Subject: CVS commit: [pkgsrc-2010Q2] pkgsrc/www/apache-tomcat6
From: Matthias Scheler
Date: 2010-09-25 15:30:25
Message id: 20100925133025.7EB98175DD@cvs.netbsd.org

Log Message:
Pullup ticket #3231 - requested by spz
apache-tomcat6: security update

Revisions pulled up:
- www/apache-tomcat6/Makefile			1.7
- www/apache-tomcat6/PLIST			1.4
- www/apache-tomcat6/distinfo			1.4
---
Module Name:	pkgsrc
Committed By:	spz
Date:		Sun Sep 19 14:32:04 UTC 2010

Modified Files:
	pkgsrc/www/apache-tomcat6: Makefile PLIST distinfo

Log Message:
Update of apache-tomcat to version 6.0.29
(and a little Makefile cosmetics)
fixes two of the currently known security issues

Upstream changelog:
Tomcat 6.0.29 (jfclere)	released 2010-07-22

Catalina

add	48960: Add a new option to the SSI Servlet and SSI Filter to
	allow the disabling of the exec command. This is now disabled
	by default. Based on a patch by Yair Lenga. (markt)
fix	49551: Allow default context.xml location to be specified using
	an absolute path. (markt)
fix	49598: When session is changed and the session cookie is
	replaced, ensure that the new Set-Cookie header overwrites the
	old Set-Cookie header. (markt)
fix	Fix order when listing Webapp loader search URLs. (rjung)
add	Add support for *.jar pattern in VirtualWebappLoader. (kkolinko)

Tomcat 6.0.28 (jfclere)	released 2010-07-09

Catalina

fix	Arrange filter logic. (jfclere)
fix	49230: Enhance JRE leak prevention listener with protection for
	the keep-alive thread started by sun.net.www.http.HttpClient.
	Patch provided by Rob Kooper. (markt)
fix	49351: Fix possible NPE when embedding and no name is specified
	for the Service. (markt)
fix	49424: Avoid NPE if client provides no data with a chunked
	POST request. (markt)
fix	49414: Differentiate between request threads and application
	created threads when warning about still running threads when
	an application stops. (markt)
fix	49443: Use remoteIpHeader rather than remoteIPHeader
	consistently. (markt)
add	Add property searchExternalFirst to WebappLoader. If set,
	the external repositories will be searched before the WEB-INF
	ones. (rjung)

Cluster

fix	49445: When session ID is changed after authentication, ensure
	the DeltaManager replicates the change in ID to the other nodes
	in the cluster. (kfujino)

Webapps

fix	49213: Grant permissions required by manager application when
	running under a security manager. (markt/kkolinko)
fix	49436: Correct documented default for readonly attribute of
	the UserDatabase component. (markt)

Tomcat 6.0.27 (jfclere)	not released

General

update	Update DBCP to 1.3. (markt)

Catalina

fix	Fix CVE-2010-1157. Prevent possible disclosure of host name
	or IP address via the HTTP WWW-Authenticate header when using
	BASIC or DIGEST authentication. (markt)
add	Include context name when reporting memory leaks to aid root
	cause identification. (markt)
fix	Improve exception handling on session de-serialization to
	assist in identifying the root cause of 48007. (kkolinko)
add	48379: Make session cookie name, domain and path configurable
	per context. (markt)
fix	48589: Make JNDIRealm easier to extend. Based on a patch by
	Candid Dauth. (markt/kkolinko)
fix	48629: Allow user names as well as DNs to be used with the
	nested role search. Add roleNested to the documentation.
	Patch provided by Felix Schumacher. (markt)
fix	48661: Make error page behavior consistent, regardless of how
	the error page is defined. If a response has been committed,
	always include the error page. (markt)
fix	48729: Return roles defined by both userRoleName and roleName
	mechanisms. Patch provided by 'eric'. Also make user's role
	list immutable. (markt)
fix	48760: Fix potential multi-threading issue in static resource
	serving where multiple threads could try to use the same
	InputStream. (markt)
fix	48790: Fix thread safety issue in the count of the maximum
	number of active sessions. (markt/kkolinko)
fix	48793: Make catalina.sh more robust to different return values
	on different platforms. Patch provided by Thomas GL. (markt)
fix	48840: Swallow output (if any) from use of cd when determining
	$CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts.
	Based on patch provided by mdietze. (markt/kkolinko)
fix	48895: Make clearing of ThreadLocals that are causing memory
	leaks on web application stop, reload or undeploy configurable
	since the process of clearing them is not thread-safe. (markt)
fix	48903: Fix deadlock in webapp class loader. (rjung)
fix	48971: Make stopping of leaking Timer threads optional and
	disabled by default. (markt)
fix	48976: Document JAVA_ENDORSED_DIRS in start-up scripts.
	Patch provided by Laurent Vaills. (markt)
fix	48983: Improve debug logging for situations when RemoteIpValve
	is bypassed. Patch provided by Cyrille Le Clerc. (markt)
fix	49018: Fix processing of time argument in the Expire sessions
	action in the Manager web application. (kkolinko)
fix	49116: If session is already invalid, expire session to prevent
	memory leak. (kfujino)
fix	49158: Ensure only one session cookie is returned for a single
	request. (markt/fhanik)
fix	49245: Fix session expiration check in cross-context requests.
	(markt)
fix	49398: ByteChunk.indexOf(String, int, int, int) could not find
	a string of length 1. (kkolinko)
fix	Fix possible overflows when calculating session statistics.
	(kkolinko)
add	Log unexpected exceptions when providing access to web
	application resources in ApplicationContext. (kkolinko)
fix	Improve exception handling in CatalinaShutdownHook. (kkolinko)
add	Expose properties of VirtualWebappLoader and WebappClassLoader
	via JMX. (rjung)

Coyote

fix	48839: Correctly handle HTTP header folding in the NIO connector.
	Patch suggested by Richa Baronia. (markt)
fix	48843: Prevent possible deadlock for worker allocation in
	connectors. (kkolinko)
fix	48843: Fix handling of add queues in AprEndpoint.Poller and
	AprEndpoint.Sendfile. Do not miss wakeups. (kkolinko)
add	48862: Add support for the backlog parameter to the AJP
	connector. (pero/markt)
fix	48917: Correct name of mod_jk module in ApacheConfig.
	Patch provided by Todd Hicks. (markt)
fix	49095: AprEndpoint did not wake up acceptors during shutdown
	when deferAccept option was enabled. Based on a patch provided
	by Ruediger Pluem. (kkolinko)
add	Use chunked encoding for HTTP 1.1 requests with no
	content-length (regardless of keep-alive) so client can
	differentiate between complete and partial responses. (markt)
fix	Correct the SSL session timeout attribute name so the code
	agrees with the documentation. (markt)
add	CoyotePrincipal now implements Serializable. (fhanik)
fix	Enable the BIO AJP connector to run under a security manager.
	(markt)

Jasper

fix	45015: Correct a regression in quote handling caused by the
	re-factoring of attribute parsing. (markt)
fix	48701: Add a system property to allow disabling enforcement
	of JSP.5.3. The specification recommends, but does not require,
	this enforcement. (kkolinko)
fix	48737: Don't assume paths that start with /META-INF/... are
	always in JARs. This is not true for some IDEs.
	Patch provided by Fabrizio Giustina. (markt)
fix	49081: Correctly handle EL expressions of the form #${...}. (markt)
fix	49196: Avoid NullPointerException in PageContext.getErrorData()
	if an error-handling JSP page is called directly. (markt)

Cluster

fix	48717: When a node joins a cluster and it receives all the
	current sessions, ensure the sessionCreated event is fired
	if the Manager is configured to replicate session events. (markt)
fix	48934: Previous fix to handle dropped connections incorrectly
	permanently disabled session replication. (fhanik)
fix	49051: memberAlive is not called if the member did not already
	exist in the membership. (kfujino)
fix	49151: Avoid ClassCastException in BackupManager#stop. (kfujino)
fix	49170: Do not send duplicated session. (kfujino)
fix	Add missing messages and ensure cluster listeners log messages
	to correct logger. (markt)

Webapps

add	Use underscores instead of spaces in anchor names in Tomcat
	documentation. (kkolinko)
add	Add support for displaying the Spring Security user name
	(if present) in the Manager application. (markt)
update	Improve the ChatServlet Comet example (/examples/jsp/chat/).
	(kkolinko)

Other

update	Update to Commons Daemon 1.0.2. Use service launcher (procrun)
	from the Commons Daemon release. Do not keep a copy of it in
	our source tree. (mturk/kkolinko)
update	Update to NSIS 2.46. (kkolinko)
fix	48990: Fix the skip.installer build property so if set, only
	the Windows installer is skipped. (markt)
fix	49178: Provide in catalina.policy an example of additional
	permissions that might be needed for code located in
	$CATALINA_BASE/lib. (markt)
fix	49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
fix	Remove unused code from org.apache.tomcat.util.buf classes.
	(kkolinko)
update	Rearrange tomcat-juli.jar permissions and wrap long lines in
	the conf/catalina.policy file, to make the text more readable
	when cited in documentation. (kkolinko)
fix	Do not evaluate the execute.installer property when building
	a release. The skip.installer property is used instead. (kkolinko)

Tomcat 6.0.26 (jfclere)	released 2010-03-11

Catalina

fix	Close security hole in unreleased 6.0.25 by ensuring new find
	leaks functionality is protected by a security constraint.
	(kkolinko)
fix	48831: Improve logging shutdown behaviour. Use Catalina's
	shutdown hook to shut down JULI. This enables them to be shut down
	in the correct order. Do not shut down global handlers several
	times. (markt/kkolinko)

Coyote

fix	48584: Prevent the APR connector logging an error if the
	acceptor fails during shutdown since this is expected. (mturk)
fix	48660: Using compression should not overwrite any Vary header
	set by a web application. (markt)

Jasper

fix	48371: Ensure generated servlet mappings are inserted at the
	correct location when using JspC and allow the option that
	controls this to be configured on the command line.
	Also allow the encoding of web.xml to be configured when using
	JspC and deprecate some unused JspC methods. (markt/kkolinko)
fix	48498: Avoid ArrayIndexOutOfBoundsException triggered by a
	Java 6/7 XML parser bug. (markt/kkolinko)
fix	48668: Additional fixes to ensure deferred syntax is handled
	correctly. (kkolinko)
fix	48827: Correct a regression in the fix for 47977 that caused
	an incorrect non-empty body error to be reported for valid
	JSP documents. (markt)

Webapps

add	Make changelog.xml be directly rendered as HTML by certain
	browsers. (kkolinko)
add	Add support for automated generation of TOC tables and for
	links to svn revisions to tomcat-docs.xsl in documentation.
	(kkolinko/fhanik)
add	Move Manager application JSPs that are not intended to be
	accessed directly under the WEB-INF directory. (kkolinko)
fix	Improve the messages displayed by the find leaks diagnostic
	in the Manager application. (kkolinko)

Other

fix	Encode all property files using ascii escaped UTF-8. Also
	fixes deployment problem when using French locale. (jfclere/rjung)

Tomcat 6.0.25 (jfclere)	not released

Catalina

fix	48039: Return immediately if start() is called on an already
	started StandardService. (markt)
fix	48109: Ensure InputStream is closed on error condition in web
	application class loader. (markt)
fix	48179: Clean up dead code that was used to read tldCache file.
	(kkolinko)
fix	48318: Handle case where WebDAV resource is in directory
	listing but is not accessible. (markt)
add	48384: Add a per context xslt option for directory listings.
	Make the fallback options work as described in the
	documentation. (markt)
fix	48577: Filter URL when displaying missing included page. (markt)
fix	48612: Prevent exception on shutdown if the address attribute
	is specified for a connector. (markt)
fix	48613: Further fixes to ensure APRLifecycleListener is only
	used if defined in server.xml. (fhanik)
fix	48614: Correct JULI log file buffering so default behaviour
	is no buffering. (fhanik)
fix	48625: Provide an option to exit if an error occurs during
	the initialization phase. (fhanik)
fix	48645: Use specified encoding rather than null in calls to
	RequestUtil.URLDecode(byte[] bytes, String enc). (markt)
fix	48653: Force request.secure and request.scheme to false and
	http if the X-Forwarded-Proto header has the value http.
	Patch provided by Cyrille Le Clerc. (markt)
fix	48678: Remove duplicate server field from
	org.apache.catalina.startup.Catalina. (markt)
fix	48694: Remove potential deadlock in web application class
	loader. (markt)
add	48716: Provide additional configuration options for JULI. (markt)
fix	48726: Prevent OOME when uploading large WAR files with the
	deployer. Patch provided by adam. (markt)
add	Improve memory leak protection by safely stopping threads
	started via java.util.Timer that an application starts but
	fails to stop and by clearing references retained due to the
	use of java.util.ResourceBundle. (markt)
update	Modify ThreadLocal memory leak detection to not report false
	positives and to simplify implementation. (markt/kkolinko)
add	Basic memory leak detection was added to the standard Host
	implementation and exposed via JMX to detect memory leaks on
	web application reload. (markt/kkolinko)

Coyote

update	Update the native/APR library version bundled with Tomcat to
	1.1.20. (kkolinko)

Jasper

add	Add some debug logging to the compiler where exceptions were
	previously swallowed. (markt)
fix	48170: Remove unnecessary synchronization that is causing
	issues under load. (markt)
fix	48580: Prevent AccessControlException if first access is to
	a JSP that uses a FunctionMapper. (markt)
fix	48582: Avoid NPE on background compilation failure. (markt)
fix	48616: Don't declare or synchronize scripting variables for
	JSP fragments since they are scriptless. This is an alternative
	fix for 42390 that avoids both the original problem and the
	regression in the first fix. (kkolinko)
fix	48627: Fix regression in re-factored EL parsing. Keep literals
	as literals and handle deferredSyntaxAllowedAsLiteral. (kkolinko)
fix	48668: When parsing JSPs only parse EL as EL if EL is enabled
	else strings such as ${ will be silently dropped. (markt)
fix	Various EL TCK failures. (markt)

Cluster

fix	Force a disconnect if an error occurs during replication such
	as a firewall dropping the connection. (fhanik)

Webapps

add	Add new "Find leaks" command to the Manager application.
	It allows detecting web applications that have caused memory
	leaks on stop, reload or undeploy. (markt/kkolinko)

Other

fix	Ensure files in conf directory have CRLF line endings when
	using the Windows installer. (kkolinko)
fix	Allow special characters recognized by the Windows command-line
	shell to be present in the names of CATALINA_HOME/_BASE and
	the current directory used to call the Tomcat scripts. (kkolinko)
fix	Don't use @Deprecated annotations in javax.servlet.jsp.JspContext
	since the specification does not include them in the API
	definition. (markt)
add	Improve the information in the JAR manifest files. (markt)

Files:
Revision	Action	File
1.6.2.1		modify	pkgsrc/www/apache-tomcat6/Makefile
1.3.10.1	modify	pkgsrc/www/apache-tomcat6/PLIST
1.3.4.1		modify	pkgsrc/www/apache-tomcat6/distinfo