./www/apache-tomcat85, Implementation of Java Servlet and JavaServer Pages technologies

[ CVSweb ] [ Homepage ] [ RSS ] [ Required by ] [ Add to tracker ]


Branch: CURRENT, Version: 8.5.100, Package name: apache-tomcat-8.5.100, Maintainer: ryoon

Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages
technologies. The Java Servlet and JavaServer Pages specifications are
developed under the Java Community Process.

Apache Tomcat is developed in an open and participatory environment and
released under the Apache Software License. Apache Tomcat is intended to
be a collaboration of the best-of-breed developers from around the world.
We invite you to participate in this open development project.

Apache Tomcat powers numerous large-scale, mission-critical web applications
across a diverse range of industries and organizations.

This package tracks 8.5.x release branch.


Required to run:
[lang/openjdk11]

Required to build:
[pkgtools/cwrappers]

Master sites:

Filesize: 10630.07 KB

Version history: (Expand)


CVS history: (Expand)


   2024-07-18 13:51:12 by Ryo ONODERA | Files touched by this commit (3) | Package updated
Log message:
www/apache-tomcat85: Update to 8.5.100

Changelog:
2024-03-25 Tomcat 8.5.100 (schultz)

Catalina

  * Fix: Align error handling for Writer and OutputStream. Ensure use of either
    once the response has been recycled triggers a NullPointerException
    provided that discardFacades is configured with the default value of true.
  * Fix: 68495: When restoring a saved POST request after a successful FORM
    authentication, ensure that neither the URI, the query string nor the
    protocol are corrupted when restoring the request body. (markt)
  * Fix: 68721: Workaround a possible cause of duplicate class definitions when
    using ClassFileTransformers and the transformation of a class also triggers
    the loading of the same class. (markt)
  * Fix: The rewrite valve should not do a rewrite if the output is identical
    to the input. (remm)
  * Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow
    skipping over the next valve in the Catalina pipeline. (remm)
  * Add: Add checking of the "age" of the running Tomcat instance since its
    build-date to the SecurityListener, and log a warning if the server is old.
    (schultz)
  * Fix: When using the AsyncContext, throw an IllegalStateException, rather
    than allowing an NullPointerException, if an attempt is made to use the
    AsyncContext after it has been recycled. (markt)

Coyote

  * Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all
    of the connection windows and still has content to write, it will now be
    added to the backlog immediately rather than waiting until the write
    attempt for the remaining content. (markt)
  * Fix: Correct a regression in the support for user provided SSLContext
    instances that broke the
    org.apache.catalina.security.TLSCertificateReloadListener. (markt)

Jasper

  * Add: Add support for specifying Java 22 (with the value 22) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)
  * Fix: Handle the case where the JSP engine forwards a request/response to a
    Servlet that uses an OutputStream rather than a Writer. This was triggering
    an IllegalStateException on code paths where there was a subsequent attempt
    to obtain a Writer. (markt)
  * Fix: Correctly handle the case where a tag library is packaged in a JAR
    file and the web application is deployed as a WAR file rather than an
    unpacked directory. (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)
  * Fix: 57130: Allow digest.(sh|bat) to accept password from a file or stdin.
    (csutherl/schultz)
  * Update: Update Checkstyle to 10.14.1. (markt)

2024-02-19 Tomcat 8.5.99 (schultz)

Catalina

  * Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are
    correctly removed from files containing property values when configured to
    do so. Bug identified by Coverity Scan. (markt)
  * Add: Add improvements to the CSRF prevention filter including the ability
    to skip adding nonces for resource name and subtree URL patterns. (schultz)
  * Fix: Review usage of debug logging and downgrade trace or data dumping
    operations from debug level to trace. (remm)
  * Fix: 68089: Further improve the performance of request attribute access for
    ApplicationHttpRequest and ApplicationRequest. (markt)
  * Fix: 68559: Allow asynchronous error handling to write to the response
    after an error during asynchronous processing. (markt)

Coyote

  * Fix: Make asynchronous error handling more robust. Ensure that once a
    connection is marked to be closed, further asynchronous processing cannot
    change that. (markt)
  * Fix: Make asynchronous error handling more robust. Ensure that once the
    call to AsyncListener.onError() has returned to the container, only
    container threads can access the AsyncContext. This protects against
    various race conditions that woudl otherwise occur if application threads
    continued to access the AsyncContext.
  * Fix: Review usage of debug logging and downgrade trace or data dumping
    operations from debug level to trace. In particular, most of the HTTP/2
    debug logging has been changed to trace level. (remm)
  * Fix: Add support for user provided SSLContext instances configured on
    SSLHostConfigCertificate instances. Based on pull request #673 provided by
    Hakan Alt??nda?. (markt)
  * Fix: Improve the Tomcat Native shutdown process to reduce the likelihood of
    a JVM crash during Tomcat shutdown. (markt)
  * Fix: Partial fix for 68558: Cache the result of converting to String for
    request URI, HTTP header names and the request Content-Type value to
    improve performance by reducing repeated byte[] to String conversions.
    (markt)
  * Fix: Improve error reporting to HTTP/2 clients for header processing errors
    by reporting problems at the end of the frame where the error was detected
    rather than at the end of the headers. (markt)
  * Fix: Remove the remaining reference to a stream once the stream has been
    recycled. This makes the stream eligible for garbage collection earlier and
    thereby improves scalability. (markt)

Jasper

  * Fix: 68546: Generate optimal size and types for JSP imports maps, as
    suggested by John Engebretson. (remm)
  * Fix: Review usage of debug logging and downgrade trace or data dumping
    operations from debug level to trace. (remm)

WebSocket

  * Fix: Correct a regression in the fix for 66508 that could cause an
    UpgradeProcessor leak in some circumstances. (markt)
  * Fix: Review usage of debug logging and downgrade trace or data dumping
    operations from debug level to trace. (remm)
  * Fix: Ensure that WebSocket connection closure completes if the connection
    is closed when the server side has used the proprietary suspend/resume
    feature to suspend the connection. (markt)

Web applications

  * Add: Add support for responses in JSON format from the examples application
    RequestHeaderExample. (schultz)

Other

  * Update: Update Checkstyle to 10.13.0. (markt)
  * Update: Update JSign to 6.0. (markt)
  * Update: Add strings for debug level messages. (remm)

2024-01-09 Tomcat 8.5.98 (schultz)

Catalina

  * Update: 68378: Align extension to MIME type mappings in the global web.xml
    with those in httpd by adding application/vnd.geogebra.slides for ggs, text
    /javascript for mjs and audio/ogg for opus. (markt)

Coyote

  * Fix: Refactor the VirtualThreadExecutor so that it can be used by the NIO2
    connector which was using platform threads even when configured to use
    virtual threads. (markt)
  * Fix: Correct a regression in the fix for 67675 that broke TLS key file
    parsing for PKCS#8 format keys that do not specify an explicit
    pseudo-random function and rely on the default. This typically affects keys
    generated by OpenSSL 1.0.2. (markt)
  * Fix: Allow multiple operations with the same name on introspected mbeans,
    fixing a regression caused by the introduction of a second addSslHostConfig
    method. (remm)
  * Fix: Relax the check that the HTTP Host header is consistent with the host
    used in the request line, if any, to make the check case insensitive since
    host names are case insensitive. (markt)
  * Add: 68348: Add support for the partitioned attribute for cookies. (markt)

Other

  * Update: Update Checkstyle to 10.12.7. (markt)
  * Update: Update SpotBugs to 4.8.3. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)

2023-12-12 Tomcat 8.5.97 (schultz)

Catalina

  * Fix: Background processes should not be run concurrently with lifecycle
    operations of a container. (remm)
  * Fix: Correct unintended escaping of XML in some WebDAV responses. The XML
    list of support locks when provided in response to a PROPFIND request was
    incorrectly XML escaped. (markt)
  * Fix: 68227: Ensure that AsyncListener.onComplete() is called if
    AsyncListener.onError() calls AsyncContext.dispatch(). (markt)
  * Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP
    request processing. Includes a test case based on code provided by
    adwsingh. (markt)

Jasper

  * Code: 68119: Refactor the CompositeELResolver to improve performance during
    type conversion operations. (markt)

Web Applications

  * Fix: Examples. Improve the error handling so snakes associated with a user
    that drops from the network are removed from the game. (markt)

Other

  * Update: Update UnboundID to 6.0.11. (markt)
  * Update: Update Checkstyle to 10.12.5. (markt)
  * Update: Update SpotBugs to 4.8.2. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)
  * Add: Improvements to Russian translations by usmazat and remm. (markt)

2023-11-13 Tomcat 8.5.96 (schultz)

Catalina

  * Fix: 67667: TLSCertificateReloadListener prints unreadable rendering of
    X509Certificate#getNotAfter(). (michaelo)
  * Update: The status servlet included in the manager webapp can now output
    statistics as JSON, using the JSON=true URL parameter. (remm)
  * Update: Optionally allow ServiceBindingPropertySource to trim a trailing
    newline from a file containing a property-value. (schultz)
  * Fix: 67793: Ensure the original session timeout is restored after FORM
    authentication if the user refreshes a page during the FORM authentication
    process. Based on a suggestion by Mircea Butmalai. (markt)
  * Update: 67926: PEMFile prints unidentifiable string representation of ASN.1
    OIDs. (michaelo)
  * Fix: 66875: Ensure that setting the request attribute
    jakarta.servlet.error.exception is not sufficient to trigger error handling
    for the current request and response. (markt)
  * Fix: 68054: Avoid some file canonicalization calls introduced by the fix
    for 65433. (remm)
  * Fix: 68089: Improve performance of request attribute access for
    ApplicationHttpRequest and ApplicationRequest. (markt)
  * Fix: Use a 400 status code to report an error due to a bad request (e.g. an
    invalid trailer header) rather than a 500 status code. (markt)
  * Fix: Ensure that an IOException during the reading of the request triggers
    always error handling, regardless of whether the application swallows the
    exception. (markt)

Coyote

  * Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and SSLHostConfig#
    certificateKeystorePasswordFile. (michaelo)
  * Add: When calling SSLHostConfigCertificate.setCertificateKeystore(ks),
    automatically call setCertificateKeystoreType(ks.getType()). (markt)
  * Fix: 67628: Clarify how the ciphers attribute of the SSLHostConfig is used.
    (markt)
  * Fix: 67666: Ensure TLS connectors using PEM files either work with the
    TLSCertificateReloadListener or, in the rare case that they do not, log a
    warning on Connector start. (markt)
  * Fix: 67675: Support a wider range of KDF and ciphers for PEM files than the
    combinations supported by the JVM by default. Specifically, support the
    OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt)
  * Fix: 67927: Reloading TLS configuration can cause the Connector to refuse
    new connections or the JVM to crash. (markt)
  * Fix: 67934: If both Tomcat Native 1.2.x and 2.0.x are available, prefer
    1.2.x since it supports the APR/Native connector whereas 2.0.x does not.
    (markt)
  * Fix: 67938: Correct handling of large TLS client hello messages that were
    causing the TLS handshake to fail. (markt)
  * Fix: 68026: Convert selected MessageByte values to String when first
    accessed to speed up subsequent accesses and reduce garbage collection.
    (markt)

Jasper

  * Fix: 68068: Performance improvement for EL. Based on a suggestion by John
    Engebretson. (markt)

Other

  * Add: 67538: Make use of Ant's <javaversion /> task to enfore the mininum
    Java build version. (michaelo)
  * Update: Update Checkstyle to 10.12.4. (markt)
  * Update: Update JaCoCo to 0.8.11. (markt)
  * Update: Update SpotBugs to 4.8.0. (markt)

2023-10-16 Tomcat 8.5.95 (schultz)

Coyote

  * Fix: 67670: Fix regression with HTTP compression after code refactoring.
    (remm)

jdbc-pool

  * Fix: 67664: Correct a regression in the clean-up of unnecessary use of
    fully qualified class names in 8.5.94 that broke the jdbc-pool. (markt)

2023-10-10 Tomcat 8.5.94 (schultz)

Catalina

  * Add: 65770: Provide a lifecycle listener that will automatically reload TLS
    configurations a set time before the certificate is due to expire. This is
    intended to be used with third-party tools that regularly renew TLS
    certificates. (markt)
  * Fix: Fix handling of an error reading a context descriptor on deployment.
    (remm)
  * Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was
    also use, while it should instead take precedence. (remm)
  * Fix: 67472: Send fewer CORS-related headers when CORS is not actually being
    engaged. (schultz)
  * Add: Improve handling of failures within recycle() methods. (markt)

Coyote

  * Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization
    takes precedence over the tomcatAuthentication attribute when processing an
    auth_type attribute received from a proxy server. (markt)
  * Fix: 67235: Fix a NullPointerException when an AsyncListener handles an
    error with a dispatch rather than a complete. (markt)
  * Fix: When an error occurs during asynchronous processing, ensure that the
    error handling process is only triggered once per asynchronous cycle.
    (markt)
  * Fix: Fix logic issue trying to match no argument method in
    IntropectionUtil. (remm)
  * Fix: Improve thread safety around readNotify and writeNotify in the NIO2
    endpoint. (remm)
  * Fix: Avoid rare thread safety issue accessing message digest map. (remm)
  * Fix: Align validation of HTTP trailer fields with standard fields. (markt)
  * Fix: Improvements to HTTP/2 overhead protection. (markt)

Jasper

  * Fix: 67080: Improve performance of EL expressions in JSPs that use implicit
    objects. Based on suggestions by John Engebretson, Anurag Dubey and
    Christopher Schultz. (markt)

Other

  * Update: Update the internal fork of Apache Commons FileUpload to 7a8c324
    (2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x
    branch requiring additional Commons IO dependencies, Tomcat has switched to
    tracking the 1.x branch. (markt)
  * Update: Update UnboundID to 6.0.10. (markt)
  * Update: Update Checkstyle to 10.12.3. (markt)
  * Update: Update Tomcat Native to 1.2.39 to pick up Windows binaries built
    with OpenSSL 3.0.11. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)
  * Add: Improvements to Russian translations by usmazat. (markt)

2023-08-25 Tomcat 8.5.93 (markt)

Catalina

  * Fix: If an application or library sets both a non-500 error code and the
    javax.servlet.error.exception request attribute, use the provided error
    code during error page processing rather than assuming an error code of
    500. (markt)
  * Fix: Update code comments and Tomcat output to use MiB for 1024 * 1024
    bytes and KiB for 1024 bytes rather than MB and kB. (martk)
  * Fix: Avoid protocol relative redirects in FORM authentication. (markt)

Web applications

  * Fix: Documentation. Update documentation to use MiB for 1024 * 1024 bytes
    and KiB for 1024 bytes rather than MB and kB. (martk)

Other

  * Add: Improvements to Chinese translations. (lihan)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations by tak7iji. (markt)

2023-08-14 Tomcat 8.5.92 (markt)

Catalina

  * Fix: Align documentation for maxParameterCount to match hard-coded
    defaults. Contributed by Michal Sobkiewicz. (schultz)
  * Fix: 66680: When serializing a session during the session presistence
    process, do not log a warning that null Principals are not serializable.
    Pull request #638 provided by tsryo. (markt)
  * Fix: Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up
    to 17 to signal closed connections. (fschumacher)
  * Fix: 66822: Use the same naming format in log messages for Connector
    instances as the associated ProtocolHandler instance. (markt)
  * Fix: The parts count should also lower the actual maxParameterCount used
    for parsing parameters if parts are parsed first. (remm)

Coyote

  * Fix: Correct a regression introduced in 8.5.91 and use the correct constant
    when constructing the default value for the certificateKeystoreFile
    attribute of an SSLHostConfigCertificate instance. (markt)
  * Code: Refactor HTTP/2 implementation to reduce pinning when using virtual
    threads. (markt)
  * Fix: 66841: Ensure that AsyncListener.onError() is called after an error
    during asynchronous processing with HTTP/2. (markt)
  * Fix: Correct a race condition that could cause spurious RST messages to be
    sent after the response had been written to an HTTP/2 stream. (markt)

WebSocket

  * Fix: 66681: Fix a NullPointerException when flushing batched messages with
    compression enabled using permessage-deflate. (markt)

jdbc-pool

  * Fix: Fix the releaseIdleCounter does not increment when testAllIdle
    releases them. Pull request #241 provided by Arun Chaitanya Miriappalli
    (lihan)
  * Fix: Fix the ConnectionState state will be inconsistent with actual state
    on the connection when an exception occurs while writing. Pull request #643
    provided by Wenjun Xiao. (lihan)

Other

  * Update: Update NSIS to 3.0.9. (markt)
  * Update: Update Checkstyle to 10.12.2. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations. Contributed by tak7iji and
    Shirayuking. (markt)
  * Fix: 66829: Fix quoting so users can use the _RUNJAVA environment variable
    as intended on Windows when the path to the Java executable contains
    spaces. (markt)
  * Update: Update Tomcat Native to 1.2.38 to pick up Windows binaries built
    with OpenSSL 1.1.1v. (markt)

2023-07-10 Tomcat 8.5.91 (schultz)

Catalina

  * Add: 59232: Add org.apache.catalina.core.ContextNamingInfoListener, a
    listener which creates context naming information environment entries.
    (michaelo)
  * Add: 66665: Add org.apache.catalina.core.PropertiesRoleMappingListener, a
    listener which populates the context's role mapping from a properties file.
    (michaelo)
  * Fix: Fix an edge case where intra-web application symlinks would be
    followed if the web applications were deliberately crafted to allow it even
    when allowLinking was set to false. (markt)
  * Fix: Make parsing of ExtendedAccessLogValve patterns more robust. (markt)

Coyote

  * Fix: 66627: Restore the documented behaviour of MessageBytes.getType() that
    it returns the type of the original content rather than reflecting the most
    recent conversion. (markt)
  * Fix: 66635: Correct certificate logging on start-up so it differentiates
    between keystore based keys/certificates and PEM file based keys/
    certificates and logs the relevant information for each. (markt)
  * Fix: Refactor blocking reads and writes for the NIO connector to remove
    code paths that could allow a notification from the Poller to be missed
    resuting in a timeout rather than the expected read or write. (markt)
  * Fix: Refactor waiting for an HTTP/2 stream or connection window update to
    handle spurious wake-ups during the wait. (markt)

WebSocket

  * Fix: Improve handling of error conditions for the WebSocket server,
    particularly during Tomcat shutdown. (markt)
  * Fix: Correct a regression in the fix for 66574 that meant the WebSocket
    session could return false for onOpen() before the onClose() event had been
    completed. (markt)

Web applications

  * Add: Documentation. Expand the security guidance to cover the embedded use
    case and add notes on the uses made of the java.io.tmpdir system property.
    (markt)
  * Fix: 66662: Documentation. Fix a typo in the name of the algorithms
    attribute in the configuration section for the Digest authentication valve.
    Pull request #629 provided by gohilmca. (markt)

Other

  * Add: Include the Windows specific binary distributions in the files
    uploaded to Maven Central. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations. Contributed by tak7iji. (markt)
  * Update: Update UnboundID to 6.0.9. (markt)
  * Update: Update Checkstyle to 10.12.1. (markt)
  * Update: Update JSign to 5.0. (markt/rjung)

2023-06-12 Tomcat 8.5.90 (schultz)

Catalina

  * Add: Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual
    thread based executor that may be used with one or more Connectors to
    process requests received by those Connectors using virtual threads. This
    Executor requires a minimum Java version of Java 21. (markt)
  * Fix: 66513: Add a per session Semaphore to the PersistentValve that ensures
    that, within a single Tomcat instance, there is no more than one concurrent
    request per session. Also expand the debug logging to include whether a
    request bypasses the Valve and the reason if a request fails to obtain the
    per session Semaphore. (markt)
  * Fix: 66609: Ensure that the default servlet correctly escapes file names in
    directory listings when using XML output. Based on pull request #621 by
    Alex Kachanov. (markt)
  * Add: 66618: Add a numeric last modified field to the XML directory listings
    produced by the default servlet to enable sorting in the XSLT. Pull request
    #622 by Alex Kachanov. (markt)
  * Fix: 66621: Attempts to lock a collection with WebDAV may incorrectly fail
    if a child collection has an expired lock. (markt)
  * Fix: 66622: Deprecate the xssProtectionEnabled setting from the
    HttpHeaderSecurityFilter and change the default value to false as support
    for the associated HTTP header has been removed from all major browsers.
    (markt)

Coyote

  * Update: Update the HTTP/2 implementation to use the prioritization scheme
    defined in RFC 9218 rather than the one defined in RFC 7540. (markt)
  * Fix: 66602: not sending WINDOW_UPDATE when dataLength is ZERO on call
    SwallowedDataFramePayload. Pull request #619 by ledefe. (lihan)

WebSocket

  * Fix: 66548: Expand the validation of the value of the Sec-Websocket-Key
    header in the HTTP upgrade request that initiates a WebSocket connection.
    The value is not decoded but it is checked for the correct length and that
    only valid characters from the base64 alphabet are used. (markt)

Other

  * Update: Update to Commons Daemon 1.3.4. (markt)
  * Add: Improvements to French translations. (remm)
  * Update: Update Checkstyle to 10.12.0. (markt)
  * Update: Update the packaged version of the Apache Tomcat Native Library to
    1.2.37 to pick up the Windows binaries built with with OpenSSL 1.1.1u.
    (markt)

2023-05-19 Tomcat 8.5.89 (schultz)

Catalina

  * Fix: 66567: Fix missing IllegalArgumentException after the Tomcat code was
    converted to using URI instead of URL. (remm)
  * Fix: Escape timestamp output in AccessLogValve if a SimpleDateFormat is
    used which contains verbatim characters that need escaping. (rjung)
  * Update: Change output of vertical tab in AccessLogValve from \v to \u000b.
    (rjung)
  * Update: Improve performance of escaping in AccessLogValve roughly by a
    factor of two. (rjung)
  * Update: Improve JsonAccessLogValve: support more patterns like for headers
    and attributes. Those will be logged as sub objects. (rjung)
  * Fix: #613: Fix possible partial corrupted file copies when using file
    locking protection or the manager servlet. Submitted by Jack Shirazi.
    (remm)
  * Add: Add RateLimitFilter which can be used to mitigate DoS and Brute Force
    attacks. (isapir)

Coyote

  * Add: Add support for a new character set, gb18030-2022 - introduced in Java
    21, to the character set caching mechanism. (markt)
  * Code: The default for the HTTP Connector attribute allowHostHeaderMismatch
    has been changed from true to false to harden the default configuration.
    (markt)
  * Code: The default for the HTTP Connector attribute rejectIllegalHeader has
    been changed from false to true to harden the default configuration.
    (markt)
  * Fix: Fix an edge case in HTTP header parsing and ensure that HTTP headers
    without names are treated as invalid. (markt)
  * Update: Deprecate the HTTP Connector settings rejectIllegalHeader and
    allowHostHeaderMismatch as they have been removed in Tomcat 11 onwards.
    (markt)
  * Fix: 66591: Fix a regression introduced in the fix for 66512 that meant
    that an AJP Send Headers was not sent for responses where no HTTP headers
    were set. (markt)

Jasper

  * Fix: 66582: Account for EL having stricter requirements for static imports
    than JSPs when adding JSP static imports to the EL context. (markt)

WebSocket

  * Fix: 66574: Refactor WebSocket session close to remove the lock on the
    SocketWrapper which was a potential cause of deadlocks if the application
    code used simulated blocking. (markt)
  * Fix: 66575: Avoid unchecked use of the backing array of a buffer provided
    by the user in the compression transformation. (remm)
  * Fix: Improve exception handling when flushing batched messages during
    WebSocket session close. (markt)
  * Fix: 66581: Update AsyncChannelGroupUtil to align it with the current
    defaults for AsynchronousChannelGroup. Pull request #612 by Matthew
    Painter. (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Chinese translations. (lihan)
  * Update: Update Checkstyle to 10.10.0. (markt)
  * Update: Update Jacoco to 0.8.10. (markt)

2023-04-19 Tomcat 8.5.88 (schultz)

Catalina

  * Fix: 65995: Implement RFC 9239 and use text/javascript as the media type
    for JavaScript rather than application/javascript. (markt)
  * Add: Add an access log valve that uses a json format. Based on pull request
    #539 provided by Thomas Meyer. (remm)
  * Add: Harden the FORM authentication process against DoS attacks by using a
    reduced session timeout if the FORM authentication process creates a
    session. The duration of this timeout is configured by the
    authenticationSessionTimeout attribute of the FORM authenticator. (markt)
  * Fix: 66527: Correct the Javadoc for the Tomcat.addWebapp() methods that
    incorrectly stated that the docBase parameter could be a relative path.
    (markt)
  * Fix: 66524 Correct eviction ordering in WebResource cache to be LRU as
    intended. (schultz)
  * Update: Use server.xml to reduce the default value of maxParameterCount
    from 10,000 to 1,000. If not configured in server.xml, the default remains
    10,000. (markt)
  * Add: Update Digest authentication support to align with RFC 7616. This adds
    a new configuration attribute, algorithms, to the DigestAuthenticator with
    a default of SHA-256,MD5. (markt)
  * Update: Add support code for custom user attributes in RealmBase. Based on
    code from #473 by Carsten Klein. (remm)
  * Fix: 66541: Improve handling for cached resources for resources that use
    custom URL schemes. The scheme specific equals() and hashCode() algorithms,
    if present, will now be used for URLs for these resources. This addresses a
    potential performance issue with some OSGi custom URL schemes that can
    trigger potentially slow DNS lookups in some configurations. Based on a
    patch provided by Tom Whitmore. (markt)
  * Fix: When using a custom session manager deployed as part of the web
    application, avoid ClassNotFoundExceptions when validating session IDs
    extracted from requests. (markt)
  * Fix: 66543: Give StandardContext#fireRequestDestroyEvent its own log
    message. (fschumacher)
  * Fix: 66554: Initialize Random during server initialization to avoid
    possible JVM thread creation in the webapp context on some platforms.
    (remm)

Coyote

  * Fix: JSON filter should support specific escaping for common special
    characters as defined in RFC 8259. Based on code submitted by Thomas Meyer.
    (remm)
  * Fix: 66511: Fix GzipOutputFilter (used for compressed HTTP responses) when
    used with direct buffers. Patch suggested by Arjen Poutsma. (markt)
  * Fix: 66512: Align AJP handling of invalid HTTP response headers (they are
    now removed from the response) with HTTP. (markt)
  * Fix: 66530: Correct a regression in the fix for bug 66442 that meant that
    streams without a response body did not decrement the active stream count
    when completing leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some
    connections. (markt)
  * Code: Refactor synchronization blocks locking on SocketWrapper to use
    ReentrantLock to support users wishing to experiment with project Loom.
    (markt)

Jasper

  * Fix: 66536: Fix parsing of tag files that meant that tag directives could
    be ignored for some tag files. (markt)

Cluster

  * Fix: 66535: Redefine the maxValidTime attribute of FarmWarDeployer to be
    the maximum time allowed between receiving parts of a transferred file
    before the transfer is cancelled and the associated resources cleaned-up. A
    new warning message will be logged if the file transfer is cancelled.
    (markt)

WebSocket

  * Fix: 66508: When using WebSocket with NIO2, avoid waiting for a timeout
    before sending the close frame if an I/O error occurs during a write.
    (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations. Contributed by Shirayuking and
    tak7iji. (markt)
  * Add: Improvements to Chinese translations. Contributed by totoo. (markt)
  * Code: Refactor code using MD5Encoder to use HexUtils.toHexString(). (markt)
  * Fix: 66507: Fix a bug that $JAVA_OPTS is not passed to the jvm in
    catalina.sh when calling version. Patch suggested by Eric Hamilton. (lihan)
  * Fix: Improve the error messages if JRE_HOME or JAVA_HOME are not set
    correctly. On windows, align the handling of JRE_HOME and JAVA_HOME for the
    start-up scripts and the service install script. (markt)
  * Update: Update UnboundID to 6.0.8. (markt)
  * Update: Update Checkstyle to 10.9.3. (markt)
  * Update: Update Jacoco to 0.8.9. (markt)
  * Fix: Enhance PEMFile to load from an InputStream. Patch provided by Romain
    Manni-Bucau. (schultz)

2023-03-03 Tomcat 8.5.87 (schultz)

General

  * Fix: Fix a bug that memory allocation is larger than limit in
    SynchronizedStack to reduce memory footprint. (lihan)

Catalina

  * Update: Add support for txt: and rnd: rewrite map types from mod_rewrite.
    Based on a pull request #591 provided by Dimitrios Soumis. (markt)
  * Update: Provide a more appropriate response (501 rather than 400) when
    rejecting an HTTP request using the CONNECT method. (markt)
  * Fix: 66488: Correct a regression introduced in the fix for bug 66196 that
    meant that the HTTP headers and/or request line could get corrupted (one
    part overwriting another part) within a single request. (markt)

Coyote

  * Add: Add a check for the validity of the scheme pseudo-header in HTTP/2.
    (markt)
  * Fix: 66482: Restore inline state after async operation in NIO2, to account
    the fact that unexpected exceptions are sometimes thrown by the
    implementation. Patch submitted by zhougang. (remm)

2023-02-24 Tomcat 8.5.86 (schultz)

Catalina

  * Fix: Allow a Valve to access cookies from a request that cannot be mapped
    to a Context. (markt)
  * Fix: Refactor uses of String.replaceAll() to use String.replace() where
    regular expressions where not being used. Pull request #581 provided by
    Andrei Briukhov. (markt)
  * Add: Add error report valve that allows redirecting to of proxying from an
    external web server. Based on code and ideas from pull request #506
    provided by Max Fortun. (remm)
  * Add: 66470: Add the Shared Address Space defined by RFC 6598 (100.64.0.0/
    10) to the regular expression used to identify internal proxies for the
    RemoteIpFilter and RemoteIpValve. (markt)
  * Fix: 66471: Fix JSessionId secure attribute missing When RemoteIpFilter
    determines that this request was submitted via a secure channel. (lihan)

Coyote

  * Add: Log basic information for each configured TLS certificate when Tomcat
    starts. (markt)
  * Fix: 66442: When an HTTP/2 response must not include a body, ensure that
    the end of stream flag is set on the headers frame and that no data frame
    is sent. (markt)
  * Fix: 66455: Fix the cause of a potential ClassCastException when processing
    a WINDOW_UPDATE frame on an HTTP/2 connection where the flow control window
    for the overall connection has been exhausted. (markt)
  * Add: Provided dedicated loggers
    (org.apache.tomcat.util.net.NioEndpoint.certificate /
    org.apache.tomcat.util.net.Nio2Endpoint.certificate /
    org.apache.tomcat.util.net.AprEndpoint.certificate) for logging of
    configured TLS certificates. (markt)

Jasper

  * Fix: 66419: Fix calls from expression language to a method that accepts
    varargs when only one argument was passed. (markt)
  * Fix: 66441: Make imports of static fields in JSPs visible to any EL
    expressions used on the page. (markt)

Web applications

  * Fix: 66429: Documentation. Limit access to the documentation web
    application to localhost by default. (markt)
  * Fix: 66429: Examples. Limit access to the examples web application to
    localhost by default. (markt)

Other

  * Add: Improvements to Korean translations. (woonsan)
  * Update: Update the packaged version of the Apache Tomcat Native Library to
    1.2.36 to pick up the Windows binaries built with with OpenSSL 1.1.1t.
    (markt)

2023-01-19 Tomcat 8.5.85 (schultz)

Catalina

  * Fix: Improve the behavior of the credential handler attribute that is set
    in the Servlet context so that it actually reflects what is used during
    authentication. (remm)
  * Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with
    correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
  * Fix: 66388: Correct a regression in the refactoring that replaced the use
    of the URL constructors. The regression broke lookups for resources that
    contained one or more characters in their name that required escaping when
    used in a URI path. (markt)
  * Fix: 66392: Change the default value of AccessLogValve's file encoding to
    UTF-8 and update documentation. (lihan)
  * Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation.
    (lihan)

Coyote

  * Fix: When an HTTP/2 stream was reset, the current active stream count was
    not reduced. If enough resets occurred on a connection, the current active
    stream count limit was reached and no new streams could be created on that
    connection. (markt)
  * Fix: 66196: Align HTTP/1.1 with HTTP/2 and throw an exception when
    attempting to commit a response with an header value that includes one or
    more characters with a code point above 255. (markt)
  * Fix: 66388: Correct a regression in the refactoring that replaced the use
    of the URL constructors. The regression broke lookups for resources that
    contained one or more characters in their name that required escaping when
    used in a URI path. (markt)

Jasper

  * Fix: 66370: Change the default of the
    org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless
    the EL library is running on Tomcat in which case the default remains false
    as the EL library is already called from within a privileged block and
    skipping the unnecessary privileged block improves performance. (markt)
  * Add: Add support for specifying Java 21 (with the value 21) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)

Web applications

  * Fix: 66348: Update the JARs listed in the class loader documentation and
    note which ones are optional. (markt)
  * Fix: Documentation. Replace references in the application developer's guide
    to CVS with more general references to a source code control system.
    (markt)

Other

  * Code: Refactor code base to replace use of URL constructors. While they are
    deprecated in Java 20 onwards, the reasons for deprecation are valid for
    all versions so move away from them now. (markt)
  * Update: Update to Commons Daemon 1.3.3. (markt)
  * Add: Improvements to Japanese translations. Contributed by Shirayuking and
    tak7iji. (markt)
  * Update: Update the internal fork of Apache Commons FileUpload to 34eb241
    (2023-01-03, 2.0-SNAPSHOT). (markt)
  * Update: Update the internal fork of Apache Commons BCEL to 2ee2bff
    (2023-01-03, 6.7.1-SNAPSHOT). (markt)
  * Update: Update the internal fork of Apache Commons Codec to 3eafd6c
    (2023-01-03, 1.16-SNAPSHOT). (markt)
  * Add: Improvements to Japanese translations. Contributed by Shirayuking.
    (markt)
  * Add: Improvements to Portuguese translations. Contributed by Guilherme
    Custo'dio. (markt)
  * Update: Update Checkstyle to 10.6.0. (markt)
  * Update: Update Unboundid to 6.0.7. (markt)
  * Update: Update SpotBugs to 4.7.3. (markt)

2022-11-21 Tomcat 8.5.84 (schultz)

Catalina

  * Fix: 66330: Correct a regression introduced when fixing 62897 that meant
    any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context
    was ignored and the default was always used. (markt)
  * Fix: 66331: Fix a regression in refactoring for Stack on the
    SystemLogHandler which caught incorrect exception. (lihan)
  * Fix: 66338: Fix a regression that caused a nuance in refactoring for
    ErrorReportValve. (lihan)
  * Fix: Escape values used to construct output for the JsonErrorReportValve to
    ensure that it always outputs valid JSON. (markt)

Coyote

  * Fix: Correct the date format used with the expires attribute of HTTP
    cookies. A single space rather than a single dash should be used to
    separate the day, month and year components to be compliant with RFC 6265.
    (markt)
  * Add: Include the name of the current stream state in the error message when
    a stream is cancelled due to an attempt to write to the stream when it is
    in a state that does not permit writes. (markt)
  * Code: NIO writes never return -1 so refactor CLOSED_NIO_CHANNEL not to do
    so and remove checks for this return value. Based on #562 by tianshuang.
    (markt)
  * Code: Remove unnecessary code that exposed the asyncTimeout to components
    that never used it. (markt)

Jasper

  * Fix: 66294: Make the use of a privileged block to obtain the thread context
    class loader added to address 62080 optional and disabled by default. This
    is now controlled by the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED
    system property. (markt)
  * Fix: 66325: Fix concurrency issue in evaluation of expression language
    containing lambda expressions. (markt)

jdbc-pool

  * Fix: 66346: Ensure all JDBC pool JARs are reproducible. Pull request #566
    provided by John Neffenger. (markt)

Other

  * Update: Update to Commons Daemon 1.3.2. (markt)
  * Add: Improvements to Chinese translations. Contributed by DigitalCat and
    lihan. (markt)
  * Add: Improvements to French translations. Contributed by Mathieu Bouchard.
    (markt)
  * Add: Improvements to Japanese translations. Contributed by Shirayuking.
    (markt)

2022-10-11 Tomcat 8.5.83 (markt)

Catalina

  * Fix: 66183: When logging cookie values in an access log valve and there are
    multiple cookies with the same name, log all cookie values rather than just
    the first. Based on pull request #541 by Han Li. (markt)
  * Fix: 66184: Ensure that JULI root loggers have a default level of INFO.
    Pull request #533 provided by Piotr P. Karwasz. (markt)
  * Fix: Improve handling of stack overflow errors when parsing SSI
    expressions. (markt)
  * Fix: 66120: Enable FORM authentication to work correctly if session
    persistence and restoration occurs during the authentication process.
    (markt)
  * Fix: 66233: Include an error message when sending a 400 response because a
    request has too many cookies. (markt)
  * Fix: When web application deployment fails due to JARs with duplicate
    fragment names, improve the error message by listing the JARs that contain
    the duplicates. Based on pull request #535 by Mads Rolsdorph. (markt)
  * Fix: Replace logging thread for JULI's AsyncFileHandler with an executor to
    protect against failure of the logging thread. Based on pull request #545
    by Piotr P. Karwasz. (markt)
  * Add: Add JsonErrorReportValve that extends the ErrorReportValve that
    returns response as JSON instead of HTML. Back-porting kfujino's
    implementation. (lihan)
  * Fix: Update the RewriteValve to perform pattern matching using dotall mode
    to avoid unexpected behaviour if the URL includes encoded line terminators.
    (markt)

Coyote

  * Fix: Make parsing of invalid filename directives in Content-Disposition
    headers more robust. Invalid filename directives will now be ignored rather
    than triggering a 500 response. (markt)
  * Fix: 66194: Log HTTP/2 stream closures (usually caused by client errors)
    via a UserDataHelper to broadly align it with the behaviour of HTTP/1.1 for
    parsing issues and exceeding limits. (markt)
  * Fix: 66236: Implement support for the special values zero and minus one
    when configuring maxSavePostSize for a Connector when used in conjunction
    with TLS renegotiation. (markt)
  * Fix: 66240: Avoid int overflow when parsing octets by limiting the maximum
    value to 255. Based on a PR #548 by Stefan Mayr. (lihan)
  * Fix: #550: Correctly handle case where a Servlet responds to a request with
    an expectation with a 2xx response without reading the request body. Pull
    request provided by Malay Shah. (markt)
  * Fix: #551: Avoid potential IndexOutOfBoundsException by fixing incorrect
    check when matching HTTP/2 preface. Submitted by ??????. (lihan)
  * Fix: 66276: Fix incorrect class cast when adding a descendant of HTTP/2
    streams. (lihan)
  * Fix: 66281: Fix unexpected timeouts that may appear as client
    disconnections when using HTTP/2 and NIO2. (markt)
  * Fix: Enforce the requirement of RFC 7230 onwards that a request with a
    malformed content-length header should always be rejected with a 400
    response. (markt)

Jasper

  * Fix: Improve handling of stack overflow errors when parsing EL expressions.
    (markt)
  * Fix: Correct parsing of integer and floating point literals in EL
    expressions so that larger values are correctly parsed to BigInteger and
    BigDecimal respectively. (markt)
  * Add: 66203: Log an error message when the JSP compiler is unable to create
    the output directory for the generated code. (markt)
  * Fix: Improve the performance of the ImportHandler in the Expression
    Language implementation. This removes a previous optimisation that is now
    detrimental rather than helpful. Pull request #547 provided by rmannibucau.
    (markt)
  * Fix: Improve handling of EL error messages so instances of Number are not
    formatted in unexpected ways. (markt/kkolinko)
  * Fix: Switch to using ELException rather than IllegalArgumentException when
    a type conversion fails during an EL arithmetic operation. This is an EL
    error so ELException seems more appropriate. (markt)
  * Fix: Fix a bug in MethodExpression handling that triggered an error when
    invoking a static method on an instance of the class rather than directly
    on the class. (markt)
  * Fix: Use BigInteger.remainder() rather than BigInteger.mod() when
    performing the modulus operation for instances of BigInteger as part of an
    EL expression. (markt)
  * Fix: 66277: Fix regressions in refactoring from Stack ArrayDeque.
  * Add: Add support for specifying Java 20 (with the value 20) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)

Cluster

  * Fix: To aid future additions of new functionality, rather than throw an
    IllegalArgumentException if a DeltaRequest is passed an unrecognised action
    type, a warning message will now be logged. (markt)
  * Fix: 66120: Enable FORM authentication to work correctly if session
    failover occurs during the authentication process. (markt)

WebSocket

  * Add: 62312: Add support for authenticating WebSocket clients with an HTTP
    forward proxy when establishing a connection to a WebSocket endpoint via a
    forward proxy that requires authentication. Based on a patch provided by
    Joe Mokos. (markt)

Web applications

  * Fix: Documentation. Document the nonceRequestParameterName attribute for
    the CsrfPreventionFilter. Based on #553 by Mert U:lkgu:n. (markt)

Other

  * Fix: Ensure that zip archives use UTC for file modification times to ensure
    repeatable builds across time zones. (markt)
  * Add: Improvements to Chinese translations. (lihan)
  * Add: Improvements to Czech translations. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to German translations. (markt)
  * Add: Improvements to Japanese translations. Contributed by tak7iji and
    Shirayuking. (markt)
  * Add: Improvements to Korean translations. Contributed by ????. (markt)
  * Add: Improvements to Russian translations. (markt)
  * Add: Improvements to Spanish translations. (markt)
  * Add: Further automation to the build process to reduce the number of manual
    steps that release managers must perform. (markt)
  * Update: Update Objenesis to 3.2. (markt)
  * Update: Update UnboundID to 6.0.6. (markt)
  * Update: Update Checkstyle to 10.3.4. (markt)
  * Update: Update JaCoCo to 0.8.8. (markt)
  * Update: Update SpotBugs to 4.7.2. (markt)
  * Update: Update JSign to 4.2. (markt)

2022-08-13 Tomcat 8.5.82 (schultz)

Catalina

  * Fix: Correct handling of HTTP TRACE requests where there are multiple
    instances of an HTTP header with the same name. (markt)
  * Fix: Implement the clarification in RFC 9110 that the units in HTTP range
    specifiers are case insensitive. (markt)
  * Fix: Properly-escape role and group information when writing
    MemoryUserDatabase to an XML file. (schultz)
  * Fix: Move control of XML-export logic from individual support classes into
    MemoryUserDatabase.save(). Deprecate and discontinue use of MemoryUser,
    MemoryRole, and MemoryGroup classes. (schultz)

Coyote

  * Add: Provide dedicated loggers
    (org.apache.tomcat.util.net.NioEndpoint.handshake /
    org.apache.tomcat.util.net.Nio2Endpoint.handshake) for TLS handshake
    failures. (markt)
  * Add: Enable the use of the FIPS provider for TLS enabled Connectors when
    using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.
    (markt)
  * Fix: Address an edge case in HTTP header parsing that allowed CRCRLF to be
    used as a valid line terminator. (markt)
  * Fix: Ensure HTTP/2 requests that include connection specific headers are
    rejected. (markt)
  * Fix: When processing HTTP/2 requests, allow a host header to be used in
    place of an :authority header. (markt)
  * Fix: When processing HTTP/2 requests, allow a host header and an :authority
    header to be present providing they are consistent. (markt)
  * Fix: When processing HTTP/2 requests, reject requests containing multiple
    host headers. (markt)

Web applications

  * Fix: Documentation. 62245: Include contextXsltFile when discussing options
    for configuring directory listings. (markt)
  * Fix: Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the
    Form authentication example. (markt)

Other

  * Update: The minimum Ant version required to perform a release build for
    Tomcat 8.5.x is now 1.10.2. (markt)
  * Add: Add additional automation to the build process to reduce the number of
    manual steps that release managers must perform. (schultz)
  * Add: Implement support for reproducible builds. Reproducible builds are
    independent of operating system but require the same Ant version and same
    JDK (vendor and version) to be used as associated version information is
    embedded in a number of build outputs such as JAR file manifests. (markt)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.34
    to improve the support for building with OpenSSL 3.0.x.(markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations contributed by tak7iji. (markt)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.35
    to pick up Windows binaries built with OpenSSL 1.1.1q.(markt)

2022-06-11 Tomcat 8.5.81 (schultz)

Catalina

  * Fix: Correct a regression in the 8.5.80 (not released) that broken or
    unexpectedly modified some TLS configurations when running on a Java 8 JDK.
    (markt)
  * Fix: 66134: The NSIS based Tomcat installer for Windows now correctly
    handles the combination of TomcatAdminRoles defined in a configuration file
    and selecting the Manager and/or Host Manager web applications in the
    installer's GUI. (markt)

not released Tomcat 8.5.80 (schultz)

Catalina

  * Fix: Update the memory leak protection code to support stopping application
    created executor threads when running on Java 19 and later. (markt)
  * Fix: Improve the error message if a required --add-opens option is missing.
    (markt)
  * Fix: Disable the memory leak correction code enabled by the Context
    attribute clearReferencesObjectStreamClassCaches when running on a JRE that
    includes a fix for the underlying memory leak. (markt)
  * Fix: 66068: Ensure that the changes made to a request by the RemoteIPValve
    persist after the request is put into asynchronous mode. (markt)
  * Add: Include the major version in the recommended version used for Tomcat
    Native with the AprLifecycleListener. (markt)
  * Fix: 66104: Avoid error message by not trying to clean up old files from
    the logging directory before the directory has been created. Based on #521
    by HanLi. (markt)

Coyote

  * Fix: Additional fix for 65118. Fix a potential NullPointerException when
    pruning closed HTTP/2 streams from the connection. (markt)
  * Fix: 66076: When using TLS with non-blocking writes and the NIO connector,
    ensure that flushing the buffers attempts to empty all of the output
    buffers. (markt)
  * Fix: 66084: Correctly calculate bytes written to a response. Pull request #
    516 provided by aooohan HanLi. (markt)
  * Add: Correct a regression in the support added for encrypted PKCS#1
    formatted private keys in the previous release that broke support for
    unencrypted PKCS#1 formatted private keys. (jfclere/markt)
  * Update: Remove support for NPN when using the Tomcat Native Connector as
    NPN was never standardised and browser support for NPN was removed several
    years ago. (markt)

Jasper

  * Fix: Update ImportHandler optimisation for new classes introduced in Java
    19. (markt)
  * Add: Add support for specifying Java 19 (with the value 19) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)

Web applications

  * Fix: 66064: Update the building page in the documentation web application
    to reflect changes in required Java version and source repository. (markt)
  * Fix: Documentation. Make the description of the HTTP/1.1 configuration
    attributes that control the maximum allowed HTTP header size more specific.
    (markt)

Tribes

  * Fix: Increase the default buffer size for replication messages from 43800
    to 65536 bytes. This is expected to improve performance for large messages
    when running on Linux based systems. (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations contributed by Shirayuking and
    tak7iji. (markt)
  * Add: Improvements to Chinese translations contributed by Dingzi2012.
    (markt)

2022-05-23 Tomcat 8.5.79 (schultz)

Catalina

  * Fix: 65736: Disable the forceString option for the JNDI BeanFactory and
    replace it with an automatic search for an alternative setter with the same
    name that accepts a String. This is a security hardening measure. (markt)
  * Code: 65853: Refactor the CsrfPreventionFilter to make it easier for
    sub-classes to modify the nonce generation and storage. Based on
    suggestions by Marvin Fro:hlich. (markt)
  * Fix: 65991: Avoid NPE with SSLAuthenticator when boundOnInit is used on a
    connector, during the check for client certificate authentication
    availability. (remm)
  * Fix: 66009: Use getSubjectX500Principal().toString() rather than
    getSubjectX500Principal().getName(...) to retrieve a certificate DN, to
    match the output of the deprecated getSubjectDN().getName() that was used
    previously. (remm)
  * Add: Revert the change in 8.5.76 that added a mapping of Shift_JIS for the
    ja locale to the default mappings used by ServletResponse.setLocale() as it
    caused regressions for applications using UTF-8. (markt)
  * Add: Provide a property source that sources values from Kubernetes service
    bindings. Pull request #512 provided by Sumit Kulhadia and Gareth Evans.
    (markt)

Coyote

  * Add: #501: Add new maxHttpRequestHeaderSize and maxHttpResponseHeaderSize
    attributes which allow setting the maximum HTTP header sizes independently.
    If not specified, the value of the maxHttpHeaderSize connector attribute
    will be used. Submitted by Zhongming Hua. (remm)
  * Fix: The root cause of the Linux kernel duplicate accept bug has been
    identified along with the version of the kernel that includes the fix. The
    error message displayed when this bug occurs has been updated to reflect
    this new information and to advise users to update to a version of the OS
    that uses kernel 5.10 or later. Thanks to Christopher Gual for the research
    into this issue. (markt)
  * Fix: 66023: Improve the fix for 65726 and support HTTP upgrade with a
    request body for a wider set of use cases. (markt)
  * Add: Add support for encrypted PKCS#1 formatted private keys when
    configuring the internal, in memory key store. Based on #511. (jfclere/
    markt)
  * Fix: Remove the prestartminSpareThreads attribute of the
    StandardThreadExecutor since all core threads are always started by default
    making this attribute meaningless. Pull request #510 provided by Aooohan.
    (markt)

Webapps

  * Fix: 66008: In the documentation web application, remove the recommendation
    for the use the trimSpaces option for Jasper in production environments.
    (markt)
  * Fix: Update the documentation web application to state that the
    EncryptInterceptor does not provide sufficient protection to run Tomcat
    clustering over an untrusted network. This is CVE-2022-29885. (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to German translations contributed by Thomas Hoffmann.
    (markt)
  * Add: Improvements to Japanese translations contributed by Shirayuking.
    (markt)
  * Add: Improvements to Korean translations. (woonsan)
  * Update: Update to Commons Daemon 1.3.1. This fixes a known regression in
    1.3.0 when configuring the Windows service with custom scripts as described
    in 66055. (markt)
  * Update: Update to JSign 4.1. (markt)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.33
    to pick up Windows binaries built with OpenSSL 1.1.1o.(markt)

2022-04-01 Tomcat 8.5.78 (markt)

Catalina

  * Add: 41007: Add the ability to specify static HTML responses for specific
    error codes and/or exception types with the ErrorReportValve. (markt)
  * Code: Harden the CredentialHandler implementations by switching to a
    constant-time implementation for credential comparisons. (schultz/markt)
  * Add: Effectively disable the WebappClassLoaderBase.getResources() method as
    it is not used and if something accidentally exposes the class loader this
    method can be used to gain access to Tomcat internals. (markt)

Coyote

  * Fix: #487: Improve logging of unknown settings frames. Pull request by
    Thomas Hoffmann. (remm)
  * Add: 65975: Add a warning if a TLS virtual host is configured with optional
    certificate authentication and the containing connector is also configured
    to support HTTP/2 as HTTP/2 does not permit optional certificate
    authentication. (markt)
  * Add: 65975: Add a warning if a TLS virtual host is configured for TLS 1.3
    with a JSSE implementation and a web application is configured for
    CLIENT-CERT authentication. CLIENT-CERT authentication requires
    post-handshake authentication (PHA) when used with TLS 1.3 but the JSSE TLS
    1.3 implementation does not support PHA. (markt)
  * Fix: Improve the recycling of Processor objects to make it more robust.
    (markt)

Jasper

  * Fix: 65959: Serialize Function as String[] rather Class[]. (remm)

Web applications

  * Fix: 65952: Align --add-opens configuration for jsvc with the current
    Tomcat scripts. (markt)
  * Fix: Correct the AJP and HTTP/1.1 Connector configuration pages in the
    documentation web application to show which attributes are applicable to
    all Connectors and which are implementation specific. (markt)

Other

  * Update: Update to Commons Daemon 1.3.0. (markt)
  * Update: Update to Checkstyle 10.0. (markt)
  * Update: Update to SpotBugs 4.6.0. (markt)
  * Add: Expand the spotbugs Ant task to also cover test code. (markt)
  * Code: Refactor the resource files for the Apache Tomcat installer for
    Windows so that all the resource files are located in a single directory in
    the source tree. (markt)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.32
    to pick up Windows binaries built with OpenSSL 1.1.1n.(markt)
  * Add: Improvements to Chinese translations contributed by 15625988003.
    (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations contributed by tak7iji. (markt)
  * Add: Expand coverage of translations for jakarta.el package. Based on #488
    from Volodymyr Siedlecki. (markt)

2022-03-17 Tomcat 8.5.77 (schultz)

Catalina

  * Fix: 65921: The type substitution flag for the rewrite valve should set the
    content type for the response, not the request. (markt)
  * Fix: #479: Enable the rewrite valve to redirect requests when the original
    request cannot be mapped to a context. This typically happens when no ROOT
    context is defined. Pull request by elkman. (markt)
  * Fix: 65940: Fix NullPointerException if an exception occurs during the
    destruction of a Servlet. (markt)

Coyote

  * Fix: Fix regression introduced with 65757 bugfix which better identified
    non request threads but which introduced a similar problem when user code
    was doing sequential operations in a single thread. Test case code
    submitted by Istvan Szekely. (remm)
  * Fix: Fix potential thread-safety issue that could cause HTTP/1.1 request
    processing to wait, and potentially timeout, waiting for additional data
    when the full request has been received. (markt)
  * Fix: Throw IOException rather than IllegalStateException when the
    application attempts to write to an HTTP/2 stream after the client has
    closed the stream. (markt)

Jasper

  * Fix: When resolving methods in EL expressions that use beans and/or static
    fields, ensure that any custom type conversion is considered when
    identifying the method to call. (markt)

Other

  * Fix: Correct a spelling mistake in the German translations. Thanks to
    Thomas Hoffmann. (markt)

2022-02-28 Tomcat 8.5.76 (schultz)

Catalina

  * Add: 61171: Add the portOffset attribute to the Server element which is
    added to the configured shutdown and Connector ports. Based on a patch by
    Marek Czernek. (markt)
  * Add: 64080: Enhance the graceful shutdown feature. Includes a new option
    for StandardService, gracefulStopAwaitMillis, that allows a time to be
    specified to wait for client connections to complete and close before the
    Container hierarchy is stopped. (markt/remm)
  * Add: Add ha-api-*.jar and jaxws-rt-*.jar to the list of JARs to skip when
    scanning for TLDs, web fragments and annotations. (michaelo)
  * Add: Expand the default mappings used by ServletResponse.setLocale() to
    include a mapping from the ja locale to the Shift_JIS encoding. (markt)
  * Fix: 65806: Improve the handling of session ID generation when the default
    algorithm for SecureRandom (SHA1PRNG) is not supported by the configured
    providers as will be the case for a FIPS compliant configuration. (markt)
  * Fix: #464: Fall back to the class loader used to load JULI when the thread
    context class loader is not set. In a normal Tomcat configuration, this
    will be the system class loader. Based on a pull request by jackshirazi.
    (markt)
  * Fix: #469: Include the Java Annotations API in the classes that Tomcat will
    not load from web applications. Pull request provided by ppkarwasz. (markt)
  * Fix: Fix a potential StringIndexOutOfBoundsException exception when
    generating a WebDAV multi-status response after an error during a copy or
    delete. Report the paths relative to the server root for any resources with
    an error. (markt)
  * Fix: Improve the format of WebDAV XML responses to make them easier for
    humans to read. The change ensures that there is always a line break before
    starting a new element. (markt)
  * Fix: Improve validation of the Destination header for WebDAV MOVE and COPY
    requests. (markt)

Coyote

  * Fix: 65408: Backport the socket close refactoring - along with supporting
    changes - that ensures that a socket is only closed once. Pooled objects
    associated with the socket are now replaced with dummy instances to protect
    against applications that attempt to continue to use the socket after it
    has been closed. (markt/remm)
  * Fix: Correct a regression in the fix for 65454 that meant that
    minSpareThreads and maxThreads settings were ignored when the Connector
    used an internal executor. (markt)
  * Fix: 65776: Improve the detection of the Linux duplicate accept bug and
    reduce (hopefully avoid) instances of false positives. (markt)
  * Fix: 65848: Revert the change that attempted to align the behaviour of
    client certificate authentication with NIO or NIO2 with OpenSSL for TLS
    between MacOS and Linux/Windows as the root cause was traced to
    configuration differences. (markt)
  * Fix: #467: When system time moves backwards (e.g. after clock correction),
    ensure that the cached formatted current date used for HTTP headers tracks
    this change. Pull request provided by zhenguoli. (markt)
  * Update: Remove pollerThreadCount Connector attribute for NIO. One poller
    thread is sufficient. (remm/markt)
  * Fix: Avoid creating and using object caches when they are disabled. (remm/
    markt)

Jasper

  * Fix: #474: Prevent a tag file from corrupting the ELContext of the calling
    page. Pull request provided by Dmitri Blinov. (markt)
  * Fix: Minor optimisation of serialization for FunctionMapperImpl in response
    to pull request #476. (markt)

Web applications

  * Fix: Remove the applet example from the example web application as applets
    are no longer supported in any major browser. (markt)
  * Code: Refactor a small number of pages in the examples web application to
    avoid an issue with reproducible builds due to differences in file ordering
    across different operating systems with Ant's zip task. (markt)
  * Fix: Better documentation for the protocol attribute of the JNDIRealm.
    (markt)
  * Fix: Clarify the some custer settings described in the documentation web
    application. (markt)
  * Add: Add information on the OpenSSLConf and OpenSSLConfCmd elements to the
    HTTP SSL configuration page in the documentation web applications. (markt)

jdbc-pool

  * Code: Use LF line endings for text files in JARs to support reproducible
    builds across different operating systems. (markt)

Other

  * Code: Switch to building with Java 11 and using --release to target Java 8.
    Once back-ported to all currently supported branches, this will reduce the
    number of Java versions developers need to juggle. (markt)
  * Code: Use LF line endings for text files in JARs to support reproducible
    builds across different operating systems. (markt)
  * Fix: Fix dependencies for individual test targets in Ant build file. Based
    on #468 provided by Totoo chenyonghui. (markt)

2022-01-17 Tomcat 8.5.75 (schultz)

Coyote

  * Fix: Correct a regression in the fix for 65785 that broke HTTP/2 server
    push. (markt)

not released Tomcat 8.5.74 (schultz)

Catalina

  * Fix: Make SPNEGO authentication more robust for the case where the provided
    credential has expired. (markt)
  * Fix: 65684: Fix a potential NullPointerException when using JULI. (markt)
  * Docs: Document conditions under which the AprLifecycleListener can be used
    to avoid JVM crashes. (michaelo)
  * Fix: Refactor the AsyncFileHandler to reduce the possibility of log
    messages being lost on shutdown. (markt)
  * Update: Refactor the AsyncFileHandler to remove the need for the
    org.apache.juli.AsyncLoggerPollInterval. If set, this property now has no
    effect. (markt)
  * Add: Add debug logging to the RestCsrfPreventionFilter. Based on pull
    request #452 by Polina Georgieva. (markt)
  * Add: 65710: Implement a workaround for a JVM bug that can trigger a file
    descriptor leak when using multi-part upload and the application does not
    explicitly close an input stream for an uploaded file that was cached on
    disk. (markt)
  * Fix: Add recycling check in the input and output stream isReady to try to
    give a more informative ISE when the facade has been recycled. (remm)
  * Update: Remove the deprecated JmxRemoteLifecycleListener. (markt)
  * Fix: Make the calculation of the session storage location more robust when
    using file based persistent storage. (markt)

Coyote

  * Fix: Fix a potential JVM crash when using the APR/Native connector with
    TLS. A crash could occur if the connector was stopped whilst a connection
    was performing a TLS handshake. (markt)
  * Add: Provide protection against a known OS bug that causes the acceptor to
    report an incoming connection more than once. (markt)
  * Fix: 65677: Improve exception handling for errors during HTTP/1.1 reads
    with NIO2. (markt)
  * Fix: Refactor APR/native connector shutdown to remove a potential source of
    JVM crashes on shutdown when sendfile is used. (markt)
  * Fix: When an error occurs that triggers a stream reset, ensure that the
    first RST frame sent to the client is the one associated with the error
    that triggered the reset. (markt)
  * Fix: 65714: Fix exceptions when the security manager is enabled and the
    first request received after starting is an HTTP request to a TLS enabled
    NIO2 connector. (markt)
  * Add: Ensure that using NIO or NIO2 with OpenSSL for TLS behaves the same
    way on MacOS as it does on Linux and Windows when no trusted certificate
    authorities are configured and reject all client certificates. (markt)
  * Fix: 65726: Implement support for HTTP/1.1 upgrade when the request
    includes a body. The maximum permitted size of the body is controlled by
    maxSavePostSize. (markt)
  * Fix: Restore pre-starting of minSpareThreads lost in the fix for 65454.
    (markt)
  * Fix: 65757: Missing initial IO listener notification on Servlet container
    dispatch to another container thread. (remm)
  * Fix: Expand the fix for 65757 so that rather than just checking if
    processing is happening on a container thread, the check is now if
    processing is happening on the container thread currently allocated to this
    request/response. (markt)
  * Fix: Avoid a potential deadlock during the concurrent processing of
    incoming HTTP/2 frames for a stream and that stream being reset. (markt)
  * Add: 65767: Add support for certificates that use keys encrypted using
    PBES2. Based on a pull request provided by xiezhaokun. (markt)
  * Code: Refactor testing whether a String is a valid HTTP token. (markt)
  * Fix: 65785: Perform additional validation of HTTP headers when using HTTP/
    2. (markt)
  * Fix: When a Connector or Endpoint is paused, ensure that only new
    connections and new requests on existing connections are stopped while
    allowing in progress requests to run to completion. (markt)
  * Fix: Explicitly release ByteBuffer instances associated with pooled
    channels when stopping the NioEndpoint and Nio2Endpoint. (markt)
  * Fix: Narrow the scope of the logging of invalid cookie headers to just the
    invalid cookie rather than the whole cookie header. (markt)

Jasper

  * Fix: 65724: Fix missing messages for some PropertyNotWritableExceptions
    caused by a typo in the name used for a resource string. (markt)
  * Add: Add support for specifying Java 18 (with the value 18) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the default will used. (markt)

WebSocket

  * Add: Add support for POJO WebSocket endpoints to the programmatic upgrade
    that allows applications to opt to upgrade an HTTP connection to WebSocket.
    (markt)
  * Fix: 65763: Improve handling of WebSocket connection close if a message
    write times out before the message is fully written. (markt)

Other

  * Fix: Switch from Cobertura to JaCoCo for code coverage as Cobertura does
    not support code coverage for code compiled for Java 11 onwards. It also
    removes the need to use a single thread to run the tests. (markt)
  * Add: Improvements to Chinese translations contributed by zhnnn. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations contributed by Shirayuking,
    yoshy and tak7iji. (markt)
  * Add: Improvements to Korean translations. (woonsan)
  * Update: Update the NSIS installer to 3.08. (markt)
  * Update: Update UnboundID to 6.0.3. (markt)

2021-11-17 Tomcat 8.5.73 (schultz)

Catalina

  * Fix: Improve robustness of JNDIRealm for exceptions occurring when getting
    the connection. Also add missing close when running into issues getting the
    passord of a user. (remm)
  * Docs: Add Javadoc comment which listeners must be nested within Server
    elements only. (michaelo)
  * Update: Log warning if a listener is not nested inside a Server element
    although it must have been. (michaelo)

Coyote

  * Code: Improve performance of Connector shutdown - primarily to reduce the
    time it takes to run the test suite. (markt)
  * Add: #457: Add a toString() method to MimeHeader to aid debugging.
    (dblevins)
  * Fix: Do not ignore the error condition if the APR connector is not able to
    open a server socket as continuing in this case will trigger a JVM crash.
    (markt)
  * Fix: Improve error handling if APR/Native fails to attach TLS capabilities
    to a TLS enabled client connection. (markt)
  * Fix: Improve error handling if APR/Native fails to accept an incoming
    connection. (markt)
  * Add: Hard code all connectors to use a single acceptor thread. (markt)

WebSocket

  * Update: Add a new method WsServerContainer.upgradeHttpToWebSocket() to
    align with the new method that will be available from WebSocket 2.1
    onwards. (markt)

2021-10-06 Tomcat 8.5.72 (schultz)

Catalina

  * Fix: 65553: Implement a work-around for a JRE bug that can trigger a memory
    leak when using the JNDI realm. (markt)
  * Fix: #451: Improve the usefulness of the thread name cache used in JULI.
    Pull request provided by t-gergely. (markt)

Coyote

  * Fix: Further improvements in the management of the connection flow control
    window. This addresses various bugs that caused streams to incorrectly
    report that they had timed out waiting for an allocation from the
    connection flow control window. (markt)
  * Fix: 65577: Fix a AccessControlException reporting when running an NIO2
    connector with TLS enabled. (markt)
  * Update: Reclassify TLS ciphers that use AESCCM8 as medium security rather
    than high security to align with recent changes in OpenSSL. (markt)
  * Fix: Fix an issue that caused some Servlet non-blocking API reads of the
    HTTP request body to incorrectly use blocking IO. (markt)

Jasper

  * Fix: Fix the implementation of MethodExpression.getMethodInfo() so that it
    returns the expected value rather than failing when the method expression
    is defined with the parameter values in the expression rather than the
    types being passed explicitly to ExpressionFactory.createMethodExpression
    (). (markt)
  * Update: Regenerate the EL parser using JavaCC 7.0.10. (markt)
  * Fix: Fix a bug that prevented the EL parser correctly parsing a literal Map
    that used variables rather than literals for both keys and values. (markt)

WebSocket

  * Fix: The internal upgrade handler should close the associated WebConnection
    on destroy. (remm)

Web applications

  * Fix: Clarify the JASPIC configuration options in the documentation web
    application. (markt)

Other

  * Fix: 65585: Update obsolete comments at the start of the
    build.properties.default file. (markt)

2021-09-13 Tomcat 8.5.71 (schultz)

Catalina

  * Fix: Enable Tomcat to start if an (old) XML parser is configured that does
    not support allow-java-encodings. A warning will be logged if such an XML
    parser is detected. (markt)
  * Fix: Change the behaviour of custom error pages. If an error occurs after
    the response is committed, once the custom error page content has been
    added to the response the connection is now closed immediately rather than
    closed cleanly. i.e. the last chunk that marks the end of the response body
    is no longer sent. This acts as an additional signal to the client that the
    request experienced an error. (markt)
  * Fix: 65479: When handling requests using JASPIC authentication, ensure that
    PasswordValidationCallback.getResult() returns the result of the password
    validation rather than always returning false. Fixed via pull request #438
    provided by Robert Rodewald. (markt)
  * Code: Refactor the authenticators to delegate the check for preemptive
    authentication to the individual authenticators where an authentication
    scheme specific check can be performed. Based on pull request #444 by
    Robert Rodewald. (markt)
  * Add: Add derby-*.jar to the list of JARs to skip when scanning for TLDs,
    web fragments and annotations. (markt)

Coyote

  * Fix: Correct a logic error that meant setting certificateKeystoreFile to
    NONE did not have the expected effect. NONE was incorrectly treated as a
    file path. Patch provided by Mikael Sterner. (markt)
  * Fix: 65505: When an HTTP header value is removed, ensure that the order of
    the remaining header values is unchanged. (markt)
  * Fix: 65563: Correct parsing of HTTP Content-Range headers. Tomcat was
    incorrectly requiring an = character after bytes. Fix based on pull request
    #449 by Thierry Gue'rin. (markt)

WebSocket

  * Fix: 65506: Fix write timeout check that was using the read timeout value.
    Patch submitted by Gustavo Mahlow. (remm)

Web applications

  * Fix: Remove unnecessary Context settings from the examples web application.
    (markt)
  * Fix: Document default value for unpackWARs and related clean-up. Pull
    request #439 provided by Robert Rodewald. (markt)
  * Fix: Clarify the documentation of the compressionMinSize and
    compressibleMimeType HTTP Connector attributes. Pull request #442 provided
    by crisgeek. (markt)

Other

  * Fix: Fix failing build when building on non-English locales. Pull request #
    441 provided by Dachuan J. (markt)
  * Update: Update to JSign version 4.0 to enable code signing without the need
    for the installation of additional client tools. (markt)
  * Add: Update the internal fork of Apache Commons BCEL to 40d5eb4
    (2021-09-01, 6.6.0-SNAPSHOT). Code clean-up only. (markt)
  * Add: Update the internal fork of Apache Commons Codec to fd44e6b
    (2021-09-01, 1.16-SNAPSHOT). Minor refactoring. (markt)
  * Add: 65661: Update the internal fork of Apache Commons FileUpload to
    33d2d79 (2021-09-01, 2.0-SNAPSHOT). Refactoring and code clean-up. As a
    result of Commons File Upload now using java.nio.file.Files, applications
    using multi-part uploads need to ensure that the JVM is configured with
    sufficient direct memory to store all in progress multi-part uploads.
    (markt)
  * Add: Update the internal fork of Apache Commons Pool to 0da5c54
    (2021-02-02, 2.9.1-SNAPSHOT). Refactoring and code clean-up. (markt)
  * Add: Update the internal fork of Apache Commons DBCP to c6d5cd9
    (2021-06-05, 2.9.0-SNAPSHOT). Refactoring and code clean-up. (markt)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.31
    to pick up Windows binaries built with OpenSSL 1.1.1l.(markt)
  * Update: Switch to the CDN as the primary download location for ASF
    dependencies. (markt)
  * Add: Improvements to Chinese translations contributed by syseal, wolibo,
    ZhangJieWen and DigitalFatCat. (markt)
  * Add: Improvements to Japanese translations contributed by tak7iji. (markt)
  * Add: Improvements to Korean translations. (woonsan)

2021-08-16 Tomcat 8.5.70 (markt)

Catalina

  * Fix: 65411: Always close the connection when an uncaught NamingException
    occurs to avoid connection locking. Submitted by Ole Ostergaard. (remm)
  * Fix: 65433: Correct a regression in the fix for 65397 where a
    StringIndexOutOfBoundsException could be triggered if the canonical path of
    the target of a symlink was shorter than the canonical path of the
    directory in which the symlink had been created. Patch provided by Cedomir
    Igaly. (markt)
  * Add: 65443: Refactor the CorsFilter to make it easier to extend. (markt)
  * Fix: To avoid unnecessary cache revalidation, do not add an HTTP Expires
    header when setting adding an HTTP header of CacheControl: private. (markt)

Coyote

  * Fix: Correct bugs in the HTTP/2 connection flow control management that
    meant it was possible for a connection to stall waiting for a connection
    flow control window update that had already arrived. Any streams on that
    connection that were trying to write when this happened would time out.
    (markt)
  * Fix: 65454: Fix a race condition that could result in a delay to a new
    request. The new request could be queued to wait for an existing request to
    finish processing rather than the thread pool creating a new thread to
    process the new request. (markt)
  * Fix: 65460: Correct a regression introduced in the previous release in the
    change to reduce the number of small HTTP/2 window updates sent for
    streams. A logic error meant that small window updates for the connection
    were not flushed. This meant that the connection flow window may not update
    quite as quickly as the ideal. (markt)

Other

  * Add: Improvements to Chinese translations contributed by ZhangJieWen and
    chengzheyan. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations contributed by tak7iji. (markt)
  * Add: Improvements to Korean translations. (woonsan)

2021-07-05 Tomcat 8.5.69 (schultz)

Catalina

  * Code: Refactor the RemoteIpValve to use the common utility method for list
    to comma separated string conversion. (markt)
  * Fix: Fix serialization warnings in UserDatabasePrincipal reported by
    SpotBugs. (markt)
  * Fix: 65397: Calls to ServletContext.getResourcePaths() no longer include
    symbolic links in the results unless allowLinking has been set to true. If
    a resource is skipped because of this change, a warning will be logged as
    this typically indicates a configuration issue. (markt)

Coyote

  * Fix: 65368: Improve handling of clean closes of inbound TLS connections.
    Treat them the same way as clean closes of non-TLS connections rather than
    as unknown errors. (markt)
  * Fix: Modify the HTTP/2 connector not to sent small updates for stream flow
    control windows to the user agent as, depending on how the user agent is
    written, this may trigger small writes from the user agent that in turn
    trigger the overhead protection. Small updates for stream flow control
    windows are now combined with subsequent flow control window updates for
    that stream to ensure that all stream flow control window updates sent from
    Tomcat are larger than overheadWindowUpdateThreshold. (markt)
  * Add: Add additional debug logging to track the current state of the HTTP/2
    overhead count that Tomcat uses to detect and close potentially malicious
    connections. (markt)
  * Update: Many HTTP/2 requests from browsers will trigger one overhead frame
    and one non-overhead frame. Change the overhead calculation so that a
    non-overhead frame reduces the current overhead count by 2 rather than 1.
    This means that, over time, the overhead count for a well-behaved
    connection will trend downwards. (markt)
  * Update: Change the initial HTTP/2 overhead count from -10 to -10 *
    overheadCountFactor. This means that, regardless of the value chosen for
    overheadCountFactor, when a connection opens 10 overhead frames in a row
    will be required to trigger the overhead protection. (markt)
  * Update: Increase the default overheadCountFactor from 1 to 10 and change
    the reduction in overhead count for a non-overhead frame from -2 to -20.
    This allows for a larger range (0-20) to be used for overheadCountFactor
    providing for finer-grained control. (markt)
  * Fix: Modify the parsing of HTTP header values that use the 1#token to
    ignore empty elements as per RFC 7230 section 7 instead of treating the
    presence of empty elements as an error. (markt)
  * Fix: Expand the unit tests for HttpServlet.doHead() and correct the
    flushing of the response buffer. The buffer used to behave as if it was one
    byte smaller than the configured size. The buffer was flushed (and the
    response committed if required) when the buffer was full. The buffer is now
    flushed (and the response committed if required) if the buffer is full and
    there is more data to write. (markt)
  * Fix: Fix an issue where concurrent HTTP/2 writes (or concurrent reads) to
    the same connection could hang and eventually timeout when async IO was
    enabled (it is enabled by default). (markt)

Jasper

  * Fix: 65390: Correct a regression in the fix for 65124 and restore code that
    was removed in error leading to JSP compilation failures in some
    circumstances. (markt)
  * Add: Add support for specifying Java 17 (with the value 17) as the compiler
    source and/or compiler target for JSP compilation. If used with an Eclipse
    JDT compiler version that does not support these values, a warning will be
    logged and the latest supported version will used. (markt)
  * Fix: 65377: Update the Java code generation for JSPs not to use the boxed
    primitive constructors as they have been deprecated in Java 9 and marked
    for future removal in Java 16. valueOf() is now used instead. (markt)

WebSocket

  * Code: Refactor the DigestAuthenticator to reuse a shared SecureRandom
    instance rather than create a new one to generate the cnonce if required.
    (markt)

Web applications

  * Fix: 65385: Correct the link in the documentation web application the Maven
    Central repository. (markt)
  * Fix: 65404: Correct a regression in the fix for 63362 that caused the
    server status page in the Manager web application to be truncated if HTTP
    upgrade was used such as when starting a WebSocket connection. (markt)

Other

  * Update: Update JUnit to version 4.13.2. (markt)
  * Update: Update UnboundID to 6.0.0. (markt)
  * Update: Update CheckStyle backport to 8.43 . (markt)

2021-06-15 Tomcat 8.5.68 (schultz)

Other

  * Update: Update to the Java 7 compatible build of JSign 3.1 to pick up a fix
    for SHA-512 signatures. (markt)
  * Fix: 65369 / #422: Add the additional --add-opens=... options required for
    running Tomcat on Java 16 onwards to the service.bat script to align it
    with the other start-up scripts. PR provided by MCMicS. (markt)

not released Tomcat 8.5.67 (schultz)

Catalina

  * Fix: 65301: RemoteIpValve will now avoid getting the local host name when
    it is not needed. (remm)
  * Fix: 65308: NPE in JNDIRealm when no userRoleAttribute is given.
    (fschumacher)
  * Add: #412: Add commented out, sample users for the Tomcat Manager app to
    the default tomcat-users.xml file. Based on a PR by Arnaud Dagnelies.
    (markt)
  * Add: #418: Add a new option, pass-through, to the default servlet's
    useBomIfPresent initialization parameter that causes the default servlet to
    leave any BOM in place when processing a static file and not to use the BOM
    to determine the encoding of the file. Based on a pull request by
    Jean-Louis Monteiro. (markt)
  * Update: Add cookieName attribute to the SSO valve to configure the SSO
    cookie name. (remm)
  * Fix: #419: When processing POST requests of type multipart/form-data for
    parts without a filename that are added to the parameter map in String
    form, check the size of the part before attempting conversion to String.
    Pull request provided by tianshuang. (markt)
  * Fix: 62912: Don't mutate an application provided content header if it does
    not contain a charset. Also remove the outdated workaround for the buggy
    Adobe Reader 9 plug-in for IE. (markt)
  * Fix: AprLifecycleListener does not show dev version suffix for libtcnative
    and libapr. (michaelo)
  * Update: Refactor principal handling in UserDatabaseRealm using an inner
    class that extends GenericPrincipal. (remm)
  * Fix: Enable the default doHead() implementation in HttpServlet to correctly
    handle responses where the content length needs to be represented as a long
    since it is larger than the maximum value that can be represented by an
    int. (markt)
  * Fix: Avoid synchronization on roles verification for the memory
    UserDatabase. (remm)
  * Fix: Fix the default doHead() implementation in HttpServlet to correctly
    handle responses where the Servlet calls ServletResponse.reset() and/or
    ServletResponse.resetBuffer(). (markt)
  * Fix: Fix the default doHead() implementation in HttpServlet to correctly
    handle responses generated using the Servlet non-blocking API. (markt)

Coyote

  * Fix: 65303: Fix a possible NullPointerException if an error occurs on an
    HTTP/1.1 connection being upgraded to HTTP/2 or on a pushed HTTP/2 stream.
    (markt)
  * Fix: 65311: Fix a race condition in the NioBlockingSelector that could
    cause a delay to select operations. (markt)
  * Update: Simplify AprEndpoint socket bind for all platforms. (michaelo)
  * Fix: 65340: Add missing check for a negative return value for
    Hpack.decodeInteger in the HpackDecoder, which could cause a
    NegativeArraySizeException exception. Submitted by Thomas, and verified the
    fix is present in the donated hpack code in a further update. (remm)
  * Add: Add debug logging for HTTP/2 HPACK header decoding. (markt)
  * Fix: Correct parsing of HTTP headers consisting of a list of tokens so that
    a header with an empty token is treated consistently regardless of whether
    the empty token is at the start, middle or end of the list of tokens.
    (markt)
  * Fix: Remove support for the identity transfer encoding. The inclusion of
    this encoding in RFC 2616 was an error that was corrected in 2001. Requests
    using this transfer encoding will now receive a 501 response. (markt)
  * Fix: Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
    clients. (markt)
  * Fix: Ensure that if the transfer encoding header contains the chunked, that
    the chunked encoding is the final encoding listed. (markt)

Jasper

  * Code: Review code used to generate Java source from JSPs and tags and
    remove code found to be unnecessary. (markt)
  * Code: Refactor use of internal ChildInfo class to use compile time type
    checking rather than run time type checking. (markt)
  * Fix: 65358: Improve expression language method matching for methods with
    varargs. Where multiple methods may match the provided parameters, the
    method that requires the fewest varargs is preferred. (markt)
  * Add: 65332: Add a commented out section in catalina.policy that provides
    the necessary permissions to compile JSPs with javac when running on Java 9
    onwards with a security manager. It is commented out as it will cause
    errors if used with earlier Java versions. (markt)

WebSocket

  * Fix: 65317: When using permessage-deflate, the WebSocket connection was
    incorrectly closed if the uncompressed payload size was an exact multiple
    of 8192. Based on a patch provided by Saksham Verma. (markt)
  * Fix: 65342: Correct a regression introduced with the fix for 65262 that
    meant Tomcat's WebSocket implementation would only work with Tomcat's
    implementation of the Java EE WebSocket API. (markt)

Web applications

  * Fix: Improve the description of the maxConnections and acceptCount
    attributes in the Connector section of the documentation web application.
    (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Korean translations. (woonsan)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.30.
    Also update the minimum recommended version to 1.2.30. (markt)
  * Add: Use JSign to integrate the build script with the code signing service
    to enable release builds to be created on Linux as well as Windows. (markt)

2021-05-12 Tomcat 8.5.66 (markt)

Catalina

  * Code: Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP
    SDK for Java. (markt)
  * Fix: 65224: Ensure the correct escaping of attribute values and search
    filters in the JNDIRealm. (markt)
  * Fix: 65235: Add missing attributes to the MBean descriptor file for the
    RemoteIpValve. (markt)
  * Fix: 65244: HandlesTypes should include classes that use the specified
    annotation types on fields or methods. (remm)
  * Fix: 65251: Correct a regression introduced in 8.5.64 that meant that the
    auto-deployment process may attempt a second, concurrent deployment of a
    web application that is being deployed by the Manager resulting in one of
    the deployments failing and errors being reported. (markt)
  * Fix: Improve the SSLValve so it is able to handle escaped client
    certificate headers from Nginx. Based on a patch by Florent Guillaume.
    (markt)

Coyote

  * Fix: Ensure that all HTTP requests that contain an invalid character in the
    protocol component of the request line are rejected with a 400 response
    rather than some requests being rejected with a 505 response. (markt)
  * Fix: When generating the error message for an HTTP request with an invalid
    request line, ensure that all the available data is included in the error
    message. (markt)
  * Fix: 65272: Restore the optional HTTP feature that allows LF to be treated
    as a line terminator for the request line and/or HTTP headers lines as well
    as the standard CRLF. This behaviour was previously removed as a
    side-effect of the fix for CVE-2020-1935. (markt)

Jasper

  * Code: Review code used to generate Java source from JSPs and tags and
    remove code found to be unnecessary. (markt)
  * Update: <servlet> entries in web.xml that include a <jsp-file> \ 
element and
    a negative <load-no-startup> element that is not the default value of -1
    will no longer be loaded at start-up. This makes it possible to define a
    <jsp-file> that will not be loaded at start-up. (markt)
  * Fix: Allow the JSP configuration option useInstanceManagerForTags to be
    used with Tags that are implemented as inner classes. (markt)

WebSocket

  * Code: Refactor the way Tomcat passes path parameters to POJO end points to
    simplify the code. (markt)
  * Fix: 65262: Refactor the creation of WebSocket end point, decoder and
    encoder instances to be more IoC friendly. Instances are now created via
    the InstanceManager where possible. (markt)

Web applications

  * Fix: 65235: Correct name of changeLocalName in the documentation for the
    RemoteIpValve. (markt)
  * Fix: 65265: Avoid getting the boot classpath when it is not available in
    the Manager diagnostics. (remm)

Other

  * Update: Update the packaged version of the Tomcat Native Library to 1.2.28.
    (markt)
  * Fix: Move SystemPropertySource to be a regular class to allow more precise
    configuration if needed. The system property source will still always be
    enabled. (remm)
  * Add: Improvements to Chinese translations. Provided by bytesgo. (mark)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Korean translations. (woonsan)

2021-04-06 Tomcat 8.5.65 (markt)

Catalina

  * Fix: Avoid NPE when a JNDI reference cannot be resolved in favor of a
    NamingException. (remm)
  * Fix: Avoid using reflection for setting properties on the webapp
    classloader. Based on a patch submitted by Romain Manni-Bucau. (remm)

Coyote

  * Fix: Improve consistency of OpenSSL error stack handling in the TLS engine,
    and log all errors found as debug. (remm)
  * Code: Re-factor the HTTP/2 implementation classes to better align with
    9.0.x and 10.0.x to make maintenance simpler. (markt)
  * Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts
    to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt)
  * Code: Simplify the closing on an HTTP/2 stream when an error condition is
    present. (markt)
  * Fix: 64771: Prevent concurrent calls to ServletInputStream.isReady()
    corrupting the input buffer. (markt)
  * Fix: 65179: Ensure that the connection level flow control window from the
    client to the server is updated when handling DATA frames received for
    completed streams else the flow control window may become exhausted.
    (markt)
  * Fix: 65203: Fix a regression introduced in 8.5.64 that meant that an error
    during an asynchronous read broke all future asynchronous reads associated
    with the same request instance. (markt)
  * Fix: Disable keep-alive when inconsistent content delimitation is present
    in a request. (remm)

Other

  * Add: Implement the first phase of reproducible builds. Sequential builds on
    the same machine now produce identical output provided that the Ant
    property ant.tstamp.now is set. The minimum required Ant version is now
    1.9.10. (markt)
  * Add: Improvements to Chinese translations. Provided by Ruan Wenjun. (mark)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Japanese translations. Provided by kfujino and
    Shirayuking. (markt)
  * Add: Improvements to Korean translations. (woonsan)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.27.
    (markt)

2021-03-10 Tomcat 8.5.64 (markt)

Catalina

  * Fix: Revert an incorrect fix for a potential resource leak that broke
    deployment via the Ant deploy task. (markt)
  * Fix: Ensure that the AsyncListener.onError() event is triggered when a I/O
    error occurs during non-blocking I/O. There were some cases discovered
    where this was not happening. (markt)
  * Add: Make the non-blocking I/O error handling more robust by handling the
    case where the application code swallows an IOException in
    WriteListener.onWritePossible() and ReadListener.onDataAvailable(). (markt)
  * Fix: 64938: Align the behaviour when null is passed to the ServletResponse
    methods setCharacterEncoding(), setContentType() and setLocale() with the
    recent clarification from the Jakarta Servlet project of the expected
    behaviour in these cases. (markt)
  * Code: Make the StandardContext.postWorkDirectory() protected rather than
    private to help users wishing to customise the default work directory
    behaviour. (markt)

Coyote

  * Fix: 65118: Fix a potential NullPointerException when pruning closed HTTP/2
    streams from the connection. (markt)
  * Fix: Avoid NullPointerException when a secure channel is closed before the
    SSL engine was initialized. (remm)
  * Fix: Improve error message for failed ConfigFileLoader lookups. (remm)
  * Fix: Ensure that the ReadListener's onError() event is triggered if the
    client closes the connection before sending the entire request body and the
    server is reading the request body using non-blocking I/O. (markt)
  * Fix: 65137: Ensure that a response is not corrupted as well as incomplete
    if the connection is closed before the response is fully written due to a
    write timeout. (markt)
  * Fix: Related to bug 65131, make sure all errors from OpenSSL are fully
    cleared, as there could be more than one error present after an operation
    (confirmed in the OpenSSL API documentation). (remm)
  * Fix: Make handling of OpenSSL read errors more robust when plain text data
    is reported to be available to read. (markt)
  * Fix: Correct handling of write errors during non-blocking I/O to ensure
    that the associated AsyncContext was closed down correctly. (markt)

Web applications

  * Fix: 65136: Remove the restriction that prevented the Manager web
    application deploying different web applications in parallel. This required
    some refactoring, most notably to HostConfig.check() and how it is used.
    (markt)

Other

  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Korean translations. (woonsan)
  * Add: Improvements to Russian translations. Provided by Azat. (mark)
  * Add: Improvements to Chinese translations. Provided by shawn. (mark)

2021-02-03 Tomcat 8.5.63 (markt)

Catalina

  * Fix: 65106: Fix the ConfigFileLoader handling of file URIs when running
    under a security manager on some JREs. (markt)

Coyote

  * Fix: Ensure that SNI provided host names are matched to SSL virtual host
    configurations in a case insensitive manner. (markt)

not released Tomcat 8.5.62 (markt)

Catalina

  * Fix: 50175: Add a new attribute to the standard context implementation,
    skipMemoryLeakChecksOnJvmShutdown, that allows the user to configure Tomcat
    to skip the memory leak checks usually performed during web application
    stop if that stop is triggered by a JVM shutdown. (markt)
  * Fix: 60781: Escape elements in the access log that need to be escaped for
    the access log to be parsed unambiguously. (fschumacher/markt)
  * Add: 64110: Add support for additional TLS related request attributes that
    provide details of the protocols and ciphers requested by a client in the
    initial TLS handshake. (markt)
  * Add: Let the RemoteCIDRValve inherit from RequestFilterValve and support
    all of its features. Especially add support for connector specific
    configuration using addConnectorPort. (rjung)
  * Add: Add peerAddress to coyote request, which contains the IP address of
    the direct connection peer. If a reverse proxy sits in front of Tomcat and
    the protocol used is AJP or HTTP in combination with the RemoteIp(Valve|
    Filter), the peer address might differ from the remoteAddress. The latter
    then contains the address of the client in front of the reverse proxy, not
    the address of the proxy itself. Support for the peer address has been
    added to the RemoteAddrValve and RemoteCIDRValve with the new attribute
    usePeerAddress. This can be used to restrict access to Tomcat based on the
    reverse proxy IP address, which is especially useful to harden access to
    AJP connectors. The peer address can also be logged in the access log using
    the new %{peer}a syntax. (rjung)
  * Fix: Avoid uncaught InaccessibleObjectException on Java 16 trying to clear
    references threads. (remm)
  * Fix: 65033: Fix JNDI realm error handling when connecting to a failed
    server when pooling was not enabled. (remm)
  * Fix: 65047: If the AccessLogValve is unable to open the access log file,
    include information on the current user in the associated log message
    (markt)

Coyote

  * Fix: Additional fix for 64830 to address an edge case that could trigger
    request corruption with h2c connections. (markt)
  * Fix: 64974: Improve handling of pipelined HTTP requests in combination with
    the Servlet non-blocking IO API. It was possible that some requests could
    get dropped. (markt)
  * Fix: 65001: Fix error handling for exceptions thrown from calls to
    ReadListener and WriteListener. (markt)
  * Fix: Avoid possible infinite loop in OpenSSLEngine.unwrap when the
    destination buffers state is changed concurrently. (remm)

Jasper

  * Add: Add a new StringInterpreter interface that allows applications to
    provide customised string attribute value to type conversion within JSPs.
    This allows applications to provide a conversion implementation that is
    optimised for the application. (markt)
  * Fix: 64965: JspContextWrapper.findAttribute should ignore expired sessions
    rather than throw an IllegalStateException. (remm)

Web applications

  * Fix: 65007: Clarify that the commands shown in the TLS documentation for
    importing a signed TLS certificate from a certificate authority are typical
    examples that may need to be adjusted in some cases. (markt)

Other

  * Add: Improvements to Chinese translations. Provided by leeyazhou and Yi
    Shen. (markt)
  * Add: Improvements to French translations. (remm)
  * Add: Improvements to Korean translations. (woonsan)
  * Update: Update the packaged version of the Tomcat Native Library to 1.2.26.
    (markt)
  * Add: Update the internal fork of Apache Commons Pool to 2.9.1-SNAPSHOT
    (2021-01-15). (markt)
  * Add: Update the internal fork of Apache Commons DBCP to 2.9.0-SNAPSHOT
    (2021-01-15). (markt)
  * Update: Migrate to new code signing service. (markt)
  * Code: Use java.nio.file.Path to test for one directory being a
    sub-directory of another in a consistent way. (markt)
  * Update: Update to Commons Daemon 1.2.4. (markt)
  * Add: Improvements to Russian translations. Provided by Polina and Azat.
    (markt)
  * Update: Update the NSIS Installer used to build the Windows installer to
    version 3.06.1. (kkolinko)
   2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030)
Log message:
www: Replace RMD160 checksums with BLAKE2s checksums

All checksums have been double-checked against existing RMD160 and
SHA512 hashes

Not committed (merge conflicts):
www/nghttp2/distinfo

Unfetchable distfiles (almost certainly fetched conditionally...):
./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx-devel/distinfo naxsi-1.3.tar.gz
./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx-devel/distinfo njs-0.5.0.tar.gz
./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz
./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz
./www/nginx/distinfo echo-nginx-module-0.62.tar.gz
./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz
./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz
./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz
./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz
./www/nginx/distinfo naxsi-1.3.tar.gz
./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz
./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz
./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz
./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz
./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz
./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz
./www/nginx/distinfo njs-0.5.0.tar.gz
./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz
   2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033)
Log message:
www: Remove SHA1 hashes for distfiles
   2020-12-09 22:40:39 by Juraj Lutter | Files touched by this commit (3)
Log message:
www/apache-tomcat85: Update to 8.5.61

Changelog for 8.5.61:
  - Align the behaviour of ServletContext.getRealPath(String path) with the
    recent clarification from the Servlet specification project. If the path
    parameter does not start with / then Tomcat processes the call as if / is
    appended to the beginning of the provided path.
  - Fix a potential file descriptor leak when WebSocket connections are
    attempted and fail.
  - Ensure that the LoadBalancerDrainingValve uses the correct setting for the
    secure attribute for any session cookies it creates.

Changelog for 8.5.60:
  - Statistics are now available (via JMX) for HTTP/2, WebSocket and HTTP/1.1
    upgraded connections
  - Stability improvements for HTTP/2
  - Improvements to error handling in the connection pool used by the JNDI
    Realm
   2020-10-15 18:16:24 by Juraj Lutter | Files touched by this commit (2)
Log message:
www/apache-tomcat85: Update to 8.5.58

Changes for 8.5.59:
  - Refactor the handling of closed HTTP/2 streams to reduce the heap usage
    associated with used streams and to retain information for more streams in
    the priority tree.
  - Deprecate the JDBCRealm.
  - Ensure that none of the methods on a ServletContext instance always fail
    when running under a SecurityManager.

Full changelog is available at:
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html#Tomcat_8.5.59_(markt)

Also CONFLICTS have been adjusted.
   2020-10-05 14:19:13 by Juraj Lutter | Files touched by this commit (3)
Log message:
www/apache-tomcat85: Update to 8.5.58

Changes for 8.5.58:
  - For requests containing the Expect: 100-continue header, optional
    support has been added to delay sending an intermediate 100 status
    response until the servlet reads the request body, allowing the
    servlet the opportunity to respond without asking for the request
    body. Based on a pull request by malaysf.
  - Add support for a read idle timeout and a write idle timeout to the
    WebSocket session via custom properties in the user properties
    instance associated with the session. Based on a pull request by
    sakshamverma.
  - Update the packaged version of the Tomcat Native Library to 1.2.25

Changes for 8.5.57:
  - Improvements to the creation of OSGi manifests.
  - Reduce the memory footprint of closed HTTP/2 streams

Changes for 8.5.56:
  - Add support for ALPN on recent OpenJDK 8 releases.
  - Add support for the CATALINA_OUT_CMD environment variable that
    defines a command to which captured stdout and stderr will be
    redirected. For use with, for example, rotatelogs. Patch provided by
    Harald Dunkel.
  - Be more flexible with respect to the ordering of groups, roles and
    users in the tomcat-users.xml file.

Changes for 8.5.55:
  - Improve the handling of requests that use an expectation. Do not
    disable keep-alive where the response has a non-2xx status code but
    the request body has been fully read.
  - Change default value separator for property replacement to ":-" due
    to possible conflicts. The syntax is now "${name:-default}".
  - Update the packaged version of the Tomcat Native Library to 1.2.24.

For full list of changes see
https://tomcat.apache.org/tomcat-8.5-doc/changelog.html
   2020-04-26 00:23:06 by Jean-Yves Migeon | Files touched by this commit (10)
Log message:
For clarity, use tomcat_start (resp. tomcat_stop) function instead of
calling ${command} directly for start (resp. stop) within rc.d.

Tested on tomcat9; but applicable down to tomcat6.

Bump PKGREVISION.

ok ryo@.
   2020-04-17 01:00:01 by Ryo ONODERA | Files touched by this commit (3) | Package updated
Log message:
apache-tomcat85: Update to 8.5.54

Changelog:
The notable changes compared to 8.5.53 include:

    Add support for default values when using ${...} property replacement in \ 
configuration files. Based on a pull request provided by Bernd Bohmann.
    When configuring an HTTP Connector, warn if the encoding specified for \ 
URIEncoding is not a superset of US-ASCII as required by RFC 7230.
    Replace the system property \ 
org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH with the Connector \ 
attribute encodedSolidusHandling that adds an additional option to pass the %2f \ 
sequence through to the application without decoding it in addition to rejecting \ 
such sequences and decoding such sequences.

The notable changes compared to 8.5.51 include:

    Add new attribute persistAuthentication to both StandardManager and \ 
PersistentManager to support authentication persistence. Patch provided by \ 
Carsten Klein
    A zero length AJP secret will now behave as if it has not been specified.
    Add the TLS request attributes used by IIS to the attributes that an AJP \ 
Connector will always accept.

The notable changes compared to 8.5.50 include:

    AJP defaults changed to listen the loopback address, require a secret and to \ 
be disabled in the sample server.xml file. If you are using the AJP protocol, \ 
please refer to the Migration Guide and update your configuration.
    The JmxRemoteLifecycleListener is now deprecated
    The HTTP Connector attribute rejectIllegalHeaderName is renamed to \ 
rejectIllegalHeader and expanded to include header values as well as names