Thank you for your kind response to my mail.
I read the changelog. I think I understand the contents.

Thank you.

Yours truly,
Kazuhiko Kohmoto

On 2020/02/13 19:26, Olaf Kock wrote:
On 13.02.20 11:17, Olaf Kock wrote:
On 13.02.20 10:36, kohm...@iris.eonet.ne.jp wrote:
On 2020/02/13 18:25, André Warnier (tomcat/perl) wrote:
Check in the file (tomcat_dir)/conf/server.xml, the Connector :

     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
The setting is the same as mine.

I have used the server.xml from 8.5.50. With 8.5.50, I have no
problem.

Please notice, I have been using Tomcat for 5 years with updates.
Why this time?
Because this time, security-relevant defaults changed. See these recent
commits on the git mirror:

https://github.com/apache/tomcat/commit/b962835f98b905286b78c414d5aaec2d0e711f75#diff-8dc0090e11bd1ca2caa389bb79d52262

https://github.com/apache/tomcat/commit/2becbfd3228942a18b663ca715ee9c9b80743120#diff-8dc0090e11bd1ca2caa389bb79d52262
Or, even more digestible (I hit 'send' too early):

Mark's announcement of the availability contained:

- AJP defaults changed to listen on the loopback address, require a
secret and to be disabled in the sample server.xml

And the changelog on
http://tomcat.apache.org/tomcat-8.5-doc/changelog.html for 8.5.51
contains this information on AJP:

   * Update: Disable (comment out in server.xml) the AJP/1.3 connector by
     default. (markt)
   * Update: Change the default bind address for the AJP/1.3 connector to
     be the loopback address. (markt)
   * Add: Rename the requiredSecret attribute of the AJP/1.3 Connector
     to secret and add a new attribute secretRequired that defaults
     to true. When secretRequired is true the AJP/1.3 Connector
     will not start unless the secret attribute is configured to a
     non-null, non-zero length String. (markt)
   * Add: Add a new attribute, allowedRequestAttributesPattern, to the
     AJP/1.3 Connector. Requests with unrecognised attributes will be
     blocked with a 403. (markt)

There's also a discussion on the "Re: [ANN] Apache Tomcat 9.0.31
available" thread on this changed default that might give you some
background.

I hope this helps,

Olaf
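To make the changelog entries above concrete, here is the 8.5.50-style Connector from the thread next to the form that 8.5.51 and later will actually start. This is an added example for this page, not configuration taken from the thread or shipped by the Tomcat project; the secret value is a placeholder and must be replaced with a long random string that the reverse proxy is configured to send.

```xml
<!-- Added example, not from the thread or from the Tomcat distribution.
     Fragments of (tomcat_dir)/conf/server.xml, inside <Service>. -->

<!-- 8.5.50 and earlier default: binds to every interface, no shared secret.
     On 8.5.51+ this exact Connector refuses to start, because secretRequired
     now defaults to true and no secret is configured. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

<!-- 8.5.51+ working form: loopback only, and every AJP request must carry
     the same secret. The value is a placeholder; generate your own. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secret="REPLACE-WITH-A-LONG-RANDOM-STRING" />

<!-- Only if the front end cannot send a secret: opt out explicitly, and keep
     the bind address on loopback or a private interface so the AJP port is
     never reachable from untrusted networks. -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
           address="127.0.0.1"
           secretRequired="false" />
```

The proxy side has to be changed to match: with mod_jk the corresponding worker gets the same value in its `secret` property in workers.properties, and mod_proxy_ajp accepts a `secret=` parameter on the worker from httpd 2.4.42 onward. After restarting, check catalina.out for the AJP Connector starting without an error and confirm with a port listing on the host that 8009 is bound to 127.0.0.1 rather than 0.0.0.0.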




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
