e3b29bdf61
Changelog:

Tomcat 9.0.22 (markt)

Catalina
Fix: Improve parsing of Range request headers. (markt)
Fix: Range headers that specify a range unit Tomcat does not recognise should be ignored rather than triggering a 416 response. Based on a pull request by zhanhb. (markt)
Fix: When comparing a date from an If-Range header, an exact match is required. Based on a pull request by zhanhb. (markt)
Fix: Add an option to the default servlet to disable processing of PUT requests with Content-Range headers as partial PUTs. The default behaviour (processing as partial PUT) is unchanged. Based on a pull request by zhanhb. (markt)
Fix: Improve parsing of Content-Range headers. (markt)
Update: Update the recommended minimum Tomcat Native version to 1.2.23. (markt)

Coyote
Fix: Remove a source of potential deadlocks when using HTTP/2 when the Connector is configured with useAsyncIO as true. (markt)
Fix: 63523: Restore SSLUtilBase methods as protected to preserve compatibility. (remm)
Fix: Fix typo in UTF-32LE charset name. Patch by zhanhb via Github. (fschumacher)
Fix: Once a URI is identified as invalid don't attempt to process it further. Based on a PR by Alex Repert. (markt)
Fix: Fix to avoid the possibility of long poll times for individual pollers when using multiple pollers with APR. (markt)
Fix: Refactor the fix for 63205 so it only applies when using PKCS12 keystores as regressions have been reported with some other keystore types. (markt)

Jasper
Add: Include file names if SMAP processor is unable to delete or rename a class file during SMAP generation. (markt)
Update: Update to the Eclipse JDT compiler 4.12. (markt)

WebSocket
Fix: 63521: As required by the WebSocket specification, if a POJO that is deployed as a result of the SCI scan for annotated POJOs is subsequently deployed via the programmatic API ignore the programmatic deployment. (markt)

Other
Fix: Switch the check for terminal availability to test for stdin as using stdout does not work when output is piped to another process. Patch provided by Radosław Józwik. (markt)
Add: Add user buildable optional modules for easier CDI 2 and JAX-RS support. Also include a new documentation page describing how to use it. (remm)

2019-06-07 Tomcat 9.0.21 (markt)

Catalina
Add: 57287: Add file sorting to DefaultServlet (schultz)
Fix: Fix --no-jmx flag processing, which was called after registry initialization. (remm)
Fix: Ensure that a default request character encoding set on a ServletContext is used when calling ServletRequest#getReader(). (markt)
Fix: Make a best efforts attempt to clean-up if a request fails during processing due to an OutOfMemoryException. (markt)
Fix: Improve the BoM detection for static files handled by the default servlet for the rarely used UTF-32 encodings. Identified by Coverity Scan. (markt)
Fix: Ensure that the default servlet reads the entire global XSLT file if one is defined. Identified by Coverity Scan. (markt)
Fix: Avoid potential NullPointerException when generating an HTTP Allow header. Identified by Coverity Scan. (markt)
Code: Add Context.createInstanceManager() for easier framework integration. (remm)
Code: Add utility org.apache.catalina.core.FrameworkListener to allow replicating adding a Listener to context.xml in a programmatic way. (remm)
Code: Move Container.ADD_CHILD_EVENT to before the child container start, and Container.REMOVE_CHILD_EVENT to before removal of the child from the internal child collection. (remm)
Add: Remove any fragment included in the target path used to obtain a RequestDispatcher. The requested target path is logged as a warning since this is an application error. (markt)

Coyote
Fix: NIO poller seems to create some unwanted concurrency, causing rare CI test failures. Add sync when processing async operation to avoid this. (remm)
Fix: Fix concurrency issue that led to incorrect HTTP/2 connection timeout. (remm/markt)
Fix: Avoid useless exception wrapping in async IO. (remm)
Fix: 63412: Security manager failure when using the async IO API from a webapp. (remm)
Fix: Remove acceptorThreadCount Connector attribute, one accept thread is sufficient. As documented, value 2 was the only other sensible value, but without an impact beyond certain microbenchmarks. (remm)
Fix: Avoid possible NPEs on connector stop. (remm)
Update: Remove pollerThreadCount Connector attribute for NIO, one poller thread is sufficient. (remm)
Add: Add async IO for APR connector for consistency, but disable it by default due to low performance. (remm)
Fix: Avoid blocking write of internal buffer when using async IO. (remm)
Code: Refactor async IO implementation to the SocketWrapperBase. (remm)
Update: Refactor SocketWrapperBase close using an atomic boolean and a doClose method that subclasses will implement, with a guarantee that it will be run only once. (remm)
Fix: Decouple the socket wrapper, which is not recycled, from the NIOx channel after close, and replace it with a dummy static object. (remm)
Fix: Clear buffers on socket wrapper close. (remm)
Fix: NIO2 failed to properly close sockets on connector stop. (remm)
Update: Reduce the default for maxConcurrentStreams on the Http2Protocol from 200 to 100 to align with typical defaults for HTTP/2 implementations. (markt)
Update: Reduce the default HTTP/2 header list size from 4GB to 32kB to align with typical HTTP/2 implementations. (markt)
Add: Add support for same-site cookie attribute. Patch provided by John Kelly. (markt)
Fix: Drop legacy NIO double socket close (close channel, then close socket). (remm)
Fix: Fix HTTP/2 end of stream concurrency with async. (remm)
Fix: Correct a bug in the stream flushing code that could lead to multiple threads processing the stream concurrently which in turn could cause errors processing the stream. (markt)

Cluster
Fix: 62841: Refactor the DeltaRequest serialization to reduce the window during which the DeltaSession is locked and to remove a potential cause of deadlocks during serialization. (markt)
Fix: 63441: Further streamline the processing of session creation messages in the DeltaManager to reduce the possibility of a session update message being processed before the session has been created. (markt)

WebSocket d: Expand the explanation of how deprecated TLS configuration attributes are converted to the new TLS configuration style. (markt)

Tribes
Fix: Treat NoRouteToHostException the same way as SocketTimeoutException when checking the health of group membaven packaging. (remm)
Fix: 63403: Fix TestHttp2InitialConnection test failures when running with a non-English locale. (kkolinko)
Fix: Add Graal JreCompat, and use it to disable JMX and URL stream handlers. (remm)
Add: Expand the coverage and quality of the Simplified Chinese translations provided with Apache Tomcat. Includes contributions by 諵. (markt)
Fix: Use the test command to check for terminal availability rather than the tty command since the tty based te
Fix: Fix some edge cases where the docBase was not being set using a canonical path which in turn meant resource URLs were not being constructed as expected. (markt)
Fix: Fix a potential resource leak when executing CGI scripts from a WAR file. Identified by Coverity scan. (markt)
Fix: Fix a potential concurrency issue in the StringCache identified by Coverity scan. (markt)
Fix: Fix a potential concurrency issue in the main Sendfile thread of the APR connector. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak when running a web application from a WAR file. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak on some exception paths in the DataSourceRealm. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak on an exception path when parsing JSP files. Identified by Coverity scan. (markt)
Fix: Fix a potential resource leak when a JNDI lookup returns an object of an incompatible class. Identified by Coverity scan. (markt)
Code: Refactor ManagerServlet to avoid loading classes when filtering JNDI resources for resources of a specified type. (markt)
Fix: 63324: Refactor the CrawlerSessionManagerValve so that the object placed in the session is compatible with session serialization with mem-cached. Patch provided by Martin Lemanski. (markt)
Add: 63358: Expand the throwOnFailure support in the Connector to include the adding of a Connector to a running Service. (markt)
Add: 63361: Add a new method (Registry.disableRegistry()) that can be used to disable JMX registration of Tomcat components providing it is called before the first component is registered. (markt)
Fix: Avoid OutOfMemoryErrors and ArrayIndexOutOfBoundsExceptions when accessing large files via the default servlet when resource caching has been disabled. (markt)
Fix: Avoid a NullPointerException when a Context is defined in server.xml with a docBase but not the optional path. (markt)
Fix: 63333: Override the isAvailable() method in the JAASRealm so that only login failures caused by invalid credentials trigger account lock out when the LockOutRealm is in use. Patch provided by jchobantonov. (markt)
Fix: Add --no-jmx flag to allow disabling JMX in startup.Tomcat.main. (remm)

Coyote
Fix: The useAsyncIO boolean attribute on the Connector element value now defaults to true. (remm)
Fix: Possible HTTP/2 connection leak issue when using async with NIO. (remm)
Fix: Fix socket close discrepancies for NIO, now the wrapper close is used everywhere except for socket accept problems. (remm)
Fix: Implement poller timeout when using async IO with NIO. (remm)
Fix: Avoid creating and using object caches when they are disabled. (remm)
Fix: When running on newer JREs that don't support SSLv2Hello, don't warn that it is not available unless explicitly configured. (markt)
Fix: Change default value of pollerThreadCount of NIO to 1. (remm)
Fix: Associate BlockPoller thread name with its NIO connector for better readability. (remm)
Fix: The async HTTP/2 frame parser should tolerate concurrency so clearing shared buffers before attempting a read is not possible. (remm)
Update: Update the HTTP/2 connection preface and initial frame reading to be asynchronous instead of blocking IO. (remm)
Code: Refactor Hostname validation to improve performance. Patch provided by Uwe Hees. (markt)
Update: Add additional NIO2 style read and write methods closer to core NIO2, for possible use with an asynchronous workflow like CompletableFuture. (remm)
Fix: Expand HTTP/2 timeout handling to include connection window exhaustion on write. This is the fix for CVE-2019-10072. (markt)

Jasper
Fix: 63359: Ensure that the type conversions used when converting from strings for jsp:setProperty actions are correctly implemented as per section JSP.1.14.2.1 of the JSP 2.3 specification. (markt)

Other
Fix: 63335: Ensure that stack traces written by the OneLineFormatter are fully indented. The entire stack trace is now indented by an additional TAB character. (markt)
Fix: 63370: Message files (LocalStrings_*.properties) of the examples webapp not converted to ascii. (woonsan)
Add: Expand the coverage and quality of the French translations provided with Apache Tomcat. (remm)
Add: Expand the coverage and quality of the Japanese translations provided with Apache Tomcat. Includes contributions by motohashi.yuki. (markt)
Add: Expand the coverage and quality of the Czech translations provided with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
Fix: When using the OneLineFormatter, don't print a blank line in the log after printing a stack trace. (markt)
Update: Update the internal fork of Apache Commons FileUpload to 41e4047 (2019-04-24) to pick up some enhancements. (markt)
Update: Update the internal fork of Apache Commons DBCP 2 to dcdbc72 (2019-04-24) to pick up some clean-up and enhancements. (markt)
Update: Update the internal fork of Apache Commons Pool 2 to 0664f4d (2019-04-30) to pick up some enhancements and bug fixes. (markt)

2019-04-13 Tomcat 9.0.19 (markt)

Catalina
Fix: Fix wrong JMX registration regression in 9.0.18. (remm)

Coyote
Update: Add vectoring for NIO in the base and SSL channels. (remm)
Add: Add asynchronous IO from NIO2 to the NIO connector, with support for the async IO implementations for HTTP/2 and Websockets. The useAsyncIO boolean attribute on the Connector element allows enabling use of the asynchronous IO API. (remm)

Other
Fix: Ensure that the correct files are included in the source distribution for javacc based parsers depending on whether jjtree is used or not. (markt)
Fix: Ensure that text files in the source distribution have the correct line endings for the target platform. (markt)

not released Tomcat 9.0.18 (markt)

Catalina
Fix: 63196: Provide a default (X-Forwarded-Proto) for the protocolHeader attribute of the RemoteIpFilter and RemoteIpValve. (markt)
Fix: 63235: Refactor Charset cache to reduce start time. (markt)
Fix: 63249: Use a consistent log level (WARN) when logging the failure to register or deregister a JMX Bean. (markt)
Fix: 63249: Use a consistent log level (ERROR) when logging the LifecycleException associated with the failure to start or stop a component. (markt)
Fix: When the SSI directive fsize is used with an invalid target, return a file size of - rather than 1k. (markt)
Fix: 63251: Implement a work-around for a known JRE bug (JDK-8194653) that may cause a dead-lock when Tomcat starts. (markt)
Fix: 63275: When using a RequestDispatcher ensure that HttpServletRequest.getContextPath() returns an encoded path in the dispatched request. (markt)
Update: Add optional listeners for Server/Listener, as a slight variant of a standard listener. The difference is that loading is not fatal when it fails. This would allow adding example configuration to the standard server.xml if deemed useful. Storeconfig will not attempt to persist the new listener. (remm)
Fix: 63286: Document the differences in behaviour between the LogFormat directive in httpd and the pattern attribute in the AccessLogValve for %D and %T. (markt)
Fix: 63287: Make logging levels more consistent for similar issues of similar severity. (markt)
Fix: 63311: Add support for https URLs to the local resolver within Tomcat used to resolve standard XML DTDs and schemas when Tomcat is configured to validate XML configuration files such as web.xml. (markt)
Fix: Encode the output of the SSI printenv command. This is the fix for CVE-2019-0221. (markt)
Code: Use constants for SSI encoding values. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the encoded form of the individual command line arguments to those values allowed by RFC 3875. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsEncoded. (markt)
Add: When the CGI Servlet is configured with enableCmdLineArguments set to true, limit the decoded form of the individual command line arguments to known safe values when running on Windows. This restriction may be relaxed by the use of the new initialisation parameter cmdLineArgumentsDecoded. This is the fix for CVE-2019-0232. (markt)

Coyote
Fix: Fix bad interaction between NIO2 async read API and the regular read. (remm)
Fix: Refactor NIO2 write pending strategy for the classic IO API. (remm)
Fix: Restore original maxConnections default for NIO2 as the underlying close issues have been fixed. (remm)
Fix: Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
Fix: When using a JSSE TLS connector that supported ALPN (Java 9 onwards) and a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and instead dropped the connection. (markt)
Fix: Correct a regression in the TLS connector refactoring in Tomcat 9.0.17 that prevented the use of PKCS#8 private keys with OpenSSL based connectors. (markt)
Fix: Fix NIO2 SSL edge cases. (remm)
Fix: When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any query string present in the original HTTP/1.1 request is passed to the HTTP/2 request processing. (markt)
Fix: When Tomcat writes a final response without reading all of an HTTP/2 request, reset the stream to inform the client that the remaining request body is not required. (markt)

Jasper
Add: Add support for specifying Java 11 (with the value 11) as the compiler source and/or compiler target for JSP compilation. (markt)
Add: Add support for specifying Java 12 (with the value 12) and Java 13 (with the value 13) as the compiler source and/or compiler target for JSP compilation. If used with an ECJ version that does not support these values, a warning will be logged and the latest supported version will be used. Based on a patch by Thomas Collignon. (markt)

Web applications
Fix: 63184: Expand the SSI documentation to provide more information on the supported directives and their attributes. Patch provided by nightwatchcyber. (markt)
Add: Add a note to the documentation about the risk of DoS with poorly written regular expressions and the RewriteValve. Patch provided by salgattas. (markt)

jdbc-pool
Fix: Improved maxAge handling. Add support for age check on idle connections. Connection that expired reconnects rather than closes it. Patch provided by toby1984. (kfujino)
Fix: 63320: Ensure that StatementCache caches statements that include arrays in arguments. (kfujino)

Other
Update: Update to the Eclipse JDT compiler 4.10. (markt)
Add: Expand the coverage and quality of the Spanish translations provided with Apache Tomcat. Includes contributions by Ulises Gonzalez Horta. (markt)
Add: Expand the coverage and quality of the Czech translations provided with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
Add: Expand the coverage and quality of the Chinese translations provided with Apache Tomcat. Includes contributions by winsonzhao and wjt. (markt)
Add: Expand the coverage and quality of the Russian translations provided with Apache Tomcat. (kkolinko)
Add: Expand the coverage and quality of the Japanese translations provided with Apache Tomcat. (kfujino)
Add: Expand the coverage and quality of the Korean translations provided with Apache Tomcat. (woonsan)
Add: Expand the coverage and quality of the German translations provided with Apache Tomcat. (fschumacher)
Add: Expand the coverage and quality of the French translations provided with Apache Tomcat. (remm)