Subject: CVS commit: pkgsrc/www/apache-tomcat8
From: S.P.Zeidler
Date: 2017-01-01 18:26:13
Message id: 20170101172613.A257DFBA6@cvs.NetBSD.org

Log Message:
update to current tomcat 8.0 train version, fixing CVE-2016-5388.

Changelog:

Tomcat 8.0.39 (violetagg)
Catalina

    Fix: When creating a new Connector via JMX, ensure that both HTTP/1.1 and \ 
AJP/1.3 connectors can be created. (markt)
    Fix: Include the Context name in the log message when an item cannot be \ 
added to the cache. (markt)
    Fix: Exclude JAR files in /WEB-INF/lib from the static resource cache. (markt)
    Fix: When calling getResourceAsStream() on a directory, ensure that null is \ 
returned. (markt)
    Fix: 60161: Allow creating subcategories of the container logger, and use it \ 
for the rewrite valve. (remm)
    Fix: Correctly test for control characters when reading the provided \ 
shutdown password. (markt)
    Fix: When configuring the JMX remote listener, specify the allowed types for \ 
the credentials. (markt)

Coyote

    Fix: Correct the HTTP header parser so that DEL is not treated as a valid \ 
token character. (markt)
    Fix: 60319: When using an Executor, disconnect it from the Connector \ 
attributes maxThreads, minSpareThreads and threadPriority to enable the \ 
configuration settings to be consistently reported. These Connector attributes \ 
will be reported as -1 when an Executor is in use. The values used by the \ 
executor may be set and obtained via the Executor. (markt)
    Fix: If an I/O error occurs during async processing on a non-container \ 
thread, ensure that the onError() event is triggered. (markt)
    Fix: Improve detection of I/O errors during async processing on \ 
non-container threads and trigger async error handling when they are detected. \ 
(markt)
    Add: Add additional checks for valid characters to the HTTP request line \ 
parsing so invalid request lines are rejected sooner. (markt)

Web applications

    Fix: Correct a typo in HTTP Connector How-To. Issue reported via \ 
comments.apache.org. (violetagg)
    Fix: Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
    Fix: Correct a typo in CGI How-To. Issue reported via comments.apache.org. \ 
(violetagg)

Tribes

    Fix: When the proxy node sends a backup retrieve message, ensure that the \ 
channelSendOptions that has been set is used rather than the default \ 
channelSendOptions. (kfujino)

Other

    Update: Update the ECJ compiler to version 4.5.1. (markt)
    Fix: Remove classes from tomcat-util-scan.jar that are duplicates of those \ 
in tomcat-util.jar. (markt)

2016-10-10 Tomcat 8.0.38 (markt)
Catalina

    Add: 59961: Add an option to the StandardJarScanner to control whether or \ 
not JAR Manifests are scanned for additional class path entries. (markt)
    Fix: 60013: Refactor the previous fix to align the behaviour of the Rewrite \ 
Valve with mod_rewrite. As part of this, provide an implementation for the B and \ 
NE flags and improve the handling for the QSA flag. Includes multiple test cases \ 
by Santhana Preethi and a patch by Tiago Oliveira. (markt)
    Fix: 60087: Refactor the web resources handling to use the Tomcat specific \ 
war:file:... URL protocol to refer to WAR files and their contents rather than \ 
the standard jar:file:... form since some components of the JRE, such as JAR \ 
verification, give unexpected results when the standard form is used. A \ 
side-effect of the refactoring is that when using packed WARs, it is now \ 
possible to reference a WAR and/or specific JARs within a WAR in the security \ 
policy file used when running under a SecurityManager. (markt)
    Fix: 60116: Fix a problem with the rewrite valve that caused back references \ 
evaluated in conditions to be forced to lower case when using the NC flag. \ 
(markt)
    Fix: Ensure Digester.useContextClassLoader is considered in case the class \ 
loader is used. (violetagg)
    Fix: 60117: Ensure that the name of LogLevel is localized when using \ 
OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
    Fix: 60146: Improve performance for resource retrieval by making calls to \ 
WebResource.getInputStream() trigger caching if the resource is small enough. \ 
Patch provided by mohitchugh. (markt)
    Add: 60151: Improve the exception error messages when a ResourceLink fails \ 
to specify the type, specifies an unknown type or specifies the wrong type. \ 
(markt)
    Fix: 60167: Ignore empty lines in /etc/passwd files when using the \ 
PasswdUserDatabase. (markt)
    Fix: 60170: Exclude the compressed test file index.html.br from RAT \ 
analysis. Patch provided by Gavin McDonald. (markt)
    Fix: When starting web resources, ensure that class resources are only \ 
started once. (markt)
    Fix: Improve the access checks for linked global resources to handle the \ 
case where the current class loader is a child of the web application class \ 
loader. (markt)
    Fix: 60199: Log a warning if deserialization issues prevent a session \ 
attribute from being loaded. (markt)

Coyote

    Fix: Correctly handle a call to AsyncContext.complete() from a non-container \ 
thread when non-blocking I/O is being used. (markt)
    Add: Refactor the code that implements the requirement that a call to \ 
complete() or dispatch() made from a non-container thread before the container \ 
initiated thread that called startAsync() completes must be delayed until the \ 
container initiated thread has completed. Rather than implementing this by \ 
blocking the non-container thread, extend the internal state machine to track \ 
this. This removes the possibility that blocking the non-container thread could \ 
trigger a deadlock. (markt)
    Fix: 60123: Avoid potential threading issues that could cause excessively \ 
large values to be returned for the processing time of a current request. (markt)
    Fix: 60174: Log instances of HeadersTooLargeException during request \ 
processing. (markt)

Jasper

    Fix: 60101: Remove preloading of the class that was deleted. (violetagg)

Web applications

    Add: Expand the documentation for the nested elements within a Resources \ 
element to clarify the behaviour of different configuration options with respect \ 
to the order in which resources are searched. (markt)
    Add: Add an example of using the classesToInitialize attribute of the \ 
JreMemoryLeakPreventionListener to the documentation web application. Based on a \ 
patch by Cris Berneburg. (markt)
    Fix: 60192: Correct a typo in the status output of the Manager application. \ 
Patch provided by Radhakrishna Pemmasani. (markt)

jdbc-pool

    Fix: Notify jmx when returning the connection that has been marked suspect. \ 
(kfujino)
    Fix: Ensure that the POOL_EMPTY notification has been added to the jmx \ 
notification types. (kfujino)
    Fix: 60099: Ensure that all method arguments are used as the cache key when \ 
using StatementCache. (kfujino)
    Fix: 60139: Correct Javadocs for PoolConfiguration.getValidationInterval and \ 
setValidationInterval. Reported by Phillip Webb. (kfujino)

Other

    Fix: Update the download location for Objenesis. (violetagg)
    Fix: 60164: Replace log4j-core*.jar with log4j-web*.jar since it is \ 
log4j-web*.jar that contains the ServletContainerInitializer. (markt)
    Add: Add documentation to the bin/catalina.bat script to remind users that \ 
environment variables don't affect the configuration of Tomcat when run as a \ 
Windows Service. Based upon a documentation patch by James H.H. Lampert. \ 
(schultz)
    Update: Update the packaged version of the Tomcat Native Library to 1.2.10 \ 
to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)

2016-09-05 Tomcat 8.0.37 (markt)
Catalina

    Fix: 57705: Add debug logging for requests denied by the remote host and \ 
remote address valves and filters. Based on a patch by Graham Leggett. (markt)
    Add: 59399: Add a new option to the Realm implementations that ship with \ 
Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to \ 
be controlled per Realm. (markt)
    Update: Change the default of the sessionCookiePathUsesTrailingSlash \ 
attribute of the Context element to false since the problems caused when a \ 
Servlet is mapped to /* are more significant than the security risk of not \ 
enabling this option by default. (markt)
    Fix: Do not attempt to start web resources during a web application's \ 
initialisation phase since the web application is not fully configured at that \ 
point and the web resources may not be correctly configured. (markt)
    Fix: 59708: Modify the LockOutRealm logic. Valid authentication attempts \ 
during the lock out period will no longer reset the lock out timer to zero. \ 
(markt)
    Fix: Improve error handling around user code prior to calling \ 
InstanceManager.destroy() to ensure that the method is executed. (markt)
    Fix: 59813: Ensure that circular relations of the Class-Path attribute from \ 
JAR manifests will be processed correctly. (violetagg)
    Fix: Ensure that reading the singleThreadModel attribute of a \ 
StandardWrapper via JMX does not trigger initialisation of the associated \ 
servlet. With some frameworks this can trigger an unexpected initialisation \ 
thread and if initialisation is not thread-safe the initialisation can then fail. \ 
(markt)
    Fix: Compatibility with rewrite from httpd for non-existing headers. (jfclere)
    Fix: By default, treat paths used to obtain a request dispatcher as encoded. \ 
This behaviour can be changed per web application via the \ 
dispatchersUseEncodedPaths attribute of the Context. (markt)
    Fix: 59839: Apply roleSearchAsUser to all nested searches in JNDIRealm. \ 
(fschumacher)
    Fix: 59859: Fix resource leak in WebDAV servlet. Based on patch by Coty \ 
Sutherland. (fschumacher)
    Add: Provide a mechanism that enables the container to check if a component \ 
(typically a web application) has been granted a given permission when running \ 
under a SecurityManager without the current execution stack having to have \ 
passed through the component. Use this new mechanism to extend SecurityManager \ 
protection to the system property replacement feature of the digester. (markt)
    Add: When retrieving an object via a ResourceLink, ensure that the object \ 
obtained is of the expected type. (markt)
    Fix: 59824: Mark the RewriteValve as supporting async processing by default. \ 
(markt)
    Fix: 59862: Allow nested jar files scanning to be filtered with the system \ 
property tomcat.util.scan.StandardJarScanFilter.jarsToSkip. Patch is provided by \ 
Terence Bandoian. (violetagg)
    Fix: 59866: When scanning WEB-INF/classes for annotations, don't scan the \ 
contents of WEB-INF/classes/META-INF (if present) since classes will never be \ 
loaded from that location. (markt)
    Fix: 59888: Correctly handle tabs and spaces in quoted version one cookies \ 
when using the Rfc6265CookieProcessor. (markt)
    Fix: 59912: Fix an edge case in input stream handling where an IOException \ 
could be thrown when reading a POST body. (markt)
    Fix: 59960: Fix Javadoc so it builds with Java 8. Patch by Coty Sutherland. \ 
(markt)
    Fix: 59966: Do not start the web application if the error page configuration \ 
in web.xml is invalid. (markt)
    Fix: Switch the CGI servlet to the standard logging mechanism and remove \ 
support for the debug attribute. (markt)
    Fix: Changes to the allowLinking attribute of a StandardRoot instance now \ 
invalidate the cache if caching is enabled. (markt)
    Add: Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet \ 
to mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that \ 
can be used to mitigate any future, similar issues. (markt)
    Add: When adding and removing ResourceLinks dynamically, ensure that the \ 
global resource is only visible via the ResourceLinkFactory when it is meant to \ 
be. (markt)
    Fix: 60008: When processing CORS requests, treat any origin with a URI \ 
scheme of file as a valid origin. (markt)
    Fix: Improve handling of exceptions during a Lifecycle events triggered by a \ 
state transition. The exception is now caught and the component is now placed \ 
into the FAILED state. (markt)
    Fix: 60013: Fix encoding issues when using the RewriteValve with UTF-8 query \ 
strings or UTF-8 redirect URLs. (markt)
    Fix: 60022: Improve handling when a WAR file and/or the associated exploded \ 
directory are symlinked into the appBase. (markt)
    Fix: Fix a file descriptor leak when reading the global web.xml. (markt)
    Fix: Consistently decode URL patterns provided via web.xml using the \ 
encoding of the web.xml file where specified or UTF-8 where no explicit encoding \ 
is specified. (markt)
    Fix: Make timing attacks against the Realm implementations harder. (schultz)

Coyote

    Fix: Improve error handling around user code prior to calling \ 
InstanceManager.destroy() to ensure that the method is executed. (markt)
    Fix: Extend synchronization for NIO2 writes to avoid \ 
ConcurrentModificationException observed during testing. (markt)
    Fix: 59904: Add a limit (default 200) for the number of cookies allowed per \ 
request. Based on a patch by gehui. (markt)
    Fix: 59925: Correct regression in r1628368 and ensure that HTTP separators \ 
are handled as configured in the LegacyCookieProcessor. Patch provided by Kyohei \ 
Nakamura. (markt)
    Fix: OpenSSL now disables 3DES by default so reflect this when using OpenSSL \ 
syntax to select ciphers. (markt)

Jasper

    Fix: Improve error handling around user code prior to calling \ 
InstanceManager.destroy() to ensure that the method is executed. (markt)
    Fix: Improve the error handling for custom tags to ensure that the tag is \ 
returned to the pool or released and destroyed once used. (markt)
    Fix: 60032: Fix handling of method calls that use varargs within EL value \ 
expressions. (markt)
    Fix: Ignore engineOptionsClass and scratchdir when running under a security \ 
manager. (markt)
    Fix: Fixed StringIndexOutOfBoundsException. Based on a patch provided by \ 
wuwen via Github. (violetagg)

WebSocket

    Fix: Improve error handling around user code prior to calling \ 
InstanceManager.destroy() to ensure that the method is executed. (markt)
    Fix: 59908: Ensure that a reason phrase is included in the close message if \ 
a session is closed due to a timeout. (markt)

Web Applications

    Fix: Do not log an additional case of IOExceptions in the error handler for \ 
the Drawboard WebSocket example when the root cause is the client disconnecting \ 
since the logs add no value. (markt)
    Fix: 59642: Mention the localDataSource in the DataSourceRealm section of \ 
the Realm How-To. (markt)
    Fix: Follow-up to the fix for 59399. Ensure that the new attribute \ 
transportGuaranteeRedirectStatus is documented for all Realms. Also document the \ 
NullRealm and when it is automatically created for an Engine. (markt)
    Fix: Fix the description of maxAge attribute in jdbc-pool doc. This \ 
attribute works both when a connection is returned and when a connection is \ 
borrowed. (kfujino)
    Fix: 59774: Correct the prefix values in the documented examples for \ 
configuring the AccessLogValve. Patch provided by Mike Noordermeer. (markt)
    Fix: 59868: Clarify the documentation for the Manager web application to \ 
make clearer that the host name and IP address in the server section are the \ 
primary host name and IP address. (markt)
    Fix: MBeans Descriptors How-To is moved to mbeans-descriptors-howto.html. \ 
Patch provided by Radoslav Husar. (violetagg)
    Fix: Update the NIO Connector configuration documentation with information \ 
about socket.directSslBuffer. (violetagg)
    Fix: 60034: Correct a typo in the Manager How-To page of the documentation \ 
web application. (markt)

Tribes

    Add: Add log message when the ping has timed-out. (kfujino)
    Fix: If the ping message has been received at the \ 
AbstractReplicatedMap#leftOver method, ensure that the member is notified as \ 
alive rather than ignored. (kfujino)

jdbc-pool

    Fix: Fix the duplicated connection release when connection verification \ 
failed. (kfujino)
    Fix: Ensure that an abandoned connection that has already been released is \ 
not removed. (kfujino)
    Fix: In order to avoid the unintended skip of PoolCleaner, remove the check \ 
code of the execution interval in the task that has been scheduled. (kfujino)
    Fix: 59850: Ensure that the ResultSet is closed when enabling the \ 
StatementCache interceptor. (kfujino)
    Fix: 59923: Reduce the default value of validationInterval in order to avoid \ 
the potential issue that continues to return an invalid connection after \ 
database restart. (kfujino)
    Fix: Ensure that the ResultSet is returned as Proxy object when enabling the \ 
StatementDecoratorInterceptor. (kfujino)
    Fix: 60043: Ensure that the suspectTimeout works without removing connection \ 
when the removeAbandoned is disabled. (kfujino)
    Fix: Add a log message when returning a connection that has been marked \ 
suspect. (kfujino)
    Fix: Correct Javadoc for ConnectionPool.suspect(). Based on a patch by Yahya \ 
Cahyadi. (markt)

Other

    Update: 59276: Update optional Checkstyle library to 6.17. (kkolinko)
    Add: Use the mirror network rather than the ASF master site to download the \ 
current ASF dependencies. (markt)
    Update: Update the packaged version of the Tomcat Native Library to 1.2.8 to \ 
pick up the latest fixes and make 1.2.8 the minimum recommended version. (markt)
    Fix: 59899: Update Tomcat's copy of the Java Persistence annotations to \ 
include the changes made in 2.1 / JavaEE 7. (markt)
    Fix: Fixed typos in mbeans-descriptors.xml files. (violetagg)
    Update: Update the internal fork of Commons BCEL to r1757132 to align with \ 
the BCEL 6 release. (markt)
    Update: Update the internal fork of Commons DBCP2 to r1757164 to pick up a \ 
couple of bug fixes. (markt)
    Update: Update the internal fork of Commons Codec to r1757174. Code \ 
formatting changes only. (markt)
    Update: Update the internal fork of Commons FileUpload to afdedc9. This \ 
pulls in a fix to improve the performance with large multipart boundaries. \ 
(markt)

Files:
Revision  Action  File
1.9       modify  pkgsrc/www/apache-tomcat8/Makefile
1.5       modify  pkgsrc/www/apache-tomcat8/PLIST
1.10      modify  pkgsrc/www/apache-tomcat8/distinfo
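The CVE named in the commit message, CVE-2016-5388 (httpoxy), is mitigated in the 8.0.37 entries above by the new envHttpHeaders initialisation parameter of the CGI Servlet. The mechanism behind the bug is the CGI header-to-environment mapping itself: a request header named "Proxy" becomes the HTTP_PROXY environment variable of the CGI child, which many HTTP client libraries honour as their outbound proxy. The following Python block is an added illustration of that mapping and of an allow-list filter in the style of envHttpHeaders; it is not code from Tomcat or from pkgsrc. The sample headers are constructed for the example, and the allow-list pattern is an assumption chosen to make the point, not a claim about Tomcat's shipped default.

```python
import re

# Constructed sample request (not from the page): ordinary headers plus the
# attacker-controlled "Proxy" header that httpoxy relies on.
SAMPLE_HEADERS = {
    "Host": "app.example.test",
    "User-Agent": "curl/7.50",
    "Accept": "*/*",
    "Proxy": "http://attacker.example.test:8080",
    "X-Forwarded-For": "203.0.113.7",
}


def header_to_env_name(name: str) -> str:
    """RFC 3875 mapping: 'HTTP_' + upper-cased name with '-' replaced by '_'.

    This is the step that turns a client-supplied "Proxy" header into
    HTTP_PROXY, colliding with the conventional proxy configuration variable.
    """
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_env_unfiltered(headers: dict) -> dict:
    """Naive CGI environment: every request header becomes an HTTP_* variable.

    This is the vulnerable behaviour: nothing stops HTTP_PROXY from reaching
    the CGI process, where an outbound HTTP client may pick it up.
    """
    return {header_to_env_name(k): v for k, v in headers.items()}


# Illustrative allow-list in the style of the envHttpHeaders parameter: a regular
# expression matched against the upper-cased header name. ASSUMPTION: this
# pattern was chosen for the example and is not asserted to be Tomcat's default.
ENV_HTTP_HEADERS = re.compile(
    r"ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT"
)


def cgi_env_filtered(headers: dict, allowed: re.Pattern = ENV_HTTP_HEADERS) -> dict:
    """Hardened CGI environment: only headers matching the allow-list are exported.

    An allow-list is preferable to a deny-list of "Proxy" alone, because any
    future header that collides with a meaningful environment variable is
    blocked without a further code change, which is the point of the
    configurable mechanism described in the changelog.
    """
    env = {}
    for name, value in headers.items():
        if allowed.fullmatch(name.upper()):
            env[header_to_env_name(name)] = value
    return env


def proxy_leaks(headers: dict, allowed: re.Pattern = ENV_HTTP_HEADERS) -> tuple:
    """Return (leaks_unfiltered, leaks_filtered) for a quick before/after check."""
    return (
        "HTTP_PROXY" in cgi_env_unfiltered(headers),
        "HTTP_PROXY" in cgi_env_filtered(headers, allowed),
    )


if __name__ == "__main__":
    print("unfiltered:", cgi_env_unfiltered(SAMPLE_HEADERS))
    print("filtered:  ", cgi_env_filtered(SAMPLE_HEADERS))
    print("HTTP_PROXY leaks (before, after):", proxy_leaks(SAMPLE_HEADERS))
```

Run it as a script to see the two environments side by side: the unfiltered one carries HTTP_PROXY pointing at the attacker's host, the filtered one keeps only HTTP_HOST, HTTP_USER_AGENT and HTTP_ACCEPT. When reviewing a CGI deployment, the check to perform is the same as proxy_leaks(): send a request with a Proxy header and confirm that no HTTP_PROXY variable appears in the child's environment.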