[jira] [Commented] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

2022-02-05 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487509#comment-17487509
 ] 

Jacques Le Roux commented on OFBIZ-11848:
-

Done with INFRA-22843

> Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)
> -
>
> Key: OFBIZ-11848
> URL: https://issues.apache.org/jira/browse/OFBIZ-11848
> Project: OFBiz
> Issue Type: Sub-task
> Components: framework
> Affects Versions: 17.12.03, Trunk, 18.12.01
> Reporter: Michael Brohl
> Assignee: Michael Brohl
> Priority: Major
> Fix For: Release Branch 17.12, 18.12.01
>
>
> CVE-2020-11996 Apache Tomcat HTTP/2 Denial of Service
> Severity: Important
> Vendor: The Apache Software Foundation
> Versions Affected:
> Apache Tomcat 10.0.0-M1 to 10.0.0-M5
> Apache Tomcat 9.0.0.M1 to 9.0.35
> Apache Tomcat 8.5.0 to 8.5.55
> Description:
> A specially crafted sequence of HTTP/2 requests could trigger high CPU
> usage for several seconds. If a sufficient number of such requests were
> made on concurrent HTTP/2 connections, the server could become unresponsive.
> Mitigation:
> - Upgrade to Apache Tomcat 10.0.0-M6 or later
> - Upgrade to Apache Tomcat 9.0.36 or later
> - Upgrade to Apache Tomcat 8.5.56 or later
> Credit:
> This issue was reported publicly via the Apache Tomcat Users mailing
> list without reference to the potential for DoS. The DoS risks were
> identified by the Apache Tomcat Security Team.
> References:
> [1] http://tomcat.apache.org/security-10.html
> [2] http://tomcat.apache.org/security-9.html
> [3] http://tomcat.apache.org/security-8.html



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[jira] [Commented] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

2022-02-05 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487490#comment-17487490
 ] 

Jacques Le Roux commented on OFBIZ-11848:
-

Thinking about it, for Jira issues and commits comments relation, I think it's 
more on Infra side. I'll ask them.



[jira] [Comment Edited] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

2022-02-05 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487489#comment-17487489
 ] 

Jacques Le Roux edited comment on OFBIZ-11848 at 2/5/22, 1:44 PM:
--

Thanks, we crossed on wire.

So clearly, as it's now OOTB it will only work on localhost. Our best option is 
to document it in 
[https://github.com/apache/ofbiz-framework/blob/trunk/framework/catalina/ofbiz-component.xml].

I don't close here yet. Not only because of that, but because I'll remove other 
tokens (bash ones) and will enforce the security against encoded, encrypted 
webshells.


was (Author: jacques.le.roux):
Thanks, we crossed on wire.

So clearly, as it's now OOTB it will only work on localhost. Our best option is 
to document it in 
[https://github.com/apache/ofbiz-framework/blob/trunk/framework/catalina/ofbiz-component.xml].

I don't close here yet. Not only because of that, but because I'll remove other 
tokens (bash ones) and will enforce the security against encoded, encrypted 
webshells.



[jira] [Commented] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

2022-02-05 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487489#comment-17487489
 ] 

Jacques Le Roux commented on OFBIZ-11848:
-

Thanks, we crossed on wire.

So clearly, as it's now OOTB it will only work on localhost. Our best option is 
to document it in 
[https://github.com/apache/ofbiz-framework/blob/trunk/framework/catalina/ofbiz-component.xml].

I don't close here yet. Not only because of that, but because I'll remove other 
tokens (bash ones) and will enforce the security against encoded, encrypted 
webshells.



[jira] [Commented] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

2022-02-05 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487486#comment-17487486
 ] 

Jacques Le Roux commented on OFBIZ-11848:
-

Thanks, looking forward.

Actually I'm not pushing to OFBIZ-11407 but OFBIZ-12558 has the title mentions:
{quote}Fixed: Possible authenticated attack related to Tomcat CVE-2020-1938 
(OFBIZ-12558)
{quote}
Jira is taking the reference from the commit comment. It's not the former nor 
the latter (both are 12558). I don't know the algo, maybe because it's already 
closed and the other not(?), which makes not much sense anyway. The algo should 
pick from the title IMO. We could [create an Atlassian Jira 
issue|https://community.atlassian.com/t5/Jira-questions/Where-do-I-report-a-Bug-to-Atlassian/qaq-p/797944]
 for that...



[jira] [Commented] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

2022-02-05 Thread Michael Brohl (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487485#comment-17487485
 ] 

Michael Brohl commented on OFBIZ-11848:
---

To answer your question: if I remember correctly, adding 
allowedRequestAttributesPattern = ".*" was a solution to a connection problem 
we faced in a project after the upgrade.

I found several recommendations, e.g. [1] to set this and it worked so I went 
with this solution. I have not checked if the list of allowed patterns could 
have been reduced though.

[1] 
https://stackoverflow.com/questions/63505670/apache-cant-connect-to-new-tomcat-9-ajp/63928276#63928276

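An added example, not part of the thread or of OFBiz's code: a small audit that reads AJP connectors from a constructed Tomcat server.xml-style snippet and reports whether allowedRequestAttributesPattern is left at the Tomcat default (null), is effectively unrestricted like ".*", or is restricted, together with the attributes the front-end proxy needs that would be rejected. The attribute names in NEEDED, the canary names and the sample XML are assumptions; Python's whole-string regex match stands in for Tomcat's whole-name match described in the AJP documentation linked in the thread.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in Tomcat server.xml syntax (OFBiz's ofbiz-component.xml
# uses its own property format, which is not reproduced here).
SAMPLE_SERVER_XML = """
<Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" allowedRequestAttributesPattern=".*"/>
  <Connector port="8010" protocol="AJP/1.3"/>
  <Connector port="8011" protocol="AJP/1.3"
             allowedRequestAttributesPattern="SSL_CLIENT_S_DN|SSL_CLIENT_VERIFY"/>
</Service>
"""

# Hypothetical names: attributes the reverse proxy is assumed to forward.
NEEDED = ["SSL_CLIENT_S_DN", "SSL_CLIENT_VERIFY"]

# Constructed names nobody configured; a pattern accepting all of them is
# treated as "anything goes".
CANARIES = ["zz_canary_1", "x.unexpected-name", "0"]


def accepts(compiled, name):
    """True if the whole attribute name matches the compiled pattern."""
    return compiled is not None and compiled.fullmatch(name) is not None


def classify(pattern, needed=NEEDED):
    """Return (verdict, needed attributes the connector would reject)."""
    if pattern is None:
        # Tomcat default: every arbitrary request attribute is rejected.
        return "default-null", list(needed)
    try:
        compiled = re.compile(pattern)
    except re.error:
        return "invalid-regex", list(needed)
    blocked = [n for n in needed if not accepts(compiled, n)]
    if all(accepts(compiled, c) for c in CANARIES):
        return "unrestricted", blocked
    return "restricted", blocked


def tight_pattern(needed):
    """Smallest alternation that accepts exactly the needed names."""
    return "|".join(re.escape(n) for n in sorted(set(needed)))


def audit(xml_text, needed=NEEDED):
    """Classify every AJP connector found in the configuration text."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if "ajp" not in conn.get("protocol", "").lower():
            continue  # HTTP connectors have no such attribute
        pattern = conn.get("allowedRequestAttributesPattern")
        verdict, blocked = classify(pattern, needed)
        findings.append({
            "port": conn.get("port"),
            "pattern": pattern,
            "verdict": verdict,
            "blocked": blocked,
        })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SERVER_XML):
        print(f["port"], f["verdict"], "blocked:", f["blocked"] or "none")
    print("suggested pattern:", tight_pattern(NEEDED))
```

A "default-null" verdict with a non-empty blocked list is the connection problem described above; "unrestricted" is the ".*" workaround, and the suggested pattern is the reduced list that was not checked.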


[jira] [Commented] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

2022-02-05 Thread Michael Brohl (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487484#comment-17487484
 ] 

Michael Brohl commented on OFBIZ-11848:
---

Hi Jacques,

I don't remember, the commit is 1,5 years old. I have to check this.

Any reasons why you are pushing commits towards the old OFBIZ-11407, which is 
nearly 2 years old and closed? Shouldn't they go to a new Jira?



[jira] [Commented] (OFBIZ-12524) Production Run - VIEW permissions

2022-02-05 Thread Pierre Smits (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-12524?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487478#comment-17487478
 ] 

Pierre Smits commented on OFBIZ-12524:
--

[GitHub Pull Request #475|https://github.com/apache/ofbiz-framework/pull/475] 
now needs to be reworked. Caused by out-of-sequence commit/merge of 
[418d6e0|https://github.com/apache/ofbiz-framework/commit/418d6e03d45c3647f96dbc1f7630b348a60d11f1#diff-1fbd717a3a3a1f3c301b977057d68e3748c1a233373c362b8be4c0a3dd070aa6]

> Production Run - VIEW permissions
> -
>
> Key: OFBIZ-12524
> URL: https://issues.apache.org/jira/browse/OFBIZ-12524
> Project: OFBiz
> Issue Type: Improvement
> Components: manufacturing
> Affects Versions: Upcoming Branch
> Reporter: Pierre Smits
> Assignee: Pierre Smits
> Priority: Major
> Labels: permissions, productionrun, trust, usability, ux
>
> Currently, a user with only 'VIEW' permissions, as demonstrated in trunk demo 
> with userId = auditor, accessing the Production run screen, sees editable 
> fields and/or triggers (to requests) reserved for users with 'CREATE' or 
> 'UPDATE' permissions.





[GitHub] [ofbiz-framework] PierreSmits commented on pull request #475: Improved: Production Run - VIEW permissions (OFBIZ-12524)

2022-02-05 Thread GitBox


PierreSmits commented on pull request #475:
URL: https://github.com/apache/ofbiz-framework/pull/475#issuecomment-1030611164


   This PR now needs to be reworked. Caused by out-of-sequence commit/merge of 
https://github.com/apache/ofbiz-framework/commit/418d6e03d45c3647f96dbc1f7630b348a60d11f1#diff-1fbd717a3a3a1f3c301b977057d68e3748c1a233373c362b8be4c0a3dd070aa6
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@ofbiz.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[jira] [Comment Edited] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

2022-02-05 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487475#comment-17487475
 ] 

Jacques Le Roux edited comment on OFBIZ-11848 at 2/5/22, 11:24 AM:
---

Hi [~mbrohl],

This discussion is about OFBIZ-12558 and what to put into 
allowedRequestAttributesPattern.

With OFBIZ-11407, you 1st moved to Tomcat 9.0.31. Then with [b791dca 
commit|https://github.com/apache/ofbiz-framework/commit/b791dca] for 
OFBIZ-11848 you added allowedRequestAttributesPattern which is great.

For OFBIZ-12558 I commented allowedRequestAttributesPattern out. So OOTB it has 
now the Tomcat default value, which is null. So it's the same situation as 
before your b791dca commit. My question is: what issue/s did you cross that 
led you to change for all possibilities (ie ".*")?

I wonder because between OFBIZ-11407 (23/Feb/20) and b791dca commit (03/Jul/20) 
the demos were running (they were down for security reason between 2020-08-11 
and 2020-12-1 in relation with OFBIZ-12080) w/o an AJP related problem. I 
checked, I found nothing AJP special in the [then HTTPD 
config|https://github.com/apache/ofbiz-tools/tree/master/demo-backup/site-enabled3].

The demos are still down and I don't want to put all the necessary to test them 
by my own locally. But I'd like to be sure the Tomcat default value (null) will 
not block them when they will, hopefully soon, be back. And of course we need 
to set the best possible value or clearly explain to our users in 
https://github.com/apache/ofbiz-framework/blob/trunk/framework/catalina/ofbiz-component.xml.

TIA

PS: For those interested the possible values for 
allowedRequestAttributesPattern are defined at 
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html



was (Author: jacques.le.roux):
Hi [~mbrohl],

This discussion is about OFBIZ-12558 and what to put into 
allowedRequestAttributesPattern.

With OFBIZ-11407, you 1st moved to Tomcat 9.0.31. Then with [b791dca 
commit|https://github.com/apache/ofbiz-framework/commit/b791dca] for 
OFBIZ-11848 you added allowedRequestAttributesPattern which is great.

For OFBIZ-12558 I commented allowedRequestAttributesPattern out. So OOTB it has 
now the Tomcat default value, which is null. So it's the same situation as 
before your b791dca commit. My question is: what issue/s did you cross that 
led you to change for all possibilities (ie ".*")?

I wonder because between OFBIZ-11407 (23/Feb/20) and b791dca commit (03/Jul/20) 
the demos were running (they were down for security reason between 2020-08-11 
and 2020-12-1 in relation with OFBIZ-12080) w/o an AJP related problem. I 
checked, I found nothing AJP special in the [then HTTPD 
config|https://github.com/apache/ofbiz-tools/tree/master/demo-backup/site-enabled3].

The demos are still down and I don't want to put all the necessary to test them 
by my own locally. But I'd like to be sure the Tomcat default value (null) will 
not block them when they will, hopefully soon, be back. And of course we need 
to set the best possible value or clearly explain to our users in 
https://github.com/apache/ofbiz-framework/blob/trunk/framework/catalina/ofbiz-component.xml.

TIA

PS: For those interested the possible values for 
allowedRequestAttributesPattern are defined at 
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html



[jira] [Comment Edited] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

2022-02-05 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487475#comment-17487475
 ] 

Jacques Le Roux edited comment on OFBIZ-11848 at 2/5/22, 11:23 AM:
---

Hi [~mbrohl],

This discussion is about OFBIZ-12558 and what to put into 
allowedRequestAttributesPattern.

With OFBIZ-11407, you 1st moved to Tomcat 9.0.31. Then with [b791dca 
commit|https://github.com/apache/ofbiz-framework/commit/b791dca] for 
OFBIZ-11848 you added allowedRequestAttributesPattern which is great.

For OFBIZ-12558 I commented allowedRequestAttributesPattern out. So OOTB it has 
now the Tomcat default value, which is null. So it's the same situation as 
before your b791dca commit. My question is: what issue/s did you cross that 
led you to change for all possibilities (ie ".*")?

I wonder because between OFBIZ-11407 (23/Feb/20) and b791dca commit (03/Jul/20) 
the demos were running (they were down for security reason between 2020-08-11 
and 2020-12-1 in relation with OFBIZ-12080) w/o an AJP related problem. I 
checked, I found nothing AJP special in the [then HTTPD 
config|https://github.com/apache/ofbiz-tools/tree/master/demo-backup/site-enabled3].

The demos are still down and I don't want to put all the necessary to test them 
by my own locally. But I'd like to be sure the Tomcat default value (null) will 
not block them when they will, hopefully soon, be back. And of course we need 
to set the best possible value or clearly explain to our users in 
https://github.com/apache/ofbiz-framework/blob/trunk/framework/catalina/ofbiz-component.xml.

TIA

PS: For those interested the possible values for 
allowedRequestAttributesPattern are defined at 
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html



was (Author: jacques.le.roux):
Hi [~mbrohl],

This discussion is about OFBIZ-12558 and what to put into 
allowedRequestAttributesPattern.

With OFBIZ-11407, you 1st moved to Tomcat 9.0.31. Then with [b791dca 
commit|https://github.com/apache/ofbiz-framework/commit/b791dca] you added 
allowedRequestAttributesPattern which is great.

For OFBIZ-12558 I commented allowedRequestAttributesPattern out. So OOTB it has 
now the Tomcat default value, which is null. So it's the same situation as 
before your b791dca commit. My question is: what issue/s did you cross that 
led you to change for all possibilities (ie ".*")?

I wonder because between OFBIZ-11407 (23/Feb/20) and b791dca commit (03/Jul/20) 
the demos were running (they were down for security reason between 2020-08-11 
and 2020-12-1 in relation with OFBIZ-12080) w/o an AJP related problem. I 
checked, I found nothing AJP special in the [then HTTPD 
config|https://github.com/apache/ofbiz-tools/tree/master/demo-backup/site-enabled3].

The demos are still down and I don't want to put all the necessary to test them 
by my own locally. But I'd like to be sure the Tomcat default value (null) will 
not block them when they will, hopefully soon, be back. And of course we need 
to set the best possible value or clearly explain to our users in 
https://github.com/apache/ofbiz-framework/blob/trunk/framework/catalina/ofbiz-component.xml.

TIA

PS: For those interested the possible values for 
allowedRequestAttributesPattern are defined at 
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html



[jira] [Commented] (OFBIZ-11848) Upgrade Tomcat from 9.0.34 to 9.0.36 (CVE-2020-11996)

2022-02-05 Thread Jacques Le Roux (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11848?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487475#comment-17487475
 ] 

Jacques Le Roux commented on OFBIZ-11848:
-

Hi [~mbrohl],

This discussion is about OFBIZ-12558 and what to put into 
allowedRequestAttributesPattern.

With OFBIZ-11407, you 1st moved to Tomcat 9.0.31. Then with [b791dca 
commit|https://github.com/apache/ofbiz-framework/commit/b791dca] you added 
allowedRequestAttributesPattern which is great.

For OFBIZ-12558 I commented allowedRequestAttributesPattern out. So OOTB it has 
now the Tomcat default value, which is null. So it's the same situation as 
before your b791dca commit. My question is: what issue/s did you cross that 
led you to change for all possibilities (ie ".*")?

I wonder because between OFBIZ-11407 (23/Feb/20) and b791dca commit (03/Jul/20) 
the demos were running (they were down for security reason between 2020-08-11 
and 2020-12-1 in relation with OFBIZ-12080) w/o an AJP related problem. I 
checked, I found nothing AJP special in the [then HTTPD 
config|https://github.com/apache/ofbiz-tools/tree/master/demo-backup/site-enabled3].

The demos are still down and I don't want to put all the necessary to test them 
by my own locally. But I'd like to be sure the Tomcat default value (null) will 
not block them when they will, hopefully soon, be back. And of course we need 
to set the best possible value or clearly explain to our users in 
https://github.com/apache/ofbiz-framework/blob/trunk/framework/catalina/ofbiz-component.xml.

TIA

PS: For those interested the possible values for 
allowedRequestAttributesPattern are defined at 
https://tomcat.apache.org/tomcat-9.0-doc/config/ajp.html




[GitHub] [ofbiz-framework] sonarcloud[bot] commented on pull request #500: Improved: List and Grid (OFBIZ-11345)

2022-02-05 Thread GitBox


sonarcloud[bot] commented on pull request #500:
URL: https://github.com/apache/ofbiz-framework/pull/500#issuecomment-1030597504


   Kudos, SonarCloud Quality Gate passed!
   
   0 Bugs
   0 Vulnerabilities
   0 Security Hotspots
   0 Code Smells
   
   No Coverage information
   0.0% Duplication
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscr...@ofbiz.apache.org

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org




[GitHub] [ofbiz-framework] PierreSmits opened a new pull request #500: Improved: List and Grid (OFBIZ-11345)

2022-02-05 Thread GitBox


PierreSmits opened a new pull request #500:
URL: https://github.com/apache/ofbiz-framework/pull/500


   According to the definition in widget-form.xsd the use of a combination of a form with type="list" is deprecated in favour of a grid.
   Refactor various list forms into grids.
   Refactor various list form references in screens.

   Improved:
   BlogScreens.xml: from form ref to grid ref
   BlogForms.xml: from form definition with list ref to grid definition with list ref
   additional cleanup






[jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-05 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487441#comment-17487441
 ] 

ASF subversion and git services commented on OFBIZ-11948:
-

Commit 30770e1ceaa81198f3ba56a9dbc0dfb727a84d7a in ofbiz-framework's branch 
refs/heads/trunk from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=30770e1 ]

Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)

In SecuredUpload::isValidImageFile I initially used isValidText() and thought
that decoding would be better so finally used isValidTextFile() instead. But
then valid image files are not passing. So this replaces isValidTextFile by
isValidText there.

Also while at it removes a few other PHP tokens, now useless (hopefully, I still
have to check encoded and encrypted PHP webshells), from
security::deniedWebShellTokens. The fewer tokens we have, the more legible the
whole is.
Improves related comments.

Modifies SecurityUtilTest::webShellTokensTesting accordingly


> Remote Code Execution (File Upload) Vulnerability
> -------------------------------------------------
>
> Key: OFBIZ-11948
> URL: https://issues.apache.org/jira/browse/OFBIZ-11948
> Project: OFBiz
> Issue Type: Sub-task
> Components: product/catalog
> Affects Versions: Trunk, 17.12.04, 18.12.01
> Reporter: Jacques Le Roux
> Assignee: Jacques Le Roux
> Priority: Major
> Fix For: 17.12.05, 18.12.01
>
>
> Harshit Shukla harshit.sh...@gmail.com reported this RCE vulnerability to the
> OFBiz security team, and we thank him for that.
> I'll later quote here his email message when the vulnerability is fixed.
> It's a post-auth vulnerability so we did not ask for a CVE.





[jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-05 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487440#comment-17487440
 ] 

ASF subversion and git services commented on OFBIZ-11948:
-

Commit b447f4dd3ffd32f4c80e0c3a90e4f78830fd6b0d in ofbiz-framework's branch 
refs/heads/release22.01 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=b447f4d ]

Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)

In SecuredUpload::isValidImageFile I initially used isValidText() and thought
that decoding would be better so finally used isValidTextFile() instead. But
then valid image files are not passing. So this replaces isValidTextFile by
isValidText there.

Also while at it removes a few other PHP tokens, now useless (hopefully, I still
have to check encoded and encrypted PHP webshells), from
security::deniedWebShellTokens. The fewer tokens we have, the more legible the
whole is.
Improves related comments.

Modifies SecurityUtilTest::webShellTokensTesting accordingly







[jira] [Commented] (OFBIZ-11948) Remote Code Execution (File Upload) Vulnerability

2022-02-05 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/OFBIZ-11948?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17487439#comment-17487439
 ] 

ASF subversion and git services commented on OFBIZ-11948:
-

Commit 047849f42bf5cb69e28132b66a4a5907136188d8 in ofbiz-framework's branch 
refs/heads/release18.12 from Jacques Le Roux
[ https://gitbox.apache.org/repos/asf?p=ofbiz-framework.git;h=047849f ]

Fixed: Remote Code Execution (File Upload) Vulnerability (OFBIZ-11948)

In SecuredUpload::isValidImageFile I initially used isValidText() and thought
that decoding would be better so finally used isValidTextFile() instead. But
then valid image files are not passing. So this replaces isValidTextFile by
isValidText there.

Also while at it removes a few other PHP tokens, now useless (hopefully, I still
have to check encoded and encrypted PHP webshells), from
security::deniedWebShellTokens. The fewer tokens we have, the more legible the
whole is.
Improves related comments.

Modifies SecurityUtilTest::webShellTokensTesting accordingly

Conflicts handled by hand
 framework/security/config/security.properties
 framework/security/src/test/java/org/apache/ofbiz/security/SecurityUtilTest.java







[GitHub] [ofbiz-framework] sonarcloud[bot] commented on pull request #499: Improved: Dutch labels (OFBIZ-10363)

2022-02-05 Thread GitBox


sonarcloud[bot] commented on pull request #499:
URL: https://github.com/apache/ofbiz-framework/pull/499#issuecomment-1030580556


   Kudos, SonarCloud Quality Gate passed!

   0 Bugs (rating A)
   0 Vulnerabilities (rating A)
   0 Security Hotspots (rating A)
   0 Code Smells (rating A)
   No Coverage information
   0.0% Duplication






[GitHub] [ofbiz-framework] PierreSmits opened a new pull request #499: Improved: Dutch labels (OFBIZ-10363)

2022-02-05 Thread GitBox


PierreSmits opened a new pull request #499:
URL: https://github.com/apache/ofbiz-framework/pull/499


   WorkEffortUiLabels.xml

