[SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass

2011-03-15 Thread Mark Thomas
CVE-2011-1088 Apache Tomcat security constraint bypass Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.10 - Earlier versions are not affected Description: When a web application was started, @

svn commit: r1081698 - /tomcat/trunk/webapps/docs/config/host.xml

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 09:42:37 2011 New Revision: 1081698 URL: http://svn.apache.org/viewvc?rev=1081698&view=rev Log: The name for the default host does not have to be resolvable in DNS. Modified: tomcat/trunk/webapps/docs/config/host.xml Modified: tomcat/trunk/webapps/docs/config/h

svn commit: r1081700 - /tomcat/trunk/webapps/docs/changelog.xml

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 09:44:17 2011 New Revision: 1081700 URL: http://svn.apache.org/viewvc?rev=1081700&view=rev Log: Add recent change Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/trunk

Re: Confirming a bug with Tomcat 7 and Java Mail.

2011-03-15 Thread Mark Thomas
On 14/03/2011 23:11, Peter P. Lupo wrote: > Just to be clear: you don't have to try sending an e-mail. Just add the jar > and try to get a response or two from an app running on Tomcat 7. I don't see this error. The users list is the place to debug this. Mark

Re: Review Request: Proposed fix for BZ 50903

2011-03-15 Thread markt
> On 2011-03-14 10:07:37, Filip Hanik wrote: > > I think the entire solution is over complicated. Not a fan of introducing > > the processor into the input buffer, for an edge case. > > If you are stopping the connector, I would let the current request finish > > up. > > Since Tomcat 7 should

svn commit: r1081755 - /tomcat/trunk/java/org/apache/catalina/valves/CrawlerSessionManagerValve.java

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 12:58:04 2011 New Revision: 1081755 URL: http://svn.apache.org/viewvc?rev=1081755&view=rev Log: Better comment Modified: tomcat/trunk/java/org/apache/catalina/valves/CrawlerSessionManagerValve.java Modified: tomcat/trunk/java/org/apache/catalina/valves/Crawler

svn commit: r1081765 - in /tomcat/trunk/java/org/apache/jasper: util/Enumerator.java xmlparser/ASCIIReader.java xmlparser/TreeNode.java xmlparser/UTF8Reader.java xmlparser/XMLEncodingDetector.java xml

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 13:10:33 2011 New Revision: 1081765 URL: http://svn.apache.org/viewvc?rev=1081765&view=rev Log: Remove unused code Fix some Eclipse warnings Modified: tomcat/trunk/java/org/apache/jasper/util/Enumerator.java tomcat/trunk/java/org/apache/jasper/xmlparser/ASCI

svn commit: r1081771 - in /tomcat/trunk: java/org/apache/jasper/resources/LocalStrings.properties java/org/apache/jasper/xmlparser/XMLEncodingDetector.java res/findbugs/filter-false-positives.xml

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 13:23:13 2011 New Revision: 1081771 URL: http://svn.apache.org/viewvc?rev=1081771&view=rev Log: Fix a couple of FindBugs warnings Modified: tomcat/trunk/java/org/apache/jasper/resources/LocalStrings.properties tomcat/trunk/java/org/apache/jasper/xmlparser/X

DO NOT REPLY [Bug 48318] WebDAV servlet returns 500 if files not readable

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=48318 --- Comment #3 from Rico Neubauer 2011-03-15 09:23:23 EDT --- Besides dead links or missing permissions, also a folder with a trailing dot in its name leads to this error. e.g. "00." -- Configure bugmail: https://issues.apache.org/bugzil

DO NOT REPLY [Bug 48318] WebDAV servlet returns 500 if files not readable

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=48318 Rico Neubauer changed: What|Removed |Added CC||r.neuba...@seeburger.de -- Config

svn commit: r1081775 - in /tomcat/trunk: build.xml webapps/examples/WEB-INF/classes/ServletToJsp.java webapps/examples/WEB-INF/classes/servletToJsp.java webapps/examples/WEB-INF/web.xml

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 13:31:43 2011 New Revision: 1081775 URL: http://svn.apache.org/viewvc?rev=1081775&view=rev Log: Fix FindBugs nag Added: tomcat/trunk/webapps/examples/WEB-INF/classes/ServletToJsp.java - copied, changed from r1081772, tomcat/trunk/webapps/examples/WEB-INF/

Re: svn commit: r1081775 - in /tomcat/trunk: build.xml webapps/examples/WEB-INF/classes/ServletToJsp.java webapps/examples/WEB-INF/classes/servletToJsp.java webapps/examples/WEB-INF/web.xml

2011-03-15 Thread Mark Thomas
On 15/03/2011 13:31, ma...@apache.org wrote: > Author: markt > Date: Tue Mar 15 13:31:43 2011 > New Revision: 1081775 > > URL: http://svn.apache.org/viewvc?rev=1081775&view=rev > Log: > Fix FindBugs nag > > Added: > tomcat/trunk/webapps/examples/WEB-INF/classes/ServletToJsp.java > - cop

svn commit: r1081785 - in /tomcat/trunk: java/org/apache/catalina/mbeans/MBeanUtils.java java/org/apache/jasper/compiler/TagFileProcessor.java res/findbugs/filter-false-positives.xml

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 13:56:35 2011 New Revision: 1081785 URL: http://svn.apache.org/viewvc?rev=1081785&view=rev Log: More FindBugs warnings Modified: tomcat/trunk/java/org/apache/catalina/mbeans/MBeanUtils.java tomcat/trunk/java/org/apache/jasper/compiler/TagFileProcessor.java

svn commit: r1081786 - /tomcat/trunk/webapps/docs/changelog.xml

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 13:58:21 2011 New Revision: 1081786 URL: http://svn.apache.org/viewvc?rev=1081786&view=rev Log: Include clean-up under a single entry Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org

svn commit: r1081793 - /tomcat/trunk/webapps/docs/config/valve.xml

2011-03-15 Thread kkolinko
Author: kkolinko Date: Tue Mar 15 14:07:27 2011 New Revision: 1081793 URL: http://svn.apache.org/viewvc?rev=1081793&view=rev Log: Followup to markt's r1081239: update the doc for CrawlerSessionManagerValve Modified: tomcat/trunk/webapps/docs/config/valve.xml Modified: tomcat/trunk/webapps/do

CrawlerSessionManagerValve and Response.encodeURL(..)

2011-03-15 Thread Konstantin Kolinko
Hi! The CrawlerSessionManagerValve sets sessionId from ip address as request.setRequestedSessionId(sessionInfo.getSessionId()); I have not checked, but I suspect that the Response.encodeURL(..) calls in the web application will still be including the session id into the URLs. Wouldn't it be go

Re: CrawlerSessionManagerValve and Response.encodeURL(..)

2011-03-15 Thread Mark Thomas
On 15/03/2011 14:28, Konstantin Kolinko wrote: > Hi! > > The CrawlerSessionManagerValve sets sessionId from ip address as > > request.setRequestedSessionId(sessionInfo.getSessionId()); > > I have not checked, but I suspect that the Response.encodeURL(..) > calls in the web application > will s

Re: Confirming a bug with Tomcat 7 and Java Mail.

2011-03-15 Thread Konstantin Kolinko
2011/3/15 Peter P. Lupo : > I would open an issue on Bugzilla but first I'd like to check it with you > guys. > >  I'm trying to add mail.jar (Java Mail) to my app's lib (the problem also > happens with tomcat's lib). It is quite simple. If I do it, I start getting > "Exception in thread http-bio-8

Re: CrawlerSessionManagerValve and Response.encodeURL(..)

2011-03-15 Thread Konstantin Kolinko
2011/3/15 Mark Thomas : > On 15/03/2011 14:28, Konstantin Kolinko wrote: >> Hi! >> >> The CrawlerSessionManagerValve sets sessionId from ip address as >> >>   request.setRequestedSessionId(sessionInfo.getSessionId()); >> >> I have not checked, but I suspect that the Response.encodeURL(..) >> calls

DO NOT REPLY [Bug 50394] InternalAprInputBuffer.fill() doesn't deal correctly with EOF

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50394 Hugh Warrington changed: What|Removed |Added Status|RESOLVED|REOPENED Resolution|INVA

svn commit: r1081882 - in /tomcat/trunk: java/org/apache/coyote/ajp/ java/org/apache/coyote/http11/ test/org/apache/catalina/connector/ test/org/apache/catalina/startup/ webapps/docs/

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 17:48:15 2011 New Revision: 1081882 URL: http://svn.apache.org/viewvc?rev=1081882&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50903 If a connector is stopped, do not process any keep-alive connections. The exact behaviours are: - HTTP BIO -

DO NOT REPLY [Bug 50903] Current keep-alive request processed after connector.stop()

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50903 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

[Tomcat Wiki] Update of "PoweredBy" by Björn Hahnefeld

2011-03-15 Thread Apache Wiki
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "PoweredBy" page has been changed by Björn Hahnefeld. http://wiki.apache.org/tomcat/PoweredBy?action=diff&rev1=323&rev2=324 -- [[h

[Tomcat Wiki] Update of "PoweredBy" by Björn Hahnefeld

2011-03-15 Thread Apache Wiki
Dear Wiki user, You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification. The "PoweredBy" page has been changed by Björn Hahnefeld. http://wiki.apache.org/tomcat/PoweredBy?action=diff&rev1=324&rev2=325 -- [[h

svn commit: r1081895 - /tomcat/trunk/webapps/docs/changelog.xml

2011-03-15 Thread kkolinko
Author: kkolinko Date: Tue Mar 15 18:37:24 2011 New Revision: 1081895 URL: http://svn.apache.org/viewvc?rev=1081895&view=rev Log: Correct a typo in changelog for 7.0.9 Modified: tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trunk/webapps/docs/changelog.xml URL: http://svn.apache.

DO NOT REPLY [Bug 50570] Allow explicit use of FIPS mode in APR lifecycle listener

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50570 --- Comment #10 from Chris Beckey 2011-03-15 16:16:28 EDT --- Created an attachment (id=26775) --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26775) Patch to implement FIPS mode setting in Tomcat 7 trunk Requires TC native pat

DO NOT REPLY [Bug 50570] Allow explicit use of FIPS mode in APR lifecycle listener

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50570 --- Comment #11 from Chris Beckey 2011-03-15 16:17:55 EDT --- Created an attachment (id=26776) --> (https://issues.apache.org/bugzilla/attachment.cgi?id=26776) patch to implement FIPS mode setting in tc native Requires patch to Tomcat,

DO NOT REPLY [Bug 50570] Allow explicit use of FIPS mode in APR lifecycle listener

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50570 Chris Beckey changed: What|Removed |Added Keywords||FixedInTrunk Component|Con

DO NOT REPLY [Bug 50570] Allow explicit use of FIPS mode in APR lifecycle listener

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50570 Chris Beckey changed: What|Removed |Added Attachment #26776|application/octet-stream|text/plain mime type|

svn commit: r1081940 - in /tomcat/trunk: java/org/apache/catalina/connector/Request.java webapps/docs/changelog.xml

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 20:49:44 2011 New Revision: 1081940 URL: http://svn.apache.org/viewvc?rev=1081940&view=rev Log: Handle the scenario where the client sends multiple JSESSIONID cookies. This patch trades a little duplication for simpler code. The duplication only occurs when the cli

DO NOT REPLY [Bug 50570] Allow explicit use of FIPS mode in APR lifecycle listener

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50570 Chris Beckey changed: What|Removed |Added CC||cbec...@gmail.com Componen

DO NOT REPLY [Bug 50570] Allow explicit use of FIPS mode in APR lifecycle listener

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50570 --- Comment #13 from Chris Beckey 2011-03-15 17:13:13 EDT --- The first attachment (named "Source and properties files to add FIPS ...") contains source code and properties using TC 6.0.20 as the base. The next two attached files (named "p

svn commit: r1081969 - in /tomcat/trunk: java/org/apache/tomcat/util/net/jsse/ test/org/apache/tomcat/util/net/ webapps/docs/

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 22:51:10 2011 New Revision: 1081969 URL: http://svn.apache.org/viewvc?rev=1081969&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50928 Don't ignore keyPass attribute Added: tomcat/trunk/test/org/apache/tomcat/util/net/keystore-info.txt (w

svn commit: r1081976 - in /tomcat/trunk: java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java webapps/docs/changelog.xml

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 22:53:36 2011 New Revision: 1081976 URL: http://svn.apache.org/viewvc?rev=1081976&view=rev Log: Chain exception Modified: tomcat/trunk/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java tomcat/trunk/webapps/docs/changelog.xml Modified: tomcat/trun

DO NOT REPLY [Bug 50928] [patch] JSSESocketFactory - wrong password in KeyManagerFactory.init

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50928 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

svn commit: r1081980 - in /tomcat/trunk/webapps/docs: changelog.xml ssl-howto.xml

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 23:00:54 2011 New Revision: 1081980 URL: http://svn.apache.org/viewvc?rev=1081980&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50925 Update docs for keyPass attribute Modified: tomcat/trunk/webapps/docs/changelog.xml tomcat/trunk/weba

DO NOT REPLY [Bug 50925] Key password no longer has to be same as keystore password

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50925 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

svn commit: r1081987 - in /tomcat/trunk: java/javax/servlet/http/ java/org/apache/catalina/connector/ java/org/apache/catalina/realm/ java/org/apache/catalina/valves/ java/org/apache/naming/resources/

2011-03-15 Thread markt
Author: markt Date: Tue Mar 15 23:05:53 2011 New Revision: 1081987 URL: http://svn.apache.org/viewvc?rev=1081987&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50929 When wrapping an exception, set the root cause Modified: tomcat/trunk/java/javax/servlet/http/HttpUtils.j

DO NOT REPLY [Bug 50929] [patch] Ensure rethrown exceptions retain the original cause

2011-03-15 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=50929 Mark Thomas changed: What|Removed |Added Status|NEW |RESOLVED Resolution|

svn commit: r1082037 - /tomcat/tc6.0.x/trunk/STATUS.txt

2011-03-15 Thread kkolinko
Author: kkolinko Date: Wed Mar 16 03:23:31 2011 New Revision: 1082037 URL: http://svn.apache.org/viewvc?rev=1082037&view=rev Log: vote Modified: tomcat/tc6.0.x/trunk/STATUS.txt Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=10