Subject: CVS commit: pkgsrc/www/apache-tomcat9
From: Ryo ONODERA
Date: 2024-07-18 13:48:07
Message id: 20240718114807.84B15FC74@cvs.NetBSD.org

Log Message:
www/apache-tomcat9: Update to 9.0.91

Changelog:
Tomcat 9.0.91 (remm)

Catalina

  * Fix: Allow JAASRealm to use the configuration source to load a configured
    configFile, for easier use with testing. (remm)
  * Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)
  * Fix: 69131: Expand the implementation of the filter value of the
    Authenticator attribute allowCorsPreflight, so that it applies to all
    requests that match the configured URL patterns for the CORS filter, rather
    than only applying if the CORS filter is mapped to /*. (markt)

Coyote

  * Fix: Improve the algorithm used to identify the IP address to use to unlock
    the acceptor thread when a Connector is listening on all local addresses.
    Interfaces that are configured for point to point connections or are not
    currently up are now skipped. (markt)
  * Fix: 69121: Ensure that the onComplete() event is triggered if
    AsyncListener.onError() dispatches to a target that throws an exception.
    (markt)
  * Fix: Following the trailer header field refactoring, -1 is no longer an
    allowed value for maxTrailerSize. Adjust documentation accordingly. (remm)

Jasper

  * Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of
    new classes added to the java.lang package in Java 23. (markt)
  * Fix: Ensure that an exception in toString() still results in an ELException
    when an object is coerced to a String using ExpressionFactory.coerceToType
    (). (markt)
  * Add: Add support for specifying Java 24 (with the value 24) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)
  * Fix: 69135: When using include directives in a tag file packaged in a JAR
    file, ensure that context relative includes are processed correctly.
    (markt)
  * Fix: 69135: When using include directives in a tag file packaged in a JAR
    file, ensure that file relative includes are processed correctly. (markt)
  * Fix: 69135: When using include directives in a tag file packaged in a JAR
    file, ensure that file relative includes are are not permitted to access
    files outside of the /META_INF/tags/ directory nor outside of the JAR file.
    (markt)

Web applications

  * Fix: Fix status servlet detailed view of the connectors when using
    automatic port. (remm)

Other

  * Update: Add test-only build target to allow running only the testsuite,
    supporting Java versions down to the minimum supported to run Tomcat.
    (rjung)
  * Update: Update UnboundID to 7.0.1. (markt)
  * Update: Update to SpotBugs 4.8.6. (markt)
  * Update: Remove cglib dependency as it is not required by the version of
    EasyMock used by the unit tests. (markt)
  * Update: Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy
    1.14.17. (markt)
  * Add: Improvements to Czech translations by Vladimi'r Chlup. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)
  * Add: Improvements to Chinese translations by fangzheng. (markt)

2024-06-19 Tomcat 9.0.90 (remm)

Catalina

  * Add: Add support for shallow copies when using WebDAV. (markt)
  * Code: Deprecate the WebdavFixFilter as it is no longer required. (markt)
  * Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64.
    Submitted by Daniel Lyko. (remm)
  * Update: Update minimum recommended version of Tomcat Native to 1.3.0. Pull
    request #728 provided by Dimitrios Soumis. (markt)
  * Update: The system property org.apache.catalina.connector.RECYCLE_FACADES
    will now default to true if not specified, which will in turn set the
    default value for the discardFacades connector attribute, thus causing
    facade objects to be discarded by default. (remm)
  * Add: Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for
    retrieving extended/additional information from an established GSS context.
    (michaelo)
  * Fix: Correct a regression in the fix for 68721 that caused some instances
    of LinkageError to be reported as ClassNotFoundException. (markt)
  * Fix: Ensure that static resources deployed via a JAR file remain accessible
    when the context is configured to use a bloom filter. Based on pull request
    #730 provided by bergander. (markt)
  * Add: Introduce reference counting so the AprLifecycleListener is more
    robust. This particularly targets more complex embedded configurations with
    multiple server instances with independent lifecycles where more than one
    server instance requires the AprLifecycleListener. (markt)

Coyote

  * Fix: 69068: Ensure read timouts are triggered for asynchronous,
    non-blocking reads when using HTTP/2. (markt)
  * Update: 69133: Add task queue size configuration on the Connector element,
    similar to the Executor element, for consistency. (remm)
  * Fix: Make counting of active HTTP/2 streams per connection more robust.
    (markt)
  * Add: Add support for TLS 1.3 client initiated re-keying. (markt)

Jasper

  * Fix: 68546: Small additional optimisation for initial loading of Servlet
    code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt)

Web applications

  * Add: Add the ability to set a sub-title for the Manager web application
    main page. This is intended to allow users with lots of instances to easily
    distinguish them. Based on pull request #724 by Simon Arame. (markt)

Other

  * Update: Revert Derby to 10.16.1.1 as that is the latest version of Derby
    that runs on Java 17. (markt)
  * Update: Update to Commons Daemon 1.4.0. (markt)
  * Update: Update to Objenesis 3.4. (markt)
  * Update: Update to Checkstyle 10.17.0. (markt)
  * Update: Update to SpotBugs 4.8.5. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)

2024-05-07 Tomcat 9.0.89 (remm)

Catalina

  * Update: Deprecate and remove sessionCounter (replaced by the addition of
    the active session count and the expired session count, as a reasonable
    approximation) and duplicates (which does not represent a possible event in
    current implementations) statistics from the session manager. (remm)
  * Fix: 68890 Align output encoding of JSPs in the Manager webapp with the XML
    declarations in those same files. (schultz)
  * Fix: Update Basic authentication to implement the requirements of RFC 7617
    including the changing of the trimCredentials setting which is now defaults
    to false. Note that the trimCredentials setting will be removed in Tomcat
    11. (markt)
  * Add: Small performance optimization when logging cookies with no values.
    (schultz)
  * Fix: Correct error handling for asynchronous requests. If the application
    performs an dispatch during AsyncListener.onError() the dispatch is now
    performed rather than completing the request using the error page
    mechanism. (markt)
  * Fix: Fix WebDAV lock null (locks for non existing resources) thread safety
    and removal. (remm)
  * Fix: Add periodic checking for WebDAV locks expiration. (remm)
  * Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo)

Coyote

  * Fix: Align non-secure and secure writes with NIO and skip the write attempt
    when there are no bytes to be written. (markt)
  * Fix: Allow any positive value for socket.unlockTimeout. If a negative or
    zero value is configured, the default of 250ms will be used. (mark)
  * Fix: Reduce the time spent waiting for the connector to unlock. The
    previous default of 10s was noticeably too long for cases where the unlock
    has failed. The wait time is now 100ms plus twice socket.unlockTimeout.
    (markt)
  * Fix: Ensure that the onAllDataRead() event is triggered when the request
    body uses chunked encoding and is read using non-blocking IO. (markt)
  * Fix: 68934: Add debug logging in the latch object when exceeding
    maxConnections. (remm)
  * Fix: Refactor trailer field handling to use a MimeHeaders instance to store
    trailer fields. (markt)
  * Fix: Ensure that multiple instances of the same trailer field are handled
    correctly. (markt)
  * Fix: Fix non-blocking reads of chunked request bodies. (markt)
  * Fix: When an invalid HTTP response header was dropped, an off-by-one error
    meant that the first header in the response was also dropped. Fix based on
    pull request #710 by foremans. (markt)

Jasper

  * Add: Add support for specifying Java 23 (with the value 23) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)

WebSocket

  * Fix: 68884: Reduce the write timeout when writing WebSocket close messages
    for abnormal closes. The timeout defaults to 50 milliseconds and may be
    controlled using the
    org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT property in
    the user properties collection associated with the WebSocket session.
    (markt)

Web applications

  * Fix: Examples: Improve performance of WebSocket chat application when
    multiple clients disconnect at the same time. (markt)
  * Update: Examples: Increase the number of previous messages displayed when
    using the WebSocket chat application. (markt)
  * Fix: Examples: Improve performance of WebSocket snake application when
    multiple clients disconnect at the same time. (markt)

Other

  * Update: Switch to using the Base64 encoder and decoder provided by the JRE
    rather than the version provided by Commons Codec. The internal fork of
    Commons Codec has been deprecated and will be removed in Tomcat 11. (markt)
  * Update: Update NSIS to 3.10. (mark0t)
  * Update: Update UnboundID to 7.0.0. (markt)
  * Update: Update Checkstyle to 10.16.0. (markt)
  * Update: Update JaCoCo to 0.8.12. (markt)
  * Update: Update SpotBugs to 4.8.4. (markt)
  * Update: Update the internal fork of Apache Commons BCEL to 6.9.0. (markt)
  * Update: Update the internal fork of Apache Commons DBCP to 2.12.0. (markt)
  * Add: Improvements to Japanese translations by tak7iji. (markt)

2024-04-16 Tomcat 9.0.88 (remm)

Catalina

  * Update: Add highConcurrencyStatus attribute to the SemaphoreValve to
    optionally allow the valve to return an error status code to the client
    when a permit cannot be acquired from the semaphore. (remm)
  * Add: Add checking of the "age" of the running Tomcat instance since its
    build-date to the SecurityListener, and log a warning if the server is old.
    (schultz)
  * Fix: When using the AsyncContext, throw an IllegalStateException, rather
    than allowing an NullPointerException, if an attempt is made to use the
    AsyncContext after it has been recycled. (markt)
  * Fix: Change the thread-safety mechanism for protecting
    StandardServer.services from a simple synchronized lock to a
    ReentrantReadWriteLock to allow multiple readers to operate simultaneously.
    Based upon a suggestion by Markus Wolfe. (schultz)
  * Fix: Improve Service connectors, Container children and Service executors
    access sync using a ReentrantReadWriteLock. (remm)
  * Fix: Improve handling of integer overflow if an attempt is made to upload a
    file via the Servlet API and the file is larger than Integer.MAX_VALUE.
    (markt)
  * Fix: 68862: Handle possible response commit when processing read errors.
    (remm)

Coyote

  * Fix: Add threadsMaxIdleTime attribute to the endpoint, to allow configuring
    the amount of time before an internal executor will scale back to the
    configured minSpareThreads size. (remm)

Jasper

  * Fix: Handle the case where the JSP engine forwards a request/response to a
    Servlet that uses an OutputStream rather than a Writer. This was triggering
    an IllegalStateException on code paths where there was a subsequent attempt
    to obtain a Writer. (markt)
  * Fix: Correctly handle the case where a tag library is packaged in a JAR
    file and the web application is deployed as a WAR file rather than an
    unpacked directory. (markt)
  * Fix: Prevent the web application's ClassLoader from being pinned by the JSP
    compiler if an application uses a custom XMLInputFactory. Based upon a
    suggestion from Simon Niederberger. (schultz)

Other

  * Update: Update Checkstyle to 10.14.1. (markt)
  * Update: Update the internal fork of Apache Commons BCEL to 6.8.2. (markt)
  * Update: Update the internal fork of Apache Commons Codec to 1.16.1. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (remm)
  * Add: Improvements to Chinese translations by leeyazhou. (remm)

2024-03-14 Tomcat 9.0.87 (remm)

Catalina

  * Fix: Minor performance improvement for building filter chains. Based on
    ideas from pull request #702 by Luke Miao. (remm)
  * Fix: Align error handling for Writer and OutputStream. Ensure use of either
    once the response has been recycled triggers a NullPointerException
    provided that discardFacades is configured with the default value of true.
    (markt)
  * Fix: 68692: The standard thread pool implementations that are configured
    using the Executor element now implement ExecutorService for better support
    NIO2. (remm)
  * Fix: 68495: When restoring a saved POST request after a successful FORM
    authentication, ensure that neither the URI, the query string nor the
    protocol are corrupted when restoring the request body. (markt)
  * Fix: 68721: Workaround a possible cause of duplicate class definitions when
    using ClassFileTransformers and the transformation of a class also triggers
    the loading of the same class. (markt)
  * Fix: The rewrite valve should not do a rewrite if the output is identical
    to the input. (remm)
  * Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow
    skipping over the next valve in the Catalina pipeline. (remm)

Coyote

  * Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all
    of the connection windows and still has content to write, it will now be
    added to the backlog immediately rather than waiting until the write
    attempt for the remaining content. (markt)
  * Fix: Correct a regression in the support for user provided SSLContext
    instances that broke the
    org.apache.catalina.security.TLSCertificateReloadListener. (markt)

Jasper

  * Add: Add support for specifying Java 22 (with the value 22) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)

Cluster

  * Fix: Avoid updating request count stats on async. (remm)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)
  * Fix: 57130: Allow digest.(sh|bat) to accept password from a file or stdin.
    (csutherl/schultz)

2024-02-19 Tomcat 9.0.86 (remm)

Catalina

  * Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by removing
    reference to org.apache.catalina.ssi package that is no longer included in
    the JAR. Based on pull request #684 by Jendrik Johannes. (markt)
  * Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are
    correctly removed from files containing property values when configured to
    do so. Bug identified by Coverity Scan. (markt)
  * Add: Add improvements to the CSRF prevention filter including the ability
    to skip adding nonces for resource name and subtree URL patterns. (schultz)
  * Fix: Review usage of debug logging and downgrade trace or data dumping
    operations from debug level to trace. (remm)
  * Fix: 68089: Further improve the performance of request attribute access for
    ApplicationHttpRequest and ApplicationRequest. (markt)
  * Fix: 68559: Allow asynchronous error handling to write to the response
    after an error during asynchronous processing. (markt)

Coyote

  * Fix: Make asynchronous error handling more robust. Ensure that once a
    connection is marked to be closed, further asynchronous processing cannot
    change that. (markt)
  * Fix: Make asynchronous error handling more robust. Ensure that once the
    call to AsyncListener.onError() has returned to the container, only
    container threads can access the AsyncContext. This protects against
    various race conditions that woudl otherwise occur if application threads
    continued to access the AsyncContext.
  * Fix: Review usage of debug logging and downgrade trace or data dumping
    operations from debug level to trace. In particular, most of the HTTP/2
    debug logging has been changed to trace level. (remm)
  * Fix: Add support for user provided SSLContext instances configured on
    SSLHostConfigCertificate instances. Based on pull request #673 provided by
    Hakan Alt??nda?. (markt)
  * Fix: Improve the Tomcat Native shutdown process to reduce the likelihood of
    a JVM crash during Tomcat shutdown. (markt)
  * Fix: Partial fix for 68558: Cache the result of converting to String for
    request URI, HTTP header names and the request Content-Type value to
    improve performance by reducing repeated byte[] to String conversions.
    (markt)
  * Fix: Improve error reporting to HTTP/2 clients for header processing errors
    by reporting problems at the end of the frame where the error was detected
    rather than at the end of the headers. (markt)
  * Fix: Remove the remaining reference to a stream once the stream has been
    recycled. This makes the stream eligible for garbage collection earlier and
    thereby improves scalability. (markt)

Jasper

  * Fix: 68546: Generate optimal size and types for JSP imports maps, as
    suggested by John Engebretson. (remm)
  * Fix: Review usage of debug logging and downgrade trace or data dumping
    operations from debug level to trace. (remm)

WebSocket

  * Fix: Correct a regression in the fix for 66508 that could cause an
    UpgradeProcessor leak in some circumstances. (markt)
  * Fix: Review usage of debug logging and downgrade trace or data dumping
    operations from debug level to trace. (remm)
  * Fix: Ensure that WebSocket connection closure completes if the connection
    is closed when the server side has used the proprietary suspend/resume
    feature to suspend the connection. (markt)

Web applications

  * Add: Add support for responses in JSON format from the examples application
    RequestHeaderExample. (schultz)

Other

  * Update: Update Checkstyle to 10.13.0. (markt)
  * Update: Update JSign to 6.0. (markt)
  * Update: Add strings for debug level messages. (remm)
  * Update: Update Tomcat Native to 1.3.0. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)

2024-01-09 Tomcat 9.0.85 (remm)

Catalina

  * Update: 68378: Align extension to MIME type mappings in the global web.xml
    with those in httpd by adding application/vnd.geogebra.slides for ggs, text
    /javascript for mjs and audio/ogg for opus. (markt)

Coyote

  * Fix: Refactor the VirtualThreadExecutor so that it can be used by the NIO2
    connector which was using platform threads even when configured to use
    virtual threads. (markt)
  * Fix: Correct a regression in the fix for 67675 that broke TLS key file
    parsing for PKCS#8 format keys that do not specify an explicit
    pseudo-random function and rely on the default. This typically affects keys
    generated by OpenSSL 1.0.2. (markt)
  * Fix: Allow multiple operations with the same name on introspected mbeans,
    fixing a regression caused by the introduction of a second addSslHostConfig
    method. (remm)
  * Fix: Relax the check that the HTTP Host header is consistent with the host
    used in the request line, if any, to make the check case insensitive since
    host names are case insensitive. (markt)
  * Add: 68348: Add support for the partitioned attribute for cookies. (markt)

Web Applications

  * Fix: 68035: Additional fix to the Manager application to enable the
    deployment of a web application located in a Host's appBase where the web
    application is specified by a bare (no path) WAR or directory name as shown
    in the documentation. (markt)

Other

  * Update: Update Checkstyle to 10.12.7. (markt)
  * Update: Update SpotBugs to 4.8.3. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)

2023-12-12 Tomcat 9.0.84 (remm)

Catalina

  * Fix: Background processes should not be run concurrently with lifecycle
    operations of a container. (remm)
  * Fix: Correct unintended escaping of XML in some WebDAV responses. The XML
    list of support locks when provided in response to a PROPFIND request was
    incorrectly XML escaped. (markt)
  * Fix: 68227: Ensure that AsyncListener.onComplete() is called if
    AsyncListener.onError() calls AsyncContext.dispatch(). (markt)
  * Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP
    request processing. Includes a test case based on code provided by
    adwsingh. (markt)

Jasper

  * Code: 68119: Refactor the CompositeELResolver to improve performance during
    type conversion operations. (markt)

Web Applications

  * Fix: Examples. Improve the error handling so snakes associated with a user
    that drops from the network are removed from the game. (markt)

Other

  * Update: Update UnboundID to 6.0.11. (markt)
  * Update: Update Checkstyle to 10.12.5. (markt)
  * Update: Update SpotBugs to 4.8.2. (markt)
  * Update: Update Derby to 10.17.1. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)
  * Add: Improvements to Brazilian Portuguese translations by John William
    Vicente. (markt)
  * Add: Improvements to Russian translations by usmazat and remm. (markt)

2023-11-15 Tomcat 9.0.83 (remm)

Catalina

  * Fix: 67667: TLSCertificateReloadListener prints unreadable rendering of
    X509Certificate#getNotAfter(). (michaelo)
  * Update: The status servlet included in the manager webapp can now output
    statistics as JSON, using the JSON=true URL parameter. (remm)
  * Update: Optionally allow ServiceBindingPropertySource to trim a trailing
    newline from a file containing a property-value. (schultz)
  * Fix: 67793: Ensure the original session timeout is restored after FORM
    authentication if the user refreshes a page during the FORM authentication
    process. Based on a suggestion by Mircea Butmalai. (markt)
  * Update: 67926: PEMFile prints unidentifiable string representation of ASN.1
    OIDs. (michaelo)
  * Fix: 66875: Ensure that setting the request attribute
    jakarta.servlet.error.exception is not sufficient to trigger error handling
    for the current request and response. (markt)
  * Fix: 68054: Avoid some file canonicalization calls introduced by the fix
    for 65433. (remm)
  * Fix: 68089: Improve performance of request attribute access for
    ApplicationHttpRequest and ApplicationRequest. (markt)
  * Fix: Use a 400 status code to report an error due to a bad request (e.g. an
    invalid trailer header) rather than a 500 status code. (markt)
  * Fix: Ensure that an IOException during the reading of the request triggers
    always error handling, regardless of whether the application swallows the
    exception. (markt)

Coyote

  * Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and SSLHostConfig#
    certificateKeystorePasswordFile. (michaelo)
  * Add: When calling SSLHostConfigCertificate.setCertificateKeystore(ks),
    automatically call setCertificateKeystoreType(ks.getType()). (markt)
  * Fix: 67628: Clarify how the ciphers attribute of the SSLHostConfig is used.
    (markt)
  * Fix: 67666: Ensure TLS connectors using PEM files either work with the
    TLSCertificateReloadListener or, in the rare case that they do not, log a
    warning on Connector start. (markt)
  * Fix: 67675: Support a wider range of KDF and ciphers for PEM files than the
    combinations supported by the JVM by default. Specifically, support the
    OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt)
  * Fix: 67927: Reloading TLS configuration can cause the Connector to refuse
    new connections or the JVM to crash. (markt)
  * Fix: 67934: If both Tomcat Native 1.2.x and 2.0.x are available, prefer
    1.2.x since it supports the APR/Native connector whereas 2.0.x does not.
    (markt)
  * Fix: 67938: Correct handling of large TLS client hello messages that were
    causing the TLS handshake to fail. (markt)
  * Fix: 68026: Convert selected MessageByte values to String when first
    accessed to speed up subsequent accesses and reduce garbage collection.
    (markt)

Jasper

  * Fix: 68068: Performance improvement for EL. Based on a suggestion by John
    Engebretson. (markt)

Web applications

  * Fix: 68035: Correct a regression in the fix for 56248 that prevented
    deployment via the Manager of a WAR or directory that was already present
    in the appBase or a context file that was already present in the xmlBase.
    (markt)

Other

  * Add: 67538: Make use of Ant's <javaversion /> task to enfore the mininum
    Java build version. (michaelo)
  * Update: Update Checkstyle to 10.12.4. (markt)
  * Update: Update JaCoCo to 0.8.11. (markt)
  * Update: Update SpotBugs to 4.8.0. (markt)
  * Update: Update BND to 7.0.0. (markt)
  * Update: The minimum Java version required to build Tomcat has been raised
    to Java 17. (markt)

2023-10-13 Tomcat 9.0.82 (remm)

Coyote

  * Fix: 67670: Fix regression with HTTP compression after code refactoring.
    (remm)

jdbc-pool

  * Fix: 67664: Correct a regression in the clean-up of unnecessary use of
    fully qualified class names in 9.0.81 that broke the jdbc-pool. (markt)

2023-10-10 Tomcat 9.0.81 (remm)

Catalina

  * Add: 65770: Provide a lifecycle listener that will automatically reload TLS
    configurations a set time before the certificate is due to expire. This is
    intended to be used with third-party tools that regularly renew TLS
    certificates. (markt)
  * Fix: Fix handling of an error reading a context descriptor on deployment.
    (remm)
  * Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was
    also use, while it should instead take precedence. (remm)
  * Fix: 67472: Send fewer CORS-related headers when CORS is not actually being
    engaged. (schultz)
  * Add: Improve handling of failures within recycle() methods. (markt)

Coyote

  * Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization
    takes precedence over the tomcatAuthentication attribute when processing an
    auth_type attribute received from a proxy server. (markt)
  * Fix: 67235: Fix a NullPointerException when an AsyncListener handles an
    error with a dispatch rather than a complete. (markt)
  * Fix: When an error occurs during asynchronous processing, ensure that the
    error handling process is only triggered once per asynchronous cycle.
    (markt)
  * Fix: Fix logic issue trying to match no argument method in
    IntropectionUtil. (remm)
  * Fix: Improve thread safety around readNotify and writeNotify in the NIO2
    endpoint. (remm)
  * Fix: Avoid rare thread safety issue accessing message digest map. (remm)
  * Fix: Improve statistics collection for upgraded connections under load.
    (remm)
  * Fix: Align validation of HTTP trailer fields with standard fields. (markt)
  * Fix: Improvements to HTTP/2 overhead protection. (markt)

Jasper

  * Fix: 67080: Improve performance of EL expressions in JSPs that use implicit
    objects. Based on suggestions by John Engebretson, Anurag Dubey and
    Christopher Schultz. (markt)

Other

  * Update: Update the internal fork of Apache Commons FileUpload to 7a8c324
    (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x
    branch requiring additional Commons IO dependencies, Tomcat has switched to
    tracking the 1.x branch. (markt)
  * Add: Add the Bundle-License header to the JAR manifest for all Tomcat JARs.
    (markt)
  * Update: Update UnboundID to 6.0.10. (markt)
  * Update: Update Checkstyle to 10.12.3. (markt)
  * Update: Update Tomcat Native to 1.2.39 to pick up Windows binaries built
    with OpenSSL 3.0.11. (markt)
  * Update: Update Commons Pool to 2.12.0. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)
  * Add: Improvements to Russian translations by usmazat. (markt)

2023-08-25 Tomcat 9.0.80 (markt)

Catalina

  * Fix: If an application or library sets both a non-500 error code and the
    javax.servlet.error.exception request attribute, use the provided error
    code during error page processing rather than assuming an error code of
    500. (markt)
  * Fix: Update code comments and Tomcat output to use MiB for 1024 * 1024
    bytes and KiB for 1024 bytes rather than MB and kB. (martk)
  * Fix: Avoid protocol relative redirects in FORM authentication. (markt)

Web applications

  * Fix: Documentation. Update documentation to use MiB for 1024 * 1024 bytes
    and KiB for 1024 bytes rather than MB and kB. (martk)

Other

  * Add: Improvements to Chinese translations. (lihan)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)

2023-08-15 Tomcat 9.0.79 (remm)

Catalina

  * Fix: Fix potential database connection leaks in DataSourceUserDatabase
    identified by Coverity Scan. (markt)
  * Fix: Make parsing of ExtendedAccessLogValve patterns more robust. (markt)
  * Fix: Fix failure trying to persist configuration for an internal credential
    handler. (remm)
  * Fix: 66680: When serializing a session during the session presistence
    process, do not log a warning that null Principals are not serializable.
    Pull request #638 provided by tsryo. (markt)
  * Fix: Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up
    to 17 to signal closed connections. (fschumacher)
  * Fix: 66822: Use the same naming format in log messages for Connector
    instances as the associated ProtocolHandler instance. (markt)
  * Fix: The parts count should also lower the actual maxParameterCount used
    for parsing parameters if parts are parsed first. (remm)

Coyote

  * Fix: Refactor blocking reads and writes for the NIO connector to remove
    code paths that could allow a notification from the Poller to be missed
    resuting in a timeout rather than the expected read or write. (markt)
  * Fix: Refactor waiting for an HTTP/2 stream or connection window update to
    handle spurious wake-ups during the wait. (markt)
  * Fix: Correct a regression introduced in 9.0.78 and use the correct constant
    when constructing the default value for the certificateKeystoreFile
    attribute of an SSLHostConfigCertificate instance. (markt)
  * Code: Refactor HTTP/2 implementation to reduce pinning when using virtual
    threads. (markt)
  * Fix: Pass through ciphers referring to an OpenSSL profile, such as PROFILE=
    SYSTEM instead of producing an error trying to parse it. (remm)
  * Fix: 66841: Ensure that AsyncListener.onError() is called after an error
    during asynchronous processing with HTTP/2. (markt)
  * Fix: 66842: When using asynchronous I/O (the default for NIO and NIO2),
    include DATA frames when calculating the HTTP/2 overhead count to ensure
    that connections are not prematurely terminated. (markt)
  * Fix: Correct a race condition that could cause spurious RST messages to be
    sent after the response had been written to an HTTP/2 stream. (markt)

WebSocket

  * Fix: 66681: Fix a NullPointerException when flushing batched messages with
    compression enabled using permessage-deflate. (markt)

jdbc-pool

  * Fix: Fix the releaseIdleCounter does not increment when testAllIdle
    releases them. Pull request #241 provided by Arun Chaitanya Miriappalli
    (lihan)
  * Fix: Fix the ConnectionState state will be inconsistent with actual state
    on the connection when an exception occurs while writing. Pull request #643
    provided by Wenjun Xiao. (lihan)

Other

  * Fix: Align documentation for maxParameterCount to match hard-coded
    defaults. Contributed by Michal Sobkiewicz. (schultz)
  * Update: Update NSIS to 3.09. (markt)
  * Update: Update Checkstyle to 10.12.2. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations. Contributed by tak7iji and
    Shirayuking. (markt)
  * Fix: 66829: Fix quoting so users can use the _RUNJAVA environment variable
    as intended on Windows when the path to the Java executable contains
    spaces. (markt)
  * Update: Update Tomcat Native to 1.2.38 to pick up Windows binaries built
    with OpenSSL 1.1.1v. (markt)

2023-07-10 Tomcat 9.0.78 (remm)

Other

  * Fix: Correct properties for JSign dependency. (rjung)

not released Tomcat 9.0.77 (remm)

Catalina

  * Add: 59232: Add org.apache.catalina.core.ContextNamingInfoListener, a
    listener which creates context naming information environment entries.
    (michaelo)
  * Add: 66665: Add org.apache.catalina.core.PropertiesRoleMappingListener, a
    listener which populates the context's role mapping from a properties file.
    (michaelo)
  * Fix: Fix an edge case where intra-web application symlinks would be
    followed if the web applications were deliberately crafted to allow it even
    when allowLinking was set to false. (markt)
  * Update: Add utlity config file resource lookup on Context to allow looking
    up resources from the webapp (prefixed with webapp:) and make the resource
    lookup API more visible. (remm)

Coyote

  * Fix: 66627: Restore the documented behaviour of MessageBytes.getType() that
    it returns the type of the original content rather than reflecting the most
    recent conversion. (markt)
  * Fix: 66635: Correct certificate logging on start-up so it differentiates
    between keystore based keys/certificates and PEM file based keys/
    certificates and logs the relevant information for each. (markt)

WebSocket

  * Fix: Improve handling of error conditions for the WebSocket server,
    particularly during Tomcat shutdown. (markt)
  * Fix: Correct a regression in the fix for 66574 that meant the WebSocket
    session could return false for onOpen() before the onClose() event had been
    completed. (markt)

Web applications

  * Add: Documentation. Expand the security guidance to cover the embedded use
    case and add notes on the uses made of the java.io.tmpdir system property.
    (markt)
  * Fix: 66662: Documentation. Fix a typo in the name of the algorithms
    attribute in the configuration section for the Digest authentication valve.
    Pull request #629 provided by gohilmca. (markt)

Other

  * Add: Include the Windows specific binary distributions in the files
    uploaded to Maven Central. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations. Contributed by tak7iji. (markt)
  * Update: Update UnboundID to 6.0.9. (markt)
  * Update: Update Checkstyle to 10.12.1. (markt)
  * Update: Update BND to 6.4.1. (markt)
  * Update: Update JSign to 5.0. (markt)

2023-06-09 Tomcat 9.0.76 (remm)

Catalina

  * Add: Add RateLimitFilter which can be used to mitigate DoS and Brute Force
    attacks. (isapir)
  * Code: Move the management of the utility executor from the init()/destroy()
    methods of components to the start()/stop() methods. (markt)
  * Add: Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual
    thread based executor that may be used with one or more Connectors to
    process requests received by those Connectors using virtual threads. This
    Executor requires a minimum Java version of Java 21. (markt)
  * Fix: 66513: Add a per session Semaphore to the PersistentValve that ensures
    that, within a single Tomcat instance, there is no more than one concurrent
    request per session. Also expand the debug logging to include whether a
    request bypasses the Valve and the reason if a request fails to obtain the
    per session Semaphore. (markt)
  * Fix: 66609: Ensure that the default servlet correctly escapes file names in
    directory listings when using XML output. Based on pull request #621 by
    Alex Kachanov. (markt)
  * Add: 66618: Add a numeric last modified field to the XML directory listings
    produced by the default servlet to enable sorting in the XSLT. Pull request
    #622 by Alex Kachanov. (markt)
  * Fix: 66621: Attempts to lock a collection with WebDAV may incorrectly fail
    if a child collection has an expired lock. (markt)
  * Fix: 66622: Deprecate the xssProtectionEnabled setting from the
    HttpHeaderSecurityFilter and change the default value to false as support
    for the associated HTTP header has been removed from all major browsers.
    (markt)

Coyote

  * Update: Update the HTTP/2 implementation to use the prioritization scheme
    defined in RFC 9218 rather than the one defined in RFC 7540. (markt)
  * Fix: 66602: not sending WINDOW_UPDATE when dataLength is ZERO on call
    SwallowedDataFramePayload. Pull request #619 by ledefe. (lihan)

WebSocket

  * Fix: 66548: Expand the validation of the value of the Sec-Websocket-Key
    header in the HTTP upgrade request that initiates a WebSocket connection.
    The value is not decoded but it is checked for the correct length and that
    only valid characters from the base64 alphabet are used. (markt)

Other

  * Update: Update to Commons Daemon 1.3.4. (markt)
  * Add: Improvements to French translations. (remm)
  * Update: Update Checkstyle to 10.12.0. (markt)
  * Update: Update the packaged version of the Apache Tomcat Native Library to
    1.2.37 to pick up the Windows binaries built with with OpenSSL 1.1.1u.
    (markt)

2023-05-10 Tomcat 9.0.75 (remm)

Catalina

  * Fix: 66567: Fix missing IllegalArgumentException after the Tomcat code was
    converted to using URI instead of URL. (remm)
  * Fix: Escape timestamp output in AccessLogValve if a SimpleDateFormat is
    used which contains verbatim characters that need escaping. (rjung)
  * Update: Change output of vertical tab in AccessLogValve from \v to \u000b.
    (rjung)
  * Update: Improve performance of escaping in AccessLogValve roughly by a
    factor of two. (rjung)
  * Update: Improve JsonAccessLogValve: support more patterns like for headers
    and attributes. Those will be logged as sub objects. (rjung)
  * Fix: #613: Fix possible partial corrupted file copies when using file
    locking protection or the manager servlet. Submitted by Jack Shirazi.
    (remm)

Coyote

  * Add: Add support for a new character set, gb18030-2022 - introduced in Java
    21, to the character set caching mechanism. (markt)
  * Fix: Fix an edge case in HTTP header parsing and ensure that HTTP headers
    without names are treated as invalid. (markt)
  * Update: Deprecate the HTTP Connector settings rejectIllegalHeader and
    allowHostHeaderMismatch as they have been removed in Tomcat 11 onwards.
    (markt)
  * Fix: 66591: Fix a regression introduced in the fix for 66512 that meant
    that an AJP Send Headers was not sent for responses where no HTTP headers
    were set. (markt)

Jasper

  * Fix: 66582: Account for EL having stricter requirements for static imports
    than JSPs when adding JSP static imports to the EL context. (markt)

WebSocket

  * Fix: 66574: Refactor WebSocket session close to remove the lock on the
    SocketWrapper which was a potential cause of deadlocks if the application
    code used simulated blocking. (markt)
  * Fix: 66575: Avoid unchecked use of the backing array of a buffer provided
    by the user in the compression transformation. (remm)
  * Fix: Improve exception handling when flushing batched messages during
    WebSocket session close. (markt)
  * Fix: 66581: Update AsyncChannelGroupUtil to align it with the current
    defaults for AsynchronousChannelGroup. Pull request #612 by Matthew
    Painter. (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Chinese translations. (lihan)
  * Update: Update Checkstyle to 10.10.0. (markt)
  * Update: Update Jacoco to 0.8.10. (markt)

2023-04-18 Tomcat 9.0.74 (remm)

Catalina

  * Fix: 65995: Implement RFC 9239 and use text/javascript as the media type
    for JavaScript rather than application/javascript. (markt)
  * Add: Add an access log valve that uses a json format. Based on pull request
    #539 provided by Thomas Meyer. (remm)
  * Add: Harden the FORM authentication process against DoS attacks by using a
    reduced session timeout if the FORM authentication process creates a
    session. The duration of this timeout is configured by the
    authenticationSessionTimeout attribute of the FORM authenticator. (markt)
  * Fix: 66527: Correct the Javadoc for the Tomcat.addWebapp() methods that
    incorrectly stated that the docBase parameter could be a relative path.
    (markt)
  * Fix: 66524 Correct eviction ordering in WebResource cache to be LRU as
    intended. (schultz)
  * Update: Use server.xml to reduce the default value of maxParameterCount
    from 10,000 to 1,000. If not configured in server.xml, the default remains
    10,000. (markt)
  * Add: Update Digest authentication support to align with RFC 7616. This adds
    a new configuration attribute, algorithms, to the DigestAuthenticator with
    a default of SHA-256,MD5. (markt)
  * Update: Add support code for custom user attributes in RealmBase. Based on
    code from #473 by Carsten Klein. (remm)
  * Fix: Expand the set of HTTP request headers considered sensitive that
    should be skipped when generating a response to a TRACE request. This
    aligns with 11.0.x. (markt)
  * Fix: 66541: Improve handling for cached resources for resources that use
    custom URL schemes. The scheme specific equals() and hashCode() algorithms,
    if present, will now be used for URLs for these resources. This addresses a
    potential performance issue with some OSGi custom URL schemes that can
    trigger potentially slow DNS lookups in some configurations. Based on a
    patch provided by Tom Whitmore. (markt)
  * Fix: When using a custom session manager deployed as part of the web
    application, avoid ClassNotFoundExceptions when validating session IDs
    extracted from requests. (markt)
  * Fix: 66543: Give StandardContext#fireRequestDestroyEvent its own log
    message. (fschumacher)
  * Fix: 66554: Initialize Random during server initialization to avoid
    possible JVM thread creation in the webapp context on some platforms.
    (remm)
  * Update: Make the server utility executor available to webapps using a
    Servlet context attribute named
    org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor. (remm)

Coyote

  * Fix: JSON filter should support specific escaping for common special
    characters as defined in RFC 8259. Based on code submitted by Thomas Meyer.
    (remm)
  * Fix: 66511: Fix GzipOutputFilter (used for compressed HTTP responses) when
    used with direct buffers. Patch suggested by Arjen Poutsma. (markt)
  * Fix: 66512: Align AJP handling of invalid HTTP response headers (they are
    now removed from the response) with HTTP. (markt)
  * Fix: 66530: Correct a regression in the fix for bug 66442 that meant that
    streams without a response body did not decrement the active stream count
    when completing leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some
    connections. (markt)
  * Code: Refactor synchronization blocks locking on SocketWrapper to use
    ReentrantLock to support users wishing to experiment with project Loom.
    (markt)

Jasper

  * Fix: 66536: Fix parsing of tag files that meant that tag directives could
    be ignored for some tag files. (markt)

Cluster

  * Fix: 66535: Redefine the maxValidTime attribute of FarmWarDeployer to be
    the maximum time allowed between receiving parts of a transferred file
    before the transfer is cancelled and the associated resources cleaned-up. A
    new warning message will be logged if the file transfer is cancelled.
    (markt)

WebSocket

  * Fix: 66508: When using WebSocket with NIO2, avoid waiting for a timeout
    before sending the close frame if an I/O error occurs during a write.
    (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations. Contributed by Shirayuking and
    tak7iji. (markt)
  * Add: Improvements to Chinese translations. Contributed by totoo. (markt)
  * Code: Refactor code using MD5Encoder to use HexUtils.toHexString(). (markt)
  * Fix: 66507: Fix a bug that $JAVA_OPTS is not passed to the jvm in
    catalina.sh when calling version. Patch suggested by Eric Hamilton. (lihan)
  * Update: Update the internal fork of Commons DBCP to f131286 (2023-03-08,
    2.10.0-SNAPSHOT). This corrects a regression introduced in 9.0.71. (markt)
  * Fix: Improve the error messages if JRE_HOME or JAVA_HOME are not set
    correctly. On windows, align the handling of JRE_HOME and JAVA_HOME for the
    start-up scripts and the service install script. (markt)
  * Update: Update UnboundID to 6.0.8. (markt)
  * Update: Update Checkstyle to 10.9.3. (markt)
  * Update: Update Jacoco to 0.8.9. (markt)
  * Fix: Enhance PEMFile to load from an InputStream. Patch provided by Romain
    Manni-Bucau. (schultz)

2023-03-03 Tomcat 9.0.73 (remm)

General

  * Fix: Fix a bug that memory allocation is larger than limit in
    SynchronizedStack to reduce memory footprint. (lihan)

Catalina

  * Add: Add support for txt: and rnd: rewrite map types from mod_rewrite.
    Based on a pull request #591 provided by Dimitrios Soumis. (remm)
  * Update: Provide a more appropriate response (501 rather than 400) when
    rejecting an HTTP request using the CONNECT method. (markt)
  * Fix: 66488: Correct a regression introduced in the fix for bug 66196 that
    meant that the HTTP headers and/or request line could get corrupted (one
    part overwriting another part) within a single request. (markt)

Coyote

  * Add: Add a check for the validity of the scheme pseudo-header in HTTP/2.
    (markt)
  * Fix: 66482: Restore inline state after async operation in NIO2, to account
    the fact that unexpected exceptions are sometimes thrown by the
    implementation. Patch submitted by zhougang. (remm)

2023-02-23 Tomcat 9.0.72 (remm)

Catalina

  * Fix: Allow a Valve to access cookies from a request that cannot be mapped
    to a Context. (markt)
  * Fix: Refactor uses of String.replaceAll() to use String.replace() where
    regular expressions where not being used. Pull request #581 provided by
    Andrei Briukhov. (markt)
  * Add: Add error report valve that allows redirecting to of proxying from an
    external web server. Based on code and ideas from pull request #506
    provided by Max Fortun. (remm)
  * Add: 66470: Add the Shared Address Space defined by RFC 6598 (100.64.0.0/
    10) to the regular expression used to identify internal proxies for the
    RemoteIpFilter and RemoteIpValve. (markt)
  * Fix: 66471: Fix JSessionId secure attribute missing When RemoteIpFilter
    determines that this request was submitted via a secure channel. (lihan)

Coyote

  * Add: Log basic information for each configured TLS certificate when Tomcat
    starts. (markt)
  * Fix: 66442: When an HTTP/2 response must not include a body, ensure that
    the end of stream flag is set on the headers frame and that no data frame
    is sent. (markt)
  * Fix: 66455: Fix the cause of a potential ClassCastException when processing
    a WINDOW_UPDATE frame on an HTTP/2 connection where the flow control window
    for the overall connection has been exhausted. (markt)
  * Fix: Fix a regression introduced in 9.0.65 that prevented HTTP/2
    connections from timing out when using a Connector configured with
    useAsyncIO=true (the default for NIO and NIO2). (markt)
  * Add: Provided dedicated loggers
    (org.apache.tomcat.util.net.NioEndpoint.certificate /
    org.apache.tomcat.util.net.Nio2Endpoint.certificate /
    org.apache.tomcat.util.net.AprEndpoint.certificate) for logging of
    configured TLS certificates. (markt)

Jasper

  * Fix: 66419: Fix calls from expression language to a method that accepts
    varargs when only one argument was passed. (markt)
  * Fix: 66441: Make imports of static fields in JSPs visible to any EL
    expressions used on the page. (markt)

Web applications

  * Fix: 66429: Documentation. Limit access to the documentation web
    application to localhost by default. (markt)
  * Fix: 66429: Examples. Limit access to the examples web application to
    localhost by default. (markt)

Other

  * Update: Update BND to 6.4.0. (markt)
  * Add: Improvements to Korean translations. (woonsan)
  * Update: Update the packaged version of the Apache Tomcat Native Library to
    1.2.36 to pick up the Windows binaries built with with OpenSSL 1.1.1t.
    (markt)

2023-01-13 Tomcat 9.0.71 (remm)

Catalina

  * Fix: 66388: Correct a regression in the refactoring that replaced the use
    of the URL constructors. The regression broke lookups for resources that
    contained one or more characters in their name that required escaping when
    used in a URI path. (markt)
  * Fix: 66392: Change the default value of AccessLogValve's file encoding to
    UTF-8 and update documentation. (lihan)
  * Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation.
    (lihan)

Coyote

  * Fix: When resetting an HTTP/2 stream because the final response has been
    generated before the request has been fully read, use the HTTP/2 error code
    NO_ERROR so that client does not discard the response. Based on a
    suggestion by Lorenzo Dalla Vecchia. (markt)
  * Fix: 66196: Align HTTP/1.1 with HTTP/2 and throw an exception when
    attempting to commit a response with an header value that includes one or
    more characters with a code point above 255. (markt)
  * Fix: 66385: Correct a bug in HTTP/2 where a non-blocking read for a new
    frame with the NIO2 connector was incorrectly made using the read timeout
    leading to unexpected stream closure. (markt)

Jasper

  * Fix: 66370: Change the default of the
    org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless
    the EL library is running on Tomcat in which case the default remains false
    as the EL library is already called from within a privileged block and
    skipping the unnecessary privileged block improves performance. (markt)
  * Add: Add support for specifying Java 21 (with the value 21) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)

Other

  * Update: Update the internal fork of Apache Commons BCEL to 2ee2bff
    (2023-01-03, 6.7.1-SNAPSHOT). (markt)
  * Update: Update the internal fork of Apache Commons Codec to 3eafd6c
    (2023-01-03, 1.16-SNAPSHOT). (markt)
  * Update: Update the internal fork of Apache Commons FileUpload to 34eb241
    (2023-01-03, 2.0-SNAPSHOT). (markt)
  * Update: Update the internal fork of Apache Commons DBCP to f131286
    (2023-01-03, 2.10.0-SNAPSHOT). (markt)
  * Add: Improvements to Japanese translations. Contributed by Shirayuking.
    (markt)
  * Add: Improvements to Portuguese translations. Contributed by Guilherme
    Custo'dio. (markt)
  * Update: Update Checkstyle to 10.6.0. (markt)
  * Update: Update Unboundid to 6.0.7. (markt)
  * Update: Update SpotBugs to 4.7.3. (markt)

2022-12-05 Tomcat 9.0.70 (remm)

Catalina

  * Fix: Correct the default implementation of
    HttpServletRequest.isTrailerFieldsReady() to return true so it is
    consistent with the default implementation of
    HttpServletRequest.getTrailerFields() and with the Servlet API provided by
    the Jakarta EE project. (markt)
  * Fix: Improve the behavior of the credential handler attribute that is set
    in the Servlet context so that it actually reflects what is used during
    authentication. (remm)
  * Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with
    correct protocolHeader default value of "X-Forwarded-Proto". (lihan)

Coyote

  * Fix: When an HTTP/2 stream was reset, the current active stream count was
    not reduced. If enough resets occurred on a connection, the current active
    stream count limit was reached and no new streams could be created on that
    connection. (markt)

Web applications

  * Fix: 66348: Update the JARs listed in the class loader documentation and
    note which ones are optional. (markt)
  * Fix: Documentation. Replace references in the application developer's guide
    to CVS with more general references to a source code control system.
    (markt)

Other

  * Code: Refactor code base to replace use of URL constructors. While they are
    deprecated in Java 20 onwards, the reasons for deprecation are valid for
    all versions so move away from them now. (markt)
  * Update: Update the internal fork of Apache Commons BCEL to b015e90
    (2022-11-28, 6.7.0-RC1). (markt)
  * Update: Update the internal fork of Apache Commons Codec to ae32a3f
    (2022-11-29, 1.16-SNAPSHOT). (markt)
  * Update: Update to Commons Daemon 1.3.3. (markt)
  * Update: Update the internal fork of Apache Commons FileUpload to aa8eff6
    (2022-11-29, 2.0-SNAPSHOT). (markt)
  * Add: Improvements to Japanese translations. Contributed by Shirayuking and
    tak7iji. (markt)

2022-11-14 Tomcat 9.0.69 (remm)

Catalina

  * Add: 66209: Add a configuration option to allow bloom filters used to index
    JAR files to be retained for the lifetime of the web application. Prior to
    this addition, the indexes were always flushed by the periodic calls to
    WebResourceRoot.gc(). As part of this addition, configuration of archive
    indexing moves from Context to WebResourceRoot. Based on a patch provided
    by Rahul Jaisimha. (markt)
  * Fix: 66330: Correct a regression introduced when fixing 62897 that meant
    any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context
    was ignored and the default was always used. (markt)
  * Fix: 66331: Fix a regression in refactoring for Stack on the
    SystemLogHandler which caught incorrect exception. (lihan)
  * Fix: 66338: Fix a regression that caused a nuance in refactoring for
    ErrorReportValve. (lihan)
  * Fix: Escape values used to construct output for the JsonErrorReportValve to
    ensure that it always outputs valid JSON. (markt)

Coyote

  * Fix: Correct the date format used with the expires attribute of HTTP
    cookies. A single space rather than a single dash should be used to
    separate the day, month and year components to be compliant with RFC 6265.
    (markt)
  * Add: Include the name of the current stream state in the error message when
    a stream is cancelled due to an attempt to write to the stream when it is
    in a state that does not permit writes. (markt)
  * Code: NIO writes never return -1 so refactor CLOSED_NIO_CHANNEL not to do
    so and remove checks for this return value. Based on #562 by tianshuang.
    (markt)
  * Code: Remove unnecessary code that exposed the asyncTimeout to components
    that never used it. (markt)

Jasper

  * Fix: 66294: Make the use of a privileged block to obtain the thread context
    class loader added to address 62080 optional and disabled by default. This
    is now controlled by the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED
    system property. (markt)
  * Fix: 66325: Fix concurrency issue in evaluation of expression language
    containing lambda expressions. (markt)

jdbc-pool

  * Fix: 66346: Ensure all JDBC pool JARs are reproducible. Pull request #566
    provided by John Neffenger. (markt)

Other

  * Update: Update to Commons Daemon 1.3.2. (markt)
  * Add: Improvements to Chinese translations. Contributed by DigitalCat and
    lihan. (markt)
  * Add: Improvements to French translations. Contributed by Mathieu Bouchard.
    (markt)
  * Add: Improvements to Japanese translations. Contributed by Shirayuking.
    (markt)

2022-10-07 Tomcat 9.0.68 (markt)

Catalina

  * Fix: Update the RewriteValve to perform pattern matching using dotall mode
    to avoid unexpected behaviour if the URL includes encoded line terminators.
    (markt)

Coyote

  * Fix: 66276: Fix incorrect class cast when adding a descendant of HTTP/2
    streams. (lihan)
  * Fix: 66281: Fix unexpected timeouts that may appear as client
    disconnections when using HTTP/2 and NIO2. (markt)
  * Fix: Enforce the requirement of RFC 7230 onwards that a request with a
    malformed content-length header should always be rejected with a 400
    response. (markt)

Jasper

  * Fix: 66277: Fix regressions in refactoring from Stack ArrayDeque.
  * Add: Add support for specifying Java 20 (with the value 20) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)

Web applications

  * Fix: Documentation. Document the nonceRequestParameterName attribute for
    the CsrfPreventionFilter. Based on #553 by Mert U:lkgu:n. (markt)

Other

  * Update: Update Objenesis to 3.2. (markt)
  * Update: Update UnboundID to 6.0.6. (markt)
  * Update: Update Checkstyle to 10.3.4. (markt)
  * Update: Update JaCoCo to 0.8.8. (markt)
  * Update: Update SpotBugs to 4.7.2. (markt)
  * Update: Update JSign to 4.2. (markt)
  * Update: Update Derby to 10.16.1.1. (markt)
  * Add: Improvements to Chinese translations. (markt)
  * Add: Improvements to Czech translations. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations. Contributed by tak7iji and
    Shirayuking. (markt)
  * Add: Improvements to Korean translations. (markt)
  * Add: Improvements to Spanish translations. (markt)

2022-09-26 Tomcat 9.0.67 (remm)

Coyote

  * Fix: Fix a regression in refactoring for Hashtables which caused mbeans to
    lose many of their attributes. (remm)

not released Tomcat 9.0.66 (remm)

Catalina

  * Fix: Correct handling of HTTP TRACE requests where there are multiple
    instances of an HTTP header with the same name. (markt)
  * Fix: Implement the requirements of RFC 7231 and do not include sensitive
    headers in responses to HTTP TRACE requests. (markt)
  * Fix: Implement the clarification in RFC 9110 that the units in HTTP range
    specifiers are case insensitive. (markt)
  * Fix: Properly-escape role and group information when writing
    MemoryUserDatabase to an XML file. (schultz)
  * Fix: Move control of XML-export logic from individual support classes into
    MemoryUserDatabase.save(). Deprecate and discontinue use of MemoryUser,
    MemoryRole, and MemoryGroup classes. (schultz)
  * Fix: 66183: When logging cookie values in an access log valve and there are
    multiple cookies with the same name, log all cookie values rather than just
    the first. Based on pull request #541 by Han Li. (markt)
  * Fix: 66184: Ensure that JULI root loggers have a default level of INFO.
    Pull request #533 provided by Piotr P. Karwasz. (markt)
  * Fix: Improve handling of stack overflow errors when parsing SSI
    expressions. (markt)
  * Fix: 66120: Enable FORM authentication to work correctly if session
    persistence and restoration occurs during the authentication process.
    (markt)
  * Fix: 66233: Include an error message when sending a 400 response because a
    request has too many cookies. (markt)
  * Fix: When web application deployment fails due to JARs with duplicate
    fragment names, improve the error message by listing the JARs that contain
    the duplicates. Based on pull request #535 by Mads Rolsdorph. (markt)
  * Fix: Replace logging thread for JULI's AsyncFileHandler with an executor to
    protect against failure of the logging thread. Based on pull request #545
    by Piotr P. Karwasz. (markt)

Coyote

  * Fix: Avoid potential NPE by skipping duplicate accept check when using a
    Unix Domain Socket. Based on #532 by Han Li. (markt)
  * Fix: Address an edge case in HTTP header parsing that allowed CRCRLF to be
    used as a valid line terminator. (markt)
  * Fix: Ensure HTTP/2 requests that include connection specific headers are
    rejected. (markt)
  * Fix: When processing HTTP/2 requests, allow a host header to be used in
    place of an :authority header. (markt)
  * Fix: When processing HTTP/2 requests, allow a host header and an :authority
    header to be present providing they are consistent. (markt)
  * Fix: When processing HTTP/2 requests, reject requests containing multiple
    host headers. (markt)
  * Fix: Make parsing of invalid filename directives in Content-Disposition
    headers more robust. Invalid filename directives will now be ignored rather
    than triggering a 500 response. (markt)
  * Fix: 66194: Log HTTP/2 stream closures (usually caused by client errors)
    via a UserDataHelper to broadly align it with the behaviour of HTTP/1.1 for
    parsing issues and exceeding limits. (markt)
  * Fix: 66236: Implement support for the special values zero and minus one
    when configuring maxSavePostSize for a Connector when used in conjunction
    with TLS renegotiation. (markt)
  * Fix: 66240: Avoid int overflow when parsing octets by limiting the maximum
    value to 255. Based on a PR #548 by Stefan Mayr. (lihan)
  * Fix: #550: Correctly handle case where a Servlet responds to a request with
    an expectation with a 2xx response without reading the request body. Pull
    request provided by Malay Shah. (markt)
  * Fix: #551: Avoid potential IndexOutOfBoundsException by fixing incorrect
    check when matching HTTP/2 preface. Submitted by ??????. (lihan)

Jasper

  * Fix: Improve handling of stack overflow errors when parsing EL expressions.
    (markt)
  * Fix: Correct parsing of integer and floating point literals in EL
    expressions so that larger values are correctly parsed to BigInteger and
    BigDecimal respectively. (markt)
  * Add: 66203: Log an error message when the JSP compiler is unable to create
    the output directory for the generated code. (markt)
  * Fix: 66235: Fix various issues with the bean resolver used for Graal.
    (remm)
  * Fix: Improve the performance of the ImportHandler in the Expression
    Language implementation. This removes a previous optimisation that is now
    detrimental rather than helpful. Pull request #547 provided by rmannibucau.
    (markt)
  * Fix: Improve handling of EL error messages so instances of Number are not
    formatted in unexpected ways. (markt/kkolinko)
  * Fix: Switch to using ELException rather than IllegalArgumentException when
    a type conversion fails during an EL arithmetic operation. This is an EL
    error so ELException seems more appropriate. (markt)
  * Fix: 66246: Fix JspC generates invalid web.xml due to incorrect header.
    (lihan)
  * Fix: Fix a bug in MethodExpression handling that triggered an error when
    invoking a static method on an instance of the class rather than directly
    on the class. (markt)
  * Fix: Use BigInteger.remainder() rather than BigInteger.mod() when
    performing the modulus operation for instances of BigInteger as part of an
    EL expression. (markt)

Cluster

  * Fix: To aid future additions of new functionality, rather than throw an
    IllegalArgumentException if a DeltaRequest is passed an unrecognised action
    type, a warning message will now be logged. (markt)
  * Fix: 66120: Enable FORM authentication to work correctly if session
    failover occurs during the authentication process. (markt)

WebSocket

  * Add: 62312: Add support for authenticating WebSocket clients with an HTTP
    forward proxy when establishing a connection to a WebSocket endpoint via a
    forward proxy that requires authentication. Based on a patch provided by
    Joe Mokos. (markt)

Other

  * Fix: Ensure that zip archives use UTC for file modification times to ensure
    repeatable builds across time zones. (markt)
  * Add: Improvements to Chinese translations. (lihan)
  * Add: Improvements to Czech translations. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to German translations. (markt)
  * Add: Improvements to Japanese translations. Contributed by tak7iji and
    Shirayuking. (markt)
  * Add: Improvements to Korean translations. Contributed by ????. (markt)
  * Add: Improvements to Russian translations. (markt)
  * Add: Improvements to Spanish translations. (markt)
  * Add: Further automation to the build process to reduce the number of manual
    steps that release managers must perform. (markt)

2022-07-20 Tomcat 9.0.65 (remm)

Catalina

  * Fix: 66104: Avoid error message by not trying to clean up old files from
    the logging directory before the directory has been created. Based on #521
    by HanLi. (markt)

Coyote

  * Add: Provide dedicated loggers
    (org.apache.tomcat.util.net.NioEndpoint.handshake /
    org.apache.tomcat.util.net.Nio2Endpoint.handshake) for TLS handshake
    failures. (markt)
  * Add: Enable the use of the FIPS provider for TLS enabled Connectors when
    using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.
    (markt)
  * Code: Deprecated the jvmRoute system property used to configure a default
    value for the jvmRoute attribute of an Engine. (markt)
  * Fix: Fix duplicate Poller registration with HTTP/2, NIO and async IO that
    could cause HTTP/2 connections to unexpectedly fail. (markt)

Jasper

  * Add: Add support for specifying Java 19 (with the value 19) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)

Web applications

  * Fix: Documentation. 62245: Include contextXsltFile when discussing options
    for configuring directory listings. (markt)
  * Fix: Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the
    Form authentication example. (markt)
  * Fix: Documentation. Expand the description of the useSendfile attribute for
    HTTP/2 and reference the possibility of file locking when using this
    feature on Windows operating systems. (markt)

Other

  * Update: Update to bnd 6.3.1. (markt)
  * Update: The minimum Ant version required to build Tomcat 9.0.x is now
    1.10.2. (markt)
  * Add: Add additional automation to the build process to reduce the number of
    manual steps that release managers must perform. (schultz)
  * Add: Implement support for reproducible builds. Reproducible builds are
    independent of operating system but require the same Ant version and same
    JDK (vendor and version) to be used as associated version information is
    embedded in a number of build outputs such as JAR file manifests. (markt)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.34
    to improve the support for building with OpenSSL 3.0.x.(markt)
  * Fix: Remove and/or update references to the removed
    org.apache.tomcat.util.threads.res package. The LocalStrings*.properties
    files in that package were moved to org.apache.tomcat.util.threads package
    for consistency with the rest of the Tomcat code base.
  * Fix: 66134: The NSIS based Tomcat installer for Windows now correctly
    handles the combination of TomcatAdminRoles defined in a configuration file
    and selecting the Manager and/or Host Manager web applications in the
    installer's GUI. (markt)
  * Update: Update the OWB module to Apache OpenWebBeans 2.0.27. (remm)
  * Update: Update the CXF module to Apache CXF 3.5.3. (remm)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations contributed by tak7iji. (markt)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.35
    to pick up Windows binaries built with OpenSSL 1.1.1q.(markt)

2022-06-09 Tomcat 9.0.64 (remm)

Catalina

  * Fix: Update the memory leak protection code to support stopping application
    created executor threads when running on Java 19 and later. (markt)
  * Fix: Improve the error message if a required --add-opens option is missing.
    (markt)
  * Fix: Disable the memory leak correction code enabled by the Context
    attribute clearReferencesObjectStreamClassCaches when running on a JRE that
    includes a fix for the underlying memory leak. (markt)
  * Fix: #515: Avoid deadlock on startup with some utility executor
    configurations. Submitted by Han Li. (remm)
  * Fix: 66068: Ensure that the changes made to a request by the RemoteIPValve
    persist after the request is put into asynchronous mode. (markt)
  * Add: Include the major version in the recommended version used for Tomcat
    Native with the AprLifecycleListener. (markt)

Coyote

  * Fix: Additional fix for 65118. Fix a potential NullPointerException when
    pruning closed HTTP/2 streams from the connection. (markt)
  * Fix: 66076: When using TLS with non-blocking writes and the NIO connector,
    ensure that flushing the buffers attempts to empty all of the output
    buffers. (markt)
  * Fix: 66084: Correctly calculate bytes written to a response. Pull request #
    516 provided by aooohan HanLi. (markt)
  * Add: Correct a regression in the support added for encrypted PKCS#1
    formatted private keys in the previous release that broke support for
    unencrypted PKCS#1 formatted private keys. (jfclere/markt)
  * Update: Remove support for NPN when using the Tomcat Native Connector as
    NPN was never standardised and browser support for NPN was removed several
    years ago. (markt)

Jasper

  * Fix: Update ImportHandler optimisation for new classes introduced in Java
    19. (markt)

Web applications

  * Fix: 66064: Update the building page in the documentation web application
    to reflect changes in required Java version and source repository. (markt)
  * Fix: Documentation. Make the description of the HTTP/1.1 configuration
    attributes that control the maximum allowed HTTP header size more specific.
    (markt)

Tribes

  * Fix: Increase the default buffer size for replication messages from 43800
    to 65536 bytes. This is expected to improve performance for large messages
    when running on Linux based systems. (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations contributed by Shirayuking and
    tak7iji. (markt)
  * Add: Improvements to Chinese translations contributed by Dingzi2012.
    (markt)

2022-05-16 Tomcat 9.0.63 (remm)

Catalina

  * Fix: 65736: Disable the forceString option for the JNDI BeanFactory and
    replace it with an automatic search for an alternative setter with the same
    name that accepts a String. This is a security hardening measure. (markt)
  * Code: 65853: Refactor the CsrfPreventionFilter to make it easier for
    sub-classes to modify the nonce generation and storage. Based on
    suggestions by Marvin Fro:hlich. (markt)
  * Fix: 65991: Avoid NPE with SSLAuthenticator when boundOnInit is used on a
    connector, during the check for client certificate authentication
    availability. (remm)
  * Fix: 66009: Use getSubjectX500Principal().toString() rather than
    getSubjectX500Principal().getName(...) to retrieve a certificate DN, to
    match the output of the deprecated getSubjectDN().getName() that was used
    previously. (remm)
  * Add: Revert the change in 9.0.59 that added a mapping of Shift_JIS for the
    ja locale to the default mappings used by ServletResponse.setLocale() as it
    caused regressions for applications using UTF-8. (markt)
  * Add: Provide a property source that sources values from Kubernetes service
    bindings. Pull request #512 provided by Sumit Kulhadia and Gareth Evans.
    (markt)

Coyote

  * Add: #501: Add new maxHttpRequestHeaderSize and maxHttpResponseHeaderSize
    attributes which allow setting the maximum HTTP header sizes independently.
    If not specified, the value of the maxHttpHeaderSize connector attribute
    will be used. Submitted by Zhongming Hua. (remm)
  * Fix: The root cause of the Linux kernel duplicate accept bug has been
    identified along with the version of the kernel that includes the fix. The
    error message displayed when this bug occurs has been updated to reflect
    this new information and to advise users to update to a version of the OS
    that uses kernel 5.10 or later. Thanks to Christopher Gual for the research
    into this issue. (markt)
  * Fix: 66023: Improve the fix for 65726 and support HTTP upgrade with a
    request body for a wider set of use cases. (markt)
  * Add: Add support for encrypted PKCS#1 formatted private keys when
    configuring the internal, in memory key store. Based on #511. (jfclere/
    markt)
  * Fix: Remove the prestartminSpareThreads attribute of the
    StandardThreadExecutor since all core threads are always started by default
    making this attribute meaningless. Pull request #510 provided by Aooohan.
    (markt)

Webapps

  * Fix: 66008: In the documentation web application, clarify the
    recommendation for the use the trimSpaces option for Jasper in production
    environments. (markt)
  * Fix: Update the documentation web application to state that the
    EncryptInterceptor does not provide sufficient protection to run Tomcat
    clustering over an untrusted network. This is CVE-2022-29885. (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to German translations contributed by Thomas Hoffmann.
    (markt)
  * Add: Improvements to Japanese translations contributed by Shirayuking.
    (markt)
  * Add: Improvements to Korean translations. (woonsan)
  * Update: Update to Commons Daemon 1.3.1. This fixes a known regression in
    1.3.0 when configuring the Windows service with custom scripts as described
    in 66055. (markt)
  * Update: Update to JSign 4.1. (markt)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.33
    to pick up Windows binaries built with OpenSSL 1.1.1o.(markt)

2022-04-01 Tomcat 9.0.62 (remm)

Catalina

  * Add: Effectively disable the WebappClassLoaderBase.getResources() method as
    it is not used and if something accidentally exposes the class loader this
    method can be used to gain access to Tomcat internals. (markt)

Files:
RevisionActionfile
1.13modifypkgsrc/www/apache-tomcat9/Makefile
1.10modifypkgsrc/www/apache-tomcat9/PLIST
1.13modifypkgsrc/www/apache-tomcat9/distinfo