Hello,
I am currently working on my company's platform to get around this
security problem during re-negotiation. After discussing with my group
about the progress being made towards a fix for tomcat, some questions
were raised and I was hoping you could help me answer them.
We use Tomcat 5.
Author: kkolinko
Date: Wed Nov 11 08:05:02 2009
New Revision: 834796
URL: http://svn.apache.org/viewvc?rev=834796&view=rev
Log:
vote
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=8347
On 11/11/09 09:09, Luciana Moreira Sa de Souza Signed by - PrivaSphere AG wrote:
Hello,
I am currently working on my company's platform to get around this
security problem during re-negotiation. After discussing with my group
about the progress being made towards a fix for tomcat, some questions
Author: markt
Date: Wed Nov 11 09:17:43 2009
New Revision: 834814
URL: http://svn.apache.org/viewvc?rev=834814&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48097
Avoid throwing an AccessControlException which can lead to a
NoClassDefFoundError on first access of first jsp.
https://issues.apache.org/bugzilla/show_bug.cgi?id=48097
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|
Author: markt
Date: Wed Nov 11 09:34:28 2009
New Revision: 834818
URL: http://svn.apache.org/viewvc?rev=834818&view=rev
Log:
Votes
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=834818
2009/11/10 :
> Author: markt
> Date: Tue Nov 10 16:57:29 2009
> New Revision: 834544
>
> URL: http://svn.apache.org/viewvc?rev=834544&view=rev
> Log:
> Proposal for cve-2009-3555 work-around
>
> Modified:
> tomcat/tc6.0.x/trunk/STATUS.txt
>
> +
> +* Disable TLS renegotiation be default with an
https://issues.apache.org/bugzilla/show_bug.cgi?id=48170
--- Comment #1 from Sebb 2009-11-11 03:09:43 UTC ---
(In reply to comment #0)
> I have a soak test at constant load that is initially stable. Within the
> hour,
> an ever increasing number of blocked threads develops. The vast majority o
https://issues.apache.org/bugzilla/show_bug.cgi?id=48170
--- Comment #2 from Sebb 2009-11-11 03:13:35 UTC ---
(In reply to comment #1)
> (In reply to comment #0)
> > I have a soak test at constant load that is initially stable. Within the
> > hour,
> > an ever increasing number of blocked threa
https://issues.apache.org/bugzilla/show_bug.cgi?id=48172
Summary: JspRuntimeContext synch. problems.
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
https://issues.apache.org/bugzilla/show_bug.cgi?id=48172
--- Comment #1 from Sebb 2009-11-11 03:38:03 UTC ---
Created an attachment (id=24514)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24514)
Convert jspReloadCount to AtomicInteger
--
Configure bugmail: https://issues.apache.or
https://issues.apache.org/bugzilla/show_bug.cgi?id=48172
--- Comment #2 from Sebb 2009-11-11 03:52:08 UTC ---
The lastCheck field is also not synch.
This is not a problem, so long as:
* the instance of JspRuntimeContext is created before the background thread is
started
* checkCompile() is only e
https://issues.apache.org/bugzilla/show_bug.cgi?id=48172
--- Comment #3 from Sebb 2009-11-11 06:22:34 UTC ---
Created an attachment (id=24515)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24515)
Make fields final
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.c
https://issues.apache.org/bugzilla/show_bug.cgi?id=48173
Summary: org.apache.catalina.tribes.io.ChannelData.EMPTY_DATA_ARRAY should be final
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Stat
https://issues.apache.org/bugzilla/show_bug.cgi?id=48174
Summary: org.apache.tomcat.jni.Address.APR_ANYADDR should be
final
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Status: NEW
https://issues.apache.org/bugzilla/show_bug.cgi?id=48175
Summary: Loggers should be final
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
Compo
On Wed, Nov 11, 2009 at 12:09 AM, Luciana Moreira Sa de Souza Signed
by - PrivaSphere AG wrote:
> Hello,
>
> I am currently working on my company's platform to get around this security
> problem during re-negotiation. After discussing with my group about the
> progress being made towards a fix fo
https://issues.apache.org/bugzilla/show_bug.cgi?id=48176
Summary: Fields that should be final
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: normal
Priority: P2
C
https://issues.apache.org/bugzilla/show_bug.cgi?id=48175
--- Comment #1 from Sebb 2009-11-11 08:03:09 UTC ---
Created an attachment (id=24518)
--> (https://issues.apache.org/bugzilla/attachment.cgi?id=24518)
Some more logger fields
--
Configure bugmail: https://issues.apache.org/bugzilla/userp
https://issues.apache.org/bugzilla/show_bug.cgi?id=48175
Sebb changed:
What|Removed |Added
Attachment #24516|application/octet-stream|text/plain
mime type|
On 11/11/2009 12:11 AM, Costin Manolache wrote:
openssl s_client ...
Type "R" ( to renegotiate ).
Unfortunately renegotiation is handled transparently and did work quite
well...
bummer, I will see what needs to be done today.
Costin
On Tue, Nov 10, 2009 at 10:53 PM, Filip Hanik - Dev List
On Wed, Nov 11, 2009 at 1:36 AM, Konstantin Kolinko
wrote:
> 2009/11/10 :
> > Author: markt
> > Date: Tue Nov 10 16:57:29 2009
> > New Revision: 834544
> >
> > URL: http://svn.apache.org/viewvc?rev=834544&view=rev
> > Log:
> > Proposal for cve-2009-3555 work-around
> >
> > Modified:
> >tomcat
https://issues.apache.org/bugzilla/show_bug.cgi?id=48170
--- Comment #3 from Earl Nolan 2009-11-11 09:27:26 UTC ---
The simplest approach is to change the static member variable declaration:
private static volatile JspFactory deflt = null;
and then remove the synchronized keyword on the getter/
https://issues.apache.org/bugzilla/show_bug.cgi?id=48177
Summary: org.apache.naming.java.javaURLContextFactory.getInitialContext not thread-safe
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Sorry for my confusion - didn't realize NIO has its own ssl AND is not the
default in the embedded tomcat.
We should make it in trunk - and maybe get rid of the old connector, APR +
NIO is enough ( plus the new one I'm
planning for lite :-)
I changed the tests - the good news is that indeed NIO r
Hi,
I think cookies are still broken, and this is getting more and more
complex. The apparent issue is that the parser applies v1 parsing rules
when parsing v0 cookies (which are generated using a much more lenient
character exclusion), resulting in cookies that cannot be parsed back.
A simple ex
https://issues.apache.org/bugzilla/show_bug.cgi?id=48178
Summary: org.apache.tomcat.lite.Locale2Charset.defaultMap is
not threadsafe
Product: Tomcat 7
Version: trunk
Platform: PC
OS/Version: Windows XP
Status: NEW
On 11/11/2009 11:13 AM, Costin Manolache wrote:
Sorry for my confusion - didn't realize NIO has its own ssl AND is not the
default in the embedded tomcat.
We should make it in trunk - and maybe get rid of the old connector, APR +
the old connector is still the most stable one. So we should l
Great foresight, Filip !
public int handshake(boolean read, boolean write) throws IOException {
if ( initHandshakeComplete ) return 0; //we have done our initial handshake
...
}
+ no handling of the SSLEngineResult -> just perfect security !
I have an update to the uni
https://issues.apache.org/bugzilla/show_bug.cgi?id=48179
Summary: After startup seeing java.io.FileNotFoundException:/tldcache.ser (No such file or directory)
Product: Tomcat 5
Version: 5.5.23
Platform: PC
O
Author: costin
Date: Wed Nov 11 19:13:24 2009
New Revision: 835017
URL: http://svn.apache.org/viewvc?rev=835017&view=rev
Log:
Add similar SSL tests for NIO connector.
Modified:
tomcat/trunk/test/org/apache/catalina/startup/TestTomcatSSL.java
Modified: tomcat/trunk/test/org/apache/catalina/s
Author: fhanik
Date: Wed Nov 11 19:51:50 2009
New Revision: 835036
URL: http://svn.apache.org/viewvc?rev=835036&view=rev
Log:
Make the location of stdout and stderr output configurable. Leave the default
as it always has been.
Currently, one can reconfigure the location of all logfiles except thi
Author: fhanik
Date: Wed Nov 11 19:54:40 2009
New Revision: 835037
URL: http://svn.apache.org/viewvc?rev=835037&view=rev
Log:
proposal
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=83
Remy Maucherat wrote:
> Hi,
>
> I think cookies are still broken, and this is getting more and more
> complex. The apparent issue is that the parser applies v1 parsing rules
> when parsing v0 cookies (which are generated using a much more lenient
> character exclusion), resulting in cookies that c
Author: markt
Date: Wed Nov 11 21:54:23 2009
New Revision: 835084
URL: http://svn.apache.org/viewvc?rev=835084&view=rev
Log:
Pull patches while we sort out issues
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5
Author: markt
Date: Wed Nov 11 21:55:00 2009
New Revision: 835086
URL: http://svn.apache.org/viewvc?rev=835086&view=rev
Log:
Pull patches while we sort out issues
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6
On 11/11/2009 02:45 PM, Mark Thomas wrote:
Remy Maucherat wrote:
Hi,
I think cookies are still broken, and this is getting more and more
complex. The apparent issue is that the parser applies v1 parsing rules
when parsing v0 cookies (which are generated using a much more lenient
character e
On Wed, 2009-11-11 at 16:45 -0500, Mark Thomas wrote:
> I really do loathe cookies right now. I've pulled the proposed patches for
> 5.5.x
> and 6.0.x until I (or someone else) can take a look at this.
I do too. v0 cookies are 15-year-old stuff that Netscape hacked out of
thin air without thinking
https://issues.apache.org/bugzilla/show_bug.cgi?id=48169
--- Comment #2 from Troy Bowman 2009-11-11 16:24:45 UTC ---
The linux distro is Gentoo. Best distro for people who like to drive
stick-shift. ;)
Thanks to your explanation, I changed the following and the delay indeed
completely disappear
Author: mturk
Date: Thu Nov 12 05:57:20 2009
New Revision: 835244
URL: http://svn.apache.org/viewvc?rev=835244&view=rev
Log:
Cast some votes
Modified:
tomcat/tc6.0.x/trunk/STATUS.txt
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?
Author: mturk
Date: Thu Nov 12 06:01:01 2009
New Revision: 835246
URL: http://svn.apache.org/viewvc?rev=835246&view=rev
Log:
Cast some votes
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?