On 25/06/2025 14:07, Mark Thomas wrote:
I think I need to look at the rules for merging welcome resources. That
might prompt some changes to the PR.
At the moment, a is almost certain to match since it
will likely be using extension mapping making any welcome resources that
follow
On 25/06/2025 09:17, Rémy Maucherat wrote:
On Wed, Jun 25, 2025 at 9:19 AM Mark Thomas wrote:
All,
Servlet 6.2 intends to address a long standing (more than 10 years)
issue with welcome files. Consider the following:
- *.do is mapped to a servlet
- welcome files are index.jsp, index.do
The
Tim
On Wed, Jun 25, 2025 at 3:19 AM Mark Thomas wrote:
All,
Servlet 6.2 intends to address a long standing (more than 10 years)
issue with welcome files. Consider the following:
PR: https://github.com/jakartaee/servlet/pull/881
Issue: https://github.com/ja
All,
Servlet 6.2 intends to address a long standing (more than 10 years)
issue with welcome files. Consider the following:
- *.do is mapped to a servlet
- welcome files are index.jsp, index.do
The intention is that the index.jsp page should be used if present and
index.do (which always maps
CSRF protection implies that some form of authentication is in
place. If all your multipart uploads are protected by authentication AND
you trust all of your authenticated users then that will help you.
Mark
On Mon, 23 Jun 2025, 09:02 Mark Thomas, wrote:
On 23/06/2025 01:17, Hrvoje Lončar
regarding upgrade.
But switching from one minor release to another shouldn't break existing
setup, it should only fix bugs.
BR,
Hrvoje Lončar
On Fri, Jun 20, 2025 at 1:02 PM Mark Thomas wrote:
On 20/06/2025 11:54, Hrvoje Lončar wrote:
Thank you very much
Mark ThomasThat was the case :(
Abs
to the BZ
discussion.
Mark
On Fri, Jun 20, 2025 at 10:01 AM Mark Thomas wrote:
On 20/06/2025 02:07, Hrvoje Lončar wrote:
Hi!
Hope it's the right place to ask for help or/and advice.
Few days ago I switched to latest Tomcat 10.1.42.
After deyploy POST is not working due to missing
On 11/06/2025 14:36, Troels Arvin wrote:
Hello,
On May 28th, Mark Thomas wrote:
Define the Valve at the web application level in the web application's
META-INF/context.xml (nested under ) rather than at the host
level in server.xml
Rewrite rules for that web application then go in WE
On 20/06/2025 01:18, Amit Pande wrote:
Hello,
I was testing out the "configtest" option of the catalina.sh/.bat and observed
that does not do validation for the shutdown port.
There are lots of things it doesn't explicitly test. Why is the shutdown
port of particular interest?
https://gi
On 20/06/2025 02:07, Hrvoje Lončar wrote:
Hi!
Hope it's the right place to ask for help or/and advice.
Few days ago I switched to latest Tomcat 10.1.42.
After deyploy POST is not working due to missing CSRF token.
When I inspect HTTP request, CSRF token is in a payload as "_csrf" and the
value i
On 19/06/2025 16:56, Christopher Schultz wrote:
2. Try remote debugging?
I'd love to, but what am I looking for? If I had seen the "committed"
flag set to "true" at some point, I would look for a value-change as a
trigger to see what's causing it.
I just commented-out everything in the F
All,
The Tomcat project has been using Bugzilla to track issues for more than
20 years.
Recently there has been a significant increase in abusive traffic
targetting the ASF's Bugzilla instances - mostly AI scraping.
To protect the ASF Bugzilla instances and ensure that they remain usable
f
On 18/06/2025 15:11, Raviteja Karanam wrote:
TCS Confidential
Not any more it isn't. You posted this question to a public mailing list.
Hi Tomcat Team,
We have recently upgraded the tomcat version from apache-tomcat-9.0.80
to apache-tomcat-9.0.102.
After upgrade we are facing the issue *
On 17/06/2025 18:33, Ramesh B R wrote:
Hello team,
We are using tomcat 9 version in RHEL 8 and application gets into hung
status very often.
Have captured the thread dump to find the route cause.
Could you please help here to see what is issue and how to fix it.
For us to help, we need to s
On 17/06/2025 21:13, Christopher Schultz wrote:
All,
I recently wrote a relatively simple Servlet (which is less and less
common these days with frameworks, etc.) and I was surprised that I got
a chunked response.
It's not interfering with the operation of the servlet or the client,
but w
See https://bz.apache.org/bugzilla/show_bug.cgi?id=69710
In short, you'll probably need to increase maxPartCount
Mark
On 17/06/2025 16:45, Stephen Booth wrote:
I just updated my production servers from 9.0.104 to 9.0.106
and this broke my registration form with the following exception.
Stack
CVE-2025-49125 Apache Tomcat - Security constraint bypass for
pre/post-resources
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105
Description:
When using PreResou
CVE-2025-49124 Apache Tomcat - Side-loading via Tomcat installer for Windows
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0 to 10.1.41
Apache Tomcat 9.0.23 to 9.0.105
Description:
During installation, the Tomcat in
CVE-2025-48988 Apache Tomcat - DoS in multipart upload
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105
Description:
Tomcat used the same limit for both request p
CVE-2025-48976 Apache Tomcat - DoS in Commons FileUpload
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.7
Apache Tomcat 10.1.0-M1 to 10.1.41
Apache Tomcat 9.0.0.M1 to 9.0.105
Description:
Apache Commons FileUpload provided a hard-c
?
No, because this is a Tomcat provided limit rather than one defined in
the Servlet specification. You can use the ParameterLimitValve at the
Context level if you want to be sure of overriding and Tomcat-wide settings.
Mark
Greetings,
Fabian
Mark Thomas wrote - Freitag, 13. Juni 2025
On 13/06/2025 18:26, Amit Pande wrote:
Hello,
When using "protocols" TLSv1.3 in SSLHostConfig with HTTP 1.1 protocol
(Http11NioProtocol or Http11Nio2Protocol ) and certificateVerification=optional, we see
below warning in logs:
13-Jun-2025 11:42:58.453 WARNING [catalina-exec-1]
org.apache.
https://tomcat.apache.org/tomcat-11.0-doc/config/http.html
You'll need to increase maxPartCount
Mark
On 13/06/2025 15:13, Matthias Reischenbacher wrote:
Hi,
after upgrading from 11.0.6 to 11.0.8 a form multi part POST stopped
working with the exception:
org.apache.tomcat.util.http.Invalid
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.8.
Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta
WebSocket, Jakarta Authentication and Jakarta Annotations specifications.
25 15:27, Mark Thomas ha scritto:
Why do you need to add/remove a certificate?
Mark
On 03/06/2025 09:15, Ivano Luberti wrote:
Hi Mark, only problem to solve is to avoid restart upon adding/
removal of an SSL certificate.
Il 29-May-25 09:38, Mark Thomas ha scritto:
On 29/05/2025 07:59,
Why do you need to add/remove a certificate?
Mark
On 03/06/2025 09:15, Ivano Luberti wrote:
Hi Mark, only problem to solve is to avoid restart upon adding/removal
of an SSL certificate.
Il 29-May-25 09:38, Mark Thomas ha scritto:
On 29/05/2025 07:59, Ivano Luberti wrote:
Thanks Chris
CVE-2025-46701 Apache Tomcat - CGI security constraint bypass
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.6
Apache Tomcat 10.1.0-M1 to 10.1.40
Apache Tomcat 9.0.0.M1 to 9.0.104
Description:
When running on a case insensitive file syst
On 29/05/2025 07:59, Ivano Luberti wrote:
Thanks Chris, yes that's what I tried to explain from the beginning,
sorry I wasn't clear enough.
To summarize: there is no solution out of the box, I have to develop
something.
I will look into that.
Just out of interest, what problem are you tryi
On 28/05/2025 15:48, Troels Arvin wrote:
Hello,
Mark Thomas wrote:
Try with per context rewrite rules rather than global ones.
What does that mean?
https://tomcat.apache.org/tomcat-11.0-doc/rewrite.html
Define the Valve at the web application level in the web application's
MET
Try with per context rewrite rules rather than global ones. The watched
resource path is relative to the docBase.
You might be able to trick watched resources with
"../../conf/standalone/rewrite.config" but I haven't tested it and I'm
fairly sure it was never intended to work that way (even if
On 27/05/2025 21:11, Ivano Luberti wrote:
Hi all, is there a way to configure tomcat in order to avoid restart
when I change the list of ssl certificates?
Which list of certificates? There are several.
Exactly what are you changing? Are you adding a cert to a keystore,
adding a PEM file to a
The switch to 3.5 LTS would be wonderful, I hope you can get the build
working, Mark.
Please keep us updated.
Thanks,
Fede.
On Thu, May 22, 2025, 07:07 Mark Thomas wrote:
On 22/05/2025 07:53, Mark Thomas wrote:
On 21/05/2025 23:04, federico bustamante wrote:
Yes, I don't have high hope
On 22/05/2025 07:53, Mark Thomas wrote:
On 21/05/2025 23:04, federico bustamante wrote:
Yes, I don't have high hopes on make in it work on Ubuntu, but I
thought of
giving it a try using mingw-64.
I'll report back.
I've been building the Tomcat Native binaries for Windows for
On 21/05/2025 23:04, federico bustamante wrote:
Yes, I don't have high hopes on make in it work on Ubuntu, but I thought of
giving it a try using mingw-64.
I'll report back.
I've been building the Tomcat Native binaries for Windows for a while.
I'll try with 3.5 and report back.
I'll also st
On 21/05/2025 10:37, Harri Pesonen wrote:
Hello,
We have a random problem with Apache Tomcat/9.0.100 in Windows, JDK 11.0.13.
We have seen this problem only once so far.
Problem is that WebSocket connection is apparently closed but there is no
callback to @OnClose handler, which is implemented
On 21/05/2025 13:44, Zdeněk Henek wrote:
Hello,
I am getting these errors in one of our systems:
java.lang.ClassCastException: class com.sun.mail.handlers.text_html cannot
be cast to class javax.activation.DataContentHandler
(com.sun.mail.handlers.text_html is in unnamed module of loader
org.ap
On 30/04/2025 16:17, Mark Thomas wrote:
On 30/04/2025 14:59, Doug Whitfield wrote:
Hi folks,
This feature was added in 9.0.90:
The system property org.apache.catalina.connector.RECYCLE_FACADES will
now default to true if not specified, which will in turn set the
default value for the
On 30/04/2025 14:59, Doug Whitfield wrote:
Hi folks,
This feature was added in 9.0.90:
The system property org.apache.catalina.connector.RECYCLE_FACADES will now
default to true if not specified, which will in turn set the default value for
the discardFacades connector attribute, thus causing
Minor nit:
Tomcat also supports:
Jakarta Annotations
Jakarta Debugging Support for Other Languages
but we don't list then on the spec age. We probably should.
Mark
On 29/04/2025 15:36, William Crowell wrote:
Chris,
Beautiful answer and exactly what I was looking for. Thank you.
Regards,
On 29/04/2025 08:16, Zdeněk Henek wrote:
Hi,
I have looked at the commits and all have in changes http2. Is this an
issue in case we don't use http2?
No. It only affects h2/h2c.
Mark
Thank you.
Regards,
Zdenek Henek
On Mon, Apr 28, 2025 at 7:12 PM Mark Thomas wrote:
CVE-2025-
CVE-2025-31651 Apache Tomcat - Rewrite rule bypass
Severity: Low
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.5
Apache Tomcat 10.1.0-M1 to 10.1.39
Apache Tomcat 9.0.0.M1 to 9.0.102
Description:
For a subset of unlikely rewrite rule configurations, i
CVE-2025-31650 Apache Tomcat - DoS via invalid HTTP prioritization header
Severity: High
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M2 to 11.0.5
Apache Tomcat 10.1.10 to 10.1.39
Apache Tomcat 9.0.76 to 9.0.102
Description:
Incorrect error handling for some i
On 28/04/2025 16:35, Christopher Schultz wrote:
ABT,
On 4/28/25 9:05 AM, A Name wrote:
We are looking at adding a second instance of our app (named
differently --
myappA and myappB) to our Tomcat 9. We currently have the app
installed at
a number of customer locations, we are looking at drop
On 28/04/2025 14:05, A Name wrote:
We are looking at adding a second instance of our app (named differently --
myappA and myappB) to our Tomcat 9. We currently have the app installed at
a number of customer locations, we are looking at dropping 1 app
Currently, our database connections are esta
There is a lot of information here. Responses in-line.
On 24/04/2025 21:51, Simon Arame wrote:
Not sure I am interpreting the doc correctly, does this mean that the
concerned classes of the xercesImpl jar in /WEB-INF/lib will be
ignored when there exists the equivalent in the bootstrap class
On 24/04/2025 02:02, Zoran Avtarovski wrote:
We have a cluster of tomcat servers on AWS EC2 which operate behind an
AWS load balancer with sticky sessions.
We have our session storage on a DB using a JDBC store which for the
most part is working well, but we occasionally see duplicate session
02 PM Mark Thomas wrote:
On 22/04/2025 16:44, Simon Arame wrote:
What is strange is that although it says "this web application instance
has
been stopped already", the web application is still running, end users
are
still receiving 200 OKs from the web application.
Any other web app
On 22/04/2025 16:44, Simon Arame wrote:
What is strange is that although it says "this web application instance has
been stopped already", the web application is still running, end users are
still receiving 200 OKs from the web application.
Any other web applications running on that Tomcat i
On 22/04/2025 01:09, Eric Robinson wrote:
Hi all,
We want to implement tomcat clustering, but we cannot because the application
is commercial, and it does not support serializable objects. In short, it does
not work with tomcat's standard clustering technology. Is there any known
reliable way
On 21/04/2025 17:49, Christopher Schultz wrote:
Ramesh,
On 4/21/25 1:06 AM, Ramesh B R wrote:
How to decide on heap memory size?
is it 25% of total memory? or 50% total memory?
What is the ideal value (in %) for heap memory ?
Only you can answer that question about your own application envir
On 17/04/2025 20:32, RAY, DAVID wrote:
I updated from Tomcat 9.0.102 to 9.0.104 on two RHEL servers. Both are
'crashing' at startup after the update.Version 9.0.102 and prior versions
ran fine. No issues. Version 9.0.104 is crashing at startup. Any suggestions
much appreciated:
That
To expand on some of that:
On 17/04/2025 16:47, Rémy Maucherat wrote:
On Thu, Apr 17, 2025 at 5:16 PM William Crowell
wrote:
Hi,
A few questions on the future direction of the project.
It seems like Project Panama is still in preview mode as of JDK 24. Is that
correct?
No, it's a stable
On 16/04/2025 19:35, Thorsten Heit wrote:
Hi all,
long time Tomcat user, but first time I'm posting, so hi to you all :-)
I'm suffering a strange phenomenon after I upgraded Tomcat on one of our
virtual machines from 10.1.39 to 10.1.40:
When I open the link to an application being served by
On 16/04/2025 18:20, Nguyen Duong wrote:
Hi Tomcat team
I am really sorry to bother you regarding this fix for Tomcat 9.0.98 revolving
around the following CVEs,
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-50379
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-56337
(★) My que
Thad,
A quick read of https://github.com/jai-imageio/jai-imageio-core suggests
a possible cause.
The library is using the SPI plugin mechanism of ImageIO.
I haven't confirmed this with a code inspection but what I assume is
happening is that the web application is registering an extension at
On 10/04/2025 17:53, Christopher Schultz wrote:
Charles,
On 4/9/25 6:57 PM, Charles Slivkoff wrote:
I noticed this in February and have attempted multiple times to
contact the list owners and have received no response.
There are no posts for Tomcat 10.1.x to tomcat-announce after 33 on
2024-1
On 10/04/2025 10:44, Greg Huber wrote:
Hello,
Going through the logs, the session creation was being triggered from
our 403 jsp page (they were not following the robots.txt and got
themselves banned).
10 minutes of log entries: (752 403's)
752 (32.71%) 0 (00.00%) 1.5 MiB (04.64%) 4
On 09/04/2025 12:45, Vishwas Bm wrote:
Hi,
I am getting below error when having tomcat server name with trailing dot
(.) when using tomcat 10.
From the stacktrace, it looks like it is coming as part of SNI handling.
That is generated by the JRE. Nothing to do with Tomcat.
I'll note that RFC
On 09/04/2025 12:22, Greg Huber wrote:
Hello,
I have noticed that seems I have alot of sessions open, when looking in
the application manager. It was was 800+. I don't remember seeing it
this high before.
Before what?
If I refresh the screen I can see the number going up
slowly. I ha
your time and assistance. I look forward to your response.
Regards,
Rose Mary
*From: *Mark Thomas
*Date: *Thursday, 3 April 2025 at 2:49 PM
*To: *users@tomcat.apache.org
*Subject: *[EXTERNAL] Re: Monitoring Virtual Threads via JMX / MBeans in
Tomcat
On 28/03/2025 09:08, Rose Mary P T wrote:
There are several presentations by me on the Tomcat website that discuss
this. Maybe start with this one from slide 12.
Slides:
https://tomcat.apache.org/presentations/2013-02-acna-Apache-Tomcat-Clustering.pdf
Video:
https://www.youtube.com/watch?v=rX1zm11AXcA
HTH,
Mark
On Fri, Apr 4, 2025 at 8:23 P
On 08/04/2025 13:29, Aniket Pachpute wrote:
No Plans.
Please See: https://lists.apache.org/thread/qlzpscgoqct9wspkj5qjkm34s66jswj0
Plans have evolved a little since that message.
For Tomcat 9:
https://lists.apache.org/thread/o8d1nz8mj8dhwq88jbt7zxopp3omkkkb
Work has now started on Tomcat 12 /
8 Apr 2025 21:45:50 Christopher Schultz :
Justin,
On 4/8/25 3:16 AM, Justin Chen wrote:
Dear users and supporters,
Currently I have two CGI scripts:
1. "/cgi-bin/update" //an administrative command, required
role="admin"
2. "/cgi-bin/updateOrder" //update order, required role="biz"
In order
On 04/04/2025 18:18, Alexander Norz wrote:
Dear Tomcat users and supporters,
The Apache Tomcat software uses forks from packages as Apache Commons
FileUpload and others.
However, do you not recommend using classes from such Tomcat packages
within a web app that only will run on Tomcat? (e.g.
On 04/04/2025 02:42, Chuck Caldarale wrote:
On 2025 Apr 3, at 19:57, Tim N wrote:
For a long time up to the latest version 11 documentation, there has been a
recommended maximum limit of 4 nodes per cluster.
https://tomcat.apache.org/tomcat-11.0-doc/cluster-howto.html
"This works great for s
ionCount will always be 1 more than the current connections. i.e.
a value of 1 means there are no current requests.
Mark
Thank you for your continued support.
Best Regards,
Rose Mary
From: Mark Thomas
Date: Thursday, 27 March 2025 at 9:25 PM
To: users@tomcat.apache.org
Subject: [EXTERNAL]
On 03/04/2025 05:34, Tim N wrote:
That should have been
Looks like this last worked Tomcat v10.1.20 and first failed v10.1.23
...and now looks like this was first fixed again in v10.1.39
Any ideas why?
It suggests that the JasperInitializer was not trigger on start. If not
a packaging issu
On 27/03/2025 14:54, William Crowell wrote:
Sebastian,
Thanks for your reply. I did know about environment variables. I would be
concerned about someone doing a “ps -ef” on the box and getting the password
from the command line arguments. I will keep looking.
Write a small class that impl
Date: Wednesday, 26 March 2025 at 12:48 PM
To: Rose Mary P T
Subject:
Begin forwarded message:
From: Mark Thomas
Subject: [EXTERNAL] Re: Monitoring Virtual Threads via JMX / MBeans in Tomcat
Date: 6 March 2025 at 2:08:43 PM IST
To:
Reply-To: "Tomcat Users List"
On 06/03/2025
em?
Mark
Regards,
William Crowell
From: Mark Thomas
Date: Tuesday, March 25, 2025 at 8:27 AM
To: users@tomcat.apache.org
Subject: Re: NIO Thread Madness
On 25/03/2025 11:24, William Crowell wrote:
Chris,
Looking at JMX is the next step. I make a request and Tomcat never returns,
and I do
On 25/03/2025 11:24, William Crowell wrote:
Chris,
Looking at JMX is the next step. I make a request and Tomcat never returns,
and I do not get a “connection refused”. It just sits and hangs.
Looking that the thread dump you sent me privately now.
Which port/protocol are you using to conne
William Crowell
____
From: Mark Thomas
Sent: Tuesday, March 25, 2025 5:09:20 AM
To: users@tomcat.apache.org
Subject: Re: NIO Thread Madness
On 24/03/2025 18:56, William Crowell wrote:
Are there any logs I can enable to find out why the application server stops
accepting connections?
I'd sug
On 24/03/2025 18:56, William Crowell wrote:
Are there any logs I can enable to find out why the application server stops
accepting connections?
I'd suggest taking 3 thread dumps approx 5s apart when this happens.
Hopefully you'll see a bunch of threads waiting on the database and
where th
Hello Joey,
> -Ursprüngliche Nachricht-
> Von: Joey Cochran
> Gesendet: Mittwoch, 19. März 2025 18:27
> An: users@tomcat.apache.org
> Betreff: RE: JNDIRealm with required ChannelBindingToken fails
>
> On 2025/03/19 08:02:43 "Thomas Hoffmann (Speed4Trade GmbH)
On 19/03/2025 18:51, Mark Thomas wrote:
On 19/03/2025 14:52, Roberto Resoli wrote:
Hello,
I am trying to verify GPG signatures of recent tomcat downloads, but I
noted that both
Mark E D Thomas
DCFD35E0BF8CA7344752DE8B6FB21E8933C60243
Remy Maucherat
On 19/03/2025 14:52, Roberto Resoli wrote:
Hello,
I am trying to verify GPG signatures of recent tomcat downloads, but I
noted that both
Mark E D Thomas DCFD35E0BF8CA7344752DE8B6FB21E8933C60243
Remy Maucherat
48F8E69F6390C9F25CFEDCD268248959359E722B
Are no more available on the https
Hello Michael,
> -Ursprüngliche Nachricht-
> Von: Michael Osipov
> Gesendet: Dienstag, 18. März 2025 22:50
> An: users@tomcat.apache.org
> Betreff: Re: JNDIRealm with required ChannelBindingToken fails
>
> On 2025/03/18 16:22:42 "Thomas Hoffmann (Speed4Tra
e succeeded in JNDIReal with CBT?
Could the connection issue be solved with standard methods?
If further information is needed, I can provide further details.
Thank you very much in advance!
Thomas
Kind regards,
Mark
____
От: Mark Thomas
Отправлено: 18 марта 2025 г. 9:35
Кому: users@tomcat.apache.org
Тема: Re: context path version number with parallel deployment
On 17/03/2025 18:43, Усманов Азат Анварович wrote:
thanks a lot! I got it working.
A quick follow
On 17/03/2025 18:43, Усманов Азат Анварович wrote:
thanks a lot! I got it working.
A quick follow up
What's step do I need to take to include this info in documentation ? I think
it might be useful to others
The list is in the Javadoc:
https://tomcat.apache.org/tomcat-11.0-doc/api/org/apache
tor
Distributed Application Platform Services
Northwestern University
4th Floor
2020 Ridge Avenue
Evanston, IL 60208-0801
darryl.ba...@northwestern.edu <mailto:darryl.ba...@northwestern.edu>
(847) 467-6674
On 3/10/25, 11:38 AM, "Mark Thomas" mailto:ma...@apache.org>> wrote:
On 10/03/2025 21:58, Piotr P. Karwasz wrote:
If you are looking for instructions on how to replace Tomcat's default
logging backend with Log4j Core, there is a dedicated section[2] in our
new Integrating Log4j Core with Jakarta EE Guide[3]
[2] https://logging.apache.org/log4j/2.x/jakarta.ht
CVE-2025-24813 Potential RCE and/or information disclosure and/or
information corruption with partial PUT
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.2
Apache Tomcat 10.1.0-M1 to 10.1.34
Apache Tomcat 9.0.0.M1 to 9.0.98
Descrip
have been resolved with that specific fix?
It is certainly possible. The only way to be sure is to test it and find
out.
Mark
As always, thanks for the hard work on Tomcat!
Regards,
Boris
On 1/20/25 10:31 AM, Mark Thomas wrote:
On 17/01/2025 15:31, Boris Petrov wrote:
Hi Mark,
I'
On 06/03/2025 06:29, Joash Jose wrote:
Dear Apache Tomcat Support Team,
I hope this message finds you well.
I am writing to inquire whether Apache Tomcat (tomacat version is 10.1.33
running on Java 21) exposes virtual thread metrics through JMX / MBeans.
Specifically:
Virtual Thread Visibil
On 05/03/2025 19:19, François Rajotte wrote:
Hi Christopher,
Thanks for your comments.
Regarding the behavior of the non-container thread when an async
request gets cancelled, I don't really care exactly how it's handled.
Currently, my strategy is to let it finish if it had already started
proc
On 27/02/2025 19:56, Banana Kanana wrote:
Hi,
We are using Apache Tomcat 9.0 and frequently see logs related to
CloseNowException in one of our applications. This exception occurs on
multiple operating systems, including OpenSUSE, Ubuntu, and Windows, and in
different parts of our codebase.
Fr
On 26/02/2025 12:04, Mark Thomas wrote:
On 26/02/2025 08:16, Mark Thomas wrote:
On 13/02/2025 10:04, Rémy Maucherat wrote:
On Thu, Feb 13, 2025 at 9:41 AM Cenk Pekyaman
wrote:
We run tomcat on java17 with the embedded tomcat setup.
We have http and https connectors and we have http2
On 26/02/2025 08:16, Mark Thomas wrote:
On 13/02/2025 10:04, Rémy Maucherat wrote:
On Thu, Feb 13, 2025 at 9:41 AM Cenk Pekyaman
wrote:
We run tomcat on java17 with the embedded tomcat setup.
We have http and https connectors and we have http2 upgradeProtocol for
both.
We recently upgraded
On 13/02/2025 10:04, Rémy Maucherat wrote:
On Thu, Feb 13, 2025 at 9:41 AM Cenk Pekyaman wrote:
We run tomcat on java17 with the embedded tomcat setup.
We have http and https connectors and we have http2 upgradeProtocol for
both.
We recently upgraded from 9.0.88 to 10.1.24 to work on javax to
All,
Tomcat 9 is the last major Tomcat version supporting Java EE. Therefore,
the Tomcat community intends to provide support for Tomcat 9 beyond the
10 years for which major Tomcat versions are typically supported.
Extended support will be provided via a new 9.1.x branch that will be
starte
On 17/02/2025 11:50, Michael Osipov wrote:
Folks,
consider the following usecase:
...
This, of course does not work. I have to move the allowLinking attribute up to
Resources which means that all resources are allowed to do that. I'd rather
prefer something like:
Opt
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.4.
Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta
WebSocket, Jakarta Authentication and Jakarta Annotations specifications.
On 12/02/2025 02:50, Chuck Caldarale wrote:
On 2025 Feb 11, at 19:21, Amit Pande wrote:
Am planning to update the Tomcat configuration to support HTTP/2.
Wanted to understand the difference between
nested
within the HTTP/1.1 connector
Vs
Supporting protocol=org.apache.coyote.http2.Http
On 11/02/2025 12:42, Christopher Schultz wrote:
Mark,
On 2/7/25 3:42 AM, Mark Thomas wrote:
On 06/02/2025 19:25, Jalaj Asher wrote:
Hello,
Is it ok to delete files from tomcat/temp folder while the tomcat is
running ?
Generally, no. There are instances where that will break things.
It
e not available Tomcat 11.0.0
>
> Hi Mark, any link to read the reason of this decision?
>
>
> Il 11-Feb-25 13:03, Mark Thomas ha scritto:
> > On 11/02/2025 10:53, S Abirami wrote:
> >> Hi All,
> >>
> >> Tomcat catalina.policy file is not availabl
On 11/02/2025 10:53, S Abirami wrote:
Hi All,
Tomcat catalina.policy file is not available from Tomcat 11.0.0.
Is there any specific reason for the removal?
Support for running under a SecurityManager has been removed.
Mark
---
The Apache Tomcat team announces the immediate availability of Apache
Tomcat 11.0.3.
Apache Tomcat 11 is an open source software implementation of the
Jakarta Servlet, Jakarta Pages, Jakarta Expression Language, Jakarta
WebSocket, Jakarta Authentication and Jakarta Annotations specifications.
If the applications contain JSPs precompiled against an earlier version
of Tomact 9 there is no solution that will enable them to work with
9.0.96 short of rebuilding and precompiling against 9.0.96 or later.
If they have not been precompiled then:
- stop Tomact
- empty work directory
- start T
On 06/02/2025 19:25, Jalaj Asher wrote:
Hello,
Is it ok to delete files from tomcat/temp folder while the tomcat is running ?
Generally, no. There are instances where that will break things.
It may be possible to delete some files safely - although that begs the
question why isn't Tomcat del
1 - 100 of 1156 matches
Mail list logo
