https://bz.apache.org/bugzilla/show_bug.cgi?id=59134
Bug ID: 59134
Summary: Secure websocket connection through a proxy is not ok
Product: Tomcat 8
Version: trunk
Hardware: PC
Status: NEW
Severity: normal
Priori
Am 07.03.2016 um 08:27 schrieb Mark Thomas:
On 06/03/2016 18:46, rj...@apache.org wrote:
Author: rjung
Date: Sun Mar 6 18:46:46 2016
New Revision: 1733827
URL: http://svn.apache.org/viewvc?rev=1733827&view=rev
Log:
Update OpenSSL patch for OpenSSL 1.0.2g.
Why was this necessary? I built 1.2.
On 07/03/2016 08:54, Rainer Jung wrote:
> Am 07.03.2016 um 08:27 schrieb Mark Thomas:
>> On 06/03/2016 18:46, rj...@apache.org wrote:
>>> Author: rjung
>>> Date: Sun Mar 6 18:46:46 2016
>>> New Revision: 1733827
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1733827&view=rev
>>> Log:
>>> Update Ope
On 02/03/2016 13:43, Mark Thomas wrote:
> Version 1.2.4 includes the following changes:
>
> - Report runtime rather than compile time version for OpenSSL
> - Fixes to allow continued building with master
>
> The proposed release artefacts can be found at [1],
> and the build was done using tag [2
space/apache-commons/daemon/dist/bin/commons-daemon-20160307-native-src.tar.gz
-Dexamples.sources.skip=true
-Dbase.path=/srv/gump/public/workspace/tomcat-8.0.x/tomcat-build-libs
-Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.5-201506032000/ecj-4.5.jar
-Dtest.apr.loc=/srv/gump/public/workspac
Hi,
2016-03-02 15:43 GMT+02:00 Mark Thomas :
>
> Version 1.2.4 includes the following changes:
>
> - Report runtime rather than compile time version for OpenSSL
> - Fixes to allow continued building with master
>
> The proposed release artefacts can be found at [1],
> and the build was done using
mons/daemon/dist/bin/commons-daemon-20160307-native-src.tar.gz
-Dexamples.sources.skip=true
-Dbase.path=/srv/gump/public/workspace/tomcat-trunk/tomcat-build-libs
-Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.5-201506032000/ecj-4.5.jar
-Dtest.relaxTiming=true
-Dcommons-daemon.jar=/srv/gump/pub
Author: markt
Date: Mon Mar 7 12:29:36 2016
New Revision: 1733914
URL: http://svn.apache.org/viewvc?rev=1733914&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59119
Correct read logic
Modified:
tomcat/trunk/java/org/apache/tomcat/websocket/AsyncChannelWrapperSecure.java
Author: markt
Date: Mon Mar 7 12:31:19 2016
New Revision: 1733915
URL: http://svn.apache.org/viewvc?rev=1733915&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59119
Correct read logic
Modified:
tomcat/tc8.0.x/trunk/ (props changed)
tomcat/tc8.0.x/trunk/java/org/apach
Author: markt
Date: Mon Mar 7 12:33:06 2016
New Revision: 1733916
URL: http://svn.apache.org/viewvc?rev=1733916&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59119
Correct read logic
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/java/org/apach
https://bz.apache.org/bugzilla/show_bug.cgi?id=59119
Mark Thomas changed:
What|Removed |Added
Resolution|--- |FIXED
Status|NEW
https://bz.apache.org/bugzilla/show_bug.cgi?id=59120
--- Comment #1 from Mark Thomas ---
The documentation you quote is not consistent with the claims you make
regarding SSL being more general.
Part of the problem is that this code has to work across multiple Java versions
and multiple vendors a
pache-commons/daemon/dist/bin/commons-daemon-20160307-native-src.tar.gz
-Dexamples.sources.skip=true
-Dbase.path=/srv/gump/public/workspace/tomcat-trunk/tomcat-build-libs
-Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.5-201506032000/ecj-4.5.jar
-Dtest.relaxTiming=true
-Dcommons-daemon.
https://bz.apache.org/bugzilla/show_bug.cgi?id=59120
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
mons/daemon/dist/bin/commons-daemon-20160307-native-src.tar.gz
-Dexamples.sources.skip=true
-Dbase.path=/srv/gump/public/workspace/tomcat-trunk/tomcat-build-libs
-Djdt.jar=/srv/gump/packages/eclipse/plugins/R-4.5-201506032000/ecj-4.5.jar
-Dtest.apr.loc=/srv/gump/public/workspace/tomcat-native-tru
On 06/03/2016 21:20, Rainer Jung wrote:
> Am 06.03.2016 um 19:49 schrieb Rainer Jung:
>> I updated the tcnative NMAKEmakefiles and the provided openssl patch for
>> building with APR 1.5.2 and OpenSSL 1.0.2g.
>>
>> Can others please see, whether it still works for them? I did run a
>> build myself,
https://bz.apache.org/bugzilla/show_bug.cgi?id=59120
--- Comment #3 from Jack ---
When you say "it behaves the same way as Oracle", did you mean the
communication used the same TLS version? From my test (by setting
-Djavax.net.debug=ssl) Oracle uses TLS v1.2, and IBM uses TLS v1.0.
I think it's
https://bz.apache.org/bugzilla/show_bug.cgi?id=59092
--- Comment #2 from Matthew Reiter ---
This is the same defect as https://bz.apache.org/bugzilla/show_bug.cgi?id=58813
(Incoming requests hang after a website using the ISAPI connector is
restarted).
--
You are receiving this mail because:
Yo
https://bz.apache.org/bugzilla/show_bug.cgi?id=59122
Mark Thomas changed:
What|Removed |Added
Resolution|--- |INVALID
Status|NEW
/dist/commons-daemon-20160307.jar
-Dtomcat-dbcp-src.jar=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps/tomcat-dbcp-src.jar
-Dtomcat-dbcp.home=/srv/gump/public/workspace/tomcat-7.0.x/tomcat-deps
-Dtest.excludePerformance=true
-Dhamcrest.jar=/srv/gump/packages/hamcrest/hamcrest-core-1.3.jar
-Dco
Author: markt
Date: Mon Mar 7 16:28:09 2016
New Revision: 1733940
URL: http://svn.apache.org/viewvc?rev=1733940&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59123
Close NamingEnumeration objects used by the JNDIRealm once they are no longer
required.
Modified:
tomcat/tru
Author: markt
Date: Mon Mar 7 16:29:15 2016
New Revision: 1733941
URL: http://svn.apache.org/viewvc?rev=1733941&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59123
Close NamingEnumeration objects used by the JNDIRealm once they are no longer
required.
Modified:
tomcat/tc8
Author: markt
Date: Mon Mar 7 16:29:52 2016
New Revision: 1733942
URL: http://svn.apache.org/viewvc?rev=1733942&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59123
Close NamingEnumeration objects used by the JNDIRealm once they are no longer
required.
Modified:
tomcat/tc7
Author: markt
Date: Mon Mar 7 16:35:51 2016
New Revision: 1733943
URL: http://svn.apache.org/viewvc?rev=1733943&view=rev
Log:
Close NamingEnumeration objects used by the JNDIRealm once they are no longer
required.
Modified:
tomcat/tc6.0.x/trunk/ (props changed)
tomcat/tc6.0.x/trunk/ja
Author: markt
Date: Mon Mar 7 16:36:16 2016
New Revision: 1733944
URL: http://svn.apache.org/viewvc?rev=1733944&view=rev
Log:
Correct changelog
Modified:
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/vie
https://bz.apache.org/bugzilla/show_bug.cgi?id=59123
Mark Thomas changed:
What|Removed |Added
Resolution|--- |FIXED
Status|NEW
On 05/03/2016 18:36, Mark Thomas wrote:
> On 05/03/2016 17:08, Christopher Schultz wrote:
>
>>> First of all we could add the remote address valve and limit access to
>>> localhost by default. That will limit some remote attacks but possibly
>>> not all depending on reverse proxy configurations
>>
https://bz.apache.org/bugzilla/show_bug.cgi?id=59125
Mark Thomas changed:
What|Removed |Added
Attachment #33626|text/x-java |text/plain
mime type|
https://bz.apache.org/bugzilla/show_bug.cgi?id=59125
Mark Thomas changed:
What|Removed |Added
Attachment #33626|1 |0
is patch|
https://bz.apache.org/bugzilla/show_bug.cgi?id=57130
--- Comment #4 from Coty Sutherland ---
Hmm, lack of experience in the area I suppose...I thought I did a pretty
literal implementation of the requirements from the description (specifically
the first point). I could rewrite it if you would lik
https://bz.apache.org/bugzilla/show_bug.cgi?id=59134
Christopher Schultz changed:
What|Removed |Added
OS||All
Resolution|---
https://bz.apache.org/bugzilla/show_bug.cgi?id=59125
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
https://bz.apache.org/bugzilla/show_bug.cgi?id=59134
Mark Thomas changed:
What|Removed |Added
Resolution|INVALID |---
Status|RESOLVED
https://bz.apache.org/bugzilla/show_bug.cgi?id=59138
Bug ID: 59138
Summary: checkThreadLocalMapForLeaks has false positives
Product: Tomcat 7
Version: unspecified
Hardware: PC
Status: NEW
Severity: normal
Priori
2016-03-07 17:52 GMT+01:00 Mark Thomas :
> On 05/03/2016 18:36, Mark Thomas wrote:
> > On 05/03/2016 17:08, Christopher Schultz wrote:
> >
> >>> First of all we could add the remote address valve and limit access to
> >>> localhost by default. That will limit some remote attacks but possibly
> >>>
Author: markt
Date: Mon Mar 7 19:41:36 2016
New Revision: 1733963
URL: http://svn.apache.org/viewvc?rev=1733963&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59134
Correct client connect logic for secure connections made through a proxy.
Modified:
tomcat/trunk/java/org/apa
Author: markt
Date: Mon Mar 7 19:42:18 2016
New Revision: 1733964
URL: http://svn.apache.org/viewvc?rev=1733964&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59134
Correct client connect logic for secure connections made through a proxy.
Modified:
tomcat/tc8.0.x/trunk/ (
https://bz.apache.org/bugzilla/show_bug.cgi?id=59134
Mark Thomas changed:
What|Removed |Added
Status|REOPENED|RESOLVED
Resolution|---
Author: markt
Date: Mon Mar 7 19:42:49 2016
New Revision: 1733965
URL: http://svn.apache.org/viewvc?rev=1733965&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=59134
Correct client connect logic for secure connections made through a proxy.
Modified:
tomcat/tc7.0.x/trunk/ (
https://bz.apache.org/bugzilla/show_bug.cgi?id=59134
--- Comment #3 from Mark Thomas ---
Thanks for the report. This has been fixed in 9.0.x for 9.0.0.M4 onwards, 8.0.x
for 8.0.33 onwards and 7.0.x for 7.0.69 onwards.
--
You are receiving this mail because:
You are the assignee for the bug.
--
The Buildbot has detected a build exception on builder tomcat-8-trunk while
building . Full details are available at:
https://ci.apache.org/builders/tomcat-8-trunk/builds/493
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: silvanus_ubuntu
Build Reason: The AnyBranchScheduler
Author: markt
Date: Mon Mar 7 19:56:37 2016
New Revision: 1733968
URL: http://svn.apache.org/viewvc?rev=1733968&view=rev
Log:
ws police
Modified:
tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
Modified: tomcat/trunk/java/org/apache/catalina/realm/JNDIRealm.java
URL:
http://svn.
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
Michael Osipov <1983-01...@gmx.net> changed:
What|Removed |Added
CC||1983-01...@gmx.net
https://bz.apache.org/bugzilla/show_bug.cgi?id=59138
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
OS|
https://bz.apache.org/bugzilla/show_bug.cgi?id=59138
--- Comment #2 from Mark Thomas ---
And for the record while I was 99% sure just from reading the description what
the problem was I did go to the trouble of building a simple test case and
confirming the memory leak with a profiler.
--
You a
https://bz.apache.org/bugzilla/show_bug.cgi?id=59139
Louis Burton changed:
What|Removed |Added
CC||louis.bur...@gmail.com
--
You are rece
https://bz.apache.org/bugzilla/show_bug.cgi?id=59139
Bug ID: 59139
Summary: undeployOldVersions sorts alphabetically though
version numbers are normally numeric in part
Product: Tomcat 8
Version: trunk
Hardware: All
https://bz.apache.org/bugzilla/show_bug.cgi?id=59139
Mark Thomas changed:
What|Removed |Added
Status|NEW |RESOLVED
Resolution|---
The following votes were cast:
Binding:
+1: markt, rjung, violetagg
No other votes were cast.
This vote therefore passes.
Thanks to everyone who tested and voted.
I'll start the release now with a view to announcing tomorrow.
Mark
-
https://bz.apache.org/bugzilla/show_bug.cgi?id=59125
--- Comment #4 from Jes Wulfsberg Nielsen ---
As in, "complete" is not a "release resources", and you don't need to do it in
case of errors?
That runs counter to all examples I've seen of async servlets, where the
"complete" is specifically out
Author: markt
Date: Mon Mar 7 20:48:37 2016
New Revision: 12678
Log:
Release Tomcat Native 1.2.5
Added:
release/tomcat/tomcat-connectors/native/1.2.5/
- copied from r12592, dev/tomcat/tomcat-connectors/native/1.2.5/
Removed:
dev/tomcat/tomcat-connectors/native/1.2.5/
Author: markt
Date: Mon Mar 7 20:51:19 2016
New Revision: 1733978
URL: http://svn.apache.org/viewvc?rev=1733978&view=rev
Log:
Update to Tomcat Native Library 1.2.5
Modified:
tomcat/trunk/build.properties.default
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/build.proper
Author: markt
Date: Mon Mar 7 20:52:55 2016
New Revision: 1733979
URL: http://svn.apache.org/viewvc?rev=1733979&view=rev
Log:
Update to Tomcat Native Library 1.2.5
Modified:
tomcat/tc8.0.x/trunk/ (props changed)
tomcat/tc8.0.x/trunk/build.properties.default
tomcat/tc8.0.x/trunk/web
https://bz.apache.org/bugzilla/show_bug.cgi?id=59125
--- Comment #5 from Mark Thomas ---
As in complete() is required (by the spec) to be called as part of the error
handling and if it isn't the container has to do it. See 2.3.3.3 of the servlet
spec and search for onError.
If you have further q
https://bz.apache.org/bugzilla/show_bug.cgi?id=59125
--- Comment #6 from Jes Wulfsberg Nielsen ---
Thanks for the clarifications; re-reading the fine print I see the point on
"complete" being called from an AsyncContext listener.
Shouldn't it then be a similar state error to call it using .whenC
https://bz.apache.org/bugzilla/show_bug.cgi?id=59139
--- Comment #2 from Louis Burton ---
Thanks for clarifying.
Apologies, I was looking at the documentation for 'undeployOldVersions' and
didn't see reference to this:
http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
I see it explained e
https://bz.apache.org/bugzilla/show_bug.cgi?id=59138
--- Comment #3 from Brett Kail ---
Entries in ThreadLocalMap weakly reference the key, which is the ThreadLocal
subclass that is loaded by the application class loader. Assuming there are no
other retained references to the application class l
The Buildbot has detected a restored build on builder tomcat-8-trunk while
building . Full details are available at:
https://ci.apache.org/builders/tomcat-8-trunk/builds/494
Buildbot URL: https://ci.apache.org/
Buildslave for this Build: silvanus_ubuntu
Build Reason: The AnyBranchScheduler
https://bz.apache.org/bugzilla/show_bug.cgi?id=59138
--- Comment #4 from Mark Thomas ---
Hmm. The profiler was showing the key as strongly reachable. That explains why
it wasn't collected but not why it was strongly reachable. Let me take another
look at the results.
--
You are receiving this m
https://bz.apache.org/bugzilla/show_bug.cgi?id=59123
--- Comment #3 from Emmanuel L ---
Sounds good to me. Thanks for the patch and sorry for having been lazy and not
have provided it...
--
You are receiving this mail because:
You are the assignee for the bug.
-
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #18 from Anthony J. Biacco ---
I usually just modify server.* org/apache/catalina/util/ServerInfo.properties
and rebuild catalina.jar.
Not exactly ideal, but fairly trivial for me at least to mask the info.
--
You are receiving th
https://bz.apache.org/bugzilla/show_bug.cgi?id=58750
--- Comment #19 from Anthony J. Biacco ---
Sorry, i don't REBUILD the jar, i just leave
org/apache/catalina/util/ServerInfo.properties there after modded as suggested
in the Valves section of
https://tomcat.apache.org/tomcat-8.0-doc/security-ho
https://bz.apache.org/bugzilla/show_bug.cgi?id=59138
Mark Thomas changed:
What|Removed |Added
Resolution|INVALID |---
Status|RESOLVED
63 matches
Mail list logo
