Re: Questions on recent CVE fixes

Thanks for the response and confirmation, Mark. On Wed, Mar 14, 2018 at 12:24 AM, Mark Thomas <ma...@apache.org> wrote: > On 14/03/2018 01:04, Harish Krishnan wrote: > >> Hi All, >> >> Thanks for all the help and work you great people do. >> >> My qu

Questions on recent CVE fixes

this include the empty ("") string to make our usage vulnerable too? regards Harish Krishnan

Re: Enforcing server preference for cipher suites

for the great support. I have another query (different topic) coming shortly...:-) Sent from my iPhone > On Oct 12, 2017, at 7:59 PM, Christopher Schultz > <ch...@christopherschultz.net> wrote: > > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Harish, > &

Re: Enforcing server preference for cipher suites

for the timely response and help! Sent from my iPhone > On Oct 10, 2017, at 10:26 AM, Konstantin Kolinko <knst.koli...@gmail.com> > wrote: > > 2017-10-09 19:31 GMT+03:00 Harish Krishnan <harish@gmail.com>: >> Hi All, >> >> Need your expert input here.

Re: Enforcing server preference for cipher suites

. Sent from my iPhone > On Oct 10, 2017, at 10:26 AM, Konstantin Kolinko <knst.koli...@gmail.com> > wrote: > > 2017-10-09 19:31 GMT+03:00 Harish Krishnan <harish@gmail.com>: >> Hi All, >> >> Need your expert input here. >> Not sure what I am doing

Re: Enforcing server preference for cipher suites

? Sent from my iPhone > On Oct 9, 2017, at 11:51 PM, Peter Kreuser <l...@kreuser.name> wrote: > > Harish, > > >> Am 10.10.2017 um 00:00 schrieb Harish Krishnan <harish@gmail.com>: >> >> Thanks for the response, Chris. >> >> Below

Re: Enforcing server preference for cipher suites

ltz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > Harish, > > On 10/9/17 12:31 PM, Harish Krishnan wrote: > > Need your expert input here. Not sure what I am doing wrong, but I > > cannot get this server preference cipher suites feature

Enforcing server preference for cipher suites

to this attribute (true OR false OR undefined which is by default), I always see the Clients preference picked. As an example, if clients order is ABCDEF, and servers order is DEFABC, no matter what value I set to this useServerCipherSuitesOrder attribute, always the order selected is ABC... Regard Harish

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

rly next week. > > Mark > > >> On 26/09/17 02:22, Harish Krishnan wrote: >> Thank you for the response and confirmation, Mark. >> >> Sent from my iPhone >> >>>> On Sep 25, 2017, at 12:36 PM, Mark Thomas <ma...@apache.org> wrote: &g

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

Thank you for the response and confirmation, Mark. Sent from my iPhone > On Sep 25, 2017, at 12:36 PM, Mark Thomas <ma...@apache.org> wrote: > >> On 25/09/17 18:12, Harish Krishnan wrote: >> Hi Mark, >> >> Thanks for the timely updates. >> My unders

Re: [SECURITY] CVE-2017-12617 Apache Tomcat Possible additional RCE via JSP upload

Hi Mark, Thanks for the timely updates. My understanding is, there will be a new 7.x update available for addressing CVE-2017-12617. Is that correct? The current latest (7.0_81) resolves the initial 2 CVEs (CVE*12615 and CVE*12616). When can we expect the new update for 7.x? Sent from my

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

Thanks a lot for the clear explanation, Mark. I have all my questions answered, appreciate your help & you guys are Great! My apologies for the previous follow-up emails, I am still a novice in tomcat & failed in understanding the exact fix quicker. regards Harish Krishnan On Wed, Mar

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

examples in tomcat) of the webapp. If i know how to do this on the mentioned tomcat webapps, then i can apply the same for my webapps too. Looking for your response & help here. regards Harish Krishnan On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan <harish@gmail.com> wrot

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

Any help on my previous question is really appreciated. Thank You! On Fri, Mar 11, 2016 at 4:05 PM, Harish Krishnan <harish@gmail.com> wrote: > Thanks again for the reply, Chris & Violeta! > Thanks for clarifying what the "protected directory" is, even i gues

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

rected to examples/. Not sure what i am missing here. Same behavior is seen on my web application too. Please let me know where i am doing wrong & help me on how to disable the redirect for the root of webapps. regards Harish Krishnan On Wed, Mar 9, 2016 at 7:29 AM, Christopher Schultz < ch.

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

re context attribute was set, will completely be disabled. You mentioned that only "protected directories" inside the deployed web application is covered in this CVE fix. Can you please help me understand what this protected directories are & how to configure this in tomcat ? regards Harish

Re: Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

404. I have set the context attribute (mapperContextRootRedirectEnabled) as well - My question simply boils down to, What additional setting i need to do for the above redirect to NOT happen. Thanks for your help. regards Harish Krishnan On Mon, Mar 7, 2016 at 12:42 PM, Mark Th

Question about your recent security (CVE-2015-5345) fix in 7.0.68 build

Am i missing anything here ? Please help me understand the exact fix for this issue. regards Harish Krishnan