CVS Commit History:


   2014-06-07 02:24:30 by Ryo ONODERA | Files touched by this commit (2) | Package updated
Log message:
Update to 7.0.54

* Fix CVE-2014-0119

Changelog:
Tomcat 7.0.54 (violetagg)

    Catalina

        fix	Fix custom UTF-8 decoder so that a byte of value 0xC1 is always \ 
rejected immediately as it is never valid in a UTF-8 byte sequence. Update UTF-8 \ 
decoder tests to account for UTF-8 decoding improvements in Java 8. The custom \ 
UTF-8 decoder is still required due to bugs in the UTF-8 decoder provided by \ 
Java. Java 8's decoder is better than Java 7's but it is still buggy. (markt)
        fix	56027: Add more options for managing FIPS mode in the \ 
AprLifecycleListener. (schultz/kkolinko)
        fix	56321: When a WAR is modified, undeploy the web application before \ 
deleting any expanded directory as the undeploy process may refer to classes \ 
that need to be loaded from the expanded directory. If the expanded directory is \ 
deleted first, any attempt to load a new class during undeploy will fail. \ 
(markt)
        fix	56339: Avoid an infinite loop if an application calls \ 
session.invalidate() from the session destroyed event for that session. (markt)
        update	56365: Simplify file name pattern matching code in \ 
StandardJarScanner. Ignore leading and trailing whitespace and empty strings \ 
when configuring patterns. Improve documentation. (kkolinko)
        fix	56369: Ensure that removing an MBean notification listener reverts \ 
all the operations performed when adding an MBean notification listener. (markt)
        add	56382: Information about finished deployment and its execution time \ 
is added to the log files. Patch is provided by Danila Galimov. (violetagg)
        add	56383: Properties for disabling server information and error report \ 
are added to the org.apache.catalina.valves.ErrorReportValve. Based on the patch \ 
provided by Nick Bunn. (violetagg/kkolinko)
        fix	Only create XML parsing objects if required and fix associated \ 
potential memory leak in the default Servlet. (markt)
        fix	Modify generic exception handling so that StackOverflowError is not \ 
treated as a fatal error and can be handled and/or logged as required. (markt)
        fix	56409: Avoid StackOverflowError on non-Windows systems if a file \ 
named \ is encountered when scanning for TLDs. (markt)
        add	56430: Extend checks for suspicious URL patterns to include patterns \ 
of the form *.a.b which are not valid patterns for extension mappings. (markt)
        add	Extend XML factory, parser etc. memory leak protection to cover some \ 
additional locations where, theoretically, a memory leak could occur. (markt)
        fix	Ensure that a TLD parser obtained from the cache has the correct \ 
value of blockExternal. (markt)
        fix	56441: Raise the visibility of exceptions thrown when a problem is \ 
encountered calling a getter or setter on a component attribute. The logging \ 
level is raised from debug to warning. (markt)
        fix	56451: Make resources accessed via a context alias accessible via \ 
JNDI in the same way standard resources are available. (markt)
        add	56463: Property for disabling server information is added to the \ 
DefaultServlet. Server information is presented in the response sent to the \ 
client when directory listings is enabled. (violetagg)
        add	Add the org.apache.naming package to the packages requiring code to \ 
have the defineClassInPackage permission when running under a security manager. \ 
(markt)
        add	Add the org.apache.naming.resources package to the packages \ 
requiring code to have the accessClassInPackage permission when running under a \ 
security manager. (markt)
        fix	Make the naming context tokens for containers more robust. Require \ 
RuntimePermission when introducing a new token. (markt/kkolinko)
        fix	56472: Allow NamingContextListener to clean up on stop if its start \ 
failed. (kkolinko)
        add	56492: Avoid eclipse debugger pausing on uncaught exceptions when \ 
tomcat renews its threads. (slaurent)
        fix	Minor fixes to ThreadLocalLeakPreventionListener. Do not trigger \ 
threads renewal for failed contexts. Do not ignore threadRenewalDelay setting. \ 
Improve documentation. (kkolinko)
        fix	Correct regression introduced in r797162 that broke authentication \ 
of users when using the JAASMemoryLoginModule. (markt)
        fix	56501: HttpServletRequest.getContextPath() should return the \ 
undecoded context path used by the user agent. (markt)
        fix	56523: When using SPNEGO authentication, log the exceptions \ 
associated with failed user logins at debug level rather than error level. \ 
(markt)
        fix	56536: Ensure that HttpSessionBindingListener.valueUnbound() uses \ 
the correct class loader when the SingleSignOn valve is used. (markt)

    Coyote

        add	56399: Assert that both Coyote and Catalina request objects have \ 
been properly recycled. (kkolinko)
        fix	56416: Correct documentation for default value of socket linger for \ 
the AJP and HTTP connectors. (markt)

    Jasper

        fix	56334: Fix a regression in the handling of back-slash escaping \ 
introduced by the fix for 55735. (markt/kkolinko)
        fix	56425: Improve method matching for EL expressions. When looking for \ 
matching methods, an exact match between parameter types is preferred followed \ 
by an assignable match followed by a coercible match. (markt)
        fix	Correct the handling of back-slash escaping in the EL parser and no \ 
longer require that \$ or \# must be followed by { in order for the back-slash \ 
escaping to take effect. (markt)
        fix	56529: Avoid NoSuchElementException while handling attributes with \ 
empty string value in custom tags. Patch provided by Hariprasad Manchi. \ 
(violetagg)

    Cluster

        fix	Remove cluster and replicationValve from cluster manager template. \ 
These instances are not necessary to template. (kfujino)
        fix	Add support for cross context session replication to \ 
org.apache.catalina.ha.session.BackupManager. (kfujino)
        fix	Remove the unnecessary cross context check. It does not matter \ 
whether the context that is referenced by other context is set to \ 
crossContext=true. The context that refers to the different context must be set \ 
to crossContext=true. (kfujino)
        code	Move to org.apache.catalina.ha.session.ClusterManagerBase common \ 
logics of org.apache.catalina.ha.session.BackupManager and \ 
org.apache.catalina.ha.session.DeltaManager. (kfujino)
        code	Simplify the code of o.a.c.ha.tcp.SimpleTcpCluster. In order to add \ 
or remove cluster valve to Container, use pipeline instead of \ 
IntrospectionUtils. (kfujino)
        fix	There is no need to set cluster instance when \ 
SimpleTcpCluster.unregisterClusterValve is called. Set null than cluster \ 
instance for cleanup. (kfujino)
        code	Backport refactoring of AbstractReplicatedMap to implement Map \ 
rather than extend ConcurrentHashMap to enable Tomcat 7 to be built with Java 8. \ 
(markt)

    WebSocket

        fix	56343: Avoid a NPE if Tomcat's Java WebSocket 1.0 implementation is \ 
used with the Java WebSocket 1.0 API JAR from the reference implementation. \ 
(markt)
        fix	Increase the default maximum size of the executor used by the \ 
WebSocket implementation for call backs associated with asynchronous writes from \ 
10 to 200. (markt)
        add	Add a warning if the thread group created for WebSocket asynchronous \ 
write call backs can not be destroyed when the web application is stopped. \ 
(markt)
        fix	Ensure that threads created to support WebSocket clients are stopped \ 
when no longer required. This will happen automatically for WebSocket client \ 
connections initiated by web applications but stand alone clients must call \ 
WsWebSocketContainer.destroy(). (markt)
        fix	56449: When creating a new session, add the message handlers to the \ 
session before calling Endpoint.onOpen() so the message handlers are in place \ 
should the onOpen() method trigger the sending of any messages. (markt)
        fix	56458: Report WebSocket sessions that are created over secure \ 
connections as secure rather than as not secure. (markt)
        fix	Stop threads used for secure WebSocket client connections when they \ 
are no longer required and give them better names for easier debugging while \ 
they are running. (markt)

    Web applications

        fix	Add Support for copyXML attribute of Host to Host Manager. (kfujino)
        fix	Ensure that "name" request parameter is used as a \ 
application base of host if "webapps" request parameter is not set \ 
when adding host in HostManager Application. (kfujino)
        fix	Correct documentation on Windows service options, aligning it with \ 
Apache Commons Daemon documentation. (kkolinko)
        update	55215: Improve log4j configuration example. Clarify access \ 
logging documentation. Based on patches provided by Brian Burch. (kkolinko)
        update	55383: Backport improved HTML markup for tables and code \ 
fragments from Tomcat 8 documentation. (kkolinko)
        fix	56418: Ensure that the Manager web application does not report \ 
success for a web application deployment that fails. (slaurent)
        fix	Fix target and rel attributes on links in documentation. They were \ 
lost during XSLT transformation. (kkolinko)
        update	Improve valves documentation. Split valves into groups. (kkolinko)

    Other

        fix	Align DisplayName of Tomcat installed by service.bat with one \ 
installed by the *.exe installer. Print a warning in case if neither server nor \ 
client jvm is found by service.bat. (kkolinko)
        update	56363: Update to version 1.1.30 of Tomcat Native library. (schultz)
        update	Update package renamed Apache Commons BCEL to r1593495 to pick up \ 
some additional changes for Java 7 support and some code clean up. (markt)
        add	In tests: allow to configure directory where JUnit reports and \ 
access log are written to. (kkolinko)
   2014-04-08 22:14:55 by Ryo ONODERA | Files touched by this commit (3) | Package updated
Log message:
Update to 7.0.53

* Fix CVE-2014-0050 and CVE-2013-4590

Changelog:
Tomcat 7.0.53 (violetagg)

    Catalina

        add	Make it easier for applications embedding and/or extending Tomcat to \ 
modify the javaseClassLoader attribute of the WebappClassLoader. (markt)
        fix	Improve the robustness of web application undeployment based on some \ 
code analysis triggered by the report for 54315. (markt)
        fix	56219: Improve merging process for web.xml files to take account of \ 
the elements and attributes supported by the Servlet version of the merged file. \ 
(markt)
        fix	56190: The response should be closed (i.e. no further output is \ 
permitted) when a call to AsyncContext.complete() takes effect. (markt)
        fix	56236: Enable Tomcat to work with alternative Servlet and JSP API \ 
JARs that package the XML schemas in such a way as to require a dependency on \ 
the JSP API before enabling validation for web.xml. Tomcat has no such \ 
dependency. (markt)
        fix	56246: Fix NullPointerException in MemoryRealm when authenticating \ 
an unknown user. (markt)
        fix	56248: Allow the deployer to update an existing WAR file without \ 
undeploying the existing application if the update flag is set. This allows any \ 
existing custom context.xml for the application to be retained. To update an \ 
application and remove any existing context.xml simply undeploy the old version \ 
of the application before deploying the new version. (markt)
        fix	Redefine the globalXsltFile initialisation parameter of the \ 
DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. Prevent \ 
user supplied XSLTs used by the DefaultServlet from defining external entities. \ 
(markt)
        add	Add a work around for validating XML documents (often TLDs) that use \ 
just the file name to refer to the JavaEE schema on which they are \ 
based. (markt)
        fix	56293: Cache resources loaded by the class loader from \ 
/META-INF/services/ for better performance for repeated look ups. (markt)

    Coyote

        fix	53119: Make sure the NIO AJP output buffer is cleared on any error \ 
to prevent any possible overflow if it is written to again before the connection \ 
is closed. This extends the original fix for the APR/native output buffer to the \ 
NIO connector. (kkolinko)
        fix	56172: Avoid possible request corruption when using the AJP NIO \ 
connector and a request is sent using more than one AJP message. Patch provided \ 
by Amund Elstad. (markt)
        fix	56213: Reduce garbage collection when the NIO connector is under \ 
heavy load. (markt)
        fix	Improve processing of chunk size from chunked headers. Avoid \ 
overflow and use a bit shift instead of a multiplication as it is marginally \ 
faster. (markt/kkolinko)
        fix	Fix possible overflow when parsing long values from a byte array. (markt)

    Jasper

        fix	54475: Add Java 8 support to SMAP generation for JSPs. Patch by \ 
Robbie Gibson. (markt)
        fix	55483: Improve handling of overloaded methods and constructors in \ 
expression language implementation. (markt)
        fix	56208: Restore the validateXml option to Jasper that was previously \ 
renamed validateTld. Both options are now supported. validateXml controls the \ 
validation of web.xml files when Jasper parses them and validateTld controls the \ 
validation of *.tld files when Jasper parses them. (markt)
        fix	56223: Throw an IllegalStateException if a call is made to \ 
ServletContext.setInitParameter() after the ServletContext has been initialized. \ 
(markt)
        fix	56265: Do not escape values of dynamic tag attributes containing EL \ 
expressions. (kkolinko)
        fix	Make the default compiler source and target versions for JSPs Java 6 \ 
since Tomcat 7 requires Java 6 as a minimum. (markt)
        update	56283: Update to the Eclipse JDT Compiler P20140317-1600 which \ 
adds support for Java 8 syntax to JSPs. Add support for value "1.8" \ 
for the compilerSourceVM and compilerTargetVM options. (markt)

    WebSocket

        fix	Avoid a possible deadlock when one thread is shutting down a \ 
connection while another thread is trying to write to it. (markt)
        fix	Call onError if an exception is thrown calling onClose when closing \ 
a session. (remm)

    Web applications

        code	In the documentation: add support for several documentation tags \ 
from Tomcat 8. Such as <version-major/>. (kkolinko)
        add	56093: Add the SSL Valve to the documentation web application. (markt)
        fix	56217: Improve readability by using left alignment for the table \ 
cell containing the request information on the Manager application status page. \ 
(markt)
        fix	Fixed java.lang.NegativeArraySizeException when using "Expire \ 
sessions" command in the manager web application on a context where the \ 
session timeout is disabled. (kfujino)
        fix	Add support for LAST_ACCESS_AT_START system property to Manager web \ 
application. (kfujino)
        fix	Add definition of org.apache.catalina.ant.FindLeaksTask. (kfujino)
        fix	56273: If the Manager web application does not perform an operation \ 
because the web application is already being serviced, report an error rather \ 
than reporting success. (markt)
        fix	56304: Add a note to the documentation about not using WebSocket \ 
with BIO HTTP in production. (markt)

    Other

        fix	56143: Improve service.bat so that it can be launched from a non-UAC \ 
console. This includes using a single call to tomcat7.exe to install the Windows \ 
service rather than three calls, and using command line arguments instead of \ 
environment variables to pass the settings. (markt/kkolinko)
        fix	Fix regression in 7.0.52: when using service.bat install to install \ 
the service the values for --StdOutput, --StdError options were passed as blank \ 
instead of "auto". (kkolinko)
        fix	Align options between service.bat and exe Windows installer. For \ 
service.bat the changes are in --Classpath, --DisplayName, --StartPath, \ 
--StopPath. For exe installer the changes are in --JvmMs, --JvmMx options, which \ 
are now 128 Mb and 256 Mb respectively instead of being empty. Explicitly \ 
specify --LogPath path when uninstalling Windows service, avoiding default value \ 
for that option. (kkolinko)
        code	Simplify Windows *.bat files: remove %OS% checks, as java 6 does \ 
not run on ancient non-NT operating systems. (kkolinko)
        fix	56137: Explicitly use the BIO connector in the SSL example in \ 
server.xml so it doesn't break if APR is enabled. (markt)
        fix	56139: Avoid a web application class loader leak in some unit tests \ 
when running on Windows. (markt)
        fix	Correct build script to avoid building JARs with empty packages. (markt)
        add	Allow to limit JUnit test run to a number of selected test case \ 
methods. (kkolinko)
        fix	56189: Remove used file cpappend.bat from the distribution. (markt)

Tomcat 7.0.52 (violetagg)	released 2014-02-17

    Catalina

        fix	Generate a valid root element for the effective web.xml for a web \ 
application for all supported versions of web.xml. (markt)

    Coyote

        code	Pull up SocketWrapper to AbstractProcessor. (markt)
        fix	In some circumstances asynchronous requests could time out too soon. \ 
(markt)

Tomcat 7.0.51 (violetagg)	not released

    Catalina

        fix	55287: ServletContainerInitializer defined in the container may not \ 
be found. (markt/jboynes)
        fix	55855: Provide a per Context option (containerSciFilter) to exclude \ 
container SCIs. (markt)
        fix	55937: When deploying applications, treat a context path of /ROOT as \ 
equivalent to /. (markt)
        fix	55943: Improve the implementation of the class loader check that \ 
prevents web applications from trying to override J2SE implementation classes. \ 
As part of this fix, refactor the way a null parent class loader is handled \ 
which enables a number of null checks and object creation calls to be removed. \ 
(markt)
        fix	55958: Differentiate between foo.war the WAR file and foo.war the \ 
directory. (markt)
        fix	55960: Improve the single sign on (SSO) unit tests. Patch provided \ 
by Brian Burch. (markt)
        fix	55974: Retain order when reporting errors and warnings while parsing \ 
XML configuration files. (markt)
        fix	56013: Fix issue with SPNEGO authentication when using IBM JREs. IBM \ 
JREs only understand the option of infinite lifetime for Kerberos credentials. \ 
Based on a patch provided by Arunav Sanyal. (markt)
        fix	56016: When loading resources for XML schema validation, take \ 
account of the possibility that servlet-api.jar and jsp-api.jar may not be \ 
loaded by the same class loader. Patch by Juan Carlos Estibariz. (markt)
        fix	56025: When creating a WebSocket connection, always call \ 
ServerEndpointConfig.Configurator.getNegotiatedSubprotocol() and always create \ 
the EndPoint instance after calling \ 
ServerEndpointConfig.Configurator.modifyHandshake(). (markt)
        fix	56032: Ensure that the WebSocket connection is closed after an IO \ 
error or an interrupt while sending a WebSocket message. (markt)
        fix	56042: If a request in async mode has an error but has already been \ 
dispatched don't generate an error page in the ErrorReportValve so the dispatch \ 
target can handle it. (markt)
        fix	Add missing javax.annotation.sql.* classes to annotations-api.jar. \ 
(markt)
        fix	The type of logger attribute of Context MBean should be not \ 
org.apache.commons.logging.Log but org.apache.juli.logging.Log. (kfujino)
        fix	56082: Fix a concurrency bug in JULI's LogManager implementation. (markt)
        fix	56096: When the attribute rmiBindAddress of the JMX Remote Lifecycle \ 
Listener is specified its value will be used when constructing the address of a \ 
JMX API connector server. Patch is provided by Jim Talbut. (violetagg)
        fix	When environment entry with one and the same name is defined in the \ 
web deployment descriptor and with annotation then the one specified in the web \ 
deployment descriptor is with priority. (violetagg)
        fix	Change default value of xmlBlockExternal attribute of Context. It is \ 
true now. (kkolinko)

    Coyote

        fix	Avoid possible NPE if a content type is specified without a \ 
character set. (markt)
        fix	55956: Make the forwarded remote IP address available to the \ 
Connectors via a request attribute. (markt)
        fix	55976: Fix sendfile support for the HTTP NIO connector. (markt)
        fix	55996: Ensure Async requests timeout correctly when using the NIO \ 
HTTP connector. (markt)
        add	56021: Make it possible to use the Windows-MY key store with the BIO \ 
and NIO connectors for SSL configuration. It requires a \ 
keystoreFile="" keystoreType="Windows-My" to be set on the \ 
connector. Based on a patch provided by Asanka. (markt)

    Jasper

        fix	Correct a regression in the XML refactoring that meant that errors \ 
in TLD files were swallowed. (markt)
        fix	55671: Correct typo in the log message for a wrong value of \ 
genStringAsCharArray init-param of JspServlet. This parameter had a different \ 
name in Tomcat 6. (kkolinko)
        fix	55973: Fix processing of XML schemas when validation is enabled in \ 
Jasper. (kkolinko)
        fix	56010: Don't throw an IllegalArgumentException when \ 
JspFactory.getPageContext is used with JspWriter.DEFAULT_BUFFER. Based on a \ 
patch by Eugene Chung. (markt)
        fix	56012: When using the extends attribute of the page directive do not \ 
import the super class if it is in an unnamed package as imports from unnamed \ 
packages are now explicitly illegal. (markt)
        fix	56029: A regression in the fix for 55198 meant that when EL \ 
containing a ternary expression was used in an attribute a compilation error \ 
would occur for some expressions. (markt)
        fix	Correct several errors in jspxml Schema and DTD. (kkolinko)
        fix	Change default value of the blockExternal attribute of JspC task. \ 
The default value is true. Add support for -no-blockExternal switch when JspC is \ 
run as a standalone application. (kkolinko)

    Cluster

        code	Simplify the code of \ 
o.a.c.ha.tcp.SimpleTcpCluster.createManager(String). Remove unnecessary class \ 
cast. (kfujino)

    WebSocket

        fix	Do not return an empty string for the Sec-WebSocket-Protocol HTTP \ 
header when no sub-protocol has been requested or no sub-protocol could be \ 
agreed as RFC6455 requires that no Sec-WebSocket-Protocol header is returned in \ 
this case. (markt)

    Web applications

        fix	Add index.xhtml to the welcome files list for the examples web \ 
application. (kkolinko)
        fix	Clarify that the connectionTimeout may also be used as the read \ 
timeout when reading a request body (if any) in the documentation web \ 
application. (markt)
        fix	Clarify the behaviour of the maxConnections attribute for a \ 
connector in the documentation web application. (markt)
        fix	55888: Update the documentation web application to make it clearer \ 
that a Container may define no more than one Realm. (markt)
        fix	55956: Where available, display the forwarded remote IP address \ 
available on the status page of the Manager web application. (markt)
        fix	Correct links to the Tomcat mailing lists in the ROOT web \ 
application. (kkolinko)
        fix	In Manager web application improve handling of file upload errors. \ 
Display a message instead of error 500 page. Simplify parts handling code, as it \ 
is known that Tomcat takes care of them when recycling a request. (kkolinko)

    Extras

        fix	55166, 56045: Copy the XML schemas used for validation that are \ 
packaged in jsp-api.jar to servlet-api.jar so that an embedded Tomcat instance \ 
can start without Jasper being available. This also enables validation to work \ 
without Jasper being available. (markt/kkolinko)
        fix	56039: Enable the JmxRemoteLifecycleListener to work over SSL. Patch \ 
by esengstrom. (markt)

    Other

        fix	55743: Enable the stop script to work when the shutdown port is \ 
disabled and a PID file is defined. This is only available on platforms that use \ 
catalina.sh. (markt)
        fix	55986: When forcing Tomcat to stop via kill -9 $CATALINA_PID, the \ 
catalina.sh script could incorrectly report that Tomcat had not yet completely \ 
stopped when it had. Based on a patch by jess. (markt)
        fix	Package correct license and notice files with embedded JARs. (markt)
        code	Remove svn keywords (such as $Id) from source files and \ 
documentation. (kkolinko)
        fix	Fix CVE-2014-0050, a denial of service with a malicious, malformed \ 
Content-Type header and multipart request processing. Fixed by merging latest \ 
code (r1565163) from Commons FileUpload. (markt)
        fix	56115: Expose the httpusecaches property of Ant's get task as some \ 
users may need to change the default. Based on a suggestion by Anthony. (markt)

Tomcat 7.0.50 (violetagg)	released 2014-01-08

    Catalina

        fix	Handle the case where a context.xml file is added to a web \ 
application deployed from a directory. Previously the file was ignored until \ 
Tomcat was restarted. Now (assuming automatic deployment is enabled) it will \ 
trigger a redeploy of the web application. (markt)
        fix	Fix string comparison in HostConfig.setContextClass(). (kkolinko)
        code	Streamline handling of WebSocket messages when no handler is \ 
configured for the message currently being received. (markt)
        fix	Handle the case where a WebSocket annotation configures a message \ 
size limit larger than the default permitted by Tomcat. (markt)
        fix	55855: This is a partial fix that bypasses the relatively expensive \ 
check for a WebSocket upgrade request if no WebSocket endpoints have been \ 
registered. (markt)
        fix	55905: Prevent a NPE when web.xml references a taglib file that does \ 
not exist. Provide better error message. (violetagg)

    Coyote

        fix	When using the BIO connector with an internal executor, do not \ 
display a warning that the executor has not shutdown as the default \ 
configuration for BIO connectors is not to wait. This is because threads in \ 
keep-alive connections cannot be interrupted and therefore the warning was \ 
nearly always displayed. (markt)

    Jasper

        fix	JspC uses servlet context initialization parameters to pass \ 
configuration so ensure that the servlet context used supports initialization \ 
parameters. (markt)

    Cluster

        fix	In AbstractReplicatedMap#finalize, remove rpcChannel from channel \ 
Listener of group channel before sending MapMessage.MSG_STOP message. This \ 
prevents that the node that sent the MapMessage.MSG_STOP by normal shutdown is \ 
added to member map again by ping at heartbeat thread in the node that received \ 
the MapMessage.MSG_STOP. (kfujino)
        fix	Add time stamp to GET_ALL_SESSIONS message. (kfujino)

    Web applications

        fix	Fix the sample configuration of StaticMembershipInterceptor in order \ 
to prevent warning log. uniqueId must be 16 bytes. (kfujino)

    Extras

        update	Update dependencies that are used to build tomcat-juli extras \ 
component. Apache Avalon Framework is updated to version 4.1.5, Apache Log4J to \ 
version 1.2.17. (rjung)

Tomcat 7.0.49 (violetagg)	not released

    Catalina

        fix	Correct a regression in the new XML local resolver that triggered \ 
false failures when XML validation was configured. (markt)
        fix	Prevent a NPE when destroying HTTP upgrade handler for WebSocket \ 
connections. (violetagg)

Tomcat 7.0.48 (violetagg)	not released

    Catalina

        add	51294: Add support for unpacking WARs located outside of the Host's \ 
appBase in to the appBase. (markt)
        fix	55656: Configure the Digester to use the server class loader when \ 
parsing server.xml rather than the class loader that loaded StandardServer. \ 
Patch provided by Roberto Benedetti. (markt)
        fix	55664: Correctly handle JSR 356 WebSocket Encoder, Decoder and \ 
MessageHandler implementations that use a generic type such as \ 
Encoder.Text<List<String>>. Includes a test case by Niki Dokovski. \ 
(markt)
        fix	Correctly handle WebSocket Encoders, Decoders and MessageHandlers \ 
that use arrays of generic types. (markt)
        fix	55681: Ensure that the WebSocket session is made available to \ 
MessageHandler method calls. (markt)
        fix	Updated servlet spec version and documentation section-number \ 
reported when JAR files are rejected for containing a trigger class (e.g. \ 
javax.servlet.Servlet). (schultz)
        add	Modify the WebSocket handshake process so that the user properties \ 
Map exposed by the ServerEndpointConfig during the call to \ 
Configurator.modifyHandshake() is unique to the connection rather than shared by \ 
all connections associated with the Endpoint. This allows for easier \ 
configuration of per connection properties from within modifyHandshake(). \ 
(markt)
        fix	55684: Log a warning but continue if the memory leak detection code \ 
is unable to access all threads to check for possible memory leaks when a web \ 
application is stopped. (markt)
        fix	Define the web-fragment.xml in tomcat7-websocket.jar as a Servlet \ 
3.0 web fragment rather than as a Servlet 3.1 web fragment. (markt)
        fix	55715: Add a per web application executor to the WebSocket \ 
implementation and use it for calling SendHandler.onResult() when there is a \ 
chance that the current thread also initiated the write. (markt)
        fix	Prevent file descriptors leak and ensure that files are closed when \ 
configuring the web application. (violetagg)
        fix	Fixed the name of the provider-configuration file located in \ 
tomcat7-websocket.jar!/META-INF/services that exposes information for \ 
javax.websocket.server.ServerEndpointConfig$Configurator implementation. \ 
(violetagg)
        fix	55760: Remove the unnecessary setting of the \ 
javax.security.auth.useSubjectCredsOnly system property in the \ 
SpnegoAuthenticator as in addition to it being unnecessary, it causes problems \ 
with using SPNEGO with IBM JDKs. Patch provided by Arunav Sanyal. (markt)
        fix	55772: Ensure that the request and response are recycled after an \ 
error during asynchronous processing. Includes a test case based on code \ 
contributed by Todd West. (markt)
        fix	55778: Add an option to the JNDI Realm to control the QOP used for \ 
the connection to the LDAP server after authentication when using SPNEGO with \ 
delegated credentials. This value is used to set the javax.security.sasl.qop \ 
environment property for the LDAP connection. (markt)
        fix	55798: Log an error if the MemoryUserDatabase is unable to find the \ 
specified user database file. (markt)
        fix	55799: Correctly enforce the restriction in JSR356 that no more than \ 
one data message may be sent to a remote WebSocket endpoint at a time. (markt)
        fix	When Catalina parses TLD files, always use a namespace aware parser \ 
to be consistent with how Jasper parses TLD files. The tldNamespaceAware \ 
attribute of the Context is now ignored. (markt)
        fix	Deprecate the tldNamespaceAware Context attribute as TLDs are always \ 
parsed with a namespace aware parser. (markt)
        fix	Correct a logic error that meant that unpackWARs was ignored and the \ 
WAR was always expanded if a WAR failed to deploy. (markt)
        add	Add support for defining copyXML on a per Context basis. (markt)
        fix	Define the expected behaviour of the automatic deployment and align \ 
the implementation to that definition. (markt)
        add	When running under a security manager, change the default value of \ 
the Host's deployXML attribute to false. (markt)
        add	If a Host is configured with a value of false for deployXML, a web \ 
application has an embedded descriptor at META-INF/context.xml and no explicit \ 
descriptor has been defined for this application, do not allow the application \ 
to start. The reason for this is that the embedded descriptor may contain \ 
configuration necessary for secure operation such as a RemoteAddrValve. (markt)
        fix	Prevent an NPE in the WebSocket ServerContainer when processing an \ 
HTTP session end event. (markt)
        add	55801: Add the ability to set a custom SSLContext to use for client \ 
wss connections. Patch provided by Maciej Lypik. (markt)
        fix	55804: If the GSSCredential for the cached Principal expires when \ 
using SPNEGO authentication, force a re-authentication. (markt)
        add	55811: If the main web.xml contains an empty absolute-ordering \ 
element and validation of web.xml is not enabled, skip parsing any \ 
web-fragment.xml files as the result is never used. (markt)
        fix	55839: Extend support for digest prefixes {MD5}, {SHA} and {SSHA} to \ 
all Realms rather than just the JNDIRealm. (markt)
        fix	55842: Ensure that if a larger than default response buffer is \ 
configured that the full buffer is used when a Servlet outputs via a Writer. \ 
(markt)
        fix	55851: Further fixes to enable SPNEGO authentication to work with \ 
IBM JDKs. Based on a patch by Arunav Sanyal. (markt)
        add	Fix CVE-2013-4590: Add an option to the Context to control the \ 
blocking of XML external entities when parsing XML configuration files and \ 
enable this blocking by default when a security manager is used. The block is \ 
implemented via a custom resolver to enable the logging of any blocked entities. \ 
(markt)

    Coyote

        code	Implement a number of small refactorings to the APR/native handler \ 
for upgraded HTTP connections. (markt)
        fix	Fix an issue with upgraded HTTP connections over HTTPS (e.g. secure \ 
WebSocket) when using the APR/native connector that resulted in the unexpected \ 
closure of the connection. (markt)
        fix	Ensure that the application class loader is used when calling the \ 
ReadListener and WriteListener methods when using non-blocking IO. A side effect \ 
of not doing this was that JNDI was not available when processing WebSocket \ 
events. (markt)
        add	Make the time that the internal executor (if used) waits for request \ 
processing threads to terminate before continuing with the connector stop \ 
process configurable. (markt)
        fix	55749: Improve the error message when SSLEngine is disabled in the \ 
AprLifecycleListener and SSL is configured for an APR/native connector. (markt)
        add	If a request that includes an Expect: 100-continue header receives \ 
anything other than a 2xx response, close the connection. This protects against \ 
misbehaving clients that may not send the request body in that case and send the \ 
next request instead. (markt)
        fix	Improve the parsing of trailing headers in HTTP requests. (markt)

    Jasper

        fix	55735: Fix a regression caused by the fix to 55198. When processing \ 
JSP documents, attributes in XML elements that are template content should have \ 
their text xml-escaped, but output of EL expressions in them should not be \ 
escaped. (markt)
        fix	55807: The JSP compiler used a last modified time of -1 for TLDs in \ 
JARs expanded in to WEB-INF/classes (IDEs often do this expansion) when creating \ 
the dependency list for JSPs that used that TLD. This meant JSPs using that TLD \ 
were recompiled on every access. (markt)

    Cluster

        add	Add log message that initialization of AbstractReplicatedMap has \ 
been completed. (kfujino)
        fix	The logger of AbstractReplicatedMap should be non-static in order to \ 
enable logging of each application. A side-effect of this change is to throw \ 
RuntimeException in MapMessage#getKey() and getValue() instead of Null return \ 
and error log. (kfujino)
        code	Simplify the code of DeltaManager#startInternal(). Reduce \ 
unnecessary nesting for acquisition of cluster instance. (kfujino)
        fix	Remove unnecessary attributes of stateTransferCreateSendTime and \ 
receiverQueue from cluster manager template. These attributes should not be \ 
defined as a template. (kfujino)
        fix	Fix MBean attribute definition of stateTransfered. The method name \ 
is not isStateTransfered() but getStateTransfered(). (kfujino)
        fix	Correct stop failure log of cluster. Failure cause is not only \ 
Valve. (kfujino)
        fix	Remove unnecessary sleep when sending session blocks on session sync \ 
phase. (kfujino)
        fix	Expose stateTimestampDrop of \ 
org.apache.catalina.ha.session.DeltaManager via JMX. (kfujino)
        fix	When the ping times out, make sure that the memberDisappeared method is \ 
not called by specifying the members that have already been removed. (kfujino)
        add	Add log message of session relocation when member disappeared. (kfujino)
        fix	If a ping message fails, prevent wrong timeout detection of a normal \ 
member that is not a failed member. (kfujino)

    Web applications

        add	Add some documentation on the SSL configuration options for \ 
WebSocket clients. (markt)
        add	Add to cluster document a description of \ 
notifyLifecycleListenerOnFailure and heartbeatBackgroundEnabled. (kfujino)
        fix	Update the documentation with information for WebSocket 1.0 \ 
specification and javadoc. (violetagg)
        fix	55703: Clarify the role of the singleton attribute for JNDI resource \ 
factories. (markt)
        fix	55746: Add documentation on the allRolesMode to the CombinedRealm \ 
and LockOutRealm. Patch by Cédric Couralet. (markt)
        add	Expand the information on web applications that ship as part of \ 
Tomcat in the security how-to section of the documentation web application. \ 
(markt)
        fix	Expand the description of the WebSocket buffers in the documentation \ 
web application to clarify their purpose. (markt)
        add	Correct the documentation for Cluster manager. (kfujino)
        add	Add information on how to configure integrated Windows \ 
authentication when Tomcat is running on a non-Windows host. (markt)

    Extras

        update	Update commons-logging to version 1.1.3. (rjung)

    Other

        add	52323: Add support for the Cobertura code coverage tool when running \ 
the unit tests. Based on a patch by mhasko. (markt/kkolinko)
        update	Update sample Eclipse IDE project. Explicitly use a Java 6 SE \ 
JDK. Exclude JSR356 WebSocket classes from build path, as they cannot be \ 
compiled with Java 6. (kkolinko)
        update	Update the Eclipse compiler to 4.3.1. (kkolinko/markt)
   2014-03-11 15:34:41 by Jonathan Perkin | Files touched by this commit (99)
Log message:
Import initial SMF support for individual packages.
   2014-03-11 15:05:19 by Jonathan Perkin | Files touched by this commit (350)
Log message:
Remove example rc.d scripts from PLISTs.

These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
   2013-11-24 05:44:51 by Ryo ONODERA | Files touched by this commit (3)
Log message:
Update to 7.0.47

Changelog:
 The Apache Tomcat Project is proud to announce the release of version 7.0.47 of \ 
Apache Tomcat. This release contains a number of bug fixes and improvements \ 
compared to version 7.0.42. The notable changes include:

    Back-port the JSR-356 Java WebSocket 1.0 implementation from Apache Tomcat \ 
8. Note that use of this functionality requires Java 7.
    Deprecate the Apache Tomcat proprietary WebSocket API in favour of the new \ 
JSR-356 implementation.
    Add a drawing board example to the WebSocket examples.
    The minimum required APR/native library version required if the APR/native \ 
connector is used is now 1.1.29.
   2013-07-12 12:45:05 by Jonathan Perkin | Files touched by this commit (181)
Log message:
Bump PKGREVISION of all packages which create users, to pick up change of
sysutils/user_* packages.
   2013-07-08 16:26:15 by Ryo ONODERA | Files touched by this commit (2)
Log message:
Update to 7.0.42

Changelog:
    Add support for time to first byte in the AccessLogValve. Patch provided by \ 
Jeremy Boynes.
    Correct a regression introduced in 7.0.39 (refactoring of base 64 encoding \ 
and decoding) that broke the JNDI Realm when userPassword was set and passwords \ 
were hashed with MD5 or SHA1.
    Ensure that the build process produces Javadoc that is not vulnerable to \ 
CVE-2013-1571. Based on a patch by Uwe Schindler.
   2013-06-17 17:07:55 by Ryo ONODERA | Files touched by this commit (3)
Log message:
Update to 7.0.41

Changelog:
    Add a Servlet Filter that implements CORS. Patch provided by Mohit Soni.
    Ensure that when Tomcat's anti-resource locking features are used that the \ 
temporary copy of the web application and not the original is removed when the \ 
web application stops.
    Add support for the version attribute to the deploy command of the Ant tasks \ 
for interfacing with the text based Manager application. Patch provided by \ 
Sergey Tcherednichenko.
   2013-05-19 15:05:46 by Ryo ONODERA | Files touched by this commit (3)
Log message:
Update to 7.0.40

Changelog:
Tomcat 7.0.40 Released	2013-05-09

    The Apache Tomcat Project is proud to announce the release of version 7.0.40 \ 
of Apache Tomcat. This release contains a security fix and a number of bug fixes \ 
and improvements compared to version 7.0.39. The notable changes include:

        A fix for CVE-2013-2071 (bug 54178) an information disclosure issue.
        Various fixes to stop Tomcat attempting to parse text that looks like an \ 
EL expression in a JSP document as an EL expression when EL expressions are \ 
either not permitted or not enabled.
        Improved handling and reporting if a ConcurrentModificationException \ 
occurs while checking for memory leaks when a web application is being stopped.
   2013-04-25 16:30:35 by Ryo ONODERA | Files touched by this commit (2)
Log message:
Update to 7.0.39

Changelog:
    There have been multiple improvements in the bytes to/from characters \ 
conversion process. The core conversion process has been refactored to use the \ 
NIO APIs. This has resulted in a number of improvements including invalid UTF-8 \ 
byte sequences at the end of a series of bytes now trigger a conversion error \ 
rather than being silently swallowed. Errors detected in request URIs will be \ 
replaced with the replacement character (allowing the application to respond to \ 
the invalid URI as it wishes) and errors in request bodies will trigger an \ 
IOException. The use of the JVM provided UTF-8 decoder has been replaced by a \ 
better UTF-8 decoder derived from Apache Harmony. This improved decoder has \ 
earlier detection of error conditions and more closely follows the Unicode \ 
specification regarding the use of replacement characters.

    The annotation scanning process now provides more information if the scan \ 
fails due to broken class dependencies. There is now enough information to \ 
identify the class(es) at fault. The JAR scanning process that supports \ 
annotation scanning has also seen multiple improvements and fixes including the \ 
exclusion by default of the Bootstrap class path from the scan.

    Upgraded a number of Tomcat's dependencies including Commons Daemon to \ 
1.0.14, Commons IO to 2.4 and Commons FileUpload to r1458500. A new dependency \ 
on Commons Codec was added to replace Tomcat's internal Base64 encoder/decoder.
