https://bz.apache.org/bugzilla/show_bug.cgi?id=57767
--- Comment #19 from J Fernandez ---
Are there any additional proposed changes for this patch? I would like to
leverage some of the functionality for
https://bz.apache.org/bugzilla/show_bug.cgi?id=59758.
--
You are receiving this mail because
https://bz.apache.org/bugzilla/show_bug.cgi?id=61554
Bug ID: 61554
Summary: Add excludes to rat-excludes.txt for Tomcat9
Product: Tomcat 9
Version: 9.0.0.M26
Hardware: PC
OS: Linux
Status: NEW
Severity: no
2017-09-19 23:45 GMT+03:00 Mark Thomas :
> Updated with Konstantin's feedback.
>
> Further comments, feedback etc welcome.
>
>
>
> The Apache Tomcat Team announces that support for Apache Tomcat Native
> 1.1.x will end on 30 September 2018.
>
> This means that after 30 September 2018:
> - releases
2017-09-20 20:09 GMT+03:00 Konstantin Kolinko :
> 2017-09-20 15:23 GMT+03:00 :
>> Author: markt
>> Date: Wed Sep 20 12:23:44 2017
>> New Revision: 1809011
>>
>> URL: http://svn.apache.org/viewvc?rev=1809011&view=rev
>> Log:
>> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
>> Partial fix
2017-09-20 15:23 GMT+03:00 :
> Author: markt
> Date: Wed Sep 20 12:23:44 2017
> New Revision: 1809011
>
> URL: http://svn.apache.org/viewvc?rev=1809011&view=rev
> Log:
> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
> Partial fix for CVE-2017-12617
> This moves a check from the Default
On 20/09/17 14:04, Mark Thomas wrote:
> On 20/09/17 13:52, ma...@apache.org wrote:
>> Author: markt
>> Date: Wed Sep 20 12:52:47 2017
>> New Revision: 1809025
>>
>> URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
>> Log:
>> Partial fix for CVE-2017-12617
>> This ensures that a path specified
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Guillermo Grandes changed:
What|Removed |Added
CC||guillermo.gran...@gmail.com
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #6 from Mark Thomas ---
Nope. That will fail for directories where the trailing '/' is provided since
it will have been removed from the absolute and canonical paths.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #5 from Mark Thomas ---
Maybe a better check would be that, given the path will already have been
normalised, if the absolute path ends with the given name.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #4 from Remy Maucherat ---
Well, every time there's surprising normalization, it causes security issues so
it's a big API mistake :) The normalization of the input path should only
happen for getCanonicalPath, that's the whole point
On 20/09/17 13:52, ma...@apache.org wrote:
> Author: markt
> Date: Wed Sep 20 12:52:47 2017
> New Revision: 1809025
>
> URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
> Log:
> Partial fix for CVE-2017-12617
> This ensures that a path specified for creation of a file does not end in '/'
>
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #3 from Mark Thomas ---
The File API certainly isn't helping.
When a file named '/test.jsp' exists, '/test.jsp/' -> '/test.jsp' is surprising.
Less so when it doesn't exist because it could be referring to a directory and
both forms
Author: markt
Date: Wed Sep 20 12:52:47 2017
New Revision: 1809025
URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
Log:
Partial fix for CVE-2017-12617
This ensures that a path specified for creation of a file does not end in '/'
since that is dropped by the File API.
Modified:
tomcat/
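The File behaviour and the two candidate checks discussed in the bug 61542 comments and in the commit message above, as an added Java illustration. This is not Tomcat's own code: the class name, method names and the docBase path are made up, and it assumes a Unix JVM.

```java
import java.io.File;

/*
 * Added illustration, not Tomcat's own code. It shows the java.io.File
 * behaviour discussed in bug 61542 (a trailing '/' is dropped on Unix when
 * the File is constructed) and the two candidate checks from the thread.
 * The docBase path is a made-up example.
 */
public class TrailingSlashCheck {

    // The check the commit above describes: a name used to create a file
    // must not end in '/', because File would silently drop that '/'.
    static boolean acceptableForFileCreation(String requestedName) {
        return requestedName != null
                && !requestedName.isEmpty()
                && !requestedName.endsWith("/");
    }

    // The alternative suggested in comment #5: after File has normalised the
    // path, does the absolute path still end with the name the client sent?
    // Comment #6 objects that this also rejects directory names that were
    // given with a trailing '/', which the loop in main() demonstrates.
    static boolean absolutePathEndsWithName(File docBase, String requestedName) {
        File resolved = new File(docBase, requestedName);
        return resolved.getAbsolutePath().endsWith(requestedName);
    }

    public static void main(String[] args) {
        File docBase = new File("/var/lib/tomcat/webapps/ROOT"); // hypothetical docBase
        String[] requested = { "test.jsp", "test.jsp/", "images/" };
        for (String name : requested) {
            File resolved = new File(docBase, name);
            System.out.printf("'%s' -> File.getPath()=%s  createOk=%b  endsWithName=%b%n",
                    name,
                    resolved.getPath(),
                    acceptableForFileCreation(name),
                    absolutePathEndsWithName(docBase, name));
        }
    }
}
```

Run it with `java TrailingSlashCheck.java` (Java 11 or later runs a single source file directly). On a Unix JVM, File normalises 'test.jsp/' to '.../test.jsp' at construction time, so the endsWith check from comment #5 rejects that name; it rejects the directory name 'images/' for exactly the same reason, which is the objection raised in comment #6. The trailing-'/' check from the commit message rejects the name before File ever sees it, so there is nothing for the normalisation to hide.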
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Remy Maucherat changed:
What|Removed |Added
Summary|none|Apache Tomcat Remote Code
Author: markt
Date: Wed Sep 20 12:23:44 2017
New Revision: 1809011
URL: http://svn.apache.org/viewvc?rev=1809011&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Partial fix for CVE-2017-12617
This moves a check from the Default servlet where it applied to GET, POST, HEAD
an
https://bz.apache.org/bugzilla/show_bug.cgi?id=61545
Nils Winkler changed:
What|Removed |Added
CC||nils.wink...@fisglobal.com
https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
--- Comment #1 from Mark Thomas ---
This additional issue has been confirmed and CVE-2017-12617 has been allocated.
Hi,
What about creating a 'security' component for Tomcat in Bugzilla with
an all caps description explaining it should go to
secur...@tomcat.apache.org instead? This may prevent some accidental
reports sent to Bugzilla.
Emmanuel Bourg
https://bz.apache.org/bugzilla/show_bug.cgi?id=61545
Bug ID: 61545
Summary: ProxyConnection.invoke() does not handle
javax.sql.PooledConnection method calls
Product: Tomcat Modules
Version: unspecified
Hardware: PC
All,
Following the announcement of CVE-2017-12615 [1], the Apache Tomcat
Security Team has received multiple reports that a similar vulnerability
exists in all current Tomcat versions and affects all operating systems.
Unfortunately, one of these reports was made via the public bug tracker
[2] ra
2017-09-20 10:09 GMT+03:00 Mark Thomas :
>
> On 19/09/17 14:32, Violeta Georgieva wrote:
> > Hi,
> >
> > I'm planning to start preparing Tomcat 7/8.0 for a release later today.
> > If you would like to include something in addition, please reply here.
>
> Please delay those tags for BZ 61542
ok
>
On 19/09/17 14:32, Violeta Georgieva wrote:
> Hi,
>
> I'm planning to start preparing Tomcat 7/8.0 for a release later today.
> If you would like to include something in addition, please reply here.
Please delay those tags for BZ 61542
Mark
--
22 matches