Log message:
Update to 9.0.26
Changelog:
Tomcat 9.0.26 (markt)
Other
Fix: Re-tagged to ensure that the source file for the changelog did not \
contain an XML byte order mark. (markt)
not released Tomcat 9.0.25 (markt)
Catalina
Fix: Avoid a possible InvalidPathException when obtaining a URI for a \
configuration file. (markt)
Fix: 63684: Wrapper never passed to RealmBase.hasRole() for given security \
constraints. (michaelo)
Fix: 63740: Ensure configuration files are loaded correctly when a Host is \
configured with an xmlBase. Patch provided by uk4sx. (markt)
Fix: Avoid a potential NullPointerException on Service stop if a Service is \
embedded directly (i.e. with no Server) in an application and JNDI is enabled. \
Patch provided by S. Ali Tokmen. (markt)
Add: Add a new PropertySource implementation, EnvironmentPropertySource, \
that can be used to do property replacement in configuration files with \
environment variables. Based on a pull request provided by Thomas Meyer. (markt)
Coyote
Fix: 63682: Fix a potential hang when using the asynchronous Servlet API to \
write the response body and the stream and/or connection window reaches 0 bytes \
in size. (markt)
Fix: 63690: Use the average of the current and previous sizes when \
calculating overhead for HTTP/2 DATA and WINDOW_UPDATE frames to avoid false \
positives as a result of client side buffering behaviour that causes a small \
percentage of non-final DATA frames to be smaller than expected. (markt)
Fix: 63706: Avoid NPE accessing https port with plaintext. (remm)
Fix: Correct typos in the names of the configuration attributes \
overheadDataThreshold and overheadWindowUpdateThreshold. (markt)
Fix: If the HTTP/2 connection requires an initial window size larger than \
the default, send a WINDOW_UPDATE to increase the flow control window for the \
connection so that the initial size of the flow control window for the \
connection is consistent with the increased value. (markt)
Fix: 63710: When using HTTP/2, ensure that a content-length header is not \
set for those responses with status codes that do not permit one. (markt)
Fix: 63737: Correct various issues when parsing the accept-encoding header \
to determine if gzip encoding is supported including only parsing the first \
header found. (markt)
Jasper
Fix: 63724: Correct a regression introduced in 9.0.21 that broke compilation \
of JSPs in some configurations. (markt)
Web applications
Fix: Correct the source code links on the index page for the ROOT web \
application to point to Git rather than Subversion. (markt)
Fix: Fix various issues with the Javadoc generated for the documentation web \
application to enable release builds to be built with Java 10 onwards. (markt)
Fix: 63733: Remove the documentation for the "Additional \
Components" since they have been removed / merged into the core Tomcat \
distribution for 9.0.5 onwards. (markt)
Fix: 63739: Correct the invalid Automatic-Module-Name manifest entries for \
the Tomcat provided JARs included in the Tomcat embedded distribution. (markt)
Fix: Fix a large number of Javadoc and documentation typos. Patch provided \
by KangZhiDong. (markt)
Fix: Spelling and formatting corrections for the cluster how-to. Pull \
request provided by Bill Mitchell. (markt)
Other
Add: Expand the coverage and quality of the French translations provided \
with Apache Tomcat. (remm)
Add: Expand the coverage and quality of the Simplified Chinese translations \
provided with Apache Tomcat. Includes contributions by leeyazhou and 康智冬. \
(markt)
Fix: 62140: Additional usage documentation in comments for \
catalina.[bat|sh]. (markt)
Fix: Fix JSSE_OPTS quoting in catalina.bat. Contributed by Peter Uhnak. \
(fschumacher)
Update: 63625: Update to Commons Daemon 1.2.1. This corrects several \
regressions in Commons Daemon 1.2.1, most notably the Windows Service crashing \
on start when using 32-bit JVMs. (markt)
Fix: 63689: Correct a regression in the fix for 63285 that meant that when \
installing a service, the service display name was not set. (markt)
Fix: When performing a silent install with the Windows Installer, ensure \
that the registry entries are added to the 64-bit registry when using a 64-bit \
JVM. (markt)
Fix: Remove unused i18n messages and associated translations. Patch provided \
by KangZhiDong. (markt)
Add: Expand the coverage and quality of the Korean translations provided \
with Apache Tomcat. (woonsan)
2019-08-17 Tomcat 9.0.24 (markt)
Coyote
Code: Remove the code in the sendfile poller that ensured smaller pollsets \
were used with older, no longer supported versions of Windows that could not \
support larger pollsets. (markt)
not released Tomcat 9.0.23 (markt)
Catalina
Update: 63627: Implement more fine-grained handling in \
RealmBase.authenticate(GSSContext, boolean). (michaelo)
Add: 62496: Add option to write auth information (remote user/auth type) to \
response headers. (michaelo)
Add: 57665: Add support for the X-Forwarded-Host header to the \
RemoteIpFilter and RemoteIpValve. (markt)
Fix: 63550: Only try the alternateURL in the JNDIRealm if one has been \
specified. (markt)
Add: 63556: Mark request as forwarded in RemoteIpValve and RemoteIpFilter \
(michaelo)
Fix: If an unhandled exception occurs on an asynchronous thread started via \
AsyncContext.start(Runnable), process it using the standard error page \
mechanism. (markt)
Fix: Discard large byte buffers allocated using setBufferSize when recycling \
the request. (remm)
Fix: 63579: Correct parsing of malformed OPTIONS requests and reject them \
with a 400 response rather than triggering an internal error that results in a \
500 response. (markt)
Fix: 63608: Align the implementation of the negative match feature for \
patterns used with the RewriteValve with the description in the documentation. \
(markt)
Fix: Avoid a NullPointerException in the CrawlerSessionManagerValve if no \
ROOT Context is deployed and a request does not map to any of the other deployed \
Contexts. Patch provided by Jop Zinkweg. (markt)
Fix: 63636: Context.findRoleMapping() never called in \
StandardWrapper.findSecurityReference(). (michaelo)
Coyote
Code: Refactor the APR poller to always use a single pollset now that the \
Windows operating systems that required multiple smaller pollsets to be used are \
no longer supported. (markt)
Fix: 63524: Improve the handling of PEM file based keys and certificates \
that do not include a full certificate chain when configuring the internal, \
in-memory key store. Improve the handling of PKCS#1 formatted private keys when \
configuring the internal, in-memory key store. (markt)
Update: Add callback when finishing the set properties rule in the digester. \
(remm)
Fix: 63570: Fix regression retrieving local address with the NIO connector. \
Submitted by Aditya Kadakia. (remm)
Fix: 63568: Avoid error when trying to set tcpNoDelay on socket types that \
do not support it, which can occur when using the NIO inherited channel \
capability. Submitted by František Kučera. (remm)
Fix: Correct parsing of invalid host names that contain bytes in the range \
128 to 255 and reject them with a 400 response rather than triggering an \
internal error that results in a 500 response. (markt)
Fix: 63571: Allow users to configure infinite TLS session caches and/or \
timeouts. (markt)
Fix: 63578: Improve handling of invalid requests so that 400 responses are \
returned to the client rather than 500 responses. (markt)
Fix: Fix h2spec test suite failure. It is an error if a Huffman encoded \
string literal contains the EOS symbol. (jfclere)
Add: Connections that fail the TLS handshake will now appear in the access \
logs with a 400 status code. (markt)
Fix: Timeouts for HTTP/2 connections were not always correctly handled \
leaving some connections open for longer than expected. (markt)
Fix: 63650: Refactor initialisation for JSSE based TLS connectors to enable \
custom JSSE providers that provide custom cipher suites to be used. (markt)
Add: Expand the HTTP/2 excessive overhead protection to cover various forms \
of abusive client behaviour and close the connection if any such behaviour is \
detected. (markt)
Fix: Fix a crash on shutdown with the APR/native connector when a blocking \
I/O operation was still in progress when the connector stopped. (markt)
Cluster
Fix: Avoid failing Kubernetes membership (and preventing startup) if the \
stream cannot be opened, to get the same behavior as the DNS based membership. \
The namespace is still a failure on startup but it is easy to provide. (remm)
Fix: Avoid non fatal NPEs with Tribes when JMX is not available. (remm)
Fix: Make Kube environment optional for Kube memberships, for easier testing \
and Graal training. A warn log will occur if the environment is not present. \
(remm)
Web applications
Fix: 63597: Update the custom 404 error page for the Host Manager to take \
account of previous refactoring so that the page is used for 404 errors rather \
than falling back to the default error page. (markt)
Other
Fix: JNDI support for GraalVM native images. (remm)
Fix: JSP runtime library support for GraalVM native images. (remm)
Fix: java.util.logging configuration for GraalVM native images. (remm)
Update: Update Checkstyle to 8.22. (markt)
Update: 62696: The digital signature for the Windows installer now uses \
SHA-256 for hashes. (markt)
Update: 63310: Update to Commons Daemon 1.2.0. This provides improved \
support for Java 11. This also changes the user configured by the Windows \
installer for the Windows service from Local System to the lower privileged \
Local Service. (markt)
Fix: 55969: Tighten up the security of the Apache Tomcat installation \
created by the Windows installer. Change the default shutdown port used by the \
Windows installer from 8005 to -1 (disabled). Limit access to the chosen \
installation directory to local administrators, Local System and Local Service. \
(markt)
Add: Expand the coverage and quality of the French translations provided \
with Apache Tomcat. (remm)
Add: 63285: Add an option to service.bat so that when installing a Windows \
service, the name of the executables used by the Windows service may be changed \
to match the service name. This makes the installation behaviour consistent with \
the Windows installer. The original executable names will be restored when the \
Windows service is removed. The renaming can be enabled by using the new \
--rename option after the service name. (markt)
Fix: 63567: Restore the passing of $LOGGING_MANAGER to the jvm in \
catalina.sh when calling stop. (markt)
Fix: Correct broken OSGi data in JAR file manifests. (markt)
Fix: Add "embed" to the Bundle-Name and Bundle-Symbolic-Name for \
the Tomcat embedded WebSocket JAR to align the naming with the other embedded \
JARs and to differentiate it from the standard WebSocket JAR that does not \
include the API classes. (markt)
Fix: 63555: Add Automatic-Module-Name entries for each of the Tomcat \
provided JARs included in the Tomcat embedded distribution. (markt)
Update: Update dependency on bnd to 4.2.0. (markt)
Update: Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to \
pick up the fix for CODEC-134. (markt)
Update: Update the internal fork of Commons Pool2 to 796e32d (2018-08-01) to \
pick up the changes Commons Pool2 2.7.0. (markt)
Update: Update the internal fork of Commons DBCP2 to 87d9e3a (2018-08-01) to \
pick up the changes Commons DBCP2 2.7.0 and DBCP-555. (markt)
Update: 63648: Update the test TLS keys and certificates used in the test \
suite to replace the keys and certificates that are about to expire. (markt)
Log message:
Update to 9.0.22
Changelog:
Tomcat 9.0.22 (markt)
Catalina
Fix: Improve parsing of Range request headers. (markt)
Fix: Range headers that specify a range unit Tomcat does not recognise \
should be ignored rather than triggering a 416 response. Based on a pull request \
by zhanhb. (markt)
Fix: When comparing a date from a If-Range header, an exact match is \
required. Based on a pull request by zhanhb. (markt)
Fix: Add an option to the default servlet to disable processing of PUT \
requests with Content-Range headers as partial PUTs. The default behaviour \
(processing as partial PUT) is unchanged. Based on a pull request by zhanhb. \
(markt)
Fix: Improve parsing of Content-Range headers. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.23. (markt)
Coyote
Fix: Remove a source of potential deadlocks when using HTTP/2 when the \
Connector is configured with useAsyncIO as true. (markt)
Fix: 63523: Restore SSLUtilBase methods as protected to preserve \
compatibility. (remm)
Fix: Fix typo in UTF-32LE charset name. Patch by zhanhb via Github. (fschumacher)
Fix: Once a URI is identified as invalid don't attempt to process it \
further. Based on a PR by Alex Repert. (markt)
Fix: Fix to avoid the possibility of long poll times for individual pollers \
when using multiple pollers with APR. (markt)
Fix: Refactor the fix for 63205 so it only applies when using PKCS12 \
keystores as regressions have been reported with some other keystore types. \
(markt)
Jasper
Add: Include file names if SMAP processor is unable to delete or rename a \
class file during SMAP generation. (markt)
Update: Update to the Eclipse JDT compiler 4.12. (markt)
WebSocket
Fix: 63521: As required by the WebSocket specification, if a POJO that is \
deployed as a result of the SCI scan for annotated POJOs is subsequently \
deployed via the programmatic API ignore the programmatic deployment. (markt)
Other
Fix: Switch the check for terminal availability to test for stdin as using \
stdout does not work when output is piped to another process. Patch provided by \
Radosław Józwik. (markt)
Add: Add user buildable optional modules for easier CDI 2 and JAX-RS \
support. Also include a new documentation page describing how to use it. (remm)
2019-06-07 Tomcat 9.0.21 (markt)
Catalina
Add: 57287: Add file sorting to DefaultServlet (schultz)
Fix: Fix --no-jmx flag processing, which was called after registry \
initialization. (remm)
Fix: Ensure that a default request character encoding set on a \
ServletContext is used when calling ServletRequest#getReader(). (markt)
Fix: Make a best efforts attempt to clean-up if a request fails during \
processing due to an OutOfMemoryException. (markt)
Fix: Improve the BoM detection for static files handled by the default \
servlet for the rarely used UTF-32 encodings. Identified by Coverity Scan. \
(markt)
Fix: Ensure that the default servlet reads the entire global XSLT file if \
one is defined. Identified by Coverity Scan. (markt)
Fix: Avoid potential NullPointerException when generating an HTTP Allow \
header. Identified by Coverity Scan. (markt)
Code: Add Context.createInstanceManager() for easier framework integration. \
(remm)
Code: Add utility org.apache.catalina.core.FrameworkListener to allow \
replicating adding a Listener to context.xml in a programmatic way. (remm)
Code: Move Container.ADD_CHILD_EVENT to before the child container start, \
and Container.REMOVE_CHILD_EVENT to before removal of the child from the \
internal child collection. (remm)
Add: Remove any fragment included in the target path used to obtain a \
RequestDispatcher. The requested target path is logged as a warning since this \
is an application error. (markt)
Coyote
Fix: NIO poller seems to create some unwanted concurrency, causing rare CI \
test failures. Add sync when processing async operation to avoid this. (remm)
Fix: Fix concurrency issue that led to incorrect HTTP/2 connection timeout. \
(remm/markt)
Fix: Avoid useless exception wrapping in async IO. (remm)
Fix: 63412: Security manager failure when using the async IO API from a \
webapp. (remm)
Fix: Remove acceptorThreadCount Connector attribute, one accept thread is \
sufficient. As documented, value 2 was the only other sensible value, but \
without an impact beyond certain microbenchmarks. (remm)
Fix: Avoid possible NPEs on connector stop. (remm)
Update: Remove pollerThreadCount Connector attribute for NIO, one poller \
thread is sufficient. (remm)
Add: Add async IO for APR connector for consistency, but disable it by \
default due to low performance. (remm)
Fix: Avoid blocking write of internal buffer when using async IO. (remm)
Code: Refactor async IO implementation to the SocketWrapperBase. (remm)
Update: Refactor SocketWrapperBase close using an atomic boolean and a \
doClose method that subclasses will implement, with a guarantee that it will be \
run only once. (remm)
Fix: Decouple the socket wrapper, which is not recycled, from the NIOx \
channel after close, and replace it with a dummy static object. (remm)
Fix: Clear buffers on socket wrapper close. (remm)
Fix: NIO2 failed to properly close sockets on connector stop. (remm)
Update: Reduce the default for maxConcurrentStreams on the Http2Protocol \
from 200 to 100 to align with typical defaults for HTTP/2 implementations. \
(markt)
Update: Reduce the default HTTP/2 header list size from 4GB to 32kB to align \
with typical HTTP/2 implementations. (markt)
Add: Add support for same-site cookie attribute. Patch provided by John \
Kelly. (markt)
Fix: Drop legacy NIO double socket close (close channel, then close socket). \
(remm)
Fix: Fix HTTP/2 end of stream concurrency with async. (remm)
Fix: Correct a bug in the stream flushing code that could lead to multiple \
threads processing the stream concurrently which in turn could cause errors \
processing the stream. (markt)
Cluster
Fix: 62841: Refactor the DeltaRequest serialization to reduce the window \
during which the DeltaSession is locked and to remove a potential cause of \
deadlocks during serialization. (markt)
Fix: 63441: Further streamline the processing of session creation messages \
in the DeltaManager to reduce the possibility of a session update message being \
processed before the session has been created. (markt)
WebSocket
d: Expand the explanation of how deprecated TLS configuration attributes are \
converted to the new TLS configuration style. (markt)
Tribes
Fix: Treat NoRouteToHostException the same way as SocketTimeoutException \
when checking the health of group membaven packaging. (remm)
Fix: 63403: Fix TestHttp2InitialConnection test failures when running with a \
non-English locale. (kkolinko)
Fix: Add Graal JreCompat, and use it to disable JMX and URL stream handlers. \
(remm)
Add: Expand the coverage and quality of the \
Simplified Chinese translations provided with Apache Tomcat. Includes \
contributions by 諵. (markt)
Fix: Use the test command to check for terminal availability rather than the \
tty command since the tty based te
Fix: Fix some edge cases where the docBase was not being set using a \
canonical path which in turn meant resource URLs were not being constructed as \
expected. (markt)
Fix: Fix a potential resource leak when executing CGI scripts from a WAR \
file. Identified by Coverity scan. (markt)
Fix: Fix a potential concurrency issue in the StringCache identified by \
Coverity scan. (markt)
Fix: Fix a potential concurrency issue in the main Sendfile thread of the \
APR connector. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak when running a web application from a WAR \
file. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak on some exception paths in the \
DataSourceRealm. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak on an exception path when parsing JSP \
files. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak when a JNDI lookup returns an object of \
an incompatible class. Identified by Coverity scan. (markt)
Code: Refactor ManagerServlet to avoid loading classes when filtering JNDI \
resources for resources of a specified type. (markt)
Fix: 63324: Refactor the CrawlerSessionManagerValve so that the object \
placed in the session is compatible with session serialization with mem-cached. \
Patch provided by Martin Lemanski. (markt)
Add: 63358: Expand the throwOnFailure support in the Connector to include \
the adding of a Connector to a running Service. (markt)
Add: 63361: Add a new method (Registry.disableRegistry()) that can be used \
to disable JMX registration of Tomcat components providing it is called before \
the first component is registered. (markt)
Fix: Avoid OutOfMemoryErrors and ArrayIndexOutOfBoundsExceptions when \
accessing large files via the default servlet when resource caching has been \
disabled. (markt)
Fix: Avoid a NullPointerException when a Context is defined in server.xml \
with a docBase but not the optional path. (markt)
Fix: 63333: Override the isAvailable() method in the JAASRealm so that only \
login failures caused by invalid credentials trigger account lock out when the \
LockOutRealm is in use. Patch provided by jchobantonov. (markt)
Fix: Add --no-jmx flag to allow disabling JMX in startup.Tomcat.main. (remm)
Coyote
Fix: The useAsyncIO boolean attribute on the Connector element value now \
defaults to true. (remm)
Fix: Possible HTTP/2 connection leak issue when using async with NIO. (remm)
Fix: Fix socket close discrepancies for NIO, now the wrapper close is used \
everywhere except for socket accept problems. (remm)
Fix: Implement poller timeout when using async IO with NIO. (remm)
Fix: Avoid creating and using object caches when they are disabled. (remm)
Fix: When running on newer JREs that don't support SSLv2Hello, don't warn \
that it is not available unless explicitly configured. (markt)
Fix: Change default value of pollerThreadCount of NIO to 1. (remm)
Fix: Associate BlockPoller thread name with its NIO connector for better \
readability. (remm)
Fix: The async HTTP/2 frame parser should tolerate concurrency so clearing \
shared buffers before attempting a read is not possible. (remm)
Update: Update the HTTP/2 connection preface and initial frame reading to be \
asynchronous instead of blocking IO. (remm)
Code: Refactor Hostname validation to improve performance. Patch provided by \
Uwe Hees. (markt)
Update: Add additional NIO2 style read and write methods closer to core \
NIO2, for possible use with an asynchronous workflow like CompletableFuture. \
(remm)
Fix: Expand HTTP/2 timeout handling to include connection window exhaustion \
on write. This is the fix for CVE-2019-10072. (markt)
Jasper
Fix: 63359: Ensure that the type conversions used when converting from \
strings for jsp:setProperty actions are correctly implemented as per section \
JSP.1.14.2.1 of the JSP 2.3 specification. (markt)
Other
Fix: 63335: Ensure that stack traces written by the OneLineFormatter are \
fully indented. The entire stack trace is now indented by an additional TAB \
character. (markt)
Fix: 63370: Message files (LocalStrings_*.properties) of the examples webapp \
not converted to ascii. (woonsan)
Add: Expand the coverage and quality of the French translations provided \
with Apache Tomcat. (remm)
Add: Expand the coverage and quality of the Japanese translations provided \
with Apache Tomcat. Includes contributions by motohashi.yuki. (markt)
Add: Expand the coverage and quality of the Czech translations provided with \
Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
Fix: When using the OneLineFormatter, don't print a blank line in the log \
after printing a stack trace. (markt)
Update: Update the internal fork of Apache Commons FileUpload to 41e4047 \
(2019-04-24) pick up some enhancements. (markt)
Update: Update the internal fork of Apache Commons DBCP 2 to dcdbc72 \
(2019-04-24) to pick up some clean-up and enhancements. (markt)
Update: Update the internal fork of Apache Commons Pool 2 to 0664f4d \
(2019-04-30) to pick up some enhancements and bug fixes. (markt)
2019-04-13 Tomcat 9.0.19 (markt)
Catalina
Fix: Fix wrong JMX registration regression in 9.0.18. (remm)
Coyote
Update: Add vectoring for NIO in the base and SSL channels. (remm)
Add: Add asynchronous IO from NIO2 to the NIO connector, with support for \
the async IO implementations for HTTP/2 and Websockets. The useAsyncIO boolean \
attribute on the Connector element allows enabling use of the asynchronous IO \
API. (remm)
Other
Fix: Ensure that the correct files are included in the source distribution \
for javacc based parsers depending on whether jjtree is used or not. (markt)
Fix: Ensure that text files in the source distribution have the correct line \
endings for the target platform. (markt)
not released Tomcat 9.0.18 (markt)
Catalina
Fix: 63196: Provide a default (X-Forwarded-Proto) for the protocolHeader \
attribute of the RemoteIpFilter and RemoteIpValve. (markt)
Fix: 63235: Refactor Charset cache to reduce start time. (markt)
Fix: 63249: Use a consistent log level (WARN) when logging the failure to \
register or deregister a JMX Bean. (markt)
Fix: 63249: Use a consistent log level (ERROR) when logging the \
LifecycleException associated with the failure to start or stop a component. \
(markt)
Fix: When the SSI directive fsize is used with an invalid target, return a \
file size of - rather than 1k. (markt)
Fix: 63251: Implement a work-around for a known JRE bug (JDK-8194653) that \
may cause a dead-lock when Tomcat starts. (markt)
Fix: 63275: When using a RequestDispatcher ensure that \
HttpServletRequest.getContextPath() returns an encoded path in the dispatched \
request. (markt)
Update: Add optional listeners for Server/Listener, as a slight variant of a \
standard listener. The difference is that loading is not fatal when it fails. \
This would allow adding example configuration to the standard server.xml if \
deemed useful. Storeconfig will not attempt to persist the new listener. (remm)
Fix: 63286: Document the differences in behaviour between the LogFormat \
directive in httpd and the pattern attribute in the AccessLogValve for %D and \
%T. (markt)
Fix: 63287: Make logging levels more consistent for similar issues of \
similar severity. (markt)
Fix: 63311: Add support for https URLs to the local resolver within Tomcat \
used to resolve standard XML DTDs and schemas when Tomcat is configured to \
validate XML configuration files such as web.xml. (markt)
Fix: Encode the output of the SSI printenv command. This is the fix for \
CVE-2019-0221. (markt)
Code: Use constants for SSI encoding values. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to \
true, limit the encoded form of the individual command line arguments to those \
values allowed by RFC 3875. This restriction may be relaxed by the use of the \
new initialisation parameter cmdLineArgumentsEncoded. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to \
true, limit the decoded form of the individual command line arguments to known \
safe values when running on Windows. This restriction may be relaxed by the use \
of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for \
CVE-2019-0232. (markt)
Coyote
Fix: Fix bad interaction between NIO2 async read API and the regular read. (remm)
Fix: Refactor NIO2 write pending strategy for the classic IO API. (remm)
Fix: Restore original maxConnections default for NIO2 as the underlying \
close issues have been fixed. (remm)
Fix: Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
Fix: When using a JSSE TLS connector that supported ALPN (Java 9 onwards) \
and a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and \
instead dropped the connection. (markt)
Fix: Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 \
that prevented the use of PKCS#8 private keys with OpenSSL based connectors. \
(markt)
Fix: Fix NIO2 SSL edge cases. (remm)
Fix: When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any \
query string present in the original HTTP/1.1 request is passed to the HTTP/2 \
request processing. (markt)
Fix: When Tomcat writes a final response without reading all of an HTTP/2 \
request, reset the stream to inform the client that the remaining request body \
is not required. (markt)
Jasper
Add: Add support for specifying Java 11 (with the value 11) as the compiler \
source and/or compiler target for JSP compilation. (markt)
Add: Add support for specifying Java 12 (with the value 12) and Java 13 \
(with the value 13) as the compiler source and/or compiler target for JSP \
compilation. If used with an ECJ version that does not support these values, a \
warning will be logged and the latest supported version will be used. Based on a \
patch by Thomas Collignon. (markt)
Web applications
Fix: 63184: Expand the SSI documentation to provide more information on the \
supported directives and their attributes. Patch provided by nightwatchcyber. \
(markt)
Add: Add a note to the documentation about the risk of DoS with poorly \
written regular expressions and the RewriteValve. Patch provided by salgattas. \
(markt)
jdbc-pool
Fix: Improved maxAge handling. Add support for age check on idle \
connections. Connection that expired reconnects rather than closes it. Patch \
provided by toby1984. (kfujino)
Fix: 63320: Ensure that StatementCache caches statements that include arrays \
in arguments. (kfujino)
Other
Update: Update to the Eclipse JDT compiler 4.10. (markt)
Add: Expand the coverage and quality of the Spanish translations provided \
with Apache Tomcat. Includes contributions by Ulises Gonzalez Horta. (markt)
Add: Expand the coverage and quality of the Czech translations provided with \
Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
Add: Expand the coverage and quality of the Chinese translations provided \
with Apache Tomcat. Includes contributions by winsonzhao and wjt. (markt)
Add: Expand the coverage and quality of the Russian translations provided \
with Apache Tomcat. (kkolinko)
Add: Expand the coverage and quality of the Japanese translations provided \
with Apache Tomcat. (kfujino)
Add: Expand the coverage and quality of the Korean translations provided \
with Apache Tomcat. (woonsan)
Add: Expand the coverage and quality of the German translations provided \
with Apache Tomcat. (fschumacher)
Add: Expand the coverage and quality of the French translations provided \
with Apache Tomcat. (remm)