https://issues.apache.org/bugzilla/show_bug.cgi?id=48160
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|
2009/11/7 Mark Thomas :
>
> We also need to think about what to do with tc native. Maybe something like:
I think that we can
- recommend recompiling 1.1.16 with OpenSSL 0.9.8l for those who used
our sources
- for those architectures where binaries are available for 1.1.16
(windows 32/64-bit), rebu
On 09/11/09 11:34, Konstantin Kolinko wrote:
2009/11/7 Mark Thomas:
We also need to think about what to do with tc native. Maybe something like:
I think that we can
- recommend recompiling 1.1.16 with OpenSSL 0.9.8l for those who used
our sources
- for those architectures where binaries are a
Konstantin Kolinko wrote:
> 2009/11/7 Mark Thomas :
>> We also need to think about what to do with tc native. Maybe something like:
>
> I think that we can
> - recommend recompiling 1.1.16 with OpenSSL 0.9.8l for those who used
> our sources
> - for those architectures where binaries are available
Summarising the information gathered so far from various channels
(thanks to Bill B., Bill W. & Rainer who have done most of the actual
work to find the info below).
BIO/NIO connectors using JSSE.
Vulnerable when renegotiation is triggered by the client or server.
We could prevent server initiated
On 09/11/09 11:56, Mark Thomas wrote:
- We can release 1.1.17 with the binaries built with 0.9.8l. This
will also protect users at the risk of breaking any
configurations that require renegotiation. Mladen is doing this
now.
I've uploaded binaries with APR-1.3.9/OpenSSL 9.8.8l.
Should
Author: markt
Date: Mon Nov 9 11:27:57 2009
New Revision: 834021
URL: http://svn.apache.org/viewvc?rev=834021&view=rev
Log:
Update schemas to latest draft as of 2009-11-05
Modified:
tomcat/trunk/java/javax/servlet/resources/javaee_6.xsd
tomcat/trunk/java/javax/servlet/resources/web-app_3
Author: markt
Date: Mon Nov 9 11:29:18 2009
New Revision: 834022
URL: http://svn.apache.org/viewvc?rev=834022&view=rev
Log:
Add the JSP 2.2 schema. Note election to use CDDL.
Added:
tomcat/trunk/java/javax/servlet/jsp/resources/jsp_2_2.xsd (with props)
Added: tomcat/trunk/java/javax/servl
Author: markt
Date: Mon Nov 9 11:31:08 2009
New Revision: 834023
URL: http://svn.apache.org/viewvc?rev=834023&view=rev
Log:
Add JSP 2.2 XSD
Modified:
tomcat/trunk/NOTICE
Modified: tomcat/trunk/NOTICE
URL:
http://svn.apache.org/viewvc/tomcat/trunk/NOTICE?rev=834023&r1=834022&r2=834023&view=
Author: markt
Date: Mon Nov 9 11:37:53 2009
New Revision: 834024
URL: http://svn.apache.org/viewvc?rev=834024&view=rev
Log:
Use correct default manifest
Use specific notice and license file for jsp jar
Added:
tomcat/trunk/res/META-INF/jsp-api.jar.license (with props)
tomcat/trunk/res/M
https://issues.apache.org/bugzilla/show_bug.cgi?id=48157
--- Comment #3 from Ralf Hauser 2009-11-09 04:06:08 UTC ---
Since we do not really have the option use "APR/Native" and we would be happy
to have X-Header fixing heuristics as another optional server.xml attribute.
You fear in comment 2 tha
https://issues.apache.org/bugzilla/show_bug.cgi?id=48158
--- Comment #2 from Ralf Hauser 2009-11-09 04:07:54 UTC ---
tomcat-dev-list:> BIO/NIO connectors using JSSE.
> Vulnerable when renegotiation is triggered by the client or server.
> We could prevent server initiated renegotiation (and probab
2009/11/9 Mark Thomas :
> Konstantin Kolinko wrote:
>>
>> My understanding is that 1.1.17 and later require TC 6.0.21 and 5.5.29
>> and later and vice versa, because of some API changes, and thus won't
>> be useful until those versions are released.
>
> That isn't my understanding. 6.0.21/5.5.29 re
Author: markt
Date: Mon Nov 9 12:34:45 2009
New Revision: 834034
URL: http://svn.apache.org/viewvc?rev=834034&view=rev
Log:
Cookie is now serializable in Servlet 3.0
Fix some Eclipse warnings
Modified:
tomcat/trunk/java/javax/servlet/http/Cookie.java
Modified: tomcat/trunk/java/javax/servle
Author: markt
Date: Mon Nov 9 12:40:56 2009
New Revision: 834036
URL: http://svn.apache.org/viewvc?rev=834036&view=rev
Log:
Add support for displayName
Modified:
tomcat/trunk/java/javax/servlet/annotation/WebServlet.java
Modified: tomcat/trunk/java/javax/servlet/annotation/WebServlet.java
U
Author: markt
Date: Mon Nov 9 13:04:52 2009
New Revision: 834047
URL: http://svn.apache.org/viewvc?rev=834047&view=rev
Log:
Fix CVE-2009-3548.
When installing using defaults, don't create an administrative user with a
blank password
Note: This is already public - it was discussed on the users li
https://issues.apache.org/bugzilla/show_bug.cgi?id=48157
--- Comment #4 from Konstantin Kolinko 2009-11-09 05:12:13 UTC ---
If you really want something like that, you can write a Filter or a Valve. See
org.apache.catalina.valves.RequestDumperValve for an example.
http://tomcat.apache.org/tomca
Author: markt
Date: Mon Nov 9 13:18:42 2009
New Revision: 834050
URL: http://svn.apache.org/viewvc?rev=834050&view=rev
Log:
Correct latest Tomcat 4 version
Since it has been almost 6 months since the final 4.1.x release, remove the
download and doc links and mark it as archived.
Removed:
to
Author: kkolinko
Date: Mon Nov 9 13:19:42 2009
New Revision: 834052
URL: http://svn.apache.org/viewvc?rev=834052&view=rev
Log:
svn:eol-style
Modified:
tomcat/trunk/res/META-INF/jasper-jdt.jar.license (contents, props changed)
tomcat/trunk/res/META-INF/jasper-jdt.jar.notice (contents,
Author: kkolinko
Date: Mon Nov 9 13:39:59 2009
New Revision: 834059
URL: http://svn.apache.org/viewvc?rev=834059&view=rev
Log:
svn:eol-style
Modified:
tomcat/tc6.0.x/trunk/res/META-INF/jasper-jdt.jar.license (contents, props
changed)
tomcat/tc6.0.x/trunk/res/META-INF/jasper-jdt.jar.no
Author: markt
Date: Mon Nov 9 13:48:26 2009
New Revision: 834061
URL: http://svn.apache.org/viewvc?rev=834061&view=rev
Log:
Add CVE-2009-3548 info
Modified:
tomcat/site/trunk/docs/security-5.html
tomcat/site/trunk/docs/security-6.html
tomcat/site/trunk/xdocs/security-5.xml
tomcat
CVE-2009-3548: Apache Tomcat Windows Installer insecure default
administrative password
Severity: Low
Vendor:
The Apache Software Foundation
Versions Affected:
Tomcat 5.5.0 to 5.5.28
Tomcat 6.0.0 to 6.0.20
The unsupported Tomcat 3.x, 4.0.x, 4.1.x and 5.0.x versions may also be
affected.
Descri
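An audit for the weak default the advisory above describes, added here as an example and not part of the advisory or of Tomcat: it parses a tomcat-users.xml and lists every <user> whose password attribute is empty, together with the roles that account holds. The sample document is constructed to look like the file the affected installer wrote; the class name, method name and the exit-code convention are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Added example: flag tomcat-users.xml accounts that have an empty password. */
public final class BlankPasswordAudit {

    /** Constructed sample in the shape of the file the affected installer wrote; not a real file. */
    static final String SAMPLE =
        "<?xml version='1.0' encoding='utf-8'?>\n"
      + "<tomcat-users>\n"
      + "  <role rolename=\"admin\"/>\n"
      + "  <role rolename=\"manager\"/>\n"
      + "  <user username=\"admin\" password=\"\" roles=\"admin,manager\"/>\n"
      + "  <user username=\"deployer\" password=\"s3cret\" roles=\"manager\"/>\n"
      + "</tomcat-users>\n";

    /** Returns "username [roles]" for every user element whose password is blank or missing. */
    public static List<String> findBlankPasswordUsers(String xml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // The auditor may run on a host where the file could have been tampered with;
        // refuse a DOCTYPE so entity expansion cannot be used against the parser.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setExpandEntityReferences(false);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));

        List<String> hits = new ArrayList<>();
        NodeList users = doc.getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            // getAttribute() returns "" for an absent attribute, so a user with no
            // password attribute at all is reported as well.
            if (u.getAttribute("password").isEmpty()) {
                String name = u.getAttribute("username");
                if (name.isEmpty()) {
                    name = u.getAttribute("name"); // some files use name= instead of username=
                }
                hits.add(name + " [" + u.getAttribute("roles") + "]");
            }
        }
        return hits;
    }

    /** Usage: java BlankPasswordAudit [path/to/tomcat-users.xml]; without a path the sample is audited. */
    public static void main(String[] args) throws Exception {
        String xml = args.length > 0
            ? new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.UTF_8)
            : SAMPLE;
        List<String> hits = findBlankPasswordUsers(xml);
        for (String h : hits) {
            System.out.println("blank password: " + h);
        }
        // Non-zero exit so the check can gate an installation or deployment script.
        System.exit(hits.isEmpty() ? 0 : 1);
    }
}
```

The check prints one line per offending account and exits non-zero when any is found. It deliberately reports every blank password, not only accounts with the admin or manager role: a blank-password account with any role is still a credential an attacker does not have to guess.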
Author: markt
Date: Mon Nov 9 14:01:25 2009
New Revision: 834068
URL: http://svn.apache.org/viewvc?rev=834068&view=rev
Log:
Proposal
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=834
Author: markt
Date: Mon Nov 9 14:01:46 2009
New Revision: 834070
URL: http://svn.apache.org/viewvc?rev=834070&view=rev
Log:
Proposal
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=834
https://issues.apache.org/bugzilla/show_bug.cgi?id=48157
--- Comment #5 from Mark Thomas 2009-11-09 06:08:15 GMT ---
My current understanding is that a filter/valve as proposed will do very little
to mitigate this attack as the SSL handshaking occurs at the JSSE level and is
simply not visible to
https://issues.apache.org/bugzilla/show_bug.cgi?id=48158
--- Comment #3 from Mark Thomas 2009-11-09 06:15:15 GMT ---
(In reply to comment #2)
> Couldn't you make this an optional server.xml attribute
See the clientAuth connector attribute for options already available for
limiting server side re-
Author: kkolinko
Date: Mon Nov 9 14:26:00 2009
New Revision: 834078
URL: http://svn.apache.org/viewvc?rev=834078&view=rev
Log:
Revert r.831830. A better patch for issue 48097 was proposed.
Modified:
tomcat/trunk/java/org/apache/catalina/security/SecurityClassLoad.java
Modified: tomcat/trunk
Author: kkolinko
Date: Mon Nov 9 14:29:55 2009
New Revision: 834080
URL: http://svn.apache.org/viewvc?rev=834080&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48097
Patch by Mark Thomas.
Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
Mod
https://issues.apache.org/bugzilla/show_bug.cgi?id=47330
--- Comment #12 from Mark Thomas 2009-11-09 06:31:33 GMT ---
Patch applied. Many thanks.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
--- You are receiving this mail because: ---
You are the ass
Author: markt
Date: Mon Nov 9 14:31:40 2009
New Revision: 834081
URL: http://svn.apache.org/viewvc?rev=834081&view=rev
Log:
Patch provided by Cyrille Le Clerc
* fix NPE in log statement if protocolHeader has not been defined and the
servlet container does not support request.getHeader(null)
* fi
Author: markt
Date: Mon Nov 9 14:33:03 2009
New Revision: 834082
URL: http://svn.apache.org/viewvc?rev=834082&view=rev
Log:
Remove unnecessary code
Modified:
tomcat/trunk/java/org/apache/catalina/filters/RequestFilter.java
Modified: tomcat/trunk/java/org/apache/catalina/filters/RequestFilte
Author: kkolinko
Date: Mon Nov 9 14:41:35 2009
New Revision: 834084
URL: http://svn.apache.org/viewvc?rev=834084&view=rev
Log:
Revoke patch that has concerns. Vote for the alternative one.
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc5.5.x
Author: kkolinko
Date: Mon Nov 9 15:04:07 2009
New Revision: 834096
URL: http://svn.apache.org/viewvc?rev=834096&view=rev
Log:
With rev.834080 WebappClassLoader#findResourceInternal(String,String) is always
called with AccessController.doPrivileged(), thus there is no need to wrap
#findResource
Author: kkolinko
Date: Mon Nov 9 15:08:50 2009
New Revision: 834099
URL: http://svn.apache.org/viewvc?rev=834099&view=rev
Log:
Remove unused inner class
Modified:
tomcat/trunk/java/org/apache/catalina/loader/WebappClassLoader.java
tomcat/trunk/java/org/apache/catalina/security/SecurityCl
On 09.11.2009 11:56, Mark Thomas wrote:
> Summarising the information gathered so far from various channels
> (thanks to Bill B., Bill W. & Rainer who have done most of the actual
> work to find the info below).
>
> BIO/NIO connectors using JSSE.
> Vulnerable when renegotiation is triggered by the
https://issues.apache.org/bugzilla/show_bug.cgi?id=48158
Luciana Moreira changed:
What|Removed |Added
CC||more...@privasphere.com
https://issues.apache.org/bugzilla/show_bug.cgi?id=48157
Luciana Moreira changed:
What|Removed |Added
CC||more...@privasphere.com
2009/11/9 Mark Thomas :
> Summarising the information gathered so far from various channels
> (thanks to Bill B., Bill W. & Rainer who have done most of the actual
> work to find the info below).
>
> BIO/NIO connectors using JSSE.
> Vulnerable when renegotiation is triggered by the client or server
Konstantin Kolinko wrote:
> 2009/11/9 Mark Thomas :
>> Summarising the information gathered so far from various channels
>> (thanks to Bill B., Bill W. & Rainer who have done most of the actual
>> work to find the info below).
>>
>> BIO/NIO connectors using JSSE.
>> Vulnerable when renegotiation is
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
A vulnerability in the TLS protocol has recently been made public [1]
that allows an attacker to inject arbitrary requests into a TLS stream.
The current understanding of the Tomcat developers is as follows:
BIO & NIO connectors using JSSE
These c
On 09.11.2009 17:16, Mark Thomas wrote:
> Konstantin Kolinko wrote:
>> 2009/11/9 Mark Thomas :
>>> Summarising the information gathered so far from various channels
>>> (thanks to Bill B., Bill W. & Rainer who have done most of the actual
>>> work to find the info below).
>>>
>>> BIO/NIO connectors
On Mon, Nov 9, 2009 at 8:04 AM, Konstantin Kolinko wrote:
> 2009/11/9 Mark Thomas :
> > Summarising the information gathered so far from various channels
> > (thanks to Bill B., Bill W. & Rainer who have done most of the actual
> > work to find the info below).
> >
> > BIO/NIO connectors using JSS
Author: markt
Date: Mon Nov 9 20:43:47 2009
New Revision: 834220
URL: http://svn.apache.org/viewvc?rev=834220&view=rev
Log:
The assumption that contexts will always be file system based or that resources
will always be extracted to the work does not hold true, particularly for
custom DirContext
Author: markt
Date: Mon Nov 9 20:52:49 2009
New Revision: 834227
URL: http://svn.apache.org/viewvc?rev=834227&view=rev
Log:
Unused code
Modified:
tomcat/trunk/java/org/apache/catalina/util/Base64.java
Modified: tomcat/trunk/java/org/apache/catalina/util/Base64.java
URL:
http://svn.apache.o
Author: markt
Date: Mon Nov 9 21:00:22 2009
New Revision: 834229
URL: http://svn.apache.org/viewvc?rev=834229&view=rev
Log:
StringManagers should be final
Modified:
tomcat/trunk/java/org/apache/catalina/authenticator/SingleSignOn.java
tomcat/trunk/java/org/apache/catalina/connector/Comet
Author: markt
Date: Mon Nov 9 21:06:37 2009
New Revision: 834233
URL: http://svn.apache.org/viewvc?rev=834233&view=rev
Log:
StringManagers should be static final
Modified:
tomcat/trunk/java/org/apache/catalina/connector/Connector.java
tomcat/trunk/java/org/apache/catalina/connector/Coyot
Author: markt
Date: Mon Nov 9 21:18:01 2009
New Revision: 834238
URL: http://svn.apache.org/viewvc?rev=834238&view=rev
Log:
Align all three StringManager implementations
Modified:
tomcat/trunk/java/org/apache/catalina/tribes/util/StringManager.java
tomcat/trunk/java/org/apache/naming/Str
On Mon, Nov 9, 2009 at 10:47 AM, Costin Manolache wrote:
>
>
> On Mon, Nov 9, 2009 at 8:04 AM, Konstantin Kolinko > wrote:
>
>> 2009/11/9 Mark Thomas :
>> > Summarising the information gathered so far from various channels
>> > (thanks to Bill B., Bill W. & Rainer who have done most of the actua
Author: markt
Date: Mon Nov 9 22:34:35 2009
New Revision: 834260
URL: http://svn.apache.org/viewvc?rev=834260&view=rev
Log:
Cookie changes proposal
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STA
Author: markt
Date: Mon Nov 9 22:35:04 2009
New Revision: 834262
URL: http://svn.apache.org/viewvc?rev=834262&view=rev
Log:
Cookie changes proposal
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STA
Last week I noticed the link to Filip's old tomcat 16,000 concurrent
connections was broken on the resources page.
http://tomcat.apache.org/resources.html
peter lin
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For
Unless someone has a better solution - I'll submit the fix ( tonight ), will
disable re-negotiation for
Jsse-mode.
I added a system property to allow people who don't care about this, IMO by
default it should
be on.
Also got the test case to work - please let me know if it's acceptable to
commit i
Costin Manolache wrote:
> Unless someone has a better solution - I'll submit the fix ( tonight ), will
> disable re-negotiation for
> Jsse-mode.
> I added a system property to allow people who don't care about this, IMO by
> default it should
> be on.
Sounds good. Any chance it could be a connecto
Author: markt
Date: Tue Nov 10 00:31:25 2009
New Revision: 834286
URL: http://svn.apache.org/viewvc?rev=834286&view=rev
Log:
Add merge code for the remaining elements in web.xml
Modified:
tomcat/trunk/java/org/apache/catalina/startup/LocalStrings.properties
tomcat/trunk/java/org/apache/ca
Author: costin
Date: Tue Nov 10 01:02:43 2009
New Revision: 834289
URL: http://svn.apache.org/viewvc?rev=834289&view=rev
Log:
Fix for the SSL midm - disable client re-negotiation, connection will be
closed.
Modified:
tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
Author: costin
Date: Tue Nov 10 01:04:13 2009
New Revision: 834290
URL: http://svn.apache.org/viewvc?rev=834290&view=rev
Log:
Test case for the MITM/ssl re-negotiation, also a unit test for a simple ssl
request
( to check the fix didn't break anything and ssl still works )
Added:
tomcat/tr
wrote in message
news:20091110010244.4f8382388...@eris.apache.org...
> Author: costin
> Date: Tue Nov 10 01:02:43 2009
> New Revision: 834289
>
> URL: http://svn.apache.org/viewvc?rev=834289&view=rev
> Log:
> Fix for the SSL midm - disable client re-negotiation, connection will be
> closed.
>
>
Right, need to invalidate as well.
The request will not be executed - how can he continue the attack ?
On Mon, Nov 9, 2009 at 7:49 PM, Bill Barker wrote:
>
> wrote in message
> news:20091110010244.4f8382388...@eris.apache.org...
> > Author: costin
> > Date: Tue Nov 10 01:02:43 2009
> > New Rev
Author: costin
Date: Tue Nov 10 04:54:34 2009
New Revision: 834340
URL: http://svn.apache.org/viewvc?rev=834340&view=rev
Log:
Invalidate the session - so it can't be resumed.
Not sure what else we can do using this hook - we could switch to SSLEngine,
but that's pretty large change.
Modified:
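The mitigation that Mark's summary earlier in the thread (BIO/NIO connectors using JSSE, vulnerable when renegotiation is triggered by the client or server) and the two commits above (disable client renegotiation and close the connection; invalidate the session so it cannot be resumed) describe, as an added illustration in plain JSSE. This is example code, not Tomcat's JSSESocketFactory. JSSE at the time offers a server no switch to refuse renegotiation, but it does report every completed handshake on a socket: the first is the initial handshake, any later one is a renegotiation. The class name, the allowRenegotiation switch and the install helper are assumptions of this example.

```java
import java.io.IOException;
import java.util.concurrent.atomic.AtomicInteger;
import javax.net.ssl.HandshakeCompletedEvent;
import javax.net.ssl.HandshakeCompletedListener;
import javax.net.ssl.SSLSocket;

/**
 * Added example: refuse TLS renegotiation on a server-side JSSE socket.
 *
 * Attach the guard to an accepted SSLSocket before startHandshake() or any
 * I/O, so that the initial handshake is the first event it counts. Every
 * further completed handshake is a renegotiation: the session is invalidated
 * (so it cannot be resumed on a new connection) and the socket is closed, so
 * whatever the peer spliced in front of the client's request is never executed.
 */
public final class RenegotiationGuard implements HandshakeCompletedListener {

    private final AtomicInteger handshakes = new AtomicInteger();
    private final boolean allowRenegotiation; // assumed opt-out switch for this example

    private RenegotiationGuard(boolean allowRenegotiation) {
        this.allowRenegotiation = allowRenegotiation;
    }

    /** Installs the guard on an accepted socket; call this before startHandshake(). */
    public static RenegotiationGuard install(SSLSocket socket, boolean allowRenegotiation) {
        RenegotiationGuard guard = new RenegotiationGuard(allowRenegotiation);
        socket.addHandshakeCompletedListener(guard);
        return guard;
    }

    /** Completed handshakes seen so far; 1 means no renegotiation has happened. */
    public int handshakeCount() {
        return handshakes.get();
    }

    @Override
    public void handshakeCompleted(HandshakeCompletedEvent event) {
        if (handshakes.incrementAndGet() == 1 || allowRenegotiation) {
            return; // initial handshake, or the operator opted out of the guard
        }
        // Renegotiation: kill the session first so a second connection cannot
        // resume it, then cut the connection so nothing parsed after this point
        // reaches the servlet container.
        event.getSession().invalidate();
        try {
            event.getSocket().close();
        } catch (IOException ignored) {
            // the socket is already unusable; nothing further to do
        }
    }
}
```

Usage on the accept path is `SSLSocket s = (SSLSocket) serverSocket.accept(); RenegotiationGuard.install(s, false); s.startHandshake();`. Two caveats a practitioner should keep in mind: the guard must be installed before the first handshake completes, otherwise the first renegotiation is counted as the initial handshake and allowed through; and JSSE delivers the event from its own notifier thread, so the connector thread learns of the close on its next read or write rather than synchronously. Anything that legitimately needs renegotiation, such as a per-context switch to client certificate authentication, breaks under this guard, which is the trade-off the thread discusses for the 0.9.8l native binaries as well.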