Tomcat 5.5.27 (fhanik)
General
44463: War file upload in manager webapp fails due to missing commons-io dependency. Added commons-io 1.4. (rjung)
Catalina
44021, 43013: Add support for # to signify multi-level contexts for directories and wars.
44494: Backport from 6.0 (rjung)
Add additional checks for URI normalization. (remm)
Don't throw an ArrayIndexOutOfBoundsException when empty URL is requested. Patch provided by Charles R Caldarale. (markt)
29936: Don't use parser from a webapp to parse web.xml and possibly context.xml files. (markt)
43079: Correct pattern verification for suspicious URLs. Patch provided by John Kew. (markt)
43080: Log suspicious URL pattern warnings to the correct web application. (markt)
43117: Setting an empty workDIR could delete all of CATALINA_HOME. Patch provided by Takayuki Kaneko. (markt)
44282: Prevent security exception in trace level logging for web application class loader when running under a security manager. (markt)
44529: No roles specified (deny all) should take precedence over no auth-constraint specified (allow-all). (markt)
43578: Enable start on Linux if $CATALINA_HOME contains a space. Original patch provided by Ray Sauers with improvements by Ian Ward Comfort. (markt)
44673: Throw IOE if ServletInputStream is closed and a call is made to any read(), ready(), mark(), reset(), or skip() method as per javadocs for Reader. (markt)
Enable the CGIServlet to work with Windows Vista. (markt)
Add additional permission required to read JDK logging configuration when running with a security manager. (markt)
44943: Reduce copy/paste issues caused by different engine names in server.xml. (markt)
45195: Prevent NPE when calling Session.getAttribute(null) and Session.removeAttribute(null). The spec is unclear but this is a regression from 5.0.x. (markt)
45293: Update name of commons-logging jar in security policy. (markt)
45453: Fix race condition in JDBC Realm. Based on a patch provided by Santtu Hyrkk. (markt)
JAAS Realm did not read role information for users. (markt)
Connectors
Log errors for AJP signoffs at DEBUG level, since it is harmless if mod_jk has hung up the phone. (billbarker)
42727: Handle request lines that are exact multiples of 4096 in length. Patch provided by Will Pugh. (markt)
43191: Compression could not be disabled for some file types. Based on a patch by Len Popp. (markt)
45591: Fix NPE on shutdown failure in some cases. Based on a patch by Matt Passell. (markt)
Jasper
31257: Quote endorsed dirs if they contain a space. (markt)
42943: Make sure nested element is inside <jsp:text> element before throwing exception. (markt)
44877: Prevent collisions in tag pool names. (markt)
45015: Enfore JSP spec rules on quoting in attrbutes. This is configurable using the system property org.apache.jasper.compiler.Parser.STRICT_QUOTE_ESCAPING. (markt)
Webapps
42899: When saving config from admin app, correctly handle case where the old config file does not exist. (markt)
44541: Document packetSize attribute for AJP connector. (markt)
44715: Document use of secret for AJP connector. (markt)
45323: Add note that context.xml files can only contain a single Context element. (markt)
Update JNDI datasource docs since maxActive setting for unlimited changed in commons-pool > 1.2. (markt)
Specification
Use a localised error message if a user tries to write a negative length byte array during default processing of a HEAD request. (markt)
44562: HEAD requests cannot use includes. Patch provided by David Jencks. (markt)
patches to add it). Drop pax from the default USE_TOOLS list.
Make bsdtar the default for those places that wanted gtar to extract
long links etc, as bsdtar can be built of the tree.
http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
Of note:
important: Data integrity CVE-2007-6286
important: Information disclosure CVE-2007-5461
low: Elevated privileges CVE-2007-5342
low: Session hi-jacking CVE-2007-5333
Are all fixed in this release.
Fix install permissions to silence checkperms
In brief:
Fix WebDAV Servlet so it works correctly with MS clients. (markt)
Fix XSS security vulnerability (CVE-2007-2450) in the Manager and Host Manager. Reported by Daiki Fukumori. (markt)
Fix NPE when a ResourceLink in context.xml tries to override an env-entry in web.xml. (markt)
Fix XSS security vulnerabilities (CVE-2007-2449) in the examples. Reported by Toshiharu Sugiyama. (markt)
Add some additional mime-type mappings. (markt)
Ensure JARs in webapps are scanned for TLDs when the Tomcat installation path contains spaces. (markt)
Add link to httpd 2.2 mod_proxy_ajp docs in AJP connector doc. (yoavs)
For all the details see:
http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
Tomcat 5.5.23 (fhanik)
Catalina
41608 Make log levels consistent when Servlet.service() throws an exception. (markt)
41666 Correct handling of boundary conditions for If-Unmodified-Since and If-Modified-Since headers. Patch provided by Suzuki Yuichiro. (markt)
41674 Fix error messages when parsing context.xml that incorrectly referred to web.xml. (markt)
41739 Correct handling of servlets with a load-on-startup value of zero. These are now the first servlets to be started. (markt)
Coyote
Requests with multiple content-length headers are now rejected. (markt)
Tomcat 5.5.22 (fhanik)
General
Fix regression in build that prevented connectors from building. (markt)
Tomcat 5.5.21 (fhanik)
Catalina
41401: StandardService.getConnectorNames() return array of Connector JMX objectnames. (pero)
29727: If env-entry values in web.xml are changed then ensure new values are applied when context is reloaded. (markt)
34956: Ensure request and response objects passed to a RequestDispatcher meet the requirements of SRV.8.2 and SRV.14.2.5.1. This is disabled by default. The Java option -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true is required to enable this test. (markt)
36274: When including static content with the DefaultServlet also treat content types ending in xml as text. (markt)
36976: Don't use CATALINA_OPTS when stopping Tomcat. This allows options for starting and stopping to be set on JAVA_OPTS and options for starting only to be set on CATALINA_OPTS. Without this fix, some startup options (eg the port for remote JMX) would cause stop to fail. Based on a fix suggested by Michael Vorburger. (markt)
37070: Update mbean name documentation to include the StandardWrapper. (markt)
37356: Ensure sessions time out correctly. This has been fixed by removing the accessCount feature by default. This feature prevents the session from timing out whilst requests that last longer than the session time out are being processed. This feature is enabled by setting the Java option -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true The feature is now implemented with synchronization which addresses the thread safety issues associated with the original bug report. (markt)
37439: Update documentation for Engine component to add the requirement that the name must be unique. (markt)
37458: Add syncs to the WebappClassloader to address rare issues when multiple threads attempt to load the same class concurrently. (markt)
37509: Do not remove whitespace from the end of values defined in logging.properties files. (markt)
38198: Add reference to Context documentation from Host documentation that explains how Context name is obtained from the Context filename. (markt)
39088: Prevent infinte loops when an exception is thrown that returns itself for getRootCause(). Based on a patch by Wouter Zelle. (markt)
39436: Correct MIME type for SVG. (markt)
39627: JULI no longer ignores a ".level=XXX" directive in logging.properties. Patch provided by Roger Keays and Richard Fearn. (markt)
39724: Removing the last valve from a pipeline did not return the pipeline to the original state. Patch provided by David Gagon. (markt)
40367: Update JK auto configuration documentation to clarify that workers.properties must also exist. (markt)
40524: HttpServletRequest.getAuthType() now returns CLIENT_CERT rather than CLIENT-CERT for certificate authentication as per the spec. Note that web.xml continues to use CLIENT-CERT to specify the certificate authentication should be used. (markt)
40526: Add support for JPDA_OPTS to catalina.bat and add a JPDA_SUSPEND environment variable to both startup scripts. Patch provided by Kurt Roy. (markt)
40528: Add missing message localisations as provided by Ben Clifford. (markt)
40585: Fix parameterised constructor for o.a.juli.FileHandler so parameters have an effect. (markt)
40625: Stop CGIServlet swallowing the root cause of an exception. Patch provided by Takayoshi Kimura. (markt)
40723: Correct table creation example in JavaDoc for JDBCAccessLogValve. (markt)
40802: Add jsp-api.jar to fileset in catalina-tasks.xml as provided by Daniel Santos. (pero)
40817: Correct problem where CGI scripts in the root of the ROOT context threw a StringIndexOutOfBoundsException. (markt)
Set the SCRIPT_FILENAME environment variable required by PHP when using the CGIServlet to execute PHP. (markt)
40823: Update context doc to clarify use of ROOT.xml, multi-level context paths and to further discourage use of server.xml (markt)
40844: Add additional syncs to JDBCRealm to resolve NPE when two users try to authenticate using DIGEST authentication at the same time. (markt)
40860: Log exceptions and other problems during parameter processing. (markt)
40901: Encode directory listing output. Based on a patch provided by Chris Halstead. (markt)
40929: Correct JavaDoc for StandardCalssLoader. (markt)
41008: Allow POST to be used for indexed queries with CGI Servlet. Patch provided by Chris Halstead. (markt)
41020: Improve error message when custom error report Valve fails to load. Also remove requirement that custom error report Valves extend ValveBase. (markt)
41217: Set secure attribute on SSO cookie when cookie is created during a secure request. Patch provided by Chris Halstead. (markt)
Ensure Accept-Language headers conform to RFC 2616. Ignore them if they do not. (markt)
Make provided instances of RequestDispatcher thread safe. (markt)
Fix formatting of CGI variable SCRIPT_NAME. (markt)
34643: Improved documentation for per-user / per-session clientAuth usage in SSL Authenticator. Docs provided by jack and Ralf Hauser. (yoavs)
40668: Update release notes and readme files specific to v5.5.20 to notify users of missing MailSessionFactory in distribution, suggest workarounds, and link to relevant Bugzilla issue. (yoavs)
37977: adapt BUILDING.txt and net build.xml for SVN. Patch by Christopher Sahnwaldt. (yoavs)
39055: Link to sample workaround code for using JSR160 JMX monitoring with a local firewall. Thanks to George Lindholm for the patch. (yoavs)
39476: add xml declaration to most build.xml files, as suggested by Gregory S. Hoerner Sr. (yoavs)
40326: stop using File#deleteOnExit in DefaultServlet to avoid JVM memory leak, as suggested by quartz. (yoavs)
40192: update setup.html notes regarding Windows tray icon. (yoavs)
40177: add more warnings to documentation about RequestDumperValve character encoding. (yoavs)
39255: NPE in AuthenticatorBase when logging level is set to DEBUG and no prinicpal found. (yoavs)
41437: Make log messages and loglevel consistent during Context start. Patch provided by Suzuki Yuichiro. (markt)
Coyote
38332: Add backlog attribute to ChannelSocket as provided by Takayoshi Kimura. (pero)
Backport packetSize feature from Tomcat 6.0.x at standard coyote AJP Jk handler. (pero)
40771: Fix implementation of SavedRequestInputFilter.doRead() so POST data may be read using a Valve or Filter. Patch provided by Michael Dufel. (markt)
41017: Restore behaviour of MessageBytes.setString(null). (remm/markt)
41057: Modify StringCache to add a configurable upper bound to the length of cached strings. (remm/markt)
38774: Check javax.net.ssl.keyStorePassword system property as a secondary source for keystore password in JSSESocketFactory, as suggested by Ted X. Toth. (yoavs)
39402: Modify existing Vary HTTP header, rather than overwrite it, if it exists when using GZip compression. Patch by Matthew Cooke. (yoavs)
40241: Catch Exceptions instead of Throwables in Default and SSI servlets. Also improve relevant logging while we're at it. (yoavs)
40133: Better error message when context name is not available on startup, as suggested by Andreas Plesner Jacobsen. (yoavs)
Jasper
39975: don't have static Log references to prevent classloader leaks. (yoavs)
40104: When displaying JSP source after an exception, handle included files. (markt)
40797: This was a regression as a result of the fix for 33407. TLD validation was failing as a result of the use of the escape character (0x1b) as a temporary replacement for \$. An alternative character (0xe000) from the unicode private use range is now used. (markt)
41057: Make jsp:plugin output XHTML compliant. (markt)
41327: Show full URI for a 404. Patch provided by Vijay. (markt)
41265: Allow JspServlet checkInterval init parameter to be explicitly set to the stated default value of zero by removing the code that resets it to 300 if explicitly specified as zero. (markt)
Display the JSP source when a compilation error occurs and display the correct line number rather than start of a scriptlet block. (markt)
Webapps
34952: Clarify that the Windows Installer always installs a Windows service. (markt)
35968: Make environment entry properties input a text area. Patch provided by Tristan Marly. (markt)
37588: Fix creation of JNDI Realm in admin application. Patch provided by Terry Zhou. (markt)
38048: Fix memory leak assoaciated with use of expression language in JSPs. Patch provided by Taras Tielkes. (markt)
39572: Improvements to CompressionFilter example provided by Eric Hedstrom. (markt)
40507: Update host-manager and servlet-examples web-apps to use the servlet 2.4 xsd. Patch provided by Chris Halstead. (markt)
40581: Add information on the use of a symbloic link as the docBase for a Context to the Context documentation. (markt)
40633: Remove references to the DefaultContext from the documentation. (markt)
40677: Update SSL documentation to indicate that PKCS11 keystores may be used. (markt)
40714: Admin webapp no longer requires a username for a DataSource since it is not required in all cases. (markt)
40720: Fix exception in admin webapp when adding a group to a user. (markt)
40874: Correct log4j configuration in documentation webapp. Patch provided by Franck Borel. (markt)
40999: Add trust store configuration for SSL connectors to the admin webapp. (markt)
41051: Add information on keystore aliases and case sensitivity to SSL HOW-TO. (markt)
41182: Update the Jasper documentation for the classpath attribute. (markt)
41493: Fix handling of APR connectors in Admin webapp. (markt)
41512: Version number was not inserted in release notes. (markt)
40257: Update Manager webapp howto on remote deployment to reflect need for explicit path in one specific use-case. Thanks to Venkatesh Jayaraman. (yoavs)
40160: add reference to the Filter proposed in this Bugzilla item to the WebdavServlet. While at it, give the WebdavServlet some long-overdue TLC by cleaning up some of the old data structures in favor of modern (but still JDK 1.4-compliant) interfaces. (yoavs)
Add a virtual hosting how-to contributed by Hassan Schroeder. (markt)
Cluster
Add clustered SSO code and backport feature from Tomcat 6.0.x, submitted by Fabien Carrion (pero)
Add better recovery at FastAsyncQueueSender. Made the startegy more robust for temporary connection problems (pero)
Changes:
Tomcat 5.5.20 (fhanik)
Catalina
fix Fix logic error in UserDatbaseRealm.getprincipal() that caused user roles assigned via groups to be ignored. (markt)
Jasper
fix 31804: Unnested tags within a tag file are now configured with the Tag represented by the containing tag file as their parent tag. (markt)
fix 33356: Tag attributes that contained $ followed by 1 or more non-special characters and then a { character caused an exception. (markt)
fix 33407: The string \$ in template text was reduced to $ when the isELIgnored page directive was set to true. (markt)
Tomcat 5.5.19 (fhanik)
General
update Add multi attribute setting to jmx:set JMX remote ant task. Patch contributed by Didier Donsez (pero)
Catalina
fix 30762: Re-fix this bug that was re-introduced by the fix to 37264. (markt)
fix 37588: Fix JNDI realm creation through JMX. Patch contributed by TerryZhou (fhanik)
fix 39704: The use of custom classloaders failed when the context was specified in server.xml. Correction of the fault will require setting the new loader attribute useSystemClassLoaderAsParent to false. (markt)
Coyote
fix 40418: APR Endpoint socket evaluation (remm)
Webapps
fix 31339: Admin app threw exceptions if a name other than Catalina was configured for the Engine. Patch based on a suggestion from Amila Suriarachchi. (markt)
Tomcat 5.5.18 (yoavs)
General
update Change MD5 release signature files to have md5 (lowercase) extension instead of MD5 (uppercase), as suggested by Henk Penning and specified in the ASF release publishing guidelines. (yoavs)
Catalina
fix Fix that ManagerBase increment expireSessions counter at background task two times. (pero)
fix 39406: Fix that StandardSession#getLastAccessedTime() uses correct exception message, suggested by Takayoshi Kimura. (pero)
add 39661: Add documentation on JULI FileHandler properties. (yoavs)
add 39657: Warn (and don't load jar) if JSP API is in webapp classloader repository, as suggested by David Sanchez Crespillo. (yoavs)
add 39674: Support JRockit JVM in service.bat script, as suggested by lizongbo. (yoavs)
fix 39711: Update Loader configuration documentation, as suggested by Stephane Bailliez. (yoavs)
fix 39865: Add Open Office mime types to conf/web.xml. (markt)
fix 38814: Align CGI handling of indexed queries, parameters and POST content with other CGI providers. The changes: only provide parameters on the command line for indexed queries; always provide the query string via the QUERY_STRING environment variable; provide POST content unmodified to stdin; and never call getParameters(). (markt)
fix 34801: Partial fix that adds handling of IOExceptions during long running CGI requests. Based on a patch by Chris Davey. (markt)
fix 39689: Allow single quotes (') and backticks (`) as well as double quotes (") to be used to delimit SSI attribute values. (markt)
fix 40053: Correct application deployment documentation so it agrees with the classloader documentation regarding shared lib and CATALINA_BASE. (markt)
fix 39592: Stop HEAD requests for resources handled by SSI servlet or filter generating stack traces in the logs. (markt)
fix Improve handling of the ';' character in the URL so that it is now allowed if properly %xx encoded. (remm)
Coyote
fix Fix APR endpoint so that the acceptor thread now only processes socket accepts. (remm)
Webapps
fix 39813: Correct handling of new line characters in JMX attributes. Patch provided by R Bramley. (markt)
fix 37781: Make sure that StoreConfig save external referenced war files at context.xml correct. (pero)
fix 39791: Use correct default for useNaming within a Context. (markt)
fix Correctly generate re-direct for admin app index.jsp to prevent login page being displayed twice when cookies are disabled. (markt)
Cluster
fix 39473: Session timeout much shorter than setting at web.xml at cluster environment, suggested by Jin Jiang. (pero)
If ${FILESDIR}/getsite.sh exists, then use it to determine the fetch
URL for each of the distfiles for the package. Otherwise, use
SITE_<file> and MASTER_SITES, in order, to determine the URL for each
distfile.
If the script path differs from ${FILESDIR}/getsite.sh, then set
DYNAMIC_SITE_SCRIPT to the full path to that script.
Remove the need to set DYNAMIC_MASTER_SITES explicitly in the package
Makefile for:
graphics/ns-cult3d
wm/sawfish-themes
www/apache-tomcat55
www/jakarta-tomcat4
www/jakarta-tomcat5
"extract" script for extraction. Many cases where a custom EXTRACT_CMD
simply copied the distfile into the work directory are no longer
needed. The extract script also hides differences between pax and
tar behind a common command-line interface, so we no longer need code
that's conditional on whether EXTRACT_USING is tar or pax.
Tomcat is the Java Servlet / Java Server Page environment produced
by the Apache Foundation's Tomcat Project. Tomcat can be run as a
standalone web server with Servlet and JSP support, or using Apache
Server as its web server via the mod_jk Apache module (www/ap-jk).
This is the Tomcat 5.5 package, which is a Java Serlet 2.4 and JSP
2.0 server.
This replaces jakarta-tomcat55, the old name for apache-tomcat.
pkgsrc previously had
pkgsrc jakarta-tomcat55 was 5.5.9 - there are over 300 lines of
changelog between that and 5.5.14:
http://tomcat.apache.org/tomcat-5.5-doc/changelog.html
