Commit graph

15 commits

Author SHA1 Message Date
ryoon
9669f4eb32 Update to 6.0.45
Changelog:
Tomcat 6.0.45 (jfclere)

    Catalina

        fix	Back-port various improvements to the AprLifecycleListener including the fix for 57021 that improves logging when the Tomcat-Native DLL fails to load. (markt)
        add	57154: Add support for web applications (Context elements) that do not have a docBase. This is intended for use when embedding, such as Tomcat unit tests, when a web application is configured programmatically and does not serve any files. Based on a patch provided by Huxing Zhang. (kkolinko)
        add	57741: Enable the CGI servlet to use the standard error page mechanism. Note that if the CGI servlet's debug init parameter is set to 10 or higher then the standard error page mechanism will be bypassed and a debug response generated by the CGI servlet will be returned instead. (markt)
        fix	57896: Support defensive copying of "cookie" header so that unescaping double quotes in a cookie value does not corrupt original value of "cookie" header. This is an opt-in feature, enabled by org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER or org.apache.catalina.STRICT_SERVLET_COMPLIANCE system property. (kkolinko)
        fix	58031: Make the (first) reason parameter parsing failed available as a request attribute and then use it to provide a better status code via the FailedRequstFilter (if configured). (markt)
        fix	58313: Fix concurrent access of encoders map when clearing encoders during Comet processing. (markt)
        fix	58508: Escape role names when generating associated MBeans in case the role name contains characters not permitted in an MBean name. (markt)
        fix	58582: Combined realm should perform background processing on its sub-realms. Based upon a patch provided by Aidan. (kkolinko)
        add	Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. (markt)
        fix	58635: Enable break points to be set within agent code when running Tomcat with a Java agent. Based on a patch by Huxing Zhang. (markt)
        fix	Add the StatusManagerServlet to the list of Servlets that can only be loaded by privileged applications. (markt)
        fix	Remove redundant copy of catalina.properties from o.a.c.startup. Generate this copy during the ant "compile" task. (kkolinko)
        fix	58817: Fix ArrayIndexOutOfBoundsException caused by MapperListener when ROOT context is being undeployed and mapperContextRootRedirectEnabled="false". (kkolinko)
        fix	58836: Correctly merge query string parameters when processing a forwarded request where the target includes a query string that contains a parameter with no value. (markt/kkolinko)
        add	Allow singleton server instance stored by ServerFactory to be cleared. Allow ResourceLinkFactory to be initialized more than once. This is used by unit tests when running several copies of Tomcat sequentially in the same JVM. When running with a SecurityManager the initialization method of ResourceLinkFactory is protected by requiring a RuntimePermission. (kkolinko)
        add	Extend the feature available in the cluster session manager implementations that enables session attribute replication to be filtered bases on attribute name to all session manager implementations. Note that configuration attribute name has changed from sessionAttributeFilter to sessionAttributeNameFilter. Apply the filter on load as well as unload to ensure that configuration changes made while the web application is stopped are applied to any persisted data. (markt)
        add	Extend the session attribute filtering options to include filtering based on the implementation class of the value and optional WARN level logging if an attribute is filtered. These options are available for all of the Manager implementations that ship with Tomcat. When a SecurityManager is used filtering will be enabled by default. (markt)
        fix	58946: Ensure that the request parameter map remains immutable when processing via a RequestDispatcher. (markt)

    Coyote

        add	Align the Java side of the tc-native connector with the Tomcat 7 implementation to ease future maintenance. (markt)
        fix	51503: Add additional validation that prevents a connector from starting if it does not have a valid port number. (kkolinko)
        add	52028: Add support for automatic binding to a free port by a connector if the special value of zero is used for the port. This is mainly useful in embedded and testing scenarios. (kkolinko)
        fix	52926: Avoid NPE when an NIO Comet connection times out on one thread at the same time as it is closed on another thread. (markt/kkolinko)
        fix	57943: Prevent the same socket being added to the cache twice. Patch based on analysis by Ian Luo / Sun Qi. (markt/kkolinko)
        fix	Improve HTTP header validation. (markt)

    Web applications

        fix	57971: Correct the documentation for the cluster configuration setting recoverySleepTime. (markt)
        fix	58112: Update the documentation for using the Catalina tasks in an Apache Ant build file. (markt)
        fix	Improve the Javadoc for some of the APR socket read functions that have inconsistent behaviour for return values. (markt)
        add	58255: Document the Semaphore valve. Patch provided by Kyohei Nakamu. (markt)
        fix	58631: Correct the continuation character use in the Windows Service How-To page of the documenation web application. (markt)
        fix	Correct some typos in the JNDI resources How-To. (markt)
        fix	Add a redirect to the web interface to the root of the Manager web application. (markt)
        fix	Don't create sessions unnecessarily in the Manager application. (markt)
        fix	Add a redirect to the web interface to the root of the Host Manager web application. (markt)
        fix	Don't create sessions unnecessarily in the Host Manager application. (markt)

    Other

        fix	Ensure JULI adapters JAR in Tomcat extras package does not include the LogFactoryImpl[$*] classes. Based on patch provided by Benjamin Gandon. (kkolinko)
        code	Convert test classes to JUnit 4. (kkolinko)
        update	58596: Clarify the description in RUNNING.txt of how environment variables are used. (markt)
        update	Update the NSIS Installer used to build the Windows Installers to version 2.50. (markt/kkolinko)
        add	Add framework for client-server unit tests, porting it from Tomcat 7. Add support for running the tests with Apache Ant. (kkolinko)
        update	Update to Tomcat Native Library version 1.1.34. (jfclere)
        update	Remove support for Intel Itanium CPU (i64, IA-64) in the Windows installer, as the current release of Tomcat Native does not have binaries for that processor architecture. (jfclere)
2016-02-28 10:14:53 +00:00
agc
b9b754e081 Add SHA512 digests for distfiles for www category
Problems found locating distfiles:
	Package haskell-cgi: missing distfile haskell-cgi-20001206.tar.gz
	Package nginx: missing distfile array-var-nginx-module-0.04.tar.gz
	Package nginx: missing distfile encrypted-session-nginx-module-0.04.tar.gz
	Package nginx: missing distfile headers-more-nginx-module-0.261.tar.gz
	Package nginx: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package nginx-devel: missing distfile echo-nginx-module-0.58.tar.gz
	Package nginx-devel: missing distfile form-input-nginx-module-0.11.tar.gz
	Package nginx-devel: missing distfile lua-nginx-module-0.9.16.tar.gz
	Package nginx-devel: missing distfile nginx_http_push_module-0.692.tar.gz
	Package nginx-devel: missing distfile set-misc-nginx-module-0.29.tar.gz
	Package php-owncloud: missing distfile owncloud-8.2.0.tar.bz2

Otherwise, existing SHA1 digests verified and found to be the same on
the machine holding the existing distfiles (morden).  All existing
SHA1 digests retained for now as an audit trail.
2015-11-04 02:46:46 +00:00
spz
8380dd82c7 Update to Tomcat 6.0.44
Upstream changelog:

Catalina
++++++++
fix	Correct typo in the message shown by HttpServlet for unexpected
	HTTP method. (kkolinko)
add	Allow to configure RemoteAddrValve and RemoteHostValve to adopt
	behavior depending on the connector port. Implemented by
	optionally adding the connector port to the string compared with
	the patterns allow and deny. Configured using addConnectorPort
	attribute on valve. (rjung)
fix	56608: Fix IllegalStateException for JavaScript files when
	switching from Writer to OutputStream. The special handling of
	this case in the DefaultServlet was broken due to a MIME type
	change for JavaScript. (markt)
fix	57675: Correctly quote strings when using the extended access
	log. (markt)

Coyote
++++++
fix	57234: Make SSL protocol filtering to remove insecure protocols
	case insensitive. Correct spelling of filterInsecureProtocols
	method. (kkolinko/schultz)
fix	When applying the maxSwallowSize limit to a connection read
	that many bytes first before closing the connection to give
	the client a chance to read the response. (markt)
fix	57544: Fix a potential infinite loop when preparing a kept
	alive HTTP connection for the next request. (markt)
add	57570: Make the processing of chunked encoding trailing headers
	optional and disabled by default. (markt)
fix	57581: Change statistics byte counter in coyote Request object
	to be long to allow values above 2Gb. (kkolinko)
update	Update the minimum recommended version of the Tomcat Native
	library (if used) to 1.1.33. (markt)

Jasper
++++++
fix	Fix potential issue with BeanELResolver when running under a
	security manager. Some classes may not be accessible but may
	have accessible interfaces. (markt)
fix	Simplify code in ProtectedFunctionMapper class of Jasper
	runtime. (kkolinko)
fix	57801: Improve the error message in the start script in case
	the PID read from the PID file is already owned by a process.
	(rjung)

Web applications
++++++++++++++++
fix	Update documentation for CGI servlet. Recommend to copy the
	servlet declaration into web application instead of enabling
	it globally. Correct documentation for cgiPathPrefix. (kkolinko)
update	Improve Tomcat Manager documentation. Rearrange, add section
	on HTML GUI, document /expire command and Server Status page.
	(kkolinko)
add	54143: Add display of the memory pools usage (including PermGen)
	to the Status page of the Manager web application. (kkolinko)
fix	Fix several issues with status.xsd schema in Manager web
	application, testing it against actual output of
	StatusTransformer class. (kkolinko)
update	Align algorithm that generates anchor names in Tomcat
	documentation with Tomcat 7/8/9. No visible changes, but may
	help with future updates to the documentation. (kkolinko)
fix	56058: Add links to the AccessLogValve documentation for
	configuring reverse proxies and/or Tomcat to ensure that the
	desired information is used entered in the access log when
	Tomcat is running behind a reverse proxy. (markt)
fix	57503: Make clear that the JULI integration for log4j only
	works with log4j 1.2.x. (markt)
update	57644: Update examples to use Apache Standard Taglib 1.2.5.
	(jboynes/kkolinko)
fix	57706: Clarify the documentation for the AJP connector to make
	clearer that when using tomcatAuthentication="false" the user
	provided by the reverse proxy will not be associated with any
	roles. (markt)
fix	Correct the documentation for deployOnStartup to make clear
	that if a WAR file is updated while Tomcat is stopped and
	unpackWARs is true, Tomcat will not detect the changed WAR
	file when it starts and will not replace the unpacked WAR file
	with the contents of the updated WAR. (markt)
add	57759: Add information to the keyAlias documentation to make
	it clear that the order keys are read from the keystore is
	implementation dependent. (markt)
fix	57864: Update the documentation web application to make it
	clearer that hex values are not valid for cluster send options.
	Based on a patch by Kyohei Nakamura. (markt)

Other
+++++
add	57344: Provide sha1 checksum files for Tomcat downloads.
	(kkolinko)
fix	57558: Change catalina-tasks.xml to use all jars in
	${catalina.home}/lib to define Tomcat Ant tasks. This fixes
	a NoClassDefFoundError with validate task. (kkolinko)
update	Update to Tomcat Native Library version 1.1.33 to pick up the
	Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1.
	(markt)
2015-05-19 19:33:54 +00:00
ryoon
13090acd35 Update to 6.0.43
Changelog:
# Tomcat 6.0.43 (markt)
## Catalina
* fix	Assert that mapping result object is empty before performing mapping work in Mapper. (kkolinko)

## Coyote
* fix	53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. Based upon a patch by Marcel Šebek. (schultz/jfclere)
* fix	56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt/kkolinko)
* fix	57102: Fix bug that meant sslEnabledProtocols setting was not recognised for the HTTPS NIO connector. (markt)
* add	Disable SSLv3 by default for the APR/native HTTPS connector. (markt/schultz)
* fix	Do not increase remaining counter at end of stream in IdentityInputFilter. (kkolinko)
* fix	Disable SSLv3 by default (along with SSLv2 which was already disabled by default) in light of the recently announced POODLE vulnerability (CVE-2014-3566). (markt)
* fix	57116: Do not fallback to default protocol list for HTTPS BIO connector if sslEnabledProtocols has no matches. (markt)
* update	Align calculation of default ciphers and default protocols for JSSE HTTPS connectors with Tomcat 7 which allows for per connector defaults based on the choice of sslProtocol. (markt/kkolinko)

## Web applications
* fix	Configure the Javadoc tool to read sources as ISO-8859-1, suppress timestamp comments and enable charset header. (kkolinko)
* fix	Correct typos in configuration samples on SSL Configuration page of Tomcat documentation. (kkolinko)

## Other
* update	56079: The Apache Tomcat Windows service and the Apache Tomcat Windows service monitor application are now digitally signed. (markt/kkolinko)
* update	56988: Allow to use relative path in base.path setting when building Tomcat. (kkolinko)
fix	Update documentation: the minimum version of Apache Ant required to build Tomcat is 1.8.0. (kkolinko)
* update	56596: Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. (markt)
* fix	Fix timestamps in Tomcat build to use 24-hour instead of 12-hour format and use UTC timezone. (kkolinko)

# Tomcat 6.0.42 (jfclere)	not released
## Catalina
* fix	56600: In WebdavServlet: Do not waste time generating response for broken PROPFIND request. (kkolinko)
* fix	56648: Reduce scope of synchronization when adding children to a container (e.g. adding a Context to a Host) to prevent blocking requests to other children while the new child starts. (markt)
* fix	56684: Ensure that Tomcat does not shut down if the socket waiting for the shutdown command experiences a SocketTimeoutException. (markt)

## Coyote
fix	Various improvements to ChunkedInputFilter including clean-up, i18n for error messages and adding an error flag to allow subsequent attempts at reading after an error to fail fast. (markt)
fix	56661: Support using AJP request attribute AJP_LOCAL_ADDR to fix getLocalAddr(). (rjung)

## Jasper
* fix	43001: Enable the JspC Ant task to set the JspC option mappedFile. (kkolinko)
* fix	56334: Fix a regression in EL parsing when quoted string follows a whitespace. (markt)
* fix	56560: Fix NoClassDefFoundError when using Jasper Ant task defined by catalina-tasks.xml file. Patch provided by M Gemmell. (kkolinko)
* fix	56561: Avoid NoSuchElementException while handling attributes with empty string value. (violetagg)
* fix	56612: Correctly parse consecutive escaped single quotes when used in an EL expression. (markt)
* code	Use if { ... } else if { ... } rather than multiple if { ... } for alternative branches in the JSP parser. (kkolinko)
* fix	Fix a potential resource leak in JDTCompiler when checking wether a resource is a package. Reported by Coverity Scan. (fschumacher)

## Other
* fix	56606: When creating tomcat-users.xml in the Windows Installer, use the new attribute name for the name of the user. (markt)
* add	56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko)
2015-01-03 16:43:44 +00:00
spz
3e7585f7ce security'ish update. Changelog:
Tomcat 6.0.41
=============
Jasper
------
fix	56529: Avoid NoSuchElementException while handling attributes
	with empty string value in custom tags. Based on a patch
	provided by Hariprasad Manchi. (violetagg/kkolinko)

Tomcat 6.0.40	not released
============================
Catalina
--------
fix	56027: Add more options for managing FIPS mode in the
	AprLifecycleListener. (schultz/kkolinko)
fix	56082: Fix a concurrency bug in JULI's LogManager
	implementation. (markt)
fix	56236: Enable Tomcat to work with alternative Servlet and
	JSP API JARs that package the XML schemas in such as way as
	to require a dependency on the JSP API before enabling
	validation for web.xml. Tomcat has no such dependency. (markt)
fix	Change the default value of the xmlBlockExternal attribute
	of Context elements. It is now true. (kkolinko)
fix	Don't log to standard out in SSLValve. (kkolinko/markt)
code	Use StringBuilder in DefaultServlet. (kkolinko)
fix	56275: Allow web applications to be stopped cleanly even
	if filters throw exceptions when their destroy() method is
	called. (markt/kkolinko)
fix	Redefine the globalXsltFile initialisation parameter of the
	DefaultServlet as relative to CATALINA_BASE/conf or
	CATALINA_HOME/conf. Prevent user supplied XSLTs used by the
	DefaultServlet from defining external entities. (markt)
fix	Add a work around for validating XML documents (often TLDs)
	that use just the file name to refer to refer to the JavaEE
	schema on which they are based. (kkolinko)
fix	56369: Ensure that removing an MBean notification listener
	reverts all the operations performed when adding an MBean
	notification listener. (markt)
fix	Only create XML parsing objects if required and fix associated
	potential memory leak in the default Servlet. (markt)
fix	Ensure that a TLD parser obtained from the cache has the
	correct value of blockExternal. (markt/kkolinko)
add	Extend XML factory, parser etc. memory leak protection to
	cover some additional locations where, theoretically, a
	memory leak could occur. (markt)
add	Add the org.apache.naming package to the packages requiring
	code to have the defineClassInPackage permission when running
	under a security manager. (markt)
add	Add the org.apache.naming.resources package to the packages
	requiring code to have the accessClassInPackage permission
	when running under a security manager. (markt)
fix	Make the naming context tokens for containers more robust.
	Require RuntimePermission when introducing a new token.
	(markt/kkolinko)

Coyote
------
fix	Improve processing of chuck size from chunked headers.
	Avoid overflow and use a bit shift instead of a multiplication
	as it is marginally faster. (markt/kkolinko)
fix	Fix possible overflow when parsing long values from a byte
	array. (markt)
update	56363: Update to version 1.1.30 of Tomcat Native library.
	The minimum required version of this library for APR connector
	is now 1.1.30. (kkolinko)

Jasper
------
fix	Change the default behaviour of JspC to block XML external
	entities by default. (kkolinko)
fix	Restore the validateXml option to Jasper that was previously
	renamed validateTld. Both options are now supported.
	validateXml controls the validation of web.xml files when
	Jasper parses them and validateTld controls the validation
	of *.tld files when Jasper parses them. (markt)
fix	54475: Add Java 8 support to SMAP generation for JSPs.
	Patch by Robbie Gibson. (markt)
fix	56010: Don't throw an IllegalArgumentException when
	JspFactory.getPageContext is used with JspWriter.DEFAULT_BUFFER.
	Based on a patch by Eugene Chung. (markt)
fix	56265: Do not escape values of dynamic tag attributes
	ontaining EL expressions. (kkolinko)
fix	56283: Add support for running Tomcat 6 with ecj-P20140317-1600.jar
	(as drop-in replacement for ecj-4.3.1.jar). Add support for
	value "1.8" for the compilerSourceVM and compilerTargetVM
	options. Note that ecj-P20140317-1600.jar can only be used
	when running with Java 6 or later. The "1.8" options make
	sense only when running with Java 8 (or later). (kkolinko)
fix	56334: Fix a regression in the handling of back-slash escaping
	introduced by the fix for 55735. (markt/kkolinko)
fix	Correct the handling of back-slash escaping in the EL parser
	and no longer require that \$ or \# must be followed by { in
	order for the back-slash escaping to take effect. (markt)

Cluster
-------
code	Refactor AbstractReplicatedMap and related classes to enable
	Tomcat 6 to be compiled using Java 8. (markt)

Web applications
----------------
add	56093: Documentation for SSLValve. (markt/kkolinko)
fix	Correct documentation on Windows service options, aligning
	it with Apache Commons Daemon documentation. (kkolinko)
add	Add support for version-major, version-major-minor tags in
	documentation XSLT, to simplify documentation backports. (kkolinko)
fix	Fix target and rel attributes on links in documentation.
	They were lost during XSLT transformation. (kkolinko)

Other
-----
code	Remove svn keywords (such as $Id) from source files and
	documentation. (kkolinko)
update	Improvements to the Windows installer, to align it with
	installing the sevice with service.bat. Use explicit memory
	sizes (--JvmMs 128 Mb and --JvmMx 256 Mb). Specify log
	directory path when ininstalling, so that the log file is
	written to the Tomcat logs directory, instead of
	"%SystemRoot%\System32\LogFiles\Apache". (kkolinko)
update	49993, 56143: Improve service.bat script. Allow it to be
	launched from non-UAC console. The UAC prompt will be shown
	only once. Now there is no need to run the command shell
	with elevated privileges. Improve check for JAVA_HOME and
	add support for JRE_HOME. Warn if neither "client" nor
	"server" JVM is found. Align classpath, display name and
	other options with the exe installer. Make command names
	case-insensitive. Update documentation. (kkolinko)
2014-06-28 17:05:46 +00:00
spz
822182ead2 Update apache-tomcat6 to 6.0.39, including avoidance for CVE-2013-1571.
Upstream changelog:

Tomcat 6.0.39 (markt)
    Catalina
        fix	55166: Fix regression that broke XML validation when
                running on some Java 5 JVMs. (kkolinko)

    Coyote
        fix	Make the HTTP NIO connector tolerant of whitespace
                in the individual values used for the ciphers attribute.
                (markt)
        fix	Remove dependency introduced on the jsp-api.jar as
                part of the XML validation changes introduced in 6.0.38.
                (markt)

    Jasper
        fix	Correct several errors in jspxml Schema and DTD. (kkolinko)

    Cluster
        code	Remove an empty TestTwoPhaseCommit test from Tribes. (kkolinko)

    Web applications
        fix	Fix broken link in Jasper How-To documentation. (markt)
        fix	Align index.html and index.jsp in ROOT web application.
                Correct links to specifications and to the Tomcat mailing
                lists. (kkolinko)
        fix	Remove second copy of RUNNING.txt from the full-docs
                distribution. Some unpacking utilities can't handle
                multiple copies of a file with the same name in a directory.
                (kkolinko)

    Other
        update	Update sample Eclipse IDE project: use JUnit 4 library
                and prefer a Java 5 JDK when several JDKs are configured.
                Cleanup the Ant build files. (kkolinko)
        fix	Correct Maven dependencies for individual JAR files. (markt)

Tomcat 6.0.38 (markt)	not released

    Catalina
        fix	Ensure that when Tomcat's anti-resource locking features
                are used that the temporary copy of the web application
                and not the original is removed when the web application
                stops. (markt/kkolinko)
        fix	55019: Fix a potential exception when accessing JSPs
                while running under a SecurityManager. (jfclere)
        fix	55052: Make JULI's LogManager to additionally look for
                logging properties without prefixes if the property
                cannot be found with a prefix. (kkolinko)
        fix	55266: Ensure that the session ID is parsed from the
                request before any redirect as the session ID may need
                to be encoded as part of the redirect URL. (markt)
        fix	55404: Log warnings about using security roles in web.xml
                as warnings. (markt)
        fix	55268: Added optional --service-start-wait-time
                command-line option to change service start wait time
                from default of 10 seconds. (schultz)
        fix	Correctly associate the default resource bundle with
                the English locale so that requests that specify an
                Accept-Language of English ahead of French, Spanish or
                Japanese get the English messages they asked for. (markt)
        fix	Add missing JavaEE 5 XML schema definitions. (markt)
        fix	When Catalina parses TLD files, always use a namespace
                aware parser to be consistent with how Jasper parses
                TLD files. The tldNamespaceAware attribute of the Context
                is now ignored. (markt)
        fix	As per section SRV.14.4.3 of the Servlet 2.5 specification,
                a namespace aware, validating parser will be used when
                processing *.tld and web.xml files if the system property
                org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set
                to true. (markt)
        fix	Ensure that sessions IDs are not parsed from URLs for
                Contexts where disableURLRewriting is true. (markt)
        add	Add an option to the Context to control the blocking of
                XML external entities when parsing XML configuration
                files and enable this blocking by default when a security
                manager is used. The block is implemented via a custom
                resolver to enable the logging of any blocked entities.
                (markt)
        fix	56016: When loading resources for XML schema validation,
                take account of the possibility that servlet-api.jar and
                jsp-api.jar may not be loaded by the same class loader.
                Patch by Juan Carlos Estibariz. (markt)

    Coyote
        fix	52811: Fix parsing of Content-Type header in
                HttpServletResponse.setContentType(). Introduces a new
                HTTP header parser that follows RFC2616. (markt)
        fix	54691: Add configuration attribute "sslEnabledProtocols"
                to HTTP connector and document it. (Internally this
                attribute has been already implemented but not documented,
                under names "protocols" and "sslProtocols". Those names
                of this attribute are now deprecated). (schultz)
        fix	54947: Fix the HTTP NIO connector that incorrectly
                rejected a request if the CRLF terminating the request
                line was split across multiple packets.
                Patch by Konstantin Preißer. (markt)
        fix	55228: Allow web applications to set a HTTP Date header.
                (markt)
        fix	Better adherence to RFC2616 for content-length headers.
                (markt)
        fix	Add support for limiting the size of chunk extensions
                when using chunked encoding. (markt)
        fix	55749: Improve the error message when SSLEngine is
                disabled in the AprLifecycleListener and SSL is
                configured for an APR/native connector. (markt)
        fix	Avoid possible NPE if a content type is specified without
                a character set. (markt)

    Jasper
        fix	55198: Ensure attribute values in tagx files that include
                EL and quoted XML characters are correctly quoted in
                the output. (markt)
        fix	55671: Consistently use the configuration option name
                genStringAsCharArray rather than a mixture of
                genStrAsCharArray and genStringAsCharArray but retain
                support for genStrAsCharArray as in initialisation
                parameter for the JSP servlet to retain backwards
                compatibility with existing configurations. (markt)
        fix	55691: Fix javax.el.ArrayELResolver to correctly handle
                the case where the base object is an array of primitives.
                (markt)
        fix	55973: Fix processing of XML schemas when validation
                is enabled in Jasper. (kkolinko)

    Web applications
        add	Add documentation for
                o.a.c.tribes.group.interceptors.TcpFailureDetector. (kfujino)
        add	Complete the documentation for MessageDispatch15Interceptor.
                (kfujino)
        add	Add to cluster document a description of
                notifyLifecycleListenerOnFailure and
                heartbeatBackgroundEnabled. (kfujino)
        fix	55746: Add documentation on the allRolesMode to the
                CombinedRealm and LockOutRealm. Patch by Cédric Couralet.
                (markt)
        fix	Fix the sample configuration of StaticMembershipInterceptor
                in order to prevent warning log. uniqueId must be 16 bytes.
                (kfujino)
        fix	55119: Avoid CVE-2013-1571 when generating Javadoc. (markt)

    Other
        update	Update Maven Central location used to download
                dependencies at build time to be repo.maven.apache.org.
                (kkolinko)
        fix	55663: Minor correction to the wording of the NOTICE files
                to align them with the requirements for NOTICE files.
                (violetagg)
        fix	Add @since markers to the common annotations classes and
                fix a few specification compliance issues. (markt)
        update	Update to Eclipse JDT Compiler 4.3.1. (markt)
        update	Update the Apache Jakarta JSTL implementation used by
                the exmaples web application to 1.1.2. (markt)
2014-02-06 12:01:43 +00:00
spz
09b30e93b2 security update:
Important: Session fixation CVE-2013-2067

FORM authentication associates the most recent request requiring
authentication with the current session. By repeatedly sending
a request for an authenticated resource while the victim is
completing the login form, an attacker could inject a request
that would be executed using the victim's credentials.

Note that the option to change session ID on authentication was
added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of
session fixation was an application responsibility.
This vulnerability represents a bug in Tomcat's session fixation
protection that was added in 6.0.21. Hence, only versions 6.0.21
onwards are listed as vulnerable.

This was fixed in revision 1417891.

This issue was identified by the Tomcat security team on
15 Oct 2012 and made public on 10 May 2013.

Affects: 6.0.21-6.0.36

Important: Denial of service CVE-2012-3544

When processing a request submitted using the chunked transfer
encoding, Tomcat ignored but did not limit any extensions that
were included. This allows a client to perform a limited DOS
by streaming an unlimited amount of data to the server.

This was fixed in revision 1476592.

This issue was reported to the Tomcat security team on
10 November 2011 and made public on 10 May 2013.

Affects: 6.0.0-6.0.36


ChangeLog:
++++++++++
Catalina

fix	52055: Ensure that filters are recycled. (markt/kkolinko)
fix	52184: Reduce log level for invalid cookies. (markt)
fix	53481: Added support for SSLHonorCipherOrder to allow the
	server to impose its cipher order on the client. Based on
	a patch provided by Marcel Šebek. (schultz)
fix	54044: Correct bug in timestamp cache used by logging
	(including the access log valve) that meant entries could
	be made with an earlier timestamp than the true timestamp. (markt)
fix	In FormAuthenticator: If it is configured to change
	Session IDs, do the change before displaying the login
	form. (kkolinko)
fix	54054: Do not share shell environment variables between
	multiple instances of the CGI servlet. (markt)
fix	54087: Correctly handle (ignore) invalid If-Modified-Since
	header rather than throwing an exception. (markt/kkolinko)
fix	54220: Ensure the ErrorReportValve only generates an error
	report if the error flag on the response has been set. (markt)
fix	Fix memory leak of servlet instances when running with
	a SecurityManager and either init() or destroy() methods
	fail or the servlet is a SingleThreadModel one, and of
	filter instances if their destroy() method fails with an
	Error. (kkolinko)
fix	54382: Fix NPE when SSI processing is enabled and an empty
	SSI directive is present. (markt)
fix	54483: Correct one of the Spanish translations. Based on
	a suggestion from adinamita. (kkolinko)
update	54527: Synchronize conf/web.xml mime mapping with Tomcat 7. (markt)

Coyote

fix	54248: Ensure that byte order marks are swallowed when
	using a Reader to read a request body with a BOM for those
	encodings that require byte order marks. (markt)
fix	54324: Allow APR connector to disable TLS compression
	if OpenSSL supports it. (schultz)
fix	54456: Ensure that if a client aborts a request when
	sending a chunked request body that this is communicated
	correctly to the client reading the request body. (markt)
update	Update the native component of the APR/native connector
	to 1.1.27 and make that version the recommended minimum
	version. (kkolinko)

Jasper

fix	54615: Tomcat 6 doesn't build against ecj 4.x (kkolinko)

Cluster

fix	54045: Make sure getMembers() returns available member
	when TcpFailureDetector works in static cluster. (kfujino)

Web applications

update	22278: Add a commented out sample configuration of
	RemoteAddrValve to META-INF/context.xml files of the
	Manager and Host Manager applications. (kkolinko)
fix	54080: Clarify documentation for initial value of
	internalProxies attribute of RemoteIpValve. (schultz/kkolinko)
fix	54198: Clarify that HttpServletResponse.sendError(int)
	results in an HTML response by default. (markt)
fix	54207: Correct JNDI factory package name in Javadoc for
	org.apache.naming.java.javaURLContextFactory. (markt)

Other

update	Add sample Apache Commons Daemon JSVC wrapper script
	bin/daemon.sh that can be used with /etc/init.d. (kkolinko)
update	In the build configuration: introduce property
	"tomcat.output" that is used to specify location of the
	build output directory. This simplifies configuration if
	someone wants to move the output directory elsewhere
	(e.g. out of the source tree). (kkolinko)
fix	54390: Use 'java_home' on Mac OS X to auto-detect
	JAVA_HOME. (schultz)
update	54601: Change catalina.sh to consistently use
	LOGGING_MANAGER variable to configure logging, instead
	of modifying JAVA_OPTS one. (kkolinko)
update	54890: Update to Apache Commons Daemon 1.0.15. (mturk)
2013-05-18 15:19:15 +00:00
spz
acc5cb1c66 update to apache-tomcat 6.0.36. Upstream changelog:
Tomcat 6.0.36 (jfclere)

   Catalina
   ++++++++
   update  48692: Provide option to parse
           application/x-www-form-urlencoded PUT requests. (schultz)
   add     50306: New StuckThreadDetectionValve to detect requests
           that take a long time to process, which might indicate that
           their processing threads are stuck. Based on a patch
           provided by TomLu. (kkolinko)
   fix     50570: Enable FIPS mode to be set in AprLifecycleListener.
           Based upon a patch from Chris Beckey. Note that this mode
           requires tomcat-native 1.1.23 or later linked to a
           FIPS-capable OpenSSL library, which one has to build by
           themselves. (schultz/kkolinko)
   fix     Improve synchronization and error handling in
           AprLifecycleListener. Do not allow to change SSL options
           if SSL has already been initialized. (schultz/kkolinko)
   fix     52225: Fix ClassCastException when adding an alias for an
           existing host via JMX. (kkolinko)
   fix     52293: Correctly handle the case when antiResourceLocking
           is enabled at the Context level when unpackWARs is disabled
           at the Host level. Correctly handle multi-level contexts
           when antiResourceLocking is enabled. Patch by Justin Miller.
           (kkolinko)
   fix     Do not throw IllegalArgumentException from parseParameters()
           call when chunked POST request is too large, but treat it
           like an IO error. The FailedRequestFilter filter can be
           used to detect this condition. (kkolinko)
   fix     52384: Do not fail with parameter parsing when debug
           logging is enabled. (kkolinko)
   fix     Do not flag extra '&' characters in parameters as
           parse errors. (kkolinko)
   fix     52488: Correct typos: exipre -> expire. Based on a patch
           by prockter. (markt)
   fix     Reduce log level for the message about hitting
           maxParameterCount limit from WARN to INFO. Fix limit
           comparison to allow exactly maxParameterCount parameters,
           as documentation says, instead of (maxParameterCount-1).
           (kkolinko)
   fix     Slightly improve performance of UDecoder.convert(). Align
           %2f handling between implementations. (kkolinko)
   add     Add denyStatus attribute to RequestFilterValve
           (RemoteAddrValve, RemoteHostValve valves). It allows to
           use different HTTP response code when rejecting denied
           request. E.g. 404 instead of 403. (kkolinko)
   add     Add SetCharacterEncodingFilter (similar to the one
           contained in the examples web application) to the
           org.apache.catalina.filters package so that it is
           available for all web applications. (kkolinko)
   add     52500: Added configurable mechanism to retrieve user
           names from X509 client certificates. Based on a patch
           provided by Michael Furman. (schultz/kkolinko)
   fix     52719: Fix a theoretical resource leak in the JAR
           validation that checks for non-permitted classes in
           web application JARs. (markt)
   fix     52830: Correct JNDI lookups when using javax.naming.Name
           to identify the resource rather than a java.lang.String.
           (markt)
   add     52850: Extend memory leak prevention and detection
           code to work with IBM as well as Oracle JVMs. Based on
           a patch provided by Rohit Kelapure. (kkolinko)
   add     52996: In StandardThreadExecutor: Add the ability to
           configure a job queue size (maxQueueSize attribute).
           Add a variant of execute method that allows to specify
           a timeout for how long we want to try to add something
           to the queue. Based on a patch by Rüdiger Plüm. (kkolinko)
   fix     53047: If a JDBCRealm or DataSourceRealm is configured
           for an all roles mode that only requires authorization
           (and no roles) and no role table or column is defined,
           don't populate the Principal's roles. (markt/kkolinko)
   fix     53050: Fix handling of entropy value when initializing
           session id generator in session manager. Based on proposal
           by Andras Rozsa. (kkolinko)
   fix     53056: Add APR version number to tcnative version INFO
           log message. (schultz)
   fix     53057: Add OpenSSL version number INFO log message
           when initializing. (schultz)
   fix     53071: Use the message from the Throwable for the error
           report generated by the ErrorReportValve if none was
           specified via sendError(). Use the standard text for
           HTTP error codes. (markt/rjung)
   update  53230: Change session managers to throw
           TooManyActiveSessionsException instead of
           IllegalStateException when the maximum number of sessions
           has been exceeded and a new session will not be created.
           (schultz/kkolinko)
   fix     53267: Ensure that using the GC Daemon Protection feature
           of the JreMemoryLeakPreventionListener does not trigger
           a full GC every hour. (markt/kkolinko)
   fix     53531: Fix ExpandWar.expand to check the return value
           of File.mkdir and File.mkdirs. (schultz)
   fix     Make the CSRF nonce cache in CsrfPreventionFilter
           serializable so that it can be replicated across a cluster
           and/or persisted across Tomcat restarts. (markt)
   fix     53584: Ignore path parameters when comparing URIs for
           FORM authentication. This prevents users being prompted
           twice for passwords when logging in when session IDs
           are being encoded as path parameters. (markt)
   fix     Various improvements to the DIGEST authenticator
           including 52954, the disabling caching of an authenticated
           user in the session by default, tracking server rather
           than client nonces and better handling of stale nonce
           values. (markt)
   fix     Remove unneeded handling of FORM authentication in
           RealmBase. (kkolinko)
   fix     53800: FileDirContext.list() did not provide correct paths
           for subdirectories. Patch provided by Kevin Wooten.
           (kkolinko)
   fix     53830: Better handling of Manager.randomFile default
           value on Windows. (kkolinko)
   fix     Improve session management in CsrfPreventionFilter.
           (kkolinko)

   Coyote
   ++++++
   fix     42181: Better handling of edge conditions in chunk
           header processing. (kkolinko)
   update  51477: Support all SSL protocol combinations in the
           APR/native connector. This only works when using the
           native library version 1.1.21 or later. (rjung)
   fix     52055 (comment 14): Correctly reset
           ChunkedInputFilter.needCRLFParse flag when the filter
           is recycled. (kkolinko)
   fix     52606: Ensure replayed POST bodies are available when
           using AJP. (markt)
   fix     52858: Fix high CPU load with SSL, NIO and sendfile
           when client breaks the connection before reading all
           the requested data. (fhanik/kkolinko)
   fix     53119: Prevent buffer overflow errors being reported
           when a client disconnects before the response has been
           fully written from an AJP connection using the APR/native
           connector. (kkolinko)
   fix     Improve InternalNioInputBuffer.parseHeaders(). (kkolinko)
   add     Implement maxHeaderCount attribute on Connector.
           It is equivalent of LimitRequestFields directive of
           Apache HTTPD. Default value is 100. (kkolinko)
   fix     In JkCoyoteHandler connector for AJP/1.3 protocol
           (in JkMain.setProperty()): Fix setting of properties
           when connector has already started for properties that
           have aliases. E.g. it now allows to change maxHeaderCount
           attribute on Connector MBean via JMX. (kkolinko)
   fix     53725: Fix possible corruption of GZIP'd output. (kkolinko)

   Jasper
   ++++++
   fix     48097 (comment 7), 53366 (comment 1): If JSP page
           unexpectedly fails to initialize PageContext instance,
           write exception to the logs instead of silent swallowing.
           (kkolinko)
   fix     52335: Only handle <\% and not \% as escaped in
           template text. (markt)
   fix     52666: Correct coercion order in EL when processing the
           equality and inequality operators. (markt)
   fix     53001: Revert the fix for 46915 since the use case
           described in the bug is invalid since it breaks the EL
           specification. (markt)
   fix     53032: Modify JspC so it extends org.apache.tools.ant.Task
           enabling it to work with features such as namespaces
           within build.xml files. (markt)

   Cluster
   +++++++
   fix     Replicate principal in ClusterSingleSignOn. (kfujino)
   fix     53513: Fix race condition between the processing of
           session sync message and transfer complete message. (kfujino)
   fix     53606: Fix potential NPE in TcpPingInterceptor. Based
           on a patch by F. Arnoud. (markt)
   fix     53607: To avoid NPE, set TCP PING data to ChannelMessage.
           Patch provided by F.Arnoud (kfujino)
   fix     Fix a behavior of TcpPingInterceptor#useThread. Do not
           start a ping thread when useThread is set to false. (kfujino)

   Web applications
   ++++++++++++++++
   fix     52243: Improve windows service documentation to clarify
           how to include # and/or ; in the value of an environment
           variable that is passed to the service. (markt)
   fix     52515: Make it clear in the Realm how-to in the
           documentation web application that digested password
           storage when using DIGEST authentication requires that
           MD5 digests are used. (markt)
   fix     52641: Remove mentioning of ldap.jar from docs. Patch
           provided by Felix Schumacher. (rjung)
   fix     Remove obsolete bug warning from windows service
           documentation page. (rjung)
   fix     52983: Remove unnecessary code that makes switching to
           other authentication methods difficult. (markt)
   fix     53158: Fix documented defaults for DBCP. Patch provided
           by ph.dezanneau at gmail.com. (rjung)
   update  Update JavaSE documentation links to point to the current
           docs.oracle.com site, instead of obsolete ones
           (download.oracle.com, java.sun.com). (kkolinko)
   update  53289: Clarify ResourceLink example that uses
           DataSource.getConnection(username, password) method.
           Not all data source implementations support it. (kkolinko)
   fix     Prevent the custom error pages for the Manager and
           Host Manager applications from being accessed directly.
           Configure custom pages for error codes 401 and 403
           in Host Manager application. (markt/kkolinko)
   fix     Correct documentation for enableLookups attribute of
           a Connector. By default DNS lookups are disabled. (kkolinko)
   fix     Fix several HTML markup errors in servlets of examples
           web application. (kkolinko)
   update  Change the index page of ROOT webapp to mention
           "manager-gui" role instead of "manager" one. (kkolinko)
   fix     53473: Correct the allowed values for the SSI option
           isVirtualWebappRelative which are true or false. (markt)
   fix     53664: Minor JNDI Howto document enhancement concerning
           mail properties. Patch provided by Mark Eggers. (schultz)
   fix     53601: Clarify that to build Apache Tomcat 6 from sources
           a Java 5 JDK is recommended. (kkolinko)
   fix     53793: Change links on the list of applications in the
           Manager to point to /appname/ instead of /appname. (kkolinko)

   Other
   +++++
   fix     49402, 52124: Fix Maven publishing script: make sure it
           finds tomcat-juli.jar and use later version of wagon-ssh.
           (jfclere)
   fix     Update Apache Commons Daemon to 1.0.10. It resolves
           52548 which meant that services created with service.bat
           did not set the catalina.home and catalina.base system
           properties. (markt, kkolinko)
   update  Update Apache Commons Pool to 1.5.7. (kkolinko)
   update  52579: Add a note about Sun's Charset.decode() bug to
           the RELEASE-NOTES file. (kkolinko)
   update  52805: Update to Eclipse JDT Compiler 3.7.2. (kkolinko)
   update  Update the native component of the APR/native connectors
           to 1.1.23 and take advantage of the simplified distribution.
           (kkolinko)
   fix     When building a Windows installer do not copy whole
           "res" folder to output/dist, but only the files that
           we need. Apply fixcrlf filter only after the files are
           copied, so that INSTALLLICENSE file had correct line
           ends. (kkolinko)
   update  Remove res/License.rtf. The file that is actually shown
           by the Windows installer is res/INSTALLLICENSE. (kkolinko)
   update  Improve RUNNING.txt. (kkolinko)
   update  Align the script that deploys Maven jars for Tomcat
           (res/maven/mvn-pub.xml) with the Tomcat 7 version, making
           full use of Nexus. (markt)
   add     53034: Add project.url and project.licenses sections to
           the POMs for the Maven artifacts. (kkolinko)
   fix     53454: Return correct content-length header for HEAD
           requests when content length is greater than 2GB. (markt)
2012-12-02 11:31:17 +00:00
spz
994732e8da Upstream changelog:
Tomcat 6.0.35 (jfclere)
+++++++++++++++++++++++

Catalina
--------

fix	Fix regression in decoding of parameters that contain spaces.
	Patch by Willem Fibbe. (kkolinko)

Tomcat 6.0.34 (jfclere)	not released
++++++++++++++++++++++++++++++++++++

Catalina
--------

fix	51550: Display an error page rather than an empty response
	for an IllegalStateException caused by too many active sessions.
	(markt)
add	51640: Improve the memory leak prevention for leaks triggered
	by java.sql.DriverManager. (markt/kkolinko)
fix	51688: JreMemoryLeakPreventionListener now protects against
	AWT thread creation. (schultz)
fix	51758: The digester (used for processing XML files) used
	the logger name org.apache.commons.digester.Digester rather
	than the expected org.apache.tomcat.util.digester.Digester.
	The digester has been changed to use the expected logger name.
	(kkolinko)
add	51862: Added a classesToInitialize attribute to
	JreMemoryLeakPreventionListener to allow pre-loading of
	configurable classes to avoid some classloader leaks. (slaurent)
fix	51872: Ensure that the access log always uses the correct
	value for the remote IP address associated with the request
	and that requests with multiple errors do not result in
	multiple entries in the access log. (markt)
add	Allow to overwrite the check for distributability of session
	attributes by session implementations. (rjung)
add	Provide the log format "OneLineFormatter" for JULI that
	provides the same information as the default plus thread
	name but on a single line. (markt/rjung)
fix	Ensure the the memory leak protection for the HttpClient
	keep-alive always operates even if the thread has already
	stopped. (markt)
fix	51940: Do not limit saving of request bodies during FORM
	authentication to POST requests since any HTTP method may
	include a request body. Based on a patch by Nicholas Sushkin.
	(kkolinko)
fix	52091: Address performance issues related to lock contention
	in StandardWrapper. Based on patch provided by Taiki Sugawara.
	(kkolinko)
update	In GenericPrincipal, SerializablePrincipal: Do not sort lists
	of roles that have only one element. (kkolinko)
add	Make configuration issue for CsrfPreventionFilter result in
	the failure of the filter rather than just a warning message.
	(kkolinko)
fix	Ensure changes to the configuration of RemoteAddrValve and
	RemoteHostValve via JMX are thread-safe. (kkolinko)
add	Make configuration issue for RemoteAddrValve and
	RemoteHostValve result in the failure of the valve rather
	than just a warning message. (kkolinko)
update	In RequestFilterValve (RemoteAddrValve, RemoteHostValve):
	refactor value matching logic into separate method and expose
	this new method isAllowed through JMX. (kkolinko)
add	Improve performance of parameter processing for GET and POST
	requests. Also add an option to limit the maximum number of
	parameters processed per request. This defaults to 10000.
	Excessive parameters are ignored. Note that FailedRequestFilter
	can be used to reject the request if some parameters were
	ignored. (markt/kkolinko)
add	New filter FailedRequestFilter that will reject a request
	if there were errors during HTTP parameter parsing. (kkolinko)

Coyote
------

fix	50394: Return -1 from read operation instead of throwing an
	exception when encountering an EOF with the HTTP APR connector.
	(kkolinko)
fix	51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt)
fix	Detect incomplete AJP messages and reject the associated
	request if one is found. (markt)
fix	51794: Fix race condition in NioEndpoint selector.
	Patch provided by dlord. (fhanik)
fix	51905: Fix infinite loop in AprEndpoint shutdown if acceptor
	unlock fails. Reduce timeout before forcefully closing the
	socket from 30s to 10s. (kkolinko)
fix	52121: Fix possible output corruption when compression is
	enabled for a connector and the response is flushed.
	Test case provided by David Marcks. (kkolinko)
fix	Replace unneeded call that iterated events queue in
	NioEndpoint.Poller. (kkolinko)
fix	Improve MimeHeaders.toString(). (kkolinko)
fix	Allow the BIO HTTP connector to be used with SSL when
	running under Java 7. (markt)
fix	Improve multi-byte character handling in all connectors. (rjung)

Jasper
------

fix	51220: Correct copy/paste error in original commit for this
	issue. (markt)
fix	52091: Address performance issues related to log creation
	in TagHandlerPool. Patch provided by Taiki Sugawara. (markt)

Cluster
-------

add	51736: Make rpcTimeout configurable in BackupManager. (kfujino)
add	New cluster manager attribute sessionAttributeFilter allows
	to filter which session attributes are replicated using a
	regular expression applied to the attribute name. (rjung)
fix	Avoid an unnecessary session ID change notice.
	Notice of changed session ID by JvmRouteBinderValve is
	unnecessary to BackupManager. In BackupManager, change of
	session ID is replicated by the call of a setId() method.
	(kfujino)
fix	Fix unneeded duplicate resetDeltaRequest() call in
	DeltaSession.setId(String). (kkolinko)
add	When Context manager does not exist, no context manager
	message is replied in order to avoid timeout (default 60 sec)
	of GET_ALL_SESSIONS sync phase. (kfujino)

Webapps
-------

fix	Correct the documentation for the connectionLinger attribute
	of the HTTP connector. (markt)
add	Show build date and version in the header on every
	documentation page. (kkolinko)
fix	52049: Improve setup instructions for running as a Windows
	service: correct information on how a JRE is identified and
	selected. (markt)
update	52172: Clarify Tomcat build instructions. Patch provided by
	bmargulies. (kkolinko)

Other
-----

update	Update the native component of the APR/native connectors
	to 1.1.22. (markt)
update	Update the recommended version of the native component
	of the APR/native connectors to 1.1.22. (kkolinko)
update	Update the Eclipse compiler (used for JSPs) to 3.7. (markt)
fix	Correct two typos in the Windows installer. (kkolinko)
fix	52059: In Windows uninstaller: Do not forget to remove
	Tomcat keys from 32-bit registry on deinstallation. (kkolinko)
2011-12-13 09:44:17 +00:00
spz
5e7727ae18 security fixes (two of three) for a leaf package
Upstream changelog:

Catalina
--------

add	Allow to search the virtual paths before the webapp or after it.
	(rjung)
fix	27988: Improve reporting of missing files. (markt)
fix	28852: Add URL encoding where missing to parameters in URLs
	presented by Ant tasks to the Manager application.
	Based on a patch by Stephane Bailliez. (markt)
add	46252: Allow to specify character set to be used to write
	the access log in AccessLogValve. (kkolinko)
add	48863: Provide an warning if there is a problem with a class
	path entry but use debug level logging if it is expected due
	to catalina home/base split. (kkolinko)
add	49180: Add an option to disable file rotation in JULI FileHandler.
	(kkolinko)
fix	50189: Once the application has finished writing to the response,
	prevent further reads from the request since this causes various
	problems in the connectors which do not expect this. (markt)
fix	50700: Ensure that the override attribute of context parameters
	is correctly followed. (markt)
fix	50734: Return 404 rather than 400 for requests to the ROOT
	context when no ROOT context is deployed. Patch provided by
	Violeta Georgieva. (markt)
fix	50751: When authenticating with the JNDI Realm, only attempt
	to read user attributes from the directory if attributes are
	required. (markt)
fix	50752: Fix typo in debug message in
	org.apache.catalina.startup.Embedded. (markt)
fix	50855: Fix NPE on AuthenticatorBase.register() when debug
	logging is enabled. (markt)
fix	Correctly format the timestamp reported by version.[sh|bat].
	(markt)
fix	Remove unnecessary whitespace from MIME mapping entries in
	global web.xml file. (markt)
fix	51042: Don't trigger session creation listeners when a
	session ID is changed as part of the authentication process.
	(markt)
add	51119: Add JAAS authentication support to the
	JMXRemoteLifecycleListener. Patch provided by Neil Laurance.
	(markt)
update	Implement display of multiple request headers in AccessLogValve:
	print not just the value of the first header, but of the all
	of them, separated by commas. (kkolinko)
fix	Correct the SSLValve so it returns the SSL key size as an
	Integer rather than as a String. (markt)
fix	51162: Prevent possible NPE when removing a web application. (markt)
fix	51249: Improve system property replacement code in
	ClassLoaderLogManager of Tomcat JULI to cover some corner
	cases. (kkolinko)
fix	51315: Fix IAE when removing an authenticator valve from a
	container. Patch provided by Violeta Georgieva. (markt)
fix	51324: Improve handling of exceptions when flushing the
	response buffer to ensure that the doFlush flag does not get
	stuck in the enabled state. Patch provided by Jeremy Norris.
	(kkolinko)
fix	51348: Fix possible NPE when processing WebDAV locks. (markt)
add	Add a container event that is fired when a session's ID is
	changed, e.g. on authentication. (markt)
fix	Fix CVE-2011-2204. Prevent user passwords appearing in log files
	if a runtime exception (e.g. OOME) occurs while creating a
	new user for a MemoryUserDatabase via JMX. (markt)
fix	51400: Avoid jvm bottleneck on String/byte[] conversion
	triggered by a JVM bug. Based on patches by Dave Engberg and
	Konstantin Preißer. (markt)
add	51403: Avoid NPE in JULI FileHandler if formatter is
	misconfigured. (kkolinko)
update	Create a directory for access log or error log (in AccessLogValve
	and in JULI FileHandler) automatically when it is specified
	as a part of the file name, e.g. in the prefix attribute.
	Earlier this happened only if it was specified with the
	directory attribute. (kkolinko)
fix	Log a failure if access log file cannot be opened. Improve
	i18n of messages. (kkolinko)
fix	Improve handling of URLs with path parameters and prevent
	incorrect 404 responses that could occur when path parameters
	were present. (kkolinko)
fix	51473: Fix concatenation of values in
	SecurityConfig.setSecurityProperty(). (kkolinko)
fix	51509: Fix potential concurrency issue in CSRF prevention
	filter that may lead to some requests failing that should not.
	(markt)
fix	51588: Make it easier to extend the AccessLogValve to add
	support for custom elements. (markt)
fix	Unregister DataSource MBeans when web application stops. (kfujino)
add	Add additional configuration options to the DIGEST
	authenticator. (markt)

Coyote
------

fix	Reduce level of log message for invalid URL parameters from
	WARNING to INFO. (kkolinko)
add	48208: Provide an option to specify a custom trust manager
	for BIO and NIO HTTP connectors using SSL. Based on a patch
	by Luciana Moreira. (markt)
fix	49595: Protect against crashes when using the APR/native
	connector. (jfclere)
fix	49929: Make sure flush packet is not send after END_RESPONSE
	packet. (mturk/markt)
add	50887: Enable the provider to be configured when generating
	SSL certs. Based on a patch by pknopp. (markt)
fix	51073: Throw an exception and do not start the APR connector
	if it is configured for SSL and an invalid value is provided
	for SSLProtocol. (markt)
fix	Fix CVE 2011-2526. Protect against infinite loops (HTTP NIO)
	and crashes (HTTP APR) if sendfile is configured to send more
	data than is available in the file. (markt)
fix	Prevent NPEs when a socket is closed in non-error conditions
	after sendfile processing when using the HTTP NIO connector.
	(markt)
fix	51515: Prevent immediate socket close when comet is used over
	HTTPS. (markt)

Jasper
------

fix	36362: Handle the case where tag file attributes (which can
	use any valid XML name) have a name which is not a Java
	identifier. (markt)
fix	47371: Correctly coerce the empty string to zero when used
	as an operand in EL arithmetic. Patch provided by gbt. (markt)
fix	50726: Ensure that the use of the genStringAsCharArray does
	not result in String constants that are too long for valid
	Java code. (markt)
fix	50895: Don't initialize classes created during the compilation
	stage. (markt)
add	51124: Make Tomcat more robust if an OOME occurs. Usually
	after an OOME all bets are off but this change appears to help
	some users and the description of a 'recoverable' OOME in
	the bug is a plausible one. Based on a patch by Ramiro. (markt)
fix	51177: Ensure Tomcat's MapELResolver and ListELResolver
	always return Object.class for getType() as required by the
	EL specification. (markt)
fix	Correct possible threading issue in JSP compilation when
	development mode is used. (markt)
add	51220: Add a system property to enable tag pooling with JSPs
	that use a custom base class. Based on a patch by Dan Mikusa.
	(markt)
add	Broaden the exception handling in the EL Parser so that more
	failures to parse an expression include the failed expression
	in the exception message. Hopefully, this will help track
	down the cause of 51088. (markt)
add	Improve error reporting of Jasper compilation. (schultz)

Cluster
-------

fix	50646: Fix cluster message data corruption if message size
	exceeds the underlying buffer size. Patch provided by
	Olivier Costet. (markt)
fix	50771: Ensure HttpServletRequest#getAuthType() returns the
	name of the authentication scheme if request has already been
	authenticated. (kfujino)
fix	50950: Correct possible NotSerializableException for an
	authenticated session when running with a security manager.
	(markt)
fix	51306: Avoid NPE when handleSESSION_EXPIRED is processed while
	handleSESSION_CREATED is being processed. (kfujino)
fix	The change in session ID is notified to the container event
	listener on the backup node in cluster. This notification is
	controlled by notifyContainerListenersOnReplication. (kfujino)

Webapps
-------

fix	41498: Add the allRolesMode attribute to the Realm
	configuration page in the documentation web application. (markt)
fix	48997: Fixed some typos and improve cross-referencing to the
	HTTP Connector and APR documentation with the SSL How-To page
	of the documentation web application. (markt)
fix	50804: Update links for Servlet 2.5 and JSP 2.1 Javadoc. (markt)
update	Improve class loading documentation and logging documentation.
	(kkolinko)
update	Configure Security Manager How-To to include a copy of the
	actual conf/catalina.policy file when the documentation is
	built, rather than maintaining a copy of its content. (kkolinko)
fix	51147: Fix deployment via HTML Manager that was broken by
	addition of CRSF protection. Patch provided by Alexis Hassler.
	(markt)
fix	51156: Ensure session expiration option is available in
	Manager application was running web applications that were
	defined in server.xml. (markt)
fix	Correct the log4j configuration settings when defining
	conversion patterns in the documentation web application. (markt)
fix	Update Maven repository information in the documentation to
	reflect current usage. (markt)
fix	51346: Update the documentation web application to make clear
	the circumstances in which the RequestDumperValve will consume
	the request's InputStream. Based on a patch by pid. (markt)
fix	51443: Document the notifySessionListenersOnReplication
	attribute for the DeltaManager. (markt)
fix	51516: Correct documentation web application to show correct
	system property name for changing the name of the SSO session
	cookie. (markt)
update	Update documentation to be even more explicit about the
	implications of setting the path attribute on a Context element
	in server.xml. (markt/kkolinko)

Other
-----

update	Clarify error messages in *.sh files to mention that if a
	script is not found it might be because execute permission
	is needed. (kkolinko)
add	33262, 40510, 50949, 51135: Various improvements to the
	Windows installer to be able to install several copies of
	Tomcat 6 side by side. Allow to configure service name,
	connector and shutdown ports. Allow to choose whether to
	install Start menu shortcuts and Apache Tomcat monitor
	application for all users or for the current one only.
	Improve auto-detection of JAVA_HOME for 64-bit Windows
	platforms: autoselect 32-bit JRE if it exists and 64-bit
	one is not available. Improve server.xml file handling.
	Fix uninstallation icon. (markt/kkolinko)
fix	50854: Add additional entries to the default catalina.policy
	file to support running the manager web application from
	CATALINA_HOME or CATALINA_BASE. (markt)
fix	Update default download sources to use the central
	Apache Maven 2 repository as some libraries have been removed
	from the central Apache Maven 1 repository. (kkolinko)
fix	51155: Add comments to @deprecated tags that have none.
	Patch provided by sebb. (kkolinko)
fix	51309: Correct logic in catalina.sh stop when using a PID
	file to ensure the correct message is shown. Patch provided
	by Caio Cezar. (markt)
update	Update Apache Commons Pool to 1.5.6. (kkolinko)
update	Update Apache Commons Daemon to 1.0.7. (kkolinko)
update	At build time use two alternative download locations for
	components downloaded from apache.org. (kkolinko)
2011-09-24 16:20:57 +00:00
spz
04efe068a5 Update to the latest version; the full changelog is at
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Security relevant fixes:
CVE-2011-0534 - remote denial of service
CVE-2011-0013 - cross site scripting
CVE-2010-4172 - cross site scripting
CVE-2010-3718 - SecurityManager file permission bypass
2011-02-15 07:03:11 +00:00
spz
8096de53fa Update of apache-tomcat to version 6.0.29
(and a little Makefile cosmetics)
fixes two of the currently known security issues

Upstream changelog:
Tomcat 6.0.29 (jfclere)	released 2010-07-22

Catalina

add	48960: Add a new option to the SSI Servlet and SSI Filter to
	allow the disabling of the exec command. This is now disabled
	by default. Based on a patch by Yair Lenga. (markt)
fix	49551: Allow default context.xml location to be specified using
	an absolute path. (markt)
fix	49598: When session is changed and the session cookie is
	replaced, ensure that the new Set-Cookie header overwrites the
		old Set-Cookie header. (markt)
fix	Fix order when listing Webapp loader search URLs. (rjung)
add	Add support for *.jar pattern in VirtualWebappLoader. (kkolinko)

Tomcat 6.0.28 (jfclere)	released 2010-07-09

Catalina

fix	Arrange filter logic. (jfclere)
fix	49230: Enhance JRE leak prevention listener with protection for
	the keep-alive thread started by sun.net.www.http.HttpClient.
	Patch provided by Rob Kooper. (markt)
fix	49351: Fix possible NPe when embedding and no name is specified
	for the Service. (markt)
fix	49424: Avoid NPE if client provides no data with a chunked
	POST request. (markt)
fix	49414: Differentiate between request threads and application
	created threads when warning about still running threads when
	an application stops. (markt)
fix	49443: Use remoteIpHeader rather than remoteIPHeader
	consistently. (markt)
add	Add property searchExternalFirst to WebappLoader. If set,
	the external repositories will be searched before the WEB-INF
	ones. (rjung)

Cluster

fix	49445: When session ID is changed after authentication, ensure
	the DeltaManager replicates the change in ID to the other nodes
	in the cluster. (kfujino)

Webapps

fix	49213: Grant permissions required by manager application when
	running under a security manager. (markt/kkolinko)
fix	49436: Correct documented default for readonly attribute of
	the UserDatabase component. (markt)

Tomcat 6.0.27 (jfclere)	not released

General

update	Update DBCP to 1.3. (markt)

Catalina

fix	Fix CVE-2010-1157. Prevent possible disclosure of host name
	or IP address via the HTTP WWW-Authenticate header when using
	BASIC or DIGEST authentication. (markt)
add	Include context name when reporting memory leaks to aid root
	cause identification. (markt)
fix	Improve exception handling on session de-serialization to
	assist in identifying the root cause of 48007. (kkolinko)
add	48379: Make session cookie name, domain and path configurable
	per context. (markt)
fix	48589: Make JNDIRealm easier to extend. Based on a patch by
	Candid Dauth. (markt/kkolinko)
fix	48629: Allow user names as well as DNs to be used with the
	nested role search. Add roleNested to the documentation.
	Patch provided by Felix Schumacher. (markt)
fix	48661: Make error page behavior consistent, regardless of how
	the error page is defined. If a response has been committed,
	always include the error page. (markt)
fix	48729: Return roles defined by both userRoleName and roleName
	mechanisms. Patch provided by 'eric'. Also make user's role
	list immutable.(markt)
fix	48760: Fix potential multi-threading issue in static resource
	serving where multiple threads could try to use the the same
	InputStream. (markt)
fix	48790: Fix thread safety issue in the count of the maximum
	number of active session. (markt/kkolinko)
fix	48793: Make catalina.sh more robust to different return values
	on different platforms. Patch provided by Thomas GL. (markt)
fix	48840: Swallow output (if any) from use of cd when determining
	$CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts.
	Based on patch provided by mdietze. (markt/kkolinko)
fix	48895: Make clearing of ThreadLocals that are causing memory
	leaks on web application stop, reload or undeploy configurable
	since the process of clearing them is not thread-safe. (markt)
fix	48903: Fix deadlock in webapp class loader. (rjung)
fix	48971: Make stopping of leaking Timer threads optional and
	disabled by default. (markt)
fix	48976: Document JAVA_ENDORSED_DIRS in start-up scripts.
	Patch provided by Laurent Vaills. (markt)
fix	48983: Improve debug logging for situations when RemoteIpValve
	is bypassed. Patch provided by Cyrille Le Clerc. (markt)
fix	49018: Fix processing of time argument in the Expire sessions
	action in the Manager web application. (kkolinko)
fix	49116: If session is already invalid, expire session to prevent
	memory leak. (kfujino)
fix	49158: Ensure only one session cookie is returned for a single
	request. (markt/fhanik)
fix	49245: Fix session expiration check in cross-context requests.
	(markt)
fix	49398: ByteChunk.indexOf(String, int, int, int) could not find
	a string of length 1. (kkolinko)
fix	Fix possible overflows when calculating session statistics.
	(kkolinko)
add	Log unexpected exceptions when providing access to web
	application resources in ApplicationContext. (kkolinko)
fix	Improve exception handling in CatalinaShutdownHook. (kkolinko)
add	Expose properties of VirtualWebappLoader and WebappClassLoader
	via JMX. (rjung)

Coyote

fix	48839: Correctly handle HTTP header folding in the NIO connector.
	Patch suggested by Richa Baronia. (markt)
fix	48843: Prevent possible deadlock for worker allocation in
	connectors. (kkolinko)
fix	48843: Fix handling of add queues in AprEndpoint.Poller and
	AprEndpoint.Sendfile. Do not miss wakeups. (kkolinko)
add	48862: Add support for the backlog parameter to the AJP
	connector. (pero/markt)
fix	48917: Correct name of mod_jk module in ApacheConfig.
	Patch provided by Todd Hicks. (markt)
fix	49095: AprEndpoint did not wakeup acceptors during shutdown
	when deferAccept option was enabled. Based on a patch provided
	by Ruediger Pluem. (kkolinko)
add	Use chunked encoding for http 1.1 requests with no
	content-length (regardless of keep-alive) so client can
	differentiate between complete and partial responses. (markt)
fix	Correct the SSL session timeout attribute name so the code
	agrees with the documentation. (markt)
add	CoyotePrincipal now implements Serializable. (fhanik)
fix	Enable the BIO AJP connector to run under a security manager.
	(markt)

Jasper

fix	45015: Correct a regression in quote handling caused by the
	re-factoring of attribute parsing. (markt)
fix	48701: Add a system property to allow disabling enforcement
	of JSP.5.3. The specification recommends, but does not require,
	this enforcement. (kkolinko)
fix	48737: Don't assume paths that start with /META-INF/... are
	always in JARs. This is not true for some IDEs.
	Patch provided by Fabrizio Giustina. (markt)
fix	49081: Correctly handle EL expressions of the form #${...}. (markt)
fix	49196: Avoid NullPointerException in PageContext.getErrorData()
	if an error-handling JSP page is called directly. (markt)

Cluster

fix	48717: When a node joins a cluster and it receives all the
	current sessions, ensure the sessionCreated event is fired
	if the Manager is configured to replicate session events. (markt)
fix	48934: Previous fix to handle dropped connections incorrectly
	permanently disabled session replication. (fhanik)
fix	49051: memberAlive is not called if member has not already
	existed in membership. (kfujino)
fix	49151: Avoid ClassCastException in BackupManager#stop. (kfujino)
fix	49170: Do not send duplicated session. (kfujino)
fix	Add missing messages and ensure cluster listeners log messages
	to correct logger. (markt)

Webapps

add	Use underscores instead of spaces in anchor names in Tomcat
	documentation. (kkolinko)
add	Add support for displaying the Spring Security user name
	(if present) in the Manager application. (markt)
update	Improve the ChatServlet Comet example (/examples/jsp/chat/).
	(kkolinko)

Other

update	Update to Commons Daemon 1.0.2. Use service launcher (procrun)
	from the Commons Daemon release. Do not keep a copy of it in
	our source tree. (mturk/kkolinko)
update	Update to NSIS 2.46. (kkolinko)
fix	48990: Fix the skip.installer build property so if set, only
	the Windows installer is skipped. (markt)
fix	49178: Provide in catalina.policy an example of additional
	permissions that might be needed for code located in
	$CATALINA_BASE/lib. (markt)
fix	49236: Do not use indexing when packing Tomcat JARs. (kkolinko)
fix	Remove unused code from org.apache.tomcat.util.buf classes.
	(kkolinko)
update	Rearrange tomcat-juli.jar permissions and wrap long lines in
	the conf/catalina.policy file, to make the text more readable
	when cited in documentation. (kkolinko)
fix	Do not evaluate the execute.installer property when building
	a release. The skip.installer property is used instead. (kkolinko)

Tomcat 6.0.26 (jfclere)	released 2010-03-11

Catalina

fix	Close security hole in unreleased 6.0.25 by ensuring new find
	leaks functionality is protected by a security constraint.
	(kkolinko)
fix	48831: Improve logging shutdown behaviour. Use Catalina's
	shutdown hook to shutdown JULI. This enables them to be shutdown
	in the correct order. Do not shutdown global handlers several
	times. (markt/kkolinko)

Coyote

fix	48584: Prevent the APR connector logging an error if the
	acceptor fails during shutdown since this is expected. (mturk)
fix	48660: Using compression should not overwrite any Vary header
	set by a web application. (markt)

Jasper

fix	48371: Ensure generated servlet mappings are inserted at the
	correct location when using JspC and allow the option that
	controls this to be configured on the command line.
	Also allow the encoding of web.xml to be configured when using
	JspC and deprecate some unused JspC methods. (markt/kkolinko)
fix	48498: Avoid ArrayIndexOutOfBoundsException triggered by a
	Java 6/7 XML parser bug. (markt/kkolinko)
fix	48668: Additional fixes to ensure deferred syntax is handled
	correctly. (kkolinko)
fix	48827: Correct a regression in the fix for 47977 that caused
	an incorrect non-empty body error to be reported for valid
	JSP documents. (markt)

Webapps

add	Make changelog.xml be directly rendered as HTML by certain
	browsers. (kkolinko)
add	Add support for automated generation of TOC tables and for
	links to svn revisions to tomcat-docs.xsl in documentation.
	(kkolinko/fhanik)
add	Move Manager application JSPs that are not intended to be
	accessed directly under the WEB-INF directory. (kkolinko)
fix	Improve the messages displayed by the find leaks diagnostic
	in the Manager application. (kkolinko)

Other

fix	Encode all property files using ascii escaped UTF-8. Also
	fixes deployment problem when using French locale. (jfclere/rjung)

Tomcat 6.0.25 (jfclere)	not released

Catalina

fix	48039: Return immediately if start() is called on an already
	started StandardService. (markt)
fix	48109: Ensure InputStream is closed on error condition in web
	application class loader. (markt)
fix	48179: Clean up dead code that was used to read tldCache file.
	(kkolinko)
fix	48318: Handle case where WebDAV resource is in directory
	listing but is not accessible. (markt)
add	48384: Add a per context xslt option for directory listings.
	Make the fallback options work as described in the
	documentation. (markt)
fix	48577: Filter URL when displaying missing included page. (markt)
fix	48612: Prevent exception on shutdown if the address attribute
	is specified for a connector. (markt)
fix	48613: Further fixes to ensure APRLifecycleListener is only
	used if defined in server.xml. (fhanik)
fix	48614: Correct JULI log file buffering so default behaviour
	is no buffering. (fhanik)
fix	48625: Provide an option to exit if an error occurs during
	the initialization phase. (fhanik)
fix	48645: Use specified encoding rather than null in calls to
	RequestUtil.URLDecode(byte[] bytes, String enc) (markt)
fix	48653: Force request.secure and request.scheme to false and
	http if the X-Forwarded-Proto header has the value http.
	Patch provided by Cyrille Le Clerc. (markt)
fix	48678: Remove duplicate server field from
	org.apache.catalina.startup.Catalina. (markt)
fix	48694: Remove potential deadlock in web application class
	loader. (markt)
add	48716: Provide additional configuration options for JULI. (markt)
fix	48726: Prevent OOME when uploading large WAR files with the
	deployer. Patch provided by adam. (markt)
add	Improve memory leak protection by safely stopping threads
	started via java.util.Timer that an application starts but
	fails to stop and by clearing references retained due to the
	use of java.util.ResourceBundle. (markt)
update	Modify ThreadLocal memory leak detection to not report false
	positives and to simplify implementation. (markt/kkolinko)
add	Basic memory leak detection was added to the standard Host
	implementation and exposed via JMX to detect memory leaks on
	web application reload. (markt/kkolinko)

Coyote

update	Update the native/APR library version bundled with Tomcat to
	1.1.20. (kkolinko)

Jasper

add	Add some debug logging to the compiler where exceptions were
	previously swallowed. (markt)
fix	48170: Remove unnecessary synchronization that is causing
	issues under load. (markt)
fix	48580: Prevent AccessControlException if first access is to
	a JSP that uses a FunctionMapper. (markt)
fix	48582: Avoid NPE on background compilation failure. (markt)
fix	48616: Don't declare or synchronize scripting variables for
	JSP fragments since they are scriptless. This is an alternative
	fix for 42390 that avoids both the original problem and the
	regression in the first fix. (kkolinko)
fix	48627: Fix regression in re-factored EL parsing. Keep literals
	as literals and handle deferredSyntaxAllowedAsLiteral. (kkolinko)
fix	48668: When parsing JSPs only parse EL as EL if EL is enabled
	else strings such as ${ will be silently dropped. (markt)
fix	Various EL TCK failures. (markt)

Cluster

fix	Force a disconnect if an error occurs during replication such
	as a firewall dropping the connection. (fhanik)

Webapps

add	Add new "Find leaks" command to the Manager application.
	It allows to detect web applications that have caused memory
	leaks on stop, reload or undeploy. (markt/kkolinko)

Other

fix	Ensure files in conf directory have CRLF line endings when
	using the Windows installer. (kkolinko)
fix	Allow special characters recognized by the Windows command-line
	shell to be present in the names of CATALINA_HOME/_BASE and
	the current directory used to call the Tomcat scripts. (kkolinko)
fix	Don't use @Deprecated annotations in javax.servlet.jsp.JspContext
	since the specification does not include them in the API
	definition. (markt)
add	Improve the information in the JAR manifest files. (markt)
2010-09-19 14:32:04 +00:00
spz
7cc9684ff4 update to the fresh release
The changelog from 6.0.20 to 6.0.24 is quite lengthy, please refer to
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html for details

fixes CVE-2009-2693, CVE-2009-2901 and CVE-2009-2902
2010-01-28 12:16:45 +00:00
adrianp
4fc674c14e Update from .18->.20
In brief:
46933: Update StringManager to use Java 5 features. Patch provided by Jens Kapitza. (markt)
46990: Fix synchronization issues reported by FindBugs. Patch provided by Sebb. (markt)
Allow huge request body packets for AJP13. (rjung)
Manager application prints FAIL if application was deployed but failed to start (fhanik)
When shutdown port is disabled, print user friendly message and not a stack trace. (fhanik)
The invoker servlet has been deprecated and will be removed in Tomcat 7 onwards. (markt)
45154  Implement SEND_FILE behavior for SSL connections using NIO (fhanik)

For full details see:
	http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
2009-06-06 17:34:08 +00:00
adrianp
01c1be3786 Apache Tomcat 6.x is the current focus of development. It builds upon the
improvements made in Tomcat 5.5.x and implements the Servlet 2.5 and JSP 2.1
specifications. In addition to that, it includes the following improvements:

* Memory usage optimizations
* Advanced IO capabilities
* Refactored clustering

While we're here make a number of improvements based on the old 5.5.x pkg:
- Use MASTER_SITE_APACHE
- Default to running as an unprived user
- Use a more standard rc.d script
- Cleaner pkg_delete operation based on standard files/dirs that change
2009-02-14 12:02:08 +00:00