Bug 64206

Summary: Answer file not being used
Product: Tomcat 8
Reporter: david wooffindin <david.wooffindin>
Component: Packaging
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: regression
Priority: P2
Version: 8.5.51
Target Milestone: ----
Hardware: PC
OS: All

Description david wooffindin 2020-03-09 11:53:01 UTC
The installer is not taking into account the answer file, specifically the port on which the server should run.

Comment 1 Mark Thomas 2020-03-09 11:55:39 UTC
Which port? Shutdown, HTTP or AJP?

Comment 2 david wooffindin 2020-03-09 13:02:17 UTC
Just tested installer for:

8.5.50:
Shutdown, HTTP & AJP ports are all set based on the information supplied during install.

8.5.51:
Shutdown port works, HTTP defaults to 8080, regardless of what is specified during install.
AJP is not visible in the installation GUI, so can't specify.
It is also commented out in the server.xml file created.

Comment 3 Mark Thomas 2020-03-09 13:29:45 UTC
Support for AJP was removed from the installer so that aspect is as expected.

I've looked through the commit that removed AJP support and I don't see anything that should affect HTTP. I'll spin up a VM and do some testing.

Comment 4 david wooffindin 2020-03-09 13:39:32 UTC
[semi-offtopic]: just curious, was the CVE for the AJP fixed in this release? Or just disabling it instead by default?

Comment 5 Mark Thomas 2020-03-09 13:57:44 UTC
Found it. Just need to confirm the fix and then I'll back-port.

CVE-2020-1938 was fixed in 8.5.51
For more details see https://markmail.org/message/jahnxqb4wnimedlr

Comment 6 Mark Thomas 2020-03-09 14:23:38 UTC
Fixed in:
- master for 10.0.0-M3 onwards
- 9.0.x for 9.0.33 onwards
- 8.5.x for 8.5.53 onwards
- 7.0.x for 7.0.101 onwards