It fixes an Important vulnerability.
Changes between 1.2.22 and 1.2.23
Native
Change the default value of JkOptions to ForwardURICompatUnparsed. The
old default value was ForwardURICompat. This should make URL
interpretation between Apache httpd and Tomcat consistent (prevent
double decoding problems). (rjung)
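To make the double-decoding point concrete, here is an added model of the two JkOptions forwarding modes (example code, not mod_jk or Tomcat source); it assumes httpd percent-decodes the request path once before mod_jk sees it and that the servlet container decodes whatever it receives once more, and shows how the mount decision made by httpd and the resource resolved by the container diverge for a doubly encoded request under the old default.

```python
"""Model of the two mod_jk URI forwarding modes named in the 1.2.23 entry.

Added illustration, not mod_jk or Tomcat code.  Model assumptions:
Apache httpd percent-decodes the request path once before mod_jk sees it,
and the servlet container percent-decodes whatever it receives once more.
"""
from urllib.parse import unquote

COMPAT = "ForwardURICompat"            # old default: forward httpd's decoded URI
UNPARSED = "ForwardURICompatUnparsed"  # new default: forward the raw request URI


def httpd_decoded(uri):
    """What httpd (and therefore JkMount matching) works with: one decode."""
    return unquote(uri)


def forwarded_uri(uri, option):
    """URI that mod_jk puts on the wire for the given JkOptions value."""
    if option == COMPAT:
        return httpd_decoded(uri)
    if option == UNPARSED:
        return uri
    raise ValueError(f"unknown JkOptions value: {option}")


def container_path(uri, option):
    """Path the container resolves: one more decode of what it received."""
    return unquote(forwarded_uri(uri, option))


def segments(path):
    """Non-empty path segments, as a container would split them."""
    return [s for s in path.split("/") if s]


def consistent(uri, option):
    """True when httpd and the container resolve the same path."""
    return httpd_decoded(uri) == container_path(uri, option)


def flag_inconsistent(uris, option=COMPAT):
    """Requests whose mount decision (httpd) and resource (container) diverge."""
    return [u for u in uris if not consistent(u, option)]


# Constructed sample requests: "%25" is an encoded "%", so the second entry
# is doubly encoded and is the only one the two modes treat differently.
SAMPLE_URIS = [
    "/app/hello%20world",
    "/app/a%252Fb",
    "/app/plain/path",
]

if __name__ == "__main__":
    for uri in SAMPLE_URIS:
        for option in (COMPAT, UNPARSED):
            path = container_path(uri, option)
            print(f"{option:26} {uri:20} httpd={httpd_decoded(uri)!r:20} "
                  f"container={path!r} segments={len(segments(path))}")
    print("inconsistent under", COMPAT, "->", flag_inconsistent(SAMPLE_URIS))
```

Under ForwardURICompat the doubly encoded request is matched by httpd as two segments but resolved by the container as three; under ForwardURICompatUnparsed both sides see the same path.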
Changes between 1.2.21 and 1.2.22
Native
Refactor line endings logging to make it correct for all platforms and webservers. (mturk)
Added command line windows make files. (mturk)
Allow fail_on_status directive to be multi line. (mturk)
42076: Fix name of new option from ForwardCertChain to ForwardSSLCertChain as documented. (rjung)
Docs: Fix a couple of typos, change format of a few tables, fix links to news pages. (rjung)
Fix correct URL for TC 6 examples in new IIS rewrite.properties configuration example file. (rjung)
Add svn properties to several files. (rjung)
Add TC 6 examples to uriworkermap.properties in config examples. (rjung)
Allow multiple status codes for fail_on_status directive. The status codes can be delimited by space or comma characters. (mturk)
IIS. Added PCRE-like regular expressions for URL rewrite rules. (mturk)
41922: Apache 1.3. Enable JkEnvVar. (mturk)
Apache. Add --enable-flock configure parameter for explicit compilation of faster flock() system calls for OS supporting those calls. By default the fcntl system call for locking will be used that is a little bit slower but it can work on NFS mounted volumes as well. (mturk)
41562: Add Debug logging for read from client in ISAPI Redirector. Contributed by Tim Whittington. (mturk)
Apache. Add ForwardSSLCertChain JkOption. Contributed by Patrik Schnellmann. (mturk)
IIS. Do not forbid access to web-inf or meta-inf if there is no mapped worker. This allows having resources with those names outside mapped contexts. (mturk)
Apache. Use process id for creating shared memory name and delete shared memory and shared memory lock files on exit. (mturk)
IIS. Fix Keep-Alive regression introduced in 1.2.21. (mturk)
Delete unused check for empty init_map during startup. (rjung)
41770: Fix startup error if no JkWorkersFile is used. (rjung)
Use JK_TRUE/JK_FALSE instead of OK/!OK as return values in init_jk(). (rjung)
Minor adjustments to apache startup log messages (when to use STDERR, remove deprecated NOERRNO flag, shm warning and warnings for usage of default files). (rjung)
Replace APR precompiler directive by httpd mpm_query to detect MPM threading. Add a debug log message about auto-detected pool size. (rjung)
Make MMN check easier to understand and a little more precise (for new ap_get_server_banner()/ap_get_server_description()). We use the new API only for Apache httpd 2.3. This way our binaries are not tightly coupled to a minor 2.0 version, and we don't use ap_get_server_banner() anyway. (rjung)
Use the full description string ap_get_server_description() instead of the truncated info from ap_get_server_banner(), because this info gets used internally (status worker display and ajp14 backend communication) and is not sent back to the normal user. (rjung)
41757: Document the "--enable-prefork" flag of configure. (rjung)
Enhance log messages for failures when parsing attribute maps. (rjung)
Correct log message during worker initialization, in case remote host could not be resolved. We logged the default host name "localhost" instead of the configured one. (rjung)
41770: Fix the second part of the bug: local_worker and local_worker_only are missing from the list of deprecated attributes (and not supported either), so they prevent the web server from starting up. (rjung)
Changes between 1.2.20 and 1.2.21
Native
CVE-2007-0774: A denial of service and critical remote code execution vulnerability. Caused by a buffer overflow in map_uri_to_worker() when URLs were longer than 4095 bytes. Reported by ZDI (www.zerodayintiative.com). Please note this issue only affected versions 1.2.19 and 1.2.20 of the Apache Tomcat JK Web Server Connector and not previous versions. Tomcat 5.5.20 and Tomcat 4.1.34 included a vulnerable version in their source packages. Other versions of Tomcat were not affected.
Check the worker. parameters and don't start if the parameter is not a valid one. (jfclere)
41439: Allow session IDs to get stripped off URLs of static content in Apache by adding JkStripSession directive (configurable per vhost). (mturk)
Change semantics of empty defaults for JkEnvVar variables. Until 1.2.19: not allowed. In 1.2.20: send variables as empty strings, if neither set to non-empty in config, nor during runtime. Starting with 1.2.21: if config has no second argument, only send the variable if it is set (even when set to an empty string) during runtime. Allows a good combination with the condition attribute in the Tomcat access log. (rjung)
41610: Fix incorrect detection of missing Content-Length header leading to duplicate headers. Contributed by Boris Maras. (rjung)
Better build support for SunONE (Netscape/iPlanet) webservers. (jim)
Add warning if duplicate map keys are read and are not allowed, e.g. when parsing uriworkermap.properties. (rjung)
Don't concat worker names, if uriworkermap.properties has a duplicate pattern, instead overwrite the worker. (rjung)
Log deprecation message even in duplication case. (rjung)
uriworkermap.properties: Fix off-by-one problem when deleting URL mapping during reloading of uriworkermap.properties. (rjung)
41439: Allow session IDs to get stripped off URLs of static content in IIS (configurable). (rjung)
41333: Refactoring isapi_plugin configuration reading. (rjung)
41332: Add some more errno logging and unify the format. (rjung)
JkStatus: Improved logging by adding status worker name to messages. Added messages to the recover worker action. (rjung)
JkStatus: Refactoring searching for workers and sub workers. (rjung)
41318: Add configuration to make status worker user name checks case insensitive. (rjung)
JkStatus: Add estimated time until next global maintenance to other mime types and adopt jkstatus ant task. (rjung)
JkStatus: Show estimated time until next global maintenance. Change displayed time until next recovery to a min/max pair. (rjung)
JkStatus: Allow a user of a read/write status worker to switch it to and from read_only mode temporarily. (rjung)
JkStatus: Do not show read/write commands in a read_only status worker. (rjung)
JkStatus: Allow lb sub workers in error state to be marked for recovery administratively from the status worker. (rjung)
Load Balancer: Do not try to recover multiple times in parallel. Use additional runtime states "PROBE" and "FORCED". (rjung)
JkStatus: Improve data synchronization between different processes. (rjung)
41381: Fix segfault in feature fail_on_status (wrong order of log arguments). Patch by Juri Haberland. (rjung)
Use correct windows line endings for log file on WIN32 platform. (rjung)
Changes between 1.2.19 and 1.2.20
Native
JkStatus Ant Task documentation page. (pero/rjung)
JkStatus Ant Tasks: Add new tasks for update and reset. (pero)
JkStatus Ant Tasks: Update for new xml status format. (pero)
Allow integer and string values when setting enumeration/boolean attributes via status worker update action. (rjung)
Docs: New reference guide page for status worker. (rjung)
Docs: Renaming the config dir to reference and using the title Reference Guide in the docs. (rjung)
Added retry_on_status for workers directive. (mturk)
Status Worker: Add directive to make property prefix and good/bad rule configurable. (rjung)
Status Worker: Omit lb members when att=nosw. (rjung)
Status Worker: New command cmd=version for a short version output. (rjung)
Status Worker: New output type mime=prop produces property lists. (rjung)
Apache: Fix incorrect handling of JkEnvVar when Vars are set multiple times. (rjung)
Renamed jvm_route to route. Deprecated jvm_route, but still use it as fallback when parsing the worker configuration. (rjung)
IIS: Make uriworkermap file reload check interval configurable. (mturk)
Apache: Make uriworkermap file reload check interval configurable. (rjung)
Status Worker: Add directives for customizing the XML output (ns, xmlns, doctype). (mturk)
Docs: New page with description of uriworkermap. (rjung)
Docs: Added short description of max_packet_size to worker reference. (rjung)
Status Worker: All functions accessible also for xml and txt mime types (list, show, update, reset). (rjung)
Status Worker: New global health indicators for load balancers named bad (error, recovering or stopped), degraded (busy or disabled) and good (the rest, active and OK or N/A). (rjung)
Status Worker: New edit page, to change one attribute for all members of a load balancer. (rjung)
Status Worker: Standard logging for status worker. (rjung)
Status Worker: code refactoring. (rjung)
Status Worker: New attribute user (list) denies access, if the request user in the sense of remote_user is not in this list. Empty list = no deny (rjung)
Status Worker: New attribute read_only disables the parts of the status worker, that change states and configurations. (rjung)
36121: Don't change main uri when mod_jk serves included uri. (markt)
Apache VHosts: Merge JkOptions +base - -base + +vhost - -vhost. (rjung)
Apache Docs: Adding requirements, context information, default values and inheritance rules to the Apache config documentation. (rjung)
Status Worker: Add source type to status worker, remove the redundant "context" column in the map listing (context=uri). (rjung)
uriworkermap: On reload of the file, all old entries from the previous file version get deleted, before the new ones are being read. (rjung)
Keep normal maps and exclusion maps internally separate. Don't treat them as the same when adding a rule. (rjung)
Status Worker: Display mapping rules also for non-lb workers and in global view. (rjung)
Apache VHosts: Use the vhost log files instead of the main log. (rjung)
Apache VHosts: Allow individual timestamp formats by refactoring the formatting method. (rjung)
Apache VHosts: Adding all missing config items to the virtual host level. Don't overwrite the settings from the global server, but inherit them in case they are not set in the virtual host. (rjung)
Apache: remove unnecessary function names from log messages. (rjung)
Apache: add a default log file location and a message, if the default gets used. (rjung)
Apache: add missing JK_IS_DEBUG_LEVEL() (rjung)
Apache VHosts: Allow JkWorkersFile, JKWorkerProperty, JkShmFile and JkShmFileSize only in global virtual server. (rjung)
Add some more jk_close_socket() and reduce log level for some info messages. (rjung)
Load Balancer: Added the Sessions strategy. Contributed by Takayuki Kaneko. (rjung)
Docs: Minor enhancements and syncing with more recent versions. (rjung)
40997: Separate uri mappings from their '!' counterpart when checking for duplicates in uriworkermap reloading. (rjung)
40877: Make sure the shared memory is reset on attach for multiple web server child processes. (mturk)
IIS: Added shm_size property to be able to deal with over 64 workers configurations. (mturk)
IIS: Increase default thread count to 250, so it's the same as the Apache Httpd default configuration. (mturk)
40966: Fix socket descriptor checks on windows. (mturk)
40965: Initialize missing service parameters. (mturk)
40938: Fix releasing of rewrite map. Thanks to Chris Adams for spotting that. (mturk)
Apache: Added +FlushHeader JkOptions. (mturk)
Added explicit flush when AJP body packet size is zero. (mturk)
40856: Fixing case sensitivity bug in URL mapping. (rjung)
40793: Documentation: Improvements to Apache HowTo provided by Paul Charles Leddy. (markt)
40774: Fixing wrong recursion termination. This one restricted the "reference" feature unintentionally to 20 workers. (rjung)
40716: Adding "reference" feature to IIS and Netscape. (rjung)
Documentation: Corrected SetEnvIf syntax in JK_WORKER_NAME example. (rjung)
Documentation: Added forgotten STATE and ACTIVATION notes for load balancer logging in Apache. (rjung)
Apache: Use instdso.sh instead libtool: libtool does not work on HP-UX for example. (jfclere)
Changes between 1.2.18 and 1.2.19
Native
update Docs: Add SetHandler and new env var to Apache config docs. (rjung)
update Apache 1.3: Backport "no-jk" feature. (rjung)
update Apache: Add an environment variable to make SetHandler "jakarta-servlet" more useful. The variable is JK_WORKER_NAME, but can be changed by the new directive JkWorkerIndicator. (rjung)
fix LB: Don't use single worker shortcut, if the single worker is being disabled. (rjung)
fix Status worker: Add short explanation of activation and error states to legend. (rjung)
fix Docs: Add meaning of zero timeout values for various timeouts in workers.properties. (rjung)
fix LB: Cleanup of Mladen's forced recovery. (rjung)
fix LB: Do not change lb_value for recovering workers to max, if we are using BUSYNESS method. (rjung)
fix Apache: Since 1.2.14 mod_jk failed to detect client abort. (rjung)
fix Docs: Corrected description of JkEnvVar. (rjung)
fix Solaris: Detect filio.h in configure to make the new connection detection build on solaris (r432825). (rjung)
update Add feature to force the recovery of workers that are member of loadbalancer if all the members are in error state. This fixes the time gap where 503 was returned caused by recovery_timeout although the backend was ready to handle the requests. (mturk)
update Docs: Separate deprecated directives in their own table. (rjung)
update Docs: Allow "-" and "_" in worker names. (rjung)
update Allow multiple lines with attributes "balance_workers" and "mount". (rjung)
fix Make jk_is_some_property match more precisely. (rjung)
update JkStatus: Make refresh interval changeable. (rjung)
fix JkStatus: Adjust display of recover time wrt. global maintenance. (rjung)
update LB: Resetting worker state from OK to NA, if worker has been idle too long. (rjung)
fix Avoid compiler warnings concerning the use of lb_*_type arrays. Use functions instead. (rjung)
update Added %R JkRequestLogFormat option for Apache 1 and Apache 2. (mturk)
update Allow changing jvm Route from status manager. (mturk)
fix Do not return 400 if Tomcat fails in the middle of the post request. Return 500 instead. (mturk)
update LB: Combine ok/error/recovering/busy runtime states into a single scalar. (rjung)
update LB: Combine active/disabled/stopped configuration states into a single scalar. (rjung)
update LB: Add several Apache notes to enable standard logging for load balancer results. (rjung)
update LB: Reorganisation of the main load balancer service loop. (rjung)
update Implement hierarchical worker configuration via attribute "reference". (rjung)
update Log deprecated properties. (rjung)
fix IIS: Fix simple_rewrite for the cases where the rewritten url is larger than the original one. (mturk)
update New JkOption "DisableReuse" to disable connection persistence. (jim)
update LB: Move sessionid retrieval out of get_most_suitable_worker into service. (rjung)
update Code cleanup for all service methods (use TRACE, JK_LOG_NULL_PARAMS, null pointer checks). (rjung)
update JKSTATUS: add refresh link. No refresh for updates. Redirect to list view after update. (rjung)
update Add new hook add_log_items into servers. (rjung)
update APACHE httpd: Rename apache logging notes. (rjung)
update LB: Rename lock and method constants. Add constants for defaults. (rjung)
fix Default log level should be INFO and not DEBUG. Default log level should be the same for all server types. (rjung)
fix Make rewrite_rule_map and log_level as non mandatory directives for isapi_redirect. (mturk)
fix 40107: Rewrite is_socket_connected function. Non blocking socket is not used any more. (mturk)
update Allow building with VS2005 without too many warnings. (mturk)
fix Decide by MMN, which piped log API we should use. mod_jk 1.2.18 broke compilation with Apache 1.3 pre 1.3.28. (rjung)
Changes between 1.2.17 and 1.2.18
Native
fix Using socklen_t in getsockopt. Also introducing jk_sock_t. (mturk)
update Allow recovery wait time below 60 seconds (new minimum is 1 second). (mturk)
Changes between 1.2.16 and JK 1.2.17
Native
fix Fix hanging jk status worker when certain attributes are being updated due to double locking. (rjung)
update Allow JkMount to behave like uriworkermap.properties by parsing pipe symbol as two directive marker. (mturk)
Changes between 1.2.15 and JK 1.2.16
Native
update Added simple rewrite capability for IIS. Although simple it will fulfill most needs. (mturk)
update Added RECOVER_ABORT_IF_CLIENTERROR recovery_option that closes the connection if client connection is broken during the request. (mturk)
update Renamed cache_timeout directive to connection_pool_timeout. (mturk)
update Added connection_pool_minsize directive. (mturk)
update Deprecate recycle_timeout directive. (mturk)
update Corrected some HTML syntax bugs in output of status worker. (rjung)
update Added the refresh=n parameter to the status worker. It will update the display every n seconds. (rjung)
update Balancer: Add attribute distance to balanced workers to express preferences between workers. (rjung)
update Balancer: Add attribute jvm_route to balanced workers to be able to use the same target in different balancers. (rjung)
update Status: Add lb_mult to status. (rjung)
update Balancer: Make different balancing strategies work in a similar way (use lb_value, use decay during global maintenance, use integer factors for weights). (rjung)
update Balancer: Improve locking. (rjung)
update Balancer: Workers start slower after recovering. (rjung)
update Balancer: Make different balancing strategies work in a similar way (use lb_value, use decay during global maintenance, use integer factors lb_mult for weights). (rjung)
update Balancer: Move recovery check to global maintenance. (rjung)
update Balancer: Add global maintenance method, that is called in only one process. (rjung)
update Extend our use of autoconf to find a 32Bit and a 64Bit unsigned type and their printf formats. (rjung)
update Logging: piped loggers for JkLogFile and Apache 1.3. (rjung)
update Logging: Add PID to log lines for each log level apart from REQUEST. (rjung)
update Logging: flush buffered logs to keep lines in correct order. Output final newline together with log message. (rjung)
update Reducing shm size. (rjung)
update Only log removing of old worker, when we actually do it. (rjung)
fix 37469: Fix shared memory close for forked children. The shared memory will be closed by the parent process. (mturk)
fix 37332: Fix potential misuse of buffer length with snprintf functions. (mturk)
fix 38859: Protect mod_jk against buggy or malicious AJP servers in the backend. Patch provided by Ruediger Pluem. (mturk)
fix 38889: Use worker map sorting depending on the path elements, to comply with Servlet spec. Patch provided by Steve Revilak. (mturk)
update 36138: Added Busyness lb method. Patch provided by Chris Lamprecht. (mturk)
fix Fix pessimistic locking mode. The patch correctly handles the burst load, by syncing the access to the shared memory data. (mturk)
fix 38806: Recycle worker even if it is disabled. This fixes hot-standby workers in error state. (mturk)
fix 37167: Allow building with BSD-like make. (mturk)
fix ISAPI plugin (isapi_redirect.dll) did not provide correct request data for IIS to include in the IIS log. (markt)
all PEAR packages to php?-pear-* and all Apache packages to ap13-* or
ap2-* respectively. Add new variables to simplify the Makefile
handling. Add CONFLICTS on the old names. Reset revisions of bumped
packages. ap-php will now depend on the default Apache and PHP version.
All programs using it have an implicit option of the Apache version
as well.
OK from jlam@ and adrianp@.
Changes from the released JK 1.2.14
Native
fix Fix lb for worker mpm's with cachesize set to a lower
number than ThreadsPerChild. If retries is set to a
value larger than 3, sleep for 100 ms on each attempt.
This makes it possible to tune the connection cache, and
serialize incoming connections instead of returning busy
if the connection count is larger than cachesize. (mturk)
fix 36525: Solaris core dump. (mturk)
fix 36102: Worker actions do not persist. (mturk)
fix 35864: Status worker doesn't list workers. Patch
provided by Martin Goldhahn. (mturk)
fix 35809: JkMountCopy doesn't work for Apache 2.0. Patch
provided by Christophe Dubach. (mturk)
fix 35298: Multiple JK/ISAPI redirectors on a single IIS
site are not supported. Patch provided by Tim
Whittington. (mturk)
Changes from the released JK 1.2.13
Native
fix 34397: Emergency was handled as Error. (jfclere)
fix 34474: // in URL were not handled correctly with
Apache-1.3. (jfclere)
fix Use 64 bits int for transferred/read bytes.
update Added JkOptions +FlushPackets used to optimize
memory usage when sending large data. (mturk)
update Added lock directive for load balancer that allows
more accurate load balancing in case of burst load.
(mturk)
update Added worker.maintain directive to allow
customizing default 10 second timeout. On busy
servers this value needs to be set on higher value.
(mturk)
fix Fix for NetWare compiler to deal with different
types between AP13 and AP2 SDKs. (fuankg)
update Emit much more legible user.dmp crash analysis
output for WIN32. (wrowe)
fix 34558: Fix first failover request. (mturk)
Changes from the released JK 1.2.12
Native
update Added ForwardLocalAddress JkOptions flag for
passing the local instead of the remote address. Useful for
the remote addr valve. (mturk)
fix Fix that worker not used, when stopped flag is
true. (pero)
update Add loadbalance default worker secret attribute to
the documentation (pero)
Changes from the released JK 1.2.11
Native
fix Backport SC_M_JK_STORED from JK2 for passing
arbitrary methods instead of failing the request.
(mturk)
fix Added missing SEARCH and ACL http methods. (mturk)
update Add worker secret attribute to the documentation
(pero)
update Add a stopped flag to worker configuration. Set the
flag to True and all traffic to the worker is
stopped. Also update the Ant JkStatusUpdateTask at
Tomcat 5.5.10 release. Only useful in a replicated
session cluster. (pero)
update Added worker maintain function that will maintain
all the workers instead of just the current one. This
makes it possible to recycle the connections on all workers.
(mturk)
update Use shutdown when recycling connections instead of
hard breaking the socket. (mturk)
update Add unique directives checking. Directives that are
unique are now overwritten instead of concatenated.
(mturk)
update Allow multiple worker.list directives. (mturk)
fix 34577: For IIS log the original request instead of logging
the request for the ISAPI extension. (mturk)
fix 34558: Make sure the returned status codes are the
same for ajp and lb workers. (mturk)
fix 34423: Use APR_USE_FLOCK_SERIALIZE for setting log
lock on platforms like FreeBSD. Patch provided by
Allan Saddi. (mturk)
fix 33843: Fix obtaining LDFLAGS that were used for
building Apache HTTPD. Patch provided by Beat
Kneubuehl. (mturk)
fix 34358: Enable load balancer method configuration.
(glenn)
fix 34357: In some situations Apache 2 mod_jk could
segfault when the JkAutoAlias directive is used.
(glenn)
update Add --enable-prefork to the documentation (pero)
Changes from the released JK 1.2.10
Native
update Set default shared memory to 64K instead of 1M.
(mturk)
fix Do not mark the worker in error state if headers
are larger than the AJP13 limit. (mturk)
update On iSeries you should use the latest PTF for Apache
2.0 (which is now 2.0.52) and at minimum SI17402/
SI17061 or a cumulative PTF including them. (hgomez)
update Change the xml status format to xml attribute
syntax (pero)
fix 33248: Fix builds where apxs defines multiple
directories for APR includes. (mturk)
fix 32696: Return 404 instead of 403 when WEB-INF is
requested to comply with the Servlet spec. (mturk)
update Added ANT task for managing jkstatus. (pero)
update If socket_timeout is set, check if socket is alive
before sending any request to Tomcat. (mturk)
update Added JkMountFile for Apache web servers. This file
can contain uri mappings in the form (/url=worker),
and is checked for updates at a regular 60-second
interval. (mturk)
update Added status worker for managing worker runtime
data using web page. (mturk)
update Added load balancer method directive that is used
for setting the algorithm used for balancing
workers. Method can be either Request (default) or
Traffic. (mturk)
update Added shared memory to allow dynamic configuration.
Shared memory is needed only for unix platforms and
web servers having multiple child processes. For
the Apache web server two new directives have been added
(JkShmFile and JkShmSize). (mturk)
update Added textupdate mode to status worker to handle
remote updates from ant tasks. (pero)
fix 33562: Fix Reply_timeout when recovery_options is
larger than 1. Patch provided by Takashi Satou.
(mturk)
fix 33308: Fix segfaults when ForwardDirectories is
enabled with Apache 1.3
Changes from the released JK 1.2.8
Native
update Allow anyone to debug and diagnose stack dumps
using windbg or any other debugging tool, and (if
they add the .pdb files to their installation) to
make sense of dr watson logs. Patch provided by
William A. Rowe (wrowe)
fix Fix in_addr_t usage by using the real struct
ignoring typedef. Patch provided by William A. Rowe
(wrowe)
fix Fix url rewriting by restoring the in place uri
from which the jsessionid was removed. (mturk)
update Make load balancer algorithm thread safe by
introducing mutex to the load balancer worker.
(mturk)
fix Fix sending error pages for IIS to client by adding
Content-Type header using correct api function
call. (mturk)
fix 32696: Prevent IIS from crashing when a web-inf url
was requested. (mturk)
update Use default cachesize for servers that support
discovering the number of threads per child
process. (mturk).
fix Fix Apache content-length header parsing using case
insensitive compare. (billbarker)
fix Fix parsing AJP headers using case insensitive
compare. (mturk)
fix Use infinite socket timeout if socket_timeout is
set to zero or less than zero. (mturk)
update Change balanced_workers to balance_workers but keep
backward compatibility preserving the old
directive. (mturk).
fix Fix ajp initialization for workers with cache_size
set to zero. (mturk)
update 32317: Making mod_jk replication aware (Clustering
Support). Patch provided by Rainer Jung. (mturk).
fix 31132: Core dump when JkLogFile is missing from
conf. (mturk)
rather than PKG_FAIL_REASON, so that they provide useful error
messages in build logs, and so that they continue to work on platforms
where they aren't broken.
We are not advancing to the 3.3 or 4.0 branches at the moment, as neither
will work with our native JDK without a lot more work.
Changes since Tomcat 3.2.3 (the last pkgsrc version):
7.1 Fixes and Enhancements in Release 3.2.4
This section highlights the bugs fixed in this release.
- Cookie name expires is a reserved token (#1114)
- Thread initialization problem in thread pool (#1745)
- AJP12 returned invalid HTTP headers when redirecting to very
long URLS (#2333)
- Fixed casting problem in JspFactoryImpl.getPageContext(). (#4260)
- Setting session-timeout in web.xml did not prevent sessions from
timing out. (#4412)
- Fixed race condition in ServerSocketFactory.getDefault(). (#4418)
- Removed the restrictions on encoded special characters in URLs
that were added as a security precaution in 3.2.3. The encoded
special characters are not decoded and remain in the URL and
path info returned to servlets.
- Jk_nt_service now supports the ability to be restarted automatically
by the Windows 2000 service control manager if Tomcat terminates
abnormally.
- Fixed invalid servlet mapping in web.xml generated by JspC (#3474, #3499)
- Added findResource() and findResources() to AdaptiveClassLoader12
- A Date: HTTP header is now sent in responses when running
standalone. (#345)
- Simple held on to a reference to removed objects preventing
garbage collection.
- Tomcat 3.2.4 now ships with JAXP 1.1. Prior releases used
JAXP 1.0.1. Tomcat 3.2.4 remains completely compatible with
the older version of JAXP and there is no requirement for users
to upgrade to JAXP 1.1 unless their applications require the new
version.
- Fixed NullPointerException in HttpConnectionHandler. (#4577)
7.2 Security Vulnerabilities fixed in Tomcat 3.2.4
The randomness of generated session ids has been enhanced to prevent the
generation of guessable ids.
foo-* to foo-[0-9]*. This is to cause the dependencies to match only the
packages whose base package name is "foo", and not those named "foo-bar".
A concrete example is p5-Net-* matching p5-Net-DNS as well as p5-Net. Also
change dependency examples in Packages.txt to reflect this.
so we need to set -I to get the headers there. (There's some
-I.../include/netbsd already, i guess that's for a NetBSD-native JDK or
something, not touching that one).
Addresses PR 12571 by Omar Asfour <oasfour@email.com>