15 commits
Author | SHA1 | Message | Date | |
---|---|---|---|---|
ryoon
|
9669f4eb32 |
Update to 6.0.45
Changelog: Tomcat 6.0.45 (jfclere) Catalina fix Back-port various improvements to the AprLifecycleListener including the fix for 57021 that improves logging when the Tomcat-Native DLL fails to load. (markt) add 57154: Add support for web applications (Context elements) that do not have a docBase. This is intended for use when embedding, such as Tomcat unit tests, when a web application is configured programmatically and does not serve any files. Based on a patch provided by Huxing Zhang. (kkolinko) add 57741: Enable the CGI servlet to use the standard error page mechanism. Note that if the CGI servlet's debug init parameter is set to 10 or higher then the standard error page mechanism will be bypassed and a debug response generated by the CGI servlet will be returned instead. (markt) fix 57896: Support defensive copying of "cookie" header so that unescaping double quotes in a cookie value does not corrupt original value of "cookie" header. This is an opt-in feature, enabled by org.apache.tomcat.util.http.ServerCookie.PRESERVE_COOKIE_HEADER or org.apache.catalina.STRICT_SERVLET_COMPLIANCE system property. (kkolinko) fix 58031: Make the (first) reason parameter parsing failed available as a request attribute and then use it to provide a better status code via the FailedRequstFilter (if configured). (markt) fix 58313: Fix concurrent access of encoders map when clearing encoders during Comet processing. (markt) fix 58508: Escape role names when generating associated MBeans in case the role name contains characters not permitted in an MBean name. (markt) fix 58582: Combined realm should perform background processing on its sub-realms. Based upon a patch provided by Aidan. (kkolinko) add Move the functionality that provides redirects for context roots and directories where a trailing / is added from the Mapper to the DefaultServlet. This enables such requests to be processed by any configured Valves and Filters before the redirect is made. This behaviour is configurable via the mapperContextRootRedirectEnabled and mapperDirectoryRedirectEnabled attributes of the Context which may be used to restore the previous behaviour. (markt) fix 58635: Enable break points to be set within agent code when running Tomcat with a Java agent. Based on a patch by Huxing Zhang. (markt) fix Add the StatusManagerServlet to the list of Servlets that can only be loaded by privileged applications. (markt) fix Remove redundant copy of catalina.properties from o.a.c.startup. Generate this copy during the ant "compile" task. (kkolinko) fix 58817: Fix ArrayIndexOutOfBoundsException caused by MapperListener when ROOT context is being undeployed and mapperContextRootRedirectEnabled="false". (kkolinko) fix 58836: Correctly merge query string parameters when processing a forwarded request where the target includes a query string that contains a parameter with no value. (markt/kkolinko) add Allow singleton server instance stored by ServerFactory to be cleared. Allow ResourceLinkFactory to be initialized more than once. This is used by unit tests when running several copies of Tomcat sequentially in the same JVM. When running with a SecurityManager the initialization method of ResourceLinkFactory is protected by requiring a RuntimePermission. (kkolinko) add Extend the feature available in the cluster session manager implementations that enables session attribute replication to be filtered bases on attribute name to all session manager implementations. Note that configuration attribute name has changed from sessionAttributeFilter to sessionAttributeNameFilter. Apply the filter on load as well as unload to ensure that configuration changes made while the web application is stopped are applied to any persisted data. (markt) add Extend the session attribute filtering options to include filtering based on the implementation class of the value and optional WARN level logging if an attribute is filtered. These options are available for all of the Manager implementations that ship with Tomcat. When a SecurityManager is used filtering will be enabled by default. (markt) fix 58946: Ensure that the request parameter map remains immutable when processing via a RequestDispatcher. (markt) Coyote add Align the Java side of the tc-native connector with the Tomcat 7 implementation to ease future maintenance. (markt) fix 51503: Add additional validation that prevents a connector from starting if it does not have a valid port number. (kkolinko) add 52028: Add support for automatic binding to a free port by a connector if the special value of zero is used for the port. This is mainly useful in embedded and testing scenarios. (kkolinko) fix 52926: Avoid NPE when an NIO Comet connection times out on one thread at the same time as it is closed on another thread. (markt/kkolinko) fix 57943: Prevent the same socket being added to the cache twice. Patch based on analysis by Ian Luo / Sun Qi. (markt/kkolinko) fix Improve HTTP header validation. (markt) Web applications fix 57971: Correct the documentation for the cluster configuration setting recoverySleepTime. (markt) fix 58112: Update the documentation for using the Catalina tasks in an Apache Ant build file. (markt) fix Improve the Javadoc for some of the APR socket read functions that have inconsistent behaviour for return values. (markt) add 58255: Document the Semaphore valve. Patch provided by Kyohei Nakamu. (markt) fix 58631: Correct the continuation character use in the Windows Service How-To page of the documenation web application. (markt) fix Correct some typos in the JNDI resources How-To. (markt) fix Add a redirect to the web interface to the root of the Manager web application. (markt) fix Don't create sessions unnecessarily in the Manager application. (markt) fix Add a redirect to the web interface to the root of the Host Manager web application. (markt) fix Don't create sessions unnecessarily in the Host Manager application. (markt) Other fix Ensure JULI adapters JAR in Tomcat extras package does not include the LogFactoryImpl[$*] classes. Based on patch provided by Benjamin Gandon. (kkolinko) code Convert test classes to JUnit 4. (kkolinko) update 58596: Clarify the description in RUNNING.txt of how environment variables are used. (markt) update Update the NSIS Installer used to build the Windows Installers to version 2.50. (markt/kkolinko) add Add framework for client-server unit tests, porting it from Tomcat 7. Add support for running the tests with Apache Ant. (kkolinko) update Update to Tomcat Native Library version 1.1.34. (jfclere) update Remove support for Intel Itanium CPU (i64, IA-64) in the Windows installer, as the current release of Tomcat Native does not have binaries for that processor architecture. (jfclere) |
||
agc
|
b9b754e081 |
Add SHA512 digests for distfiles for www category
Problems found locating distfiles: Package haskell-cgi: missing distfile haskell-cgi-20001206.tar.gz Package nginx: missing distfile array-var-nginx-module-0.04.tar.gz Package nginx: missing distfile encrypted-session-nginx-module-0.04.tar.gz Package nginx: missing distfile headers-more-nginx-module-0.261.tar.gz Package nginx: missing distfile nginx_http_push_module-0.692.tar.gz Package nginx: missing distfile set-misc-nginx-module-0.29.tar.gz Package nginx-devel: missing distfile echo-nginx-module-0.58.tar.gz Package nginx-devel: missing distfile form-input-nginx-module-0.11.tar.gz Package nginx-devel: missing distfile lua-nginx-module-0.9.16.tar.gz Package nginx-devel: missing distfile nginx_http_push_module-0.692.tar.gz Package nginx-devel: missing distfile set-misc-nginx-module-0.29.tar.gz Package php-owncloud: missing distfile owncloud-8.2.0.tar.bz2 Otherwise, existing SHA1 digests verified and found to be the same on the machine holding the existing distfiles (morden). All existing SHA1 digests retained for now as an audit trail. |
||
spz
|
8380dd82c7 |
Update to Tomcat 6.0.44
Upstream changelog: Catalina ++++++++ fix Correct typo in the message shown by HttpServlet for unexpected HTTP method. (kkolinko) add Allow to configure RemoteAddrValve and RemoteHostValve to adopt behavior depending on the connector port. Implemented by optionally adding the connector port to the string compared with the patterns allow and deny. Configured using addConnectorPort attribute on valve. (rjung) fix 56608: Fix IllegalStateException for JavaScript files when switching from Writer to OutputStream. The special handling of this case in the DefaultServlet was broken due to a MIME type change for JavaScript. (markt) fix 57675: Correctly quote strings when using the extended access log. (markt) Coyote ++++++ fix 57234: Make SSL protocol filtering to remove insecure protocols case insensitive. Correct spelling of filterInsecureProtocols method. (kkolinko/schultz) fix When applying the maxSwallowSize limit to a connection read that many bytes first before closing the connection to give the client a chance to read the response. (markt) fix 57544: Fix a potential infinite loop when preparing a kept alive HTTP connection for the next request. (markt) add 57570: Make the processing of chunked encoding trailing headers optional and disabled by default. (markt) fix 57581: Change statistics byte counter in coyote Request object to be long to allow values above 2Gb. (kkolinko) update Update the minimum recommended version of the Tomcat Native library (if used) to 1.1.33. (markt) Jasper ++++++ fix Fix potential issue with BeanELResolver when running under a security manager. Some classes may not be accessible but may have accessible interfaces. (markt) fix Simplify code in ProtectedFunctionMapper class of Jasper runtime. (kkolinko) fix 57801: Improve the error message in the start script in case the PID read from the PID file is already owned by a process. (rjung) Web applications ++++++++++++++++ fix Update documentation for CGI servlet. Recommend to copy the servlet declaration into web application instead of enabling it globally. Correct documentation for cgiPathPrefix. (kkolinko) update Improve Tomcat Manager documentation. Rearrange, add section on HTML GUI, document /expire command and Server Status page. (kkolinko) add 54143: Add display of the memory pools usage (including PermGen) to the Status page of the Manager web application. (kkolinko) fix Fix several issues with status.xsd schema in Manager web application, testing it against actual output of StatusTransformer class. (kkolinko) update Align algorithm that generates anchor names in Tomcat documentation with Tomcat 7/8/9. No visible changes, but may help with future updates to the documentation. (kkolinko) fix 56058: Add links to the AccessLogValve documentation for configuring reverse proxies and/or Tomcat to ensure that the desired information is used entered in the access log when Tomcat is running behind a reverse proxy. (markt) fix 57503: Make clear that the JULI integration for log4j only works with log4j 1.2.x. (markt) update 57644: Update examples to use Apache Standard Taglib 1.2.5. (jboynes/kkolinko) fix 57706: Clarify the documentation for the AJP connector to make clearer that when using tomcatAuthentication="false" the user provided by the reverse proxy will not be associated with any roles. (markt) fix Correct the documentation for deployOnStartup to make clear that if a WAR file is updated while Tomcat is stopped and unpackWARs is true, Tomcat will not detect the changed WAR file when it starts and will not replace the unpacked WAR file with the contents of the updated WAR. (markt) add 57759: Add information to the keyAlias documentation to make it clear that the order keys are read from the keystore is implementation dependent. (markt) fix 57864: Update the documentation web application to make it clearer that hex values are not valid for cluster send options. Based on a patch by Kyohei Nakamura. (markt) Other +++++ add 57344: Provide sha1 checksum files for Tomcat downloads. (kkolinko) fix 57558: Change catalina-tasks.xml to use all jars in ${catalina.home}/lib to define Tomcat Ant tasks. This fixes a NoClassDefFoundError with validate task. (kkolinko) update Update to Tomcat Native Library version 1.1.33 to pick up the Windows binaries that are based on OpenSSL 1.0.1m and APR 1.5.1. (markt) |
||
ryoon
|
13090acd35 |
Update to 6.0.43
Changelog: # Tomcat 6.0.43 (markt) ## Catalina * fix Assert that mapping result object is empty before performing mapping work in Mapper. (kkolinko) ## Coyote * fix 53952: Add support for TLSv1.1 and TLSv1.2 for APR connector. Based upon a patch by Marcel Šebek. (schultz/jfclere) * fix 56780: Enable Tomcat to start when using SSL with an IBM JRE in strict SP800-131a mode. (markt/kkolinko) * fix 57102: Fix bug that meant sslEnabledProtocols setting was not recognised for the HTTPS NIO connector. (markt) * add Disable SSLv3 by default for the APR/native HTTPS connector. (markt/schultz) * fix Do not increase remaining counter at end of stream in IdentityInputFilter. (kkolinko) * fix Disable SSLv3 by default (along with SSLv2 which was already disabled by default) in light of the recently announced POODLE vulnerability (CVE-2014-3566). (markt) * fix 57116: Do not fallback to default protocol list for HTTPS BIO connector if sslEnabledProtocols has no matches. (markt) * update Align calculation of default ciphers and default protocols for JSSE HTTPS connectors with Tomcat 7 which allows for per connector defaults based on the choice of sslProtocol. (markt/kkolinko) ## Web applications * fix Configure the Javadoc tool to read sources as ISO-8859-1, suppress timestamp comments and enable charset header. (kkolinko) * fix Correct typos in configuration samples on SSL Configuration page of Tomcat documentation. (kkolinko) ## Other * update 56079: The Apache Tomcat Windows service and the Apache Tomcat Windows service monitor application are now digitally signed. (markt/kkolinko) * update 56988: Allow to use relative path in base.path setting when building Tomcat. (kkolinko) fix Update documentation: the minimum version of Apache Ant required to build Tomcat is 1.8.0. (kkolinko) * update 56596: Update to Tomcat Native Library version 1.1.32 to pick up the Windows binaries that are based on OpenSSL 1.0.1j and APR 1.5.1. (markt) * fix Fix timestamps in Tomcat build to use 24-hour instead of 12-hour format and use UTC timezone. (kkolinko) # Tomcat 6.0.42 (jfclere) not released ## Catalina * fix 56600: In WebdavServlet: Do not waste time generating response for broken PROPFIND request. (kkolinko) * fix 56648: Reduce scope of synchronization when adding children to a container (e.g. adding a Context to a Host) to prevent blocking requests to other children while the new child starts. (markt) * fix 56684: Ensure that Tomcat does not shut down if the socket waiting for the shutdown command experiences a SocketTimeoutException. (markt) ## Coyote fix Various improvements to ChunkedInputFilter including clean-up, i18n for error messages and adding an error flag to allow subsequent attempts at reading after an error to fail fast. (markt) fix 56661: Support using AJP request attribute AJP_LOCAL_ADDR to fix getLocalAddr(). (rjung) ## Jasper * fix 43001: Enable the JspC Ant task to set the JspC option mappedFile. (kkolinko) * fix 56334: Fix a regression in EL parsing when quoted string follows a whitespace. (markt) * fix 56560: Fix NoClassDefFoundError when using Jasper Ant task defined by catalina-tasks.xml file. Patch provided by M Gemmell. (kkolinko) * fix 56561: Avoid NoSuchElementException while handling attributes with empty string value. (violetagg) * fix 56612: Correctly parse consecutive escaped single quotes when used in an EL expression. (markt) * code Use if { ... } else if { ... } rather than multiple if { ... } for alternative branches in the JSP parser. (kkolinko) * fix Fix a potential resource leak in JDTCompiler when checking wether a resource is a package. Reported by Coverity Scan. (fschumacher) ## Other * fix 56606: When creating tomcat-users.xml in the Windows Installer, use the new attribute name for the name of the user. (markt) * add 56829: Add the ability for users to define their own values for _RUNJAVA and _RUNJDB environment variables. Be more strict with executable filename on Windows (s/java/java.exe/). Based on a patch by Neeme Praks. (markt/kkolinko) |
||
spz
|
3e7585f7ce |
security'ish update. Changelog:
Tomcat 6.0.41 ============= Jasper ------ fix 56529: Avoid NoSuchElementException while handling attributes with empty string value in custom tags. Based on a patch provided by Hariprasad Manchi. (violetagg/kkolinko) Tomcat 6.0.40 not released ============================ Catalina -------- fix 56027: Add more options for managing FIPS mode in the AprLifecycleListener. (schultz/kkolinko) fix 56082: Fix a concurrency bug in JULI's LogManager implementation. (markt) fix 56236: Enable Tomcat to work with alternative Servlet and JSP API JARs that package the XML schemas in such as way as to require a dependency on the JSP API before enabling validation for web.xml. Tomcat has no such dependency. (markt) fix Change the default value of the xmlBlockExternal attribute of Context elements. It is now true. (kkolinko) fix Don't log to standard out in SSLValve. (kkolinko/markt) code Use StringBuilder in DefaultServlet. (kkolinko) fix 56275: Allow web applications to be stopped cleanly even if filters throw exceptions when their destroy() method is called. (markt/kkolinko) fix Redefine the globalXsltFile initialisation parameter of the DefaultServlet as relative to CATALINA_BASE/conf or CATALINA_HOME/conf. Prevent user supplied XSLTs used by the DefaultServlet from defining external entities. (markt) fix Add a work around for validating XML documents (often TLDs) that use just the file name to refer to refer to the JavaEE schema on which they are based. (kkolinko) fix 56369: Ensure that removing an MBean notification listener reverts all the operations performed when adding an MBean notification listener. (markt) fix Only create XML parsing objects if required and fix associated potential memory leak in the default Servlet. (markt) fix Ensure that a TLD parser obtained from the cache has the correct value of blockExternal. (markt/kkolinko) add Extend XML factory, parser etc. memory leak protection to cover some additional locations where, theoretically, a memory leak could occur. (markt) add Add the org.apache.naming package to the packages requiring code to have the defineClassInPackage permission when running under a security manager. (markt) add Add the org.apache.naming.resources package to the packages requiring code to have the accessClassInPackage permission when running under a security manager. (markt) fix Make the naming context tokens for containers more robust. Require RuntimePermission when introducing a new token. (markt/kkolinko) Coyote ------ fix Improve processing of chuck size from chunked headers. Avoid overflow and use a bit shift instead of a multiplication as it is marginally faster. (markt/kkolinko) fix Fix possible overflow when parsing long values from a byte array. (markt) update 56363: Update to version 1.1.30 of Tomcat Native library. The minimum required version of this library for APR connector is now 1.1.30. (kkolinko) Jasper ------ fix Change the default behaviour of JspC to block XML external entities by default. (kkolinko) fix Restore the validateXml option to Jasper that was previously renamed validateTld. Both options are now supported. validateXml controls the validation of web.xml files when Jasper parses them and validateTld controls the validation of *.tld files when Jasper parses them. (markt) fix 54475: Add Java 8 support to SMAP generation for JSPs. Patch by Robbie Gibson. (markt) fix 56010: Don't throw an IllegalArgumentException when JspFactory.getPageContext is used with JspWriter.DEFAULT_BUFFER. Based on a patch by Eugene Chung. (markt) fix 56265: Do not escape values of dynamic tag attributes ontaining EL expressions. (kkolinko) fix 56283: Add support for running Tomcat 6 with ecj-P20140317-1600.jar (as drop-in replacement for ecj-4.3.1.jar). Add support for value "1.8" for the compilerSourceVM and compilerTargetVM options. Note that ecj-P20140317-1600.jar can only be used when running with Java 6 or later. The "1.8" options make sense only when running with Java 8 (or later). (kkolinko) fix 56334: Fix a regression in the handling of back-slash escaping introduced by the fix for 55735. (markt/kkolinko) fix Correct the handling of back-slash escaping in the EL parser and no longer require that \$ or \# must be followed by { in order for the back-slash escaping to take effect. (markt) Cluster ------- code Refactor AbstractReplicatedMap and related classes to enable Tomcat 6 to be compiled using Java 8. (markt) Web applications ---------------- add 56093: Documentation for SSLValve. (markt/kkolinko) fix Correct documentation on Windows service options, aligning it with Apache Commons Daemon documentation. (kkolinko) add Add support for version-major, version-major-minor tags in documentation XSLT, to simplify documentation backports. (kkolinko) fix Fix target and rel attributes on links in documentation. They were lost during XSLT transformation. (kkolinko) Other ----- code Remove svn keywords (such as $Id) from source files and documentation. (kkolinko) update Improvements to the Windows installer, to align it with installing the sevice with service.bat. Use explicit memory sizes (--JvmMs 128 Mb and --JvmMx 256 Mb). Specify log directory path when ininstalling, so that the log file is written to the Tomcat logs directory, instead of "%SystemRoot%\System32\LogFiles\Apache". (kkolinko) update 49993, 56143: Improve service.bat script. Allow it to be launched from non-UAC console. The UAC prompt will be shown only once. Now there is no need to run the command shell with elevated privileges. Improve check for JAVA_HOME and add support for JRE_HOME. Warn if neither "client" nor "server" JVM is found. Align classpath, display name and other options with the exe installer. Make command names case-insensitive. Update documentation. (kkolinko) |
||
spz
|
822182ead2 |
Update apache-tomcat6 to 6.0.39, including avoidance for CVE-2013-1571.
Upstream changelog: Tomcat 6.0.39 (markt) Catalina fix 55166: Fix regression that broke XML validation when running on some Java 5 JVMs. (kkolinko) Coyote fix Make the HTTP NIO connector tolerant of whitespace in the individual values used for the ciphers attribute. (markt) fix Remove dependency introduced on the jsp-api.jar as part of the XML validation changes introduced in 6.0.38. (markt) Jasper fix Correct several errors in jspxml Schema and DTD. (kkolinko) Cluster code Remove an empty TestTwoPhaseCommit test from Tribes. (kkolinko) Web applications fix Fix broken link in Jasper How-To documentation. (markt) fix Align index.html and index.jsp in ROOT web application. Correct links to specifications and to the Tomcat mailing lists. (kkolinko) fix Remove second copy of RUNNING.txt from the full-docs distribution. Some unpacking utilities can't handle multiple copies of a file with the same name in a directory. (kkolinko) Other update Update sample Eclipse IDE project: use JUnit 4 library and prefer a Java 5 JDK when several JDKs are configured. Cleanup the Ant build files. (kkolinko) fix Correct Maven dependencies for individual JAR files. (markt) Tomcat 6.0.38 (markt) not released Catalina fix Ensure that when Tomcat's anti-resource locking features are used that the temporary copy of the web application and not the original is removed when the web application stops. (markt/kkolinko) fix 55019: Fix a potential exception when accessing JSPs while running under a SecurityManager. (jfclere) fix 55052: Make JULI's LogManager to additionally look for logging properties without prefixes if the property cannot be found with a prefix. (kkolinko) fix 55266: Ensure that the session ID is parsed from the request before any redirect as the session ID may need to be encoded as part of the redirect URL. (markt) fix 55404: Log warnings about using security roles in web.xml as warnings. (markt) fix 55268: Added optional --service-start-wait-time command-line option to change service start wait time from default of 10 seconds. (schultz) fix Correctly associate the default resource bundle with the English locale so that requests that specify an Accept-Language of English ahead of French, Spanish or Japanese get the English messages they asked for. (markt) fix Add missing JavaEE 5 XML schema definitions. (markt) fix When Catalina parses TLD files, always use a namespace aware parser to be consistent with how Jasper parses TLD files. The tldNamespaceAware attribute of the Context is now ignored. (markt) fix As per section SRV.14.4.3 of the Servlet 2.5 specification, a namespace aware, validating parser will be used when processing *.tld and web.xml files if the system property org.apache.catalina.STRICT_SERVLET_COMPLIANCE is set to true. (markt) fix Ensure that sessions IDs are not parsed from URLs for Contexts where disableURLRewriting is true. (markt) add Add an option to the Context to control the blocking of XML external entities when parsing XML configuration files and enable this blocking by default when a security manager is used. The block is implemented via a custom resolver to enable the logging of any blocked entities. (markt) fix 56016: When loading resources for XML schema validation, take account of the possibility that servlet-api.jar and jsp-api.jar may not be loaded by the same class loader. Patch by Juan Carlos Estibariz. (markt) Coyote fix 52811: Fix parsing of Content-Type header in HttpServletResponse.setContentType(). Introduces a new HTTP header parser that follows RFC2616. (markt) fix 54691: Add configuration attribute "sslEnabledProtocols" to HTTP connector and document it. (Internally this attribute has been already implemented but not documented, under names "protocols" and "sslProtocols". Those names of this attribute are now deprecated). (schultz) fix 54947: Fix the HTTP NIO connector that incorrectly rejected a request if the CRLF terminating the request line was split across multiple packets. Patch by Konstantin Preißer. (markt) fix 55228: Allow web applications to set a HTTP Date header. (markt) fix Better adherence to RFC2616 for content-length headers. (markt) fix Add support for limiting the size of chunk extensions when using chunked encoding. (markt) fix 55749: Improve the error message when SSLEngine is disabled in the AprLifecycleListener and SSL is configured for an APR/native connector. (markt) fix Avoid possible NPE if a content type is specified without a character set. (markt) Jasper fix 55198: Ensure attribute values in tagx files that include EL and quoted XML characters are correctly quoted in the output. (markt) fix 55671: Consistently use the configuration option name genStringAsCharArray rather than a mixture of genStrAsCharArray and genStringAsCharArray but retain support for genStrAsCharArray as in initialisation parameter for the JSP servlet to retain backwards compatibility with existing configurations. (markt) fix 55691: Fix javax.el.ArrayELResolver to correctly handle the case where the base object is an array of primitives. (markt) fix 55973: Fix processing of XML schemas when validation is enabled in Jasper. (kkolinko) Web applications add Add documentation for o.a.c.tribes.group.interceptors.TcpFailureDetector. (kfujino) add Complete the documentation for MessageDispatch15Interceptor. (kfujino) add Add to cluster document a description of notifyLifecycleListenerOnFailure and heartbeatBackgroundEnabled. (kfujino) fix 55746: Add documentation on the allRolesMode to the CombinedRealm and LockOutRealm. Patch by Cédric Couralet. (markt) fix Fix the sample configuration of StaticMembershipInterceptor in order to prevent warning log. uniqueId must be 16 bytes. (kfujino) fix 55119: Avoid CVE-2013-1571 when generating Javadoc. (markt) Other update Update Maven Central location used to download dependencies at build time to be repo.maven.apache.org. (kkolinko) fix 55663: Minor correction to the wording of the NOTICE files to align them with the requirements for NOTICE files. (violetagg) fix Add @since markers to the common annotations classes and fix a few specification compliance issues. (markt) update Update to Eclipse JDT Compiler 4.3.1. (markt) update Update the Apache Jakarta JSTL implementation used by the exmaples web application to 1.1.2. (markt) |
||
spz
|
09b30e93b2 |
security update:
Important: Session fixation CVE-2013-2067 FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials. Note that the option to change session ID on authentication was added in Tomcat 6.0.21. In earlier 6.0.x releases, prevention of session fixation was an application responsibility. This vulnerability represents a bug in Tomcat's session fixation protection that was added in 6.0.21. Hence, only versions 6.0.21 onwards are listed as vulnerable. This was fixed in revision 1417891. This issue was identified by the Tomcat security team on 15 Oct 2012 and made public on 10 May 2013. Affects: 6.0.21-6.0.36 Important: Denial of service CVE-2012-3544 When processing a request submitted using the chunked transfer encoding, Tomcat ignored but did not limit any extensions that were included. This allows a client to perform a limited DOS by streaming an unlimited amount of data to the server. This was fixed in revision 1476592. This issue was reported to the Tomcat security team on 10 November 2011 and made public on 10 May 2013. Affects: 6.0.0-6.0.36 ChangeLog: ++++++++++ Catalina fix 52055: Ensure that filters are recycled. (markt/kkolinko) fix 52184: Reduce log level for invalid cookies. (markt) fix 53481: Added support for SSLHonorCipherOrder to allow the server to impose its cipher order on the client. Based on a patch provided by Marcel Šebek. (schultz) fix 54044: Correct bug in timestamp cache used by logging (including the access log valve) that meant entries could be made with an earlier timestamp than the true timestamp. (markt) fix In FormAuthenticator: If it is configured to change Session IDs, do the change before displaying the login form. (kkolinko) fix 54054: Do not share shell environment variables between multiple instances of the CGI servlet. (markt) fix 54087: Correctly handle (ignore) invalid If-Modified-Since header rather than throwing an exception. (markt/kkolinko) fix 54220: Ensure the ErrorReportValve only generates an error report if the error flag on the response has been set. (markt) fix Fix memory leak of servlet instances when running with a SecurityManager and either init() or destroy() methods fail or the servlet is a SingleThreadModel one, and of filter instances if their destroy() method fails with an Error. (kkolinko) fix 54382: Fix NPE when SSI processing is enabled and an empty SSI directive is present. (markt) fix 54483: Correct one of the Spanish translations. Based on a suggestion from adinamita. (kkolinko) update 54527: Synchronize conf/web.xml mime mapping with Tomcat 7. (markt) Coyote fix 54248: Ensure that byte order marks are swallowed when using a Reader to read a request body with a BOM for those encodings that require byte order marks. (markt) fix 54324: Allow APR connector to disable TLS compression if OpenSSL supports it. (schultz) fix 54456: Ensure that if a client aborts a request when sending a chunked request body that this is communicated correctly to the client reading the request body. (markt) update Update the native component of the APR/native connector to 1.1.27 and make that version the recommended minimum version. (kkolinko) Jasper fix 54615: Tomcat 6 doesn't build against ecj 4.x (kkolinko) Cluster fix 54045: Make sure getMembers() returns available member when TcpFailureDetector works in static cluster. (kfujino) Web applications update 22278: Add a commented out sample configuration of RemoteAddrValve to META-INF/context.xml files of the Manager and Host Manager applications. (kkolinko) fix 54080: Clarify documentation for initial value of internalProxies attribute of RemoteIpValve. (schultz/kkolinko) fix 54198: Clarify that HttpServletResponse.sendError(int) results in an HTML response by default. (markt) fix 54207: Correct JNDI factory package name in Javadoc for org.apache.naming.java.javaURLContextFactory. (markt) Other update Add sample Apache Commons Daemon JSVC wrapper script bin/daemon.sh that can be used with /etc/init.d. (kkolinko) update In the build configuration: introduce property "tomcat.output" that is used to specify location of the build output directory. This simplifies configuration if someone wants to move the output directory elsewhere (e.g. out of the source tree). (kkolinko) fix 54390: Use 'java_home' on Mac OS X to auto-detect JAVA_HOME. (schultz) update 54601: Change catalina.sh to consistently use LOGGING_MANAGER variable to configure logging, instead of modifying JAVA_OPTS one. (kkolinko) update 54890: Update to Apache Commons Daemon 1.0.15. (mturk) |
||
spz
|
acc5cb1c66 |
update to apache-tomcat 6.0.36. Upstream changelog:
Tomcat 6.0.36 (jfclere) Catalina ++++++++ update 48692: Provide option to parse application/x-www-form-urlencoded PUT requests. (schultz) add 50306: New StuckThreadDetectionValve to detect requests that take a long time to process, which might indicate that their processing threads are stuck. Based on a patch provided by TomLu. (kkolinko) fix 50570: Enable FIPS mode to be set in AprLifecycleListener. Based upon a patch from Chris Beckey. Note that this mode requires tomcat-native 1.1.23 or later linked to a FIPS-capable OpenSSL library, which one has to build by themselves. (schultz/kkolinko) fix Improve synchronization and error handling in AprLifecycleListener. Do not allow to change SSL options if SSL has already been initialized. (schultz/kkolinko) fix 52225: Fix ClassCastException when adding an alias for an existing host via JMX. (kkolinko) fix 52293: Correctly handle the case when antiResourceLocking is enabled at the Context level when unpackWARs is disabled at the Host level. Correctly handle multi-level contexts when antiResourceLocking is enabled. Patch by Justin Miller. (kkolinko) fix Do not throw IllegalArgumentException from parseParameters() call when chunked POST request is too large, but treat it like an IO error. The FailedRequestFilter filter can be used to detect this condition. (kkolinko) fix 52384: Do not fail with parameter parsing when debug logging is enabled. (kkolinko) fix Do not flag extra '&' characters in parameters as parse errors. (kkolinko) fix 52488: Correct typos: exipre -> expire. Based on a patch by prockter. (markt) fix Reduce log level for the message about hitting maxParameterCount limit from WARN to INFO. Fix limit comparison to allow exactly maxParameterCount parameters, as documentation says, instead of (maxParameterCount-1). (kkolinko) fix Slightly improve performance of UDecoder.convert(). Align %2f handling between implementations. (kkolinko) add Add denyStatus attribute to RequestFilterValve (RemoteAddrValve, RemoteHostValve valves). It allows to use different HTTP response code when rejecting denied request. E.g. 404 instead of 403. (kkolinko) add Add SetCharacterEncodingFilter (similar to the one contained in the examples web application) to the org.apache.catalina.filters package so that it is available for all web applications. (kkolinko) add 52500: Added configurable mechanism to retrieve user names from X509 client certificates. Based on a patch provided by Michael Furman. (schultz/kkolinko) fix 52719: Fix a theoretical resource leak in the JAR validation that checks for non-permitted classes in web application JARs. (markt) fix 52830: Correct JNDI lookups when using javax.naming.Name to identify the resource rather than a java.lang.String. (markt) add 52850: Extend memory leak prevention and detection code to work with IBM as well as Oracle JVMs. Based on a patch provided by Rohit Kelapure. (kkolinko) add 52996: In StandardThreadExecutor: Add the ability to configure a job queue size (maxQueueSize attribute). Add a variant of execute method that allows to specify a timeout for how long we want to try to add something to the queue. Based on a patch by Rüdiger Plüm. (kkolinko) fix 53047: If a JDBCRealm or DataSourceRealm is configured for an all roles mode that only requires authorization (and no roles) and no role table or column is defined, don't populate the Principal's roles. (markt/kkolinko) fix 53050: Fix handling of entropy value when initializing session id generator in session manager. Based on proposal by Andras Rozsa. (kkolinko) fix 53056: Add APR version number to tcnative version INFO log message. (schultz) fix 53057: Add OpenSSL version number INFO log message when initializing. (schultz) fix 53071: Use the message from the Throwable for the error report generated by the ErrorReportValve if none was specified via sendError(). Use the standard text for HTTP error codes. (markt/rjung) update 53230: Change session managers to throw TooManyActiveSessionsException instead of IllegalStateException when the maximum number of sessions has been exceeded and a new session will not be created. (schultz/kkolinko) fix 53267: Ensure that using the GC Daemon Protection feature of the JreMemoryLeakPreventionListener does not trigger a full GC every hour. (markt/kkolinko) fix 53531: Fix ExpandWar.expand to check the return value of File.mkdir and File.mkdirs. (schultz) fix Make the CSRF nonce cache in CsrfPreventionFilter serializable so that it can be replicated across a cluster and/or persisted across Tomcat restarts. (markt) fix 53584: Ignore path parameters when comparing URIs for FORM authentication. This prevents users being prompted twice for passwords when logging in when session IDs are being encoded as path parameters. (markt) fix Various improvements to the DIGEST authenticator including 52954, the disabling caching of an authenticated user in the session by default, tracking server rather than client nonces and better handling of stale nonce values. (markt) fix Remove unneeded handling of FORM authentication in RealmBase. (kkolinko) fix 53800: FileDirContext.list() did not provide correct paths for subdirectories. Patch provided by Kevin Wooten. (kkolinko) fix 53830: Better handling of Manager.randomFile default value on Windows. (kkolinko) fix Improve session management in CsrfPreventionFilter. (kkolinko) Coyote ++++++ fix 42181: Better handling of edge conditions in chunk header processing. (kkolinko) update 51477: Support all SSL protocol combinations in the APR/native connector. This only works when using the native library version 1.1.21 or later. (rjung) fix 52055 (comment 14): Correctly reset ChunkedInputFilter.needCRLFParse flag when the filter is recycled. (kkolinko) fix 52606: Ensure replayed POST bodies are available when using AJP. (markt) fix 52858: Fix high CPU load with SSL, NIO and sendfile when client breaks the connection before reading all the requested data. (fhanik/kkolinko) fix 53119: Prevent buffer overflow errors being reported when a client disconnects before the response has been fully written from an AJP connection using the APR/native connector. (kkolinko) fix Improve InternalNioInputBuffer.parseHeaders(). (kkolinko) add Implement maxHeaderCount attribute on Connector. It is equivalent of LimitRequestFields directive of Apache HTTPD. Default value is 100. (kkolinko) fix In JkCoyoteHandler connector for AJP/1.3 protocol (in JkMain.setProperty()): Fix setting of properties when connector has already started for properties that have aliases. E.g. it now allows to change maxHeaderCount attribute on Connector MBean via JMX. (kkolinko) fix 53725: Fix possible corruption of GZIP'd output. (kkolinko) Jasper ++++++ fix 48097 (comment 7), 53366 (comment 1): If JSP page unexpectedly fails to initialize PageContext instance, write exception to the logs instead of silent swallowing. (kkolinko) fix 52335: Only handle <\% and not \% as escaped in template text. (markt) fix 52666: Correct coercion order in EL when processing the equality and inequality operators. (markt) fix 53001: Revert the fix for 46915 since the use case described in the bug is invalid since it breaks the EL specification. (markt) fix 53032: Modify JspC so it extends org.apache.tools.ant.Task enabling it to work with features such as namespaces within build.xml files. (markt) Cluster +++++++ fix Replicate principal in ClusterSingleSignOn. (kfujino) fix 53513: Fix race condition between the processing of session sync message and transfer complete message. (kfujino) fix 53606: Fix potential NPE in TcpPingInterceptor. Based on a patch by F. Arnoud. (markt) fix 53607: To avoid NPE, set TCP PING data to ChannelMessage. Patch provided by F.Arnoud (kfujino) fix Fix a behavior of TcpPingInterceptor#useThread. Do not start a ping thread when useThread is set to false. (kfujino) Web applications ++++++++++++++++ fix 52243: Improve windows service documentation to clarify how to include # and/or ; in the value of an environment variable that is passed to the service. (markt) fix 52515: Make it clear in the Realm how-to in the documentation web application that digested password storage when using DIGEST authentication requires that MD5 digests are used. (markt) fix 52641: Remove mentioning of ldap.jar from docs. Patch provided by Felix Schumacher. (rjung) fix Remove obsolete bug warning from windows service documentation page. (rjung) fix 52983: Remove unnecessary code that makes switching to other authentication methods difficult. (markt) fix 53158: Fix documented defaults for DBCP. Patch provided by ph.dezanneau at gmail.com. (rjung) update Update JavaSE documentation links to point to the current docs.oracle.com site, instead of obsolete ones (download.oracle.com, java.sun.com). (kkolinko) update 53289: Clarify ResourceLink example that uses DataSource.getConnection(username, password) method. Not all data source implementations support it. (kkolinko) fix Prevent the custom error pages for the Manager and Host Manager applications from being accessed directly. Configure custom pages for error codes 401 and 403 in Host Manager application. (markt/kkolinko) fix Correct documentation for enableLookups attribute of a Connector. By default DNS lookups are disabled. (kkolinko) fix Fix several HTML markup errors in servlets of examples web application. (kkolinko) update Change the index page of ROOT webapp to mention "manager-gui" role instead of "manager" one. (kkolinko) fix 53473: Correct the allowed values for the SSI option isVirtualWebappRelative which are true or false. (markt) fix 53664: Minor JNDI Howto document enhancement concerning mail properties. Patch provided by Mark Eggers. (schultz) fix 53601: Clarify that to build Apache Tomcat 6 from sources a Java 5 JDK is recommended. (kkolinko) fix 53793: Change links on the list of applications in the Manager to point to /appname/ instead of /appname. (kkolinko) Other +++++ fix 49402, 52124: Fix Maven publishing script: make sure it finds tomcat-juli.jar and use later version of wagon-ssh. (jfclere) fix Update Apache Commons Daemon to 1.0.10. It resolves 52548 which meant that services created with service.bat did not set the catalina.home and catalina.base system properties. (markt, kkolinko) update Update Apache Commons Pool to 1.5.7. (kkolinko) update 52579: Add a note about Sun's Charset.decode() bug to the RELEASE-NOTES file. (kkolinko) update 52805: Update to Eclipse JDT Compiler 3.7.2. (kkolinko) update Update the native component of the APR/native connectors to 1.1.23 and take advantage of the simplified distribution. (kkolinko) fix When building a Windows installer do not copy whole "res" folder to output/dist, but only the files that we need. Apply fixcrlf filter only after the files are copied, so that INSTALLLICENSE file had correct line ends. (kkolinko) update Remove res/License.rtf. The file that is actually shown by the Windows installer is res/INSTALLLICENSE. (kkolinko) update Improve RUNNING.txt. (kkolinko) update Align the script that deploys Maven jars for Tomcat (res/maven/mvn-pub.xml) with the Tomcat 7 version, making full use of Nexus. (markt) add 53034: Add project.url and project.licenses sections to the POMs for the Maven artifacts. (kkolinko) fix 53454: Return correct content-length header for HEAD requests when content length is greater than 2GB. (markt) |
||
spz
|
994732e8da |
Upstream changelog:
Tomcat 6.0.35 (jfclere) +++++++++++++++++++++++ Catalina -------- fix Fix regression in decoding of parameters that contain spaces. Patch by Willem Fibbe. (kkolinko) Tomcat 6.0.34 (jfclere) not released ++++++++++++++++++++++++++++++++++++ Catalina -------- fix 51550: Display an error page rather than an empty response for an IllegalStateException caused by too many active sessions. (markt) add 51640: Improve the memory leak prevention for leaks triggered by java.sql.DriverManager. (markt/kkolinko) fix 51688: JreMemoryLeakPreventionListener now protects against AWT thread creation. (schultz) fix 51758: The digester (used for processing XML files) used the logger name org.apache.commons.digester.Digester rather than the expected org.apache.tomcat.util.digester.Digester. The digester has been changed to use the expected logger name. (kkolinko) add 51862: Added a classesToInitialize attribute to JreMemoryLeakPreventionListener to allow pre-loading of configurable classes to avoid some classloader leaks. (slaurent) fix 51872: Ensure that the access log always uses the correct value for the remote IP address associated with the request and that requests with multiple errors do not result in multiple entries in the access log. (markt) add Allow to overwrite the check for distributability of session attributes by session implementations. (rjung) add Provide the log format "OneLineFormatter" for JULI that provides the same information as the default plus thread name but on a single line. (markt/rjung) fix Ensure the the memory leak protection for the HttpClient keep-alive always operates even if the thread has already stopped. (markt) fix 51940: Do not limit saving of request bodies during FORM authentication to POST requests since any HTTP method may include a request body. Based on a patch by Nicholas Sushkin. (kkolinko) fix 52091: Address performance issues related to lock contention in StandardWrapper. Based on patch provided by Taiki Sugawara. (kkolinko) update In GenericPrincipal, SerializablePrincipal: Do not sort lists of roles that have only one element. (kkolinko) add Make configuration issue for CsrfPreventionFilter result in the failure of the filter rather than just a warning message. (kkolinko) fix Ensure changes to the configuration of RemoteAddrValve and RemoteHostValve via JMX are thread-safe. (kkolinko) add Make configuration issue for RemoteAddrValve and RemoteHostValve result in the failure of the valve rather than just a warning message. (kkolinko) update In RequestFilterValve (RemoteAddrValve, RemoteHostValve): refactor value matching logic into separate method and expose this new method isAllowed through JMX. (kkolinko) add Improve performance of parameter processing for GET and POST requests. Also add an option to limit the maximum number of parameters processed per request. This defaults to 10000. Excessive parameters are ignored. Note that FailedRequestFilter can be used to reject the request if some parameters were ignored. (markt/kkolinko) add New filter FailedRequestFilter that will reject a request if there were errors during HTTP parameter parsing. (kkolinko) Coyote ------ fix 50394: Return -1 from read operation instead of throwing an exception when encountering an EOF with the HTTP APR connector. (kkolinko) fix 51698: Fix CVE-2011-3190. Prevent AJP message injection. (markt) fix Detect incomplete AJP messages and reject the associated request if one is found. (markt) fix 51794: Fix race condition in NioEndpoint selector. Patch provided by dlord. (fhanik) fix 51905: Fix infinite loop in AprEndpoint shutdown if acceptor unlock fails. Reduce timeout before forcefully closing the socket from 30s to 10s. (kkolinko) fix 52121: Fix possible output corruption when compression is enabled for a connector and the response is flushed. Test case provided by David Marcks. (kkolinko) fix Replace unneeded call that iterated events queue in NioEndpoint.Poller. (kkolinko) fix Improve MimeHeaders.toString(). (kkolinko) fix Allow the BIO HTTP connector to be used with SSL when running under Java 7. (markt) fix Improve multi-byte character handling in all connectors. (rjung) Jasper ------ fix 51220: Correct copy/paste error in original commit for this issue. (markt) fix 52091: Address performance issues related to log creation in TagHandlerPool. Patch provided by Taiki Sugawara. (markt) Cluster ------- add 51736: Make rpcTimeout configurable in BackupManager. (kfujino) add New cluster manager attribute sessionAttributeFilter allows to filter which session attributes are replicated using a regular expression applied to the attribute name. (rjung) fix Avoid an unnecessary session ID change notice. Notice of changed session ID by JvmRouteBinderValve is unnecessary to BackupManager. In BackupManager, change of session ID is replicated by the call of a setId() method. (kfujino) fix Fix unneeded duplicate resetDeltaRequest() call in DeltaSession.setId(String). (kkolinko) add When Context manager does not exist, no context manager message is replied in order to avoid timeout (default 60 sec) of GET_ALL_SESSIONS sync phase. (kfujino) Webapps ------- fix Correct the documentation for the connectionLinger attribute of the HTTP connector. (markt) add Show build date and version in the header on every documentation page. (kkolinko) fix 52049: Improve setup instructions for running as a Windows service: correct information on how a JRE is identified and selected. (markt) update 52172: Clarify Tomcat build instructions. Patch provided by bmargulies. (kkolinko) Other ----- update Update the native component of the APR/native connectors to 1.1.22. (markt) update Update the recommended version of the native component of the APR/native connectors to 1.1.22. (kkolinko) update Update the Eclipse compiler (used for JSPs) to 3.7. (markt) fix Correct two typos in the Windows installer. (kkolinko) fix 52059: In Windows uninstaller: Do not forget to remove Tomcat keys from 32-bit registry on deinstallation. (kkolinko) |
||
spz
|
5e7727ae18 |
security fixes (two of three) for a leaf package
Upstream changelog: Catalina -------- add Allow to search the virtual paths before the webapp or after it. (rjung) fix 27988: Improve reporting of missing files. (markt) fix 28852: Add URL encoding where missing to parameters in URLs presented by Ant tasks to the Manager application. Based on a patch by Stephane Bailliez. (markt) add 46252: Allow to specify character set to be used to write the access log in AccessLogValve. (kkolinko) add 48863: Provide an warning if there is a problem with a class path entry but use debug level logging if it is expected due to catalina home/base split. (kkolinko) add 49180: Add an option to disable file rotation in JULI FileHandler. (kkolinko) fix 50189: Once the application has finished writing to the response, prevent further reads from the request since this causes various problems in the connectors which do not expect this. (markt) fix 50700: Ensure that the override attribute of context parameters is correctly followed. (markt) fix 50734: Return 404 rather than 400 for requests to the ROOT context when no ROOT context is deployed. Patch provided by Violeta Georgieva. (markt) fix 50751: When authenticating with the JNDI Realm, only attempt to read user attributes from the directory if attributes are required. (markt) fix 50752: Fix typo in debug message in org.apache.catalina.startup.Embedded. (markt) fix 50855: Fix NPE on AuthenticatorBase.register() when debug logging is enabled. (markt) fix Correctly format the timestamp reported by version.[sh|bat]. (markt) fix Remove unnecessary whitespace from MIME mapping entries in global web.xml file. (markt) fix 51042: Don't trigger session creation listeners when a session ID is changed as part of the authentication process. (markt) add 51119: Add JAAS authentication support to the JMXRemoteLifecycleListener. Patch provided by Neil Laurance. (markt) update Implement display of multiple request headers in AccessLogValve: print not just the value of the first header, but of the all of them, separated by commas. (kkolinko) fix Correct the SSLValve so it returns the SSL key size as an Integer rather than as a String. (markt) fix 51162: Prevent possible NPE when removing a web application. (markt) fix 51249: Improve system property replacement code in ClassLoaderLogManager of Tomcat JULI to cover some corner cases. (kkolinko) fix 51315: Fix IAE when removing an authenticator valve from a container. Patch provided by Violeta Georgieva. (markt) fix 51324: Improve handling of exceptions when flushing the response buffer to ensure that the doFlush flag does not get stuck in the enabled state. Patch provided by Jeremy Norris. (kkolinko) fix 51348: Fix possible NPE when processing WebDAV locks. (markt) add Add a container event that is fired when a session's ID is changed, e.g. on authentication. (markt) fix Fix CVE-2011-2204. Prevent user passwords appearing in log files if a runtime exception (e.g. OOME) occurs while creating a new user for a MemoryUserDatabase via JMX. (markt) fix 51400: Avoid jvm bottleneck on String/byte[] conversion triggered by a JVM bug. Based on patches by Dave Engberg and Konstantin Preißer. (markt) add 51403: Avoid NPE in JULI FileHandler if formatter is misconfigured. (kkolinko) update Create a directory for access log or error log (in AccessLogValve and in JULI FileHandler) automatically when it is specified as a part of the file name, e.g. in the prefix attribute. Earlier this happened only if it was specified with the directory attribute. (kkolinko) fix Log a failure if access log file cannot be opened. Improve i18n of messages. (kkolinko) fix Improve handling of URLs with path parameters and prevent incorrect 404 responses that could occur when path parameters were present. (kkolinko) fix 51473: Fix concatenation of values in SecurityConfig.setSecurityProperty(). (kkolinko) fix 51509: Fix potential concurrency issue in CSRF prevention filter that may lead to some requests failing that should not. (markt) fix 51588: Make it easier to extend the AccessLogValve to add support for custom elements. (markt) fix Unregister DataSource MBeans when web application stops. (kfujino) add Add additional configuration options to the DIGEST authenticator. (markt) Coyote ------ fix Reduce level of log message for invalid URL parameters from WARNING to INFO. (kkolinko) add 48208: Provide an option to specify a custom trust manager for BIO and NIO HTTP connectors using SSL. Based on a patch by Luciana Moreira. (markt) fix 49595: Protect against crashes when using the APR/native connector. (jfclere) fix 49929: Make sure flush packet is not send after END_RESPONSE packet. (mturk/markt) add 50887: Enable the provider to be configured when generating SSL certs. Based on a patch by pknopp. (markt) fix 51073: Throw an exception and do not start the APR connector if it is configured for SSL and an invalid value is provided for SSLProtocol. (markt) fix Fix CVE 2011-2526. Protect against infinite loops (HTTP NIO) and crashes (HTTP APR) if sendfile is configured to send more data than is available in the file. (markt) fix Prevent NPEs when a socket is closed in non-error conditions after sendfile processing when using the HTTP NIO connector. (markt) fix 51515: Prevent immediate socket close when comet is used over HTTPS. (markt) Jasper ------ fix 36362: Handle the case where tag file attributes (which can use any valid XML name) have a name which is not a Java identifier. (markt) fix 47371: Correctly coerce the empty string to zero when used as an operand in EL arithmetic. Patch provided by gbt. (markt) fix 50726: Ensure that the use of the genStringAsCharArray does not result in String constants that are too long for valid Java code. (markt) fix 50895: Don't initialize classes created during the compilation stage. (markt) add 51124: Make Tomcat more robust if an OOME occurs. Usually after an OOME all bets are off but this change appears to help some users and the description of a 'recoverable' OOME in the bug is a plausible one. Based on a patch by Ramiro. (markt) fix 51177: Ensure Tomcat's MapELResolver and ListELResolver always return Object.class for getType() as required by the EL specification. (markt) fix Correct possible threading issue in JSP compilation when development mode is used. (markt) add 51220: Add a system property to enable tag pooling with JSPs that use a custom base class. Based on a patch by Dan Mikusa. (markt) add Broaden the exception handling in the EL Parser so that more failures to parse an expression include the failed expression in the exception message. Hopefully, this will help track down the cause of 51088. (markt) add Improve error reporting of Jasper compilation. (schultz) Cluster ------- fix 50646: Fix cluster message data corruption if message size exceeds the underlying buffer size. Patch provided by Olivier Costet. (markt) fix 50771: Ensure HttpServletRequest#getAuthType() returns the name of the authentication scheme if request has already been authenticated. (kfujino) fix 50950: Correct possible NotSerializableException for an authenticated session when running with a security manager. (markt) fix 51306: Avoid NPE when handleSESSION_EXPIRED is processed while handleSESSION_CREATED is being processed. (kfujino) fix The change in session ID is notified to the container event listener on the backup node in cluster. This notification is controlled by notifyContainerListenersOnReplication. (kfujino) Webapps ------- fix 41498: Add the allRolesMode attribute to the Realm configuration page in the documentation web application. (markt) fix 48997: Fixed some typos and improve cross-referencing to the HTTP Connector and APR documentation with the SSL How-To page of the documentation web application. (markt) fix 50804: Update links for Servlet 2.5 and JSP 2.1 Javadoc. (markt) update Improve class loading documentation and logging documentation. (kkolinko) update Configure Security Manager How-To to include a copy of the actual conf/catalina.policy file when the documentation is built, rather than maintaining a copy of its content. (kkolinko) fix 51147: Fix deployment via HTML Manager that was broken by addition of CRSF protection. Patch provided by Alexis Hassler. (markt) fix 51156: Ensure session expiration option is available in Manager application was running web applications that were defined in server.xml. (markt) fix Correct the log4j configuration settings when defining conversion patterns in the documentation web application. (markt) fix Update Maven repository information in the documentation to reflect current usage. (markt) fix 51346: Update the documentation web application to make clear the circumstances in which the RequestDumperValve will consume the request's InputStream. Based on a patch by pid. (markt) fix 51443: Document the notifySessionListenersOnReplication attribute for the DeltaManager. (markt) fix 51516: Correct documentation web application to show correct system property name for changing the name of the SSO session cookie. (markt) update Update documentation to be even more explicit about the implications of setting the path attribute on a Context element in server.xml. (markt/kkolinko) Other ----- update Clarify error messages in *.sh files to mention that if a script is not found it might be because execute permission is needed. (kkolinko) add 33262, 40510, 50949, 51135: Various improvements to the Windows installer to be able to install several copies of Tomcat 6 side by side. Allow to configure service name, connector and shutdown ports. Allow to choose whether to install Start menu shortcuts and Apache Tomcat monitor application for all users or for the current one only. Improve auto-detection of JAVA_HOME for 64-bit Windows platforms: autoselect 32-bit JRE if it exists and 64-bit one is not available. Improve server.xml file handling. Fix uninstallation icon. (markt/kkolinko) fix 50854: Add additional entries to the default catalina.policy file to support running the manager web application from CATALINA_HOME or CATALINA_BASE. (markt) fix Update default download sources to use the central Apache Maven 2 repository as some libraries have been removed from the central Apache Maven 1 repository. (kkolinko) fix 51155: Add comments to @deprecated tags that have none. Patch provided by sebb. (kkolinko) fix 51309: Correct logic in catalina.sh stop when using a PID file to ensure the correct message is shown. Patch provided by Caio Cezar. (markt) update Update Apache Commons Pool to 1.5.6. (kkolinko) update Update Apache Commons Daemon to 1.0.7. (kkolinko) update At build time use two alternative download locations for components downloaded from apache.org. (kkolinko) |
||
spz
|
04efe068a5 |
Update to the latest version; the full changelog is at
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html Security relevant fixes: CVE-2011-0534 - remote denial of service CVE-2011-0013 - cross site scripting CVE-2010-4172 - cross site scripting CVE-2010-3718 - SecurityManager file permission bypass |
||
spz
|
8096de53fa |
Update of apache-tomcat to version 6.0.29
(and a little Makefile cosmetics) fixes two of the currently known security issues Upstream changelog: Tomcat 6.0.29 (jfclere) released 2010-07-22 Catalina add 48960: Add a new option to the SSI Servlet and SSI Filter to allow the disabling of the exec command. This is now disabled by default. Based on a patch by Yair Lenga. (markt) fix 49551: Allow default context.xml location to be specified using an absolute path. (markt) fix 49598: When session is changed and the session cookie is replaced, ensure that the new Set-Cookie header overwrites the old Set-Cookie header. (markt) fix Fix order when listing Webapp loader search URLs. (rjung) add Add support for *.jar pattern in VirtualWebappLoader. (kkolinko) Tomcat 6.0.28 (jfclere) released 2010-07-09 Catalina fix Arrange filter logic. (jfclere) fix 49230: Enhance JRE leak prevention listener with protection for the keep-alive thread started by sun.net.www.http.HttpClient. Patch provided by Rob Kooper. (markt) fix 49351: Fix possible NPe when embedding and no name is specified for the Service. (markt) fix 49424: Avoid NPE if client provides no data with a chunked POST request. (markt) fix 49414: Differentiate between request threads and application created threads when warning about still running threads when an application stops. (markt) fix 49443: Use remoteIpHeader rather than remoteIPHeader consistently. (markt) add Add property searchExternalFirst to WebappLoader. If set, the external repositories will be searched before the WEB-INF ones. (rjung) Cluster fix 49445: When session ID is changed after authentication, ensure the DeltaManager replicates the change in ID to the other nodes in the cluster. (kfujino) Webapps fix 49213: Grant permissions required by manager application when running under a security manager. (markt/kkolinko) fix 49436: Correct documented default for readonly attribute of the UserDatabase component. (markt) Tomcat 6.0.27 (jfclere) not released General update Update DBCP to 1.3. (markt) Catalina fix Fix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication. (markt) add Include context name when reporting memory leaks to aid root cause identification. (markt) fix Improve exception handling on session de-serialization to assist in identifying the root cause of 48007. (kkolinko) add 48379: Make session cookie name, domain and path configurable per context. (markt) fix 48589: Make JNDIRealm easier to extend. Based on a patch by Candid Dauth. (markt/kkolinko) fix 48629: Allow user names as well as DNs to be used with the nested role search. Add roleNested to the documentation. Patch provided by Felix Schumacher. (markt) fix 48661: Make error page behavior consistent, regardless of how the error page is defined. If a response has been committed, always include the error page. (markt) fix 48729: Return roles defined by both userRoleName and roleName mechanisms. Patch provided by 'eric'. Also make user's role list immutable.(markt) fix 48760: Fix potential multi-threading issue in static resource serving where multiple threads could try to use the the same InputStream. (markt) fix 48790: Fix thread safety issue in the count of the maximum number of active session. (markt/kkolinko) fix 48793: Make catalina.sh more robust to different return values on different platforms. Patch provided by Thomas GL. (markt) fix 48840: Swallow output (if any) from use of cd when determining $CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on patch provided by mdietze. (markt/kkolinko) fix 48895: Make clearing of ThreadLocals that are causing memory leaks on web application stop, reload or undeploy configurable since the process of clearing them is not thread-safe. (markt) fix 48903: Fix deadlock in webapp class loader. (rjung) fix 48971: Make stopping of leaking Timer threads optional and disabled by default. (markt) fix 48976: Document JAVA_ENDORSED_DIRS in start-up scripts. Patch provided by Laurent Vaills. (markt) fix 48983: Improve debug logging for situations when RemoteIpValve is bypassed. Patch provided by Cyrille Le Clerc. (markt) fix 49018: Fix processing of time argument in the Expire sessions action in the Manager web application. (kkolinko) fix 49116: If session is already invalid, expire session to prevent memory leak. (kfujino) fix 49158: Ensure only one session cookie is returned for a single request. (markt/fhanik) fix 49245: Fix session expiration check in cross-context requests. (markt) fix 49398: ByteChunk.indexOf(String, int, int, int) could not find a string of length 1. (kkolinko) fix Fix possible overflows when calculating session statistics. (kkolinko) add Log unexpected exceptions when providing access to web application resources in ApplicationContext. (kkolinko) fix Improve exception handling in CatalinaShutdownHook. (kkolinko) add Expose properties of VirtualWebappLoader and WebappClassLoader via JMX. (rjung) Coyote fix 48839: Correctly handle HTTP header folding in the NIO connector. Patch suggested by Richa Baronia. (markt) fix 48843: Prevent possible deadlock for worker allocation in connectors. (kkolinko) fix 48843: Fix handling of add queues in AprEndpoint.Poller and AprEndpoint.Sendfile. Do not miss wakeups. (kkolinko) add 48862: Add support for the backlog parameter to the AJP connector. (pero/markt) fix 48917: Correct name of mod_jk module in ApacheConfig. Patch provided by Todd Hicks. (markt) fix 49095: AprEndpoint did not wakeup acceptors during shutdown when deferAccept option was enabled. Based on a patch provided by Ruediger Pluem. (kkolinko) add Use chunked encoding for http 1.1 requests with no content-length (regardless of keep-alive) so client can differentiate between complete and partial responses. (markt) fix Correct the SSL session timeout attribute name so the code agrees with the documentation. (markt) add CoyotePrincipal now implements Serializable. (fhanik) fix Enable the BIO AJP connector to run under a security manager. (markt) Jasper fix 45015: Correct a regression in quote handling caused by the re-factoring of attribute parsing. (markt) fix 48701: Add a system property to allow disabling enforcement of JSP.5.3. The specification recommends, but does not require, this enforcement. (kkolinko) fix 48737: Don't assume paths that start with /META-INF/... are always in JARs. This is not true for some IDEs. Patch provided by Fabrizio Giustina. (markt) fix 49081: Correctly handle EL expressions of the form #${...}. (markt) fix 49196: Avoid NullPointerException in PageContext.getErrorData() if an error-handling JSP page is called directly. (markt) Cluster fix 48717: When a node joins a cluster and it receives all the current sessions, ensure the sessionCreated event is fired if the Manager is configured to replicate session events. (markt) fix 48934: Previous fix to handle dropped connections incorrectly permanently disabled session replication. (fhanik) fix 49051: memberAlive is not called if member has not already existed in membership. (kfujino) fix 49151: Avoid ClassCastException in BackupManager#stop. (kfujino) fix 49170: Do not send duplicated session. (kfujino) fix Add missing messages and ensure cluster listeners log messages to correct logger. (markt) Webapps add Use underscores instead of spaces in anchor names in Tomcat documentation. (kkolinko) add Add support for displaying the Spring Security user name (if present) in the Manager application. (markt) update Improve the ChatServlet Comet example (/examples/jsp/chat/). (kkolinko) Other update Update to Commons Daemon 1.0.2. Use service launcher (procrun) from the Commons Daemon release. Do not keep a copy of it in our source tree. (mturk/kkolinko) update Update to NSIS 2.46. (kkolinko) fix 48990: Fix the skip.installer build property so if set, only the Windows installer is skipped. (markt) fix 49178: Provide in catalina.policy an example of additional permissions that might be needed for code located in $CATALINA_BASE/lib. (markt) fix 49236: Do not use indexing when packing Tomcat JARs. (kkolinko) fix Remove unused code from org.apache.tomcat.util.buf classes. (kkolinko) update Rearrange tomcat-juli.jar permissions and wrap long lines in the conf/catalina.policy file, to make the text more readable when cited in documentation. (kkolinko) fix Do not evaluate the execute.installer property when building a release. The skip.installer property is used instead. (kkolinko) Tomcat 6.0.26 (jfclere) released 2010-03-11 Catalina fix Close security hole in unreleased 6.0.25 by ensuring new find leaks functionality is protected by a security constraint. (kkolinko) fix 48831: Improve logging shutdown behaviour. Use Catalina's shutdown hook to shutdown JULI. This enables them to be shutdown in the correct order. Do not shutdown global handlers several times. (markt/kkolinko) Coyote fix 48584: Prevent the APR connector logging an error if the acceptor fails during shutdown since this is expected. (mturk) fix 48660: Using compression should not overwrite any Vary header set by a web application. (markt) Jasper fix 48371: Ensure generated servlet mappings are inserted at the correct location when using JspC and allow the option that controls this to be configured on the command line. Also allow the encoding of web.xml to be configured when using JspC and deprecate some unused JspC methods. (markt/kkolinko) fix 48498: Avoid ArrayIndexOutOfBoundsException triggered by a Java 6/7 XML parser bug. (markt/kkolinko) fix 48668: Additional fixes to ensure deferred syntax is handled correctly. (kkolinko) fix 48827: Correct a regression in the fix for 47977 that caused an incorrect non-empty body error to be reported for valid JSP documents. (markt) Webapps add Make changelog.xml be directly rendered as HTML by certain browsers. (kkolinko) add Add support for automated generation of TOC tables and for links to svn revisions to tomcat-docs.xsl in documentation. (kkolinko/fhanik) add Move Manager application JSPs that are not intended to be accessed directly under the WEB-INF directory. (kkolinko) fix Improve the messages displayed by the find leaks diagnostic in the Manager application. (kkolinko) Other fix Encode all property files using ascii escaped UTF-8. Also fixes deployment problem when using French locale. (jfclere/rjung) Tomcat 6.0.25 (jfclere) not released Catalina fix 48039: Return immediately if start() is called on an already started StandardService. (markt) fix 48109: Ensure InputStream is closed on error condition in web application class loader. (markt) fix 48179: Clean up dead code that was used to read tldCache file. (kkolinko) fix 48318: Handle case where WebDAV resource is in directory listing but is not accessible. (markt) add 48384: Add a per context xslt option for directory listings. Make the fallback options work as described in the documentation. (markt) fix 48577: Filter URL when displaying missing included page. (markt) fix 48612: Prevent exception on shutdown if the address attribute is specified for a connector. (markt) fix 48613: Further fixes to ensure APRLifecycleListener is only used if defined in server.xml. (fhanik) fix 48614: Correct JULI log file buffering so default behaviour is no buffering. (fhanik) fix 48625: Provide an option to exit if an error occurs during the initialization phase. (fhanik) fix 48645: Use specified encoding rather than null in calls to RequestUtil.URLDecode(byte[] bytes, String enc) (markt) fix 48653: Force request.secure and request.scheme to false and http if the X-Forwarded-Proto header has the value http. Patch provided by Cyrille Le Clerc. (markt) fix 48678: Remove duplicate server field from org.apache.catalina.startup.Catalina. (markt) fix 48694: Remove potential deadlock in web application class loader. (markt) add 48716: Provide additional configuration options for JULI. (markt) fix 48726: Prevent OOME when uploading large WAR files with the deployer. Patch provided by adam. (markt) add Improve memory leak protection by safely stopping threads started via java.util.Timer that an application starts but fails to stop and by clearing references retained due to the use of java.util.ResourceBundle. (markt) update Modify ThreadLocal memory leak detection to not report false positives and to simplify implementation. (markt/kkolinko) add Basic memory leak detection was added to the standard Host implementation and exposed via JMX to detect memory leaks on web application reload. (markt/kkolinko) Coyote update Update the native/APR library version bundled with Tomcat to 1.1.20. (kkolinko) Jasper add Add some debug logging to the compiler where exceptions were previously swallowed. (markt) fix 48170: Remove unnecessary synchronization that is causing issues under load. (markt) fix 48580: Prevent AccessControlException if first access is to a JSP that uses a FunctionMapper. (markt) fix 48582: Avoid NPE on background compilation failure. (markt) fix 48616: Don't declare or synchronize scripting variables for JSP fragments since they are scriptless. This is an alternative fix for 42390 that avoids both the original problem and the regression in the first fix. (kkolinko) fix 48627: Fix regression in re-factored EL parsing. Keep literals as literals and handle deferredSyntaxAllowedAsLiteral. (kkolinko) fix 48668: When parsing JSPs only parse EL as EL if EL is enabled else strings such as ${ will be silently dropped. (markt) fix Various EL TCK failures. (markt) Cluster fix Force a disconnect if an error occurs during replication such as a firewall dropping the connection. (fhanik) Webapps add Add new "Find leaks" command to the Manager application. It allows to detect web applications that have caused memory leaks on stop, reload or undeploy. (markt/kkolinko) Other fix Ensure files in conf directory have CRLF line endings when using the Windows installer. (kkolinko) fix Allow special characters recognized by the Windows command-line shell to be present in the names of CATALINA_HOME/_BASE and the current directory used to call the Tomcat scripts. (kkolinko) fix Don't use @Deprecated annotations in javax.servlet.jsp.JspContext since the specification does not include them in the API definition. (markt) add Improve the information in the JAR manifest files. (markt) |
||
spz
|
7cc9684ff4 |
update to the fresh release
The changelog from 6.0.20 to 6.0.24 is quite lengthy, please refer to http://tomcat.apache.org/tomcat-6.0-doc/changelog.html for details fixes CVE-2009-2693, CVE-2009-2901 and CVE-2009-2902 |
||
adrianp
|
4fc674c14e |
Update from .18->.20
In brief: 46933: Update StringManager to use Java 5 features. Patch provided by Jens Kapitza. (markt) 46990: Fix synchronization issues reported by FindBugs. Patch provided by Sebb. (markt) Allow huge request body packets for AJP13. (rjung) Manager application prints FAIL if application was deployed but failed to start (fhanik) When shutdown port is disabled, print user friendly message and not a stack trace. (fhanik) The invoker servlet has been deprecated and will be removed in Tomcat 7 onwards. (markt) 45154 Implement SEND_FILE behavior for SSL connections using NIO (fhanik) For full details see: http://tomcat.apache.org/tomcat-6.0-doc/changelog.html |
||
adrianp
|
01c1be3786 |
Apache Tomcat 6.x is the current focus of development. It builds upon the
improvements made in Tomcat 5.5.x and implements the Servlet 2.5 and JSP 2.1 specifications. In addition to that, it includes the following improvements: * Memory usage optimizations * Advanced IO capabilities * Refactored clustering While we're here make a number of improvements based on the old 5.5.x pkg: - Use MASTER_SITE_APACHE - Default to running as an unprived user - Use a more standard rc.d script - Cleaner pkg_delete operation based on standard files/dirs that change |