2019-10-02 09:46:52 by Zafer Aydogan | Files touched by this commit (3) | |
Log message:
Update to 8.5.46
Changelog:
Tomcat 8.5.46 (markt)
Catalina
Fix: 63684: Wrapper never passed to RealmBase.hasRole() for given security \
constraints. (michaelo)
Fix: Avoid a potential NullPointerException on Service stop if a Service is \
embedded directly (i.e. with no Server) in an application and JNDI is enabled. \
Patch provided by S. Ali Tokmen. (markt)
Add: Add a new PropertySource implementation, EnvironmentPropertySource, that \
can be used to do property replacement in configuration files with environment \
variables. Based on a pull request provided by Thomas Meyer. (markt)
Coyote
Fix: 63682: Fix a potential hang when using the asynchronous Servlet API to \
write the response body and the stream and/or connection window reaches 0 bytes \
in size. (markt)
Fix: 63690: Use the average of the current and previous sizes when calculating \
overhead for HTTP/2 DATA and WINDOW_UPDATE frames to avoid false positives as a \
result of client side buffering behaviour that causes a small percentage of \
non-final DATA frames to be smaller than expected. (markt)
Fix: 63706: Avoid NPE accessing https port with plaintext. (remm)
Fix: Correct typos in the names of the configuration attributes \
overheadDataThreshold and overheadWindowUpdateThreshold. (markt)
Fix: If the HTTP/2 connection requires an initial window size larger than the \
default, send a WINDOW_UPDATE to increase the flow control window for the \
connection so that the initial size of the flow control window for the \
connection is consistent with the increased value. (markt)
Fix: 63710: When using HTTP/2, ensure that a content-length header is not set \
for those responses with status codes that do not permit one. (markt)
Fix: 63737: Correct various issues when parsing the accept-encoding header to \
determine if gzip encoding is supported including only parsing the first header \
found. (markt)
Web applications
Fix: Correct the source code links on the index page for the ROOT web \
application to point to Git rather than Subversion. (markt)
Fix: Fix various issues with the Javadoc generated for the documentation web \
application to enable release builds to be built with Java 10 onwards. (markt)
Fix: Fix a large number of Javadoc and documentation typos. Patch provided by \
KangZhiDong. (markt)
Fix: Spelling and formatting corrections for the cluster how-to. Pull request \
provided by Bill Mitchell. (markt)
Other
Fix: Back-port various corrections and improvements to the English versions of \
the i18n messages. (markt)
Add: Include the available German translations in the standard Tomcat \
distribution. Back-port additions and updates to the German i18n messages. \
(markt)
Fix: Back-port various corrections and improvements to the Spanish i18n \
messages. (markt)
Fix: Back-port various corrections and improvements to the French i18n \
messages. (markt)
Fix: Back-port various corrections and improvements to the Japanese i18n \
messages. (markt)
Fix: Back-port various corrections and improvements to the Russian i18n \
messages. (markt)
Add: Add Korean translations to the standard Tomcat distribution. (markt)
Add: Add Simplified Chinese translations to the standard Tomcat distribution. (markt)
Fix: 62140: Additional usage documentation in comments for catalina.[bat|sh]. \
(markt)
Fix: Fix JSSE_OPTS quoting in catalina.bat. Contributed by Peter Uhnak. \
(fschumacher)
Update: 63625: Update to Commons Daemon 1.2.1. This corrects several \
regressions in Commons Daemon 1.2.1, most notably the Windows Service crashing \
on start when using 32-bit JVMs. (markt)
Fix: 63689: Correct a regression in the fix for 63285 that meant that when \
installing a service, the service display name was not set. (markt)
Fix: When performing a silent install with the Windows Installer, ensure that \
the registry entries are added to the 64-bit registry when using a 64-bit JVM. \
(markt)
Fix: Remove unused i18n messages and associated translations. Patch provided by \
KangZhiDong. (markt)
2019-08-21 Tomcat 8.5.45 (markt)
Coyote
Code: Remove the code in the sendfile poller that ensured smaller pollsets were \
used with older, no longer supported versions of Windows that could not support \
larger pollsets. (markt)
not released Tomcat 8.5.44 (markt)
Catalina
Add: 62258: Don't trigger the standard error page mechanism when the error has \
caused the connection to the client to be closed as no-one will ever see the \
error page. (markt)
Update: 63627: Implement more fine-grained handling in \
RealmBase.authenticate(GSSContext, boolean). (michaelo)
Add: 62496: Add option to write auth information (remote user/auth type) to \
response headers. (michaelo)
Add: 51497: Add an option, ipv6Canonical, to the AccessLogValve that causes \
IPv6 addresses to be output in canonical form defined by RFC 5952. \
(ognjen/markt)
Add: 57665: Add support for the X-Forwarded-Host header to the RemoteIpFilter \
and RemoteIpValve. (markt)
Fix: 63550: Only try the alternateURL in the JNDIRealm if one has been \
specified. (markt)
Add: 63556: Mark request as forwarded in RemoteIpValve and RemoteIpFilter (michaelo)
Fix: If an unhandled exception occurs on an asynchronous thread started via \
AsyncContext.start(Runnable), process it using the standard error page \
mechanism. (markt)
Fix: Discard large byte buffers allocated using setBufferSize when recycling \
the request. (remm)
Fix: 63579: Correct parsing of malformed OPTIONS requests and reject them with \
a 400onse rather than triggering an internal error that results in a 500 \
response. (markt)
Fix: Correct version information in X-Powered-By header. (markt)
Fix: 63608: Align the implementation of the negative match feature for patterns \
used with the RewriteVx: Avoid a NullPointerException in the \
CrawlerSessionManagerValve if no ROOT Context is deployed and a request does not \
map to any of the other deployed Contexts. Patch provided by Jop Zinkweg. \
(markt)
Fix: 63636: Context.findRoleMapping() never called 3524: Improve the handling \
of PEM file based keys and certificates that do not include a full certificate \
chain when configuring the internal, in-memory key store. Improve the handling \
of PKCS#1 formatted private keys when configuring the internal, in-memying to \
set tcpNoDelay on socket types that do not support it, which can occur when \
using the NIO inherited channel capability. Submitted by František Kučera. \
(remm)
Fix: Correct parsing of invalid host names that contain bytes in the range 128 \
to 255 or that results in a 500 response. (markt)
Fix: 63571: Allow users to configure infinite TLS session caches and/or \
timeouts. (markt)
Fix: 63578: Improve handling of invalid requests so that 400 responses are \
returned to the client rather than 500 respon an error if a Huffman encoded \
string literal contains the EOS symbol. (jfclere)
Add: Connections that fail the TLS handshake will now appear in the access logs \
with a 400 status code. (markt)
Fix: Timeouts for HTTP/2 connections were not always correctnger than expected. \
(markt)
Add: Expand the HTTP/2 excessive overhead protection to cover various forms of \
abusive client behaviour and close the connection if any such behaviour is \
detected. (markt)
Fix: Fix a crash on shutdown with the APR/native connress when the connector \
stopped. (markt)
Web applications
Fix: 63597: Update the custom 404 error page for the Host Manager to take \
account of previous refactoring so that the page is used for 404 errors rather \
than falling back to the default error pagebat so that when installing a Windows \
service, by default, it changes the name of the executables used by the Windows \
service to match the service name. This makes the installation behaviour \
consistent with the Windows installer. The original executable nhe renaming can \
be disabled by using the new --no-rename option after the service name. (markt)
Update: Switch from Checkstyle to the JRE6 backport and update to version 8.22. \
This allows Tomcat 8.5 to use the newer Checkstyle releases while still buildi \
digital signature for the Windows installer now uses SHA-256 for hashes. (markt)
Update: 63310: Update to Commons Daemon 1.2.0. This provides improved support \
for Java 11. This also changes the user configured by the Windows installer for \
the Windows seer privileged Local Service. (markt)
Fix: 55969: Tighten up the security of the Apache Tomcat installation created \
by the Windows installer. Change the default shutdown port used by the Windows \
installer from 8005 to -1 (disabled). Limit access to the cho local \
administrators, Local System and Local Service. (markt)
Add: 63285: Add an option to service.bat so that when installing a Windows \
service, the name of the executables used by the Windows service may be changed \
to match the service name. This maksistent with the Windows installer. The \
original executable names will be restored when the Windows service is removed. \
The renaming can be enabled by using the new --rename option after the service \
name. (markt)
Fix: 63567: Restore the passing of $LOGGIsh when calling stop. (markt)
Update: Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to \
pick up the fix for CODEC-134. (markt)
Update: Update the internal fork of Commons Pool2 to 796e32d (2018-08-01) to \
pick up the changes Commons Poe the internal fork of Commons DBCP2 to 87d9e3a \
(2018-08-01) to pick up the changes Commons DBCP2 2.7.0 and DBCP-555. (markt)
Update: 63648: Update the test TLS keys and certificates used in the test suite \
to replace the keys and certificates that are about to expire. (markt)
|
2019-07-15 16:28:24 by Ryo ONODERA | Files touched by this commit (3) | |
Log message:
Update to 8.5.43
Changelog:
Tomcat 8.5.43 (markt)
Catalina
Update: Modify the Default and WebDAV Servlets so that a 405 status code is \
returned for PUT and DELETE requests when disabled via the readonly \
initialisation parameter.
Fix: Align the contents of the Allow header with the response code for the \
Default and WebDAV Servlets. For any given resource a method that returns a 405 \
status code will not be listed in the Allow header and a method listed in the \
Allow header will not return a 405 status code. (markt)
Fix: When using WebDAV to copy a file resource to a destination that \
requires a collection to be overwritten, ensure that the operation succeeds \
rather than fails (with a 500 response). This enables Tomcat to pass two \
additional tests from the Litmus WebDAV test suite. (markt)
Fix: 49464: Improve the Default Servlet's handling of static files when the \
file encoding is not compatible with the required response encoding. (markt)
Fix: Fix typo in UTF-32LE charset name. Patch by zhanhb via GitHub. (fschumacher)
Add: 58590: Add the ability for a UserDatabase to monitor the backing XML \
file for changes and reload the source file if a change in the last modified \
time is detected. This is enabled by default meaning that changes to \
$CATALINA_BASE/conf/tomcat-users.xml will now take effect a short time after the \
file is saved. (markt)
Fix: Improve parsing of Range request headers. (markt)
Fix: Range headers that specify a range unit Tomcat does not recognise \
should be ignored rather than triggering a 416 response. Based on a pull request \
by zhanhb. (markt)
Fix: When comparing a date from a If-Range header, an exact match is \
required. Based on a pull request by zhanhb. (markt)
Fix: Add an option to the default servlet to disable processing of PUT \
requests with Content-Range headers as partial PUTs. The default behaviour \
(processing as partial PUT) is unchanged. Based on a pull request by zhanhb. \
(markt)
Fix: Improve parsing of Content-Range headers. (markt)
Fix: Ensure that the HEAD response is consistent with the GET response when \
HttpServlet is relied upon to generate the HEAD response and the GET response \
uses chunking. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.23. (markt)
Coyote
Fix: Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat \
HTTPS connector configured to use NIO or NIO with OpenSSL 1.1.1 or later. \
(markt)
Fix: Once a URI is identified as invalid don't attempt to process it \
further. Based on a PR by Alex Repert. (markt)
Fix: Fix to avoid the possibility of long poll times for individual pollers \
when using multiple pollers with APR. (markt)
Fix: Refactor the fix for 63205 so it only applies when using PKCS12 \
keystores as regressions have been reported with some other keystore types. \
(markt)
Jasper
Add: Include file names in error messages if SMAP processor is unable to \
delete or rename a class file during SMAP generation. (markt)
WebSocket
Fix: 63521: As required by the WebSocket specification, if a POJO that is \
deployed as a result of the SCI scan for annotated POJOs is subsequently \
deployed via the programmatic API ignore the programmatic deployment. (markt)
Other
Code: Switch i18n message files to use UTF-8 and convert to ASCII at build \
time. (markt)
Fix: 63523: Restore SSLUtilBase methods as protected to preserve \
compatibility. (remm)
Fix: Switch the check for terminal availability to test for stdin as using \
stdout does not work when output is piped to another process. Patch provided by \
Radosław Józwik. (markt)
2019-06-07 Tomcat 8.5.42 (markt)
Catalina
Add: 57287: Add file sorting to DefaultServlet (schultz)
Fix: Ensure that the default servlet reads the entire global XSLT file if \
one is defined. Identified by Coverity Scan. (markt)
Fix: Avoid potential NullPointerException when generating an HTTP Allow \
header. Identified by Coverity Scan. (markt)
Add: Remove any fragment included in the target path used to obtain a \
RequestDispatcher. The requested target path is logged as a warning since this \
is an application error. (markt)
Coyote
Update: Add additional NIO2 style read and write methods closer to core \
NIO2, for possible use with an asynchronous workflow like CompletableFuture. \
(remm)
Fix: Avoid useless exception wrapping in async IO. (remm)
Fix: 63412: Security manager failure when using the async IO API from a \
webapp. (remm)
Fix: Fix concurrency issue that led to incorrect HTTP/2 connection timeout. \
(remm/markt)
Update: Reduce the default for maxConcurrentStreams on the Http2Protocol \
from 200 to 100 to align with typical defaults for HTTP/2 implementations. \
(markt)
Update: Reduce the default HTTP/2 header list size from 4GB to 32kB to align \
with typical HTTP/2 implementations. (markt)
Add: Add support for same-site cookie attribute. Patch provided by John \
Kelly. (markt)
Fix: Correct a bug in the stream flushing code that could lead to multiple \
threads processing the stream concurrently which in turn could cause errors \
processing the stream. (markt)
Cluster
Fix: 62841: Refactor the DeltaRequest serialization to reduce the window \
during which the DeltaSession is locked and to remove a potential cause of \
deadlocks during serialization. (markt)
Fix: 63441: Further streamline the processing of session creation messages \
in the DeltaManager to reduce the possibility of a session update message being \
processed before the session has been created. (markt)
Tribes
Fix: Treat NoRouteToHostException the same way as SocketTimeoutException \
when checking the health of group members. This avoids a SEVERE log message \
every time the check is performed when the host associated with a group member \
is not powered on. (markt)
Other
Update: Switch from FindBugs to SpotBugs. (fschumacher)and to check for \
terminal availability rather than the tty command since the tty based test fails \
on non-English locales. (markt)
2019-05-13 Tomcat 8.5.41 (markt)
Catalina
Fix: Fix a potential resource leak when executing CGI scripts from a WAR \
fileread of the APR connector. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak when running a web application from a WAR \
file. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak on some exception paths in ttified by \
Coverity scan. (markt)
Fix: Fix a potential resource leak when a JNDI lookup returns an object of \
an incompatible class. Identified by Coverity scan. (markt)
Code: Refactor ManagerServlet to avoid loading classes when filtering JNDI \
rescaching has been disabled. (markt)
Fix: Avoid a NullPointerException when a Context is defined in server.xml \
with a docBase but not the optional path. (markt)
Fix: 63324: Refactor the CrawlerSessionManagerValve so that the object \
placed in the sesials trigger account lock out when the LockOutRealm is in use. \
Patch provided by jchobantonov. (markt)
Coyote
Fix: When running on newer JREs that don't support SSLv2Hello, don't warn \
that it is not available unless explicitly configured. (markt)
Code: Refactor Hostname validation to improve performance. Patch provided by \
Uwe Hees. (markt)
Fix: Expand HTTP/2 timeout handling to include connection window exhaustion \
on write. This is the fix for CVE-2019-10072. (markt)
Other
Fix: 63335: Ensure that stack traces written by the OneLineFormatter are \
fully indented. The entire stack trace is now indented by an additional TAB \
character. (markt)
Fix: When using the OneLineFormatter, don't print a blank line in the log \
after printing a stack trace. (markt)
Update: Update the internal fork of Apache Commons DBCP 2 to dcdbc72 \
(2019-04-24) to pick up some clean-up and enhancements less the JDBC 4.2 related \
changes that require Java 8. (markt)
Update: Update the internal fork of Apache Commons Pool 2 to 0664f4d \
(2019-04-30) to pick up some enhancements and bug fixes. (markt)
Update: Update the internal fork of Apache Commons FileUpload to 41e4047 \
(2019-04-24) to pick up some enhancements. (markt)
2019-04-12 Tomcat 8.5.40 (markt)
Catalina
Fix: 63196: Provide a default (X-Forwarded-Proto) for the protocolHeader \
attribute of the RemoteIpFilter and RemoteIpValve. (markt)
Fix: 63235: Refactor Charset cache to reduce start time. (markt)
Fix: 63249: Use a consistent log level (WARN) when logging the failure to \
register or deregister a JMX Bean. (markt)
Fix: 63249: Use a consistent log level (ERROR) when logging the \
LifecycleException associated with the failure to start or stop a component. \
(markt)
Fix: When the SSI directive fsize is used with an invalid target, return a \
file size of - rather than 1k. (markt)
Fix: 63251: Implement a work-around for a known JRE bug (JDK-8194653) that \
may cause a dead-lock when Tomcat starts. (markt)
Fix: 63275: When using a RequestDispatcher ensure that \
HttpServletRequest.getContextPath() returns an encoded path in the dispatched \
request. (markt)
Fix: 63286: Document the differences in behaviour between the LogFormat \
directive in httpd and the pattern attribute in the AccessLogValve for %D and \
%T. (markt)
Fix: 63311: Add support for https URLs to the local resolver within Tomcat \
used to resolve standard XML DTDs and schemas when Tomcat is configured to \
validate XML configuration files such as web.xml. (markt)
Fix: Encode the output of the SSI printenv command. This is the fix for \
CVE-2019-0221. (markt)
Code: Use constants for SSI encoding values. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to \
true, limit the encoded form of the individual command line arguments to those \
values allowed by RFC 3875. This restriction may be relaxed by the use of the \
new initialisation parameter cmdLineArgumentsEncoded. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to \
true, limit the decoded form of the individual command line arguments to known \
safe values when running on Windows. This restriction may be relaxed by the use \
of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for \
CVE-2019-0232. (markt)
Update: Change the default for the enableCmdLineArguments parameter of the \
CGI servlet from true to false as additional hardening against CVE-2019-0232. \
(markt)
Coyote
Fix: Fix bad interaction between NIO2 async read API and the regular read. (remm)
Fix: Refactor NIO2 write pending strategy for the classic IO API. (remm)
Fix: Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
Fix: When using a JSSE TLS connector that supported ALPN (Java 9 onwards) \
and a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and \
instead dropped the connection. (markt)
Fix: Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 \
that prevented the use of PKCS#8 private keys with OpenSSL based connectors. \
(markt)
Fix: When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any \
query string present in the original HTTP/1.1 request is passed to the HTTP/2 \
request processing. (markt)
Fix: When Tomcat writes a final response without reading all of an HTTP/2 \
request, reset the stream to inform the client that the remaining request body \
is not required. (markt)
Fix: 63312: Correct a regression in the error page handling that prevented \
error pages from issuing redirects or taking other action that required the \
response status code to be changed. (markt)
Jasper
Add: Add support for specifying Java 11 (with the value 11) as the compiler \
source and/or compiler target for JSP compilation. (markt)
Add: Add support for specifying Java 12 (with the value 12) and Java 13 \
(with the value 13) as the compiler source and/or compiler target for JSP \
compilation. If used with an ECJ version that does not support these values, a \
warning will be logged and the latest supported version will be used. Based on a \
patch by Thomas Collignon. (markt)
WebSocket
Fix: Improve the handling of exceptions during TLS handshakes for the \
WebSocket client. (markt)
Web applications
Fix: 63184: Expand the SSI documentation to provide more information on the \
supported directives and their attributes. Patch provided by nightwatchcyber. \
(markt)
Add: Add a note to the documentation about the risk of DoS with poorly \
written regular expressions and the RewriteValve. Patch provided by salgattas. \
(markt)
jdbc-pool
Fix: 63320: Ensure that StatementCache caches statements that include arrays \
in arguments. (kfujino)
|
2019-03-26 21:57:51 by Ryo ONODERA | Files touched by this commit (3) |
Log message:
Update to 8.5.39
Changelog:
The APR/Native connector now supports both OpenSSL and JSSE
TLS configuration syntax (NIO and NIO2 already support this)
Various improvements to NIO2
Various fixes for HTTP/2 push requests
Refactor error handling so that errors that occur early in
request processing are handled by the application's error
handling where the application can be identified
|
2019-01-22 15:49:23 by Ryo ONODERA | Files touched by this commit (3) | |
Log message:
Update to 8.5.37
Changelog:
Tomcat 8.5.37 (markt)
Catalina
Update: Update the recommended minimum Tomcat Native version to 1.2.19. (markt)
Other
Update: Update the packaged version of the Tomcat Native Library to 1.2.19 \
to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1a. \
(markt)
not released Tomcat 8.5.36 (markt)
Catalina
Fix: 62788: Add explicit logging configuration to write log files using \
UTF-8 to align with Tomcat's use of UTF-8 by default elsewhere. (markt)
Fix: The default Servlet should not override a previously set content-type. \
(remm)
Add: 62897: Provide a property (clearReferencesThreadLocals) on the standard \
Context implementation that enables the check for memory leaks via ThreadLocals \
to be disabled because this check depends on the use of an API that has been \
deprecated in later versions of Java. (markt)
Fix: Fix more storeconfig issues with duplicated SSL attributes. (remm)
Fix: 62968: Avoid unnecessary (and relatively expensive) getResources() call \
in the Mapper when processing rule 7. (markt)
Fix: 62978: Update the RemoteIpValve to handle multiple values in the \
x-forwarded-proto header. Patch provided by Tom Groot. (markt)
Fix: Update the RemoteIpFilter to handle multiple values in the \
x-forwarded-proto header. Based on a patch provided by Tom Groot. (markt)
Code: 62986: Refactor the code that performs class scanning during web \
application start to make integration simpler for downstream users. Patch \
provided by rmannibucau. (markt)
Fix: 62988: Fix the LoadBalancerDrainingValve so it works when the session \
cookie configuration is not explicitly declared. Based on a patch provided by \
Andreas Kurth. (markt)
Fix: 63002: Fix setting rewrite qsdiscard flag. (remm)
Fix: Implement the requirements of section 8.2.2 2c of the Servlet \
specification and prevent a web application from deploying if it has fragments \
with duplicate names and is configured to use relative ordering of fragments. \
(markt)
Coyote
Fix: Avoid an exception when using Tomcat Native built with a version of \
OpenSSL that does not support TLSv1.3. (markt)
Fix: 62899: Prevent the incorrect timing out of connections when Servlet \
non-blocking I/O is used to read a request body over an HTTP/2 stream. (markt)
Fix: Avoid bad SSLHostConfig JMX registrations before init. (remm)
Jasper
Add: 53737: Extend JspC, the precompilation tool, to include support for \
resource JARs. (markt)
Fix: 62976: Avoid an IllegalStateException when using background compilation \
when tag files are packaged in JAR files. (markt)
Web applications
Fix: 62918: Filter out subtype mbeans to avoid breaking the connector status \
page. (remm)
Other
Fix: Prevent an error when running in a Cygwin shell and the \
JAVA_ENDORSED_DIRS system property is empty. Patch provided by Zemian Deng. \
(markt)
Add: 53930: Add support for the CATALINA_OUT_CMD environment variable that \
defines a command to which captured stdout and stderr will be redirected. Patch \
provided by Casey Lucas. (markt)
2018-11-07 Tomcat 8.5.35 (markt)
Catalina
Add: 61692: Add the ability to control which HTTP methods are handled by the \
CGI Servlet via a new initialization parameter cgiMethods. (markt)
Fix: 62687: Expose content length information for resources when using a \
compressed war. (remm)
Fix: 62737: Fix rewrite substitutions parsing of {} nesting. (remm)
Fix: Add rewrite flags output when getting the rewrite configuration back. (remm)
Fix: Add missing qsdiscard flag to the rewrite flags as a cleaner way to \
discard the query string. (remm)
Fix: Add documentation about the files context.xml.default and \
web.xml.default that can be used to customize conf/context.xml and conf/web.xml \
on a per host basis. (fschumacher)
Fix: Ensure that a canonical path is always used for the docBase of a \
Context to ensure consistent behaviour. (markt)
Fix: 62803: Fix SSL connector configuration processing in storeconfig. (remm)
Fix: 62797: Pass throwable to keep client aborts with status 200 rather than \
500. Patch submitted by zikfat. (remm)
Fix: 62809: Correct a regression in the implementation of DIGEST \
authentication support for the Deployer Ant tasks (bug 45832) that prevented the \
DeployTask from working when authentication was required. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.18. (markt)
Add: Ignore an attribute named source on Context elements provided by \
StandardContext. This is to suppress warnings generated by the Eclipse / Tomcat \
integration provided by Eclipse. Based on a patch by mdfst13. (markt)
Add: 62830: Added JniLifeCycleListener and static methods \
Library.loadLibrary(libraryName) and Library.load(filename) to load a native \
library by a shared class loader so that more than one Webapp can use it. \
(isapir)
Fix: Correct a typo in the Spanish resource files. Patch provided by Diego \
Agulló. (markt)
Fix: 62868: Order the Enumeration<URL> provided by \
WebappClassLoaderBase.getResources(String) according to the setting of the \
delegate flag. (markt)
Coyote
Add: Add TLSv1.3 to the default protocols and to the all alias for JSSE \
based TLS connectors when running on a JVM that supports TLS version 1.3. One \
such JVM is OpenJDK version 11. (rjung)
Fix: 62685: Correct an error in host name validation parsing that did not \
allow a fully qualified domain name to terminate with a period. Patch provided \
by AG. (markt)
Fix: 62739: Do not reject requests with an empty HTTP Host header. Such \
requests are unusual but not invalid. Patch provided by MichaeNIO2 connector \
when using the OpenSSL backed JSSE implementation. (schultz/markt)
Fix: 62791: Remove an unnecessary check in the NIO TLS implementation that \
prevented secure WebSocket connections from being established. (markt)
Fix: Fix servesed by the fix for 53492, that caused the JSP compiler to \
hang. (markt)
Fix: 62721: Correct generation of web.xml header when using JspC. (markt)
Fix: 62757: Correct a regression in the fix for 62603 that caused \
NullPointerExceptions when compiling tag files on first access when development \
mode was disabled and background compilation was enabled. Based on a patch by \
Jordi Llach. (markt)
WebSocket
Fix: 62731: Make the URI returned by HandshakeRequest.getRequestURI() and \
Session.getRequestURI() absolute so that the scheme, host and port are \
accessible. (markt)
Web applications
Fix: 62676: Expand the CORS filter documentation to make it clear that \
explicit configuration is required to enable support for cross-origin requests. \
(markt)
Fix: 62712: Correct NPE in Manager application when attempting to view \
configured certificates for an APR/native TLS connector. (markt)
Fix: 62761: Correct the advanced CORS example in the Filter documentation to \
use a valid configuration. (markt)
Fix: 62786: Add a note to the Context documentation to explain that, by \
default, settings for a Context element defined in server.xml will be \
overwritten by settings specified in a default context file such as \
conf/context.xml. (markt)
Fix: Create a little visual separation between the Undeploy button and the \
other buttons in the Manager application. Patch provided by Łukasz Jąder. \
(markt)
Other
Update: Update the internal fork of Apache Commons Pool 2 to d4e0e88 \
(2018-09-12) to pick up some bug fixes and enhancements. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.18 \
to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1. \
(markt)
2018-09-10 Tomcat 8.5.34 (markt)
Catalina
Add: Make the isLocked() method of the LockOutRealm public and expose the \
method via JMX. (markt)
Fix: Improve the handling of path parameters when working with \
RequestDispatcher objects. (markt)
Fix: 62664: Process requests with content type multipart/form-data to \
servlets with a @MultipartConfig annotation regardless of HTTP method. (markt)
Fix: 62667: Add recursion to rewrite substitution parsing. (remm)
Fix: 62669: When using the SSIFilter and a resource does not specify a \
content type, do not force the content type to application/x-octet-stream. \
(markt)
Fix: 62670: Adjust the memory leak protection for the DriverManager so that \
JDBC drivers located in $CATALINA_HOME/lib and $CATALINA_BASE/lib are loaded via \
the service loader mechanism when the protection is enabled. (markt)
Fix: When generating a redirect to a directory in the Default Servlet, avoid \
generating a protocol relative redirect. (markt)
Coyote
Fix: Fix potential deadlocks when using asynchronous Servlet processing with \
HTTP/2 connectors. (markt)
Fix: 62620: Fix corruption of response bodies when writing large bodies \
using asynchronous processing over HTTP/2. (markt)
Fix: 62628: Additional fixes for output corruption of response bodies when \
writing large bodies using asynchronous processing over HTTP/2. (markt)
Jasper
Fix: Correct the JSP version in the X-PoweredBy HTTP header generated when \
the xpoweredBy option is enabled. (markt)
Fix: 62662: Fix the corruption of web.xml output during JSP compilation \
caused by the fix for 53492. Patch provided by Bernhard Frauendienst. (markt)
Web applications
Add: Expand the information in the documentation web application regarding \
the use of CATALINA_HOME and CATALINA_BASE. Patch provided by Marek Czernek. \
(markt)
Fix: 62652: Make it clearer that the version of DBCP that is packaged in \
Tomcat 8.5.x is DBCP 2. Correct the names of some DBCP 2 configuration \
attributes that changed between 1.x and 2.x. (markt)
Add: 62666: Expand internationalisation support in the Manager application \
to include the server status page and provide Russian translations in addition \
to English. Patch provided by Artem Chebykin. (markt)
Other
Fix: Switch the build script to use http for downloads from an ASF mirror \
using the closer.lua script to avoid failures due to HTTPS to HTTP redirects. \
(rjung)
2018-08-17 Tomcat 8.5.33 (markt)
Catalina
Fix: Ensure that the HTTP Vary header is set correctly when using the CORS \
filter and improve the cacheability of requests that pass through the CORS \
filter. (markt)
Fix: 62527: Revert restriction of JNDI to the java: namespace. (remm)
Add: Introduce a new class - MultiThrowable - to report exceptions when \
multiple actions are taken where each action may throw an exception but all \
actions are taken before any errors are reported. Use this new class when \
reporting multiple container (e.g. web application) failures during start. \
(markt)
Fix: Correctly decode URL paths (+ should not be decoded to a space in the \
path) in the RequestDispatcher and the web application class loader. (markt)
Add: Make logout more robust if JASPIC subject is unexpectedly unavailable. \
(markt)
Fix: 62547: JASPIC cleanSubject() was not called on logout when the \
authenticator was configured to cache the authenticated Principal. Patch \
provided by Guillermo González de Agüero. (markt)
Add: 62559: Add jaxb-*.jar to the list of JARs ignored by \
StandardJarScanner. (markt)
Add: 62560: Add oraclepki.jar to the list of JARs ignored by \
StandardJarScanner. (markt)
Add: 62607: Return a non-zero exit code from catalina.[bat|sh] run if Tomcat \
fails to start. (markt)
Code: Remove ServletException from declaration of \
Tomcat.addWebapp(String,String) since it is never thrown. Patch provided by \
Tzafrir. (markt)
Fix: Use short circuit logic to prevent potential NPE in CorsFilter. \
(fschumacher)
Code: Simplify construction of appName from container name in JAASRealm. \
(fschumacher)
Coyote
Update: 60560: Add support for using an inherited channel to the NIO \
connector. Based on a patch submitted by Thomas Meyer with testing and \
suggestions by Coty Sutherland. (remm)
Fix: 62507: Ensure that JSSE based TLS connectors work correctly with a DKS \
keystore. Note: DKS keystores require Java 8 or later. (markt)
Fix: Refactor code that adds an additional header name to the Vary HTTP \
response header to use a common utility method that addresses several additional \
edge cases. (markt)
Fix: 62515: When a connector is configured (via setting bindOnInit to false) \
to bind/unbind the server socket during start/stop, close the socket earlier in \
the stop process so new connections do not sit in the TCP backlog during the \
shutdown process only to be dropped as stop completes. In this scenario new \
connections will now be refused immediately. (markt)
Fix: 62526: Correctly handle PKCS12 format key stores when the key store \
password is configured to be the empty string. (markt)
Fix: Fix error in back-port of HTTP/2 compression that meant compression was \
never enabled. (markt)
Fix: 62605: Ensure ReadListener.onDataAvailable() is called when the initial \
request body data arrives after the request headers when using asynchronous \
processing over HTTP/2. (markt)
Fix: 62614: Ensure that WriteListener.onWritePossible() is called after \
isReady() returns false and the window size is subsequently incremented when \
using asynchronous processing over HTTP/2. (markt)
Jasper
Fix: 53011: When pre-compiling with JspC, report all compilation errors \
rather than stopping after the first error. A new option -failFast can be used \
to restore the previous behaviour of stopping after the first error. Based on a \
patch provided by Marc Pompl. (markt)
Add: 53492: Make the Java file generation process multi-threaded. By \
default, one thread will be used per core. Based on a patch by Dan Fabulich. \
(markt)
Add: 62453: Add a performance optimisation for using expressions in tags \
that depend on uninitialised tag attributes with implied scope. Generally, using \
an explicit scope with tag attributes in EL is the best way to avoid various \
potential performance issues. (markt)
Fix: Correctly decode URL paths (+ should not be decoded to a space in the \
path) in the Jasper class loader. (markt)
Fix: 62603: Fix a potential race condition when development mode is disabled \
and background compilation checks are enabled. It was possible that some updates \
would not take effect and/or ClassNotFoundExceptions would occur. (markt)
WebSocket
Fix: 62596: Remove the limit on the size of the initial HTTP upgrade request \
used to establish the web socket connection. (markt)
Web applications
Add: 61565: Add the ability to trigger a reloading of TLS host configuration \
(certificate and key files, server.xml is not re-parsed) via the Manager web \
application. (markt)
Add: 62558: Add Russian translations for the Manager and Host Manager web \
applications. Based on a patch by Ivan Krasnov. (markt)
Add: 62561: Add advanced class loader configuration information regarding \
the use of the Server and Shared class loaders to the documentation web \
application. (markt)
Tribes
Fix: Ensures that the specified rxBufSize is correctly set to receiver \
buffer size. (kfujino)
Other
Update: Support building with Java 9+ while preserving the Java 7 \
compatibility at runtime (requires Ant 1.9.8 or later). (ebourg)
Update: Update WSDL4J library to version 1.6.3 (from 1.6.2). (kkolinko)
Update: Update JUnit library to version 4.12 (from 4.11). (kkolinko)
Update: Downgrade CGLib library used for testing with EasyMock to version \
2.2.2 (from 2.2.3) as version 2.2.3 is not available from Maven Central. \
(markt/kkolinko)
Add: Implement checksum checks when downloading dependencies that are used \
to build Tomcat. (kkolinko)
Fix: Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg)
Update: Update the internal fork of Apache Commons Pool 2 to 3e02523 \
(2018-08-09) to pick up some bug fixes and enhancements. (markt)
Update: Update the internal fork of Apache Commons DBCP 2 to abc0484 \
(2018-08-09) to pick up some bug fixes and enhancements. (markt)
Fix: Correct various spelling errors throughout the source code and \
documentation. Patch provided by Kazuhiro Sera. (markt)
|
2018-07-25 23:29:25 by Zafer Aydogan | Files touched by this commit (2) |
Log message:
Update to 8.5.32
Changelog:
Tomcat 8.5.32 (markt)
Catalina
Fix: Treat the <mapped-name> element of a <env-entry> in web.xml \
in the same way as the mappedName element of the equivalent @Resource \
annotation. Both now attempt to set the mappedName property of the resource. \
(markt)
Fix: Correct the processing of resources with <injection-target>s \
defined in web.xml. First look for a match using JavaBean property names and \
then, only if a match is not found, look for a match using fields. (markt)
Fix: When restoring a saved request with a request body after FORM \
authentication, ensure that calls to the HttpServletRequest methods \
getRequestURI(), getQueryString() and getProtocol() are not corrupted by the \
processing of the saved request body. (markt)
Fix: JNDI resources that are defined with injection targets but no value are \
now treated as if the resource is not defined. (markt)
Fix: Ensure that JNDI names used for <lookup-name> entries in web.xml \
and for lookup elements of @Resource annotations specify a name with an explicit \
java: namespace. (markt)
Code: Refactor the org.apache.naming package to reduce duplicate code. \
Duplicate code identified by the Simian tool. (markt)
Fix: 50019: Add support for <lookup-name>. Based on a patch by Gurkan \
Erdogdu. (markt)
Add: 51953: Add the RemoteCIDRFilter and RemoteCIDRValve that can be used to \
allow/deny requests based on IPv4 and/or IPv6 client address where the IP ranges \
are defined using CIDR notation. Based on a patch by Francis Galiegue. (markt)
Fix: 62343: Make CORS filter defaults more secure. This is the fix for \
CVE-2018-8014. (markt)
Fix: Ensure that the web application resources implementation does not \
incorrectly cache results for resources that are only visible as class loader \
resources. (markt)
Fix: Make all loggers associated with Tomcat provided Filters non-static to \
ensure that log messages are not lost when a web application is reloaded. \
(markt)
Fix: Correct the manifest for the annotations-api.jar. The JAR implements the \
Common Annotations API 1.2 and the manifest should reflect that. (markt)
Fix: Switch to non-static loggers where there is a possibility of a logger \
becoming associated with a web application class loader causing log messages to \
be lost if the web application is stopped. (markt)
Add: 62389: Add the IPv6 loopback address to the default internalProxies \
regular expression. Patch by Craig Andrews. (markt)
Fix: In the RemoteIpValve and RemoteIpFilter, correctly handle the case when \
the request passes through one or more trustedProxies but no internalProxies. \
Based on a patch by zhanhb. (markt)
Fix: Correct the logic in MBeanFactory.removeConnector() to ensure that the \
correct Connector is removed when there are multiple Connectors using different \
addresses but the same port. (markt)
Fix: Make JAASRealm mis-configuration more obvious by requiring the \
authenticated Subject to include at least one Principal of a type specified by \
userClassNames. (markt)
Fix: 62476: Use GMT timezone for the value of Expires header as required by \
HTTP specification (RFC 7231, 7234). (kkolinko)
|
2018-03-23 14:19:13 by Ryo ONODERA | Files touched by this commit (3) |
Log message:
Update to 8.5.29
Changelog:
Tomcat 8.5.29 (markt)
Catalina
Fix: Minor optimization when calling class transformers. (rjung)
Fix: Prevent Tomcat from applying gzip compression to content that is \
already compressed with brotli compression. Based on a patch provided by burka. \
(markt)
Fix: 62090: Null container names are not allowed. (remm)
Fix: 62104: Fix programmatic login regression as the NonLoginAuthenticator \
has to be set for it to work (if no login method is specified). (remm)
Fix: 62117: Improve error message in catalina.sh when calling kill -0 \
<pid> fails. Based on a suggestion from Mark Morschhaeuser. (markt)
Fix: 62118: Correctly create a JNDI ServiceRef using the specified interface \
rather than the concrete type. Based on a suggestion by Ángel Álvarez Páscua. \
(markt)
Fix: Fix for RequestDumperFilter log attribute. Patch provided by Kirill \
Romanov via GitHub. (violetagg)
Fix: 62123: Avoid ConcurrentModificationException when attempting to clean \
up application triggered RMI memory leaks on web application stop. (markt)
Fix: Correct a regression in the fix for 60276 that meant that compression \
was applied to all MIME types. Patch provided by Stefan Knoblich. (markt)
Coyote
Fix: Add minor HPACK fixes, based on fixes by Stuart Douglas. (remm)
Fix: 61751: Follow up fix so that OpenSSL engine returns underflow when \
unwrapping if no bytes were produced and the input is empty. (remm)
Fix: Minor OpenSSL engine cleanups. (remm)
Fix: NIO SSL handshake should throw an exception on overflow status, like \
NIO2 SSL. (remm)
Web applications
Add: 48672: Add documentation for the Host Manager web application. Patch \
provided by Marek Czernek. (markt)
Add: Work-around a known, non-specification compliant behaviour in some \
versions of IE that can allow XSS when the Manager application generates a plain \
text response. Based on a suggestion from Muthukumar Marikani. (markt)
Other
Update the build script so MD5 hashes are no longer generated for releases \
as per the change in the ASF distribution policy. (markt)
2018-02-11 Tomcat 8.5.28 (markt)
Catalina
Fix: Prevent a stack trace being written to standard out when running on \
Java 10 due to changes in the LogManager implementation. (markt)
Fix: 62000: When a JNDI reference cannot be resolved, ensure that the root \
cause exception is reported rather than swallowed. (markt)
Fix: 62036: When caching an authenticated user Principal in the session when \
the web application is configured with the NonLoginAuthenticator, cache the \
internal Principal object rather than the user facing Principal object as Tomcat \
requires the internal object to correctly process later authorization checks. \
(markt)
Fix: Avoid duplicate load attempts if one has been made already. (remm)
Fix: Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine. (remm)
Fix: 62067: Correctly apply security constraints mapped to the context root \
using a URL pattern of "". (markt)
Fix: When using Tomcat embedded, only perform Authenticator configuration \
once during web application start. (markt)
Fix: Process all ServletSecurity annotations at web application start rather \
than at servlet load time to ensure constraints are applied consistently. \
(markt)
Coyote
Fix: 61751: Fix truncated request input streams when using NIO2 with TLS. (markt)
Fix: 62023: Log error reporting multiple SSLHostConfig elements when using \
the APR Connector instead of crashing Tomcat. (csutherl)
Fix: 62032: Fix NullPointerException when certificateFile is not defined on \
an SSLHostConfig and unify the behavior when a certificateFile is defined but \
the file does not exist for both JKS and PEM file types. (csutherl)
WebSocket
Fix: 62024: When closing a connection with an abnormal close, close the \
socket immediately rather than waiting for a close message from the client that \
may never arrive. (markt)
Webapps
Fix: 62049: Fix missing class from manager 404 JSP error page. (remm)
jdbc-pool
Add: Enhance the JMX support for jdbc-pool in order to expose \
PooledConnection and JdbcInterceptors. (kfujino)
Add: Add MBean for PooledConnection. (kfujino)
Add: 62011: Add MBean for StatementCache. (kfujino)
Add: Expose the cache size for each connection via JMX in StatementCache. \
(kfujino)
Add: Add MBean for ResetAbandonedTimer. (kfujino)
Other
Update: Update the NSIS Installer used to build the Windows installer to \
version 3.03. (kkolinko)
|
2018-02-01 00:10:39 by Zafer Aydogan | Files touched by this commit (3) |
Log message:
Update to 8.5.27
Notable changes:
- Correct a regression in the previous fix for 61916 that meant that any call \
to addHeader() would have been replaced with a call to setHeader() for all \
requests mapped to the AddDefaultCharsetFilter. (markt)
- Improve handling for ByteChunk and CharChunk instances that grow close to the \
maximum size allowed by the JRE. (markt)
Full changelog:
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html
|
2017-10-25 16:18:47 by Ryo ONODERA | Files touched by this commit (2) |
Log message:
Update to 8.5.23
Changelog:
A fix for CVE-2017-12617.
Stricter validation of the HTTP Host header.
Add ExtractingRoot, a new WebResourceRoot implementation that extracts JARs \
to the work directory for improved performance when deploying packed WAR files.
Added support for the OpenSSL SSL_CONF API. To support this the minimum \
required Tomcat Native version is 1.2.14.
|
2017-08-15 03:50:46 by Ryo ONODERA | Files touched by this commit (2) | |
Log message:
Update to 8.5.20
Changelog:
Tomcat 8.5.20 (markt)
Catalina
Fix: Revert the fix for 49464 since it continued to trigger regressions. (markt)
Fix: Correct a bug in the PushBuilder implementation that meant push URLs \
containing %nn sequences were not correctly decoded. Identified by FindBugs. \
(markt)
Add: 61164: Add support for the %X pattern in the AccessLogValve that \
reports the connection status at the end of the request. Patch provided by \
Zemian Deng. (markt)
Fix: 61351: Correctly handle %nn decoding of URL patterns in web.xml and \
similar locations that may legitimately contain characters that are not \
permitted by RFC 3986. (markt)
Add: 61366: Add a new attribute, localDataSource, to the JDBCStore that \
allows the Store to be configured to use a DataSource defined by the web \
application rather than the default of using a globally defined DataSource. \
Patch provided by Jonathan Horowitz. (markt)
Coyote
Fix: 61086: Ensure to explicitly signal an empty request body for HTTP 205 \
responses. Additional fix to r1795278. Based on a patch provided by Alexandr \
Saperov. (violetagg)
Update: 61345: Add a server listener that can be used to do system property \
replacement from the property source configured in the digester. (remm)
Add: Add additional logging to record problems that occur while waiting for \
the NIO pollers to stop during the Connector stop process. (markt)
Jasper
Fix: 61364: Ensure that files are closed after detecting encoding of JSPs so \
that files do not remain locked by the file system. (markt)
WebSocket
Add: 57767: Add support to the WebSocket client for following redirects when \
attempting to establish a WebSocket connection. Patch provided by J Fernandez. \
(markt)
2017-07-28 Tomcat 8.5.19 (markt)
Catalina
Fix: Performance improvements for service loader look-ups (and look-ups of \
other class loader resources) when the web application is deployed in a packed \
WAR file. (markt)
Fix: 61253: Add warn message when Digester.updateAttributes throws an \
exception instead of ignoring it. (csutherl)
Fix: Correct a further regression in the fix for 49464 that could cause a \
byte order mark character to appear at the start of content included by the \
DefaultServlet. (markt)
Fix: 61313: Make the read timeout configurable in the JNDIRealm and ensure \
that a read timeout will result in an attempt to fail over to the alternateURL. \
Based on patches by Peter Maloney and Felix Schumacher. (markt)
Web applications
Fix: Correct the documentation for how StandardRoot is configured. (markt)
Other
Fix: 61316: Fix corruption of UTF-16 encoded source files in released source \
distributions. (markt)
Tomcat 8.5.18 (markt)
Catalina
Fix: 61232: When log rotation is disabled only one separator will be used \
when generating the log file name. For example if the prefix is catalina. and \
the suffix is .log then the log file name will be catalina.log instead of \
catalina..log. Patch provided by Katya Stoycheva. (violetagg)
Fix: 61264: Correct a regression in the refactoring to use Charset rather \
than String to store request character encoding that prevented getReader() \
throwing an UnsupportedEncodingException if the user agent specifies an \
unsupported character encoding. (markt)
Fix: Correct a regression in the fix for 49464 that could cause an incorrect \
Content-Length header to be sent by the DefaultServlet if the encoding of a \
static is not consistent with the encoding of the response. (markt)
Coyote
Fix: Enable TLS connectors to use Java key stores that contain multiple keys \
where each key has a separate password. Based on a patch by Frank Taffelt. \
(markt)
Fix: Improve the handling of HTTP/2 stream resets due to excessive headers \
when a continuation frame is used. (markt)
Jasper
Add: 53031: Add support for the fork option when compiling JSPs with the \
Jasper Ant task and javac. (markt)
Other
Add: 52791: Add the ability to set the defaults used by the Windows \
installer from a configuration file. Patch provided by Sandra Madden. (markt)
Tomcat 8.5.17 (markt)
Catalina
Fix: 49464: Improve the Default Servlet's handling of static files when the \
file encoding is not compatible with the required response encoding. (markt)
Fix: 61214: Remove deleted attribute servlets from the Context MBean \
description. Patch provided by Alexis Hassler. (markt)
Fix: 61215: Correctly define addConnectorPort and \
invalidAuthenticationWhenDeny in the mbean-descriptors.xml file for the \
org.apache.catalina.valves package so that the attributes are accessible via \
JMX. (markt)
Fix: Make asynchronous error handling more robust. In particular ensure that \
onError() is called for any registered AsyncListeners after an I/O error on a \
non-container thread. (markt)
Fix: Additional permission for deleting files is granted to JULI as it is \
required by FileHandler when running under a Security Manager. The thread that \
cleans the log files is marked as daemon thread. (violetagg)
Fix: 61229: Correct a regression in 8.5.15 that broke WebDAV handling for \
resources with names that included a & character. (markt)
Coyote
Fix: Restore the ability to configure support for SSLv3. Enabling this \
protocol will trigger a warning in the logs since it is known to be insecure. \
(markt)
Fix: Do not log a warning when a null session is returned for an OpenSSL \
based TLS session since this is expected when session tickets are enabled. \
(markt)
Fix: When the access log valve logs a TLS related request attribute and the \
NIO2 connector is used with OpenSSL, ensure that the TLS attric SSL session \
access for the APR connector. (remm)
Add: To ease migration from 8.0.x to 8.5.x, if the HTTP or AJP BIO connector \
is explicitly configured, rather than failing to start the connector because BIO \
has been removed, automatically switch to tribute searchExternalFirst from the \
documentation since the attribute is no longer supported. (markt)
2017-06-26 Tomcat 8.5.16 (markt)
Catalina
Fix: 61072: Respect the documentation statements that allow using the \
platform default secure random for session id generation. (remm)
Fix: Correct the javadoc for \
o.a.c.connector.CoyoteAdapter#parseSessionCookiesId. Patch provided by John \
Andrew (XUZHOUWANG) via GitHub. (violetagg)
Fix: 61101: CORS filter should set Vary header in response. Submitted by \
Rick Riemer. (remm)
Add: 61105: Add a new JULI FileHandler configuration for specifying the \
maximum number of days to keep the log files. (violetagg)
Fix: 61125: Ensure that WarURLConnection returns the correct value for calls \
to getLastModified() as this is required for the correct detection of JSP \
modifications when the JSP is packaged in a WAR file. (markt)
Fix: Improve the SSLValve so it is able to handle client certificate headers \
from Nginx. Based on a patch by Lucas Ventura Carro. (markt)
Fix: 61134: Do not use '[' and ']' symbols around substituted text fragments \
when generating the default error pages. Patch provided by Katya Todorova. \
(violetagg)
Fix: 61154: Allow the Manager and Host Manager web applications to start by \
default when running under a security manager. This was accomplished by adding a \
custom permission, org.apache.catalina.security.DeployXmlPermission, that \
permits an application to use a META-INF/context.xml file and then granting that \
permission to the Manager and Host Manager. (markt)
Fix: 61173: Polish the javadoc for o.a.catalina.startup.Tomcat. Patch \
provided by peterhansson_se. (violetagg)
Add: A new configuration property crawlerIps is added to the \
o.a.catalina.valves.CrawlerSessionManagerValve. Using this property one can \
specify a regular expression that will be used to identify crawlers based on \
their IP address. Based on a patch provided by Tetradeus. (violetagg)
Fix: 61180: Log a warning message rather than an information message if it \
takes more than 100ms to initialise a SecureRandom instance for a web \
application to use to generate session identifiers. Patch provided by Piotr \
Chlebda. (markt)
Fix: 61185: When an asynchronous request is dispatched via \
AsyncContext.dispatch() ensure that getRequestURI() for the dispatched request \
matches that of the original request. (markt)
Fix: 61197: Ensure that the charset name used in the Content-Type header has \
exactly the same form as that provided by the application. This reverts a \
behavioural change in 8.5.15 that caused problems for some clients. (markt)
Fix: 61201: Ensure that the SCRIPT_NAME environment variable for CGI \
executables is populated in a consistent way regardless of how the CGI servlet \
is mapped to a request. (markt)
Coyote
Fix: 61086: Explicitly signal an empty request body for HTTP 205 responses. \
(markt)
Fix: 61120: Do not ignore path parameters when processing HTTP/2 requests. \
(markt)
Fix: Revert a change introduced in the fix for bug 60718 that changed the \
status code recorded in the access log when the client dropped the connection \
from 200 to 500. (markt)
Fix: Add additional syncs to the SSL session object provided by the OpenSSL \
engine so that a concurrent destruction cannot cause a JVM crash. (remm)
Fix: 61195: Backport, with deprecation where appropriate, the endpoint and \
protocol property changes from 9.0.x to ease migration from 8.5.x to 9.0.x. \
(markt)
Jasper
Fix: 44787: Improve error message when JSP compiler configuration options \
are not valid. (markt)
Fix: 61137: j.s.jsp.tagext.TagLibraryInfo#uri and \
j.s.jsp.tagext.TagLibraryInfo#prefix fields should not be final. Patch provided \
by Katya Todorova. (violetagg)
WebSocket
Fix: Correct the log message when a MessageHandler for PongMessage does not \
implement MessageHandler.Whole. (rjung)
Add: Introduce new API o.a.tomcat.websocket.WsSession#suspend/ \
o.a.tomcat.websocket.WsSession#resume that can be used to suspend/resume reading \
of the incoming messages. (violetagg)
Fix: Improve thread-safety of Futures used to report the result of sending \
WebSocket messages. (markt)
Fix: 61183: Correct a regression in the previous fix for 58624 that could \
trigger a deadlock depending on the locking strategy employed by the client \
code. (markt)
Web applications
Fix: Better document the meaning of the trimSpaces option for Jasper. (markt)
Fix: 61150: Configure the Manager and Host-Manager web applications to \
permit serialization and deserialization of CSRFPreventionFilter related session \
objects to avoid warning messages and/or stack traces on web application stop \
and/or start when running under a security manager. (markt)
Fix: Correct the TLS configuration documentation to remove SSLv2 and SSLv3 \
from the list of supported protocols. (markt)
Tribes
Add: Add JMX support for Tribes components. (kfujino)
Other
Add: 45832: Add HTTP DIGEST authentication support to the Catalina Ant tasks \
used to communicate with the Manager application. (markt)
Fix: 45879: Add the RELEASE-NOTES file to the root of the installation \
created by the Tomcat installer for Windows to make it easier for users to \
identify the installed Tomcat version. (markt)
Fix: 61055: Clarify the code comments in the rewrite valve to make clear \
that there are no plans to provide proxy support for this valve since Tomcat \
does not have proxy capabilities. (markt)
Fix: 61076: Document the altDDName attribute for the Context element. (markt)
Fix: Correct typo in Jar Scan Filter Configuration Reference. Issue reported \
via comments.apache.org. (violetagg)
Fix: 61145: Add missing @Documented annotation to annotations in the \
annotations API. Patch provided by Katya Todorova. (markt)
Fix: 61146: Add missing lookup() method to @EJB annotation in the \
annotations API. Patch provided by Katya Todorova. (markt)
Fix: Correct typo in Context Container Configuration Reference. Patch \
provided by Katya Todorova. (violetagg)
|
2017-05-21 01:45:03 by Ryo ONODERA | Files touched by this commit (3) |
Log message:
Update to 8.5.15
Changelog:
Tomcat 8.5.15 (markt)
General
Add: Allow to exclude JUnit test classes using the build property \
test.exclude and document the property in BUILDING.txt. (rjung)
Catalina
Fix: Review those places where Tomcat re-encodes a URI or URI component and \
ensure that the correct encoding (path differs from query string) is applied \
and that the encoding is applied consistently. (markt)
Fix: Avoid a NullPointerException when reading attributes for an initialised \
HTTP connector where TLS is enabled. (markt)
Fix: Always quote the hostName of an SSLHostConfig element when using it as \
part of the JMX object name to avoid errors that prevent the associated TLS \
connector from starting if a wild card hostName is configured (because * is a \
reserved character for JMX object names). (markt)
Code: Start to switch to using Charset rather than String to store encoding \
configuration settings to reduce the number of places the associated Charset \
needs to be looked up. (markt)
Fix: Use a more reliable mechanism for the DefaultServlet when determining \
if the current request is for custom error page or not. (markt)
Fix: Ensure that when the Default or WebDAV servlets process an error \
dispatch that the error resource is processed via the doGet() method \
irrespective of the method used for the original request that triggered the \
error. (markt)
Fix: If a static custom error page is specified that does not exist or \
cannot be read, ensure that the intended error status is returned rather than a \
404 or 403. (markt)
Fix: When the WebDAV servlet is configured and an error dispatch is made to \
a custom error page located below WEB-INF, ensure that the target error page is \
displayed rather than a 404 response. (markt)
Add: 61047: Add MIME mapping for woff2 fonts in the default web.xml. Patch \
provided by Justin Williamson. (violetagg)
Fix: Correct the logic that selects the encoding to use to decode the query \
string in the SSIServletExternalResolver so that the useBodyEncodingForURI \
attribute of the Connector is correctly taken into account. (markt)
Fix: Within the Expires filter, make the content type value specified with \
the ExpiresByType parameter, case insensitive. (markt)
Coyote
Fix: When a TrustManager is configured that does not support \
certificateVerificationDepth only log a warning about that lack of support when \
certificateVerificationDepth has been explicitly set. (markt)
Fix: 60970: Extend the fix for large headers to push requests. (markt)
Fix: Do not include a Date header in HTTP/2 responses with status codes less \
than 200. (markt)
Jasper
Fix: When no BOM is present and an encoding is detected, do not skip the \
bytes used to detect the encoding since they are not part of a BOM. (markt)
Update: 61057: Update to Eclipse JDT Compiler 4.6.3. (violetagg)
Fix: 61065: Ensure that once the class is resolved by \
javax.el.ImportHandler#resolveClass it will be cached with the proper name. \
(violetagg)
WebSocket
Fix: 61003: Ensure the flags for reading/writing in \
o.a.t.websocket.AsyncChannelWrapperSecure are correctly reset even if some \
exceptions occurred during processing. (markt/violetagg)
Web Applications
Add: Add documents for maxIdleTime attribute to Channel Receiver docs. (kfujino)
Other
Add: Modify the Ant build script used to publish to a Maven repository so \
that it no longer requires artifacts to be GPG signed. This is to make it possible \
for the CI system to upload snapshot builds to the ASF Maven repository. (markt)
Code: Review i18n property files, remove unnecessary escaping and \
consistently use [...] to delimit inserted values. (markt)
release in progress Tomcat 8.5.14 (markt)
Catalina
Fix: 59825: Log a message that lists the components in the processing chain \
that do not support async processing when a call to ServletRequest.startAsync() \
fails. (markt)
Fix: 60926: Ensure o.a.c.core.ApplicationContextFacade#setSessionTimeout \
will invoke the correct method when running Tomcat with security manager. \
(markt)
Update: Update the early access Servlet 4.0 API implementation to reflect \
the change in method name from getPushBuilder() to newPushBuilder(). (markt)
Fix: Correct a regression in the X to comma refactoring that broke JMX \
operations that take parameters. (markt)
Fix: Avoid a NullPointerException when reading attributes for a running HTTP \
connector where TLS is not enabled. (markt)
Fix: 60940: Improve the handling of the META-INF/ and META-INF/MANIFEST.MF \
entries for Jar files located in /WEB-INF/lib when running a web application \
from a packed WAR file. (markt)
Fix: Pre-load the ExceptionUtils class. Since the class is used extensively \
in error handling, it is prudent to pre-load it to avoid any failure to load \
this class masking the true problem during error handling. (markt)
Fix: Avoid potential NullPointerExceptions related to access logging during \
shutdown, some of which have been observed when running the unit tests. (markt)
Fix: When there is no javax.servlet.WriteListener registered then a call to \
javax.servlet.ServletOutputStream#isReady will return false instead of throwing \
IllegalStateException. (violetagg)
Fix: When there is no javax.servlet.ReadListener registered then a call to \
javax.servlet.ServletInputStream#isReady will return false instead of throwing \
IllegalStateException. (violetagg)
Coyote
Fix: Align cipher configuration parsing with current OpenSSL master. (markt)
Fix: 60970: Fix infinite loop if application tries to write a large header \
to the response when using HTTP/2. (markt)
Jasper
Fix: 60925: Improve the handling of access to properties defined by \
interfaces when a BeanELResolver is used under a SecurityManager. (markt)
jdbc-pool
Code: Refactor the creation of a constructor for a proxy class to reduce \
duplicate code. (kfujino)
Fix: In StatementFacade, the method call on the statements that have been \
closed throw SQLException rather than NullPointerException. (kfujino)
Other
Fix: Correct comments about Java 8 in Jre8Compat. Patch provided by fibbers \
via GitHub. (violetagg)
Fix: 60932: Correctly escape single quotes when used in i18n messages. Based \
on a patch by Michael Osipov. (markt)
Fix: Update the custom Ant task that integrates with the Symantec code \
signing service to use the now mandatory 2-factor authentication. (markt)
|