Weirdest thing this afternoon: Firefox liked a server, but Chrome didn't

2024-12-19 James Lampert
This afternoon, I was doing a routine certificate update for a customer (cert in a Java Keystore), and when I restarted, Firefox worked just fine with the site, but Chrome kept insisting it couldn't negotiate a cipher. The customer in question is still on Tomcat 7, because for some reason (maybe h

RE: Tomcat 10.1.34 log messages

2024-12-19 joan.balaguero
Perfect Mark, thanks. -Original Message- From: Mark Thomas Sent: Thursday, December 19, 2024 5:12 PM To: users@tomcat.apache.org Subject: Re: Tomcat 10.1.34 log messages Hi Joan, Thanks for the extra information. I can see several legitimate ways the NPE might happen. I've added a nul

Re: Tomcat 10.1.34 log messages

2024-12-19 Mark Thomas
Hi Joan, Thanks for the extra information. I can see several legitimate ways the NPE might happen. I've added a null check to avoid any NPE in that case. I can also see a couple of ways the warning message could appear in normal usage so I've dropped that to debug. Both changes will be in

Re: Excessive memory usage for HTTP/2 requests

2024-12-19 Arjan van IJzendoorn
Hello, In my initial message, I tried embedding an image but that did not work. Here is a link to a publicly hosted image instead: https://ibb.co/4KFXgdj In the memory analyzer screenshot, you can see the 'recycledRequestAndResponses' stack taking up 288MB, which is more than half of the tota

Re: CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet

2024-12-19 Thiru
I truly appreciate your swift response, Mark. Thank you so much! On Thu, Dec 19, 2024 at 4:23 PM Mark Thomas wrote: > On 19/12/2024 10:49, Thiru wrote: > > Hello There, > > > > Good day! > > > > Could you kindly help clarify the following regarding CVE-2024-50379? > > > > In the default Tomcat

Re: CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet

2024-12-19 Mark Thomas
On 19/12/2024 10:49, Thiru wrote: Hello There, Good day! Could you kindly help clarify the following regarding CVE-2024-50379? In the default Tomcat setup, the readonly initialization parameter of the DefaultServlet is not write-enabled, even for a case-insensitive file system (Reference: http

RE: CVE-2024-50379 Apache Tomcat - RCE via write-enabled default servlet

2024-12-19 Thiru
Hello There, Good day! Could you kindly help clarify the following regarding CVE-2024-50379? In the default Tomcat setup, the readonly initialization parameter of the DefaultServlet is not write-enabled, even for a case-insensitive file system (Reference: https://tomcat.apache.org/tomcat-9.0-doc