Navigation:
Browse pkgsrc
(this page)
www apache-t..
CVSweb ] [ 
Homepage ] [ 
RSS ] [ 
Required by ] [ 
Add to tracker ] 2024-07-18 13:48:07 by Ryo ONODERA | Files touched by this commit (3) |  |
Log message:
www/apache-tomcat9: Update to 9.0.91
Changelog:
Tomcat 9.0.91 (remm)
Catalina
* Fix: Allow JAASRealm to use the configuration source to load a configured
configFile, for easier use with testing. (remm)
* Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)
* Fix: 69131: Expand the implementation of the filter value of the
Authenticator attribute allowCorsPreflight, so that it applies to all
requests that match the configured URL patterns for the CORS filter, rather
than only applying if the CORS filter is mapped to /*. (markt)
Coyote
* Fix: Improve the algorithm used to identify the IP address to use to unlock
the acceptor thread when a Connector is listening on all local addresses.
Interfaces that are configured for point to point connections or are not
currently up are now skipped. (markt)
* Fix: 69121: Ensure that the onComplete() event is triggered if
AsyncListener.onError() dispatches to a target that throws an exception.
(markt)
* Fix: Following the trailer header field refactoring, -1 is no longer an
allowed value for maxTrailerSize. Adjust documentation accordingly. (remm)
Jasper
* Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of
new classes added to the java.lang package in Java 23. (markt)
* Fix: Ensure that an exception in toString() still results in an ELException
when an object is coerced to a String using ExpressionFactory.coerceToType
(). (markt)
* Add: Add support for specifying Java 24 (with the value 24) as the compiler
source and/or compiler target for JSP compilation. If used with an Eclipse
JDT compiler version that does not support these values, a warning will be
logged and the default will used. (markt)
* Fix: 69135: When using include directives in a tag file packaged in a JAR
file, ensure that context relative includes are processed correctly.
(markt)
* Fix: 69135: When using include directives in a tag file packaged in a JAR
file, ensure that file relative includes are processed correctly. (markt)
* Fix: 69135: When using include directives in a tag file packaged in a JAR
file, ensure that file relative includes are are not permitted to access
files outside of the /META_INF/tags/ directory nor outside of the JAR file.
(markt)
Web applications
* Fix: Fix status servlet detailed view of the connectors when using
automatic port. (remm)
Other
* Update: Add test-only build target to allow running only the testsuite,
supporting Java versions down to the minimum supported to run Tomcat.
(rjung)
* Update: Update UnboundID to 7.0.1. (markt)
* Update: Update to SpotBugs 4.8.6. (markt)
* Update: Remove cglib dependency as it is not required by the version of
EasyMock used by the unit tests. (markt)
* Update: Update EasyMock to 5.3.0. This adds a test dependency on Byte-Buddy
1.14.17. (markt)
* Add: Improvements to Czech translations by Vladimi'r Chlup. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
* Add: Improvements to Chinese translations by fangzheng. (markt)
2024-06-19 Tomcat 9.0.90 (remm)
Catalina
* Add: Add support for shallow copies when using WebDAV. (markt)
* Code: Deprecate the WebdavFixFilter as it is no longer required. (markt)
* Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64.
Submitted by Daniel Lyko. (remm)
* Update: Update minimum recommended version of Tomcat Native to 1.3.0. Pull
request #728 provided by Dimitrios Soumis. (markt)
* Update: The system property org.apache.catalina.connector.RECYCLE_FACADES
will now default to true if not specified, which will in turn set the
default value for the discardFacades connector attribute, thus causing
facade objects to be discarded by default. (remm)
* Add: Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for
retrieving extended/additional information from an established GSS context.
(michaelo)
* Fix: Correct a regression in the fix for 68721 that caused some instances
of LinkageError to be reported as ClassNotFoundException. (markt)
* Fix: Ensure that static resources deployed via a JAR file remain accessible
when the context is configured to use a bloom filter. Based on pull request
#730 provided by bergander. (markt)
* Add: Introduce reference counting so the AprLifecycleListener is more
robust. This particularly targets more complex embedded configurations with
multiple server instances with independent lifecycles where more than one
server instance requires the AprLifecycleListener. (markt)
Coyote
* Fix: 69068: Ensure read timouts are triggered for asynchronous,
non-blocking reads when using HTTP/2. (markt)
* Update: 69133: Add task queue size configuration on the Connector element,
similar to the Executor element, for consistency. (remm)
* Fix: Make counting of active HTTP/2 streams per connection more robust.
(markt)
* Add: Add support for TLS 1.3 client initiated re-keying. (markt)
Jasper
* Fix: 68546: Small additional optimisation for initial loading of Servlet
code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt)
Web applications
* Add: Add the ability to set a sub-title for the Manager web application
main page. This is intended to allow users with lots of instances to easily
distinguish them. Based on pull request #724 by Simon Arame. (markt)
Other
* Update: Revert Derby to 10.16.1.1 as that is the latest version of Derby
that runs on Java 17. (markt)
* Update: Update to Commons Daemon 1.4.0. (markt)
* Update: Update to Objenesis 3.4. (markt)
* Update: Update to Checkstyle 10.17.0. (markt)
* Update: Update to SpotBugs 4.8.5. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
2024-05-07 Tomcat 9.0.89 (remm)
Catalina
* Update: Deprecate and remove sessionCounter (replaced by the addition of
the active session count and the expired session count, as a reasonable
approximation) and duplicates (which does not represent a possible event in
current implementations) statistics from the session manager. (remm)
* Fix: 68890 Align output encoding of JSPs in the Manager webapp with the XML
declarations in those same files. (schultz)
* Fix: Update Basic authentication to implement the requirements of RFC 7617
including the changing of the trimCredentials setting which is now defaults
to false. Note that the trimCredentials setting will be removed in Tomcat
11. (markt)
* Add: Small performance optimization when logging cookies with no values.
(schultz)
* Fix: Correct error handling for asynchronous requests. If the application
performs an dispatch during AsyncListener.onError() the dispatch is now
performed rather than completing the request using the error page
mechanism. (markt)
* Fix: Fix WebDAV lock null (locks for non existing resources) thread safety
and removal. (remm)
* Fix: Add periodic checking for WebDAV locks expiration. (remm)
* Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo)
Coyote
* Fix: Align non-secure and secure writes with NIO and skip the write attempt
when there are no bytes to be written. (markt)
* Fix: Allow any positive value for socket.unlockTimeout. If a negative or
zero value is configured, the default of 250ms will be used. (mark)
* Fix: Reduce the time spent waiting for the connector to unlock. The
previous default of 10s was noticeably too long for cases where the unlock
has failed. The wait time is now 100ms plus twice socket.unlockTimeout.
(markt)
* Fix: Ensure that the onAllDataRead() event is triggered when the request
body uses chunked encoding and is read using non-blocking IO. (markt)
* Fix: 68934: Add debug logging in the latch object when exceeding
maxConnections. (remm)
* Fix: Refactor trailer field handling to use a MimeHeaders instance to store
trailer fields. (markt)
* Fix: Ensure that multiple instances of the same trailer field are handled
correctly. (markt)
* Fix: Fix non-blocking reads of chunked request bodies. (markt)
* Fix: When an invalid HTTP response header was dropped, an off-by-one error
meant that the first header in the response was also dropped. Fix based on
pull request #710 by foremans. (markt)
Jasper
* Add: Add support for specifying Java 23 (with the value 23) as the compiler
source and/or compiler target for JSP compilation. If used with an Eclipse
JDT compiler version that does not support these values, a warning will be
logged and the default will used. (markt)
WebSocket
* Fix: 68884: Reduce the write timeout when writing WebSocket close messages
for abnormal closes. The timeout defaults to 50 milliseconds and may be
controlled using the
org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT property in
the user properties collection associated with the WebSocket session.
(markt)
Web applications
* Fix: Examples: Improve performance of WebSocket chat application when
multiple clients disconnect at the same time. (markt)
* Update: Examples: Increase the number of previous messages displayed when
using the WebSocket chat application. (markt)
* Fix: Examples: Improve performance of WebSocket snake application when
multiple clients disconnect at the same time. (markt)
Other
* Update: Switch to using the Base64 encoder and decoder provided by the JRE
rather than the version provided by Commons Codec. The internal fork of
Commons Codec has been deprecated and will be removed in Tomcat 11. (markt)
* Update: Update NSIS to 3.10. (mark0t)
* Update: Update UnboundID to 7.0.0. (markt)
* Update: Update Checkstyle to 10.16.0. (markt)
* Update: Update JaCoCo to 0.8.12. (markt)
* Update: Update SpotBugs to 4.8.4. (markt)
* Update: Update the internal fork of Apache Commons BCEL to 6.9.0. (markt)
* Update: Update the internal fork of Apache Commons DBCP to 2.12.0. (markt)
* Add: Improvements to Japanese translations by tak7iji. (markt)
2024-04-16 Tomcat 9.0.88 (remm)
Catalina
* Update: Add highConcurrencyStatus attribute to the SemaphoreValve to
optionally allow the valve to return an error status code to the client
when a permit cannot be acquired from the semaphore. (remm)
* Add: Add checking of the "age" of the running Tomcat instance since its
build-date to the SecurityListener, and log a warning if the server is old.
(schultz)
* Fix: When using the AsyncContext, throw an IllegalStateException, rather
than allowing an NullPointerException, if an attempt is made to use the
AsyncContext after it has been recycled. (markt)
* Fix: Change the thread-safety mechanism for protecting
StandardServer.services from a simple synchronized lock to a
ReentrantReadWriteLock to allow multiple readers to operate simultaneously.
Based upon a suggestion by Markus Wolfe. (schultz)
* Fix: Improve Service connectors, Container children and Service executors
access sync using a ReentrantReadWriteLock. (remm)
* Fix: Improve handling of integer overflow if an attempt is made to upload a
file via the Servlet API and the file is larger than Integer.MAX_VALUE.
(markt)
* Fix: 68862: Handle possible response commit when processing read errors.
(remm)
Coyote
* Fix: Add threadsMaxIdleTime attribute to the endpoint, to allow configuring
the amount of time before an internal executor will scale back to the
configured minSpareThreads size. (remm)
Jasper
* Fix: Handle the case where the JSP engine forwards a request/response to a
Servlet that uses an OutputStream rather than a Writer. This was triggering
an IllegalStateException on code paths where there was a subsequent attempt
to obtain a Writer. (markt)
* Fix: Correctly handle the case where a tag library is packaged in a JAR
file and the web application is deployed as a WAR file rather than an
unpacked directory. (markt)
* Fix: Prevent the web application's ClassLoader from being pinned by the JSP
compiler if an application uses a custom XMLInputFactory. Based upon a
suggestion from Simon Niederberger. (schultz)
Other
* Update: Update Checkstyle to 10.14.1. (markt)
* Update: Update the internal fork of Apache Commons BCEL to 6.8.2. (markt)
* Update: Update the internal fork of Apache Commons Codec to 1.16.1. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (remm)
* Add: Improvements to Chinese translations by leeyazhou. (remm)
2024-03-14 Tomcat 9.0.87 (remm)
Catalina
* Fix: Minor performance improvement for building filter chains. Based on
ideas from pull request #702 by Luke Miao. (remm)
* Fix: Align error handling for Writer and OutputStream. Ensure use of either
once the response has been recycled triggers a NullPointerException
provided that discardFacades is configured with the default value of true.
(markt)
* Fix: 68692: The standard thread pool implementations that are configured
using the Executor element now implement ExecutorService for better support
NIO2. (remm)
* Fix: 68495: When restoring a saved POST request after a successful FORM
authentication, ensure that neither the URI, the query string nor the
protocol are corrupted when restoring the request body. (markt)
* Fix: 68721: Workaround a possible cause of duplicate class definitions when
using ClassFileTransformers and the transformation of a class also triggers
the loading of the same class. (markt)
* Fix: The rewrite valve should not do a rewrite if the output is identical
to the input. (remm)
* Update: Add a new valveSkip (or VS) rule flag to the rewrite valve to allow
skipping over the next valve in the Catalina pipeline. (remm)
Coyote
* Fix: Improve the HTTP/2 stream prioritisation process. If a stream uses all
of the connection windows and still has content to write, it will now be
added to the backlog immediately rather than waiting until the write
attempt for the remaining content. (markt)
* Fix: Correct a regression in the support for user provided SSLContext
instances that broke the
org.apache.catalina.security.TLSCertificateReloadListener. (markt)
Jasper
* Add: Add support for specifying Java 22 (with the value 22) as the compiler
source and/or compiler target for JSP compilation. If used with an Eclipse
JDT compiler version that does not support these values, a warning will be
logged and the default will used. (markt)
Cluster
* Fix: Avoid updating request count stats on async. (remm)
Other
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
* Fix: 57130: Allow digest.(sh|bat) to accept password from a file or stdin.
(csutherl/schultz)
2024-02-19 Tomcat 9.0.86 (remm)
Catalina
* Fix: Correct JPMS and OSGi meta-data for tomcat-enbed-core.jar by removing
reference to org.apache.catalina.ssi package that is no longer included in
the JAR. Based on pull request #684 by Jendrik Johannes. (markt)
* Fix: Fix ServiceBindingPropertySource so that trailing \r\n sequences are
correctly removed from files containing property values when configured to
do so. Bug identified by Coverity Scan. (markt)
* Add: Add improvements to the CSRF prevention filter including the ability
to skip adding nonces for resource name and subtree URL patterns. (schultz)
* Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
* Fix: 68089: Further improve the performance of request attribute access for
ApplicationHttpRequest and ApplicationRequest. (markt)
* Fix: 68559: Allow asynchronous error handling to write to the response
after an error during asynchronous processing. (markt)
Coyote
* Fix: Make asynchronous error handling more robust. Ensure that once a
connection is marked to be closed, further asynchronous processing cannot
change that. (markt)
* Fix: Make asynchronous error handling more robust. Ensure that once the
call to AsyncListener.onError() has returned to the container, only
container threads can access the AsyncContext. This protects against
various race conditions that woudl otherwise occur if application threads
continued to access the AsyncContext.
* Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. In particular, most of the HTTP/2
debug logging has been changed to trace level. (remm)
* Fix: Add support for user provided SSLContext instances configured on
SSLHostConfigCertificate instances. Based on pull request #673 provided by
Hakan Alt??nda?. (markt)
* Fix: Improve the Tomcat Native shutdown process to reduce the likelihood of
a JVM crash during Tomcat shutdown. (markt)
* Fix: Partial fix for 68558: Cache the result of converting to String for
request URI, HTTP header names and the request Content-Type value to
improve performance by reducing repeated byte[] to String conversions.
(markt)
* Fix: Improve error reporting to HTTP/2 clients for header processing errors
by reporting problems at the end of the frame where the error was detected
rather than at the end of the headers. (markt)
* Fix: Remove the remaining reference to a stream once the stream has been
recycled. This makes the stream eligible for garbage collection earlier and
thereby improves scalability. (markt)
Jasper
* Fix: 68546: Generate optimal size and types for JSP imports maps, as
suggested by John Engebretson. (remm)
* Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
WebSocket
* Fix: Correct a regression in the fix for 66508 that could cause an
UpgradeProcessor leak in some circumstances. (markt)
* Fix: Review usage of debug logging and downgrade trace or data dumping
operations from debug level to trace. (remm)
* Fix: Ensure that WebSocket connection closure completes if the connection
is closed when the server side has used the proprietary suspend/resume
feature to suspend the connection. (markt)
Web applications
* Add: Add support for responses in JSON format from the examples application
RequestHeaderExample. (schultz)
Other
* Update: Update Checkstyle to 10.13.0. (markt)
* Update: Update JSign to 6.0. (markt)
* Update: Add strings for debug level messages. (remm)
* Update: Update Tomcat Native to 1.3.0. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
2024-01-09 Tomcat 9.0.85 (remm)
Catalina
* Update: 68378: Align extension to MIME type mappings in the global web.xml
with those in httpd by adding application/vnd.geogebra.slides for ggs, text
/javascript for mjs and audio/ogg for opus. (markt)
Coyote
* Fix: Refactor the VirtualThreadExecutor so that it can be used by the NIO2
connector which was using platform threads even when configured to use
virtual threads. (markt)
* Fix: Correct a regression in the fix for 67675 that broke TLS key file
parsing for PKCS#8 format keys that do not specify an explicit
pseudo-random function and rely on the default. This typically affects keys
generated by OpenSSL 1.0.2. (markt)
* Fix: Allow multiple operations with the same name on introspected mbeans,
fixing a regression caused by the introduction of a second addSslHostConfig
method. (remm)
* Fix: Relax the check that the HTTP Host header is consistent with the host
used in the request line, if any, to make the check case insensitive since
host names are case insensitive. (markt)
* Add: 68348: Add support for the partitioned attribute for cookies. (markt)
Web Applications
* Fix: 68035: Additional fix to the Manager application to enable the
deployment of a web application located in a Host's appBase where the web
application is specified by a bare (no path) WAR or directory name as shown
in the documentation. (markt)
Other
* Update: Update Checkstyle to 10.12.7. (markt)
* Update: Update SpotBugs to 4.8.3. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
2023-12-12 Tomcat 9.0.84 (remm)
Catalina
* Fix: Background processes should not be run concurrently with lifecycle
operations of a container. (remm)
* Fix: Correct unintended escaping of XML in some WebDAV responses. The XML
list of support locks when provided in response to a PROPFIND request was
incorrectly XML escaped. (markt)
* Fix: 68227: Ensure that AsyncListener.onComplete() is called if
AsyncListener.onError() calls AsyncContext.dispatch(). (markt)
* Fix: 68228: Use a 408 status code if a read timeout occurs during HTTP
request processing. Includes a test case based on code provided by
adwsingh. (markt)
Jasper
* Code: 68119: Refactor the CompositeELResolver to improve performance during
type conversion operations. (markt)
Web Applications
* Fix: Examples. Improve the error handling so snakes associated with a user
that drops from the network are removed from the game. (markt)
Other
* Update: Update UnboundID to 6.0.11. (markt)
* Update: Update Checkstyle to 10.12.5. (markt)
* Update: Update SpotBugs to 4.8.2. (markt)
* Update: Update Derby to 10.17.1. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
* Add: Improvements to Brazilian Portuguese translations by John William
Vicente. (markt)
* Add: Improvements to Russian translations by usmazat and remm. (markt)
2023-11-15 Tomcat 9.0.83 (remm)
Catalina
* Fix: 67667: TLSCertificateReloadListener prints unreadable rendering of
X509Certificate#getNotAfter(). (michaelo)
* Update: The status servlet included in the manager webapp can now output
statistics as JSON, using the JSON=true URL parameter. (remm)
* Update: Optionally allow ServiceBindingPropertySource to trim a trailing
newline from a file containing a property-value. (schultz)
* Fix: 67793: Ensure the original session timeout is restored after FORM
authentication if the user refreshes a page during the FORM authentication
process. Based on a suggestion by Mircea Butmalai. (markt)
* Update: 67926: PEMFile prints unidentifiable string representation of ASN.1
OIDs. (michaelo)
* Fix: 66875: Ensure that setting the request attribute
jakarta.servlet.error.exception is not sufficient to trigger error handling
for the current request and response. (markt)
* Fix: 68054: Avoid some file canonicalization calls introduced by the fix
for 65433. (remm)
* Fix: 68089: Improve performance of request attribute access for
ApplicationHttpRequest and ApplicationRequest. (markt)
* Fix: Use a 400 status code to report an error due to a bad request (e.g. an
invalid trailer header) rather than a 500 status code. (markt)
* Fix: Ensure that an IOException during the reading of the request triggers
always error handling, regardless of whether the application swallows the
exception. (markt)
Coyote
* Add: 66670: Add SSLHostConfig#certificateKeyPasswordFile and SSLHostConfig#
certificateKeystorePasswordFile. (michaelo)
* Add: When calling SSLHostConfigCertificate.setCertificateKeystore(ks),
automatically call setCertificateKeystoreType(ks.getType()). (markt)
* Fix: 67628: Clarify how the ciphers attribute of the SSLHostConfig is used.
(markt)
* Fix: 67666: Ensure TLS connectors using PEM files either work with the
TLSCertificateReloadListener or, in the rare case that they do not, log a
warning on Connector start. (markt)
* Fix: 67675: Support a wider range of KDF and ciphers for PEM files than the
combinations supported by the JVM by default. Specifically, support the
OpenSSL default of HmacSHA256 and DES-EDE3-CBC. (markt)
* Fix: 67927: Reloading TLS configuration can cause the Connector to refuse
new connections or the JVM to crash. (markt)
* Fix: 67934: If both Tomcat Native 1.2.x and 2.0.x are available, prefer
1.2.x since it supports the APR/Native connector whereas 2.0.x does not.
(markt)
* Fix: 67938: Correct handling of large TLS client hello messages that were
causing the TLS handshake to fail. (markt)
* Fix: 68026: Convert selected MessageByte values to String when first
accessed to speed up subsequent accesses and reduce garbage collection.
(markt)
Jasper
* Fix: 68068: Performance improvement for EL. Based on a suggestion by John
Engebretson. (markt)
Web applications
* Fix: 68035: Correct a regression in the fix for 56248 that prevented
deployment via the Manager of a WAR or directory that was already present
in the appBase or a context file that was already present in the xmlBase.
(markt)
Other
* Add: 67538: Make use of Ant's <javaversion /> task to enfore the mininum
Java build version. (michaelo)
* Update: Update Checkstyle to 10.12.4. (markt)
* Update: Update JaCoCo to 0.8.11. (markt)
* Update: Update SpotBugs to 4.8.0. (markt)
* Update: Update BND to 7.0.0. (markt)
* Update: The minimum Java version required to build Tomcat has been raised
to Java 17. (markt)
2023-10-13 Tomcat 9.0.82 (remm)
Coyote
* Fix: 67670: Fix regression with HTTP compression after code refactoring.
(remm)
jdbc-pool
* Fix: 67664: Correct a regression in the clean-up of unnecessary use of
fully qualified class names in 9.0.81 that broke the jdbc-pool. (markt)
2023-10-10 Tomcat 9.0.81 (remm)
Catalina
* Add: 65770: Provide a lifecycle listener that will automatically reload TLS
configurations a set time before the certificate is due to expire. This is
intended to be used with third-party tools that regularly renew TLS
certificates. (markt)
* Fix: Fix handling of an error reading a context descriptor on deployment.
(remm)
* Fix: Fix rewrite rule qsd (query string discard) being ignored if qsa was
also use, while it should instead take precedence. (remm)
* Fix: 67472: Send fewer CORS-related headers when CORS is not actually being
engaged. (schultz)
* Add: Improve handling of failures within recycle() methods. (markt)
Coyote
* Fix: 67198: Ensure that the AJP connector attribute tomcatAuthorization
takes precedence over the tomcatAuthentication attribute when processing an
auth_type attribute received from a proxy server. (markt)
* Fix: 67235: Fix a NullPointerException when an AsyncListener handles an
error with a dispatch rather than a complete. (markt)
* Fix: When an error occurs during asynchronous processing, ensure that the
error handling process is only triggered once per asynchronous cycle.
(markt)
* Fix: Fix logic issue trying to match no argument method in
IntropectionUtil. (remm)
* Fix: Improve thread safety around readNotify and writeNotify in the NIO2
endpoint. (remm)
* Fix: Avoid rare thread safety issue accessing message digest map. (remm)
* Fix: Improve statistics collection for upgraded connections under load.
(remm)
* Fix: Align validation of HTTP trailer fields with standard fields. (markt)
* Fix: Improvements to HTTP/2 overhead protection. (markt)
Jasper
* Fix: 67080: Improve performance of EL expressions in JSPs that use implicit
objects. Based on suggestions by John Engebretson, Anurag Dubey and
Christopher Schultz. (markt)
Other
* Update: Update the internal fork of Apache Commons FileUpload to 7a8c324
(2023-09-16, 1.x-SNAPSHOT). Due to significant refactoring in the 2.x
branch requiring additional Commons IO dependencies, Tomcat has switched to
tracking the 1.x branch. (markt)
* Add: Add the Bundle-License header to the JAR manifest for all Tomcat JARs.
(markt)
* Update: Update UnboundID to 6.0.10. (markt)
* Update: Update Checkstyle to 10.12.3. (markt)
* Update: Update Tomcat Native to 1.2.39 to pick up Windows binaries built
with OpenSSL 3.0.11. (markt)
* Update: Update Commons Pool to 2.12.0. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
* Add: Improvements to Russian translations by usmazat. (markt)
2023-08-25 Tomcat 9.0.80 (markt)
Catalina
* Fix: If an application or library sets both a non-500 error code and the
javax.servlet.error.exception request attribute, use the provided error
code during error page processing rather than assuming an error code of
500. (markt)
* Fix: Update code comments and Tomcat output to use MiB for 1024 * 1024
bytes and KiB for 1024 bytes rather than MB and kB. (martk)
* Fix: Avoid protocol relative redirects in FORM authentication. (markt)
Web applications
* Fix: Documentation. Update documentation to use MiB for 1024 * 1024 bytes
and KiB for 1024 bytes rather than MB and kB. (martk)
Other
* Add: Improvements to Chinese translations. (lihan)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations by tak7iji. (markt)
2023-08-15 Tomcat 9.0.79 (remm)
Catalina
* Fix: Fix potential database connection leaks in DataSourceUserDatabase
identified by Coverity Scan. (markt)
* Fix: Make parsing of ExtendedAccessLogValve patterns more robust. (markt)
* Fix: Fix failure trying to persist configuration for an internal credential
handler. (remm)
* Fix: 66680: When serializing a session during the session presistence
process, do not log a warning that null Principals are not serializable.
Pull request #638 provided by tsryo. (markt)
* Fix: Catch NamingException in JNDIRealm#getPrincipal. It is used in Java up
to 17 to signal closed connections. (fschumacher)
* Fix: 66822: Use the same naming format in log messages for Connector
instances as the associated ProtocolHandler instance. (markt)
* Fix: The parts count should also lower the actual maxParameterCount used
for parsing parameters if parts are parsed first. (remm)
Coyote
* Fix: Refactor blocking reads and writes for the NIO connector to remove
code paths that could allow a notification from the Poller to be missed
resuting in a timeout rather than the expected read or write. (markt)
* Fix: Refactor waiting for an HTTP/2 stream or connection window update to
handle spurious wake-ups during the wait. (markt)
* Fix: Correct a regression introduced in 9.0.78 and use the correct constant
when constructing the default value for the certificateKeystoreFile
attribute of an SSLHostConfigCertificate instance. (markt)
* Code: Refactor HTTP/2 implementation to reduce pinning when using virtual
threads. (markt)
* Fix: Pass through ciphers referring to an OpenSSL profile, such as PROFILE=
SYSTEM instead of producing an error trying to parse it. (remm)
* Fix: 66841: Ensure that AsyncListener.onError() is called after an error
during asynchronous processing with HTTP/2. (markt)
* Fix: 66842: When using asynchronous I/O (the default for NIO and NIO2),
include DATA frames when calculating the HTTP/2 overhead count to ensure
that connections are not prematurely terminated. (markt)
* Fix: Correct a race condition that could cause spurious RST messages to be
sent after the response had been written to an HTTP/2 stream. (markt)
WebSocket
* Fix: 66681: Fix a NullPointerException when flushing batched messages with
compression enabled using permessage-deflate. (markt)
jdbc-pool
* Fix: Fix the releaseIdleCounter does not increment when testAllIdle
releases them. Pull request #241 provided by Arun Chaitanya Miriappalli
(lihan)
* Fix: Fix the ConnectionState state will be inconsistent with actual state
on the connection when an exception occurs while writing. Pull request #643
provided by Wenjun Xiao. (lihan)
Other
* Fix: Align documentation for maxParameterCount to match hard-coded
defaults. Contributed by Michal Sobkiewicz. (schultz)
* Update: Update NSIS to 3.09. (markt)
* Update: Update Checkstyle to 10.12.2. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations. Contributed by tak7iji and
Shirayuking. (markt)
* Fix: 66829: Fix quoting so users can use the _RUNJAVA environment variable
as intended on Windows when the path to the Java executable contains
spaces. (markt)
* Update: Update Tomcat Native to 1.2.38 to pick up Windows binaries built
with OpenSSL 1.1.1v. (markt)
2023-07-10 Tomcat 9.0.78 (remm)
Other
* Fix: Correct properties for JSign dependency. (rjung)
not released Tomcat 9.0.77 (remm)
Catalina
* Add: 59232: Add org.apache.catalina.core.ContextNamingInfoListener, a
listener which creates context naming information environment entries.
(michaelo)
* Add: 66665: Add org.apache.catalina.core.PropertiesRoleMappingListener, a
listener which populates the context's role mapping from a properties file.
(michaelo)
* Fix: Fix an edge case where intra-web application symlinks would be
followed if the web applications were deliberately crafted to allow it even
when allowLinking was set to false. (markt)
* Update: Add utlity config file resource lookup on Context to allow looking
up resources from the webapp (prefixed with webapp:) and make the resource
lookup API more visible. (remm)
Coyote
* Fix: 66627: Restore the documented behaviour of MessageBytes.getType() that
it returns the type of the original content rather than reflecting the most
recent conversion. (markt)
* Fix: 66635: Correct certificate logging on start-up so it differentiates
between keystore based keys/certificates and PEM file based keys/
certificates and logs the relevant information for each. (markt)
WebSocket
* Fix: Improve handling of error conditions for the WebSocket server,
particularly during Tomcat shutdown. (markt)
* Fix: Correct a regression in the fix for 66574 that meant the WebSocket
session could return false for onOpen() before the onClose() event had been
completed. (markt)
Web applications
* Add: Documentation. Expand the security guidance to cover the embedded use
case and add notes on the uses made of the java.io.tmpdir system property.
(markt)
* Fix: 66662: Documentation. Fix a typo in the name of the algorithms
attribute in the configuration section for the Digest authentication valve.
Pull request #629 provided by gohilmca. (markt)
Other
* Add: Include the Windows specific binary distributions in the files
uploaded to Maven Central. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations. Contributed by tak7iji. (markt)
* Update: Update UnboundID to 6.0.9. (markt)
* Update: Update Checkstyle to 10.12.1. (markt)
* Update: Update BND to 6.4.1. (markt)
* Update: Update JSign to 5.0. (markt)
2023-06-09 Tomcat 9.0.76 (remm)
Catalina
* Add: Add RateLimitFilter which can be used to mitigate DoS and Brute Force
attacks. (isapir)
* Code: Move the management of the utility executor from the init()/destroy()
methods of components to the start()/stop() methods. (markt)
* Add: Add org.apache.catalina.core.StandardVirtualThreadExecutor, a virtual
thread based executor that may be used with one or more Connectors to
process requests received by those Connectors using virtual threads. This
Executor requires a minimum Java version of Java 21. (markt)
* Fix: 66513: Add a per session Semaphore to the PersistentValve that ensures
that, within a single Tomcat instance, there is no more than one concurrent
request per session. Also expand the debug logging to include whether a
request bypasses the Valve and the reason if a request fails to obtain the
per session Semaphore. (markt)
* Fix: 66609: Ensure that the default servlet correctly escapes file names in
directory listings when using XML output. Based on pull request #621 by
Alex Kachanov. (markt)
* Add: 66618: Add a numeric last modified field to the XML directory listings
produced by the default servlet to enable sorting in the XSLT. Pull request
#622 by Alex Kachanov. (markt)
* Fix: 66621: Attempts to lock a collection with WebDAV may incorrectly fail
if a child collection has an expired lock. (markt)
* Fix: 66622: Deprecate the xssProtectionEnabled setting from the
HttpHeaderSecurityFilter and change the default value to false as support
for the associated HTTP header has been removed from all major browsers.
(markt)
Coyote
* Update: Update the HTTP/2 implementation to use the prioritization scheme
defined in RFC 9218 rather than the one defined in RFC 7540. (markt)
* Fix: 66602: not sending WINDOW_UPDATE when dataLength is ZERO on call
SwallowedDataFramePayload. Pull request #619 by ledefe. (lihan)
WebSocket
* Fix: 66548: Expand the validation of the value of the Sec-Websocket-Key
header in the HTTP upgrade request that initiates a WebSocket connection.
The value is not decoded but it is checked for the correct length and that
only valid characters from the base64 alphabet are used. (markt)
Other
* Update: Update to Commons Daemon 1.3.4. (markt)
* Add: Improvements to French translations. (remm)
* Update: Update Checkstyle to 10.12.0. (markt)
* Update: Update the packaged version of the Apache Tomcat Native Library to
1.2.37 to pick up the Windows binaries built with with OpenSSL 1.1.1u.
(markt)
2023-05-10 Tomcat 9.0.75 (remm)
Catalina
* Fix: 66567: Fix missing IllegalArgumentException after the Tomcat code was
converted to using URI instead of URL. (remm)
* Fix: Escape timestamp output in AccessLogValve if a SimpleDateFormat is
used which contains verbatim characters that need escaping. (rjung)
* Update: Change output of vertical tab in AccessLogValve from \v to \u000b.
(rjung)
* Update: Improve performance of escaping in AccessLogValve roughly by a
factor of two. (rjung)
* Update: Improve JsonAccessLogValve: support more patterns like for headers
and attributes. Those will be logged as sub objects. (rjung)
* Fix: #613: Fix possible partial corrupted file copies when using file
locking protection or the manager servlet. Submitted by Jack Shirazi.
(remm)
Coyote
* Add: Add support for a new character set, gb18030-2022 - introduced in Java
21, to the character set caching mechanism. (markt)
* Fix: Fix an edge case in HTTP header parsing and ensure that HTTP headers
without names are treated as invalid. (markt)
* Update: Deprecate the HTTP Connector settings rejectIllegalHeader and
allowHostHeaderMismatch as they have been removed in Tomcat 11 onwards.
(markt)
* Fix: 66591: Fix a regression introduced in the fix for 66512 that meant
that an AJP Send Headers was not sent for responses where no HTTP headers
were set. (markt)
Jasper
* Fix: 66582: Account for EL having stricter requirements for static imports
than JSPs when adding JSP static imports to the EL context. (markt)
WebSocket
* Fix: 66574: Refactor WebSocket session close to remove the lock on the
SocketWrapper which was a potential cause of deadlocks if the application
code used simulated blocking. (markt)
* Fix: 66575: Avoid unchecked use of the backing array of a buffer provided
by the user in the compression transformation. (remm)
* Fix: Improve exception handling when flushing batched messages during
WebSocket session close. (markt)
* Fix: 66581: Update AsyncChannelGroupUtil to align it with the current
defaults for AsynchronousChannelGroup. Pull request #612 by Matthew
Painter. (markt)
Other
* Add: Improvements to French translations. (remm)
* Add: Improvements to Chinese translations. (lihan)
* Update: Update Checkstyle to 10.10.0. (markt)
* Update: Update Jacoco to 0.8.10. (markt)
2023-04-18 Tomcat 9.0.74 (remm)
Catalina
* Fix: 65995: Implement RFC 9239 and use text/javascript as the media type
for JavaScript rather than application/javascript. (markt)
* Add: Add an access log valve that uses a json format. Based on pull request
#539 provided by Thomas Meyer. (remm)
* Add: Harden the FORM authentication process against DoS attacks by using a
reduced session timeout if the FORM authentication process creates a
session. The duration of this timeout is configured by the
authenticationSessionTimeout attribute of the FORM authenticator. (markt)
* Fix: 66527: Correct the Javadoc for the Tomcat.addWebapp() methods that
incorrectly stated that the docBase parameter could be a relative path.
(markt)
* Fix: 66524 Correct eviction ordering in WebResource cache to be LRU as
intended. (schultz)
* Update: Use server.xml to reduce the default value of maxParameterCount
from 10,000 to 1,000. If not configured in server.xml, the default remains
10,000. (markt)
* Add: Update Digest authentication support to align with RFC 7616. This adds
a new configuration attribute, algorithms, to the DigestAuthenticator with
a default of SHA-256,MD5. (markt)
* Update: Add support code for custom user attributes in RealmBase. Based on
code from #473 by Carsten Klein. (remm)
* Fix: Expand the set of HTTP request headers considered sensitive that
should be skipped when generating a response to a TRACE request. This
aligns with 11.0.x. (markt)
* Fix: 66541: Improve handling for cached resources for resources that use
custom URL schemes. The scheme specific equals() and hashCode() algorithms,
if present, will now be used for URLs for these resources. This addresses a
potential performance issue with some OSGi custom URL schemes that can
trigger potentially slow DNS lookups in some configurations. Based on a
patch provided by Tom Whitmore. (markt)
* Fix: When using a custom session manager deployed as part of the web
application, avoid ClassNotFoundExceptions when validating session IDs
extracted from requests. (markt)
* Fix: 66543: Give StandardContext#fireRequestDestroyEvent its own log
message. (fschumacher)
* Fix: 66554: Initialize Random during server initialization to avoid
possible JVM thread creation in the webapp context on some platforms.
(remm)
* Update: Make the server utility executor available to webapps using a
Servlet context attribute named
org.apache.tomcat.util.threads.ScheduledThreadPoolExecutor. (remm)
Coyote
* Fix: JSON filter should support specific escaping for common special
characters as defined in RFC 8259. Based on code submitted by Thomas Meyer.
(remm)
* Fix: 66511: Fix GzipOutputFilter (used for compressed HTTP responses) when
used with direct buffers. Patch suggested by Arjen Poutsma. (markt)
* Fix: 66512: Align AJP handling of invalid HTTP response headers (they are
now removed from the response) with HTTP. (markt)
* Fix: 66530: Correct a regression in the fix for bug 66442 that meant that
streams without a response body did not decrement the active stream count
when completing leading to ERR_HTTP2_SERVER_REFUSED_STREAM for some
connections. (markt)
* Code: Refactor synchronization blocks locking on SocketWrapper to use
ReentrantLock to support users wishing to experiment with project Loom.
(markt)
Jasper
* Fix: 66536: Fix parsing of tag files that meant that tag directives could
be ignored for some tag files. (markt)
Cluster
* Fix: 66535: Redefine the maxValidTime attribute of FarmWarDeployer to be
the maximum time allowed between receiving parts of a transferred file
before the transfer is cancelled and the associated resources cleaned-up. A
new warning message will be logged if the file transfer is cancelled.
(markt)
WebSocket
* Fix: 66508: When using WebSocket with NIO2, avoid waiting for a timeout
before sending the close frame if an I/O error occurs during a write.
(markt)
Other
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations. Contributed by Shirayuking and
tak7iji. (markt)
* Add: Improvements to Chinese translations. Contributed by totoo. (markt)
* Code: Refactor code using MD5Encoder to use HexUtils.toHexString(). (markt)
* Fix: 66507: Fix a bug that $JAVA_OPTS is not passed to the jvm in
catalina.sh when calling version. Patch suggested by Eric Hamilton. (lihan)
* Update: Update the internal fork of Commons DBCP to f131286 (2023-03-08,
2.10.0-SNAPSHOT). This corrects a regression introduced in 9.0.71. (markt)
* Fix: Improve the error messages if JRE_HOME or JAVA_HOME are not set
correctly. On windows, align the handling of JRE_HOME and JAVA_HOME for the
start-up scripts and the service install script. (markt)
* Update: Update UnboundID to 6.0.8. (markt)
* Update: Update Checkstyle to 10.9.3. (markt)
* Update: Update Jacoco to 0.8.9. (markt)
* Fix: Enhance PEMFile to load from an InputStream. Patch provided by Romain
Manni-Bucau. (schultz)
2023-03-03 Tomcat 9.0.73 (remm)
General
* Fix: Fix a bug that memory allocation is larger than limit in
SynchronizedStack to reduce memory footprint. (lihan)
Catalina
* Add: Add support for txt: and rnd: rewrite map types from mod_rewrite.
Based on a pull request #591 provided by Dimitrios Soumis. (remm)
* Update: Provide a more appropriate response (501 rather than 400) when
rejecting an HTTP request using the CONNECT method. (markt)
* Fix: 66488: Correct a regression introduced in the fix for bug 66196 that
meant that the HTTP headers and/or request line could get corrupted (one
part overwriting another part) within a single request. (markt)
Coyote
* Add: Add a check for the validity of the scheme pseudo-header in HTTP/2.
(markt)
* Fix: 66482: Restore inline state after async operation in NIO2, to account
the fact that unexpected exceptions are sometimes thrown by the
implementation. Patch submitted by zhougang. (remm)
2023-02-23 Tomcat 9.0.72 (remm)
Catalina
* Fix: Allow a Valve to access cookies from a request that cannot be mapped
to a Context. (markt)
* Fix: Refactor uses of String.replaceAll() to use String.replace() where
regular expressions where not being used. Pull request #581 provided by
Andrei Briukhov. (markt)
* Add: Add error report valve that allows redirecting to of proxying from an
external web server. Based on code and ideas from pull request #506
provided by Max Fortun. (remm)
* Add: 66470: Add the Shared Address Space defined by RFC 6598 (100.64.0.0/
10) to the regular expression used to identify internal proxies for the
RemoteIpFilter and RemoteIpValve. (markt)
* Fix: 66471: Fix JSessionId secure attribute missing When RemoteIpFilter
determines that this request was submitted via a secure channel. (lihan)
Coyote
* Add: Log basic information for each configured TLS certificate when Tomcat
starts. (markt)
* Fix: 66442: When an HTTP/2 response must not include a body, ensure that
the end of stream flag is set on the headers frame and that no data frame
is sent. (markt)
* Fix: 66455: Fix the cause of a potential ClassCastException when processing
a WINDOW_UPDATE frame on an HTTP/2 connection where the flow control window
for the overall connection has been exhausted. (markt)
* Fix: Fix a regression introduced in 9.0.65 that prevented HTTP/2
connections from timing out when using a Connector configured with
useAsyncIO=true (the default for NIO and NIO2). (markt)
* Add: Provided dedicated loggers
(org.apache.tomcat.util.net.NioEndpoint.certificate /
org.apache.tomcat.util.net.Nio2Endpoint.certificate /
org.apache.tomcat.util.net.AprEndpoint.certificate) for logging of
configured TLS certificates. (markt)
Jasper
* Fix: 66419: Fix calls from expression language to a method that accepts
varargs when only one argument was passed. (markt)
* Fix: 66441: Make imports of static fields in JSPs visible to any EL
expressions used on the page. (markt)
Web applications
* Fix: 66429: Documentation. Limit access to the documentation web
application to localhost by default. (markt)
* Fix: 66429: Examples. Limit access to the examples web application to
localhost by default. (markt)
Other
* Update: Update BND to 6.4.0. (markt)
* Add: Improvements to Korean translations. (woonsan)
* Update: Update the packaged version of the Apache Tomcat Native Library to
1.2.36 to pick up the Windows binaries built with with OpenSSL 1.1.1t.
(markt)
2023-01-13 Tomcat 9.0.71 (remm)
Catalina
* Fix: 66388: Correct a regression in the refactoring that replaced the use
of the URL constructors. The regression broke lookups for resources that
contained one or more characters in their name that required escaping when
used in a URI path. (markt)
* Fix: 66392: Change the default value of AccessLogValve's file encoding to
UTF-8 and update documentation. (lihan)
* Fix: 66393: Align ExtendedAccessLogValve's x-P(XXX) with the documentation.
(lihan)
Coyote
* Fix: When resetting an HTTP/2 stream because the final response has been
generated before the request has been fully read, use the HTTP/2 error code
NO_ERROR so that client does not discard the response. Based on a
suggestion by Lorenzo Dalla Vecchia. (markt)
* Fix: 66196: Align HTTP/1.1 with HTTP/2 and throw an exception when
attempting to commit a response with an header value that includes one or
more characters with a code point above 255. (markt)
* Fix: 66385: Correct a bug in HTTP/2 where a non-blocking read for a new
frame with the NIO2 connector was incorrectly made using the read timeout
leading to unexpected stream closure. (markt)
Jasper
* Fix: 66370: Change the default of the
org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED system property to true unless
the EL library is running on Tomcat in which case the default remains false
as the EL library is already called from within a privileged block and
skipping the unnecessary privileged block improves performance. (markt)
* Add: Add support for specifying Java 21 (with the value 21) as the compiler
source and/or compiler target for JSP compilation. If used with an Eclipse
JDT compiler version that does not support these values, a warning will be
logged and the default will used. (markt)
Other
* Update: Update the internal fork of Apache Commons BCEL to 2ee2bff
(2023-01-03, 6.7.1-SNAPSHOT). (markt)
* Update: Update the internal fork of Apache Commons Codec to 3eafd6c
(2023-01-03, 1.16-SNAPSHOT). (markt)
* Update: Update the internal fork of Apache Commons FileUpload to 34eb241
(2023-01-03, 2.0-SNAPSHOT). (markt)
* Update: Update the internal fork of Apache Commons DBCP to f131286
(2023-01-03, 2.10.0-SNAPSHOT). (markt)
* Add: Improvements to Japanese translations. Contributed by Shirayuking.
(markt)
* Add: Improvements to Portuguese translations. Contributed by Guilherme
Custo'dio. (markt)
* Update: Update Checkstyle to 10.6.0. (markt)
* Update: Update Unboundid to 6.0.7. (markt)
* Update: Update SpotBugs to 4.7.3. (markt)
2022-12-05 Tomcat 9.0.70 (remm)
Catalina
* Fix: Correct the default implementation of
HttpServletRequest.isTrailerFieldsReady() to return true so it is
consistent with the default implementation of
HttpServletRequest.getTrailerFields() and with the Servlet API provided by
the Jakarta EE project. (markt)
* Fix: Improve the behavior of the credential handler attribute that is set
in the Servlet context so that it actually reflects what is used during
authentication. (remm)
* Fix: 66359: Update javadoc for RemoteIpValve and RemoteIpFilter with
correct protocolHeader default value of "X-Forwarded-Proto". (lihan)
Coyote
* Fix: When an HTTP/2 stream was reset, the current active stream count was
not reduced. If enough resets occurred on a connection, the current active
stream count limit was reached and no new streams could be created on that
connection. (markt)
Web applications
* Fix: 66348: Update the JARs listed in the class loader documentation and
note which ones are optional. (markt)
* Fix: Documentation. Replace references in the application developer's guide
to CVS with more general references to a source code control system.
(markt)
Other
* Code: Refactor code base to replace use of URL constructors. While they are
deprecated in Java 20 onwards, the reasons for deprecation are valid for
all versions so move away from them now. (markt)
* Update: Update the internal fork of Apache Commons BCEL to b015e90
(2022-11-28, 6.7.0-RC1). (markt)
* Update: Update the internal fork of Apache Commons Codec to ae32a3f
(2022-11-29, 1.16-SNAPSHOT). (markt)
* Update: Update to Commons Daemon 1.3.3. (markt)
* Update: Update the internal fork of Apache Commons FileUpload to aa8eff6
(2022-11-29, 2.0-SNAPSHOT). (markt)
* Add: Improvements to Japanese translations. Contributed by Shirayuking and
tak7iji. (markt)
2022-11-14 Tomcat 9.0.69 (remm)
Catalina
* Add: 66209: Add a configuration option to allow bloom filters used to index
JAR files to be retained for the lifetime of the web application. Prior to
this addition, the indexes were always flushed by the periodic calls to
WebResourceRoot.gc(). As part of this addition, configuration of archive
indexing moves from Context to WebResourceRoot. Based on a patch provided
by Rahul Jaisimha. (markt)
* Fix: 66330: Correct a regression introduced when fixing 62897 that meant
any value configured for skipMemoryLeakChecksOnJvmShutdown on the Context
was ignored and the default was always used. (markt)
* Fix: 66331: Fix a regression in refactoring for Stack on the
SystemLogHandler which caught incorrect exception. (lihan)
* Fix: 66338: Fix a regression that caused a nuance in refactoring for
ErrorReportValve. (lihan)
* Fix: Escape values used to construct output for the JsonErrorReportValve to
ensure that it always outputs valid JSON. (markt)
Coyote
* Fix: Correct the date format used with the expires attribute of HTTP
cookies. A single space rather than a single dash should be used to
separate the day, month and year components to be compliant with RFC 6265.
(markt)
* Add: Include the name of the current stream state in the error message when
a stream is cancelled due to an attempt to write to the stream when it is
in a state that does not permit writes. (markt)
* Code: NIO writes never return -1 so refactor CLOSED_NIO_CHANNEL not to do
so and remove checks for this return value. Based on #562 by tianshuang.
(markt)
* Code: Remove unnecessary code that exposed the asyncTimeout to components
that never used it. (markt)
Jasper
* Fix: 66294: Make the use of a privileged block to obtain the thread context
class loader added to address 62080 optional and disabled by default. This
is now controlled by the org.apache.el.GET_CLASSLOADER_USE_PRIVILEGED
system property. (markt)
* Fix: 66325: Fix concurrency issue in evaluation of expression language
containing lambda expressions. (markt)
jdbc-pool
* Fix: 66346: Ensure all JDBC pool JARs are reproducible. Pull request #566
provided by John Neffenger. (markt)
Other
* Update: Update to Commons Daemon 1.3.2. (markt)
* Add: Improvements to Chinese translations. Contributed by DigitalCat and
lihan. (markt)
* Add: Improvements to French translations. Contributed by Mathieu Bouchard.
(markt)
* Add: Improvements to Japanese translations. Contributed by Shirayuking.
(markt)
2022-10-07 Tomcat 9.0.68 (markt)
Catalina
* Fix: Update the RewriteValve to perform pattern matching using dotall mode
to avoid unexpected behaviour if the URL includes encoded line terminators.
(markt)
Coyote
* Fix: 66276: Fix incorrect class cast when adding a descendant of HTTP/2
streams. (lihan)
* Fix: 66281: Fix unexpected timeouts that may appear as client
disconnections when using HTTP/2 and NIO2. (markt)
* Fix: Enforce the requirement of RFC 7230 onwards that a request with a
malformed content-length header should always be rejected with a 400
response. (markt)
Jasper
* Fix: 66277: Fix regressions in refactoring from Stack ArrayDeque.
* Add: Add support for specifying Java 20 (with the value 20) as the compiler
source and/or compiler target for JSP compilation. If used with an Eclipse
JDT compiler version that does not support these values, a warning will be
logged and the default will used. (markt)
Web applications
* Fix: Documentation. Document the nonceRequestParameterName attribute for
the CsrfPreventionFilter. Based on #553 by Mert U:lkgu:n. (markt)
Other
* Update: Update Objenesis to 3.2. (markt)
* Update: Update UnboundID to 6.0.6. (markt)
* Update: Update Checkstyle to 10.3.4. (markt)
* Update: Update JaCoCo to 0.8.8. (markt)
* Update: Update SpotBugs to 4.7.2. (markt)
* Update: Update JSign to 4.2. (markt)
* Update: Update Derby to 10.16.1.1. (markt)
* Add: Improvements to Chinese translations. (markt)
* Add: Improvements to Czech translations. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations. Contributed by tak7iji and
Shirayuking. (markt)
* Add: Improvements to Korean translations. (markt)
* Add: Improvements to Spanish translations. (markt)
2022-09-26 Tomcat 9.0.67 (remm)
Coyote
* Fix: Fix a regression in refactoring for Hashtables which caused mbeans to
lose many of their attributes. (remm)
not released Tomcat 9.0.66 (remm)
Catalina
* Fix: Correct handling of HTTP TRACE requests where there are multiple
instances of an HTTP header with the same name. (markt)
* Fix: Implement the requirements of RFC 7231 and do not include sensitive
headers in responses to HTTP TRACE requests. (markt)
* Fix: Implement the clarification in RFC 9110 that the units in HTTP range
specifiers are case insensitive. (markt)
* Fix: Properly-escape role and group information when writing
MemoryUserDatabase to an XML file. (schultz)
* Fix: Move control of XML-export logic from individual support classes into
MemoryUserDatabase.save(). Deprecate and discontinue use of MemoryUser,
MemoryRole, and MemoryGroup classes. (schultz)
* Fix: 66183: When logging cookie values in an access log valve and there are
multiple cookies with the same name, log all cookie values rather than just
the first. Based on pull request #541 by Han Li. (markt)
* Fix: 66184: Ensure that JULI root loggers have a default level of INFO.
Pull request #533 provided by Piotr P. Karwasz. (markt)
* Fix: Improve handling of stack overflow errors when parsing SSI
expressions. (markt)
* Fix: 66120: Enable FORM authentication to work correctly if session
persistence and restoration occurs during the authentication process.
(markt)
* Fix: 66233: Include an error message when sending a 400 response because a
request has too many cookies. (markt)
* Fix: When web application deployment fails due to JARs with duplicate
fragment names, improve the error message by listing the JARs that contain
the duplicates. Based on pull request #535 by Mads Rolsdorph. (markt)
* Fix: Replace logging thread for JULI's AsyncFileHandler with an executor to
protect against failure of the logging thread. Based on pull request #545
by Piotr P. Karwasz. (markt)
Coyote
* Fix: Avoid potential NPE by skipping duplicate accept check when using a
Unix Domain Socket. Based on #532 by Han Li. (markt)
* Fix: Address an edge case in HTTP header parsing that allowed CRCRLF to be
used as a valid line terminator. (markt)
* Fix: Ensure HTTP/2 requests that include connection specific headers are
rejected. (markt)
* Fix: When processing HTTP/2 requests, allow a host header to be used in
place of an :authority header. (markt)
* Fix: When processing HTTP/2 requests, allow a host header and an :authority
header to be present providing they are consistent. (markt)
* Fix: When processing HTTP/2 requests, reject requests containing multiple
host headers. (markt)
* Fix: Make parsing of invalid filename directives in Content-Disposition
headers more robust. Invalid filename directives will now be ignored rather
than triggering a 500 response. (markt)
* Fix: 66194: Log HTTP/2 stream closures (usually caused by client errors)
via a UserDataHelper to broadly align it with the behaviour of HTTP/1.1 for
parsing issues and exceeding limits. (markt)
* Fix: 66236: Implement support for the special values zero and minus one
when configuring maxSavePostSize for a Connector when used in conjunction
with TLS renegotiation. (markt)
* Fix: 66240: Avoid int overflow when parsing octets by limiting the maximum
value to 255. Based on a PR #548 by Stefan Mayr. (lihan)
* Fix: #550: Correctly handle case where a Servlet responds to a request with
an expectation with a 2xx response without reading the request body. Pull
request provided by Malay Shah. (markt)
* Fix: #551: Avoid potential IndexOutOfBoundsException by fixing incorrect
check when matching HTTP/2 preface. Submitted by ??????. (lihan)
Jasper
* Fix: Improve handling of stack overflow errors when parsing EL expressions.
(markt)
* Fix: Correct parsing of integer and floating point literals in EL
expressions so that larger values are correctly parsed to BigInteger and
BigDecimal respectively. (markt)
* Add: 66203: Log an error message when the JSP compiler is unable to create
the output directory for the generated code. (markt)
* Fix: 66235: Fix various issues with the bean resolver used for Graal.
(remm)
* Fix: Improve the performance of the ImportHandler in the Expression
Language implementation. This removes a previous optimisation that is now
detrimental rather than helpful. Pull request #547 provided by rmannibucau.
(markt)
* Fix: Improve handling of EL error messages so instances of Number are not
formatted in unexpected ways. (markt/kkolinko)
* Fix: Switch to using ELException rather than IllegalArgumentException when
a type conversion fails during an EL arithmetic operation. This is an EL
error so ELException seems more appropriate. (markt)
* Fix: 66246: Fix JspC generates invalid web.xml due to incorrect header.
(lihan)
* Fix: Fix a bug in MethodExpression handling that triggered an error when
invoking a static method on an instance of the class rather than directly
on the class. (markt)
* Fix: Use BigInteger.remainder() rather than BigInteger.mod() when
performing the modulus operation for instances of BigInteger as part of an
EL expression. (markt)
Cluster
* Fix: To aid future additions of new functionality, rather than throw an
IllegalArgumentException if a DeltaRequest is passed an unrecognised action
type, a warning message will now be logged. (markt)
* Fix: 66120: Enable FORM authentication to work correctly if session
failover occurs during the authentication process. (markt)
WebSocket
* Add: 62312: Add support for authenticating WebSocket clients with an HTTP
forward proxy when establishing a connection to a WebSocket endpoint via a
forward proxy that requires authentication. Based on a patch provided by
Joe Mokos. (markt)
Other
* Fix: Ensure that zip archives use UTC for file modification times to ensure
repeatable builds across time zones. (markt)
* Add: Improvements to Chinese translations. (lihan)
* Add: Improvements to Czech translations. (markt)
* Add: Improvements to French translations. (remm)
* Add: Improvements to German translations. (markt)
* Add: Improvements to Japanese translations. Contributed by tak7iji and
Shirayuking. (markt)
* Add: Improvements to Korean translations. Contributed by ????. (markt)
* Add: Improvements to Russian translations. (markt)
* Add: Improvements to Spanish translations. (markt)
* Add: Further automation to the build process to reduce the number of manual
steps that release managers must perform. (markt)
2022-07-20 Tomcat 9.0.65 (remm)
Catalina
* Fix: 66104: Avoid error message by not trying to clean up old files from
the logging directory before the directory has been created. Based on #521
by HanLi. (markt)
Coyote
* Add: Provide dedicated loggers
(org.apache.tomcat.util.net.NioEndpoint.handshake /
org.apache.tomcat.util.net.Nio2Endpoint.handshake) for TLS handshake
failures. (markt)
* Add: Enable the use of the FIPS provider for TLS enabled Connectors when
using Tomcat Native 1.2.34 onwards built with OpenSSL 3.0.x onwards.
(markt)
* Code: Deprecated the jvmRoute system property used to configure a default
value for the jvmRoute attribute of an Engine. (markt)
* Fix: Fix duplicate Poller registration with HTTP/2, NIO and async IO that
could cause HTTP/2 connections to unexpectedly fail. (markt)
Jasper
* Add: Add support for specifying Java 19 (with the value 19) as the compiler
source and/or compiler target for JSP compilation. If used with an Eclipse
JDT compiler version that does not support these values, a warning will be
logged and the default will used. (markt)
Web applications
* Fix: Documentation. 62245: Include contextXsltFile when discussing options
for configuring directory listings. (markt)
* Fix: Examples. Fix CVE-2022-34305, a low severity XSS vulnerability in the
Form authentication example. (markt)
* Fix: Documentation. Expand the description of the useSendfile attribute for
HTTP/2 and reference the possibility of file locking when using this
feature on Windows operating systems. (markt)
Other
* Update: Update to bnd 6.3.1. (markt)
* Update: The minimum Ant version required to build Tomcat 9.0.x is now
1.10.2. (markt)
* Add: Add additional automation to the build process to reduce the number of
manual steps that release managers must perform. (schultz)
* Add: Implement support for reproducible builds. Reproducible builds are
independent of operating system but require the same Ant version and same
JDK (vendor and version) to be used as associated version information is
embedded in a number of build outputs such as JAR file manifests. (markt)
* Update: Update the packaged version of the Tomcat Native Library to 1.2.34
to improve the support for building with OpenSSL 3.0.x.(markt)
* Fix: Remove and/or update references to the removed
org.apache.tomcat.util.threads.res package. The LocalStrings*.properties
files in that package were moved to org.apache.tomcat.util.threads package
for consistency with the rest of the Tomcat code base.
* Fix: 66134: The NSIS based Tomcat installer for Windows now correctly
handles the combination of TomcatAdminRoles defined in a configuration file
and selecting the Manager and/or Host Manager web applications in the
installer's GUI. (markt)
* Update: Update the OWB module to Apache OpenWebBeans 2.0.27. (remm)
* Update: Update the CXF module to Apache CXF 3.5.3. (remm)
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations contributed by tak7iji. (markt)
* Update: Update the packaged version of the Tomcat Native Library to 1.2.35
to pick up Windows binaries built with OpenSSL 1.1.1q.(markt)
2022-06-09 Tomcat 9.0.64 (remm)
Catalina
* Fix: Update the memory leak protection code to support stopping application
created executor threads when running on Java 19 and later. (markt)
* Fix: Improve the error message if a required --add-opens option is missing.
(markt)
* Fix: Disable the memory leak correction code enabled by the Context
attribute clearReferencesObjectStreamClassCaches when running on a JRE that
includes a fix for the underlying memory leak. (markt)
* Fix: #515: Avoid deadlock on startup with some utility executor
configurations. Submitted by Han Li. (remm)
* Fix: 66068: Ensure that the changes made to a request by the RemoteIPValve
persist after the request is put into asynchronous mode. (markt)
* Add: Include the major version in the recommended version used for Tomcat
Native with the AprLifecycleListener. (markt)
Coyote
* Fix: Additional fix for 65118. Fix a potential NullPointerException when
pruning closed HTTP/2 streams from the connection. (markt)
* Fix: 66076: When using TLS with non-blocking writes and the NIO connector,
ensure that flushing the buffers attempts to empty all of the output
buffers. (markt)
* Fix: 66084: Correctly calculate bytes written to a response. Pull request #
516 provided by aooohan HanLi. (markt)
* Add: Correct a regression in the support added for encrypted PKCS#1
formatted private keys in the previous release that broke support for
unencrypted PKCS#1 formatted private keys. (jfclere/markt)
* Update: Remove support for NPN when using the Tomcat Native Connector as
NPN was never standardised and browser support for NPN was removed several
years ago. (markt)
Jasper
* Fix: Update ImportHandler optimisation for new classes introduced in Java
19. (markt)
Web applications
* Fix: 66064: Update the building page in the documentation web application
to reflect changes in required Java version and source repository. (markt)
* Fix: Documentation. Make the description of the HTTP/1.1 configuration
attributes that control the maximum allowed HTTP header size more specific.
(markt)
Tribes
* Fix: Increase the default buffer size for replication messages from 43800
to 65536 bytes. This is expected to improve performance for large messages
when running on Linux based systems. (markt)
Other
* Add: Improvements to French translations. (remm)
* Add: Improvements to Japanese translations contributed by Shirayuking and
tak7iji. (markt)
* Add: Improvements to Chinese translations contributed by Dingzi2012.
(markt)
2022-05-16 Tomcat 9.0.63 (remm)
Catalina
* Fix: 65736: Disable the forceString option for the JNDI BeanFactory and
replace it with an automatic search for an alternative setter with the same
name that accepts a String. This is a security hardening measure. (markt)
* Code: 65853: Refactor the CsrfPreventionFilter to make it easier for
sub-classes to modify the nonce generation and storage. Based on
suggestions by Marvin Fro:hlich. (markt)
* Fix: 65991: Avoid NPE with SSLAuthenticator when boundOnInit is used on a
connector, during the check for client certificate authentication
availability. (remm)
* Fix: 66009: Use getSubjectX500Principal().toString() rather than
getSubjectX500Principal().getName(...) to retrieve a certificate DN, to
match the output of the deprecated getSubjectDN().getName() that was used
previously. (remm)
* Add: Revert the change in 9.0.59 that added a mapping of Shift_JIS for the
ja locale to the default mappings used by ServletResponse.setLocale() as it
caused regressions for applications using UTF-8. (markt)
* Add: Provide a property source that sources values from Kubernetes service
bindings. Pull request #512 provided by Sumit Kulhadia and Gareth Evans.
(markt)
Coyote
* Add: #501: Add new maxHttpRequestHeaderSize and maxHttpResponseHeaderSize
attributes which allow setting the maximum HTTP header sizes independently.
If not specified, the value of the maxHttpHeaderSize connector attribute
will be used. Submitted by Zhongming Hua. (remm)
* Fix: The root cause of the Linux kernel duplicate accept bug has been
identified along with the version of the kernel that includes the fix. The
error message displayed when this bug occurs has been updated to reflect
this new information and to advise users to update to a version of the OS
that uses kernel 5.10 or later. Thanks to Christopher Gual for the research
into this issue. (markt)
* Fix: 66023: Improve the fix for 65726 and support HTTP upgrade with a
request body for a wider set of use cases. (markt)
* Add: Add support for encrypted PKCS#1 formatted private keys when
configuring the internal, in memory key store. Based on #511. (jfclere/
markt)
* Fix: Remove the prestartminSpareThreads attribute of the
StandardThreadExecutor since all core threads are always started by default
making this attribute meaningless. Pull request #510 provided by Aooohan.
(markt)
Webapps
* Fix: 66008: In the documentation web application, clarify the
recommendation for the use the trimSpaces option for Jasper in production
environments. (markt)
* Fix: Update the documentation web application to state that the
EncryptInterceptor does not provide sufficient protection to run Tomcat
clustering over an untrusted network. This is CVE-2022-29885. (markt)
Other
* Add: Improvements to French translations. (remm)
* Add: Improvements to German translations contributed by Thomas Hoffmann.
(markt)
* Add: Improvements to Japanese translations contributed by Shirayuking.
(markt)
* Add: Improvements to Korean translations. (woonsan)
* Update: Update to Commons Daemon 1.3.1. This fixes a known regression in
1.3.0 when configuring the Windows service with custom scripts as described
in 66055. (markt)
* Update: Update to JSign 4.1. (markt)
* Update: Update the packaged version of the Tomcat Native Library to 1.2.33
to pick up Windows binaries built with OpenSSL 1.1.1o.(markt)
2022-04-01 Tomcat 9.0.62 (remm)
Catalina
* Add: Effectively disable the WebappClassLoaderBase.getResources() method as
it is not used and if something accidentally exposes the class loader this
method can be used to gain access to Tomcat internals. (markt)
|
| 2022-04-11 23:35:36 by S.P.Zeidler | Files touched by this commit (3) | |
Log message:
contains mitigation for the Spring4Shell vulnerability
Upstream changelog:
Tomcat 9.0.62 (remm)
Catalina
Add: Effectively disable the WebappClassLoaderBase.getResources()
method as it is not used and if something accidently exposes the class
loader this method can be used to gain access to Tomcat internals. (markt)
Tomcat 9.0.61 (remm)
Catalina
Code: Harden the CredentialHandler implementations by switching to a
constant-time implementation for credential comparisons. (schultz/markt)
Coyote
Fix: Use a constant for the default TLS cipher suite. This will allow
skipping setting it in some cases (for example, it does not make sense for
OpenSSL TLS 1.3). (remm)
Fix: #487: Improve logging of unknown settings frames. Pull request by
Thomas Hoffmann. (remm)
Add: 65975: Add a warning if a TLS virtual host is configured with
optional certificate authentication and the containing connector is also
configured to support HTTP/2 as HTTP/2 does not permit optional
certificate authentication. (markt)
Add: 65975: Add a warning if a TLS virtual host is configured for TLS
1.3 with a JSSE implementation and a web application is configured for
CLIENT-CERT authentication. CLIENT-CERT authentication requires
post-handshake authentication (PHA) when used with TLS 1.3 but the JSSE
TLS 1.3 implementation does not support PHA. (markt)
Fix: Improve the recycling of Processor objects to make it more
robust. (markt)
Jasper
Fix: 65959: Serialize Function as String[] rather Class[]. (remm)
Web applications
Fix: 65952: Align --add-opens configuration for jsvc with the current
Tomcat scripts. (markt)
Fix: Correct the AJP and HTTP/1.1 Connector configuration pages in the
documentation web application to show which attributes are applicable to
all Connectors and which are implementation specific. (markt)
Other
Fix: Correct a spelling mistake in the German translations. Thanks to
Thomas Hoffmann. (markt)
Fix: 65951: Use the tomcat.output property for OSGi bundle manifest
paths. (isapir)
Update: Update to Commons Daemon 1.3.0. (markt)
Update: Update to Checkstyle 10.0. (markt)
Update: Update to SpotBugs 4.6.0. (markt)
Add: Expand the spotbugs Ant task to also cover test code. (markt)
Update: Update to bnd 6.2.0. (markt)
Update: Remove OSGi annotations dependency as it is no longer required
with bnd 6.2.0. (markt)
Code: Refactor the resource files for the Apache Tomcat installer for
Windows so that all the resource files are located in a single directory
in the source tree. (markt)
Update: Update the packaged version of the Tomcat Native Library to
1.2.32 to pick up Windows binaries built with OpenSSL 1.1.1n.(markt)
Add: Improvements to Chinese translations contributed by 15625988003.
(markt)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations contributed by tak7iji.
(markt)
Add: Expand coverage of translations for jakarta.el package. Based on
#488 from Volodymyr Siedlecki. (markt)
2022-03-14 Tomcat 9.0.60 (remm)
Catalina
Fix: 65921: The type substitution flag for the rewrite valve should
set the content type for the response, not the request. (markt)
Fix: #479: Enable the rewrite valve to redirect requests when the
original request cannot be mapped to a context. This typically happens
when no ROOT context is defined. Pull request by elkman. (markt)
Fix: 65940: Fix NullPointerException if an exception occurs during the
destruction of a Servlet. (markt)
Coyote
Fix: Fix regression introduced with 65757 bugfix which better
identified non request threads but which introduced a similar problem when
user code was doing sequential operations in a single thread. Test case
code submitted by Istvan Szekely. (remm)
Fix: Fix potential thread-safety issue that could cause HTTP/1.1
request processing to wait, and potentially timeout, waiting for
additional data when the full request has been received. (markt)
Fix: Throw IOException rather than IllegalStateException when the
application attempts to write to an HTTP/2 stream after the client has
closed the stream. (markt)
Jasper
Fix: When resolving methods in EL expressions that use beans and/or
static fields, ensure that any custom type conversion is considered when
identifying the method to call. (markt)
Web applications
Fix: Correct the name of the value attribute in the new documentation
of OpenSSLConfCmd elements. (rjung)
2022-02-28 Tomcat 9.0.59 (remm)
Catalina
Add: Add ha-api-*.jar and jaxws-rt-*.jar to the list of JARs to skip
when scanning for TLDs, web fragments and annotations. (michaelo)
Add: Expand the default mappings used by ServletResponse.setLocale()
to include a mapping from the ja locale to the Shift_JIS encoding. (markt)
Fix: 65806: Improve the handling of session ID generation when the
default algorithm for SecureRandom (SHA1PRNG) is not supported by the
configured providers as will be the case for a FIPS compliant
configuration. (markt)
Fix: #464: Fall back to the class loader used to load JULI when the
thread context class loader is not set. In a normal Tomcat configuration,
this will be the system class loader. Based on a pull request by
jackshirazi. (markt)
Fix: #469: Include the Java Annotations API in the classes that Tomcat
will not load from web applications. Pull request provided by ppkarwasz.
(markt)
Add: #472: Add support for additional user attributes to
TomcatPrincipal and GenericPrincipal. Patch provided by Carsten Klein.
(michaelo)
Fix: Fix a potential StringIndexOutOfBoundsException exception when
generating a WebDAV multi-status response after an error during a copy or
delete. Report the paths relative to the server root for any resources
with an error. (markt)
Fix: Improve the format of WebDAV XML responses to make them easier
for humans to read. The change ensures that there is always a line break
before starting a new element. (markt)
Fix: Improve validation of the Destination header for WebDAV MOVE and
COPY requests. (markt)
Coyote
Fix: Correct a regression in the fix for 65454 that meant that
minSpareThreads and maxThreads settings were ignored when the Connector
used an internal executor. (markt)
Fix: 65776: Improve the detection of the Linux duplicate accept bug
and reduce (hopefully avoid) instances of false positives. (markt)
Fix: 65848: Revert the change that attempted to align the behaviour of
client certificate authentication with NIO or NIO2 with OpenSSL for TLS
between MacOS and Linux/Windows as the root cause was traced to
configuration differences. (markt)
Fix: #467: When system time moves backwards (e.g. after clock
correction), ensure that the cached formatted current date used for HTTP
headers tracks this change. Pull request provided by zhenguoli. (markt)
Jasper
Fix: #474: Prevent a tag file from corrupting the ELContext of the
calling page. Pull request provided by Dmitri Blinov. (markt)
Fix: Minor optimisation of serialization for FunctionMapperImpl in
response to pull request #476. (markt)
Web applications
Fix: Remove the applet example from the example web application as
applets are no longer supported in any major browser. (markt)
Code: Refactor a small number of pages in the examples web application
to avoid an issue with reproducible builds due to differences in file
ordering across different operating systems with Ant's zip task. (markt)
Fix: Better documentation for the protocol attribute of the JNDIRealm.
(markt)
Fix: Clarify the settings described in the documentation web
application to configure a cluster using static membership. (markt)
Add: Add information on the OpenSSLConf and OpenSSLConfCmd elements to
the HTTP SSL configuration page in the documentation web applications.
(markt)
jdbc-pool
Code: Use LF line endings for text files in JARs to support
reproducible builds across different operating systems. (markt)
Other
Code: Switch to building with Java 11 and using --release to target
Java 8. Once back-ported to all currently supported branches, this will
reduce the number of Java versions developers need to juggle. (markt)
Code: Use LF line endings for text files in JARs to support
reproducible builds across different operating systems. (markt)
Fix: Fix dependencies for individual test targets in Ant build file.
Based on #468 provided by Totoo chenyonghui. (markt)
Update: Update the OWB module to Apache OpenWebBeans 2.0.26. (remm)
Fix: Revert the cherry-pick of JavaDoc fix from DBCP applied in 9.0.57
that broke the DataSourceMXBean by using a type that isn't supported by
MXBeans. (markt)
2022-01-20 Tomcat 9.0.58 (remm)
Coyote
Fix: Correct a regression in the fix for 65785 that broke HTTP/2
server push. (markt)
not released Tomcat 9.0.57 (remm)
Catalina
Fix: Add additional locking to DataSourceUserDatabase to provide
improved protection for concurrent modifications. (markt)
Fix: Add recycling check in the input and output stream isReady to try
to give a more informative ISE when the facade has been recycled. (remm)
Update: Remove the deprecated JmxRemoteLifecycleListener. (markt)
Fix: Make the calculation of the session storage location more robust
when using file based persistent storage. (markt)
Coyote
Fix: 65726: Implement support for HTTP/1.1 upgrade when the request
includes a body. The maximum permitted size of the body is controlled by
maxSavePostSize. (markt)
Fix: Restore pre-starting of minSpareThreads lost in the fix for
65454. (markt)
Fix: Revert the previous fix for 65714 and implement a more
comprehensive fix. (markt)
Fix: 65757: Missing initial IO listener notification on Servlet
container dispatch to another container thread. (remm)
Fix: Expand the fix for 65757 so that rather than just checking if
processing is happening on a container thread, the check is now if
processing is happening on the container thread currently allocated to
this request/response. (markt)
Fix: Improve the fix for RST frame ordering added in 9.0.56 to avoid a
potential deadlock on some systems in non-default configurations. (markt)
Add: 65767: Add support for certificates that use keys encrypted using
PBES2. Based on a pull request provided by xiezhaokun. (markt)
Code: Refactor testing whether a String is a valid HTTP token. (markt)
Fix: 65785: Perform additional validation of HTTP headers when using
HTTP/2. (markt)
Fix: When a Connector or Endpoint is paused, ensure that only new
connections and new requests on existing connections are stopped while
allowing in progress requests to run to completion. (markt)
Fix: Explicitly release ByteBuffer instances associated with pooled
channels when stopping the NioEndpoint and Nio2Endpoint. (markt)
Fix: Narrow the scope of the logging of invalid cookie headers to just
the invalid cookie rather than the whole cookie header. (markt)
Jasper
Fix: 65724: Fix missing messages for some
PropertyNotWritableExceptions caused by a typo in the name used for a
resource string. (markt)
Add: Add support for specifying Java 18 (with the value 18) as the
compiler source and/or compiler target for JSP compilation. If used with
an Eclipse JDT compiler version that does not support these values, a
warning will be logged and the default will used. (markt)
WebSocket
Add: Add support for POJO WebSocket endpoints to the programmatic
upgrade that allows applications to opt to upgrade an HTTP connection to
WebSocket. (markt)
Fix: 65763: Improve handling of WebSocket connection close if a
message write times out before the message is fully written. (markt)
Other
Update: Update the OWB module to Apache OpenWebBeans 2.0.25. (remm)
Update: Update the CXF module to Apache CXF 3.5.0. (remm)
Add: Improvements to Chinese translations contributed by zhnnn.
(markt)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations contributed by Shirayuking,
yoshy and tak7iji. (markt)
Add: Improvements to Korean translations. (woonsan)
Update: Update SpotBugs to 4.5.2. (markt)
Update: Update the NSIS installer to 3.08. (markt)
Update: Update UnboundID to 6.0.3. (markt)
Update: Update CheckStyle to 9.2.1. (markt)
Update: Update BND to 6.1.0. (markt)
Update: Update OSGI annotations to 1.1.1. (markt)
2021-12-02 Tomcat 9.0.56 (remm)
Catalina
Fix: Make SPNEGO authentication more robust for the case where the
provided credential has expired. (markt)
Fix: 65684: Fix a potential NullPointerException when using JULI.
(markt)
Docs: Document conditions under which the AprLifecycleListener can be
used to avoid JVM crashes. (michaelo)
Fix: Refactor the AsyncFileHandler to reduce the possibility of log
messages being lost on shutdown. (markt)
Update: Refactor the AsyncFileHandler to remove the need for the
org.apache.juli.AsyncLoggerPollInterval. If set, this property now has no
effect. (markt)
Add: Add debug logging to the RestCsrfPreventionFilter. Based on pull
request #452 by Polina Georgieva. (markt)
Add: 65710: Implement a workaround for a JVM bug that can trigger a
file descriptor leak when using multi-part upload and the application does
not explicitly close an input stream for an uploaded file that was cached
on disk. (markt)
Coyote
Fix: Improve error handling if APR/Native fails to attach TLS
capabilities to a TLS enabled client connection. (markt)
Fix: Improve error handling if APR/Native fails to accept an incoming
connection. (markt)
Add: Provide protection against a known OS bug that causes the
acceptor to report an incoming connection more than once. (markt)
Fix: Avoid unnecessary duplicate read registrations for blocking I/O
with the NIO connector. (markt)
Fix: 65677: Improve exception handling for errors during HTTP/1.1
reads with NIO2. (markt)
Fix: Refactor APR/native connector shutdown to remove a potential
source of JVM crashes on shutdown when sendfile is used. (markt)
Fix: When an error occurs that triggers a stream reset, ensure that
the first RST frame sent to the client is the one associated with the
error that triggered the reset. (markt)
Fix: 65714: Fix exceptions when the security manager is enabled and
the first request received after starting is an HTTP request to a TLS
enabled NIO2 connector. (markt)
Add: Ensure that using NIO or NIO2 with OpenSSL for TLS behaves the
same way on MacOS as it does on Linux and Windows when no trusted
certificate authorities are configured and reject all client certificates.
(markt)
Fix: Avoid a potential deadlock during the concurrent processing of
incoming HTTP/2 frames for a stream and that stream being reset. (markt)
Other
Fix: Switch from Cobertura to JaCoCo for code coverage as Cobertura
does not support code coverage for code compiled for Java 11 onwards. It
also removes the need to use a single thread to run the tests. (markt)
2021-11-10 Tomcat 9.0.55 (remm)
Catalina
Fix: Improve robustness of JNDIRealm for exceptions occurring when
getting the connection. Also add missing close when running into issues
getting the passord of a user. (remm)
Docs: Add Javadoc comment which listeners must be nested whithin
Server elements only. (michaelo)
Add: Add support for custom caching strategies for web application
resources. This initial implementation allows control over whether or not
a resource is cached. (markt)
Update: Log warning if a listener is not nested inside a Server
element although it must have been. (michaelo)
Coyote
Code: Improve performance of Connector shutdown - primarily to reduce
the time it takes to run the test suite. (markt)
Fix: Refactor the APR/native connector shutdown to reduce the
possibility of a JVM crash during the connector shutdown. (markt)
Add: #457: Add a toString() method to MimeHeader to aid debugging.
(dblevins)
Add: Add experimental OpenSSL support through the Panama API
incubating in Java 17, with support for OpenSSL 1.1+. This no longer
requires tomcat-native or APR. Please refer to the openssl-java17 module
from the main branch for more details. (remm)
Fix: Fix APR connector stop so it correctly waits for the sendfile
thread, if any, to exit. (markt)
Fix: Do not ignore the error condition if the APR connector is not
able to open a server socket as continuing in this case will trigger a JVM
crash. (markt)
Fix: Fix a potential JVM crash when using the APR/Native connector
with TLS. A crash could occur if the connector was stopped whilst a
connection was performing a TLS handshake. (markt)
Jasper
Update: Regenerate the EL parser using JavaCC 7.0.10. (markt)
Fix: Fix a bug that prevented the EL parser correctly parsing a
literal Map that used variables rather than literals for both keys and
values. (markt)
WebSocket
Update: Add a new method WsServerContainer.upgradeHttpToWebSocket() to
align with the new method that will be available from WebSocket 2.1
onwards. (markt)
Tribes
Fix: #454: Differentiate warning messages in
KubernetesMembershipProvider so that the missing attribute is clear
to the user. PR provided by Hal Deadman. (markt)
2021-10-01 Tomcat 9.0.54 (remm)
Catalina
Fix: Provide the DataSource in the constructor of
DataSourceUserDatabase, since it is always global. (remm)
Fix: Fix delete then create object manipulations with
DataSourceUserDatabase. (remm)
Fix: 65553: Implement a work-around for a JRE bug that can trigger a
memory leak when using the JNDI realm. (markt)
Fix: 65586: Fix the bloom filter used to improve performance of
archive file look ups in the web resources implementation so it works
correctly for directory lookups whether or not the provided directory name
includes the trailing /. (markt)
Fix: #451: Improve the usefulness of the thread name cache used in
JULI. Pull request provided by t-gergely. (markt)
Coyote
Fix: 65563: Correct parsing of HTTP Content-Range headers. Tomcat was
incorrectly requiring an = character after bytes. Fix based on pull
request #449 by Thierry Guérin. (markt)
Fix: Correct a potential StackOverflowException with HTTP/2 and
sendfile. (markt)
Fix: Further improvements in the management of the connection flow
control window. This addresses various bugs that caused streams to
incorrectly report that they had timed out waiting for an allocation from
the connection flow control window. (markt)
Fix: 65577: Fix a AccessControlException reporting when running an
NIO2 connector with TLS enabled. (markt)
Update: Reclassify TLS ciphers that use AESCCM8 as medium security
rather than high security to align with recent changes in OpenSSL. (markt)
Fix: Fix an issue that caused some Servlet non-blocking API reads of
the HTTP request body to incorrectly use blocking IO. (markt)
Jasper
Fix: Fix the implementation of MethodExpression.getMethodInfo() so
that it returns the expected value rather than failing when the method
expression is defined with the parameter values in the expression rather
than the types being passed explicitly to
ExpressionFactory.createMethodExpression(). (markt)
WebSocket
Fix: The internal upgrade handler should close the associated
WebConnection on destroy. (remm)
Web applications
Fix: Clarify the JASPIC configuration options in the documentation web
application. (markt)
Other
Fix: 65585: Update obsolete comments at the start of the
build.properties.default file. (markt)
2021-09-10 Tomcat 9.0.53 (remm)
Catalina
Fix: Enable Tomcat to start if an (old) XML parser is configured that
does not support allow-java-encodings. A warning will be logged if such an
XML parser is detected. (markt)
Fix: Change the behaviour of custom error pages. If an error occurs
after the response is committed, once the custom error page content has
been added to the response the connection is now closed immediately rather
than closed cleanly. i.e. the last chunk that marks the end of the
response body is no longer sent. This acts as an additional signal to the
client that the request experienced an error. (markt)
Fix: 65479: When handling requests using JASPIC authentication, ensure
that PasswordValidationCallback.getResult() returns the result of the
password validation rather than always returning false. Fixed via pull
request #438 provided by Robert Rodewald. (markt)
Code: Refactor the authenticators to delegate the check for preemptive
authentication to the individual authenticators where an authentication
scheme specific check can be performed. Based on pull request #444 by
Robert Rodewald. (markt)
Update: Improve the reusability of the UserDatabase by adding
intermediate concrete implementation classes and allowing to do partial
database updates on save. (remm)
Add: Add a UserDatabase implementation as a superset of the
DataSourceRealm functionality. (remm)
Fix: Make sure the dynamic Principal returned by UserDatabaseRealm
stays up to date with the database contents, and add an option to have it
be static, similar to the other realms. (remm)
Add: Add derby-*.jar to the list of JARs to skip when scanning for
TLDs, web fragments and annotations. (markt)
Fix: #447. Correct JPMS metadata for catalina.jar. Pull request
provided by Hui Wang. (markt)
Coyote
Fix: Correct a logic error that meant setting certificateKeystoreFile
to NONE did not have the expected effect. NONE was incorrectly treated as
a file path. Patch provided by Mikael Sterner. (markt)
Fix: 65505: When an HTTP header value is removed, ensure that the
order of the remaining header values is unchanged. (markt)
WebSocket
Fix: 65506: Fix write timeout check that was using the read timeout
value. Patch submitted by Gustavo Mahlow. (remm)
Web applications
Fix: Remove unnecessary Context settings from the examples web
application. (markt)
Fix: Document default value for unpackWARs and related clean-up. Pull
request #439 provided by Robert Rodewald. (markt)
Fix: Clarify the documentation of the compressionMinSize and
compressibleMimeType HTTP Connector attributes. Pull request #442 provided
by crisgeek. (markt)
Other
Fix: Fix failing build when building on non-English locales. Pull
request #441 provided by Dachuan J. (markt)
Update: Update to JSign version 4.0 to enable code signing without the
need for the installation of additional client tools. (markt)
Add: Update the internal fork of Apache Commons BCEL to 40d5eb4
(2021-09-01, 6.6.0-SNAPSHOT). Code clean-up only. (markt)
Add: Update the internal fork of Apache Commons Codec to fd44e6b
(2021-09-01, 1.16-SNAPSHOT). Minor refactoring. (markt)
Update: Add Apache Derby 10.14.2.0 to the testsuite dependencies, for
JDBC and DataSource testing. (remm)
Add: 65661: Update the internal fork of Apache Commons FileUpload to
33d2d79 (2021-09-01, 2.0-SNAPSHOT). Refactoring and code clean-up. As a
result of Commons File Upload now using java.nio.file.Files, applications
using multi-part uploads need to ensure that the JVM is configured with
sufficient direct memory to store all in progress multi-part uploads.
(markt)
Add: Update the internal fork of Apache Commons Pool to 2.11.1
(2021-08-17). Improvements, code clean-up and refactoring. (markt)
Add: Update the internal fork of Apache Commons DBCP to 2.9.0
(2021-08-03). Improvements, code clean-up and refactoring. (markt)
Update: Update the packaged version of the Tomcat Native Library to
1.2.31 to pick up Windows binaries built with OpenSSL 1.1.1l.(markt)
Update: Switch to the CDN as the primary download location for ASF
dependencies. (markt)
Add: Improvements to Chinese translations contributed by syseal,
wolibo, ZhangJieWen and DigitalFatCat. (markt)
Add: Improvements to Japanese translations contributed by tak7iji.
(markt)
Add: Improvements to Korean translations. (woonsan)
2021-08-06 Tomcat 9.0.52 (remm)
Catalina
Code: 65476: Correct an error in some code clean-up that mean that web
application classes were not configured with the correct package. (markt)
not released Tomcat 9.0.51 (remm)
Catalina
Fix: 65411: Always close the connection when an uncaught
NamingException occurs to avoid connection locking. Submitted by Ole
Ostergaard. (remm)
Fix: 65433: Correct a regression in the fix for 65397 where a
StringIndexOutOfBoundsException could be triggered if the canonical path
of the target of a symlink was shorter than the canonical path of the
directory in which the symlink had been created. Patch provided by Cedomir
Igaly. (markt)
Add: 65443: Refactor the CorsFilter to make it easier to extend.
(markt)
Fix: To avoid unnecessary cache revalidation, do not add an HTTP
Expires header when setting adding an HTTP header of CacheControl:
private. (markt)
Coyote
Fix: When writing an HTTP/2 response via sendfile (only enabled when
useAsyncIO is true) the connection flow control window was sometimes
ignored leading to various error conditions. sendfile now checks both the
stream and connection flow control windows before writing. (markt)
Add: Add debug logging for writing an HTTP/2 response via sendfile.
(markt)
Fix: Correct bugs in the HTTP/2 connection flow control management
that meant it was possible for a connection to stall waiting for a
connection flow control window update that had already arrived. Any
streams on that connection that were trying to write when this happened
would time out. (markt)
Fix: 65448: When using TLS with NIO, it was possible for a blocking
response write to hang just before the final TLS packet associated with
the response until the connection timed out at which point the final
packet would be sent and the connection closed. (markt)
Fix: 65454: Fix a race condition that could result in a delay to a new
request. The new request could be queued to wait for an existing request
to finish processing rather than the thread pool creating a new thread to
process the new request. (markt)
Fix: 65460: Correct a regression introduced in the previous release in
the change to reduce the number of small HTTP/2 window updates sent for
streams. A logic error meant that small window updates for the connection
were dropped. This meant that the connection flow window slowly reduced
over time until nothing could be sent. (markt)
Web applications
Fix: 65404: Correct a regression in the fix for 63362 that caused the
server status page in the Manager web application to be truncated if HTTP
upgrade was used such as when starting a WebSocket connection. (markt)
Other
Add: Improvements to Chinese translations contributed by ZhangJieWen
and chengzheyan. (markt)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations contributed by tak7iji.
(markt)
Add: Improvements to Korean translations. (woonsan)
Fix: Use of GraalVM native images no longer automatically disables JMX
support. JMX support may still be disabled by calling
org.apache.tomcat.util.modeler.Registry.disableRegistry(). (markt)
2021-07-02 Tomcat 9.0.50 (remm)
Jasper
Fix: Jakarta to Javax backport issue in tests. (remm)
not released Tomcat 9.0.49 (remm)
Catalina
Code: Refactor the RemoteIpValve to use the common utility method for
list to comma separated string conversion. (markt)
Code: Refactor JNDIRealm$JNDIConnection so its fields are accessible
to sub-classes of JNDIRealm. (markt)
Fix: Fix serialization warnings in UserDatabasePrincipal reported by
SpotBugs. (markt)
Fix: 65397: Calls to ServletContext.getResourcePaths() no longer
include symbolic links in the results unless allowLinking has been set to
true. If a resource is skipped because of this change, a warning will be
logged as this typically indicates a configuration issue. (markt)
Coyote
Fix: 65368: Improve handling of clean closes of inbound TLS
connections. Treat them the same way as clean closes of non-TLS
connections rather than as unknown errors. (markt)
Fix: Modify the HTTP/2 connector not to sent small updates for stream
flow control windows to the user agent as, depending on how the user agent
is written, this may trigger small writes from the user agent that in turn
trigger the overhead protection. Small updates for stream flow control
windows are now combined with subsequent flow control window updates for
that stream to ensure that all stream flow control window updates sent
from Tomcat are larger than overheadWindowUpdateThreshold. (markt)
Add: Add additional debug logging to track the current state of the
HTTP/2 overhead count that Tomcat uses to detect and close potentially
malicious connections. (markt)
Update: Many HTTP/2 requests from browsers will trigger one overhead
frame and one non-overhead frame. Change the overhead calculation so that
a non-overhead frame reduces the current overhead count by 2 rather than
1. This means that, over time, the overhead count for a well-behaved
connection will trend downwards. (markt)
Update: Change the initial HTTP/2 overhead count from -10 to -10 *
overheadCountFactor. This means that, regardless of the value chosen for
overheadCountFactor, when a connection opens 10 overhead frames in a row
will be required to trigger the overhead protection. (markt)
Update: Increase the default overheadCountFactor from 1 to 10 and
change the reduction in overhead count for a non-overhead frame from -2 to
-20. This allows for a larger range (0-20) to be used for
overheadCountFactor providing for finer-grained control. (markt)
Fix: Modify the parsing of HTTP header values that use the 1#token to
ignore empty elements as per RFC 7230 section 7 instead of treating the
presence of empty elements as an error. (markt)
Fix: Expand the unit tests for HttpServlet.doHead() and correct the
flushing of the response buffer. The buffer used to behave as if it was
one byte smaller than the configured size. The buffer was flushed (and the
response committed if required) when the buffer was full. The buffer is
now flushed (and the response committed if required) if the buffer is full
and there is more data to write. (markt)
Fix: Fix an issue where concurrent HTTP/2 writes (or concurrent reads)
to the same connection could hang and eventually timeout when async IO was
enabled (it is enabled by default). (markt)
Jasper
Fix: 65390: Correct a regression in the fix for 65124 and restore code
that was removed in error leading to JSP compilation failures in some
circumstances. (markt)
Update: Update to the Eclipse JDT compiler 4.20. (markt)
Add: Add support for specifying Java 17 (with the value 17) as the
compiler source and/or compiler target for JSP compilation. If used with
an Eclipse JDT compiler version that does not support these values, a
warning will be logged and the latest supported version will used. (markt)
Fix: 65377: Update the Java code generation for JSPs not to use the
boxed primitive constructors as they have been deprecated in Java 9 and
marked for future removal in Java 16. valueOf() is now used instead.
(markt)
WebSocket
Code: Refactor the DigestAuthenticator to reuse a shared SecureRandom
instance rather than create a new one to generate the cnonce if required.
(markt)
Web applications
Fix: 65385: Correct the link in the documentation web application the
Maven Central repository. (markt)
Other
Update: Update the OWB module to Apache OpenWebBeans 2.0.23. (remm)
Update: Update the CXF module to Apache CXF 3.4.4. (remm)
Fix: 65369 / #422: Add the additional --add-opens=... options required
for running Tomcat on Java 16 onwards to the service.bat script to align
it with the other start-up scripts. PR provided by MCMicS. (markt)
Update: Update JUnit to version 4.13.2. (markt)
Update: Update EasyMock to 4.3. (markt)
Update: Update Objenesis to 3.2. (markt)
Update: Update UnboundID to 6.0.0. (markt)
Update: Update CheckStyle to 8.43. (markt)
Update: Update SpotBugs to 4.2.3. (markt)
Update: Update OSGi annotations to 1.1.0. (markt)
2021-06-15 Tomcat 9.0.48 (remm)
Coyote
Fix: Regression when generating reflection due to removed NIO classes
in 9.0.47. (remm)
Other
Add: Use JSign to integrate the build script with the code signing
service to enable release builds to be created on Linux as well as
Windows. (markt)
not released Tomcat 9.0.47 (remm)
Catalina
Fix: 65301: RemoteIpValve will now avoid getting the local host name
when it is not needed. (remm)
Fix: 65308: NPE in JNDIRealm when no userRoleAttribute is given.
(fschumacher)
Add: #412: Add commented out, sample users for the Tomcat Manager app
to the default tomcat-users.xml file. Based on a PR by Arnaud Dagnelies.
(markt)
Add: #418: Add a new option, pass-through, to the default servlet's
useBomIfPresent initialization parameter that causes the default servlet
to leave any BOM in place when processing a static file and not to use the
BOM to determine the encoding of the file. Based on a pull request by
Jean-Louis Monteiro. (markt)
Update: Add cookieName attribute to the SSO valve to configure the SSO
cookie name. (remm)
Fix: #419: When processing POST requests of type multipart/form-data
for parts without a filename that are added to the parameter map in String
form, check the size of the part before attempting conversion to String.
Pull request provided by tianshuang. (markt)
Fix: 62912: Don't mutate an application provided content header if it
does not contain a charset. Also remove the outdated workaround for the
buggy Adobe Reader 9 plug-in for IE. (markt)
Fix: AprLifecycleListener does not show dev version suffix for
libtcnative and libapr. (michaelo)
Update: Refactor principal handling in UserDatabaseRealm using an
inner class that extends GenericPrincipal. (remm)
Fix: Enable the default doHead() implementation in HttpServlet to
correctly handle responses where the content length needs to be
represented as a long since it is larger than the maximum value that can
be represented by an int. (markt)
Fix: Avoid synchronization on roles verification for the memory
UserDatabase. (remm)
Fix: Fix the default doHead() implementation in HttpServlet to
correctly handle responses where the Servlet calls ServletResponse.reset()
and/or ServletResponse.resetBuffer(). (markt)
Fix: Fix the default doHead() implementation in HttpServlet to
correctly handle responses generated using the Servlet non-blocking API.
(markt)
Coyote
Add: 64943: Add support for Unix Domain Sockets to
org.apache.coyote.http11.Http11AprProtocol. Depends on tomcat-native
1.2.26 and up. (minfrin)
Fix: 65303: Fix a possible NullPointerException if an error occurs on
an HTTP/1.1 connection being upgraded to HTTP/2 or on a pushed HTTP/2
stream. (markt)
Fix: 65311: Fix a race condition in the NioBlockingSelector that could
cause a delay to select operations. (markt)
Update: Simplify AprEndpoint socket bind for all platforms. (michaelo)
Update: Add back simplification of NIO block read and write, now
better validated in Tomcat 10. (remm)
Fix: Optimize NIO selector handling for Java 11. (remm)
Fix: 65340: Add missing check for a negative return value for
Hpack.decodeInteger in the HpackDecoder, which could cause a
NegativeArraySizeException exception. Submitted by Thomas, and verified
the fix is present in the donated hpack code in a further update. (remm)
Add: Add debug logging for HTTP/2 HPACK header decoding. (markt)
Fix: Correct parsing of HTTP headers consisting of a list of tokens so
that a header with an empty token is treated consistently regardless of
whether the empty token is at the start, middle or end of the list of
tokens. (markt)
Fix: Remove support for the identity transfer encoding. The inclusion
of this encoding in RFC 2616 was an error that was corrected in 2001.
Requests using this transfer encoding will now receive a 501 response.
(markt)
Fix: Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1
clients. (markt)
Fix: Ensure that if the transfer encoding header contains the chunked,
that the chunked encoding is the final encoding listed. (markt)
Jasper
Code: Review code used to generate Java source from JSPs and tags and
remove code found to be unnecessary. (markt)
Code: Refactor use of internal ChildInfo class to use compile time
type checking rather than run time type checking. (markt)
Fix: 65358: Improve expression language method matching for methods
with varargs. Where multiple methods may match the provided parameters,
the method that requires the fewest varargs is preferred. (markt)
Add: 65332: Add a commented out section in catalina.policy that
provides the necessary permissions to compile JSPs with javac when running
on Java 9 onwards with a security manager. It is commented out as it will
cause errors if used with earlier Java versions. (markt)
WebSocket
Fix: 65317: When using permessage-deflate, the WebSocket connection
was incorrectly closed if the uncompressed payload size was an exact
multiple of 8192. Based on a patch provided by Saksham Verma. (markt)
Fix: 65342: Correct a regression introduced with the fix for 65262
that meant Tomcat's WebSocket implementation would only work with Tomcat's
implementation of the Java EE WebSocket API. (markt)
Web applications
Fix: Improve the description of the maxConnections and acceptCount
attributes in the Connector section of the documentation web application.
(markt)
Other
Add: Improvements to French translations. (remm)
Add: Improvements to Korean translations. (woonsan)
Fix: 65362: Correct a regression in the previous release. The change
to create OSGi Require-Capability sections in manifests for Jakarta API
JARs manually rather than with bnd annotations did not add the necessary
manual entries to the embedded JARs. (markt)
Update: Update the packaged version of the Tomcat Native Library to
1.2.30. Also update the minimum recommended version to 1.2.30. (markt)
2021-05-12 Tomcat 9.0.46 (markt)
Catalina
Fix: Allow APR connector creation using the listener with the flag and
the default HTTP/1.1 protocol. (rjung/remm)
Code: Expand coverage of unit tests for JNDIRealm using the UnboundID
LDAP SDK for Java. (markt)
Fix: 65224: Ensure the correct escaping of attribute values and search
filters in the JNDIRealm. (markt)
Fix: 65235: Add missing attributes to the MBean descriptor file for
the RemoteIpValve. (markt)
Fix: 65244: HandlesTypes should include classes that use the specified
annotation types on fields or methods. (remm)
Fix: 65251: Correct a regression introduced in 9.0.44 that meant that
the auto-deployment process may attempt a second, concurrent deployment of
a web application that is being deployed by the Manager resulting in one
of the deployments failing and errors being reported. (markt)
Fix: Improve the SSLValve so it is able to handle escaped client
certificate headers from Nginx. Based on a patch by Florent Guillaume.
(markt)
Coyote
Fix: Ensure that all HTTP requests that contain an invalid character
in the protocol component of the request line are rejected with a 400
response rather than some requests being rejected with a 505 response.
(markt)
Fix: When generating the error message for an HTTP request with an
invalid request line, ensure that all the available data is included in
the error message. (markt)
Fix: 65272: Restore the optional HTTP feature that allows LF to be
treated as a line terminator for the request line and/or HTTP headers
lines as well as the standard CRLF. This behaviour was previously removed
as a side-effect of the fix for CVE-2020-1935. (markt)
Jasper
Code: Review code used to generate Java source from JSPs and tags and
remove code found to be unnecessary. (markt)
Update: <servlet> entries in web.xml that include a <jsp-file> \
element
and a negative <load-no-startup> element that is not the default value of
-1 will no longer be loaded at start-up. This makes it possible to define
a <jsp-file> that will not be loaded at start-up. (markt)
Fix: Allow the JSP configuration option useInstanceManagerForTags to
be used with Tags that are implemented as inner classes. (markt)
WebSocket
Code: Refactor the way Tomcat passes path parameters to POJO end
points to simplify the code. (markt)
Fix: 65262: Refactor the creation of WebSocket end point, decoder and
encoder instances to be more IoC friendly. Instances are now created via
the InstanceManager where possible. (markt)
Web applications
Fix: 65235: Correct name of changeLocalName in the documentation for
the RemoteIpValve. (markt)
Fix: 65265: Avoid getting the boot classpath when it is not available
in the Manager diagnostics. (remm)
Other
Fix: Create OSGi Require-Capability sections in manifests for Jakarta
API JARs manually rather than via the
aQute.bnd.annotation.spi.ServiceConsumer annotation as this triggers TCK
failures for downstream consumers of the API JARs. (markt)
Update: Update the packaged version of the Tomcat Native Library to
1.2.28. (markt)
Update: Update the OWB module to Apache OpenWebBeans 2.0.22. (remm)
Update: Update the CXF module to Apache CXF 3.4.3. (remm)
Fix: Move SystemPropertySource to be a regular class to allow more
precise configuration if needed. The system property source will still
always be enabled. (remm)
Add: Improvements to Chinese translations. Provided by bytesgo. (mark)
Add: Improvements to French translations. (remm)
Add: Improvements to Korean translations. (woonsan)
2021-04-06 Tomcat 9.0.45 (markt)
Catalina
Fix: Avoid NPE when a JNDI reference cannot be resolved in favor of a
NamingException. (remm)
Fix: Avoid using reflection for setting properties on the webapp
classloader. Based on a patch submitted by Romain Manni-Bucau. (remm)
Coyote
Fix: Improve consistency of OpenSSL error stack handling in the TLS
engine, and log all errors found as debug. (remm)
Fix: Ensure that HTTP/2 streams are only recycled once as multiple
attempts to recycle an HTTP/2 stream may result in NullPointerExceptions.
(markt)
Code: Simplify the closing on an HTTP/2 stream when an error condition
is present. (markt)
Fix: 64771: Prevent concurrent calls to ServletInputStream.isReady()
corrupting the input buffer. (markt)
Fix: 65179: Ensure that the connection level flow control window from
the client to the server is updated when handling DATA frames received
for completed streams else the flow control window may become exhausted.
(markt)
Fix: 65203: Fix a regression introduced in 9.0.44 that meant that an
error during an asynchronous read broke all future asynchronous reads
associated with the same request instance. (markt)
Fix: Disable keep-alive when inconsistent content delimitation is
present in a request. (remm)
Jasper
Fix: Include the new org.apache.jasper.optimizations package in the
list of OSGi exported packages for the Jasper embedded JAR.
Patch provided by Sokratis Zappis. (markt)
Add: Add a new option for the trimSpaces configuration. extended will
attempt to remove leading and trailing whitespace from template text and
collapse sequences of whitespace and newlines within template text into a
single new line. Based on a pull request by kamnani. (markt)
Other
Add: Implement the first phase of reproducible builds. Sequential
builds on the same machine now produce identical output provided that
the Ant property ant.tstamp.now is set. The minimum required Ant
version is now 1.9.10. (markt)
Add: Improvements to Chinese translations. Provided by Ruan Wenjun.
(mark)
Add: Improvements to French translations. (remm)
Add: Improvements to Japanese translations. Provided by kfujino and
Shirayuking. (markt)
Add: Improvements to Korean translations. (woonsan)
Update: Update the packaged version of the Tomcat Native Library to
1.2.27. (markt)
2021-03-10 Tomcat 9.0.44 (markt)
Catalina
Fix: Revert an incorrect fix for a potential resource leak that broke
deployment via the Ant deploy task. (markt)
Fix: Improve error message for failed ConfigurationSource lookups in
the Catalina implementation. (remm)
Fix: 64938: Align the behaviour when null is passed to the
ServletResponse methods setCharacterEncoding(), setContentType() and
setLocale() with the recent clarification from the Jakarta Servlet
project of the expected behaviour in these cases. (markt)
Fix: 65135: Rename Context method isParallelAnnotationScanning to
getParallelAnnotationScanning for consistency and ease of use in JMX
descriptors. (remm)
Fix: Ensure that the AsyncListener.onError() event is triggered when a
I/O error occurs during non-blocking I/O. There were some cases
discovered where this was not happening. (markt)
Add: Make the non-blocking I/O error handling more robust by handling
the case where the application code swallows an IOException in
WriteListener.onWritePossible() and ReadListener.onDataAvailable().
(markt)
Fix: Correct syntax error in output of JsonErrorReportValve. Pull
request provided by Viraj Kanwade. (markt)
Code: Make the StandardContext.postWorkDirectory() protected rather
than private to help users wishing to customise the default work directory
behaviour. (markt)
Coyote
Fix: 65118: Fix a potential NullPointerException when pruning closed
HTTP/2 streams from the connection. (markt)
Fix: Avoid NullPointerException when a secure channel is closed before
the SSL engine was initialized. (remm)
Fix: Ensure that the ReadListener's onError() event is triggered if
the client closes the connection before sending the entire request body
and the server is ready the request body using non-blocking I/O. (markt)
Fix: 65137: Ensure that a response is not corrupted as well as
incomplete if the connection is closed before the response is fully
written due to a write timeout. (markt)
Fix: Related to bug 65131, make sure all errors from OpenSSL are fully
cleared, as there could be more than one error present after an operation
(confirmed in the OpenSSL API documentation). (remm)
Fix: Make handling of OpenSSL read errors more robust when plain text
data is reported to be available to read. (markt)
Fix: Correct handling of write errors during non-blocking I/O to
ensure that the associated AsyncContext was closed down correctly. (markt)
Web applications
Fix: 65136: Remove the restriction that prevented the Manager web
application deploying different web applications in parallel. This
required some refactoring, most notably to HostConfig.check() and how it
is used. (markt)
Other
Update: Update the OWB module to Apache OpenWebBeans 2.0.21. (remm)
Update: Update the CXF module to Apache CXF 3.4.2. (remm)
Add: Improvements to French translations. (remm)
Add: Improvements to Korean translations. (woonsan)
Add: Improvements to Brazilian Portuguese translations. Provided by
Thiago. (mark)
Add: Improvements to Russian translations. Provided by Azat. (mark)
Add: Improvements to Chinese translations. Provided by shawn. (mark)
Update: Update to bnd 5.3.0. (markt)
2021-02-02 Tomcat 9.0.43 (markt)
Catalina
Fix: 65106: Fix the ConfigFileLoader handling of file URIs when
running under a security manager on some JREs. (markt)
Coyote
Fix: Ensure that SNI provided host names are matched to SSL virtual
host configurations in a case insensitive manner. (markt)
Fix: 65111: Free direct memory buffers in the APR connector. (remm)
not released Tomcat 9.0.42 (markt)
Catalina
Fix: 60781: Escape elements in the access log that need to be escaped
for the access log to be parsed unambiguously. (fschumacher/markt)
Add: 64110: Add support for additional TLS related request attributes
that provide details of the protocols and ciphers requested by a client in
the initial TLS handshake. (markt)
Add: Let the RemoteCIDRValve inherit from RequestFilterValve and
support all of its features. Especially add support for connector specific
configuration using addConnectorPort. (rjung)
Add: Add peerAddress to coyote request, which contains the IP address
of the direct connection peer. If a reverse proxy sits in front of Tomcat
and the protocol used is AJP or HTTP in combination with the
RemoteIp(Valve|Filter), the peer address might differ from the
remoteAddress. The latter then contains the address of the client in front
of the reverse proxy, not the address of the proxy itself. Support for the
peer address has been added to the RemoteAddrValve and RemoteCIDRValve
with the new attribute usePeerAddress. This can be used to restrict access
to Tomcat based on the reverse proxy IP address, which is especially
useful to harden access to AJP connectors. The peer address can also be
logged in the access log using the new %{peer}a syntax. (rjung)
Fix: Avoid uncaught InaccessibleObjectException on Java 16 trying to
clear references threads. (remm)
Fix: 65033: Fix JNDI realm error handling when connecting to a failed
server when pooling was not enabled. (remm)
Fix: 65047: If the AccessLogValve is unable to open the access log
file, include information on the current user in the associated log
message (markt)
Coyote
Fix: Additional fix for 64830 to address an edge case that could
trigger request corruption with h2c connections. (markt)
Fix: 64974: Improve handling of pipelined HTTP requests in combination
with the Servlet non-blocking IO API. It was possible that some requests
could get dropped. (markt)
Add: Add support for using Unix domain sockets for NIO when running on
Java 16 or later. This uses NIO specific unixDomainSocketPath and
unixDomainSocketPathPermissions attributes. Based on a PR submitted by
Graham Leggett. (remm)
Fix: 65001: Fix error handling for exceptions thrown from calls to
ReadListener and WriteListener. (markt)
Fix: Avoid possible infinite loop in OpenSSLEngine.unwrap when the
destination buffers state is changed concurrently. (remm)
Jasper
Add: Add a new StringInterpreter interface that allows applications to
provide customised string attribute value to type conversion within JSPs.
This allows applications to provide a conversion implementation that is
optimised for the application. (markt)
Fix: 64965: JspContextWrapper.findAttribute should ignore expired
sessions rather than throw an IllegalStateException. (remm)
Update: Update to the Eclipse JDT compiler 4.18. (markt)
Web applications
Fix: 65007: Clarify that the commands shown in the TLS documentation
for importing a signed TLS certificate from a certificate authority are
typical examples that may need to be adjusted in some cases. (markt)
Tribes
Fix: Work around DNS caching for the DNS provider of the cloud
membership. (jfclere)
Other
Add: Improvements to Chinese translations. Provided by leeyazhou and
Yi Shen. (markt)
Add: Improvements to French translations. (remm)
Add: Improvements to Korean translations. (woonsan)
Update: Update the packaged version of the Tomcat Native Library to
1.2.26. (markt)
Add: Update the internal fork of Apache Commons Pool to 2.9.1-SNAPSHOT
(2021-01-15). (markt)
Add: Update the internal fork of Apache Commons DBCP to 2.9.0-SNAPSHOT
(2021-01-15). (markt)
Update: Migrate to new code signing service. (markt)
Code: Use java.nio.file.Path to test for one directory being a
sub-directory of another in a consistent way. (markt)
Update: Update to Commons Daemon 1.2.4. (markt)
Add: Improvements to Brazilian Portuguese translations. Provided by
Rual Zaninetti Rosa and Lucas. (markt)
Add: Improvements to Russian translations. Provided by Polina and
Azat. (markt)
Update: Update the NSIS Installer used to build the Windows installer
to version 3.06.1. (kkolinko)
|
| 2021-10-26 13:31:15 by Nia Alarie | Files touched by this commit (1030) |
Log message: www: Replace RMD160 checksums with BLAKE2s checksums All checksums have been double-checked against existing RMD160 and SHA512 hashes Not committed (merge conflicts): www/nghttp2/distinfo Unfetchable distfiles (almost certainly fetched conditionally...): ./www/nginx-devel/distinfo array-var-nginx-module-0.05.tar.gz ./www/nginx-devel/distinfo echo-nginx-module-0.62.tar.gz ./www/nginx-devel/distinfo encrypted-session-nginx-module-0.08.tar.gz ./www/nginx-devel/distinfo form-input-nginx-module-0.12.tar.gz ./www/nginx-devel/distinfo headers-more-nginx-module-0.33.tar.gz ./www/nginx-devel/distinfo lua-nginx-module-0.10.19.tar.gz ./www/nginx-devel/distinfo naxsi-1.3.tar.gz ./www/nginx-devel/distinfo nginx-dav-ext-module-3.0.0.tar.gz ./www/nginx-devel/distinfo nginx-rtmp-module-1.2.2.tar.gz ./www/nginx-devel/distinfo nginx_http_push_module-1.2.10.tar.gz ./www/nginx-devel/distinfo ngx_cache_purge-2.5.1.tar.gz ./www/nginx-devel/distinfo ngx_devel_kit-0.3.1.tar.gz ./www/nginx-devel/distinfo ngx_http_geoip2_module-3.3.tar.gz ./www/nginx-devel/distinfo njs-0.5.0.tar.gz ./www/nginx-devel/distinfo set-misc-nginx-module-0.32.tar.gz ./www/nginx/distinfo array-var-nginx-module-0.05.tar.gz ./www/nginx/distinfo echo-nginx-module-0.62.tar.gz ./www/nginx/distinfo encrypted-session-nginx-module-0.08.tar.gz ./www/nginx/distinfo form-input-nginx-module-0.12.tar.gz ./www/nginx/distinfo headers-more-nginx-module-0.33.tar.gz ./www/nginx/distinfo lua-nginx-module-0.10.19.tar.gz ./www/nginx/distinfo naxsi-1.3.tar.gz ./www/nginx/distinfo nginx-dav-ext-module-3.0.0.tar.gz ./www/nginx/distinfo nginx-rtmp-module-1.2.2.tar.gz ./www/nginx/distinfo nginx_http_push_module-1.2.10.tar.gz ./www/nginx/distinfo ngx_cache_purge-2.5.1.tar.gz ./www/nginx/distinfo ngx_devel_kit-0.3.1.tar.gz ./www/nginx/distinfo ngx_http_geoip2_module-3.3.tar.gz ./www/nginx/distinfo njs-0.5.0.tar.gz ./www/nginx/distinfo set-misc-nginx-module-0.32.tar.gz |
| 2021-10-07 17:09:00 by Nia Alarie | Files touched by this commit (1033) |
Log message: www: Remove SHA1 hashes for distfiles |
| 2020-12-09 22:34:27 by Juraj Lutter | Files touched by this commit (3) |
Log message:
www/apache-tomcat9: Update to 9.0.41
Changelog for 9.0.41:
- Align the behaviour of ServletContext.getRealPath(String path) with the
recent clarification from the Servlet specification project. If the path
parameter does not start with / then Tomcat processes the call as if / is
appended to the beginning of the provided path.
- Fix a potential file descriptor leak when WebSocket connections are
attempted and fail.
- Ensure that the LoadBalancerDrainingValve uses the correct setting for the
secure attribute for any session cookies it creates.
Changelog for 9.0.40:
- Statistics are now available (via JMX) for HTTP/2, WebSocket and HTTP/1.1
upgraded connections
- Stability improvements for HTTP/2
- Stability improvements for the NIO connector
|
| 2020-10-15 18:12:22 by Juraj Lutter | Files touched by this commit (2) |
Log message:
www/apache-tomcat9: Update to 9.0.39
Changes for 9.0.39:
- Refactor the handling of closed HTTP/2 streams to reduce the heap usage
associated with used streams and to retain information for more streams in
the priority tree.
- Allow using the utility executor for annotation scanning.
- Add a bloom filter to speed up archive lookup and improve deployment speed
of applications with a large number of JARs.
Full changelog is available at:
https://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.39
Also CONFLICTS have been adjusted.
|
| 2020-10-05 14:09:54 by Juraj Lutter | Files touched by this commit (3) |
Log message:
www/apache-tomcat9: Update to 9.0.38
Changes for 9.0.38:
- For requests containing the Expect: 100-continue header, optional
support has been added to delay sending an intermediate 100 status
response until the servlet reads the request body, allowing the
servlet the opportunity to respond without asking for the request
body. Based on a pull request by malaysf.
- Add support for a read idle timeout and a write idle timeout to the
WebSocket session via custom properties in the user properties
instance associated with the session. Based on a pull request by
sakshamverma.
- Update the packaged version of the Tomcat Native Library to 1.2.25
Changes for 9.0.37:
- Implement a significant portion of the TLS environment variables for
the rewrite valve.
- Improvements to the creation of OSGi manifests.
- Reduce the memory footprint of closed HTTP/2 streams
- Improve parsing of RFC 2109 cookies
Changes for 9.0.36:
- Add support for ALPN on recent OpenJDK 8 releases.
- Add support for the CATALINA_OUT_CMD environment variable that
defines a command to which captured stdout and stderr will be
redirected. For use with, for example, rotatelogs. Patch provided by
Harald Dunkel.
- Be more flexible with respect to the ordering of groups, roles and
users in the tomcat-users.xml file
Changes for 9.0.35:
- Improve the handling of requests that use an expectation. Do not
disable keep-alive where the response has a non-2xx status code but
the request body has been fully read.
- Change default value separator for property replacement to ":-" due
to possible conflicts. The syntax is now "${name:-default}".
- Update the packaged version of the Tomcat Native Library to 1.2.24.
|
| 2020-04-26 00:23:06 by Jean-Yves Migeon | Files touched by this commit (10) |
Log message:
For clarity, use tomcat_start (resp. tomcat_stop) function instead of
calling ${command} directly for start (resp. stop) within rc.d.
Tested on tomcat9; but applicable down to tomcat6.
Bump PKGREVISION.
ok ryo@.
|
New packages: