Re: Tomcat upgrade from 9.0.80 to 9.0.81

Thu, 12 Oct 2023 12:08:45 -0700 

All,

On 10/11/23 08:06, i...@flyingfischer.ch wrote:


Am 11.10.23 um 14:02 schrieb Alexander Veit:

Caused by: org.apache.http.ConnectionClosedException: Premature end 
of Content-Length delimited message body (expected: 4,999; received: 
3,040)
        at 
org.apache.http.impl.io.ContentLengthInputStream.read(ContentLengthInputStream.java:178)
        at 
io.restassured.internal.util.IOUtils.toByteArray(IOUtils.java:30)
        at 
io.restassured.internal.http.GZIPEncoding$GZIPDecompressingEntity.getContent(GZIPEncoding.java:69)
        at 
org.apache.http.conn.BasicManagedEntity.getContent(BasicManagedEntity.java:85)
        at 
io.restassured.internal.http.HTTPBuilder.parseResponse(HTTPBuilder.java:546)
        at 
io.restassured.internal.RequestSpecificationImpl$RestAssuredHttpBuilder.super$2$parseResponse(RequestSpecificationImpl.groovy)

        at sun.reflect.GeneratedMethodAccessor129.invoke(Unknown Source)

        at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

        at java.lang.reflect.Method.invoke(Method.java:498)

        at 
org.codehaus.groovy.reflection.CachedMethod.invoke(CachedMethod.java:107)

        at groovy.lang.MetaMethod.doMethodInvoke(MetaMethod.java:323)

        at 
groovy.lang.MetaClassImpl.invokeMethod(MetaClassImpl.java:1268)
        at 
org.codehaus.groovy.runtime.ScriptBytecodeAdapter.invokeMethodOnSuperN(ScriptBytecodeAdapter.java:144)


Has anyone seen this? I will keep everyone posted after debugging more.


We have experienced the same problem with Tomcat 8.5.94.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org




Seems to be reported multiple times as this is blocking bug for 
upgrading to the last Tomcat version:



https://bz.apache.org/bugzilla/show_bug.cgi?id=67670



We understand that it is blocking, but if you re using h2, especially 
exposed directly to the internet, you should upgrade to the broken 
release and use Konstantin's recommended workarounds.



Both the h2 Rapid Reset and HTTP Trailer / possible request smuggling 
CVEs are both very important.



We apologize for the regressions. Release votes appear to be going well; 
we will have a new set of releases for everyone very shortly.



Although they are not "official" releases, you are welcome to deploy the 
release-candidates themselves. Assuming they are voted stable, they will 
be identical to the upcoming "official" releases.



See the dev@ list [VOTE] emails for where to get those release-candidate 
artifacts.


-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org























					Reply via email to