS in Commons FileUpload
CVE-2025-48976 Apache Tomcat - DoS in Commons FileUpload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105

Description:
Apache Commons FileUpload provided a hard-coded limit of 10kB for the size of the headers associated with a multipart request. A specially crafted request that used a large number of parts with large headers could trigger excessive memory usage leading to a DoS.

This limit is now configurable (maxPartHeaderSize on the Connector) with a default of 512 bytes.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later

Credit:
The vulnerability was identified by the TERASOLUNA Framework Security Team of NTT DATA Group Corporation

History:
2025-06-16 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[SECURITY] CVE-2025-48988 Apache Tomcat - DoS in multipart upload
CVE-2025-48988 Apache Tomcat - DoS in multipart upload

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105

Description:
Tomcat used the same limit for both request parameters and parts in a multipart request. Since uploaded parts also include headers which must be retained, processing multipart requests can result in significantly more memory usage. A specially crafted request that used a large number of parts could trigger excessive memory usage leading to a DoS.

The maximum number of parts is now configurable (maxPartCount on the Connector) with a default of 10 parts.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later

Credit:
The vulnerability was identified by the TERASOLUNA Framework Security Team of NTT DATA Group Corporation

History:
2025-06-16 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[SECURITY] CVE-2025-49124 Apache Tomcat - Side-loading via Tomcat installer for Windows
CVE-2025-49124 Apache Tomcat - Side-loading via Tomcat installer for Windows

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0 to 10.1.41
Apache Tomcat 9.0.23 to 9.0.105

Description:
During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This enabled a side-loading vulnerability.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later

Credit:
T. Doğa Gelişli https://linkedin.com/in/tdogagelisli/

History:
2025-06-16 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[SECURITY] CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources
CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105

Description:
When using PreResources or PostResources mounted other than at the root of the web application, it was possible to access those resources via an unexpected path. That path was likely not to be protected by the same security constraints as the expected path, allowing those security constraints to be bypassed.

Mitigation:
Users of the affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 11.0.8 or later
- Upgrade to Apache Tomcat 10.1.42 or later
- Upgrade to Apache Tomcat 9.0.106 or later

Credit:
Greg K (https://github.com/gregk4sec)

History:
2025-06-16 Original advisory

References:
[1] https://tomcat.apache.org/security-11.html
[2] https://tomcat.apache.org/security-10.html
[3] https://tomcat.apache.org/security-9.html
[Bug 69710] FileCountLimitExceededException is thrown in version 11.0.8
https://bz.apache.org/bugzilla/show_bug.cgi?id=69710

Mark Thomas changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WONTFIX                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #12 from Mark Thomas ---
Now the associated CVEs are public, it can be revealed that this change was in response to CVE-2025-48976 and CVE-2025-48988.

Combined, these CVEs could trigger an OOME leading to a DoS. With a carefully crafted request, the memory usage is:

Part Header Size (was 10kB, now 512)
x Maximum number of Parts per request (was 1000, now 10)
x Maximum number of concurrent requests (8192)
x 2 (due to the internal implementation)
x 2 (if running on Java 8 - so Tomcat 9 only)

That made the worst case memory usage 10kb x ~1k x 8k x 4 = 320Gb

The changes we introduced reduced this to a more manageable 0.5k x 10 x 8k x 4 = 160Mb

Yes, the part limit of 10 is too low for some use cases but increasing it to 100 is probably going too far.

Happy to discuss how we can improve things for the July release round. A few options to consider for starters:

a) We could make the default maxPartCount 20 by default but halve it for Tomcat 9 if running on Java 8.

b) Increase maxPartCount to something else. Options here depend on what we consider to be reasonable for default memory requirements. If we think 1Gb is reasonable maxPartCount could go as high as 60 (or 120 if we include option a) as well).

c) Include part headers in the maxPostSize calculation? With a 2Mb default that leads to around 16Gb memory usage which is too high. maxPostSize would need to come down to ~200k for that to work - that might be too low for a default.

What do folks think?
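The worst-case product from the comment above, turned into a small capacity check (an added example, not Tomcat code): it reads the maxPartHeaderSize, maxPartCount and maxConnections attributes of each Connector in a server.xml string, applies the comment's formula, and finds the largest maxPartCount that fits a memory budget. The post-fix defaults (512 bytes, 10 parts) come from the advisories in this thread; the maxConnections default of 8192 and the sample server.xml fragment are assumptions made here.

```python
import xml.etree.ElementTree as ET

KIB = 1024
MIB = 1024 * KIB
GIB = 1024 * MIB

# Post-fix Connector defaults from the advisories (512 bytes, 10 parts);
# maxConnections=8192 is the concurrency figure used in the comment
# (assumed here as the default when the attribute is absent).
DEFAULTS = {"maxPartHeaderSize": 512, "maxPartCount": 10, "maxConnections": 8192}


def worst_case_part_header_bytes(part_header_size, part_count, connections, java8=False):
    """Header size x parts per request x concurrent requests x 2 (internal
    implementation), x 2 again when running on Java 8 (Tomcat 9 only)."""
    total = part_header_size * part_count * connections * 2
    return total * 2 if java8 else total


def max_part_count_for_budget(budget_bytes, part_header_size, connections, java8=False):
    """Largest maxPartCount whose worst case stays within budget_bytes."""
    per_part = part_header_size * connections * (4 if java8 else 2)
    return budget_bytes // per_part


def connector_worst_cases(server_xml, java8=False):
    """Map each Connector's port to its worst-case part-header memory,
    filling in the post-fix defaults for attributes the config omits."""
    results = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        vals = {name: int(conn.get(name, default)) for name, default in DEFAULTS.items()}
        results[conn.get("port")] = worst_case_part_header_bytes(
            vals["maxPartHeaderSize"], vals["maxPartCount"], vals["maxConnections"], java8)
    return results


# Constructed server.xml fragment: one connector on post-fix defaults, one
# that restores the pre-fix limits (10kB headers, 1000 parts).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1"/>
    <Connector port="8443" protocol="HTTP/1.1"
               maxPartHeaderSize="10240" maxPartCount="1000"/>
  </Service>
</Server>"""


if __name__ == "__main__":
    for port, worst in connector_worst_cases(SAMPLE_SERVER_XML, java8=True).items():
        print(f"port {port}: worst case {worst / GIB:.2f} GiB on Java 8")
    print("maxPartCount for a 1 GiB budget on Java 8:",
          max_part_count_for_budget(GIB, 512, 8192, java8=True))
```

The budget function reproduces the comment's options: a 1 GiB budget allows 64 parts with the Java 8 doubling and 128 without it, which is where the rounded figures of 60 and 120 come from.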
Re: [PR] recycle RequestInfo when Request is reused in pool [tomcat]
rmaucher commented on PR #868:
URL: https://github.com/apache/tomcat/pull/868#issuecomment-2976593193

> HTTP/2 is handled differently because of the multiplexing. We probably do need a `recycle()` method on `RequestInfo`. It looks like it should be called around line 440 (current 9.0.x code) of `StreamProcessor`.

That looks correct, you know that code better than I do.
[PR] Add an artifact for easy testing. [tomcat-native]
jfclere opened a new pull request, #28:
URL: https://github.com/apache/tomcat-native/pull/28

make native/WIN7_X64_DLL_RELEASE\tcnative-2.dll available for tests.
Re: [PR] recycle RequestInfo when Request is reused in pool [tomcat]
qingdaoheze commented on PR #868:
URL: https://github.com/apache/tomcat/pull/868#issuecomment-2978822957

> HTTP/2 is handled differently because of the multiplexing. We probably do need a `recycle()` method on `RequestInfo`. It looks like it should be called around line 440 (current 9.0.x code) of `StreamProcessor`.

For this solution, there is also a concurrency problem. Because the request has already been returned to the pool on line 150 of StreamProcessor, and the recycle method is then executed on line 151 of StreamProcessor. In the process, the request that has been returned to the pool may be borrowed by another request and its reqProcessorMX may have been changed.

(attachment: https://github.com/user-attachments/assets/605bc1f9-98be-44eb-a250-84e4927f517d)