Subject: CVS commit: pkgsrc/www/apache-tomcat7
From: Ryo ONODERA
Date: 2012-12-16 11:37:33
Message id: 20121216103733.6C9C4175DD@cvs.netbsd.org
Log Message:
Update to 7.0.34
* CVE-2012-4431 is fixed in 7.0.32
Changelog:
Tomcat 7.0.34 (markt) 2012-12-12
Catalina
fix 53871: Improve error message if annotation scanning fails during web \
application start due to poor configuration or illegal cyclic inheritance with \
the application's classes. (markt)
fix Fix unit test for AccessLogValve when using non-GMT time zone. (rjung)
fix 54170: Ensure correct registration of Filters and Servlets in the \
JMX registry if the Filter or Servlet name includes a character that must be \
quoted if used in an ObjectName value. (markt)
add Add new attribute renameOnRotate to the AccessLogValve. (rjung)
fix 54190: Correct unit tests for BASIC authentication so that session \
timeout is correctly tested. Also refactor unit test to make it easier to add \
additional tests. Patch by Brian Burch. (markt)
fix 54220: Ensure the ErrorReportValve only generates an error report if \
the error flag on the response has been set. (markt)
fix Simplify time zone handling in the access log valve and correctly \
handle various edge cases for non-standard DST changes. (markt)
Web applications
fix 54198: Clarify that HttpServletResponse.sendError(int) results in an \
HTML response by default. (markt)
fix 54207: Correct JNDI factory package name in Javadoc for \
org.apache.naming.java.javaURLContextFactory. (markt)
jdbc-pool
code Fix a handful of Eclipse warnings in the JDBC pool source code \
including the warnings reported in 53565. (markt)
fix 54150: Make sure that SlowQueryReportJmx mbean deregistered during \
webapp shutdown. Reported by Alex Franken. (kfujino)
fix 54194: Make sure that connection pool mbean is not registered when \
jmxEnabled is false. Patch provided by tobias.gierke. (kfujino)
Other
update Update to Eclipse JDT Compiler 4.2.1. (markt)
Tomcat 7.0.33 (markt) 2012-11-21
Catalina
add 53960, 54115: Extensions to HttpClient test helper class. Patches by \
Brian Burch. (markt/kkolinko)
fix 53993: Avoid a possible NPE in the AccessLogValve when the session \
ID is logged and a session is invalidated. (markt)
fix Add support for LAST_ACCESS_AT_START system property to \
PersistentManager. (kfujino)
add Update MIME type mapping with additional / updated mime.types from \
the Apache web server. (markt)
fix 54007: Fix a memory leak that prevented deletion of a context.xml \
file associated with a Context that had failed to deploy. Also fix the problems \
uncovered with undeploying such a Context once the leak had been fixed and the \
file could be deleted. (markt)
fix 54044: Correct bug in timestamp cache used by logging (including the \
access log valve) that meant entries could be made with an earlier timestamp \
than the true timestamp. (markt)
fix 54054: Do not share shell environment variables between multiple \
instances of the CGI servlet. (markt)
fix 54060: Use a simple parser rather than a regular expression to parse \
HTTP Digest authentication headers so the header is correctly parsed. The new \
approach is also faster and generates less garbage. (markt)
fix 54068: Rewrite the web fragment ordering algorithm to resolve \
multiple issues that resulted in incorrect ordering or failure to find a \
correct, valid order. (markt)
update The HTTP header parser added to address 52811 has been removed \
and replaced with the light-weight HTTP header parser created to address 54060. \
The new parser includes a work-around for a bug in the Adobe Acrobat Reader 9.x \
plug-in for Microsoft Internet Explorer that was identified when the old parser \
was introduced (53814).
fix 54076: Add an alternative work-around for clients that use SPNEGO \
authentication and expect the authenticated user to be cached per connection \
(Tomcat only does this if an HTTP session is available). (markt)
fix 54087: Correctly handle (ignore) invalid If-Modified-Since header \
rather than throwing an exception. (markt)
fix 54096: In web.xml, <env-entry> should accept any type that has \
a constructor that takes a single String or char. (markt)
add 54127: Add support for sending a WebSocket Ping. Patch provided by \
Sean Winterberger. (markt)
fix In FormAuthenticator: If it is configured to change Session IDs, do \
the change before displaying the login form. (kkolinko)
fix Ensure AsyncListener.timeout() and AsyncListener.complete() are \
called with the correct thread context class loader. (fhanik)
fix 54123: If an asynchronous request times out without any \
AsyncListeners defined, a 500 error will be triggered. (markt)
fix 54124: Correct provided value of request attribute \
javax.servlet.async.request_uri and add missing request attribute \
javax.servlet.async.path_info. (markt)
add Add denyStatus initialization parameter to CsrfPreventionFilter, \
allowing to customize the HTTP status code used for denied requests. (kkolinko)
fix 54141: Increase the permitted number of nested Realm levels from 2 \
to 3 by default and make the limit configurable via a system property. (markt)
fix Revert occasional API change in BaseDirContext class that was done \
in 7.0.32. Methods should not be final. (kkolinko)
fix Prevent failures in the AccessLogValve when running under a \
SecurityManager and the first request received is an asynchronous one. (markt)
Coyote
fix Correct an issue that prevented WebSockets from being used over SSL \
when using the HTTP NIO connector. (markt)
fix 54022: Ensure the Comet END event is triggered on client disconnect \
with APR/native on Windows Vista/2k8 or later. Patch provided by Douglas Beachy. \
(markt)
fix 54067: Ensure responses with 1xx response codes are correctly marked \
as not containing an entity body. This caused an issue for some WebSocket \
clients when a Transfer-Encoding header was sent with the 101 (HTTP upgrade) \
response. (markt)
Jasper
code 53867: Optimise the XML escaping provided by the PageContext \
implementation. Based on a patch by Sheldon Shao. (markt)
code 53896: Use an optimised CompositeELResolver for Jasper that skips \
resolvers that are known to be unable to resolve the value. Patch by Jarek \
Gawor. (markt)
fix 53986: Correct a regression introduced by the fix for 53713. JSP \
comments that ended with the sequence ---%> (or any similar sequence with an \
odd number of - characters) were not correctly parsed. (markt)
fix 54011: Fix a bug in the tag plug-in for <c:out> that triggered \
a JSP compilation error if the escapeXml attribute was used. Patch provided by \
Sheldon Shao. (markt)
code Follow up to 5401. Simplify generated code for <c:out>. Based \
on a patch by Sheldon Shao. (markt)
fix 54012: Fix a bug in the tag plug-in infrastructure that meant the \
<c:set> triggered a JSP compilation error when used in a tag file. Based \
on a patch provided byx 54144: Fix a bug in the tag plug-in for <c:out> \
that meant that if the value of the tag evaluated to a java.io.Reader object \
then it was not correctly handled. (markt)
Cluster
fix Add getSessionIdsFull operation to mbeans-descriptor. listSpplications
add 54143: Add display of the memory pools usage (including PermGen) to \
the Status page of the Manager web application. (kkolinko)
Tribes
fix 54045: Make sure getMembers() returns available member when \
TcpFailureDetector fix Revert multiple operation support for the \
JMXProxyServlet pending further discussion. (schultz)
fix CVE-2012-4431: Fix bypass of CsrfPreventionFilter when there is no \
session. Improve session management in the filter. (kkolinko)
Web apit servlets (JSP and default) are marked as override-able when using \
embedded mode. (markt)
fix When the DefaultServlet is under heavy load, the HTTP header parser \
added to address 52811 generates large amounts of garbage and uses significant \
CPU time. A cache has been added that significantly reduces the overhead of this \
parser. (markt)
fix 53854: Make directory listings work correctly when aliases are used. \
(markt)
Jasper
code 53713: Performance improvement of up to four times faster parsing \
of JSP pages. Patch provided by Sheldon Shao. (markt)
Cluster
add Make the cluster members and the cluster deployer associated with \
the cluster accessible via JMX. (markt)
fix Fix a behavior of TcpPingInterceptor#uhread. If set to false, ping \
thread is never started. (kfujino)
Web applications
add Improve the documentation web application to clarify the difference \
between the tag and version parameters when using text interface of the Manager \
web application. (markt)
add Make sessions saved in the Store associated with a Manager that \
extends PersistentManager optionally visible (via the showProxySessions Servlet \
initialisation parameter in web.xml) to the Manager web application. (markt)
Files: