On 4 October 2017 23:31:36 BST, Laurent Perez wrote:
>Thanks for the replies. The jsessionid/cookie tracking mode is not really
>part of the problem, sorry about that.
>
>Obviously I'm thinking about renaming the war but the rewriting is really
>used, for example seo friendly urls like /bar/step
Thanks for the replies. The jsessionid/cookie tracking mode is not really
part of the problem, sorry about that.
Obviously I'm thinking about renaming the war but the rewriting is really
used, for example seo friendly urls like /bar/steps/1 internally rewrite to
/foo/somesubmodule/steps.jsp?step=1
On 4 October 2017 21:28:24 BST, Stefan Mayr wrote:
>Hi
>
>On 04.10.2017 at 19:27, Mark Thomas wrote:
>> ... are now (mostly) available:
>>
>> http://tomcat.apache.org/presentations.html
>>
>> I thought Jean-Frederic sent me his slides but I can't find the e-mail.
>> I'm sure one of us will upd
TCD,
On 10/4/17 3:45 PM, TurboChargedDad . wrote:
> Perhaps I am not wording my question correctly.
Can you confirm that the connection-pool exhaustion appears to be
happening on the AJP client (httpd/mod_proxy_ajp) and NOT on the
server (Tomcat/AJ
James,
On 10/4/17 3:44 PM, James H. H. Lampert wrote:
> On 10/4/17, 12:26 PM, Christopher Schultz wrote:
>> James,
> . . .
>> Okay so you are in no way interfering with the defaults. That
>> mea
James,
On 10/4/17 12:54 PM, James H. H. Lampert wrote:
> On the HTTPAPI/FTPAPI list, I was told that HTTPAPI uses the
> operating system's SSL support (which was how I thought it worked),
> and directed to look through the system values to see what
Hi
On 04.10.2017 at 19:27, Mark Thomas wrote:
> ... are now (mostly) available:
>
> http://tomcat.apache.org/presentations.html
>
> I thought Jean-Frederic sent me his slides but I can't find the e-mail.
> I'm sure one of us will update that page shortly.
Reverse Proxies, Load-Balancing & Clus
Perhaps I am not wording my question correctly.
Today we have...
[Proxy 1] | [Proxy 2] ---> [Apache ---> tomcat1]
(HTTPS) (HTTPS) (HTTPS) --> (AJP) -->
So we send the information from the proxies over https to the instance
running the tomcat server.
The SSL is terminated by Apa
On 10/4/17, 12:26 PM, Christopher Schultz wrote:
James,
. . .
Okay so you are in no way interfering with the defaults. That means
you'll get (depending upon your exact versions of various things) a
Tomcat which supports TLSv1 or later, and most o
James,
On 10/4/17 3:15 PM, James H. H. Lampert wrote:
> Christopher Schultz (Tomcat list guru) wrote:
/me bows
>> Looks like your server only has ECDHE-based suites available, and
>> the client supports none of those. Can you post your
>> config
Christopher Schultz (Tomcat list guru) wrote:
Looks like your server only has ECDHE-based suites available, and the
client supports none of those. Can you post your
configuration from conf/server.xml?
Yes, and I can also post something else.
I found the Java source for your own "SSLInfo" pro
On 04/10/17 19:26, TurboChargedDad . wrote:
> My initial reads about BIO vs NIO seems to involve terminating SSL at the
> tomcat instance. Which we do not do. Am I running off into the weeds with
> that?
Yes. The NIO AJP connector is a drop in replacement for the BIO AJP
connector.
https://to
My initial reads about BIO vs NIO seems to involve terminating SSL at the
tomcat instance. Which we do not do. Am I running off into the weeds with
that?
Thanks,
TCD
On Wed, Oct 4, 2017 at 9:17 AM, Mark Thomas wrote:
> On 04/10/17 13:51, TurboChargedDad . wrote:
> > Hello all..
> > I am go
James,
On 10/4/17 12:54 PM, James H. H. Lampert wrote:
> I wrote:
>>> I mean, I know that I need to get HTTPAPI and Tomcat speaking
>>> the same language, but where do I begin?
> Here's what I got back when I ran the SSLLabs server test on the
> clo
Thanks for the suggestions. Pulling the various suggestions so far we have:
- Frankfurt, Germany
- Paris, France
- Washington DC, USA
- Manchester, UK
With some of those locations coming with a venue provided and/or
potential for sponsorship.
My current thinking (and this is just my personal vie
... are now (mostly) available:
http://tomcat.apache.org/presentations.html
I thought Jean-Frederic sent me his slides but I can't find the e-mail.
I'm sure one of us will update that page shortly.
Enjoy!
Mark
2017-10-04 17:53 GMT+03:00 Aquatic Safaris Diver :
>
> I've read the migration manuals and have tried to make the changes to
> my configuration to work correctly in tomcat v8.5, but it's not. I'm
> not an expert on XML files and JDK so please help me. I'm sure this is crazy
> simple
> for you ex
I wrote:
I mean, I know that I need to get HTTPAPI and Tomcat speaking the
same language, but where do I begin?
Here's what I got back when I ran the SSLLabs server test on the cloud
server:
Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SS
2017-09-28 19:56 GMT+03:00 Konstantin Kolinko :
> 2017-09-26 11:57 GMT+03:00 Oliver Heister :
>> 2. Currently MITM attacks by evil ISPs or WiFi networks are possible
>> against people downloading tomcat from
>> http://tomcat.apache.org/download-80.cgi . (The page has links to PGP, md5
>> and sha1
I've read the migration manuals and have tried to make the changes to
my configuration to work correctly in tomcat v8.5, but it's not. I'm
not an expert on XML files and JDK so please help me. I'm sure this is crazy
simple
for you experts.
The server.xml conf file is OK between the two version
On 4 October 2017 15:17:25 BST, Mark Thomas wrote:
>On 04/10/17 13:51, TurboChargedDad . wrote:
>> Hello all..
>> I am going to do my best to describe my problem. Hopefully someone will
>> have some sort of insight.
>>
>> Tomcat 7.0.41 (working on updating that)
>> Java 1.6 (Working on getting
On 04/10/17 13:51, TurboChargedDad . wrote:
> Hello all..
> I am going to do my best to describe my problem. Hopefully someone will
> have some sort of insight.
>
> Tomcat 7.0.41 (working on updating that)
> Java 1.6 (Working on getting this updated to the latest minor release)
> RHEL Linux
>
>
Hi,
I was hoping to get some help/suggestion since I have nearly exhausted all
options (at least, I have tried quite a few items).
I have an instrumentation agent which I want to load after the VM starts
tomcat. I have no problem loading the agent itself.
What I am having issues with is the clas
Hello all..
I am going to do my best to describe my problem. Hopefully someone will
have some sort of insight.
Tomcat 7.0.41 (working on updating that)
Java 1.6 (Working on getting this updated to the latest minor release)
RHEL Linux
I inherited an opti-tenant setup. Individual user accounts o
Thanks Mark and Christopher
On Wed, Oct 4, 2017 at 6:12 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:
> Murthy,
>
> On 10/3/17 7:38 AM, s v n trimurthulu wrote:
> > At present we are using 7.0.x in our production environment.
-Original Message-
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, October 04, 2017 11:14 AM
To: users@tomcat.apache.org
Subject: Re: Mapping role names to groups
> On 04.10.2017 10:20, Sebastian Trost wrote:
>> -Original Message-
>> From: Mark Thomas [mailt
Hello,
2017-10-04 4:52 GMT+03:00 Caldarale, Charles R :
>
> > From: Baron Fujimoto [mailto:ba...@hawaii.edu]
> > Subject: Re: [SECURITY] CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP upload
>
> > I haven't seen an announcement for 8.0.47, nor does the Apache Tomcat
> > website seem
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 7.0.82.
Apache Tomcat is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Expression Language and Java
WebSocket technologies.
This release contains a number of bug fixes and improvement
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.0.47.
Please note that Tomcat 8.x users should normally be using 8.5.x
releases in preference to 8.0.x releases. The Apache Tomcat team
announced that support for Apache Tomcat 8.0.x will end on
30 June 2018.
Apache To
On 04.10.2017 10:20, Sebastian Trost wrote:
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, October 03, 2017 4:10 PM
To: Tomcat Users List
Subject: Re: Mapping role names to groups
On 03/10/17 14:01, Sebastian Trost wrote:
Hi!
I was looking for a way to m
On 04/10/17 08:53, Brian Toal wrote:
> The chain [1] left off with:
> "The relevant language is in section 8.2.1
>
>
> If a framework wants its META-INF/web-fragment.xml honored in such a way
> that it augments a web application's web.xml, the framework must be bundled
> within the web application
On 04/10/17 09:20, Sebastian Trost wrote:
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Tuesday, October 03, 2017 4:10 PM
> To: Tomcat Users List
> Subject: Re: Mapping role names to groups
>
> On 03/10/17 14:01, Sebastian Trost wrote:
>>> Hi!
>>>
>>> I was l
On 04/10/17 08:27, Michael Smith wrote:
> Mark,
>
> Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they
> are not supported, but are they exploitable by this vulnerability?
I don't know. I haven't tested them and I don't plan to test them.
My expectation is that 6.x and 5
-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, October 03, 2017 4:10 PM
To: Tomcat Users List
Subject: Re: Mapping role names to groups
On 03/10/17 14:01, Sebastian Trost wrote:
>> Hi!
>>
>> I was looking for a way to map security role names from tomcat to
On 04.10.2017 07:40, Peter Kreuser wrote:
Peter Kreuser
On 04.10.2017 at 02:44, Christopher Schultz wrote:
Laurant,
On 10/3/17 5:17 PM, Laurent Perez wrote:
I'm using apache+mod_proxy+mod_rewrite as a tomcat frontend. A
"foo" war is deploy
Jetty also makes it very easy to scan jar for @WebServlet, @WebFilter,
@WebListener via AnnotationConfiguration.
http://www.eclipse.org/jetty/documentation/9.4.x/configuring-webapps.html
On Wed, Oct 4, 2017 at 12:53 AM, Brian Toal wrote:
> The chain [1] left off with:
> "The relevant language is
The chain [1] left off with:
"The relevant language is in section 8.2.1
If a framework wants its META-INF/web-fragment.xml honored in such a way
that it augments a web application's web.xml, the framework must be bundled
within the web application's WEB-INF/lib directory
Therefore, Tomcat 8.0 lo
On 04.10.2017 02:44, Christopher Schultz wrote:
Laurant,
On 10/3/17 5:17 PM, Laurent Perez wrote:
I'm using apache+mod_proxy+mod_rewrite as a tomcat frontend. A
"foo" war is deployed at /foo context path under tomcat. The /foo
path is not public,
Mark,
Do you know if tomcat 5.x and 6.x are vulnerable to this issue? I know they
are not supported, but are they exploitable by this vulnerability?
Thx
Mike
On 3 October 2017 at 11:55, Mark Thomas wrote:
> CVE-2017-12617 Apache Tomcat Remote Code Execution via JSP Upload
>
> Severity: Import