---------------------------------------------------
Security-related excerpt from
https://dev.mysql.com/doc/relnotes/mysql/5.5/en/news-5-5-55.html
-----
Security Notes
The mysql_options() C API function now supports a
MYSQL_OPT_SSL_MODE option. The only permitted option value is
SSL_MODE_REQUIRED, to require a secure connection to the server. It
causes mysql_real_connect() to fail if an encrypted connection cannot
be obtained, without falling back to an unencrypted connection. Thus,
mysql_real_connect() returns an error if the server does not support
SSL or the client is not configured to use SSL. The client/server
exchange terminates immediately after the initial server packet has
been received if the server indicates that it does not support SSL.
To require an encrypted connection in MySQL 5.5, the standard MySQL
client programs call mysql_options() to set MYSQL_OPT_SSL_MODE if the
--ssl-mode=REQUIRED command-line option was specified. Third-party
applications that must be able to require encrypted connections can
use the same technique. For details, see mysql_ssl_set().
The minor C API version number was not incremented for this
change. Application programs compiled for MySQL 5.5 that require
MYSQL_OPT_SSL_MODE may fail to operate properly if the dynamic loader
provides an older client library without MYSQL_OPT_SSL_MODE. Such
applications must be written to handle this possibility by checking
whether the mysql_options() call succeeds or fails. (Bug #25575605)
-------------------------------
v1.1.4
cli : new : can compress in *.gz format, using --format=gzip command, by
Przemyslaw Skibinski
cli : new : advanced benchmark command --priority=rt
cli : fix : write on sparse-enabled file systems in 32-bits mode, by @ds77
cli : fix : --rm remains silent when input is stdin
cli : experimental : xzstd, with support for xz/lzma decoding, by Przemyslaw
Skibinski
speed : improved decompression speed in streaming mode for single shot scenarios (+5%)
memory : DDict (decompression dictionary) memory usage down from 150 KB to 20 KB
arch : 32-bits variant able to generate and decode very long matches (>32 MB),
by Sean Purcell
API : new : ZSTD_findFrameCompressedSize(),
ZSTD_getFrameContentSize(), ZSTD_findDecompressedSize()
API : changed : dropped support of legacy versions <= v0.3 (can be changed by
modifying ZSTD_LEGACY_SUPPORT value)
build: new: meson build system in contrib/meson, by Dima Krasner
build: improved cmake script, by @Majlen
build: added -Wformat-security flag, as recommended by Padraig Brady
doc : new : educational decoder, by Sean Purcell
(pkgsrc changes)
+ MAKE_JOBS_SAFE= no
------------------------------------------
ADVANCECOMP VERSION 1.23 2016/11
================================
* Fixed build issue from source code due missing libdeflate header.
ADVANCECOMP VERSION 1.22 2016/11
================================
* Enabled again the command line wildcard expansion in the Windows
builds. The new MingW compiler was disabling it by default.
ADVANCECOMP VERSION 1.21 2016/11
================================
* Added libdeflate support. It's the new default because it provides
better performance and compression than 7z.
From https://github.com/ebiggers/libdeflate
at commit 28cc14994b8b57f590d31a7340c8fffc5cc37d88
* Update to the latest zopfli library.
From https://github.com/google/zopfli
at commit 6818a0859063b946094fb6f94732836404a0d89a.
* Windows binaries built with MingW 4.9.3 using the MXE cross compiler at
commit 62bcdbee56e87c81f1faa105b8777a5879d4e2e with targets
i686-w64-mingw32 and x86_64-w64-mingw32.
* DOS binaries built with DJGPP 4.8.5 from
https://github.com/andrewwutw/build-djgpp
ADVANCECOMP VERSION 1.20 2015/08
================================
* Fixed .gz recompression of data bigger than 400 MB.
* Fixed .gz recompression with -0 and -1 options.
* Updated to the latest zopfli [Aaron Kaluszka].
* Preserve the EFS flag in .zip files [Jason Penney].
LD_LIBRARY_PATH is not propagated when set with env, e.g.:
env LD_LIBRARY_PATH=path/to/lib ./script.sh
will not work (other variable names work correctly).
GNU/kFreeBSD, and adds a new page_flip_handler2 event handler, which
when run on a suitably capable kernel, can provide the CRTC ID to
userspace for atomic completion events.
Cheers,
Daniel
Ander Conselvan de Oliveira (1):
Add CRTC ID to vblank event
Daniel Stone (2):
Headers: Sync drm{,_mode}.h with the kernel
configure.ac: bump version for release
Emil Velikov (1):
configure.ac: pthread-stubs is not a thing on GNU/kFreeBSD
Eric Engestrom (4):
man/drm(7): fix typo
man: fix bug report instruction
man: fix bug report instructions (for real this time)
man: fix bug report instructions (third time's the charm)
2.4.79:
Marek Olšák (1):
configure.ac: bump version for release
Samuel Pitoiset (1):
amdgpu: allow to query GPU sensor related information
Some of the more important changes:
- Fix incorrect truncation in Bcrypt. Passwords in length between 56 and
72 characters were truncated at 56 characters. Found and reported by
Solar Designer. (CVE-2017-7252) (GH #938)
- Fix a bug in X509 DN string comparisons that could result in out of
bound reads. This could result in information leakage, denial of
service, or potentially incorrect certificate validation results.
Found independently by Cisco Talos team and OSS-Fuzz. (CVE-2017-2801)
- Correct minimum work factor for Bcrypt password hashes. All other
implementations require the work factor be at least 4. Previously
Botan simply required it be greater than zero. (GH #938)
- Converge on a single side channel silent EC blinded multiply
algorithm. Uses Montgomery ladder with order/2 bits scalar blinding
and point randomization now by default. (GH #893)
- Add ability to search for certificates using the SHA-256 of the
distinguished name. (GH #900)
- Support a 0-length IV in ChaCha stream cipher. Such an IV is treated
identically to an 8-byte IV of all zeros.
- Previously Botan forbade any use of times past 2037 to avoid Y2038
issues. Now this restriction is only in place on systems which have a
32-bit time_t. (GH #933 fixing #917)
- Fix a longstanding bug in modular exponentiation which caused most
exponentiations modulo an even number to have an incorrect result;
such moduli occur only rarely in cryptographic contexts. (GH #754)
- Fix a bug in BigInt multiply operation, introduced in 1.11.30, which
could cause incorrect results. Found by OSS-Fuzz fuzzing the ressol
function, where the bug manifested as an incorrect modular
exponentiation. OSS-Fuzz bug #287
- Fix a bug that meant the “ietf/modp/6144” and “ietf/modp/8192”
discrete log groups used an incorrect value for the generator,
specifically the value (p-1)/2 was used instead of the correct value
of 2.
- DL_Group strong generation previously set the generator to 2. However
sometimes 2 generates the entire group mod p, rather than the subgroup
mod q. This is invalid by X9.42 standard, and exposes incautious
applications to small subgroup attacks. Now DL_Group uses the smallest
g which is a quadratic residue. (GH #818)
- The default TLS policy now requires DH groups of 2048 bits or
larger.
- The default Path_Validation_Restrictions constructor has changed to
require at least 110 bit signature strength. This means 1024 bit RSA
certificates and also SHA-1 certificates are rejected by default. Both
settings were already the default for certificate validation in TLS
handshake, but this changes it for applications also.
- Fix integer overflow during BER decoding, found by Falko Strenzke.
This bug is not thought to be directly exploitable but upgrading ASAP
is advised. (CVE-2016-9132)
- Add post-quantum signature scheme XMSS. Provides either 128 or 256 bit
(post-quantum) security, with small public and private keys, fast
verification, and reasonably small signatures (2500 bytes for 128-bit
security). Signature generation is very slow, on the order of seconds.
And very importantly the signature scheme is stateful: each leaf index
must only be used once, or all security is lost. In the appropriate
system where signatures are rarely generated (such as code signing)
XMSS makes an excellent choice. (GH #717, #736)
- Add support for client-side OCSP stapling to TLS. (GH #738)
- Previously both public and private keys performed automatic self
testing after generation or loading. However this often caused
unexpected application performance problems, and so has been removed.
Instead applications must call check_key explicitly. (GH #704)
- Fix TLS session resumption bugs which caused resumption failures if an
application used a single session cache for both TLS and DTLS. (GH
#688)
- The default TLS policy now disables static RSA ciphersuites, all DSA
ciphersuites, and the AES CCM-8 ciphersuites. Disabling static RSA by
default protects servers from oracle attacks, as well as enforcing a
forward secure ciphersuite. Some applications may be forced to
re-enable RSA for interop reasons. DSA and CCM-8 are rarely used, and
likely should not be negotiated outside of special circumstances.
- The default TLS policy now prefers ChaCha20Poly1305 cipher over any
AES mode.
- The default TLS policy now orders ECC curve preferences in order by
performance, with x25519 first, then P-256, then P-521, then the rest.
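The DL_Group generator change above, worked through on toy parameters as an added example (this is not Botan code). For a safe prime p = 2q+1, a generator that is a quadratic residue has order q, while a non-residue such as 2 mod 11 generates the whole group of order 2q; the receiver-side check in_subgroup() is the public-value validation that protects an application against small-subgroup elements regardless of which g the peer chose. The primes 11 and 23 are constructed toy values, not cryptographic group sizes, and order_mod() is brute force for those sizes only.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Modular exponentiation on 64-bit values; products are widened to 128 bits. */
uint64_t mod_pow(uint64_t base, uint64_t exp, uint64_t mod)
{
    uint64_t result = 1 % mod;
    base %= mod;
    while (exp) {
        if (exp & 1)
            result = (uint64_t)((unsigned __int128)result * base % mod);
        base = (uint64_t)((unsigned __int128)base * base % mod);
        exp >>= 1;
    }
    return result;
}

/* Multiplicative order of g mod p by brute force (toy sizes only; 0 if g == 0 mod p). */
uint64_t order_mod(uint64_t g, uint64_t p)
{
    uint64_t x = g % p, k = 1;
    if (x == 0)
        return 0;
    while (x != 1) {
        x = (uint64_t)((unsigned __int128)x * g % p);
        if (++k > p)
            return 0;
    }
    return k;
}

/* Receiver-side validation of a peer's public value: 1 < y < p-1 and
 * y^q == 1 (mod p). Returns 1 only for non-trivial elements of the
 * order-q subgroup, so elements of small order (e.g. p-1) are rejected. */
int in_subgroup(uint64_t y, uint64_t p, uint64_t q)
{
    if (y <= 1 || y >= p - 1)
        return 0;
    return mod_pow(y, q, p) == 1;
}

/* For a safe prime p = 2q+1, the smallest g > 1 that is a quadratic residue
 * (Euler's criterion: g^((p-1)/2) == 1 mod p). Such a g has order q, so it
 * generates the subgroup and not the full group. Returns 0 for other p. */
uint64_t smallest_qr_generator(uint64_t p, uint64_t q)
{
    if (p != 2 * q + 1)
        return 0;
    for (uint64_t g = 2; g < p - 1; g++)
        if (mod_pow(g, (p - 1) / 2, p) == 1)
            return g;
    return 0;
}

int main(void)
{
    const uint64_t params[][2] = { {11, 5}, {23, 11} };   /* constructed {p, q} pairs */
    for (size_t i = 0; i < 2; i++) {
        uint64_t p = params[i][0], q = params[i][1];
        printf("p=%" PRIu64 " q=%" PRIu64 ": order of 2 is %" PRIu64
               ", 2 in subgroup: %d, smallest QR generator: %" PRIu64 "\n",
               p, q, order_mod(2, p), in_subgroup(2, p, q),
               smallest_qr_generator(p, q));
    }
    return 0;
}
```

Mod 11 the value 2 has order 10 (the entire group) and the chosen generator is 3; mod 23 the value 2 is itself a residue of order 11, which is why the old behaviour was only "sometimes" wrong and why validating received values is the robust defence.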
pkgsrc changes:
- depends on python3* now that filters can be written in Python
- update MASTER_SITES and HOMEPAGE (old homepage seems no longer available)
- take MAINTAINERship
Changes:
0.43
----
- Added Hisanobu Okuda's rlwrapfilter.py python3 module
and example filters. Filters can now be written in python
as well as perl.
- If a filter was used, rlwrap would pass all input, output,
history items, prompts, ... through the filter, even if it
wouldn't change them. Now, at startup, filters (even filter
pipelines) tell rlwrap which messages they handle, after which
rlwrap won't bother them with anything else.
- Added bindable readline command rlwrap-direct-keypress
that bypasses readline editing and sends its keypress directly
to the rlwrapped command (like CTRL-G for the Erlang shell)
- Added bindable readline command rlwrap-hotkey that passes
the current input buffer and history to the filter (or
filter pipeline) specified with the '-z' option. This can
be used e.g. to insert the current selection at the cursor
position, or to edit (re-write) the history.
This uncovered quite a few bugs and inconsistencies:
- My ncurses' termcap emulation misses some codes (like
term_cursor_hpos) that its terminfo has. rlwrap now
always searches terminfo before termcap.
- rlwrap was confused about the role of history_offset,
resulting in muddled and unclear (although correct) code.
- rlwrap --history-size -0 would clobber the history file
(as per the manual - that has been updated as well)
- rlwrap's ad hoc way of sending lists of strings to filters
by interspersing them with TABs or spaces was becoming
unwieldy; it has been replaced by a standard encoding
<length1><string1><length2><string2>.... (where the
<lengths> are fixed-length hexadecimal numbers; this is a
contribution by Hisanobu Okuda)
- Playing back a readline macro consisting of more than one line
would crash with SIGSEGV
- rlwrap with negative --histsize would fail when there is no
history file yet.
- An empty prompt would make $filter->{cumulative_output} miss
its last line
- Pre-given (-P) input would only be put in input line after
cooking timeout (usually 40 msec)
- One-shot (-o) rlwrap could accept more than one line when input
in quick succession.
- rlwrap didn't delete the tempfiles used in a multi-line
edit
- configure.ac now works even when cross-compiling (skipping some
tests, but providing sensible defaults)
- --enable-pedantic-ansi is a new configure option separate from
--enable-debug (it used to be implied by --enable-debug)
- --complete-filenames (-c) will now work on OS X and FreeBSD as well
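An encoder and a bounds-checked decoder for the <length><string> list encoding described in the 0.43 notes, as an added example that is not rlwrap's own code. The width of the hexadecimal length field (8 digits here, LEN_DIGITS) is an assumption, since the page does not state it. The decoder rejects a length field that is not valid hex and a declared length that runs past the end of the buffer; that second check is what keeps a length-prefixed parser from reading out of bounds on truncated or malicious input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define LEN_DIGITS 8   /* assumed fixed width of each hexadecimal length field */

/* Encode n NUL-free strings as <len1><str1><len2><str2>... Returns a
 * malloc'd NUL-terminated buffer, or NULL if allocation fails or a string
 * is too long to fit its length in LEN_DIGITS hex digits. */
char *encode_list(const char *const *items, size_t n)
{
    size_t total = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(items[i]);
        if (len > 0xFFFFFFFFUL)
            return NULL;
        total += LEN_DIGITS + len;
    }
    char *out = malloc(total + 1);
    if (out == NULL)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(items[i]);
        p += sprintf(p, "%0*zx", LEN_DIGITS, len);
        memcpy(p, items[i], len);
        p += len;
    }
    *p = '\0';
    return out;
}

/* Decode buf[0..buflen) into at most max_items malloc'd strings.
 * Returns the item count, or -1 on malformed input (non-hex length field,
 * declared length longer than the bytes that remain, too many items);
 * on failure nothing allocated is leaked. */
int decode_list(const char *buf, size_t buflen, char **items, size_t max_items)
{
    size_t pos = 0, count = 0;
    while (pos < buflen) {
        if (count == max_items || buflen - pos < LEN_DIGITS)
            goto fail;
        size_t len = 0;
        for (int i = 0; i < LEN_DIGITS; i++) {
            int c = (unsigned char)buf[pos + i], v;
            if (c >= '0' && c <= '9')      v = c - '0';
            else if (c >= 'a' && c <= 'f') v = c - 'a' + 10;
            else if (c >= 'A' && c <= 'F') v = c - 'A' + 10;
            else goto fail;
            len = len * 16 + (size_t)v;
        }
        pos += LEN_DIGITS;
        if (len > buflen - pos)        /* declared length exceeds the data present */
            goto fail;
        char *s = malloc(len + 1);
        if (s == NULL)
            goto fail;
        memcpy(s, buf + pos, len);
        s[len] = '\0';
        items[count++] = s;
        pos += len;
    }
    return (int)count;
fail:
    for (size_t i = 0; i < count; i++)
        free(items[i]);
    return -1;
}

int main(void)
{
    const char *in[] = { "select *", "", "from t" };   /* constructed sample */
    char *enc = encode_list(in, 3);
    char *out[4];
    int n = decode_list(enc, strlen(enc), out, 4);
    printf("encoded: %s\ndecoded %d items\n", enc, n);
    for (int i = 0; i < n; i++)
        free(out[i]);
    free(enc);
    return 0;
}
```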
Fix a bug in X509 DN string comparisons that could result in out of
bound reads. This could result in information leakage, denial of
service, or potentially incorrect certificate validation results.
(CVE-2017-2801)
Avoid throwing during a destructor since this is undefined in
C++11 and rarely a good idea. (GH #930)
Fix a bug causing modular exponentiations done modulo even numbers
to almost always be incorrect, unless the values were small. This
bug is not known to affect any cryptographic operation in Botan. (GH
#754)
Avoid use of C++11 std::to_string in some code added in 1.10.14
(GH #747, #834)
Fix integer overflow during BER decoding, found by Falko Strenzke.
This bug is not thought to be directly exploitable but upgrading ASAP
is advised. (CVE-2016-9132)
Fix two cases where (in error situations) an exception would be thrown
from a destructor, causing a call to std::terminate.
When RC4 is disabled in the build, also prevent it from being included
in the OpenSSL provider. (GH #638)
-----------------------------------
(Changes up to 3.2.9 are unknown)
Changes from 3.2.6 to 3.2.8
Protected delta.strftime() against segfaults on Windows, which
only allows day values <= 31 and segfaults for higher
values. Thanks to Frank Boje for reporting this problem.
Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages
technologies. The Java Servlet and JavaServer Pages specifications are
developed under the Java Community Process.
Apache Tomcat is developed in an open and participatory environment and
released under the Apache Software License. Apache Tomcat is intended to
be a collaboration of the best-of-breed developers from around the world.
We invite you to participate in this open development project.
Apache Tomcat powers numerous large-scale, mission-critical web applications
across a diverse range of industries and organizations.
This package tracks 8.5.x release branch.
Changelog:
Tomcat 8.0.43 (violetagg)
Catalina
Add: 54618: Add support to the HttpHeaderSecurityFilter for the HSTS preload parameter. (markt)
Fix: 60876: Ensure that Set-Cookie headers generated by the Rfc6265CookieProcessor are aligned with the specification. Patch provided by Jim Griswold. (markt)
Fix: 60911: Ensure NPE will not be thrown when looking for SSL session ID. Based on a patch by Didier Gutacker. (violetagg)
Coyote
Fix: When using the NIO2 connector, ensure a WebSocket close frame is processed before the end of stream is processed to ensure that the end of stream is processed correctly. (markt)
Fix: 60852: Correctly spell compressible when used in configuration attributes and internal code. Based on a patch by Michael Osipov. (markt)
Fix: Improve sendfile handling when requests are pipelined. (markt)
Jasper
Fix: Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm, violetagg)
Fix: 60844: Correctly handle the error when fewer parameter values than required by the method are used to invoke an EL method expression. Patch provided by Daniel Gray. (markt)
jdbc-pool
Fix: 60764: Implement equals() and hashCode() in the StatementFacade in order to enable these methods to be called on the closed statements if any statement proxy is set. This behavior can be changed with useStatementFacade attribute. (kfujino)
Other
Fix: Refactor the build script and the NSIS installer script so that either NSIS 2.x or NSIS 3.x can be used to build the installer. This is primarily to re-enable building the installer on the Linux based CI system where the combination of NSIS 3.x and wine leads to failed installer builds. (markt)
2017-03-14 Tomcat 8.0.42 (markt)
Catalina
Update: 60596: Improve performance of DefaultServlet when sendfile feature is disabled on connector. (kkolinko)
Fix: Reduce the contention in the default InstanceManager implementation when multiple threads are managing objects and need to reference the annotation cache. (markt)
Add: Extend the JreMemoryLeakPreventionListener to provide protection against ForkJoinPool.commonPool() related memory leaks. (markt)
Code: 60674: Remove final marker from CorsFilter to enable sub-classing. (markt)
Fix: 60683: Security manager failure causing NPEs when doing IO on some JVMs. (csutherl)
Fix: 60688: Update the internal fork of Apache Commons BCEL to r1782855 to add early access Java 9 support to the annotation scanning code. (markt)
Fix: When HTTP TRACE requests are disabled on the Connector, ensure that the HTTP OPTIONS response from the WebDAV servlet does not include TRACE in the returned Allow header. (markt)
Fix: 60718: Improve error handling for asynchronous processing and correct a number of cases where the requestDestroyed() event was not being fired and an entry wasn't being made in the access logs. (markt)
Fix: 60722: Take account of the dispatchersUseEncodedPaths setting on the current Context when generating paths for dispatches triggered by AsyncContext.dispatch(). (markt)
Fix: 60728: Make the separator Tomcat uses in the Tomcat specific war:file:... URL protocol customizable via a system property. The separator is equivalent to the use of the ! character in jar:file:... URLs. The default separator of * remains unchanged. (markt)
Fix: 60798: Correct a bug in the handling of JARs in unpacked WARs that meant multiple attempts to read the same entry from a JAR in succession would fail for the second and subsequent attempts. (markt)
Fix: 60808: Ensure that the Map returned by ServletRequest.getParameterMap() is fully immutable. Based on a patch provided by woosan. (markt)
Fix: 60824: Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager. Patch provided by Jan Engehausen. (markt)
Fix: Ensure request and response facades are used when firing application listeners. (markt/remm)
Coyote
Fix: Ensure that executor thread pools used with connectors pre-start the configured minimum number of idle threads. (markt)
Add: 60594: Allow some invalid characters that were recently restricted to be processed in requests by using the system property tomcat.util.http.parser.HttpParser.requestTargetAllow. (csutherl)
Fix: Modify the cookie header generated by the Rfc6265CookieProcessor so it always sends an Expires attribute as well as a Max-Age attribute to avoid problems with Microsoft browsers that do not support the Max-Age attribute. (markt)
Jasper
Fix: Follow up to the fix for 58178. When creating the ELContext for a tag file, ensure that any registered ELContextListeners are fired. (markt)
Fix: Refactor code generated for JSPs to reduce the size of the code required for tags. (markt)
Update: Update to the Eclipse JDT Compiler 4.6.1. (markt)
Cluster
Add: Make the accessTimeout configurable in ClusterSingleSignOn. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
Fix: 60806: To avoid ClassNotFoundException, make sure that the web application class loader is passed to ReplicatedContext. (kfujino)
WebSocket
Fix: 60617: Correctly create a CONNECT request when establishing a WebSocket connection via a proxy. Patch provided by Svetlin Zarev. (markt)
Tribes
Fix: Ensure that NoRpcChannelReply messages are not received on RpcCallback. (kfujino)
Other
Update: Update the packaged version of the Tomcat Native Library to 1.2.12 to pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg)
Add: 60784: Update all unit tests that test the HTTP status line to check for the required space after the status code. Patch provided by Michael Osipov. (markt)
Update: Update the NSIS Installer used to build the Windows installer to version 3.01. (markt)
Changelog:
Tomcat 7.0.77 (violetagg)
Catalina
add 54618: Add support to the HttpHeaderSecurityFilter for the HSTS preload parameter. (markt)
fix 60911: Ensure NPE will not be thrown when looking for SSL session ID. Based on a patch by Didier Gutacker. (violetagg)
Coyote
fix When using the NIO2 connector, ensure a WebSocket close frame is processed before the end of stream is processed to ensure that the end of stream is processed correctly. (markt)
fix 60852: Correctly spell compressible when used in configuration attributes and internal code. Based on a patch by Michael Osipov. (markt)
fix Improve sendfile handling when requests are pipelined. (markt)
Jasper
fix Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm, violetagg)
fix 60844: Correctly handle the error when fewer parameter values than required by the method are used to invoke an EL method expression. Patch provided by Daniel Gray. (markt)
jdbc-pool
fix 60764: Implement equals() and hashCode() in the StatementFacade in order to enable these methods to be called on the closed statements if any statement proxy is set. This behavior can be changed with useStatementFacade attribute. (kfujino)
Tomcat 7.0.76 (markt) released 2017-03-16
Catalina
code Make it easier for sub-classes of Tomcat to modify the default web.xml settings by over-riding getDefaultWebXmlListener(). Patch provided by Aaron Anderson. (markt)
fix Reduce the contention in the default InstanceManager implementation when multiple threads are managing objects and need to reference the annotation cache. (markt)
code 60674: Remove final marker from CorsFilter to enable sub-classing. (markt)
fix 60683: Security manager failure causing NPEs when doing IO on some JVMs. (csutherl)
fix 60688: Update the internal fork of Apache Commons BCEL to r1782855 to add early access Java 9 support to the annotation scanning code. (markt)
fix 60718: Improve error handling for asynchronous processing and correct a number of cases where the requestDestroyed() event was not being fired and an entry wasn't being made in the access logs. (markt)
fix 60808: Ensure that the Map returned by ServletRequest.getParameterMap() is fully immutable. Based on a patch provided by woosan. (markt)
fix 60824: Correctly cache the Subject in the session - if there is a session - when running under a SecurityManager. Patch provided by Jan Engehausen. (markt)
fix Ensure request and response facades are used when firing application listeners. (markt/remm)
fix When HTTP TRACE requests are disabled on the Connector, ensure that the HTTP OPTIONS response from the WebDAV servlet does not include TRACE in the returned Allow header. (markt)
Coyote
fix Ensure that executor thread pools used with connectors pre-start the configured minimum number of idle threads. (markt)
add 60594: Allow some invalid characters that were recently restricted to be processed in requests by using the system property tomcat.util.http.parser.HttpParser.requestTargetAllow. (csutherl)
Jasper
fix Refactor code generated for JSPs to reduce the size of the code required for tags. (markt)
Cluster
add Make the accessTimeout configurable in ClusterSingleSignOn. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
fix 60806: To avoid ClassNotFoundException, make sure that the web application class loader is passed to ReplicatedContext. (kfujino)
WebSocket
fix 60617: Correctly create a CONNECT request when establishing a WebSocket connection via a proxy. Patch provided by Svetlin Zarev. (markt)
Tribes
fix Ensure that NoRpcChannelReply messages are not received on RpcCallback. (kfujino)
fix 60722: Take account of the dispatchersUseEncodedPaths setting on the current Context when generating paths for dispatches triggered by AsyncContext.dispatch(). (markt)
Other
fix 60620: Fix configuration of Eclipse projects, broken by introduction of SafeForkJoinWorkerThreadFactory helper class. This class cannot be built with Java 6. (kkolinko)
update Update the packaged version of the Tomcat Native Library to 1.2.12 to pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg)
add 60784: Update all unit tests that test the HTTP status line to check for the required space after the status code. Patch provided by Michael Osipov. (markt)
update Update the NSIS Installer used to build the Windows installer to version 3.01. (markt)
fix Refactor the build script and the NSIS installer script so that either NSIS 2.x or NSIS 3.x can be used to build the installer. This is primarily to re-enable building the installer on the Linux based CI system where the combination of NSIS 3.x and wine leads to failed installer builds. (markt)
Tomcat 7.0.75 (violetagg) released 2017-01-24
Cluster
add Make the accessTimeout configurable in BackupManager. The accessTimeout is used as a timeout period for PING in replication map. (kfujino)
Web applications
fix Ensure the ASF logo image is correctly displayed in docs and host-manager applications. (violetagg)
Tomcat 7.0.74 (violetagg) not released
Catalina
add 53602: Add HTTP status code 451 (RFC 7725) to the list of HTTP status codes recognised by Tomcat. (markt)
fix Correctly handle the configClass attribute of a Host when embedding Tomcat. (markt)
fix 60379: Dispose of the GSS credential once it is no longer required. Patch provided by Michael Osipov. (markt)
fix 60380: Ensure that a call to HttpServletRequest#logout() triggers a call to TomcatPrincipal#logout(). Based on a patch by Michael Osipov. (markt)
fix 60387: Correct the javadoc for o.a.catalina.AccessLog.setRequestAttributesEnabled. The default value is different for the different implementations. (violetagg)
code 60393: Use consistent parameter naming in implementations of Realm#authenticate(GSSContext, boolean). (markt)
fix 60395: Log when an Authenticator passes an incomplete GSSContext to a Realm since it indicates a bug in the Authenticator. Patch provided by Michael Osipov. (markt)
update Update the warnings that reference required options for running on Java 9 to use the latest syntax for those options. (markt)
fix 60513: Fix thread safety issue with RMI cleanup code. (remm)
add 60620: Extend the JreMemoryLeakPreventionListener to provide protection against ForkJoinPool.commonPool() related memory leaks. (markt)
Coyote
fix Ensure that the endpoint is able to unlock the acceptor thread during shutdown if the endpoint is configured to listen to any local address of a specific type such as 0.0.0.0 or ::. (markt)
fix Ensure is enabled by default for APR. (markt)
fix Prevent read time out when the file is deleted while serving the response. The issue was observed only with APR Connector and sendfile enabled. (violetagg)
fix Improve the logic that selects an address to unlock the Acceptor to take account of platforms that do not listen on all local addresses when configured with an address of 0.0.0.0 or ::. (markt)
fix 60409: When unable to complete sendfile request, ensure the Processor will be added to the(markt)
fix 60431: Improve handling of varargs in UEL expressions. Based on a patch by Ben Wolfe. (markt)
fix 60497: Restore previous tag reuse behavior following the use of try/finally. (remm)
fix Improve the error handling for simple tags to ensure that the tag is released and destroyed once used. (remm)
fix 60497: Follow up fix using a better variable name for the tag reuse flag. (remm)
fix Revert use of try/finally for simple tags. (remm)
Web applications
fix Correct a typo in Host Configuration Reference. Issue reported via comments.apache.org. (violetagg)
add In the documentation web application, be explicit that clustering requires a secure network for all of the cluster network traffic. (markt)
update Update the ASF logos to the new versions.
Tribes
fix Reduce the warning logs for a message received from a different domain in order to avoid excessive log outputs. (kfujino)
add Add a log message when a PING message has been received beyond the timeout period. (kfujino)
fix When a PING message that is beyond the time-out period has been received, make sure that the valid member is added to the map membership. (kfujino)
WebSocket
fix 60437: Avoid possible handshake overflows in the websocket client. (remm)
jdbc-pool
add 58816: Implement the statistics of jdbc-pool. The stats infos are borrowedCount, returnedCount, createdCount, releasedCount, reconnectedCount, releasedIdleCount and removeAbandonedCount. (kfujino)
fix 60194: If validationQuery is not specified, connection validation is done by calling the isValid() method. (kfujino)
fix 60398: Fix testcase of TestSlowQueryReport. (kfujino)
add Enable resetting the statistics without restarting the pool. (kfujino)
Other
fix 60366: Change catalina.bat to use directly LOGGING_MANAGER and LOGGING_CONFIG variables in order to configure logging, instead of modifying JAVA_OPTS. Patch provided by Petter Isberg. (violetagg)
add New property test.verbose is added in order to control whether the output of the tests is displayed on the console or not. Patch provided by Emmanuel Bourg. (violetagg)
update Update the ASF logos used in the Apache Tomcat installer for Windows to use the new versions.
fix Spelling corrections provided by Josh Soref. (violetagg)
Tomcat 7.0.73 (violetagg) released 2016-11-14
Catalina
fix 60117: Ensure that the name of LogLevel is localized when using OneLineFormatter. Patch provided by Tatsuya Bessho. (kfujino)
add 60151: Improve the exception error messages when a ResourceLink fails to specify the type, specifies an unknown type or specifies the wrong type. (markt)
fix 60167: Ignore empty lines in /etc/passwd files when using the PasswdUserDatabase. (markt)
fix Improve the access checks for linked global resources to handle the case where the current class loader is a child of the web application class loader. (markt)
fix 60199: Log a warning if deserialization issues prevent a session attribute from being loaded. (markt)
fix Correctly test for control characters when reading the provided shutdown password. (markt)
fix When configuring the JMX remote listener, specify the allowed types for the credentials. (markt)
Coyote
fix 60123: Avoid potential threading issues that could cause excessively large values to be returned for the processing time of a current request. (markt)
fix 60174: Log instances of HeadersTooLargeException during request processing. (markt)
fix Correct the HTTP header parser so that DEL is not treated as a valid token character. (markt)
fix 60319: When using an Executor, disconnect it from the Connector attributes maxThreads, minSpareThreads and threadPriority to enable the configuration settings to be consistently reported. These Connector attributes will be reported as -1 when an Executor is in use. The values used by the executor may be set and obtained via the Executor. (markt)
fix If an I/O error occurs during async processing on a non-container thread, ensure that the onError() event is triggered. (markt)
fix Improve detection of I/O errors during async processing on non-container threads and trigger async error handling when they are detected. (markt)
add Add additional checks for valid characters to the HTTP request line parsing so invalid request lines are rejected sooner. (markt)
Web applications
add Add an example of using the classesToInitialize attribute of the JreMemoryLeakPreventionListener to the documentation web application. Based on a patch by Cris Berneburg. (markt)
fix 60192: Correct a typo in the status output of the Manager application. Patch provided by Radhakrishna Pemmasani. (markt)
fix Correct a typo in HTTP Connector How-To. Issue reported via comments.apache.org. (violetagg)
fix Fix default value of validationInterval attribute in jdbc-pool. (kfujino)
fix Correct a typo in CGI How-To. Issue reported via comments.apache.org. (violetagg)
fix 60344: Add a note to BUILDING.txt regarding using the source bundle with the correct line endings. (markt)
Tribes
fix When the proxy node sends a backup retrieve message, ensure that the channelSendOptions that has been set is used rather than the default channelSendOptions. (kfujino)
jdbc-pool
fix 60099: Ensure that all method arguments are used as a cache key when using StatementCache. (kfujino)
fix 60139: Correct Javadocs for PoolConfiguration.getValidationInterval and setValidationInterval. Reported by Phillip Webb. (kfujino)
Other
add Add documentation to the bin/catalina.bat script to remind users that environment variables don't affect the configuration of Tomcat when run as a Windows Service. Based upon a documentation patch by James H.H. Lampert. (schultz)
Tomcat 7.0.72 (violetagg) released 2016-09-19
Catalina
fix Ensure Digester.useContextClassLoader is considered in case the class loader is used. (violetagg)
Jasper
fix 60101: Remove preloading of the class that was deleted. (violetagg)
jdbc-pool
fix Notify jmx when returning the connection that has been marked suspect. (kfujino)
fix Ensure that the POOL_EMPTY notification has been added to the jmx notification types. (kfujino)
Other
update Update the packaged version of the Tomcat Native Library to 1.2.10 to pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)
Tomcat 7.0.71 (violetagg) not released
Catalina
fix 57705: Add debug logging for requests denied by the remote host and remote address valves and filters. Based on a patch by Graham Leggett. (markt)
update Change the default of the sessionCookiePathUsesTrailingSlash attribute of the Context element to false since the problems caused when a Servlet is mapped to /* are more significant than the security risk of not enabling this option by default. (markt)
fix 59708: Modify the LockOutRealm logic. Valid authentication attempts during the lock out period will no longer reset the lock out timer to zero. (markt)
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix Ensure that reading the singleThreadModel attribute of a StandardWrapper via JMX does not trigger initialisation of the associated servlet. With some frameworks this can trigger an unexpected initialisation thread and, if initialisation is not thread-safe, the initialisation can then fail. (markt)
fix By default, treat paths used to obtain a request dispatcher as encoded. This behaviour can be changed per web application via the dispatchersUseEncodedPaths attribute of the Context. (markt)
fix 59839: Apply roleSearchAsUser to all nested searches in JNDIRealm. (fschumacher)
add Provide a mechanism that enables the container to check if a component (typically a web application) has been granted a given permission when running under a SecurityManager without the current execution stack having to have passed through the component. Use this new mechanism to extend SecurityManager protection to the system property replacement feature of the digester. (markt)
add When retrieving an object via a ResourceLink, ensure that the object obtained is of the expected type. (markt)
fix 59866: When scanning WEB-INF/classes for annotations, don't scan the contents of WEB-INF/classes/META-INF (if present) since classes will never be loaded from that location. (markt)
fix 59912: Fix an edge case in input stream handling where an IOException could be thrown when reading a POST body. (markt)
fix 59966: Do not start the web application if the error page configuration in web.xml is invalid. (markt)
fix Switch the CGI servlet to the standard logging mechanism and remove support for the debug attribute. (markt)
add Add a new initialisation parameter, envHttpHeaders, to the CGI Servlet to mitigate httpoxy (CVE-2016-5388) by default and to provide a mechanism that can be used to mitigate any future, similar issues. (markt)
add When adding and removing ResourceLinks dynamically, ensure that the global resource is only visible via the ResourceLinkFactory when it is meant to be. (markt)
fix 60008: When processing CORS requests, treat any origin with a URI scheme of file as a valid origin. (markt)
fix Improve handling of exceptions during Lifecycle events triggered by a state transition. The exception is now caught and the component is placed into the FAILED state. (markt)
fix Fix a file descriptor leak when reading the global web.xml. (markt)
fix 60041: Better error message if a JAR is deleted while a web application is running. Note: Deleting a JAR while the application is running is not supported and errors are expected. Based on a patch by gehui. (markt)
Coyote
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix 59904: Add a limit (default 200) for the number of cookies allowed per request. Based on a patch by gehui. (markt)
fix Make timing attacks against the Realm implementations harder. (schultz)
add Refactor the code that implements the requirement that a call to complete() or dispatch() made from a non-container thread before the container initiated thread that called startAsync() completes must be delayed until the container initiated thread has completed. Rather than implementing this by blocking the non-container thread, extend the internal state machine to track this. This removes the possibility that blocking the non-container thread could trigger a deadlock. (markt)
Jasper
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix Improve the error handling for custom tags to ensure that the tag is returned to the pool or released and destroyed once used. (markt)
fix Fixed StringIndexOutOfBoundsException. Based on a patch provided by wuwen via Github. (violetagg)
WebSocket
fix Improve error handling around user code prior to calling InstanceManager.destroy() to ensure that the method is executed. (markt)
fix 59868: Clarify the documentation for the Manager web application to make clearer that the host name and IP address in the server section are the primary host name and IP address. (markt)
fix 59908: Ensure that a reason phrase is included in the close message if a session is closed due to a timeout. (markt)
Web Applications
fix Do not log an additional case of IOExceptions in the error handler for the Drawboard WebSocket example when the root cause is the client disconnecting since the logs add no value. (markt)
fix 59642: Mention the localDataSource in the DataSourceRealm section of the Realm How-To. (markt)
fix Follow-up to the fix for 59399. Ensure that the new attribute transportGuaranteeRedirectStatus is documented for all Realms. Also document the NullRealm and when it is automatically created for an Engine. (markt)
fix MBeans Descriptors How-To is moved to mbeans-descriptors-howto.html. Patch provided by Radoslav Husar. (violetagg)
fix 60034: Correct a typo in the Manager How-To page of the documentation web application. (markt)
Tribes
add Add log message when the ping has timed-out. (kfujino)
fix If a ping message is received by the AbstractReplicatedMap#leftOver method, ensure that the member is marked as alive rather than ignored. (kfujino)
jdbc-pool
fix Fix the duplicated connection release when connection verification failed. (kfujino)
fix Ensure that an abandoned connection that has already been released is not removed. (kfujino)
fix In order to avoid the unintended skip of PoolCleaner, remove the check code of the execution interval in the task that has been scheduled. (kfujino)
fix 59849: Ensure that the connection verification is executed by initSQL (if required) if the borrowing PooledConnection has not been initialized. (kfujino)
fix 59850: Ensure that the ResultSet is closed when enabling the StatementCache interceptor. (kfujino)
fix 59923: Reduce the default value of validationInterval in order to avoid the potential issue of continuing to return an invalid connection after a database restart. (kfujino)
fix Ensure that the ResultSet is returned as Proxy object when enabling the StatementDecoratorInterceptor. (kfujino)
fix 60043: Ensure that the suspectTimeout works without removing connection when the removeAbandoned is disabled. (kfujino)
fix Add log message of when returning the connection that has been marked suspect. (kfujino)
fix Correct Javadoc for ConnectionPool.suspect(). Based on a patch by Yahya Cahyadi. (markt)
Other
add Use the mirror network rather than the ASF master site to download the current ASF dependencies. (markt)
update Update the packaged version of the Tomcat Native Library to 1.2.8 to pick up the latest fixes and make 1.2.8 the minimum recommended version. (markt)
fix Fixed typos in mbeans-descriptors.xml files. (violetagg)
update Update the internal fork of Commons BCEL to r1757132 to align with the BCEL 6 release. (markt)
update Update the internal fork of Commons Codec to r1757174. Code formatting changes only. (markt)
update Update the internal fork of Commons FileUpload to afdedc9. This pulls in a fix to improve the performance with large multipart boundaries. (markt)
fix Update the download location for Objenesis. (violetagg)
Tomcat 7.0.70 (violetagg) released 2016-06-20
Catalina
fix 59219: Ensure AsyncListener.onError() is called if an Exception is thrown during async processing. (markt)
fix 59220: Ensure that AsyncListener.onComplete() is called if the async request times out and the response is already committed. (markt)
fix 59261: ServletRequest.getAsyncContext() now throws an IllegalStateException as required by the Servlet specification if the request is not in asynchronous mode when called. (markt)
fix 59310: Do not add a Content-Length: 0 header for custom responses to HEAD requests that do not set a Content-Length value. (markt)
fix When normalizing paths, improve the handling when paths end with /. or /.. and ensure that input and output are consistent with respect to whether or not they end with /. (markt)
fix 59317: Ensure that HttpServletRequest.getRequestURI() returns an encoded URI rather than a decoded URI after a dispatch. (markt)
fix Ensure that the value for the header X-Frame-Options is constructed correctly according to the specification when ALLOW-FROM option is used. (violetagg)
add 59399: Add a new option to the Realm implementations that ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS redirects to be controlled per Realm. (markt)
fix 59449: In ContainerBase, ensure that the process to remove a child container is the reverse of the process to add one. Patch provided by Huxing Zhang. (markt)
fix RMI Target related memory leaks are avoidable which makes them an application bug that needs to be fixed rather than a JRE bug to work around. Therefore, start logging RMI Target related memory leaks on web application stop. Add an option that controls if the check for these leaks is made. Log a warning if running on Java 9 with this check enabled but without the command line option it requires. (markt)
fix Fix a potential concurrency issue with the web application class loader and concurrent reads and writes of the resource cache. (markt)
fix 59619: Within the web application class loader, always use path as the key for the resource cache to improve the hit ratio. This also fixes a problem exposed by the fix for 56777 that enabled file based configuration resources to be loaded from the class path. (markt)
fix Fix the error message that is logged when registering an MBean fails. (kfujino)
Coyote
fix 58970: Fix a connection counting bug in the NIO connector that meant some dropped connections were not removed from the current connection count. (markt)
fix 59289: Do not recycle upgrade processors in unexpected close situations. (remm)
fix Ensure that requests with HTTP method names that are not tokens (as required by RFC 7231) are rejected with a 400 response. (markt)
fix When an asynchronous request is processed by the AJP connector, ensure that request processing has fully completed before starting the next request. (markt)
fix If an async dispatch results in the completion of request processing, ensure that any remaining request body is swallowed before starting the processing of the next request else the remaining body may be read as the start of the next request leading to a 400 response. (markt)
Jasper
fix Fix a memory leak in the expression language implementation that caused the class loader of the first web application to use expressions to be pinned in memory. (markt)
fix 59654: Enforce the requirements of section 7.3.1 of the JSP specification regarding the permitted locations for TLD files. Patch provided by Huxing Zhang. (markt)
WebSocket
fix Ensure that a client disconnection triggers the error handling for the associated WebSocket end point. (markt)
Web Applications
fix Correct a typo in SSL/TLS Configuration How-To. Issue reported via comments.apache.org. (violetagg)
fix 58891: Update the SSL how-to. Based on a suggestion by Alexander Kjäll. (markt)
Tribes
fix Fix potential NPE that depends on the setting order of attributes of static member when using the static cluster. (kfujino)
add Add get/set method for the channel that is related to ChannelInterceptorBase. (kfujino)
fix As with the multicast cluster environment, in the static cluster environment, the local member inherits properties from the cluster receiver. (kfujino)
add Add get/set method for the channel that is related to each Channel services. (kfujino)
add Add a name to the channel in order to identify channels. In a Tomcat cluster environment, it is set to the cluster name + "-Channel" by default. (kfujino)
add Add the channel name to the thread which is invoked by channel services in order to identify the associated channel. (kfujino)
fix Ensure that the channel instance is cleared from the channel services when stopping the channel. (kfujino)
add Implement map state in the replication map. (kfujino)
fix Ensure that the ping is not executed during the start/stop of the replication map. (kfujino)
fix In ping processing in the replication map, send the newly introduced PING message rather than the INIT message. (kfujino)
jdbc-pool
fix Fix a memory leak with the pool cleaner thread that retained a reference to the web application class loader for the first web application to use a connection pool. (markt)
Other
update Update the packaged version of the Tomcat Native Library to 1.2.7 to pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR 1.5.2. (violetagg/markt)
update Remove native code (Windows Service Wrapper, APR/native connector) support for Windows Itanium. (markt)
update Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus additional fixes). (markt)
fix 58626: Add support for a new environment variable (USE_NOHUP) that causes nohup to be used when starting Tomcat. It is disabled by default except on HP-UX where it is enabled by default since it is required when starting Tomcat at boot on HP-UX. (markt)
Use png_set_option(PNG_IGNORE_ADLER32) to control ADLER32 handling.
Changed LD=gcc to LD=$(CC) in Makefile and Makefile-nolib
PkgSrc:
Removed patch-aa as build and installation are done from the main Makefile.
Major changes and fixes since 1.9:
- fix parsing of gcc 4.7 gcov format
- make empty data directories non-fatal
- fix bug when converting function data in --diff operation
- fix handling of user-specified prefixes with trailing /
- fix whitespace handling in --rc command line option
- fix --config-file not being passed to geninfo
- fix --no-external not working with --initial
- Fix handling of non-English locales
- add exclude marker for branch coverage
- make geninfo compatible with LLVM's gcov
- Fix error when using --demangle-cpp
- Implement option to specify coverage rate precision
- make line exclusion markers configurable
- support a comma separated list of prefixes
- Allow prefix paths with spaces
- Fix --remove pattern matching
- Fix gcov version detection for XCode 8.0