Log Message:
security update:

Important: Session fixation CVE-2013-2067

FORM authentication associates the most recent request requiring
authentication with the current session. By repeatedly sending
a request for an authenticated resource while the victim is
completing the login form, an attacker could inject a request
that would be executed using the victim's credentials.

Note that the option to change session ID on authentication was
added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of
session fixation was an application responsibility.
This vulnerability represents a bug in Tomcat's session fixation
protection that was added in 6.0.21. Hence, only versions 6.0.21
onwards are listed as vulnerable.

This was fixed in revision 1417891.

This issue was identified by the Tomcat security team on
15 Oct 2012 and made public on 10 May 2013.

Affects: 6.0.21-6.0.36

Important: Denial of service CVE-2012-3544

When processing a request submitted using the chunked transfer
encoding, Tomcat ignored but did not limit any extensions that
were included. This allows a client to perform a limited DOS
by streaming an unlimited amount of data to the server.

This was fixed in revision 1476592.

This issue was reported to the Tomcat security team on
10 November 2011 and made public on 10 May 2013.

Affects: 6.0.0-6.0.36

ChangeLog:
++++++++++
Catalina

fix	52055: Ensure that filters are recycled. (markt/kkolinko)
fix	52184: Reduce log level for invalid cookies. (markt)
fix	53481: Added support for SSLHonorCipherOrder to allow the
	server to impose its cipher order on the client. Based on
	a patch provided by Marcel Å ebek. (schultz)
fix	54044: Correct bug in timestamp cache used by logging
	(including the access log valve) that meant entries could
	be made with an earlier timestamp than the true timestamp. (markt)
fix	In FormAuthenticator: If it is configured to change
	Session IDs, do the change before displaying the login
	form. (kkolinko)
fix	54054: Do not share shell environment variables between
	multiple instances of the CGI servlet. (markt)
fix	54087: Correctly handle (ignore) invalid If-Modified-Since
	header rather than throwing an exception. (markt/kkolinko)
fix	54220: Ensure the ErrorReportValve only generates an error
	report if the error flag on the response has been set. (markt)
fix	Fix memory leak of servlet instances when running with
	a SecurityManager and either init() or destroy() methods
	fail or the servlet is a SingleThreadModel one, and of
	filter instances if their destroy() method fails with an
	Error. (kkolinko)
fix	54382: Fix NPE when SSI processing is enabled and an empty
	SSI directive is present. (markt)
fix	54483: Correct one of the Spanish translations. Based on
	a suggestion from adinamita. (kkolinko)
update	54527: Synchronize conf/web.xml mime mapping with Tomcat 7. (markt)

Coyote

fix	54248: Ensure that byte order marks are swallowed when
	using a Reader to read a request body with a BOM for those
	encodings that require byte order marks. (markt)
fix	54324: Allow APR connector to disable TLS compression
	if OpenSSL supports it. (schultz)
fix	54456: Ensure that if a client aborts a request when
	sending a chunked request body that this is communicated
	correctly to the client reading the request body. (markt)
update	Update the native component of the APR/native connector
	to 1.1.27 and make that version the recommended minimum
	version. (kkolinko)

Jasper

fix	54615: Tomcat 6 doesn't build against ecj 4.x (kkolinko)

Cluster

fix	54045: Make sure getMembers() returns available member
	when TcpFailureDetector works in static cluster. (kfujino)

Web applications

update	22278: Add a commented out sample configuration of
	RemoteAddrValve to META-INF/context.xml files of the
	Manager and Host Manager applications. (kkolinko)
fix	54080: Clarify documentation for initial value of
	internalProxies attribute of RemoteIpValve. (schultz/kkolinko)
fix	54198: Clarify that HttpServletResponse.sendError(int)
	results in an HTML response by default. (markt)
fix	54207: Correct JNDI factory package name in Javadoc for
	org.apache.naming.java.javaURLContextFactory. (markt)

Other

update	Add sample Apache Commons Daemon JSVC wrapper script
	bin/daemon.sh that can be used with /etc/init.d. (kkolinko)
update	In the build configuration: introduce property
	"tomcat.output" that is used to specify location of the
	build output directory. This simplifies configuration if
	someone wants to move the output directory elsewhere
	(e.g. out of the source tree). (kkolinko)
fix	54390: Use 'java_home' on Mac OS X to auto-detect
	JAVA_HOME. (schultz)
update	54601: Change catalina.sh to consistently use
	LOGGING_MANAGER variable to configure logging, instead
	of modifying JAVA_OPTS one. (kkolinko)
update	54890: Update to Apache Commons Daemon 1.0.15. (mturk)