Subject: CVS commit: pkgsrc/www/apache-tomcat6
From: Ryo ONODERA
Date: 2024-07-18 14:05:43
Message id: 20240718120543.2ED6DFC74@cvs.NetBSD.org
Log Message:
www/apache-tomcat6: Update to 6.0.53
Changelog:
Tomcat 6.0.53 (violetagg)
Coyote
fix Ensure that the socket is returned only once to the poller.
(violetagg)
Tomcat 6.0.52 (violetagg) not released
Coyote
fix Improve sendfile handling when requests are pipelined. (markt)
Tomcat 6.0.51 (violetagg) released 2017-03-16
Jasper
fix 60613: Refactor code generated for JSPs to reduce the size of
the code required for tags. (markt)
Other
update Change Realm configuration in the default conf/server.xml
file to use an org.apache.catalina.realm.LockOutRealm. The
LockOutRealm is available since 6.0.19, but has not been
configured by default. (kkolinko)
update Update the packaged version of the Tomcat Native Library to
1.2.12 to pick up the latest Windows binaries built with
OpenSSL 1.0.2k. (violetagg)
update Update the NSIS Installer used to build the Windows
installer to version 3.01. (markt)
fix Refactor the build script and the NSIS installer script so
that either NSIS 2.x or NSIS 3.x can be used to build the
installer. This is primarily to re-enable building the
installer on the Linux based CI system where the combination
of NSIS 3.x and wine leads to failed installer builds.
(markt)
Tomcat 6.0.50 (violetagg) not released
Web applications
fix Ensure the ASF logo image is correctly displayed in ROOT, docs
and host-manager applications. (violetagg)
Tomcat 6.0.49 (violetagg) not released
Coyote
fix 57799: Remove useless sendfile check for NIO SSL. (remm)
fix 60409: When unable to complete sendfile request, ensure the
Processor will be added to the cache only once.
(markt/violetagg)
Jasper
add 44294: Add support for varargs in UEL expressions. (markt)
fix 60356: Fix pre-compilation of JSPs that depend on nested tag
files packaged in a JAR. (markt)
fix 60431: Improve handling of varargs in UEL expressions. Based on
a patch by Ben Wolfe. (markt)
fix 60497: Restore previous tag reuse behavior following the use of
try/finally. (remm)
fix Improve the error handling for simple tags to ensure that the
tag is released and destroyed once used. (remm)
fix 60497: Follow up fix using a better variable name for the tag
reuse flag. (remm)
fix Revert use of try/finally for simple tags. (remm)
Web applications
fix Correct a typo in Host Configuration Reference. Issue
reported via comments.apache.org. (violetagg)
add In the documentation web application, be explicit that
clustering requires a secure network for all of the cluster
network traffic. (markt)
update Update the ASF logos to the new versions. (markt)
Other
update Update the ASF logos used in the Apache Tomcat installer for
Windows to use the new versions. (markt)
Tomcat 6.0.48 (violetagg) released 2016-11-15
Catalina
fix Correctly test for control characters when reading the provided
shutdown password. (markt)
fix When configuring the JMX remote listener, specify the allowed
types for the credentials. (markt)
Coyote
fix Correct the HTTP header parser so that DEL is not treated as a
valid token character. (markt)
add Add additional checks for valid characters to the HTTP request
line parsing so invalid request lines are rejected sooner.
(markt)
Web applications
fix Correct a typo in CGI How-To. Issue reported via
comments.apache.org. (violetagg)
Extras
add 55017: Add the ability to configure the RMI bind address when
using the JMX remote listener. Patch provided by Alexey Noskov.
(markt)
fix 56039: Enable the JmxRemoteLifecycleListener to work over SSL.
Patch by esengstrom. (markt)
fix 56096: When the attribute rmiBindAddress of the JMX Remote
Lifecycle Listener is specified its value will be used when
constructing the address of a JMX API connector server. Patch
is provided by Jim Talbut. (markt)
fix 57377: Remove the restriction that prevented the use of SSL
when specifying a bind address with the
JMXRemoteLifecycleListener. Also enable SSL to be configured
for the registry as well as the server. (markt)
Tomcat 6.0.47 (violetagg) released 2016-10-16
Catalina
fix Fixed a warning message that is logged during Tomcat startup.
(violetagg)
Tomcat 6.0.46 (violetagg) not released
Catalina
add Log a warning message if a user tries to configure the default
session timeout via the deprecated (and ignored)
Manager.setMaxInactiveInterval() method. (markt)
fix Correct a regression introduced in 6.0.45 where the deprecated
Manager.getMaxInactiveInterval() method returned the current
default session timeout in minutes rather than seconds. (markt)
fix 58486: Expand memory leak protection to include additional
issues identified related to XML parsing. (markt)
fix 59123: Close NamingEnumeration objects used by the JNDIRealm
once they are no longer required. (fschumacher/markt)
fix 59138: Correct a false positive warning for ThreadLocal related
memory leaks when the key class but not the value class has
been loaded by the web application class loader. (markt)
fix 59269: Correct the implementation of PersistentManagerBase so
that minIdleSwap functions as designed and sessions are swapped
out to keep the active session count below maxActiveSessions.
(markt)
fix 59247: Preload ResourceEntry as a workaround for security
manager issues on some JVMs. (kkolinko/remm)
fix 59310: Do not add a Content-Length: 0 header for custom
responses to HEAD requests that do not set a Content-Length
value. (markt)
fix 59449: In ContainerBase, ensure that the process to remove a
child container is the reverse of the process to add one. Patch
provided by Huxing Zhang. (markt)
fix RMI Target related memory leaks are avoidable which makes them
an application bug that needs to be fixed rather than a JRE bug
to work around. Therefore, start logging RMI Target related
memory leaks on web application stop. Add an option that
controls if the check for these leaks is made. Log a warning if
running on Java 9 with this check enabled but without the
command line option it requires. (markt)
fix 59708: Modify the LockOutRealm logic. Valid authentication
attempts during the lock out period will no longer reset the
lock out timer to zero. (markt)
fix By default, treat paths used to obtain a request dispatcher as
encoded. This behaviour can be changed per web application via
the dispatchersUseEncodedPaths attribute of the Context.
(markt)
add Provide a mechanism that enables the container to check if a
component (typically a web application) has been granted a
given permission when running under a SecurityManager without
the current execution stack having to have passed through the
component. Use this new mechanism to extend SecurityManager
protection to the system property replacement feature of the
digester. (markt)
add When retrieving an object via a ResourceLink, ensure that the
object obtained is of the expected type. (markt)
fix Switch the CGI servlet to the standard logging mechanism and
remove support for the debug attribute. (markt)
add Add a new initialisation parameter, envHttpHeaders, to the CGI
Servlet to mitigate httpoxy (CVE-2016-5388) by default and to
provide a mechanism that can be used to mitigate any future,
similar issues. (markt)
add When adding and removing ResourceLinks dynamically, ensure that
the global resource is only visible via the ResourceLinkFactory
when it is meant to be. (markt)
fix Make timing attacks against the Realm implementations harder.
(schultz/markt)
fix Ensure Digester.useContextClassLoader is considered in case the
class loader is used. (violetagg)
add 60151: Improve the exception error messages when a ResourceLink
fails to specify the type, specifies an unknown type or
specifies the wrong type. (markt)
fix Correct basePackage and PrivilegedFindResourceByName in
SecurityClassLoad so that tomcat can successfully start with
the Security Manager enabled. (csutherl)
fix Improve the access checks for linked global resources to handle
the case where the current class loader is a child of the web
application class loader. (markt)
Coyote
fix 58646: Correct a problem with sendfile that resulted in a
Processor being added to the cache twice leading to broken
responses. (markt)
fix Limit the default TLS ciphers for JSSE (BIO, NIO) and OpenSSL
(APR) to those currently considered secure. (markt)
add Add a new environment variable JSSE_OPTS that is intended to be
used to pass JVM wide configuration to the JSSE implementation.
The default value is -Djdk.tls.ephemeralDHKeySize=2048 which
protects against weak Diffie-Hellman keys. (markt)
fix 59451: Correct Javadoc for MessageBytes. Patch provided by
Kyohei Nakamura. (markt)
fix Ensure that requests with HTTP method names that are not tokens
(as required by RFC 7231) are rejected with a 400 response.
(markt)
fix 59904: Add a limit (default 200) for the number of cookies
allowed per request. Based on a patch by gehui. (markt)
fix 60123: Avoid potential threading issues that could cause
excessively large values to be returned for the processing time
of a current request. (markt)
Jasper
fix Fix a memory leak in the expression language implementation
that caused the class loader of the first web application to
use expressions to be pinned in memory. (markt)
fix 59654: Enforce the requirements of section 7.3.1 of the JSP
specification regarding the permitted locations for TLD files.
Patch provided by Huxing Zhang. (markt)
fix Catch and log any Exceptions during calls to Servlet.destroy()
when destroying the Servlet associated with a JSP page. (markt)
fix Improve the error handling for custom tags to ensure that the
tag is returned to the pool or released and destroyed once
used. (markt)
Web applications
fix 58935: Remove incorrect references in the documentation to
using jar:file: URLs with the Manager application. (markt)
fix Correct the description of the ServletRequest.getServerPort()
in Proxy How-To. Issue reported via comments.apache.org.
(violetagg)
fix Fix a potential indefinite wait in the Comet Chat servlet in
the examples web application. (markt)
fix Update in the documentation the link to the maven repository
where Tomcat snapshot artifacts are deployed. (markt/violetagg)
fix Clarify in the documentation that calls to
ServletContext.log(String, Throwable) or
GenericServlet.log(String, Throwable) are logged at the SEVERE
level. (violetagg)
fix Correct a typo in SSL/TLS Configuration How-To. Issue reported
via comments.apache.org. (violetagg)
fix 58891: Update the SSL how-to. Based on a suggestion by
Alexander Kjäll. (markt)
fix 59642: Mention the localDataSource in the DataSourceRealm
section of the Realm How-To. (markt)
fix 60034: Correct a typo in the Manager How-To page of the
documentation web application. (markt)
add Add an example of using the classesToInitialize attribute of
the JreMemoryLeakPreventionListener to the documentation web
application. Based on a patch by Cris Berneburg. (markt)
fix 60192: Correct a typo in the status output of the Manager
application. Patch provided by Radhakrishna Pemmasani. (markt)
Other
fix 58283: Change the default download location for libraries
during the build process from /usr/share/java to
${user.home}/temp. Patch provided by Ahmed Hosni. (markt)
fix 59031: When using the Windows uninstaller, do not remove the
contents of any directories that have been symlinked into
the Tomcat directory structure. (markt)
update Modify the default tomcat-users.xml file to make it harder
for users to configure the entries intended for use with the
examples web application for the Manager application.
(markt)
update 59280: Update the NSIS Installer used to build the Windows
Installers to version 2.51. (kkolinko)
fix 58626: Add support for a new environment variable
(USE_NOHUP) that causes nohup to be used when starting
Tomcat. It is disabled by default except on HP-UX where it
is enabled by default since it is required when starting
Tomcat at boot on HP-UX. (markt)
add Use the mirror network rather than the ASF master site to
download the current ASF dependencies. (markt)
update Update the packaged version of the Tomcat Native Library to
1.2.10 to pick up the latest Windows binaries built with
OpenSSL 1.0.2j. (markt)
Files: