Subject: CVS commit: pkgsrc/www/apache-tomcat85
From: Ryo ONODERA
Date: 2019-07-15 16:28:24
Message id: 20190715142824.538EEFBF4@cvs.NetBSD.org
Log Message:
Update to 8.5.43
Changelog:
Tomcat 8.5.43 (markt)
Catalina
Update: Modify the Default and WebDAV Servlets so that a 405 status code is \
returned for PUT and DELETE requests when disabled via the readonly \
initialisation parameter.
Fix: Align the contents of the Allow header with the response code for the \
Default and WebDAV Servlets. For any given resource a method that returns a 405 \
status code will not be listed in the Allow header and a method listed in the \
Allow header will not return a 405 status code. (markt)
Fix: When using WebDAV to copy a file resource to a destination that \
requires a collection to be overwritten, ensure that the operation succeeds \
rather than fails (with a 500 response). This enables Tomcat to pass two \
additional tests from the Litmus WebDAV test suite. (markt)
Fix: 49464: Improve the Default Servlet's handling of static files when the \
file encoding is not compatible with the required response encoding. (markt)
Fix: Fix typo in UTF-32LE charset name. Patch by zhanhb via GitHub. (fschumacher)
Add: 58590: Add the ability for a UserDatabase to monitor the backing XML \
file for changes and reload the source file if a change in the last modified \
time is detected. This is enabled by default meaning that changes to \
$CATALINA_BASE/conf/tomcat-users.xml will now take effect a short time after the \
file is saved. (markt)
Fix: Improve parsing of Range request headers. (markt)
Fix: Range headers that specify a range unit Tomcat does not recognise \
should be ignored rather than triggering a 416 response. Based on a pull request \
by zhanhb. (markt)
Fix: When comparing a date from a If-Range header, an exact match is \
required. Based on a pull request by zhanhb. (markt)
Fix: Add an option to the default servlet to disable processing of PUT \
requests with Content-Range headers as partial PUTs. The default behaviour \
(processing as partial PUT) is unchanged. Based on a pull request by zhanhb. \
(markt)
Fix: Improve parsing of Content-Range headers. (markt)
Fix: Ensure that the HEAD response is consistent with the GET response when \
HttpServlet is relied upon to generate the HEAD response and the GET response \
uses chunking. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.23. (markt)
Coyote
Fix: Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat \
HTTPS connector configured to use NIO or NIO with OpenSSL 1.1.1 or later. \
(markt)
Fix: Once a URI is identified as invalid don't attempt to process it \
further. Based on a PR by Alex Repert. (markt)
Fix: Fix to avoid the possibility of long poll times for individual pollers \
when using multiple pollers with APR. (markt)
Fix: Refactor the fix for 63205 so it only applies when using PKCS12 \
keystores as regressions have been reported with some other keystore types. \
(markt)
Jasper
Add: Include file names in error messages if SMAP processor is unable to \
delete or rename a class file during SMAP generation. (markt)
WebSocket
Fix: 63521: As required by the WebSocket specification, if a POJO that is \
deployed as a result of the SCI scan for annotated POJOs is subsequently \
deployed via the programmatic API ignore the programmatic deployment. (markt)
Other
Code: Switch i18n message files to use UTF-8 and convert to ASCII at build \
time. (markt)
Fix: 63523: Restore SSLUtilBase methods as protected to preserve \
compatibility. (remm)
Fix: Switch the check for terminal availability to test for stdin as using \
stdout does not work when output is piped to another process. Patch provided by \
Radosław Józwik. (markt)
2019-06-07 Tomcat 8.5.42 (markt)
Catalina
Add: 57287: Add file sorting to DefaultServlet (schultz)
Fix: Ensure that the default servlet reads the entire global XSLT file if \
one is defined. Identified by Coverity Scan. (markt)
Fix: Avoid potential NullPointerException when generating an HTTP Allow \
header. Identified by Coverity Scan. (markt)
Add: Remove any fragment included in the target path used to obtain a \
RequestDispatcher. The requested target path is logged as a warning since this \
is an application error. (markt)
Coyote
Update: Add additional NIO2 style read and write methods closer to core \
NIO2, for possible use with an asynchronous workflow like CompletableFuture. \
(remm)
Fix: Avoid useless exception wrapping in async IO. (remm)
Fix: 63412: Security manager failure when using the async IO API from a \
webapp. (remm)
Fix: Fix concurrency issue that led to incorrect HTTP/2 connection timeout. \
(remm/markt)
Update: Reduce the default for maxConcurrentStreams on the Http2Protocol \
from 200 to 100 to align with typical defaults for HTTP/2 implementations. \
(markt)
Update: Reduce the default HTTP/2 header list size from 4GB to 32kB to align \
with typical HTTP/2 implementations. (markt)
Add: Add support for same-site cookie attribute. Patch provided by John \
Kelly. (markt)
Fix: Correct a bug in the stream flushing code that could lead to multiple \
threads processing the stream concurrently which in turn could cause errors \
processing the stream. (markt)
Cluster
Fix: 62841: Refactor the DeltaRequest serialization to reduce the window \
during which the DeltaSession is locked and to remove a potential cause of \
deadlocks during serialization. (markt)
Fix: 63441: Further streamline the processing of session creation messages \
in the DeltaManager to reduce the possibility of a session update message being \
processed before the session has been created. (markt)
Tribes
Fix: Treat NoRouteToHostException the same way as SocketTimeoutException \
when checking the health of group members. This avoids a SEVERE log message \
every time the check is performed when the host associated with a group member \
is not powered on. (markt)
Other
Update: Switch from FindBugs to SpotBugs. (fschumacher)
and to check for terminal availability rather than the tty command since the tty based test fails \
on non-English locales. (markt)
2019-05-13 Tomcat 8.5.41 (markt)
Catalina
Fix: Fix a potential resource leak when executing CGI scripts from a WAR \
fileread of the APR connector. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak when running a web application from a WAR \
file. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak on some exception paths in ttified by \
Coverity scan. (markt)
Fix: Fix a potential resource leak when a JNDI lookup returns an object of \
an incompatible class. Identified by Coverity scan. (markt)
Code: Refactor ManagerServlet to avoid loading classes when filtering JNDI \
rescaching has been disabled. (markt)
Fix: Avoid a NullPointerException when a Context is defined in server.xml \
with a docBase but not the optional path. (markt)
Fix: 63324: Refactor the CrawlerSessionManagerValve so that the object \
placed in the sesials trigger account lock out when the LockOutRealm is in use. \
Patch provided by jchobantonov. (markt)
Coyote
Fix: When running on newer JREs that don't support SSLv2Hello, don't warn \
that it is not available unless explicitly configured. (markt)
Code: Refactor Hostname validation to improve performance. Patch provided by \
Uwe Hees. (markt)
Fix: Expand HTTP/2 timeout handling to include connection window exhaustion \
on write. This is the fix for CVE-2019-10072. (markt)
Other
Fix: 63335: Ensure that stack traces written by the OneLineFormatter are \
fully indented. The entire stack trace is now indented by an additional TAB \
character. (markt)
Fix: When using the OneLineFormatter, don't print a blank line in the log \
after printing a stack trace. (markt)
Update: Update the internal fork of Apache Commons DBCP 2 to dcdbc72 \
(2019-04-24) to pick up some clean-up and enhancements less the JDBC 4.2 related \
changes that require Java 8. (markt)
Update: Update the internal fork of Apache Commons Pool 2 to 0664f4d \
(2019-04-30) to pick up some enhancements and bug fixes. (markt)
Update: Update the internal fork of Apache Commons FileUpload to 41e4047 \
(2019-04-24) pick up some enhancements. (markt)
2019-04-12 Tomcat 8.5.40 (markt)
Catalina
Fix: 63196: Provide a default (X-Forwarded-Proto) for the protocolHeader \
attribute of the RemoteIpFilter and RemoteIpValve. (markt)
Fix: 63235: Refactor Charset cache to reduce start time. (markt)
Fix: 63249: Use a consistent log level (WARN) when logging the failure to \
register or deregister a JMX Bean. (markt)
Fix: 63249: Use a consistent log level (ERROR) when logging the \
LifecycleException associated with the failure to start or stop a component. \
(markt)
Fix: When the SSI directive fsize is used with an invalid target, return a \
file size of - rather than 1k. (markt)
Fix: 63251: Implement a work-around for a known JRE bug (JDK-8194653) that \
may cause a dead-lock when Tomcat starts. (markt)
Fix: 63275: When using a RequestDispatcher ensure that \
HttpServletRequest.getContextPath() returns an encoded path in the dispatched \
request. (markt)
Fix: 63286: Document the differences in behaviour between the LogFormat \
directive in httpd and the pattern attribute in the AccessLogValve for %D and \
%T. (markt)
Fix: 63311: Add support for https URLs to the local resolver within Tomcat \
used to resolve standard XML DTDs and schemas when Tomcat is configured to \
validate XML configuration files such as web.xml. (markt)
Fix: Encode the output of the SSI printenv command. This is the fix for \
CVE-2019-0221. (markt)
Code: Use constants for SSI encoding values. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to \
true, limit the encoded form of the individual command line arguments to those \
values allowed by RFC 3875. This restriction may be relaxed by the use of the \
new initialisation parameter cmdLineArgumentsEncoded. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to \
true, limit the decoded form of the individual command line arguments to known \
safe values when running on Windows. This restriction may be relaxed by the use \
of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for \
CVE-2019-0232. (markt)
Update: Change the default for the enableCmdLineArguments parameter of the \
CGI servlet from true to false as additional hardening against CVE-2019-0232. \
(markt)
Coyote
Fix: Fix bad interaction between NIO2 async read API and the regular read. (remm)
Fix: Refactor NIO2 write pending strategy for the classic IO API. (remm)
Fix: Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
Fix: When using a JSSE TLS connector that supported ALPN (Java 9 onwards) \
and a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and \
instead dropped the connection. (markt)
Fix: Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 \
that prevented the use of PKCS#8 private keys with OpenSSL based connectors. \
(markt)
Fix: When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any \
query string present in the original HTTP/1.1 request is passed to the HTTP/2 \
request processing. (markt)
Fix: When Tomcat writes a final response without reading all of an HTTP/2 \
request, reset the stream to inform the client that the remaining request body \
is not required. (markt)
Fix: 63312: Correct a regression in the error page handling that prevented \
error pages from issuing redirects or taking other action that required the \
response status code to be changed. (markt)
Jasper
Add: Add support for specifying Java 11 (with the value 11) as the compiler \
source and/or compiler target for JSP compilation. (markt)
Add: Add support for specifying Java 12 (with the value 12) and Java 13 \
(with the value 13) as the compiler source and/or compiler target for JSP \
compilation. If used with an ECJ version that does not support these values, a \
warning will be logged and the latest supported version will be used. Based on a \
patch by Thomas Collignon. (markt)
WebSocket
Fix: Improve the handling of exceptions during TLS handshakes for the \
WebSocket client. (markt)
Web applications
Fix: 63184: Expand the SSI documentation to provide more information on the \
supported directives and their attributes. Patch provided by nightwatchcyber. \
(markt)
Add: Add a note to the documentation about the risk of DoS with poorly \
written regular expressions and the RewriteValve. Patch provided by salgattas. \
(markt)
jdbc-pool
Fix: 63320: Ensure that StatementCache caches statements that include arrays \
in arguments. (kfujino)
Files:
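The first two 8.5.43 Catalina entries above change the read-only Default and WebDAV Servlets to answer PUT and DELETE with 405 and make the Allow header agree with the status code. The probe below, added here as an example and not code from Tomcat or the pkgsrc package, checks that invariant: a method answered with 405 must not be listed in Allow, and a method listed in Allow must not be answered with 405. The two servlet stand-ins are constructed for the demonstration and make no claim about any particular Tomcat version; `http_probe` builds a probe that sends real requests to a test deployment over plain HTTP (an assumption) so the same check can be run against an updated instance.

```python
"""Allow-header / 405 consistency probe.

Added example modelled on the Tomcat 8.5.43 Default and WebDAV Servlet
changelog entries; it is not Tomcat code. The invariant it checks: for a
given resource, a method answered with 405 is not listed in Allow, and a
method listed in Allow is not answered with 405.
"""
import http.client
from urllib.parse import urlsplit


def parse_allow(value):
    """Split an Allow header value into a set of upper-case method tokens."""
    if not value:
        return set()
    return {token.strip().upper() for token in value.split(",") if token.strip()}


def allow_405_violations(probe, methods=("OPTIONS", "GET", "HEAD", "POST", "PUT", "DELETE")):
    """Run probe(method) -> (status, allow_header_or_None) for each method and
    return a sorted list of (method, reason) pairs that break the invariant.
    The list is empty when the responses are consistent."""
    results = {method: probe(method) for method in methods}
    violations = set()
    for method, (status, allow) in results.items():
        # RFC 7231 s.6.5.5: a 405 response must carry an Allow header.
        if status == 405 and not allow:
            violations.add((method, "405 without Allow header"))
    # Every method advertised in any Allow header must not itself be a 405.
    advertised = set()
    for _status, allow in results.values():
        advertised |= parse_allow(allow)
    for method in advertised & set(results):
        if results[method][0] == 405:
            violations.add((method, "listed in Allow but answered with 405"))
    return sorted(violations)


def readonly_servlet_after_fix(method):
    """Constructed stand-in for a read-only resource behaving as the 8.5.43
    entries describe: PUT and DELETE get 405 and Allow omits them."""
    allow = "GET, HEAD, POST, OPTIONS"
    if method in ("PUT", "DELETE"):
        return 405, allow
    if method == "OPTIONS":
        return 200, allow
    return 200, None


def inconsistent_servlet(method):
    """Constructed counter-example (not a claim about any Tomcat version):
    PUT is refused with 405 yet advertised in Allow, and DELETE is refused
    with 405 without any Allow header."""
    allow = "GET, HEAD, PUT, OPTIONS"
    if method == "PUT":
        return 405, allow
    if method == "DELETE":
        return 405, None
    if method == "OPTIONS":
        return 200, allow
    return 200, None


def http_probe(url, timeout=5.0):
    """Build a probe that sends real requests to a test deployment, e.g.
    allow_405_violations(http_probe("http://localhost:8080/static/file.txt")).
    Assumes plain HTTP; the constructed probes above need no network."""
    parts = urlsplit(url)
    path = parts.path or "/"

    def probe(method):
        conn = http.client.HTTPConnection(parts.hostname, parts.port or 80, timeout=timeout)
        try:
            conn.request(method, path)
            response = conn.getresponse()
            response.read()
            return response.status, response.getheader("Allow")
        finally:
            conn.close()

    return probe


if __name__ == "__main__":
    print("after fix:", allow_405_violations(readonly_servlet_after_fix))
    print("inconsistent:", allow_405_violations(inconsistent_servlet))
```

Run it against a deployment only where PUT and DELETE requests without a body are acceptable; the probe issues every method in the list, so point it at a resource under the read-only Default Servlet, not at a writable WebDAV collection.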
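Several 8.5.43 Catalina entries above concern range handling in the Default Servlet: unrecognised range units are to be ignored rather than answered with 416, an If-Range date must match exactly, and partial PUTs driven by Content-Range become optional. The module below is an added example that models that behaviour in plain Python; it is not Tomcat code. Two things are assumptions of this example, not statements about Tomcat: the status codes for cases the entries leave unspecified (malformed or unsatisfiable byte ranges give 416, a rejected Content-Range gives 400), and that the partial-PUT switch corresponds to an `allow_partial_put` flag, which here stands in for the init parameter the entry mentions without naming. The sample Last-Modified value is constructed.

```python
"""Range, If-Range and Content-Range handling.

Added example modelled on the Tomcat 8.5.43 Default Servlet changelog
entries; it is not Tomcat code. Status codes for cases the entries leave
unspecified (malformed or unsatisfiable ranges -> 416, rejected
Content-Range -> 400) are this example's own choices.
"""
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

BYTE_RANGE_SPEC = re.compile(r"^(\d*)-(\d*)$")
CONTENT_RANGE = re.compile(r"^(\w+) (\d+)-(\d+)/(\d+)$")

# Constructed resource timestamp used by the usage code and checks below.
SAMPLE_LAST_MODIFIED = datetime(2019, 7, 13, 10, 0, 0, tzinfo=timezone.utc)


def parse_range(header, size):
    """Parse a Range request header against a resource of `size` bytes.

    Returns (200, None) to send the whole resource, (416, None) when the
    request is unsatisfiable, or (206, [(start, end), ...]) with inclusive
    byte offsets already clamped to the resource length.
    """
    if header is None or size == 0:
        return 200, None
    unit, sep, specs = header.partition("=")
    if not sep:
        return 416, None
    # RFC 7233 s.3.1: a server that does not recognise the range unit ignores
    # the header rather than failing the request (the 8.5.43 entry).
    if unit.strip().lower() != "bytes":
        return 200, None
    ranges = []
    for spec in specs.split(","):
        match = BYTE_RANGE_SPEC.match(spec.strip())
        if not match or match.group(0) == "-":
            return 416, None
        first, last = match.groups()
        if first == "":                           # suffix range "-N": the last N bytes
            start, end = max(size - int(last), 0), size - 1
        else:
            start = int(first)
            end = size - 1 if last == "" else min(int(last), size - 1)
        if start > end:                           # also covers start >= size
            return 416, None
        ranges.append((start, end))
    return 206, ranges


def if_range_permits_partial(if_range, etag, last_modified):
    """Decide whether a Range header may be honoured under an If-Range header.

    `last_modified` is a timezone-aware datetime at whole-second resolution,
    as HTTP dates are. A date validator must match exactly (the 8.5.43
    entry); an entity-tag validator must equal the resource's ETag.
    """
    if if_range is None:
        return True
    value = if_range.strip()
    if value.startswith(('"', "W/")):
        return value == etag
    try:
        return parsedate_to_datetime(value) == last_modified
    except (TypeError, ValueError):               # unparseable validator: serve the full entity
        return False


def classify_put(content_range, allow_partial_put=True):
    """Classify a PUT by its Content-Range header.

    Returns ("full", None) without the header, ("partial", (start, end, total))
    for a byte range to splice into the stored resource, or ("reject", 400)
    when partial PUTs are disabled or the header is unusable. allow_partial_put
    is this example's stand-in for the init parameter the 8.5.43 entry adds.
    """
    if content_range is None:
        return "full", None
    if not allow_partial_put:
        return "reject", 400
    match = CONTENT_RANGE.match(content_range.strip())
    if not match or match.group(1).lower() != "bytes":
        return "reject", 400
    start, end, total = (int(group) for group in match.groups()[1:])
    if not start <= end < total:
        return "reject", 400
    return "partial", (start, end, total)


if __name__ == "__main__":
    print(parse_range("bytes=-100", 1000))
    print(parse_range("pages=1-2", 1000))
    print(if_range_permits_partial("Sat, 13 Jul 2019 10:00:01 GMT", '"v1"', SAMPLE_LAST_MODIFIED))
    print(classify_put("bytes 0-99/1000", allow_partial_put=False))
```

The one-second If-Range mismatch in the usage code is the case the "exact match" entry addresses: with a tolerance, a stale client copy could be spliced with bytes from a newer file.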
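The 8.5.40 CGI Servlet entries above (the fix for CVE-2019-0232) restrict command-line arguments in two stages: the encoded form of each argument is limited to what RFC 3875 allows, the decoded form is limited to known-safe values on Windows, and the feature is turned off by default. The code below is an added example of that two-stage check, not Tomcat's CGIServlet. Its character classes are assumptions: the encoded-form class follows the search-word grammar of RFC 3875 section 4.4, and the Windows decoded-form class is a deliberately small whitelist because the entry only says "known safe values". `unchecked_args` is the naive gateway shown for contrast, and how the real servlet responds to a rejected request is not stated in the entries, so this example raises an exception.

```python
"""CGI command-line argument validation.

Added example modelled on the Tomcat 8.5.40 CGI Servlet changelog entries
(CVE-2019-0232); it is not Tomcat code. The character classes are this
example's assumptions, see the comments on each pattern.
"""
import re
from urllib.parse import unquote

# RFC 3875 s.4.4 search-word: unreserved | escaped | xreserved; '+' separates words.
ENCODED_WORD = re.compile(r"^(?:[A-Za-z0-9\-_.!~*'()]|%[0-9A-Fa-f]{2}|[;/?:@&=,$])+$")
# Assumed safe set for the decoded form on Windows: no cmd.exe metacharacters
# (& | ^ < > % ") and no whitespace survive this check.
DECODED_WORD_WINDOWS = re.compile(r"^[A-Za-z0-9\-_./]+$")


class CgiArgumentError(ValueError):
    """Raised for a request whose arguments fail validation."""


def unchecked_args(query_string):
    """The hazard: a gateway that only splits on '+' and percent-decodes.
    On Windows, cmd.exe runs a .bat script, so an argument such as '&dir'
    executes 'dir' (the CVE-2019-0232 pattern)."""
    if not query_string or "=" in query_string:
        return []
    return [unquote(word) for word in query_string.split("+")]


def cgi_command_line_args(query_string, enable_cmd_line_arguments=False, windows=False):
    """Return the arguments a CGI script receives, applying the described
    hardening: off by default; a query string containing '=' is not an
    argument list (RFC 3875 s.4.4); every word must pass the encoded-form
    check; on Windows the decoded word must also pass the decoded-form check."""
    if not enable_cmd_line_arguments or not query_string or "=" in query_string:
        return []
    args = []
    for word in query_string.split("+"):
        if not ENCODED_WORD.match(word):
            raise CgiArgumentError("encoded argument not permitted: %r" % word)
        decoded = unquote(word)
        if windows and not DECODED_WORD_WINDOWS.match(decoded):
            raise CgiArgumentError("decoded argument not permitted: %r" % decoded)
        args.append(decoded)
    return args


def is_rejected(query_string, windows=False):
    """True when the hardened gateway refuses the query string with arguments enabled."""
    try:
        cgi_command_line_args(query_string, enable_cmd_line_arguments=True, windows=windows)
    except CgiArgumentError:
        return True
    return False


if __name__ == "__main__":
    print(unchecked_args("%26dir"))                              # the naive gateway passes '&dir' through
    print(cgi_command_line_args("%26dir", True, windows=False))  # a plain argument on POSIX
    print(is_rejected("%26dir", windows=True))                   # decoded check catches it on Windows
    print(is_rejected("|whoami"))                                # '|' fails the encoded check everywhere
```

The `%26dir` case is why both stages exist: `%26` is a legal escaped sequence under RFC 3875, so the encoded check passes it, and only the decoded check on Windows stops the `&` from reaching cmd.exe.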