Subject: CVS commit: pkgsrc/www/apache-tomcat7
From: Ryo ONODERA
Date: 2017-04-10 12:32:47
Message id: 20170410103247.8F97EFBE4@cvs.NetBSD.org
Log Message:
Update to 7.0.77
Changelog:
Tomcat 7.0.77 (violetagg)
Catalina
add 54618: Add support to the HttpHeaderSecurityFilter for the HSTS \
preload parameter. (markt)
fix 60911: Ensure NPE will not be thrown when looking for SSL session \
ID. Based on a patch by Didier Gutacker. (violetagg)
Coyote
fix When using the NIO2 connector, ensure a WebSocket close frame is \
processed before the end of stream is processed to ensure that the end of stream \
is processed correctly. (markt)
fix 60852: Correctly spell compressible when used in configuration \
attributes and internal code. Based on a patch by Michael Osipov. (markt)
fix Improve sendfile handling when requests are pipelined. (markt)
Jasper
fix Improve the error handling for simple tags to ensure that the tag is \
released and destroyed once used. (remm, violetagg)
fix 60844: Correctly handle the error when fewer parameter values than \
required by the method are used to invoke an EL method expression. Patch \
provided by Daniel Gray. (markt)
jdbc-pool
fix 60764: Implement equals() and hashCode() in the StatementFacade in \
order to enable these methods to be called on the closed statements if any \
statement proxy is set. This behavior can be changed with useStatementFacade \
attribute. (kfujino)
Tomcat 7.0.76 (markt) released 2017-03-16
Catalina
code Make it easier for sub-classes of Tomcat to modify the default \
web.xml settings by over-riding getDefaultWebXmlListener(). Patch provided by \
Aaron Anderson. (markt)
fix Reduce the contention in the default InstanceManager implementation \
when multiple threads are managing objects and need to reference the annotation \
cache. (markt)
code 60674: Remove final marker from CorsFilter to enable sub-classing. \
(markt)
fix 60683: Security manager failure causing NPEs when doing IO on some \
JVMs. (csutherl)
fix 60688: Update the internal fork of Apache Commons BCEL to r1782855 \
to add early access Java 9 support to the annotation scanning code. (markt)
fix 60718: Improve error handling for asynchronous processing and \
correct a number of cases where the requestDestroyed() event was not being fired \
and an entry wasn't being made in the access logs. (markt)
fix 60808: Ensure that the Map returned by \
ServletRequest.getParameterMap() is fully immutable. Based on a patch provided \
by woosan. (markt)
fix 60824: Correctly cache the Subject in the session - if there is a \
session - when running under a SecurityManager. Patch provided by Jan \
Engehausen. (markt)
fix Ensure request and response facades are used when firing application \
listeners. (markt/remm)
fix When HTTP TRACE requests are disabled on the Connector, ensure that \
the HTTP OPTIONS response from the WebDAV servlet does not include TRACE in the \
returned Allow header. (markt)
Coyote
fix Ensure that executor thread pools used with connectors pre-start the \
configured minimum number of idle threads. (markt)
add 60594: Allow some invalid characters that were recently restricted \
to be processed in requests by using the system property \
tomcat.util.http.parser.HttpParser.requestTargetAllow. (csutherl)
Jasper
fix Refactor code generated for JSPs to reduce the size of the code \
required for tags. (markt)
Cluster
add Make the accessTimeout configurable in ClusterSingleSignOn. The \
accessTimeout is used as a timeout period for PING in replication map. (kfujino)
fix 60806: To avoid ClassNotFoundException, make sure that the web \
application class loader is passed to ReplicatedContext. (kfujino)
WebSocket
fix 60617: Correctly create a CONNECT request when establishing a \
WebSocket connection via a proxy. Patch provided by Svetlin Zarev. (markt)
Tribes
fix Ensure that NoRpcChannelReply messages are not received on \
RpcCallback. (kfujino)
fix 60722: Take account of the dispatchersUseEncodedPaths setting on the \
current Context when generating paths for dispatches triggered by \
AsyncContext.dispatch(). (markt)
Other
fix 60620: Fix configuration of Eclipse projects, broken by introduction \
of SafeForkJoinWorkerThreadFactory helper class. This class cannot be built with \
Java 6. (kkolinko)
update Update the packaged version of the Tomcat Native Library to \
1.2.12 to pick up the latest Windows binaries built with OpenSSL 1.0.2k. \
(violetagg)
add 60784: Update all unit tests that test the HTTP status line to check \
for the required space after the status code. Patch provided by Michael Osipov. \
(markt)
update Update the NSIS Installer used to build the Windows installer to \
version 3.01. (markt)
fix Refactor the build script and the NSIS installer script so that \
either NSIS 2.x or NSIS 3.x can be used to build the installer. This is \
primarily to re-enable building the installer on the Linux based CI system where \
the combination of NSIS 3.x and wine leads to failed installer builds. (markt)
Tomcat 7.0.75 (violetagg) released 2017-01-24
Cluster
add Make the accessTimeout configurable in BackupManager. The \
accessTimeout is used as a timeout period for PING in replication map. (kfujino)
Web applications
fix Ensure the ASF logo image is correctly displayed in docs and \
host-manager applications. (violetagg)
Tomcat 7.0.74 (violetagg) not released
Catalina
add 53602: Add HTTP status code 451 (RFC 7725) to the list of HTTP \
status codes recognised by Tomcat. (markt)
fix Correctly handle the configClass attribute of a Host when embedding \
Tomcat. (markt)
fix 60379: Dispose of the GSS credential once it is no longer required. \
Patch provided by Michael Osipov. (markt)
fix 60380: Ensure that a call to HttpServletRequest#logout() triggers a \
call to TomcatPrincipal#logout(). Based on a patch by Michael Osipov. (markt)
fix 60387: Correct the javadoc for \
o.a.catalina.AccessLog.setRequestAttributesEnabled. The default value is \
different for the different implementations. (violetagg)
code 60393: Use consistent parameter naming in implementations of \
Realm#authenticate(GSSContext, boolean). (markt)
fix 60395: Log when an Authenticator passes an incomplete GSSContext to \
a Realm since it indicates a bug in the Authenticator. Patch provided by Michael \
Osipov. (markt)
update Update the warnings that reference required options for running \
on Java 9 to use the latest syntax for those options. (markt)
fix 60513: Fix thread safety issue with RMI cleanup code. (remm)
add 60620: Extend thed memory leaks. (markt)
Coyote
fix Ensure that the endpoint is able to unlock the acceptor thread \
during shutdown if the endpoint is configured to listen to any local address of \
a specific type such as 0.0.0.0 or ::. (markt)
fix Ensue is enabled by default for APR. (markt)
fix Prevent read time out when the file is deleted while serving the \
response. The issue was observed only with APR Connector and sendfile enabled. \
(violetagg)
fix Improve the logic that selects an to unlock the Acceptor to take \
account of platforms that do not listen on all local addresses when configured \
with an address of 0.0.0.0 or ::. (markt)
fix 60409: When unable to complete sendfile request, ensure the \
Processor will be added to the(markt)
fix 60431: Improve handling of varargs in UEL expressions. Based on a \
patch by Ben Wolfe. (markt)
fix 60497: Restore previous tag reuse behavior following the use of \
try/finally. (remm)
fix Improve the error handling for simple tags to ensure that the tag is \
released and destroyed once used. (remm)
fix 60497: Follow up fix using a better variable name for the tag reuse \
flag. (remm)
fix Revert use of try/finally for simple tags. (remm)
Web applications
fix Correct a typo in Host Configuration Reference. Issue reported via \
comments.apache.org. (violetagg)
add In the documentation web application, be explicit that clustering \
requires a secure network for all of the cluster network traffic. (markt)
update Update the ASF logos to the new versions.
Tribes
fix Reduce the warning logs for a message received from a different \
domain in order to avoid excessive log outputs. (kfujino)
add Add log message that PING message has received beyond the timeout \
period. (kfujino)
fix When a PING message that beyond the time-out period has been \
received, make sure that valid member is added to the map membership. (kfujino)
WebSocket
fix 60437: Avoid possible handshake overflows in the websocket client. (remm)
jdbc-pool
add 58816: Implement the statistics of jdbc-pool. The stats infos are \
borrowedCount, returnedCount, createdCount, releasedCount, reconnectedCount, \
releasedIdleCount and removeAbandonedCount. (kfujino)
fix 60194: If validationQuery is not specified, connection validation is \
done by calling the isValid() method. (kfujino)
fix 60398: Fix testcase of TestSlowQueryReport. (kfujino)
add Enable reset the statistics without restarting the pool. (kfujino)
Other
fix 60366: Change catalina.bat to use directly LOGGING_MANAGER and \
LOGGING_CONFIG variables in order to configure logging, instead of modifying \
JAVA_OPTS. Patch provided by Petter Isberg. (violetagg)
add New property is added test.verbose in order to control whether the \
output of the tests is displayed on the console or not. Patch provided by \
Emmanuel Bourg. (violetagg)
update Update the ASF logos used in the Apache Tomcat installer for \
Windows to use the new versions.
fix Spelling corrections provided by Josh Soref. (violetagg)
Tomcat 7.0.73 (violetagg) released 2016-11-14
Catalina
fix 60117: Ensure that the name of LogLevel is localized when using \
OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
add 60151: Improve the exception error messages when a ResourceLink \
fails to specify the type, specifies an unknown type or specifies the wrong \
type. (markt)
fix 60167: Ignore empty lines in /etc/passwd files when using the \
PasswdUserDatabase. (markt)
fix Improve the access checks for linked global resources to handle the \
case where the current class loader is a child of the web application class \
loader. (markt)
fix 60199: Log a warning if deserialization issues prevent a session \
attribute from being loaded. (markt)
fix Correctly test for control characters when reading the provided \
shutdown password. (markt)
fix When configuring the JMX remote listener, specify the allowed types \
for the credentials. (markt)
Coyote
fix 60123: Avoid potential threading issues that could cause excessively \
large values to be returned for the processing time of a current request. (markt)
fix 60174: Log instances of HeadersTooLargeException during request \
processing. (markt)
fix Correct the HTTP header parser so that DEL is not treated as a valid \
token character. (markt)
fix 60319: When using an Executor, disconnect it from the Connector \
attributes maxThreads, minSpareThreads and threadPriority to enable the \
configuration settings to be consistently reported. These Connector attributes \
will be reported as -1 when an Executor is in use. The values used by the \
executor may be set and obtained via the Executor. (markt)
fix If an I/O error occurs during async processing on a non-container \
thread, ensure that the onError() event is triggered. (markt)
fix Improve detection of I/O errors during async processing on \
non-container threads and trigger async error handling when they are detected. \
(markt)
add Add additional checks for valid characters to the HTTP request line \
parsing so invalid request lines are rejected sooner. (markt)
Web applications
add Add an example of using the classesToInitialize attribute of the \
JreMemoryLeakPreventionListener to the documentation web application. Based on a \
patch by Cris Berneburg. (markt)
fix 60192: Correct a typo in the status output of the Manager \
application. Patch provided by Radhakrishna Pemmasani. (markt)
fix Correct a typo in HTTP Connector How-To. Issue reported via \
comments.apache.org. (violetagg)
fix Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
fix Correct a typo in CGI How-To. Issue reported via \
comments.apache.org. (violetagg)
fix 60344: Add a note to BUILDING.txt regarding using the source bundle \
with the correct line endings. (markt)
Tribes
fix When the proxy node sends a backup retrieve message, ensure that \
using the channelSendOptions that has been set rather than the default \
channelSendOptions. (kfujino)
jdbc-pool
fix 60099: Ensure that use all method arguments as a cache key when \
using StatementCache. (kfujino)
fix 60139: Correct Javadocs for PoolConfiguration.getValidationInterval \
and setValidationInterval. Reported by Phillip Webb. (kfujino)
Other
add Add documentation to the bin/catalina.bat script to remind users \
that environment variables don't affect the configuration of Tomcat when run as \
a Windows Service. Based upon a documentation patch by James H.H. Lampert. \
(schultz)
Tomcat 7.0.72 (violetagg) released 2016-09-19
Catalina
fix Ensure Digester.useContextClassLoader is considered in case the \
class loader is used. (violetagg)
Jasper
fix 60101: Remove preloading of the class that was deleted. (violetagg)
jdbc-pool
fix Notify jmx when returning the connection that has been marked \
suspect. (kfujino)
fix Ensure that the POOL_EMPTY notification has been added to the jmx \
notification types. (kfujino)
Other
update Update the packaged version of the Tomcat Native Library to \
1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)
Tomcat 7.0.71 (violetagg) not released
Catalina
fix 57705: Add debug logging for requests denied by the remote host and \
remote address valves and filters. Based on a patch by Graham Leggett. (markt)
update Change the default of the sessionCookiePathUsesTrailingSlash \
attribute of the Context element to false since the problems caused when a \
Servlet is mapped to /* are more significant than the security risk of not \
enabling this option by default. (markt)
fix 59708: Modify the LockOutRealm logic. Valid authentication attempts \
during the lock out period will no longer reset the lock out timer to zero. \
(markt)
fix Improve error handling around user code prior to calling \
InstanceManager.destroy() to ensure that the method is executed. (markt)
fix Ensure that reading the singleThreadModel attribute of a \
StandardWrapper via JMX does not trigger initialisation of the associated \
servlet. With some frameworks this can trigger an unexpected initialisation \
thread and if initialisation is not thread-safe the initialisation can then fail. \
(markt)
fix By default, treat paths used to obtain a request dispatcher as \
encoded. This behaviour can be changed per web application via the \
dispatchersUseEncodedPaths attribute of the Context. (markt)
fix 59839: Apply roleSearchAsUser to all nested searches in JNDIRealm. \
(fschumacher)
add Provide a mechanism that enables the container to check if a \
component (typically a web application) has been granted a given permission when \
running under a SecurityManager without the current execution stack having to \
have passed through the component. Use this new mechanism to extend \
SecurityManager protection to the system property replacement feature of the \
digester. (markt)
add When retrieving an object via a ResourceLink, ensure that the object \
obtained is of the expected type. (markt)
fix 59866: When scanning WEB-INF/classes for annotations, don't scan the \
contents of WEB-INF/classes/META-INF (if present) since classes will never be \
loaded from that location. (markt)
fix 59912: Fix an edge case in input stream handling where an \
IOException could be thrown when reading a POST body. (markt)
fix 59966: Do not start the web application if the error page \
configuration in web.xml is invalid. (markt)
fix Switch the CGI servlet to the standard logging mechanism and remove \
support for the debug attribute. (markt)
add Add a new initialisation parameter, envHttpHeaders, to the CGI \
Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a \
mechanism that can be used to mitigate any future, similar issues. (markt)
add When adding and removing ResourceLinks dynamically, ensure that the \
global resource is only visible via the ResourceLinkFactory when it is meant to \
be. (markt)
fix 60008: When processing CORS requests, treat any origin with a URI \
scheme of file as a valid origin. (markt)
fix Improve handling of exceptions during a Lifecycle events triggered \
by a state transition. The exception is now caught and the component is now \
placed into the FAILED state. (markt)
fix Fix a file descriptor leak when reading the global web.xml. (markt)
fix 60041: Better error message if a JAR is deleted while a web \
application is running. Note: Deleting a JAR while the application is running is \
not supported and errors are expected. Based on a patch by gehui. (markt)
Coyote
fix Improve error handling around user code prior to calling \
InstanceManager.destroy() to ensure that the method is executed. (markt)
fix 59904: Add a limit (default 200) for the number of cookies allowed \
per request. Based on a patch by gehui. (markt)
fix Make timing attacks against the Realm implementations harder. (schultz)
add Refactor the code that implements the requirement that a call to \
complete() or dispatch() made from a non-container thread before the container \
initiated thread that called startAsync() completes must be delayed until the \
container initiated thread has completed. Rather than implementing this by \
blocking the non-container thread, extend the internal state machine to track \
this. This removes the possibility that blocking the non-container thread could \
trigger a deadlock. (markt)
Jasper
fix Improve error handling around user code prior to calling \
InstanceManager.destroy() to ensure that the method is executed. (markt)
fix Improve the error handling for custom tags to ensure that the tag is \
returned to the pool or released and destroyed once used. (markt)
fix Fixed StringIndexOutOfBoundsException. Based on a patch provided by \
wuwen via Github. (violetagg)
WebSocket
fix Improve error handling around user code prior to calling \
InstanceManager.destroy() to ensure that the method is executed. (markt)
fix 59868: Clarify the documentation for the Manager web application to \
make clearer that the host name and IP address in the server section are the \
primary host name and IP address. (markt)
fix 59908: Ensure that a reason phrase is included in the close message \
if a session is closed due to a timeout. (markt)
Web Applications
fix Do not log an additional case of IOExceptions in the error handler \
for the Drawboard WebSocket example when the root cause is the client \
disconnecting since the logs add no value. (markt)
fix 59642: Mention the localDataSource in the DataSourceRealm section of \
the Realm How-To. (markt)
fix Follow-up to the fix for 59399. Ensure that the new attribute \
transportGuaranteeRedirectStatus is documented for all Realms. Also document the \
NullRealm and when it is automatically created for an Engine. (markt)
fix MBeans Descriptors How-To is moved to mbeans-descriptors-howto.html. \
Patch provided by Radoslav Husar. (violetagg)
fix 60034: Correct a typo in the Manager How-To page of the \
documentation web application. (markt)
Tribes
add Add log message when the ping has timed-out. (kfujino)
fix If the ping message has been received at the \
AbstractReplicatedMap#leftOver method, ensure that notify the member is alive \
than ignore it. (kfujino)
jdbc-pool
fix Fix the duplicated connection release when connection verification \
failed. (kfujino)
fix Ensure that do not remove the abandoned connection that has been \
already released. (kfujino)
fix In order to avoid the unintended skip of PoolCleaner, remove the \
check code of the execution interval in the task that has been scheduled. \
(kfujino)
fix 59849: Ensure that the connection verification is executed by \
initSQL (if required) if the borrowing PooledConnection has not been \
initialized. (kfujino)
fix 59850: Ensure that the ResultSet is closed when enabling the \
StatementCache interceptor. (kfujino)
fix 59923: Reduce the default value of validationInterval in order to \
avoid the potential issue that continues to return an invalid connection after \
database restart. (kfujino)
fix Ensure that the ResultSet is returned as Proxy object when enabling \
the StatementDecoratorInterceptor. (kfujino)
fix 60043: Ensure that the suspectTimeout works without removing \
connection when the removeAbandoned is disabled. (kfujino)
fix Add log message of when returning the connection that has been \
marked suspect. (kfujino)
fix Correct Javadoc for ConnectionPool.suspect(). Based on a patch by \
Yahya Cahyadi. (markt)
Other
add Use the mirror network rather than the ASF master site to download \
the current ASF dependencies. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.8 \
to pick up the latest fixes and make 1.2.8 the minimum recommended version. \
(markt)
fix Fixed typos in mbeans-descriptors.xml files. (violetagg)
update Update the internal fork of Commons BCEL to r1757132 to align \
with the BCEL 6 release. (markt)
update Update the internal fork of Commons Codec to r1757174. Code \
formatting changes only. (markt)
update Update the internal fork of Commons FileUpload to afdedc9. This \
pulls in a fix to improve the performance with large multipart boundaries. \
(markt)
fix Update the download location for Objenesis. (violetagg)
Tomcat 7.0.70 (violetagg) released 2016-06-20
Catalina
fix 59219: Ensure AsyncListener.onError() is called if an Exception is \
thrown during async processing. (markt)
fix 59220: Ensure that AsyncListener.onComplete() is called if the async \
request times out and the response is already committed. (markt)
fix 59261: ServletRequest.getAsyncContext() now throws an \
IllegalStateException as required by the Servlet specification if the request is \
not in asynchronous mode when called. (markt)
fix 59310: Do not add a Content-Length: 0 header for custom responses to \
HEAD requests that do not set a Content-Length value. (markt)
fix When normalizing paths, improve the handling when paths end with /. \
or /.. and ensure that input and output are consistent with respect to whether \
or not they end with /. (markt)
fix 59317: Ensure that HttpServletRequest.getRequestURI() returns an \
encoded URI rather than a decoded URI after a dispatch. (markt)
fix Ensure that the value for the header X-Frame-Options is constructed \
correctly according to the specification when ALLOW-FROM option is used. \
(violetagg)
add 59399: Add a new option to the Realm implementations that ship with \
Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to \
be controlled per Realm. (markt)
fix 59449: In ContainerBase, ensure that the process to remove a child \
container is the reverse of the process to add one. Patch provided by Huxing \
Zhang. (markt)
fix RMI Target related memory leaks are avoidable which makes them an \
application bug that needs to be fixed rather than a JRE bug to work around. \
Therefore, start logging RMI Target related memory leaks on web application \
stop. Add an option that controls if the check for these leaks is made. Log a \
warning if running on Java 9 with this check enabled but without the command \
line option it requires. (markt)
fix Fix a potential concurrency issue with the web application class \
loader and concurrent reads and writes of the resource cache. (markt)
fix 59619: Within the web application class loader, always use path as \
the key for the resource cache to improve the hit ratio. This also fixes a \
problem exposed by the fix for 56777 that enabled file based configuration \
resources to be loaded from the class path. (markt)
fix Fix error message when failed to register MBean. (kfujino)
Coyote
fix 58970: Fix a connection counting bug in the NIO connector that meant \
some dropped connections were not removed from the current connection count. \
(markt)
fix 59289: Do not recycle upgrade processors in unexpected close \
situations. (remm)
fix Ensure that requests with HTTP method names that are not tokens (as \
required by RFC 7231) are rejected with a 400 response. (markt)
fix When an asynchronous request is processed by the AJP connector, \
ensure that request processing has fully completed before starting the next \
request. (markt)
fix If an async dispatch results in the completion of request \
processing, ensure that any remaining request body is swallowed before starting \
the processing of the next request else the remaining body may be read as the \
start of the next request leading to a 400 response. (markt)
Jasper
fix Fix a memory leak in the expression language implementation that \
caused the class loader of the first web application to use expressions to be \
pinned in memory. (markt)
fix 59654: Enforce the requirements of section 7.3.1 of the JSP \
specification regarding the permitted locations for TLD files. Patch provided by \
Huxing Zhang. (markt)
WebSocket
fix Ensure that a client disconnection triggers the error handling for \
the associated WebSocket end point. (markt)
Web Applications
fix Correct a typo in SSL/TLS Configuration How-To. Issue reported via \
comments.apache.org. (violetagg)
fix 58891: Update the SSL how-to. Based on a suggestion by Alexander \
Kjäll. (markt)
Tribes
fix Fix potential NPE that depends on the setting order of attributes of \
static member when using the static cluster. (kfujino)
add Add get/set method for the channel that is related to \
ChannelInterceptorBase. (kfujino)
fix As with the multicast cluster environment, in the static cluster \
environment, the local member inherits properties from the cluster receiver. \
(kfujino)
add Add get/set method for the channel that is related to each Channel \
services. (kfujino)
add Add name to channel in order to identify channels. In tomcat cluster \
environment, it is set the cluster name + "-Channel" as default value. \
(kfujino)
add Add the channel name to the thread which is invoked by channel \
services in order to identify the associated channel. (kfujino)
fix Ensure that clear the channel instance from channel services when \
stopping channel. (kfujino)
add Implement map state in the replication map. (kfujino)
fix Ensure that the ping is not executed during the start/stop of the \
replication map. (kfujino)
fix In ping processing in the replication map, send not the INIT message \
but the newly introduced PING message. (kfujino)
jdbc-pool
fix Fix a memory leak with the pool cleaner thread that retained a \
reference to the web application class loader for the first web application to \
use a connection pool. (markt)
Other
update Update the packaged version of the Tomcat Native Library to 1.2.7 \
to pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR 1.5.2. \
(violetagg/markt)
update Remove native code (Windows Service Wrapper, APR/native \
connector) support for Windows Itanium. (markt)
update Update the internal fork of Commons File Upload to r1743698 \
(1.3.1 plus additional fixes). (markt)
fix 58626: Add support for a new environment variable (USE_NOHUP) that \
causes nohup to be used when starting Tomcat. It is disabled by default except \
on HP-UX where it is enabled by default since it is required when starting \
Tomcat at boot on HP-UX. (markt)
Files: