Log Message:
Update apache-tomcat6 to 6.0.39, including avoidance for CVE-2013-1571.
Upstream changelog:

Tomcat 6.0.39 (markt)
    Catalina
        fix	55166: Fix regression that broke XML validation when
                running on some Java 5 JVMs. (kkolinko)

    Coyote
        fix	Make the HTTP NIO connector tolerant of whitespace
                in the individual values used for the ciphers attribute.
                (markt)
        fix	Remove dependency introduced on the jsp-api.jar as
                part of the XML validation changes introduced in 6.0.38.
                (markt)

    Jasper
        fix	Correct several errors in jspxml Schema and DTD. (kkolinko)

    Cluster
        code	Remove an empty TestTwoPhaseCommit test from Tribes. (kkolinko)

    Web applications
        fix	Fix broken link in Jasper How-To documentation. (markt)
        fix	Align index.html and index.jsp in ROOT web application.
                Correct links to specifications and to the Tomcat mailing
                lists. (kkolinko)
        fix	Remove second copy of RUNNING.txt from the full-docs
                distribution. Some unpacking utilities can't handle
                multiple copies of a file with the same name in a directory.
                (kkolinko)

    Other
        update	Update sample Eclipse IDE project: use JUnit 4 library
                and prefer a Java 5 JDK when several JDKs are configured.
                Cleanup the Ant build files. (kkolinko)
        fix	Correct Maven dependencies for individual JAR files. (markt)

Tomcat 6.0.38 (markt)	not released

    Catalina
        fix	Ensure that when Tomcat's anti-resource locking features
                are used that the temporary copy of the web application
                and not the original is removed when the web application
                stops. (markt/kkolinko)
        fix	55019: Fix a potential exception when accessing JSPs
                while running under a SecurityManager. (jfclere)
        fix	55052: Make JULI's LogManager to additionally look for
                logging properties without prefixes if the property
                cannot be found with a prefix. (kkolinko)
        fix	55266: Ensure that the session ID is parsed from the
                request before any redirect as the session ID may need
                to be encoded as part of the redirect URL. (markt)
        fix	55404: Log warnings about using security roles in web.xml
                as warnings. (markt)
        fix	55268: Added optional --service-start-wait-time
                command-line option to change service start wait time
                from default of 10 seconds. (schultz)
        fix	Correctly associate the default resource bundle with
                the English locale so that requests that specify an
                Accept-Language of English ahead of French, Spanish or
                Japanese get the English messages they asked for. (markt)
        fix	Add missing JavaEE 5 XML schema definitions. (markt)
        fix	When Catalina parses TLD files, always use a namespace
                aware parser to be consistent with how Jasper parses
                TLD files. The tldNamespaceAware attribute of the Context
                is now ignored. (markt)
        fix	As per section SRV.14.4.3 of the Servlet 2.5 specification,
                a namespace aware, validating parser will be used when
                processing *.tld and web.xml files if the system property
                org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set
                to true. (markt)
        fix	Ensure that sessions IDs are not parsed from URLs for
                Contexts where disableURLRewriting is true. (markt)
        add	Add an option to the Context to control the blocking of
                XML external entities when parsing XML configuration
                files and enable this blocking by default when a security
                manager is used. The block is implemented via a custom
                resolver to enable the logging of any blocked entities.
                (markt)
        fix	56016: When loading resources for XML schema validation,
                take account of the possibility that servlet-api.jar and
                jsp-api.jar may not be loaded by the same class loader.
                Patch by Juan Carlos Estibariz. (markt)

    Coyote
        fix	52811: Fix parsing of Content-Type header in
                HttpServletResponse.setContentType(). Introduces a new
                HTTP header parser that follows RFC2616. (markt)
        fix	54691: Add configuration attribute "sslEnabledProtocols"
                to HTTP connector and document it. (Internally this
                attribute has been already implemented but not documented,
                under names "protocols" and "sslProtocols". \ 
Those names
                of this attribute are now deprecated). (schultz)
        fix	54947: Fix the HTTP NIO connector that incorrectly
                rejected a request if the CRLF terminating the request
                line was split across multiple packets.
                Patch by Konstantin Preißer. (markt)
        fix	55228: Allow web applications to set a HTTP Date header.
                (markt)
        fix	Better adherence to RFC2616 for content-length headers.
                (markt)
        fix	Add support for limiting the size of chunk extensions
                when using chunked encoding. (markt)
        fix	55749: Improve the error message when SSLEngine is
                disabled in the AprLifecycleListener and SSL is
                configured for an APR/native connector. (markt)
        fix	Avoid possible NPE if a content type is specified without
                a character set. (markt)

    Jasper
        fix	55198: Ensure attribute values in tagx files that include
                EL and quoted XML characters are correctly quoted in
                the output. (markt)
        fix	55671: Consistently use the configuration option name
                genStringAsCharArray rather than a mixture of
                genStrAsCharArray and genStringAsCharArray but retain
                support for genStrAsCharArray as in initialisation
                parameter for the JSP servlet to retain backwards
                compatibility with existing configurations. (markt)
        fix	55691: Fix javax.el.ArrayELResolver to correctly handle
                the case where the base object is an array of primitives.
                (markt)
        fix	55973: Fix processing of XML schemas when validation
                is enabled in Jasper. (kkolinko)

    Web applications
        add	Add documentation for
                o.a.c.tribes.group.interceptors.TcpFailureDetector. (kfujino)
        add	Complete the documentation for MessageDispatch15Interceptor.
                (kfujino)
        add	Add to cluster document a description of
                notifyLifecycleListenerOnFailure and
                heartbeatBackgroundEnabled. (kfujino)
        fix	55746: Add documentation on the allRolesMode to the
                CombinedRealm and LockOutRealm. Patch by Cédric Couralet.
                (markt)
        fix	Fix the sample configuration of StaticMembershipInterceptor
                in order to prevent warning log. uniqueId must be 16 bytes.
                (kfujino)
        fix	55119: Avoid CVE-2013-1571 when generating Javadoc. (markt)

    Other
        update	Update Maven Central location used to download
                dependencies at build time to be repo.maven.apache.org.
                (kkolinko)
        fix	55663: Minor correction to the wording of the NOTICE files
                to align them with the requirements for NOTICE files.
                (violetagg)
        fix	Add @since markers to the common annotations classes and
                fix a few specification compliance issues. (markt)
        update	Update to Eclipse JDT Compiler 4.3.1. (markt)
        update	Update the Apache Jakarta JSTL implementation used by
                the exmaples web application to 1.1.2. (markt)