Log Message:
Update to 9.0.26

Changelog:
Tomcat 9.0.26 (markt)
Oher

    Fix: Re-tagged to ensure that the source file for the changelog did not \ 
contain an XML byte order mark. (markt)

not released Tomcat 9.0.25 (markt)
Catalina

    Fix: Avoid a possible InvalidPathException when obtaining a URI for a \ 
configuration file. (markt)
    Fix: 63684: Wrapper never passed to RealmBase.hasRole() for given security \ 
constraints. (michaelo)
    Fix: 63740: Ensure configuration files are loaded correctly when a Host is \ 
configured with an xmlBase. Patch provided by uk4sx. (markt)
    Fix: Avoid a potential NullPointerException on Service stop if a Service is \ 
embedded directly (i.e. with no Server) in an applciation and JNDI is enabled. \ 
Patch provided by S. Ali Tokmen. (markt)
    Add: Add a new PropertySource implementation, EnvironmentPropertySource, \ 
that can be used to do property replacement in configuration files with \ 
environment variables. Based on a pull request provided by Thomas Meyer. (markt)

Coyote

    Fix: 63682: Fix a potential hang when using the asynchronous Servlet API to \ 
write the response body and the stream and/or connection window reaches 0 bytes \ 
in size. (markt)
    Fix: 63690: Use the average of the current and previous sizes when \ 
calculating overhead for HTTP/2 DATA and WINDOW_UPDATE frames to avoid false \ 
positives as a result of client side buffering behaviour that causes a small \ 
percentage of non-final DATA frames to be smaller than expected. (markt)
    Fix: 63706: Avoid NPE accessing https port with plaintext. (remm)
    Fix: Correct typos in the names of the configuration attributes \ 
overheadDataThreshold and overheadWindowUpdateThreshold. (markt)
    Fix: If the HTTP/2 connection requires an initial window size larger than \ 
the default, send a WINDOW_UPDATE to increase the flow control window for the \ 
connection so that the initial size of the flow control window for the \ 
connection is consistent with the increased value. (markt)
    Fix: 63710: When using HTTP/2, ensure that a content-length header is not \ 
set for those responses with status codes that do not permit one. (markt)
    Fix: 63737: Correct various issues when parsing the accept-encoding header \ 
to determine if gzip encoding is supported including only parsing the first \ 
header found. (markt)

Jasper

    Fix: 63724: Correct a regression introduced in 9.0.21 that broke compilation \ 
of JSPs in some configurations. (markt)

Web applications

    Fix: Correct the source code links on the index page for the ROOT web \ 
application to point to Git rather than Subversion. (markt)
    Fix: Fix various issues with the Javadoc generated for the documentation web \ 
application to enable release builds to be built with Java 10 onwards. (markt)
    Fix: 63733: Remove the documentation for the "Additional \ 
Components" since they have been remove / merged into the core Tomcat \ 
distribution for 9.0.5 onwards. (markt)
    Fix: 63739: Correct the invalid Automatic-Module-Name manifest entries for \ 
the Tomcat provided JARs included in the Tomcat embedded distribution. (markt)
    Fix: Fix a large number of Javadoc and documentation typos. Patch provided \ 
by KangZhiDong. (markt)
    Fix: Spelling and formatting corrections for the cluster how-to. Pull \ 
request provided by Bill Mitchell. (markt)

Other

    Add: Expand the coverage and quality of the French translations provided \ 
with Apache Tomcat. (remm)
    Add: Expand the coverage and quality of the Simplified Chinese translations \ 
provided with Apache Tomcat. Includes contributions by leeyazhou and 康智冬. \ 
(markt)
    Fix: 62140: Additional usage documentation in comments for \ 
catalina.[bat|sh]. (markt)
    Fix: Fix JSSE_OPTS quoting in catalina.bat. Contributed by Peter Uhnak. \ 
(fschumacher)
    Update: 63625: Update to Commons Daemon 1.2.1. This corrects several \ 
regressions in Commons Daemon 1.2.1, most notably the Windows Service crashing \ 
on start when using 32-bit JVMs. (markt)
    Fix: 63689: Correct a regression in the fix for 63285 that meant that when \ 
installing a service, the service display name was not set. (markt)
    Fix: When performing a silent install with the Windows Installer, ensure \ 
that the registry entires are added to the 64-bit registry when using a 64-bit \ 
JVM. (markt)
    Fix: Remove unused i18n messages and associated translations. Patch provided \ 
by KangZhiDong. (markt)
    Add: Expand the coverage and quality of the Korean translations provided \ 
with Apache Tomcat. (woonsan)

2019-08-17 Tomcat 9.0.24 (markt)
Coyote

    Code: Remove the code in the sendfile poller that ensured smaller pollsets \ 
were used with older, no longer supported versions of Windows that could not \ 
support larger pollsets. (markt)

not released Tomcat 9.0.23 (markt)
Catalina

    Update: 63627: Implement more fine-grained handling in \ 
RealmBase.authenticate(GSSContext, boolean). (michaelo)
    Add: 62496: Add option to write auth information (remote user/auth type) to \ 
response headers. (michaelo)
    Add: 57665: Add support for the X-Forwarded-Host header to the \ 
RemoteIpFilter and RemoteIpValve. (markt)
    Fix: 63550: Only try the alternateURL in the JNDIRealm if one has been \ 
specified. (markt)
    Add: 63556: Mark request as forwarded in RemoteIpValve and RemoteIpFilter \ 
(michaelo)
    Fix: If an unhandled exception occurs on a asynchronous thread started via \ 
AsyncContext.start(Runnable), process it using the standard error page \ 
mechanism. (markt)
    Fix: Discard large byte buffers allocated using setBufferSize when recycling \ 
the request. (remm)
    Fix: 63579: Correct parsing of malformed OPTIONS requests and reject them \ 
with a 400 response rather than triggering an internal error that results in a \ 
500 response. (markt)
    Fix: 63608: Align the implementation of the negative match feature for \ 
patterns used with the RewriteValve with the description in the documentation. \ 
(markt)
    Fix: Avoid a NullPointerException in the CrawlerSessionManagerValve if no \ 
ROOT Context is deployed and a request does not map to any of the other deployed \ 
Contexts. Patch provided by Jop Zinkweg. (markt)
    Fix: 63636: Context.findRoleMapping() never called in \ 
StandardWrapper.findSecurityReference(). (michaelo)

Coyote

    Code: Refactor the APR poller to always use a single pollset now that the \ 
Windows operating systems that required multiple smaller pollsets to be used are \ 
no longer supported. (markt)
    Fix: 63524: Improve the handling of PEM file based keys and certificates \ 
that do not include a full certificate chain when configuring the internal, \ 
in-memory key store. Improve the handling of PKCS#1 formatted private keys when \ 
configuring the internal, in-memory key store. (markt)
    Update: Add callback when finishing the set properties rule in the digester. \ 
(remm)
    Fix: 63570: Fix regression retrieving local address with the NIO connector. \ 
Submitted by Aditya Kadakia. (remm)
    Fix: 63568: Avoid error when trying to set tcpNoDelay on socket types that \ 
do not support it, which can occur when using the NIO inherited channel \ 
capability. Submitted by František Kučera. (remm)
    Fix: Correct parsing of invalid host names that contain bytes in the range \ 
128 to 255 and reject them with a 400 response rather than triggering an \ 
internal error that results in a 500 response. (markt)
    Fix: 63571: Allow users to configure infinite TLS session caches and/or \ 
timeouts. (markt)
    Fix: 63578: Improve handling of invalid requests so that 400 responses are \ 
returned to the client rather than 500 responses. (markt)
    Fix: Fix h2spec test suite failure. It is an error if a Huffman encoded \ 
string literal contains the EOS symbol. (jfclere)
    Add: Connections that fail the TLS handshake will now appear in the access \ 
logs with a 400 status code. (markt)
    Fix: Timeouts for HTTP/2 connections were not always correctly handled \ 
leaving some connections open for longer than expected. (markt)
    Fix: 63650: Refactor initialisation for JSSE based TLS connectors to enable \ 
custom JSSE providers that provide custom cipher suites to be used. (markt)
    Add: Expand the HTTP/2 excessive overhead protection to cover various forms \ 
of abusive client behaviour and close the connection if any such behaviour is \ 
detected. (markt)
    Fix: Fix a crash on shutdown with the APR/native connector when a blocking \ 
I/O operation was still in progress when the connector stopped. (markt)

Cluster

    Fix: Avoid failing Kubernetes membership (and preventing startup) if the \ 
stream cannot be opened, to get the same behavior as the DNS based membership. \ 
The namespace is still a failure on startup but it is easy to provide. (remm)
    Fix: Avoid non fatal NPEs with Tribes when JMX is not available. (remm)
    Fix: Make Kube environment optional for Kube memberships, for easier testing \ 
and Graal training. A warn log will occur if the environment is not present. \ 
(remm)

Web applications

    Fix: 63597: Update the custom 404 error page for the Host Manager to take \ 
account of previous refactoring so that the page is used for 404 errors rather \ 
than falling back to the default error page. (markt)

Other

    Fix: JNDI support for GraalVM native images. (remm)
    Fix: JSP runtime library support for GraalVM native images. (remm)
    Fix: java.util.logging configuration for GraalVM native images. (remm)
    Update: Update Checkstyle to 8.22. (markt)
    Update: 62696: The digital signature for the Windows installer now uses \ 
SHA-256 for hashes. (markt)
    Update: 63310: Update to Commons Daemon 1.2.0. This provides improved \ 
support for Java 11. This also changes the user configured by the Windows \ 
installer for the Windows service from Local System to the lower privileged \ 
Local Service. (markt)
    Fix: 55969: Tighten up the security of the Apache Tomcat installation \ 
created by the Windows installer. Change the default shutdown port used by the \ 
Windows installer from 8005 to -1 (disabled). Limit access to the chosen \ 
installation directory to local administrators, Local System and Local Service. \ 
(markt)
    Add: Expand the coverage and quality of the French translations provided \ 
with Apache Tomcat. (remm)
    Add: 63285: Add an option to service.bat so that when installing a Windows \ 
service, the name of the executables used by the Windows service may be changed \ 
to match the service name. This makes the installation behaviour consistent with \ 
the Windows installer. The original executable names will be restored when the \ 
Windows service is removed. The renaming can be enabled by using the new \ 
--rename option after the service name. (markt)
    Fix: 63567: Restore the passing of $LOGGING_MANAGER to the jvm in \ 
catalina.sh when calling stop. (markt)
    Fix: Correct broken OSGi data in JAR file manifests. (markt)
    Fix: Add "embed" to the Bundle-Name and Bundle-Symbolic-Name for \ 
the Tomact embedded WebSocket JAR to align the naming with the other embedded \ 
JARs and to differentiate it from the standard WebSocket JAR that does not \ 
include the API classes. (markt)
    Fix: 63555: Add Automatic-Module-Name entries for each of the Tomcat \ 
provided JARs included in the Tomcat embedded distribution. (markt)
    Update: Update dependency on bnd to 4.2.0. (markt)
    Update: Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to \ 
pick up the fix for CODEC-134. (markt)
    Update: Update the internal fork of Commons Pool2 to 796e32d (2018-08-01) to \ 
pick up the changes Commons Pool2 2.7.0. (markt)
    Update: Update the internal fork of Commons DBCP2 to 87d9e3a (2018-08-01) to \ 
pick up the changes Commons DBCP2 2.7.0 and DBCP-555. (markt)
    Update: 63648: Update the test TLS keys and certificates used in the test \ 
suite to replace the keys and certificates that are about to expire. (markt)