svn commit: r781697 - in /tomcat/site/trunk: docs/security-6.html xdocs/security-6.xml

Author: markt Date: Thu Jun 4 09:49:08 2009 New Revision: 781697 URL: http://svn.apache.org/viewvc?rev=781697&view=rev Log: Add a note about 6.0.17 for historical record. We did get some questions about this we 6.0.1 was released. Modified: tomcat/site/trunk/docs/security-6.html tomcat/

svn propchange: r739522 - svn:log

Author: markt Revision: 739522 Modified property: svn:log Modified: svn:log at Thu Jun 4 11:03:18 2009 -- --- svn:log (original) +++ svn:log Thu Jun 4 11:03:18 2009 @@ -1,2 +1,3 @@ Fix https://issues.apache.org/bugzilla

svn propchange: r652592 - svn:log

Author: markt Revision: 652592 Modified property: svn:log Modified: svn:log at Thu Jun 4 11:03:50 2009 -- --- svn:log (original) +++ svn:log Thu Jun 4 11:03:50 2009 @@ -1,2 +1,3 @@ Fix https://issues.apache.org/bugzilla

svn propchange: r781542 - svn:log

Author: markt Revision: 781542 Modified property: svn:log Modified: svn:log at Thu Jun 4 11:04:33 2009 -- --- svn:log (original) +++ svn:log Thu Jun 4 11:04:33 2009 @@ -1,2 +1,3 @@ Fix https://issues.apache.org/bugzilla

svn propchange: r681156 - svn:log

Author: markt Revision: 681156 Modified property: svn:log Modified: svn:log at Thu Jun 4 11:05:25 2009 -- --- svn:log (original) +++ svn:log Thu Jun 4 11:05:25 2009 @@ -1,2 +1,3 @@ Fix https://issues.apache.org/bugzilla

svn commit: r781708 - in /tomcat/container/branches/tc4.1.x: RELEASE-NOTES-4.1.txt catalina/src/share/org/apache/catalina/startup/ContextConfig.java

Author: markt Date: Thu Jun 4 11:07:19 2009 New Revision: 781708 URL: http://svn.apache.org/viewvc?rev=781708&view=rev Log: Port fixes for https://issues.apache.org/bugzilla/show_bug.cgi?id=29936 and https://issues.apache.org/bugzilla/show_bug.cgi?id=45933 This addresses CVE-2009-0783 Modified:

svn commit: r781710 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml

Author: markt Date: Thu Jun 4 11:10:59 2009 New Revision: 781710 URL: http://svn.apache.org/viewvc?rev=781710&view=rev Log: Add CVE-2009-0783 Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site

svn commit: r781722 - in /tomcat/container/tc5.5.x: catalina/src/share/org/apache/catalina/authenticator/SSLAuthenticator.java webapps/docs/changelog.xml

Author: markt Date: Thu Jun 4 12:45:20 2009 New Revision: 781722 URL: http://svn.apache.org/viewvc?rev=781722&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38553 A lack of certs is normal if the user doesn't have a trusted cert. Return 401, not 400 in this case. Modified:

DO NOT REPLY [Bug 38553] Wrong HTTP code for failed CLIENT-CERT authentication

https://issues.apache.org/bugzilla/show_bug.cgi?id=38553 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

svn commit: r781723 - in /tomcat/container/tc5.5.x: catalina/src/share/org/apache/catalina/startup/ContextConfig.java webapps/docs/changelog.xml

Author: markt Date: Thu Jun 4 12:48:13 2009 New Revision: 781723 URL: http://svn.apache.org/viewvc?rev=781723&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=38570 When checking docBase against appBase, make sure we check for an exact match against the appBase Modified:

DO NOT REPLY [Bug 38570] if docBase path contains "webapps", a backslash is inserted

https://issues.apache.org/bugzilla/show_bug.cgi?id=38570 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

[SECURITY] CVE-2009-0783 Apache Tomcat Information disclosure

-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 CVE-2009-0783: Apache Tomcat information disclosure vulnerability Severity: low Vendor: The Apache Software Foundation Versions Affected: Tomcat 6.0.0 to 6.0.18 Tomcat 5.5.0 to 5.5.27 Tomcat 4.1.0 to 4.1.39 The unsupported Tomcat 3.x, 4.0.x and 5.0

svn commit: r781730 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml

Author: markt Date: Thu Jun 4 13:24:42 2009 New Revision: 781730 URL: http://svn.apache.org/viewvc?rev=781730&view=rev Log: Fix typo. Modified: tomcat/site/trunk/docs/security-4.html tomcat/site/trunk/docs/security-5.html tomcat/site/trunk/docs/security-6.html tomcat/site/trunk/x

svn commit: r781735 - in /tomcat/container/tc5.5.x: catalina/src/share/org/apache/catalina/session/StandardSession.java modules/cluster/src/share/org/apache/catalina/cluster/session/DeltaSession.java

Author: markt Date: Thu Jun 4 13:45:47 2009 New Revision: 781735 URL: http://svn.apache.org/viewvc?rev=781735&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46717 Hard to reproduce thread safety issue with session expiration Modified: tomcat/container/tc5.5.x/catalina/

DO NOT REPLY [Bug 46717] Wrong Session Expiration because of non thread-safe code

https://issues.apache.org/bugzilla/show_bug.cgi?id=46717 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

svn commit: r781742 - /tomcat/current/tc5.5.x/STATUS.txt

Author: markt Date: Thu Jun 4 14:05:47 2009 New Revision: 781742 URL: http://svn.apache.org/viewvc?rev=781742&view=rev Log: Remove applied fixes Modified: tomcat/current/tc5.5.x/STATUS.txt Modified: tomcat/current/tc5.5.x/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/

svn commit: r781743 - in /tomcat/container/tc5.5.x: modules/cluster/src/share/org/apache/catalina/cluster/mcast/McastServiceImpl.java modules/groupcom/src/share/org/apache/catalina/tribes/membership/M

Author: markt Date: Thu Jun 4 14:12:01 2009 New Revision: 781743 URL: http://svn.apache.org/viewvc?rev=781743&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=43641 Use of bind attribute for membership element breaks multicast. (rjung) Modified: tomcat/container/tc5.5.x/

svn commit: r781744 - /tomcat/current/tc5.5.x/STATUS.txt

Author: markt Date: Thu Jun 4 14:14:29 2009 New Revision: 781744 URL: http://svn.apache.org/viewvc?rev=781744&view=rev Log: Remove a applied path. Change vote based on regression reported for 6.0.20 Modified: tomcat/current/tc5.5.x/STATUS.txt Modified: tomcat/current/tc5.5.x/STATUS.txt URL:

svn commit: r781746 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Compiler.java

Author: markt Date: Thu Jun 4 14:18:39 2009 New Revision: 781746 URL: http://svn.apache.org/viewvc?rev=781746&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=41606 Prevent double init() of JSP Patch provided by Chris Halstead Modified: tomcat/container/tc5.5.x/webapps/do

DO NOT REPLY [Bug 41606] The jspInit method is called twice.

https://issues.apache.org/bugzilla/show_bug.cgi?id=41606 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

svn commit: r781751 - in /tomcat/container/tc5.5.x: catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java catalina/src/share/org/apache/naming/resources/FileDirContext.java webapps/docs/c

Author: markt Date: Thu Jun 4 14:25:14 2009 New Revision: 781751 URL: http://svn.apache.org/viewvc?rev=781751&view=rev Log: (empty) Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java tomcat/container/tc5.5.x/catalina/src/share/org/apac

svn commit: r781753 - in /tomcat/container/tc5.5.x: catalina/src/share/org/apache/catalina/valves/AccessLogValve.java webapps/docs/changelog.xml

Author: markt Date: Thu Jun 4 14:33:47 2009 New Revision: 781753 URL: http://svn.apache.org/viewvc?rev=781753&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46982 Use DST offset not current offset (which will be 0 when DST is not being used) Modified: tomcat/container/

DO NOT REPLY [Bug 46982] AccessLogValve reports correct time but incorrect offset following Spring DST transition.

https://issues.apache.org/bugzilla/show_bug.cgi?id=46982 Mark Thomas changed: What|Removed |Added Status|REOPENED|RESOLVED Resolution|

svn commit: r781755 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml servletapi/servlet2.4-jsp2.0-tc5.x/jsr152/examples/security/protected/error.jsp

Author: markt Date: Thu Jun 4 14:37:23 2009 New Revision: 781755 URL: http://svn.apache.org/viewvc?rev=781755&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46509 Use correct link on error page in JSP security example Patch provided by Michael Moody Modified: tomcat/con

DO NOT REPLY [Bug 46509] Tomcat 5.5 security example gives j_security_check not available

https://issues.apache.org/bugzilla/show_bug.cgi?id=46509 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

svn commit: r781758 - in /tomcat/container/tc5.5.x: catalina/src/share/org/apache/catalina/ssi/SSIServlet.java webapps/docs/changelog.xml

Author: markt Date: Thu Jun 4 14:43:39 2009 New Revision: 781758 URL: http://svn.apache.org/viewvc?rev=781758&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46562 Close the reader when we are done Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalin

DO NOT REPLY [Bug 46562] Reader not closed

https://issues.apache.org/bugzilla/show_bug.cgi?id=46562 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

svn commit: r781759 - in /tomcat: container/tc5.5.x/webapps/docs/changelog.xml jasper/tc5.5.x/src/share/org/apache/jasper/compiler/Generator.java

Author: markt Date: Thu Jun 4 14:49:33 2009 New Revision: 781759 URL: http://svn.apache.org/viewvc?rev=781759&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=46909 The ';' should really only be used if there is a following parameter Modified: tomcat/container/tc5.5.x/web

DO NOT REPLY [Bug 46909] error

https://issues.apache.org/bugzilla/show_bug.cgi?id=46909 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

svn commit: r781763 - in /tomcat: connectors/trunk/http11/src/java/org/apache/coyote/http11/ container/tc5.5.x/webapps/docs/

Author: markt Date: Thu Jun 4 14:58:30 2009 New Revision: 781763 URL: http://svn.apache.org/viewvc?rev=781763&view=rev Log: (empty) Modified: tomcat/connectors/trunk/http11/src/java/org/apache/coyote/http11/Http11AprProcessor.java tomcat/connectors/trunk/http11/src/java/org/apache/coyo

DO NOT REPLY [Bug 46984] Server incorrectly reports a 501 error on bad method name. Should report 400 error.

https://issues.apache.org/bugzilla/show_bug.cgi?id=46984 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

svn commit: r781767 - in /tomcat: connectors/trunk/util/java/org/apache/tomcat/util/http/mapper/Mapper.java container/tc5.5.x/catalina/src/share/org/apache/catalina/connector/MapperListener.java conta

Author: markt Date: Thu Jun 4 15:06:19 2009 New Revision: 781767 URL: http://svn.apache.org/viewvc?rev=781767&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=42707 Make adding a host alias via jmx take effect immediately Modified: tomcat/connectors/trunk/util/java/org/a

DO NOT REPLY [Bug 42707] add host alias using jmx doesn't take affect until restart

https://issues.apache.org/bugzilla/show_bug.cgi?id=42707 Mark Thomas changed: What|Removed |Added Status|REOPENED|RESOLVED Resolution|

DO NOT REPLY [Bug 44856] add host alias using jmx doesn't take affect until restart

https://issues.apache.org/bugzilla/show_bug.cgi?id=44856 Bug 44856 depends on bug 42707, which changed state. Bug 42707 Summary: add host alias using jmx doesn't take affect until restart https://issues.apache.org/bugzilla/show_bug.cgi?id=42707 What|Old Value |N

svn commit: r781770 - /tomcat/connectors/trunk/util/java/org/apache/tomcat/util/buf/DateTool.java

Author: markt Date: Thu Jun 4 15:18:21 2009 New Revision: 781770 URL: http://svn.apache.org/viewvc?rev=781770&view=rev Log: Remove generics component of ported patch as it breaks Tomcat 4 build. Modified: tomcat/connectors/trunk/util/java/org/apache/tomcat/util/buf/DateTool.java Modified:

svn commit: r781777 - /tomcat/current/tc5.5.x/STATUS.txt

Author: markt Date: Thu Jun 4 15:29:59 2009 New Revision: 781777 URL: http://svn.apache.org/viewvc?rev=781777&view=rev Log: Remove applied patches Modified: tomcat/current/tc5.5.x/STATUS.txt Modified: tomcat/current/tc5.5.x/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/current/tc5.5.

svn commit: r781779 - /tomcat/trunk/java/org/apache/catalina/valves/AccessLogValve.java

Author: markt Date: Thu Jun 4 15:36:07 2009 New Revision: 781779 URL: http://svn.apache.org/viewvc?rev=781779&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=47158 Thread safety issues Modified: tomcat/trunk/java/org/apache/catalina/valves/AccessLogValve.java Modified:

svn commit: r781780 - /tomcat/tc6.0.x/trunk/STATUS.txt

Author: markt Date: Thu Jun 4 15:39:21 2009 New Revision: 781780 URL: http://svn.apache.org/viewvc?rev=781780&view=rev Log: Propose fix for 47158 Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATU

DO NOT REPLY [Bug 47158] I think AccessLogValve has race condition problem

https://issues.apache.org/bugzilla/show_bug.cgi?id=47158 --- Comment #1 from Mark Thomas 2009-06-04 08:39:30 PST --- I agree with your analysis for currentMIllis. I disagree with your analysis for currentDate. I think we can remove all the places this is updated except getDate() and still h

DO NOT REPLY [Bug 47316] New: In config file, Service and engine names must match

https://issues.apache.org/bugzilla/show_bug.cgi?id=47316 Summary: In config file, Service and engine names must match Product: Tomcat 6 Version: unspecified Platform: Other OS/Version: AIX Status: NEW Severity: normal

DO NOT REPLY [Bug 47316] In config file, Service and engine names must match

https://issues.apache.org/bugzilla/show_bug.cgi?id=47316 --- Comment #1 from Mark Thomas 2009-06-04 09:52:19 PST --- That looks to be a side effect of the fix for 42707. Having the names the same won't cause any problems. In fact it helps make sure JMX works as expected. As has been said p

DO NOT REPLY [Bug 47317] New: Incorrect session handling when using session="false" in page directive?

https://issues.apache.org/bugzilla/show_bug.cgi?id=47317 Summary: Incorrect session handling when using session="false" in page directive? Product: Tomcat 6 Version: unspecified Platform: PC OS/Version: Windows XP S

DO NOT REPLY [Bug 47317] Incorrect session handling when using session="false" in page directive?

https://issues.apache.org/bugzilla/show_bug.cgi?id=47317 --- Comment #1 from Paul LeBeau 2009-06-04 12:24:11 PST --- Note also that this bug affect more than just pageContext.findAttribute(). This method call is apparently being used by the EL engine as well, so session attributes are unav

Re: svn commit: r781780 - /tomcat/tc6.0.x/trunk/STATUS.txt

2009/6/4 : == > --- tomcat/tc6.0.x/trunk/STATUS.txt (original) > +++ tomcat/tc6.0.x/trunk/STATUS.txt Thu Jun  4 15:39:21 2009 > @@ -132,3 +132,9 @@ >     http://svn.apache.org/viewvc/httpd/httpd/trunk/docs/conf/ >     The

DO NOT REPLY [Bug 47318] New: Tomcat 6.0.20 does not include imports from included JSP

https://issues.apache.org/bugzilla/show_bug.cgi?id=47318 Summary: Tomcat 6.0.20 does not include imports from included JSP Product: Tomcat 6 Version: unspecified Platform: PC OS/Version: Linux Status: NEW