Re: TC 9.0.21: ContextListener + Servlet app

2019-06-20 Thread Tommy Pham
Hi Chris, On Sat, Jun 15, 2019 at 10:44 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Tommy, > > > Why not allow Tomcat to serve everything in the web application (other > than /WEB-INF/* and /META-INF/*) as usual? What is

Re: TC 9.0.21: ContextListener + Servlet app

2019-06-20 Thread Tommy Pham
After some further research, it appears the issue I'm encountering is known since 2007 by IBM at least: https://www-01.ibm.com/support/docview.wss?uid=swg21259282 While reviewing the JSR-369 history, at jcp.org, it seems that this is since servlet spec 2.3, perhaps even earlier. Does anyone

Re: TC 9.0.21: ContextListener + Servlet app

2019-06-20 Thread Tommy Pham
Hi Mark, On Thu, Jun 20, 2019 at 3:58 AM Mark Thomas wrote: > On June 20, 2019 10:00:12 AM UTC, Tommy Pham wrote: > > > > >> In looking at the code for ApplicationHttpRequest [1] for the > >> getPathTranslated() > >> > >> @Override > >> public String getPathTranslated() { > >>

[SECURITY][CORRECTION] CVE-2019-10072 Apache Tomcat HTTP/2 DoS

2019-06-20 Thread Mark Thomas
This updated notice corrects the version numbers in the mitigation section. CVE-2019-10072 Apache Tomcat HTTP/2 DoS Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.19 Apache Tomcat 8.5.0 to 8.5.40 Description: The fix for

Re: [EXTERNAL] [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS

2019-06-20 Thread Mark Thomas
On 20/06/2019 20:35, Amit Pande wrote: > Could you please clarify: > > Affected versions 8.5.0 to 8.5.40 > Mitigation says: 8.5.40 or later > > What am I missing? Nothing. The affected versions are correct. The mitigation is not. It should be 8.5.41 or later. I'll issue a correction. Thanks

Re: [EXTERNAL] [SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS

2019-06-20 Thread Amit Pande
Could you please clarify: Affected versions 8.5.0 to 8.5.40 Mitigation says: 8.5.40 or later What am I missing? > On Jun 20, 2019, at 2:25 PM, Mark Thomas wrote: > > CVE-2019-10072 Apache Tomcat HTTP/2 DoS > > Severity: Important > > Vendor: The Apache Software Foundation > > Versions

[SECURITY] CVE-2019-10072 Apache Tomcat HTTP/2 DoS

2019-06-20 Thread Mark Thomas
CVE-2019-10072 Apache Tomcat HTTP/2 DoS Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.19 Apache Tomcat 8.5.0 to 8.5.40 Description: The fix for CVE-2019-0199 was incomplete and did not address connection window exhaustion on write.

Re: OCSP Connector on Tomcat 8.5 not working

2019-06-20 Thread Mark Thomas
On 20/06/2019 18:50, Mark Thomas wrote: > On 20/06/2019 18:27, Michael Magnuson wrote: >> Thanks Mark. A couple clarifications on your example first. You don't list >> the clientAuth= attribute. I assume this was a simple oversight. > > It is replaced by certificateVerification="required" >

Re: OCSP Connector on Tomcat 8.5 not working

2019-06-20 Thread Mark Thomas
On 20/06/2019 18:27, Michael Magnuson wrote: > Thanks Mark. A couple clarifications on your example first. You don't list > the clientAuth= attribute. I assume this was a simple oversight. It is replaced by certificateVerification="required" > You list the SSLEnabled="true" attribute twice.

Re: OCSP Connector on Tomcat 8.5 not working

2019-06-20 Thread Michael Magnuson
Thanks Mark. A couple clarifications on your example first. You don't list the clientAuth= attribute. I assume this was a simple oversight. You list the SSLEnabled="true" attribute twice. Should one of these be secure="true"? For the certificateVerification= attribute, is the correct

Re: OCSP Connector on Tomcat 8.5 not working

2019-06-20 Thread Mark Thomas
On 20/06/2019 17:24, Michael Magnuson wrote: > Mark, > > Thank you for your replies and help. > > I'm not sure how to verify that Tomcat Native was built with OCSP support? Let's assume it has been. I think that is a safe assumption for now. > Removing the element had no negative effect. I

Re: OCSP Connector on Tomcat 8.5 not working

2019-06-20 Thread Michael Magnuson
Mark, Thank you for your replies and help. I'm not sure how to verify that Tomcat Native was built with OCSP support? Removing the element had no negative effect. I originally put it in there following this guide:

Re: OCSP Connector on Tomcat 8.5 not working

2019-06-20 Thread Mark Thomas
On 20/06/2019 16:19, Michael Magnuson wrote: > Mark, > > Tomcat version 8.5.41 and TCNative version 1.2.21. There is an OCSP related bug in 1.2.21 but that should not affect you since the client certs have a responder URL. 8.5.41 isn't the latest but there aren't any OCSP related changes in

Re: OCSP Connector on Tomcat 8.5 not working

2019-06-20 Thread Michael Magnuson
Mark, Tomcat version 8.5.41 and TCNative version 1.2.21. Mike Magnuson | Semper Valens Solutions, Inc. DCGS-A Fixed Systems Engineer Phone: (520) 263-0759 Email: mmagnu...@sempervalens.com http://www.sempervalens.com/ ISO 9001:2015 | CMMI DEV /3 From: Mark

Re: TC 9.0.21: ContextListener + Servlet app

2019-06-20 Thread Mark Thomas
On June 20, 2019 10:00:12 AM UTC, Tommy Pham wrote: >> In looking at the code for ApplicationHttpRequest [1] for the >> getPathTranslated() >> >> @Override >> public String getPathTranslated() { >> if (getPathInfo() == null || getServletContext() == null) { >> return

Re: OCSP Connector on Tomcat 8.5 not working

2019-06-20 Thread Mark Thomas
Tomcat version? Tomcat Native version? Mark On 19/06/2019 23:46, Michael Magnuson wrote: > Hi, > > I'm running Tomcat 8.5 on RHEL 7.6. I'm successfully using client > certificate validation from the smart card, but I would like to add > client-cert OCSP revocation checking. I *think* I've

Re: TC 9.0.21: ContextListener + Servlet app

2019-06-20 Thread Tommy Pham
Hi Mark, On Sun, Jun 16, 2019 at 2:25 AM Tommy Pham wrote: > Hi Chris, > > Thank you for the feedback. > > On Sat, Jun 15, 2019 at 10:44 PM Christopher Schultz < > ch...@christopherschultz.net> wrote: > >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA256 >> >> Tommy, >> >> On 6/15/19 21:51,

Re: TC 9.0.21: ContextListener + Servlet app

2019-06-20 Thread Tommy Pham
Hi Chris, On Mon, Jun 17, 2019 at 2:11 PM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Tommy, > > Tommy, > > > > On 6/15/19 21:51, Tommy Pham wrote: > Hi Mark, > > After some research and thought about internal

Re: Tomcat embedded

2019-06-20 Thread Tommy Pham
Hi Mark, Thanks for the feedback. On Mon, Jun 17, 2019 at 4:19 AM Mark Thomas wrote: > On 17/06/2019 01:04, Tommy Pham wrote: > > Hello everyone, > > > > 1) Is there an official documentation for embedding TC process? My > search > > shows various how-to on other sites. > >a) If not, I