[SECURITY] CVE-2025-53506 Apache Tomcat - DoS in HTTP/2

2025-07-10 Thread Mark Thomas
Correcting typo in fixed versions CVE-2025-53506 Apache Tomcat - DoS in HTTP/2 Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.8 Apache Tomcat 10.1.0-M1 to 10.1.42 Apache Tomcat 9.0.0.M1 to 9.0.106 Description: An uncontrolled resource

[SECURITY] CVE-2025-52520 Apache Tomcat - DoS in multipart upload

2025-07-10 Thread Mark Thomas
Correcting typo in fixed versions CVE-2025-52520 Apache Tomcat - DoS in multipart upload Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.8 Apache Tomcat 10.1.0-M1 to 10.1.42 Apache Tomcat 9.0.0.M1 to 9.0.106 Description: For some unlikel

[SECURITY] CVE-2025-53506 Apache Tomcat - DoS in HTTP/2

2025-07-10 Thread Mark Thomas
CVE-2025-53506 Apache Tomcat - DoS in HTTP/2 Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.8 Apache Tomcat 10.1.0-M1 to 10.1.42 Apache Tomcat 9.0.0.M1 to 9.0.106 Description: An uncontrolled resource consumption vulnerability if an HTT

[SECURITY] CVE-2025-52520 Apache Tomcat - DoS in multipart upload

2025-07-10 Thread Mark Thomas
CVE-2025-52520 Apache Tomcat - DoS in multipart upload Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.8 Apache Tomcat 10.1.0-M1 to 10.1.42 Apache Tomcat 9.0.0.M1 to 9.0.106 Description: For some unlikely configurations of multipart uploa

[SECURITY] CVE-2025-52434 Apache Tomcat - APR/native Connector crash leading to DoS

2025-07-10 Thread Mark Thomas
CVE-2025-49125 Apache Tomcat - APR/Native Connector crash leading to DoS Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.105 Description: A race condition on connection close could trigger a JVM crash when using the APR/Native connec

[ANN] Apache Tomcat 11.0.9 Available

2025-07-04 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.9. Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

[VOTE][RESULT] Release Apache Tomcat 11.0.9

2025-07-04 Thread Mark Thomas
The following votes were cast: Binding: +1: schultz, remm, markt, dsoumis, funkman No other votes were cast. The vote therefore passes. Thanks to everyone who contributed to this release. Mark - To unsubscribe, e-mail: dev-

Re: Buildbot failure in on tomcat-12.0.x

2025-07-04 Thread Mark Thomas
On 04/07/2025 16:39, build...@apache.org wrote: Build status: BUILD FAILED: failed compile (failure) Worker used: bb_worker2_ubuntu URL: https://ci2.apache.org/#builders/120/builds/621 Blamelist: Mark Thomas , remm Build Text: failed compile (failure) Status Detected: new failure Build Source

Re: [VOTE] Release Apache Tomcat 9.0.107

2025-07-02 Thread Mark Thomas
On 02/07/2025 08:20, Rémy Maucherat wrote: The proposed 9.0.107 release is: [ ] -1, Broken - do not release [X] +1, Stable - go ahead and release as 9.0.107 Test pass on Windows (Tomcat Native 2.0.9), Linux (Tomcat Native built with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL

Re: [VOTE] Release Apache Tomcat 11.0.9

2025-07-02 Thread Mark Thomas
On 01/07/2025 22:42, Mark Thomas wrote: The proposed 11.0.9 release is: [ ] -1 Broken - do not release [X] +1 Stable - go ahead and release as 11.0.9 Test pass on Windows (Tomcat Native 2.0.9), Linux (Tomcat Native built with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL 3.5.0

Re: [VOTE] Release Apache Tomcat 10.1.43

2025-07-02 Thread Mark Thomas
On 01/07/2025 22:45, Christopher Schultz wrote: Please reply with a +1 for release or +0/-0/-1 with an explanation. +1 Test pass on Windows (Tomcat Native 2.0.9), Linux (Tomcat Native built with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL 3.5.0) Mark -

[VOTE] Release Apache Tomcat 11.0.9

2025-07-01 Thread Mark Thomas
The proposed Apache Tomcat 11.0.9 release is now available for voting. The notable changes compared to 11.0.8 include: - Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoidi

Re: (tomcat) branch main updated: Allow trailing slash for webAppMount in Resources

2025-06-20 Thread Mark Thomas
On 20/06/2025 13:13, r...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 4c68821

Re: Bugzilla now requires authentication

2025-06-20 Thread Mark Thomas
On 19/06/2025 17:13, Christopher Schultz wrote: I guess maybe I don't understand the issue. BZ always required an account to write, and anyone could register for an account. A small hurdle, but present. The same is true for GitHub. I'm not sure why we care about AI scrapers, given that all

Re: Bugzilla now requires authentication

2025-06-19 Thread Mark Thomas
On 19/06/2025 15:10, Mark Thomas wrote: All, The Tomcat project has been using Bugzilla to track issues for more than 20 years. Recently there has been a significant increase in abusive traffic targeting the ASF's Bugzilla instances - mostly AI scraping. To protect the ASF Bug

Bugzilla now requires authentication

2025-06-19 Thread Mark Thomas
All, The Tomcat project has been using Bugzilla to track issues for more than 20 years. Recently there has been a significant increase in abusive traffic targeting the ASF's Bugzilla instances - mostly AI scraping. To protect the ASF Bugzilla instances and ensure that they remain usable f

[SECURITY] CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources

2025-06-16 Thread Mark Thomas
CVE-2025-49125 Apache Tomcat - Security constraint bypass for pre/post-resources Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.7 Apache Tomcat 10.1.0-M1 to 10.1.41 Apache Tomcat 9.0.0.M1 to 9.0.105 Description: When using PreResou

[SECURITY] CVE-2025-49124 Apache Tomcat - Side-loading via Tomcat installer for Windows

2025-06-16 Thread Mark Thomas
CVE-2025-49124 Apache Tomcat - Side-loading via Tomcat installer for Windows Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.7 Apache Tomcat 10.1.0 to 10.1.41 Apache Tomcat 9.0.23 to 9.0.105 Description: During installation, the Tomcat in

[SECURITY] CVE-2025-48988 Apache Tomcat - DoS in multipart upload

2025-06-16 Thread Mark Thomas
CVE-2025-48988 Apache Tomcat - DoS in multipart upload Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.7 Apache Tomcat 10.1.0-M1 to 10.1.41 Apache Tomcat 9.0.0.M1 to 9.0.105 Description: Tomcat used the same limit for both request p

[SECURITY] CVE-2025-48976 Apache Tomcat - DoS in Commons FileUpload

2025-06-16 Thread Mark Thomas
CVE-2025-48976 Apache Tomcat - DoS in Commons FileUpload Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.7 Apache Tomcat 10.1.0-M1 to 10.1.41 Apache Tomcat 9.0.0.M1 to 9.0.105 Description: Apache Commons FileUpload provided a hard-c

[ANN] Apache Tomcat 11.0.8 Available

2025-06-10 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.8. Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specifications.

[VOTE][RESULT] Release Apache Tomcat 11.0.8

2025-06-09 Thread Mark Thomas
The following votes were cast: Binding: +1: markt, dsoumis, schultz, remm, rjung No other votes were cast. The vote therefore passes. Thanks to everyone who contributed to this release. Mark On 05/06/2025 19:54, Mark Thomas wrote: The proposed Apache Tomcat 11.0.8 release is now

Re: [VOTE] Release Apache Tomcat 10.1.42

2025-06-06 Thread Mark Thomas
On 06/06/2025 00:10, Christopher Schultz wrote: Please reply with a +1 for release or +0/-0/-1 with an explanation. +1 Test pass on Windows (Tomcat Native 2.0.9), Linux (Tomcat Native built with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL 3.5.0) Build is reproducible. Mark

Re: [VOTE] Release Apache Tomcat 9.0.106

2025-06-06 Thread Mark Thomas
On 05/06/2025 22:05, Rémy Maucherat wrote: The proposed 9.0.106 release is: [ ] -1, Broken - do not release [X] +1, Stable - go ahead and release as 9.0.106 Test pass on Windows (Tomcat Native 1.3.1), Linux (Tomcat Native built with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL

Re: [VOTE] Release Apache Tomcat 11.0.8

2025-06-05 Thread Mark Thomas
On 05/06/2025 19:54, Mark Thomas wrote: The proposed 11.0.8 release is: [ ] -1 Broken - do not release [X] +1 Stable - go ahead and release as 11.0.8 Test pass on Windows (Tomcat Native 2.0.9), Linux (Tomcat Native built with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL 3.5.0

[VOTE] Release Apache Tomcat 11.0.8

2025-06-05 Thread Mark Thomas
The proposed Apache Tomcat 11.0.8 release is now available for voting. The notable changes compared to 11.0.7 include: - Provide finer grained control of multi-part request processing via two new attributes on the Connector element. - Mark the JSP wrapper for reload after a failed compilation

Re: svn commit: r1926115 - in /tomcat/site/trunk: docs/index.html xdocs/index.xml

2025-06-04 Thread Mark Thomas
On 04/06/2025 13:05, schu...@apache.org wrote: Author: schultz Date: Wed Jun 4 12:05:18 2025 New Revision: 1926115 URL: http://svn.apache.org/viewvc?rev=1926115&view=rev Log: Fix release date (year) for tcnative 2.0.9 Tx for fixing that. Mark ---

Plans for 11.0.8 tag

2025-06-04 Thread Mark Thomas
Hi all, My current plan for 11.0.8 is to tag towards the end of this week. There are a few PRs to review, I need to do the usual dependency checks and i18n updates as well as a couple of fixes I have sat locally that I need to clean up and commit. Mark ---

Re: Tomcat Native and OpenSSL 3.5.x

2025-06-03 Thread Mark Thomas
On 03/06/2025 10:16, jean-frederic clere wrote: On 5/22/25 11:30 AM, Mark Thomas wrote: All, This isn't going to work for 3.5.x. We need to use a newer compiler than the one packaged with Mladen's custom Microsoft compiler bundle. I have been meaning to look at updating the Tom

[SECURITY] CVE-2025-46701 Apache Tomcat - CGI security constraint bypass

2025-05-29 Thread Mark Thomas
CVE-2025-46701 Apache Tomcat - CGI security constraint bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.6 Apache Tomcat 10.1.0-M1 to 10.1.40 Apache Tomcat 9.0.0.M1 to 9.0.104 Description: When running on a case insensitive file syst

[VOTE][RESULT] Release Apache Tomcat Native 2.0.9

2025-05-29 Thread Mark Thomas
The following votes were cast: Binding: +1: rjung, remm, markt Non-binding: Tested successfully on Windows: Federico Bustamante The vote therefore passes. Thanks to everyone who contributed to this release. Mark - To unsubsc

Re: [VOTE] Release Apache Tomcat Native 2.0.9

2025-05-29 Thread Mark Thomas
On 23/05/2025 18:23, Mark Thomas wrote: The key differences of version 2.0.9 compared to 2.0.8 are: - Update Windows build to use Visual Studio 2022 - The windows binaries in this release have been built with OpenSSL 3.5.0 and APR 1.7.6 The 2.0.x branch is primarily intended for use with

Re: [VOTE] Release Apache Tomcat Native 2.0.9

2025-05-29 Thread Mark Thomas
On 28/05/2025 19:59, Christopher Schultz wrote: Mark, On 5/23/25 1:23 PM, Mark Thomas wrote: The key differences of version 2.0.9 compared to 2.0.8 are: - Update Windows build to use Visual Studio 2022 - The windows binaries in this release have been built with OpenSSL 3.5.0 and APR 1.7.6

Re: (tomcat) branch 9.0.x updated: Code clean-up - formatting. No functional change.

2025-05-27 Thread Mark Thomas
7dd670b5cc Code clean-up - formatting. No functional change. 7dd670b5cc is described below commit 7dd670b5ccd83f4129ccd72a9792d677ee6a7dbe Author: Mark Thomas AuthorDate: Thu May 22 17:53:04 2025 +0100 Code clean-up - formatting. No functional change. Sorry. Just realised this one removed

[VOTE] Release Apache Tomcat Native 2.0.9

2025-05-23 Thread Mark Thomas
The key differences of version 2.0.9 compared to 2.0.8 are: - Update Windows build to use Visual Studio 2022 - The windows binaries in this release have been built with OpenSSL 3.5.0 and APR 1.7.6 The 2.0.x branch is primarily intended for use with Tomcat 10.1.x onwards but can be used with e

Re: Tomcat Native and OpenSSL 3.5.x

2025-05-22 Thread Mark Thomas
On 22/05/2025 15:27, Mark Thomas wrote: I'm making progress. I've built Tomcat Native 2.0.x with OpenSSL 3.5.0 but it looks like I've picked up too many dependencies. I'm looking at how to fix that now. Thank you Mladen. He had already made the necessary changes. I jus

Re: Tomcat Native and OpenSSL 3.5.x

2025-05-22 Thread Mark Thomas
On 22/05/2025 15:15, Christopher Schultz wrote: Mark, On 5/22/25 5:30 AM, Mark Thomas wrote: All, This isn't going to work for 3.5.x. We need to use a newer compiler than the one packaged with Mladen's custom Microsoft compiler bundle. I have been meaning to look at updating

Re: Tomcat Native and OpenSSL 3.5.x

2025-05-22 Thread Mark Thomas
to spend some time looking at that. Mark On 22/05/2025 08:13, Mark Thomas wrote: All, The last Tomcat Native releases were in July 2024. The Windows binaries were built with 3.0.14. There are some low severity CVEs in 3.0.14 that we don't believe apply to Tomcat's usage of

Tomcat Native and OpenSSL 3.5.x

2025-05-22 Thread Mark Thomas
All, The last Tomcat Native releases were in July 2024. The Windows binaries were built with 3.0.14. There are some low severity CVEs in 3.0.14 that we don't believe apply to Tomcat's usage of OpenSSL but that may trigger a security scanner. There is a new OpenSSL LTS branch, 3.5.x, that in

NIO2 connector

2025-05-13 Thread Mark Thomas
All, This was mentioned briefly before (I think on a BZ issue) but needs a wider discussion before taking action - if we do anything. It has been suggested that there isn't much benefit to maintaining the NIO2 connector and that we could simplify maintenance by removing it (deprecating in 11

Re: [VOTE][RESULT] Release Apache Tomcat 11.0.7

2025-05-12 Thread Mark Thomas
The following votes were cast: Binding: +1: markt, schultz, remm, dsoumis, rjung, isapir No other votes were cast. The vote therefore passed. Thanks to everyone who contributed to this release. Mark On 07/05/2025 19:22, Mark Thomas wrote: The proposed Apache Tomcat 11.0.7 release is now

Re: [VOTE] Release Apache Tomcat 10.1.41

2025-05-09 Thread Mark Thomas
On 08/05/2025 13:56, Christopher Schultz wrote: Please reply with a +1 for release or +0/-0/-1 with an explanation. +1 Tests pass for NIO and NIO2 on Windows, Linux and MacOS M1. Build is cross-platform (Windows, Linux, MacOS) repeatable. Mark -

Re: [VOTE] Release Apache Tomcat 9.0.105

2025-05-08 Thread Mark Thomas
On 07/05/2025 20:03, Rémy Maucherat wrote: The proposed 9.0.105 release is: [ ] -1, Broken - do not release [ ] +1, Stable - go ahead and release as 9.0.105 Tests pass for NIO, NIO2 and APR/native on Windows, Linux and MacOS M1. Build is cross-platform (Windows, Linux, MacOS) repeatable. Mar

Re: [VOTE] Release Apache Tomcat 11.0.7

2025-05-08 Thread Mark Thomas
On 07/05/2025 19:22, Mark Thomas wrote: The proposed 11.0.7 release is: [ ] -1 Broken - do not release [X] +1 Stable - go ahead and release as 11.0.7 Tests pass for NIO and NIO2 on Windows, Linux and MacOS M1. Build is cross-platform (Windows, Linux, MacOS) repeatable. Mark

[VOTE] Release Apache Tomcat 11.0.7

2025-05-07 Thread Mark Thomas
The proposed Apache Tomcat 11.0.7 release is now available for voting. The notable changes compared to 11.0.6 include: - Process possible path parameters rewrite production in the rewrite valve. - Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set expl

Re: Plans for May releases

2025-05-07 Thread Mark Thomas
On 06/05/2025 11:09, Rémy Maucherat wrote: On Tue, May 6, 2025 at 9:48 AM Mark Thomas wrote: Hi all, I am currently working on a couple of platform specific test failures. I have fixed one of these (the JSP compilation bug) but still have another to fix (TestGenerator fails on Windows

Plans for May releases

2025-05-06 Thread Mark Thomas
Hi all, I am currently working on a couple of platform specific test failures. I also want to try and fix the issue described in "Content type unknown after upgrading Tomcat 10.1.39 => 10.1.40" on the users list. I'm hopeful that I'll be able to tag 11.0.x later today or early tomorrow. Mark

Re: (tomcat) branch 11.0.x updated: Refactor CGI servlet to access resources via WebResources

2025-04-30 Thread Mark Thomas
fab7247d2f0e3a29d5daef565f829f383e10e5e2 Author: Mark Thomas AuthorDate: Mon Apr 28 12:58:21 2025 +0100 +    protected String[] findCGI(String contextPath, String servletPath, String pathInfo, String cgiPathPrefix) { I know it wasn't your goal to clean any of this up, but I think a custom

[SECURITY] CVE-2025-31651 Apache Tomcat - Rewrite rule bypass

2025-04-28 Thread Mark Thomas
CVE-2025-31651 Apache Tomcat - Rewrite rule bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.5 Apache Tomcat 10.1.0-M1 to 10.1.39 Apache Tomcat 9.0.0.M1 to 9.0.102 Description: For a subset of unlikely rewrite rule configurations, i

[SECURITY] CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header

2025-04-28 Thread Mark Thomas
CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header Severity: High Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M2 to 11.0.5 Apache Tomcat 10.1.10 to 10.1.39 Apache Tomcat 9.0.76 to 9.0.102 Description: Incorrect error handling for some i

Re: (tomcat-tck) branch main updated: Update ci.yml

2025-04-19 Thread Mark Thomas
The following commit(s) were added to refs/heads/main by this push: new 58e979b Update ci.yml 58e979b is described below commit 58e979be2fa61ad5f259e021a96e621bcab2d86d Author: Mark Thomas AuthorDate: Sat Apr 19 16:56:32 2025 +0100 Update ci.yml Attempt to fix curre

[VOTE][RESULT] Release Apache Tomcat 11.0.6

2025-04-09 Thread Mark Thomas
The following votes were cast: Binding: +1: markt, remm, schultz, dsoumis, csutherl, ebourg, rjung No other votes were cast. The vote therefore passes. Thanks to everyone who contributed to this release. Mark - To unsubscri

Re: (tomcat) branch main updated: Fix BZ 69635 - add support to ImportHandler for resolving inner classes

2025-04-04 Thread Mark Thomas
91278e6794 Fix BZ 69635 - add support to ImportHandler for resolving inner classes 91278e6794 is described below commit 91278e6794b073af33574aade2d82386722685d4 Author: Mark Thomas AuthorDate: Fri Apr 4 17:17:39 2025 +0100 Fix BZ 69635 - add support to ImportHandler for resolving inner classes

Re: [VOTE] Release Apache Tomcat 9.0.104

2025-04-04 Thread Mark Thomas
On 04/04/2025 14:11, Rémy Maucherat wrote: The proposed 9.0.104 release is: [ ] -1, Broken - do not release [X] +1, Stable - go ahead and release as 9.0.104 Windows installer has valid signature. Build is fully cross-platform (Linux / Windows) reproducible. Tests pass on Windows, Linux and M

Re: [VOTE] Release Apache Tomcat 9.0.103

2025-04-03 Thread Mark Thomas
On 03/04/2025 19:34, Christopher Schultz wrote: Mark, On 4/3/25 1:38 PM, Mark Thomas wrote: On 01/04/2025 19:56, Rémy Maucherat wrote: The proposed 9.0.103 release is: [ ] -1, Broken - do not release [X] +1, Stable - go ahead and release as 9.0.103 +1 Build is cross-platform reproducible

Re: [VOTE] Release Apache Tomcat 9.0.103

2025-04-03 Thread Mark Thomas
On 01/04/2025 19:56, Rémy Maucherat wrote: The proposed 9.0.103 release is: [ ] -1, Broken - do not release [X] +1, Stable - go ahead and release as 9.0.103 +1 Build is cross-platform reproducible (Windows). Test pass on Linux, Windows and MacOS (M1). I did observe some test failures due to

Re: [VOTE] Release Apache Tomcat 10.1.40

2025-04-03 Thread Mark Thomas
On 01/04/2025 19:42, Christopher Schultz wrote: The proposed Apache Tomcat 10.1.40 release is now available for voting. +1 Build is cross-platform reproducible (Windows). Test pass on Linux, Windows and MacOS (M1). I did observe some test failures due to the known issue in the AccessLogValv

Re: [VOTE] Release Apache Tomcat 11.0.6

2025-04-01 Thread Mark Thomas
On 01/04/2025 17:06, Mark Thomas wrote: The proposed 11.0.6 release is: [ ] -1 Broken - do not release [X] +1 Stable - go ahead and release as 11.0.6 Tests pass for NIO and NIO2 on Windows, Linux and MacOS M1. Build is cross-platform (Windows, Linux, MacOS) repeatable. Mark

Re: Plans for April releases

2025-04-01 Thread Mark Thomas
On 01/04/2025 09:31, Emmanuel Bourg wrote: On 01/04/2025 10:06, Mark Thomas wrote: Did you figure out the file handler issue with Jsign 7.1? The issue was with 7.0 - we were seeing the "Unsupported file" error with Ant. I don't recall any issues with 7.1. I'm currently

Re: Plans for April releases

2025-04-01 Thread Mark Thomas
On 31/03/2025 22:39, Emmanuel Bourg wrote: Hi Mark, On 31/03/2025 16:51, Mark Thomas wrote: I have a couple of tasks to get done (update JSign, update i18n strings) and then I should be ready to tag 11.0.6. I am currently hoping to be able to do that tomorrow. Did you figure out the file

Re: (tomcat) branch main updated: Restore final keywords

2025-04-01 Thread Mark Thomas
/heads/main by this push: new 8a5e5475f1 Restore final keywords 8a5e5475f1 is described below commit 8a5e5475f1ead35589dc8c5e359b9395838112b7 Author: Mark Thomas AuthorDate: Mon Mar 31 17:27:02 2025 +0100 Restore final keywords Removing final broke the signature tests for the

Plans for April releases

2025-03-31 Thread Mark Thomas
Hi all, I have a couple of tasks to get done (update JSign, update i18n strings) and then I should be ready to tag 11.0.6. I am currently hoping to be able to do that tomorrow. Mark - To unsubscribe, e-mail: dev-unsubscr...

Re: (tomcat) branch main updated: Update JDT to 4.35 / 3.41

2025-03-28 Thread Mark Thomas
/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 4c47edde5e Update JDT to 4.35 / 3.41 4c47edde5e is described below commit 4c47edde5e8e406a4ea1a7999f08c25e651f59d0 Author: Mark Thomas AuthorDate: Fri Mar 28 11:46:36 2025 + Update JDT to 4.35

Re: Sharing code across packages

2025-03-24 Thread Mark Thomas
On 21/03/2025 14:11, Christopher Schultz wrote: All, I'm looking at adding file-based allow/deny for the RemoteCIDR(Filter| Valve) and I can see that there is a bunch of duplicate code between the two classes. Is there any reason not to re-use methods such as RemoteCIDR(Filter| Valve).fillF

Re: (tomcat) branch main updated: Fix type related warnings

2025-03-20 Thread Mark Thomas
On 20/03/2025 11:24, Rémy Maucherat wrote: On Thu, Mar 20, 2025 at 12:11 PM Mark Thomas wrote: On 20/03/2025 10:09, r...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos

Re: (tomcat) branch main updated: Fix type related warnings

2025-03-20 Thread Mark Thomas
On 20/03/2025 10:09, r...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 3ae844b

Re: (tomcat) branch main updated: Add new registry factory that does not return null

2025-03-20 Thread Mark Thomas
On 20/03/2025 10:22, Mark Thomas wrote: On 19/03/2025 09:51, r...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs

Re: (tomcat) branch main updated: Add new registry factory that does not return null

2025-03-20 Thread Mark Thomas
On 19/03/2025 09:51, r...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new e5de08a

Re: Additional Java language features

2025-03-17 Thread Mark Thomas
On 17/03/2025 12:08, Rémy Maucherat wrote: Hi, Would it be ok to use records and pattern variables (which replace the instanceof then cast code) in Tomcat ? +1 I think they would improve the code overall, esp records. Although it would make the branches a bit more different, this is "boilerp

Re: Default Servlet and POST

2025-03-17 Thread Mark Thomas
On 12/03/2025 13:18, Rémy Maucherat wrote: On Wed, Mar 12, 2025 at 1:23 PM Mark Thomas wrote: All, I have been working through some specification compliance questions raised by some research into HTTP conformance [1]. That paper's focus is security but I don't see any securit

Default Servlet and POST

2025-03-12 Thread Mark Thomas
All, I have been working through some specification compliance questions raised by some research into HTTP conformance [1]. That paper's focus is security but I don't see any security concerns for Tomcat. I do see a number of false positive results and I have raised issues for those. O

Re: NSIS and the need for signing callbacks

2025-03-11 Thread Mark Thomas
On 11/03/2025 15:28, Mark Thomas wrote: I'm testing with the real signing service. I have found an issue. The timestamp of the Uninstaller isn't reset after the signature is inserted so that breaks repeatable builds. I should be able to fix that fairly quickly. OK. I think w

Re: NSIS and the need for signing callbacks

2025-03-11 Thread Mark Thomas
On 11/03/2025 13:41, Rainer Jung wrote: Am 11.03.25 um 14:31 schrieb Emmanuel Bourg: On 11/03/2025 13:09, Mark Thomas wrote: It is JSign again. If I switch back to JSign 6.0 the build starts working. Based on what we have seen previously, it looks JSign is retaining a reference to the

Re: NSIS and the need for signing callbacks

2025-03-11 Thread Mark Thomas
On 11/03/2025 11:24, Mark Thomas wrote: File Uninstall.exe line fails claiming it can't open ".\Uninstall.exe" but that file is created a few steps earlier and is present when I check the file system. Still looking... It is JSign again. If I switch back to JSign 6.0 t

Re: NSIS and the need for signing callbacks

2025-03-11 Thread Mark Thomas
On 11/03/2025 09:24, Mark Thomas wrote: On 10/03/2025 11:18, Rainer Jung wrote: I implemented this and tested it on Linux with custom makensis and on Windows with native makensis.exe. I could not test the codesigning part on Windows, because I did not have the right detached signatures and

Re: NSIS and the need for signing callbacks

2025-03-11 Thread Mark Thomas
On 10/03/2025 11:18, Rainer Jung wrote: I implemented this and tested it on Linux with custom makensis and on Windows with native makensis.exe. I could not test the codesigning part on Windows, because I did not have the right detached signatures and using a wrong one seems to prevent NSIS from

[SECURITY] CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT

2025-03-10 Thread Mark Thomas
CVE-2025-24813 Potential RCE and/or information disclosure and/or information corruption with partial PUT Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.2 Apache Tomcat 10.1.0-M1 to 10.1.34 Apache Tomcat 9.0.0.M1 to 9.0.98 Descrip
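The [SECURITY] messages on this page each quote a set of affected version ranges, and those ranges are easy to misread once milestone builds (9.0.0.M1, 11.0.0-M1, 11.0.0-M2) are involved: a milestone sorts before the GA release of the same number, and two of the advisories (CVE-2025-49124 and CVE-2025-31650) start part-way into a branch rather than at its first milestone. The script below is an added example, not part of any of the messages or of the Tomcat project. It encodes the ranges exactly as they appear in the advisory snippets on this page, keyed by the CVE identifier in each message's subject line (the body of the APR/Native advisory quotes a different identifier; the subject line is used here), and reports which of those CVEs a given version string falls into. It assumes Tomcat version strings take either the GA form (9.0.105) or an M-milestone form (9.0.0.M1 or 11.0.0-M1) and handles no other suffixes; it says nothing about fixed versions, which the truncated snippets do not show.

```python
import re
from typing import NamedTuple


class TomcatVersion(NamedTuple):
    """Sortable representation of a Tomcat version string.

    A milestone (M1, M2, ...) sorts before the GA release with the same
    major.minor.patch, so `final` is 0 for milestones and 1 for GA, and
    the milestone number only matters when `final` is 0.
    """
    major: int
    minor: int
    patch: int
    final: int
    milestone: int


# Accepts "9.0.106", "9.0.0.M1" (Tomcat 9 style) and "11.0.0-M1" (10.1/11 style).
# Assumption: no other pre-release suffixes (beta, RC, ...) appear in the input.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?$")


def parse_version(text: str) -> TomcatVersion:
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return TomcatVersion(int(major), int(minor), int(patch), 1, 0)
    return TomcatVersion(int(major), int(minor), int(patch), 0, int(milestone))


# Affected ranges, inclusive at both ends, transcribed from the [SECURITY]
# advisory snippets on this page. Keys follow each message's subject line.
AFFECTED = {
    "CVE-2025-53506": [("11.0.0-M1", "11.0.8"), ("10.1.0-M1", "10.1.42"), ("9.0.0.M1", "9.0.106")],
    "CVE-2025-52520": [("11.0.0-M1", "11.0.8"), ("10.1.0-M1", "10.1.42"), ("9.0.0.M1", "9.0.106")],
    "CVE-2025-52434": [("9.0.0.M1", "9.0.105")],
    "CVE-2025-49125": [("11.0.0-M1", "11.0.7"), ("10.1.0-M1", "10.1.41"), ("9.0.0.M1", "9.0.105")],
    "CVE-2025-49124": [("11.0.0-M1", "11.0.7"), ("10.1.0", "10.1.41"), ("9.0.23", "9.0.105")],
    "CVE-2025-48988": [("11.0.0-M1", "11.0.7"), ("10.1.0-M1", "10.1.41"), ("9.0.0.M1", "9.0.105")],
    "CVE-2025-48976": [("11.0.0-M1", "11.0.7"), ("10.1.0-M1", "10.1.41"), ("9.0.0.M1", "9.0.105")],
    "CVE-2025-46701": [("11.0.0-M1", "11.0.6"), ("10.1.0-M1", "10.1.40"), ("9.0.0.M1", "9.0.104")],
    "CVE-2025-31651": [("11.0.0-M1", "11.0.5"), ("10.1.0-M1", "10.1.39"), ("9.0.0.M1", "9.0.102")],
    "CVE-2025-31650": [("11.0.0-M2", "11.0.5"), ("10.1.10", "10.1.39"), ("9.0.76", "9.0.102")],
    "CVE-2025-24813": [("11.0.0-M1", "11.0.2"), ("10.1.0-M1", "10.1.34"), ("9.0.0.M1", "9.0.98")],
}


def in_range(version: str, low: str, high: str) -> bool:
    """True if `version` lies in the inclusive range [low, high]."""
    v = parse_version(version)
    return parse_version(low) <= v <= parse_version(high)


def affected_cves(version: str) -> list[str]:
    """Return the CVE ids from AFFECTED whose ranges include `version`, sorted."""
    return sorted(
        cve
        for cve, ranges in AFFECTED.items()
        if any(in_range(version, low, high) for low, high in ranges)
    )


if __name__ == "__main__":
    # Constructed sample inputs: one version per branch plus a milestone build.
    for candidate in ("9.0.105", "10.1.0-M5", "11.0.0-M1", "11.0.9"):
        hits = affected_cves(candidate)
        print(f"{candidate:>10}: {', '.join(hits) if hits else 'none of the listed CVEs'}")
```

Note that a result of "none" only means the version is outside every range transcribed here; it is not a statement that the version is fixed for anything not on this page, and the ranges should be re-checked against the full advisories before being relied on.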

Re: [VOTE][RESULT] Release Apache Tomcat 11.0.5

2025-03-05 Thread Mark Thomas
The following votes were cast: Binding: +1: dsoumis, rjung, remm, schultz, markt No other votes were cast. The vote therefore passes. Thanks to everyone who contributed to this release. Mark - To unsubscribe, e-mail: dev-uns

Re: [VOTE] Release Apache Tomcat 10.1.39

2025-03-05 Thread Mark Thomas
On 05/03/2025 12:22, Dimitris Soumis wrote: Build is 100% reproducible with nsis.tool=makensis. I am getting an error though if the nsis.tool=wine as it doesn't contain the latest build.xml files with the fixes. Just to note with the latest fixes you won't see that error but the build still

Re: [VOTE] Release Apache Tomcat 9.0.102

2025-03-05 Thread Mark Thomas
On 03/03/2025 19:52, Rémy Maucherat wrote: The proposed 9.0.102 release is: [ ] -1, Broken - do not release [X] +1, Stable - go ahead and release as 9.0.102 Build is cross platform (MacOS/Linux/Windows) reproducible. Tests pass on: - Linux (OpenSSL 3.0.13 from Ubuntu 24.04) - Windows (OpenSSL

Re: [VOTE] Release Apache Tomcat 10.1.39

2025-03-05 Thread Mark Thomas
On 04/03/2025 19:13, Christopher Schultz wrote: The proposed Apache Tomcat 10.1.39 release is now available for voting. +1 Build is cross platform (OSX/Linux/Windows) reproducible. Tests pass on: - Linux (OpenSSL 3.0.13 from Ubuntu 24.04) - Windows (OpenSSL 3.0.14 - Native 2.0.8 binaries) - M

Re: [VOTE] Release Apache Tomcat 11.0.5

2025-03-05 Thread Mark Thomas
On 28/02/2025 17:06, Mark Thomas wrote: The proposed 11.0.5 release is: [ ] -1 Broken - do not release [ ] +1 Stable - go ahead and release as 11.0.5 Build is cross platform (Linux/Windows) reproducible. Tests pass on: - Linux (OpenSSL 3.0.13 from Ubuntu 24.04) - Windows (OpenSSL 3.0.14

Re: NSIS and the need for signing callbacks

2025-03-04 Thread Mark Thomas
On 04/03/2025 09:34, Rainer Jung wrote: Hi all, this is only a first rough idea: - previously we signed the exe files for the Windows installer and uninstaller by first generating a temporary installer. Then running that (on Windows or with wine) so that it writes our the uninstaller. Then s

Re: (tomcat) branch 9.0.x updated: Add makensis as an option for building the Windows installer

2025-03-03 Thread Mark Thomas
On 03/03/2025 23:43, Christopher Schultz wrote: On 3/3/25 7:45 AM, Rémy Maucherat wrote: Ok. I would like it more if using my platform makensis was possible. +1 Is this the kind of thing we could somehow move upstream? I seem to recall that the build option we needed to use was just enab

Re: (tomcat) branch 9.0.x updated: Add makensis as an option for building the Windows installer

2025-03-03 Thread Mark Thomas
On 03/03/2025 16:08, Rainer Jung wrote: Am 03.03.25 um 16:54 schrieb Mark Thomas: So, I think we have a different set of options now: a) Keep the existing makensis approach and remove Wine support b) Revert the change to using callbacks to sign the uninstaller and installer. Keep the

Re: (tomcat) branch 9.0.x updated: Add makensis as an option for building the Windows installer

2025-03-03 Thread Mark Thomas
On 03/03/2025 15:38, Rémy Maucherat wrote: On Mon, Mar 3, 2025 at 1:45 PM Rémy Maucherat wrote: On Mon, Mar 3, 2025 at 1:27 PM Mark Thomas wrote: On 03/03/2025 10:54, Mark Thomas wrote: I do like the makensis approach as it is a lot simpler. Wine on Mac has proven tricky to get working

Re: (tomcat) branch 9.0.x updated: Add makensis as an option for building the Windows installer

2025-03-03 Thread Mark Thomas
On 03/03/2025 10:54, Mark Thomas wrote: I don't recall if I tested with wine after the changes were complete. I do recall installing and uninstalling wine multiple times. I'll retest now. So clearly I didn't test this with Wine. There is no way the current build.xml file

Re: (tomcat) branch 9.0.x updated: Add makensis as an option for building the Windows installer

2025-03-03 Thread Mark Thomas
On 03/03/2025 09:45, Rémy Maucherat wrote: On Sun, Mar 2, 2025 at 10:20 PM Rainer Jung wrote: Hmm, I never tried with wine but at least I checked, that the ant download for Windows contains a binary named "ant", not just "ant.exe". I don't recall if I tested with wine after the changes we

Re: (tomcat) branch main updated: 69602: Allow weak etags in If-Range header

2025-03-03 Thread Mark Thomas
On 03/03/2025 10:03, Rémy Maucherat wrote: On Mon, Mar 3, 2025 at 10:30 AM Mark Thomas wrote: On 28/02/2025 22:41, r...@apache.org wrote: // If the ETag the client gave does not match the entity // etag, then the entire entity is returned. -if

Re: (tomcat) branch main updated: 69602: Allow weak etags in If-Range header

2025-03-03 Thread Mark Thomas
On 28/02/2025 22:41, r...@apache.org wrote: This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git The following commit(s) were added to refs/heads/main by this push: new 7f0df68

Re: Tomcat 9 extended support

2025-02-25 Thread Mark Thomas
Thanks all for the feedback. I'm going to send this to the users list shortly. Mark On 17/02/2025 08:35, Mark Thomas wrote: Updated version after Chris's comments below. Any more comments or are we happy to publish this? Mark Subject: The future of Tomcat 9 Tomcat 9 is the

Re: Further improvements to the CVE-2024-56337 protection

2025-02-21 Thread Mark Thomas
On 20/02/2025 15:23, Mark Thomas wrote: I'm making progress with the updates for Tomcat 11. Should have something to commit soon. That took longer than expected but I think that work is complete. In most cases users shouldn't see anything. If Tomcat does encounter a scenario it

Re: Further improvements to the CVE-2024-56337 protection

2025-02-20 Thread Mark Thomas
On 20/02/2025 13:52, Rémy Maucherat wrote: On Thu, Feb 20, 2025 at 2:42 PM Mark Thomas wrote: On 20/02/2025 13:36, Rémy Maucherat wrote: On Thu, Feb 20, 2025 at 1:06 PM Mark Thomas wrote: All, The recent releases have improved things for users of embedded Tomcat but there are still some

Re: Further improvements to the CVE-2024-56337 protection

2025-02-20 Thread Mark Thomas
On 20/02/2025 13:36, Rémy Maucherat wrote: On Thu, Feb 20, 2025 at 1:06 PM Mark Thomas wrote: All, The recent releases have improved things for users of embedded Tomcat but there are still some issues. I am seeing reports via $work related to Spring Boot. The problem is on Windows and Mac

Further improvements to the CVE-2024-56337 protection

2025-02-20 Thread Mark Thomas
All, The recent releases have improved things for users of embedded Tomcat but there are still some issues. I am seeing reports via $work related to Spring Boot. The problem is on Windows and Mac. The file systems are case insensitive and DirResourceSet instances are read/write by default so

Case sensitivity checks

2025-02-19 Thread Mark Thomas
All, A case sensitivity test was added to DirResourceSet as part of the fix for CVE-2024-50379. It is also used to check whether the JVM setting described in CVE-2024-56337 is required. The current case sensitivity check is imperfect. Things are complicated by: - Windows introducing per direc
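The two messages above (the CVE-2024-56337 follow-up and this case sensitivity note) both turn on the same question: does the directory a DirResourceSet serves from distinguish "Foo.jsp" from "foo.jsp", and if not, how does a strict lookup avoid confusing the two? The script below is an added example written for this page, not Tomcat's DirResourceSet code, and the probe-then-strict-compare design is an assumption about how such a check can be built rather than a description of what Tomcat does. It probes the served directory itself rather than the filesystem root, because, as the message notes, Windows lets case sensitivity be set per directory. The function and file names (is_case_sensitive, resolve_for_serving, index.jsp) are invented for the example.

```python
"""Per-directory case-sensitivity probe and strict name lookup.

Added example for this page; not Tomcat's DirResourceSet implementation.
"""
import os
import tempfile
import uuid


def is_case_sensitive(directory: str) -> bool:
    """Return True if `directory` distinguishes 'A.txt' from 'a.txt'.

    A filesystem-wide or root-directory answer is not enough: Windows allows
    case sensitivity to be toggled per directory, so the probe file is
    created inside the directory whose contents will actually be served.
    """
    token = uuid.uuid4().hex  # unique name so the probe never collides with real content
    mixed = os.path.join(directory, f"CaseProbe-{token}.Tmp")
    folded = os.path.join(directory, f"caseprobe-{token}.tmp")
    # O_EXCL: fail loudly rather than silently reuse an existing file.
    fd = os.open(mixed, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    os.close(fd)
    try:
        # On a case-insensitive directory the folded name resolves to the file
        # just created; on a case-sensitive directory it does not exist.
        return not os.path.exists(folded)
    finally:
        os.unlink(mixed)


def exact_name_exists(directory: str, name: str) -> bool:
    """Strict lookup: `name` must match a directory entry exactly.

    On a case-insensitive directory a plain open() of 'readme.JSP' returns
    'readme.jsp'; comparing against the real entry names rejects a request
    whose case differs from what is on disk.
    """
    return name in os.listdir(directory)


def resolve_for_serving(directory: str, name: str) -> bool:
    """Decide whether a request for `name` may be served from `directory`.

    Case-sensitive directory: the OS lookup is already exact.
    Case-insensitive directory: fall back to the strict entry-name comparison
    so 'Foo.jsp' and 'foo.jsp' cannot be mistaken for one another.
    """
    if os.sep in name or "/" in name or name in ("", ".", ".."):
        return False  # restrict the check to a single path segment
    full = os.path.join(directory, name)
    if is_case_sensitive(directory):
        return os.path.isfile(full)
    return exact_name_exists(directory, name) and os.path.isfile(full)


def demo_dir() -> str:
    """Create a scratch directory holding one constructed file, index.jsp."""
    d = tempfile.mkdtemp(prefix="caseprobe-")
    open(os.path.join(d, "index.jsp"), "w").close()
    return d


if __name__ == "__main__":
    d = demo_dir()
    print("case sensitive:", is_case_sensitive(d))
    print("index.jsp ->", resolve_for_serving(d, "index.jsp"))
    print("INDEX.JSP ->", resolve_for_serving(d, "INDEX.JSP"))
```

Whatever the underlying filesystem reports, a request whose case does not match the on-disk entry is refused, and the probe file is removed before the function returns so the directory is left as it was found.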

Re: [VOTE][RESULT] Release Apache Tomcat 11.0.4

2025-02-17 Thread Mark Thomas
The following votes were cast: Binding: +1: markt, schultz, remm Non-binding: +1: dsoumis No other votes were cast. The vote therefore passes. Thanks to everyone who contributed to this release. Mark - To unsubscribe, e-mai

Re: Tomcat 9 extended support

2025-02-17 Thread Mark Thomas
Updated version after Chris's comments below. Any more comments or are we happy to publish this? Mark Subject: The future of Tomcat 9 Tomcat 9 is the last major Tomcat version supporting Java EE. Therefore, the Tomcat community intends to provide support for Tomcat 9 beyond the 10 years for

Re: Test certs expired?

2025-02-16 Thread Mark Thomas
the repo that mean it is mostly just a copy and paste task. I'll look at this now. Mark Best regards, Rainer On 17.02.23 at 17:39, Mark Thomas wrote: They have. I have a new set ready to commit. Just running the tests to make sure I didn't miss any. Mark On 17/02/2023 16:

Re: Tomcat 9 extended support

2025-02-13 Thread Mark Thomas
ll be provided for 9.1.x end of support. On 13/02/2025 15:34, Mark Thomas wrote: I haven't seen any further discussion so I am going to draft an announcement for review that I'll post this list. Mark On 04/02/2025 21:14, Christopher Schultz wrote: Mark, On 2/3/25 11:00 AM, Ma
