On 03/09/2025 09:07, Mark Thomas wrote:
Given the above, I'm still minded to back-port these changes but I will
check the relative performance of the Java implementations of SHA-1 and
SHA-256 and report back first.
Mark
In every Java version I tested (8, 11, 17, 21, 23, 24) apart
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.11.
Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta
WebSocket, Jakarta Authentication and Jakarta Annotations specifications.
Thanks to everyone who contributed to this release.
The following votes were cast:
Binding:
+1: dsoumis, schultz, markt, csutherl, funkman, rjung
No other votes were cast.
The vote therefore passes.
Mark
-
To unsubscribe, e
On 01/09/2025 14:02, Rémy Maucherat wrote:
The proposed 9.0.109 release is:
[ ] -1, Broken - do not release
[X] +1, Stable - go ahead and release as 9.0.109
>
+1
Tests pass on Windows, Linux and MacOS.
Build is cross-platform reproducible.
Mark
On 02/09/2025 13:58, Christopher Schultz wrote:
Please reply with a +1 for release or +0/-0/-1 with an explanation.
+1
Tests pass on Windows, Linux and MacOS.
Build is cross-platform reproducible.
Mark
On 01/09/2025 12:22, Mark Thomas wrote:
The proposed 11.0.11 release is:
[ ] -1 Broken - do not release
[X] +1 Stable - go ahead and release as 11.0.11
Tests pass on Windows, Linux and MacOS.
Build is cross-platform reproducible.
Mark
On 02/09/2025 18:19, Rémy Maucherat wrote:
On Tue, Sep 2, 2025 at 6:04 PM Mark Thomas wrote:
On 02/09/2025 17:00, ma...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos
9126de9274 Switch strong ETag generation from SHA-1 to SHA-256
9126de9274 is described below
commit 9126de92742cb5eeaef5fa6b902eaec4291cd7de
Author: Mark Thomas
AuthorDate: Tue Sep 2 17:00:43 2025 +0100
Switch strong ETag generation from SHA-1 to SHA-256
Given the RFC 9110 recommendation, I
The proposed Apache Tomcat 11.0.11 release is now available for voting.
The notable changes compared to 11.0.10 include:
- Fix concurrent access issues in the session FileStore implementation
that were causing lost sessions when the store was used with the
PersistentValve. Based on pull requ
On 30/08/2025 12:38, Rémy Maucherat wrote:
On Sat, Aug 30, 2025 at 11:26 AM Mark Thomas wrote:
On 29/08/2025 11:26, Mark Thomas wrote:
On 29/08/2025 10:08, Rémy Maucherat wrote:
On Fri, Aug 29, 2025 at 10:54 AM Mark Thomas wrote:
Hi all,
I am currently thinking along the following lines
On 29/08/2025 11:26, Mark Thomas wrote:
On 29/08/2025 10:08, Rémy Maucherat wrote:
On Fri, Aug 29, 2025 at 10:54 AM Mark Thomas wrote:
Hi all,
I am currently thinking along the following lines for the September
releases:
- fix a couple of things I still have on my TODO list
- wait for the
00d2987779 Re-apply automatic formatting excluding forks of Commons
projects
00d2987779 is described below
commit 00d298777924d6b59905a92eedb99ec4ce9e085f
Author: Mark Thomas
AuthorDate: Fri Aug 29 12:24:02 2025 +0100
Re-apply automatic formatting excluding forks of Commons projects
This get
On 29/08/2025 10:08, Rémy Maucherat wrote:
On Fri, Aug 29, 2025 at 10:54 AM Mark Thomas wrote:
Hi all,
I am currently thinking along the following lines for the September
releases:
- fix a couple of things I still have on my TODO list
- wait for the Coverity build to be analysed, review the
Hi all,
I am currently thinking along the following lines for the September
releases:
- fix a couple of things I still have on my TODO list
- wait for the Coverity build to be analysed, review the results and fix
anything that looks worth fixing before the tag
- run the tests locally
- tag
3a88873371 Attempt to fix smoke test on MacOS
3a88873371 is described below
commit 3a88873371d2e9ea759bfb66ccf9dc36f9e0df6b
Author: Mark Thomas
AuthorDate: Thu Aug 28 16:35:46 2025 +0100
Attempt to fix smoke test on MacOS
Nice idea but run command needs to run on Windows too.
Also need to see
On 28/08/2025 14:46, Rémy Maucherat wrote:
On Thu, Aug 28, 2025 at 2:44 PM Mark Thomas wrote:
I'm just waiting for the GitHub uploaded file to be processed. It seems
to have been stuck in the queue to be analysed at position 191 for a
while. I'm hoping the queue position on
On 28/08/2025 13:19, Rémy Maucherat wrote:
On Thu, Aug 28, 2025 at 1:08 PM Mark Thomas wrote:
All,
It has been on my TODO list for a while so I am going to start looking
at automating the coverity scan build and upload process.
My plan is to upload 1 build of main (currently 12.0.x) a day
All,
It has been on my TODO list for a while so I am going to start looking
at automating the coverity scan build and upload process.
My plan is to upload 1 build of main (currently 12.0.x) a day. Based on
the current lines of code, we could upload as often as three times a day
if we wanted
e796ac9dde Refactor WebResource locking to use the new
KeyedReentrantReadWriteLock
e796ac9dde is described below
commit e796ac9dde647d7d7f07b03c888b0f073257bf44
Author: Mark Thomas
AuthorDate: Wed Aug 27 12:24:27 2025 +0100
Refactor WebResource locking to use the new
On 19/08/2025 17:43, Mark Thomas wrote:
On 19/08/2025 17:38, Christopher Schultz wrote:
> On 8/19/25 11:22 AM, Mark Thomas wrote:
I've currently got it working on
"catch (Exception )" to "catch (Exception e)"
although I want to look at the diff for that one
123d8c2bac Rename IOException variables to ioe unless ignored
123d8c2bac is described below
commit 123d8c2bac7a2fa3182f1b9c58383c81ab1e5bf4
Author: Mark Thomas
AuthorDate: Wed Aug 20 15:21:08 2025 +0100
Rename IOException variables to ioe unless ignored
This was (mostly) Cursor's attempt
ebf01cd23c Rename some exceptions
ebf01cd23c is described below
commit ebf01cd23c4839cb00b1f48feb330a4b18fd14c6
Author: Mark Thomas
AuthorDate: Wed Aug 20 14:34:08 2025 +0100
Rename some exceptions
Not complete.
This was GitHub CoPilot's attempt at renaming. It would have
On 19/08/2025 17:38, Christopher Schultz wrote:
> On 8/19/25 11:22 AM, Mark Thomas wrote:
I've currently got it working on
"catch (Exception )" to "catch (Exception e)"
although I want to look at the diff for that one to see how big it is
before deciding whether
On 19/08/2025 15:52, Christopher Schultz wrote:
Mark,
On 8/19/25 3:01 AM, Mark Thomas wrote:
All,
I stumbled across quite a few instances of log messages like this while
I was looking at something for $dayjob:
log.error(sm.getString("naming.bindFailed", e));
It would be a lot more u
On 19/08/2025 10:34, Rémy Maucherat wrote:
On Tue, Aug 19, 2025 at 9:02 AM Mark Thomas wrote:
All,
I stumbled across quite a few instances of log messages like this while I
was looking at something for $dayjob:
log.error(sm.getString("naming.bindFailed", e));
It would be a lot more u
All,
I stumbled across quite a few instances of log messages like this while I
was looking at something for $dayjob:
log.error(sm.getString("naming.bindFailed", e));
It would be a lot more useful with the stack trace so I think that really
should be:
log.error(sm.getString("naming.bindFailed")
) were added to refs/heads/main by this push:
new ba5e6beffa Simplify
ba5e6beffa is described below
commit ba5e6beffa673c35f404e77536c348c33fef6c96
Author: Mark Thomas
AuthorDate: Mon Aug 18 09:43:36 2025 +0100
Simplify
---
java/org/apache/tomcat/util/net/Acceptor.java | 3 +--
1 file
CVE-2025-55668 Apache Tomcat - Session fixation via rewrite valve
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105
Older, EOL versions may also be affected
Descrip
CVE-2025-48989 Apache Tomcat - DoS in HTTP/2 - Made You Reset
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.9
Apache Tomcat 10.1.0-M1 to 10.1.43
Apache Tomcat 9.0.0.M1 to 9.0.107
Older, EOL versions may also be affected
Description:
To
All,
Over the next few days the Tomcat security team will be updating the
official CVE records for Tomcat CVEs CVE-2022-45143 onwards to
explicitly state (rather than just imply) that "Older, EOL versions may
also be affected."
We will also explicitly add a version range with a start of "3"
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.10.
Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta
WebSocket, Jakarta Authentication and Jakarta Annotations specifications.
The following votes were cast:
Binding:
+1: isapir, markt, dsoumis, remm, fschumacher, rjung, schultz
No other votes were cast.
The vote therefore passes.
Thanks to everyone who contributed to this release.
Mark
On 04/08/2025 14:27, Christopher Schultz wrote:
Please reply with a +1 for release or +0/-0/-1 with an explanation.
+1
Unit tests pass on Linux, Windows and MacOS.
Build is cross-platform repeatable.
Mark
On 31/07/2025 19:36, Rémy Maucherat wrote:
The proposed 9.0.108 release is:
[ ] -1, Broken - do not release
[X] +1, Stable - go ahead and release as 9.0.108
Unit tests pass on Linux, Windows and MacOS.
Build is cross-platform repeatable.
Mark
---
On 31/07/2025 18:29, Mark Thomas wrote:
The proposed 11.0.9 release is:
[ ] -1 Broken - do not release
[X] +1 Stable - go ahead and release as 11.0.10
Unit tests pass on Linux, Windows and MacOS.
Build is cross-platform repeatable.
Mark
The proposed Apache Tomcat 11.0.10 release is now available for voting.
The notable changes compared to 11.0.9 include:
- Fix bloom filter population for archive indexing when using a
packed WAR containing one or more JAR files.
- Add missing call to set keep-alive timeout when using HTTP/1.1
27 Jul 2025 18:46:37 Simon Arame :
Hi,
I would like to submit a pull request or merge request for tomcat. We have
created a fork on GitHub. What is the standard way to proceed? Should I
commit to my copy of the "main" branch or create a special branch with a
particular name?
Simon
You d
On 25/07/2025 07:07, Paulo Miguel Almeida wrote:
Question for the tomcat maintainers
---
Is that something that you would be interested in getting merged into
Tomcat's source code? I'm happy to make changes to the approach of
course... just wanna know if there
90fcf10974 Change default for archiveIndexStrategy to bloom to
improve performance
90fcf10974 is described below
commit 90fcf10974e0899b42baedf0ac5c4d235252936f
Author: Mark Thomas
AuthorDate: Tue Jul 22 07:59:11 2025 +0100
Change default for archiveIndexStrategy to bloom to improve performance
Correcting typo in fixed versions
CVE-2025-53506 Apache Tomcat - DoS in HTTP/2
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.8
Apache Tomcat 10.1.0-M1 to 10.1.42
Apache Tomcat 9.0.0.M1 to 9.0.106
Description:
An uncontrolled resource
Correcting typo in fixed versions
CVE-2025-52520 Apache Tomcat - DoS in multipart upload
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.8
Apache Tomcat 10.1.0-M1 to 10.1.42
Apache Tomcat 9.0.0.M1 to 9.0.106
Description:
For some unlikel
CVE-2025-53506 Apache Tomcat - DoS in HTTP/2
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.8
Apache Tomcat 10.1.0-M1 to 10.1.42
Apache Tomcat 9.0.0.M1 to 9.0.106
Description:
An uncontrolled resource consumption vulnerability if an HTT
CVE-2025-52520 Apache Tomcat - DoS in multipart upload
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.8
Apache Tomcat 10.1.0-M1 to 10.1.42
Apache Tomcat 9.0.0.M1 to 9.0.106
Description:
For some unlikely configurations of multipart uploa
CVE-2025-49125 Apache Tomcat - APR/Native Connector crash leading to DoS
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.105
Description:
A race condition on connection close could trigger a JVM crash when
using the APR/Native connec
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.9.
Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta
WebSocket, Jakarta Authentication and Jakarta Annotations specifications.
The following votes were cast:
Binding:
+1: schultz, remm, markt, dsoumis, funkman
No other votes were cast.
The vote therefore passes.
Thanks to everyone who contributed to this release.
Mark
On 04/07/2025 16:39, build...@apache.org wrote:
Build status: BUILD FAILED: failed compile (failure)
Worker used: bb_worker2_ubuntu
URL: https://ci2.apache.org/#builders/120/builds/621
Blamelist: Mark Thomas , remm
Build Text: failed compile (failure)
Status Detected: new failure
Build Source
On 02/07/2025 08:20, Rémy Maucherat wrote:
The proposed 9.0.107 release is:
[ ] -1, Broken - do not release
[X] +1, Stable - go ahead and release as 9.0.107
Tests pass on Windows (Tomcat Native 2.0.9), Linux (Tomcat Native built
with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL
On 01/07/2025 22:42, Mark Thomas wrote:
The proposed 11.0.9 release is:
[ ] -1 Broken - do not release
[X] +1 Stable - go ahead and release as 11.0.9
Tests pass on Windows (Tomcat Native 2.0.9), Linux (Tomcat Native built
with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL 3.5.0
On 01/07/2025 22:45, Christopher Schultz wrote:
Please reply with a +1 for release or +0/-0/-1 with an explanation.
+1
Tests pass on Windows (Tomcat Native 2.0.9), Linux (Tomcat Native built
with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL 3.5.0)
Mark
The proposed Apache Tomcat 11.0.9 release is now available for voting.
The notable changes compared to 11.0.8 include:
- Increase the default for maxPartCount from 10 to 50. Update the
documentation to provide more details on the memory requirements
to support multi-part uploads while avoidi
On 20/06/2025 13:13, r...@apache.org wrote:
This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 4c68821
On 19/06/2025 17:13, Christopher Schultz wrote:
I guess maybe I don't understand the issue. BZ always required an
account to write, and anyone could register for an account. A small
hurdle, but present. The same is true for GitHub.
I'm not sure why we care about AI scrapers, given that all
On 19/06/2025 15:10, Mark Thomas wrote:
All,
The Tomcat project has been using Bugzilla to track issues for more than
20 years.
Recently there has been a significant increase in abusive traffic
targeting the ASF's Bugzilla instances - mostly AI scraping.
To protect the ASF Bug
All,
The Tomcat project has been using Bugzilla to track issues for more than
20 years.
Recently there has been a significant increase in abusive traffic
targeting the ASF's Bugzilla instances - mostly AI scraping.
To protect the ASF Bugzilla instances and ensure that they remain usable
f
CVE-2025-49125 Apache Tomcat - Security constraint bypass for
pre/post-resources
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105
Description:
When using PreResou
CVE-2025-49124 Apache Tomcat - Side-loading via Tomcat installer for Windows
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0 to 10.1.41
Apache Tomcat 9.0.23 to 9.0.105
Description:
During installation, the Tomcat in
CVE-2025-48988 Apache Tomcat - DoS in multipart upload
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105
Description:
Tomcat used the same limit for both request p
CVE-2025-48976 Apache Tomcat - DoS in Commons FileUpload
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105
Description:
Apache Commons FileUpload provided a hard-c
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.8.
Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta
WebSocket, Jakarta Authentication and Jakarta Annotations specifications.
The following votes were cast:
Binding:
+1: markt, dsoumis, schultz, remm, rjung
No other votes were cast.
The vote therefore passes.
Thanks to everyone who contributed to this release.
Mark
On 05/06/2025 19:54, Mark Thomas wrote:
The proposed Apache Tomcat 11.0.8 release is now
On 06/06/2025 00:10, Christopher Schultz wrote:
Please reply with a +1 for release or +0/-0/-1 with an explanation.
+1
Tests pass on Windows (Tomcat Native 2.0.9), Linux (Tomcat Native built
with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL 3.5.0)
Build is reproducible.
Mark
On 05/06/2025 22:05, Rémy Maucherat wrote:
The proposed 9.0.106 release is:
[ ] -1, Broken - do not release
[X] +1, Stable - go ahead and release as 9.0.106
Tests pass on Windows (Tomcat Native 1.3.1), Linux (Tomcat Native built
with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL
On 05/06/2025 19:54, Mark Thomas wrote:
The proposed 11.0.8 release is:
[ ] -1 Broken - do not release
[X] +1 Stable - go ahead and release as 11.0.8
Tests pass on Windows (Tomcat Native 2.0.9), Linux (Tomcat Native built
with OpenSSL 3.0.13) and MacOS (Tomcat Native built with OpenSSL 3.5.0
The proposed Apache Tomcat 11.0.8 release is now available for voting.
The notable changes compared to 11.0.7 include:
- Provide finer grained control of multi-part request processing via two
new attributes on the Connector element.
- Mark the JSP wrapper for reload after a failed compilation
On 04/06/2025 13:05, schu...@apache.org wrote:
Author: schultz
Date: Wed Jun 4 12:05:18 2025
New Revision: 1926115
URL: http://svn.apache.org/viewvc?rev=1926115&view=rev
Log:
Fix release date (year) for tcnative 2.0.9
Tx for fixing that.
Mark
---
Hi all,
My current plan for 11.0.8 is to tag towards the end of this week. There
are a few PRs to review, I need to do the usual dependency checks and
i18n updates as well as a couple of fixes I have sat locally that I need
to clean up and commit.
Mark
---
On 03/06/2025 10:16, jean-frederic clere wrote:
On 5/22/25 11:30 AM, Mark Thomas wrote:
All,
This isn't going to work for 3.5.x. We need to use a newer compiler
than the one packaged with Mladen's custom Microsoft compiler bundle.
I have been meaning to look at updating the Tom
CVE-2025-46701 Apache Tomcat - CGI security constraint bypass
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.6
Apache Tomcat 10.1.0-M1 to 10.1.40
Apache Tomcat 9.0.0.M1 to 9.0.104
Description:
When running on a case insensitive file syst
The following votes were cast:
Binding:
+1: rjung, remm, markt
Non-binding:
Tested successfully on Windows: Federico Bustamante
The vote therefore passes.
Thanks to everyone who contributed to this release.
Mark
On 23/05/2025 18:23, Mark Thomas wrote:
The key differences of version 2.0.9 compared to 2.0.8 are:
- Update Windows build to use Visual Studio 2022
- The windows binaries in this release have been built with OpenSSL
3.5.0 and APR 1.7.6
The 2.0.x branch is primarily intended for use with
On 28/05/2025 19:59, Christopher Schultz wrote:
Mark,
On 5/23/25 1:23 PM, Mark Thomas wrote:
The key differences of version 2.0.9 compared to 2.0.8 are:
- Update Windows build to use Visual Studio 2022
- The windows binaries in this release have been built with OpenSSL
3.5.0 and APR 1.7.6
7dd670b5cc Code clean-up - formatting. No functional change.
7dd670b5cc is described below
commit 7dd670b5ccd83f4129ccd72a9792d677ee6a7dbe
Author: Mark Thomas
AuthorDate: Thu May 22 17:53:04 2025 +0100
Code clean-up - formatting. No functional change.
Sorry. Just realised this one removed
The key differences of version 2.0.9 compared to 2.0.8 are:
- Update Windows build to use Visual Studio 2022
- The windows binaries in this release have been built with OpenSSL
3.5.0 and APR 1.7.6
The 2.0.x branch is primarily intended for use with Tomcat 10.1.x
onwards but can be used with e
On 22/05/2025 15:27, Mark Thomas wrote:
I'm making progress. I've built Tomcat Native 2.0.x with OpenSSL 3.5.0
but it looks like I've picked up too many dependencies. I'm looking at
how to fix that now.
Thank you Mladen. He had already made the necessary changes. I jus
On 22/05/2025 15:15, Christopher Schultz wrote:
Mark,
On 5/22/25 5:30 AM, Mark Thomas wrote:
All,
This isn't going to work for 3.5.x. We need to use a newer compiler
than the one packaged with Mladen's custom Microsoft compiler bundle.
I have been meaning to look at updating
to
spend some time looking at that.
Mark
On 22/05/2025 08:13, Mark Thomas wrote:
All,
The last Tomcat Native releases were in July 2024. The Windows binaries
were built with 3.0.14.
There are some low severity CVEs in 3.0.14 that we don't believe apply
to Tomcat's usage of
All,
The last Tomcat Native releases were in July 2024. The Windows binaries
were built with 3.0.14.
There are some low severity CVEs in 3.0.14 that we don't believe apply
to Tomcat's usage of OpenSSL but that may trigger a security scanner.
There is a new OpenSSL LTS branch, 3.5.x, that in
All,
This was mentioned briefly before (I think on a BZ issue) but needs a
wider discussion before taking action - if we do anything.
It has been suggested that there isn't much benefit to maintaining the
NIO2 connector and that we could simplify maintenance by removing it
(deprecating in 11
The following votes were cast:
Binding:
+1: markt, schultz, remm, dsoumis, rjung, isapir
No other votes were cast.
The vote therefore passed.
Thanks to everyone who contributed to this release.
Mark
On 07/05/2025 19:22, Mark Thomas wrote:
The proposed Apache Tomcat 11.0.7 release is now
On 08/05/2025 13:56, Christopher Schultz wrote:
Please reply with a +1 for release or +0/-0/-1 with an explanation.
+1
Tests pass for NIO and NIO2 on Windows, Linux and MacOS M1.
Build is cross-platform (Windows, Linux, MacOS) repeatable.
Mark
On 07/05/2025 20:03, Rémy Maucherat wrote:
The proposed 9.0.105 release is:
[ ] -1, Broken - do not release
[ ] +1, Stable - go ahead and release as 9.0.105
Tests pass for NIO, NIO2 and APR/native on Windows, Linux and MacOS M1.
Build is cross-platform (Windows, Linux, MacOS) repeatable.
Mar
On 07/05/2025 19:22, Mark Thomas wrote:
The proposed 11.0.7 release is:
[ ] -1 Broken - do not release
[X] +1 Stable - go ahead and release as 11.0.7
Tests pass for NIO and NIO2 on Windows, Linux and MacOS M1.
Build is cross-platform (Windows, Linux, MacOS) repeatable.
Mark
The proposed Apache Tomcat 11.0.7 release is now available for voting.
The notable changes compared to 11.0.6 include:
- Process possible path parameters rewrite production in the rewrite
valve.
- Enable allowLinking to be set on PreResources, JarResources and
PostResources. If not set expl
On 06/05/2025 11:09, Rémy Maucherat wrote:
On Tue, May 6, 2025 at 9:48 AM Mark Thomas wrote:
Hi all,
I am currently working on a couple of platform specific test failures.
I have fixed one of these (the JSP compilation bug) but still have
another to fix (TestGenerator fails on Windows
Hi all,
I am currently working on a couple of platform specific test failures. I
also want to try and fix the issue described in "Content type unknown
after upgrading Tomcat 10.1.39 => 10.1.40" on the users list.
I'm hopeful that I'll be able to tag 11.0.x later today or early tomorrow.
Mark
fab7247d2f0e3a29d5daef565f829f383e10e5e2
Author: Mark Thomas
AuthorDate: Mon Apr 28 12:58:21 2025 +0100
+ protected String[] findCGI(String contextPath, String
servletPath, String pathInfo, String cgiPathPrefix) {
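Review bot: findCGI returns a bare String[] in this signature, so callers have to know by position what each element holds. Document the array layout in the method's Javadoc, or return a small value type with named fields, so that a caller cannot mix up the entries derived from contextPath, servletPath, pathInfo and cgiPathPrefix.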
I know it wasn't your goal to clean any of this up, but I think a custom
CVE-2025-31651 Apache Tomcat - Rewrite rule bypass
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.5
Apache Tomcat 10.1.0-M1 to 10.1.39
Apache Tomcat 9.0.0.M1 to 9.0.102
Description:
For a subset of unlikely rewrite rule configurations, i
CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.5
Apache Tomcat 10.1.10 to 10.1.39
Apache Tomcat 9.0.76 to 9.0.102
Description:
Incorrect error handling for some i
The following commit(s) were added to refs/heads/main by this push:
new 58e979b Update ci.yml
58e979b is described below
commit 58e979be2fa61ad5f259e021a96e621bcab2d86d
Author: Mark Thomas
AuthorDate: Sat Apr 19 16:56:32 2025 +0100
Update ci.yml
Attempt to fix curre
The following votes were cast:
Binding:
+1: markt, remm, schultz, dsoumis, csutherl, ebourg, rjung
No other votes were cast. The vote therefore passes.
Thanks to everyone who contributed to this release.
Mark
91278e6794 Fix BZ 69635 - add support to ImportHandler for resolving
inner classes
91278e6794 is described below
commit 91278e6794b073af33574aade2d82386722685d4
Author: Mark Thomas
AuthorDate: Fri Apr 4 17:17:39 2025 +0100
Fix BZ 69635 - add support to ImportHandler for resolving inner classes
On 04/04/2025 14:11, Rémy Maucherat wrote:
The proposed 9.0.104 release is:
[ ] -1, Broken - do not release
[X] +1, Stable - go ahead and release as 9.0.104
Windows installer has valid signature.
Build is fully cross-platform (Linux / Windows) reproducible.
Tests pass on Windows, Linux and M
On 03/04/2025 19:34, Christopher Schultz wrote:
Mark,
On 4/3/25 1:38 PM, Mark Thomas wrote:
On 01/04/2025 19:56, Rémy Maucherat wrote:
The proposed 9.0.103 release is:
[ ] -1, Broken - do not release
[X] +1, Stable - go ahead and release as 9.0.103
+1
Build is cross-platform reproducible
On 01/04/2025 19:56, Rémy Maucherat wrote:
The proposed 9.0.103 release is:
[ ] -1, Broken - do not release
[X] +1, Stable - go ahead and release as 9.0.103
+1
Build is cross-platform reproducible (Windows).
Tests pass on Linux, Windows and MacOS (M1).
I did observe some test failures due to
On 01/04/2025 19:42, Christopher Schultz wrote:
The proposed Apache Tomcat 10.1.40 release is now available for
voting.
+1
Build is cross-platform reproducible (Windows).
Tests pass on Linux, Windows and MacOS (M1).
I did observe some test failures due to the known issue in the
AccessLogValv
On 01/04/2025 17:06, Mark Thomas wrote:
The proposed 11.0.6 release is:
[ ] -1 Broken - do not release
[X] +1 Stable - go ahead and release as 11.0.6
Tests pass for NIO and NIO2 on Windows, Linux and MacOS M1.
Build is cross-platform (Windows, Linux, MacOS) repeatable.
Mark
On 01/04/2025 09:31, Emmanuel Bourg wrote:
On 01/04/2025 10:06, Mark Thomas wrote:
Did you figure out the file handler issue with Jsign 7.1?
The issue was with 7.0 - we were seeing the "Unsupported file" error
with Ant.
I don't recall any issues with 7.1. I'm currently
On 31/03/2025 22:39, Emmanuel Bourg wrote:
Hi Mark,
On 31/03/2025 16:51, Mark Thomas wrote:
I have a couple of tasks to get done (update JSign, update i18n
strings) and then I should be ready to tag 11.0.6. I am currently
hoping to be able to do that tomorrow.
Did you figure out the file
/heads/main by this push:
new 8a5e5475f1 Restore final keywords
8a5e5475f1 is described below
commit 8a5e5475f1ead35589dc8c5e359b9395838112b7
Author: Mark Thomas
AuthorDate: Mon Mar 31 17:27:02 2025 +0100
Restore final keywords
Removing final broke the signature tests for the