Re: Invalid CVE on sonatype?

2023-10-16 Thread Romain Manni-Bucau
Think it had been done since the report seems to concern v8/v9; this is why,
from my window, Sonatype missed some data in their db and it triggers false
positives for any recent Tomcat build.

Romain Manni-Bucau



On Mon, 16 Oct 2023 at 14:30, Mark Thomas wrote:

> On 16/10/2023 13:11, Romain Manni-Bucau wrote:
> > Hi all,
> >
> > It seems ossindex reports an invalid CVE for tomcat:
> >
> > https://ossindex.sonatype.org/component/pkg:maven/org.apache.tomcat/tomcat-coyote@10.1.15
> > (https://ossindex.sonatype.org/vulnerability/CVE-2023-42794)
> >
> > Am I right assuming it is due to the way coordinates are entered in their
> > system more than an actual issue or did I miss something?
> > Should we send a mail to ossin...@sonatype.org to get it fixed?
>
> It isn't clear to me what Sonatype think the problem is. I have no
> interest in creating an account to find out.
>
> If Sonatype have identified an error in the report (I've looked but
> can't see one) then Sonatype should report it to the Tomcat security
> team via the usual channel (secur...@tomcat.apache.org).
>
> Mark
>
> -
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>


Re: Invalid CVE on sonatype?

2023-10-16 Thread Mark Thomas

On 16/10/2023 13:11, Romain Manni-Bucau wrote:

> Hi all,
>
> It seems ossindex reports an invalid CVE for tomcat:
> https://ossindex.sonatype.org/component/pkg:maven/org.apache.tomcat/tomcat-coyote@10.1.15
> (https://ossindex.sonatype.org/vulnerability/CVE-2023-42794)
>
> Am I right assuming it is due to the way coordinates are entered in their
> system more than an actual issue or did I miss something?
> Should we send a mail to ossin...@sonatype.org to get it fixed?


It isn't clear to me what Sonatype think the problem is. I have no 
interest in creating an account to find out.


If Sonatype have identified an error in the report (I've looked but 
can't see one) then Sonatype should report it to the Tomcat security 
team via the usual channel (secur...@tomcat.apache.org).


Mark




Invalid CVE on sonatype?

2023-10-16 Thread Romain Manni-Bucau
Hi all,

It seems ossindex reports an invalid CVE for tomcat:
https://ossindex.sonatype.org/component/pkg:maven/org.apache.tomcat/tomcat-coyote@10.1.15
(https://ossindex.sonatype.org/vulnerability/CVE-2023-42794)

Am I right assuming it is due to the way coordinates are entered in their
system more than an actual issue or did I miss something?
Should we send a mail to ossin...@sonatype.org to get it fixed?

Best,
Romain Manni-Bucau



[ANN] Apache Tomcat 8.5.95 available

2023-10-16 Thread Christopher Schultz

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 8.5.95.

Apache Tomcat 8 is an open source software implementation of the Java
Servlet, JavaServer Pages, Java Unified Expression Language, Java
WebSocket and JASPIC technologies.

Apache Tomcat 8.5.95 is a bugfix and feature release. The notable
changes compared to 8.5.94 include:

- Correct a regression in 8.5.94 that broke the Tomcat JDBC
  connection pool

- Correct a regression in 8.5.94 that broke HTTP compression

Please refer to the change log for the complete list of changes:
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html

Downloads:
https://tomcat.apache.org/download-80.cgi

Migration guides from Apache Tomcat 7.x and 8.0:
https://tomcat.apache.org/migration.html

Please note that Tomcat 8.5.x will reach End-of-life (EOL) on 31 March 
2024. For more information please visit 
https://tomcat.apache.org/tomcat-85-eol.html


Enjoy!

- The Apache Tomcat team




[tomcat] branch 8.5.x updated: Add release date for 8.5.95.

2023-10-16 Thread schultz
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
 new 750a0931c7 Add release date for 8.5.95.
750a0931c7 is described below

commit 750a0931c7846624e2137bce46bda61cc9962e73
Author: Christopher Schultz 
AuthorDate: Mon Oct 16 07:55:22 2023 -0400

Add release date for 8.5.95.
---
 webapps/docs/changelog.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 3f6cd5e504..a82490a6a8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -122,7 +122,7 @@
 
   
 
-
+
   
 
   
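Review bot: the commit subject "Add release date for 8.5.95." does not say which date the single -/+ pair at line 125 of webapps/docs/changelog.xml records, so anyone reading the log has to open the diff to verify it. Suggest putting the date value in the subject or body of the commit message, so it can be compared against the release announcement without reading the XML.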





[tomcat] branch 10.1.x updated: Update release date for 10.1.15.

2023-10-16 Thread schultz
This is an automated email from the ASF dual-hosted git repository.

schultz pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/10.1.x by this push:
 new d66900389b Update release date for 10.1.15.
d66900389b is described below

commit d66900389bbf2b18575ee9b25c69b7b9a05286c0
Author: Christopher Schultz 
AuthorDate: Mon Oct 16 07:56:14 2023 -0400

Update release date for 10.1.15.
---
 webapps/docs/changelog.xml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index f13e0e0639..1ae49a5dc4 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -122,7 +122,7 @@
 
   
 
-
+
   
 
   
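Review bot: the subject here says "Update release date for 10.1.15." while the same one-line change to webapps/docs/changelog.xml on the 8.5.x branch is described as "Add release date". If the -/+ pair at line 125 replaces a placeholder rather than correcting a previously committed date, use the same verb on both branches; if it really corrects an earlier date, say so in the message body and name the old and new values.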





svn commit: r1913015 - in /tomcat/site/trunk: ./ docs/ docs/tomcat-8.5-doc/ docs/tomcat-8.5-doc/annotationapi/ docs/tomcat-8.5-doc/annotationapi/javax/annotation/ docs/tomcat-8.5-doc/annotationapi/jav

2023-10-16 Thread schultz
Author: schultz
Date: Mon Oct 16 11:53:48 2023
New Revision: 1913015

URL: http://svn.apache.org/viewvc?rev=1913015&view=rev
Log:
Update web site to include Tomcat 8.5.95.


[This commit notification would consist of 67 parts, 
which exceeds the limit of 50 ones, so it was shortened to the summary.]




svn commit: r1913011 - in /tomcat/site/trunk: ./ docs/ docs/tomcat-10.1-doc/ docs/tomcat-10.1-doc/annotationapi/ docs/tomcat-10.1-doc/annotationapi/jakarta/annotation/ docs/tomcat-10.1-doc/annotationa

2023-10-16 Thread schultz
Author: schultz
Date: Mon Oct 16 11:45:57 2023
New Revision: 1913011

URL: http://svn.apache.org/viewvc?rev=1913011&view=rev
Log:
Update website to include Tomcat 10.1.15.


[This commit notification would consist of 67 parts, 
which exceeds the limit of 50 ones, so it was shortened to the summary.]




svn commit: r64551 - /dev/tomcat/tomcat-8/v8.5.95/ /release/tomcat/tomcat-8/v8.5.95/

2023-10-16 Thread schultz
Author: schultz
Date: Mon Oct 16 11:32:09 2023
New Revision: 64551

Log:
Promote Tomcat 8.5.95 to released.

Added:
release/tomcat/tomcat-8/v8.5.95/
  - copied from r64550, dev/tomcat/tomcat-8/v8.5.95/
Removed:
dev/tomcat/tomcat-8/v8.5.95/





svn commit: r64550 - /dev/tomcat/tomcat-10/v10.1.15/ /release/tomcat/tomcat-10/v10.1.15/

2023-10-16 Thread schultz
Author: schultz
Date: Mon Oct 16 11:18:58 2023
New Revision: 64550

Log:
Promote v10.1.15 to released.

Added:
release/tomcat/tomcat-10/v10.1.15/
  - copied from r64549, dev/tomcat/tomcat-10/v10.1.15/
Removed:
dev/tomcat/tomcat-10/v10.1.15/





[VOTE][RELEASE] Release Apache Tomcat 8.5.95

2023-10-16 Thread Christopher Schultz

All,

The following votes were cast:

+1: isapir, lihan, remm, michaelo, schultz

Non-binding:

+1: cesarhernandezgt

There were no other votes cast, therefore the vote passes. I will begin 
the release process very shortly.


-chris

On 10/11/23 21:31, Christopher Schultz wrote:
> The proposed Apache Tomcat 8.5.95 release is now available for voting.
>
> The notable changes compared to 8.5.94 are:
>
> - Correct a regression in 8.5.94 that broke the Tomcat JDBC
>   connection pool
>
> - Correct a regression in 8.5.94 that broke HTTP compression
>
> Along with lots of other bug fixes and improvements.
>
> For full details, see the changelog:
> https://nightlies.apache.org/tomcat/tomcat-8.5.x/docs/changelog.html
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-8/v8.5.95/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1463
>
> The tag is:
> https://github.com/apache/tomcat/tree/8.5.95/
>
> The proposed 8.5.95 release is:
> [ ] Broken - do not release
> [ ] Stable - go ahead and release as 8.5.95 (stable)




[VOTE][RESULT] Release Apache Tomcat 10.1.15

2023-10-16 Thread Christopher Schultz

All,

The following votes were cast:

+1: isapir, schultz, lihan, remm

Non-binding:

+1: rmannibucau

There were no other votes cast, therefore the vote passes.

I will begin the release process very shortly.

-chris

On 10/11/23 20:50, Christopher Schultz wrote:

> The proposed Apache Tomcat 10.1.15 release is now available for
> voting.
>
> The notable changes compared to 10.1.14 are:
>
> - Correct a regression in 10.1.14 that broke the Tomcat JDBC
>   connection pool
>
> - Correct a regression in 10.1.14 that broke HTTP compression
>
> For full details, see the change log:
> https://nightlies.apache.org/tomcat/tomcat-10.1.x/docs/changelog.html
>
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 10
> without changes. Java EE applications designed for Tomcat 9 and earlier
> may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> will automatically convert them to Jakarta EE and copy them to the
> webapps directory.
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-10/v10.1.15/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1462
>
> The tag is:
> https://github.com/apache/tomcat/tree/10.1.15
> bd69455d3331a153c411b6f1ac5e434bed06f3ce
>
> The proposed 10.1.15 release is:
> [ ] Broken - do not release
> [ ] Stable - go ahead and release as 10.1.15

