users  

Messages by Thread

• Is Tomcat affected by CVE-2026-49975 (HTTP/2 Bomb)? Stefan Mayr
  • Re: Is Tomcat affected by CVE-2026-49975 (HTTP/2 Bomb)? Christopher Schultz
• Logging of which jars did or didn't need scanning? Holle, Jess via users
  • RE: Logging of which jars did or didn't need scanning? Hemanta Pathak
  • RE: Logging of which jars did or didn't need scanning? Holle, Jess via users
• Informal poll of Tomcat version usage Christopher Schultz
• [BUG] Parameters.recycle() does not reset queryStringCharset — leaks across recycled Requests 황인엽
  • Re: [BUG] Parameters.recycle() does not reset queryStringCharset — leaks across recycled Requests Mark Thomas
  • Re: [BUG] Parameters.recycle() does not reset queryStringCharset — leaks across recycled Requests Mark Thomas
• Fwd: Questions regarding updating Apache Tomcat on a server. Brian Proffitt
  • Re: Fwd: Questions regarding updating Apache Tomcat on a server. Jon McAlexander
  • Re: Fwd: Questions regarding updating Apache Tomcat on a server. Christopher Schultz
  • Re: Fwd: Questions regarding updating Apache Tomcat on a server. Jon McAlexander
• Fw: Tomcat Jobs Jon McAlexander
• [SECURITY] CVE-2026-43515 Apache Tomcat - Security constraints not correctly applied Mark Thomas
• [SECURITY] CVE-2026-43514 Apache Tomcat - AJP secret compared in non-constant time Mark Thomas
• [SECURITY] CVE-2026-43513 Apache Tomcat - LockOutRealm treats user names as case-sensitive Mark Thomas
• [SECURITY] CVE-2026-43512 Apache Tomcat - Digest authenticator will authenticate any unknown user Mark Thomas
• [SECURITY] CVE-2026-42498 Apache Tomcat - WebSocket authentication header exposure Mark Thomas
• [SECURITY] CVE-2026-41293 Apache Tomcat - HTTP/2 request headers not validated Mark Thomas
• [SECURITY] CVE-2026-41284 Apache Tomcat - Unbounded read in WebDAV LOCK and PROPFIND handling Mark Thomas
• [ANN] Apache Tomcat 10.1.55 Available Christopher Schultz
• [ANN] Apache Tomcat 9.0.118 available Rémy Maucherat
• [ANN] Apache Tomcat 11.0.22 Available Mark Thomas
  • The scheme https s not consistent with the TLS enabled setting (Re: [ANN] Apache Tomcat 11.0.22 Available) Thomas Meyer
  • Re: The scheme https s not consistent with the TLS enabled setting (Re: [ANN] Apache Tomcat 11.0.22 Available) Mark Thomas
  • Apache Tomcat x.x.x Available? Mark Foley
  • Re: Apache Tomcat x.x.x Available? David Wall
  • Re: Apache Tomcat x.x.x Available? Mark Foley
  • Re: Apache Tomcat x.x.x Available? Chuck Caldarale
  • Re: The scheme https s not consistent with the TLS enabled setting (Re: [ANN] Apache Tomcat 11.0.22 Available) Rémy Maucherat
  • Re: The scheme https s not consistent with the TLS enabled setting (Re: [ANN] Apache Tomcat 11.0.22 Available) Mark Thomas
  • Re: The scheme https s not consistent with the TLS enabled setting (Re: [ANN] Apache Tomcat 11.0.22 Available) Mark Thomas
  • Re: The scheme https s not consistent with the TLS enabled setting (Re: [ANN] Apache Tomcat 11.0.22 Available) Christopher Schultz
  • Re: The scheme https s not consistent with the TLS enabled setting (Re: [ANN] Apache Tomcat 11.0.22 Available) Mark Thomas
  • Re: The scheme https s not consistent with the TLS enabled setting (Re: [ANN] Apache Tomcat 11.0.22 Available) Thomas Meyer
• Very rare requests claim they are from 127.0.0.1 Christopher Schultz
  • Re: Very rare requests claim they are from 127.0.0.1 Mark Thomas
  • Re: Very rare requests claim they are from 127.0.0.1 Christopher Schultz
  • Re: Very rare requests claim they are from 127.0.0.1 Konstantin Kolinko
  • Re: Very rare requests claim they are from 127.0.0.1 Christopher Schultz
• Community Over Code Conference, October 2026, Glasgow, Scotland, UK Christopher Schultz
• Clarification on Tomcat 9.1 Release Timeline and Support Plans somasani nikhil
  • Re: Clarification on Tomcat 9.1 Release Timeline and Support Plans Christopher Schultz
• Limits on redirect length Stephen Booth
  • Re: Limits on redirect length Mark Thomas
• Double Slash Conversion to Single Slash in URL Not Working Grackin, Michael A. Mr. (Fed) via users
  • Re: Double Slash Conversion to Single Slash in URL Not Working Mark Thomas
  • Re: Double Slash Conversion to Single Slash in URL Not Working Christopher Schultz
  • RE: [EXTERNAL] Re: Double Slash Conversion to Single Slash in URL Not Working Grackin, Michael A. Mr. (Fed) via users
• cgi not found Holger Klawitter
  • Re: cgi not found Christopher Schultz
  • Re: cgi not found Holger Klawitter
  • Re: cgi not found Christopher Schultz
• [SECURITY] CVE-2026-34487 Apache Tomcat - Cloud membership for clustering component exposed the Kubernetes bearer token Mark Thomas
• [SECURITY] CVE-2026-34486 Apache Tomcat - Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor Mark Thomas
• [SECURITY] CVE-2026-34500 Apache Tomcat - OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled Mark Thomas
• [SECURITY] CVE-2026-34483 Apache Tomcat - Incomplete escaping of JSON access logs Mark Thomas
• [SECURITY] CVE-2026-32990 Apache Tomcat - The fix for CVE-2025-66614 is incomplete Mark Thomas
• [SECURITY] CVE-2026-29146 Apache Tomcat - EncryptInterceptor vulnerable to padding oracle attack by default Mark Thomas
• [SECURITY] CVE-2026-29145 Apache Tomcat and Tomcat Native - OCSP checks sometimes soft-fail even when soft-fail is disabled Mark Thomas
• [SECURITY] CVE-2026-29129 Apache Tomcat - Configured TLS cipher preference order not preserved Mark Thomas
• [SECURITY] CVE-2026-25854 Apache Tomcat - Occasionally open redirect Mark Thomas
• [SECURITY] CVE-2026-24880 Apache Tomcat - Request smuggling via invalid chunk extension Mark Thomas
• [ANN] Apache Tomcat 11.0.21 Available Mark Thomas
• [ANN] Apache Tomcat 9.0.117 available Rémy Maucherat
• [ANN] Apache Tomcat 10.1.54 Available Christopher Schultz
• [ANN] End Of Support for Tomcat Native 1.x Christopher Schultz
• Tomcat 9.0.37 - Request Header Parsing Exception: X-Forwarded-For Lost and Host Field Duplicated Resulting in 400 Bad Request 扛起一片天！✨
  • Re: Tomcat 9.0.37 - Request Header Parsing Exception: X-Forwarded-For Lost and Host Field Duplicated Resulting in 400 Bad Request Christopher Schultz
  • Re: Tomcat 9.0.37 - Request Header Parsing Exception: X-Forwarded-For Lost and Host Field Duplicated Resulting in 400 Bad Request 扛起一片天！✨
  • Re: Tomcat 9.0.37 - Request Header Parsing Exception: X-Forwarded-For Lost and Host Field Duplicated Resulting in 400 Bad Request Christopher Schultz
• Tomcat 11.0.18 - java.lang.AssertionError in Mapper#internalMap Torsten Krah
  • Re: Tomcat 11.0.18 - java.lang.AssertionError in Mapper#internalMap Christopher Schultz
  • Re: Tomcat 11.0.18 - java.lang.AssertionError in Mapper#internalMap Torsten Krah
• [ANN] Apache Tomcat 10.1.53 Available Christopher Schultz
  • AW: [ANN] Apache Tomcat 10.1.53 Available Döscher, Andreas (ESI) via users
  • Re: AW: [ANN] Apache Tomcat 10.1.53 Available Christopher Schultz
• [ANN] Apache Tomcat 9.0.116 available Rémy Maucherat
• [ANN] Apache Tomcat 11.0.20 Available Mark Thomas
• Apache Tomcat 9.0.108 -- Upgrading to 9.1.x and Release Info Jack Haddad
  • Re: Apache Tomcat 9.0.108 -- Upgrading to 9.1.x and Release Info Sebastian Trost via users
• Tomcat 11 latest release version date Deepti Sharma S via users
  • Re: Tomcat 11 latest release version date Mark Thomas
  • Re: Tomcat 11 latest release version date Jonathan S. Fisher
  • Re: Tomcat 11 latest release version date Christopher Schultz
  • Re: Tomcat 11 latest release version date Christopher Schultz
• FIPS Mode Mike Brown
  • Re: FIPS Mode Amit Pande via users
• Run Priority -- Tomcat running on IBM Midrange boxes James H. H. Lampert via users
  • Re: Run Priority -- Tomcat running on IBM Midrange boxes Konstantin Kolinko
  • Re: Run Priority -- Tomcat running on IBM Midrange boxes James H. H. Lampert via users
  • Re: Run Priority -- Tomcat running on IBM Midrange boxes Christopher Schultz
  • Re: Run Priority -- Tomcat running on IBM Midrange boxes James H. H. Lampert via users
  • Re: Run Priority -- Tomcat running on IBM Midrange boxes Rainer Jung
  • Re: Run Priority -- Tomcat running on IBM Midrange boxes Christopher Schultz
• [ANN] Apache Tomcat Native 2.0.14 released Mark Thomas
• [ANN] Apache Tomcat Native 1.3.7 released Mark Thomas
• Recall: Apache Tomcat 10 Issue Mcalexander, Jon J. via users
• Re: users Digest 6 Mar 2026 16:12:31 -0000 Issue 15160 Richard Huntrods
• Apache Tomcat 10 Issue Short, William J.
  • Re: Apache Tomcat 10 Issue Dimitris Soumis
  • RE: Apache Tomcat 10 Issue Short, William J.
  • Re: Apache Tomcat 10 Issue Rob Sargent
  • RE: Apache Tomcat 10 Issue Short, William J.
  • Re: Apache Tomcat 10 Issue Dimitris Soumis
  • Re: Apache Tomcat 10 Issue Dimitris Soumis
  • RE: Apache Tomcat 10 Issue Short, William J.
  • Re: Apache Tomcat 10 Issue Sebastian Trost via users
  • Re: Apache Tomcat 10 Issue Sebastian Trost via users
  • RE: Apache Tomcat 10 Issue Short, William J.
  • Re: Apache Tomcat 10 Issue Sebastian Trost via users
  • Re: Apache Tomcat 10 Issue David Wall
  • Re: Apache Tomcat 10 Issue Sebastian Trost via users
  • Re: Apache Tomcat 10 Issue Christopher Schultz
  • RE: Apache Tomcat 10 Issue Short, William J.
  • Re: Apache Tomcat 10 Issue Rob Sargent
  • Re: Apache Tomcat 10 Issue Zdeněk Henek
  • RE: Apache Tomcat 10 Issue Mcalexander, Jon J. via users
  • RE: Apache Tomcat 10 Issue Short, William J.
  • Re: Apache Tomcat 10 Issue Zdeněk Henek
  • RE: Apache Tomcat 10 Issue Short, William J.
  • Re: Apache Tomcat 10 Issue Zdeněk Henek
  • RE: Apache Tomcat 10 Issue Short, William J.
  • Re: Apache Tomcat 10 Issue Christopher Schultz
• Access log Bytes Written when compression is enabled David Cleary
  • Re: Access log Bytes Written when compression is enabled Christopher Schultz
  • Re: Access log Bytes Written when compression is enabled David Cleary
  • Re: Access log Bytes Written when compression is enabled Christopher Schultz
  • Re: Access log Bytes Written when compression is enabled Mark Thomas
• Order of ciphers is no longer preserved Benny Prange
• [SECURITY] CVE-2026-24733 Apache Tomcat - Security constraint bypass with HTTP/0.9 Mark Thomas
• [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass Mark Thomas
  • Fwd: [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass Ivano Luberti
  • Re: Fwd: [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass Christopher Schultz
  • Re: Fwd: [SECURITY] CVE-2026-24734 Apache Tomcat and Tomcat Native - OCSP revocation bypass Ivano Luberti
• [SECURITY] CVE-2025-66614 Apache Tomcat - Client certificate verification bypass due to virtual host mapping Mark Thomas
• Ignored JSSE properties in Tomcat 11.0.12+ and Java21+ Benny Prange
  • Re: Ignored JSSE properties in Tomcat 11.0.12+ and Java21+ Rémy Maucherat
  • Re: Ignored JSSE properties in Tomcat 11.0.12+ and Java21+ Benny Prange
  • Re: Ignored JSSE properties in Tomcat 11.0.12+ and Java21+ Christopher Schultz
  • Re: Ignored JSSE properties in Tomcat 11.0.12+ and Java21+ Benny Prange
  • Re: Ignored JSSE properties in Tomcat 11.0.12+ and Java21+ Rémy Maucherat
  • Re: Ignored JSSE properties in Tomcat 11.0.12+ and Java21+ Benny Prange
  • Re: Ignored JSSE properties in Tomcat 11.0.12+ and Java21+ Rémy Maucherat
  • Re: Ignored JSSE properties in Tomcat 11.0.12+ and Java21+ Benny Prange
• [ANN] End of support for Apache Tomcat Native 1.3.x Mark Thomas
• [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Mark Thomas
  • RE: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Rathore, Rajendra via users
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Sebastian Trost via users
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Rathore, Rajendra via users
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Mark Thomas
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan James H. H. Lampert via users
  • RE: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Mcalexander, Jon J. via users
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan James H. H. Lampert via users
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Rémy Maucherat
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Christopher Schultz
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan David Wall
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Christopher Schultz
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan David Wall
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan James H. H. Lampert via users
  • Re: [ANN] Tomcat 9.0.x End of Support and Tomcat 9 long term support plan Christopher Schultz
• [ANN] Apache Tomcat Native 1.3.6 released Mark Thomas
• [ANN] Apache Tomcat Native 2.0.13 released Mark Thomas
• [Inquiry] java.lang.IllegalStateException: setAttribute: Session already invalidated during Cluster Replication (Tomcat 9.0.73) 조재현
  • Re: [Inquiry] java.lang.IllegalStateException: setAttribute: Session already invalidated during Cluster Replication (Tomcat 9.0.73) Mark Thomas
• Set "X-Frame-Options" SAMEORIGIN to ALWAYS ? Baron Fujimoto
  • AW: Set "X-Frame-Options" SAMEORIGIN to ALWAYS ? Thomas Hoffmann (Speed4Trade GmbH) via users
  • Re: Set "X-Frame-Options" SAMEORIGIN to ALWAYS ? Baron Fujimoto
  • Re: Set "X-Frame-Options" SAMEORIGIN to ALWAYS ? Christopher Schultz
  • Re: Set "X-Frame-Options" SAMEORIGIN to ALWAYS ? Baron Fujimoto
• NoClassDefFoundError of OSGI class SynchronousBundleListener for Tyrus initialization Robert von Burg
• Re: Apache Tomcat Server (V 10.1.50) / Cybersecurity risk assessment Christopher Schultz
  • Re: Apache Tomcat Server (V 10.1.50) / Cybersecurity risk assessment Mark Thomas
• Tomcat config with virtual threads joan.balaguero
  • Re: Tomcat config with virtual threads Mark Thomas
  • Re: Tomcat config with virtual threads Christopher Schultz
  • RE: Tomcat config with virtual threads joan.balaguero
• [ANN] Apache Tomcat 11.0.18 Available Mark Thomas
• move to tomcat 11, now see a jasper dependency Rob Sargent
  • Re: move to tomcat 11, now see a jasper dependency Mark Thomas
  • Re: move to tomcat 11, now see a jasper dependency Rob Sargent
• [ANN] Apache Tomcat 10.1.52 Available Christopher Schultz
  • AW: [ANN] Apache Tomcat 10.1.52 Available Döscher, Andreas (ESI) via users
  • Re: AW: [ANN] Apache Tomcat 10.1.52 Available Mark Thomas
• [ANN] Apache Tomcat 9.0.115 available Rémy Maucherat
  • UNSUBSCRIBE Re: [ANN] Apache Tomcat 9.0.115 available N Patterson-Kling
  • Re: [ANN] Apache Tomcat 9.0.115 available Evan Rempel via users
  • Re: [ANN] Apache Tomcat 9.0.115 available Mark Thomas
  • Re: [ANN] Apache Tomcat 9.0.115 available Evan Rempel via users
  • Re: [ANN] Apache Tomcat 9.0.115 available Christopher Schultz
• Tomcat 9.0.x securing db credentials in server.xml dineshk via users
  • Re: Tomcat 9.0.x securing db credentials in server.xml Mark Thomas
  • AW: Tomcat 9.0.x securing db credentials in server.xml Thomas Hoffmann (Speed4Trade GmbH) via users
  • Re: Tomcat 9.0.x securing db credentials in server.xml Christopher Schultz
  • RE: Tomcat 9.0.x securing db credentials in server.xml Mcalexander, Jon J. via users
  • Re: Tomcat 9.0.x securing db credentials in server.xml Christopher Schultz
  • Re: Tomcat 9.0.x securing db credentials in server.xml Brian Wolfe
  • Re: Tomcat 9.0.x securing db credentials in server.xml Christopher Schultz
  • Re: Tomcat 9.0.x securing db credentials in server.xml Brian Wolfe

• Earlier messages