./www/apache-tomcat85, Implementation of Java Servlet and JavaServer Pages technologies

Version: 8.5.54nb1, Package name: apache-tomcat-8.5.54nb1

Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages
technologies. The Java Servlet and JavaServer Pages specifications are
developed under the Java Community Process.

Apache Tomcat is developed in an open and participatory environment and
released under the Apache Software License. Apache Tomcat is intended to
be a collaboration of the best-of-breed developers from around the world.
We invite you to participate in this open development project.

Apache Tomcat powers numerous large-scale, mission-critical web applications
across a diverse range of industries and organizations.

This package tracks the 8.5.x release branch.

   2020-04-26 by Jean-Yves Migeon
Log message:
For clarity, use tomcat_start (resp. tomcat_stop) function instead of
calling ${command} directly for start (resp. stop) within rc.d.

Tested on tomcat9; but applicable down to tomcat6.


ok ryo@.
   2020-04-17 by Ryo ONODERA
Log message:
apache-tomcat85: Update to 8.5.54

The notable changes compared to 8.5.53 include:

    Add support for default values when using ${...} property replacement in configuration files. Based on a pull request provided by Bernd Bohmann.
    When configuring an HTTP Connector, warn if the encoding specified for URIEncoding is not a superset of US-ASCII as required by RFC 7230.
    Replace the system property org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH with the Connector attribute encodedSolidusHandling that adds an additional option to pass the %2f sequence through to the application without decoding it in addition to rejecting such sequences and decoding such sequences.

The notable changes compared to 8.5.51 include:

    Add new attribute persistAuthentication to both StandardManager and PersistentManager to support authentication persistence. Patch provided by Carsten Klein.
    A zero length AJP secret will now behave as if it has not been specified.
    Add the TLS request attributes used by IIS to the attributes that an AJP Connector will always accept.

The notable changes compared to 8.5.50 include:

    AJP defaults changed to listen on the loopback address, require a secret and to be disabled in the sample server.xml file. If you are using the AJP protocol, please refer to the Migration Guide and update your configuration.
    The JmxRemoteLifecycleListener is now deprecated
    The HTTP Connector attribute rejectIllegalHeaderName is renamed to rejectIllegalHeader and expanded to include header values as well as names
   2020-01-19 by Roland Illig
Log message:
all: migrate several HOMEPAGEs to https

pkglint --only "https instead of http" -r -F

With manual adjustments afterwards since pkglint 19.4.4 fixed a few
indentations in unrelated lines.

This mainly affects projects hosted at SourceForge, as well as
freedesktop.org, CTAN and GNU.
   2020-01-13 by Ryo ONODERA
Log message:
apache-tomcat85: Update to 8.5.50

Tomcat 8.5.50 (markt)

    Add: Improvements to CsrfPreventionFilter: additional logging, allow the \ 
CSRF nonce request parameter name to be customized. (schultz)
    Add: 63681: Introduce RealmBase#authenticate(GSSName, GSSCredential) and \ 
friends. (michaelo)
    Fix: 63964: Correct a regression in the static resource caching changes \ 
introduced in 9.0.28. URLs constructed from URLs obtained from the cache could \ 
not be used to access resources. (markt)
    Fix: 63968: Fix ClassCastException in the Expires filter which was a \ 
regression in the fix for 63909. (markt)
    Fix: 63970: Correct a regression in the static resource caching changes \ 
introduced in 9.0.28. Connections to URLs obtained for JAR resources could not \ 
be cast to JarURLConnection. (markt)
    Add: 63937: Add a new attribute to the standard Authenticator \ 
implementations, allowCorsPreflight, that allows the Authenticators to be \ 
configured to allow CORS preflight requests to bypass authentication as required \ 
by the CORS specification. (markt)
    Fix: 63939: Correct the same origin check in the CORS filter. An origin with \ 
an explicit default port is now considered to be the same as an origin without a \ 
default port and origins are now compared in a case-sensitive manner as required \
by the CORS specification. (markt)
    Fix: 63982: CombinedRealm makes assumptions about principal implementation \ 
    Fix: 63983: Correct a regression in the static resource caching changes \ 
introduced in 9.0.28. A large number of file descriptors were opened that could \ 
reach the OS limit before being released by GC. (markt)
    Update: 63987: Deprecate Realm.getRoles(Principal). (michaelo)
    Code: Add a unit test for the session FileStore implementation and refactor \ 
loops in FileStore to use the ForEach style. Pull request provided by Govinda \ 
Sakhare. (markt)
    Fix: Refactor FORM authentication to reduce duplicate code and to ensure \ 
that the authenticated Principal is not cached in the session when caching is \ 
disabled. (markt)


    Code: Refactor the APR poller to always use a single pollset now that the \ 
Windows operating systems that required multiple smaller pollsets to be used are \ 
no longer supported. (markt)
    Update: Add vectoring for NIO in the base and SSL channels. (remm)
    Add: Add async API to the NIO and APR connector. (remm)
    Fix: 63931: Improve timeout handling for asyncIO to ensure that blocking \ 
operations see a SocketTimeoutException if one occurs. (remm/markt)
    Fix: 63932: By default, do not compress content that has a strong ETag. This \ 
behaviour is configurable for the HTTP/1.1 and HTTP/2 connectors via the new \
Connector attribute noCompressionStrongETag. (markt)
    Fix: Simplify regular endpoint writes by removing write(Non)BlockingDirect. \ 
All regular writes will now be buffered for a more predictable behavior. (remm)
    Fix: Send an exception directly to the completion handler when a timeout \ 
exception occurs for the operation, and add a boolean to make sure the \ 
completion handler is called only once. (remm/markt)


    Fix: Ensure a couple of very unlikely concurrency issues are avoided when \ 
writing WebSocket messages. (markt)

Web applications

    Fix: Fix the broken re-try link on the error page for the FORM \ 
authentication example in the JSP section of the examples web application. \ 
    Fix: Correct the documentation for the maxConnections attribute of the \ 
Connector in the documentation web application. (markt)
    Add: Add the ability to set and display session attributes in the JSP FORM \ 
authentication example to demonstrate session persistence across restarts for \ 
authenticated sessions. (markt)


    Fix: Correct the fix for 63815 (quoting the use of CATALINA_OPTS and \ 
JAVA_OPTS when used in shell scripts to avoid the expansion of *) as it caused \ 
various regressions, particularly with daemon.sh. (markt)
    Add: Expand the search made by the Windows installer for a suitable Java \ 
installation to include the 64-bit JDK registry entries and the JAVA_HOME \ 
environment variable. Pull request provided by Alexander Norz. (markt)
    Add: Expand the coverage of the German translations provided with Apache \ 
Tomcat. Contribution provided by Jens. (markt)
    Add: Expand the coverage of the French translations provided with Apache \ 
Tomcat. (remm)
    Add: Expand the coverage of the Japanese translations provided with Apache \ 
Tomcat. (markt)
    Add: Expand the coverage of the Korean translations provided with Apache \ 
Tomcat. (woonsan)
    Add: Expand the coverage of the Chinese translations provided with Apache \ 
Tomcat. Contributions provided by lins and 磊. (markt)
    Add: Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06, \ 
6.4.2-dev). Code clean-up only. (markt)
    Add: Update the internal fork of Apache Commons Codec to 9637dd4 \ 
(2019-12-06, 1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt)
    Add: Update the internal fork of Apache Commons FileUpload to 2317552 \ 
(2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt)
    Add: Update the internal fork of Apache Commons Pool 2 to 6092f92 \ 
(2019-12-06, 2.8.0-SNAPSHOT). Clean-up and minor refactoring. (markt)
    Add: Update the internal fork of Apache Commons DBCP 2 to a36390 \ 
(2019-12-06, 2.7.1-SNAPSHOT). Minor refactoring. (markt)

2019-11-21 Tomcat 8.5.49 (markt)

    Fix: Correption when using a RequestDispatcher. (markt)
    Add: Improvement to CsrfPreventionFilter: expose the latest available nonce \ 
as a request attribute; expose the expected nonce request parameter name as a \ 
context attribute. (schultz)

not released Tomcat 8 63872: Fix some edge cases where the docBase was not being \ 
set using a canonical path which in turn meant resource URLs were not being \ 
constructed as expected. (markt)
    Fix: Make a best effort attempt to clean-up if a request fails during \ 
processing dle to see an updated last modified time but the content would be \ 
that prior to the modification. (markt)
    Update: 63905 Clean up Tomcat CSS. (michaelo)
    Fix: 63909: When the ExpiresFilter is used without a default and the \ 
response is served by the D sets a 304 (Not Found) status code. (markt)
    Fix: Update the Servlet 4 preview API to reflect changes made to the API in \ 
the final release. Note that this preview API has been deprecated for over a \ 
year and may be removed as soon as the next 8.5.x release. (markt)
    Fix: Refactor JMX remote RMI registry creation. (remm)


    Fix: Ensure that ServletRequest.isAsyncStarted() returns false once \ 
AsyncContext.complete() or AsyncContext.dispatch() has been called during \ 
AsyncListener.onTimeout() or AsyncListener.onError(). (markt)
    Fix: 63816 and 63817: Correctly handle I/O errors after asynchronous \ 
processing has been started but before the container thread that started \ 
asynchronous processing has completed processing the current request/response. \ 
    Fix: 63825: When processing the Expect and Connection HTTP headers looking \ 
for a specific token, be stricter in ensuring that the exact token is present. \ 
    Fix: 63829: Improve the check of the Content-Encoding header when looking to \ 
see if Tomcat is serving pre-compressed content. Ensure that only a full token \ 
is matched and that the match is case insensitive. (markt)
    Add: 63835: Add support for Keep-Alive response header. (michaelo)
    Fix: 63864: Refactor parsing of the transfer-encoding request header to use \ 
the shared parsing code and reduce duplication. (markt)
    Fix: 63865: Add Unset option to same-site cookies and pass through None \ 
value if set by user. Patch provided by John Kelly. (markt)
    Fix: 63894: Ensure that the configured values for certificateVerification \ 
and certificateVerificationDepth are correctly passed to the OpenSSL based \ 
SSLEngine implementation. (remm/markt)
    Fix: Do not perform a blocking read after a CPING message is received by the \ 
AJP connector because, if the JK Connector is configured with \ 
ping_mode="I", the CPING message will not always be followed by the \ 
start of a request. (markt)
    Fix: Properly calculate all dynamic parts of the ErrorReportValve response \ 
on the fly in org.apache.coyote.http2.TestHttp2InitialConnection. (michaelo)


    Fix: 63897: Capture the timestamp of a JSP for the purposes of modification \ 
tracking before the JSP is compiled to prevent a race condition if the JSP is \ 
modified during compilation. Patch provided by Karl von Randow. (markt)
    Fix: Fix a race condition that could mean changes to a modified JSP were not \ 
visible to end users. (markt)


    Fix: 63913: Wrap any NullPointerExceptions thrown by the Inflater or Deflater \
used by the PerMessageDeflate extension in an IOException so that the error can \ 
be caught and handled by the WebSocket error handling mechanism. (markt)

Web applications

    Fix: Correct the description of the default value for the server attribute \ 
in the security How-To. (markt)


    Fix: 63815: Quote the use of CATALINA_OPTS and JAVA_OPTS when used in shell \ 
scripts to avoid the expansion of *. Note that any newlines present in \ 
CATALINA_OPTS and/or JAVA_OPTS will no longer be removed. (markt)
    Fix: 63826: Remove commons-daemon-native.tar.gz and tomcat-native.tar.gz \ 
from the binary zip distributions for Windows since compiled versions of those \ 
components are already included within the zip distributions. (markt)
    Fix: 63838: Suppress reflexive access warnings when running the unit tests \ 
on the command line. (markt)
    Fix: Add missing charsets from the HPE JVM on HP-UX to pass unit tests in \ 
org.apache.tomcat.util.buf.TestCharsetCache. (michaelo)
    Add: Expand the coverage and quality of the French translations provided \ 
with Apache Tomcat. (remm)
    Add: Expand the coverage and quality of the Korean translations provided \ 
with Apache Tomcat. (woonsan)
    Add: Expand the coverage and quality of the Simplified Chinese translations \ 
provided with Apache Tomcat. Contributions provided by rpo130, Mason Shen, \ 
leeyazhou, winsonzhao, qingshi huang, Lay, Shucheng Hou and Yanming Zhou. \ 

2019-10-11 Tomcat 8.5.47 (markt)

    Fix: Use URL safe base 64 encoding rather than standard base 64 encoding \ 
when generating or parsing the HTTP2-Settings header as part of an HTTP upgrade \ 
to h2c as required by RFC 7540. (markt)
    Fix: 63765: NIO2 should try to unwrap after TLS handshake to avoid edge \ 
cases. (remm)
    Fix: 63766: Ensure Processor objects are recycled when processing an HTTP \ 
upgrade connection that terminates before processing switches to the Processor \ 
for the upgraded protocol. (markt)


    Fix: 63781: When performing various checks related to the visibility of \ 
classes, fields and methods in the EL implementation, also check that the \ 
containing module has been exported. (markt)

Web Socket

    Fix: 63753: Ensure that the Host header in a Web Socket HTTP upgrade request \ 
only contains a port if a non-default port is being used. (markt)
    Fix: When running on Java 9 and above, don't attempt to instantiate \ 
WebSocket Endpoints found in modules that are not exported. (markt)

Web Applications

    Docs: Add Javadoc for the Common Annotations API implementation. (markt)


    Fix: When connections are validated without an explicit validation query, \ 
ensure that any transactions opened by the validation process are committed. \ 
Patch provided by Pascal Davoust. (markt)


    Code: Deprecate org.apache.tomcat.util.compat.TLS. Its functionality was \ 
only used for unit tests in org.apache.tomcat.util.net.TesterSupport and has \ 
been moved there. (rjung)
    Fix: 63759: When installing Tomcat with the Windows installer, grant \ 
sufficient privileges to enable the uninstaller to execute when user account \ 
control is active. (markt)
    Add: Use a build property to define the minimum supported Java version and \ 
use that build property to reduce the number of edits required to update the \ 
minimum supported Java version. (markt)
    Update: 63767: Update to Commons Daemon 1.2.2. This corrects a regression in \ 
Commons Daemon 1.2.0 and 1.2.1 that caused the Windows Service to crash on start \ 
when running on an operating system that had not been fully updated. (markt)
   2019-10-02 by Zafer Aydogan
Log message:
Update to 8.5.46

Tomcat 8.5.46 (markt)
Fix:  63684: Wrapper never passed to RealmBase.hasRole() for given security \ 
constraints. (michaelo)
Fix:  Avoid a potential NullPointerException on Service stop if a Service is \ 
embedded directly (i.e. with no Server) in an application and JNDI is enabled. \
Patch provided by S. Ali Tokmen. (markt)
Add:  Add a new PropertySource implementation, EnvironmentPropertySource, that \ 
can be used to do property replacement in configuration files with environment \ 
variables. Based on a pull request provided by Thomas Meyer. (markt)
Fix:  63682: Fix a potential hang when using the asynchronous Servlet API to \ 
write the response body and the stream and/or connection window reaches 0 bytes \ 
in size. (markt)
Fix:  63690: Use the average of the current and previous sizes when calculating \ 
overhead for HTTP/2 DATA and WINDOW_UPDATE frames to avoid false positives as a \ 
result of client side buffering behaviour that causes a small percentage of \ 
non-final DATA frames to be smaller than expected. (markt)
Fix:  63706: Avoid NPE accessing https port with plaintext. (remm)
Fix:  Correct typos in the names of the configuration attributes \ 
overheadDataThreshold and overheadWindowUpdateThreshold. (markt)
Fix:  If the HTTP/2 connection requires an initial window size larger than the \ 
default, send a WINDOW_UPDATE to increase the flow control window for the \ 
connection so that the initial size of the flow control window for the \ 
connection is consistent with the increased value. (markt)
Fix:  63710: When using HTTP/2, ensure that a content-length header is not set \ 
for those responses with status codes that do not permit one. (markt)
Fix:  63737: Correct various issues when parsing the accept-encoding header to \ 
determine if gzip encoding is supported including only parsing the first header \ 
found. (markt)
Web applications
Fix:  Correct the source code links on the index page for the ROOT web \ 
application to point to Git rather than Subversion. (markt)
Fix:  Fix various issues with the Javadoc generated for the documentation web \ 
application to enable release builds to be built with Java 10 onwards. (markt)
Fix:  Fix a large number of Javadoc and documentation typos. Patch provided by \ 
KangZhiDong. (markt)
Fix:  Spelling and formatting corrections for the cluster how-to. Pull request \ 
provided by Bill Mitchell. (markt)
Fix:  Back-port various corrections and improvements to the English versions of \ 
the i18n messages. (markt)
Add:  Include the available German translations in the standard Tomcat \ 
distribution. Back-port additions and updates to the German i18n messages. \ 
Fix:  Back-port various corrections and improvements to the Spanish i18n \ 
messages. (markt)
Fix:  Back-port various corrections and improvements to the French i18n \ 
messages. (markt)
Fix:  Back-port various corrections and improvements to the Japanese i18n \ 
messages. (markt)
Fix:  Back-port various corrections and improvements to the Russian i18n \ 
messages. (markt)
Add:  Add Korean translations to the standard Tomcat distribution. (markt)
Add:  Add Simplified Chinese translations to the standard Tomcat distribution. (markt)
Fix:  62140: Additional usage documentation in comments for catalina.[bat|sh]. \ 
Fix:  Fix JSSE_OPTS quoting in catalina.bat. Contributed by Peter Uhnak. \ 
Update:  63625: Update to Commons Daemon 1.2.1. This corrects several \ 
regressions in Commons Daemon 1.2.1, most notably the Windows Service crashing \ 
on start when using 32-bit JVMs. (markt)
Fix:  63689: Correct a regression in the fix for 63285 that meant that when \ 
installing a service, the service display name was not set. (markt)
Fix:  When performing a silent install with the Windows Installer, ensure that \ 
the registry entries are added to the 64-bit registry when using a 64-bit JVM. \
Fix:  Remove unused i18n messages and associated translations. Patch provided by \ 
KangZhiDong. (markt)
2019-08-21 Tomcat 8.5.45 (markt)
Code:  Remove the code in the sendfile poller that ensured smaller pollsets were \ 
used with older, no longer supported versions of Windows that could not support \ 
larger pollsets. (markt)
not released Tomcat 8.5.44 (markt)
Add:  62258: Don't trigger the standard error page mechanism when the error has \ 
caused the connection to the client to be closed as no-one will ever see the \ 
error page. (markt)
Update:  63627: Implement more fine-grained handling in \ 
RealmBase.authenticate(GSSContext, boolean). (michaelo)
Add:  62496: Add option to write auth information (remote user/auth type) to \ 
response headers. (michaelo)
Add:  51497: Add an option, ipv6Canonical, to the AccessLogValve that causes \ 
IPv6 addresses to be output in canonical form defined by RFC 5952. \ 
Add:  57665: Add support for the X-Forwarded-Host header to the RemoteIpFilter \ 
and RemoteIpValve. (markt)
Fix:  63550: Only try the alternateURL in the JNDIRealm if one has been \ 
specified. (markt)
Add:  63556: Mark request as forwarded in RemoteIpValve and RemoteIpFilter (michaelo)
Fix:  If an unhandled exception occurs on an asynchronous thread started via \
AsyncContext.start(Runnable), process it using the standard error page \ 
mechanism. (markt)
Fix:  Discard large byte buffers allocated using setBufferSize when recycling \ 
the request. (remm)
Fix:  63579: Correct parsing of malformed OPTIONS requests and reject them with \ 
a 400onse rather than triggering an internal error that results in a 500 \ 
response. (markt)
Fix:  Correct version information in X-Powered-By header. (markt)
Fix:  63608: Align the implementation of the negative match feature for patterns \ 
used with the RewriteVx:  Avoid a NullPointerException in the \ 
CrawlerSessionManagerValve if no ROOT Context is deployed and a request does not \ 
map to any of the other deployed Contexts. Patch provided by Jop Zinkweg. \ 
Fix:  63636: Context.findRoleMapping() never called 3524: Improve the handling \ 
of PEM file based keys and certificates that do not include a full certificate \ 
chain when configuring the internal, in-memory key store. Improve the handling \ 
of PKCS#1 formatted private keys when configuring the internal, in-memying to \ 
set tcpNoDelay on socket types that do not support it, which can occur when \ 
using the NIO inherited channel capability. Submitted by František Kučera. \ 
Fix:  Correct parsing of invalid host names that contain bytes in the range 128 \ 
to 255 or that results in a 500 response. (markt)
Fix:  63571: Allow users to configure infinite TLS session caches and/or \ 
timeouts. (markt)
Fix:  63578: Improve handling of invalid requests so that 400 responses are \ 
returned to the client rather than 500 respon an error if a Huffman encoded \ 
string literal contains the EOS symbol. (jfclere)
Add:  Connections that fail the TLS handshake will now appear in the access logs \ 
with a 400 status code. (markt)
Fix:  Timeouts for HTTP/2 connections were not always correctnger than expected. \ 
Add:  Expand the HTTP/2 excessive overhead protection to cover various forms of \ 
abusive client behaviour and close the connection if any such behaviour is \ 
detected. (markt)
Fix:  Fix a crash on shutdown with the APR/native connress when the connector \ 
stopped. (markt)
Web applications
Fix:  63597: Update the custom 404 error page for the Host Manager to take \ 
account of previous refactoring so that the page is used for 404 errors rather \ 
than falling back to the default error pagebat so that when installing a Windows \ 
service, by default, it changes the name of the executables used by the Windows \ 
service to match the service name. This makes the installation behaviour \ 
consistent with the Windows installer. The original executable nhe renaming can \ 
be disabled by using the new --no-rename option after the service name. (markt)
Update:  Switch from Checkstyle to the JRE6 backport and update to version 8.22. \ 
This allows Tomcat 8.5 to use the newer Checkstyle releases while still buildi \ 
digital signature for the Windows installer now uses SHA-256 for hashes. (markt)
Update:  63310: Update to Commons Daemon 1.2.0. This provides improved support \ 
for Java 11. This also changes the user configured by the Windows installer for \ 
the Windows seer privileged Local Service. (markt)
Fix:  55969: Tighten up the security of the Apache Tomcat installation created \ 
by the Windows installer. Change the default shutdown port used by the Windows \ 
installer from 8005 to -1 (disabled). Limit access to the cho local \ 
administrators, Local System and Local Service. (markt)
Add:  63285: Add an option to service.bat so that when installing a Windows \ 
service, the name of the executables used by the Windows service may be changed \ 
to match the service name. This maksistent with the Windows installer. The \ 
original executable names will be restored when the Windows service is removed. \ 
The renaming can be enabled by using the new --rename option after the service \ 
name. (markt)
Fix:  63567: Restore the passing of $LOGGIsh when calling stop. (markt)
Update:  Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to \ 
pick up the fix for CODEC-134. (markt)
Update:  Update the internal fork of Commons Pool2 to 796e32d (2018-08-01) to \ 
pick up the changes Commons Poe the internal fork of Commons DBCP2 to 87d9e3a \ 
(2018-08-01) to pick up the changes Commons DBCP2 2.7.0 and DBCP-555. (markt)
Update:  63648: Update the test TLS keys and certificates used in the test suite \ 
to replace the keys and certificates that are about to expire. (markt)
   2019-07-15 by Ryo ONODERA
Log message:
Update to 8.5.43

Tomcat 8.5.43 (markt)

    Update: Modify the Default and WebDAV Servlets so that a 405 status code is \ 
returned for PUT and DELETE requests when disabled via the readonly \ 
initialisation parameter.
    Fix: Align the contents of the Allow header with the response code for the \ 
Default and WebDAV Servlets. For any given resource a method that returns a 405 \ 
status code will not be listed in the Allow header and a method listed in the \ 
Allow header will not return a 405 status code. (markt)
    Fix: When using WebDAV to copy a file resource to a destination that \ 
requires a collection to be overwritten, ensure that the operation succeeds \ 
rather than fails (with a 500 response). This enables Tomcat to pass two \ 
additional tests from the Litmus WebDAV test suite. (markt)
    Fix: 49464: Improve the Default Servlet's handling of static files when the \ 
file encoding is not compatible with the required response encoding. (markt)
    Fix: Fix typo in UTF-32LE charset name. Patch by zhanhb via GitHub. (fschumacher)
    Add: 58590: Add the ability for a UserDatabase to monitor the backing XML \ 
file for changes and reload the source file if a change in the last modified \ 
time is detected. This is enabled by default meaning that changes to \ 
$CATALINA_BASE/conf/tomcat-users.xml will now take effect a short time after the \ 
file is saved. (markt)
    Fix: Improve parsing of Range request headers. (markt)
    Fix: Range headers that specify a range unit Tomcat does not recognise \ 
should be ignored rather than triggering a 416 response. Based on a pull request \ 
by zhanhb. (markt)
    Fix: When comparing a date from a If-Range header, an exact match is \ 
required. Based on a pull request by zhanhb. (markt)
    Fix: Add an option to the default servlet to disable processing of PUT \ 
requests with Content-Range headers as partial PUTs. The default behaviour \ 
(processing as partial PUT) is unchanged. Based on a pull request by zhanhb. \ 
    Fix: Improve parsing of Content-Range headers. (markt)
    Fix: Ensure that the HEAD response is consistent with the GET response when \ 
HttpServlet is relied upon to generate the HEAD response and the GET response \ 
uses chunking. (markt)
    Update: Update the recommended minimum Tomcat Native version to 1.2.23. (markt)


    Fix: Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat \ 
HTTPS connector configured to use NIO or NIO with OpenSSL 1.1.1 or later. \ 
    Fix: Once a URI is identified as invalid don't attempt to process it \ 
further. Based on a PR by Alex Repert. (markt)
    Fix: Fix to avoid the possibility of long poll times for individual pollers \ 
when using multiple pollers with APR. (markt)
    Fix: Refactor the fix for 63205 so it only applies when using PKCS12 \ 
keystores as regressions have been reported with some other keystore types. \ 


    Add: Include file names in error messages if SMAP processor is unable to \ 
delete or rename a class file during SMAP generation. (markt)


    Fix: 63521: As required by the WebSocket specification, if a POJO that is \ 
deployed as a result of the SCI scan for annotated POJOs is subsequently \ 
deployed via the programmatic API ignore the programmatic deployment. (markt)


    Code: Switch i18n message files to use UTF-8 and convert to ASCII at build \ 
time. (markt)
    Fix: 63523: Restore SSLUtilBase methods as protected to preserve \ 
compatibility. (remm)
    Fix: Switch the check for terminal availability to test for stdin as using \ 
stdout does not work when output is piped to another process. Patch provided by \ 
Radosław Józwik. (markt)

2019-06-07 Tomcat 8.5.42 (markt)

    Add: 57287: Add file sorting to DefaultServlet (schultz)
    Fix: Ensure that the default servlet reads the entire global XSLT file if \ 
one is defined. Identified by Coverity Scan. (markt)
    Fix: Avoid potential NullPointerException when generating an HTTP Allow \ 
header. Identified by Coverity Scan. (markt)
    Add: Remove any fragment included in the target path used to obtain a \ 
RequestDispatcher. The requested target path is logged as a warning since this \ 
is an application error. (markt)


    Update: Add additional NIO2 style read and write methods closer to core \ 
NIO2, for possible use with an asynchronous workflow like CompletableFuture. \ 
    Fix: Avoid useless exception wrapping in async IO. (remm)
    Fix: 63412: Security manager failure when using the async IO API from a \ 
webapp. (remm)
    Fix: Fix concurrency issue that led to incorrect HTTP/2 connection timeout. \
    Update: Reduce the default for maxConcurrentStreams on the Http2Protocol \ 
from 200 to 100 to align with typical defaults for HTTP/2 implementations. \ 
    Update: Reduce the default HTTP/2 header list size from 4GB to 32kB to align \ 
with typical HTTP/2 implementations. (markt)
    Add: Add support for same-site cookie attribute. Patch provided by John \ 
Kelly. (markt)
    Fix: Correct a bug in the stream flushing code that could lead to multiple \ 
threads processing the stream concurrently which in turn could cause errors \ 
processing the stream. (markt)


    Fix: 62841: Refactor the DeltaRequest serialization to reduce the window \ 
during which the DeltaSession is locked and to remove a potential cause of \ 
deadlocks during serialization. (markt)
    Fix: 63441: Further streamline the processing of session creation messages \ 
in the DeltaManager to reduce the possibility of a session update message being \ 
processed before the session has been created. (markt)


    Fix: Treat NoRouteToHostException the same way as SocketTimeoutException \ 
when checking the health of group members. This avoids a SEVERE log message \ 
every time the check is performed when the host associated with a group member \ 
is not powered on. (markt)


    Update: Switch from FindBugs to SpotBugs. (fschumacher)and to check for \ 
terminal availability rather than the tty command since the tty based test fails \ 
on non-English locales. (markt)

2019-05-13 Tomcat 8.5.41 (markt)

    Fix: Fix a potential resource leak when executing CGI scripts from a WAR \ 
fileread of the APR connector. Identified by Coverity scan. (markt)
    Fix: Fix a potential resource leak when running a web application from a WAR \ 
file. Identified by Coverity scan. (markt)
    Fix: Fix a potential resource leak on some exception paths in ttified by \ 
Coverity scan. (markt)
    Fix: Fix a potential resource leak when a JNDI lookup returns an object of \ 
an incompatible class. Identified by Coverity scan. (markt)
    Code: Refactor ManagerServlet to avoid loading classes when filtering JNDI \ 
rescaching has been disabled. (markt)
    Fix: Avoid a NullPointerException when a Context is defined in server.xml \ 
with a docBase but not the optional path. (markt)
    Fix: 63324: Refactor the CrawlerSessionManagerValve so that the object \ 
placed in the sesials trigger account lock out when the LockOutRealm is in use. \ 
Patch provided by jchobantonov. (markt)


    Fix: When running on newer JREs that don't support SSLv2Hello, don't warn \ 
that it is not available unless explicitly configured. (markt)
    Code: Refactor Hostname validation to improve performance. Patch provided by \ 
Uwe Hees. (markt)
    Fix: Expand HTTP/2 timeout handling to include connection window exhaustion \ 
on write. This is the fix for CVE-2019-10072. (markt)


    Fix: 63335: Ensure that stack traces written by the OneLineFormatter are \ 
fully indented. The entire stack trace is now indented by an additional TAB \ 
character. (markt)
    Fix: When using the OneLineFormatter, don't print a blank line in the log \ 
after printing a stack trace. (markt)
    Update: Update the internal fork of Apache Commons DBCP 2 to dcdbc72 \ 
(2019-04-24) to pick up some clean-up and enhancements less the JDBC 4.2 related \ 
changes that require Java 8. (markt)
    Update: Update the internal fork of Apache Commons Pool 2 to 0664f4d \ 
(2019-04-30) to pick up some enhancements and bug fixes. (markt)
    Update: Update the internal fork of Apache Commons FileUpload to 41e4047 \ 
(2019-04-24) pick up some enhancements. (markt)

2019-04-12 Tomcat 8.5.40 (markt)

    Fix: 63196: Provide a default (X-Forwarded-Proto) for the protocolHeader \ 
attribute of the RemoteIpFilter and RemoteIpValve. (markt)
    Fix: 63235: Refactor Charset cache to reduce start time. (markt)
    Fix: 63249: Use a consistent log level (WARN) when logging the failure to \ 
register or deregister a JMX Bean. (markt)
    Fix: 63249: Use a consistent log level (ERROR) when logging the \ 
LifecycleException associated with the failure to start or stop a component. \ 
    Fix: When the SSI directive fsize is used with an invalid target, return a \ 
file size of - rather than 1k. (markt)
    Fix: 63251: Implement a work-around for a known JRE bug (JDK-8194653) that \ 
may cause a dead-lock when Tomcat starts. (markt)
    Fix: 63275: When using a RequestDispatcher ensure that \ 
HttpServletRequest.getContextPath() returns an encoded path in the dispatched \ 
request. (markt)
    Fix: 63286: Document the differences in behaviour between the LogFormat \ 
directive in httpd and the pattern attribute in the AccessLogValve for %D and \ 
%T. (markt)
    Fix: 63311: Add support for https URLs to the local resolver within Tomcat \ 
used to resolve standard XML DTDs and schemas when Tomcat is configured to \ 
validate XML configuration files such as web.xml. (markt)
    Fix: Encode the output of the SSI printenv command. This is the fix for \ 
CVE-2019-0221. (markt)
    Code: Use constants for SSI encoding values. (markt)
    Add: When the CGI Servlet is configured with enableCmdLineArguments set to \ 
true, limit the encoded form of the individual command line arguments to those \ 
values allowed by RFC 3875. This restriction may be relaxed by the use of the \ 
new initialisation parameter cmdLineArgumentsEncoded. (markt)
    Add: When the CGI Servlet is configured with enableCmdLineArguments set to \ 
true, limit the decoded form of the individual command line arguments to known \ 
safe values when running on Windows. This restriction may be relaxed by the use \ 
of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for \ 
CVE-2019-0232. (markt)
    Update: Change the default for the enableCmdLineArguments parameter of the \ 
CGI servlet from true to false as additional hardening against CVE-2019-0232. \ 


    Fix: Fix bad interaction between NIO2 async read API and the regular read. (remm)
    Fix: Refactor NIO2 write pending strategy for the classic IO API. (remm)
    Fix: Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
    Fix: When using a JSSE TLS connector that supported ALPN (Java 9 onwards) \ 
and a protocol was not negotiated, Tomcat failed to fall back to HTTP/1.1 and \ 
instead dropped the connection. (markt)
    Fix: Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 \ 
that prevented the use of PKCS#8 private keys with OpenSSL based connectors. \ 
    Fix: When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any \ 
query string present in the original HTTP/1.1 request is passed to the HTTP/2 \ 
request processing. (markt)
    Fix: When Tomcat writes a final response without reading all of an HTTP/2 \ 
request, reset the stream to inform the client that the remaining request body \ 
is not required. (markt)
    Fix: 63312: Correct a regression in the error page handling that prevented \ 
error pages from issuing redirects or taking other action that required the \ 
response status code to be changed. (markt)


    Add: Add support for specifying Java 11 (with the value 11) as the compiler \ 
source and/or compiler target for JSP compilation. (markt)
    Add: Add support for specifying Java 12 (with the value 12) and Java 13 \ 
(with the value 13) as the compiler source and/or compiler target for JSP \ 
compilation. If used with an ECJ version that does not support these values, a \ 
warning will be logged and the latest supported version will be used. Based on a \ 
patch by Thomas Collignon. (markt)


    Fix: Improve the handling of exceptions during TLS handshakes for the \ 
WebSocket client. (markt)

Web applications

    Fix: 63184: Expand the SSI documentation to provide more information on the \ 
supported directives and their attributes. Patch provided by nightwatchcyber. \ 
    Add: Add a note to the documentation about the risk of DoS with poorly \ 
written regular expressions and the RewriteValve. Patch provided by salgattas. \ 


    Fix: 63320: Ensure that StatementCache caches statements that include arrays \ 
in arguments. (kfujino)
   2019-03-26 by Ryo ONODERA
Log message:
Update to 8.5.39

    The APR/Native connector now supports both OpenSSL and JSSE
    TLS configuration syntax (NIO and NIO2 already support this)

    Various improvements to NIO2

    Various fixes for HTTP/2 push requests

    Refactor error handling so that errors that occur early in
    request processing are handled by the application's error
    handling where the application can be identified
   2019-01-22 by Ryo ONODERA
Log message:
Update to 8.5.37

Tomcat 8.5.37 (markt)

    Update: Update the recommended minimum Tomcat Native version to 1.2.19. (markt)


    Update: Update the packaged version of the Tomcat Native Library to 1.2.19 \ 
to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1a. \ 

not released Tomcat 8.5.36 (markt)

    Fix: 62788: Add explicit logging configuration to write log files using \ 
UTF-8 to align with Tomcat's use of UTF-8 by default elsewhere. (markt)
    Fix: The default Servlet should not override a previously set content-type. \ 
    Add: 62897: Provide a property (clearReferencesThreadLocals) on the standard \ 
Context implementation that enables the check for memory leaks via ThreadLocals \ 
to be disabled because this check depends on the use of an API that has been \ 
deprecated in later versions of Java. (markt)
    Fix: Fix more storeconfig issues with duplicated SSL attributes. (remm)
    Fix: 62968: Avoid unnecessary (and relatively expensive) getResources() call \ 
in the Mapper when processing rule 7. (markt)
    Fix: 62978: Update the RemoteIpValve to handle multiple values in the \ 
x-forwarded-proto header. Patch provided by Tom Groot. (markt)
    Fix: Update the RemoteIpFilter to handle multiple values in the \ 
x-forwarded-proto header. Based on a patch provided by Tom Groot. (markt)
    Code: 62986: Refactor the code that performs class scanning during web \ 
application start to make integration simpler for downstream users. Patch \ 
provided by rmannibucau. (markt)
    Fix: 62988: Fix the LoadBalancerDrainingValve so it works when the session \ 
cookie configuration is not explicitly declared. Based on a patch provided by \ 
Andreas Kurth. (markt)
    Fix: 63002: Fix setting rewrite qsdiscard flag. (remm)
    Fix: Implement the requirements of section 8.2.2 2c of the Servlet \ 
specification and prevent a web application from deploying if it has fragments \ 
with duplicate names and is configured to use relative ordering of fragments. \ 


    Fix: Avoid an exception when using Tomcat Native built with a version of \ 
OpenSSL that does not support TLSv1.3. (markt)
    Fix: 62899: Prevent the incorrect timing out of connections when Servlet \ 
non-blocking I/O is used to read a request body over an HTTP/2 stream. (markt)
    Fix: Avoid bad SSLHostConfig JMX registrations before init. (remm)


    Add: 53737: Extend JspC, the precompilation tool, to include support for \ 
resource JARs. (markt)
    Fix: 62976: Avoid an IllegalStateException when using background compilation \ 
when tag files are packaged in JAR files. (markt)

Web applications

    Fix: 62918: Filter out subtype mbeans to avoid breaking the connector status \ 
page. (remm)


    Fix: Prevent an error when running in a Cygwin shell and the \ 
JAVA_ENDORSED_DIRS system property is empty. Patch provided by Zemian Deng. \ 
    Add: 53930: Add support for the CATALINA_OUT_CMD environment variable that \ 
defines a command to which captured stdout and stderr will be redirected. Patch \ 
provided by Casey Lucas. (markt)

2018-11-07 Tomcat 8.5.35 (markt)

    Add: 61692: Add the ability to control which HTTP methods are handled by the \ 
CGI Servlet via a new initialization parameter cgiMethods. (markt)
    Fix: 62687: Expose content length information for resources when using a \ 
compressed war. (remm)
    Fix: 62737: Fix rewrite substitutions parsing of {} nesting. (remm)
    Fix: Add rewrite flags output when getting the rewrite configuration back. (remm)
    Fix: Add missing qsdiscard flag to the rewrite flags as a cleaner way to \ 
discard the query string. (remm)
    Fix: Add documentation about the files context.xml.default and \ 
web.xml.default that can be used to customize conf/context.xml and conf/web.xml \ 
on a per host basis. (fschumacher)
    Fix: Ensure that a canonical path is always used for the docBase of a \ 
Context to ensure consistent behaviour. (markt)
    Fix: 62803: Fix SSL connector configuration processing in storeconfig. (remm)
    Fix: 62797: Pass throwable to keep client aborts with status 200 rather than \ 
500. Patch submitted by zikfat. (remm)
    Fix: 62809: Correct a regression in the implementation of DIGEST \ 
authentication support for the Deployer Ant tasks (bug 45832) that prevented the \ 
DeployTask from working when authentication was required. (markt)
    Update: Update the recommended minimum Tomcat Native version to 1.2.18. (markt)
    Add: Ignore an attribute named source on Context elements provided by \ 
StandardContext. This is to suppress warnings generated by the Eclipse / Tomcat \ 
integration provided by Eclipse. Based on a patch by mdfst13. (markt)
    Add: 62830: Added JniLifeCycleListener and static methods \ 
Library.loadLibrary(libraryName) and Library.load(filename) to load a native \ 
library by a shared class loader so that more than one Webapp can use it. \ 
    Fix: Correct a typo in the Spanish resource files. Patch provided by Diego \ 
Agulló. (markt)
    Fix: 62868: Order the Enumeration<URL> provided by \ 
WebappClassLoaderBase.getResources(String) according to the setting of the \ 
delegate flag. (markt)


    Add: Add TLSv1.3 to the default protocols and to the all alias for JSSE \ 
based TLS connectors when running on a JVM that supports TLS version 1.3. One \ 
such JVM is OpenJDK version 11. (rjung)
    Fix: 62685: Correct an error in host name validation parsing that did not \ 
allow a fully qualified domain name to terminate with a period. Patch provided \ 
by AG. (markt)
    Fix: 62739: Do not reject requests with an empty HTTP Host header. Such \ 
requests are unusual but not invalid. Patch provided by MichaeNIO2 connector \ 
when using the OpenSSL backed JSSE implementation. (schultz/markt)
    Fix: 62791: Remove an unnecessary check in the NIO TLS implementation that \ 
prevented secure WebSocket connections from being established. (markt)
    Fix: Fix servesed by the fix for 53492, that caused the JSP compiler to \ 
hang. (markt)
    Fix: 62721: Correct generation of web.xml header when using JspC. (markt)
    Fix: 62757: Correct a regression in the fix for 62603 that caused \ 
NullPointerExceptions when compiling tag files on first access when development \ 
mode was disabled and background compilation was enabled. Based on a patch by \ 
Jordi Llach. (markt)


    Fix: 62731: Make the URI returned by HandshakeRequest.getRequestURI() and \ 
Session.getRequestURI() absolute so that the scheme, host and port are \ 
accessible. (markt)

Web applications

    Fix: 62676: Expand the CORS filter documentation to make it clear that \ 
explicit configuration is required to enable support for cross-origin requests. \ 
    Fix: 62712: Correct NPE in Manager application when attempting to view \ 
configured certificates for an APR/native TLS connector. (markt)
    Fix: 62761: Correct the advanced CORS example in the Filter documentation to \ 
use a valid configuration. (markt)
    Fix: 62786: Add a note to the Context documentation to explain that, by \ 
default, settings for a Context element defined in server.xml will be \ 
overwritten by settings specified in a default context file such as \ 
conf/context.xml. (markt)
    Fix: Create a little visual separation between the Undeploy button and the \ 
other buttons in the Manager application. Patch provided by Łukasz Jąder. \ 


    Update: Update the internal fork of Apache Commons Pool 2 to d4e0e88 \ 
(2018-09-12) to pick up some bug fixes and enhancements. (markt)
    Update: Update the packaged version of the Tomcat Native Library to 1.2.18 \ 
to pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL 1.1.1. \ 

2018-09-10 Tomcat 8.5.34 (markt)

    Add: Make the isLocked() method of the LockOutRealm public and expose the \ 
method via JMX. (markt)
    Fix: Improve the handling of path parameters when working with \ 
RequestDispatcher objects. (markt)
    Fix: 62664: Process requests with content type multipart/form-data to \ 
servlets with a @MultipartConfig annotation regardless of HTTP method. (markt)
    Fix: 62667: Add recursion to rewrite substitution parsing. (remm)
    Fix: 62669: When using the SSIFilter and a resource does not specify a \ 
content type, do not force the content type to application/x-octet-stream. \ 
    Fix: 62670: Adjust the memory leak protection for the DriverManager so that \ 
JDBC drivers located in $CATALINA_HOME/lib and $CATALINA_BASE/lib are loaded via \ 
the service loader mechanism when the protection is enabled. (markt)
    Fix: When generating a redirect to a directory in the Default Servlet, avoid \ 
generating a protocol relative redirect. (markt)


    Fix: Fix potential deadlocks when using asynchronous Servlet processing with \ 
HTTP/2 connectors. (markt)
    Fix: 62620: Fix corruption of response bodies when writing large bodies \ 
using asynchronous processing over HTTP/2. (markt)
    Fix: 62628: Additional fixes for output corruption of response bodies when \ 
writing large bodies using asynchronous processing over HTTP/2. (markt)


    Fix: Correct the JSP version in the X-PoweredBy HTTP header generated when \ 
the xpoweredBy option is enabled. (markt)
    Fix: 62662: Fix the corruption of web.xml output during JSP compilation \ 
caused by the fix for 53492. Patch provided by Bernhard Frauendienst. (markt)

Web applications

    Add: Expand the information in the documentation web application regarding \ 
the use of CATALINA_HOME and CATALINA_BASE. Patch provided by Marek Czernek. \ 
    Fix: 62652: Make it clearer that the version of DBCP that is packaged in \ 
Tomcat 8.5.x is DBCP 2. Correct the names of some DBCP 2 configuration \ 
attributes that changed between 1.x and 2.x. (markt)
    Add: 62666: Expand internationalisation support in the Manager application \ 
to include the server status page and provide Russian translations in addition \ 
to English. Patch provided by Artem Chebykin. (markt)


    Fix: Switch the build script to use http for downloads from an ASF mirror \ 
using the closer.lua script to avoid failures due to HTTPS to HTTP redirects. \ 

2018-08-17 Tomcat 8.5.33 (markt)

    Fix: Ensure that the HTTP Vary header is set correctly when using the CORS \ 
filter and improve the cacheability of requests that pass through the CORS \ 
filter. (markt)
    Fix: 62527: Revert restriction of JNDI to the java: namespace. (remm)
    Add: Introduce a new class - MultiThrowable - to report exceptions when \ 
multiple actions are taken where each action may throw an exception but all \ 
actions are taken before any errors are reported. Use this new class when \ 
reporting multiple container (e.g. web application) failures during start. \ 
    Fix: Correctly decode URL paths (+ should not be decoded to a space in the \ 
path) in the RequestDispatcher and the web application class loader. (markt)
    Add: Make logout more robust if JASPIC subject is unexpectedly unavailable. \ 
    Fix: 62547: JASPIC cleanSubject() was not called on logout when the \ 
authenticator was configured to cache the authenticated Principal. Patch \ 
provided by Guillermo González de Agüero. (markt)
    Add: 62559: Add jaxb-*.jar to the list of JARs ignored by \ 
StandardJarScanner. (markt)
    Add: 62560: Add oraclepki.jar to the list of JARs ignored by \ 
StandardJarScanner. (markt)
    Add: 62607: Return a non-zero exit code from catalina.[bat|sh] run if Tomcat \ 
fails to start. (markt)
    Code: Remove ServletException from declaration of \ 
Tomcat.addWebapp(String,String) since it is never thrown. Patch provided by \ 
Tzafrir. (markt)
    Fix: Use short circuit logic to prevent potential NPE in CorsFilter. \ 
    Code: Simplify construction of appName from container name in JAASRealm. \ 


    Update: 60560: Add support for using an inherited channel to the NIO \ 
connector. Based on a patch submitted by Thomas Meyer with testing and \ 
suggestions by Coty Sutherland. (remm)
    Fix: 62507: Ensure that JSSE based TLS connectors work correctly with a DKS \ 
keystore. Note: DKS keystores require Java 8 or later. (markt)
    Fix: Refactor code that adds an additional header name to the Vary HTTP \ 
response header to use a common utility method that addresses several additional \ 
edge cases. (markt)
    Fix: 62515: When a connector is configured (via setting bindOnInit to false) \ 
to bind/unbind the server socket during start/stop, close the socket earlier in \ 
the stop process so new connections do not sit in the TCP backlog during the \ 
shutdown process only to be dropped as stop completes. In this scenario new \ 
connections will now be refused immediately. (markt)
    Fix: 62526: Correctly handle PKCS12 format key stores when the key store \ 
password is configured to be the empty string. (markt)
    Fix: Fix error in back-port of HTTP/2 compression that meant compression was \ 
never enabled. (markt)
    Fix: 62605: Ensure ReadListener.onDataAvailable() is called when the initial \ 
request body data arrives after the request headers when using asynchronous \ 
processing over HTTP/2. (markt)
    Fix: 62614: Ensure that WriteListener.onWritePossible() is called after \ 
isReady() returns false and the window size is subsequently incremented when \ 
using asynchronous processing over HTTP/2. (markt)


    Fix: 53011: When pre-compiling with JspC, report all compilation errors \ 
rather than stopping after the first error. A new option -failFast can be used \ 
to restore the previous behaviour of stopping after the first error. Based on a \ 
patch provided by Marc Pompl. (markt)
    Add: 53492: Make the Java file generation process multi-threaded. By \ 
default, one thread will be used per core. Based on a patch by Dan Fabulich. \ 
    Add: 62453: Add a performance optimisation for using expressions in tags \ 
that depend on uninitialised tag attributes with implied scope. Generally, using \ 
an explicit scope with tag attributes in EL is the best way to avoid various \ 
potential performance issues. (markt)
    Fix: Correctly decode URL paths (+ should not be decoded to a space in the \ 
path) in the Jasper class loader. (markt)
    Fix: 62603: Fix a potential race condition when development mode is disabled \ 
and background compilation checks are enabled. It was possible that some updates \ 
would not take effect and/or ClassNotFoundExceptions would occur. (markt)


    Fix: 62596: Remove the limit on the size of the initial HTTP upgrade request \ 
used to establish the web socket connection. (markt)

Web applications

    Add: 61565: Add the ability to trigger a reloading of TLS host configuration \ 
(certificate and key files, server.xml is not re-parsed) via the Manager web \ 
application. (markt)
    Add: 62558: Add Russian translations for the Manager and Host Manager web \ 
applications. Based on a patch by Ivan Krasnov. (markt)
    Add: 62561: Add advanced class loader configuration information regarding \ 
the use of the Server and Shared class loaders to the documentation web \ 
application. (markt)


    Fix: Ensures that the specified rxBufSize is correctly set to receiver \ 
buffer size. (kfujino)


    Update: Support building with Java 9+ while preserving the Java 7 \ 
compatibility at runtime (requires Ant 1.9.8 or later). (ebourg)
    Update: Update WSDL4J library to version 1.6.3 (from 1.6.2). (kkolinko)
    Update: Update JUnit library to version 4.12 (from 4.11). (kkolinko)
    Update: Downgrade CGLib library used for testing with EasyMock to version \ 
2.2.2 (from 2.2.3) as version 2.2.3 is not available from Maven Central. \ 
    Add: Implement checksum checks when downloading dependencies that are used \ 
to build Tomcat. (kkolinko)
    Fix: Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg)
    Update: Update the internal fork of Apache Commons Pool 2 to 3e02523 \ 
(2018-08-09) to pick up some bug fixes and enhancements. (markt)
    Update: Update the internal fork of Apache Commons DBCP 2 to abc0484 \ 
(2018-08-09) to pick up some bug fixes and enhancements. (markt)
    Fix: Correct various spelling errors throughout the source code and \ 
documentation. Patch provided by Kazuhiro Sera. (markt)