Re: net::ERR_HTTP2_PROTOCOL_ERROR with 10.1.30

2024-10-09 Thread Mark Thomas
On 09/10/2024 03:33, Boris Petrov wrote: I also have been experiencing the same issue (with Tomcat 9). 9.0.93 works fine. 9.0.94 is unusable. 9.0.95 and now 9.0.96 almost work but sometimes I get the same behavior as with 9.0.94. I see it in my integration tests - there are some sporadic failur

Re: Migrating from Tomcat 9.0.88 to Tomcat 10.1.30 on windows machine with JDK 21 LTS

2024-10-09 Thread Mark Thomas
t the heap usage to see where the memory is being used. Most profilers should also be able to tell where the CPU time is being spent. Did you look at DAEMON-460? Does it apply to you? Mark Regards, Sajid On 10/9/2024 4:24 PM, Mark Thomas wrote: Please send your reply to the users list so

Re: SSL on Tomcat 9

2024-10-09 Thread Mark Thomas
On 09/10/2024 07:47, Ron Boyer wrote: hello, I am trying to renew the SSL certificate from a signing authority. I am running Tomcat 9. I understand that I have to import PKCS #12 certificate. I seem to be able to make one, but I don't think it is correct. My signing authority, GoDaddy, wil

Re: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-10-10 Thread Mark Thomas
TBD. I suspect this will be a topic of discussion at Community Over Code at Bratislava next week. I am expecting that any fix won't be in the June release round but should be in the July release round. Let us know how you get on and good luck. Will do! Mark On 30/05/2024 10:16, Mark Thom

Re: Setting Transfer-Encoding: chunked

2024-09-30 Thread Mark Thomas
On 30/09/2024 07:37, Lazar Kirchev wrote: Hello, Tomcat automatically adds header Transfer-Encoding: chunked if on http 1.1, the response code supports body and there is no Connection: Close header (Tomcat 9's code - https://github.com/apache/tomcat/blob/372f3cefe6225b58fcdae7c344d81396b8e08570/

Re: net::ERR_HTTP2_PROTOCOL_ERROR with 10.1.30

2024-09-30 Thread Mark Thomas
On 30/09/2024 07:38, Ahmed Ashour wrote: Hi all, Even though the regression should have been fixed in 10.1.30, our team still sees it around once weekly. Twice so far. With 10.1.29 it was very frequent, that the server can't be used, but with 10.1.30 it is much less, but sadly it seems on rare

Re: Using HTTP 1.1 over a configured HTTP2 Connector

2024-10-06 Thread Mark Thomas
On 04/10/2024 20:32, Anurag Sharma wrote: HI Mark And Christopher, Apologies for the late response, Tomcat act as a reverse proxy to 3rd party legacy system. We have recently upgraded Tomcat to use HTTP/2 protocol; this causes the legacy system not to render and get an error message when re

Re: tomcat 9.0.96 and ibm semeru

2024-10-16 Thread Mark Thomas
15 Oct 2024 13:59:57 Andreas Moroder : Hello, we have Tomcat 9.0.96  and Java 8. We would like to get rid of Oracle java and use IBM semeru. Can Oracle java simply be replaced by ibm semeru, Yes. or are changes to the java and jsp applications necessary? No. Do the java libraries we ca

Re: Assistance with Apache Tomcat Integration with MS Sentinel

2024-10-18 Thread Mark Thomas
On 18/10/2024 09:55, Kele Masemola wrote: Good day, We are trying to integrate Tomcat Apache with Sentinel, so we just wanted to get some clarity on a few things. We installed Apache Tomcat data connector on Sentinel. It seems the Apache servers in our environment are running on Windows machi

Re: Tomcat 11 & Request Attributes

2024-10-21 Thread Mark Thomas
On 20/10/2024 02:49, Dan McLaughlin wrote: We use Shibboleth SP, which passes request attributes from Apache over AJP to Tomcat; after upgrading from Tomcat 10.1 to Tomcat 11, the request attributes aren't coming over. Does anyone know of anything that changed in Tomcat 11 that might affect requ

Re: Tomca 9.96 und semeru

2024-10-21 Thread Mark Thomas
On 20/10/2024 15:45, Andreas Moroder wrote: Hello Mark, I made some more tests, but it works only for a few clicks, then the service stops. It's running on windows (for reasons I don't know and can't change) with semeru 17 I see these lines in the logs I see a couple of problems with that code:

Re: Migrating from Tomcat 9.0.88 to Tomcat 10.1.30 on windows machine with JDK 21 LTS

2024-10-08 Thread Mark Thomas
On 08/10/2024 05:21, Sajid Hussain wrote: Hi, I was using tomcat 9 with JDK 17 on windows. My java application was using 2.7.18. Now I'm migrating my application spring version to 3.3.4 with Tomcat 10.1.30 and JDK 21. I have upgraded the version in my java project and fix the hibernate error

Re: Tomcat 10.1 STIGing

2024-10-29 Thread Mark Thomas
On 28/10/2024 21:44, Leroy Mims wrote: My place of work prefers DISA STIGed software. I contacted DISA about STIGs for Tomcat 10.1 and they said that the organization that produces the software has to request that it be STIGed. The idea of applying Tomcat 9 STIGs to Tomcat 10.1 was rejected and DI

Re: Fwd: NoClassDefFoundError: javax/mail/Authenticator

2024-10-24 Thread Mark Thomas
On 24/10/2024 17:07, Alan Masters wrote: I am attempting to send e-mail from Tomcat using an external mail host -   mail.btinternet.com. I have included javax.mail jar in my build path and can see javax.mail.Authenticator in this library. When trying to start up  apache-tomcat-9.0.91 I get

Re: javax.naming.NameNotFoundException

2024-10-23 Thread Mark Thomas
On 23/10/2024 18:57, Mark Foley wrote: I'm running Tomcat 8.5.11. I have a hopefully small problem. Tomcat 8.5.x is EOL and no longer supported. 8.5.11 is also rather old with quite a long list of known security issues. I have a webapp directory: $CATALINA_HOME/webapps/myapp/. In that directo

[SECURITY] CVE-2024-46544 Apache mod_jk - Information Disclosure / Denial of Service

2024-09-23 Thread Mark Thomas
CVE-2024-46544 Apache mod_jk - Information Disclosure / DoS Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - JK 1.2.9-1.2.49 (mod_jk on Unix like platforms only) Description: Incorrect default permissions for the memory mapped file configured by the JkShmFile dir

[SECURITY] CVE-2024-38286 Apache Tomcat - Denial of Service

2024-09-23 Thread Mark Thomas
CVE-2024-38286 Apache Tomcat - Denial of Service Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M20 Apache Tomcat 10.1.0-M1 to 10.1.24 Apache Tomcat 9.0.13 to 9.0.89 Description: Tomcat, under certain configurations on any platfo

Re: tomcat query

2024-09-23 Thread Mark Thomas
On 23/09/2024 13:50, Rachana Kharchane wrote: Hi Team, I Have few queries How can we ensure the old config is kept in place post installing a new tomcat version? Do we have options to backup the configuration and reapply after new version install of Tomcat? Read RUNNING.txt in the root of

Re: Tld Scanner and tomcat-coyote-ffm

2024-09-21 Thread Mark Thomas
On 21/09/2024 10:45, Thomas Hoffmann (Speed4Trade GmbH) wrote: Hello, the recent Tomcat 10.1 versions seem to contain the file tomcat-coyote-ffm.jar This triggers a warning that the TldScanner didn't find any Tld inside the jar: FEIN [main] org.apache.jasper.servlet.TldScanner$TldScannerCallback

Re: tomcat startup error, IBM DB2 related (database)

2024-09-24 Thread Mark Thomas
On 24/09/2024 08:58, Michael Lau wrote: here's a clip of the error from the cmd window of my friend: 0-Sep-2024 13:51:51.584 INFO [Timer-0] org.apache.catalina.loader.WebappClassLoaderBase.checkStateForResourceLoading Illegal access: this web application instance has been stopped already. Could

Re: Website inconsistency

2024-09-26 Thread Mark Thomas
On 26/09/2024 16:05, Doug Whitfield wrote: Hi Folks, On the left sidebar of the website the download is for “Tomcat 10” while the Documentation is for “Tomcat 10.1”. Now, between Download and Documentation things are consistent. I don’t think this is strictly speaking wrong, but I don’t see a

Re: Elapsed Time incorrect for HTTP/2.0?

2024-09-27 Thread Mark Thomas
On 24/09/2024 12:40, Thomas Meyer wrote: On 24 September 2024 at 10:44:46 CEST, Mark Thomas wrote: On 24/09/2024 08:59, Thomas Meyer wrote: Hi, We see sometimes elapsed time values with over 100 million milliseconds and status code 500 in the Tomcat logs for HTTP/2.0 connections. Is that

Re: Error migrating to Tomcat 10.1

2024-09-19 Thread Mark Thomas
Mark Thanks -Original Message- From: Mark Thomas Sent: Thursday, September 19, 2024 2:52 PM To: users@tomcat.apache.org Subject: Re: Error migrating to Tomcat 10.1 On 19/09/2024 20:19, Campbell, Lance wrote: I am using the latest Tomcat 10.1 Java 17 Apache Web server communicate

Re: Error migrating to Tomcat 10.1

2024-09-19 Thread Mark Thomas
On 19/09/2024 20:19, Campbell, Lance wrote: I am using the latest Tomcat 10.1 Java 17 Apache Web server communicates with an application server running tomcat. The application name is webtools. I am migrating a working app from Tomcat 9 to Tomcat 10.1. Does your AJP connector in Tomcat 9 h

Re: Using HTTP 1.1 over a configured HTTP2 Connector

2024-10-01 Thread Mark Thomas
On 01/10/2024 06:15, Anurag Sharma wrote: Dear Tomcat Team, I hope this message finds you well. I am currently facing a challenge regarding the use of HTTP/1.1 for specific API endpoints within a servlet configured for HTTP/2. My browser defaults to HTTP/2, which complicates the situation as

Re: Elapsed Time incorrect for HTTP/2.0?

2024-09-24 Thread Mark Thomas
On 24/09/2024 08:59, Thomas Meyer wrote: Hi, We see sometimes elapsed time values with over 100 million milliseconds and status code 500 in the Tomcat logs for HTTP/2.0 connections. Is that expected or a bug? Is it just the large elapsed times that are unexpected or are the 500 status codes

Re: javax.naming.NameNotFoundException

2024-10-24 Thread Mark Thomas
On 23/10/2024 23:13, Mark Foley wrote: On Wed, 23 Oct 2024 19:13:44 Mark Thomas wrote: That won't work. What will work is renaming: $CATALINA_HOME/webapps/myapp to $CATALINA_HOME/webapps/myapp#subapp/ Mark Hmmm ... what I was attempting was splitting many webapps into mul

Re: Database Connection Requests Initiated but Not Sent on the Wire (Some, Not All)

2024-10-25 Thread Mark Thomas
On 11/10/2024 01:05, Eric Robinson wrote: Mark, Thanks very much for the update. We'll check back in November! I've just committed the fix. It should be in the next set of releases (November). Mark -Eric -Original Message----- From: Mark Thomas Sent: Thursday, October

Re: remote address is localhost after upgrading tomcat instance behind reverse proxy from tomcat8.5 to tomcat9

2024-11-07 Thread Mark Thomas
On 06/11/2024 21:17, Ivano Luberti wrote: Hi, as stated in the subject, we had a correctly behaving tomcat 8.5 behind a reverse proxy implemented with Apache. After upgrading to Tomcat 9  every request is seen by tomcat as coming from localhost. Apache and Tomcat are running on the same mach

[SECURITY] CVE-2024-52316 Apache Tomcat - Authentication Bypass

2024-11-18 Thread Mark Thomas
CVE-2024-52316 Apache Tomcat - Authentication Bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M26 Apache Tomcat 10.1.0-M1 to 10.1.30 Apache Tomcat 9.0.0-M1 to 9.0.95 Description: If Tomcat was configured to use a custom Jakarta A

[SECURITY] CVE-2024-52317 Apache Tomcat - Request and/or response mix-up

2024-11-18 Thread Mark Thomas
CVE-2024-52317 Apache Tomcat - Request and/or response mix-up Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M23 to 11.0.0-M26 Apache Tomcat 10.1.7 to 10.1.30 Apache Tomcat 9.0.92 to 9.0.95 Description: Incorrect recycling of the request and

Re: Documentation doubt

2024-11-15 Thread Mark Thomas
On 14/11/2024 20:08, Simon Arame wrote: Hi, simple question to confirm a doubt about https://tomcat.apache.org/tomcat-9.0-doc/config/context.html#Naming the first paragraph states When autoDeploy or deployOnStartup operations are performed by a Host, the name and context path of the web

[SECURITY] CVE-2024-52318 Apache Tomcat - XSS in generated JSPs

2024-11-18 Thread Mark Thomas
CVE-2024-52318 Apache Tomcat - XSS in generated JSPs Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0 Apache Tomcat 10.1.31 Apache Tomcat 9.0.96 Description: The fix for improvement 69333 [0] caused pooled JSP tags not to be released after use

Re: [SECURITY] CVE-2024-52317 Apache Tomcat - Request and/or response mix-up

2024-11-18 Thread Mark Thomas
hanks and Regards, Rajendra Rathore 9922701491 -Original Message- From: Mark Thomas Sent: Monday, November 18, 2024 4:48 PM To: Tomcat Users List Cc: annou...@apache.org; annou...@tomcat.apache.org; Tomcat Developers List Subject: [SECURITY] CVE-2024-52317 Apache Tomcat - Request a

[SECURITY] CVE-2024-52317 Apache Tomcat - Request and/or response mix-up

2024-11-18 Thread Mark Thomas
Note: Correction to 10.1.x affected versions CVE-2024-52317 Apache Tomcat - Request and/or response mix-up Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M23 to 11.0.0-M26 Apache Tomcat 10.1.27 to 10.1.30 Apache Tomcat 9.0.92 to 9.0.95 Descr

Re: RE: Persist function in host manager working in 9.0.60 but not 10.1.x

2023-08-03 Thread Mark Thomas
This has been fixed (by Rémy) for the August release round. Mark On 27/07/2023 01:41, Fong Mason wrote: Hi Chris, From: Christopher Schultz Sent: 27 July 2023 0:35 To: users@tomcat.apache.org Subject: Re: Persist function in host manager working in 9.0.60 but not 1

Re: JSP to Servlet conversion missing HTML contents in Tomcat 8.5.91

2023-08-03 Thread Mark Thomas
On 01/08/2023 19:13, அருள்ராஜன் அ லை wrote: Hi We are recently upgraded tomcat 8.5.91 . While the below JSP compiled into JAVA it is missing some content JSP JAVA class generated try { response.setContentType("text/html"); pageContext = _jspxFactory.getPageContex

Re: Using dedicated SSL handshake failure logger

2023-08-03 Thread Mark Thomas
On 03/08/2023 16:53, Amit Pande wrote: What am I missing in the logger configuration? Do we have to have the console handler configured? Is CATALINA_HOME set correctly? Do you see any log file at all in the expected location? Mark ---

Re: Forwarding request to a different servlet

2023-08-11 Thread Mark Thomas
RequestDispatcher operates within a given ServletContext (web application). You are trying to do a cross-context dispatch - i.e. to another web application. To do this you will need to: - enable cross-context dispatch for the /plugins web application https://tomcat.apache.org/tomcat-8.5-doc/

[ANN] Apache Tomcat 11.0.0-M10 (alpha) available

2023-08-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M10 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

[ANN] Apache Tomcat 10.1.12 available

2023-08-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.12. Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specificati

[ANN] Apache Tomcat 8.5.92 available

2023-08-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.92. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 8.5.92 is a bugfix and fea

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-19 Thread Mark Thomas
19 Aug 2023 19:46:56 Bhavesh Mistry : Hi, Tomcat Dev team and Users, I am trying to block the request and give 404 bad requests or 403 when the HOST header does not match the requested server name.  My goal is to block whenever there is a mismatch in the host header and URL server name.

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-08-20 Thread Mark Thomas
On 18/08/2023 11:28, Rubén Pérez wrote: This is a response to an existing thread (about Memory leak in recent versions of Tomcat): https://www.mail-archive.com/users@tomcat.apache.org/msg141882.html I haven't found a way to reply publicly as a continuation of that thread. You need to reply to

Re: Possible AbstractProtocol.waitingProcessors leak in Tomcat 9.0.75

2023-08-20 Thread Mark Thomas
On 20/08/2023 05:21, Mark Thomas wrote: On 18/08/2023 11:28, Rubén Pérez wrote: I started experiencing exactly the same issue when updating from Spring 6.0.7 to 6.0.9, therefore updating tomcat from 10.1.5 to 10.1.8. The Memory leak is very clearly visible in my monitoring tools. A

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-22 Thread Mark Thomas
Tomcat doesn't expose the SNI information. What problem are you trying to solve here? Tomcat rejects requests with mis-matched host headers by default and can be configured to allow them in 8.5.x, 9.0.x and 10.1.x. You shouldn't need to write any extra code for this. Mark On 21/08/2023 12:

Re: overriding application log configuration at the container level

2023-08-22 Thread Mark Thomas
On 22/08/2023 11:53, Jason Guild wrote: Hi All: I have a web application MYAPP which embeds its logging configuration in WEB-INF/classes/logging.properties. I'd like to see more detailed logging when running the application inside my IDE without making any temporary changes to this file. The

Re: Virtual Thread Configuration In Tomcat 11

2023-08-22 Thread Mark Thomas
https://tomcat.apache.org/tomcat-11.0-doc/config/http.html Search for useVirtualThreads The same option exists in the latest 8.5.x, 9.0.x and 10.1.x releases. You need to be using Java 21 to use virtual threads. Mark On 22/08/2023 14:14, William Crowell wrote: Hi, To use virtual threads in

Re: How to integrate alternative SSLContext?

2023-08-23 Thread Mark Thomas
On 23/08/2023 00:44, John Jiang wrote: Hi, I'm using tomcat-embed-core 9.0.78 + OpenJDK 11.o.19. My project needs a custom javax.net.ssl.SSLContext implementation. Why? What problem are you trying to solve? How can I integrate this custom SSLContext to the embedded Tomcat server? I don't fin

Re: Virtual Thread Configuration In Tomcat 11

2023-08-23 Thread Mark Thomas
On 23/08/2023 10:07, William Crowell wrote: Mark, Thanks for your reply. Just to clarify…this is all I need in Tomcat 11’s server.xml (as well as JDK21): … Correct. Mark - To unsubscribe, e-mail: users-unsubscr...@t

Re: How to integrate alternative SSLContext?

2023-08-23 Thread Mark Thomas
On 23/08/2023 14:20, John Jiang wrote: Hi Mark, Thanks for your reply! On Thu, Aug 24, 2023 at 12:15 AM Mark Thomas wrote: On 23/08/2023 00:44, John Jiang wrote: Hi, I'm using tomcat-embed-core 9.0.78 + OpenJDK 11.o.19. My project needs a custom javax.net.ssl.SSLContext implement

Re: Tomcat Native

2023-08-24 Thread Mark Thomas
On 24/08/2023 13:07, Mcalexander, Jon J. wrote: Getting a 404 error when trying to download the binaries for 2.0.5 https://dlcdn.apache.org/tomcat/tomcat-connectors/native/2.0.5/binaries/tomcat-native-2.0.5-openssl-3.0.9-ocsp-win32-bin.zip Is this a known issue? It is now. The OpenSSL versio

Re: OT: where does JSTL set thsi cookie? javax.servlet.jsp.jstl.fmt.request.charset

2023-08-25 Thread Mark Thomas
On 25/08/2023 07:50, Ivano Luberti wrote: Hi, I understand that this question can be OT but I don't know where to search for. Looking into tomcat manager sessions I see this cookie set in each session     javax.servlet.jsp.jstl.fmt.request.charset     ISO-8859-1 The value ISO-8859-1 i s

[ANN] Apache Tomcat 11.0.0-M11 (alpha) available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M11 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

[ANN] Apache Tomcat 10.1.13 available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 10.1.13. Apache Tomcat 10 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations specificati

[ANN] Apache Tomcat 9.0.80 available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 9.0.80. Apache Tomcat 9 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 9.0.80 is a bugfix and fea

[ANN] Apache Tomcat 8.5.93 available

2023-08-25 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 8.5.93. Apache Tomcat 8 is an open source software implementation of the Java Servlet, JavaServer Pages, Java Unified Expression Language, Java WebSocket and JASPIC technologies. Apache Tomcat 8.5.93 is a bugfix and fea

[SECURITY] CVE-2023-41080 Apache Tomcat - open redirect

2023-08-25 Thread Mark Thomas
CVE-2023-41080 Apache Tomcat - Open redirect Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M10 Apache Tomcat 10.1.0-M1 to 10.1.12 Apache Tomcat 9.0.0-M1 to 9.0.79 Apache Tomcat 8.5.0 to 8.5.92 Description: If the ROOT (default) w

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-08-28 Thread Mark Thomas
023 9:29 AM To: Tomcat Users List Subject: RE: [External] Re: Supporting Proxy Protocol in Tomcat Yes, understood. Thank you for clarifying. Even I was referring to initial consensus without any timeline or approach conclusion. Thanks, Amit -Original Message- From: Mark Thomas Sent: F

Re: Disabling cipher warning

2023-08-29 Thread Mark Thomas
On 29/08/2023 20:53, David Cleary wrote: 2023-08-29T15:31:57.840-04:00 WARN [main] o.a.t.u.n.j.JSSEUtil - Some of the specified [ciphers] are not supported by the SSL engine and have been skipped: [Dozens of OpenSSL ciphers] We use OpenSSL and moving to Tomcat 10.1.13 has caused an overload o

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-08-29 Thread Mark Thomas
't updated for long. Perhaps add comments/ask the folks on user list to vote? That is more likely to irritate folks rather than encourage them to help you progress your patch. Mark Thanks, Amit -Original Message- From: Mark Thomas Sent: Monday, August 28, 2023 11:20 AM To: Tomcat

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Mark Thomas
On 29/08/2023 08:00, Bhavesh Mistry wrote: Hi Mark, I am sorry for delayed response. Basically, when request url does not match host header then I would reject it. For example, curl - -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com' Why? What problem are

Re: war file timestamp change

2023-08-29 Thread Mark Thomas
On 29/08/2023 21:28, Loeschmann, Lori wrote: Hello, We have a Tomcat application which authenticates via CAS. The application and CAS reside on different servers. We also have an internal audit process that flags files on these servers when they change. It's a retroactive review of authorized

Re: Tomcat 9 Connector config allowHostHeaderMismatch not working as expected

2023-08-29 Thread Mark Thomas
On 29/08/2023 21:51, Bhavesh Mistry wrote: Hi Mark, curl - -k "https://www.mydomain.com/login" -H 'Host: attackerHostHeaderInjection.com' *Why? What problem are you trying to solve?* Host Header injection is a vulnerability that needs to be addressed. I am trying to solve if the host

Re: Upgrading Embedded Tomcat 7.x to 10.x

2023-08-31 Thread Mark Thomas
On 30/08/2023 23:58, Matthew Robinson wrote: Please may I have some assistance to upgrade a JAVA Maven project which uses embedded Tomcat 7 to use embedded Tomcat 10? I’m having extreme difficulty determining the appropriate versions of the various components such that they play nice together.

Re: CIS Tomcat 8 Benchmark (v1.1.0) -- Questions

2023-09-05 Thread Mark Thomas
provement is additive, and possibly not corrective. Improvements are definitely corrective as well as additive. Early versions of the guide had very odd advice regarding MIME type mapping that has since been removed. On Tue, Sep 5, 2023 at 9:36 AM Peter Kreuser wrote: Robert, While Mark Thomas

Re: Virtual Threads

2023-09-05 Thread Mark Thomas
On 05/09/2023 20:38, Christopher Schultz wrote: All, I have some questions about Virtual Threads and their use within Tomcat. Note that only Tomcat 11 currently has support for Virtual Threads when running on a version 19 or later JVM. Not quite. All current versions support virtual threads

Re: [External] Re: Supporting Proxy Protocol in Tomcat

2023-09-05 Thread Mark Thomas
tps://bz.apache.org/bugzilla/show_bug.cgi?id=57830 The state of the ticket isn't updated for long. Perhaps add comments/ask the folks on user list to vote? That is more likely to irritate folks rather than encourage them to help you progress your patch. Mark Thanks, Amit -Original M

Re: Virtual Threads

2023-09-06 Thread Mark Thomas
On 05/09/2023 22:02, Christopher Schultz wrote: Mark, On 9/5/23 15:55, Mark Thomas wrote: On 05/09/2023 20:38, Christopher Schultz wrote: All, I have some questions about Virtual Threads and their use within Tomcat. Note that only Tomcat 11 currently has support for Virtual Threads when

Re: CVE referencing Tomcat are not also referencing Tomcat-embed

2023-09-06 Thread Mark Thomas
On 06/09/2023 20:04, Francois Marot wrote: Hello, I'm in the process of switching from Dependency-check [1] to Dependency-track [2] to analyse vulnerabilities on my dependencies. I analyze a classic spring boot webapp depending upon org.apache.tomcat.embed:tomcat-embed-core. Dependency Check who

Re: Virtual Threads

2023-09-06 Thread Mark Thomas
On 06/09/2023 21:24, Christopher Schultz wrote: On 9/6/23 03:29, Mark Thomas wrote: On 05/09/2023 22:02, Christopher Schultz wrote: Thanks for the correction. I just did a quick docs[1] search for "virtual" in Tomcat 10.x for example and I didn't see useVirtualThreads,

Re: Virtual Threads

2023-09-07 Thread Mark Thomas
On 07/09/2023 15:41, Christopher Schultz wrote: On 9/6/23 16:29, Mark Thomas wrote: There isn't much point using an executor with virtual threads. Okay then perche https://tomcat.apache.org/tomcat-11.0-doc/config/executor.html#Virtual_Thread_Implementation ? That is the int

Re: page extends not working???

2023-09-09 Thread Mark Thomas
On 09/09/2023 11:52, Aryeh Friedman wrote: Every other jsp in my webapp (and other webapps on the same tomcat instance [9.0.75]) works and I am using the default container but as curl/catalina.out show BasePage is *NEVER* being called (either the _jspService() or the getX()): How have you con

[ANN] Apache Tomcat Connectors 1.2.49 released

2023-09-12 Thread Mark Thomas
The Apache Tomcat Connectors project is part of the Tomcat project and provides web server plugins for httpd (mod_jk) and IIS (ISAPI) to connect those web servers with Tomcat and other backends. The Apache Tomcat Project is proud to announce the release of version 1.2.49 of the Apache Tomcat Co

[SECURITY] CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure

2023-09-13 Thread Mark Thomas
CVE-2023-41081 Apache Tomcat Connectors (mod_jk) Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: - Apache Tomcat Connectors mod_jk Connector 1.2.0 to 1.2.48 Description: In some circumstances, such as when a configuration included "JkOptions

Re: AW: Solution to "Invalid keystore format" (cross-posted to Tomcat Users List at Apache, and Java 400 List at Midrange)

2023-09-13 Thread Mark Thomas
On 13/09/2023 14:00, Shawn Heisey wrote: On 9/12/23 01:06, Thomas Hoffmann (Speed4Trade GmbH) wrote: I moved away from using the proprietary java keystore format. I switched to using Base64 PEM format. This is usually also the format you get from the certificate issuer. No need to convert it in

Re: Exception thrown whilst processing POSTed parameters when SSL is enabled in TOMCAT

2023-09-25 Thread Mark Thomas
On 25/09/2023 10:50, Aniket Pachpute wrote: Hi, We are getting a timeout exception when POST request size is >8k and SSL is enabled in the tomcat. Below are the exception details: org.apache.catalina.connector.Request.parseParameters Exception thrown whilst processing POSTed parameters org.apa

Re: I forget: does Tomcat have any problems with *not* having a ROOT context?

2023-09-25 Thread Mark Thomas
On 25/09/2023 17:17, James H. H. Lampert wrote: I probably asked the question before, but does Tomcat have any problems with not having a ROOT context? None I am aware of although there may be some edge cases. Past precedence is that any such edge cases would be treated as bugs and fixed in t

Re: SSLHostConfig question

2023-09-26 Thread Mark Thomas
On 26/09/2023 16:50, Christopher Schultz wrote: Jon, On 9/26/23 11:32, Mcalexander, Jon J. wrote: I have a question around the SSLHostConfig SSL Connector in Tomcat. In the   section, if the SSL Certificate is in a Windows PFS Keystore, is it appropriate to add certificateKeystoreType="PFX"

Re: [External]Re: Tomcat 10 on RHEL 8 with Java 17

2023-09-28 Thread Mark Thomas
n 28/09/2023 00:22, Christopher Bland wrote: Hi Everyone, I’m making progress. I started from scratch again adding pieces back one by one. It seems like I am seeing the following errors with my configuration Could not load Logmanager "org.apache.logging.log4j.jul.LogManager" java.lang.ClassN

Re: Jakarta migration issue in Tomcat 10.1.12 with Java 11

2023-09-28 Thread Mark Thomas
28 Sept 2023 03:22:26 Muralisankar Srinivasan : Dear Users, I am facing the following Exceptions from the Java Maven application which is migrated from Javax to Jakarta, using "jakartaee-migration-1.0.7". The application was successful in "Apache Tomcat Version 9.0.64". Please suggest the de

Re: Best way to *programmatically* detect that all webapps are fully deployed and running?

2023-09-30 Thread Mark Thomas
On 29/09/2023 20:20, Bruno Melloni wrote: On a tomcat server I have a number of REST services deployed as WARs. There are interdependencies and even applications on other servers that call them, so I really don't want to start calling services after starting Tomcat until every single webapp is fu

[ANN] Apache Tomcat Native 2.0.6 released

2023-10-02 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 2.0.6 stable. The key features of this release are: - Disable OCSP if the insecure optionalNoCA certificate verification option is used - The binaries for Windows in this release have been built with OpenSSL

Re: Websocket: Disable compression/permessage-deflate

2023-10-02 Thread Mark Thomas
On 02/10/2023 09:35, Leonard wrote: Hi, I am debugging a performance issue related to sending binary WebSocket messages using Tomcat (embed/Spring Boot) 10.1.4 on Java 20 and MacOS 13.5.2. For this I try to disable compression ("PerMessageDeflate") when sending messages. The solution describe

Re: Need help tomcat

2023-10-02 Thread Mark Thomas
On 02/10/2023 18:23, Deepak Lalchandani wrote: The Apache Tomcat installation at this directory is version 10.1.13. A Tomcat 10.0 installation is expected The above is error message I'm getting. Please resolve and screenshots are detached from e mail The error looks pretty clear to me. Eclipse

[ANN] Apache Tomcat Native 1.2.39 released

2023-10-03 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat Native 1.2.39 stable. The key features of this release are: - Disable OCSP if the insecure optionalNoCA certificate verification option is used - The binaries for Windows in this release have been built with OpenSSL

Re: need help in solving CVE-2020-1938 error regards

2023-10-03 Thread Mark Thomas
On 03/10/2023 06:16, Nithin P wrote: Hi, I'm using Apache Ofbiz v18.12.06 While I'm trying to upload an image for vulnerability scanning it shows CVE-2020-1938. I have tried to update to the latest version having the same issue, Does Anyone know where the tomcat conf files are stored in the A

Re: Need help tomcat

2023-10-03 Thread Mark Thomas
07 pm Deepak Lalchandani, wrote: Hi Mark, In Apache Tomcat website I can install 10.1 only ,when I configure the server by clicking on Add server and select location of tomcat server, it adds 10.1.3 and the error with red symbol appears Regards, Deepak On Mon, 2 Oct 2023, 10:58 pm

Re: Sharing catalina home among tomcat machines in a load balanced environment gives problems with log files

2023-10-10 Thread Mark Thomas
Running multiple instances of Tomcat from the same CATALINA_BASE is totally unsupported. This isn't one of those "We don't technically support that but you should be OK situations". This is one of the rare "You do that and it *will* break and you will be on your own when it does." situations.

[SECURITY] CVE-2023-42794 Apache Tomcat - denial of service

2023-10-10 Thread Mark Thomas
CVE-2023-42794 Apache Tomcat - denial of service Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.70 to 9.0.80 Apache Tomcat 8.5.85 to 8.5.93 Description: Tomcat's internal fork of a Commons FileUpload included an unreleased, in progress refactoring th

[SECURITY] CVE-2023-42795 Apache Tomcat - information disclosure

2023-10-10 Thread Mark Thomas
CVE-2023-42795 Apache Tomcat - information disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M11 Apache Tomcat 10.1.0-M1 to 10.1.13 Apache Tomcat 9.0.0-M1 to 9.0.80 Apache Tomcat 8.5.0 to 8.5.93 Description: When recyclin

[SECURITY] CVE-2023-44487 Apache Tomcat - HTTP/2 DoS

2023-10-10 Thread Mark Thomas
CVE-2023-44487 Apache Tomcat - HTTP/2 DoS Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M11 Apache Tomcat 10.1.0-M1 to 10.1.13 Apache Tomcat 9.0.0-M1 to 9.0.80 Apache Tomcat 8.5.0 to 8.5.93 Description: Tomcat's HTTP/2 implement

[SECURITY] CVE-2023-45648 Apache Tomcat - Request Smuggling

2023-10-10 Thread Mark Thomas
CVE-2023-45648 Apache Tomcat - Request Smuggling Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M11 Apache Tomcat 10.1.0-M1 to 10.1.13 Apache Tomcat 9.0.0-M1 to 9.0.80 Apache Tomcat 8.5.0 to 8.5.93 Description: Tomcat did not cor

Re: Problems with tomcat-users.xml

2023-10-10 Thread Mark Thomas
On 10/10/2023 13:03, Mark Linton wrote: Hello Tomcat users. Is there a forum (like a webpage that we can search for previous questions?)... lists.apache.org I am experiencing an issue with logging on to the manager and hosts webpage(s). What issue? Please see the tomcat-users.xml attache

Re: Deploy an application (upgrade/downgrade) - Remove Cache/Directories

2023-10-10 Thread Mark Thomas
On 10/10/2023 13:38, a.grub...@bluewin.ch wrote: Dear all I have a question. When I deploy a new application (either downgrade or upgrade), what is mandatory to be done apart from ReleaseNotes for the application? I ask specific for remove certain directories from Tomcat structure, also topic r

[ANN] Apache Tomcat 11.0.0-M13 (alpha) available

2023-10-14 Thread Mark Thomas
The Apache Tomcat team announces the immediate availability of Apache Tomcat 11.0.0-M13 (alpha). Apache Tomcat 11 is an open source software implementation of the Jakarta Servlet, Jakarta Server Pages, Jakarta Expression Language, Jakarta WebSocket, Jakarta Authentication and Jakarta Annotations

Re: error valve

2023-10-16 Thread Mark Thomas
On 16/10/2023 23:04, Mcalexander, Jon J. wrote: Good afternoon all! I have a question around the error valve. It mentions that if you want you can supply custom error pages that need to be relative to $CATALINA_BASE. My question is, just where should this go? Do you typically create an errors

Re: CVE-2023-42794 on 10.1.x

2023-10-17 Thread Mark Thomas
17 Oct 2023 16:51:38 Donal Anglin : Hey all, Sonatype are of the opinion that CVE-2023-42794 is also applicable to the 10.x and 11.x streams of Tomcat and issued the notice: The Sonatype Security Research team discovered that this vulnerability is also present and remains unfixed in the 10.x

Re: [IE] Re: CVE-2023-42794 on 10.1.x

2023-10-17 Thread Mark Thomas
Donal Anglin* On Tue, Oct 17, 2023 at 6:23 PM Mark Thomas wrote: 17 Oct 2023 16:51:38 Donal Anglin : Hey all, Sonatype are of the opinion that CVE-2023-42794 is also applicable to the 10.x and 11.x streams of Tomcat and issued the notice: The Sonatype Security Research team discovered that

Re: Tomcat minor update

2023-10-18 Thread Mark Thomas
On 17/10/2023 22:47, Aditya Shastri wrote: Hello, We have several tomcat instances that use a single CATALINA_HOME which is a symlink for a specific version. The Tomcat instance we use is very barebones and doesn't have any of the apps that come with it. For example, The CATALINA_HOME points to
