* CVE-2012-4431 is fixed in 7.0.32
Changelog:
Tomcat 7.0.34 (markt) 2012-12-12
Catalina
fix 53871: Improve error message if annotation scanning fails during web application start due to poor configuration or illegal cyclic inheritance with the application's classes. (markt)
fix Fix unit test for AccessLogValve when using non-GMT time zone. (rjung)
fix 54170: Ensure correct registration of Filters and Servlets in the JMX registry if the Filter or Servlet name includes a character that must be quoted if used in an ObjectName value. (markt)
add Add new attribute renameOnRotate to the AccessLogValve. (rjung)
fix 54190: Correct unit tests for BASIC authentication so that session timeout is correctly tested. Also refactor unit test to make it easier to add additional tests. Patch by Brian Burch. (markt)
fix 54220: Ensure the ErrorReportValve only generates an error report if the error flag on the response has been set. (markt)
fix Simplify time zone handling in the access log valve and correctly handle various edge cases for non-standard DST changes. (markt)
Web applications
fix 54198: Clarify that HttpServletResponse.sendError(int) results in an HTML response by default. (markt)
fix 54207: Correct JNDI factory package name in Javadoc for org.apache.naming.java.javaURLContextFactory. (markt)
jdbc-pool
code Fix a handful of Eclipse warnings in the JDBC pool source code including the warnings reported in 53565. (markt)
fix 54150: Make sure that SlowQueryReportJmx mbean deregistered during webapp shutdown. Reported by Alex Franken. (kfujino)
fix 54194: Make sure that connection pool mbean is not registered when jmxEnabled is false. Patch provided by tobias.gierke. (kfujino)
Other
update Update to Eclipse JDT Compiler 4.2.1. (markt)
Tomcat 7.0.33 (markt) 2012-11-21
Catalina
add 53960, 54115: Extensions to HttpClient test helper class. Patches by Brian Burch. (markt/kkolinko)
fix 53993: Avoid a possible NPE in the AccessLogValve when the session ID is logged and a session is invalidated. (markt)
fix Add support for LAST_ACCESS_AT_START system property to PersistentManager. (kfujino)
add Update MIME type mapping with additional / updated mime.types from the Apache web server. (markt)
fix 54007: Fix a memory leak that prevented deletion of a context.xml file associated with a Context that had failed to deploy. Also fix the problems uncovered with undeploying such a Context once the leak had been fixed and the file could be deleted. (markt)
fix 54044: Correct bug in timestamp cache used by logging (including the access log valve) that meant entries could be made with an earlier timestamp than the true timestamp. (markt)
fix 54054: Do not share shell environment variables between multiple instances of the CGI servlet. (markt)
fix 54060: Use a simple parser rather than a regular expression to parse HTTP Digest authentication headers so the header is correctly parsed. The new approach is also faster and generates less garbage. (markt)
fix 54068: Rewrite the web fragment ordering algorithm to resolve multiple issues that resulted in incorrect ordering or failure to find a correct, valid order. (markt)
update The HTTP header parser added to address 52811 has been removed and replaced with the light-weight HTTP header parser created to address 54060. The new parser includes a work-around for a bug in the Adobe Acrobat Reader 9.x plug-in for Microsoft Internet Explorer that was identified when the old parser was introduced (53814).
fix 54076: Add an alternative work-around for clients that use SPNEGO authentication and expect the authenticated user to be cached per connection (Tomcat only does this if an HTTP session is available). (markt)
fix 54087: Correctly handle (ignore) invalid If-Modified-Since header rather than throwing an exception. (markt)
fix 54096: In web.xml, <env-entry> should accept any type that has a constructor that takes a single String or char. (markt)
add 54127: Add support for sending a WebSocket Ping. Patch provided by Sean Winterberger. (markt)
fix In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form. (kkolinko)
fix Ensure AsyncListener.timeout() and AsyncListener.complete() are called with the correct thread context class loader. (fhanik)
fix 54123: If an asynchronous request times out without any AsyncListeners defined, a 500 error will be triggered. (markt)
fix 54124: Correct provided value of request attribute javax.servlet.async.request_uri and add missing request attribute javax.servlet.async.path_info. (markt)
add Add denyStatus initialization parameter to CsrfPreventionFilter, allowing to customize the HTTP status code used for denied requests. (kkolinko)
fix 54141: Increase the permitted number of nested Realm levels from 2 to 3 by default and make the limit configurable via a system property. (markt)
fix Revert occasional API change in BaseDirContext class that was done in 7.0.32. Methods should not be final. (kkolinko)
fix Prevent failures in the AccessLogValve when running under a SecurityManager and the first request received is an asynchronous one. (markt)
Coyote
fix Correct an issue that prevented WebSockets from being used over SSL when using the HTTP NIO connector. (markt)
fix 54022: Ensure the Comet END event is triggered on client disconnect with APR/native on Windows Vista/2k8 or later. Patch provided by Douglas Beachy. (markt)
fix 54067: Ensure responses with 1xx response codes are correctly marked as not containing an entity body. This caused an issue for some WebSocket clients when an Transfer-Encoding header was sent with the 101 (HTTP upgrade) response. (markt)
Jasper
code 53867: Optimise the XML escaping provided by the PageContext implementation. Based on a patch by Sheldon Shao. (markt)
code 53896: Use an optimised CompositeELResolver for Jasper that skips resolvers that are known to be unable to resolve the value. Patch by Jarek Gawor. (markt)
fix 53986: Correct a regression introduced by the fix for 53713. JSP comments that ended with the sequence ---%> (or any similar sequence with a odd number of - characters) was not correctly parsed. (markt)
fix 54011: Fix a bug in the tag plug-in for <c:out> that triggered a JSP compilation error if the escapeXml attribute was used. Patch provided by Sheldon Shao. (markt)
code Follow up to 5401. Simplify generated code for <c:out>. Based on a patch by Sheldon Shao. (markt)
fix 54012: Fix a bug in the tag plug-in infrastructure that meant the <c:set> triggered a JSP compilation error when used in a tag file. Based on a patch provided byx 54144: Fix a bug in the tag plug-in for <c:out> that meant that if the value of the tag evaluated to a java.io.Reader object then it was not correctly handled. (markt)
Cluster
fix Add getSessionIdsFull operation to mbeans-descriptor. listSpplications
add 54143: Add display of the memory pools usage (including PermGen) to the Status page of the Manager web application. (kkolinko)
Tribes
fix 54045: Make sure getMembers() returns available member when TcpFailureDetector fix Revert multiple operation support for the JMXProxyServlet pending further discussion. (schultz)
fix CVE-2012-4431: Fix bypass of CsrfPreventionFilter when there is no session. Improve session management in the filter. (kkolinko)
Web apit servlets (JSP and default) are marked as override-able when using embedded mode. (markt)
fix When the DefaultServlet is under heavy load, the HTTP header parser added to address 52811 generates large amounts of garbage and uses significant CPU time. A cache has been added that significantly reduces the overhead of this parser. (markt)
fix 53854: Make directory listings work correctly when aliases are used. (markt)
Jasper
code 53713: Performance improvement of up to four times faster parsing of JSP pages. Patch provided by Sheldon Shao. (markt)
Cluster
add Make the cluster members and the cluster deployer associated with the cluster accessible via JMX. (markt)
fix Fix a behavior of TcpPingInterceptor#uhread. If set to false, ping thread is never started. (kfujino)
Web applications
add Improve the documentation web application to clarify the difference between the tag and version parameters when using text interface of the Manager web application. (markt)
add Make sessions saved in the Store associated with a Manager that extends PersistentManager optionally visible (via the showProxySessions Servlet initialisation parameter in web.xml) to the Manager web application. (markt)
Changelog:
The Apache Tomcat Project is proud to announce the release of version 7.0.30
of Apache Tomcat. This release contains numerous bug fixes and improvements
compared to version 7.0.29. The notable changes include:
* Significantly reduced memory footprint during web application start while
Servlet 3.0 annotation and SCI scanning is in progress.
* Adds support for scanning of classes that use Java 7 specific byte code
for Servlet 3.0 annotation and SCI scanning.
* Improvements to DIGEST and FORM authentication.
Full details of these changes, and all the other changes, are available in the
http://tomcat.apache.org/tomcat-7.0-doc/changelog.html .
Tomcat 7.0.26 (markt)
Catalina
code Provide constants for commonly used Charset objects
and use these constants where appropriate. (markt)
Refactor the fix for 52184 to correct two issues (a
fix missing class and incorrect class/method names) when
using the extras logging packages. (markt)
52444: Only load classes during HandlesTypes
fix processing if the class is a match. Previously,
every class in the web application was loaded
regardless of whether it was a match or not. (markt)
fix 52488: Correct typo: exipre -> expire. (markt)
add Add a unit test for SSO authentication. Patch
provided by Brian Burch. (markt)
52511: Correct regression in the fix for 51741 that
fix caused a harmless exception to be logged when
scanning for annotations and WEB-INF/classes did not
exist. (markt)
code Refactor to remove a circular dependency between
org.apache.catalina and org.apache.naming. (markt)
Remove some initialisation code from the standard
code start process (i.e. via the scripts) that was
intended for embedding but is not required when
performing a standard start.(markt)
Add new method to MBeanFactory that allows any Valve
add to be created and deprecate the methods to create
specific Valves. (markt)
add Partial sync of MIME type mapping with mime.types
from the Apache web server. (rjung)
52577: Fix a regression in the fix for 52328.
fix Prevent output truncation when reset() is called on
a response. (mark)
52586: Remove an old and now unnecessary hack that
fix modified the path info reported via the
javax.servlet.forward.path_info request attribute
when forwarding to an error page. (markt)
52587: Ensure that if it is necessary to fall back
fix to the default NullRealm, the NullRealm instance is
created early enough for it to be correctly
initialised. (markt)
fix Fix millisecond output in AccessLogValve when using
a SimpleDateFormat based time pattern. (rjung)
52591: When dumping MBean data, skip attributes
fix where getters throw UnsupportedOperationException.
(markt)
52607: Ensure that the extension validator checks
fix the JARs in the shared and common class loaders for
extensions. (markt)
Correct a threading issue in the generation of the
list of standard authenticators during Context
fix initialization that could lead to a web application
failing to start if Contexts were started in
parallel. (markt)
52669: Correct regression that broke annotation
processing in /WEB-INF/classes for web applications
fix deployed as WARs, packageless classes and some
embedding scenarios. The regression was introduced
by the invalid assumptions made in the fix for
51741. (markt)
fix 52671: When dumping MBean data, skip attributes
where getters throw NullPointerException. (markt)
Javadocs
Coyote
51543: Provide a meaningful error message when
add writing more response headers than permitted.
(markt)
52547: Ensure that bytes written (which is used by
fix the access log) is correctly reset after an HTTP 1.0
request has been processed. (markt)
code Minor refactoring to reduce code duplication in the
HTTP connectors. (markt)
52606: Ensure that POST bodies are available for
fix reply after FORM authentication when using the AJP
connectors. (markt)
* Building
Jasper
52474: Ensure that leading and trailing white space
fix is removed from listener class names when parsing TLD
files. (markt)
52480: When converting class path entries from URLs
to files/directories, ensure that any URL encoded
fix characters are converted. Fixes JSP compilation with
javac when Tomcat is installed at a path that
includes spaces. (markt)
fix 52666: Correct coercion order in EL when processing
the equality and inequality operators. (markt)
Web applications
Improve BUILDING.txt. Update instructions for
update building. Add instructions for using Checkstyle
and running the tests. (kkolinko)
38216: Improve handling of null return values in
add the JMX proxy servlet which is part of the Manager
application. (kkolinko)
52515: Make it clear in the Realm how-to in the
fix documentation web application that digested
password storage when using DIGEST authentication
requires that MD5 digests are used. (markt)
fix 52634: Fix typos in JSP examples. Patch provided
by Felix Schumacher. (rjung)
fix 52641: Remove mentioning of ldap.jar from docs.
Patch provided by Felix Schumacher. (rjung)
jdbc-pool
Fix code style issues and enable Checkstyle checks
fix for jdbc-pool when it is built within Tomcat.
(kkolinko)
fix 51582 Correct set and reset the query cache to avoid
NPE (fhanik)
Other
Update Commons Daemon to 1.0.9 to resolve 52548 which
fix meant that services created with service.bat did not
set the catalina.home and catalina.base system
properties. (markt)
Implement check for correct end-of-line characters in
add the source files. It is run as separate target in
build.xml. (kkolinko)
Apache Tomcat is an implementation of the Java Servlet and JavaServer Pages
technologies. The Java Servlet and JavaServer Pages specifications are
developed under the Java Community Process.
Apache Tomcat is developed in an open and participatory environment and
released under the Apache Software License. Apache Tomcat is intended to
be a collaboration of the best-of-breed developers from around the world.
We invite you to participate in this open development project.
Apache Tomcat powers numerous large-scale, mission-critical web applications
across a diverse range of industries and organizations.
I have tested some war apps and they works. But not fully tested.
