Subject: CVS commit: [pkgsrc-2016Q4] pkgsrc/www/apache-tomcat8
From: Benny Siegert
Date: 2017-03-03 16:21:29
Message id: 20170303152129.28123FBE4@cvs.NetBSD.org

Log Message:
Pullup ticket #5220 - requested by spz
www/apache-tomcat8: security fix

Revisions pulled up:
- www/apache-tomcat8/Makefile                                   1.9-1.10
- www/apache-tomcat8/PLIST                                      1.5-1.7
- www/apache-tomcat8/distinfo                                   1.10-1.11

---
   Module Name:    pkgsrc
   Committed By:   spz
   Date:           Sun Jan  1 17:26:13 UTC 2017

   Modified Files:
           pkgsrc/www/apache-tomcat8: Makefile PLIST distinfo

   Log Message:
   update to current tomcat 8.0 train version, fixing CVE-2016-5388.

   Changelog:

   Tomcat 8.0.39 (violetagg)
   Catalina

       Fix: When creating a new Connector via JMX, ensure that both HTTP/1.1 and \ 
AJP/1.3 connectors can be created. (markt)
       Fix: Include the Context name in the log message when an item cannot be \ 
added to the cache. (markt)
       Fix: Exclude JAR files in /WEB-INF/lib from the static resource cache. (markt)
       Fix: When calling getResourceAsStream() on a directory, ensure that null \ 
is returned. (markt)
       Fix: 60161: Allow creating subcategories of the container logger, and use \ 
it for the rewrite valve. (remm)
       Fix: Correctly test for control characters when reading the provided \ 
shutdown password. (markt)
       Fix: When configuring the JMX remote listener, specify the allowed types \ 
for the credentials. (markt)

   Coyote

       Fix: Correct the HTTP header parser so that DEL is not treated as a valid \ 
token character. (markt)
       Fix: 60319: When using an Executor, disconnect it from the Connector \ 
attributes maxThreads, minSpareThreads and threadPriority to enable the \ 
configuration settings to be consistently reported.
   These Connector attributes will be reported as -1 when an Executor is in use. \ 
The values used by the executor may be set and obtained via the Executor. \ 
(markt)
       Fix: If an I/O error occurs during async processing on a non-container \ 
thread, ensure that the onError() event is triggered. (markt)
       Fix: Improve detection of I/O errors during async processing on \ 
non-container threads and trigger async error handling when they are detected. \ 
(markt)
       Add: Add additional checks for valid characters to the HTTP request line \ 
parsing so invalid request lines are rejected sooner. (markt)

   Web applications

       Fix: Correct a typo in HTTP Connector How-To. Issue reported via \ 
comments.apache.org. (violetagg)
       Fix: Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
       Fix: Correct a typo in CGI How-To. Issue reported via \ 
comments.apache.org. (violetagg)

   Tribes

       Fix: When the proxy node sends a backup retrieve message, ensure that \ 
using the channelSendOptions that has been set rather than the default \ 
channelSendOptions. (kfujino)

   Other

       Update: Update the ECJ compiler to version 4.5.1. (markt)
       Fix: Remove classes from tomcat-util-scan.jar that are duplicates of \ 
those in tomcat-util.jar. (markt)

   2016-10-10 Tomcat 8.0.38 (markt)
   Catalina

       Add: 59961: Add an option to the StandardJarScanner to control whether or \ 
not JAR Manifests are scanned for additional class path entries. (markt)
       Fix: 60013: Refactor the previous fix to align the behaviour of the \ 
Rewrite Valve with mod_rewrite. As part of this, provide an implementation for \ 
the B and NE flags and improve the handling for
   the QSA flag. Includes multiple test cases by Santhana Preethiand a patch by \ 
Tiago Oliveira. (markt)
       Fix: 60087: Refactor the web resources handling to use the Tomcat \ 
specific war:file:... URL protocol to refer to WAR files and their contents \ 
rather than the standard jar:file:... form since some
   components of the JRE, such as JAR verification, give unexpected results when \ 
the standard form is used. A side-effect of the refactoring is that when using \ 
packed WARs, it is now possible to
   reference a WAR and/or specific JARs within a WAR in the security policy file \ 
used when running under a SecurityManager. (markt)
       Fix: 60116: Fix a problem with the rewrite valve that caused back \ 
references evaluated in conditions to be forced to lower case when using the NC \ 
flag. (markt)
       Fix: Ensure Digester.useContextClassLoader is considered in case the \ 
class loader is used. (violetagg)
       Fix: 60117: Ensure that the name of LogLevel is localized when using \ 
OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
       Fix: 60146: Improve performance for resource retrieval by making calls to \ 
WebResource.getInputStream() trigger caching if the resource is small enough. \ 
Patch provided by mohitchugh. (markt)
       Add: 60151: Improve the exception error messages when a ResourceLink \ 
fails to specify the type, specifies an unknown type or specifies the wrong \ 
type. (markt)
       Fix: 60167: Ignore empty lines in /etc/passwd files when using the \ 
PasswdUserDatabase. (markt)
       Fix: 60170: Exclude the compressed test file index.html.br from RAT \ 
analysis. Patch provided by Gavin McDonald. (markt)
       Fix: When starting web resources, ensure that class resources are only \ 
started once. (markt)
       Fix: Improve the access checks for linked global resources to handle the \ 
case where the current class loader is a child of the web application class \ 
loader. (markt)
       Fix: 60199: Log a warning if deserialization issues prevent a session \ 
attribute from being loaded. (markt)

   Coyote

       Fix: Correctly handle a call to AsyncContext.complete() from a \ 
non-container thread when non-blocking I/O is being used. (markt)
       Add: Refactor the code that implements the requirement that a call to \ 
complete() or dispatch() made from a non-container thread before the container \ 
initiated thread that called startAsync()
   completes must be delayed until the container initiated thread has completed. \ 
Rather than implementing this by blocking the non-container thread, extend the \ 
internal state machine to track this. This
   removes the possibility that blocking the non-container thread could trigger \ 
a deadlock. (markt)
       Fix: 60123: Avoid potential threading issues that could cause excessively \ 
large vales to be returned for the processing time of a current request. (markt)
       Fix: 60174: Log instances of HeadersTooLargeException during request \ 
processing. (markt)

   Jasper

       Fix: 60101: Remove preloading of the class that was deleted. (violetagg)

   Web applications

       Add: Expand the documentation for the nested elements within a Resources \ 
element to clarify the behaviour of different configuration options with respect \ 
to the order in which resources are
   searched. (markt)
       Add: Add an example of using the classesToInitialize attribute of the \ 
JreMemoryLeakPreventionListener to the documentation web application. Based on a \ 
patch by Cris Berneburg. (markt)
       Fix: 60192: Correct a typo in the status output of the Manager \ 
application. Patch provided by Radhakrishna Pemmasani. (markt)

   jdbc-pool

       Fix: Notify jmx when returning the connection that has been marked \ 
suspect. (kfujino)
       Fix: Ensure that the POOL_EMPTY notification has been added to the jmx \ 
notification types. (kfujino)
       Fix: 60099: Ensure that use all method arguments as a cache key when \ 
using StatementCache. (kfujino)
       Fix: 60139: Correct Javadocs for PoolConfiguration.getValidationInterval \ 
and setValidationInterval. Reported by Phillip Webb. (kfujino)

   Other

       Fix: Update the download location for Objenesis. (violetagg)
       Fix: 60164: Replace log4j-core*.jar with log4j-web*.jar since it is \ 
log4j-web*.jar that contains the ServletContainerInitializer. (markt)
       Add: Add documentation to the bin/catalina.bat script to remind users \ 
that environment variables don't affect the configuration of Tomcat when run as \ 
a Windows Service. Based upon a documentation
   patch by James H.H. Lampert. (schultz)
       Update: Update the packaged version of the Tomcat Native Library to \ 
1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)

   2016-09-05 Tomcat 8.0.37 (markt)
   Catalina

       Fix: 57705: Add debug logging for requests denied by the remote host and \ 
remote address valves and filters. Based on a patch by Graham Leggett. (markt)
       Add: 59399: Add a new option to the Realm implementations that ship with \ 
Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to \ 
be controlled per Realm. (markt)
       Update: Change the default of the sessionCookiePathUsesTrailingSlash \ 
attribute of the Context element to false since the problems caused when a \ 
Servlet is mapped to /* are more significant than
   the security risk of not enabling this option by default. (markt)
       Fix: Do not attempt to start web resources during a web application's \ 
initialisation phase since the web application is not fully configured at that \ 
point and the web resources may not be
   correctly configured. (markt)
       Fix: 59708: Modify the LockOutRealm logic. Valid authentication attempts \ 
during the lock out period will no longer reset the lock out timer to zero. \ 
(markt)
       Fix: Improve error handling around user code prior to calling \ 
InstanceManager.destroy() to ensure that the method is executed. (markt)
       Fix: 59813: Ensure that circular relations of the Class-Path attribute \ 
from JAR manifests will be processed correctly. (violetagg)
       Fix: Ensure that reading the singleThreadModel attribute of a \ 
StandardWrapper via JMX does not trigger initialisation of the associated \ 
servlet. With some frameworks this can trigger an
   unexpected initialisation thread and if initilisation is not thread-safe the \ 
initialisation can then fail. (markt)
       Fix: Compatibility with rewrite from httpd for non existing headers. (jfclere)
       Fix: By default, treat paths used to obtain a request dispatcher as \ 
encoded. This behaviour can be changed per web application via the \ 
dispatchersUseEncodedPaths attribute of the Context. (markt)
       Fix: 59839: Apply roleSearchAsUser to all nested searches in JNDIRealm. \ 
(fschumacher)
       Fix: 59859: Fix resource leak in WebDAV servlet. Based on patch by Coty \ 
Sutherland. (fschumacher)
       Add: Provide a mechanism that enables the container to check if a \ 
component (typically a web application) has been granted a given permission when \ 
running under a SecurityManager without the
   current execution stack having to have passed through the component. Use this \ 
new mechanism to extend SecurityManager protection to the system property \ 
replacement feature of the digester. (markt)
       Add: When retrieving an object via a ResourceLink, ensure that the object \ 
obtained is of the expected type. (markt)
       Fix: 59824: Mark the RewriteValve as supporting async processing by \ 
default. (markt)
       Fix: 59862: Allow nested jar files scanning to be filtered with the \ 
system property tomcat.util.scan.StandardJarScanFilter.jarsToSkip. Patch is \ 
provided by Terence Bandoian. (violetagg)
       Fix: 59866: When scanning WEB-INF/classes for annotations, don't scan the \ 
contents of WEB-INF/classes/META-INF (if present) since classes will never be \ 
loaded from that location. (markt)
       Fix: 59888: Correctly handle tabs and spaces in quoted version one \ 
cookies when using the Rfc6265CookieProcessor. (markt)
       Fix: 59912: Fix an edge case in input stream handling where an \ 
IOException could be thrown when reading a POST body. (markt)
       Fix: 59960: Fix Javadoc so it builds with Java 8. Patch by Coty \ 
Sutherland. (markt)
       Fix: 59966: Do not start the web application if the error page \ 
configuration in web.xml is invalid. (markt)
       Fix: Switch the CGI servlet to the standard logging mechanism and remove \ 
support for the debug attribute. (markt)
       Fix: Changes to the allowLinking attribute of a StandardRoot instance now \ 
invalidate the cache if caching is enabled. (markt)
       Add: Add a new initialisation parameter, envHttpHeaders, to the CGI \ 
Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a \ 
mechanism that can be used to mitigate any future,
   similar issues. (markt)
       Add: When adding and removing ResourceLinks dynamically, ensure that the \ 
global resource is only visible via the ResourceLinkFactory when it is meant to \ 
be. (markt)
       Fix: 60008: When processing CORs requests, treat any origin with a URI \ 
scheme of file as a valid origin. (markt)
       Fix: Improve handling of exceptions during a Lifecycle events triggered \ 
by a state transition. The exception is now caught and the component is now \ 
placed into the FAILED state. (markt)
       Fix: 60013: Fix encoding issues when using the RewriteValve with UTF-8 \ 
query strings or UTF-8 redirect URLs. (markt)
       Fix: 60022: Improve handling when a WAR file and/or the associated \ 
exploded directory are symlinked into the appBase. (markt)
       Fix: Fix a file descriptor leak when reading the global web.xml. (markt)
       Fix: Consistently decode URL patterns provided via web.xml using the \ 
encoding of the web.xml file where specified or UTF-8 where no explicit encoding \ 
is specified. (markt)
       Fix: Make timing attacks against the Realm implementations harder. (schultz)

   Coyote

       Fix: Improve error handling around user code prior to calling \ 
InstanceManager.destroy() to ensure that the method is executed. (markt)
       Fix: Extend synchronization for NIO2 writes to avoid \ 
ConcurrentModificationException observed during testing. (markt)
       Fix: 59904: Add a limit (default 200) for the number of cookies allowed \ 
per request. Based on a patch by gehui. (markt)
       Fix: 59925: Correct regression in r1628368 and ensure that HTTP \ 
separators are handled as configured in the LegacyCookieProcessor. Patch \ 
provided by Kyohei Nakamura. (markt)
       Fix: OpenSSL now disables 3DES by default so reflect this when using \ 
OpenSSL syntax to select ciphers. (markt)

   Jasper

       Fix: Improve error handling around user code prior to calling \ 
InstanceManager.destroy() to ensure that the method is executed. (markt)
       Fix: Improve the error handling for custom tags to ensure that the tag is \ 
returned to the pool or released and destroyed once used. (markt)
       Fix: 60032: Fix handling of method calls that use varargs within EL value \ 
expressions. (markt)
       Fix: Ignore engineOptionsClass and scratchdir when running under a \ 
security manager. (markt)
       Fix: Fixed StringIndexOutOfBoundsException. Based on a patch provided by \ 
wuwen via Github. (violetagg)

   WebSocket

       Fix: Improve error handling around user code prior to calling \ 
InstanceManager.destroy() to ensure that the method is executed. (markt)
       Fix: 59908: Ensure that a reason phrase is included in the close message \ 
if a session is closed due to a timeout. (markt)

   Web Applications

       Fix: Do not log an additional case of IOExceptions in the error handler \ 
for the Drawboard WebSocket example when the root cause is the client \ 
disconnecting since the logs add no value. (markt)
       Fix: 59642: Mention the localDataSource in the DataSourceRealm section of \ 
the Realm How-To. (markt)
       Fix: Follow-up to the fix for 59399. Ensure that the new attribute \ 
transportGuaranteeRedirectStatus is documented for all Realms. Also document the \ 
NullRealm and when it is automatically created
   for an Engine. (markt)
       Fix: Fix the description of maxAge attribute in jdbc-pool doc. This \ 
attribute works both when a connection is returned and when a connection is \ 
borrowed. (kfujino)
       Fix: 59774: Correct the prefix values in the documented examples for \ 
configuring the AccessLogValve. Patch provided by Mike Noordermeer. (markt)
       Fix: 59868: Clarify the documentation for the Manager web application to \ 
make clearer that the host name and IP address in the server section are the \ 
primary host name and IP address. (markt)
       Fix: MBeans Descriptors How-To is moved to mbeans-descriptors-howto.html. \ 
Patch provided by Radoslav Husar. (violetagg)
       Fix: Update NIO Connector configuration documentation with an information \ 
about socket.directSslBuffer. (violetagg)
       Fix: 60034: Correct a typo in the Manager How-To page of the \ 
documentation web application. (markt)

   Tribes

       Add: Add log message when the ping has timed-out. (kfujino)
       Fix: If the ping message has been received at the \ 
AbstractReplicatedMap#leftOver method, ensure that notify the member is alive \ 
than ignore it. (kfujino)

   jdbc-pool

       Fix: Fix the duplicated connection release when connection verification \ 
failed. (kfujino)
       Fix: Ensure that do not remove the abandoned connection that has been \ 
already released. (kfujino)
       Fix: In order to avoid the unintended skip of PoolCleaner, remove the \ 
check code of the execution interval in the task that has been scheduled. \ 
(kfujino)
       Fix: 59850: Ensure that the ResultSet is closed when enabling the \ 
StatementCache interceptor. (kfujino)
       Fix: 59923: Reduce the default value of validationInterval in order to \ 
avoid the potential issue that continues to return an invalid connection after \ 
database restart. (kfujino)
       Fix: Ensure that the ResultSet is returned as Proxy object when enabling \ 
the StatementDecoratorInterceptor. (kfujino)
       Fix: 60043: Ensure that the suspectTimeout works without removing \ 
connection when the removeAbandoned is disabled. (kfujino)
       Fix: Add log message of when returning the connection that has been \ 
marked suspect. (kfujino)
       Fix: Correct Javadoc for ConnectionPool.suspect(). Based on a patch by \ 
Yahya Cahyadi. (markt)

   Other

       Update: 59276: Update optional Checkstyle library to 6.17. (kkolinko)
       Add: Use the mirror network rather than the ASF master site to download \ 
the current ASF dependencies. (markt)
       Update: Update the packaged version of the Tomcat Native Library to 1.2.8 \ 
to pick up the latest fixes and make 1.2.8 the minimum recommended version. \ 
(markt)
       Fix: 59899: Update Tomcat's copy of the Java Persistence annotations to \ 
include the changes made in 2.1 / JavaEE 7. (markt)
       Fix: Fixed typos in mbeans-descriptors.xml files. (violetagg)
       Update: Update the internal fork of Commons BCEL to r1757132 to align \ 
with the BCEL 6 release. (markt)
       Update: Update the internal fork of Commons DBCP2 to r1757164 to pick up \ 
a couple of bug fixes. (markt)
       Update: Update the internal fork of Commons Codec to r1757174. Code \ 
formatting changes only. (markt)
       Update: Update the internal fork of Commons FileUpload to afdedc9. This \ 
pulls in a fix to improve the performance with large multipart boundaries. \ 
(markt)

---
   Module Name:    pkgsrc
   Committed By:   spz
   Date:           Sat Feb  4 20:48:03 UTC 2017

   Modified Files:
           pkgsrc/www/apache-tomcat8: Makefile PLIST distinfo

   Log Message:
   Update to Tomcat 8.0.41. Upstream changelog:

   Tomcat 8.0.41 (violetagg)
   Cluster

       Add: Make the accessTimeout configurable in BackupManager. The \ 
accessTimeout is used as a timeout period for PING in replication map. (kfujino)

   Web applications

       Fix: Ensure the ASF logo image is displayed in host-manager. (violetagg)

   not released Tomcat 8.0.40 (violetagg)
   Catalina

       Add: 53602: Add HTTP status code 451 (RFC 7725) to the list of HTTP \ 
status codes recognised by Tomcat. (markt)
       Fix: 60446: Handle the case where the stored user credential uses a \ 
different key length than the length currently configured for the \ 
CredentialHandler. Based on a patch by Niklas Holm. (markt)
       Fix: 60351: Delay creating META-INF/war-tracker file until after the WAR \ 
has been expanded to address the case where the Tomcat process terminates during \ 
the expansion. (markt)
       Fix: Correctly handle the configClass attribute of a Host when embedding \ 
Tomcat. (markt)
       Fix: 60379: Dispose of the GSS credential once it is no longer required. \ 
Patch provided by Michael Osipov. (markt)
       Fix: 60380: Ensure that a call to HttpServletRequest#logout() triggers a \ 
call to TomcatPrincipal#logout(). Based on a patch by Michael Osipov. (markt)
       Fix: 60387: Correct the javadoc for \ 
o.a.catalina.AccessLog.setRequestAttributesEnabled. The default value is \ 
different for the different implementations. (violetagg)
       Code: 60393: Use consistent parameter naming in implementations of \ 
Realm#authenticate(GSSContext, boolean). (markt)
       Fix: 60395: Log when an Authenticator passes an incomplete GSSContext to \ 
a Realm since it indicates a bug in the Authenticator. Patch provided by Michael \ 
Osipov. (markt)
       Fix: Correctly generate URLs for resources located inside JARs that are \ 
themselves located inside a packed WAR file. (markt)
       Fix: 60410: Ensure that multiple calls to JarInputStreamWrapper#close() \ 
do not incorrectly trigger the closure of the underlying JAR or WAR file. \ 
(markt)
       Fix: 60411: Implement support in the RewriteValve for symbolic names to \ 
specify the redirect code to use when returning a redirect response to the user \ 
agent. Patch provided by Michael Osipov.
   (markt)
       Fix: 60413: In the RewriteValve write empty capture groups as the empty \ 
string rather than as "null" when generating the re-written URL. Based \ 
on a patch by Michael Osipov. (markt)
       Update: Update the warnings that reference required options for running \ 
on Java 9 to use the latest syntax for those options. (markt)
       Fix: 60513: Fix thread safety issue with RMI cleanup code. (remm)

   Coyote

       Fix: Ensure that the endpoint is able to unlock the acceptor thread \ 
during shutdown if the endpoint is configured to listen to any local address of \ 
a specific type such as 0.0.0.0 or ::. (markt)
       Fix: Prevent read time out when the file is deleted while serving the \ 
response. The issue was observed only with APR Connector and sendfile enabled. \ 
(violetagg)
       Fix: Improve the logic that selects an address to use to unlock the \ 
Acceptor to take account of platforms what do not listen on all local addresses \ 
when configured with an address of 0.0.0.0 or
   ::. (markt)
       Fix: 60409: When unable to complete sendfile request, ensure the \ 
Processor will be added to the cache only once. (markt/violetagg)

   Jasper

       Fix: 60431: Improve handling of varargs in UEL expressions. Based on a \ 
patch by Ben Wolfe. (markt)
       Fix: 60497: Restore previous tag reuse behavior following the use of \ 
try/finally. (remm)
       Fix: Improve the error handling for simple tags to ensure that the tag is \ 
released and destroyed once used. (remm)
       Fix: 60497: Follow up fix using a better variable name for the tag reuse \ 
flag. (remm)
       Fix: Revert use of try/finally for simple tags. (remm)

   Web applications

       Fix: Correct a typo in Host Configuration Reference. Issue reported via \ 
comments.apache.org. (violetagg)
       Fix: 60344: Add a note to BUILDING.txt regarding using the source bundle \ 
with the correct line endings. (markt)
       Fix: 60412: Add information on the comment syntax for the RewriteValve \ 
configuration. (markt)
       Fix: 60467: remove problematic characters from XML documentation. Based \ 
upon a patch by Michael Osipov. (schultz)
       Add: In the documentation web application, be explicit that clustering \ 
requires a secure network for all of the cluster network traffic. (markt)
       Update: Update the ASF logos to the new versions.
       Fix: 60468: Correct the format of the sample ISO-8601 date used to report \ 
the build date for the documentation. Patch provided by Michael Osipov. (markt)

   Tribes

       Fix: Reduce the warning logs for a message received from a different \ 
domain in order to avoid excessive log outputs. (kfujino)
       Add: Add log message that PING message has received beyond the timeout \ 
period. (kfujino)
       Fix: When a PING message that beyond the time-out period has been \ 
received, make sure that valid member is added to the map membership. (kfujino)

   WebSocket

       Fix: 60437: Avoid possible handshake overflows in the websocket client. (remm)

   jdbc-pool

       Add: 58816: Implement the statistics of jdbc-pool. The stats infos are \ 
borrowedCount, returnedCount, createdCount, releasedCount, reconnectedCount, \ 
releasedIdleCount and removeAbandonedCount.
   (kfujino)
       Fix: 60194: If validationQuery is not specified, connection validation is \ 
done by calling the isValid() method. (kfujino)
       Fix: 60398: Fix testcase of TestSlowQueryReport. (kfujino)
       Add: Enable reset the statistics without restarting the pool. (kfujino)

   Other

       Fix: 60366: Change catalina.bat to use directly LOGGING_MANAGER and \ 
LOGGING_CONFIG variables in order to configure logging, instead of modifying \ 
JAVA_OPTS. Patch provided by Petter Isberg.
   (violetagg)
       Add: New property is added test.verbose in order to control whether the \ 
output of the tests is displayed on the console or not. Patch provided by \ 
Emmanuel Bourg. (violetagg)
       Update: Update the ASF logos used in the Apache Tomcat installer for \ 
Windows to use the new versions.
       Fix: Spelling corrections provided by Josh Soref. (violetagg)

---
   Module Name:	pkgsrc
   Committed By:	prlw1
   Date:		Mon Feb  6 15:55:49 UTC 2017

   Modified Files:
   	pkgsrc/www/apache-tomcat8: PLIST

   Log Message:
   Fix PLIST:

   $ tar tzvf /usr/pkgsrc/distfiles/apache-tomcat-8.0.41.tar.gz | egrep 'ROOT=
   .*asf-logo'
   -rw-r--r--  1 root     wheel      26447 Jan 18 22:25 apache-tomcat-8.0.41/=
   webapps/ROOT/asf-logo-wide.svg

Files:
RevisionActionfile
1.8.6.1modifypkgsrc/www/apache-tomcat8/Makefile
1.4.6.1modifypkgsrc/www/apache-tomcat8/PLIST
1.9.6.1modifypkgsrc/www/apache-tomcat8/distinfo