Author: kkolinko
Date: Wed May 28 00:51:50 2014
New Revision: 1597913
URL: http://svn.apache.org/r1597913
Log:
Amend revision lists for CVE-2014-0119
Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/docs/security-8.html
tomc
2014-05-27 16:46 GMT+04:00 Mark Thomas :
> CVE-2014-0119 Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Apache Tomcat 8.0.0-RC1 to 8.0.5
> - Apache Tomcat 7.0.0 to 7.0.53
> - Apache Tomcat 6.0.0 to 6.0.39
>
> Description:
> In li
https://issues.apache.org/bugzilla/show_bug.cgi?id=56568
--- Comment #3 from Konstantin Kolinko ---
The specification requirement is not to reject, but to provide "undefined
behaviour". The rejection behaviour is a security hardening.
(In reply to Mark Thomas from comment #2)
> 3. Check the met
https://issues.apache.org/bugzilla/show_bug.cgi?id=56568
--- Comment #2 from Mark Thomas ---
My original proposal [1] included a page directive to make this configurable.
That part was rejected.
Options at this point:
1. Go ahead and add the page directive anyway
2. Add an init param to the JSP
On 28/05/2014, at 9:48 am, Konstantin Kolinko wrote:
> 2014-05-28 1:35 GMT+04:00 Tim Whittington :
>> Switching to dev list…
>>
>>>
>>>> I’m using the interactive mode of https://github.com/timw/groktls
>>>> to dump these.
>>>
>>> Cool. I was just using the SSLInfo class and grep, obviously :
2014-05-28 1:35 GMT+04:00 Tim Whittington :
> Switching to dev list…
>
>>
>>> I’m using the interactive mode of https://github.com/timw/groktls
>>> to dump these.
>>
>> Cool. I was just using the SSLInfo class and grep, obviously :)
>>
>> I've been thinking that the way Tomcat does JSSE cipher suit
Switching to dev list…
>
>> I’m using the interactive mode of https://github.com/timw/groktls
>> to dump these.
>
> Cool. I was just using the SSLInfo class and grep, obviously :)
>
> I've been thinking that the way Tomcat does JSSE cipher suites is a
> bit ... verbose. It would be nice to roll
https://issues.apache.org/bugzilla/show_bug.cgi?id=55282
Violeta Georgieva changed:
What|Removed |Added
Status|REOPENED|RESOLVED
Resolution|--
Author: violetagg
Date: Tue May 27 19:45:55 2014
New Revision: 1597858
URL: http://svn.apache.org/r1597858
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55282
Merged revision 1597855 from tomcat/trunk:
o.a.t.util.descriptor.web.ApplicationListener overrides equals and hashCode
metho
Author: violetagg
Date: Tue May 27 19:32:11 2014
New Revision: 1597855
URL: http://svn.apache.org/r1597855
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55282
o.a.t.util.descriptor.web.ApplicationListener overrides equals and hashCode
methods.
Modified:
tomcat/trunk/java/org/a
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
All,
On 5/27/14, 8:46 AM, Mark Thomas wrote:
> CVE-2014-0097 Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Apache Tomcat 8.0.0-RC1 to 8.0.3
> - Apache Tomcat 7.0.0 to 7.0.52
> - A
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
All,
On 5/27/14, 8:46 AM, Mark Thomas wrote:
> CVE-2014-0095 Denial of Service
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Apache Tomcat 8.0.0-RC2 to 8.0.3
>
> Description: A regression was introdu
https://issues.apache.org/bugzilla/show_bug.cgi?id=56561
Violeta Georgieva changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|--
Author: violetagg
Date: Tue May 27 17:51:17 2014
New Revision: 1597837
URL: http://svn.apache.org/r1597837
Log:
Merged revision 1597532 from tomcat/trunk:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=56561
Fixed NoSuchElementException when an attribute has empty string as value.
Modifie
https://issues.apache.org/bugzilla/show_bug.cgi?id=56561
--- Comment #4 from Violeta Georgieva ---
I also plan another 7.0.x release at the beginning of the next month.
--
You are receiving this mail because:
You are the assignee for the bug.
---
The Buildbot has detected a new failure on builder tomcat-trunk while building
ASF Buildbot.
Full details are available at:
http://ci.apache.org/builders/tomcat-trunk/builds/114
Buildbot URL: http://ci.apache.org/
Buildslave for this Build: bb-vm_ubuntu
Build Reason: scheduler
Build Source Sta
https://issues.apache.org/bugzilla/show_bug.cgi?id=56546
Remy Maucherat changed:
What|Removed |Added
Priority|P2 |P1
Severity|normal
https://issues.apache.org/bugzilla/show_bug.cgi?id=56546
--- Comment #6 from Konstantin Kolinko ---
(In reply to Mark Thomas from comment #5)
I am OK to treat this as enhancement, though Remy raised this as a serious
issue. In any case it is not a stopper for tagging 8.0.next.
On my TODO is to
https://issues.apache.org/bugzilla/show_bug.cgi?id=56546
--- Comment #5 from Mark Thomas ---
Is there anything more to do here? If not, I'll resolve this as fixed.
The Buildbot has detected a new failure on builder tomcat-7-trunk while
building ASF Buildbot.
Full details are available at:
http://ci.apache.org/builders/tomcat-7-trunk/builds/86
Buildbot URL: http://ci.apache.org/
Buildslave for this Build: bb-vm_ubuntu
Build Reason: scheduler
Build Source
Author: markt
Date: Tue May 27 13:52:06 2014
New Revision: 1597788
URL: http://svn.apache.org/r1597788
Log:
Vote
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1597788&r1=1597787&r2=15
The Buildbot has detected a restored build on builder tomcat-7-trunk while
building ASF Buildbot.
Full details are available at:
http://ci.apache.org/builders/tomcat-7-trunk/builds/85
Buildbot URL: http://ci.apache.org/
Buildslave for this Build: bb-vm_ubuntu
Build Reason: scheduler
Build Sour
Author: markt
Date: Tue May 27 13:16:39 2014
New Revision: 1597774
URL: http://svn.apache.org/r1597774
Log:
Fix copy/paste error in fix revision info
Modified:
tomcat/site/trunk/docs/security-8.html
tomcat/site/trunk/xdocs/security-8.xml
Modified: tomcat/site/trunk/docs/security-8.html
U
Author: markt
Revision: 1578812
Modified property: svn:log
Modified: svn:log at Tue May 27 13:15:51 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:15:51 2014
@@ -1 +1,2 @@
Fix possible overflow when parsing long
Author: markt
Revision: 1578611
Modified property: svn:log
Modified: svn:log at Tue May 27 13:15:27 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:15:27 2014
@@ -1 +1,2 @@
Prevent user supplied XSLTs from defini
Author: markt
Revision: 1578610
Modified property: svn:log
Modified: svn:log at Tue May 27 13:15:01 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:15:01 2014
@@ -1 +1,2 @@
Redefine globalXsltFile as relative to
Author: markt
Revision: 1578392
Modified property: svn:log
Modified: svn:log at Tue May 27 13:14:27 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:14:27 2014
@@ -1 +1,2 @@
Correct regression introduced in 8.0.0-
Author: markt
Revision: 1578337
Modified property: svn:log
Modified: svn:log at Tue May 27 13:11:56 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:11:56 2014
@@ -1 +1,2 @@
Improve processing of chuck size from c
Author: markt
Revision: 1589990
Modified property: svn:log
Modified: svn:log at Tue May 27 13:11:10 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:11:10 2014
@@ -1 +1,2 @@
More defensive coding around some XML a
Author: markt
Revision: 1589980
Modified property: svn:log
Modified: svn:log at Tue May 27 13:10:46 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:10:46 2014
@@ -1 +1,2 @@
More defensive coding around some XML a
Author: markt
Revision: 1589837
Modified property: svn:log
Modified: svn:log at Tue May 27 13:10:17 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:10:17 2014
@@ -1 +1,2 @@
Add some defensive coding around some X
CORRECTION: This is CVE-2014-0099 *NOT* -0097
Apologies for the typo
On 27/05/2014 13:46, Mark Thomas wrote:
> CVE-2014-0099 Information Disclosure
>
> Severity: Important
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - Apache Tomcat 8.0.0-RC1 to 8.0.3
> - Apac
Author: markt
Revision: 1578814
Modified property: svn:log
Modified: svn:log at Tue May 27 13:07:06 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:07:06 2014
@@ -1 +1,2 @@
Fix possible overflow when parsing long
Author: markt
Revision: 1578655
Modified property: svn:log
Modified: svn:log at Tue May 27 13:06:29 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:06:29 2014
@@ -1 +1,2 @@
Prevent user supplied XSLTs from defini
Author: markt
Revision: 1578637
Modified property: svn:log
Modified: svn:log at Tue May 27 13:05:56 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:05:56 2014
@@ -1 +1,2 @@
Redefine globalXsltFile as relative to
Author: markt
Revision: 1578341
Modified property: svn:log
Modified: svn:log at Tue May 27 13:05:13 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:05:13 2014
@@ -1 +1,2 @@
Improve processing of chuck size from c
Author: markt
Revision: 1589997
Modified property: svn:log
Modified: svn:log at Tue May 27 13:04:22 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:04:22 2014
@@ -1 +1,2 @@
More defensive coding around some XML a
Author: markt
Revision: 1590028
Modified property: svn:log
Modified: svn:log at Tue May 27 13:03:55 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:03:55 2014
@@ -1 +1,2 @@
Defensive coding around some XML activi
Author: markt
Revision: 1593821
Modified property: svn:log
Modified: svn:log at Tue May 27 13:02:59 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:02:59 2014
@@ -1,3 +1,4 @@
Defensive coding around some XML acti
Author: markt
Revision: 1580473
Modified property: svn:log
Modified: svn:log at Tue May 27 13:02:28 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:02:28 2014
@@ -1 +1,2 @@
Fix possible overflow when parsing long
Author: markt
Revision: 1585853
Modified property: svn:log
Modified: svn:log at Tue May 27 13:01:43 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:01:43 2014
@@ -1,2 +1,3 @@
Redefine the globalXsltFile initialis
Author: markt
Revision: 1579262
Modified property: svn:log
Modified: svn:log at Tue May 27 13:01:05 2014
--
--- svn:log (original)
+++ svn:log Tue May 27 13:01:05 2014
@@ -1 +1,2 @@
Improve processing of chuck size from c
CVE-2014-0096 Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39
Description:
The default servlet allows web applications to define (at multiple
l
CVE-2014-0119 Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.5
- Apache Tomcat 7.0.0 to 7.0.53
- Apache Tomcat 6.0.0 to 6.0.39
Description:
In limited circumstances it was possible for a malicious web applica
CVE-2014-0097 Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39
Description:
The code used to parse the request content length header did not che
CVE-2014-0095 Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC2 to 8.0.3
Description:
A regression was introduced in revision 1519838 that caused AJP
requests to hang if an explicit content length of zero was set on the
re
CVE-2014-0075 Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.3
- Apache Tomcat 7.0.0 to 7.0.52
- Apache Tomcat 6.0.0 to 6.0.39
Description:
It was possible to craft a malformed chunk size as part of a chunked
requ
Author: markt
Date: Tue May 27 12:39:01 2014
New Revision: 1597764
URL: http://svn.apache.org/r1597764
Log:
CVE-2014-0075
CVE-2014-0095
CVE-2014-0096
CVE-2014-0099
CVE-2014-0119
Modified:
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/docs/security-7.html
tomcat/site/trunk/d
Author: kkolinko
Date: Tue May 27 12:29:00 2014
New Revision: 1597761
URL: http://svn.apache.org/r1597761
Log:
Discern the first and the second requests in the test case.
It is merge of r1597759 from tomcat/trunk.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/tes
Author: kkolinko
Date: Tue May 27 12:25:57 2014
New Revision: 1597759
URL: http://svn.apache.org/r1597759
Log:
Discern the first and the second requests in the test case.
Modified:
tomcat/trunk/test/org/apache/coyote/http11/TestAbstractHttp11Processor.java
Modified:
tomcat/trunk/test/org/ap
Author: kkolinko
Date: Tue May 27 12:17:29 2014
New Revision: 1597757
URL: http://svn.apache.org/r1597757
Log:
Add license header
It is backport of revisions 1597753-1597755 from tomcat/trunk.
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/test/webapp-3.0/WEB-INF/b
Author: kkolinko
Date: Tue May 27 12:04:30 2014
New Revision: 1597755
URL: http://svn.apache.org/r1597755
Log:
Add license header
Modified:
tomcat/trunk/test/webapp/WEB-INF/bug53545.tld
Modified: tomcat/trunk/test/webapp/WEB-INF/bug53545.tld
URL:
http://svn.apache.org/viewvc/tomcat/trunk/te
Author: kkolinko
Date: Tue May 27 12:01:52 2014
New Revision: 1597754
URL: http://svn.apache.org/r1597754
Log:
Add license header
Modified:
tomcat/trunk/test/webapp/bug5/bug53545.html
Modified: tomcat/trunk/test/webapp/bug5/bug53545.html
URL:
http://svn.apache.org/viewvc/tomcat/trun
Author: kkolinko
Date: Tue May 27 11:59:14 2014
New Revision: 1597753
URL: http://svn.apache.org/r1597753
Log:
Add license header
Modified:
tomcat/trunk/test/webapp/bug5/bug56334and56561.jspx
Modified: tomcat/trunk/test/webapp/bug5/bug56334and56561.jspx
URL:
http://svn.apache.org/vi
https://issues.apache.org/bugzilla/show_bug.cgi?id=56568
Grigory changed:
What|Removed |Added
Hardware|PC |All
OS|
https://issues.apache.org/bugzilla/show_bug.cgi?id=56568
Bug ID: 56568
Summary: Incompatible change in "JSPs only permit GET POST or
HEAD"
Product: Tomcat 8
Version: 8.0.1
Hardware: PC
Status: NEW
Seve
https://issues.apache.org/bugzilla/show_bug.cgi?id=56561
--- Comment #3 from Mark Thomas ---
We don't revoke releases, we just produce a new release.
How quickly the next set of releases happens depends on a number of factors. I
was planning another 8.0.x shortly anyway to try and get back to a