2015-05-19 21:33:54 by S.P.Zeidler | Files touched by this commit (3) |  |
Log message:
Update to Tomcat 6.0.44
Upstream changelog:
Catalina
++++++++
fix Correct typo in the message shown by HttpServlet for unexpected
HTTP method. (kkolinko)
add Allow to configure RemoteAddrValve and RemoteHostValve to adopt
behavior depending on the connector port. Implemented by
optionally adding the connector port to the string compared with
the patterns allow and deny. Configured using addConnectorPort
attribute on valve. (rjung)
fix 56608: Fix IllegalStateException for JavaScript files when
switching from Writer to OutputStream. The special handling of
this case in the DefaultServlet was broken due to a MIME type
change for JavaScript. (markt)
fix 57675: Correctly quote strings when using the extended access
log. (markt)
Coyote
++++++
fix 57234: Make SSL protocol filtering to remove insecure protocols
case insensitive. Correct spelling of filterInsecureProtocols
method. (kkolinko/schultz)
fix When applying the maxSwallowSize limit to a connection read
that many bytes first before closing the connection to give
the client a chance to read the response. (markt)
fix 57544: Fix a potential infinite loop when preparing a kept
alive HTTP connection for the next request. (markt)
add 57570: Make the processing of chunked encoding trailing headers
optional and disabled by default. (markt)
fix 57581: Change statistics byte counter in coyote Request object
to be long to allow values above 2Gb. (kkolinko)
update Update the minimum recommended version of the Tomcat Native
library (if used) to 1.1.33. (markt)
Jasper
++++++
fix Fix potential issue with BeanELResolver when running under a
security manager. Some classes may not be accessible but may
have accessible interfaces. (markt)
fix Simplify code in ProtectedFunctionMapper class of Jasper
runtime. (kkolinko)
fix 57801: Improve the error message in the start script in case
the PID read from the PID file is already owned by a process.
(rjung)
Web applications
++++++++++++++++
fix Update documentation for CGI servlet. Recommend to copy the
servlet declaration into web application instead of enabling
it globally. Correct documentation for cgiPathPrefix. (kkolinko)
update Improve Tomcat Manager documentation. Rearrange, add section
on HTML GUI, document /expire command and Server Status page.
(kkolinko)
add 54143: Add display of the memory pools usage (including PermGen)
to the Status page of the Manager web application. (kkolinko)
fix Fix several issues with status.xsd schema in Manager web
application, testing it against actual output of
StatusTransformer class. (kkolinko)
update Align algorithm that generates anchor names in Tomcat
documentation with Tomcat 7/8/9. No visible changes, but may
help with future updates to the documentation. (kkolinko)
fix 56058: Add links to the AccessLogValve documentation for
configuring reverse proxies and/or Tomcat to ensure that the
desired information is entered in the access log when
Tomcat is running behind a reverse proxy. (markt)
fix 57503: Make clear that the JULI integration for log4j only
works with log4j 1.2.x. (markt)
update 57644: Update examples to use Apache Standard Taglib 1.2.5.
(jboynes/kkolinko)
fix 57706: Clarify the documentation for the AJP connector to make
clearer that when using tomcatAuthentication="false" the user
provided by the reverse proxy will not be associated with any
roles. (markt)
fix Correct the documentation for deployOnStartup to make clear
that if a WAR file is updated while Tomcat is stopped and
unpackWARs is true, Tomcat will not detect the changed WAR
file when it starts and will not replace the unpacked WAR file
with the contents of the updated WAR. (markt)
add 57759: Add information to the keyAlias documentation to make
it clear that the order keys are read from the keystore is
implementation dependent. (markt)
fix 57864: Update the documentation web application to make it
clearer that hex values are not valid for cluster send options.
Based on a patch by Kyohei Nakamura. (markt)
Other
+++++
add 57344: Provide sha1 checksum files for Tomcat downloads.
(kkolinko)
fix 57558: Change catalina-tasks.xml to use all jars in
${catalina.home}/lib to define Tomcat Ant tasks. This fixes
a NoClassDefFoundError with validate task. (kkolinko)
update Update to Tomcat Native Library version 1.1.33 to pick up the
Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1.
(markt)
|
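The addConnectorPort matching described in the 6.0.44 Catalina item above, as an added example that is not Tomcat's RequestFilterValve code. With addConnectorPort set, the value tested against the allow and deny patterns is the remote address, a ';' and the connector port; the deny-then-allow precedence and the denyStatus attribute (6.0.36 entry further down this page) follow the documented valve behaviour. The class name, one regex per attribute and the sample addresses are assumptions.

```python
"""Remote-address filtering keyed on the connector port.

Added example, not Tomcat's RequestFilterValve. Class name, one regex per
attribute and the sample addresses are assumptions; the precedence rules
follow the valve's documented behaviour.
"""
import re


class RemoteAddrFilter:
    def __init__(self, allow=None, deny=None, add_connector_port=False,
                 deny_status=403):
        # Java's Pattern.matches() is a full match, hence fullmatch() below.
        self.allow = re.compile(allow) if allow else None
        self.deny = re.compile(deny) if deny else None
        self.add_connector_port = add_connector_port
        self.deny_status = deny_status

    def compared_value(self, remote_addr, connector_port):
        """The string the patterns see: '1.2.3.4;8443' or just '1.2.3.4'."""
        if self.add_connector_port:
            return "%s;%d" % (remote_addr, connector_port)
        return remote_addr

    def decide(self, remote_addr, connector_port):
        """None lets the request through; otherwise the HTTP status to send."""
        value = self.compared_value(remote_addr, connector_port)
        if self.deny is not None and self.deny.fullmatch(value):
            return self.deny_status
        if self.allow is not None and self.allow.fullmatch(value):
            return None
        if self.deny is not None and self.allow is None:
            return None          # deny list only: anything not denied passes
        return self.deny_status  # allow list (or nothing) configured: default deny


# Manager app reachable only from loopback over the 8443 connector; a
# 404 (denyStatus) hides its existence from every other source.
MANAGER = RemoteAddrFilter(allow=r"127\.0\.0\.1;8443", add_connector_port=True,
                           deny_status=404)
# Plain block list on the address alone (documentation-range addresses).
BLOCKLIST = RemoteAddrFilter(deny=r"203\.0\.113\.\d+")
# Pitfall: the same pattern without addConnectorPort never matches, so the
# valve denies everyone, loopback included.
NO_PORT = RemoteAddrFilter(allow=r"127\.0\.0\.1;8443")

if __name__ == "__main__":
    for f, addr, port in [(MANAGER, "127.0.0.1", 8443), (MANAGER, "127.0.0.1", 8080),
                          (BLOCKLIST, "203.0.113.9", 8080), (NO_PORT, "127.0.0.1", 8443)]:
        print(f.compared_value(addr, port), "->", f.decide(addr, port) or "allowed")
```

The NO_PORT case is the configuration mistake to watch for when backporting a port-qualified pattern to a valve that does not have addConnectorPort enabled: the pattern can never match, and an allow-only valve then rejects every client.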
2015-01-03 17:43:44 by Ryo ONODERA | Files touched by this commit (2) |  |
Log message:
Update to 6.0.43
Changelog:
# Tomcat 6.0.43 (markt)
## Catalina
* fix Assert that mapping result object is empty before performing mapping work in Mapper. (kkolinko)
## Coyote
* fix 53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. Based upon a patch by Marcel Šebek. (schultz/jfclere)
* fix 56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt/kkolinko)
* fix 57102: Fix bug that meant sslEnabledProtocols setting was not recognised for the HTTPS NIO connector. (markt)
* add Disable SSLv3 by default for the APR/native HTTPS connector. (markt/schultz)
* fix Do not increase remaining counter at end of stream in IdentityInputFilter. (kkolinko)
* fix Disable SSLv3 by default (along with SSLv2 which was already disabled by default) in light of the recently announced POODLE vulnerability (CVE-2014-3566). (markt)
* fix 57116: Do not fallback to default protocol list for HTTPS BIO connector if sslEnabledProtocols has no matches. (markt)
* update Align calculation of default ciphers and default protocols for JSSE HTTPS connectors with Tomcat 7 which allows for per connector defaults based on the choice of sslProtocol. (markt/kkolinko)
## Web applications
* fix Configure the Javadoc tool to read sources as ISO-8859-1, suppress timestamp comments and enable charset header. (kkolinko)
* fix Correct typos in configuration samples on SSL Configuration page of Tomcat documentation. (kkolinko)
## Other
* update 56079: The Apache Tomcat Windows service and the Apache Tomcat Windows service monitor application are now digitally signed. (markt/kkolinko)
* update 56988: Allow to use relative path in base.path setting when building Tomcat. (kkolinko)
* fix Update documentation: the minimum version of Apache Ant required to build Tomcat is 1.8.0. (kkolinko)
* update 56596: Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. (markt)
* fix Fix timestamps in Tomcat build to use 24-hour instead of 12-hour format and use UTC timezone. (kkolinko)
# Tomcat 6.0.42 (jfclere) not released
## Catalina
* fix 56600: In WebdavServlet: Do not waste time generating response for broken PROPFIND request. (kkolinko)
* fix 56648: Reduce scope of synchronization when adding children to a container (e.g. adding a Context to a Host) to prevent blocking requests to other children while the new child starts. (markt)
* fix 56684: Ensure that Tomcat does not shut down if the socket waiting for the shutdown command experiences a SocketTimeoutException. (markt)
## Coyote
* fix Various improvements to ChunkedInputFilter including clean-up, i18n for error messages and adding an error flag to allow subsequent attempts at reading after an error to fail fast. (markt)
* fix 56661: Support using AJP request attribute AJP_LOCAL_ADDR to fix getLocalAddr(). (rjung)
## Jasper
* fix 43001: Enable the JspC Ant task to set the JspC option mappedFile. (kkolinko)
* fix 56334: Fix a regression in EL parsing when quoted string follows a whitespace. (markt)
* fix 56560: Fix NoClassDefFoundError when using Jasper Ant task defined by catalina-tasks.xml file. Patch provided by M Gemmell. (kkolinko)
* fix 56561: Avoid NoSuchElementException while handling attributes with empty string value. (violetagg)
* fix 56612: Correctly parse consecutive escaped single quotes when used in an EL expression. (markt)
* code Use if { ... } else if { ... } rather than multiple if { ... } for alternative branches in the JSP parser. (kkolinko)
* fix Fix a potential resource leak in JDTCompiler when checking whether a resource is a package. Reported by Coverity Scan. (fschumacher)
## Other
* fix 56606: When creating tomcat-users.xml in the Windows Installer, use the new attribute name for the name of the user. (markt)
* add 56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)
|
2014-06-28 19:05:46 by S.P.Zeidler | Files touched by this commit (2) |  |
Log message:
security'ish update. Changelog:
Tomcat 6.0.41
=============
Jasper
------
fix 56529: Avoid NoSuchElementException while handling attributes
with empty string value in custom tags. Based on a patch
provided by Hariprasad Manchi. (violetagg/kkolinko)
Tomcat 6.0.40 not released
============================
Catalina
--------
fix 56027: Add more options for managing FIPS mode in the
AprLifecycleListener. (schultz/kkolinko)
fix 56082: Fix a concurrency bug in JULI's LogManager
implementation. (markt)
fix 56236: Enable Tomcat to work with alternative Servlet and
JSP API JARs that package the XML schemas in such as way as
to require a dependency on the JSP API before enabling
validation for web.xml. Tomcat has no such dependency. (markt)
fix Change the default value of the xmlBlockExternal attribute
of Context elements. It is now true. (kkolinko)
fix Don't log to standard out in SSLValve. (kkolinko/markt)
code Use StringBuilder in DefaultServlet. (kkolinko)
fix 56275: Allow web applications to be stopped cleanly even
if filters throw exceptions when their destroy() method is
called. (markt/kkolinko)
fix Redefine the globalXsltFile initialisation parameter of the
DefaultServlet as relative to CATALINA_BASE/conf or
CATALINA_HOME/conf. Prevent user supplied XSLTs used by the
DefaultServlet from defining external entities. (markt)
fix Add a work around for validating XML documents (often TLDs)
that use just the file name to refer to the JavaEE
schema on which they are based. (kkolinko)
fix 56369: Ensure that removing an MBean notification listener
reverts all the operations performed when adding an MBean
notification listener. (markt)
fix Only create XML parsing objects if required and fix associated
potential memory leak in the default Servlet. (markt)
fix Ensure that a TLD parser obtained from the cache has the
correct value of blockExternal. (markt/kkolinko)
add Extend XML factory, parser etc. memory leak protection to
cover some additional locations where, theoretically, a
memory leak could occur. (markt)
add Add the org.apache.naming package to the packages requiring
code to have the defineClassInPackage permission when running
under a security manager. (markt)
add Add the org.apache.naming.resources package to the packages
requiring code to have the accessClassInPackage permission
when running under a security manager. (markt)
fix Make the naming context tokens for containers more robust.
Require RuntimePermission when introducing a new token.
(markt/kkolinko)
Coyote
------
fix Improve processing of chunk size from chunked headers.
Avoid overflow and use a bit shift instead of a multiplication
as it is marginally faster. (markt/kkolinko)
fix Fix possible overflow when parsing long values from a byte
array. (markt)
update 56363: Update to version 1.1.30 of Tomcat Native library.
The minimum required version of this library for APR connector
is now 1.1.30. (kkolinko)
Jasper
------
fix Change the default behaviour of JspC to block XML external
entities by default. (kkolinko)
fix Restore the validateXml option to Jasper that was previously
renamed validateTld. Both options are now supported.
validateXml controls the validation of web.xml files when
Jasper parses them and validateTld controls the validation
of *.tld files when Jasper parses them. (markt)
fix 54475: Add Java 8 support to SMAP generation for JSPs.
Patch by Robbie Gibson. (markt)
fix 56010: Don't throw an IllegalArgumentException when
JspFactory.getPageContext is used with JspWriter.DEFAULT_BUFFER.
Based on a patch by Eugene Chung. (markt)
fix 56265: Do not escape values of dynamic tag attributes
containing EL expressions. (kkolinko)
fix 56283: Add support for running Tomcat 6 with ecj-P20140317-1600.jar
(as drop-in replacement for ecj-4.3.1.jar). Add support for
value "1.8" for the compilerSourceVM and compilerTargetVM
options. Note that ecj-P20140317-1600.jar can only be used
when running with Java 6 or later. The "1.8" options make
sense only when running with Java 8 (or later). (kkolinko)
fix 56334: Fix a regression in the handling of back-slash escaping
introduced by the fix for 55735. (markt/kkolinko)
fix Correct the handling of back-slash escaping in the EL parser
and no longer require that \$ or \# must be followed by { in
order for the back-slash escaping to take effect. (markt)
Cluster
-------
code Refactor AbstractReplicatedMap and related classes to enable
Tomcat 6 to be compiled using Java 8. (markt)
Web applications
----------------
add 56093: Documentation for SSLValve. (markt/kkolinko)
fix Correct documentation on Windows service options, aligning
it with Apache Commons Daemon documentation. (kkolinko)
add Add support for version-major, version-major-minor tags in
documentation XSLT, to simplify documentation backports. (kkolinko)
fix Fix target and rel attributes on links in documentation.
They were lost during XSLT transformation. (kkolinko)
Other
-----
code Remove svn keywords (such as $Id) from source files and
documentation. (kkolinko)
update Improvements to the Windows installer, to align it with
installing the service with service.bat. Use explicit memory
sizes (--JvmMs 128 Mb and --JvmMx 256 Mb). Specify log
directory path when installing, so that the log file is
written to the Tomcat logs directory, instead of
"%SystemRoot%\System32\LogFiles\Apache". (kkolinko)
update 49993, 56143: Improve service.bat script. Allow it to be
launched from non-UAC console. The UAC prompt will be shown
only once. Now there is no need to run the command shell
with elevated privileges. Improve check for JAVA_HOME and
add support for JRE_HOME. Warn if neither "client" nor
"server" JVM is found. Align classpath, display name and
other options with the exe installer. Make command names
case-insensitive. Update documentation. (kkolinko)
|
2014-03-11 15:34:41 by Jonathan Perkin | Files touched by this commit (99) |
Log message:
Import initial SMF support for individual packages.
|
2014-03-11 15:05:19 by Jonathan Perkin | Files touched by this commit (350) |
Log message:
Remove example rc.d scripts from PLISTs.
These are now handled dynamically if INIT_SYSTEM is set to "rc.d", or
ignored otherwise.
|
2014-02-06 13:01:43 by S.P.Zeidler | Files touched by this commit (3) |  |
Log message:
Update apache-tomcat6 to 6.0.39, including avoidance for CVE-2013-1571.
Upstream changelog:
Tomcat 6.0.39 (markt)
Catalina
fix 55166: Fix regression that broke XML validation when
running on some Java 5 JVMs. (kkolinko)
Coyote
fix Make the HTTP NIO connector tolerant of whitespace
in the individual values used for the ciphers attribute.
(markt)
fix Remove dependency introduced on the jsp-api.jar as
part of the XML validation changes introduced in 6.0.38.
(markt)
Jasper
fix Correct several errors in jspxml Schema and DTD. (kkolinko)
Cluster
code Remove an empty TestTwoPhaseCommit test from Tribes. (kkolinko)
Web applications
fix Fix broken link in Jasper How-To documentation. (markt)
fix Align index.html and index.jsp in ROOT web application.
Correct links to specifications and to the Tomcat mailing
lists. (kkolinko)
fix Remove second copy of RUNNING.txt from the full-docs
distribution. Some unpacking utilities can't handle
multiple copies of a file with the same name in a directory.
(kkolinko)
Other
update Update sample Eclipse IDE project: use JUnit 4 library
and prefer a Java 5 JDK when several JDKs are configured.
Cleanup the Ant build files. (kkolinko)
fix Correct Maven dependencies for individual JAR files. (markt)
Tomcat 6.0.38 (markt) not released
Catalina
fix Ensure that when Tomcat's anti-resource locking features
are used that the temporary copy of the web application
and not the original is removed when the web application
stops. (markt/kkolinko)
fix 55019: Fix a potential exception when accessing JSPs
while running under a SecurityManager. (jfclere)
fix 55052: Make JULI's LogManager to additionally look for
logging properties without prefixes if the property
cannot be found with a prefix. (kkolinko)
fix 55266: Ensure that the session ID is parsed from the
request before any redirect as the session ID may need
to be encoded as part of the redirect URL. (markt)
fix 55404: Log warnings about using security roles in web.xml
as warnings. (markt)
fix 55268: Added optional --service-start-wait-time
command-line option to change service start wait time
from default of 10 seconds. (schultz)
fix Correctly associate the default resource bundle with
the English locale so that requests that specify an
Accept-Language of English ahead of French, Spanish or
Japanese get the English messages they asked for. (markt)
fix Add missing JavaEE 5 XML schema definitions. (markt)
fix When Catalina parses TLD files, always use a namespace
aware parser to be consistent with how Jasper parses
TLD files. The tldNamespaceAware attribute of the Context
is now ignored. (markt)
fix As per section SRV.14.4.3 of the Servlet 2.5 specification,
a namespace aware, validating parser will be used when
processing *.tld and web.xml files if the system property
org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set
to true. (markt)
fix Ensure that sessions IDs are not parsed from URLs for
Contexts where disableURLRewriting is true. (markt)
add Add an option to the Context to control the blocking of
XML external entities when parsing XML configuration
files and enable this blocking by default when a security
manager is used. The block is implemented via a custom
resolver to enable the logging of any blocked entities.
(markt)
fix 56016: When loading resources for XML schema validation,
take account of the possibility that servlet-api.jar and
jsp-api.jar may not be loaded by the same class loader.
Patch by Juan Carlos Estibariz. (markt)
Coyote
fix 52811: Fix parsing of Content-Type header in
HttpServletResponse.setContentType(). Introduces a new
HTTP header parser that follows RFC2616. (markt)
fix 54691: Add configuration attribute "sslEnabledProtocols"
to HTTP connector and document it. (Internally this
attribute has been already implemented but not documented,
under names "protocols" and "sslProtocols". Those names
of this attribute are now deprecated). (schultz)
fix 54947: Fix the HTTP NIO connector that incorrectly
rejected a request if the CRLF terminating the request
line was split across multiple packets.
Patch by Konstantin Preißer. (markt)
fix 55228: Allow web applications to set a HTTP Date header.
(markt)
fix Better adherence to RFC2616 for content-length headers.
(markt)
fix Add support for limiting the size of chunk extensions
when using chunked encoding. (markt)
fix 55749: Improve the error message when SSLEngine is
disabled in the AprLifecycleListener and SSL is
configured for an APR/native connector. (markt)
fix Avoid possible NPE if a content type is specified without
a character set. (markt)
Jasper
fix 55198: Ensure attribute values in tagx files that include
EL and quoted XML characters are correctly quoted in
the output. (markt)
fix 55671: Consistently use the configuration option name
genStringAsCharArray rather than a mixture of
genStrAsCharArray and genStringAsCharArray but retain
support for genStrAsCharArray as in initialisation
parameter for the JSP servlet to retain backwards
compatibility with existing configurations. (markt)
fix 55691: Fix javax.el.ArrayELResolver to correctly handle
the case where the base object is an array of primitives.
(markt)
fix 55973: Fix processing of XML schemas when validation
is enabled in Jasper. (kkolinko)
Web applications
add Add documentation for
o.a.c.tribes.group.interceptors.TcpFailureDetector. (kfujino)
add Complete the documentation for MessageDispatch15Interceptor.
(kfujino)
add Add to cluster document a description of
notifyLifecycleListenerOnFailure and
heartbeatBackgroundEnabled. (kfujino)
fix 55746: Add documentation on the allRolesMode to the
CombinedRealm and LockOutRealm. Patch by Cédric Couralet.
(markt)
fix Fix the sample configuration of StaticMembershipInterceptor
in order to prevent warning log. uniqueId must be 16 bytes.
(kfujino)
fix 55119: Avoid CVE-2013-1571 when generating Javadoc. (markt)
Other
update Update Maven Central location used to download
dependencies at build time to be repo.maven.apache.org.
(kkolinko)
fix 55663: Minor correction to the wording of the NOTICE files
to align them with the requirements for NOTICE files.
(violetagg)
fix Add @since markers to the common annotations classes and
fix a few specification compliance issues. (markt)
update Update to Eclipse JDT Compiler 4.3.1. (markt)
update Update the Apache Jakarta JSTL implementation used by
the examples web application to 1.1.2. (markt)
|
2013-07-12 12:45:05 by Jonathan Perkin | Files touched by this commit (181) |
Log message:
Bump PKGREVISION of all packages which create users, to pick up change of
sysutils/user_* packages.
|
2013-05-18 17:19:15 by S.P.Zeidler | Files touched by this commit (3) |  |
Log message:
security update:
Important: Session fixation CVE-2013-2067
FORM authentication associates the most recent request requiring
authentication with the current session. By repeatedly sending
a request for an authenticated resource while the victim is
completing the login form, an attacker could inject a request
that would be executed using the victim's credentials.
Note that the option to change session ID on authentication was
added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of
session fixation was an application responsibility.
This vulnerability represents a bug in Tomcat's session fixation
protection that was added in 6.0.21. Hence, only versions 6.0.21
onwards are listed as vulnerable.
This was fixed in revision 1417891.
This issue was identified by the Tomcat security team on
15 Oct 2012 and made public on 10 May 2013.
Affects: 6.0.21-6.0.36
Important: Denial of service CVE-2012-3544
When processing a request submitted using the chunked transfer
encoding, Tomcat ignored but did not limit any extensions that
were included. This allows a client to perform a limited DOS
by streaming an unlimited amount of data to the server.
This was fixed in revision 1476592.
This issue was reported to the Tomcat security team on
10 November 2011 and made public on 10 May 2013.
Affects: 6.0.0-6.0.36
ChangeLog:
++++++++++
Catalina
fix 52055: Ensure that filters are recycled. (markt/kkolinko)
fix 52184: Reduce log level for invalid cookies. (markt)
fix 53481: Added support for SSLHonorCipherOrder to allow the
server to impose its cipher order on the client. Based on
a patch provided by Marcel Šebek. (schultz)
fix 54044: Correct bug in timestamp cache used by logging
(including the access log valve) that meant entries could
be made with an earlier timestamp than the true timestamp. (markt)
fix In FormAuthenticator: If it is configured to change
Session IDs, do the change before displaying the login
form. (kkolinko)
fix 54054: Do not share shell environment variables between
multiple instances of the CGI servlet. (markt)
fix 54087: Correctly handle (ignore) invalid If-Modified-Since
header rather than throwing an exception. (markt/kkolinko)
fix 54220: Ensure the ErrorReportValve only generates an error
report if the error flag on the response has been set. (markt)
fix Fix memory leak of servlet instances when running with
a SecurityManager and either init() or destroy() methods
fail or the servlet is a SingleThreadModel one, and of
filter instances if their destroy() method fails with an
Error. (kkolinko)
fix 54382: Fix NPE when SSI processing is enabled and an empty
SSI directive is present. (markt)
fix 54483: Correct one of the Spanish translations. Based on
a suggestion from adinamita. (kkolinko)
update 54527: Synchronize conf/web.xml mime mapping with Tomcat 7. (markt)
Coyote
fix 54248: Ensure that byte order marks are swallowed when
using a Reader to read a request body with a BOM for those
encodings that require byte order marks. (markt)
fix 54324: Allow APR connector to disable TLS compression
if OpenSSL supports it. (schultz)
fix 54456: Ensure that if a client aborts a request when
sending a chunked request body that this is communicated
correctly to the client reading the request body. (markt)
update Update the native component of the APR/native connector
to 1.1.27 and make that version the recommended minimum
version. (kkolinko)
Jasper
fix 54615: Tomcat 6 doesn't build against ecj 4.x (kkolinko)
Cluster
fix 54045: Make sure getMembers() returns available member
when TcpFailureDetector works in static cluster. (kfujino)
Web applications
update 22278: Add a commented out sample configuration of
RemoteAddrValve to META-INF/context.xml files of the
Manager and Host Manager applications. (kkolinko)
fix 54080: Clarify documentation for initial value of
internalProxies attribute of RemoteIpValve. (schultz/kkolinko)
fix 54198: Clarify that HttpServletResponse.sendError(int)
results in an HTML response by default. (markt)
fix 54207: Correct JNDI factory package name in Javadoc for
org.apache.naming.java.javaURLContextFactory. (markt)
Other
update Add sample Apache Commons Daemon JSVC wrapper script
bin/daemon.sh that can be used with /etc/init.d. (kkolinko)
update In the build configuration: introduce property
"tomcat.output" that is used to specify location of the
build output directory. This simplifies configuration if
someone wants to move the output directory elsewhere
(e.g. out of the source tree). (kkolinko)
fix 54390: Use 'java_home' on Mac OS X to auto-detect
JAVA_HOME. (schultz)
update 54601: Change catalina.sh to consistently use
LOGGING_MANAGER variable to configure logging, instead
of modifying JAVA_OPTS one. (kkolinko)
update 54890: Update to Apache Commons Daemon 1.0.15. (mturk)
|
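The CVE-2013-2067 mechanism from the advisory above, as an added example that is not Tomcat's FormAuthenticator code. The authenticator remembers the most recent request that needed authentication and replays it after login; if the attacker knows the victim's session ID, a request sent while the victim is on the login form replaces that saved request. Rotating the session ID before the login form is shown (the "do the change before displaying the login form" item under Catalina in this entry) detaches the saved request from the ID the attacker knows. The class and function names, the credential store and the paths are assumptions.

```python
"""FORM authentication with a saved request: vulnerable and fixed flows.

Added example, not Tomcat code. Names, the credential store and the
paths are assumptions; only the mechanism follows the advisory.
"""
import secrets

USERS = {"alice": "correct horse"}   # constructed credential store


class FormAuthenticator:
    def __init__(self, change_id_before_login_form):
        self.change_id_before_login_form = change_id_before_login_form
        self.sessions = {}   # session id -> {"saved": path, "user": name}

    def _session(self, sid):
        """Return a valid session id, creating a fresh session if needed."""
        if sid is None or sid not in self.sessions:
            sid = secrets.token_hex(16)
            self.sessions[sid] = {"saved": None, "user": None}
        return sid

    def request(self, sid, path):
        """GET a protected path. Returns (session id to set, response)."""
        sid = self._session(sid)
        s = self.sessions[sid]
        if s["user"]:
            return sid, "200 %s as %s" % (path, s["user"])
        s["saved"] = path                  # most recent request wins
        if self.change_id_before_login_form:
            # Fix: the id the client (or an attacker) already holds no
            # longer addresses the session that carries the saved request.
            new_sid = secrets.token_hex(16)
            self.sessions[new_sid] = self.sessions.pop(sid)
            sid = new_sid
        return sid, "302 /login"

    def login(self, sid, user, password):
        """POST the login form; on success replay the saved request."""
        if sid not in self.sessions or USERS.get(user) != password:
            return sid, "401"
        s = self.sessions.pop(sid)
        s["user"] = user
        new_sid = secrets.token_hex(16)    # rotate on authentication (6.0.21+)
        self.sessions[new_sid] = s
        return new_sid, "302 " + s["saved"]


def scenario(change_id_before_login_form):
    """Attacker knows FIXED_ID; returns the path replayed after the victim logs in."""
    auth = FormAuthenticator(change_id_before_login_form)
    fixed_id = auth._session(None)                     # id the attacker planted
    victim_sid, _ = auth.request(fixed_id, "/account")  # victim is sent to login
    auth.request(fixed_id, "/transfer?to=attacker")     # attacker races the form
    _, response = auth.login(victim_sid, "alice", "correct horse")
    return response


if __name__ == "__main__":
    print("vulnerable:", scenario(False))
    print("fixed:     ", scenario(True))
```

In the vulnerable flow the attacker's request lands in the victim's session and is replayed with the victim's credentials; in the fixed flow the attacker's request creates a session of its own and the victim's saved request survives untouched.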
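The chunk-extension limit behind CVE-2012-3544 above (and the 6.0.38 Coyote item "Add support for limiting the size of chunk extensions" in the 2014-02-06 entry), as an added example that is not Tomcat's ChunkedInputFilter code. Extensions are still ignored, but the request is rejected as soon as their total length passes a budget, so a client cannot stream an unbounded extension; the chunk-size digits are capped as well, the overflow guard the 6.0.40 Coyote notes mention. The limit values, the names and the sample bodies are assumptions.

```python
"""Chunked transfer-encoding reader that caps chunk-extension bytes.

Added example, not Tomcat code. Limit values, names and the constructed
sample bodies are assumptions.
"""
import io

MAX_EXTENSION_SIZE = 8192   # assumed cap, summed over all chunks of one body
MAX_SIZE_DIGITS = 8         # 8 hex digits: size fits in 32 bits, no overflow


class ChunkExtensionTooLarge(ValueError):
    """Chunk extensions of one body exceeded the configured budget."""


class MalformedChunk(ValueError):
    """Chunk framing did not follow RFC 2616 section 3.6.1."""


def _read_chunk_header(stream, ext_budget):
    """Parse 'chunk-size [;ext]* CRLF' one byte at a time.

    Returns (chunk_size, extension_bytes). Raises ChunkExtensionTooLarge
    the moment more than ext_budget extension bytes have been read, so a
    client streaming an endless extension is cut off instead of swallowed.
    """
    size, digits, ext_bytes, in_extension = 0, 0, 0, False
    while True:
        b = stream.read(1)
        if not b:
            raise MalformedChunk("stream ended inside chunk header")
        if b == b"\r":
            if stream.read(1) != b"\n":
                raise MalformedChunk("CR not followed by LF in chunk header")
            if digits == 0:
                raise MalformedChunk("chunk header has no size")
            return size, ext_bytes
        if b == b";":
            in_extension = True
        if in_extension:
            ext_bytes += 1
            if ext_bytes > ext_budget:
                raise ChunkExtensionTooLarge("chunk extensions exceed budget")
            continue
        try:
            nibble = int(b, 16)
        except ValueError:
            raise MalformedChunk("non-hex byte %r in chunk size" % b) from None
        digits += 1
        if digits > MAX_SIZE_DIGITS:
            raise MalformedChunk("chunk size too long")
        size = (size << 4) | nibble


def _read_bounded_line(stream, limit):
    """Read one CRLF-terminated trailer line, rejecting lines over limit bytes."""
    line = bytearray()
    while not line.endswith(b"\r\n"):
        b = stream.read(1)
        if not b:
            raise MalformedChunk("stream ended inside trailer")
        line += b
        if len(line) > limit:
            raise MalformedChunk("trailer line exceeds limit")
    return bytes(line[:-2])


def read_chunked_body(stream, max_extension_size=MAX_EXTENSION_SIZE,
                      max_body=1 << 20, max_trailer_line=8192):
    """Decode a chunked body from a binary stream and return the bytes."""
    body, ext_used = bytearray(), 0
    while True:
        size, ext = _read_chunk_header(stream, max_extension_size - ext_used)
        ext_used += ext
        if size == 0:                       # last-chunk: skip the trailers
            while _read_bounded_line(stream, max_trailer_line) != b"":
                pass
            return bytes(body)
        if len(body) + size > max_body:
            raise MalformedChunk("chunked body exceeds max_body")
        data = stream.read(size)
        if len(data) != size:
            raise MalformedChunk("short chunk data")
        body += data
        if stream.read(2) != b"\r\n":
            raise MalformedChunk("chunk data not followed by CRLF")


def classify(raw):
    """Decode raw bytes; returns ('ok', body) or (rejection kind, detail)."""
    try:
        return "ok", read_chunked_body(io.BytesIO(raw))
    except ChunkExtensionTooLarge:
        return "extension_too_large", None
    except MalformedChunk as exc:
        return "malformed", str(exc)


# Constructed sample bodies, not captured traffic.
NORMAL = b"4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n"
WITH_EXT = b"4;name=value\r\nWiki\r\n0\r\nX-Trailer: x\r\n\r\n"
ATTACK = b"4;" + b"A" * 100_000 + b"\r\nWiki\r\n0\r\n\r\n"
OVERFLOW = b"FFFFFFFFF\r\n"            # nine hex digits

if __name__ == "__main__":
    for name, raw in [("NORMAL", NORMAL), ("WITH_EXT", WITH_EXT),
                      ("ATTACK", ATTACK), ("OVERFLOW", OVERFLOW)]:
        print(name, classify(raw))
```

The point of reading the header byte by byte rather than with readline() is that the server never has to buffer or skip the extension before deciding; the ATTACK body is rejected after 8193 extension bytes no matter how long the client keeps sending.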
2012-12-02 12:31:17 by S.P.Zeidler | Files touched by this commit (3) |  |
Log message:
update to apache-tomcat 6.0.36. Upstream changelog:
Tomcat 6.0.36 (jfclere)
Catalina
++++++++
update 48692: Provide option to parse
application/x-www-form-urlencoded PUT requests. (schultz)
add 50306: New StuckThreadDetectionValve to detect requests
that take a long time to process, which might indicate that
their processing threads are stuck. Based on a patch
provided by TomLu. (kkolinko)
fix 50570: Enable FIPS mode to be set in AprLifecycleListener.
Based upon a patch from Chris Beckey. Note that this mode
requires tomcat-native 1.1.23 or later linked to a
FIPS-capable OpenSSL library, which one has to build by
themselves. (schultz/kkolinko)
fix Improve synchronization and error handling in
AprLifecycleListener. Do not allow to change SSL options
if SSL has already been initialized. (schultz/kkolinko)
fix 52225: Fix ClassCastException when adding an alias for an
existing host via JMX. (kkolinko)
fix 52293: Correctly handle the case when antiResourceLocking
is enabled at the Context level when unpackWARs is disabled
at the Host level. Correctly handle multi-level contexts
when antiResourceLocking is enabled. Patch by Justin Miller.
(kkolinko)
fix Do not throw IllegalArgumentException from parseParameters()
call when chunked POST request is too large, but treat it
like an IO error. The FailedRequestFilter filter can be
used to detect this condition. (kkolinko)
fix 52384: Do not fail with parameter parsing when debug
logging is enabled. (kkolinko)
fix Do not flag extra '&' characters in parameters as
parse errors. (kkolinko)
fix 52488: Correct typos: exipre -> expire. Based on a patch
by prockter. (markt)
fix Reduce log level for the message about hitting
maxParameterCount limit from WARN to INFO. Fix limit
comparison to allow exactly maxParameterCount parameters,
as documentation says, instead of (maxParameterCount-1).
(kkolinko)
fix Slightly improve performance of UDecoder.convert(). Align
%2f handling between implementations. (kkolinko)
add Add denyStatus attribute to RequestFilterValve
(RemoteAddrValve, RemoteHostValve valves). It allows to
use different HTTP response code when rejecting denied
request. E.g. 404 instead of 403. (kkolinko)
add Add SetCharacterEncodingFilter (similar to the one
contained in the examples web application) to the
org.apache.catalina.filters package so that it is
available for all web applications. (kkolinko)
add 52500: Added configurable mechanism to retrieve user
names from X509 client certificates. Based on a patch
provided by Michael Furman. (schultz/kkolinko)
fix 52719: Fix a theoretical resource leak in the JAR
validation that checks for non-permitted classes in
web application JARs. (markt)
fix 52830: Correct JNDI lookups when using javax.naming.Name
to identify the resource rather than a java.lang.String.
(markt)
add 52850: Extend memory leak prevention and detection
code to work with IBM as well as Oracle JVMs. Based on
a patch provided by Rohit Kelapure. (kkolinko)
add 52996: In StandardThreadExecutor: Add the ability to
configure a job queue size (maxQueueSize attribute).
Add a variant of execute method that allows to specify
a timeout for how long we want to try to add something
to the queue. Based on a patch by Rüdiger Plüm. (kkolinko)
fix 53047: If a JDBCRealm or DataSourceRealm is configured
for an all roles mode that only requires authorization
(and no roles) and no role table or column is defined,
don't populate the Principal's roles. (markt/kkolinko)
fix 53050: Fix handling of entropy value when initializing
session id generator in session manager. Based on proposal
by Andras Rozsa. (kkolinko)
fix 53056: Add APR version number to tcnative version INFO
log message. (schultz)
fix 53057: Add OpenSSL version number INFO log message
when initializing. (schultz)
fix 53071: Use the message from the Throwable for the error
report generated by the ErrorReportValve if none was
specified via sendError(). Use the standard text for
HTTP error codes. (markt/rjung)
update 53230: Change session managers to throw
TooManyActiveSessionsException instead of
IllegalStateException when the maximum number of sessions
has been exceeded and a new session will not be created.
(schultz/kkolinko)
fix 53267: Ensure that using the GC Daemon Protection feature
of the JreMemoryLeakPreventionListener does not trigger
a full GC every hour. (markt/kkolinko)
fix 53531: Fix ExpandWar.expand to check the return value
of File.mkdir and File.mkdirs. (schultz)
fix Make the CSRF nonce cache in CsrfPreventionFilter
serializable so that it can be replicated across a cluster
and/or persisted across Tomcat restarts. (markt)
fix 53584: Ignore path parameters when comparing URIs for
FORM authentication. This prevents users being prompted
twice for passwords when logging in when session IDs
are being encoded as path parameters. (markt)
fix Various improvements to the DIGEST authenticator
including 52954, the disabling caching of an authenticated
user in the session by default, tracking server rather
than client nonces and better handling of stale nonce
values. (markt)
fix Remove unneeded handling of FORM authentication in
RealmBase. (kkolinko)
fix 53800: FileDirContext.list() did not provide correct paths
for subdirectories. Patch provided by Kevin Wooten.
(kkolinko)
fix 53830: Better handling of Manager.randomFile default
value on Windows. (kkolinko)
fix Improve session management in CsrfPreventionFilter.
(kkolinko)
Coyote
++++++
fix 42181: Better handling of edge conditions in chunk
header processing. (kkolinko)
update 51477: Support all SSL protocol combinations in the
APR/native connector. This only works when using the
native library version 1.1.21 or later. (rjung)
fix 52055 (comment 14): Correctly reset
ChunkedInputFilter.needCRLFParse flag when the filter
is recycled. (kkolinko)
fix 52606: Ensure replayed POST bodies are available when
using AJP. (markt)
fix 52858: Fix high CPU load with SSL, NIO and sendfile
when client breaks the connection before reading all
the requested data. (fhanik/kkolinko)
fix 53119: Prevent buffer overflow errors being reported
when a client disconnects before the response has been
fully written from an AJP connection using the APR/native
connector. (kkolinko)
fix Improve InternalNioInputBuffer.parseHeaders(). (kkolinko)
add Implement maxHeaderCount attribute on Connector.
It is the equivalent of the LimitRequestFields directive of
Apache HTTPD. Default value is 100. (kkolinko)
fix In the JkCoyoteHandler connector for the AJP/1.3 protocol
(in JkMain.setProperty()): fix setting of properties that
have aliases when the connector has already started.
E.g. it now allows changing the maxHeaderCount attribute
on the Connector MBean via JMX. (kkolinko)
fix 53725: Fix possible corruption of GZIP'd output. (kkolinko)
Jasper
++++++
fix 48097 (comment 7), 53366 (comment 1): If JSP page
unexpectedly fails to initialize PageContext instance,
write exception to the logs instead of silent swallowing.
(kkolinko)
fix 52335: Only handle <\% and not \% as escaped in
template text. (markt)
fix 52666: Correct coercion order in EL when processing the
equality and inequality operators. (markt)
fix 53001: Revert the fix for 46915 since the use case
described in the bug is invalid because it breaks the EL
specification. (markt)
fix 53032: Modify JspC so it extends org.apache.tools.ant.Task
enabling it to work with features such as namespaces
within build.xml files. (markt)
Cluster
+++++++
fix Replicate principal in ClusterSingleSignOn. (kfujino)
fix 53513: Fix race condition between the processing of
session sync message and transfer complete message. (kfujino)
fix 53606: Fix potential NPE in TcpPingInterceptor. Based
on a patch by F. Arnoud. (markt)
fix 53607: To avoid NPE, set TCP PING data to ChannelMessage.
Patch provided by F. Arnoud. (kfujino)
fix Fix a behavior of TcpPingInterceptor#useThread. Do not
start a ping thread when useThread is set to false. (kfujino)
Web applications
++++++++++++++++
fix 52243: Improve Windows service documentation to clarify
how to include # and/or ; in the value of an environment
variable that is passed to the service. (markt)
fix 52515: Make it clear in the Realm how-to in the
documentation web application that digested password
storage when using DIGEST authentication requires that
MD5 digests are used. (markt)
fix 52641: Remove mentioning of ldap.jar from docs. Patch
provided by Felix Schumacher. (rjung)
fix Remove obsolete bug warning from Windows service
documentation page. (rjung)
fix 52983: Remove unnecessary code that makes switching to
other authentication methods difficult. (markt)
fix 53158: Fix documented defaults for DBCP. Patch provided
by ph.dezanneau at gmail.com. (rjung)
update Update JavaSE documentation links to point to the current
docs.oracle.com site, instead of obsolete ones
(download.oracle.com, java.sun.com). (kkolinko)
update 53289: Clarify ResourceLink example that uses
DataSource.getConnection(username, password) method.
Not all data source implementations support it. (kkolinko)
fix Prevent the custom error pages for the Manager and
Host Manager applications from being accessed directly.
Configure custom pages for error codes 401 and 403
in Host Manager application. (markt/kkolinko)
fix Correct documentation for enableLookups attribute of
a Connector. By default DNS lookups are disabled. (kkolinko)
fix Fix several HTML markup errors in servlets of examples
web application. (kkolinko)
update Change the index page of ROOT webapp to mention
"manager-gui" role instead of "manager" one.
(kkolinko)
fix 53473: Correct the allowed values for the SSI option
isVirtualWebappRelative which are true or false. (markt)
fix 53664: Minor JNDI Howto document enhancement concerning
mail properties. Patch provided by Mark Eggers. (schultz)
fix 53601: Clarify that to build Apache Tomcat 6 from sources
a Java 5 JDK is recommended. (kkolinko)
fix 53793: Change links on the list of applications in the
Manager to point to /appname/ instead of /appname. (kkolinko)
Other
+++++
fix 49402, 52124: Fix Maven publishing script: make sure it
finds tomcat-juli.jar and use later version of wagon-ssh.
(jfclere)
fix Update Apache Commons Daemon to 1.0.10. It resolves
52548 which meant that services created with service.bat
did not set the catalina.home and catalina.base system
properties. (markt, kkolinko)
update Update Apache Commons Pool to 1.5.7. (kkolinko)
update 52579: Add a note about Sun's Charset.decode() bug to
the RELEASE-NOTES file. (kkolinko)
update 52805: Update to Eclipse JDT Compiler 3.7.2. (kkolinko)
update Update the native component of the APR/native connectors
to 1.1.23 and take advantage of the simplified distribution.
(kkolinko)
fix When building a Windows installer do not copy the whole
"res" folder to output/dist, but only the files that
we need. Apply the fixcrlf filter only after the files are
copied, so that the INSTALLLICENSE file has correct line
endings. (kkolinko)
update Remove res/License.rtf. The file that is actually shown
by the Windows installer is res/INSTALLLICENSE. (kkolinko)
update Improve RUNNING.txt. (kkolinko)
update Align the script that deploys Maven jars for Tomcat
(res/maven/mvn-pub.xml) with the Tomcat 7 version, making
full use of Nexus. (markt)
add 53034: Add project.url and project.licenses sections to
the POMs for the Maven artifacts. (kkolinko)
fix 53454: Return correct content-length header for HEAD
requests when content length is greater than 2GB. (markt)
2011-12-13 10:44:17 by S.P.Zeidler | Files touched by this commit (3) |  |
Log message:
Upstream changelog:
Tomcat 6.0.35 (jfclere)
+++++++++++++++++++++++
Catalina
--------
fix Fix regression in decoding of parameters that contain spaces.
Patch by Willem Fibbe. (kkolinko)
Tomcat 6.0.34 (jfclere) not released
++++++++++++++++++++++++++++++++++++
Catalina
--------
fix 51550: Display an error page rather than an empty response
for an IllegalStateException caused by too many active sessions.
(markt)
add 51640: Improve the memory leak prevention for leaks triggered
by java.sql.DriverManager. (markt/kkolinko)
fix 51688: JreMemoryLeakPreventionListener now protects against
AWT thread creation. (schultz)
fix 51758: The digester (used for processing XML files) used
the logger name org.apache.commons.digester.Digester rather
than the expected org.apache.tomcat.util.digester.Digester.
The digester has been changed to use the expected logger name.
(kkolinko)
add 51862: Added a classesToInitialize attribute to
JreMemoryLeakPreventionListener to allow pre-loading of
configurable classes to avoid some classloader leaks. (slaurent)
fix 51872: Ensure that the access log always uses the correct
value for the remote IP address associated with the request
and that requests with multiple errors do not result in
multiple entries in the access log. (markt)
add Allow session implementations to override the check for
distributability of session attributes. (rjung)
add Provide the log format "OneLineFormatter" for JULI that
provides the same information as the default plus thread
name but on a single line. (markt/rjung)
fix Ensure that the memory leak protection for the HttpClient
keep-alive always operates even if the thread has already
stopped. (markt)
fix 51940: Do not limit saving of request bodies during FORM
authentication to POST requests since any HTTP method may
include a request body. Based on a patch by Nicholas Sushkin.
(kkolinko)
fix 52091: Address performance issues related to lock contention
in StandardWrapper. Based on patch provided by Taiki Sugawara.
(kkolinko)
update In GenericPrincipal, SerializablePrincipal: Do not sort lists
of roles that have only one element. (kkolinko)
add Make a configuration issue for CsrfPreventionFilter result in
the failure of the filter rather than just a warning message.
(kkolinko)
fix Ensure changes to the configuration of RemoteAddrValve and
RemoteHostValve via JMX are thread-safe. (kkolinko)
add Make a configuration issue for RemoteAddrValve and
RemoteHostValve result in the failure of the valve rather
than just a warning message. (kkolinko)
update In RequestFilterValve (RemoteAddrValve, RemoteHostValve):
refactor value matching logic into separate method and expose
this new method isAllowed through JMX. (kkolinko)
add Improve performance of parameter processing for GET and POST
requests. Also add an option to limit the maximum number of
parameters processed per request. This defaults to 10000.
Excessive parameters are ignored. Note that FailedRequestFilter
can be used to reject the request if some parameters were
ignored. (markt/kkolinko)
add New filter FailedRequestFilter that will reject a request
if there were errors during HTTP parameter parsing. (kkolinko)
Coyote
------
fix 50394: Return -1 from read operation instead of throwing an
exception when encountering an EOF with the HTTP APR connector.
(kkolinko)
fix 51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt)
fix Detect incomplete AJP messages and reject the associated
request if one is found. (markt)
fix 51794: Fix race condition in NioEndpoint selector.
Patch provided by dlord. (fhanik)
fix 51905: Fix infinite loop in AprEndpoint shutdown if acceptor
unlock fails. Reduce timeout before forcefully closing the
socket from 30s to 10s. (kkolinko)
fix 52121: Fix possible output corruption when compression is
enabled for a connector and the response is flushed.
Test case provided by David Marcks. (kkolinko)
fix Replace unneeded call that iterated events queue in
NioEndpoint.Poller. (kkolinko)
fix Improve MimeHeaders.toString(). (kkolinko)
fix Allow the BIO HTTP connector to be used with SSL when
running under Java 7. (markt)
fix Improve multi-byte character handling in all connectors. (rjung)
Jasper
------
fix 51220: Correct copy/paste error in original commit for this
issue. (markt)
fix 52091: Address performance issues related to log creation
in TagHandlerPool. Patch provided by Taiki Sugawara. (markt)
Cluster
-------
add 51736: Make rpcTimeout configurable in BackupManager. (kfujino)
add New cluster manager attribute sessionAttributeFilter allows
filtering which session attributes are replicated, using a
regular expression applied to the attribute name. (rjung)
fix Avoid an unnecessary session ID change notice.
Notification of a changed session ID by JvmRouteBinderValve is
unnecessary for BackupManager. In BackupManager, a change of
session ID is replicated by the call to the setId() method.
(kfujino)
fix Fix unneeded duplicate resetDeltaRequest() call in
DeltaSession.setId(String). (kkolinko)
add When the Context manager does not exist, a "no context manager"
message is sent in reply in order to avoid the timeout (default
60 sec) of the GET_ALL_SESSIONS sync phase. (kfujino)
Webapps
-------
fix Correct the documentation for the connectionLinger attribute
of the HTTP connector. (markt)
add Show build date and version in the header on every
documentation page. (kkolinko)
fix 52049: Improve setup instructions for running as a Windows
service: correct information on how a JRE is identified and
selected. (markt)
update 52172: Clarify Tomcat build instructions. Patch provided by
bmargulies. (kkolinko)
Other
-----
update Update the native component of the APR/native connectors
to 1.1.22. (markt)
update Update the recommended version of the native component
of the APR/native connectors to 1.1.22. (kkolinko)
update Update the Eclipse compiler (used for JSPs) to 3.7. (markt)
fix Correct two typos in the Windows installer. (kkolinko)
fix 52059: In Windows uninstaller: Do not forget to remove
Tomcat keys from the 32-bit registry on uninstallation. (kkolinko)
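As an added example (not part of the upstream changelog or of the pkgsrc commit), the configuration that the 6.0.35 parameter-limit and FailedRequestFilter entries and the 6.0.36 maxHeaderCount entry describe. The attribute name maxParameterCount and the filter class org.apache.catalina.filters.FailedRequestFilter come from the Tomcat 6 documentation rather than from this page; the numeric values are illustrative.

```xml
<!-- conf/server.xml: HTTP connector with explicit request-size limits.
     maxParameterCount (6.0.35) caps the number of GET+POST parameter
     pairs parsed per request; the default is 10000 and pairs beyond
     the limit are silently ignored. maxHeaderCount (6.0.36) caps the
     number of request headers, like Apache HTTPD's LimitRequestFields;
     its default is 100. Both values below are illustrative choices. -->
<Connector port="8080" protocol="HTTP/1.1"
           connectionTimeout="20000"
           maxParameterCount="1000"
           maxHeaderCount="100"
           redirectPort="8443" />

<!-- WEB-INF/web.xml of a web application: without this filter a request
     that overran maxParameterCount is handed to the servlet with only the
     parameters that were parsed (a silent truncation); with it, such a
     request is rejected with an HTTP 400 response instead. -->
<filter>
    <filter-name>FailedRequestFilter</filter-name>
    <filter-class>org.apache.catalina.filters.FailedRequestFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>FailedRequestFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>
```

Mapping the filter to /* makes the rejection apply before any servlet sees a truncated parameter map, which is the behaviour the changelog note refers to.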