Re: Security issue involving HTTP response headers

2019-10-01 Thread Peter Kreuser
Hi James, Peter Kreuser > On 02.10.2019 at 08:05 wrote > : > > Tomcat 7.0.63 and above. > > Navigate to the tomcat conf directory and open the web.xml with a text editor. > > In the filter section of the web.xml add the following filter > > > httpHeaderSecurity > > org.apache.cata

RE: Security issue involving HTTP response headers

2019-10-01 Thread jonmcalexander
Tomcat 7.0.63 and above. Navigate to the tomcat conf directory and open the web.xml with a text editor. In the filter section of the web.xml add the following filter httpHeaderSecurity org.apache.catalina.filters.HttpHeaderSecurityFilter antiClickJackingOption SAME

Security issue involving HTTP response headers

2019-10-01 Thread jamesl
We have a customer who is particularly concerned about security. We just updated their Tomcat, which solved all the issues coming up in their security scan, except for one involving the following HTTP headers: X-FRAME-OPTIONS, X-XSS-PROTECTION, X-CONTENT-TYPE-OPTIONS and strict transport security

RE: Tomcat 9.0.24/9.0.26 suspected memory leak

2019-10-01 Thread Chen Levy
> -Original Message- > From: Mark Thomas > Sent: Tuesday, October 1, 2019 17:43 > To: users@tomcat.apache.org > Subject: Re: Tomcat 9.0.24/9.0.26 suspected memory leak > > Found it. > > HTTP/2 on NIO is affected. > HTTP/2 on APR/native is not affected. > > Need to check on NIO2 but I su

Re: Tomcat 9.0.24/9.0.26 suspected memory leak

2019-10-01 Thread Mark Thomas
Found it. HTTP/2 on NIO is affected. HTTP/2 on APR/native is not affected. Need to check on NIO2 but I suspect it is affected. Patch to follow shortly. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For add

Re: tomcat startup error on windows 10

2019-10-01 Thread Mark Thomas
On 01/10/2019 22:12, Barry Kimelman wrote: > my laptop is windows 10 , 64 bit > > I am running tomcat 9.0.14. it has been running fine since I installed it, > until today. Today for the first time in a long while I could not start > tomcat. > > I found the following logfile >

Re: Tomcat 9.0.24/9.0.26 suspected memory leak

2019-10-01 Thread Mark Thomas
On 30/09/2019 14:12, Rémy Maucherat wrote: > I added debug code in > AbstractProtocol.ConnectionHandler.release(SocketWrapperBase) to check > if the processor considered was present in the waitingProcessors map. The > result is the following: > TEST-javax.servlet.http.TestHttpServletResponseSend

tomcat startup error on windows 10

2019-10-01 Thread Barry Kimelman
My laptop is Windows 10, 64 bit. I am running tomcat 9.0.14. It has been running fine since I installed it, until today. Today for the first time in a long while I could not start tomcat. I found the following logfile *** * C:\Tomcat_9_0_14\logs

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Mark Thomas
On 01/10/2019 18:27, Martin Cocaro wrote: > yes, upgrading to 8.5 is work in progress, but would want to have a > conclusive test that the same scenario fails in 8.0.X. What is the best way > to distribute the POC code and what is required from our end to get access > to it? Martin, There is no P

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
Yes, upgrading to 8.5 is work in progress, but would want to have a conclusive test that the same scenario fails in 8.0.X. What is the best way to distribute the POC code and what is required from our end to get access to it? On Tue, Oct 1, 2019 at 1:54 PM Christopher Schultz < ch...@christophersc

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Christopher Schultz
Martin, On 10/1/19 12:15, Martin Cocaro wrote: > Thank you Chris for the answer. The EOL date and its policy made > me wonder if the CVE was tested it against that version. > > Is there any place I can get a POC version of the CVE test case so > tha

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
Thank you, Chris, for the answer. The EOL date and its policy made me wonder if the CVE was tested against that version. Is there any place I can get a POC version of the CVE test case so that I can do the test myself against version 8.0.53? On Tue, Oct 1, 2019 at 12:43 PM Christopher Schultz <

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
Thank you for the confirmation! Much appreciated. On Tue, Oct 1, 2019 at 12:46 PM Mark Thomas wrote: > > Martin, > > > > On 10/1/19 10:35, Martin Cocaro wrote: > >> Apache Tomcat Users Team, > > > >> The purpose of this email is to request information regarding > >> Apache Tomcat CVE-2018-8037 >

Re: Release of Tomcat 8.5.46, EOL of 8.5.x?

2019-10-01 Thread Christopher Schultz
Mark, On 9/27/19 12:18, Mark Thomas wrote: > On 27/09/2019 14:38, KM wrote: >> I saw the announcement of the latest 8.5.x version of Tomcat. >> Has anyone heard of an EOL date for Tomcat 8.5.x? I haven't seen >> anything about it anywhere. I saw 8

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Mark Thomas
> Martin, > > On 10/1/19 10:35, Martin Cocaro wrote: >> Apache Tomcat Users Team, > >> The purpose of this email is to request information regarding >> Apache Tomcat CVE-2018-8037 >> possibly affecting >> version 8.0.X (particularly 8.0.53). The CVE

Re: Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Christopher Schultz
Martin, On 10/1/19 10:35, Martin Cocaro wrote: > Apache Tomcat Users Team, > > The purpose of this email is to request information regarding > Apache Tomcat CVE-2018-8037 > possibly affecting > version

Additional Information on Apache Tomcat CVE-2018-8037

2019-10-01 Thread Martin Cocaro
Apache Tomcat Users Team, The purpose of this email is to request information regarding Apache Tomcat CVE-2018-8037 possibly affecting version 8.0.X (particularly 8.0.53). The CVE was made public on 22-July-2018, after being privately disclosed on 16