tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rémy Maucherat <r...@apache.org>
Subject Re: [VOTE] Release Apache Tomcat 9.0.18
Date Thu, 11 Apr 2019 14:11:31 GMT
On Thu, Apr 11, 2019 at 4:08 PM Mark Thomas <markt@apache.org> wrote:

> On 11/04/2019 14:52, Mark Thomas wrote:
> > On 11/04/2019 14:31, Rainer Jung wrote:
> >> Am 11.04.2019 um 14:51 schrieb Rémy Maucherat:
> >>> On Thu, Apr 11, 2019 at 2:00 PM Rainer Jung <rainer.jung@kippdata.de>
> >>> wrote:
> >>>
> >>>> Am 10.04.2019 um 15:44 schrieb Mark Thomas:
> >>>>> The proposed Apache Tomcat 9.0.18 release is now available for
> voting.
> >>>>>
> >>>>> The major changes compared to the 9.0.17 release are:
> >>>>>
> >>>>> - Fix for CVE-2019-0232 a RCE vulnerability on Windows
> >>>>>
> >>>>> - Add support for Java 11 to the JSP compiler. Java 12 and 13 are
> also
> >>>>>     now supported if used with a ECJ version with support for those
> >>>>> Java
> >>>>>     versions
> >>>>>
> >>>>> - Various NIO2 stability improvements
> >>>>>
> >>>>> Along with lots of other bug fixes and improvements.
> >>>>>
> >>>>> For full details, see the changelog:
> >>>>> https://ci.apache.org/projects/tomcat/tomcat9/docs/changelog.html
> >>>>>
> >>>>> It can be obtained from:
> >>>>> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-9/v9.0.18/
> >>>>> The Maven staging repo is:
> >>>>>
> https://repository.apache.org/content/repositories/orgapachetomcat-1207/
> >>>>>
> >>>>> The tag is:
> >>>>> https://github.com/apache/tomcat/tree/9.0.18
> >>>>> 0862607e5da91a7c476a6350288d8d8a9380f556
> >>>>>
> >>>>> The proposed 9.0.18 release is:
> >>>>> [ ] Broken - do not release
> >>>>> [ ] Stable - go ahead and release as 9.0.18
> >>>>>
> >>>>>
> >>>>> Due to the security fix contained in this release, the voting period
> >>>>> may
> >>>>> be shortened once sufficient votes are cast to enable a faster
> release.
> >>>>
> >>>> The MBeans for beans with j2eeType seem to be not filled with data.
I
> >>>> have not checked since 9.0.12, so I don't know when that heppaned.
> Just
> >>>> wantd to give a heads up before investigating more.
> >>>>
> >>>> Example diff for one bean:
> >>>>
> >>>>    Name:
> >>>>
> >>>>
> Catalina:j2eeType=Servlet,WebModule=//localhost/,name=default,J2EEApplication=none,J2EEServer=none
> >>>>
> >>>> -modelerType: org.apache.catalina.mbeans.ContainerMBean
> >>>> -maxTime: 0
> >>>> -requestCount: 0
> >>>> -servletClass: org.apache.catalina.servlets.DefaultServlet
> >>>> -countAllocated: 0
> >>>> -available: 0
> >>>> -backgroundProcessorDelay: -1
> >>>> -processingTime: XXX
> >>>> -loadOnStartup: 1
> >>>> -singleThreadModel: false
> >>>> -loadTime: XXX
> >>>> -stateName: STARTED
> >>>> -minTime: XXX
> >>>> -classLoadTime: XXX
> >>>> -asyncSupported: false
> >>>> -objectName:
> >>>>
> >>>>
> Catalina:j2eeType=Servlet,WebModule=//localhost/,name=default,J2EEApplication=none,J2EEServer=none
> >>>>
> >>>> -maxInstances: 20
> >>>> -errorCount: 0
> >>>> +modelerType: org.apache.tomcat.util.modeler.BaseModelMBean
> >>>> +empty: false
> >>>>
> >>>> The modelerType has changed, all attributes missing.
> >>>>
> >>>
> >>> The good news is that 8.5 seems fine.
> >>>
> >>> I'll investigate. If we need to do a new release (IMO: yes), I'll flip
> >>> the
> >>> useAsyncIO default value ...
> >>
> >> I did some more checks:
> >>
> >> - as you said, 8.5.40 is fine
> >>
> >> - using the same scripts, 9.0.17 is also fine, so this looks like a real
> >> code regression
> >>
> >> Thus I would also be -1 for the 9.0.18 release.
>
>
> https://github.com/apache/tomcat/commit/8cbe4ba594dc41615faafb216fcb4ff3e0d8fafc
>
> seems to be the trigger. I haven't reviewed the commit yet.
>

Yes, sorry :( I already made the fix but the commit emails is stuck.
https://github.com/apache/tomcat/commit/4c6c3e9f434ca1a5cecf04f1b9148fb221b3af37

Rémy

Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message