Tomcat 6.0.36 (jfclere)
Catalina
++++++++
update 48692: Provide option to parse
application/x-www-form-urlencoded PUT requests. (schultz)
add 50306: New StuckThreadDetectionValve to detect requests
that take a long time to process, which might indicate that
their processing threads are stuck. Based on a patch
provided by TomLu. (kkolinko)
fix 50570: Enable FIPS mode to be set in AprLifecycleListener.
Based upon a patch from Chris Beckey. Note that this mode
requires tomcat-native 1.1.23 or later linked to a
FIPS-capable OpenSSL library, which one has to build by
themselves. (schultz/kkolinko)
fix Improve synchronization and error handling in
AprLifecycleListener. Do not allow to change SSL options
if SSL has already been initialized. (schultz/kkolinko)
fix 52225: Fix ClassCastException when adding an alias for an
existing host via JMX. (kkolinko)
fix 52293: Correctly handle the case when antiResourceLocking
is enabled at the Context level when unpackWARs is disabled
at the Host level. Correctly handle multi-level contexts
when antiResourceLocking is enabled. Patch by Justin Miller.
(kkolinko)
fix Do not throw IllegalArgumentException from parseParameters()
call when chunked POST request is too large, but treat it
like an IO error. The FailedRequestFilter filter can be
used to detect this condition. (kkolinko)
fix 52384: Do not fail with parameter parsing when debug
logging is enabled. (kkolinko)
fix Do not flag extra '&' characters in parameters as
parse errors. (kkolinko)
fix 52488: Correct typos: exipre -> expire. Based on a patch
by prockter. (markt)
fix Reduce log level for the message about hitting
maxParameterCount limit from WARN to INFO. Fix limit
comparison to allow exactly maxParameterCount parameters,
as documentation says, instead of (maxParameterCount-1).
(kkolinko)
fix Slightly improve performance of UDecoder.convert(). Align
%2f handling between implementations. (kkolinko)
add Add denyStatus attribute to RequestFilterValve
(RemoteAddrValve, RemoteHostValve valves). It allows to
use different HTTP response code when rejecting denied
request. E.g. 404 instead of 403. (kkolinko)
add Add SetCharacterEncodingFilter (similar to the one
contained in the examples web application) to the
org.apache.catalina.filters package so that it is
available for all web applications. (kkolinko)
add 52500: Added configurable mechanism to retrieve user
names from X509 client certificates. Based on a patch
provided by Michael Furman. (schultz/kkolinko)
fix 52719: Fix a theoretical resource leak in the JAR
validation that checks for non-permitted classes in
web application JARs. (markt)
fix 52830: Correct JNDI lookups when using javax.naming.Name
to identify the resource rather than a java.lang.String.
(markt)
add 52850: Extend memory leak prevention and detection
code to work with IBM as well as Oracle JVMs. Based on
a patch provided by Rohit Kelapure. (kkolinko)
add 52996: In StandardThreadExecutor: Add the ability to
configure a job queue size (maxQueueSize attribute).
Add a variant of execute method that allows to specify
a timeout for how long we want to try to add something
to the queue. Based on a patch by Rüdiger Plüm. (kkolinko)
fix 53047: If a JDBCRealm or DataSourceRealm is configured
for an all roles mode that only requires authorization
(and no roles) and no role table or column is defined,
don't populate the Principal's roles. (markt/kkolinko)
fix 53050: Fix handling of entropy value when initializing
session id generator in session manager. Based on proposal
by Andras Rozsa. (kkolinko)
fix 53056: Add APR version number to tcnative version INFO
log message. (schultz)
fix 53057: Add OpenSSL version number INFO log message
when initializing. (schultz)
fix 53071: Use the message from the Throwable for the error
report generated by the ErrorReportValve if none was
specified via sendError(). Use the standard text for
HTTP error codes. (markt/rjung)
update 53230: Change session managers to throw
TooManyActiveSessionsException instead of
IllegalStateException when the maximum number of sessions
has been exceeded and a new session will not be created.
(schultz/kkolinko)
fix 53267: Ensure that using the GC Daemon Protection feature
of the JreMemoryLeakPreventionListener does not trigger
a full GC every hour. (markt/kkolinko)
fix 53531: Fix ExpandWar.expand to check the return value
of File.mkdir and File.mkdirs. (schultz)
fix Make the CSRF nonce cache in CsrfPreventionFilter
serializable so that it can be replicated across a cluster
and/or persisted across Tomcat restarts. (markt)
fix 53584: Ignore path parameters when comparing URIs for
FORM authentication. This prevents users being prompted
twice for passwords when logging in when session IDs
are being encoded as path parameters. (markt)
fix Various improvements to the DIGEST authenticator
including 52954, the disabling caching of an authenticated
user in the session by default, tracking server rather
than client nonces and better handling of stale nonce
values. (markt)
fix Remove unneeded handling of FORM authentication in
RealmBase. (kkolinko)
fix 53800: FileDirContext.list() did not provide correct paths
for subdirectories. Patch provided by Kevin Wooten.
(kkolinko)
fix 53830: Better handling of Manager.randomFile default
value on Windows. (kkolinko)
fix Improve session management in CsrfPreventionFilter.
(kkolinko)
Coyote
++++++
fix 42181: Better handling of edge conditions in chunk
header processing. (kkolinko)
update 51477: Support all SSL protocol combinations in the
APR/native connector. This only works when using the
native library version 1.1.21 or later. (rjung)
fix 52055 (comment 14): Correctly reset
ChunkedInputFilter.needCRLFParse flag when the filter
is recycled. (kkolinko)
fix 52606: Ensure replayed POST bodies are available when
using AJP. (markt)
fix 52858: Fix high CPU load with SSL, NIO and sendfile
when client breaks the connection before reading all
the requested data. (fhanik/kkolinko)
fix 53119: Prevent buffer overflow errors being reported
when a client disconnects before the response has been
fully written from an AJP connection using the APR/native
connector. (kkolinko)
fix Improve InternalNioInputBuffer.parseHeaders(). (kkolinko)
add Implement maxHeaderCount attribute on Connector.
It is equivalent of LimitRequestFields directive of
Apache HTTPD. Default value is 100. (kkolinko)
fix In JkCoyoteHandler connector for AJP/1.3 protocol
(in JkMain.setProperty()): Fix setting of properties
when connector has already started for properties that
have aliases. E.g. it now allows to change maxHeaderCount
attribute on Connector MBean via JMX. (kkolinko)
fix 53725: Fix possible corruption of GZIP'd output. (kkolinko)
Jasper
++++++
fix 48097 (comment 7), 53366 (comment 1): If JSP page
unexpectedly fails to initialize PageContext instance,
write exception to the logs instead of silent swallowing.
(kkolinko)
fix 52335: Only handle <\% and not \% as escaped in
template text. (markt)
fix 52666: Correct coercion order in EL when processing the
equality and inequality operators. (markt)
fix 53001: Revert the fix for 46915 since the use case
described in the bug is invalid since it breaks the EL
specification. (markt)
fix 53032: Modify JspC so it extends org.apache.tools.ant.Task
enabling it to work with features such as namespaces
within build.xml files. (markt)
Cluster
+++++++
fix Replicate principal in ClusterSingleSignOn. (kfujino)
fix 53513: Fix race condition between the processing of
session sync message and transfer complete message. (kfujino)
fix 53606: Fix potential NPE in TcpPingInterceptor. Based
on a patch by F. Arnoud. (markt)
fix 53607: To avoid NPE, set TCP PING data to ChannelMessage.
Patch provided by F.Arnoud (kfujino)
fix Fix a behavior of TcpPingInterceptor#useThread. Do not
start a ping thread when useThread is set to false. (kfujino)
Web applications
++++++++++++++++
fix 52243: Improve windows service documentation to clarify
how to include # and/or ; in the value of an environment
variable that is passed to the service. (markt)
fix 52515: Make it clear in the Realm how-to in the
documentation web application that digested password
storage when using DIGEST authentication requires that
MD5 digests are used. (markt)
fix 52641: Remove mentioning of ldap.jar from docs. Patch
provided by Felix Schumacher. (rjung)
fix Remove obsolete bug warning from windows service
documentation page. (rjung)
fix 52983: Remove unnecessary code that makes switching to
other authentication methods difficult. (markt)
fix 53158: Fix documented defaults for DBCP. Patch provided
by ph.dezanneau at gmail.com. (rjung)
update Update JavaSE documentation links to point to the current
docs.oracle.com site, instead of obsolete ones
(download.oracle.com, java.sun.com). (kkolinko)
update 53289: Clarify ResourceLink example that uses
DataSource.getConnection(username, password) method.
Not all data source implementations support it. (kkolinko)
fix Prevent the custom error pages for the Manager and
Host Manager applications from being accessed directly.
Configure custom pages for error codes 401 and 403
in Host Manager application. (markt/kkolinko)
fix Correct documentation for enableLookups attribute of
a Connector. By default DNS lookups are disabled. (kkolinko)
fix Fix several HTML markup errors in servlets of examples
web application. (kkolinko)
update Change the index page of ROOT webapp to mention
"manager-gui" role instead of "manager" one. (kkolinko)
fix 53473: Correct the allowed values for the SSI option
isVirtualWebappRelative which are true or false. (markt)
fix 53664: Minor JNDI Howto document enhancement concerning
mail properties. Patch provided by Mark Eggers. (schultz)
fix 53601: Clarify that to build Apache Tomcat 6 from sources
a Java 5 JDK is recommended. (kkolinko)
fix 53793: Change links on the list of applications in the
Manager to point to /appname/ instead of /appname. (kkolinko)
Other
+++++
fix 49402, 52124: Fix Maven publishing script: make sure it
finds tomcat-juli.jar and use later version of wagon-ssh.
(jfclere)
fix Update Apache Commons Daemon to 1.0.10. It resolves
52548 which meant that services created with service.bat
did not set the catalina.home and catalina.base system
properties. (markt, kkolinko)
update Update Apache Commons Pool to 1.5.7. (kkolinko)
update 52579: Add a note about Sun's Charset.decode() bug to
the RELEASE-NOTES file. (kkolinko)
update 52805: Update to Eclipse JDT Compiler 3.7.2. (kkolinko)
update Update the native component of the APR/native connectors
to 1.1.23 and take advantage of the simplified distribution.
(kkolinko)
fix When building a Windows installer do not copy whole
"res" folder to output/dist, but only the files that
we need. Apply fixcrlf filter only after the files are
copied, so that INSTALLLICENSE file had correct line
ends. (kkolinko)
update Remove res/License.rtf. The file that is actually shown
by the Windows installer is res/INSTALLLICENSE. (kkolinko)
update Improve RUNNING.txt. (kkolinko)
update Align the script that deploys Maven jars for Tomcat
(res/maven/mvn-pub.xml) with the Tomcat 7 version, making
full use of Nexus. (markt)
add 53034: Add project.url and project.licenses sections to
the POMs for the Maven artifacts. (kkolinko)
fix 53454: Return correct content-length header for HEAD
requests when content length is greater than 2GB. (markt)
Tomcat 6.0.35 (jfclere)
+++++++++++++++++++++++
Catalina
--------
fix Fix regression in decoding of parameters that contain spaces.
Patch by Willem Fibbe. (kkolinko)
Tomcat 6.0.34 (jfclere) not released
++++++++++++++++++++++++++++++++++++
Catalina
--------
fix 51550: Display an error page rather than an empty response
for an IllegalStateException caused by too many active sessions.
(markt)
add 51640: Improve the memory leak prevention for leaks triggered
by java.sql.DriverManager. (markt/kkolinko)
fix 51688: JreMemoryLeakPreventionListener now protects against
AWT thread creation. (schultz)
fix 51758: The digester (used for processing XML files) used
the logger name org.apache.commons.digester.Digester rather
than the expected org.apache.tomcat.util.digester.Digester.
The digester has been changed to use the expected logger name.
(kkolinko)
add 51862: Added a classesToInitialize attribute to
JreMemoryLeakPreventionListener to allow pre-loading of
configurable classes to avoid some classloader leaks. (slaurent)
fix 51872: Ensure that the access log always uses the correct
value for the remote IP address associated with the request
and that requests with multiple errors do not result in
multiple entries in the access log. (markt)
add Allow to overwrite the check for distributability of session
attributes by session implementations. (rjung)
add Provide the log format "OneLineFormatter" for JULI that
provides the same information as the default plus thread
name but on a single line. (markt/rjung)
fix Ensure the the memory leak protection for the HttpClient
keep-alive always operates even if the thread has already
stopped. (markt)
fix 51940: Do not limit saving of request bodies during FORM
authentication to POST requests since any HTTP method may
include a request body. Based on a patch by Nicholas Sushkin.
(kkolinko)
fix 52091: Address performance issues related to lock contention
in StandardWrapper. Based on patch provided by Taiki Sugawara.
(kkolinko)
update In GenericPrincipal, SerializablePrincipal: Do not sort lists
of roles that have only one element. (kkolinko)
add Make configuration issue for CsrfPreventionFilter result in
the failure of the filter rather than just a warning message.
(kkolinko)
fix Ensure changes to the configuration of RemoteAddrValve and
RemoteHostValve via JMX are thread-safe. (kkolinko)
add Make configuration issue for RemoteAddrValve and
RemoteHostValve result in the failure of the valve rather
than just a warning message. (kkolinko)
update In RequestFilterValve (RemoteAddrValve, RemoteHostValve):
refactor value matching logic into separate method and expose
this new method isAllowed through JMX. (kkolinko)
add Improve performance of parameter processing for GET and POST
requests. Also add an option to limit the maximum number of
parameters processed per request. This defaults to 10000.
Excessive parameters are ignored. Note that FailedRequestFilter
can be used to reject the request if some parameters were
ignored. (markt/kkolinko)
add New filter FailedRequestFilter that will reject a request
if there were errors during HTTP parameter parsing. (kkolinko)
Coyote
------
fix 50394: Return -1 from read operation instead of throwing an
exception when encountering an EOF with the HTTP APR connector.
(kkolinko)
fix 51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt)
fix Detect incomplete AJP messages and reject the associated
request if one is found. (markt)
fix 51794: Fix race condition in NioEndpoint selector.
Patch provided by dlord. (fhanik)
fix 51905: Fix infinite loop in AprEndpoint shutdown if acceptor
unlock fails. Reduce timeout before forcefully closing the
socket from 30s to 10s. (kkolinko)
fix 52121: Fix possible output corruption when compression is
enabled for a connector and the response is flushed.
Test case provided by David Marcks. (kkolinko)
fix Replace unneeded call that iterated events queue in
NioEndpoint.Poller. (kkolinko)
fix Improve MimeHeaders.toString(). (kkolinko)
fix Allow the BIO HTTP connector to be used with SSL when
running under Java 7. (markt)
fix Improve multi-byte character handling in all connectors. (rjung)
Jasper
------
fix 51220: Correct copy/paste error in original commit for this
issue. (markt)
fix 52091: Address performance issues related to log creation
in TagHandlerPool. Patch provided by Taiki Sugawara. (markt)
Cluster
-------
add 51736: Make rpcTimeout configurable in BackupManager. (kfujino)
add New cluster manager attribute sessionAttributeFilter allows
to filter which session attributes are replicated using a
regular expression applied to the attribute name. (rjung)
fix Avoid an unnecessary session ID change notice.
Notice of changed session ID by JvmRouteBinderValve is
unnecessary to BackupManager. In BackupManager, change of
session ID is replicated by the call of a setId() method.
(kfujino)
fix Fix unneeded duplicate resetDeltaRequest() call in
DeltaSession.setId(String). (kkolinko)
add When Context manager does not exist, no context manager
message is replied in order to avoid timeout (default 60 sec)
of GET_ALL_SESSIONS sync phase. (kfujino)
Webapps
-------
fix Correct the documentation for the connectionLinger attribute
of the HTTP connector. (markt)
add Show build date and version in the header on every
documentation page. (kkolinko)
fix 52049: Improve setup instructions for running as a Windows
service: correct information on how a JRE is identified and
selected. (markt)
update 52172: Clarify Tomcat build instructions. Patch provided by
bmargulies. (kkolinko)
Other
-----
update Update the native component of the APR/native connectors
to 1.1.22. (markt)
update Update the recommended version of the native component
of the APR/native connectors to 1.1.22. (kkolinko)
update Update the Eclipse compiler (used for JSPs) to 3.7. (markt)
fix Correct two typos in the Windows installer. (kkolinko)
fix 52059: In Windows uninstaller: Do not forget to remove
Tomcat keys from 32-bit registry on deinstallation. (kkolinko)
Upstream changelog:
Catalina
--------
add Allow to search the virtual paths before the webapp or after it.
(rjung)
fix 27988: Improve reporting of missing files. (markt)
fix 28852: Add URL encoding where missing to parameters in URLs
presented by Ant tasks to the Manager application.
Based on a patch by Stephane Bailliez. (markt)
add 46252: Allow to specify character set to be used to write
the access log in AccessLogValve. (kkolinko)
add 48863: Provide an warning if there is a problem with a class
path entry but use debug level logging if it is expected due
to catalina home/base split. (kkolinko)
add 49180: Add an option to disable file rotation in JULI FileHandler.
(kkolinko)
fix 50189: Once the application has finished writing to the response,
prevent further reads from the request since this causes various
problems in the connectors which do not expect this. (markt)
fix 50700: Ensure that the override attribute of context parameters
is correctly followed. (markt)
fix 50734: Return 404 rather than 400 for requests to the ROOT
context when no ROOT context is deployed. Patch provided by
Violeta Georgieva. (markt)
fix 50751: When authenticating with the JNDI Realm, only attempt
to read user attributes from the directory if attributes are
required. (markt)
fix 50752: Fix typo in debug message in
org.apache.catalina.startup.Embedded. (markt)
fix 50855: Fix NPE on AuthenticatorBase.register() when debug
logging is enabled. (markt)
fix Correctly format the timestamp reported by version.[sh|bat].
(markt)
fix Remove unnecessary whitespace from MIME mapping entries in
global web.xml file. (markt)
fix 51042: Don't trigger session creation listeners when a
session ID is changed as part of the authentication process.
(markt)
add 51119: Add JAAS authentication support to the
JMXRemoteLifecycleListener. Patch provided by Neil Laurance.
(markt)
update Implement display of multiple request headers in AccessLogValve:
print not just the value of the first header, but of the all
of them, separated by commas. (kkolinko)
fix Correct the SSLValve so it returns the SSL key size as an
Integer rather than as a String. (markt)
fix 51162: Prevent possible NPE when removing a web application. (markt)
fix 51249: Improve system property replacement code in
ClassLoaderLogManager of Tomcat JULI to cover some corner
cases. (kkolinko)
fix 51315: Fix IAE when removing an authenticator valve from a
container. Patch provided by Violeta Georgieva. (markt)
fix 51324: Improve handling of exceptions when flushing the
response buffer to ensure that the doFlush flag does not get
stuck in the enabled state. Patch provided by Jeremy Norris.
(kkolinko)
fix 51348: Fix possible NPE when processing WebDAV locks. (markt)
add Add a container event that is fired when a session's ID is
changed, e.g. on authentication. (markt)
fix Fix CVE-2011-2204. Prevent user passwords appearing in log files
if a runtime exception (e.g. OOME) occurs while creating a
new user for a MemoryUserDatabase via JMX. (markt)
fix 51400: Avoid jvm bottleneck on String/byte[] conversion
triggered by a JVM bug. Based on patches by Dave Engberg and
Konstantin Preißer. (markt)
add 51403: Avoid NPE in JULI FileHandler if formatter is
misconfigured. (kkolinko)
update Create a directory for access log or error log (in AccessLogValve
and in JULI FileHandler) automatically when it is specified
as a part of the file name, e.g. in the prefix attribute.
Earlier this happened only if it was specified with the
directory attribute. (kkolinko)
fix Log a failure if access log file cannot be opened. Improve
i18n of messages. (kkolinko)
fix Improve handling of URLs with path parameters and prevent
incorrect 404 responses that could occur when path parameters
were present. (kkolinko)
fix 51473: Fix concatenation of values in
SecurityConfig.setSecurityProperty(). (kkolinko)
fix 51509: Fix potential concurrency issue in CSRF prevention
filter that may lead to some requests failing that should not.
(markt)
fix 51588: Make it easier to extend the AccessLogValve to add
support for custom elements. (markt)
fix Unregister DataSource MBeans when web application stops. (kfujino)
add Add additional configuration options to the DIGEST
authenticator. (markt)
Coyote
------
fix Reduce level of log message for invalid URL parameters from
WARNING to INFO. (kkolinko)
add 48208: Provide an option to specify a custom trust manager
for BIO and NIO HTTP connectors using SSL. Based on a patch
by Luciana Moreira. (markt)
fix 49595: Protect against crashes when using the APR/native
connector. (jfclere)
fix 49929: Make sure flush packet is not send after END_RESPONSE
packet. (mturk/markt)
add 50887: Enable the provider to be configured when generating
SSL certs. Based on a patch by pknopp. (markt)
fix 51073: Throw an exception and do not start the APR connector
if it is configured for SSL and an invalid value is provided
for SSLProtocol. (markt)
fix Fix CVE 2011-2526. Protect against infinite loops (HTTP NIO)
and crashes (HTTP APR) if sendfile is configured to send more
data than is available in the file. (markt)
fix Prevent NPEs when a socket is closed in non-error conditions
after sendfile processing when using the HTTP NIO connector.
(markt)
fix 51515: Prevent immediate socket close when comet is used over
HTTPS. (markt)
Jasper
------
fix 36362: Handle the case where tag file attributes (which can
use any valid XML name) have a name which is not a Java
identifier. (markt)
fix 47371: Correctly coerce the empty string to zero when used
as an operand in EL arithmetic. Patch provided by gbt. (markt)
fix 50726: Ensure that the use of the genStringAsCharArray does
not result in String constants that are too long for valid
Java code. (markt)
fix 50895: Don't initialize classes created during the compilation
stage. (markt)
add 51124: Make Tomcat more robust if an OOME occurs. Usually
after an OOME all bets are off but this change appears to help
some users and the description of a 'recoverable' OOME in
the bug is a plausible one. Based on a patch by Ramiro. (markt)
fix 51177: Ensure Tomcat's MapELResolver and ListELResolver
always return Object.class for getType() as required by the
EL specification. (markt)
fix Correct possible threading issue in JSP compilation when
development mode is used. (markt)
add 51220: Add a system property to enable tag pooling with JSPs
that use a custom base class. Based on a patch by Dan Mikusa.
(markt)
add Broaden the exception handling in the EL Parser so that more
failures to parse an expression include the failed expression
in the exception message. Hopefully, this will help track
down the cause of 51088. (markt)
add Improve error reporting of Jasper compilation. (schultz)
Cluster
-------
fix 50646: Fix cluster message data corruption if message size
exceeds the underlying buffer size. Patch provided by
Olivier Costet. (markt)
fix 50771: Ensure HttpServletRequest#getAuthType() returns the
name of the authentication scheme if request has already been
authenticated. (kfujino)
fix 50950: Correct possible NotSerializableException for an
authenticated session when running with a security manager.
(markt)
fix 51306: Avoid NPE when handleSESSION_EXPIRED is processed while
handleSESSION_CREATED is being processed. (kfujino)
fix The change in session ID is notified to the container event
listener on the backup node in cluster. This notification is
controlled by notifyContainerListenersOnReplication. (kfujino)
Webapps
-------
fix 41498: Add the allRolesMode attribute to the Realm
configuration page in the documentation web application. (markt)
fix 48997: Fixed some typos and improve cross-referencing to the
HTTP Connector and APR documentation with the SSL How-To page
of the documentation web application. (markt)
fix 50804: Update links for Servlet 2.5 and JSP 2.1 Javadoc. (markt)
update Improve class loading documentation and logging documentation.
(kkolinko)
update Configure Security Manager How-To to include a copy of the
actual conf/catalina.policy file when the documentation is
built, rather than maintaining a copy of its content. (kkolinko)
fix 51147: Fix deployment via HTML Manager that was broken by
addition of CRSF protection. Patch provided by Alexis Hassler.
(markt)
fix 51156: Ensure session expiration option is available in
Manager application was running web applications that were
defined in server.xml. (markt)
fix Correct the log4j configuration settings when defining
conversion patterns in the documentation web application. (markt)
fix Update Maven repository information in the documentation to
reflect current usage. (markt)
fix 51346: Update the documentation web application to make clear
the circumstances in which the RequestDumperValve will consume
the request's InputStream. Based on a patch by pid. (markt)
fix 51443: Document the notifySessionListenersOnReplication
attribute for the DeltaManager. (markt)
fix 51516: Correct documentation web application to show correct
system property name for changing the name of the SSO session
cookie. (markt)
update Update documentation to be even more explicit about the
implications of setting the path attribute on a Context element
in server.xml. (markt/kkolinko)
Other
-----
update Clarify error messages in *.sh files to mention that if a
script is not found it might be because execute permission
is needed. (kkolinko)
add 33262, 40510, 50949, 51135: Various improvements to the
Windows installer to be able to install several copies of
Tomcat 6 side by side. Allow to configure service name,
connector and shutdown ports. Allow to choose whether to
install Start menu shortcuts and Apache Tomcat monitor
application for all users or for the current one only.
Improve auto-detection of JAVA_HOME for 64-bit Windows
platforms: autoselect 32-bit JRE if it exists and 64-bit
one is not available. Improve server.xml file handling.
Fix uninstallation icon. (markt/kkolinko)
fix 50854: Add additional entries to the default catalina.policy
file to support running the manager web application from
CATALINA_HOME or CATALINA_BASE. (markt)
fix Update default download sources to use the central
Apache Maven 2 repository as some libraries have been removed
from the central Apache Maven 1 repository. (kkolinko)
fix 51155: Add comments to @deprecated tags that have none.
Patch provided by sebb. (kkolinko)
fix 51309: Correct logic in catalina.sh stop when using a PID
file to ensure the correct message is shown. Patch provided
by Caio Cezar. (markt)
update Update Apache Commons Pool to 1.5.6. (kkolinko)
update Update Apache Commons Daemon to 1.0.7. (kkolinko)
update At build time use two alternative download locations for
components downloaded from apache.org. (kkolinko)
(and a little Makefile cosmetics)
fixes two of the currently known security issues
Upstream changelog:
Tomcat 6.0.29 (jfclere) released 2010-07-22
Catalina
add 48960: Add a new option to the SSI Servlet and SSI Filter to
allow the disabling of the exec command. This is now disabled
by default. Based on a patch by Yair Lenga. (markt)
fix 49551: Allow default context.xml location to be specified using
an absolute path. (markt)
fix 49598: When session is changed and the session cookie is
replaced, ensure that the new Set-Cookie header overwrites the
old Set-Cookie header. (markt)
fix Fix order when listing Webapp loader search URLs. (rjung)
add Add support for *.jar pattern in VirtualWebappLoader. (kkolinko)
Tomcat 6.0.28 (jfclere) released 2010-07-09
Catalina
fix Arrange filter logic. (jfclere)
fix 49230: Enhance JRE leak prevention listener with protection for
the keep-alive thread started by sun.net.www.http.HttpClient.
Patch provided by Rob Kooper. (markt)
fix 49351: Fix possible NPe when embedding and no name is specified
for the Service. (markt)
fix 49424: Avoid NPE if client provides no data with a chunked
POST request. (markt)
fix 49414: Differentiate between request threads and application
created threads when warning about still running threads when
an application stops. (markt)
fix 49443: Use remoteIpHeader rather than remoteIPHeader
consistently. (markt)
add Add property searchExternalFirst to WebappLoader. If set,
the external repositories will be searched before the WEB-INF
ones. (rjung)
Cluster
fix 49445: When session ID is changed after authentication, ensure
the DeltaManager replicates the change in ID to the other nodes
in the cluster. (kfujino)
Webapps
fix 49213: Grant permissions required by manager application when
running under a security manager. (markt/kkolinko)
fix 49436: Correct documented default for readonly attribute of
the UserDatabase component. (markt)
Tomcat 6.0.27 (jfclere) not released
General
update Update DBCP to 1.3. (markt)
Catalina
fix Fix CVE-2010-1157. Prevent possible disclosure of host name
or IP address via the HTTP WWW-Authenticate header when using
BASIC or DIGEST authentication. (markt)
add Include context name when reporting memory leaks to aid root
cause identification. (markt)
fix Improve exception handling on session de-serialization to
assist in identifying the root cause of 48007. (kkolinko)
add 48379: Make session cookie name, domain and path configurable
per context. (markt)
fix 48589: Make JNDIRealm easier to extend. Based on a patch by
Candid Dauth. (markt/kkolinko)
fix 48629: Allow user names as well as DNs to be used with the
nested role search. Add roleNested to the documentation.
Patch provided by Felix Schumacher. (markt)
fix 48661: Make error page behavior consistent, regardless of how
the error page is defined. If a response has been committed,
always include the error page. (markt)
fix 48729: Return roles defined by both userRoleName and roleName
mechanisms. Patch provided by 'eric'. Also make user's role
list immutable.(markt)
fix 48760: Fix potential multi-threading issue in static resource
serving where multiple threads could try to use the the same
InputStream. (markt)
fix 48790: Fix thread safety issue in the count of the maximum
number of active session. (markt/kkolinko)
fix 48793: Make catalina.sh more robust to different return values
on different platforms. Patch provided by Thomas GL. (markt)
fix 48840: Swallow output (if any) from use of cd when determining
$CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts.
Based on patch provided by mdietze. (markt/kkolinko)
fix 48895: Make clearing of ThreadLocals that are causing memory
leaks on web application stop, reload or undeploy configurable
since the process of clearing them is not thread-safe. (markt)
fix 48903: Fix deadlock in webapp class loader. (rjung)
fix 48971: Make stopping of leaking Timer threads optional and
disabled by default. (markt)
fix 48976: Document JAVA_ENDORSED_DIRS in start-up scripts.
Patch provided by Laurent Vaills. (markt)
fix 48983: Improve debug logging for situations when RemoteIpValve
is bypassed. Patch provided by Cyrille Le Clerc. (markt)
fix 49018: Fix processing of time argument in the Expire sessions
action in the Manager web application. (kkolinko)
fix 49116: If session is already invalid, expire session to prevent
memory leak. (kfujino)
fix 49158: Ensure only one session cookie is returned for a single
request. (markt/fhanik)
fix 49245: Fix session expiration check in cross-context requests.
(markt)
fix 49398: ByteChunk.indexOf(String, int, int, int) could not find
a string of length 1. (kkolinko)
fix Fix possible overflows when calculating session statistics.
(kkolinko)
add Log unexpected exceptions when providing access to web
application resources in ApplicationContext. (kkolinko)
fix Improve exception handling in CatalinaShutdownHook. (kkolinko)
add Expose properties of VirtualWebappLoader and WebappClassLoader
via JMX. (rjung)
Coyote
fix 48839: Correctly handle HTTP header folding in the NIO connector.
Patch suggested by Richa Baronia. (markt)
fix 48843: Prevent possible deadlock for worker allocation in
connectors. (kkolinko)
fix 48843: Fix handling of add queues in AprEndpoint.Poller and
AprEndpoint.Sendfile. Do not miss wakeups. (kkolinko)
add 48862: Add support for the backlog parameter to the AJP
connector. (pero/markt)
fix 48917: Correct name of mod_jk module in ApacheConfig.
Patch provided by Todd Hicks. (markt)
fix 49095: AprEndpoint did not wakeup acceptors during shutdown
when deferAccept option was enabled. Based on a patch provided
by Ruediger Pluem. (kkolinko)
add Use chunked encoding for http 1.1 requests with no
content-length (regardless of keep-alive) so client can
differentiate between complete and partial responses. (markt)
fix Correct the SSL session timeout attribute name so the code
agrees with the documentation. (markt)
add CoyotePrincipal now implements Serializable. (fhanik)
fix Enable the BIO AJP connector to run under a security manager.
(markt)
Jasper
fix 45015: Correct a regression in quote handling caused by the
re-factoring of attribute parsing. (markt)
fix 48701: Add a system property to allow disabling enforcement
of JSP.5.3. The specification recommends, but does not require,
this enforcement. (kkolinko)
fix 48737: Don't assume paths that start with /META-INF/... are
always in JARs. This is not true for some IDEs.
Patch provided by Fabrizio Giustina. (markt)
fix 49081: Correctly handle EL expressions of the form #${...}. (markt)
fix 49196: Avoid NullPointerException in PageContext.getErrorData()
if an error-handling JSP page is called directly. (markt)
Cluster
fix 48717: When a node joins a cluster and it receives all the
current sessions, ensure the sessionCreated event is fired
if the Manager is configured to replicate session events. (markt)
fix 48934: Previous fix to handle dropped connections incorrectly
permanently disabled session replication. (fhanik)
fix 49051: memberAlive is not called if member has not already
existed in membership. (kfujino)
fix 49151: Avoid ClassCastException in BackupManager#stop. (kfujino)
fix 49170: Do not send duplicated session. (kfujino)
fix Add missing messages and ensure cluster listeners log messages
to correct logger. (markt)
Webapps
add Use underscores instead of spaces in anchor names in Tomcat
documentation. (kkolinko)
add Add support for displaying the Spring Security user name
(if present) in the Manager application. (markt)
update Improve the ChatServlet Comet example (/examples/jsp/chat/).
(kkolinko)
Other
update Update to Commons Daemon 1.0.2. Use service launcher (procrun)
from the Commons Daemon release. Do not keep a copy of it in
our source tree. (mturk/kkolinko)
update Update to NSIS 2.46. (kkolinko)
fix 48990: Fix the skip.installer build property so if set, only
the Windows installer is skipped. (markt)
fix 49178: Provide in catalina.policy an example of additional
permissions that might be needed for code located in
$CATALINA_BASE/lib. (markt)
fix 49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
fix Remove unused code from org.apache.tomcat.util.buf classes.
(kkolinko)
update Rearrange tomcat-juli.jar permissions and wrap long lines in
the conf/catalina.policy file, to make the text more readable
when cited in documentation. (kkolinko)
fix Do not evaluate the execute.installer property when building
a release. The skip.installer property is used instead. (kkolinko)
Tomcat 6.0.26 (jfclere) released 2010-03-11
Catalina
fix Close security hole in unreleased 6.0.25 by ensuring new find
leaks functionality is protected by a security constraint.
(kkolinko)
fix 48831: Improve logging shutdown behaviour. Use Catalina's
shutdown hook to shutdown JULI. This enables them to be shutdown
in the correct order. Do not shutdown global handlers several
times. (markt/kkolinko)
Coyote
fix 48584: Prevent the APR connector logging an error if the
acceptor fails during shutdown since this is expected. (mturk)
fix 48660: Using compression should not overwrite any Vary header
set by a web application. (markt)
Jasper
fix 48371: Ensure generated servlet mappings are inserted at the
correct location when using JspC and allow the option that
controls this to be configured on the command line.
Also allow the encoding of web.xml to be configured when using
JspC and deprecate some unused JspC methods. (markt/kkolinko)
fix 48498: Avoid ArrayIndexOutOfBoundsException triggered by a
Java 6/7 XML parser bug. (markt/kkolinko)
fix 48668: Additional fixes to ensure deferred syntax is handled
correctly. (kkolinko)
fix 48827: Correct a regression in the fix for 47977 that caused
an incorrect non-empty body error to be reported for valid
JSP documents. (markt)
Webapps
add Make changelog.xml be directly rendered as HTML by certain
browsers. (kkolinko)
add Add support for automated generation of TOC tables and for
links to svn revisions to tomcat-docs.xsl in documentation.
(kkolinko/fhanik)
add Move Manager application JSPs that are not intended to be
accessed directly under the WEB-INF directory. (kkolinko)
fix Improve the messages displayed by the find leaks diagnostic
in the Manager application. (kkolinko)
Other
fix Encode all property files using ascii escaped UTF-8. Also
fixes deployment problem when using French locale. (jfclere/rjung)
Tomcat 6.0.25 (jfclere) not released
Catalina
fix 48039: Return immediately if start() is called on an already
started StandardService. (markt)
fix 48109: Ensure InputStream is closed on error condition in web
application class loader. (markt)
fix 48179: Clean up dead code that was used to read tldCache file.
(kkolinko)
fix 48318: Handle case where WebDAV resource is in directory
listing but is not accessible. (markt)
add 48384: Add a per context xslt option for directory listings.
Make the fallback options work as described in the
documentation. (markt)
fix 48577: Filter URL when displaying missing included page. (markt)
fix 48612: Prevent exception on shutdown if the address attribute
is specified for a connector. (markt)
fix 48613: Further fixes to ensure APRLifecycleListener is only
used if defined in server.xml. (fhanik)
fix 48614: Correct JULI log file buffering so default behaviour
is no buffering. (fhanik)
fix 48625: Provide an option to exit if an error occurs during
the initialization phase. (fhanik)
fix 48645: Use specified encoding rather than null in calls to
RequestUtil.URLDecode(byte[] bytes, String enc) (markt)
fix 48653: Force request.secure and request.scheme to false and
http if the X-Forwarded-Proto header has the value http.
Patch provided by Cyrille Le Clerc. (markt)
fix 48678: Remove duplicate server field from
org.apache.catalina.startup.Catalina. (markt)
fix 48694: Remove potential deadlock in web application class
loader. (markt)
add 48716: Provide additional configuration options for JULI. (markt)
fix 48726: Prevent OOME when uploading large WAR files with the
deployer. Patch provided by adam. (markt)
add Improve memory leak protection by safely stopping threads
started via java.util.Timer that an application starts but
fails to stop and by clearing references retained due to the
use of java.util.ResourceBundle. (markt)
update Modify ThreadLocal memory leak detection to not report false
positives and to simplify implementation. (markt/kkolinko)
add Basic memory leak detection was added to the standard Host
implementation and exposed via JMX to detect memory leaks on
web application reload. (markt/kkolinko)
Coyote
update Update the native/APR library version bundled with Tomcat to
1.1.20. (kkolinko)
Jasper
add Add some debug logging to the compiler where exceptions were
previously swallowed. (markt)
fix 48170: Remove unnecessary synchronization that is causing
issues under load. (markt)
fix 48580: Prevent AccessControlException if first access is to
a JSP that uses a FunctionMapper. (markt)
fix 48582: Avoid NPE on background compilation failure. (markt)
fix 48616: Don't declare or synchronize scripting variables for
JSP fragments since they are scriptless. This is an alternative
fix for 42390 that avoids both the original problem and the
regression in the first fix. (kkolinko)
fix 48627: Fix regression in re-factored EL parsing. Keep literals
as literals and handle deferredSyntaxAllowedAsLiteral. (kkolinko)
fix 48668: When parsing JSPs only parse EL as EL if EL is enabled
else strings such as ${ will be silently dropped. (markt)
fix Various EL TCK failures. (markt)
Cluster
fix Force a disconnect if an error occurs during replication such
as a firewall dropping the connection. (fhanik)
Webapps
add Add new "Find leaks" command to the Manager application.
It allows to detect web applications that have caused memory
leaks on stop, reload or undeploy. (markt/kkolinko)
Other
fix Ensure files in conf directory have CRLF line endings when
using the Windows installer. (kkolinko)
fix Allow special characters recognized by the Windows command-line
shell to be present in the names of CATALINA_HOME/_BASE and
the current directory used to call the Tomcat scripts. (kkolinko)
fix Don't use @Deprecated annotations in javax.servlet.jsp.JspContext
since the specification does not include them in the API
definition. (markt)
add Improve the information in the JAR manifest files. (markt)
In brief:
46933: Update StringManager to use Java 5 features. Patch provided by Jens Kapitza. (markt)
46990: Fix synchronization issues reported by FindBugs. Patch provided by Sebb. (markt)
Allow huge request body packets for AJP13. (rjung)
Manager application prints FAIL if application was deployed but failed to start (fhanik)
When shutdown port is disabled, print user friendly message and not a stack trace. (fhanik)
The invoker servlet has been deprecated and will be removed in Tomcat 7 onwards. (markt)
45154 Implement SEND_FILE behavior for SSL connections using NIO (fhanik)
For full details see:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
improvements made in Tomcat 5.5.x and implements the Servlet 2.5 and JSP 2.1
specifications. In addition to that, it includes the following improvements:
* Memory usage optimizations
* Advanced IO capabilities
* Refactored clustering
While we're here make a number of improvements based on the old 5.5.x pkg:
- Use MASTER_SITE_APACHE
- Default to running as an unprived user
- Use a more standard rc.d script
- Cleaner pkg_delete operation based on standard files/dirs that change
spz
joerg
adrianp