Changelog since 5.5.7
Tomcat 5.5.9 (yoavs)
General
add Add JULI, a java.util.logging implementation, used to provide sane
defaults and configurability equivalent to Tomcat 4.0 for Tomcat 5.5
logging (remm)
docs Add JULI documentation to the logging page (remm)
add Add host manager webapp (remm)
add Add ant JkStatusUpdateTask for remote status worker handling ( >=mod_jk
1.2.9) (pero)
add 33739: Add reference to RUNNING.txt in setup.html. (yoavs)
fix 33719: Update reference to Ant download page. (yoavs)
fix 33883: Bad options in SSL-HowTo. (yoavs)
update Update to MX4J 3.0.1 (pero)
update 34139: Updated Realm-HowTo to specify JMX, Commons-Logging jars for
RealmBase. (yoavs)
add 33325: Added top-level clean target to Netbuild build.xml file.
(yoavs)
update 33755: Clarified Postgresql JNDI datasource example. [patch submitted
by Tom Witmer] (yoavs)
Catalina
fix Remove some instances of expanded folder removal (remm)
fix Don't call mkdirs if we're not going to save the configuration in
StandardContext (remm)
fix Fix context classloader binding during loader initialization (it was set
to null before) (remm)
fix The webapp logger should only be retrieved when the context classloader
is set to the webapp's classloader (remm)
fix 34170: Add back retry logic in JDBC realm in case of a connection
failure (remm)
fix 22041: Support dynamic proxies as session objects. (markt)
fix Fix logger names for wrappers (remm)
fix 34006: If antiResourceLocking was used, HostConfig considered the
path as external, and web application resources were not correctly
removed or tracked; also simplify the code a lot (remm)
fix 34016: Save and restore docBase when using antiResourceLocking, for
compatibility with the admin webapp (remm)
add 33636: Set lastModified attribute when expanding WAR files. (yoavs)
add 32938: Allow Salted SHA (SSHA) passwords in JNDIRealm. (yoavs)
add 31288: Allow SMTP authentication for JNDI MailSessionFactory. (yoavs)
update Harmonize processing of the context.xml defaults with the way web.xml is
processed (remm)
fix Ignore ';' if it is in the query string (remm)
fix private to protected for the webapp classloader (remm)
fix Improve logging of filters and listeners startup errors (remm)
fix 33774: Retry once in JNDI realm authenticate failure regardless of
the exception message (remm)
fix 33961: Don't encode '~' in context paths (remm)
fix 32866: Propagate distributable property from context to manager
(yoavs)
fix 32867: Reset distributable attribute in context for clean reload
handling (yoavs)
update Fix some RealmBase/JNDIRealm log.isXXXEnabled (pero)
fix 34161: Harmonize StandardContext.stop with ContainerBase.stop (remm)
Coyote
fix 33971: Set remoteHost to null when Apache doesn't send one.
(billbarker)
fix Fix calculation of threadRatio for the ms thread pool, and fix setting
the updated timeout value (remm)
update Update the ms thread pool so that we allocate a worker before
accepting a new socket, and wait a little if the pool
is exhausted; this should make low maxThreads values work
a lot better (remm)
update 33857: Update information on automatic mod_jk configuration in
Apache-HowTo (yoavs)
fix Fix sync block placement in Mapper.addContext (remm)
fix 32741: Fix spelling of "committed" [patch from Ben Souther] (yoavs)
fix 34133: Make setHeader clear multi-valued headers (billbarker)
Jasper
fix 34034: Jasper does not respect external entities (billbarker)
fix 33810: Incorrect recycling of BodyContent if close is called (remm)
update Per instance loggers in Jasper (remm)
Cluster
fix Fix JvmRouteBinderValve primary failover attribute to
org.apache.catalina.cluster.session.JvmRouteOrignalSessionID (pero)
fix Change attribute name waitForAck to sendAck at ReplicationListener (pero)
add Integrate new fastasyncqueue cluster sender mode. Support queue size
limitation, get all queued objects and send it to the backup node, no
queue thread lock contention under high replication load, submitted by
Rainer Jung (pero)
add Add compress attribute to Sender and Receiver to transfer data
uncompressed. At high cluster load this option consumes less CPU and
memory. Implement the compress handling to ReplicationTransmitter,
ReplicationListener, XByteBuffer and Jdk13ReplicationListener (pero)
add Add doProcessingStats to synchronous, asynchronous and fastqueueasync
sender modes to get min, avg, max processing times as IDataSender JMX
MBeans (pero)
fix TcpThreadPool use constant ACK byte array instead create new 3 byte
buffer for every message ack (pero)
update Refactor ReplicationTransmitter and ReplicationListener (pero)
update add getCatalinaCluster() to ClusterReceiver and SimpleTcpCluster (pero)
update Update the Api documentation (pero)
Webapps
update Use the standard struts taglib URIs in admin JSPs. (billbarker)
add Add more host parameters to create new host with host-manager (pero)
fix 34033: Fix quoting related bugs (remm)
fix 33713: Add Struts init code in frameset.jsp as well (remm)
Tomcat 5.5.8 (yoavs)
General
fix 33204: Fixed SSL HowTo page. (yoavs)
fix 33351: Fix silent uninstallation. (remm)
fix 33489: Missing space in uninstaller message. (yoavs)
Catalina
fix Unregister host mbean and all context mbeans at remove a host, s.
StandardHost.destroy() and MBeanFactory.createStandardHost/removeHost(),
detected by Thorsten Kamann (pero)
fix make it possible to restart connector, now serversocket recreated after
stop,start (pero)
fix change mbean names from Mapper and ProtocolHandler to connector naming
style (pero)
update Add some log.isXXXEnabled (pero)
fix Deregister MapperListener after remove connector (pero)
fix Remove host only at own domain with same name at all services, detected
by Thorsten Kamann (pero)
fix 33187: Remove any logging of the password in the JAAS realm,
submitted by Andrew Jaquith (remm)
fix 33033: Don't do anything to the response in the ErrorReportValve if
data has already been written (remm)
update Add charset support for the URLs used by the tasks, to remove
deprecation (remm)
fix 26135: Workaround for memory leak when reloading Struts based web
applications by clearing the bean introspector cache of the JVM on
classloader stop, submitted by Tobias Lofstrand. (remm)
fix Ensure that if CLASSPATH is declared on startup - it is not used.
(funkman)
fix Add back use of deployOnStartup in HostConfig (remm)
docs Ant tasks docs patches, submitted by Gabriele Garuglieri. (remm)
update Use NIO for the raw copying operation, as it is faster (a little under
30%), and decreases a little the impact of antiResourceLocking. (remm)
fix 33357: Fix connection leaks with the DataSourceRealm, as well as
improve efficiency, submitted by Dominik Drzewiecki. (remm)
update Improve a little logging of servlet exceptions, which should all log the
root cause. (remm)
update Add new Manager.createSession(sessionId) method, allowing
the client to "specify" the session id which should
be used using a cookie when using emptySessionPath="true".
This fixes session tracking in this case. (remm)
fix 33368: Fix memory leak in swallowOutput feature which occurred when
the thread pool size is reduced, submitted by Rainer Jung. (remm)
fix StoreConfig: can't save cluster Membership element (pero)
add StoreConfig: suppress default jkHome attribute at connector (pero)
add StoreConfig: Save new dynamic properties from ReplicationTransmitter
(pero)
fix 33463: Remove attributes after context destroy. (remm)
fix 33572: context.xml should be a redeploy resource, and add
prioritization for redeploy resources. (remm)
Coyote
fix PoolTcpEndpoint recreate ServerSocket after start,stop,start connector
(pero)
update Add some log.isXXXEnabled (pero)
add JkMX: make log4j mbean configurable with attribute log4jEnabled (pero)
fix When Tomcat runs on Windows and IE is uploading data to the server, the
first read must be at least 8KB, otherwise upload speed is extremely
low, submitted by Noel Rocher (remm)
Jasper
fix 33223: pageContext.forward and jsp:include result in
StringIndexOutOfBoundsException (luehe)
fix 33373: Fix handling of context classloader in jspc (remm)
fix 33538: Ignore example and tag-extension elements in
TagLibraryInfoImpl. (yoavs)
fix 33539: Better error message when an unknown element is encountered in
the tag file. (yoavs)
fix 33219: Minor JspServletWrapper code cleanup. (yoavs)
Cluster
fix Add instance based ReplicationValve statistics to Mbean descriptor
(pero)
fix Better I18N support to cluster session and tcp classes (pero)
add Support optional primaryIndicator at ReplicationValve to mark that
request processing to existing session is at primary cluster node. Easy
failover detection, when mark is not at configurable primaryIndicator
attribute, submitted by Rainer Jung (pero)
update Refactor all implementation from interface IDataSenders (pero)
add Add some useful attributes and operations to the all sender MBeans.
(pero)
add Add keepAlive and waitForAck handling to AsyncSocketSender and factor
out a DataSender base class.(pero)
add ReplicationTransmitter: Enable and Disable autoreconnect sender and
waitForAck. (pero)
add ReplicationTransmitter: transfer all properties to socket sender from
server.xml configuration. (pero)
Webapps
fix Fix create and remove Host for Admin app. (pero)
pkgsrc as patches/patch-ai):
Security
- Added the ability for Mailman generated passwords (both member and list
admin) to be more cryptographically secure. See new configuration
variables USER_FRIENDLY_PASSWORDS, MEMBER_PASSWORD_LENGTH, and
ADMIN_PASSWORD_LENGTH. Also added a new bin/withlist script called
reset_pw.py which can be used to reset all member passwords. Passwords
generated by Mailman are now 8 characters by default for members, and 10
characters for list administrators.
- A potential cross-site scripting hole in the driver script has been
closed. Thanks to Florian Weimer for its discovery. Also, turn
STEALTH_MODE on by default.
Internationalization
- Chinese languages are now supported. They have been moved from 'big5'
and 'gb' to 'zh_TW' and 'zh_CN' respectively for compliance to the IANA
spec. Note, however, that the character sets were changed from 'Big5'
or 'GB2312' to 'UTF-8' to cope with the insufficient codecs support in
Python 2.3 and earlier. You may have to install Chinese capable codecs
(like CJKCodecs) separately to handle the incoming messages which are in
local charsets, or upgrade your Python to 2.4 or newer.
Behavior or defaults changes
- VERP_PROBES is disabled by default.
- bin/withlist can be run without a list name, but only if -i is given.
Also, withlist puts the directory it's found in at the end of sys.path,
making it easier to run withlist scripts that live in $prefix/bin.
- bin/newlist grew two new options: -u/--urlhost and -e/--emailhost which
lets the user provide the web and email hostnames for the new mailing
list. This is a better way to specify the domain for the list, rather
than the old 'mylist@hostname' syntax (which is still supported for
backward compatibility, but deprecated).
Compatibility
- Python 2.4 compatibility issue: time.strftime() became strict about the
'day of year' range. (1078482)
New Features
- New feature: automatic discards of held messages. List owners can now
set how many days to hold the messages in the moderator request queue.
cron/checkdb will automatically discard old messages. See the
max_days_to_hold variable in the General Options and
DEFAULT_MAX_DAYS_TO_HOLD in Defaults.py. This defaults to 0
(i.e. disabled). (790494)
- New feature: subject_prefix can be configured to include a sequence
number which is taken from the post_id variable. Also, the prefix is
always put at the start of the subject, i.e. "[list-name] Re: original
subject", if mm_cfg.OLD_STYLE_PREFIXING is set No. The default style
is "Re: [list-name]" if numbering is not set, for backward compatibility.
If the list owner is using numbering feature by "%d" directive, the new
style, "[list-name 123] Re:", is always used.
- List owners can now customize the non-member rejection notice from
admin/<listname>/privacy/sender page. (1107169)
- Allow editing of the welcome message from the admin page (1085501).
- List owners can now use Scrubber to get the attachments scrubbed (held
in the web archive), if the site admin permits it in mm_cfg.py. New
variables introduced are SCRUBBER_DONT_USE_ATTACHMENT_FILENAME and
SCRUBBER_USE_ATTACHMENT_FILENAME_EXTENSION in Defaults.py for scrubber
behavior. (904850)
Documentation
- Most of the installation instructions have been moved to a latex
document. See admin/www/mailman-install/index.html for details.
Bug fixes and other patches
- Mail-to-news gateway now strips subject prefix off from a response
by a mail user if news_prefix_subject_too is not set.
- Date and Message-Id headers are added for digests. (1116952)
- Improved mail address sanity check. (1030228)
- SpamDetect.py now checks attachment header. (1026977)
- Filter attachments by filename extensions. (1027882)
- Bugs and patches: 955381 (older Python compatibility), 1020102/1013079/
1020013 (fix spam filter removed), 665569 (newer Postfix bounce
detection), 970383 (moderator -1 admin requests pending), 873035
(subject handling in -request mail), 799166/946554 (makefile
compatibility), 872068 (add header/footer via unicode), 1032434
(KNOWN_SPAMMERS check for multi-header), 1025372 (empty Cc:), 789015
(fix pipermail URL), 948152 (Out of date link on Docs), 1099138
(Scrubber.py breaks on None part), 1099840/1099840 (deprecated %
insertion), 880073/933762 (List-ID RFC compliance), 1090439 (passwd
reminder shunted), 1112349 (case insensitivity in acceptable_aliases),
1117618 (Don't Cc for personalized anonymous list), 1190404 (wrong
permission after editing html)
- Thanks to taca@ and gavan@ for feedback and patch review
- This also enables experimental PAM support (on platforms that support it)
- Security fixes included
- From the ChangeLog:
> Changes from 4.0.7 to 4.0.8:
> ---------------------------
> 1. Fix compilation error on HPUX.
> 2. Fix some compilation warnings.
> 3. Update man page with '-x' option.
> 4. Fix problems with 'make install'
>
>
> Changes from 4.0.6 to 4.0.7:
> ---------------------------
> 1. Fix '-V' for standalone.
> 2. Include 'man' directory in tarball.
>
>
> Changes from 4.0.5 to 4.0.6:
> ----------------------------
> 1. Minor fixes for true64.
> 2. Patch from Uli Zappe to fix SCRAM compilation bugs.
> 3. Minor fixes for true64.
> 4. poppassd now runs smbpasswd as user, not root, to avoid exploit
> 5. Remove -traditional-cpp from the compiler options for Darwin
> builds (otherwise build fails)
> 6. Open stdout and stderr as O_WRONLY instead of O_RDONLY so that
> should anything actually be written to them it will show up
> 7. When configured as --with-pam and required,
> include <pam/pam_appl.h> instead of <security/pam_appl.h>
> (otherwise build fails)
> 8. strdup the pw.pw_name field from getpwnam so that it's still
> valid by the time genpath is called; also added corresponding
> free (without this fix when the bug manifests, clients are
> erroneously told there are 0 messages in the mail drop
> regardless of the actual number)
> 9. Add a pam bug workaround at the beginning of main to do a
> pam_start and pam_end immediately when the program starts up
> in order to avoid bogus authentication failed messages from
> pam_authenticate later (only when configured as --with-pam)
> [ Thanks to Kyle McKay for changes 5-9 ]
> 10. Fixed error in configure script for Mac OS / Darwin.
> 11. Support chained certs for OpenSSL [from Daniel Senie].
> 12. Fixes to compile better on Linux [from Daniel Senie].
> 13. X-UIDL header no longer written when Update_status_hdrs is false
> [thanks to Helge Oldach]
> 14. Now calling SSL_shutdown() again if it fails the first time.
> 15. Now logging TLS errors when compiled with debugging and debug is
> enabled (instead of either) [thanks to Maks N. Polunin].
> 16. Config file now always closed (not just on error).
> 17. When using pam, Kerberos tickets are now destroyed.
> Otherwise dead tickets accumulate in cache directory which runs
> out of space quickly on busy server. Problem noted by Rodney
> McDuff ITS UQ. (Directory permissions on ticket cache dir need
> to be 1777).
> 18. Always log "Servicing request" (instead of just when debugging is
> on). This allows start of pop sessions to be logged always which
> is useful for diagnosis of problems.
> 19. Worked around problem on some systems causing SIGALRM to be masked,
> leaving hung pop processes which should have timed out waiting
> for a command from the client.
> [ Thanks to David Shrimpton for changes 16-19 ]
> 20. Now defaulting to "EXPIRE NEVER" instead of "EXPIRE 0".
> 21. Fix core dump on 64-bit Solaris 2.8 [thanks to Kenny Nguyen]
> 22. Log facility set on command line now applies to daemon as well.
> [Thanks to Helge Oldach]
> 23. '-y' to set log facility on command line now works again.
> 24. Allow '-V' as synonym for '-v' (to see version).
> 25. Process user and spool config files as user, not as root (fix
> security hole reported by Jens Steube)
> 26. Added "xtnd_xmit" as a boolean option to permit/deny XTND XMIT
> and 'x' as a command-line option to disable it. You should
> disable it unless you really need it, and even then it is better
> to move to SMTP AUTH.
> 27. popauth now opens trace file as user, not root (fix security
> hole reported by Jens Steube); also umask now set.
> 28. Fix race crash on FreeBSD (thanks to Martin Haller).
> 29. Resolve some compiler warnings.
> 30. Fix check for libcrypt on FreeBSD.
> 31. Added sample pam configuration file (also installed by 'make
> install')
> 32. Use generic error msg and sleep in more auth failure cases.
> 33. Added code to use mkstemp() instead of our perfectly safe usage
> of tempnam() because some compilers issue overly broad warnings
> implying that all uses of tempnam() are unsafe. To bypass,
> use '--enable-tempnam' with ./configure.
USE_TOOLS and any of "autoconf", "autoconf213", "automake" or
"automake14". Also, we don't need to call the auto* tools via
${ACLOCAL}, ${AUTOCONF}, etc., since the tools framework takes care
to symlink the correct tool to the correct name, so we can just use
aclocal, autoconf, etc.