Subject: CVS commit: [pkgsrc-2011Q3] pkgsrc/www/apache-tomcat6
From: Matthias Scheler
Date: 2011-12-14 08:20:13
Message id: 20111214072014.3A062175DD@cvs.netbsd.org

Log Message:
Pullup ticket #3629 - requested by spz
www/apache-tomcat6: security update

Revisions pulled up:
- www/apache-tomcat6/Makefile                                   1.10
- www/apache-tomcat6/PLIST                                      1.6
- www/apache-tomcat6/distinfo                                   1.7

---
   Module Name:	pkgsrc
   Committed By:	spz
   Date:		Tue Dec 13 09:44:17 UTC 2011

   Modified Files:
   	pkgsrc/www/apache-tomcat6: Makefile PLIST distinfo

   Log Message:
   Upstream changelog:

   Tomcat 6.0.35 (jfclere)
   +++++++++++++++++++++++

   Catalina
   --------

   fix	Fix regression in decoding of parameters that contain spaces.
   	Patch by Willem Fibbe. (kkolinko)

   Tomcat 6.0.34 (jfclere)	not released
   ++++++++++++++++++++++++++++++++++++

   Catalina
   --------

   fix	51550: Display an error page rather than an empty response
   	for an IllegalStateException caused by too many active sessions.
   	(markt)
   add	51640: Improve the memory leak prevention for leaks triggered
   	by java.sql.DriverManager. (markt/kkolinko)
   fix	51688: JreMemoryLeakPreventionListener now protects against
   	AWT thread creation. (schultz)
   fix	51758: The digester (used for processing XML files) used
   	the logger name org.apache.commons.digester.Digester rather
   	than the expected org.apache.tomcat.util.digester.Digester.
   	The digester has been changed to use the expected logger name.
   	(kkolinko)
   add	51862: Added a classesToInitialize attribute to
   	JreMemoryLeakPreventionListener to allow pre-loading of
   	configurable classes to avoid some classloader leaks. (slaurent)
   fix	51872: Ensure that the access log always uses the correct
   	value for the remote IP address associated with the request
   	and that requests with multiple errors do not result in
   	multiple entries in the access log. (markt)
   add	Allow to overwrite the check for distributability of session
   	attributes by session implementations. (rjung)
   add	Provide the log format "OneLineFormatter" for JULI that
   	provides the same information as the default plus thread
   	name but on a single line. (markt/rjung)
   fix	Ensure the memory leak protection for the HttpClient
   	keep-alive always operates even if the thread has already
   	stopped. (markt)
   fix	51940: Do not limit saving of request bodies during FORM
   	authentication to POST requests since any HTTP method may
   	include a request body. Based on a patch by Nicholas Sushkin.
   	(kkolinko)
   fix	52091: Address performance issues related to lock contention
   	in StandardWrapper. Based on patch provided by Taiki Sugawara.
   	(kkolinko)
   update	In GenericPrincipal, SerializablePrincipal: Do not sort lists
   	of roles that have only one element. (kkolinko)
   add	Make configuration issue for CsrfPreventionFilter result in
   	the failure of the filter rather than just a warning message.
   	(kkolinko)
   fix	Ensure changes to the configuration of RemoteAddrValve and
   	RemoteHostValve via JMX are thread-safe. (kkolinko)
   add	Make configuration issue for RemoteAddrValve and
   	RemoteHostValve result in the failure of the valve rather
   	than just a warning message. (kkolinko)
   update	In RequestFilterValve (RemoteAddrValve, RemoteHostValve):
   	refactor value matching logic into separate method and expose
   	this new method isAllowed through JMX. (kkolinko)
   add	Improve performance of parameter processing for GET and POST
   	requests. Also add an option to limit the maximum number of
   	parameters processed per request. This defaults to 10000.
   	Excessive parameters are ignored. Note that FailedRequestFilter
   	can be used to reject the request if some parameters were
   	ignored. (markt/kkolinko)
   add	New filter FailedRequestFilter that will reject a request
   	if there were errors during HTTP parameter parsing. (kkolinko)

   Coyote
   ------

   fix	50394: Return -1 from read operation instead of throwing an
   	exception when encountering an EOF with the HTTP APR connector.
   	(kkolinko)
   fix	51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt)
   fix	Detect incomplete AJP messages and reject the associated
   	request if one is found. (markt)
   fix	51794: Fix race condition in NioEndpoint selector.
   	Patch provided by dlord. (fhanik)
   fix	51905: Fix infinite loop in AprEndpoint shutdown if acceptor
   	unlock fails. Reduce timeout before forcefully closing the
   	socket from 30s to 10s. (kkolinko)
   fix	52121: Fix possible output corruption when compression is
   	enabled for a connector and the response is flushed.
   	Test case provided by David Marcks. (kkolinko)
   fix	Replace unneeded call that iterated events queue in
   	NioEndpoint.Poller. (kkolinko)
   fix	Improve MimeHeaders.toString(). (kkolinko)
   fix	Allow the BIO HTTP connector to be used with SSL when
   	running under Java 7. (markt)
   fix	Improve multi-byte character handling in all connectors. (rjung)

   Jasper
   ------

   fix	51220: Correct copy/paste error in original commit for this
   	issue. (markt)
   fix	52091: Address performance issues related to log creation
   	in TagHandlerPool. Patch provided by Taiki Sugawara. (markt)

   Cluster
   -------

   add	51736: Make rpcTimeout configurable in BackupManager. (kfujino)
   add	New cluster manager attribute sessionAttributeFilter allows
   	to filter which session attributes are replicated using a
   	regular expression applied to the attribute name. (rjung)
   fix	Avoid an unnecessary session ID change notice.
   	Notice of changed session ID by JvmRouteBinderValve is
   	unnecessary to BackupManager. In BackupManager, change of
   	session ID is replicated by the call of a setId() method.
   	(kfujino)
   fix	Fix unneeded duplicate resetDeltaRequest() call in
   	DeltaSession.setId(String). (kkolinko)
   add	When Context manager does not exist, no context manager
   	message is replied in order to avoid timeout (default 60 sec)
   	of GET_ALL_SESSIONS sync phase. (kfujino)

   Webapps
   -------

   fix	Correct the documentation for the connectionLinger attribute
   	of the HTTP connector. (markt)
   add	Show build date and version in the header on every
   	documentation page. (kkolinko)
   fix	52049: Improve setup instructions for running as a Windows
   	service: correct information on how a JRE is identified and
   	selected. (markt)
   update	52172: Clarify Tomcat build instructions. Patch provided by
   	bmargulies. (kkolinko)

   Other
   -----

   update	Update the native component of the APR/native connectors
   	to 1.1.22. (markt)
   update	Update the recommended version of the native component
   	of the APR/native connectors to 1.1.22. (kkolinko)
   update	Update the Eclipse compiler (used for JSPs) to 3.7. (markt)
   fix	Correct two typos in the Windows installer. (kkolinko)
   fix	52059: In Windows uninstaller: Do not forget to remove
   	Tomcat keys from 32-bit registry on deinstallation. (kkolinko)

Files:
Revision   Action   file
1.9.2.1    modify   pkgsrc/www/apache-tomcat6/Makefile
1.5.6.1    modify   pkgsrc/www/apache-tomcat6/PLIST
1.6.2.1    modify   pkgsrc/www/apache-tomcat6/distinfo