Subject: CVS commit: pkgsrc/www/apache-tomcat6
From: Ryo ONODERA
Date: 2024-07-18 14:05:43
Message id: 20240718120543.2ED6DFC74@cvs.NetBSD.org

Log Message:
www/apache-tomcat6: Update to 6.0.53

Changelog:
Tomcat 6.0.53 (violetagg)
    Coyote
        fix Ensure that the socket is returned only once to the poller.
            (violetagg)

Tomcat 6.0.52 (violetagg)                                     not released
    Coyote
        fix Improve sendfile handling when requests are pipelined. (markt)

Tomcat 6.0.51 (violetagg)                               released 2017-03-16
    Jasper
        fix 60613: Refactor code generated for JSPs to reduce the size of
            the code required for tags. (markt)

    Other
        update Change Realm configuration in the default conf/server.xml
               file to use a org.apache.catalina.realm.LockOutRealm. The
               LockOutRealm is available since 6.0.19, but has not been
               configured by default. (kkolinko)

        update Update the packaged version of the Tomcat Native Library to
               1.2.12 to pick up the latest Windows binaries built with
               OpenSSL 1.0.2k. (violetagg)

        update Update the NSIS Installer used to build the Windows
               installer to version 3.01. (markt)

        fix    Refactor the build script and the NSIS installer script so
               that either NSIS 2.x or NSIS 3.x can be used to build the
               installer. This is primarily to re-enable building the
               installer on the Linux based CI system where the combination
               of NSIS 3.x and wine leads to failed installer builds.
               (markt)

Tomcat 6.0.50 (violetagg)                                      not released
    Web applications
        fix Ensure the ASF logo image is correctly displayed in ROOT, docs
            and host-manager applications. (violetagg)

Tomcat 6.0.49 (violetagg)                                      not released
    Coyote
        fix 57799: Remove useless sendfile check for NIO SSL. (remm)

        fix 60409: When unable to complete sendfile request, ensure the
            Processor will be added to the cache only once.
            (markt/violetagg)

    Jasper
        add 44294: Add support for varargs in UEL expressions. (markt)

        fix 60356: Fix pre-compilation of JSPs that depend on nested tag
            files packaged in a JAR. (markt)

        fix 60431: Improve handling of varargs in UEL expressions. Based on
            a patch by Ben Wolfe. (markt)

        fix 60497: Restore previous tag reuse behavior following the use of
            try/finally. (remm)

        fix Improve the error handling for simple tags to ensure that the
            tag is released and destroyed once used. (remm)

        fix 60497: Follow up fix using a better variable name for the tag
            reuse flag. (remm)

        fix Revert use of try/finally for simple tags. (remm)

    Web applications
        fix    Correct a typo in Host Configuration Reference. Issue
               reported via comments.apache.org. (violetagg)

        add    In the documentation web application, be explicit that
               clustering requires a secure network for all of the cluster
               network traffic. (markt)

        update Update the ASF logos to the new versions. (markt)

    Other
        update Update the ASF logos used in the Apache Tomcat installer for
               Windows to use the new versions. (markt)

Tomcat 6.0.48 (violetagg)                               released 2016-11-15
    Catalina
        fix Correctly test for control characters when reading the provided
            shutdown password. (markt)

        fix When configuring the JMX remote listener, specify the allowed
            types for the credentials. (markt)

    Coyote
        fix Correct the HTTP header parser so that DEL is not treated as a
            valid token character. (markt)

        add Add additional checks for valid characters to the HTTP request
            line parsing so invalid request lines are rejected sooner.
            (markt)

    Web applications
        fix Correct a typo in CGI How-To. Issue reported via
            comments.apache.org. (violetagg)

    Extras
        add 55017: Add the ability to configure the RMI bind address when
            using the JMX remote listener. Patch provided by Alexey Noskov.
            (markt)

        fix 56039: Enable the JmxRemoteLifecycleListener to work over SSL.
            Patch by esengstrom. (markt)

        fix 56096: When the attribute rmiBindAddress of the JMX Remote
            Lifecycle Listener is specified its value will be used when
            constructing the address of a JMX API connector server. Patch
            is provided by Jim Talbut. (markt)

        fix 57377: Remove the restriction that prevented the use of SSL
            when specifying a bind address with the
            JMXRemoteLifecycleListener. Also enable SSL to be configured
            for the registry as well as the server. (markt)

Tomcat 6.0.47 (violetagg)                               released 2016-10-16
    Catalina
        fix Fixed a warning message that is logged during Tomcat startup.
            (violetagg)

Tomcat 6.0.46 (violetagg)                                      not released
    Catalina
        add Log a warning message if a user tries to configure the default
            session timeout via the deprecated (and ignored)
            Manager.setMaxInactiveInterval() method. (markt)

        fix Correct a regression introduced in 6.0.45 where the deprecated
            Manager.getMaxInactiveInterval() method returned the current
            default session timeout in minutes rather than seconds. (markt)

        fix 58486: Expand memory leak protection to include additional
            issues identified related to XML parsing. (markt)

        fix 59123: Close NamingEnumeration objects used by the JNDIRealm
            once they are no longer required. (fschumacher/markt)

        fix 59138: Correct a false positive warning for ThreadLocal related
            memory leaks when the key class but not the value class has
            been loaded by the web application class loader. (markt)

        fix 59269: Correct the implementation of PersistentManagerBase so
            that minIdleSwap functions as designed and sessions are swapped
            out to keep the active session count below maxActiveSessions.
            (markt)

        fix 59247: Preload ResourceEntry as a workaround for security
            manager issues on some JVMs. (kkolinko/remm)

        fix 59310: Do not add a Content-Length: 0 header for custom
            responses to HEAD requests that do not set a Content-Length
            value. (markt)

        fix 59449: In ContainerBase, ensure that the process to remove a
            child container is the reverse of the process to add one. Patch
            provided by Huxing Zhang. (markt)

        fix RMI Target related memory leaks are avoidable which makes them
            an application bug that needs to be fixed rather than a JRE bug
            to work around. Therefore, start logging RMI Target related
            memory leaks on web application stop. Add an option that
            controls if the check for these leaks is made. Log a warning if
            running on Java 9 with this check enabled but without the
            command line option it requires. (markt)

        fix 59708: Modify the LockOutRealm logic. Valid authentication
            attempts during the lock out period will no longer reset the
            lock out timer to zero. (markt)

        fix By default, treat paths used to obtain a request dispatcher as
            encoded. This behaviour can be changed per web application via
            the dispatchersUseEncodedPaths attribute of the Context.
            (markt)

        add Provide a mechanism that enables the container to check if a
            component (typically a web application) has been granted a
            given permission when running under a SecurityManager without
            the current execution stack having to have passed through the
            component. Use this new mechanism to extend SecurityManager
            protection to the system property replacement feature of the
            digester. (markt)

        add When retrieving an object via a ResourceLink, ensure that the
            object obtained is of the expected type. (markt)

        fix Switch the CGI servlet to the standard logging mechanism and
            remove support for the debug attribute. (markt)

        add Add a new initialisation parameter, envHttpHeaders, to the CGI
            Servlet to mitigate httpoxy (CVE-2016-5388) by default and to
            provide a mechanism that can be used to mitigate any future,
            similar issues. (markt)

        add When adding and removing ResourceLinks dynamically, ensure that
            the global resource is only visible via the ResourceLinkFactory
            when it is meant to be. (markt)

        fix Make timing attacks against the Realm implementations harder.
            (schultz/markt)

        fix Ensure Digester.useContextClassLoader is considered in case the
            class loader is used. (violetagg)

        add 60151: Improve the exception error messages when a ResourceLink
            fails to specify the type, specifies an unknown type or
            specifies the wrong type. (markt)

        fix Correct basePackage and PrivilegedFindResourceByName in
            SecurityClassLoad so that tomcat can successfully start with
            the Security Manager enabled. (csutherl)

        fix Improve the access checks for linked global resources to handle
            the case where the current class loader is a child of the web
            application class loader. (markt)

    Coyote
        fix 58646: Correct a problem with sendfile that resulted in a
            Processor being added to the cache twice leading to broken
            responses. (markt)

        fix Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL
            (APR) to those currently considered secure. (markt)

        add Add a new environment variable JSSE_OPTS that is intended to be
            used to pass JVM wide configuration to the JSSE implementation.
            The default value is -Djdk.tls.ephemeralDHKeySize=2048 which
            protects against weak Diffie-Hellman keys. (markt)

        fix 59451: Correct Javadoc for MessageBytes. Patch provided by
            Kyohei Nakamura. (markt)

        fix Ensure that requests with HTTP method names that are not tokens
            (as required by RFC 7231) are rejected with a 400 response.
            (markt)

        fix 59904: Add a limit (default 200) for the number of cookies
            allowed per request. Based on a patch by gehui. (markt)

        fix 60123: Avoid potential threading issues that could cause
            excessively large values to be returned for the processing time
            of a current request. (markt)

    Jasper
        fix Fix a memory leak in the expression language implementation
            that caused the class loader of the first web application to
            use expressions to be pinned in memory. (markt)

        fix 59654: Enforce the requirements of section 7.3.1 of the JSP
            specification regarding the permitted locations for TLD files.
            Patch provided by Huxing Zhang. (markt)

        fix Catch and log any Exceptions during calls to Servlet.destroy()
            when destroying the Servlet associated with a JSP page. (markt)

        fix Improve the error handling for custom tags to ensure that the
            tag is returned to the pool or released and destroyed once
            used. (markt)

    Web applications
        fix 58935: Remove incorrect references in the documentation to
            using jar:file: URLs with the Manager application. (markt)

        fix Correct the description of the ServletRequest.getServerPort()
            in Proxy How-To. Issue reported via comments.apache.org.
            (violetagg)

        fix Fix a potential indefinite wait in the Comet Chat servlet in
            the examples web application. (markt)

        fix Update in the documentation the link to the maven repository
            where Tomcat snapshot artifacts are deployed. (markt/violetagg)

        fix Clarify in the documentation that calls to
            ServletContext.log(String, Throwable) or
            GenericServlet.log(String, Throwable) are logged at the SEVERE
            level. (violetagg)

        fix Correct a typo in SSL/TLS Configuration How-To. Issue reported
            via comments.apache.org. (violetagg)

        fix 58891: Update the SSL how-to. Based on a suggestion by
            Alexander Kja:ll. (markt)

        fix 59642: Mention the localDataSource in the DataSourceRealm
            section of the Realm How-To. (markt)

        fix 60034: Correct a typo in the Manager How-To page of the
            documentation web application. (markt)

        add Add an example of using the classesToInitialize attribute of
            the JreMemoryLeakPreventionListener to the documentation web
            application. Based on a patch by Cris Berneburg. (markt)

        fix 60192: Correct a typo in the status output of the Manager
            application. Patch provided by Radhakrishna Pemmasani. (markt)

    Other
        fix    58283: Change the default download location for libraries
               during the build process from /usr/share/java to
               ${user.home}/temp. Patch provided by Ahmed Hosni. (markt)

        fix    59031: When using the Windows uninstaller, do not remove the
               contents of any directories that have been symlinked into
               the Tomcat directory structure. (markt)

        update Modify the default tomcat-users.xml file to make it harder
               for users to configure the entries intended for use with the
               examples web application for the Manager application.
               (markt)

        update 59280: Update the NSIS Installer used to build the Windows
               Installers to version 2.51. (kkolinko)

        fix    58626: Add support for a new environment variable
               (USE_NOHUP) that causes nohup to be used when starting
               Tomcat. It is disabled by default except on HP-UX where it
               is enabled by default since it is required when starting
               Tomcat at boot on HP-UX. (markt)

        add    Use the mirror network rather than the ASF master site to
               download the current ASF dependencies. (markt)

        update Update the packaged version of the Tomcat Native Library to
               1.2.10 to pick up the latest Windows binaries built with
               OpenSSL 1.0.2j. (markt)

Files:
Revision  Action  file
1.22      modify  pkgsrc/www/apache-tomcat6/Makefile
1.18      modify  pkgsrc/www/apache-tomcat6/distinfo