./www/apache-tomcat55, The Apache Project's Java Servlet 2.4 and JSP 2.0 server



Branch: CURRENT, Version: 5.5.35, Package name: apache-tomcat-5.5.35, Maintainer: pkgsrc-users

Tomcat is the Java Servlet / Java Server Page environment produced
by the Apache Foundation's Tomcat Project. Tomcat can be run as a
standalone web server with Servlet and JSP support, or using Apache
Server as its web server via the mod_jk Apache module (www/ap-jk).

This is the Tomcat 5.5 package, which is a Java Servlet 2.4 and JSP
2.0 server.


Required to run:
[lang/openjdk8]

SHA1: 84235e1bb66fe98512d74578e9b7c4c9d3dbc5d8
RMD160: 7b3f8d38d4e25c3606b73730713a01274e0babc7
Filesize: 8838.521 KB

CVS history:


   2015-11-04 03:47:43 by Alistair G. Crooks | Files touched by this commit (758)
Log message:
Add SHA512 digests for distfiles for www category

Problems found locating distfiles:
	Package haskell-cgi: missing distfile haskell-cgi-20001206.tar.gz
	Package nginx: missing distfile array-var-nginx-module-0.04.tar.gz
	Package nginx: missing distfile encrypted-session-nginx-module-0.04.tar.gz
	Package nginx: missing distfile headers-more-nginx-module-0.261.tar.gz
	Package nginx: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package nginx-devel: missing distfile echo-nginx-module-0.58.tar.gz
	Package nginx-devel: missing distfile form-input-nginx-module-0.11.tar.gz
	Package nginx-devel: missing distfile lua-nginx-module-0.9.16.tar.gz
	Package nginx-devel: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx-devel: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package php-owncloud: missing distfile owncloud-8.2.0.tar.bz2

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
   2014-03-11 15:05:19 by Jonathan Perkin | Files touched by this commit (350)
Log message:
Remove example rc.d scripts from PLISTs.

These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
   2012-10-28 07:31:10 by Aleksej Saushev | Files touched by this commit (600)
Log message:
Drop superfluous PKG_DESTDIR_SUPPORT, "user-destdir" is default these days.
   2012-04-04 13:34:27 by OBATA Akio | Files touched by this commit (3) | Package updated
Log message:
Update apache-tomcat to 5.5.35.
(fix CVE-2011-4858)

Tomcat 5.5.35 (jim)
    Catalina
        * Make configuration issues for security related Valves and Filters
          result in the failure of the valve or filter rather than just a
          warning message. (markt)
        * Ensure changes to the configuration of the RemoteHostValve and the
          RemoteAddrValve via JMX are thread-safe. (markt)
        * In RequestFilterValve (RemoteAddrValve, RemoteHostValve): refactor
          value matching logic into separate method and expose this new method
          isAllowed through JMX. (kkolinko)
        * Improve performance of parameter processing for GET and POST requests.
          Also add an option to limit the maximum number of parameters processed
          per request. This defaults to 10000. Excessive parameters are ignored.
          Note that FailedRequestFilter can be used to reject the request if
          some parameters were ignored. (markt/kkolinko)
        * New filter FailedRequestFilter that will reject a request if there
          were errors during HTTP parameter parsing. (kkolinko)
        * 52384: Do not fail with parameter parsing when debug logging is
          enabled. (kkolinko, jim)
        * Do not flag extra '&' characters in parameters as parse errors.
          (kkolinko, jim)
        * Slightly improve performance of UDecoder.convert(). Align %2f handling
          between implementations. (kkolinko)
        * 52225: Fix ClassCastException when adding an alias for an existing
          host via JMX. (kkolinko)
        * Do not throw an IllegalArgumentException from a parseParameters() call
          when a chunked POST request is too large, but treat it like an IO
          error. (kkolinko)
        * Add SetCharacterEncodingFilter (similar to the one contained in the
          examples web application) to the org.apache.catalina.filters package
          so it is available for all web applications. (kkolinko)

    General
        * Update Eclipse compiler to 3.7 and switch to using ecj.jar. (markt)

    Coyote
        * Improve multi-byte character handling in all connectors. (rjung)

    Jasper
        * 52335: Only handle <\% and not \% as escaped in template text. (markt)

    Webapps
        * 52049: Improve setup instructions for running as a Windows service:
          correct information on how a JRE is identified and selected.
          (kkolinko)
        * 52172: Update Tomcat build instructions. Includes changes proposed by
          bmargulies. (kkolinko)
        * 52243: Improve windows service documentation to clarify how to include
          # and/or ; in the value of an environment variable that is passed to
          the service. (markt)

    Other
        * 52059: Ensure Windows registry keys are removed when using the
          un-install option of the Windows installer. (markt)
   2011-09-25 10:53:37 by OBATA Akio | Files touched by this commit (2) | Package updated
Log message:
Update apache-tomcat55 to 5.5.34.

General
 * Update Tomcat-Native to 1.1.22. (jim)
 * Fix CVE-2011-2729. Update to Commons Daemon 1.0.7. (markt)
 * 33262: When using the Windows installer, the monitor is now auto-started for
   the current user rather than all users to be consistent with menu item
   creation. (markt)
 * 40510: Provide an option within the Windows installer to create menu entries
   for the current user or all users. (markt)
 * 50949: Add the ability to specify the AJP port and the shutdown port when
   using the Windows installer. (markt)
 * 51135: Fix auto-detection of JAVA_HOME for 64-bit Windows platforms that only
   have a 32-bit JVM installed when using the Windows installer. (markt)

Catalina
 * 27988: Improve reporting of missing files. (markt)
 * 28852: Add URL encoding where missing to parameters in URLs presented by Ant
   tasks to the Manager application. Based on a patch by Stephane Bailliez.
   (markt)
 * 41179: Return 404 rather than 400 for requests to the ROOT context when no
   ROOT context has been deployed. (markt)
 * 50189: Once the application has finished writing to the response, prevent
   further reads from the request since this causes various problems in the
   connectors which do not expect this. (markt)
 * Fix CVE-2011-2204. Prevent user passwords appearing in log files if a
   runtime exception (e.g. OOME) occurs while creating a new user for a
   MemoryUserDatabase via JMX. (markt)
 * 51042: Don't trigger session creation listeners when a session ID is changed
   as part of the authentication process. (markt)
 * 51324: Improve handling of exceptions when flushing the response buffer to
   ensure that the doFlush flag does not get stuck in the enabled state. Patch
   provided by Jeremy Norris. (kkolinko)
 * 51403: Avoid NullPointerException in JULI FileHandler if formatter is
   misconfigured. (kkolinko)
 * 51473: Fix concatenation of values in SecurityConfig.setSecurityProperty()
   when the value provided by JRE is null. (kkolinko)
 * 51550: Internal errors in Tomcat components that process requests before they
   are passed to a web application, such as Authenticators, now return a 500
   response rather than a 200 response. (markt)
 * Add additional configuration options to the DIGEST authenticator. (markt)

Coyote
 * Fix CVE-2011-2526. Protect against crashes (HTTP APR) if sendfile is
   configured to send more data than is available in the file. (markt)
 * 50394: Return -1 from read operation instead of throwing an exception when
   encountering an EOF with the HTTP APR connector. (kkolinko)
 * 50744: Skip the SSL configuration check on platforms where an unbounded
   socket cannot be created. (kkolinko)
 * 51073: Throw an exception and do not start the APR connector if it is
   configured for SSL and an invalid value is provided for SSLProtocol. (markt)
 * 51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt)

Jasper
 * 36362: Handle the case where tag file attributes (which can use any valid XML
   name) have a name which is not a Java identifier. (markt)
 * Fix possible threading issue in JSP compilation when development mode is
   enabled. (markt)

Cluster
 * 48717: Ensure session activation events are fired. (markt)
 * 50771: Ensure HttpServletRequest#getAuthType() returns the name of the
   authentication scheme if request has already been authenticated. (kfujino)
 * 51647: Fix session replication when a session attribute is a Java dynamic
   proxy. Based on a patch by Tomasz Skutnik. (markt)

Webapps
 * 41498: Add the allRolesMode attribute to the Realm configuration page in the
   documentation web application. (markt)
 *  Configure Security Manager How-To to include a copy of the actual
    conf/catalina.policy file when the documentation is built, rather than
    maintaining a copy of its content. (kkolinko)
 * 48997: Fixed some typos and improve cross-referencing to the HTTP Connector
   and APR documentation with the SSL How-To page of the documentation web
   application. (markt)

Other
 * Align jpda settings in catalina.bat with catalina.sh, tc6.0.x, tc7.0.x and
   trunk. (markt)
 * Clarify error messages in *.sh files to mention that if a script is not found
   it might be because execute permission is needed. (kkolinko)
   2011-03-17 22:22:56 by David Brownlee | Files touched by this commit (3) | Package updated
Log message:
Update www/apache-tomcat55 to 5.5.33

- Addresses SA http://cve.mitre.org/cgi-bin/cvename.cg … -2011-0013
- Added LICENSE entry to pkgsrc
- Drop MAINTAINERship
- Changes since 5.5.28 below

Tomcat 5.5.33 (jim)

General

    fix	Fix permissions of version.sh in bin tarball. (rjung)
    fix	45332, 45852, 50140: Backport numerous improvements to the Windows installer. Specify the correct encoding (the current Windows code page) rather than assuming UTF-8 when creating tomcat-users.xml - 45332, 45852. Update install/uninstall icons. Create an installation log. Allow 32-bit JVMs to be selected when installing on a 64-bit platform. Do not ignore install directory if it is specified with the command line switch on 64-bit platforms - 50140. Add support for the /? command line switch. Replace the .ini files with the script equivalents. Provide the ability to edit the roles for the added user. Clean up fully after installation. Add DetailPrint statements for operations that may take time. Improve the descriptions of the components. (kkolinko, mturk, markt)
    add	Add roles (admin-gui, admin-script, manager-gui, manager-script, manager-jmx, manager-status) to the Manager, Host Manager and Admin applications to allow more fine-grained control of permissions. The old roles are deprecated but will still work in the same way. (kkolinko)

Catalina

    fix	Improve HTTP specification compliance in support of Accept-Language header. (kkolinko)
    fix	50620: Stop exceptions that occur during Session.endAccess() from preventing the normal completion of Request.recycle(). (markt/kkolinko)

Coyote

    update	Remove JSSE13Factory, JSSE13SocketFactory classes, as Tomcat 5.5 always runs on JRE 1.4 or later. (kkolinko)
    fix	50325: When the JVM indicates support for RFC 5746, disable Tomcat's allowUnsafeLegacyRenegotiation configuration attribute and use the JVM configuration to control renegotiation. (markt/kkolinko)

Tomcat 5.5.32 (jim)	released 2011-02-01

General

    update	Update to Commons Daemon 1.0.5. (mturk)
    update	Update to commons-pool 1.5.5. (markt)
    fix	Ensure POM files have correct line endings in source distributions. (rjung/markt)

Catalina

    add	43960: Expose available property of StandardWrapper via JMX. (markt)
    fix	50131: Avoid possible NPE in debug output in PersistentValve. Patch provided by sebb. (kkolinko)
    fix	50413: Ensure 304s are not returned when using static files as error pages. (markt/kkolinko)
    fix	Avoid unnecessary cast in StandardContext. (markt)
    fix	50460: Avoid a possible memory leak caused by using a cached exception instance. (kkolinko)
    fix	50550: When a new directory is created (e.g. via WebDAV) ensure that a subsequent request for that directory does not result in a 404 response. (markt/kkolinko)

Coyote

    fix	47913: Return the IP address rather than null for getRemoteHost() with the APR connector if the IP address does not resolve. (markt)
    fix	49521: Disable scanning for a free port in Jk AJP/1.3 connector by default. Do not change maxPort field value of ChannelSocket in its setPort() and init() methods. Add support for maxPort attribute on a Connector element as a synonym for channelSocket.maxPort. (kkolinko)

Jasper

    fix	49935: Handle compilation of recursive tag files. (markt)

Cluster

    fix	Improve sending an access message in DeltaManager. The maxInactiveInterval of the session, not of the Manager, is used. If maxInactiveInterval is negative, an access message is not sent. (kfujino)
    fix	50547: Add time stamp for CHANGE_SESSION_ID message and SESSION_EXPIRED message. (kfujino)

Webapps

    add	50294: Add more information to documentation regarding format of configuration files. Patch provided by Luke Meyer. (markt)
    update	Improve documentation of database connection factory. (rjung)
    fix	Improve filtering of Manager display output. (kkolinko)
    update	Configure the Admin, Manager and Host-Manager web applications to use HttpOnly flag for their session cookies. (kkolinko)

Tomcat 5.5.31 (jim)	released 2010-09-16

General

    fix	Add svn:executable property to some script files and remove it from non-executable files. (rjung)

Catalina

    fix	38113: Add system property (ALLOW_EMPTY_QUERY_STRING) to allow spec compliant handling of query string. (markt/kkolinko/jim)
    fix	Return a copy of the URL being used from the webapp class loader, not the original array. (kkolinko/markt)
    fix	49749: Use HttpOnly flag of current context when generating a Single-Sign-On cookie. (markt)

Coyote

    fix	49718: Fix regression in previous fix for 46984 caused by the patch being applied to the wrong section of code. The regression caused HTTP 0.9 requests to fail. (markt)

Webapps

    fix	49585: Update JSVC documentation to reflect new packaging of Commons Daemon. (markt)
    fix	49774: Add support for SSL with either JSSE or APR based connectors to the admin app. (markt)

Cluster

    fix	Add Null check when CHANGE_SESSION_ID message received. (kfujino)

Tomcat 5.5.30 (jim)	released 2010-07-09

General

    update	Update to Commons Daemon 1.0.2. Use service launcher (procrun) from the Commons Daemon release. Do not keep a copy of it in our source tree. (mturk/kkolinko)
    update	Update to NSIS 2.46. (kkolinko)
    update	Update to Apache Commons DBCP 1.3. (markt)
    fix	48840: Swallow output (if any) from use of cd when determining $CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on patch provided by mdietze. (markt/kkolinko)
    fix	49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
    fix	48990: Build windows distributions correctly on Linux and add support for the skip.installer property. (kkolinko)

Catalina

    fix	Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication. (markt)
    fix	44041, 48694: Fix duplicate class definition under load. Avoid possible deadlock in class loading. (markt/kkolinko)
    fix	47774: Ensure web application class loader is used when calling session listeners. (kfujino)
    update	48179: Improve error handling when reading or writing TLD cache file ("tldCache.ser"). (kkolinko)
    fix	49398: ByteChunk.indexOf(String, int, int, int) could not find a string of length 1. (kkolinko)
    fix	Ensure all required i18n messages are present for the APR/native Listener. (kkolinko)
    fix	Fix possible overflows when calculating session statistics. (kkolinko)
    fix	49424: Avoid NPE if client provides no data with a chunked POST request. (markt)
    fix	Minor code cleanup in AccessLogValve and FastCommonAccessLogValve classes. (kkolinko)

Coyote

    fix	Arrange filter logic. (jfclere)
    fix	48613: Only attempt APR/native connector initialization if the Listener element has been specified in server.xml. (fhanik/kkolinko)
    fix	48843: Prevent possible deadlock and correct queue handling for worker allocation in APR connectors. (kkolinko)
    fix	Use chunked encoding for http 1.1 responses with no content-length (regardless of keep-alive) so client can differentiate between complete and partial responses. (markt)

Jasper

    fix	42390, 48616: Fix compilation error with some nested tag files and simple tags. Do not declare or synchronize scripting variables for JSP fragments since they are scriptless. (kkolinko)
    fix	47878: Return “404”s rather than a permanent “500” if a JSP is deleted. Make sure first response after deletion is correct. (markt/kkolinko)
    fix	48701: Add a system property to allow disabling enforcement of JSP.5.3. The specification recommends, but does not require, this enforcement. (kkolinko)
    fix	48580: Prevent AccessControlException when running under a security manager if the first access is to a JSP that uses a FunctionMapper. (markt/kkolinko)
    fix	49196: Avoid NullPointerException in PageContext.getErrorData() if an error-handling JSP page is called directly. (kkolinko)

Cluster

    fix	48717: When a node joins a cluster and it receives all the current sessions, ensure the sessionCreated event is fired if the Manager is configured to replicate session events. (markt)
    fix	49170: Do not send duplicated session. (kfujino)
    fix	49445: When session ID is changed after authentication, ensure the DeltaManager replicates the change in ID to the other nodes in the cluster. (kfujino)

Webapps

    add	Backport documentation stylesheet improvements from Tomcat 6: use CSS styles to provide printer-friendly layout, support generation of TOC tables, support links revision numbers, use underscores instead of spaces in anchor names. (kkolinko)

Tomcat 5.5.29 (fhanik)	released 2010-04-20

General

    add	37847: Make location and filename of catalina.out configurable in catalina.sh. (fhanik/kkolinko)
    fix	47609: Provide fail-safe EOL conversion for build process. (sebb/markt/kkolinko)
    fix	47689: Enable the test Ant target to work. (markt)
    fix	47712: Loading tcnative was broken in 5.5.28. (rjung)
    fix	Correct CVE-2009-3548. When installed via the Windows installer and using defaults, don't create an administrative user with a blank password. Additionally, the administrative user is only created if the manager or host-manager web applications are selected for installation. (markt/kkolinko)
    update	Deprecate the jni Buffer and Thread classes. (rjung)
    update	Include 32-bit and 64-bit versions of Tomcat Native DLLs into the Windows installer, instead of downloading them from a web site during install, and allow it to automatically select the correct one for the current platform. (kkolinko/mturk)
    update	Update Windows installer to use NSIS 2.45. (kkolinko)
    update	Update to commons-pool 1.5.4. This fixes regressions in 1.5.2. (markt)
    fix	Align server.xml installed by the Windows installer with the one bundled in zip/tar.gz archives. (kkolinko)
    fix	Encode all property files using ascii escaped UTF-8. (rjung)
    fix	Correct MD5 generation in the build process. (kkolinko)

Catalina

    fix	37848: Re-fix. Don't display info output when there is no terminal. (markt)
    fix	39231: Call LoginModule.logout() when using JAASRealm. (markt/kkolinko)
    fix	39844: Fix NPE when performing a non-HTTP forward. (billbarker)
    fix	41059: Reduce the chances of errors when using ENABLE_CLEAR_REFERENCES. Patch by Curt Arnold. (markt)
    add	45255: Add the ability to change session ID on authentication to protect against session fixation attacks. This is disabled by default. (markt/kkolinko)
    fix	46967: Better handling of errors when trying to use Manager.randomFile. Based on a patch by Kirk Wolf. (kkolinko)
    fix	47518: Correct reference in Valve Javadoc that referred to an old method. Patch provided by Christopher Schultz. (markt)
    fix	47537: Return an error page rather than a zero length 200 response if the forward to the login or error page fails during FORM authentication. (markt)
    fix	47718: Fix file descriptor leak on context stop/reload. Patch provided by George Sexton. (markt)
    fix	47826: Correct error in debug message in org.apache.catalina.Bootstrap (markt)
    fix	47963: Ensure that any HTTP status messages are compliant with RFC2616. (markt/kkolinko)
    fix	47997: Enable the NamingResourcesMBean to work with non-Server (i.e. Context) containers. Patch provided by Michael Allman. (markt)
    fix	48004: Allow applications to set the Server header. (markt)
    fix	48007: Improve exception processing in CustomObjectInputStream. (kkolinko)
    fix	48049: Fix copy and paste error so NamingContext.destroySubContext() works correctly. Patch provided by gingyang.xu (markt)
    update	48097: Make WebappClassLoader not swallow AccessControlException. (kkolinko)
    fix	48097: Avoid throwing an AccessControlException which can lead to a NoClassDefFoundError on first access of first jsp. (kkolinko/markt)
    fix	48322: Single quote characters are not HTTP separators and should not be treated as such in the cookie handling. (markt)
    add	Provide an option to allow the use of equals characters in cookie values. (markt)
    fix	48516: Prevent NPE in JNDIRealm if requested user does not exist. Patch provided by Kevin Conaway. (markt)
    fix	48577: Filter URL when displaying missing included page. (markt)
    fix	48760: Remove race condition that can result in multiple threads trying to use the same InputStream. (markt)
    fix	Add an additional permission required by JULI when running under newer JDKs and a security manager. (markt)
    fix	Close resource stream in WebappClassLoader after read error. (pero)
    fix	Do not swallow exceptions in ApplicationContextFacade.doPrivileged() (kkolinko)
    fix	Various related (un)deploy improvements including: better handling of failed (un)deployment; adding checking for invalid zip file entries that don't make sense in a WAR file; and improved validation of WAR file names. These changes address CVE-2009-2693, CVE-2009-2901 and CVE-2009-2902.

Coyote

    fix	43327: Allow APR/native connector to work correctly on systems when IPv6 is enabled. (markt)
    fix	46950: Support SSL renegotiation with APR/native connector. Note that this requires APR/native 1.1.17 or later. (markt)
    fix	47225: Fix error in calculation of a buffer length in the mapper. (markt)
    fix	47744: Prevent a medium term memory leak if using SSL with the JSSE provider and also using a security manager. Based on a patch by Greg Vanore. (markt)
    fix	47987: Limit size of not found resources cache. (markt)
    fix	48109: Ensure InputStream is closed in WebappClassLoader on error conditions. (markt)
    fix	48311: APR should not be initialised if the APR life-cycle listener is not enabled. (markt)
    fix	48581: Avoid security exception on first access. (markt)
    fix	48584: Prevent the APR connector logging an error if the acceptor fails during shutdown since this is expected. (mturk)
    fix	CVE-2009-3555. Provide option to disable legacy SSL renegotiation. (markt/costin)
    fix	Fix Windows installer to bundle an up-to-date version of native/APR with it. When asked to install TC-Native it was downloading some very old (1.1.4) version of it from the HEAnet site. (kkolinko)
    update	Update the native/APR library version bundled with Tomcat to 1.1.20. (kkolinko)
    update	Update recommended version for native to 1.1.19. (rjung)
    fix	Remove unneeded line from the method that normalizes decodedURI. (kkolinko)

Jasper

    fix	38797: Fix regression in previous fix for this bug. (markt)
    fix	41661: Fix thread safety issue in JspConfig.init() (markt)
    fix	41824: Need to use canonical rather than binary form when writing code. (markt)
    fix	46907: Don't swallow input stream when debug logging is enabled. (markt)
    fix	48582: Avoid NPE on background compile. (markt)

Cluster

    fix	DeltaManager needs to replicate changed attributes even if session gets invalidated. Otherwise session listeners will not see the right data on the secondary nodes. (rjung)
    fix	Remove unnecessary Java5 dependencies. (markt)
    fix	46384: Correct synchronisation issue that could lead to a cluster member disappearing permanently. (markt)
    fix	47554: Include httpOnly attribute when re-writing session cookie after fail over. (markt)

Webapps

    fix	41564: Add some information on installing Tomcat as a service on operating systems with User Account Control, e.g. Vista. (markt)
    fix	47656: Add information to documentation on system property replacement in configuration files. (markt)
    fix	47769: Clarify the JNDI docs with respect to use of <resource-ref> and related elements, specifically when they are required and when they may be omitted. (markt)
    fix	48381: Add information on how Tomcat treats host names to the host configuration documentation. (markt)
    add	48530: Add information on the Manager Server Status page to the Manager How-To in the documentation webapp. Based on a patch by Arnaud Espy. (markt)
    add	48532: Add information to the BIO/NIO SSL configuration page in the documentation web application to specify how the defaults for the various trust store attributes are determined. (markt)
    fix	48686: Fix deleting a host via the Administration web application rather than failing with a HTTP 500 response. (markt)
    add	Make changelog.xml be directly rendered as HTML by certain browsers. (kkolinko)

Tomcat 5.5.28 (fhanik)	released 2009-09-04

General

    fix	39194: Make the setting of the classpath consistent for the .sh and .bat startup scripts. (markt/kkolinko)
    fix	45880: Include NOTICE file in Windows installer and make sure src files are excluded. (markt)
    update	Update to NSIS 2.44 (kkolinko)
    update	Build scripts: Use different values for ${tomcat-dbcp.home} and ${jasper-compiler-jdt.home} in tomcat-deps. Fix download task checks for commons-pool and commons-dbcp. (kkolinko)
    add	Add the 64-bit windows service binaries to the distribution and get the Windows installer to automatically select the correct one for the current platform. (markt/kkolinko)
    update	Update to commons-pool 1.5.2. This includes various fixes to prevent deadlocks, reduce syncs and make object allocation occur fairly - i.e. objects are allocated to threads in the order that the threads request them. This fixes a number of issues with the version of DBCP embedded within Tomcat. (markt)
    update	Update Tomcat Windows service application (procrun) to version 2.0.5. It contains a fix for issue 41538 (mturk)
    fix	47149: Explicitly specify encoding when performing filtering during copy, fixcrlf or replace operations in build scripts. Don't add blank lines to files when fixing line endings. Explicitly specify encoding when compiling. (kkolinko)
    fix	47464: Some class files were accidentally included into the source distributions of TC 5.5.27. (kkolinko)
    docs	Document that building Tomcat requires Ant 1.6.2 or later. (kkolinko)

Catalina

    fix	37458: Fix sync error that may lead to NPE in rare circumstances. Patch by Konstantin Kolinko. (markt)
    fix	37498: Fall back to container log if application log is unavailable during context destruction. (markt)
    fix	37794: Handle POSTed parameters when sent with chunked encoding. (markt)
    fix	37984: Strip {MD5} as well as {SHA} if present in digest passwords in LDAP directories. (markt)
    fix	38553: A lack of certificates is normal if a user doesn't have a certificate. Return a 401 rather than a 400 in this case. (markt)
    fix	38570: When checking docBase against appBase, make sure we check for an exact match against the appBase. (markt)
    fix	39013: When testing for an invalid docBase, use an exact match for the appBase. (markt)
    fix	39396: Only include TRACE in an OPTIONS response if we know it has been enabled. (markt)
    fix	Remove wrong "No role found" realm debug log message, even if a role was found. (rjung)
    fix	39997: Add the SSLRandomSeed option to the AprLifecycleListener to enable faster starts on development systems. (markt)
    fix	40380: Fix potential synchronization issue in StandardSession.expire(). (markt)
    fix	41407: JAAS Realm now works with CLIENT-CERT authentication. (markt)
    add	42419: Add a system property that enables the name of the session cookie and session path parameter to be configured. (markt)
    fix	42579: Support both relative and absolute search results in the JNDI Realm implementation. Patch provided by Brandon DuRette. (markt)
    fix	42707: Make adding a host alias via JMX take effect immediately. (markt)
    fix	43343: Correctly handle requesting a session we are in the middle of persisting. Based on a suggestion by Wade Chandler. (markt/kkolinko)
    add	44382: Add support for using httpOnly for session cookies. This is disabled by default. (markt/fhanik)
    fix	45576: JAAS Realm now works with DIGEST authentication. (markt)
    fix	45628: JARs that do not declare any dependencies should always be considered as fulfilled. (markt)
    fix	45933: Don't use a web application provided parser to process TLD files. (markt)
    fix	45996: Add Accept-Ranges header to responses from the DefaultServlet with an option to disable it. (markt)
    fix	46105: Correctly set URI encoding when replaying a request after FORM authentication. (markt)
    fix	46408: Correct possible invalid case in SecurityUtil. (markt)
    fix	46552: Return a 400 response rather than a 200 response if the request headers are too large. (markt)
    fix	46597: Port all cookie handling changes from Tomcat 6.0.x. (markt)
    fix	46606: Make max depth limit for WebDAV servlet configurable. (markt)
    fix	46717: Fix hard to reproduce thread safety issue with session expiration. (markt)
    fix	46982: Fix DST problem with AccessLogValve. (markt)
    fix	Improve handling of situation where web application tries to configure logging at the context level but the security policy prevents this. (markt/rjung)
    fix	Fix an information disclosure vulnerability in a number of the Realms that allowed user enumeration when using FORM authentication. This is CVE-2009-0580. (markt)
    fix	Fix various WebDAV compliance issues identified by the Litmus test suite. (markt)
    fix	Use a better default (webapps) for a Host's appBase. (idarwin/markt)
    fix	44943: Reduce copy/paste issues caused by different engine names in server.xml. (markt, kkolinko)
    fix	Remove obsolete classpath entry for commons-logging from start script. It is already present in the classpath set by the manifest in bootstrap.jar. (rjung)
    fix	38483: Thread safety issues in AccessLogValve classes. (kkolinko)
    add	Allow log file encoding to be configured for JULI FileHandler. (kkolinko)

Jasper

    fix	36923: Parse deactivated EL expressions correctly. (markt)
    fix	37084: Fix JspC compilation with Ant when compiling JSPs that use a custom taglib. (markt/kkolinko)
    fix	37515: Add options for Java 1.6 and 1.7 to the JDT compiler. (markt)
    fix	38197: Fix tag pooling when tags are used with jsp:attribute. (markt)
    fix	38352: Make the directory defined by javax.servlet.context.tempdir readable for JSPs when running under a security manager as required by the specification. (markt)
    fix	38797: Revert previous fix for 37933 and implement a new fix that does not have the side effects described in 38797.
    fix	38897: Add uri of broken TLD to error message to aid debugging. (markt)
    fix	41606: Fix double initialisation of JSPs. Patch provided by Chris Halstead. (markt)
    fix	45666: Fix infinite loop on include. Patch provided by Tom Wadzinski. (markt)
    fix	46354: Fix ArrayIndexOutOfBoundsException when using org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true. Patch provided by Konstantin Kolinko. (markt)
    fix	46909: Only include semi-colon in type attribute for <jsp:plugin> when it is required. (markt)

Cluster

    fix	Fix minor memory leak found by find bugs. (markt, rjung)
    fix	40551: Enable the JvmRouteBinderValve to work with PersistentManagers as well as clustering. Patch by Chris Chandler. (markt)
    fix	46357: Corrected test for host's parent must be an engine. (markt, rjung)
    update	45317: Properly log the value of the state transfer timeout flag. (fhanik, rjung)
    fix	45279: Properly close multicast socket. (fhanik, rjung)
    fix	45447: Add Spanish resource files. Patch provided by Jesus Marin. (markt, rjung)
    fix	46990: Fix synchronization issues in cluster membership reported by FindBugs. Patch provided by Sebb. (markt, rjung)
    fix	47389: DeltaManager doesn't do session replication if notifySessionListenersOnReplication=false. Patch by Keiichi Fujino. (fhanik, rjung)
    fix	Separate statistics counter lock in FastAsyncSocketSender from inherited DataSender lock to reduce blocking during failed node detection. (rjung)
    fix	Handle the situation of session ID rewriting on fail-over with parallel requests from the same client. (pero)
    fix	43641: Use of bind attribute for membership element breaks multicast. (rjung)

Webapps

    fix	Fix CVE-2009-0781. XSS in calendar example. (markt)
    fix	36574: Fix broken PDFs. (markt)
    fix	39603: Admin app only showed ROOT web application when clustering was enabled. (markt)
    fix	47032: Fix /status/all in Manager webapp when using the PersistentManager. (markt)
    fix	47235: Remove use of autoReconnect from MySQL examples. (mark)
    fix	46509: Use correct link on error page in JSP security example. Patch provided by Michael Moody. (markt)
    fix	46562: Close file when reading has finished when using SSI. (markt)

Coyote

    fix	37869: Correctly extract client certificates, including the full certificate chain when using the APR/native HTTP connector. (markt)
    fix	39637: Correctly extract client certificates, including the full certificate chain when using the AJP connectors. Patch by Patrik Schnellmann. (markt)
    update	Set remote port for AJP connectors from the optional request attribute AJP_REMOTE_PORT. (rjung)
    fix	45026: Never return an empty HTTP status reason phrase. mod_jk and httpd 2.x do not like that. (rjung)
    fix	45528: An invalid SSL configuration could cause an infinite logging loop on startup. (markt)
    fix	46984: Reject requests with invalid HTTP methods with a 400 rather than a 501. (markt)
    update	Update the APR/native connector to 1.1.16. (markt, kkolinko)
    fix	Correct potential DOS issue in Java AJP connector when processing invalid request headers. This is CVE-2009-0033. (markt)
    fix	Make DateTool thread safe. (fhanik)

   2009-06-15 00:00:42 by Joerg Sonnenberger | Files touched by this commit (316)
Log message:
Convert @exec/@unexec to @pkgdir or drop it.

   2008-09-10 11:53:31 by David Brownlee | Files touched by this commit (3) | Package updated
Log message:
Updated www/apache-tomcat55 to 5.5.27

Tomcat 5.5.27 (fhanik)

    General

        44463: War file upload in manager webapp fails due to missing commons-io dependency. Added commons-io 1.4. (rjung)

    Catalina

        44021, 43013: Add support for # to signify multi-level contexts for directories and wars.
        44494: Backport from 6.0 (rjung)
        Add additional checks for URI normalization. (remm)
        Don't throw an ArrayIndexOutOfBoundsException when empty URL is requested. Patch provided by Charles R Caldarale. (markt)
        29936: Don't use parser from a webapp to parse web.xml and possibly context.xml files. (markt)
        43079: Correct pattern verification for suspicious URLs. Patch provided by John Kew. (markt)
        43080: Log suspicious URL pattern warnings to the correct web application. (markt)
        43117: Setting an empty workDIR could delete all of CATALINA_HOME. Patch provided by Takayuki Kaneko. (markt)
        44282: Prevent security exception in trace level logging for web application class loader when running under a security manager. (markt)
        44529: No roles specified (deny all) should take precedence over no auth-constraint specified (allow-all). (markt)
        43578: Enable start on Linux if $CATALINA_HOME contains a space. Original patch provided by Ray Sauers with improvements by Ian Ward Comfort. (markt)
        44673: Throw IOE if ServletInputStream is closed and a call is made to any read(), ready(), mark(), reset(), or skip() method as per javadocs for Reader. (markt)
        Enable the CGIServlet to work with Windows Vista. (markt)
        Add additional permission required to read JDK logging configuration when running with a security manager. (markt)
        44943: Reduce copy/paste issues caused by different engine names in server.xml. (markt)
        45195: Prevent NPE when calling Session.getAttribute(null) and Session.removeAttribute(null). The spec is unclear but this is a regression from 5.0.x. (markt)
        45293: Update name of commons-logging jar in security policy. (markt)
        45453: Fix race condition in JDBC Realm. Based on a patch provided by Santtu Hyrkk. (markt)
        JAAS Realm did not read role information for users. (markt)

    Connectors

        Log errors for AJP signoffs at DEBUG level, since it is harmless if mod_jk has hung up the phone. (billbarker)
        42727: Handle request lines that are exact multiples of 4096 in length. Patch provided by Will Pugh. (markt)
        43191: Compression could not be disabled for some file types. Based on a patch by Len Popp. (markt)
        45591: Fix NPE on shutdown failure in some cases. Based on a patch by Matt Passell. (markt)

    Jasper

        31257: Quote endorsed dirs if they contain a space. (markt)
        42943: Make sure nested element is inside <jsp:text> element before throwing exception. (markt)
        44877: Prevent collisions in tag pool names. (markt)
        45015: Enforce JSP spec rules on quoting in attributes. This is configurable using the system property org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING. (markt)

    Webapps

        42899: When saving config from admin app, correctly handle case where the old config file does not exist. (markt)
        44541: Document packetSize attribute for AJP connector. (markt)
        44715: Document use of secret for AJP connector. (markt)
        45323: Add note that context.xml files can only contain a single Context element. (markt)
        Update JNDI datasource docs since maxActive setting for unlimited changed in commons-pool > 1.2. (markt)

    Specification

        Use a localised error message if a user tries to write a negative length byte array during default processing of a HEAD request. (markt)
        44562: HEAD requests cannot use includes. Patch provided by David Jencks. (markt)