On 09/10/2024 03:33, Boris Petrov wrote:
I also have been experiencing the same issue (with Tomcat 9). 9.0.93
works fine. 9.0.94 is unusable. 9.0.95 and now 9.0.96 almost work but
sometimes I get the same behavior as with 9.0.94. I see it in my
integration tests - there are some sporadic failur
t the heap usage to see where the memory is being used.
Most profilers should also be able to tell where the CPU time is being
spent.
Did you look at DAEMON-460? Does it apply to you?
Mark
Regards,
Sajid
On 10/9/2024 4:24 PM, Mark Thomas wrote:
Please send your reply to the users list so
On 09/10/2024 07:47, Ron Boyer wrote:
hello, I am trying to renew the SSL certificate from a signing authority. I am
running Tomcat 9. I understand that I have to import PKCS #12 certificate. I
seem to be able to make one, but I don't think it is correct. My signing
authority, GoDaddy, wil
TBD.
I suspect this will be a topic of discussion at Community Over Code at
Bratislava next week.
I am expecting that any fix won't be in the June release round but
should be in the July release round.
Let us know how you get on and good luck.
Will do!
Mark
On 30/05/2024 10:16, Mark Thom
On 30/09/2024 07:37, Lazar Kirchev wrote:
Hello,
Tomcat automatically adds header Transfer-Encoding: chunked if on http 1.1,
the response code supports body and there is no Connection: Close header
(Tomcat 9's code -
https://github.com/apache/tomcat/blob/372f3cefe6225b58fcdae7c344d81396b8e08570/
On 30/09/2024 07:38, Ahmed Ashour wrote:
Hi all,
Even though the regression should have been fixed in 10.1.30, our team still
sees it around once weekly. Twice so far.
With 10.1.29 it was very frequent, that the server can't be used, but with
10.1.30 it is much less, but sadly it seems on rare
On 04/10/2024 20:32, Anurag Sharma wrote:
HI Mark And Christopher,
Apologies for the late response,
Tomcat act as a reverse proxy to 3rd party legacy system. We have recently
upgraded Tomcat to use HTTP/2 protocol; this causes the legacy system not to
render and get an error message when re
15 Oct 2024 13:59:57 Andreas Moroder :
Hello,
we have Tomcat 9.0.96 and Java 8.
We would like to get rid of Oracle java and use IBM semeru.
Can Oracle java simply be replaced by ibm semeru,
Yes.
or are changes to the java and jsp applications necessary?
No.
Do the java libraries we ca
On 18/10/2024 09:55, Kele Masemola wrote:
Good day,
We are trying to integrate Tomcat Apache with Sentinel, so we just wanted to
get some clarity on a few things. We installed Apache Tomcat data connector on
Sentinel. It seems the Apache servers in our environment are running on Windows
machi
On 20/10/2024 02:49, Dan McLaughlin wrote:
We use Shibboleth SP, which passes request attributes from Apache over AJP
to Tomcat; after upgrading from Tomcat 10.1 to Tomcat 11, the request
attributes aren't coming over. Does anyone know of anything that changed
in Tomcat 11 that might affect requ
On 20/10/2024 15:45, Andreas Moroder wrote:
Hello Mark,
I made some more test, but it works only for a few clicks, then the
service stops. It's running on windows ( for reasons I dont'know and
can't change)
with semeru 17 I see this lines in the logs
I see a couple of problems with that code:
On 08/10/2024 05:21, Sajid Hussain wrote:
Hi,
I was using tomcat 9 with JDK 17 on windows. My java application was
using 2.7.18. Now I'm migrating my application spring version to 3.3.4
with Tomcat 10.1.30 and JDK 21. I have upgraded the version in my java
project and fix the hibernate error
On 28/10/2024 21:44, Leroy Mims wrote:
My place of work prefers DISA STIGed software. I contacted DISA about STIGs
for Tomcat 10.1 and they said that the organization that produces the
software has to request that it be STIGed. The idea of applyingTomcat 9
STIGs to Tomcat 10.1 was rejected and DI
On 24/10/2024 17:07, Alan Masters wrote:
I am attempting to send e-mail from Tomcat using an external mail host -
mail.btinternet.com.
I have included javax.mail jar in my build path and can see
javax.mail.Authenticator in this library.
When trying to start up apache-tomcat-9.0.91 I get
On 23/10/2024 18:57, Mark Foley wrote:
I'm running Tomcat 8.5.11. I have a hopefully small problem.
Tomcat 8.5.x is EOL and no longer supported.
8.5.11 is also rather old with quite a long list of know security issues.
I have a webapp directory: $CATALINA_HOME/webapps/myapp/. In that directo
CVE-2024-46544 Apache mod_jk - Information Disclosure / DoS
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
- JK 1.2.9-1.2.49 (mod_jk on Unix like platforms only)
Description:
Incorrect default permissions for the memory mapped file configured by
the JkShmFile dir
CVE-2024-38286 Apache Tomcat - Denial of Service
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M20
Apache Tomcat 10.1.0-M1 to 10.1.24
Apache Tomcat 9.0.13 to 9.0.89
Description:
Tomcat, under certain configurations on any platfo
On 23/09/2024 13:50, Rachana Kharchane wrote:
Hi Team,
I Have few queries
How can we ensure the old config is kept in place post installing a new tomcat
version?
Do we have options to backup the configuration and reapply after new version
install of Tomcat?
Read RUNNING.txt in the root of
On 21/09/2024 10:45, Thomas Hoffmann (Speed4Trade GmbH) wrote:
Hello,
the recent Tomcat 10.1 versions seem to contain the file tomcat-coyote-ffm.jar
This triggers a warning that the TldScanner didn't find any Tld inside the jar:
FEIN [main] org.apache.jasper.servlet.TldScanner$TldScannerCallback
On 24/09/2024 08:58, Michael Lau wrote:
here's a clip of the error from the cmd window of my friend:
0-Sep-2024 13:51:51.584 INFO [Timer-0]
org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading
Illegal access: this web application instance has been stopped already.
Could
On 26/09/2024 16:05, Doug Whitfield wrote:
Hi Folks,
On the left sidebar of the website the download is for “Tomcat 10” while the
Documentation is for “Tomcat 10.1”. Now, between Download and Documentation
things are consistent.
I don’t think this is strictly speaking wrong, but I don’t see a
On 24/09/2024 12:40, Thomas Meyer wrote:
Am 24. September 2024 10:44:46 MESZ schrieb Mark Thomas :
On 24/09/2024 08:59, Thomas Meyer wrote:
Hi,
We see sometimes elapsed time values with over 100 million milliseconds and
status code 500 in the Tomcat logs for HTTP/2.0 connections.
Is that
Mark
Thanks
-Original Message-
From: Mark Thomas
Sent: Thursday, September 19, 2024 2:52 PM
To: users@tomcat.apache.org
Subject: Re: Error migrating to Tomcat 10.1
On 19/09/2024 20:19, Campbell, Lance wrote:
I am using the latest Tomcat 10.1
Java 17
Apache Web server communicate
On 19/09/2024 20:19, Campbell, Lance wrote:
I am using the latest Tomcat 10.1
Java 17
Apache Web server communicates with an application server running tomcat. The
application name is webtools.
I am migrating a working app from Tomcat 9 to Tomcat 10.1.
Does your AJP connector in Tomcat 9 h
On 01/10/2024 06:15, Anurag Sharma wrote:
Dear Tomcat Team,
I hope this message finds you well.
I am currently facing a challenge regarding the use of HTTP/1.1 for specific
API endpoints within a servlet configured for HTTP/2. My browser defaults to
HTTP/2, which complicates the situation as
On 24/09/2024 08:59, Thomas Meyer wrote:
Hi,
We see sometimes elapsed time values with over 100 million milliseconds and
status code 500 in the Tomcat logs for HTTP/2.0 connections.
Is that expected or a bug?
Is it just the large elapsed times that are unexpected or are the 500
status codes
On 23/10/2024 23:13, Mark Foley wrote:
On Wed, 23 Oct 2024 19:13:44 Mark Thomas wrote:
That won't work. What will work is renaming:
$CATALINA_HOME/webapps/myapp
to
$CATALINA_HOME/webapps/myapp#subapp/
Mark
Hmmm ... what I was attempting was splitting many webapps into mul
On 11/10/2024 01:05, Eric Robinson wrote:
Mark,
Thanks very much for the update. We'll check back in November!
I've just committed the fix. It should be in the next set of releases
(November).
Mark
-Eric
-Original Message-----
From: Mark Thomas
Sent: Thursday, October
On 06/11/2024 21:17, Ivano Luberti wrote:
Hi, as stated in the subject, we had a correctly behaving tomcat 8.5
behind a reverse proxy implemented with Apache.
After upgrading to Tomcat 9 every request is seen by tomcat as coming
from localhost.
Apache and Tomcat are running on the same mach
CVE-2024-52316 Apache Tomcat - Authentication Bypass
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M26
Apache Tomcat 10.1.0-M1 to 10.1.30
Apache Tomcat 9.0.0-M1 to 9.0.95
Description:
If Tomcat was configured to use a custom Jakarta A
CVE-2024-52317 Apache Tomcat - Request and/or response mix-up
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M23 to 11.0.0-M26
Apache Tomcat 10.1.7 to 10.1.30
Apache Tomcat 9.0.92 to 9.0.95
Description:
Incorrect recycling of the request and
On 14/11/2024 20:08, Simon Arame wrote:
Hi, simple question to confirm a doubt about
https://tomcat.apache.org/tomcat-9.0-doc/config/context.html#Naming
the first paragraph states
When autoDeploy or deployOnStartup operations are performed by a Host,
the name and context path of the web
CVE-2024-52318 Apache Tomcat - XSS in generated JSPs
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0
Apache Tomcat 10.1.31
Apache Tomcat 9.0.96
Description:
The fix for improvement 69333 [0] caused pooled JSP tags not to be
released after use
hanks and Regards,
Rajendra Rathore
9922701491
-Original Message-
From: Mark Thomas
Sent: Monday, November 18, 2024 4:48 PM
To: Tomcat Users List
Cc: annou...@apache.org; annou...@tomcat.apache.org; Tomcat Developers List
Subject: [SECURITY] CVE-2024-52317 Apache Tomcat - Request a
Note: Correction to 10.1.x affected versions
CVE-2024-52317 Apache Tomcat - Request and/or response mix-up
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M23 to 11.0.0-M26
Apache Tomcat 10.1.27 to 10.1.30
Apache Tomcat 9.0.92 to 9.0.95
Descr
This has been fixed (by Rémy) for the August release round.
Mark
On 27/07/2023 01:41, Fong Mason wrote:
Hi Chris,
寄件者: Christopher Schultz
寄件日期: 2023年7月27日 0:35
收件者: users@tomcat.apache.org
主旨: Re: Persist function in host manager working in 9.0.60 but not 1
On 01/08/2023 19:13, அருள்ராஜன் அ லை wrote:
Hi
We are recently upgraded tomcat 8.5.91 . While the below JSP compiled into
JAVA it is missing some content
JSP
JAVA class generated
try {
response.setContentType("text/html");
pageContext = _jspxFactory.getPageContex
On 03/08/2023 16:53, Amit Pande wrote:
What am I missing in the logger configuration? Do we have to have the console
handler configured?
Is CATALINA_HOME set correctly?
Do you see any log file at all in the expected location?
Mark
---
RequestDispatcher operates within a given ServletContext (web application).
You are trying to do a cross-context dispatch - i.e. to another web
application. To do this you will need to:
- enable cross-context dispatch for the /plugins web application
https://tomcat.apache.org/tomcat-8.5-doc/
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.0-M10 (alpha).
Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.1.12.
Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specificati
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.92.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 8.5.92 is a bugfix and fea
19 Aug 2023 19:46:56 Bhavesh Mistry :
Hi, Tomcat Dev team and Users,
I am trying to block the request and give 404 bad requests or 403 when
the
HOST header does not match the requested server name. My goal is to
block
whenever there is a mismatch in the host header and URL server name.
On 18/08/2023 11:28, Rubén Pérez wrote:
This is a response to an existing thread (about Memory leak in recent
versions of Tomcat):
https://www.mail-archive.com/users@tomcat.apache.org/msg141882.html
I haven't found a way to reply publicly as a continuation of that thread.
You need to reply to
On 20/08/2023 05:21, Mark Thomas wrote:
On 18/08/2023 11:28, Rubén Pérez wrote:
I started experiencing exactly the same issue when updating from Spring
6.0.7 to 6.0.9, therefore updating tomcat from 10.1.5 to 10.1.8. The
Memory
leak is very clearly visible in my monitoring tools. A
Tomcat doesn't expose the SNI information.
What problem are you trying to solve here?
Tomcat rejects requests with mis-matched host headers by default and can
be configured to allow them in 8.5.x, 9.0.x and 10.1.x. You shouldn't
need to write any extra code for this.
Mark
On 21/08/2023 12:
On 22/08/2023 11:53, Jason Guild wrote:
Hi All:
I have a web application MYAPP which embeds its logging configuration in
WEB-INF/classes/logging.properties.
I'd like to see more detailed logging when running the application
inside my IDE without making any temporary changes to this file.
The
https://tomcat.apache.org/tomcat-11.0-doc/config/http.html
Search for useVirtualThreads
The same option exists in the latest 8.5.x, 9.0.x and 10.1.x releases.
You need to be using Java 21 to use virtual threads.
Mark
On 22/08/2023 14:14, William Crowell wrote:
Hi,
To use virtual threads in
On 23/08/2023 00:44, John Jiang wrote:
Hi,
I'm using tomcat-embed-core 9.0.78 + OpenJDK 11.o.19.
My project needs a custom javax.net.ssl.SSLContext implementation.
Why? What problem are you trying to solve?
How can I integrate this custom SSLContext to the embedded Tomcat
server?
I don't fin
On 23/08/2023 10:07, William Crowell wrote:
Mark,
Thanks for your reply. Just to clarify…this is all I need in Tomcat 11’s
server.xml (as well as JDK21):
…
Correct.
Mark
-
To unsubscribe, e-mail: users-unsubscr...@t
On 23/08/2023 14:20, John Jiang wrote:
Hi Mark,
Thanks for your reply!
On Thu, Aug 24, 2023 at 12:15 AM Mark Thomas wrote:
On 23/08/2023 00:44, John Jiang wrote:
Hi,
I'm using tomcat-embed-core 9.0.78 + OpenJDK 11.o.19.
My project needs a custom javax.net.ssl.SSLContext implement
On 24/08/2023 13:07, Mcalexander, Jon J. wrote:
Getting a 404 error when trying to download the binaries for 2.0.5
https://dlcdn.apache.org/tomcat/tomcat-connectors/native/2.0.5/binaries/tomcat-native-2.0.5-openssl-3.0.9-ocsp-win32-bin.zip
Is this a known issue?
It is now.
The OpenSSL versio
On 25/08/2023 07:50, Ivano Luberti wrote:
Hi, I understand that this question can be OT but I don't know where to
search for.
Looking into tomcat manager sessions I see this cookie set in each session
javax.servlet.jsp.jstl.fmt.request.charset ISO-8859-1
The value ISO-8859-1 i s
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.0-M11 (alpha).
Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 10.1.13.
Apache Tomcat 10 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
specificati
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 9.0.80.
Apache Tomcat 9 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 9.0.80 is a bugfix and fea
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.93.
Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.
Apache Tomcat 8.5.93 is a bugfix and fea
CVE-2023-41080 Apache Tomcat - Open redirect
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M10
Apache Tomcat 10.1.0-M1 to 10.1.12
Apache Tomcat 9.0.0-M1 to 9.0.79
Apache Tomcat 8.5.0 to 8.5.92
Description:
If the ROOT (default) w
023 9:29 AM
To: Tomcat Users List
Subject: RE: [External] Re: Supporting Proxy Protocol in Tomcat
Yes, understood.
Thank you for clarifying. Even I was referring to initial consensus
without any timeline or approach conclusion.
Thanks,
Amit
-Original Message-
From: Mark Thomas
Sent: F
On 29/08/2023 20:53, David Cleary wrote:
2023-08-29T15:31:57.840-04:00 WARN [main] o.a.t.u.n.j.JSSEUtil - Some of the
specified [ciphers] are not supported by the SSL engine and have been skipped:
[Dozens of OpenSSL ciphers]
We use OpenSSL and moving to Tomcat 10.1.13 has caused an overload o
x27;t updated for long. Perhaps add comments/ask the folks on user list to vote?
That is more likely to irritate folks rather than encourage them to help
you progress your patch.
Mark
Thanks,
Amit
-Original Message-
From: Mark Thomas
Sent: Monday, August 28, 2023 11:20 AM
To: Tomcat
On 29/08/2023 08:00, Bhavesh Mistry wrote:
Hi Mark,
I am sorry for delayed response.
Basically, when request url does not match host header then I would reject
it. For example,
curl - -k "https://www.mydomain.com/login"; -H 'Host:
attackerHostHeaderInjection.com'
Why? What problem are
On 29/08/2023 21:28, Loeschmann, Lori wrote:
Hello,
We have a Tomcat application which authenticates via CAS. The application and
CAS reside on different servers.
We also have an internal audit process that flags files on these servers when
they change. It's a retroactive review of authorized
On 29/08/2023 21:51, Bhavesh Mistry wrote:
Hi Mark,
curl - -k "https://www.mydomain.com/login"; -H 'Host:
attackerHostHeaderInjection.com'
*Why? What problem are you trying to solve?*
Host Header injection is a vulnerability that needs to be addressed., I am
trying to solve if the host
On 30/08/2023 23:58, Matthew Robinson wrote:
Please may I have some assistance to upgrade a JAVA Maven project which uses
embedded Tomcat 7 to use embedded Tomcat 10?
I’m having extreme difficulty determining the appropriate versions of the
various components such that they play nice together.
provement is additive, and possibly not corrective.
Improvements are definitely corrective as well as additive. Early
versions of the guide had very odd advice regarding MIME type mapping
that has since been removed.
On Tue, Sep 5, 2023 at 9:36 AM Peter Kreuser wrote:
Robert,
While Mark Thomas
On 05/09/2023 20:38, Christopher Schultz wrote:
All,
I have some questions about Virtual Threads and their use within Tomcat.
Note that only Tomcat 11 currently has support for Virtual Threads when
running on a version 19 or later JVM.
Not quite. All current versions support virtual threads
tps://bz.apache.org/bugzilla/show_bug.cgi?id=57830 The state of the
ticket isn't updated for long. Perhaps add comments/ask the folks on user
list to vote?
That is more likely to irritate folks rather than encourage them to help
you progress your patch.
Mark
Thanks,
Amit
-Original M
On 05/09/2023 22:02, Christopher Schultz wrote:
Mark,
On 9/5/23 15:55, Mark Thomas wrote:
On 05/09/2023 20:38, Christopher Schultz wrote:
All,
I have some questions about Virtual Threads and their use within
Tomcat. Note that only Tomcat 11 currently has support for Virtual
Threads when
On 06/09/2023 20:04, Francois Marot wrote:
Hello,
I'm in the process of switching from Dependency-check [1] to
Dependency-track [2] to analyse vulnerabilities on my dependencies.
I analyze a classic spring boot webapp depending upon
org.apache.tomcat.embed:tomcat-embed-core. Dependency Check who
On 06/09/2023 21:24, Christopher Schultz wrote:
On 9/6/23 03:29, Mark Thomas wrote:
On 05/09/2023 22:02, Christopher Schultz wrote:
Thanks for the correction. I just did a quick docs[1] search for
"virtual" in Tomcat 10.x for example and I didn't see
useVirtualThreads,
On 07/09/2023 15:41, Christopher Schultz wrote:
On 9/6/23 16:29, Mark Thomas wrote:
There isn't
much point using an executor with virtual threads.
Okay then perche
https://tomcat.apache.org/tomcat-11.0-doc/config/executor.html#Virtual_Thread_Implementation ?
That is the int
On 09/09/2023 11:52, Aryeh Friedman wrote:
Every other jsp in my webapp (and other webapps on the same tomcat
instance [9.0.75]) works and I am using a the default container but as
curl/catalina.out show BasePage is *NEVER* being called (either the
_jspService() or the getX()):
How have you con
The Apache Tomcat Connectors project is part of the Tomcat project and
provides web server plugins for httpd (mod_jk) and IIS (ISAPI) to
connect those web servers with Tomcat and other backends.
The Apache Tomcat Project is proud to announce the release of version
1.2.49 of the Apache Tomcat Co
CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
- Apache Tomcat Connectors mod_jk Connector 1.2.0 to 1.2.48
Description:
In some circumstances, such as when a configuration included
"JkOptions
On 13/09/2023 14:00, Shawn Heisey wrote:
On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote:
I moved away from using the proprietary java keystore format.
I switched to using Base64 PEM format. This is usually also the format
you get from the certificate issuer.
No need to convert it in
On 25/09/2023 10:50, Aniket Pachpute wrote:
Hi,
We are getting a timeout exception when POST request size is >8k and SSL is
enabled in the tomcat.
Below are the exception details:
org.apache.catalina.connector.Request.parseParameters Exception thrown
whilst processing POSTed parameters
org.apa
On 25/09/2023 17:17, James H. H. Lampert wrote:
I probably asked the question before, but does Tomcat have any problems
with not having a ROOT context?
None I am aware of although there may be some edge cases. Past
precedence is that any such edge cases would be treated as bugs and
fixed in t
On 26/09/2023 16:50, Christopher Schultz wrote:
Jon,
On 9/26/23 11:32, Mcalexander, Jon J. wrote:
I have a question around the SSLHostConfig SSL Connector in Tomcat. In
the section, if the SSL Certificate is in a
Windows PFS Keystore, is it appropriate to add
certificateKeystoreType="PFX"
n 28/09/2023 00:22, Christopher Bland wrote:
Hi Everyone,
I’m making progress. I started from scratch again adding pieces back one by
one. It seems like I am seeing the following errors with my configuration
Could not load Logmanager "org.apache.logging.log4j.jul.LogManager"
java.lang.ClassN
28 Sept 2023 03:22:26 Muralisankar Srinivasan :
Dear Users,
I am facing the following Exceptions from the Java Maven application
which
is migrated from Javax to Jakarta, using "jakartaee-migration-1.0.7".
The
application was successful in "Apache Tomcat Version 9.0.64".
Please suggest the de
On 29/09/2023 20:20, Bruno Melloni wrote:
On a tomcat server I have a number of REST services deployed as WARs.
There are interdependencies and even applications on other servers that
call them, so I really don't want to start calling services after
starting Tomcat until every single webapp is fu
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 2.0.6 stable.
The key features of this release are:
- Disable OCSP if the insecure optionalNoCA certificate verification
option is used
- The binaries for Windows in this release have been built with OpenSSL
On 02/10/2023 09:35, Leonard wrote:
Hi,
I am debugging a performance issue related to sending binary WebSocket messages
using Tomcat (embed/Spring Boot) 10.1.4 on Java 20 and MacOS 13.5.2.
For this I try to disable compression ("PerMessageDeflate") when sending
messages.
The solution describe
On 02/10/2023 18:23, Deepak Lalchandani wrote:
The Apache Tomcat installation at this directory is version 10.1.13. A
Tomcat 10.0 installation is expected
The above is error message I'm getting.
Please resolve and screenshots are detached from e mail
The error looks pretty clear to me.
Eclipse
The Apache Tomcat team announces the immediate availability of Apache
Tomcat Native 1.2.39 stable.
The key features of this release are:
- Disable OCSP if the insecure optionalNoCA certificate verification
option is used
- The binaries for Windows in this release have been built with OpenSSL
On 03/10/2023 06:16, Nithin P wrote:
Hi,
I'm using Apache Ofbiz v18.12.06 While I'm trying to upload an image for
vulnerability scanning it shows CVE-2020-1938. I have tried to update to the
latest version having the same issue, Does Anyone know where the tomcat conf
files are stored in the A
07 pm Deepak Lalchandani,
wrote:
Hi Mark,
In Apache Tomcat website I can install 10.1 only ,when I
configure the server by clicking on Add server and select location of
tomcat server, it adds 10.1.3 and the error with red symbol appears
Regards,
Deepak
On Mon, 2 Oct 2023, 10:58 pm
Running multiple instances of Tomcat from the same CATALINA_BASE is
totally unsupported. This isn't one of those "We don't technically
support that but you should be OK situations". This is one of the rare
"You do that and it *will* break and you will be on your own when it
does." situations.
CVE-2023-42794 Apache Tomcat - denial of service
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.70 to 9.0.80
Apache Tomcat 8.5.85 to 8.5.93
Description:
Tomcat's internal fork of a Commons FileUpload included an unreleased,
in progress refactoring th
CVE-2023-42795 Apache Tomcat - information disclosure
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M11
Apache Tomcat 10.1.0-M1 to 10.1.13
Apache Tomcat 9.0.0-M1 to 9.0.80
Apache Tomcat 8.5.0 to 8.5.93
Description:
When recyclin
CVE-2023-44487 Apache Tomcat - HTTP/2 DoS
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M11
Apache Tomcat 10.1.0-M1 to 10.1.13
Apache Tomcat 9.0.0-M1 to 9.0.80
Apache Tomcat 8.5.0 to 8.5.93
Description:
Tomcat's HTTP/2 implement
CVE-2023-45648 Apache Tomcat - Request Smuggling
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M11
Apache Tomcat 10.1.0-M1 to 10.1.13
Apache Tomcat 9.0.0-M1 to 9.0.80
Apache Tomcat 8.5.0 to 8.5.93
Description:
Tomcat did not cor
On 10/10/2023 13:03, Mark Linton wrote:
Hello Tomcat users.
Is there a forum (like a webpage that we can search for previous
questions?)...
lists.apache.org
I am experiencing an issue with logging on to the manager and hosts
webpage(s).
What issue?
Please see the tomcat-users.xml attache
On 10/10/2023 13:38, a.grub...@bluewin.ch wrote:
Dear all
I have a question.
When I deploy a new application (either downgrade or upgrade), what is
mandatory to be done apart from ReleaseNotes for the application? I ask
specific for remove certain directories from Tomcat structure, also topic
r
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.0-M13 (alpha).
Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language,
Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations
On 16/10/2023 23:04, Mcalexander, Jon J. wrote:
Good afternoon all!
I have a question around the error valve. It mentions that if you want you can
supply custom error pages that need to be relative to $CATALINA_BASE. My
question is, just where should this go? Do you typically create an errors
17 Oct 2023 16:51:38 Donal Anglin :
Hey all,
Sonatype are of the opinion that CVE-2023-42794 is also applicable to
the
10.x and 11.x streams of Tomcat and issued the notice:
The Sonatype Security Research team discovered that this vulnerability
is
also present and remains unfixed in the 10.x
Donal Anglin*
On Tue, Oct 17, 2023 at 6:23 PM Mark Thomas wrote:
17 Oct 2023 16:51:38 Donal Anglin :
Hey all,
Sonatype are of the opinion that CVE-2023-42794 is also applicable to
the
10.x and 11.x streams of Tomcat and issued the notice:
The Sonatype Security Research team discovered that
On 17/10/2023 22:47, Aditya Shastri wrote:
Hello,
We have several tomcat instances that use a single CATALINA_HOME which
is a symlink for a specific version. The Tomcat instance we use is
very barebones and doesn't have any of the apps that come with it.
For example,
The CATALINA_HOME points to
1 - 100 of 9262 matches
Mail list logo
