Posted to dev@tomcat.apache.org by bu...@apache.org on 2014/02/23 17:12:21 UTC
[Bug 56180] New: Bugfix 55943 changed backward compatibility in classloading
https://issues.apache.org/bugzilla/show_bug.cgi?id=56180
Bug ID: 56180
Summary: Bugfix 55943 changed backward compatibility in classloading
Product: Tomcat 7
Version: 7.0.52
Hardware: PC
OS: Linux
Status: NEW
Severity: regression
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: ksmster@gmail.com
Between Tomcat 7.0.50 and Tomcat 7.0.52 the class loading logic changed, which
may prevent protecting against CVE-2014-0050.
My use case:
1. I have
jcl-over-slf4j-1.7.5.jar
jul-to-slf4j.jar
log4j-over-slf4j-1.7.5.jar
logback-classic.jar
logback-core.jar
slf4j-api.jar
in Tomcat lib folder.
2. With the help of setenv.sh I've added these jars to the classpath
export CLASSPATH="${CATALINA_HOME}/conf/:${CATALINA_HOME}/lib/jul-to-slf4j.jar:${CATALINA_HOME}/lib/slf4j-api.jar:${CATALINA_HOME}/lib/logback-classic.jar:${CATALINA_HOME}/lib/logback-core.jar:${CATALINA_HOME}/lib/mail.jar:${JAVA_HOME}/lib/tools.jar"
3. After updating to Tomcat 7.0.52 I got
Caused by: java.lang.LinkageError: loader constraint violation: when resolving method "org.slf4j.impl.StaticLoggerBinder.getLoggerFactory()Lorg/slf4j/ILoggerFactory;" the class loader (instance of org/apache/catalina/loader/WebappClassLoader) of the current class, org/slf4j/LoggerFactory, and the class loader (instance of sun/misc/Launcher$AppClassLoader) for resolved class, org/slf4j/impl/StaticLoggerBinder, have different Class objects for the type LoggerFactory; used in the signature
    at org.slf4j.LoggerFactory.getILoggerFactory(LoggerFactory.java:299) ~[slf4j-api.jar:1.7.5]
    at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:269) ~[slf4j-api.jar:1.7.5]
    at org.slf4j.LoggerFactory.getLogger(LoggerFactory.java:281) ~[slf4j-api.jar:1.7.5]
    at com.codenvy.inject.ModuleScanner.<clinit>(ModuleScanner.java:36) ~[na:na]
    at java.lang.Class.forName0(Native Method) ~[na:1.7.0_51]
    at java.lang.Class.forName(Class.java:270) ~[na:1.7.0_51]
    at org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:187) ~[catalina.jar:7.0.52]
    at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:152) ~[catalina.jar:7.0.52]
    at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1543) ~[ca
Note: see the comment in the issue. I assume he has the same problem.
https://issues.apache.org/bugzilla/show_bug.cgi?id=55943#c8
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
[Bug 56180] Bugfix 55943 changed backward compatibility in classloading
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56180
--- Comment #2 from Konstantin Kolinko <kn...@gmail.com> ---
(In reply to Sergey Kabashnyuk from comment #0)
> 2. With the help of setenv.sh I've added these jars to the classpath
> export CLASSPATH="${CATALINA_HOME}/conf/:${CATALINA_HOME}/lib/jul-to-slf4j.jar:${CATALINA_HOME}/lib/slf4j-api.jar:${CATALINA_HOME}/lib/logback-classic.jar:${CATALINA_HOME}/lib/logback-core.jar:${CATALINA_HOME}/lib/mail.jar:${JAVA_HOME}/lib/tools.jar"
>
For starters, move the mentioned libraries from ${CATALINA_HOME}/lib to
somewhere else (so that they are not present twice in System and Common
classloaders) and make sure that your web application does not have another
(third) copy of them.
From a security risk point of view, you would do better to avoid having the
whole "conf" on the classpath as well.
http://tomcat.apache.org/tomcat-7.0-doc/class-loader-howto.html
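The duplicate-library check suggested in comment #2, as an added example that is not part of the original thread: the script compares jar names across the CLASSPATH set in setenv.sh, ${CATALINA_HOME}/lib and one application's WEB-INF/lib, and lists non-jar CLASSPATH entries such as conf/. The function names, the script name in the usage line and the version-stripping rule are assumptions; matching by file name is a heuristic, not a class-level comparison.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed inputs: $1 = CLASSPATH string from
# setenv.sh (System loader), $2 = ${CATALINA_HOME}/lib (Common loader),
# $3 = one web application's WEB-INF/lib (Webapp loader).

# Heuristic: strip directory, ".jar" and a trailing "-<version>" so that
# slf4j-api.jar and slf4j-api-1.7.5.jar compare as the same library.
artifact() {
    basename "$1" .jar | sed 's/-[0-9][0-9A-Za-z.-]*$//'
}

# Print "<loader> <artifact>" for every jar each class loader can see.
loader_inventory() {
    old_ifs=$IFS; IFS=:
    for entry in $1; do
        case $entry in *.jar) echo "system $(artifact "$entry")" ;; esac
    done
    IFS=$old_ifs
    for jar in "$2"/*.jar; do
        if [ -e "$jar" ]; then echo "common $(artifact "$jar")"; fi
    done
    for jar in "$3"/*.jar; do
        if [ -e "$jar" ]; then echo "webapp $(artifact "$jar")"; fi
    done
}

# One line per library visible to two or more loaders: "<artifact>: <loaders>".
find_duplicates() {
    loader_inventory "$1" "$2" "$3" | LC_ALL=C sort -u |
    awk '{ seen[$2] = (seen[$2] == "" ? $1 : seen[$2] "," $1); n[$2]++ }
         END { for (a in n) if (n[a] > 1) print a ": " seen[a] }' | LC_ALL=C sort
}

# CLASSPATH entries that are not jars (for example conf/), listed for review.
classpath_dirs() {
    old_ifs=$IFS; IFS=:
    for entry in $1; do
        case $entry in *.jar|'') ;; *) echo "$entry" ;; esac
    done
    IFS=$old_ifs
}

# Usage (hypothetical script name):
#   sh loader-dups.sh "$CLASSPATH" "$CATALINA_HOME/lib" /path/to/app/WEB-INF/lib
if [ "$#" -eq 3 ]; then
    find_duplicates "$1" "$2" "$3"
    classpath_dirs "$1" | sed 's/^/non-jar classpath entry: /'
fi
```
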
[Bug 56180] Bugfix 55943 changed backward compatibility in classloading
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=56180
Mark Thomas <ma...@apache.org> changed:
What       |Removed |Added
----------------------------------------------------------------------------
Status     |NEW     |RESOLVED
Resolution |---     |INVALID
--- Comment #1 from Mark Thomas <ma...@apache.org> ---
See this thread for a full discussion of this topic:
http://markmail.org/thread/mid36pgk7nckp2rr
It looks like you should be adding those JARs to the endorsed dir rather than
to the class path.