Path to this page:
Subject: CVS commit: [pkgsrc-2016Q4] pkgsrc/www/apache-tomcat8
From: Benny Siegert
Date: 2017-03-03 16:21:29
Message id: 20170303152129.28123FBE4@cvs.NetBSD.org
Log Message:
Pullup ticket #5220 - requested by spz
www/apache-tomcat8: security fix
Revisions pulled up:
- www/apache-tomcat8/Makefile 1.9-1.10
- www/apache-tomcat8/PLIST 1.5-1.7
- www/apache-tomcat8/distinfo 1.10-1.11
---
Module Name: pkgsrc
Committed By: spz
Date: Sun Jan 1 17:26:13 UTC 2017
Modified Files:
pkgsrc/www/apache-tomcat8: Makefile PLIST distinfo
Log Message:
update to current tomcat 8.0 train version, fixing CVE-2016-5388.
Changelog:
Tomcat 8.0.39 (violetagg)
Catalina
Fix: When creating a new Connector via JMX, ensure that both HTTP/1.1 and \
AJP/1.3 connectors can be created. (markt)
Fix: Include the Context name in the log message when an item cannot be \
added to the cache. (markt)
Fix: Exclude JAR files in /WEB-INF/lib from the static resource cache. (markt)
Fix: When calling getResourceAsStream() on a directory, ensure that null \
is returned. (markt)
Fix: 60161: Allow creating subcategories of the container logger, and use \
it for the rewrite valve. (remm)
Fix: Correctly test for control characters when reading the provided \
shutdown password. (markt)
Fix: When configuring the JMX remote listener, specify the allowed types \
for the credentials. (markt)
Coyote
Fix: Correct the HTTP header parser so that DEL is not treated as a valid \
token character. (markt)
Fix: 60319: When using an Executor, disconnect it from the Connector \
attributes maxThreads, minSpareThreads and threadPriority to enable the \
configuration settings to be consistently reported.
These Connector attributes will be reported as -1 when an Executor is in use. \
The values used by the executor may be set and obtained via the Executor. \
(markt)
Fix: If an I/O error occurs during async processing on a non-container \
thread, ensure that the onError() event is triggered. (markt)
Fix: Improve detection of I/O errors during async processing on \
non-container threads and trigger async error handling when they are detected. \
(markt)
Add: Add additional checks for valid characters to the HTTP request line \
parsing so invalid request lines are rejected sooner. (markt)
Web applications
Fix: Correct a typo in HTTP Connector How-To. Issue reported via \
comments.apache.org. (violetagg)
Fix: Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
Fix: Correct a typo in CGI How-To. Issue reported via \
comments.apache.org. (violetagg)
Tribes
Fix: When the proxy node sends a backup retrieve message, ensure that \
using the channelSendOptions that has been set rather than the default \
channelSendOptions. (kfujino)
Other
Update: Update the ECJ compiler to version 4.5.1. (markt)
Fix: Remove classes from tomcat-util-scan.jar that are duplicates of \
those in tomcat-util.jar. (markt)
2016-10-10 Tomcat 8.0.38 (markt)
Catalina
Add: 59961: Add an option to the StandardJarScanner to control whether or \
not JAR Manifests are scanned for additional class path entries. (markt)
Fix: 60013: Refactor the previous fix to align the behaviour of the \
Rewrite Valve with mod_rewrite. As part of this, provide an implementation for \
the B and NE flags and improve the handling for
the QSA flag. Includes multiple test cases by Santhana Preethiand a patch by \
Tiago Oliveira. (markt)
Fix: 60087: Refactor the web resources handling to use the Tomcat \
specific war:file:... URL protocol to refer to WAR files and their contents \
rather than the standard jar:file:... form since some
components of the JRE, such as JAR verification, give unexpected results when \
the standard form is used. A side-effect of the refactoring is that when using \
packed WARs, it is now possible to
reference a WAR and/or specific JARs within a WAR in the security policy file \
used when running under a SecurityManager. (markt)
Fix: 60116: Fix a problem with the rewrite valve that caused back \
references evaluated in conditions to be forced to lower case when using the NC \
flag. (markt)
Fix: Ensure Digester.useContextClassLoader is considered in case the \
class loader is used. (violetagg)
Fix: 60117: Ensure that the name of LogLevel is localized when using \
OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
Fix: 60146: Improve performance for resource retrieval by making calls to \
WebResource.getInputStream() trigger caching if the resource is small enough. \
Patch provided by mohitchugh. (markt)
Add: 60151: Improve the exception error messages when a ResourceLink \
fails to specify the type, specifies an unknown type or specifies the wrong \
type. (markt)
Fix: 60167: Ignore empty lines in /etc/passwd files when using the \
PasswdUserDatabase. (markt)
Fix: 60170: Exclude the compressed test file index.html.br from RAT \
analysis. Patch provided by Gavin McDonald. (markt)
Fix: When starting web resources, ensure that class resources are only \
started once. (markt)
Fix: Improve the access checks for linked global resources to handle the \
case where the current class loader is a child of the web application class \
loader. (markt)
Fix: 60199: Log a warning if deserialization issues prevent a session \
attribute from being loaded. (markt)
Coyote
Fix: Correctly handle a call to AsyncContext.complete() from a \
non-container thread when non-blocking I/O is being used. (markt)
Add: Refactor the code that implements the requirement that a call to \
complete() or dispatch() made from a non-container thread before the container \
initiated thread that called startAsync()
completes must be delayed until the container initiated thread has completed. \
Rather than implementing this by blocking the non-container thread, extend the \
internal state machine to track this. This
removes the possibility that blocking the non-container thread could trigger \
a deadlock. (markt)
Fix: 60123: Avoid potential threading issues that could cause excessively \
large vales to be returned for the processing time of a current request. (markt)
Fix: 60174: Log instances of HeadersTooLargeException during request \
processing. (markt)
Jasper
Fix: 60101: Remove preloading of the class that was deleted. (violetagg)
Web applications
Add: Expand the documentation for the nested elements within a Resources \
element to clarify the behaviour of different configuration options with respect \
to the order in which resources are
searched. (markt)
Add: Add an example of using the classesToInitialize attribute of the \
JreMemoryLeakPreventionListener to the documentation web application. Based on a \
patch by Cris Berneburg. (markt)
Fix: 60192: Correct a typo in the status output of the Manager \
application. Patch provided by Radhakrishna Pemmasani. (markt)
jdbc-pool
Fix: Notify jmx when returning the connection that has been marked \
suspect. (kfujino)
Fix: Ensure that the POOL_EMPTY notification has been added to the jmx \
notification types. (kfujino)
Fix: 60099: Ensure that use all method arguments as a cache key when \
using StatementCache. (kfujino)
Fix: 60139: Correct Javadocs for PoolConfiguration.getValidationInterval \
and setValidationInterval. Reported by Phillip Webb. (kfujino)
Other
Fix: Update the download location for Objenesis. (violetagg)
Fix: 60164: Replace log4j-core*.jar with log4j-web*.jar since it is \
log4j-web*.jar that contains the ServletContainerInitializer. (markt)
Add: Add documentation to the bin/catalina.bat script to remind users \
that environment variables don't affect the configuration of Tomcat when run as \
a Windows Service. Based upon a documentation
patch by James H.H. Lampert. (schultz)
Update: Update the packaged version of the Tomcat Native Library to \
1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)
2016-09-05 Tomcat 8.0.37 (markt)
Catalina
Fix: 57705: Add debug logging for requests denied by the remote host and \
remote address valves and filters. Based on a patch by Graham Leggett. (markt)
Add: 59399: Add a new option to the Realm implementations that ship with \
Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to \
be controlled per Realm. (markt)
Update: Change the default of the sessionCookiePathUsesTrailingSlash \
attribute of the Context element to false since the problems caused when a \
Servlet is mapped to /* are more significant than
the security risk of not enabling this option by default. (markt)
Fix: Do not attempt to start web resources during a web application's \
initialisation phase since the web application is not fully configured at that \
point and the web resources may not be
correctly configured. (markt)
Fix: 59708: Modify the LockOutRealm logic. Valid authentication attempts \
during the lock out period will no longer reset the lock out timer to zero. \
(markt)
Fix: Improve error handling around user code prior to calling \
InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: 59813: Ensure that circular relations of the Class-Path attribute \
from JAR manifests will be processed correctly. (violetagg)
Fix: Ensure that reading the singleThreadModel attribute of a \
StandardWrapper via JMX does not trigger initialisation of the associated \
servlet. With some frameworks this can trigger an
unexpected initialisation thread and if initilisation is not thread-safe the \
initialisation can then fail. (markt)
Fix: Compatibility with rewrite from httpd for non existing headers. (jfclere)
Fix: By default, treat paths used to obtain a request dispatcher as \
encoded. This behaviour can be changed per web application via the \
dispatchersUseEncodedPaths attribute of the Context. (markt)
Fix: 59839: Apply roleSearchAsUser to all nested searches in JNDIRealm. \
(fschumacher)
Fix: 59859: Fix resource leak in WebDAV servlet. Based on patch by Coty \
Sutherland. (fschumacher)
Add: Provide a mechanism that enables the container to check if a \
component (typically a web application) has been granted a given permission when \
running under a SecurityManager without the
current execution stack having to have passed through the component. Use this \
new mechanism to extend SecurityManager protection to the system property \
replacement feature of the digester. (markt)
Add: When retrieving an object via a ResourceLink, ensure that the object \
obtained is of the expected type. (markt)
Fix: 59824: Mark the RewriteValve as supporting async processing by \
default. (markt)
Fix: 59862: Allow nested jar files scanning to be filtered with the \
system property tomcat.util.scan.StandardJarScanFilter.jarsToSkip. Patch is \
provided by Terence Bandoian. (violetagg)
Fix: 59866: When scanning WEB-INF/classes for annotations, don't scan the \
contents of WEB-INF/classes/META-INF (if present) since classes will never be \
loaded from that location. (markt)
Fix: 59888: Correctly handle tabs and spaces in quoted version one \
cookies when using the Rfc6265CookieProcessor. (markt)
Fix: 59912: Fix an edge case in input stream handling where an \
IOException could be thrown when reading a POST body. (markt)
Fix: 59960: Fix Javadoc so it builds with Java 8. Patch by Coty \
Sutherland. (markt)
Fix: 59966: Do not start the web application if the error page \
configuration in web.xml is invalid. (markt)
Fix: Switch the CGI servlet to the standard logging mechanism and remove \
support for the debug attribute. (markt)
Fix: Changes to the allowLinking attribute of a StandardRoot instance now \
invalidate the cache if caching is enabled. (markt)
Add: Add a new initialisation parameter, envHttpHeaders, to the CGI \
Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a \
mechanism that can be used to mitigate any future,
similar issues. (markt)
Add: When adding and removing ResourceLinks dynamically, ensure that the \
global resource is only visible via the ResourceLinkFactory when it is meant to \
be. (markt)
Fix: 60008: When processing CORs requests, treat any origin with a URI \
scheme of file as a valid origin. (markt)
Fix: Improve handling of exceptions during a Lifecycle events triggered \
by a state transition. The exception is now caught and the component is now \
placed into the FAILED state. (markt)
Fix: 60013: Fix encoding issues when using the RewriteValve with UTF-8 \
query strings or UTF-8 redirect URLs. (markt)
Fix: 60022: Improve handling when a WAR file and/or the associated \
exploded directory are symlinked into the appBase. (markt)
Fix: Fix a file descriptor leak when reading the global web.xml. (markt)
Fix: Consistently decode URL patterns provided via web.xml using the \
encoding of the web.xml file where specified or UTF-8 where no explicit encoding \
is specified. (markt)
Fix: Make timing attacks against the Realm implementations harder. (schultz)
Coyote
Fix: Improve error handling around user code prior to calling \
InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: Extend synchronization for NIO2 writes to avoid \
ConcurrentModificationException observed during testing. (markt)
Fix: 59904: Add a limit (default 200) for the number of cookies allowed \
per request. Based on a patch by gehui. (markt)
Fix: 59925: Correct regression in r1628368 and ensure that HTTP \
separators are handled as configured in the LegacyCookieProcessor. Patch \
provided by Kyohei Nakamura. (markt)
Fix: OpenSSL now disables 3DES by default so reflect this when using \
OpenSSL syntax to select ciphers. (markt)
Jasper
Fix: Improve error handling around user code prior to calling \
InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: Improve the error handling for custom tags to ensure that the tag is \
returned to the pool or released and destroyed once used. (markt)
Fix: 60032: Fix handling of method calls that use varargs within EL value \
expressions. (markt)
Fix: Ignore engineOptionsClass and scratchdir when running under a \
security manager. (markt)
Fix: Fixed StringIndexOutOfBoundsException. Based on a patch provided by \
wuwen via Github. (violetagg)
WebSocket
Fix: Improve error handling around user code prior to calling \
InstanceManager.destroy() to ensure that the method is executed. (markt)
Fix: 59908: Ensure that a reason phrase is included in the close message \
if a session is closed due to a timeout. (markt)
Web Applications
Fix: Do not log an additional case of IOExceptions in the error handler \
for the Drawboard WebSocket example when the root cause is the client \
disconnecting since the logs add no value. (markt)
Fix: 59642: Mention the localDataSource in the DataSourceRealm section of \
the Realm How-To. (markt)
Fix: Follow-up to the fix for 59399. Ensure that the new attribute \
transportGuaranteeRedirectStatus is documented for all Realms. Also document the \
NullRealm and when it is automatically created
for an Engine. (markt)
Fix: Fix the description of maxAge attribute in jdbc-pool doc. This \
attribute works both when a connection is returned and when a connection is \
borrowed. (kfujino)
Fix: 59774: Correct the prefix values in the documented examples for \
configuring the AccessLogValve. Patch provided by Mike Noordermeer. (markt)
Fix: 59868: Clarify the documentation for the Manager web application to \
make clearer that the host name and IP address in the server section are the \
primary host name and IP address. (markt)
Fix: MBeans Descriptors How-To is moved to mbeans-descriptors-howto.html. \
Patch provided by Radoslav Husar. (violetagg)
Fix: Update NIO Connector configuration documentation with an information \
about socket.directSslBuffer. (violetagg)
Fix: 60034: Correct a typo in the Manager How-To page of the \
documentation web application. (markt)
Tribes
Add: Add log message when the ping has timed-out. (kfujino)
Fix: If the ping message has been received at the \
AbstractReplicatedMap#leftOver method, ensure that notify the member is alive \
than ignore it. (kfujino)
jdbc-pool
Fix: Fix the duplicated connection release when connection verification \
failed. (kfujino)
Fix: Ensure that do not remove the abandoned connection that has been \
already released. (kfujino)
Fix: In order to avoid the unintended skip of PoolCleaner, remove the \
check code of the execution interval in the task that has been scheduled. \
(kfujino)
Fix: 59850: Ensure that the ResultSet is closed when enabling the \
StatementCache interceptor. (kfujino)
Fix: 59923: Reduce the default value of validationInterval in order to \
avoid the potential issue that continues to return an invalid connection after \
database restart. (kfujino)
Fix: Ensure that the ResultSet is returned as Proxy object when enabling \
the StatementDecoratorInterceptor. (kfujino)
Fix: 60043: Ensure that the suspectTimeout works without removing \
connection when the removeAbandoned is disabled. (kfujino)
Fix: Add log message of when returning the connection that has been \
marked suspect. (kfujino)
Fix: Correct Javadoc for ConnectionPool.suspect(). Based on a patch by \
Yahya Cahyadi. (markt)
Other
Update: 59276: Update optional Checkstyle library to 6.17. (kkolinko)
Add: Use the mirror network rather than the ASF master site to download \
the current ASF dependencies. (markt)
Update: Update the packaged version of the Tomcat Native Library to 1.2.8 \
to pick up the latest fixes and make 1.2.8 the minimum recommended version. \
(markt)
Fix: 59899: Update Tomcat's copy of the Java Persistence annotations to \
include the changes made in 2.1 / JavaEE 7. (markt)
Fix: Fixed typos in mbeans-descriptors.xml files. (violetagg)
Update: Update the internal fork of Commons BCEL to r1757132 to align \
with the BCEL 6 release. (markt)
Update: Update the internal fork of Commons DBCP2 to r1757164 to pick up \
a couple of bug fixes. (markt)
Update: Update the internal fork of Commons Codec to r1757174. Code \
formatting changes only. (markt)
Update: Update the internal fork of Commons FileUpload to afdedc9. This \
pulls in a fix to improve the performance with large multipart boundaries. \
(markt)
---
Module Name: pkgsrc
Committed By: spz
Date: Sat Feb 4 20:48:03 UTC 2017
Modified Files:
pkgsrc/www/apache-tomcat8: Makefile PLIST distinfo
Log Message:
Update to Tomcat 8.0.41. Upstream changelog:
Tomcat 8.0.41 (violetagg)
Cluster
Add: Make the accessTimeout configurable in BackupManager. The \
accessTimeout is used as a timeout period for PING in replication map. (kfujino)
Web applications
Fix: Ensure the ASF logo image is displayed in host-manager. (violetagg)
not released Tomcat 8.0.40 (violetagg)
Catalina
Add: 53602: Add HTTP status code 451 (RFC 7725) to the list of HTTP \
status codes recognised by Tomcat. (markt)
Fix: 60446: Handle the case where the stored user credential uses a \
different key length than the length currently configured for the \
CredentialHandler. Based on a patch by Niklas Holm. (markt)
Fix: 60351: Delay creating META-INF/war-tracker file until after the WAR \
has been expanded to address the case where the Tomcat process terminates during \
the expansion. (markt)
Fix: Correctly handle the configClass attribute of a Host when embedding \
Tomcat. (markt)
Fix: 60379: Dispose of the GSS credential once it is no longer required. \
Patch provided by Michael Osipov. (markt)
Fix: 60380: Ensure that a call to HttpServletRequest#logout() triggers a \
call to TomcatPrincipal#logout(). Based on a patch by Michael Osipov. (markt)
Fix: 60387: Correct the javadoc for \
o.a.catalina.AccessLog.setRequestAttributesEnabled. The default value is \
different for the different implementations. (violetagg)
Code: 60393: Use consistent parameter naming in implementations of \
Realm#authenticate(GSSContext, boolean). (markt)
Fix: 60395: Log when an Authenticator passes an incomplete GSSContext to \
a Realm since it indicates a bug in the Authenticator. Patch provided by Michael \
Osipov. (markt)
Fix: Correctly generate URLs for resources located inside JARs that are \
themselves located inside a packed WAR file. (markt)
Fix: 60410: Ensure that multiple calls to JarInputStreamWrapper#close() \
do not incorrectly trigger the closure of the underlying JAR or WAR file. \
(markt)
Fix: 60411: Implement support in the RewriteValve for symbolic names to \
specify the redirect code to use when returning a redirect response to the user \
agent. Patch provided by Michael Osipov.
(markt)
Fix: 60413: In the RewriteValve write empty capture groups as the empty \
string rather than as "null" when generating the re-written URL. Based \
on a patch by Michael Osipov. (markt)
Update: Update the warnings that reference required options for running \
on Java 9 to use the latest syntax for those options. (markt)
Fix: 60513: Fix thread safety issue with RMI cleanup code. (remm)
Coyote
Fix: Ensure that the endpoint is able to unlock the acceptor thread \
during shutdown if the endpoint is configured to listen to any local address of \
a specific type such as 0.0.0.0 or ::. (markt)
Fix: Prevent read time out when the file is deleted while serving the \
response. The issue was observed only with APR Connector and sendfile enabled. \
(violetagg)
Fix: Improve the logic that selects an address to use to unlock the \
Acceptor to take account of platforms what do not listen on all local addresses \
when configured with an address of 0.0.0.0 or
::. (markt)
Fix: 60409: When unable to complete sendfile request, ensure the \
Processor will be added to the cache only once. (markt/violetagg)
Jasper
Fix: 60431: Improve handling of varargs in UEL expressions. Based on a \
patch by Ben Wolfe. (markt)
Fix: 60497: Restore previous tag reuse behavior following the use of \
try/finally. (remm)
Fix: Improve the error handling for simple tags to ensure that the tag is \
released and destroyed once used. (remm)
Fix: 60497: Follow up fix using a better variable name for the tag reuse \
flag. (remm)
Fix: Revert use of try/finally for simple tags. (remm)
Web applications
Fix: Correct a typo in Host Configuration Reference. Issue reported via \
comments.apache.org. (violetagg)
Fix: 60344: Add a note to BUILDING.txt regarding using the source bundle \
with the correct line endings. (markt)
Fix: 60412: Add information on the comment syntax for the RewriteValve \
configuration. (markt)
Fix: 60467: remove problematic characters from XML documentation. Based \
upon a patch by Michael Osipov. (schultz)
Add: In the documentation web application, be explicit that clustering \
requires a secure network for all of the cluster network traffic. (markt)
Update: Update the ASF logos to the new versions.
Fix: 60468: Correct the format of the sample ISO-8601 date used to report \
the build date for the documentation. Patch provided by Michael Osipov. (markt)
Tribes
Fix: Reduce the warning logs for a message received from a different \
domain in order to avoid excessive log outputs. (kfujino)
Add: Add log message that PING message has received beyond the timeout \
period. (kfujino)
Fix: When a PING message that beyond the time-out period has been \
received, make sure that valid member is added to the map membership. (kfujino)
WebSocket
Fix: 60437: Avoid possible handshake overflows in the websocket client. (remm)
jdbc-pool
Add: 58816: Implement the statistics of jdbc-pool. The stats infos are \
borrowedCount, returnedCount, createdCount, releasedCount, reconnectedCount, \
releasedIdleCount and removeAbandonedCount.
(kfujino)
Fix: 60194: If validationQuery is not specified, connection validation is \
done by calling the isValid() method. (kfujino)
Fix: 60398: Fix testcase of TestSlowQueryReport. (kfujino)
Add: Enable reset the statistics without restarting the pool. (kfujino)
Other
Fix: 60366: Change catalina.bat to use directly LOGGING_MANAGER and \
LOGGING_CONFIG variables in order to configure logging, instead of modifying \
JAVA_OPTS. Patch provided by Petter Isberg.
(violetagg)
Add: New property is added test.verbose in order to control whether the \
output of the tests is displayed on the console or not. Patch provided by \
Emmanuel Bourg. (violetagg)
Update: Update the ASF logos used in the Apache Tomcat installer for \
Windows to use the new versions.
Fix: Spelling corrections provided by Josh Soref. (violetagg)
---
Module Name: pkgsrc
Committed By: prlw1
Date: Mon Feb 6 15:55:49 UTC 2017
Modified Files:
pkgsrc/www/apache-tomcat8: PLIST
Log Message:
Fix PLIST:
$ tar tzvf /usr/pkgsrc/distfiles/apache-tomcat-8.0.41.tar.gz | egrep 'ROOT=
.*asf-logo'
-rw-r--r-- 1 root wheel 26447 Jan 18 22:25 apache-tomcat-8.0.41/=
webapps/ROOT/asf-logo-wide.svg
Files: