Author: isapir
Date: Mon Oct 22 08:02:26 2018
New Revision: 1844531
URL: http://svn.apache.org/viewvc?rev=1844531&view=rev
Log:
Added JniLifecycleListener per BZ 62830
Added:
tomcat/trunk/java/org/apache/catalina/core/JniLifecycleListener.java
Modified:
tomcat/trunk/webapps/docs/changelog
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
--- Comment #9 from Igal Sapir ---
Commit r1844531 adds JniLifecycleListener to trunk
--
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscri
Dtest.accesslog=true -Dexecute.test.nio=true
-Dtest.openssl.path=/srv/gump/public/workspace/openssl-1.1.1/dest-20181022/bin/openssl
-Dexecu
te.test.bio=false -Dexecute.test.apr=false -Dtest.excludePerformance=true
-Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-4.0-SNAPSHOT
ecute.test.nio=false -Dtest.accesslog=true
-Dtomcat-dbcp.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-20181022.jar
-Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-4.0-SNAPSHOT.jar
-Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test
[Working
xecute.test.nio=true -Dtest.accesslog=true
-Dtomcat-dbcp.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-20181022.jar
-Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easymock-4.0-SNAPSHOT.jar
-Dcglib.jar=/srv/gump/packages/cglib/cglib-nodep-2.2.jar test
[Wor
workspace/tomcat-8.5.x/tomcat-build-libs
-Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.7.3a-201803300640/ecj-4.7.3a.jar
-Dtest.apr.loc=/srv/gump/public/workspace/tomcat-native-1.2-1.1.1/dest-20181022/lib
-Dtest.relaxTiming=true
-Dcommons-daemon.jar=/srv/gump/public/workspace/apache-commons/d
lic/workspace/tomcat-native-1.2-1.0.2/dest-20181022/lib
-Dtest.relaxTiming=true -Dexecute.test.nio=false -Dtest.accesslog=true
-Dtomcat-dbcp.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-20181022.jar
-Deasymock.jar=/srv/gump/public/workspace/easymock/core/target/easym
GitHub user mdfst13 opened a pull request:
https://github.com/apache/tomcat/pull/128
Add missing word for readability
Not an important change, but seemed worth making now while it's topical
rather than leaving as is. The old version said that it tested in the past.
This version s
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
Bug ID: 62844
Summary: Tomcat CGI suffix name arbitrary resolution vulnerability
Product: Tomcat 9
Version: 9.0.8
Hardware: PC
Status: NEW
Severity:
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
--- Comment #1 from mingxuan ---
Created attachment 36203
--> https://bz.apache.org/bugzilla/attachment.cgi?id=36203&action=edit
Please refer to the annex for details.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
mingxuan changed:
What|Removed |Added
OS||All
--- Comment #2 from mingxuan ---
Tomca
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
mingxuan changed:
What|Removed |Added
OS|All |Mac OS X 10.13
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
Remy Maucherat changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
--- Comment #4 from mingxuan ---
Thank you very much for your reply. If there are safety problems. Is it a
direct email to secur...@tomcat.apache.org? I still think there is a risk.
Because CGI has been opened. Upload it to this directory for w
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
--- Comment #5 from Remy Maucherat ---
Yes, obvious security concerns should always be discussed on the security
mailing list.
At this time, the CGI servlet treats as CGI any mapped path.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
--- Comment #6 from mingxuan ---
Well. Thank you very much! Thank you! I'll send an e-mail to the security team.
Ha-ha! I always feel like a problem。。。 ;)
Author: isapir
Date: Mon Oct 22 17:54:31 2018
New Revision: 1844592
URL: http://svn.apache.org/viewvc?rev=1844592&view=rev
Log:
Added JniLifecycleListener per BZ 62830
Added:
tomcat/tc8.5.x/trunk/java/org/apache/catalina/core/JniLifecycleListener.java
Modified:
tomcat/tc8.5.x/trunk/webapp
Author: isapir
Date: Mon Oct 22 18:06:11 2018
New Revision: 1844593
URL: http://svn.apache.org/viewvc?rev=1844593&view=rev
Log:
Added JniLifecycleListener per BZ 62830
Added:
tomcat/tc7.0.x/trunk/java/org/apache/catalina/core/JniLifecycleListener.java
Modified:
tomcat/tc7.0.x/trunk/webapp
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
Igal Sapir changed:
What|Removed |Added
Resolution|--- |FIXED
Status|NEW
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
--- Comment #11 from Igal Sapir ---
JniLifecycleListener, Library.load(), and Library.loadLibrary() available in
Tomcat 9.0.13, 8.5.35, and 7.0.92
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
--- Comment #7 from Mark Thomas ---
Speaking as a member of both the Tomcat and ASF security teams:
I whole-heartedly endorse everything Rémy said in comment #3.
There is no vulnerability here. By design, the CGI servlet executes what it is
t
On 22/10/2018 09:19, Bill Barker wrote:
To whom it may engage...
test-compile:
[javac] Compiling 168 source files to
/srv/gump/public/workspace/tomcat-7.0.x/output/testclasses
[javac]
/srv/gump/public/workspace/tomcat-7.0.x/test/org/apache/catalina/valves/TestCrawlerSessionManage
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
--- Comment #12 from Christopher Schultz ---
Sorry... I must be missing something, here.
System.loadLibrary isn't ClassLoader-specific... once the library has been
loaded, it can't be loaded again at all.
The code here is all fine, and using
https://bz.apache.org/bugzilla/show_bug.cgi?id=62844
--- Comment #8 from mingxuan ---
Thank you very much. Your explanation is authoritative. This problem is really
caused by Web's arbitrary path uploading and CGI arbitrary resolution. And left
behind CGI's script back door. This should really be
To whom it may engage...
This is an automated request, but not an unsolicited one. For
more information please visit http://gump.apache.org/nagged.html,
and/or contact the folk at gene...@gump.apache.org.
Project tomcat-tc7.0.x-test-bio has an issue affecting its community
integration.
To whom it may engage...
This is an automated request, but not an unsolicited one. For
more information please visit http://gump.apache.org/nagged.html,
and/or contact the folk at gene...@gump.apache.org.
Project tomcat-tc8.5.x-test-nio has an issue affecting its community
integration.
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
--- Comment #13 from Igal Sapir ---
(In reply to Christopher Schultz from comment #12)
> Sorry... I must be missing something, here.
>
> System.loadLibrary isn't ClassLoader-specific... once the library has been
> loaded, it can't be loaded ag
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
--- Comment #14 from Konstantin Kolinko ---
I think that this listener must be mentioned on "security-howto.xml".
http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Listeners
It can be configured in any container (e.g. in context.xml
To whom it may engage...
This is an automated request, but not an unsolicited one. For
more information please visit http://gump.apache.org/nagged.html,
and/or contact the folk at gene...@gump.apache.org.
Project tomcat-tc7.0.x-test-nio has an issue affecting its community
integration.
To whom it may engage...
This is an automated request, but not an unsolicited one. For
more information please visit http://gump.apache.org/nagged.html,
and/or contact the folk at gene...@gump.apache.org.
Project tomcat-tc8.5.x-test-nio2 has an issue affecting its community
integration
To whom it may engage...
This is an automated request, but not an unsolicited one. For
more information please visit http://gump.apache.org/nagged.html,
and/or contact the folk at gene...@gump.apache.org.
Project tomcat-tc8.5.x-test-apr has an issue affecting its community
integration.
To whom it may engage...
This is an automated request, but not an unsolicited one. For
more information please visit http://gump.apache.org/nagged.html,
and/or contact the folk at gene...@gump.apache.org.
Project tomcat-trunk-test-nio2 has an issue affecting its community integration.
T
To whom it may engage...
This is an automated request, but not an unsolicited one. For
more information please visit http://gump.apache.org/nagged.html,
and/or contact the folk at gene...@gump.apache.org.
Project tomcat-tc7.0.x-test-apr has an issue affecting its community
integration.
Author: isapir
Date: Tue Oct 23 04:26:21 2018
New Revision: 1844615
URL: http://svn.apache.org/viewvc?rev=1844615&view=rev
Log:
Added JniLifecycleListener statement to security-howto BZ 62830
Modified:
tomcat/trunk/webapps/docs/security-howto.xml
Modified: tomcat/trunk/webapps/docs/security-
https://bz.apache.org/bugzilla/show_bug.cgi?id=62830
--- Comment #15 from Igal Sapir ---
(In reply to Konstantin Kolinko from comment #14)
> I think that this listener must be mentioned on "security-howto.xml".
>
> http://tomcat.apache.org/tomcat-9.0-doc/security-howto.html#Listeners
>
> It can
I just checked https://tomcat.apache.org/ and it does not support HTTP/2.
Who can fix that?
Igal
The Buildbot has detected a new failure on builder tomcat-trunk while building
. Full details are available at:
https://ci.apache.org/builders/tomcat-trunk/builds/3677
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: silvanus_ubuntu
Build Reason: The AnyBranchScheduler schedu
I am able to build locally on that same revision.
Any ideas?
Igal
On Mon, Oct 22, 2018 at 9:51 PM wrote:
> The Buildbot has detected a new failure on builder tomcat-trunk while
> building . Full details are available at:
> https://ci.apache.org/builders/tomcat-trunk/builds/3677
>
> Buildbo
On October 23, 2018 4:33:19 AM UTC, Igal Sapir wrote:
>I just checked https://tomcat.apache.org/ and it does not support
>HTTP/2.
>
>Who can fix that?
>
>Igal
The infrastructure team.
Mark
Author: kfujino
Date: Tue Oct 23 06:58:38 2018
New Revision: 1844619
URL: http://svn.apache.org/viewvc?rev=1844619&view=rev
Log:
Ensure that the member is removed from the suspect list when a member is added.
Modified:
tomcat/trunk/java/org/apache/catalina/tribes/group/interceptors/TcpFailureDetector.jav