bugzilla | 1 Aug 2008 07:45

DO NOT REPLY [Bug 42565] jsp /expression language ternary expression without space before colon stopped working

https://issues.apache.org/bugzilla/show_bug.cgi?id=42565

Magnus Melin <mkmelin+apache <at> iki.fi> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |45511

--

-- 
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
bugzilla | 1 Aug 2008 07:45

DO NOT REPLY [Bug 45511] EL "empty" keyword does not work

https://issues.apache.org/bugzilla/show_bug.cgi?id=45511

Magnus Melin <mkmelin+apache <at> iki.fi> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mkmelin+apache <at> iki.fi
             Blocks|                            |42565

bugzilla | 1 Aug 2008 09:52

DO NOT REPLY [Bug 45516] All Tomcat http threads stuck in java.net.SocketOutputStream.socketWrite0(Native Method)

https://issues.apache.org/bugzilla/show_bug.cgi?id=45516

--- Comment #1 from Ville Hartikainen <ville.hartikainen <at> logica.com>  2008-08-01 00:52:56 PST ---
Version information of the JDK and Tomcat used, as reported by "catalina.sh
version":
------------------
Using JRE_HOME:       /usr/java/jdk1.5.0_13/
Server version: Apache Tomcat/6.0.14
Server built:   Jul 20 2007 04:17:30
Server number:  6.0.14.0
OS Name:        Linux
OS Version:     2.6.18-53.1.4.el5
Architecture:   amd64
JVM Version:    1.5.0_13-b05
JVM Vendor:     Sun Microsystems Inc.

Mohn, Robert | 1 Aug 2008 14:18

When will release 6.0.18 be published to maven?

When will release 6.0.18 be published to the maven repositories?

Thanks,

-Rob

markt | 1 Aug 2008 16:05

svn commit: r681699 - in /tomcat/site/trunk: docs/security-4.html docs/security-5.html docs/security-6.html xdocs/security-4.xml xdocs/security-5.xml xdocs/security-6.xml

Author: markt
Date: Fri Aug  1 07:05:44 2008
New Revision: 681699

URL: http://svn.apache.org/viewvc?rev=681699&view=rev
Log:
Update security pages.

Modified:
    tomcat/site/trunk/docs/security-4.html
    tomcat/site/trunk/docs/security-5.html
    tomcat/site/trunk/docs/security-6.html
    tomcat/site/trunk/xdocs/security-4.xml
    tomcat/site/trunk/xdocs/security-5.xml
    tomcat/site/trunk/xdocs/security-6.xml

Modified: tomcat/site/trunk/docs/security-4.html
URL: http://svn.apache.org/viewvc/tomcat/site/trunk/docs/security-4.html?rev=681699&r1=681698&r2=681699&view=diff
==============================================================================
--- tomcat/site/trunk/docs/security-4.html (original)
+++ tomcat/site/trunk/docs/security-4.html Fri Aug  1 07:05:44 2008
 <at>  <at>  -206,7 +206,6  <at>  <at> 
        vulnerabilities in the 4.0.x branch will not be fixed. Users should
        upgrade to 4.1.x, 5.5.x or 6.x to obtain security fixes.</p>

-
   </blockquote>
 </p>
 </td>
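Review bot: this hunk is a whitespace-only change in generated HTML (one blank line before `</blockquote>` is dropped, which matches the -206,7 +206,6 header), so it carries no review risk on its own; the substantive material is the following hunk (+55 lines from line 297), which is cut off in this message, and the log message "Update security pages." does not say which advisories were added, so a reader of the history has to open the diff to connect it to the CVE-2008-1232 and CVE-2008-2370 announcements sent alongside it.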
 <at>  <at>  -298,6 +297,61  <at>  <at> 

Mark Thomas | 1 Aug 2008 16:06

[CVE-2008-1232] Apache Tomcat XSS vulnerability


CVE-2008-1232: Apache Tomcat XSS vulnerability

Severity: Low

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Description:
The message argument of the HttpServletResponse.sendError() call is not only
displayed on the error page, but is also used for the reason-phrase of the HTTP
response. This may include characters that are illegal in HTTP headers. It
is possible for a specially crafted message to result in arbitrary content
being injected into the HTTP response. For a successful XSS attack,
unfiltered user-supplied data must be included in the message argument.

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680947&view=rev

4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
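An application-level stop-gap for the behaviour described above, added here as an illustration and not part of the advisory or of Tomcat: a response wrapper (hypothetical class name `SafeErrorResponse`) that strips header-illegal control characters and HTML-escapes the `sendError()` message before it reaches the container, for deployments that cannot apply the fix yet.

```java
// Added example, not Tomcat code: keep a user-influenced sendError() message
// out of the HTTP reason-phrase and out of the error page as raw markup.
import java.io.IOException;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpServletResponseWrapper;

public class SafeErrorResponse extends HttpServletResponseWrapper {

    public SafeErrorResponse(HttpServletResponse response) {
        super(response);
    }

    // CR, LF and other control characters are illegal in an HTTP header line;
    // HTML metacharacters must not be rendered as markup on the error page.
    static String sanitizeMessage(String msg) {
        if (msg == null) {
            return null;
        }
        StringBuilder sb = new StringBuilder(msg.length());
        for (char c : msg.toCharArray()) {
            if (c < 0x20 || c == 0x7f) {
                continue; // drops CR, LF, TAB and other C0 controls
            }
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Install this wrapper from a Filter so every sendError() in the web
    // application passes through the sanitiser.
    @Override
    public void sendError(int sc, String msg) throws IOException {
        super.sendError(sc, sanitizeMessage(msg));
    }
}
```

On a fixed container (6.0.18 or the patched 5.5.x/4.1.x) the error page already escapes the message, so this wrapper would double-escape it; remove the wrapper once the upgrade is in place.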

Mark Thomas | 1 Aug 2008 16:06

[CVE-2008-2370] Apache Tomcat information disclosure vulnerability


CVE-2008-2370: Apache Tomcat information disclosure vulnerability

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected

Description:
When using a RequestDispatcher the target path was normalised before the
query string was removed. A request that included a specially crafted
request parameter could be used to access content that would otherwise be
protected by a security constraint or by being located under the WEB-INF
directory.

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should obtain the latest source from svn or apply this patch
which will be included from 5.5.27
http://svn.apache.org/viewvc?rev=680949&view=rev
4.1.x users should obtain the latest source from svn or apply this patch
which will be included from 4.1.38
http://svn.apache.org/viewvc?rev=680950&view=rev

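The ordering defect described above, shown beside the corrected order as an added example (not Tomcat's own code; `normalize`, `resolveVulnerable` and `resolveFixed` are hypothetical names and the normaliser is simplified). With the query string still attached during normalisation, a `..` inside a parameter value participates in segment collapsing and rewrites the resource path; stripping the query first leaves only the real path to be normalised.

```java
// Added illustration of CVE-2008-2370's root cause; simplified, not Tomcat code.
import java.util.ArrayDeque;
import java.util.Deque;

public class DispatcherPathOrder {

    // Collapse "." and ".." segments, as a container must before mapping a
    // dispatcher path onto the web application's resources.
    static String normalize(String path) {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                out.pollLast(); // step up one segment (no-op at the root)
                continue;
            }
            out.addLast(seg);
        }
        return "/" + String.join("/", out);
    }

    // Defective order: normalise first, remove the query string afterwards.
    // The query text takes part in ".." resolution, so a parameter value can
    // rewrite which resource the dispatcher targets.
    static String resolveVulnerable(String dispatcherPath) {
        String normalized = normalize(dispatcherPath);
        int q = normalized.indexOf('?');
        return q < 0 ? normalized : normalized.substring(0, q);
    }

    // Corrected order: remove the query string first, then normalise only
    // the path component.
    static String resolveFixed(String dispatcherPath) {
        int q = dispatcherPath.indexOf('?');
        String pathOnly = q < 0 ? dispatcherPath : dispatcherPath.substring(0, q);
        return normalize(pathOnly);
    }

    public static void main(String[] args) {
        // Constructed input: the application forwards to /view.jsp and copies
        // a request parameter into the dispatcher path without filtering it.
        String path = "/view.jsp?name=/../WEB-INF/web.xml";
        System.out.println(resolveVulnerable(path)); // /WEB-INF/web.xml
        System.out.println(resolveFixed(path));      // /view.jsp
    }
}
```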

bugzilla | 1 Aug 2008 16:47

DO NOT REPLY [Bug 45516] All Tomcat http threads stuck in java.net.SocketOutputStream.socketWrite0(Native Method)

https://issues.apache.org/bugzilla/show_bug.cgi?id=45516

Mark Thomas <markt <at> apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #2 from Mark Thomas <markt <at> apache.org>  2008-08-01 07:47:17 PST ---
This occasionally gets reported on the users list. The most recent occurrence
appears to be this thread:
http://markmail.org/message/hghfhwoxdoa6fg5s

My best guess at the moment as to the root cause is some form of network
oddity.

The users list is the best place to get help with this issue as bugzilla is
really suited to being used as a support forum.

If your investigations identify a bug in Tomcat, feel free to re-open this issue
and provide the appropriate information.

bugzilla | 1 Aug 2008 17:48

DO NOT REPLY [Bug 45523] New: Setting outputBuffer in Connector has no effect

https://issues.apache.org/bugzilla/show_bug.cgi?id=45523

           Summary: Setting outputBuffer in Connector has no effect
           Product: Tomcat 6
           Version: 6.0.13
          Platform: PC
        OS/Version: Windows Vista
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Connectors
        AssignedTo: tomcat-dev <at> jakarta.apache.org
        ReportedBy: timo.kinnunen <at> gmail.com

Increasing outputBuffer has no effect when an exception occurs after a large
amount of output has already been written.

I have a JSP-file which contains the following lines:

<jsp:include page="index2.html"></jsp:include>
<u:dao beanVar="var" foo="1"></u:dao>

u:dao tag throws an NPE, which is caught in a filter and then forwarded to an
error JSP-page. Despite this, the browser receives partial contents of
index2.html. If the line order is reversed, the browser correctly receives the
contents of the error JSP. The index2.html size is 36Kb.

I've tried these two Connector definitions: 

    <Connector connectionTimeout="20000" port="8080" 

bugzilla | 1 Aug 2008 18:00

DO NOT REPLY [Bug 45523] Setting outputBuffer in Connector has no effect

https://issues.apache.org/bugzilla/show_bug.cgi?id=45523

Mark Thomas <markt <at> apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #1 from Mark Thomas <markt <at> apache.org>  2008-08-01 09:00:53 PST ---
The outputBuffer on the connector is not related to the output buffer for a
JSP.

Please use the users list for assistance.
