Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/01/13 11:56:09 UTC

[tomcat] 17/18: Clear out the changelog for 10.0.0.x

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 9cd22e95a3a6fa9533fcdc8adb1d24ffae5e6407
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Jan 13 11:46:46 2020 +0000

    Clear out the changelog for 10.0.0.x
    
    Expectation is that first release will be 10.0.0.0-M1
---
 webapps/docs/changelog.xml | 8934 +-------------------------------------------
 1 file changed, 1 insertion(+), 8933 deletions(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 4807d30..df3a222 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -44,8939 +44,7 @@
   They eventually become mixed with the numbered issues (i.e., numbered
   issues do not "pop up" wrt. others).
 -->
-<section name="Tomcat 9.0.31 (markt)" rtext="in development">
-  <subsection name="Catalina">
-    <changelog>
-      <update>
-        Do not store username and password as session notes during
-        authentication if they are not needed. (kkolinko)
-      </update>
-      <fix>
-        Avoid useless environment restore when not using GSSCredential
-        in JNDIRealm. (remm)
-      </fix>
-      <fix>
-        <bug>64005</bug>: Correct a regression in the static resource caching
-        changes introduced in 9.0.28. Avoid a <code>NullPointerException</code>
-        when working with the URL provided for the root of a packed WAR. (markt)
-      </fix>
-      <fix>
-        <bug>64006</bug>: Provide default configuration source based on the
-        current directory if none has been set, for full compatibility with
-        existing code. (remm)
-      </fix>
-      <fix>
-        <bug>64008</bug>: Clarify/expand the Javadoc for the
-        <code>Tomcat#addWebapp()</code> and related methods. (markt)
-      </fix>
-      <scode>
-        Deprecate the <code>JmxRemoteLifecycleListener</code> as the features it
-        provides are now available in the remote JMX capability included with
-        the JRE. This listener will be removed in Tomcat 10 and may be removed
-        from Tomcat 9.0.x some time after 2020-12-31. (markt)
-      </scode>
-      <fix>
-        <bug>64011</bug>: <code>JNDIRealm</code> no longer authenticates to LDAP.
-        (michaelo)
-      </fix>
-      <fix>
-        <bug>64023</bug>: Skip null-valued session attributes when deserializing
-        sessions. (schultz)
-      </fix>
-      <update>
-        <bug>63691</bug>: Skip all jar and directory scanning when the wildcard
-        pattern &quot;*&quot; or &quot;*.jar&quot; is set or added to
-        <code>tomcat.util.scan.StandardJarScanFilter.jarsToSkip</code>. (isapir)
-      </update>
-      <fix>
-        Do not throw a NullPointerException when an MBean or operation cannot
-        be found by the JMXProxyServlet. (schultz)
-      </fix>
-      <fix>
-        <bug>58577</bug>: Respect the argument-count when searching for MBean
-        operations to invoke via the JMXProxyServlet. (schultz)
-      </fix>
-      <update>
-        <bug>64067</bug>: Allow more than one parameter when defining RewriteMaps.
-        (fschumacher)
-      </update>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <update>
-        Simplify NIO blocking read and write. (remm)
-      </update>
-      <fix>
-        Ensure that Servlet Asynchronous processing timeouts fire when requests
-        are made using HTTP/2. (markt)
-      </fix>
-      <fix>
-        Fix the corrupton of the TLS configuration when using the deprecated TLS
-        attributes on the Connector if the configuration has already been set
-        via the new <code>SSLHostConfig</code> and
-        <code>SSLHostConfigCertificate</code> elements. (markt)
-      </fix>
-      <fix>
-        <bug>63966</bug>: Switch the message shown when using HTTP to connect to
-        an HTTPS port from ISO-8859-1 to UTF-8. (markt)
-      </fix>
-      <fix>
-        <bug>64007</bug>: Cancel selection key in poller before wrapper close to
-        avoid possible deadlock. (remm)
-      </fix>
-      <add>
-        Add support for RFC 5915 formatted, unencrypted EC key files when using
-        a JSSE based TLS connector. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        Update the performance optimisation for using expressions in tags that
-        depend on uninitialised tag attributes with implied scope to make the
-        performance optimisation aware of the new public class
-        (<code>java.lang.Record</code>) added in Java 14. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Cluster">
-    <changelog>
-      <fix>
-        <bug>64043</bug>: Ensure that session ID changes are replicated during
-        form-authentication. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        <bug>63995</bug>: Ensure statements are closed when a pooled JDBC
-        connection is passivated in Tomcat's fork of Commons DBCP2. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.30 (markt)" rtext="2019-12-12">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        <bug>63681</bug>: Introduce RealmBase#authenticate(GSSName, GSSCredential)
-        and friends. (michaelo)
-      </add>
-      <fix>
-        <bug>63964</bug>: Correct a regression in the static resource caching
-        changes introduced in 9.0.28. URLs constructed from URLs obtained from
-        the cache could not be used to access resources. (markt)
-      </fix>
-      <fix>
-        <bug>63970</bug>: Correct a regression in the static resource caching
-        changes introduced in 9.0.28. Connections to URLs obtained for JAR
-        resources could not be cast to <code>JarURLConnection</code>. (markt)
-      </fix>
-      <add>
-        <bug>63937</bug>: Add a new attribute to the standard
-        <code>Authenticator</code> implementations,
-        <code>allowCorsPreflight</code>, that allows the
-        <code>Authenticator</code>s to be configured to allow CORS preflight
-        requests to bypass authentication as required by the CORS specification.
-        (markt)
-      </add>
-      <fix>
-        <bug>63939</bug>: Correct the same origin check in the CORS filter. An
-        origin with an explicit default port is now considered to be the same as
-        an origin without a default port and origins are now compared in a
-        case-sensitive manner as required by the CORS specification. (markt)
-      </fix>
-      <fix>
-        <bug>63981</bug>: Allow multiple calls to
-        <code>Registry.disableRegistry()</code> without the second and
-        subsequent calls triggering the logging of a warning. Based on a patch
-        by Andy Wilkinson. (markt)
-      </fix>
-      <fix>
-        <bug>63982</bug>: CombinedRealm makes assumptions about principal implementation
-        (michaelo)
-      </fix>
-      <fix>
-        <bug>63983</bug>: Correct a regression in the static resource caching
-        changes introduced in 9.0.28. A large number of file descriptors were
-        opened that could reach the OS limit before being released by GC.
-        (markt)
-      </fix>
-      <update>
-        <bug>63987</bug>: Deprecate <code>Realm.getRoles(Principal)</code>. (michaelo)
-      </update>
-      <scode>
-        Add a unit test for the session <code>FileStore</code> implementation
-        and refactor loops in <code>FileStore</code> to use the ForEach style.
-        Pull request provided by Govinda Sakhare. (markt)
-      </scode>
-      <update>
-        Moved server-side include (SSI) module into a separate JAR library. (schultz)
-      </update>
-      <fix>
-        Refactor FORM authentication to reduce duplicate code and to ensure that
-        the authenticated Principal is not cached in the session when caching is
-        disabled. This is the fix for CVE-2019-17563. (markt/kkolinko)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Fix endpoint closeSocket and destroySocket discrepancies, in particular
-        in the APR connector. (remm)
-      </fix>
-      <fix>
-        Harmonize maxConnections default value to 8192 across all connectors.
-        (remm)
-      </fix>
-      <fix>
-        <bug>63931</bug>: Improve timeout handling for asyncIO to ensure that
-        blocking operations see a <code>SocketTimeoutException</code> if one
-        occurs. (remm/markt)
-      </fix>
-      <fix>
-        <bug>63932</bug>: By default, do not compress content that has a strong
-        ETag. This behaviour is configuration for the HTTP/1.1 and HTTP/2
-        connectors via the new Connector attribute
-        <code>noCompressionStrongETag</code>. (markt)
-      </fix>
-      <fix>
-        <bug>63949</bug>: Fix non blocking write problems with NIO due to the
-        need for a write loop. (remm)
-      </fix>
-      <fix>
-        Simplify regular endpoint writes by removing write(Non)BlockingDirect.
-        All regular writes will now be buffered for a more predictable
-        behavior. (remm)
-      </fix>
-      <fix>
-        Send an exception directly to the completion handler when a timeout
-        exception occurs for the operation, and add a boolean to make sure the
-        completion handler is called only once. (remm/markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        Ensure a couple of very unlikely concurrency issues are avoided when
-        writing WebSocket messages. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Fix the broken re-try link on the error page for the FORM authentication
-        example in the JSP section of the examples web application. (markt)
-      </fix>
-      <add>
-        Improvements to CsrfPreventionFilter: additional logging, allow the
-        CSRF nonce request parameter name to be customized.
-        (schultz)
-      </add>
-      <fix>
-        Correct the documentation for the <code>maxConnections</code> attribute
-        of the <code>Connector</code> in the documentation web application.
-        (markt)
-      </fix>
-      <add>
-        Add the ability to set and display session attributes in the JSP FORM
-        authentication example to demonstrate session persistence across
-        restarts for authenticated sessions. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Correct the fix for <bug>63815</bug> (quoting the use of
-        <code>CATALINA_OPTS</code> and <code>JAVA_OPTS</code> when used in shell
-        scripts to avoid the expansion of <code>*</code>) as it caused various
-        regressions, particularly with <code>daemon.sh</code>. (markt)
-      </fix>
-      <update>
-        Update the OWB module to Apache OpenWebBeans 2.0.13. (remm)
-      </update>
-      <update>
-        Support Java 11 in Graal Native Images with Graal 19.3+. (remm)
-      </update>
-      <add>
-        Expand the search made by the Windows installer for a suitable Java
-        installation to include the 64-bit JDK registry entries and the
-        <code>JAVA_HOME</code> environment variable. Pull request provided by
-        Alexander Norz. (markt)
-      </add>
-      <add>
-        Expand the coverage of the Korean translations provided with Apache
-        Tomcat. (woonsan)
-      </add>
-      <add>
-        Expand the coverage of the French translations provided with Apache
-        Tomcat. (remm)
-      </add>
-      <add>
-        Expand the coverage of the Chinese translations provided with Apache
-        Tomcat. Contributions provided by lins and 磊. (markt)
-      </add>
-      <add>
-        Update the internal fork of Apache Commons BCEL to ff6941e (2019-12-06,
-        6.4.2-dev). Code clean-up only. (markt)
-      </add>
-      <add>
-        Update the internal fork of Apache Commons Codec to 9637dd4 (2019-12-06,
-        1.14-SNAPSHOT). Code clean-up and a fix for CODEC-265. (markt)
-      </add>
-      <add>
-        Update the internal fork of Apache Commons FileUpload to 2317552
-        (2019-12-06, 2.0-SNAPSHOT). Refactoring. (markt)
-      </add>
-      <add>
-        Update the internal fork of Apache Commons Pool 2 to 6092f92 (2019-12-06,
-        2.8.0-SNAPSHOT). Clean-up and minor refactoring. (markt)
-      </add>
-      <add>
-        Update the internal fork of Apache Commons DBCP 2 to a36390 (2019-12-06,
-        2.7.1-SNAPSHOT). Minor refactoring. (markt)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.29 (markt)" rtext="2019-11-21">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-       Refactor JMX remote RMI registry creation. This is the fix for
-       CVE-2019-12418. (remm)
-      </fix>
-      <add>
-        Improvement to CsrfPreventionFilter: expose the latest available nonce
-        as a request attribute; expose the expected nonce request parameter
-        name as a context attribute.
-        (schultz)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <add>
-        <bug>63835</bug>: Add support for Keep-Alive response header. (michaelo)
-      </add>
-      <fix>
-        Correct a logic bug in the <code>NioEndpoint</code> timeout handling
-        that meant a write timeout could be handled as a read timeout. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <add>
-        Add a warning regarding potential poor performance of the HTTP and AJP
-        connectors if <code>socket.txBufSize</code> is configured with an
-        explicit value rather than using the JVM default. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Improve OWB module based using custom shade appender. (remm)
-      </fix>
-      <fix>
-        Add security filter in OWB module in addition to the valve for more flexibility. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.28 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Bad paths for URIs can cause exceptions on Windows due to its
-        path separator, so wrap using an IOException. (remm)
-      </fix>
-      <fix>
-        <bug>63832</bug>: Properly mark container as FAILED when a JVM error
-        occurs on stop. (remm)
-      </fix>
-      <add>
-        Add more details on the usage of <code>RewriteMap</code>
-        functionality in the <code>RewriteValve</code>. (fschumacher)
-      </add>
-      <fix>
-        <bug>63836</bug> Ensure that references to the Host object are cleared
-        once the Host instance is destroyed. (markt)
-      </fix>
-      <fix>
-        Ensure that, when static resource caching is enabled for a web
-        application, all access to static files (including JSP files) goes via
-        the cache so that a consistent view of the static files is seen. Prior
-        to this change it was possible to see an updated last modified time but
-        the content would be that prior to the modification. (markt)
-      </fix>
-      <update>
-        <bug>63905</bug> Clean up Tomcat CSS. (michaelo)
-      </update>
-      <fix>
-        <bug>63909</bug>: When the <code>ExpiresFilter</code> is used without a
-        default and the response is served by the Default Servlet, ensure that
-        the filter processes the response if the Default Servlet sets a 304 (Not
-        Found) status code. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Ensure that <code>ServletRequest.isAsyncStarted()</code> returns
-        <code>false</code> once <code>AsyncContext.complete()</code> or
-        <code>AsyncContext.dispatch()</code> has been called during
-        <code>AsyncListener.onTimeout()</code> or
-        <code>AsyncListener.onError()</code>. (markt)
-      </fix>
-      <fix>
-        <bug>63816</bug> and <bug>63817</bug>: Correctly handle I/O errors after
-        asynchronous processing has been started but before the container thread
-        that started asynchronous processing has completed processing the
-        current request/response. (markt)
-      </fix>
-      <fix>
-        <bug>63825</bug>: When processing the <code>Expect</code> and
-        <code>Connection</code> HTTP headers looking for a specific token, be
-        stricter in ensuring that the exact token is present. (markt)
-      </fix>
-      <fix>
-        <bug>63829</bug>: Improve the check of the <code>Content-Encoding</code>
-        header when looking to see if Tomcat is serving pre-compressed content.
-        Ensure that only a full token is matched and that the match is case
-        insensitive. (markt)
-      </fix>
-      <fix>
-        <bug>63864</bug>: Refactor parsing of the <code>transfer-encoding</code>
-        request header to use the shared parsing code and reduce duplication.
-        (markt)
-      </fix>
-      <fix>
-        <bug>63865</bug>: Add <code>Unset</code> option to same-site cookies
-        and pass through <code>None</code> value if set by user. Patch provided
-        by John Kelly. (markt)
-      </fix>
-      <fix>
-        <bug>63879</bug>: Remove stack trace from debug logging on socket
-        wrapper close. (remm)
-      </fix>
-      <update>
-        Add connection tracking on the connector endpoint to remove excessive
-        concurrency in the protocol handler when maintaining an association
-        between the socket wrapper and its current processor. (remm)
-      </update>
-      <fix>
-        <bug>63894</bug>: Ensure that the configured values for
-        <code>certificateVerification</code> and
-        <code>certificateVerificationDepth</code> are correctly passed to the
-        OpenSSL based SSLEngine implementation. (remm/markt)
-      </fix>
-      <fix>
-        Improve cleanup after errors when setting socket options. (remm)
-      </fix>
-      <fix>
-        <bug>63859</bug>: Do not perform a blocking read after a
-        <code>CPING</code> message is received by the AJP connector because, if
-        the JK Connector is configured with
-        <code>ping_mode=&quot;I&quot;</code>, the <code>CPING</code> message
-        will not always be followed by the start of a request. (markt)
-      </fix>
-      <fix>
-        Properly calculate all dynamic parts of the ErrorReportValve response
-        on the fly in
-        <code>org.apache.coyote.http2.TestHttp2InitialConnection</code>.
-        (michaelo)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>63897</bug>: Capture the timestamp of a JSP for the purposes of
-        modification tracking before the JSP is compiled to prevent a race
-        condition if the JSP is modified during compilation. Patch provided by
-        Karl von Randow. (markt)
-      </fix>
-      <fix>
-        Fix a race condition that could mean changes to a modified JSP were not
-        visible to end users. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>63913</bug>: Wrap any <code>NullPointerException</code>s throw by
-        the <code>Inflater</code> or <code>Deflater</code> used by the
-        <code>PerMessageDeflate</code> extension in an <code>IOException</code>
-        so that the error can be caught and handled by the WebSocket error
-        handling mechanism. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Correct the description of the default value for the server attribute in
-        the security How-To. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        <bug>63815</bug>: Quote the use of <code>CATALINA_OPTS</code> and
-        <code>JAVA_OPTS</code> when used in shell scripts to avoid the expansion
-        of <code>*</code>. Note that any newlines present in
-        <code>CATALINA_OPTS</code> and/or <code>JAVA_OPTS</code> will no longer
-        removed. (markt)
-      </fix>
-      <fix>
-        <bug>63826</bug>: Remove <code>commons-daemon-native.tar.gz</code> and
-        <code>tomcat-native.tar.gz</code> from the binary zip distributions for
-        Windows since compiled versions of those components are already
-        included within the zip distributions. (markt)
-      </fix>
-      <fix>
-        <bug>63838</bug>: Suppress reflexive access warnings when running the
-        unit tests on the command line. (markt)
-      </fix>
-      <fix>
-        Add missing charsets from the HPE JVM on HP-UX to pass unit tests in
-        <code>org.apache.tomcat.util.buf.TestCharsetCache</code>. (michaelo)
-      </fix>
-      <update>
-        Update the CXF module to Apache CXF 3.3.4. (remm)
-      </update>
-      <add>
-        Expand the coverage and quality of the French translations provided
-        with Apache Tomcat. (remm)
-      </add>
-      <add>
-        Expand the coverage and quality of the Japanese translations provided
-        with Apache Tomcat. Patch provided by motohashi.yuki. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Simplified Chinese translations
-        provided with Apache Tomcat. Contributions provided by rpo130, Mason
-        Shen, leeyazhou, winsonzhao, qingshi huang, Lay, Shucheng Hou and
-        Yanming Zhou. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Brazilian Portuguese translations
-        provided with Apache Tomcat. Patch provided by Danielamorais. (markt)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.27 (markt)" rtext="2019-10-11">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Correct a regression introduced in 9.0.25 that prevented configuration
-        files from being loaded from the class path. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Use URL safe base 64 encoding rather than standard base 64 encoding when
-        generating or parsing the <code>HTTP2-Settings</code> header as part of
-        an HTTP upgrade to <code>h2c</code> as required by RFC 7540. (markt)
-      </fix>
-      <fix>
-        <bug>63765</bug>: NIO2 should try to unwrap after TLS handshake to
-        avoid edge cases. (remm)
-      </fix>
-      <fix>
-        <bug>63766</bug>: Ensure Processor objects are recycled when processing
-        an HTTP upgrade connection that terminates before processing switches to
-        the Processor for the upgraded protocol. (markt)
-      </fix>
-      <fix>
-        Fix a memory leak introduced by the HTTP/2 timeout refactoring in 9.0.23
-        that could occur when HTTP/2 or WebSocket was used. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <update>
-        Update to the Eclipse JDT compiler 4.13. (markt)
-      </update>
-      <fix>
-        Add GraalVM specific ELResolver to avoid BeanInfo use in BeanElResolver
-        if possible, as it needs manual reflection configuration. (remm)
-      </fix>
-      <fix>
-        <bug>63781</bug>: When performing various checks related to the
-        visibility of classes, fields an methods in the EL implementation, also
-        check that the containing module has been exported. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web Socket">
-    <changelog>
-      <fix>
-        <bug>63753</bug>: Ensure that the <code>Host</code> header in a Web
-        Socket HTTP upgrade request only contains a port if a non-default port
-        is being used. (markt)
-      </fix>
-      <fix>
-        When running on Java 9 and above, don't attempt to instantiate WebSocket
-        Endpoints found in modules that are not exported. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web Applications">
-    <changelog>
-      <add>
-        Add base GraalVM documentation. (remm)
-      </add>
-      <add>
-        Add Javadoc for the Common Annotations API implementation. (markt)
-      </add>
-      <fix>
-        Correct various typos in the comments, error messages and Javadoc. Patch
-        provided by 康智冬. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        When connections are validated without an explicit validation query,
-        ensure that any transactions opened by the validation process are
-        committed. Patch provided by Pascal Davoust. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <scode>
-        Deprecate <code>org.apache.tomcat.util.compat.TLS</code>.
-        Its functionality was only used for unit tests in
-        <code>org.apache.tomcat.util.net.TesterSupport</code>
-        and has been moved there. (rjung)
-      </scode>
-      <fix>
-        <bug>63759</bug>: When installing Tomcat with the Windows installer,
-        grant sufficient privileges to enable the uninstaller to execute when
-        user account control is active. (markt)
-      </fix>
-      <add>
-        Use a build property to define the minimum supported Java version and
-        use that build property to reduce the number of edits required to update
-        the minimum supported Java version. (markt)
-      </add>
-      <update>
-        Update the OWB module to Apache OpenWebBeans 2.0.12. (remm)
-      </update>
-      <update>
-        Update the CXF module to Apache CXF 3.3.3. (remm)
-      </update>
-      <update>
-        <bug>63767</bug>: Update to Commons Daemon 1.2.2. This corrects a
-        regression in Commons Daemon 1.2.0 and 1.2.1 that caused the Windows
-        Service to crash on start when running on an operating system that had
-        not been fully updated. (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.26 (markt)" rtext="2019-09-19">
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Re-tagged to ensure that the source file for the changelog did not
-        contain an XML byte order mark. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.25 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Avoid a possible <code>InvalidPathException</code> when obtaining a URI
-        for a configuration file. (markt)
-      </fix>
-      <fix>
-        <bug>63684</bug>: <code>Wrapper</code> never passed to
-        <code>RealmBase.hasRole()</code> for given security constraints.
-        (michaelo)
-      </fix>
-      <fix>
-        <bug>63740</bug>: Ensure configuration files are loaded correctly when a
-        <code>Host</code> is configured with an <code>xmlBase</code>. Patch
-        provided by uk4sx. (markt)
-      </fix>
-      <fix>
-        Avoid a potential <code>NullPointerException</code> on Service stop if a
-        Service is embedded directly (i.e. with no Server) in an application
-        and JNDI is enabled. Patch provided by S. Ali Tokmen. (markt)
-      </fix>
-      <add>
-        Add a new <code>PropertySource</code> implementation,
-        <code>EnvironmentPropertySource</code>, that can be used to do property
-        replacement in configuration files with environment variables. Based on
-        a pull request provided by Thomas Meyer. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        <bug>63682</bug>: Fix a potential hang when using the asynchronous
-        Servlet API to write the response body and the stream and/or connection
-        window reaches 0 bytes in size. (markt)
-      </fix>
-      <fix>
-        <bug>63690</bug>: Use the average of the current and previous sizes when
-        calculating overhead for HTTP/2 <code>DATA</code> and
-        <code>WINDOW_UPDATE</code> frames to avoid false positives as a result
-        of client side buffering behaviour that causes a small percentage of
-        non-final DATA frames to be smaller than expected. (markt)
-      </fix>
-      <fix>
-        <bug>63706</bug>: Avoid NPE accessing https port with plaintext. (remm)
-      </fix>
-      <fix>
-        Correct typos in the names of the configuration attributes
-        <code>overheadDataThreshold</code> and
-        <code>overheadWindowUpdateThreshold</code>. (markt)
-      </fix>
-      <fix>
-        If the HTTP/2 connection requires an initial window size larger than the
-        default, send a WINDOW_UPDATE to increase the flow control window for the
-        connection so that the initial size of the flow control window for the
-        connection is consistent with the increased value. (markt)
-      </fix>
-      <fix>
-        <bug>63710</bug>: When using HTTP/2, ensure that a
-        <code>content-length</code> header is not set for those responses with
-        status codes that do not permit one. (markt)
-      </fix>
-      <fix>
-        <bug>63737</bug>: Correct various issues when parsing the
-        <code>accept-encoding</code> header to determine if gzip encoding is
-        supported including only parsing the first header found. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>63724</bug>: Correct a regression introduced in 9.0.21 that broke
-        compilation of JSPs in some configurations. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Correct the source code links on the index page for the ROOT web
-        application to point to Git rather than Subversion. (markt)
-      </fix>
-      <fix>
-        Fix various issues with the Javadoc generated for the documentation web
-        application to enable release builds to be built with Java 10 onwards.
-        (markt)
-      </fix>
-      <fix>
-        <bug>63733</bug>: Remove the documentation for the &quot;Additional
-        Components&quot; since they have been removed / merged into the core
-        Tomcat distribution for 9.0.5 onwards. (markt)
-      </fix>
-      <fix>
-        <bug>63739</bug>: Correct the invalid <code>Automatic-Module-Name</code>
-        manifest entries for the Tomcat provided JARs included in the Tomcat
-        embedded distribution. (markt)
-      </fix>
-      <fix>
-        Fix a large number of Javadoc and documentation typos. Patch provided by
-        KangZhiDong. (markt)
-      </fix>
-      <fix>
-        Spelling and formatting corrections for the cluster how-to. Pull request
-        provided by Bill Mitchell. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <add>
-        Expand the coverage and quality of the French translations provided
-        with Apache Tomcat. (remm)
-      </add>
-      <add>
-        Expand the coverage and quality of the Simplified Chinese translations
-        provided with Apache Tomcat. Includes contributions by leeyazhou and
-        康智冬. (markt)
-      </add>
-      <fix>
-        <bug>62140</bug>: Additional usage documentation in comments for
-        <code>catalina.[bat|sh]</code>. (markt)
-      </fix>
-      <fix>
-        Fix <code>JSSE_OPTS</code> quoting in <code>catalina.bat</code>.
-        Contributed by Peter Uhnak. (fschumacher)
-      </fix>
-      <update>
-        <bug>63625</bug>: Update to Commons Daemon 1.2.1. This corrects several
-        regressions in Commons Daemon 1.2.1, most notably the Windows Service
-        crashing on start when using 32-bit JVMs. (markt)
-      </update>
-      <fix>
-        <bug>63689</bug>: Correct a regression in the fix for <bug>63285</bug>
-        that meant that when installing a service, the service display name was
-        not set. (markt)
-      </fix>
-      <fix>
-        When performing a silent install with the Windows Installer, ensure that
-        the registry entries are added to the 64-bit registry when using a
-        64-bit JVM. (markt)
-      </fix>
-      <fix>
-        Remove unused i18n messages and associated translations. Patch provided
-        by KangZhiDong. (markt)
-      </fix>
-      <add>
-        Expand the coverage and quality of the Korean translations provided
-        with Apache Tomcat. (woonsan)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.24 (markt)" rtext="2019-08-17">
-  <subsection name="Coyote">
-    <changelog>
-      <scode>
-        Remove the code in the sendfile poller that ensured smaller pollsets
-        were used with older, no longer supported versions of Windows that
-        could not support larger pollsets. (markt)
-      </scode>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.23 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        <bug>57665</bug>: Add support for the <code>X-Forwarded-Host</code>
-        header to the <code>RemoteIpFilter</code> and <code>RemoteIpValve</code>.
-        (markt)
-      </add>
-      <add>
-        <bug>62496</bug>: Add option to write auth information (remote user/auth type)
-        to response headers. (michaelo)
-      </add>
-      <fix>
-        <bug>63550</bug>: Only try the <code>alternateURL</code> in the
-        <code>JNDIRealm</code> if one has been specified. (markt)
-      </fix>
-      <add>
-        <bug>63556</bug>: Mark request as forwarded in RemoteIpValve and
-        RemoteIpFilter (michaelo)
-      </add>
-      <fix>
-        <bug>63579</bug>: Correct parsing of malformed OPTIONS requests and
-        reject them with a 400 response rather than triggering an internal error
-        that results in a 500 response. (markt)
-      </fix>
-      <fix>
-        <bug>63608</bug>: Align the implementation of the negative match feature
-        for patterns used with the <code>RewriteValve</code> with the
-        description in the documentation. (markt)
-      </fix>
-      <update>
-        <bug>63627</bug>: Implement more fine-grained handling in
-        <code>RealmBase.authenticate(GSSContext, boolean)</code>. (michaelo)
-      </update>
-      <fix>
-        If an unhandled exception occurs on a asynchronous thread started via
-        <code>AsyncContext.start(Runnable)</code>, process it using the standard
-        error page mechanism. (markt)
-      </fix>
-      <fix>
-        Discard large byte buffers allocated using setBufferSize when recycling
-        the request. (remm)
-      </fix>
-      <fix>
-        Avoid a <code>NullPointerException</code> in the
-        <code>CrawlerSessionManagerValve</code> if no ROOT Context is deployed
-        and a request does not map to any of the other deployed Contexts. Patch
-        provided by Jop Zinkweg. (markt)
-      </fix>
-      <fix>
-        <bug>63636</bug>: <code>Context.findRoleMapping()</code> never called
-        in <code>StandardWrapper.findSecurityReference()</code>. (michaelo)
-      </fix>
-     </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <scode>
-        Refactor the APR poller to always use a single pollset now that the
-        Windows operating systems that required multiple smaller pollsets to be
-        used are no longer supported. (markt)
-      </scode>
-      <fix>
-        <bug>63524</bug>: Improve the handling of PEM file based keys and
-        certificates that do not include a full certificate chain when
-        configuring the internal, in-memory key store. Improve the handling of
-        PKCS#1 formatted private keys when configuring the internal, in-memory
-        key store. (markt)
-      </fix>
-      <update>
-        Add callback when finishing the set properties rule in the digester.
-        (remm)
-      </update>
-      <fix>
-        <bug>63568</bug>: Avoid error when trying to set tcpNoDelay on socket
-        types that do not support it, which can occur when using the NIO
-        inherited channel capability. Submitted by František Kučera. (remm)
-      </fix>
-      <fix>
-        <bug>63570</bug>: Fix regression retrieving local address with
-        the NIO connector. Submitted by Aditya Kadakia. (remm)
-      </fix>
-      <fix>
-        Correct parsing of invalid host names that contain bytes in the range
-        128 to 255 and reject them with a 400 response rather than triggering an
-        internal error that results in a 500 response. (markt)
-      </fix>
-      <fix>
-        <bug>63571</bug>: Allow users to configure infinite TLS session caches
-        and/or timeouts. (markt)
-      </fix>
-      <fix>
-        <bug>63578</bug>: Improve handling of invalid requests so that 400
-        responses are returned to the client rather than 500 responses. (markt)
-      </fix>
-      <fix>
-        Fix h2spec test suite failure. It is an error if a Huffman encoded
-        string literal contains the EOS symbol. (jfclere)
-      </fix>
-      <add>
-        Connections that fail the TLS handshake will now appear in the access
-        logs with a 400 status code. (markt)
-      </add>
-      <fix>
-        Timeouts for HTTP/2 connections were not always correctly handled
-        leaving some connections open for longer than expected. (markt)
-      </fix>
-      <fix>
-        <bug>63650</bug>: Refactor initialisation for JSSE based TLS connectors
-        to enable custom JSSE providers that provide custom cipher suites to be
-        used. (markt)
-      </fix>
-      <add>
-        Expand the HTTP/2 excessive overhead protection to cover various forms
-        of abusive client behaviour and close the connection if any such
-        behaviour is detected. (markt)
-      </add>
-      <fix>
-        Fix a crash on shutdown with the APR/native connector when a blocking
-        I/O operation was still in progress when the connector stopped. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Cluster">
-    <changelog>
-      <fix>
-        Avoid failing Kubernetes membership (and preventing startup) if the
-        stream cannot be opened, to get the same behavior as the DNS based
-        membership. The namespace is still a failure on startup but it is easy
-        to provide. (remm)
-      </fix>
-      <fix>
-        Avoid non fatal NPEs with Tribes when JMX is not available. (remm)
-      </fix>
-      <fix>
-        Make Kube environment optional for Kube memberships, for easier testing
-        and Graal training. A warn log will occur if the environment is not
-        present. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        <bug>63597</bug>: Update the custom 404 error page for the Host Manager
-        to take account of previous refactoring so that the page is used for
-        404 errors rather than falling back to the default error page. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        JNDI support for GraalVM native images. (remm)
-      </fix>
-      <fix>
-        JSP runtime library support for GraalVM native images. (remm)
-      </fix>
-      <fix>
-        java.util.logging configuration for GraalVM native images. (remm)
-      </fix>
-      <update>
-        Update Checkstyle to 8.22. (markt)
-      </update>
-      <fix>
-        <bug>55969</bug>: Tighten up the security of the Apache Tomcat
-        installation created by the Windows installer. Change the default
-        shutdown port used by the Windows installer from <code>8005</code> to
-        <code>-1</code> (disabled). Limit access to the chosen installation
-        directory to local administrators, Local System and Local Service.
-        (markt)
-      </fix>
-      <update>
-        <bug>62696</bug>: The digital signature for the Windows installer now
-        uses SHA-256 for hashes. (markt)
-      </update>
-      <add>
-        <bug>63285</bug>: Add an option to <code>service.bat</code> so that when
-        installing a Windows service, the name of the executables used by the
-        Windows service may be changed to match the service name. This
-        makes the installation behaviour consistent with the Windows installer.
-        The original executable names will be restored when the Windows service
-        is removed. The renaming can be enabled by using the new
-        <code>--rename</code> option after the service name. (markt)
-      </add>
-      <update>
-        <bug>63310</bug>: Update to Commons Daemon 1.2.0. This provides improved
-        support for Java 11. This also changes the user configured by the
-        Windows installer for the Windows service from <code>Local System</code>
-        to the lower privileged <code>Local Service</code>. (markt)
-      </update>
-      <add>
-        Expand the coverage and quality of the French translations provided
-        with Apache Tomcat. (remm)
-      </add>
-      <fix>
-        <bug>63555</bug>: Add <code>Automatic-Module-Name</code> entries for
-        each of the Tomcat provided JARs included in the Tomcat embedded
-        distribution. (markt)
-      </fix>
-      <fix>
-        <bug>63567</bug>: Restore the passing of <code>$LOGGING_MANAGER</code>
-        to the jvm in <code>catalina.sh</code> when calling <code>stop</code>.
-        (markt)
-      </fix>
-      <fix>
-        Correct broken OSGi data in JAR file manifests. (markt)
-      </fix>
-      <fix>
-        Add &quot;embed&quot; to the <code>Bundle-Name</code> and
-        <code>Bundle-Symbolic-Name</code> for the Tomcat embedded WebSocket JAR
-        to align the naming with the other embedded JARs and to differentiate it
-        from the standard WebSocket JAR that does not include the API classes.
-        (markt)
-      </fix>
-      <update>
-        Update dependency on bnd to 4.2.0. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons Codec to 3ebef4a (2018-08-01) to
-        pick up the fix for CODEC-134. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons Pool2 to 796e32d (2018-08-01) to
-        pick up the changes Commons Pool2 2.7.0. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons DBCP2 to 87d9e3a (2018-08-01) to
-        pick up the changes Commons DBCP2 2.7.0 and DBCP-555. (markt)
-      </update>
-      <update>
-        <bug>63648</bug>: Update the test TLS keys and certificates used in the
-        test suite to replace the keys and certificates that are about to
-        expire. (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.22 (markt)" rtext="2019-07-09">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Improve parsing of Range request headers. (markt)
-      </fix>
-      <fix>
-        Range headers that specify a range unit Tomcat does not recognise should
-        be ignored rather than triggering a 416 response. Based on a pull
-        request by zhanhb. (markt)
-      </fix>
-      <fix>
-        When comparing a date from a <code>If-Range</code> header, an exact
-        match is required. Based on a pull request by zhanhb. (markt)
-      </fix>
-      <fix>
-        Add an option to the default servlet to disable processing of PUT
-        requests with Content-Range headers as partial PUTs. The default
-        behaviour (processing as partial PUT) is unchanged. Based on a pull
-        request by zhanhb. (markt)
-      </fix>
-      <fix>
-        Improve parsing of Content-Range headers. (markt)
-      </fix>
-      <update>
-        Update the recommended minimum Tomcat Native version to 1.2.23. (markt)
-      </update>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Remove a source of potential deadlocks when using HTTP/2 when the
-        Connector is configured with <code>useAsyncIO</code> as
-        <code>true</code>. (markt)
-      </fix>
-      <fix>
-        <bug>63523</bug>: Restore SSLUtilBase methods as protected to preserve
-        compatibility. (remm)
-      </fix>
-      <fix>
-        Fix typo in UTF-32LE charset name. Patch by zhanhb via Github.
-        (fschumacher)
-      </fix>
-      <fix>
-        Once a URI is identified as invalid don't attempt to process it further.
-        Based on a PR by Alex Repert. (markt)
-      </fix>
-      <fix>
-        Fix to avoid the possibility of long poll times for individual pollers
-        when using multiple pollers with APR. (markt)
-      </fix>
-      <fix>
-        Refactor the fix for <bug>63205</bug> so it only applies when using
-        PKCS12 keystores as regressions have been reported with some other
-        keystore types. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <add>
-        Include file names if SMAP processor is unable to delete or rename a
-        class file during SMAP generation. (markt)
-      </add>
-      <update>
-        Update to the Eclipse JDT compiler 4.12. (markt)
-      </update>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>63521</bug>: As required by the WebSocket specification, if a POJO
-        that is deployed as a result of the SCI scan for annotated POJOs is
-        subsequently deployed via the programmatic API ignore the programmatic
-        deployment. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Switch the check for terminal availability to test for stdin as using
-        stdout does not work when output is piped to another process. Patch
-        provided by Radosław Józwik. (markt)
-      </fix>
-      <add>
-        Add user buildable optional modules for easier CDI 2 and JAX-RS
-        support. Also include a new documentation page describing how
-        to use it. (remm)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.21 (markt)" rtext="2019-06-07">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        <bug>57287</bug>: Add file sorting to DefaultServlet (schultz)
-      </add>
-      <fix>
-        Fix <code>--no-jmx</code> flag processing, which was called after
-        registry initialization. (remm)
-      </fix>
-      <fix>
-        Ensure that a default request character encoding set on a
-        <code>ServletContext</code> is used when calling
-        <code>ServletRequest#getReader()</code>. (markt)
-      </fix>
-      <fix>
-        Make a best efforts attempt to clean-up if a request fails during
-        processing due to an <code>OutOfMemoryException</code>. (markt)
-      </fix>
-      <fix>
-        Improve the BoM detection for static files handled by the default
-        servlet for the rarely used UTF-32 encodings. Identified by Coverity
-        Scan. (markt)
-      </fix>
-      <fix>
-        Ensure that the default servlet reads the entire global XSLT file if
-        one is defined. Identified by Coverity Scan. (markt)
-      </fix>
-      <fix>
-        Avoid potential <code>NullPointerException</code> when generating an
-        HTTP <code>Allow</code> header. Identified by Coverity Scan. (markt)
-      </fix>
-      <scode>
-        Add <code>Context.createInstanceManager()</code> for easier framework
-        integration. (remm)
-      </scode>
-      <scode>
-        Add utility <code>org.apache.catalina.core.FrameworkListener</code> to
-        allow replicating adding a Listener to context.xml in a programmatic
-        way. (remm)
-      </scode>
-      <scode>
-        Move <code>Container.ADD_CHILD_EVENT</code> to before the child
-        container start, and <code>Container.REMOVE_CHILD_EVENT</code> to
-        before removal of the child from the internal child collection.
-        (remm)
-      </scode>
-      <add>
-        Remove any fragment included in the target path used to obtain a
-        <code>RequestDispatcher</code>. The requested target path is logged as a
-        warning since this is an application error. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        NIO poller seems to create some unwanted concurrency, causing rare
-        CI test failures. Add sync when processing async operation to avoid
-        this. (remm)
-      </fix>
-      <fix>
-        Fix concurrency issue that lead to incorrect HTTP/2 connection timeout.
-        (remm/markt)
-      </fix>
-      <fix>
-        Avoid useless exception wrapping in async IO. (remm)
-      </fix>
-      <fix>
-        <bug>63412</bug>: Security manager failure when using the async IO
-        API from a webapp. (remm)
-      </fix>
-      <fix>
-        Remove <code>acceptorThreadCount</code> Connector attribute,
-        one accept thread is sufficient. As documented, value <code>2</code>
-        was the only other sensible value, but without and impact beyond
-        certain microbenchmarks. (remm)
-      </fix>
-      <fix>
-        Avoid possible NPEs on connector stop. (remm)
-      </fix>
-      <update>
-        Remove <code>pollerThreadCount</code> Connector attribute for NIO,
-        one poller thread is sufficient. (remm)
-      </update>
-      <add>
-        Add async IO for APR connector for consistency, but disable it by
-        default due to low performance. (remm)
-      </add>
-      <fix>
-        Avoid blocking write of internal buffer when using async IO. (remm)
-      </fix>
-      <scode>
-        Refactor async IO implementation to the <code>SocketWrapperBase</code>.
-        (remm)
-      </scode>
-      <update>
-        Refactor <code>SocketWrapperBase</code> close using an atomic boolean
-        and a <code>doClose</code> method that subclasses will implement, with
-        a guarantee that it will be run only once. (remm)
-      </update>
-      <fix>
-        Decouple the socket wrapper, which is not recycled, from the NIOx
-        channel after close, and replace it with a dummy static object. (remm)
-      </fix>
-      <fix>
-        Clear buffers on socket wrapper close. (remm)
-      </fix>
-      <fix>
-        NIO2 failed to properly close sockets on connector stop. (remm)
-      </fix>
-      <update>
-        Reduce the default for <code>maxConcurrentStreams</code> on the
-        <code>Http2Protocol</code> from 200 to 100 to align with typical
-        defaults for HTTP/2 implementations. (markt)
-      </update>
-      <update>
-        Reduce the default HTTP/2 header list size from 4GB to 32kB to align
-        with typical HTTP/2 implementations. (markt)
-      </update>
-      <add>
-        Add support for same-site cookie attribute. Patch provided by John
-        Kelly. (markt)
-      </add>
-      <fix>
-        Drop legacy NIO double socket close (close channel, then close
-        socket). (remm)
-      </fix>
-      <fix>
-        Fix HTTP/2 end of stream concurrency with async. (remm)
-      </fix>
-      <fix>
-        Correct a bug in the stream flushing code that could lead to multiple
-        threads processing the stream concurrently which in turn could cause
-        errors processing the stream. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Cluster">
-    <changelog>
-      <fix>
-        <bug>62841</bug>: Refactor the <code>DeltaRequest</code> serialization
-        to reduce the window during which the <code>DeltaSession</code> is
-        locked and to remove a potential cause of deadlocks during
-        serialization. (markt)
-      </fix>
-      <fix>
-        <bug>63441</bug>: Further streamline the processing of session creation
-        messages in the <code>DeltaManager</code> to reduce the possibility of a
-        session update message being processed before the session has been
-        created. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        Fix timeout logic for async non blocking writes. Identified by
-        Coverity Scan. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <add>
-        Expand the explanation of how deprecated TLS configuration attributes
-        are converted to the new TLS configuration style. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        Treat <code>NoRouteToHostException</code> the same way as
-        <code>SocketTimeoutException</code> when checking the health of group
-        members. This avoids a SEVERE log message every time the check is
-        performed when the host associated with a group member is not powered
-        on. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Switch from FindBugs to SpotBugs. (fschumacher)
-      </update>
-      <update>
-        Start Graal native image compatibility, using the tomcat-maven
-        packaging. (remm)
-      </update>
-      <fix>
-        <bug>63403</bug>: Fix TestHttp2InitialConnection test failures when
-        running with a non-English locale. (kkolinko)
-      </fix>
-      <fix>
-        Add Graal JreCompat, and use it to disable JMX and URL stream handlers.
-        (remm)
-      </fix>
-      <add>
-        Expand the coverage and quality of the Czech translations provided
-        with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the German translations provided
-        with Apache Tomcat. Includes contributions by Niklasmerz, dusiema and
-        Jens. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the French translations provided
-        with Apache Tomcat. (remm)
-      </add>
-      <add>
-        Expand the coverage and quality of the Simplified Chinese translations
-        provided with Apache Tomcat. Includes contributions by 諵. (markt)
-      </add>
-      <fix>
-        Use the <code>test</code> command to check for terminal availability
-        rather than the <code>tty</code> command since the <code>tty</code>
-        based test fails on non-English locales. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.20 (markt)" rtext="2019-05-13">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Fix some edge cases where the docBase was not being set using a canonical
-        path which in turn meant resource URLs were not being constructed as
-        expected. (markt)
-      </fix>
-      <fix>
-        Fix a potential resource leak when executing CGI scripts from a WAR
-        file. Identified by Coverity scan. (markt)
-      </fix>
-      <fix>
-        Fix a potential concurrency issue in the StringCache identified by
-        Coverity scan. (markt)
-      </fix>
-      <fix>
-        Fix a potential concurrency issue in the main Sendfile thread of the APR
-        connector. Identified by Coverity scan. (markt)
-      </fix>
-      <fix>
-        Fix a potential resource leak when running a web application from a WAR
-        file. Identified by Coverity scan. (markt)
-      </fix>
-      <fix>
-        Fix a potential resource leak on some exception paths in the
-        <code>DataSourceRealm</code>. Identified by Coverity scan. (markt)
-      </fix>
-      <fix>
-        Fix a potential resource leak on an exception path when parsing JSP
-        files. Identified by Coverity scan. (markt)
-      </fix>
-      <fix>
-        Fix a potential resource leak when a JNDI lookup returns an object of an
-        in compatible class. Identified by Coverity scan. (markt)
-      </fix>
-      <scode>
-        Refactor <code>ManagerServlet</code> to avoid loading classes when
-        filtering JNDI resources for resources of a specified type. (markt)
-      </scode>
-      <fix>
-        <bug>63324</bug>: Refactor the <code>CrawlerSessionManagerValve</code>
-        so that the object placed in the session is compatible with session
-        serialization with mem-cached. Patch provided by Martin Lemanski.
-        (markt)
-      </fix>
-      <add>
-        <bug>63358</bug>: Expand the <code>throwOnFailure</code> support in the
-        <code>Connector</code> to include the adding of a <code>Connector</code>
-        to a running <code>Service</code>. (markt)
-      </add>
-      <add>
-        <bug>63361</bug>: Add a new method
-        (<code>Registry.disableRegistry()</code>) that can be used to disable
-        JMX registration of Tomcat components providing it is called before the
-        first component is registered. (markt)
-      </add>
-      <fix>
-        Avoid <code>OutOfMemoryError</code>s and
-        <code>ArrayIndexOutOfBoundsException</code>s when accessing large files
-        via the default servlet when resource caching has been disabled. (markt)
-      </fix>
-      <fix>
-        Avoid a <code>NullPointerException</code> when a <code>Context</code> is
-        defined in <code>server.xml</code> with a <code>docBase</code> but not
-        the optional <code>path</code>. (markt)
-      </fix>
-      <fix>
-        <bug>63333</bug>: Override the <code>isAvailable()</code> method in the
-        <code>JAASRealm</code> so that only login failures caused by invalid
-        credentials trigger account lock out when the <code>LockOutRealm</code>
-        is in use. Patch provided by jchobantonov. (markt)
-      </fix>
-      <fix>
-        Add <code>--no-jmx</code> flag to allow disabling JMX in
-        <code>startup.Tomcat.main</code>. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        The <code>useAsyncIO</code> boolean attribute on the Connector element
-        value now defaults to <code>true</code>. (remm)
-      </fix>
-      <fix>
-        Possible HTTP/2 connection leak issue when using async with NIO. (remm)
-      </fix>
-      <fix>
-        Fix socket close discrepancies for NIO, now the wrapper close
-        is used everywhere except for socket accept problems. (remm)
-      </fix>
-      <fix>
-        Implement poller timeout when using async IO with NIO. (remm)
-      </fix>
-      <fix>
-        Avoid creating and using object caches when they are disabled. (remm)
-      </fix>
-      <fix>
-        When running on newer JREs that don't support SSLv2Hello, don't warn
-        that it is not available unless explicitly configured. (markt)
-      </fix>
-      <fix>
-        Change default value of <code>pollerThreadCount</code> of NIO
-        to <code>1</code>. (remm)
-      </fix>
-      <fix>
-        Associate BlockPoller thread name with its NIO connector for better
-        readability. (remm)
-      </fix>
-      <fix>
-        The async HTTP/2 frame parser should tolerate concurrency so clearing
-        shared buffers before attempting a read is not possible. (remm)
-      </fix>
-      <update>
-        Update the HTTP/2 connection preface and initial frame reading to be
-        asynchronous instead of blocking IO. (remm)
-      </update>
-      <scode>
-        Refactor Hostname validation to improve performance. Patch provided by
-        Uwe Hees. (markt)
-      </scode>
-      <update>
-        Add additional NIO2 style read and write methods closer to core NIO2,
-        for possible use with an asynchronous workflow like CompletableFuture.
-        (remm)
-      </update>
-      <fix>
-        Expand HTTP/2 timeout handling to include connection window exhaustion
-        on write. This is the fix for CVE-2019-10072. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>63359</bug>: Ensure that the type conversions used when converting
-        from strings for <code>jsp:setProperty</code> actions are correctly
-        implemented as per section JSP.1.14.2.1 of the JSP 2.3 specification.
-        (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        <bug>63335</bug>: Ensure that stack traces written by the
-        <code>OneLineFormatter</code> are fully indented. The entire stack trace
-        is now indented by an additional TAB character. (markt)
-      </fix>
-      <fix>
-        <bug>63370</bug>: Message files (LocalStrings_*.properties) of the
-        examples webapp not converted to ascii. (woonsan)
-      </fix>
-      <add>
-        Expand the coverage and quality of the French translations provided
-        with Apache Tomcat. (remm)
-      </add>
-      <add>
-        Expand the coverage and quality of the Japanese translations provided
-        with Apache Tomcat. Includes contributions by motohashi.yuki. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Czech translations provided
-        with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
-      </add>
-      <fix>
-        When using the <code>OneLineFormatter</code>, don't print a blank line
-        in the log after printing a stack trace. (markt)
-      </fix>
-      <update>
-        Update the internal fork of Apache Commons FileUpload to 41e4047
-        (2019-04-24) pick up some enhancements. (markt)
-      </update>
-      <update>
-        Update the internal fork of Apache Commons DBCP 2 to dcdbc72
-        (2019-04-24) to pick up some clean-up and enhancements. (markt)
-      </update>
-      <update>
-        Update the internal fork of Apache Commons Pool 2 to 0664f4d
-        (2019-04-30) to pick up some enhancements and bug fixes. (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.19 (markt)" rtext="2019-04-13">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Fix wrong JMX registration regression in 9.0.18. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <update>
-        Add vectoring for NIO in the base and SSL channels. (remm)
-      </update>
-      <add>
-        Add asynchronous IO from NIO2 to the NIO connector, with support for
-        the async IO implementations for HTTP/2 and Websockets. The
-        <code>useAsyncIO</code> boolean attribute on the Connector element
-        allows enabling use of the asynchronous IO API. (remm)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Ensure that the correct files are included in the source distribution
-        for javacc based parsers depending on whether jjtree is used or not.
-        (markt)
-      </fix>
-      <fix>
-        Ensure that text files in the source distribution have the correct line
-        endings for the target platform. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.18 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>63196</bug>: Provide a default (<code>X-Forwarded-Proto</code>) for
-        the <code>protocolHeader</code> attribute of the
-        <code>RemoteIpFilter</code> and <code>RemoteIpValve</code>. (markt)
-      </fix>
-      <fix>
-        <bug>63235</bug>: Refactor Charset cache to reduce start time. (markt)
-      </fix>
-      <fix>
-        <bug>63249</bug>: Use a consistent log level (<code>WARN</code>) when
-        logging the failure to register or deregister a JMX Bean. (markt)
-      </fix>
-      <fix>
-        <bug>63249</bug>: Use a consistent log level (<code>ERROR</code>) when
-        logging the <code>LifecycleException</code> associated with the failure
-        to start or stop a component. (markt)
-      </fix>
-      <fix>
-        When the SSI directive <code>fsize</code> is used with an invalid
-        target, return a file size of <code>-</code> rather than
-        <code>1k</code>. (markt)
-      </fix>
-      <fix>
-        <bug>63251</bug>: Implement a work-around for a known JRE bug (<a
-        href="https://bugs.openjdk.java.net/browse/JDK-8194653">JDK-8194653</a>)
-        that may cause a dead-lock when Tomcat starts. (markt)
-      </fix>
-      <fix>
-        <bug>63275</bug>: When using a <code>RequestDispatcher</code> ensure
-        that <code>HttpServletRequest.getContextPath()</code> returns an encoded
-        path in the dispatched request. (markt)
-      </fix>
-      <update>
-        Add optional listeners for Server/Listener, as a slight variant of
-        a standard listener. The difference is that loading is not fatal when
-        it fails. This would allow adding example configuration to the standard
-        server.xml if deemed useful. Storeconfig will not attempt to persist
-        the new listener. (remm)
-      </update>
-      <fix>
-        <bug>63286</bug>: Document the differences in behaviour between the
-        <code>LogFormat</code> directive in httpd and the <code>pattern</code>
-        attribute in the <code>AccessLogValve</code> for <code>%D</code> and
-        <code>%T</code>. (markt)
-      </fix>
-      <fix>
-        <bug>63287</bug>: Make logging levels more consistent for similar issues
-        of similar severity. (markt)
-      </fix>
-      <fix>
-        <bug>63311</bug>: Add support for https URLs to the local resolver within
-        Tomcat used to resolve standard XML DTDs and schemas when Tomcat is
-        configured to validate XML configuration files such as web.xml. (markt)
-      </fix>
-      <fix>
-        Encode the output of the SSI <code>printenv</code> command. This is the
-        fix for CVE-2019-0221. (markt)
-      </fix>
-      <scode>
-        Use constants for SSI encoding values. (markt)
-      </scode>
-      <add>
-        When the CGI Servlet is configured with
-        <code>enableCmdLineArguments</code> set to true, limit the encoded form
-        of the individual command line arguments to those values allowed by RFC
-        3875. This restriction may be relaxed by the use of the new
-        initialisation parameter <code>cmdLineArgumentsEncoded</code>. (markt)
-      </add>
-      <add>
-        When the CGI Servlet is configured with
-        <code>enableCmdLineArguments</code> set to true, limit the decoded form
-        of the individual command line arguments to known safe values when
-        running on Windows. This restriction may be relaxed by the use of the
-        new initialisation parameter <code>cmdLineArgumentsDecoded</code>. This
-        is the fix for CVE-2019-0232. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Fix bad interaction between NIO2 async read API and the regular read.
-        (remm)
-      </fix>
-      <fix>
-        Refactor NIO2 write pending strategy for the classic IO API. (remm)
-      </fix>
-      <fix>
-        Restore original maxConnections default for NIO2 as the underlying
-        close issues have been fixed. (remm)
-      </fix>
-      <fix>
-        Harmonize NIO2 isReadyForWrite with isReadyForRead code. (remm)
-      </fix>
-      <fix>
-        When using a JSSE TLS connector that supported ALPN (Java 9 onwards) and
-        a protocol was not negotiated, Tomcat failed to fallback to HTTP/1.1 and
-        instead dropped the connection. (markt)
-      </fix>
-      <fix>
-        Correct a regression in the TLS connector refactoring in Tomcat 9.0.17
-        that prevented the use of PKCS#8 private keys with OpenSSL based
-        connectors. (markt)
-      </fix>
-      <fix>
-        Fix NIO2 SSL edge cases. (remm)
-      </fix>
-      <fix>
-        When performing an upgrade from HTTP/1.1 to HTTP/2, ensure that any
-        query string present in the original HTTP/1.1 request is passed to the
-        HTTP/2 request processing. (markt)
-      </fix>
-      <fix>
-        When Tomcat writes a final response without reading all of an HTTP/2
-        request, reset the stream to inform the client that the remaining
-        request body is not required. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <add>
-        Add support for specifying Java 11 (with the value <code>11</code>) as
-        the compiler source and/or compiler target for JSP compilation. (markt)
-      </add>
-      <add>
-        Add support for specifying Java 12 (with the value <code>12</code>) and
-        Java 13 (with the value <code>13</code>) as the compiler source and/or
-        compiler target for JSP compilation. If used with an ECJ version that
-        does not support these values, a warning will be logged and the latest
-        supported version will used. Based on a patch by Thomas Collignon.
-        (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        <bug>63184</bug>: Expand the SSI documentation to provide more
-        information on the supported directives and their attributes. Patch
-        provided by nightwatchcyber. (markt)
-      </fix>
-      <add>
-        Add a note to the documentation about the risk of DoS with poorly
-        written regular expressions and the <code>RewriteValve</code>. Patch
-        provided by salgattas. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        Improved maxAge handling. Add support for age check on idle connections.
-        Connection that expired reconnects rather than closes it. Patch provided
-        by toby1984. (kfujino)
-      </fix>
-      <fix>
-        <bug>63320</bug>: Ensure that <code>StatementCache</code> caches
-        statements that include arrays in arguments. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Update to the Eclipse JDT compiler 4.10. (markt)
-      </update>
-      <add>
-        Expand the coverage and quality of the Spanish translations provided
-        with Apache Tomcat. Includes contributions by Ulises Gonzalez Horta.
-        (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Czech translations provided
-        with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Chinese translations provided
-        with Apache Tomcat. Includes contributions by winsonzhao and wjt.
-        (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Russian translations provided
-        with Apache Tomcat. (kkolinko)
-      </add>
-      <add>
-        Expand the coverage and quality of the Japanese translations provided
-        with Apache Tomcat. (kfujino)
-      </add>
-      <add>
-        Expand the coverage and quality of the Korean translations provided
-        with Apache Tomcat. (woonsan)
-      </add>
-      <add>
-        Expand the coverage and quality of the German translations provided
-        with Apache Tomcat. (fschumacher)
-      </add>
-      <add>
-        Expand the coverage and quality of the French translations provided
-        with Apache Tomcat. (remm)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.17 (markt)" rtext="2019-03-18">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Refactor how cookies are transferred from the base request to a
-        <code>PushBuilder</code> so that they are accessible, and may be edited,
-        via the standard <code>PushBuilder</code> methods for working with HTTP
-        headers. (markt)
-      </fix>
-      <update>
-        Simplify the value of <code>jarsToSkip</code> property in
-        <code>catalina.properties</code> file for tomcat-i18n jar files.
-        Use prefix pattern instead of listing each language. (kkolinko)
-      </update>
-      <fix>
-        Restore the getter and setter for the access log valve attribute
-        <code>maxLogMessageBufferSize</code> that were accidentally removed.
-        (markt)
-      </fix>
-      <add>
-        <bug>63206</bug>: Add a new attribute to <code>Context</code> -
-        <code>createUploadTargets</code> which, if <code>true</code> enables
-        Tomcat to create the temporary upload location used by a Servlet if the
-        location specified by the Servlet does not already exist. The default
-        value is <code>false</code>. (markt)
-      </add>
-      <fix>
-        <bug>63210</bug>: Ensure that the Apache Commons DBCP 2 based default
-        connection pool is correctly shutdown when it is no longer required.
-        This ensures that a non-daemon thread is not left running that will
-        prevent Tomcat from shutting down cleanly. (markt)
-      </fix>
-      <fix>
-        <bug>63213</bug>: Ensure the correct escaping of group names when
-        searching for nested groups when the JNDIRealm is configured with
-        <code>roleNested</code> set to <code>true</code>. (markt)
-      </fix>
-      <fix>
-        <bug>63236</bug>: Use <code>String.intern()</code> as suggested by
-        Phillip Webb to reduce memory wasted due to String duplication. This
-        changes saves ~245k when starting a clean installation. With additional
-        thanks to YourKit Java profiler for helping to track down the wasted
-        memory and the root causes. (markt)
-      </fix>
-      <fix>
-        <bug>63246</bug>: Fix a potential <code>NullPointerException</code> when
-        calling <code>AsyncContext.dispatch()</code>. (markt)
-      </fix>
-      <fix>
-        Always use the absolute path of the <code>docBase</code> during the
-        deployment process to determine the Context name, deployment type,
-        whether the <code>docBase</code> is located within the
-        <code>appBase</code> etc. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        When performing an HTTP/1.1 upgrade to HTTP/2 (h2c) ensure that the hostname
-        and port from the HTTP/1.1 Host header of the upgraded request are made
-        available via the standard methods
-        <code>ServletRequest.getServerName()</code> and
-        <code>ServletRequest.getServerPort()</code>. (markt)
-      </fix>
-      <fix>
-        Refactor the APR/Native endpoint TLS configuration code to enable JSSE
-        style configuration - including JKS keystores - to be used with the
-        APR/Native connector. (markt)
-      </fix>
-      <add>
-        With the TLS configuration refactoring, the configuration attributes
-        <code>sessionCacheSize</code> and <code>sessionTimeout</code> are no
-        longer limited to JSSE implementations. They may now be used with
-        OpenSSL implementations as well. (markt)
-      </add>
-      <fix>
-        Refactor NIO2 read pending strategy for the classic IO API. (remm)
-      </fix>
-      <fix>
-        <bug>63182</bug>: Avoid extra read notifications for HTTP/1.1 with
-        NIO2 when using asynchronous threads. (remm)
-      </fix>
-      <add>
-        <bug>63205</bug>: Add a work-around for a known
-        <a href="https://bugs.openjdk.java.net/browse/JDK-8157404">JRE KeyStore
-        loading bug</a>. (markt)
-      </add>
-      <fix>
-        NIO2 should try to use SocketTimeoutException everywhere rather than a
-        mix of it and InterruptedByTimeout. (remm)
-      </fix>
-      <fix>
-        Correct an error in the request validation that meant that HTTP/2 push
-        requests always resulted in a 400 response. (markt)
-      </fix>
-      <fix>
-        <bug>63223</bug>: Correctly account for push requests when tracking
-        currently active HTTP/2 streams. (markt)
-      </fix>
-      <fix>
-        Ensure enough buffer space when using TLS with NIO2 by using the main
-        read buffer to store additional decrypted data. (remm)
-      </fix>
-      <fix>
-        Verify HTTP/2 stream is still writable before assuming a timeout
-        occurred. (remm)
-      </fix>
-      <fix>
-        Avoid some overflow cases with OpenSSL to improve efficiency, as the
-        OpenSSL engine has an internal buffer. (remm)
-      </fix>
-      <fix>
-        Harmonize HTTP/1.1 NIO2 keepalive code. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <scode>
-        Remove the <code>STREAMS_DROP_EMPTY_MESSAGES</code> system property that
-        was introduced to work-around four failing TCK tests. An alternative
-        solution has been implemented. Sending messages via
-        <code>getSendStream()</code> and <code>getSendWriter()</code> will now
-        only result in messages on the wire if data is written to the
-        <code>OutputStream</code> or <code>Writer</code>. Writing zero length
-        data will result in an empty message. Note that sending a message via an
-        <code>Encoder</code> may result in the message being send via
-        <code>getSendStream()</code> or <code>getSendWriter()</code>. (markt)
-      </scode>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Fix messages used by Manager and Host Manager web applications.
-        Disambiguate message keys used when adding or removing a host.
-        Improve display of summary values on the status page: separate
-        terms and values with a whitespace. Improve wording of messages
-        for expire sessions command. (kkolinko)
-      </fix>
-      <fix>
-        Do not add CSRF nonce parameter and suppress Referer header for external
-        links in Manager and Host Manager web applications. (kkolinko)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <add>
-        Add feature that discover local member from the static member list.
-        (kfujino)
-      </add>
-      <fix>
-        Ensure that members registered in the addSuspects list are static
-        members. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <add>
-        Expand the coverage and quality of the French translations provided
-        with Apache Tomcat. (remm)
-      </add>
-      <fix>
-        <bug>63041</bug>: Revert the changes for <bug>53930</bug> that added
-        support for the <code>CATALINA_OUT_CMD</code> environment variable as
-        they prevented correct operation with systemd configurations that did
-        not explicitly specify a PID file. (markt)
-      </fix>
-      <add>
-        Expand the coverage and quality of the Russian translations provided
-        with Apache Tomcat. (kkolinko)
-      </add>
-      <fix>
-        Fix the artifactId of <code>tomcat-i18n-cs</code>. (rjung)
-      </fix>
-      <add>
-        Expand the coverage and quality of the Korean translations provided
-        with Apache Tomcat. (woonsan)
-      </add>
-      <add>
-        Expand the coverage and quality of the Chinese translations provided
-        with Apache Tomcat. Includes contributions by winsonzhao. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Czech translations provided
-        with Apache Tomcat. Includes contributions by Arnošt Havelka. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Spanish translations provided
-        with Apache Tomcat. Includes contributions by Ulises Gonzalez Horta.
-        (markt)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.16 (markt)" rtext="2019-02-08">
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Use client's preferred language for the Server Status page of the
-        Manager web application. Review and fix several cases when the
-        client's language preference was not respected in Manager and
-        Host Manager web applications. (kkolinko)
-      </fix>
-      <fix>
-        <bug>63141</bug>: Ensure that translated manager response strings still
-        start with <code>OK -</code> where expected by the associated Ant tasks.
-        (markt)
-      </fix>
-      <fix>
-        <bug>63143</bug>: Ensure that the Manager web application respects the
-        language preferences of the user as configured in the browser when the
-        language of the default system locale is not English. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        Remove unnecessary shutdown for executor. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Update the NSIS Installer used to build the Windows installer to version
-        3.04. (markt)
-      </update>
-      <add>
-        Add Czech translations to Apache Tomcat. Includes contributions from
-        Arnošt Havelka and Alice. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Spanish translations provided
-        with Apache Tomcat. Includes contributions from Ulises Gonzalez Horta.
-        (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the French translations provided
-        with Apache Tomcat. (remm)
-      </add>
-      <add>
-        Expand the coverage and quality of the Korean translations provided
-        with Apache Tomcat. (woonsan)
-      </add>
-      <add>
-        Expand the coverage and quality of the Japanese translations provided
-        with Apache Tomcat. Includes contributions from Yujiorama. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Chinese translations provided
-        with Apache Tomcat. Includes contributions from zheng. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Russian translations provided
-        with Apache Tomcat. (kkolinko)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.15 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>54741</bug>: Add a new method,
-        <code>Tomcat.addWebapp(String,URL)</code>, that allows a web application
-        to be deployed from a URL when using Tomcat in embedded mode. (markt)
-      </fix>
-      <fix>
-        <bug>63002</bug>: Fix setting rewrite qsdiscard flag. (remm)
-      </fix>
-      <fix>
-        Implement the requirements of section 8.2.2 2c of the Servlet
-        specification and prevent a web application from deploying if it has
-        fragments with duplicate names and is configured to use relative
-        ordering of fragments. (markt)
-      </fix>
-      <fix>
-        Ensure that the HEAD response is consistent with the GET response when
-        <code>HttpServlet</code> is relied upon to generate the HEAD response
-        and the GET response uses chunking. (markt)
-      </fix>
-      <fix>
-        Ensure that the <code>ServletOutputStream</code> implementation is
-        consistent with the requirements of asynchronous I/O and that all of the
-        write methods use a single write rather than multiple writes. (markt)
-      </fix>
-      <fix>
-        Correct the Javadoc for <code>Context.getDocBase()</code> and
-        <code>Context.setDocBase()</code> and remove text that indicates that a
-        URL may be used for the <code>docBase</code> as this has not been the
-        case for quite some time. (markt)
-      </fix>
-      <update>
-        Add basic health check valve. (remm)
-      </update>
-      <fix>
-        Correct a bug exposed in 9.0.14 and ensure that the Tomcat terminates in
-        a timely manner when running as a service. (markt)
-      </fix>
-      <fix>
-        Log a message when using a Connector that requires Apr without enabling
-        the AprLifecycleListener first. (csutherl)
-      </fix>
-      <fix>
-        Utility thread count for special negative or zero values will again be
-        based on Runtime.getRuntime().availableProcessors(). (remm)
-      </fix>
-      <scode>
-        Treat I/O errors during request body reads the same way as I/O errors
-        during response body writes. The errors are treated as client side
-        errors rather than server side errors and only logged at debug level.
-        (markt)
-      </scode>
-      <fix>
-        <bug>63038</bug>: Ensure that a <code>ClassNotFoundException</code> is
-        thrown when attempting to load a class from a corrupted JAR file.
-        (markt)
-      </fix>
-      <fix>
-        <bug>63078</bug>: Ensure the utility thread pool is at least two, as the
-        deployer uses a blocking pattern. (remm, markt)
-      </fix>
-      <add>
-        Make the removal of leading and trailing whitespace from credentials
-        passed to BASIC authentication configurable via a new attribute,
-        <code>trimCredentials</code> on the <code>BasicAuthenticator</code>.
-        (markt)
-      </add>
-      <fix>
-        <bug>63003</bug>: Extend the <code>unloadDelay</code> attribute on a
-        <code>Context</code> to include in-flight asynchronous requests. (markt)
-      </fix>
-      <add>
-        <bug>63026</bug>: Add a new attribute, <code>forceDnHexEscape</code>, to
-        the <code>JNDIRealm</code> that forces escaping in the String
-        representation of a distinguished name to use the <code>\nn</code> form.
-        This may avoid issues with realms using Active Directory which appears
-        to be more tolerant of optional escaping when the <code>\nn</code> form
-        is used. (markt)
-      </add>
-      <fix>
-        Avoid a swallowed (and therefore ignored) access failure during web
-        application class loading when running under a
-        <code>SecurityManager</code>. (markt)
-      </fix>
-      <update>
-        Add SSL configuration options to the JMX remote listener using the
-        <code>SSLHostConfig</code> framework. (remm)
-      </update>
-      <update>
-        Update the recommended minimum Tomcat Native version to 1.2.21. (markt)
-      </update>
-      <fix>
-        <bug>63137</bug>: If the resources for a web application have been
-        configured with multiple locations mapped to
-        <code>/WEB-INF/classes</code>, ensure that all of those locations are
-        used when building the web application class path. Patch provided by
-        Marcin Gołębski. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <add>
-        <bug>63009</bug>: Include the optional <code>content-length</code>
-        header in HTTP/2 responses where an appropriate value is available.
-        (markt)
-      </add>
-      <fix>
-        <bug>63022</bug>: Do not use the socket open state when using the
-        wrapper isClosed method for NIO and NIO2, as it will disable all
-        further processing. (remm)
-      </fix>
-      <fix>
-        Fix socket close discrepancies for NIO2, now the wrapper close
-        is used everywhere except for socket accept problems. (remm)
-      </fix>
-      <fix>
-        Fix use of write timeout instead of read timeout for HTTP/2 NIO2
-        frame read. (remm)
-      </fix>
-      <fix>
-        Fix incorrect APR sendfile thread stop. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>63056</bug>: Correct a regression in the fix for <bug>53737</bug>
-        that did not correctly scan the web application directory structure for
-        JSPs. (markt)
-      </fix>
-      <fix>
-        Update the performance optimisation for using expressions in tags that
-        depend on uninitialised tag attributes with implied scope to make the
-        performance optimisation aware of the new public class
-        (<code>java.lang.Enum$EnumDesc</code>) added in Java 12. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>57974</bug>: Ensure implementation of
-        <code>Session.getOpenSessions()</code> returns correct value for both
-        client-side and server-side calls. (markt)
-      </fix>
-      <fix>
-        <bug>63019</bug>: Use payload remaining bytes rather than limit when
-        writing. Submitted by Benoit Courtilly. (remm)
-      </fix>
-      <fix>
-        When running under a <code>SecurityManager</code>, ensure that the
-        <code>ServiceLoader</code> look-up for the default
-        <code>javax.websocket.server.ServerEndpointConfig.Configurator</code>
-        implementation completes correctly rather than silently using the
-        hard-coded fall-back. (markt)
-      </fix>
-      <fix>
-        Ensure that the network connection is closed if the client receives an
-        I/O error trying to communicate with the server. (markt)
-      </fix>
-      <fix>
-        Ignore synthetic methods when scanning POJO methods. (markt)
-      </fix>
-      <fix>
-        Implement the requirements of section 5.2.1 of the WebSocket 1.1
-        specification and ensure that if the deployment of one Endpoint fails,
-        no Endpoints are deployed for that web application. (markt)
-      </fix>
-      <fix>
-        Implement the requirements of section 4.3 of the WebSocket 1.1
-        specification and ensure that the deployment of an Endpoint fails if
-        <code>@PathParam</code> is used with an invalid parameter type. (markt)
-      </fix>
-      <fix>
-        Ensure a <code>DeploymentException</code> rather than an
-        <code>IllegalArgumentException</code> is thrown if a method annotated
-        with <code>@OnMessage</code> does not conform to the requirements set
-        out in the Javadoc. (markt)
-      </fix>
-      <fix>
-        Improve algorithm that determines if two <code>@OnMessage</code>
-        annotations have been added for the same message type. Prior to this
-        change some matches were missed. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        <bug>63103</bug>: Remove the unused source.jsp file and associated tag
-        from the examples web application as it is no longer used. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <update>
-        Add dns-ping support to enumerate cluster members. This is much simpler
-        than getting the pod list but it does not indicate pod status.
-        Submitted by Maxime Beck. (remm)
-      </update>
-      <fix>
-        Never expire the local member from a Membership. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Update container image with monitoring contraptions. (remm)
-      </update>
-      <add>
-        Expand the coverage and quality of the Korean translations provided with
-        Apache Tomcat. Includes contributions from woonsan and Chris Cho.
-        (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Japanese translations provided
-        with Apache Tomcat. Includes contributions from kfujino, Yujiorama and
-        motohashi.yuki. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the French translations provided with
-        Apache Tomcat. Includes contributions from remm, Ludovic Pénet and
-        evernat. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the German translations provided
-        with Apache Tomcat. Includes contributions from fschumacher, Stefan and
-        burghard. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Chinese (simplified) translations
-        provided with Apache Tomcat. Includes contributions from winsonzhao,
-        Lanranzi, shawn, Winsonzhoa, JinXiqian, RichardHo, qingshi huang,
-        Greenman0007, Jim Ma, huxing, 袁宇杰 and evernat. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Spanish translations provided
-        with Apache Tomcat. Includes contributions from Ulises Gonzalez Horta,
-        Israel, Eduardo Quintanilla and Miguel Ortega. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Russian translations provided
-        with Apache Tomcat. Includes contributions from Andrei Maiseyenka and
-        solomax. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Brazilian Portuguese translations
-        provided with Apache Tomcat. Includes contributions from Victor Caetano
-        and Dabilo. (markt)
-      </add>
-      <fix>
-        <bug>63041</bug>: Correct a regression in the fix for <bug>53930</bug>
-        that prevented Tomcat from working correctly with systemd. Patch
-        provided by Patrik S. (markt)
-      </fix>
-      <update>
-        <fix>63072</fix>: Remove extras (JMX remote listener and webservices
-        object factories) and merge them back into the core build.
-        (remm)
-      </update>
-      <add>
-        Update the internal fork of Apache Commons FileUpload to pick up the
-        changes in the Apache Commons FileUpload 1.4 release. (markt)
-      </add>
-      <update>
-        Update the internal fork of Apache Commons DBCP 2 to de20b77
-        (2019-01-29) to pick up some bug fixes and enhancements. (markt)
-      </update>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.21 to
-        pick up the memory leak fixes when using NIO/NIO2 with OpenSSL. (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.14 (markt)" rtext="2018-12-12">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>62788</bug>: Add explicit logging configuration to write log files
-        using UTF-8 to align with Tomcat&apos;s use of UTF-8 by default
-        elsewhere. (markt)
-      </fix>
-      <fix>
-        The default Servlet should not override a previously set content-type.
-        (remm)
-      </fix>
-      <fix>
-        Fix storeconfig for the cluster encryption interceptor key attribute.
-        (remm)
-      </fix>
-      <add>
-        Add a scheduled executor to the Server, which can be used to
-        process periodic utility tasks. The utility threads are non daemon
-        by default. (remm)
-      </add>
-      <update>
-        Refactor container background processor using the Server executor, and
-        add monitoring to reschedule it in case of an unexpected error. (remm)
-      </update>
-      <update>
-        Refactor parallel deployment threads using the Server executor. (remm)
-      </update>
-      <add>
-        Introduce a ConfigurationSource API to standardize access to the core
-        configuration resources of Tomcat. (remm)
-      </add>
-      <update>
-        Update the Tomcat embedded API by allowing to set a configuration
-        source, which will allow processing of core configuration. (remm)
-      </update>
-      <update>
-        Refactor processing of server.xml, web.xml, context.xml, other
-        configuration files and resources using the ConfigurationSource API.
-        JASPIC persistent providers load and store remains file based.
-        StoreConfig Tomcat configuration files storing remains file based
-        at their previous default locations. (remm)
-      </update>
-      <add>
-        <bug>62897</bug>: Provide a property
-        (<code>clearReferencesThreadLocals</code>) on the standard
-        <code>Context</code> implementation that enables the check for memory
-        leaks via <code>ThreadLocal</code>s to be disabled because this check
-        depends on the use of an API that has been deprecated in later versions
-        of Java. (markt)
-      </add>
-      <fix>
-        Fix more storeconfig issues with duplicated SSL attributes. (remm)
-      </fix>
-      <fix>
-        <bug>62924</bug>: Fix file descriptor leak introduced in the code that
-        monitors <code>tomcat-users.xml</code> for modifications. (markt)
-      </fix>
-      <update>
-        Add periodic event notification for lifecycle listeners configured on
-        the Server. (remm)
-      </update>
-      <fix>
-        <bug>62968</bug>: Avoid unnecessary (and relatively expensive)
-        <code>getResources()</code> call in the Mapper when processing rule 7.
-        (markt)
-      </fix>
-      <update>
-        Update the recommended minimum Tomcat Native version to 1.2.19. (markt)
-      </update>
-      <fix>
-        <bug>62978</bug>: Update the RemoteIpValve to handle multiple values in
-        the <code>x-forwarded-proto</code> header. Patch provided by Tom Groot.
-        (markt)
-      </fix>
-      <fix>
-        Update the RemoteIpFilter to handle multiple values in the
-        <code>x-forwarded-proto</code> header. Based on a patch provided by Tom
-        Groot. (markt)
-      </fix>
-      <scode>
-        <bug>62986</bug>: Refactor the code that performs class scanning during
-        web application start to make integration simpler for downstream users.
-        Patch provided by rmannibucau. (markt)
-      </scode>
-      <fix>
-        Filter out tomcat-web.xml from the watched resources list in
-        storeconfig. (remm)
-      </fix>
-      <fix>
-        <bug>62988</bug>: Fix the <code>LoadBalancerDrainingValve</code> so it
-        works when the session cookie configuration is not explicitly declared.
-        Based on a patch provided by Andreas Kurth. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <update>
-        Refactor connector async timeout threads using a scheduled executor.
-        (remm)
-      </update>
-      <update>
-        Avoid using a dedicated thread for accept on the NIO2 connector, it is
-        always less efficient. (remm)
-      </update>
-      <update>
-        Load SSL configuration resources for JSSE using the ConfigurationSource
-        API. OpenSSL use requires actual files. (remm)
-      </update>
-      <fix>
-        <bug>62899</bug>: Prevent the incorrect timing out of connections when
-        Servlet non-blocking I/O is used to read a request body over an HTTP/2
-        stream. (markt)
-      </fix>
-      <fix>
-        Avoid bad SSLHostConfig JMX registrations before init. (remm)
-      </fix>
-      <fix>
-        Avoid a potential hang when a client connects using TLS 1.0 to a Tomcat
-        HTTPS connector configured to use NIO or NIO2 with OpenSSL 1.1.1 or
-        later. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <update>
-        Update the Eclipse Compiler for Java to 4.9. Additional patch by Lukasz
-        Jader. (markt)
-      </update>
-      <add>
-        <bug>53737</bug>: Extend JspC, the precompilation tool, to include
-        support for resource JARs. (markt)
-      </add>
-      <fix>
-        <bug>62976</bug>: Avoid an <code>IllegalStateException</code> when using
-        background compilation when tag files are packaged in JAR files. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <add>
-        <bug>53553</bug>: Add the ability to specify a context.xml from the
-        server to use when uploading a web application for deployment with the
-        Manager web application. Patch provided by Anton Lindström. (markt)
-      </add>
-      <fix>
-        <bug>62918</bug>: Filter out subtype mbeans to avoid breaking the
-        connector status page. (remm)
-      </fix>
-      <fix>
-        Unify letter case of the word 'How-To' in the webapps (csutherl)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <update>
-        Refactor various operations performed in tribes using a scheduled
-        executor. When tribes is not running standalone, it will use the
-        executor from the Catalina Server. If running independently, the
-        Channel will provide the executor. (remm)
-      </update>
-      <fix>
-        Make EncryptInterceptor thread-safe. This makes this interceptor
-        actually usable. (schultz/markt)
-      </fix>
-      <add>
-        Add support for GCM mode to EncryptInterceptor. (schultz)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Prevent an error when running in a Cygwin shell and the
-        <code>JAVA_ENDORSED_DIRS</code> system property is empty. Patch provided
-        by Zemian Deng. (markt)
-      </fix>
-      <add>
-        Expand the coverage and quality of the French translations provided with
-        Apache Tomcat. Includes contributions from remm, soliplaya, Ludovic
-        Pénet, David, NicolasG and bdelacretaz. (markt)
-      </add>
-      <add>
-        Add Simplified Chinese translations to the translations to Apache
-        Tomcat. Includes contributions from Darren Luo, syseal, Winsonzhao,
-        袁宇杰, Lanranzi, ZhangJieWen, Jerry, yinzhili001, 安柏诚, shawn, lavender,
-        Zheng Feng, zengwc, RichardHo, mm, gingshi huang, Bob, geekwang, zheng,
-        Deanzhg, Tianfengjingjing, Panblack, oking, Dave Newman, Cnfnss, Jim Ma,
-        852394875, huxing and Greenman0007. (markt)
-      </add>
-      <add>
-        Add Korean translations to Apache Tomcat. Includes contributions from
-        woonsan, JunSang Park, song choe and OhChan. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Spanish translations provided
-        with Apache Tomcat. Includes contributions from Ulises Gonzalez Horta,
-        Israel, Eduardo Quintanilla and Miguel suarez. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Russian translations provided
-        with Apache Tomcat. Includes contributions from solomax, Rafael Sachakov
-        and Andrei Maiseyenka. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the German translations provided
-        with Apache Tomcat. Includes contributions from Matk80, burghard,
-        Daniel Wehringer and Felix Schumacher. (markt)
-      </add>
-      <add>
-        Expand the coverage and quality of the Japanese translations provided
-        with Apache Tomcat. Includes contributions from Yujiorama,
-        motohashi.yuki and kfujino. (markt)
-      </add>
-      <add>
-        Add Brazilian Portuguese translations to Apache Tomcat. Includes
-        contributions from geraldo netto. (markt)
-      </add>
-      <fix>
-        Include Brazilian Portuguese translations in the standard Tomcat
-        distribution. (markt)
-      </fix>
-      <fix>
-        Include Simplified Chinese translations in the standard Tomcat
-        distribution. (markt)
-      </fix>
-      <fix>
-        Include Korean translations in the standard Tomcat distribution. (markt)
-      </fix>
-      <add>
-        Add a packaging method for Tomcat using Maven, as well as a container
-        build file for it. (remm)
-      </add>
-      <fix>
-        Add XML Namespace to the project element of all POM files so that the
-        XML files are Well Formed and Valid. (csutherl)
-      </fix>
-      <add>
-        <bug>53930</bug>: Add support for the <code>CATALINA_OUT_CMD</code>
-        environment variable that defines a command to which captured stdout and
-        stderr will be redirected. Patch provided by Casey Lucas. (markt)
-      </add>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.19 to
-        pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL
-        1.1.1a. (markt)
-      </update>
-      <update>
-        Add i18n to many strings that lacked it. (remm)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.13 (markt)" rtext="2018-11-07">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        <bug>58590</bug>: Add the ability for a UserDatabase to monitor the
-        backing XML file for changes and reload the source file if a change in
-        the last modified time is detected. This is enabled by default meaning
-        that changes to <code>$CATALINA_BASE/conf/tomcat-users.xml</code> will
-        now take effect a short time after the file is saved. (markt)
-      </add>
-      <add>
-        <bug>61171</bug>: Add the <code>portOffset</code> attribute to the
-        <code>Server</code> element which is added to the configured shutdown
-        and <code>Connector</code> ports. Based on a patch by Marek Czernek.
-        (markt)
-      </add>
-      <add>
-        <bug>61692</bug>: Add the ability to control which HTTP methods are
-        handled by the CGI Servlet via a new initialization parameter
-        <code>cgiMethods</code>. (markt)
-      </add>
-      <fix>
-        <bug>62687</bug>: Expose content length information for resources
-        when using a compressed war. (remm)
-      </fix>
-      <fix>
-        <bug>62737</bug>: Fix rewrite substitutions parsing of {} nesting.
-        (remm)
-      </fix>
-      <fix>
-        Add rewrite flags output when getting the rewrite configuration back.
-        (remm)
-      </fix>
-      <fix>
-        Add missing qsdiscard flag to the rewrite flags as a cleaner way to
-        discard the query string. (remm)
-      </fix>
-      <add>
-        <bug>62755</bug>: Add ability to opt out of adding the default web.xml
-        config when embedding Tomcat and adding a context via
-        <code>addWebapp()</code>. Call
-        <code>setAddDefaultWebXmlToWebapp(false)</code> to prevent the automatic
-        config. (isapir)
-      </add>
-      <fix>
-        Add documentation about the files <code>context.xml.default</code> and
-        <code>web.xml.default</code> that can be used to customize
-        <code>conf/context.xml</code> and <code>conf/web.xml</code> on a per
-        host basis. (fschumacher)
-      </fix>
-      <fix>
-        Ensure that a canonical path is always used for the docBase of a Context
-        to ensure consistent behaviour. (markt)
-      </fix>
-      <fix>
-        <bug>62803</bug>: Fix SSL connector configuration processing
-        in storeconfig. (remm)
-      </fix>
-      <fix>
-        <bug>62797</bug>: Pass throwable to keep client aborts with status 200
-        rather than 500. Patch submitted by zikfat. (remm)
-      </fix>
-      <fix>
-        <bug>62802</bug>: Restore the <code>appContextProtection</code>
-        attribute to the <code>JreMemoryLeakPreventionListener</code> as
-        application code may still trigger this memory leak. (markt)
-      </fix>
-      <fix>
-        <bug>62809</bug>: Correct a regression in the implementation of DIGEST
-        authentication support for the Deployer Ant tasks (bug <bug>45832</bug>)
-        that prevented the <code>DeployTask</code> from working when
-        authentication was required. (markt)
-      </fix>
-      <update>
-        Update the recommended minimum Tomcat Native version to 1.2.18. (markt)
-      </update>
-      <add>
-        Ignore an attribute named <code>source</code> on <code>Context</code>
-        elements provided by <code>StandardContext</code>. This is to suppress
-        warnings generated by the Eclipse / Tomcat integration provided by
-        Eclipse. Based on a patch by mdfst13. (markt)
-      </add>
-      <add>
-        <bug>62830</bug>: Added <code>JniLifeCycleListener</code> and static
-        methods <code>Library.loadLibrary(libraryName)</code> and
-        <code>Library.load(filename)</code> to load a native library by a
-        shared class loader so that more than one Webapp can use it. (isapir)
-      </add>
-      <scode>
-        Refactor the <code>Connector</code> so that the port is obtained from
-        the <code>Endpoint</code> rather than a local field that could end up
-        out of sync. (markt)
-      </scode>
-      <fix>
-        Correct a typo in the Spanish resource files. Patch provided by Diego
-        Agulló. (markt)
-      </fix>
-      <fix>
-        <bug>62868</bug>: Order the <code>Enumeration&lt;URL&gt;</code> provided
-        by <code>WebappClassLoaderBase.getResources(String)</code> according to
-        the setting of the delegate flag. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <add>
-        Add TLSv1.3 to the default protocols and to the <code>all</code>
-        alias for JSSE based TLS connectors when running on a JVM that
-        supports TLS version 1.3. One such JVM is OpenJDK version 11. (rjung)
-      </add>
-      <fix>
-        <bug>62685</bug>: Correct an error in host name validation parsing that
-        did not allow a fully qualified domain name to terminate with a period.
-        Patch provided by AG. (markt)
-      </fix>
-      <fix>
-        Make PEM file parser a public utility class. (remm)
-      </fix>
-      <fix>
-        <bug>62739</bug>: Do not reject requests with an empty HTTP Host header.
-        Such requests are unusual but not invalid. Patch provided by Michael
-        Orr. (markt)
-      </fix>
-      <add>
-        <bug>62748</bug>: Add TLS 1.3 support for the APR/Native connector and
-        the NIO/NIO2 connector when using the OpenSSL backed JSSE
-        implementation. (schultz/markt)
-      </add>
-      <fix>
-        <bug>62791</bug>: Remove an unnecessary check in the NIO TLS
-        implementation that prevented from secure WebSocket connections from
-        being established. (markt)
-      </fix>
-      <fix>
-        Fix server initiated TLS renegotiation to obtain a client certificate
-        when using NIO/NIO2 and the OpenSSL backed JSSE TLS implementation.
-        (markt)
-      </fix>
-      <fix>
-        Ensure open sockets etc. are cleaned up if the socket binding process
-        fails. (markt)
-      </fix>
-      <fix>
-        <bug>62871</bug>: Improve MBeans for Endpoint instances (type
-        <code>ThreadPool</code> in JMX) by using explicit declaration of
-        attributes and operations rather than relying on introspection. Add a
-        new MBean to expose the <code>Socketproperties</code> values. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        Correct parsing of XML whitespace in TLD function signatures that
-        incorrectly only looked for the space character. (markt)
-      </fix>
-      <fix>
-        <bug>62674</bug>: Correct a regression in the stand-alone JSP compiler
-        utility, <code>JspC</code>, caused by the fix for <bug>53492</bug>, that
-        caused the JSP compiler to hang. (markt)
-      </fix>
-      <fix>
-        <bug>62721</bug>: Correct generation of web.xml header when using JspC.
-        (markt)
-      </fix>
-      <fix>
-        <bug>62757</bug>: Correct a regression in the fix for <bug>62603</bug>
-        that caused <code>NullPointerException</code>s when compiling tag files
-        on first access when development mode was disabled and background
-        compilation was enabled. Based on a patch by Jordi Llach. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>62731</bug>: Make the URI returned by
-        <code>HandshakeRequest.getRequestURI()</code> and
-        <code>Session.getRequestURI()</code> absolute so that the scheme, host
-        and port are accessible. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        <bug>62676</bug>: Expand the CORS filter documentation to make it clear
-        that explicit configuration is required to enable support for
-        cross-origin requests. (markt)
-      </fix>
-      <fix>
-        <bug>62712</bug>: Correct NPE in Manager application when attempting to
-        view configured certificates for an APR/native TLS connector. (markt)
-      </fix>
-      <fix>
-        <bug>62761</bug>: Correct the advanced CORS example in the Filter
-        documentation to use a valid configuration. (markt)
-      </fix>
-      <fix>
-        <bug>62786</bug>: Add a note to the Context documentation to explain
-        that, by default, settings for a Context element defined in server.xml
-        will be overwritten by settings specified in a default context file such
-        as <code>conf/context.xml</code>. (markt)
-      </fix>
-      <fix>
-        Create a little visual separation between the Undeploy button and the
-        other buttons in the Manager application. Patch provided by Łukasz
-        Jąder. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <add>
-        Add <code>setMembershipService</code> method to the
-        <code>MembershipProvider</code>. (kfujino)
-      </add>
-      <add>
-        Experimental Kubernetes aware cloud membership provider, based on code
-        by Maxime Beck. Contains code derived from jgroups. (remm/kfujino)
-      </add>
-      <fix>
-        Move the event notification <code>ThreadPoolExecutor</code> to
-        <code>MembershipProviderBase</code>. (kfujino)
-      </fix>
-      <fix>
-        Even if all members have already disappeared and PING can not be sent,
-        ensure that members will be expired. (kfujino)
-      </fix>
-      <fix>
-        Ensure that remove the member from suspect list when member added.
-        (kfujino)
-      </fix>
-      <add>
-        Add EncryptInterceptor to the portfolio of available clustering
-        interceptors. This adds symmetric encryption of session data
-        to Tomcat clustering regardless of the type of cluster manager
-        or membership being used. (schultz)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Port DBCP transaction synchronization registry fix
-        (commit d49d45e). (remm)
-      </fix>
-      <update>
-        Update the internal fork of Apache Commons Pool 2 to d4e0e88
-        (2018-09-12) to pick up some bug fixes and enhancements. (markt)
-      </update>
-      <add>
-        <bug>62705</bug>: Added a fail fast check for minimum required Apache
-        Ant version 1.9.8 when building Tomcat. (isapir)
-      </add>
-      <add>
-        Added ant target ide-intellij to create an IntelliJ IDEA project. (isapir)
-      </add>
-      <add>
-        Utility JSON parser generated from a public domain javacc grammar
-        written by Robert Fischer. (remm)
-      </add>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.18 to
-        pick up the latest Windows binaries built with APR 1.6.5 and OpenSSL
-        1.1.1. (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.12 (markt)" rtext="2018-09-10">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Improve the handling of path parameters when working with
-        RequestDispatcher objects. (markt)
-      </fix>
-      <fix>
-        <bug>62664</bug>: Process requests with content type
-        <code>multipart/form-data</code> to servlets with a
-        <code>@MultipartConfig</code> annotation regardless of HTTP method.
-        (markt)
-      </fix>
-      <fix>
-        <bug>62667</bug>: Add recursion to rewrite substitution parsing. (remm)
-      </fix>
-      <fix>
-        <bug>62669</bug>: When using the SSIFilter and a resource does not
-        specify a content type, do not force the content type to
-        <code>application/x-octet-stream</code>. (markt)
-      </fix>
-      <fix>
-        <bug>62670</bug>: Adjust the memory leak protection for the
-        <code>DriverManager</code> so that JDBC drivers located in
-        <code>$CATALINA_HOME/lib</code> and <code>$CATALINA_BASE/lib</code> are
-        loaded via the service loader mechanism when the protection is enabled.
-        (markt)
-      </fix>
-      <fix>
-        When generating a redirect to a directory in the Default Servlet, avoid
-        generating a protocol relative redirect. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Fix potential deadlocks when using asynchronous Servlet processing with
-        HTTP/2 connectors. (markt)
-      </fix>
-      <fix>
-        <bug>62620</bug>: Fix corruption of response bodies when writing large
-        bodies using asynchronous processing over HTTP/2. (markt)
-      </fix>
-      <fix>
-        <bug>62628</bug>: Additional fixes for output corruption of response
-        bodies when writing large bodies using asynchronous processing over
-        HTTP/2. (markt)
-      </fix>
-      <scode>
-        Support for Netware in the <code>org.apache.tomcat.jni</code> package
-        has been removed as there has not been a supported Netware platform for
-        a number of years. (markt)
-      </scode>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        Correct the JSP version in the X-PoweredBy HTTP header generated when
-        the xpoweredBy option is enabled. (markt)
-      </fix>
-      <fix>
-        <bug>62662</bug>: Fix the corruption of web.xml output during JSP
-        compilation caused by the fix for <bug>53492</bug>. Patch provided by
-        Bernhard Frauendienst. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <add>
-        Expand the information in the documentation web application regarding
-        the use of <code>CATALINA_HOME</code> and <code>CATALINA_BASE</code>.
-        Patch provided by Marek Czernek. (markt)
-      </add>
-      <fix>
-        <bug>62652</bug>: Make it clearer that the version of DBCP that is
-        packaged in Tomcat 9.0.x is DBCP 2. Correct the names of some DBCP 2
-        configuration attributes that changed between 1.x and 2.x. (markt)
-      </fix>
-      <add>
-        <bug>62666</bug>: Expand internationalisation support in the Manager
-        application to include the server status page and provide Russian
-        translations in addition to English. Patch provided by Artem Chebykin.
-        (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Switch the build script to use http for downloads from an ASF mirror
-        using the closer.lua script to avoid failures due to HTTPS to HTTP
-        redirects. (rjung)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.11 (markt)" rtext="2018-08-17">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        Make the <code>isLocked()</code> method of the <code>LockOutRealm</code>
-        public and expose the method via JMX. (markt)
-      </add>
-      <add>
-        <bug>53387</bug>: Add support for regular expression capture groups to
-        the SSI servlet and filter. (markt)
-      </add>
-      <fix>
-        <bug>53411</bug>: Improve the handling of HTTP requests that do not
-        explicitly specify a host name when no default host is configured. Also
-        improve the tracking of changes to the default host as hosts are added
-        and removed while Tomcat is running. (markt)
-      </fix>
-      <fix>
-        Ensure that the HTTP Vary header is set correctly when using the CORS
-        filter and improve the cacheability of requests that pass through the
-        COPRS filter. (markt)
-      </fix>
-      <fix>
-        <bug>62527</bug>: Revert restriction of JNDI to the <code>java:</code>
-        namespace. (remm)
-      </fix>
-      <add>
-        Introduce a new class - <code>MultiThrowable</code> - to report
-        exceptions when multiple actions are taken where each action may throw
-        an exception but all actions are taken before any errors are reported.
-        Use this new class when reporting multiple container (e.g. web
-        application) failures during start. (markt)
-      </add>
-      <fix>
-        Correctly decode URL paths (<code>+</code> should not be decoded to a
-        space in the path) in the <code>RequestDispatcher</code> and the web
-        application class loader. (markt)
-      </fix>
-      <add>
-        Make logout more robust if JASPIC subject is unexpectedly unavailable.
-        (markt)
-      </add>
-      <fix>
-        <bug>62547</bug>: JASPIC <code>cleanSubject()</code> was not called on
-        logout when the authenticator was configured to cache the authenticated
-        Principal. Patch provided by Guillermo González de Agüero. (markt)
-      </fix>
-      <add>
-        <bug>62559</bug>: Add <code>jaxb-*.jar</code> to the list of JARs
-        ignored by <code>StandardJarScanner</code>. (markt)
-      </add>
-      <add>
-        <bug>62560</bug>: Add <code>oraclepki.jar</code> to the list of JARs
-        ignored by <code>StandardJarScanner</code>. (markt)
-      </add>
-      <add>
-        <bug>62607</bug>: Return a non-zero exit code from
-        <code>catalina.[bat|sh] run</code> if Tomcat fails to start. (markt)
-      </add>
-      <fix>
-        Use short circuit logic to prevent potential NPE in CorsFilter. (fschumacher)
-      </fix>
-      <scode>
-        Simplify construction of appName from container name in JAASRealm. (fschumacher)
-      </scode>
-      <scode>
-        Remove <code>ServletException</code> from declaration of
-        <code>Tomcat.addWebapp(String,String)</code> since it is never thrown.
-        Patch provided by Tzafrir. (markt)
-      </scode>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <scode>
-        Refactor HTTP date creation and parsing to reduce code duplication,
-        reduce the use of ThreadLocals and to increase the use of caching.
-        (markt)
-      </scode>
-      <fix>
-        <bug>56676</bug>: Add a default location for the native library, as
-        ${catalina.home}/bin, which the testsuite already uses. (remm)
-      </fix>
-      <update>
-        <bug>60560</bug>: Add support for using an inherited channel to
-        the NIO connector. Based on a patch submitted by Thomas Meyer with
-        testing and suggestions by Coty Sutherland. (remm)
-      </update>
-      <fix>
-        <bug>62507</bug>: Ensure that JSSE based TLS connectors work correctly
-        with a DKS keystore. (markt)
-      </fix>
-      <fix>
-        Refactor code that adds an additional header name to the
-        <code>Vary</code> HTTP response header to use a common utility method
-        that addresses several additional edge cases. (markt)
-      </fix>
-      <fix>
-        <bug>62515</bug>: When a connector is configured (via setting
-        <code>bindOnInit</code> to <code>false</code>) to bind/unbind the server
-        socket during start/stop, close the socket earlier in the stop process
-        so new connections do not sit in the TCP backlog during the shutdown
-        process only to be dropped as stop completes. In this scenario new
-        connections will now be refused immediately. (markt)
-      </fix>
-      <fix>
-        <bug>62526</bug>: Correctly handle PKCS12 format key stores when the key
-        store password is configured to be the empty string. (markt)
-      </fix>
-      <fix>
-        <bug>62605</bug>: Ensure <code>ReadListener.onDataAvailable()</code> is
-        called when the initial request body data arrives after the request
-        headers when using asynchronous processing over HTTP/2. (markt)
-      </fix>
-      <fix>
-        <bug>62614</bug>: Ensure that
-        <code>WriteListener.onWritePossible()</code> is called after
-        <code>isReady()</code> returns <code>false</code> and the window size is
-        subsequently incremented when using asynchronous processing over HTTP/2.
-        (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <add>
-        <bug>53492</bug>: Make the Java file generation process multi-threaded.
-        By default, one thread will be used per core. Based on a patch by Dan
-        Fabulich. (markt)
-      </add>
-      <add>
-        <bug>62453</bug>: Add a performance optimisation for using expressions
-        in tags that depend on uninitialised tag attributes with implied scope.
-        Generally, using an explicit scope with tag attributes in EL is the best
-        way to avoid various potential performance issues. (markt)
-      </add>
-      <fix>
-        Correctly decode URL paths (<code>+</code> should not be decoded to a
-        space in the path) in the Jasper class loader. (markt)
-      </fix>
-      <fix>
-        <bug>62603</bug>: Fix a potential race condition when development mode
-        is disabled and background compilation checks are enabled. It was
-        possible that some updates would not take effect and/or
-        <code>ClassNotFoundException</code>s would occur. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>62596</bug>: Remove the limit on the size of the initial HTTP
-        upgrade request used to establish the web socket connection. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <add>
-        <bug>62558</bug>: Add Russian translations for the Manager and Host
-        Manager web applications. Based on a patch by Ivan Krasnov. (markt)
-      </add>
-      <add>
-        Add documents for Static Membership service. (kfujino)
-      </add>
-      <add>
-        <bug>62561</bug>: Add advanced class loader configuration information
-        regarding the use of the Server and Shared class loaders to the
-        documentation web application. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        Ensures that the specified <code>rxBufSize</code> is correctly set to
-        receiver buffer size. (kfujino)
-      </fix>
-      <fix>
-        Correct the stop order of the Channel components. It stops in the
-        reverse order to that at startup. (kfujino)
-      </fix>
-      <add>
-        Added new StaticMembership implementation. This implementation does not
-        require any additional configuration of other
-        <code>ChannelInterceptors</code>. It works only with membership service.
-        (kfujino)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Support building with Java 9+ while preserving the Java 8 compatibility
-        at runtime (requires Ant 1.9.8 or later). (ebourg)
-      </update>
-      <update>
-        Update WSDL4J library to version 1.6.3 (from 1.6.2). (kkolinko)
-      </update>
-      <update>
-        Update JUnit library to version 4.12 (from 4.11). (kkolinko)
-      </update>
-      <update>
-        Downgrade CGLib library used for testing with EasyMock to version
-        2.2.2 (from 2.2.3) as version 2.2.3 is not available from Maven Central.
-        (markt)
-      </update>
-      <add>
-        Implement checksum checks when downloading dependencies that are used
-        to build Tomcat. (kkolinko)
-      </add>
-      <fix>
-        Fixed spelling. Patch provided by Jimmy Casey via GitHub. (violetagg)
-      </fix>
-      <update>
-        Update the internal fork of Apache Commons Pool 2 to 3e02523
-        (2018-08-09) to pick up some bug fixes and enhancements. (markt)
-      </update>
-      <update>
-        Update the internal fork of Apache Commons DBCP 2 to abc0484
-        (2018-08-09) to pick up some bug fixes and enhancements. (markt)
-      </update>
-      <fix>
-        Correct various spelling errors throughout the source code and
-        documentation. Patch provided by Kazuhiro Sera. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.10 (markt)" rtext="2018-06-25">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>62476</bug>: Use GMT timezone for the value of
-        <code>Expires</code> header as required by HTTP specification
-        (RFC 7231, 7234). (kkolinko)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.9 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Treat the <code>&lt;mapped-name&gt;</code> element of a
-        <code>&lt;env-entry&gt;</code> in web.xml in the same way as the
-        <code>mappedName</code> element of the equivalent <code>@Resource</code>
-        annotation. Both now attempt to set the <code>mappedName</code> property
-        of the resource. (markt)
-      </fix>
-      <fix>
-        Correct the processing of resources with
-        <code>&lt;injection-target&gt;</code>s defined in web.xml. First look
-        for a match using JavaBean property names and then, only if a match is
-        not found, look for a match using fields. (markt)
-      </fix>
-      <fix>
-        When restoring a saved request with a request body after FORM
-        authentication, ensure that calls to the <code>HttpServletRequest</code>
-        methods <code>getRequestURI()</code>, <code>getQueryString()</code> and
-        <code>getProtocol()</code> are not corrupted by the processing of the
-        saved request body. (markt)
-      </fix>
-      <fix>
-        JNDI resources that are defined with injection targets but no value are
-        now treated as if the resource is not defined. (markt)
-      </fix>
-      <fix>
-        Ensure that JNDI names used for <code>&lt;lookup-name&gt;</code> entries
-        in web.xml and for <code>lookup</code> elements of
-        <code>@Resource</code> annotations specify a name with an explicit
-        <code>java:</code> namespace. (markt)
-      </fix>
-      <fix>
-        <bug>50019</bug>: Add support for <code>&lt;lookup-name&gt;</code>.
-        Based on a patch by Gurkan Erdogdu. (markt)
-      </fix>
-      <add>
-        Add the <code>AuthenticatedUserRealm</code> for use with CLIENT-CERT and
-        SPNEGO when just the authenticated user name is required. (markt)
-      </add>
-      <fix>
-        <bug>50175</bug>: Add a new attribute to the standard context
-        implementation, <code>skipMemoryLeakChecksOnJvmShutdown</code>, that
-        allows the user to configure Tomcat to skip the memory leak checks
-        usually performed during web application stop if that stop is triggered
-        by a JVM shutdown. (markt)
-      </fix>
-      <add>
-        <bug>51497</bug>: Add an option, <code>ipv6Canonical</code>, to the
-        <code>AccessLogValve</code> that causes IPv6 addresses to be output in
-        canonical form defined by RFC 5952. (ognjen/markt)
-      </add>
-      <add>
-        <bug>51953</bug>: Add the <code>RemoteCIDRFilter</code> and
-        <code>RemoteCIDRValve</code> that can be used to allow/deny requests
-        based on IPv4 and/or IPv6 client address where the IP ranges are defined
-        using CIDR notation. Based on a patch by Francis Galiegue. (markt)
-      </add>
-      <fix>
-        <bug>62343</bug>: Make CORS filter defaults more secure. This is the fix
-        for CVE-2018-8014. (markt)
-      </fix>
-      <fix>
-        Ensure that the web application resources implementation does not
-        incorrectly cache results for resources that are only visible as class
-        loader resources. (markt)
-      </fix>
-      <fix>
-        <bug>62387</bug>: Do not log a warning message if the file based
-        persistent session store fails to delete the file for a session when the
-        session is invalidated because the file has not been created yet.
-        (markt)
-      </fix>
-      <fix>
-        Make all loggers associated with Tomcat provided Filters non-static to
-        ensure that log messages are not lost when a web application is
-        reloaded. (markt)
-      </fix>
-      <fix>
-        Correct the manifest for the annotations-api.jar. The JAR implements the
-        Common Annotations API 1.3 and the manifest should reflect that. (markt)
-      </fix>
-      <fix>
-        Switch to non-static loggers where there is a possibility of a logger
-        becoming associated with a web application class loader causing log
-        messages to be lost if the web application is stopped. (markt)
-      </fix>
-      <add>
-        <bug>62389</bug>: Add the IPv6 loopback address to the default
-        <code>internalProxies</code> regular expression. Patch by Craig Andrews.
-        (markt)
-      </add>
-      <fix>
-        In the <code>RemoteIpValve</code> and <code>RemoteIpFilter</code>,
-        correctly handle the case when the request passes through one or more
-        <code>trustedProxies</code> but no <code>internalProxies</code>. Based
-        on a patch by zhanhb. (markt)
-      </fix>
-      <fix>
-        Correct the logic in <code>MBeanFactory.removeConnector()</code> to
-        ensure that the correct Connector is removed when there are multiple
-        Connectors using different addresses but the same port. (markt)
-      </fix>
-      <fix>
-        Make <code>JAASRealm</code> mis-configuration more obvious by requiring
-        the authenticated Subject to include at least one Principal of a type
-        specified by <code>userClassNames</code>. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Correct a regression in the error page handling that prevented error
-        pages from issuing redirects or taking other action that required the
-        response status code to be changed. (markt)
-      </fix>
-      <fix>
-        Consistent exception propagation for NIO2 SSL close. (remm)
-      </fix>
-      <fix>
-        Followup sync fix for NIO2 async IO blocking read/writes. (remm)
-      </fix>
-      <fix>
-        Log an error message if the AJP connector detects that the reverse proxy
-        is sending AJP messages that are too large for the configured
-        <code>packetSize</code>. (markt)
-      </fix>
-      <fix>
-        Relax Host validation by removing the requirement that the final
-        component of a FQDN must be alphabetic. (markt)
-      </fix>
-      <fix>
-        <bug>62371</bug>: Improve logging of Host validation failures. (markt)
-      </fix>
-      <fix>
-        Fix a couple of unlikely edge cases in the shutting down of the
-        APR/native connector. (markt)
-      </fix>
-      <fix>
-        Add missing handshake timeout for NIO2. (remm)
-      </fix>
-      <fix>
-        Correctly handle a digest authorization header when the user name
-        contains an escaped character. (markt)
-      </fix>
-      <fix>
-        Correctly handle a digest authorization header when one of the hex
-        field values ends the header with in an invalid character. (markt)
-      </fix>
-      <fix>
-        Correctly handle an invalid quality value in an
-        <code>Accept-Language</code> header. (markt)
-      </fix>
-      <docs>
-        <bug>62423</bug>: Fix SSL docs CRL attribute typo. (remm)
-      </docs>
-      <fix>
-        Improve IPv6 validation by ensuring that IPv4-Mapped IPv6 addresses do
-        not contain leading zeros in the IPv4 part. Based on a patch by Katya
-        Stoycheva. (markt)
-      </fix>
-      <fix>
-        Fix <code>NullPointerException</code> thrown from <code>
-        replaceSystemProperties()</code> when trying to log messages. (csutherl)
-      </fix>
-      <fix>
-        Avoid unnecessary processing of async timeouts. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <add>
-        <bug>50234</bug>: Add the capability to generate a web-fragment.xml file
-        to JspC. (markt)
-      </add>
-      <fix>
-        <bug>62080</bug>: Ensure that all reads of the current thread's context
-        class loader made by the UEL API and implementation are performed via a
-        <code>PrivilegedAction</code> to ensure that a
-        <code>SecurityException</code> is not triggered when running under a
-        <code>SecurityManager</code>. (mark)
-      </fix>
-      <fix>
-        <bug>62350</bug>: Refactor
-        <code>org.apache.jasper.runtime.BodyContentImpl</code> so a
-        <code>SecurityException</code> is not thrown when running under a
-        SecurityManger and additional permissions are not required in the
-        <code>catalina.policy</code> file. This is a follow-up to the fix for
-        <bug>43925</bug>. (kkolinko/markt)
-      </fix>
-      <fix>
-        Enable JspC from Tomcat 9 to work with Maven JspC compiler plug-ins
-        written for Tomcat 8.5.x. Patch provided by Pavel Cibulka. (markt)
-      </fix>
-      <fix>
-        Update web.xml, web-fragment.xml and web.xml extracts generated by JspC
-        to use the Servlet 4.0 version of the relevant schemas. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Cluster">
-    <changelog>
-      <fix>
-        Remove duplicate calls when creating a replicated session to reduce the
-        time taken to create the session and thereby reduce the chances of a
-        subsequent session update message being ignored because the session does
-        not yet exist. (markt)
-      </fix>
-      <add>
-        Add the method to send a message with a specified sendOptions. (kfujino)
-      </add>
-      <fix>
-        When sending the <code>GET_ALL_SESSIONS</code> message, make sure that
-        sends with asynchronous option in order to avoid ack timeout. Waiting to
-        receive the <code>ALL_SESSION_DATA</code> message should be done with
-        <code>waitForSendAllSessions</code> instead of ACK. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <update>
-        Use NIO2 API for websockets writes. (remm)
-      </update>
-      <fix>
-        When decoding of path parameter failed, make sure to throw
-        <code>DecodeException</code> instead of throwing
-        <code>ArrayIndexOutOfBoundsException</code>. (kfujino)
-      </fix>
-      <fix>
-        Improve the handling of exceptions during TLS handshakes for the
-        WebSocket client. (markt)
-      </fix>
-      <fix>
-        Enable host name verification when using TLS with the WebSocket client.
-        (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        <bug>62395</bug>: Clarify the meaning of the connector attribute
-        <code>minSpareThreads</code> in the documentation web application.
-        (markt)
-      </fix>
-      <fix>
-        Correct the documentation for the <code>allowHostHeaderMismatch</code>
-        attribute of the standard HTTP Connector implementations. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        Ensure that the correct default value is returned when retrieve unset
-        properties in <code>McastService</code>. (kfujino)
-      </fix>
-      <add>
-        Make <code>MembershipService</code> more easily extensible. (kfujino)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        When <code>logValidationErrors</code> is set to true, the connection
-        validation error is logged as <code>SEVERE</code> instead of
-        <code>WARNING</code>. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Ensure that Apache Tomcat may be built from source with Java 11. (markt)
-      </fix>
-      <add>
-        <bug>52381</bug>: Add OSGi metadata to JAR files. (markt)
-      </add>
-      <fix>
-        <bug>62391</bug>: Remove references to <code>javaw.exe</code> as this
-        file is not required by Tomcat and the references prevent the use of the
-        Server JRE. (markt)
-      </fix>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.17 to
-        pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL
-        1.0.2o. (markt)
-      </update>
-      <update>
-        <bug>62458</bug>: Update the internal fork of Commons Pool 2 to dfef97b
-        (2018-06-18) to pick up some bug fixes and enhancements. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons DBCP 2 to 2.4.0. (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.8 (markt)" rtext="2018-05-03">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>62263</bug>: Avoid a <code>NullPointerException</code> when the
-        <code>RemoteIpValve</code> processes a request for which no Context can
-        be found. (markt)
-      </fix>
-      <add>
-        <bug>62258</bug>: Don't trigger the standard error page mechanism when
-        the error has caused the connection to the client to be closed as no-one
-        will ever see the error page. (markt)
-      </add>
-      <fix>
-        Register MBean when DataSource Resource <code>
-        type="javax.sql.XADataSource"</code>. Patch provided by Masafumi Miura.
-        (csutherl)
-      </fix>
-      <fix>
-        Fix a rare edge case that is unlikely to occur in real usage. This edge
-        case meant that writing long streams of UTF-8 characters to the HTTP
-        response that consisted almost entirely of surrogate pairs could result
-        in one surrogate pair being dropped. (markt)
-      </fix>
-      <add>
-        Update the internal fork of Apache Commons BCEL to r1829827 to add early
-        access Java 11 support to the annotation scanning code. (markt)
-      </add>
-      <fix>
-        <bug>62297</bug>: Enable the <code>CrawlerSessionManagerValve</code> to
-        correctly handle bots that crawl multiple hosts and/or web applications
-        when the Valve is configured on a Host or an Engine. (fschumacher)
-      </fix>
-      <fix>
-        <bug>62309</bug>: Fix a <code>SecurityException</code> when using JASPIC
-        under a <code>SecurityManager</code> when authentication is not
-        mandatory. (markt)
-      </fix>
-      <fix>
-        <bug>62329</bug>: Correctly list resources in JAR files when directories
-        do not have dedicated entries. Patch provided by Meelis Müür. (markt)
-      </fix>
-      <add>
-        Collapse multiple leading <code>/</code> characters to a single
-        <code>/</code> in the return value of
-        <code>HttpServletRequest#getContextPath()</code> to avoid issues if the
-        value is used with <code>HttpServletResponse#sendRedirect()</code>. This
-        behaviour is enabled by default and configurable via the new Context
-        attribute <code>allowMultipleLeadingForwardSlashInPath</code>. (markt)
-      </add>
-      <fix>
-        Improve handling of overflow in the UTF-8 decoder with supplementary
-        characters. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Correct off-by-one error in thread pool that allowed thread pools to
-        increase in size to one more than the configured limit. Patch provided
-        by usc. (markt)
-      </fix>
-      <fix>
-        Prevent unexpected TLS handshake failures caused by errors during a
-        previous handshake that were not correctly cleaned-up when using the NIO
-        or NIO2 connector with the <code>OpenSSLImplementation</code>. (markt)
-      </fix>
-      <add>
-        <bug>62273</bug>: Implement configuration options to work-around
-        specification non-compliant user agents (including all the major
-        browsers) that do not correctly %nn encode URI paths and query strings
-        as required by RFC 7230 and RFC 3986. (markt)
-      </add>
-      <fix>
-        Fix sync for NIO2 async IO blocking read/writes. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <update>
-        Update the Eclipse Compiler for Java to 4.7.3a. (markt)
-      </update>
-      <update>
-        Allow <code>9</code> to be used to specify Java 9 as the compiler source
-        and/or compiler target for JSP compilation. The Early Access value of
-        <code>1.9</code> is still supported. (markt)
-      </update>
-      <add>
-        Add support for specifying Java 10 (with the value <code>10</code>) as
-        the compiler source and/or compiler target for JSP compilation. (markt)
-      </add>
-      <fix>
-        <bug>62287</bug>: Do not rely on hash codes to test instances of
-        <code>ValueExpressionImpl</code> for equality. Patch provided by Mark
-        Struberg. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>62301</bug>: Correct a regression in the fix for <bug>61491</bug>
-        that didn't correctly handle a final empty message part in all
-        circumstances when using <code>PerMessageDeflate</code>. (markt)
-      </fix>
-      <fix>
-        <bug>62332</bug>: Ensure WebSocket connections are closed after an I/O
-        error is experienced reading from the client. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Avoid warning when running under Cygwin when the
-        <code>JAVA_ENDORSED_DIRS</code> environment variable is not set. Patch
-        provided by Zemian Deng. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.7 (markt)" rtext="2018-04-07">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>51195</bug>: Avoid a false positive report of a web application
-        memory leak by clearing <code>ObjectStreamClass$Caches</code> of classes
-        loaded by the web application when the web application is stopped.
-        (markt)
-      </fix>
-      <fix>
-        <bug>52688</bug>: Add support for the <code>maxDays</code> attribute to
-        the <code>AccessLogValve</code> and <code>ExtendedAccessLogValve</code>.
-        This allows the maximum number of days for which rotated access logs
-        should be retained before deletion to be defined. (markt)
-      </fix>
-      <fix>
-        Ensure the MBean names for the <code>SSLHostConfig</code> and
-        <code>SSLHostConfigCertificate</code> are correctly formed when the
-        <code>Connector</code> is bound to a specific IP address. (markt)
-      </fix>
-      <fix>
-        <bug>62168</bug>: When using the <code>PersistentManager</code> honor a
-        value of <code>-1</code> for <code>minIdleSwap</code> and do not swap
-        out sessions to keep the number of active sessions under
-        <code>maxActive</code>. Patch provided by Holger Sunke. (markt)
-      </fix>
-      <fix>
-        <bug>62172</bug>: Improve Javadoc for
-        <code>org.apache.catalina.startup.Constants</code> and ensure that the
-        constants are correctly used. (markt)
-      </fix>
-      <fix>
-        <bug>62175</bug>: Avoid infinite recursion, when trying to validate
-        a session while loading it with <code>PersistentManager</code>.
-        (fschumacher)
-      </fix>
-      <fix>
-        Ensure that <code>NamingContextListener</code> instances are only
-        notified once of property changes on the associated naming resources.
-        (markt)
-      </fix>
-      <add>
-        <bug>62224</bug>: Disable the <code>forkJoinCommonPoolProtection</code>
-        of the <code>JreMemoryLeakPreventionListener</code> when running on Java
-        9 and above since the underlying JRE bug has been fixed. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Avoid potential loop in APR/Native poller. (markt)
-      </fix>
-      <fix>
-        Ensure streams that are received but not processed are excluded from the
-        tracking of maximum ID of processed streams. (markt)
-      </fix>
-      <fix>
-        Refactor the check for a paused connector to consistently prevent new
-        streams from being created after the connector has been paused. (markt)
-      </fix>
-      <fix>
-        Improve debug logging for HTTP/2 pushed streams. (markt)
-      </fix>
-      <fix>
-        The OpenSSL engine SSL session will now ignore invalid accesses. (remm)
-      </fix>
-      <fix>
-        <bug>62177</bug>: Correct two protocol errors with HTTP/2
-        <code>PUSH_PROMISE</code> frames. Firstly, the HTTP/2 protocol only
-        permits pushes to be sent on peer initiated requests. Secondly, pushes
-        must be sent in order of increasing stream ID. These restriction were
-        not being enforced leading to protocol errors at the client. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <add>
-        Add document for <code>FragmentationInterceptor</code>. (kfujino)
-      </add>
-      <add>
-        Document how the roles for an authenticated user are determined when the
-        <code>CombinedRealm</code> is used. (markt)
-      </add>
-      <fix>
-        <bug>62163</bug>: Correct the Tomcat Setup documentation that
-        incorrectly referred to Java 7 as the minimum version rather than Java
-        8. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        Add JMX support for <code>FragmentationInterceptor</code> in order to
-        prevent warning of startup. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        Ensure that <code>SQLWarning</code> has been cleared when connection
-        returns to the pool. (kfujino)
-      </fix>
-      <add>
-        Enable clearing of <code>SQLWarning</code> via JMX. (kfujino)
-      </add>
-      <fix>
-        Ensure that parameters have been cleared when
-        <code>PreparedStatement</code> and/or <code>CallableStatement</code> are
-        cached. (kfujino)
-      </fix>
-      <fix>
-        Enable PoolCleaner to be started even if <code>validationQuery</code>
-        is not set. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Update the build script so MD5 hashes are no longer generated for
-        releases as per the change in the ASF distribution policy. (markt)
-      </update>
-      <fix>
-        <bug>62164</bug>: Switch the build script to use TLS for downloads from
-        SourceForge and Maven Central to avoid failures due to HTTP to HTTPS
-        redirects. (markt)
-      </fix>
-      <add>
-        Always report the OS's umask when launching the JVM. (schultz)
-      </add>
-      <add>
-        Add managed connections package to the package renamed DBCP 2 to provide
-        a complete DBCP 2 in Tomcat. (remm)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.6 (markt)" rtext="2018-03-08">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>43866</bug>: Add additional attributes to the Manager to provide
-        control over which listeners are called when an attribute is added to
-        the session when it has already been added under the same name. This is
-        to aid clustering scenarios where <code>setAttribute()</code> is often
-        called to signal that the attribute value has been mutated and needs to
-        be replicated but it may not be required, or even desired, for the
-        associated listeners to be triggered. The default behaviour has not been
-        changed. (markt)
-      </fix>
-      <fix>
-        Minor optimization when calling class transformers. (rjung)
-      </fix>
-      <add>
-        Pass errors triggered by invalid requests or unavailable services to the
-        application provided error handling and/or the container provided error
-        handling (<code>ErrorReportValve</code>) as appropriate. (markt)
-      </add>
-      <add>
-        <bug>41007</bug>: Add the ability to specify static HTML responses for
-        specific error codes and/or exception types with the
-        <code>ErrorReportValve</code>. (markt)
-      </add>
-      <fix>
-        Prevent Tomcat from applying gzip compression to content that is already
-        compressed with brotli compression. Based on a patch provided by burka.
-        (markt)
-      </fix>
-      <fix>
-        <bug>62090</bug>: Null container names are not allowed. (remm)
-      </fix>
-      <fix>
-        <bug>62104</bug>: Fix programmatic login regression as the
-        NonLoginAuthenticator has to be set for it to work (if no login method
-        is specified). (remm)
-      </fix>
-      <fix>
-        <bug>62117</bug>: Improve error message in <code>catalina.sh</code> when
-        calling <code>kill -0 &lt;pid&gt;</code> fails. Based on a suggestion
-        from Mark Morschhaeuser. (markt)
-      </fix>
-      <fix>
-        <bug>62118</bug>: Correctly create a JNDI <code>ServiceRef</code> using
-        the specified interface rather than the concrete type. Based on a
-        suggestion by Ángel Álvarez Páscua. (markt)
-      </fix>
-      <fix>
-        Fix for <code>RequestDumperFilter</code> log attribute. Patch provided
-        by Kirill Romanov via Github. (violetagg)
-      </fix>
-      <fix>
-        <bug>62123</bug>: Avoid <code>ConcurrentModificationException</code>
-        when attempting to clean up application triggered RMI memory leaks on
-        web application stop. (markt)
-      </fix>
-      <add>
-        When a deployment descriptor is deployed that includes a
-        <code>path</code> attribute, log a warning that the <code>path</code>
-        attribute will be ignored. (markt)
-      </add>
-      <add>
-        When a deployment descriptor is deployed that references an external
-        <code>docBase</code> and, as a result, a <code>docBase</code> under the
-        <code>appBase</code> will be ignored, log a warning. (markt)
-      </add>
-      <fix>
-        Correct a regression in the fix for <bug>60276</bug> that meant that
-        compression was applied to all MIME types. Patch provided by Stefan
-        Knoblich. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <add>
-        Add async HTTP/2 parser for NIO2. (remm)
-      </add>
-      <fix>
-        Add minor HPACK fixes, based on fixes by Stuart Douglas. (remm)
-      </fix>
-      <fix>
-        <bug>61751</bug>: Follow up fix so that OpenSSL engine returns
-        underflow when unwrapping if no bytes were produced and the input is
-        empty. (remm)
-      </fix>
-      <fix>
-        Minor OpenSSL engine cleanups. (remm)
-      </fix>
-      <fix>
-        NIO SSL handshake should throw an exception on overflow status, like
-        NIO2 SSL. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <add>
-        <bug>47467</bug>: When deploying a web application via the manager
-        application and a path is not explicitly specified, derive it from the
-        provided deployment descriptor or, if that is not present, the WAR or
-        DIR. (markt)
-      </add>
-      <add>
-        <bug>48672</bug>: Add documentation for the Host Manager web
-        application. Patch provided by Marek Czernek. (markt)
-      </add>
-      <add>
-        Add support for specifying the application version when deploying an
-        application via the Manager application HTML interface. (markt)
-      </add>
-      <add>
-        Work-around a known, non-specification compliant behaviour in some
-        versions of IE that can allow XSS when the Manager application generates
-        a plain text response. Based on a suggestion from Muthukumar Marikani.
-        (markt)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.5 (markt)" rtext="2018-02-11">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Prevent a stack trace being written to standard out when running on Java
-        10 due to changes in the <code>LogManager</code> implementation. (markt)
-      </fix>
-      <fix>
-        Avoid duplicate load attempts if one has been made already. (remm)
-      </fix>
-      <fix>
-        Avoid NPE in ThreadLocalLeakPreventionListener if there is no Engine.
-        (remm)
-      </fix>
-      <fix>
-        <bug>62000</bug>: When a JNDI reference cannot be resolved, ensure that
-        the root cause exception is reported rather than swallowed. (markt)
-      </fix>
-      <fix>
-        <bug>62036</bug>: When caching an authenticated user Principal in the
-        session when the web application is configured with the
-        <code>NonLoginAuthenticator</code>, cache the internal Principal object
-        rather than the user facing Principal object as Tomcat requires the
-        internal object to correctly process later authorization checks. (markt)
-      </fix>
-      <add>
-        Refactor error handling to enable errors that occur before processing is
-        passed to the application to be handled by the application provided
-        error handling and/or the container provided error handling
-        (<code>ErrorReportValve</code>) as appropriate. (markt)
-      </add>
-      <add>
-        Pass 404 errors triggered by a missing ROOT web application to the
-        container error handling to generate the response body. (markt)
-      </add>
-      <add>
-        Pass 400 errors triggered by invalid request targets to the container
-        error handling to generate the response body. (markt)
-      </add>
-      <fix>
-        Provide a correct <code>Allow</code> header when responding to an HTTP
-        <code>TRACE</code> request for a JSP with a 405 status code. (markt)
-      </fix>
-      <fix>
-        When using Tomcat embedded, only perform Authenticator configuration
-        once during web application start. (markt)
-      </fix>
-      <fix>
-        <bug>62067</bug>: Correctly apply security constraints mapped to the
-        context root using a URL pattern of <code>&quot;&quot;</code>. (markt)
-      </fix>
-      <fix>
-        Process all <code>ServletSecurity</code> annotations at web application
-        start rather than at servlet load time to ensure constraints are applied
-        consistently. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        <bug>61751</bug>: Fix truncated request input streams when using NIO2
-        with TLS. (markt)
-      </fix>
-      <fix>
-        <bug>62023</bug>: Log error reporting multiple SSLHostConfig elements
-        when using the APR Connector instead of crashing Tomcat. (csutherl)
-      </fix>
-      <fix>
-        <bug>62032</bug>: Fix NullPointerException when certificateFile is not
-        defined on an SSLHostConfig and unify the behavior when a
-        certificateFile is defined but the file does not exist for both
-        JKS and PEM file types. (csutherl)
-      </fix>
-      <fix>
-        Ensure that the <code>toString()</code> method behaves consistently for
-        <code>ByteChunk</code> and <code>CharChunk</code> and that
-        <code>null</code> is returned when <code>toString()</code> is called
-        both on newly created objects and immediately after a call to
-        <code>recycle()</code>. This should not impact typical Tomcat users. It
-        may impact users who use these classes directly in their own code.
-        (markt)
-      </fix>
-      <fix>
-        Ensure that the <code>toString()</code>, <code>toBytes()</code> and
-        <code>toChars()</code> methods of <code>MessageBytes</code> behave
-        consistently and do not throw a <code>NullPointerException</code> both
-        on newly created objects and immediately after a call to
-        <code>recycle()</code>. This should not impact typical Tomcat users. It
-        may impact users who use these classes directly in their own code.
-        (markt)
-      </fix>
-      <fix>
-        When processing an HTTP 1.0 request in the HTTP connector and no host
-        information is provided in the request, obtain the server port from the
-        local port rather than the connector configuration since the configured
-        value maybe zero. (markt)
-      </fix>
-      <add>
-        Enable strict validation of the provided host name and port for all
-        connectors. Requests with invalid host names and/or ports will be
-        rejected with a 400 response. (markt)
-      </add>
-      <fix>
-        Update the host validation to permit host names and components of domain
-        names (excluding top-level domains) to start with a number and to ensure
-        that top-level domains are fully alphabetic. (markt)
-      </fix>
-      <fix>
-        <bug>62053</bug>: Fix NPE when writing push headers with HTTP/2 NIO2.
-        Patch submitted by Holger Sunke. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        Include an HTTP <code>Allow</code> header when a JSP generates a
-        405 response due to a request with an unsupported method. (markt)
-      </fix>
-      <add>
-        Add support for the HTTP <code>OPTION</code> method to JSPs. The
-        JSP specification explicitly states that the behaviour for this
-        method is undefined for JSPs so this is a Tomcat specific
-        behaviour. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>62024</bug>: When closing a connection with an abnormal close,
-        close the socket immediately rather than waiting for a close message
-        from the client that may never arrive. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Webapps">
-    <changelog>
-      <fix>
-        <bug>62049</bug>: Fix missing class from manager 404 JSP error page.
-        (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <add>
-        Enhance the JMX support for jdbc-pool in order to expose
-        <code>PooledConnection</code> and <code>JdbcInterceptors</code>.
-        (kfujino)
-      </add>
-      <add>
-        Add MBean for <code>PooledConnection</code>. (kfujino)
-      </add>
-      <add>
-        <bug>62011</bug>: Add MBean for <code>StatementCache</code>. (kfujino)
-      </add>
-      <add>
-        Expose the cache size for each connection via JMX in
-        <code>StatementCache</code>. (kfujino)
-      </add>
-      <add>
-        Add MBean for <code>ResetAbandonedTimer</code>. (kfujino)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Update the list with the public interfaces in the RELEASE-NOTES.
-        (violetagg)
-      </update>
-      <update>
-        Update the NSIS Installer used to build the Windows installer to version
-        3.03. (kkolinko)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.4 (markt)" rtext="2018-01-22">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Correct a regression in the previous fix for <bug>61916</bug> that meant
-        that any call to <code>addHeader()</code> would have been replaced with
-        a call to <code>setHeader()</code> for all requests mapped to the
-        <code>AddDefaultCharsetFilter</code>. (markt)
-      </fix>
-      <fix>
-        <bug>61999</bug>: maxSavePostSize set to 0 should disable saving POST
-        data during authentication. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Fix NIO2 HTTP/2 sendfile. (remm)
-      </fix>
-      <fix>
-        <bug>61993</bug>: Improve handling for <code>ByteChunk</code> and
-        <code>CharChunk</code> instances that grow close to the maximum size
-        allowed by the JRE. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <add>
-        <bug>43925</bug>: Add a new system property
-        (<code>org.apache.jasper.runtime.BodyContentImpl.BUFFER_SIZE</code>) to
-        control the size of the buffer used by Jasper when buffering tag bodies.
-        (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        <bug>62006</bug>: Document the new <code>JvmOptions9</code> command line
-        parameter for <code>tomcat9.exe</code>. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.3 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        <bug>57619</bug>: Implement a small optimisation to how JAR URLs are
-        processed to reduce the storage of duplicate String objects in memory.
-        Patch provided by Dmitri Blinov. (markt)
-      </add>
-      <fix>
-        Add some missing NPEs to ServletContext. (remm)
-      </fix>
-      <fix>
-        Update the Java EE 8 XML schema to the released versions. (markt)
-      </fix>
-      <fix>
-        Minor HTTP/2 push fixes. (remm)
-      </fix>
-      <fix>
-        <bug>61916</bug>: Extend the <code>AddDefaultCharsetFilter</code> to add
-        a character set when the content type is set via
-        <code>setHeader()</code> or <code>addHeader()</code> as well as when it
-        is set via <code>setContentType()</code>. (markt)
-      </fix>
-      <fix>
-        When using WebDAV to copy a file resource to a destination that requires
-        a collection to be overwritten, ensure that the operation succeeds
-        rather than fails (with a 500 response). This enables Tomcat to pass two
-        additional tests from the Litmus WebDAV test suite. (markt)
-      </fix>
-      <update>
-        Modify the Default and WebDAV Servlets so that a 405 status code is
-        returned for <code>PUT</code> and <code>DELETE</code> requests when
-        disabled via the <code>readonly</code> initialisation parameter.
-      </update>
-      <fix>
-        Align the contents of the <code>Allow</code> header with the response
-        code for the Default and WebDAV Servlets. For any given resource a
-        method that returns a 405 status code will not be listed in the
-        <code>Allow</code> header and a method listed in the <code>Allow</code>
-        header will not return a 405 status code. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <add>
-        <bug>60276</bug>: Implement GZIP compression support for responses
-        served over HTTP/2. (markt)
-      </add>
-      <fix>
-        Do not call onDataAvailable without any data to read. (remm)
-      </fix>
-      <fix>
-        Correctly handle EOF when <code>ServletInputStream.isReady()</code> is
-        called. (markt)
-      </fix>
-      <fix>
-        <bug>61886</bug>: Log errors on non-container threads at
-        <code>DEBUG</code> rather than <code>INFO</code>. The exception will be
-        made available to the application via the asynchronous error handling
-        mechanism. (markt)
-      </fix>
-      <fix>
-        <bug>61914</bug>: Possible NPE with Java 9 when creating an SSL engine.
-        Patch submitted by Evgenij Ryazanov. (remm)
-      </fix>
-      <fix>
-        <bug>61918</bug>: Fix connectionLimitLatch counting when closing an
-        already closed socket. Based on a patch by Ryan Fong. (remm)
-      </fix>
-      <add>
-        Add support for the OpenSSL ARIA ciphers to the OpenSSL to JSSE
-        cipher mapping. (markt)
-      </add>
-      <fix>
-        <bug>61932</bug>: Allow a call to <code>AsyncContext.dispatch()</code>
-        to terminate non-blocking I/O. (markt)
-      </fix>
-      <fix>
-        <bug>61948</bug>: Improve the handling of malformed ClientHello messages
-        in the code that extracts the SNI information from a TLS handshake for
-        the JSSE based NIO and NIO2 connectors. (markt)
-      </fix>
-      <fix>
-        Fix NIO2 handshaking with a full input buffer. (remm)
-      </fix>
-      <add>
-        Return a simple, plain text error message if a client attempts to make a
-        plain text HTTP connection to a TLS enabled NIO or NIO2 Connector.
-        (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>61854</bug>: When using sets and/or maps in EL expressions, ensure
-        that Jasper correctly parses the expression. Patch provided by Ricardo
-        Martin Camarero. (markt)
-      </fix>
-      <fix>
-        Improve the handling of methods with varargs in EL expressions. In
-        particular, the calling of a varargs method with no parameters now works
-        correctly. Based on a patch by Nitkalya (Ing) Wiriyanuparb. (markt)
-      </fix>
-      <fix>
-        <bug>61945</bug>: Fix prototype mode used to compile tags. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <add>
-        <bug>61223</bug>: Add the mbeans-descriptors.dtd file to the custom
-        MBean documentation so users have a reference to use when constructing
-        mbeans-descriptors.xml files for custom components. (markt)
-      </add>
-      <add>
-        <bug>61565</bug>: Add the ability to trigger a reloading of TLS host
-        configuration (certificate and key files, server.xml is not re-parsed)
-        via the Manager web application. (markt)
-      </add>
-      <add>
-        <bug>61566</bug>: Expose the currently in use certificate chain and list
-        of trusted certificates for all virtual hosts configured using the JSSE
-        style (keystore) TLS configuration via the Manager web application.
-        (markt)
-      </add>
-      <fix>
-        Partial fix for <bug>61886</bug>. Ensure that multiple threads do not
-        attempt to complete the <code>AsyncContext</code> if an I/O error occurs
-        in the stock ticker example Servlet. (markt)
-      </fix>
-      <fix>
-        <bug>61886</bug>: Prevent <code>ConcurrentModificationException</code>
-        when running the asynchronous stock ticker in the examples web
-        application. (markt)
-      </fix>
-      <fix>
-        <bug>61886</bug>: Prevent <code>NullPointerException</code> and other
-        errors if the stock ticker example is running when the examples web
-        application is stopped. (markt)
-      </fix>
-      <fix>
-        <bug>61910</bug>: Clarify the meaning of the <code>allowLinking</code>
-        option in the documentation web application. (markt)
-      </fix>
-      <add>
-        Add OCSP configuration information to the SSL How-To. Patch provided by
-        Marek Czernek. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        <bug>61312</bug>: Prevent <code>NullPointerException</code> when using
-        the statement cache of connection that has been closed. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Add an additional system property for the system property replacement.
-        (remm)
-      </fix>
-      <fix>
-        Add missing SHA-512 hash for release artifacts to the build script.
-        (markt)
-      </fix>
-      <update>
-        Update the internal fork of Commons Pool 2 to 2.4.3. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons DBCP 2 to 8a71764 (2017-10-18) to
-        pick up some bug fixes and enhancements. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons FileUpload to 6c00d57 (2017-11-23)
-        to pick up some code clean-up. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons Codec to r1817136 to pick up some
-        code clean-up. (markt)
-      </update>
-      <fix>
-        The native source bundles (for Commons Daemon and Tomcat Native) are no
-        longer copied to the bin directory for the deploy target. They are now
-        only copied to the bin directory for the release target. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.2 (markt)" rtext="2017-11-30">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Fix possible <code>SecurityException</code> when using TLS related
-        request attributes. (markt)
-      </fix>
-      <fix>
-        <bug>61597</bug>: Extend the <code>StandardJarScanner</code> to scan
-        JARs on the module path when running on Java 9 and class path scanning
-        is enabled. (markt)
-      </fix>
-      <fix>
-        <bug>61601</bug>: Add support for multi-release JARs in JAR scanning and
-        web application class loading. (markt)
-      </fix>
-      <fix>
-        <bug>61681</bug>: Allow HTTP/2 push when using request wrapping. (remm)
-      </fix>
-      <add>
-        Provide the <code>SessionInitializerFilter</code> that can be used to
-        ensure that an HTTP session exists when initiating a WebSocket
-        connection. Patch provided by isapir. (markt)
-      </add>
-      <fix>
-        <bug>61682</bug>: When re-prioritising HTTP/2 streams, ensure that both
-        parent and children fields are correctly updated to avoid a possible
-        <code>StackOverflowError</code>. (markt)
-      </fix>
-      <fix>
-        Improve concurrency by reducing the scope of the synchronisation for
-        <code>javax.security.auth.message.config.AuthConfigFactory</code> in the
-        JASPIC API implementation. Based on a patch by Pavan Kumar. (markt)
-      </fix>
-      <fix>
-        Avoid a possible <code>NullPointerException</code> when timing out
-        <code>AsyncContext</code> instances during shut down. (markt)
-      </fix>
-      <fix>
-        <bug>61777</bug>: Avoid a <code>NullPointerException</code> when
-        detaching a JASPIC <code>RegistrationListener</code>. Patch provided by
-        Lazar. (markt)
-      </fix>
-      <fix>
-        <bug>61778</bug>: Correct the return value when detaching a JASPIC
-        <code>RegistrationListener</code>. Patch provided by Lazar. (markt)
-      </fix>
-      <fix>
-        <bug>61779</bug>: Avoid a <code>NullPointerException</code> when a
-        <code>null</code> <code>RegistrationListener</code> is passed to
-        <code>AuthConfigFactory.getConfigProvider()</code>. Patch provided by
-        Lazar. (markt)
-      </fix>
-      <fix>
-        <bug>61780</bug>: Only include the default JASPIC registration ID in the
-        return value for a call to
-        <code>AuthConfigFactory.getRegistrationIDs()</code> if a
-        <code>RegistrationContext</code> has been registered using the default
-        registration ID. Patch provided by Lazar. (markt)
-      </fix>
-      <fix>
-        <bug>61781</bug>: Enable JASPIC provider registrations to be persisted
-        when the layer and/or application context are <code>null</code>. Patch
-        provided by Lazar. (markt)
-      </fix>
-      <fix>
-        <bug>61782</bug>: When calling
-        <code>AuthConfigFactory.doRegisterConfigProvider()</code> and the
-        requested JASPIC config provider class is found by the web application
-        class loader, do not attempt to load the class with the class loader
-        that loaded the JASPIC API. Patch provided by Lazar. (markt)
-      </fix>
-      <fix>
-        <bug>61783</bug>: When calling
-        <code>AuthConfigFactory.removeRegistration()</code> and the registration
-        is persistent, it should be removed from the persistent store. Patch
-        provided by Lazar. (markt)
-      </fix>
-      <fix>
-        <bug>61784</bug>: Correctly handle the case when
-        <code>AuthConfigFactoryImpl.registerConfigProvider()</code> is called
-        with a provider name of <code>null</code>. Patch provided by Lazar.
-        (markt)
-      </fix>
-      <add>
-        <bug>61795</bug>: Add a property to the <code>Authenticator</code>
-        implementations to enable a custom JASPIC <code>CallbackHandler</code>
-        to be specified. Patch provided by Lazar. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        <bug>61568</bug>: Avoid a potential <code>SecurityException</code> when
-        using the NIO2 connector and a new thread is added to the pool. (markt)
-      </fix>
-      <fix>
-        <bug>61583</bug>: Correct a further regression in the fix to enable the
-        use of Java key stores that contained multiple keys that did not all
-        have the same password. This fixes PKCS11 key store handling with
-        multiple keys selected with an alias. (markt)
-      </fix>
-      <fix>
-        Improve NIO2 syncing for async IO operations. (remm)
-      </fix>
-      <add>
-        Sendfile support for HTTP/2 and NIO2. (remm)
-      </add>
-      <fix>
-        Reduce default HTTP/2 stream concurrent execution within a connection
-        from 200 to 20. (remm)
-      </fix>
-      <fix>
-        <bug>61668</bug>: Avoid a possible NPE when calling
-        <code>AbstractHttp11Protocol.getSSLProtocol()</code>. (markt)
-      </fix>
-      <fix>
-        <bug>61673</bug>: Avoid a possible
-        <code>ConcurrentModificationException</code> when working with the
-        streams associated with a connection. (markt)
-      </fix>
-      <fix>
-        <bug>61719</bug>: Avoid possible NPE calling
-        InputStream.setReadListener with HTTP/2. (remm)
-      </fix>
-      <fix>
-        <bug>61736</bug>: Improve performance of NIO connector when clients
-        leave large time gaps between network packets. Patch provided by Zilong
-        Song. (markt)
-      </fix>
-      <fix>
-        <bug>61740</bug>: Correct an off-by-one error in the Hpack header index
-        validation that caused intermittent request failures when using HTTP/2.
-        (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>61604</bug>: Fix SMAP generation for JSPs that generate no output.
-        (markt)
-      </fix>
-      <fix>
-        <bug>61816</bug>: Invalid expressions in attribute values or template
-        text should trigger a translation (compile time) error, not a run time
-        error. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>61604</bug>: Add support for authentication in the websocket
-        client. Patch submitted by J Fernandez. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Correct Javadoc links to point to Java SE 8 and Java EE 8. (markt)
-      </fix>
-      <fix>
-        Enable Javadoc to be built with Java 9. (markt)
-      </fix>
-      <fix>
-        <bug>61603</bug>: Add XML filtering for the status servlet output where
-        needed. (remm)
-      </fix>
-      <fix>
-        Correct the description of how the CGI servlet maps a request to a
-        script in the CGI How-To. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        Fix incorrect behavior that attempts to resend channel messages more
-        than the actual setting value of <code>maxRetryAttempts</code>.
-        (kfujino)
-      </fix>
-      <fix>
-        Ensure that the remaining Sender can send channel messages by avoiding
-        unintended <code>ChannelException</code> caused by comparing the number
-        of failed members and the number of remaining Senders. (kfujino)
-      </fix>
-      <fix>
-        Ensure that remaining SelectionKeys that were not handled by throwing a
-        <code>ChannelException</code> during SelectionKey processing are
-        handled. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Improve the fix for <bug>61439</bug> and exclude the JPA, JAX-WS and EJB
-        annotations completely from the Tomcat distributions. (markt)
-      </fix>
-      <fix>
-        Improve handling of endorsed directories. The endorsed directory
-        mechanism will only be used if the <code>JAVA_ENDORSED_DIRS</code>
-        system property is explicitly set or if
-        <code>$CATALINA_HOME/endorsed</code> exists. When running on Java 9, any
-        such attempted use of the endorsed directory mechanism will trigger an
-        error and Tomcat will fail to start. (rjung)
-      </fix>
-      <add>
-        <bug>51496</bug>: When using the Windows installer, check if the
-        requested service name already exists and, if it does, prompt the user
-        to select an alternative service name. Patch provided by Ralph
-        Plawetzki. (markt)
-      </add>
-      <fix>
-        <bug>61590</bug>: Enable <code>service.bat</code> to recognise when
-        <code>JAVA_HOME</code> is configured for a Java 9 JDK. (markt)
-      </fix>
-      <fix>
-        <bug>61598</bug>: Update the Windows installer to search the new (as of
-        Java 9) registry locations when looking for a JRE. (markt)
-      </fix>
-      <add>
-        Add generation of a SHA-512 hash for release artifacts to the build
-        script. (markt)
-      </add>
-      <fix>
-        <bug>61658</bug>: Update MIME mappings for fonts to use
-        <code>font/*</code> as per RFC8081. (markt)
-      </fix>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.16 to
-        pick up the latest Windows binaries built with APR 1.6.3 and OpenSSL
-        1.0.2m. (markt)
-      </update>
-      <update>
-        Update the NSIS Installer used to build the Windows installer to version
-        3.02.1. (kkolinko)
-      </update>
-      <update>
-        Update the Windows installer to use "The Apache Software Foundation" as
-        the Publisher when Tomcat is displayed in the list of installed
-        applications in Microsoft Windows. (kkolinko)
-      </update>
-      <fix>
-        <bug>61803</bug>: Remove outdated SSL information from the Security
-        documentation. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.1 (markt)" rtext="2017-09-30">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Use the correct path when loading the JVM <code>logging.properties</code>
-        file for Java 9. (rjung)
-      </fix>
-      <fix>
-        Add additional validation to the resource handling required to fix
-        CVE-2017-12617 on Windows. The checks were being performed elsewhere but
-        adding them to the resource handling ensures that the checks are always
-        performed. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        <bug>61563</bug>: Correct typos in Spanish translation. Patch provided by
-        Gonzalo Vásquez. (csutherl)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
-        uploaded via a specially crafted request when HTTP PUT was enabled.
-        (markt)
-      </fix>
-      <fix>
-        <bug>61554</bug>: Exclude test files in unusual encodings and markdown
-        files intended for display in GitHub from RAT analysis. Patch provided
-        by Chris Thistlethwaite. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <add>
-        <bug>60762</bug>: Add the ability to make changes to the TLS
-        configuration of a connector at runtime without having to restart the
-        Connector. (markt)
-      </add>
-      <add>
-        Add an option to reject requests that contain HTTP headers with invalid
-        (non-token) header names with a 400 response and reject such requests by
-        default. (markt)
-      </add>
-      <fix>
-        Implement the requirements of RFC 7230 (and RFC 2616) that HTTP/1.1
-        requests must include a <code>Host</code> header and any request that
-        does not must be rejected with a 400 response. (markt)
-      </fix>
-      <fix>
-        Implement the requirements of RFC 7230 that any HTTP/1.1 request that
-        specifies a host in the request line, must specify the same host in the
-        <code>Host</code> header and that any such request that does not, must
-        be rejected with a 400 response. This check is optional but enabled by
-        default. It may be disabled with the
-        <code>allowHostHeaderMismatch</code> attribute of the Connector. (markt)
-      </fix>
-      <fix>
-        Implement the requirements of RFC 7230 that any HTTP/1.1 request that
-        contains multiple <code>Host</code> headers is rejected with a 400
-        response. (markt)
-      </fix>
-      <update>
-        Add a way to set the property source in embedded mode. (remm)
-      </update>
-      <fix>
-        <bug>61557</bug>: Correct a further regression in the fix to enable the
-        use of Java key stores that contain multiple keys that do not all have
-        the same password. The regression broke support for some FIPS compliant
-        key stores. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        <bug>61545</bug>: Correctly handle invocations of methods defined in the
-        <code>PooledConnection</code> interface when using pooled XA
-        connections. Patch provided by Nils Winkler. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Update fix for <bug>59904</bug> so that values less than zero are accepted
-        instead of throwing a NegativeArraySizeException. (remm)
-      </fix>
-      <add>
-        Complete the implementation of the Servlet 4.0 specification. (markt)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M27 (markt)" rtext="2017-09-19">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Before generating an error page in the <code>ErrorReportValve</code>,
-        check to see if I/O is still permitted for the associated connection
-        before generating the error page so that the page generation can be
-        skipped if the page is never going to be sent. (markt)
-      </fix>
-      <add>
-        <bug>61189</bug>: Add the ability to set environment variables for
-        individual CGI scripts. Based on a patch by jm009. (markt)
-      </add>
-      <fix>
-        <bug>61210</bug>: When running under a SecurityManager, do not print a
-        warning about not being able to read a logging configuration file when
-        that file does not exist. (markt)
-      </fix>
-      <add>
-        <bug>61280</bug>: Add RFC 7617 support to the
-        <code>BasicAuthenticator</code>. Note that the default configuration
-        does not change the existing behaviour. (markt)
-      </add>
-      <fix>
-        <bug>61424</bug>: Avoid a possible <code>StackOverflowError</code> when
-        running under a <code>SecurityManager</code> and using
-        <code>Subject.doAs()</code>. (markt)
-      </fix>
-      <add>
-        When running under Java 9 or later, and the
-        <code>urlCacheProtection</code> option of the
-        <code>JreMemoryLeakPreventionListener</code> is enabled, use the API
-        added in Java 9 to only disable the caching for JAR URL connections.
-        (markt)
-      </add>
-      <add>
-        <bug>61489</bug>: When using the CGI servlet, make the generation of
-        command line arguments from the query string (as per section 4.4 of RFC
-        3875) optional and disabled by default. Based on a patch by jm009.
-        (markt)
-      </add>
-      <fix>
-        <bug>61503</bug>: This corrects a potential regression in the fix for
-        <bug>60940</bug> with an alternative solution that adds the
-        <code>JarEntry</code> objects normally skipped by a
-        <code>JarInputStream</code> only if those entries exist. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <update>
-        The minimum required Tomcat Native version has been increased to 1.2.14.
-        This version includes a new API needed for correct client certificate
-        support when using a Java connector with OpenSSL TLS implementation and
-        support for the <code>SSL_CONF</code> OpenSSL API. (rjung)
-      </update>
-      <add>
-        Add support for the OpenSSL <code>SSL_CONF</code> API when using
-        TLS with OpenSSL implementation. It can be used by adding
-        <code>OpenSSLConf</code> elements underneath <code>SSLHostConfig</code>.
-        The new element contains a list of <code>OpenSSLConfCmd</code> elements,
-        each with the attributes <code>name</code> and <code>value</code>.
-        (rjung)
-      </add>
-      <fix>
-        When using a Java connector in combination with the OpenSSL TLS
-        implementation, do not configure each SSL connection object via
-        the OpenSSLEngine. For OpenSSL the SSL object inherits its
-        settings from the SSL_CTX which we have already configured.
-        (rjung)
-      </fix>
-      <fix>
-        When using JSSE TLS configuration with the OpenSSL implementation and
-        client certificates: include client CA subjects in the TLS handshake
-        so that the client can choose an appropriate client certificate to
-        present. (rjung)
-      </fix>
-      <fix>
-        If an invalid option is specified for the
-        <code>certificateVerification</code> attribute of an
-        <code>SSLHostConfig</code> element, treat it as <code>required</code>
-        which is the most secure / restrictive option in addition to reporting
-        the configuration error. (markt)
-      </fix>
-      <fix>
-        Improve the handling of client disconnections during the TLS
-        renegotiation handshake. (markt)
-      </fix>
-      <fix>
-        Prevent exceptions being thrown during normal shutdown of NIO
-        connections. This enables TLS connections to close cleanly. (markt)
-      </fix>
-      <fix>
-        Fix possible race condition when setting IO listeners on an upgraded
-        connection. (remm)
-      </fix>
-      <fix>
-        Ensure that the APR/native connector uses blocking I/O for TLS
-        renegotiation. (markt)
-      </fix>
-      <fix>
-        <bug>48655</bug>: Enable Tomcat to shutdown cleanly when using sendfile,
-        the APR/native connector and a multi-part download is in progress.
-        (markt)
-      </fix>
-      <fix>
-        <bug>58244</bug>: Handle the case when OpenSSL resumes a TLS session
-        using a ticket and the full client certificate chain is not available.
-        In this case the client certificate without the chain will be presented
-        to the application. (markt)
-      </fix>
-      <fix>
-        Improve the warning message when JSSE and OpenSSL configuration styles
-        are mixed on the same <code>SSLHostConfig</code>. (markt)
-      </fix>
-      <fix>
-        <bug>61415</bug>: Fix TLS renegotiation with OpenSSL based connections
-        and session caching. (markt)
-      </fix>
-      <fix>
-        Delay checking that the configured attributes for an
-        <code>SSLHostConfig</code> instance are consistent with the configured
-        SSL implementation until <code>Connector</code> start to avoid incorrect
-        warnings when the SSL implementation changes during initialisation.
-        (markt)
-      </fix>
-      <fix>
-        <bug>61450</bug>: Fix default key alias algorithm. (remm)
-      </fix>
-      <fix>
-        <bug>61451</bug>: Correct a regression in the fix to enable the use of
-        Java key stores that contained multiple keys that did not all have the
-        same password. The regression broke support for any key store that did
-        not store keys in PKCS #8 format such as hardware key stores and Windows
-        key stores. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>60523</bug>: Reduce the number of packets used to send WebSocket
-        messages by not flushing between the header and the payload when the
-        two are written together. (markt)
-      </fix>
-      <fix>
-        <bug>61491</bug>: When using the <code>permessage-deflate</code>
-        extension, correctly handle the sending of empty messages after
-        non-empty messages to avoid the <code>IllegalArgumentException</code>.
-        (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Show connector cipher list in the manager web application in the
-        correct cipher order. (rjung)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        To avoid unexpected session timeout notification from backup session,
-        update the access time when receiving the map member notification
-        message. (kfujino)
-      </fix>
-      <fix>
-        Add member info to the log message when the failure detection check
-        fails in <code>TcpFailureDetector</code>. (kfujino)
-      </fix>
-      <fix>
-        Avoid Ping timeout until the added map member by receiving
-        <code>MSG_START</code> message is completely started. (kfujino)
-      </fix>
-      <fix>
-        When sending a channel message, make sure that the Sender has connected.
-        (kfujino)
-      </fix>
-      <fix>
-        Correct the backup node selection logic that node 0 is returned twice
-        consecutively. (kfujino)
-      </fix>
-      <fix>
-        Fix race condition of <code>responseMap</code> in
-        <code>RpcChannel</code>. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        <bug>61391</bug>: Ensure that failed queries are logged if the
-        <code>SlowQueryReport</code> interceptor is configured to do so and the
-        connection has been abandoned. Patch provided by Craig Webb. (markt)
-      </fix>
-      <fix>
-        <bug>61425</bug>: Ensure that transaction of idle connection has
-        terminated  when the <code>testWhileIdle</code> is set to
-        <code>true</code> and <code>defaultAutoCommit</code> is set to
-        <code>false</code>. Patch provided by WangZheng. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        <bug>61419</bug>: Replace a Unix style comment in the DOS bat file
-        <code>catalina.bat</code> with the correct <code>rem</code> markup.
-        (rjung)
-      </fix>
-      <fix>
-        <bug>61439</bug>: Remove the Java Annotation API classes from
-        tomcat-embed-core.jar and package them in a separate JAR in the
-        embedded distribution to provide end users with greater flexibility to
-        handle potential conflicts with the JRE and/or other JARs. (markt)
-      </fix>
-      <fix>
-        <bug>61441</bug>: Improve the detection of <code>JAVA_HOME</code> by the
-        <code>daemon.sh</code> script when running on a platform where Java has
-        been installed from an RPM. (rjung)
-      </fix>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.14 to
-        pick up the latest Windows binaries built with APR 1.6.2 and OpenSSL
-        1.0.2l. (markt)
-      </update>
-      <update>
-        <bug>61599</bug>: Update to Commons Daemon 1.1.0 for improved Java 9
-        support. (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M26 (markt)" rtext="2017-08-08">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Correct multiple regressions in the fix for <bug>49464</bug> that could
-        corrupt static content served by the <code>DefaultServlet</code>.(markt)
-      </fix>
-      <fix>
-        Correct a bug in the <code>PushBuilder</code> implementation that
-        meant push URLs containing <code>%nn</code> sequences were not correctly
-        decoded. Identified by FindBugs. (markt)
-      </fix>
-      <add>
-        <bug>61164</bug>: Add support for the <code>%X</code> pattern in the
-        <code>AccessLogValve</code> that reports the connection status at the
-        end of the request. Patch provided by Zemian Deng. (markt)
-      </add>
-      <fix>
-        <bug>61351</bug>: Correctly handle %nn decoding of URL patterns in
-        web.xml and similar locations that may legitimately contain characters
-        that are not permitted by RFC 3986. (markt)
-      </fix>
-      <add>
-        <bug>61366</bug>: Add a new attribute, <code>localDataSource</code>, to
-        the <code>JDBCStore</code> that allows the Store to be configured to use
-        a DataSource defined by the web application rather than the default of
-        using a globally defined DataSource. Patch provided by Jonathan
-        Horowitz. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        <bug>61086</bug>: Ensure to explicitly signal an empty request body for
-        HTTP 205 responses. Additional fix to r1795278. Based on a patch
-        provided by Alexandr Saperov. (violetagg)
-      </fix>
-      <update>
-        <bug>61345</bug>: Add a server listener that can be used to do system
-        property replacement from the property source configured in the
-        digester. (remm)
-      </update>
-      <add>
-        Add additional logging to record problems that occur while waiting for
-        the NIO pollers to stop during the Connector stop process. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>61364</bug>: Ensure that files are closed after detecting encoding
-        of JSPs so that files do not remain locked by the file system. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <add>
-        <bug>57767</bug>: Add support to the WebSocket client for following
-        redirects when attempting to establish a WebSocket connection. Patch
-        provided by J Fernandez. (markt)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M25 (markt)" rtext="2017-07-28">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Performance improvements for service loader look-ups (and look-ups of
-        other class loader resources) when the web application is deployed in a
-        packed WAR file. (markt)
-      </fix>
-      <fix>
-        <bug>60963</bug>: Add <code>ExtractingRoot</code>, a new
-        <code>WebResourceRoot</code> implementation that extracts JARs to the
-        work directory for improved performance when deploying packed WAR files.
-        (markt)
-      </fix>
-      <fix>
-        <bug>61253</bug>: Add warn message when Digester.updateAttributes
-        throws an exception instead of ignoring it. (csutherl)
-      </fix>
-      <fix>
-        Correct a further regression in the fix for <bug>49464</bug> that could
-        cause an byte order mark character to appear at the start of content
-        included by the <code>DefaultServlet</code>. (markt)
-      </fix>
-      <fix>
-        <bug>61313</bug>: Make the read timeout configurable in the
-        <code>JNDIRealm</code> and ensure that a read timeout will result in an
-        attempt to fail over to the alternateURL. Based on patches by Peter
-        Maloney and Felix Schumacher. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Correct the documentation for how <code>StandardRoot</code> is
-        configured. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        <bug>61316</bug>: Fix corruption of UTF-16 encoded source files in
-        released source distributions. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M24 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        <bug>52924</bug>: Add support for a Tomcat specific deployment
-        descriptor, <code>/WEB-INF/tomcat-web.xml</code>. This descriptor has an
-        identical format to <code>/WEB-INF/web.xml</code>. The Tomcat descriptor
-        takes precedence over any settings in <code>conf/web.xml</code> but does
-        not take precedence over any settings in <code>/WEB-INF/web.xml</code>.
-        (markt)
-      </add>
-      <fix>
-        <bug>61232</bug>: When log rotation is disabled only one separator will
-        be used when generating the log file name. For example if the prefix is
-        <code>catalina.</code> and the suffix is <code>.log</code> then the log
-        file name will be <code>catalina.log</code> instead of
-        <code>catalina..log</code>. Patch provided by Katya Stoycheva.
-        (violetagg)
-      </fix>
-      <fix>
-        <bug>61264</bug>: Correct a regression in the refactoring to use
-        <code>Charset</code> rather than <code>String</code> to store request
-        character encoding that prevented <code>getReader()</code> throwing an
-        <code>UnsupportedEncodingException</code> if the user agent specifies
-        an unsupported character encoding. (markt)
-      </fix>
-      <fix>
-        Correct a regression in the fix for <bug>49464</bug> that could cause an
-        incorrect <code>Content-Length</code> header to be sent by the
-        <code>DefaultServlet</code> if the encoding of a static is not
-        consistent with the encoding of the response. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Enable TLS connectors to use Java key stores that contain multiple keys
-        where each key has a separate password. Based on a patch by Frank
-        Taffelt. (markt)
-      </fix>
-      <fix>
-        Improve the handling of HTTP/2 stream resets due to excessive headers
-        when a continuation frame is used. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <add>
-        <bug>53031</bug>: Add support for the <code>fork</code> option when
-        compiling JSPs with the Jasper Ant task and javac. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <add>
-        <bug>52791</bug>: Add the ability to set the defaults used by the
-        Windows installer from a configuration file. Patch provided by Sandra
-        Madden. (markt)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M23 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>49464</bug>: Improve the Default Servlet's handling of static files
-        when the file encoding is not compatible with the required response
-        encoding. (markt)
-      </fix>
-      <fix>
-        <bug>61214</bug>: Remove deleted attribute <code>servlets</code> from
-        the Context MBean description. Patch provided by Alexis Hassler. (markt)
-      </fix>
-      <fix>
-        <bug>61215</bug>: Correctly define <code>addConnectorPort</code> and
-        <code>invalidAuthenticationWhenDeny</code> in the
-        <code>mbean-descriptors.xml</code> file for the
-        <code>org.apache.catalina.valves</code> package so that the attributes
-        are accessible via JMX. (markt)
-      </fix>
-      <fix>
-        <bug>61216</bug>: Improve layout for <code>CompositeData</code> and
-        <code>TabularData</code> when viewing via the JMX proxy servlet. Patch
-        provided by Alexis Hassler. (markt)
-      </fix>
-      <fix>
-        Additional permission for deleting files is granted to JULI as it is
-        required by FileHandler when running under a Security Manager. The
-        thread that cleans the log files is marked as daemon thread.
-        (violetagg)
-      </fix>
-      <fix>
-        <bug>61229</bug>: Correct a regression in 9.0.0.M21 that broke WebDAV
-        handling for resources with names that included a <code>&amp;</code>
-        character. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Restore the ability to configure support for SSLv3. Enabling this
-        protocol will trigger a warning in the logs since it is known to be
-        insecure. (markt)
-      </fix>
-      <add>
-        Add LoadBalancerDrainingValve, a Valve designed to reduce the amount of
-        time required for a node to drain its authenticated users. (schultz)
-      </add>
-      <fix>
-        Do not log a warning when a <code>null</code> session is returned for an
-        OpenSSL based TLS session since this is expected when session tickets
-        are enabled. (markt)
-      </fix>
-      <fix>
-        When the access log valve logs a TLS related request attribute and the
-        NIO2 connector is used with OpenSSL, ensure that the TLS attributes are
-        available to the access log valve when the connection is closing.
-        (markt)
-      </fix>
-      <fix>
-        <bug>60461</bug>: Sync SSL session access for the APR connector. (remm)
-      </fix>
-      <fix>
-        <bug>61224</bug>: Make the <code>GlobalRequestProcessor</code> MBean
-        attributes read-only. Patch provided by Alexis Hassler. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>49176</bug>: When generating JSP runtime error messages that quote
-        the relevant JSP source code, switch from using the results of the JSP
-        page parsing process to using the JSR 045 source map data to identify
-        the correct part of the JSP source from the stack trace. This
-        significantly reduces the memory footprint of Jasper in development
-        mode, provides a small performance improvement for error page generation
-        and enables source quotes to continue to be provided after a Tomcat
-        restart. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Remove references to the Loader attribute
-        <code>searchExternalFirst</code> from the documentation since the
-        attribute is no longer supported. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <add>
-        <bug>51513</bug>: Add support for the <code>compressionMinSize</code>
-        attribute to the <code>GzipInterceptor</code>, add optional statistics
-        collection and expose the Interceptor over JMX. Based on a patch by
-        Christian Stöber. (markt)
-      </add>
-      <add>
-        <bug>61127</bug>: Allow human-readable names for channelSendOptions and
-        mapSendOptions. Patch provided by Igal Sapir. (schultz)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <scode>
-        Restore the local definition of the web service annotations since the
-        JRE provided versions are deprecated and Java 9 does not provide them by
-        default. (markt)
-      </scode>
-      <fix>
-        Add necessary Java 9 configuration options to the startup scripts to
-        prevent warnings being generated on web application stop. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M22 (markt)" rtext="2017-06-26">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>48543</bug>: Add the option to specify an alternative file name for
-        the <code>catalina.config</code> system property. Also document that
-        relative, as well as absolute, URLs are permitted. (markt)
-      </fix>
-      <fix>
-        <bug>61072</bug>: Respect the documentation statements that allow
-        using the platform default secure random for session id generation.
-        (remm)
-      </fix>
-      <fix>
-        Correct the javadoc for
-        <code>o.a.c.connector.CoyoteAdapter#parseSessionCookiesId</code>.
-        Patch provided by John Andrew (XUZHOUWANG) via Github. (violetagg)
-      </fix>
-      <fix>
-        <bug>61101</bug>: CORS filter should set Vary header in response.
-        Submitted by Rick Riemer. (remm)
-      </fix>
-      <add>
-        <bug>61105</bug>: Add a new JULI FileHandler configuration for
-        specifying the maximum number of days to keep the log files. By default
-        the log files will be kept 90 days as configured in
-        <code>logging.properties</code>. (violetagg)
-      </add>
-      <update>
-        Update the Servlet 4.0 implementation to add support for setting
-        trailer fields for HTTP responses. (markt)
-      </update>
-      <fix>
-        <bug>61125</bug>: Ensure that <code>WarURLConnection</code> returns the
-        correct value for calls to <code>getLastModified()</code> as this is
-        required for the correct detection of JSP modifications when the JSP is
-        packaged in a WAR file. (markt)
-      </fix>
-      <fix>
-        Improve the <code>SSLValve</code> so it is able to handle client
-        certificate headers from Nginx. Based on a patch by Lucas Ventura Carro.
-        (markt)
-      </fix>
-      <fix>
-        <bug>61134</bug>: Do not use '[' and ']' symbols around substituted
-        text fragments when generating the default error pages. Patch provided
-        by Katya Todorova. (violetagg)
-      </fix>
-      <fix>
-        <bug>61154</bug>: Allow the Manager and Host Manager web applications to
-        start by default when running under a security manager. This was
-        accomplished by adding a custom permission,
-        <code>org.apache.catalina.security.DeployXmlPermission</code>, that
-        permits an application to use a <code>META-INF/context.xml</code> file
-        and then granting that permission to the Manager and Host Manager.
-        (markt)
-      </fix>
-      <fix>
-        <bug>61173</bug>: Polish the javadoc for
-        <code>o.a.catalina.startup.Tomcat</code>. Patch provided by
-        peterhansson_se. (violetagg)
-      </fix>
-      <add>
-        A new configuration property <code>crawlerIps</code> is added to the
-        <code>o.a.catalina.valves.CrawlerSessionManagerValve</code>. Using this
-        property one can specify a regular expression that will be used to
-        identify crawlers based on their IP address. Based on a patch provided
-        by Tetradeus. (violetagg)
-      </add>
-      <fix>
-        <bug>61180</bug>: Log a warning message rather than an information
-        message if it takes more than 100ms to initialised a
-        <code>SecureRandom</code> instance for a web application to use to
-        generate session identifiers. Patch provided by Piotr Chlebda. (markt)
-      </fix>
-      <fix>
-        <bug>61185</bug>: When an asynchronous request is dispatched via
-        <code>AsyncContext.dispatch()</code> ensure that
-        <code>getRequestURI()</code> for the dispatched request matches that of
-        the original request. (markt)
-      </fix>
-      <fix>
-        <bug>61197</bug>: Ensure that the charset name used in the
-        <code>Content-Type</code> header has exactly the same form as that
-        provided by the application. This reverts a behavioural change in
-        9.0.0.M21 that caused problems for some clients. (markt)
-      </fix>
-      <fix>
-        <bug>61201</bug>: Ensure that the <code>SCRIPT_NAME</code> environment
-        variable for CGI executables is populated in a consistent way regardless
-        of how the CGI servlet is mapped to a request. (markt)
-      </fix>
-      <fix>
-        Ensure to send a space between trailer field name and field value
-        for HTTP responses trailer fields. (huxing)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        <bug>61086</bug>: Explicitly signal an empty request body for HTTP 205
-        responses. (markt)
-      </fix>
-      <fix>
-        <bug>61120</bug>: Do not ignore path parameters when processing HTTP/2
-        requests. (markt)
-      </fix>
-      <fix>
-        Revert a change introduced in the fix for bug <bug>60718</bug> that
-        changed the status code recorded in the access log when the client
-        dropped the connection from 200 to 500. (markt)
-      </fix>
-      <fix>
-        Make asynchronous error handling more robust. In particular ensure that
-        <code>onError()</code> is called for any registered
-        <code>AsyncListener</code>s after an I/O error on a non-container
-        thread. (markt)
-      </fix>
-      <fix>
-        Add additional syncs to the SSL session object provided by the OpenSSL
-        engine so that a concurrent destruction cannot cause a JVM crash.
-        (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>44787</bug>: Improve error message when JSP compiler configuration
-        options are not valid. (markt)
-      </fix>
-      <add>
-        <bug>45931</bug>: Extend Jasper's <code>timeSpaces</code> option to add
-        support for <code>single</code> which replaces template text that
-        consists entirely of whitespace with a single space character. Based on
-        a patch by Meetesh Karia. (markt)
-      </add>
-      <fix>
-        <bug>53011</bug>: When pre-compiling with JspC, report all compilation
-        errors rather than stopping after the first error. A new option
-        <code>-failFast</code> can be used to restore the previous behaviour of
-        stopping after the first error. Based on a patch provided by Marc Pompl.
-        (markt)
-      </fix>
-      <fix>
-        <bug>61137</bug>: <code>j.s.jsp.tagext.TagLibraryInfo#uri</code> and
-        <code>j.s.jsp.tagext.TagLibraryInfo#prefix</code> fields should not be
-        final. Patch provided by Katya Todorova. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        Correct the log message when a <code>MessageHandler</code> for
-        <code>PongMessage</code> does not implement
-        <code>MessageHandler.Whole</code>. (rjung)
-      </fix>
-      <fix>
-        Improve thread-safety of <code>Future</code>s used to report the result
-        of sending WebSocket messages. (markt)
-      </fix>
-      <fix>
-        <bug>61183</bug>: Correct a regression in the previous fix for
-        <bug>58624</bug> that could trigger a deadlock depending on the locking
-        strategy employed by the client code. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Better document the meaning of the trimSpaces option for Jasper. (markt)
-      </fix>
-      <fix>
-        <bug>61150</bug>: Configure the Manager and Host-Manager web
-        applications to permit serialization and deserialization of
-        CRSFPreventionFilter related session objects to avoid warning messages
-        and/or stack traces on web application stop and/or start when running
-        under a security manager. (markt)
-      </fix>
-      <fix>
-        Correct the TLS configuration documentation to remove SSLv2 and SSLv3
-        from the list of supported protocols. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <add>
-        <bug>45832</bug>: Add HTTP DIGEST authentication support to the Catalina
-        Ant tasks used to communicate with the Manager application. (markt)
-      </add>
-      <fix>
-        <bug>45879</bug>: Add the <code>RELEASE-NOTES</code> file to the root of
-        the installation created by the Tomcat installer for Windows to make it
-        easier for users to identify the installed Tomcat version. (markt)
-      </fix>
-      <fix>
-        <bug>61055</bug>: Clarify the code comments in the rewrite valve to make
-        clear that there are no plans to provide proxy support for this valve
-        since Tomcat does not have proxy capabilities. (markt)
-      </fix>
-      <fix>
-        <bug>61076</bug>: Document the <code>altDDName</code> attribute for the
-        <code>Context</code> element. (markt)
-      </fix>
-      <fix>
-        Correct typo in Jar Scan Filter Configuration Reference.
-        Issue reported via comments.apache.org. (violetagg)
-      </fix>
-      <fix>
-        Correct the requirement for the minimum Java SE version in Application
-        Developer's Guide. Issue reported via comments.apache.org. (violetagg)
-      </fix>
-      <fix>
-        <bug>61145</bug>: Add missing <code>@Documented</code> annotation to
-        annotations in the annotations API. Patch provided by Katya Todorova.
-        (markt)
-      </fix>
-      <fix>
-        <bug>61146</bug>: Add missing <code>lookup()</code> method to
-        <code>@EJB</code> annotation in the annotations API. Patch provided by
-        Katya Todorova. (markt)
-      </fix>
-      <fix>
-        Correct typo in Context Container Configuration Reference.
-        Patch provided by Katya Todorova. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M21 (markt)" rtext="2017-05-10">
-  <subsection name="General">
-    <changelog>
-      <add>
-        Allow to exclude JUnit test classes using the build property
-        <code>test.exclude</code> and document the property in
-        BUILDING.txt. (rjung)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Review those places where Tomcat re-encodes a URI or URI component and
-        ensure that the correct encoding (path differs from query string) is
-        applied and that the encoding is applied consistently. (markt)
-      </fix>
-      <fix>
-        Avoid a <code>NullPointerException</code> when reading attributes for a
-        initialised HTTP connector where TLS is enabled. (markt)
-      </fix>
-      <fix>
-        Always quote the <code>hostName</code> of an <code>SSLHostConfig</code>
-        element when using it as part of the JMX object name to avoid errors that
-        prevent the associated TLS connector from starting if a wild card
-        <code>hostName</code> is configured (because <code>*</code> is a
-        reserved character for JMX object names). (markt)
-      </fix>
-      <update>
-        Update the default <code>URIEncoding</code> for a <code>Connector</code>
-        to <code>UTF-8</code> as required by the Servlet 4.0 specification.
-        (markt)
-      </update>
-      <scode>
-        Switch to using <code>Charset</code> rather than <code>String</code> to
-        store encoding settings (including for configuration and for the
-        <code>Content-Type header</code>) to reduce the number of places the
-        associated <code>Charset</code> needs to be looked up. (markt)
-      </scode>
-      <fix>
-        Use a more reliable mechanism for the <code>DefaultServlet</code> when
-        determining if the current request is for custom error page or not.
-        (markt)
-      </fix>
-      <fix>
-        Ensure that when the Default or WebDAV servlets process an error
-        dispatch that the error resource is processed via the
-        <code>doGet()</code> method irrespective of the method used for the
-        original request that triggered the error. (markt)
-      </fix>
-      <fix>
-        If a static custom error page is specified that does not exist or cannot
-        be read, ensure that the intended error status is returned rather than a
-        404 or 403. (markt)
-      </fix>
-      <fix>
-        When the WebDAV servlet is configured and an error dispatch is made to a
-        custom error page located below <code>WEB-INF</code>, ensure that the
-        target error page is displayed rather than a 404 response. (markt)
-      </fix>
-      <update>
-        Update the Servlet 4.0 implementation to add support for obtaining
-        trailer fields from chunked HTTP requests. (markt)
-      </update>
-      <add>
-        <bug>61047</bug>: Add MIME mapping for woff2 fonts in the default
-        web.xml. Patch provided by Justin Williamson. (violetagg)
-      </add>
-      <fix>
-        Correct the logic that selects the encoding to use to decode the query
-        string in the <code>SSIServletExternalResolver</code> so that the
-        <code>useBodyEncodingForURI</code> attribute of the
-        <code>Connector</code> is correctly taken into account. (markt)
-      </fix>
-      <fix>
-        Within the Expires filter, make the content type value specified with the
-        <code>ExpiresByType</code> parameter, case insensitive. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        When a <code>TrustManager</code> is configured that does not support
-        <code>certificateVerificationDepth</code> only log a warning about that
-        lack of support when <code>certificateVerificationDepth</code> has been
-        explicitly set. (markt)
-      </fix>
-      <fix>
-        <bug>60970</bug>: Extend the fix for large headers to push requests.
-        (markt)
-      </fix>
-      <fix>
-        Do not include a <code>Date</code> header in HTTP/2 responses with
-        status codes less than 200. (markt)
-      </fix>
-      <fix>
-        When sending an HTTP/2 push promise with the NIO2 connector, the pushed
-        stream ID should only be included with the initial push promise frame
-        and not any subsequent continuation frames. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        When no BOM is present and an encoding is detected, do not skip the
-        bytes used to detect the encoding since they are not part of a BOM.
-        (markt)
-      </fix>
-      <update>
-        <bug>61057</bug>: Update to Eclipse JDT Compiler 4.6.3. (violetagg)
-      </update>
-      <fix>
-        <bug>61065</bug>: Ensure that once the class is resolved by
-        <code>jakarta.el.ImportHandler#resolveClass</code> it will be cached with
-        the proper name. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <add>
-        Introduce new API <code>o.a.tomcat.websocket.WsSession#suspend</code>/
-        <code>o.a.tomcat.websocket.WsSession#resume</code> that can be used to
-        suspend/resume reading of the incoming messages. (violetagg)
-      </add>
-      <fix>
-        <bug>61003</bug>: Ensure the flags for reading/writing in
-        <code>o.a.t.websocket.AsyncChannelWrapperSecure</code> are correctly
-        reset even if some exceptions occurred during processing. (markt/violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web Applications">
-    <changelog>
-      <add>
-        Add documents for <code>maxIdleTime</code> attribute to Channel Receiver
-        docs. (kfujino)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <add>
-        Add features to get the statistics of the thread pool of the
-        <code>Receiver</code> component and
-        <code>MessageDispatchInterceptor</code>. These statistics information
-        can be acquired via JMX. (kfujino)
-      </add>
-      <add>
-        Add <code>maxIdleTime</code> attribute to <code>NioReceiverMBean</code>
-        in order to expose to JMX. (kfujino)
-      </add>
-      <add>
-        Add JMX support for <code>Channel Interceptors</code>. The Interceptors
-        that implement JMX support are <code>TcpFailureDetector</code>,
-        <code>ThroughputInterceptor</code>, <code>TcpPingInterceptor</code>,
-        <code>StaticMembershipInterceptor</code>,
-        <code>MessageDispatchInterceptor</code> and
-        <code>DomainFilterInterceptor</code>. (kfujino)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <add>
-        Modify the Ant build script used to publish to a Maven repository so
-        that it no longer requires artifacts to be GPG signed. This is make it
-        possible for the CI system to upload snapshot builds to the ASF Maven
-        repository. (markt)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M20 (markt)" rtext="2017-04-18">
-  <subsection name="Catalina">
-    <changelog>
-      <update>
-        Update the Servlet 4.0 API implementation to reflect the change in
-        method name from <code>getPushBuilder()</code> to
-        <code>newPushBuilder()</code>. (markt)
-      </update>
-      <fix>
-        Correct various edge cases in the new HTTP Host header validation
-        parser. Patch provided by Katya Todorova. (martk)
-      </fix>
-      <fix>
-        Correct a regression in the X to comma refactoring that broke JMX
-        operations that take parameters. (markt)
-      </fix>
-      <fix>
-        Avoid a <code>NullPointerException</code> when reading attributes for a
-        running HTTP connector where TLS is not enabled. (markt)
-      </fix>
-      <fix>
-        <bug>47214</bug>: Refactor code so that explicitly referenced inner
-        classes are given explicit names rather than being anonymous. (markt)
-      </fix>
-      <fix>
-        <bug>59825</bug>: Log a message that lists the components in the
-        processing chain that do not support async processing when a call to
-        <code>ServletRequest.startAsync()</code> fails. (markt)
-      </fix>
-      <fix>
-        <bug>60940</bug>: Improve the handling of the <code>META-INF/</code> and
-        <code>META-INF/MANIFEST.MF</code> entries for Jar files located in
-        <code>/WEB-INF/lib</code> when running a web application from a packed
-        WAR file. (markt)
-      </fix>
-      <fix>
-        Pre-load the <code>ExceptionUtils</code> class. Since the class is used
-        extensively in error handling, it is prudent to pre-load it to avoid any
-        failure to load this class masking the true problem during error
-        handling. (markt)
-      </fix>
-      <fix>
-        Avoid potential <code>NullPointerException</code>s related to access
-        logging during shutdown, some of which have been observed when running
-        the unit tests. (markt)
-      </fix>
-      <fix>
-        When there is no <code>javax.servlet.WriteListener</code> registered
-        then a call to <code>javax.servlet.ServletOutputStream#isReady</code>
-        will return <code>false</code> instead of throwing
-        <code>IllegalStateException</code>. (violetagg)
-      </fix>
-      <fix>
-        When there is no <code>javax.servlet.ReadListener</code> registered
-        then a call to <code>javax.servlet.ServletInputStream#isReady</code>
-        will return <code>false</code> instead of throwing
-        <code>IllegalStateException</code>. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Align cipher configuration parsing with current OpenSSL master. (markt)
-      </fix>
-      <fix>
-        <bug>60970</bug>: Fix infinite loop if application tries to write a
-        large header to the response when using HTTP/2. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>47214</bug>: Refactor code so that explicitly referenced inner
-        classes are given explicit names rather than being anonymous. (markt)
-      </fix>
-      <fix>
-        <bug>60925</bug>: Improve the handling of access to properties defined
-        by interfaces when a <code>BeanELResolver</code> is used under a
-        <code>SecurityManager</code>. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <add>
-        Add JMX support for Tribes components. (kfujino)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <scode>
-        Refactor the creating a constructor for a proxy class to reduce
-        duplicate code. (kfujino)
-      </scode>
-      <fix>
-        In <code>StatementFacade</code>, the method call on the statements that
-        have been closed throw <code>SQLException</code> rather than
-        <code>NullPointerException</code>. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        <bug>60932</bug>: Correctly escape single quotes when used in i18n
-        messages. Based on a patch by Michael Osipov. (markt)
-      </fix>
-      <scode>
-        Review i18n property files, remove unnecessary escaping and consistently
-        use <code>[...]</code> to delimit inserted values. (markt)
-      </scode>
-      <fix>
-        Update the custom Ant task that integrates with the Symantec code
-        signing service to use the now mandatory 2-factor authentication.
-        (markt)
-      </fix>
-      <scode>
-        Refactoring in preparation for Java 9. Refactor to avoid using some
-        methods that will be deprecated in Java 9 onwards. (markt)
-      </scode>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M19 (markt)" rtext="2017-03-30">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        <bug>54618</bug>: Add support to the
-        <code>HttpHeaderSecurityFilter</code> for the HSTS preload parameter.
-        (markt)
-      </add>
-      <fix>
-        Correct a bug in the implementation of the Servlet 4.0 feature that
-        allows specifying a default request and/or response character encoding
-        per web application. <code>null</code> values passed via the
-        programmatic interface no longer trigger a
-        <code>NullPointerException</code>. (markt)
-      </fix>
-      <fix>
-        Correct a potential exception during shutdown when one or more
-        Containers are configured with a value of 1 for startStopThreads.
-        (markt)
-      </fix>
-      <fix>
-        <bug>60853</bug>: Expose the <code>SSLHostConfig</code> and
-        <code>SSLHostConfigCertificate</code> objects via JMX. (markt)
-      </fix>
-      <fix>
-        <bug>60876</bug>: Ensure that <code>Set-Cookie</code> headers generated
-        by the <code>Rfc6265CookieProcessor</code> are aligned with the
-        specification. Patch provided by Jim Griswold. (markt)
-      </fix>
-      <fix>
-        <bug>60882</bug>: Fix a <code>NullPointerException</code> when obtaining
-        a <code>RequestDispatcher</code> for a request that will not have any
-        pathInfo associated with it. This was a regression in the changes in
-        9.0.0.M18 for the Servlet 4.0 API changes. (markt)
-      </fix>
-      <update>
-        Align <code>PushBuilder</code> API with changes from the Servlet expert
-        group. (markt)
-      </update>
-      <update>
-        Align web.xml parsing rules with changes from the Servlet expert group
-        for <code>&lt;request-character-encoding&gt;</code> and
-        <code>&lt;response-character-encoding&gt;</code>. (markt)
-      </update>
-      <scode>
-        Refactor the various implementations of X to comma separated list to a
-        single utility class and update the code to use the new utility class.
-        (markt)
-      </scode>
-      <fix>
-        <bug>60911</bug>: Ensure NPE will not be thrown when looking for SSL
-        session ID. Based on a patch by Didier Gutacker. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Add async based IO groundwork for HTTP/2. (remm)
-      </fix>
-      <fix>
-        Fix HTTP/2 incorrect input unblocking on EOF. (remm)
-      </fix>
-      <fix>
-        Close the connection sooner if an event occurs for a current connection
-        that is not consistent with the current state of that connection.
-        (markt)
-      </fix>
-      <fix>
-        Speed up shutdown when using multiple acceptor threads by ensuring that
-        the code that unlocks the acceptor threads correctly handles the case
-        where there are multiple threads. (markt)
-      </fix>
-      <fix>
-        <bug>60851</bug>: Add <code>application/xml</code> and
-        <code>application/json</code> to the default list of compressible MIME
-        types. Patch by Michael Osipov. (markt)
-      </fix>
-      <fix>
-        <bug>60852</bug>: Correctly spell compressible when used in
-        configuration attributes and internal code. Based on a patch by Michael
-        Osipov. (markt)
-      </fix>
-      <fix>
-        <bug>60900</bug>: Avoid a <code>NullPointerException</code> in the APR
-        Poller if a connection is closed at the same time as new data arrives on
-        that connection. (markt)
-      </fix>
-      <fix>
-        Improve HPACK specification compliance by fixing some test failures
-        reported by the h2spec tool written by Moto Ishizawa. (markt)
-      </fix>
-      <fix>
-        Improve HTTP/2 specification compliance by fixing some test failures
-        reported by the h2spec tool written by Moto Ishizawa. (markt)
-      </fix>
-      <fix>
-        <bug>60918</bug>: Fix sendfile processing error that could lead to
-        subsequent requests experiencing an <code>IllegalStateException</code>.
-        (markt)
-      </fix>
-      <fix>
-        Improve sendfile handling when requests are pipelined. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>60844</bug>: Correctly handle the error when fewer parameter values
-        than required by the method are used to invoke an EL method expression.
-        Patch provided by Daniel Gray. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        <bug>60764</bug>: Implement <code>equals()</code> and
-        <code>hashCode()</code> in the <code>StatementFacade</code> in order to
-        enable these methods to be called on the closed statements if any
-        statement proxy is set. This behavior can be changed with
-        <code>useStatementFacade</code> attribute. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Refactor the build script and the NSIS installer script so that either
-        NSIS 2.x or NSIS 3.x can be used to build the installer. This is
-        primarily to re-enable building the installer on the Linux based CI
-        system where the combination of NSIS 3.x and wine leads to failed
-        installer builds. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M18 (markt)" rtext="2017-03-13">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>60469</bug>: Refactor <code>RealmBase</code> for better code re-use
-        when implementing Realms that use a custom <code>Principal</code>.
-        (markt)
-      </fix>
-      <fix>
-        <bug>60490</bug>: Various formatting and layout improvements for the
-        <code>ErrorReportValve</code>. Patch provided by Michael Osipov. (markt)
-      </fix>
-      <fix>
-        <bug>60573</bug>: Remove the reason phrase when sending a
-        <code>100</code> response status for consistency with other response
-        status lines. Patch provided by Michael Osipov. (markt)
-      </fix>
-      <update>
-        <bug>60596</bug>: Improve performance of DefaultServlet when sendfile
-        feature is disabled on connector. (kkolinko)
-      </update>
-      <scode>
-        Make it easier for sub-classes of <code>Tomcat</code> to modify the
-        default web.xml settings by over-riding
-        <code>getDefaultWebXmlListener()</code>. Patch provided by Aaron
-        Anderson. (markt)
-      </scode>
-      <fix>
-        Reduce the contention in the default <code>InstanceManager</code>
-        implementation when multiple threads are managing objects and need to
-        reference the annotation cache. (markt)
-      </fix>
-      <fix>
-        <bug>60623</bug>: When startStopThreads is 1 (or a special value that
-        is equivalent to 1) then rather than using an
-        <code>ExecutorService</code> to start the children of the current
-        component, the children will be started on the current thread. (markt)
-      </fix>
-      <scode>
-        <bug>60674</bug>: Remove <code>final</code> marker from
-        <code>CorsFilter</code> to enable sub-classing. (markt)
-      </scode>
-      <fix>
-        <bug>60683</bug>: Security manager failure causing NPEs when doing IO
-        on some JVMs. (csutherl)
-      </fix>
-      <fix>
-        <bug>60688</bug>: Update the internal fork of Apache Commons BCEL to
-        r1782855 to add early access Java 9 support to the annotation scanning
-        code. (markt)
-      </fix>
-      <fix>
-        <bug>60694</bug>: Prevent NPE during authentication when no JASPIC
-        <code>AuthConfigFactory</code> is available. (markt)
-      </fix>
-      <fix>
-        <bug>60697</bug>: When HTTP TRACE requests are disabled on the
-        Connector, ensure that the HTTP OPTIONS response from custom servlets
-        does not include TRACE in the returned Allow header. (markt)
-      </fix>
-      <fix>
-        <bug>60718</bug>: Improve error handling for asynchronous processing and
-        correct a number of cases where the <code>requestDestroyed()</code>
-        event was not being fired and an entry wasn't being made in the access
-        logs. (markt)
-      </fix>
-      <fix>
-        <bug>60720</bug>: Replace "WWW-Authenticate" literal with static final
-        AUTH_HEADER_NAME in SpnegoAuthenticator. Patch provided by Michael
-        Osipov. (violetagg)
-      </fix>
-      <fix>
-        The default JASPIC <code>AuthConfigFactory</code> now correctly notifies
-        registered <code>RegistrationListener</code>s when a new
-        <code>AuthConfigProvider</code> is registered. (markt)
-      </fix>
-      <scode>
-        Improve the performance of <code>AuthenticatorBase</code> when there is
-        no JASPIC configuration available. (violetagg)
-      </scode>
-      <fix>
-        When HTTP TRACE requests are disabled on the Connector, ensure that the
-        HTTP OPTIONS response from the WebDAV servlet does not include
-        TRACE in the returned Allow header. (markt)
-      </fix>
-      <fix>
-        <bug>60722</bug>: Take account of the
-        <strong>dispatchersUseEncodedPaths</strong> setting on the current
-        <strong>Context</strong> when generating paths for dispatches triggered
-        by <code>AsyncContext.dispatch()</code>. (markt)
-      </fix>
-      <fix>
-        <bug>60728</bug>: Make the separator Tomcat uses in the Tomcat specific
-        <code>war:file:...</code> URL protocol customizable via a system
-        property. The separator is equivalent to the use of the <code>!</code>
-        character in <code>jar:file:...</code> URLs. The default separator of
-        <code>*</code> remains unchanged. (markt)
-      </fix>
-      <update>
-        Update the Servlet 4.0 API implementation to align with the latest
-        proposals from the Servlet 4.0 expert group. This includes updates to
-        the new Servlet mapping API, new methods on the
-        <code>ServletContext</code> to make the available API more equivalent to
-        the deployment descriptor, updates to the HTTP push API and the ability
-        to set default request and response character encoding per web
-        application. Note that the Servlet 4.0 API is still a work in progress
-        and further changes are likely. (markt)
-      </update>
-      <fix>
-        <bug>60798</bug>: Correct a bug in the handling of JARs in unpacked WARs
-        that meant multiple attempts to read the same entry from a JAR in
-        succession would fail for the second and subsequent attempts. (markt)
-      </fix>
-      <fix>
-        <bug>60808</bug>: Ensure that the <code>Map</code> returned by
-        <code>ServletRequest.getParameterMap()</code> is fully immutable. Based
-        on a patch provided by woosan. (markt)
-      </fix>
-      <fix>
-        <bug>60824</bug>: Correctly cache the <code>Subject</code> in the
-        session - if there is a session - when running under a
-        <code>SecurityManager</code>. Patch provided by Jan Engehausen. (markt)
-      </fix>
-      <fix>
-        Ensure request and response facades are used when firing application
-        listeners. (markt/remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Improve handling of case when an HTTP/2 client sends more data that is
-        subject to flow control than the current window size allows. (markt)
-      </fix>
-      <fix>
-        Improve NIO2 look-ahead parsing of TLS client hello for SNI with large
-        client hello messages. (markt)
-      </fix>
-      <add>
-        Enable ALPN and also, therefore, HTTP/2 for the NIO and NIO2 HTTP
-        connectors when using the JSSE implementation for TLS when running on
-        Java 9. (markt)
-      </add>
-      <fix>
-        Restore Java 9 direct byte buffer compatibility. (remm)
-      </fix>
-      <fix>
-        <bug>59807</bug>: Provide a better error message when there is no
-        <strong>SSLHostConfig</strong> defined with a <code>hostName</code> that
-        matches the <code>defaultSSLHostConfigName</code> for the associated
-        <strong>Connector</strong>. (markt)
-      </fix>
-      <fix>
-        <bug>60627</bug>: Modify the <code>Rfc6265CookieProcessor</code> so that
-        in addition to cookie headers that start with an explicit RFC 2109
-        <code>$Version=1</code>, cookies that start with <code>$Version=0</code>
-        are also parsed as RFC 2109 cookies. (markt)
-      </fix>
-      <fix>
-        Include the value of <code>SslHostConfig.truststoreAlgorithm</code> when
-        warning that the algorithm does not support the
-        <code>certificateVerificationDepth</code> configuration option. (markt)
-      </fix>
-      <fix>
-        Ensure that executor thread pools used with connectors pre-start the
-        configured minimum number of idle threads. (markt)
-      </fix>
-      <fix>
-        <bug>60716</bug>: Add a new JSSE specific attribute,
-        <code>revocationEnabled</code>, to <code>SSLHostConfig</code> to permit
-        JSSE provider revocation checks to be enabled when no
-        <code>certificateRevocationListFile</code> has been configured. The
-        expectation is that configuration will be performed via a JSSE provider
-        specific mechanisms. (markt)
-      </fix>
-      <fix>
-        Modify the cookie header generated by the
-        <code>Rfc6265CookieProcessor</code> so it always sends an
-        <code>Expires</code> attribute as well as a <code>Max-Age</code>
-        attribute to avoid problems with Microsoft browsers that do not support
-        the <code>Max-Age</code> attribute. (markt)
-      </fix>
-      <fix>
-        <bug>60761</bug>: Expose a protected getter and setter for
-        <code>NioEndpoint.stopLatch</code> to make the class easier to extend.
-        (markt)
-      </fix>
-      <fix>
-        Prevent blocking reads after a stream exception occurs with HTTP/2.
-        (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        Follow up to the fix for <bug>58178</bug>. When creating the
-        <code>ELContext</code> for a tag file, ensure that any registered
-        <code>ELContextListener</code>s are fired. (markt)
-      </fix>
-      <fix>
-        Refactor code generated for JSPs to reduce the size of the code required
-        for tags. (markt)
-      </fix>
-      <fix>
-        Improve the error handling for simple tags to ensure that the tag is
-        released and destroyed once used. (remm, violetagg)
-      </fix>
-      <fix>
-        <bug>60769</bug>: Correct a regression in the XML encoding detection
-        refactoring carried out for 9.0.0.M16 that incorrectly always used the
-        detected BOM encoding in preference to any encoding specified in the
-        prolog. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Cluster">
-    <changelog>
-      <add>
-        Make the <code>accessTimeout</code> configurable in
-        <code>BackupManager</code> and <code>ClusterSingleSignOn</code>. The
-        <code>accessTimeout</code> is used as a timeout period for PING in
-        replication map. (kfujino)
-      </add>
-      <fix>
-        <bug>60806</bug>: To avoid <code>ClassNotFoundException</code>, make
-        sure that the web application class loader is passed to
-        <code>ReplicatedContext</code>. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>60617</bug>: Correctly create a <code>CONNECT</code> request when
-        establishing a WebSocket connection via a proxy. Patch provided by
-        Svetlin Zarev. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <add>
-        Add log message that PING message has received beyond the timeout
-        period. (kfujino)
-      </add>
-      <fix>
-        When a PING message that beyond the time-out period has been received,
-        make sure that valid member is added to the map membership. (kfujino)
-      </fix>
-      <fix>
-        Ensure that <code>NoRpcChannelReply</code> messages are not received on
-        <code>RpcCallback</code>. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web Applications">
-    <changelog>
-      <fix>
-        Add Specification and Javadoc references for JASPIC to the Docs
-        application. (csutherl)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Spelling corrections provided by Josh Soref. (violetagg)
-      </fix>
-      <scode>
-        Remove local definition of web service annotations since these are
-        provided by the JRE. (markt)
-      </scode>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.12 to
-        pick up the latest Windows binaries built with OpenSSL 1.0.2k. (violetagg)
-      </update>
-      <add>
-        <bug>60784</bug>: Update all unit tests that test the HTTP status line
-        to check for the required space after the status code. Patch provided by
-        Michael Osipov. (markt)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M17 (markt)" rtext="2017-01-16">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        <bug>60620</bug>:
-        Extend the <code>JreMemoryLeakPreventionListener</code> to provide
-        protection against <code>ForkJoinPool.commonPool()</code> related memory
-        leaks. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Ensure UpgradeProcessor instances associated with closed connections are
-        removed from the map of current connections to Processors. (markt)
-      </fix>
-      <fix>
-        Remove a workaround for a problem previously reported with WebSocket,
-        TLS and APR that treated some error conditions as not errors. The
-        original problem cannot be reproduced with the current code and the
-        work-around is now causing problems. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>60497</bug>: Follow up fix using a better variable name for the
-        tag reuse flag. (remm)
-      </fix>
-      <fix>
-        Revert use of try/finally for simple tags. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        Prevent potential processing loop on unexpected WebSocket connection
-        closure. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <add>
-        Enable reset the statistics without restarting the pool. (kfujino)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Update the NSIS Installer used to build the Windows installer to version
-        3.01. (markt)
-      </update>
-      <fix>
-        Spelling corrections provided by Josh Soref. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M16 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        <bug>53602</bug>: Add HTTP status code 451 (RFC 7725) to the list of
-        HTTP status codes recognised by the ErrorReportValve. (markt)
-      </add>
-      <fix>
-        <bug>60446</bug>: Handle the case where the stored user credential uses
-        a different key length than the length currently configured for the
-        <code>CredentialHandler</code>. Based on a patch by Niklas Holm. (markt)
-      </fix>
-      <update>
-        Update the warnings that reference required options for running on Java
-        9 to use the latest syntax for those options. (markt)
-      </update>
-      <fix>
-        <bug>60513</bug>: Fix thread safety issue with RMI cleanup code. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Expand the search process for a server certificate when OpenSSL is used
-        with a JSSE connector and an explicit alias has not been configured.
-        (markt)
-      </fix>
-      <scode>
-        Extract the common Acceptor code from each Endpoint into a new Acceptor
-        class that is used by all Endpoints. (markt)
-      </scode>
-      <fix>
-        <bug>60450</bug>: Improve the selection algorithm for the default trust
-        store type for a TLS Virtual Host. In particular, don't use
-        <code>PKCS12</code> as a default trust store type. Better document how
-        the default trust store type is selected for a TLS virtual host. (markt)
-      </fix>
-      <fix>
-        <bug>60451</bug>: Correctly handle HTTP/2 header values that contain
-        characters with unicode code points in the range 128 to 255. Reject
-        with a clear error message HTTP/2 header values that contain characters
-        with unicode code points above 255. (markt)
-      </fix>
-      <fix>
-        Improve the logic that selects an address to use to unlock the Acceptor
-        to take account of platforms what do not listen on all local addresses
-        when configured with an address of <code>0.0.0.0</code> or
-        <code>::</code>. (markt)
-      </fix>
-      <fix>
-        Correct a regression in the refactoring to make wider use of
-        <code>ByteBuffer</code> that caused an intermittent failure in the unit
-        tests. (markt)
-      </fix>
-      <fix>
-        <bug>60482</bug>: HTTP/2 shouldn't do URL decoding on the query string.
-        (remm)
-      </fix>
-      <fix>
-        Fix an HTTP/2 compression error. Once a new size has been agreed for the
-        dynamic HPACK table, the next header block must begin with a dynamic
-        table update. (markt)
-      </fix>
-      <fix>
-        <bug>60508</bug>: Set request start time for HTTP/2. (remm)
-      </fix>
-      <fix>
-        The default output buffer size for AJP connectors is now based on the
-        configured AJP packet size rather than the minimum permitted AJP packet
-        size. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <update>
-        Implement a simpler JSP file encoding detector that delegates XML prolog
-        encoding detection to the JRE rather than using a custom XML parser.
-        (markt)
-      </update>
-      <fix>
-        <bug>60497</bug>: Restore previous tag reuse behavior following the use
-        of try/finally. (remm)
-      </fix>
-      <fix>
-        Improve the error handling for simple tags to ensure that the tag is
-        released and destroyed once used. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        Correctly handle blocking WebSocket writes when the write times out just
-        before the write is attempted. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web Applications">
-    <changelog>
-      <fix>
-        <bug>60344</bug>: Add a note to BUILDING.txt regarding using the source
-        bundle with the correct line endings. (markt)
-      </fix>
-      <fix>
-        <bug>60467</bug>: remove problematic characters from XML documentation.
-        Based upon a patch by Michael Osipov. (schultz)
-      </fix>
-      <add>
-        In the documentation web application, be explicit that clustering
-        requires a secure network for all of the cluster network traffic.
-        (markt)
-      </add>
-      <update>
-        Update the ASF logos to the new versions.
-      </update>
-      <fix>
-        <bug>60468</bug>: Correct the format of the sample ISO-8601 date used
-        to report the build date for the documentation. Patch provided by
-        Michael Osipov. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Update the ASF logos used in the Apache Tomcat installer for Windows to
-        use the new versions.
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M15 (markt)" rtext="2016-12-08">
-  <subsection name="Other">
-    <changelog>
-      <scode>
-        Increment version due a local build configuration error with 9.0.0.M14
-        that wasn't caught until after digital signing had been completed
-        Signing requires unique names so a new tag was required. (markt)
-      </scode>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M14 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <update>
-        <bug>60202</bug>: Add an available flag to realms, to indicate the
-        state, or the realm backend. Update lockout realm to only register
-        auth failures if the realm is available. (remm)
-      </update>
-      <fix>
-        <bug>60340</bug>: Readability improvements for CSS used in
-        DefaultServlet and ErrorReportValve. Patch provided by Michael
-        Osipov. (violetagg)
-      </fix>
-      <fix>
-        <bug>60351</bug>: Delay creating <code>META-INF/war-tracker</code> file
-        until after the WAR has been expanded to address the case where the
-        Tomcat process terminates during the expansion. (markt)
-      </fix>
-      <fix>
-        Correctly generate URLs for resources located inside JARs that are
-        themselves located inside a packed WAR file. (markt)
-      </fix>
-      <fix>
-        Correctly handle the <code>configClass</code> attribute of a Host when
-        embedding Tomcat. (markt)
-      </fix>
-      <update>
-        <bug>60368</bug>: Stop creating a default connector on start in
-        embedded mode. (remm)
-      </update>
-      <fix>
-        <bug>60379</bug>: Dispose of the GSS credential once it is no longer
-        required. Patch provided by Michael Osipov. (markt)
-      </fix>
-      <fix>
-        <bug>60380</bug>: Ensure that a call to
-        <code>HttpServletRequest#logout()</code> triggers a call to
-        <code>TomcatPrincipal#logout()</code>. Based on a patch by Michael
-        Osipov. (markt)
-      </fix>
-      <fix>
-        <bug>60381</bug>: Provide a standard <code>toString()</code>
-        implementation for components that implement <code>Contained</code>.
-        (markt)
-      </fix>
-      <fix>
-        <bug>60387</bug>: Correct the javadoc for
-        <code>o.a.catalina.AccessLog.setRequestAttributesEnabled</code>.
-        The default value is different for the different implementations.
-        (violetagg)
-      </fix>
-      <scode>
-        <bug>60393</bug>: Use consistent parameter naming in implementations of
-        <code>Realm#authenticate(GSSContext, boolean)</code>. (markt)
-      </scode>
-      <scode>
-        Refactor the <code>org.apache.naming</code> package to reduce duplicate
-        code. Duplicate code identified by the Simian tool. (markt)
-      </scode>
-      <scode>
-        Refactor the implementations of
-        <code>HttpServletRequest#getRequestURL()</code> to reduce duplicate
-        code. Duplicate code identified by the Simian tool. (markt)
-      </scode>
-      <scode>
-        Refactor Catalina interfaces to make wider use of the
-        <code>Contained</code> interface and reduce duplication. (markt)
-      </scode>
-      <scode>
-        Remove the <code>getName()</code> method from <code>RealmBase</code>
-        along with the various constants used by the sub-classes to store the
-        return value. (markt)
-      </scode>
-      <fix>
-        <bug>60395</bug>: Log when an <code>Authenticator</code> passes an
-        incomplete <code>GSSContext</code> to a Realm since it indicates a bug
-        in the <code>Authenticator</code>. Patch provided by Michael Osipov.
-        (markt)
-      </fix>
-      <fix>
-        <bug>60400</bug>: When expanding the buffer used for reading the
-        request body, ensure the read position will be restored to the
-        original one. (violetagg)
-      </fix>
-      <scode>
-        Refactor the MBean implementations for the internal Tomcat components
-        to reduce code duplication. (markt)
-      </scode>
-      <fix>
-        <bug>60410</bug>: Ensure that multiple calls to
-        <code>JarInputStreamWrapper#close()</code> do not incorrectly trigger
-        the closure of the underlying JAR or WAR file. (markt)
-      </fix>
-      <fix>
-        <bug>60411</bug>: Implement support in the <code>RewriteValve</code> for
-        symbolic names to specify the redirect code to use when returning a
-        redirect response to the user agent. Patch provided by Michael Osipov.
-        (markt)
-      </fix>
-      <fix>
-        <bug>60413</bug>: In the <code>RewriteValve</code> write empty capture
-        groups as the empty string rather than as <code>&quot;null&quot;</code>
-        when generating the re-written URL. Based on a patch by Michael Osipov.
-        (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        <bug>60372</bug>: Ensure the response headers' buffer limit is reset to
-        the capacity of this buffer when IOException occurs while writing the
-        headers to the socket. (violetagg)
-      </fix>
-      <fix>
-        Ensure that the availability of configured upgrade protocols that
-        require ALPN is correctly reported during Tomcat start. (markt)
-      </fix>
-      <fix>
-        <bug>60386</bug>: Implement a more sophisticated pruning algorithm for
-        removing closed streams from the priority tree to ensure that the tree
-        does not grow too large. (markt)
-      </fix>
-      <fix>
-        <bug>60409</bug>: When unable to complete sendfile request, ensure the
-        Processor will be added to the cache only once. (markt/violetagg)
-      </fix>
-      <fix>
-        Ensure that the endpoint is able to unlock the acceptor thread during
-        shutdown if the endpoint is configured to listen to any local address
-        of a specific type such as <code>0.0.0.0</code> or <code>::</code>.
-        (markt)
-      </fix>
-      <add>
-        Add a new configuration option, <code>ipv6v6only</code> to the APR
-        connectors that allows them to be configure to only accept IPv6
-        connections when configured with an IPv6 address rather than the
-        default which is to accept IPv4 connections as well if the operating
-        system uses a dual network stack. (markt)
-      </add>
-      <fix>
-        Improve the logic that unlocks the acceptor thread so a better choice is
-        made for the address to connect to when a connector is configured for
-        any local port. This reduces the likelihood of the unlock failing.
-        (markt)
-      </fix>
-      <fix>
-        <bug>60436</bug>: Avoid a potential NPE when processing async timeouts.
-        (markt)
-      </fix>
-      <fix>
-        Reduce the window in which an async request that has just started
-        processing on a container thread remains eligible for an async timeout.
-        (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>60431</bug>: Improve handling of varargs in UEL expressions. Based
-        on a patch by Ben Wolfe. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Correct a typo in Host Configuration Reference.
-        Issue reported via comments.apache.org. (violetagg)
-      </fix>
-      <fix>
-        <bug>60412</bug>: Add information on the comment syntax for the
-        <code>RewriteValve</code> configuration. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        Reduce the warning logs for a message received from a different domain
-        in order to avoid excessive log outputs. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>60437</bug>: Avoid possible handshake overflows in the websocket
-        client. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <add>
-        <bug>58816</bug>: Implement the statistics of jdbc-pool. The stats infos
-        are <code>borrowedCount</code>, <code>returnedCount</code>,
-        <code>createdCount</code>, <code>releasedCount</code>,
-        <code>reconnectedCount</code>, <code>releasedIdleCount</code> and
-        <code>removeAbandonedCount</code>. (kfujino)
-      </add>
-      <fix>
-        <bug>60194</bug>: If <code>validationQuery</code> is not specified,
-        connection validation is done by calling the <code>isValid()</code>
-        method. (kfujino)
-      </fix>
-      <fix>
-        <bug>60398</bug>: Fix testcase of <code>TestSlowQueryReport</code>.
-        (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Allow customization of service.bat, such as heap memory size, service
-        startup mode and JVM args. Patch provided by isapir via Github.
-        (violetagg)
-      </fix>
-      <fix>
-        <bug>60366</bug>: Change <code>catalina.bat</code> to use directly
-        <code>LOGGING_MANAGER</code> and <code>LOGGING_CONFIG</code> variables
-        in order to configure logging, instead of modifying
-        <code>JAVA_OPTS</code>. Patch provided by Petter Isberg. (violetagg)
-      </fix>
-      <fix>
-        <bug>60383</bug>: JASPIC API is added as a dependency to the
-        <code>org.apache.tomcat:tomcat-catalina</code> maven artifact.
-        (violetagg)
-      </fix>
-      <fix>
-        Update the comments associated with the TLS Connector examples in
-        <code>server.xml</code>. (markt)
-      </fix>
-      <add>
-        New property is added <code>test.verbose</code> in order to control
-        whether the output of the tests is displayed on the console or not.
-        Patch provided by Emmanuel Bourg. (violetagg)
-      </add>
-      <scode>
-        <code>TestOpenSSLCipherConfigurationParser.testSpecification</code>
-        - if there are test failures, provide more detailed information. Patch
-        provided by Emmanuel Bourg. (violetagg)
-      </scode>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M13 (markt)" rtext="2016-11-08">
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Check that threadPriority values used in AbstractProtocol are valid.
-        (fschumacher)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M12 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        When creating a new Connector via JMX, ensure that both HTTP/1.1 and
-        AJP/1.3 connectors can be created. (markt)
-      </fix>
-      <fix>
-        Reduce multiple error messages when Connector fails to instantiate the
-        associated ProtocolHandler. (markt)
-      </fix>
-      <fix>
-        <bug>60152</bug>: Provide an option for Connector Lifecycle exceptions
-        to be re-thrown rather than logged. This is controlled by the new
-        <code>throwOnFailure</code> attribute of the Connector. (markt)
-      </fix>
-      <fix>
-        Include the Context name in the log message when an item cannot be
-        added to the cache. (markt)
-      </fix>
-      <fix>
-        Exclude JAR files in <code>/WEB-INF/lib</code> from the static resource
-        cache. (markt)
-      </fix>
-      <fix>
-        When calling <code>getResourceAsStream()</code> on a directory, ensure
-        that <code>null</code> is returned. (markt)
-      </fix>
-      <fix>
-        <bug>60161</bug>: Allow creating subcategories of the container logger,
-        and use it for the rewrite valve. (remm)
-      </fix>
-      <fix>
-        Correctly test for control characters when reading the provided shutdown
-        password. (markt)
-      </fix>
-      <fix>
-        <bug>60297</bug>: Simplify connector creation in embedded mode. (remm)
-      </fix>
-      <fix>
-        Refactor creation of containers in embedded mode for more consistency
-        and flexibility. (remm)
-      </fix>
-      <add>
-        Log a warning if running on Java 9 with the ThreadLocal memory leak
-        detection enabled (the default) but without the command line option it
-        now requires. (markt)
-      </add>
-      <fix>
-        When a Connector is configured to use an executor, ensure that the
-        StoreConfig component includes the executor name when writing the
-        Connector configuration. (markt)
-      </fix>
-      <fix>
-        When configuring the JMX remote listener, specify the allowed types for
-        the credentials. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Correct the HPACK header table size configuration that transposed the
-        client and server table sizes when creating the encoder and decoder.
-        (markt)
-      </fix>
-      <scode>
-        Review HTTP/2 implementation removing unused code, reducing visibility
-        where possible and using final where appropriate. (markt)
-      </scode>
-      <fix>
-        Don't continue to process an HTTP/2 stream if it is reset during header
-        parsing. (markt)
-      </fix>
-      <fix>
-        HTTP/2 uses separate headers for each Cookie. As required by RFC 7540,
-        merge these into a single Cookie header before processing continues.
-        (markt)
-      </fix>
-      <fix>
-        Align the HTTP/2 implementation with the HTTP/1.1 implementation and
-        return a 500 response when an unhandled exception occurs during request
-        processing. (markt)
-      </fix>
-      <fix>
-        Correct the HTTP header parser so that DEL is not treated as a valid
-        token character. (markt)
-      </fix>
-      <add>
-        Add checks around the handling of HTTP/2 pseudo headers. (markt)
-      </add>
-      <add>
-        Add support for trailer headers to the HTTP/2 implementation. (markt)
-      </add>
-      <fix>
-        <bug>60232</bug>: When processing headers for an HTTP/2 stream, ensure
-        that the read buffer is large enough for the header being processed.
-        (markt)
-      </fix>
-      <add>
-        Add configuration options to the HTTP/2 implementation to control the
-        maximum number of headers allowed, the maximum size of headers allowed,
-        the maximum number of trailer headers allowed, the maximum size of
-        trailer headers allowed and the maximum number of cookies allowed.
-        (markt)
-      </add>
-      <fix>
-        Correctly differentiate between sending and receiving a reset frame when
-        tracking the state of an HTTP/2 stream. (markt)
-      </fix>
-      <scode>
-        Remove the undocumented support for using the old Connector attribute
-        names <code>backlog</code>, <code>soLinger</code> and
-        <code>soTimeout</code> that were renamed several major versions ago.
-        (markt)
-      </scode>
-      <fix>
-        <bug>60319</bug>: When using an Executor, disconnect it from the
-        Connector attributes <code>maxThreads</code>,
-        <code>minSpareThreads</code> and <code>threadPriority</code> to enable
-        the configuration settings to be consistently reported. These Connector
-        attributes will be reported as <code>-1</code> when an Executor is in
-        use. The values used by the executor may be set and obtained via the
-        Executor. (markt)
-      </fix>
-      <fix>
-        If an I/O error occurs during async processing on a non-container
-        thread, ensure that the <code>onError()</code> event is triggered.
-        (markt)
-      </fix>
-      <fix>
-        Improve detection of I/O errors during async processing on non-container
-        threads and trigger async error handling when they are detected. (markt)
-      </fix>
-      <add>
-        Add additional checks for valid characters to the HTTP request line
-        parsing so invalid request lines are rejected sooner. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <update>
-        Update to the Eclipse JDT Compiler 4.6.1. (markt)
-      </update>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <add>
-        Add HTTP/2 configuration information to the documentation web
-        application. (markt)
-      </add>
-      <fix>
-        Fix default value of <code>validationInterval</code> attribute in
-        jdbc-pool. (kfujino)
-      </fix>
-      <fix>
-        Correct a typo in CGI How-To.
-        Issue reported via comments.apache.org. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        When the proxy node sends a backup retrieve message, ensure that using
-        the <code>channelSendOptions</code> that has been set rather than the
-        default <code>channelSendOptions</code>. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <add>
-        Add the JASPIC API jar to the Maven Central publication script. (markt)
-      </add>
-      <fix>
-        Remove classes from tomcat-util-scan.jar that are duplicates of those in
-        tomcat-util.jar. (markt)
-      </fix>
-      <add>
-        Update the NSIS Installer used to build the Windows installer to version
-        3.0. (markt)
-      </add>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M11 (markt)" rtext="2016-10-10">
-  <subsection name="Catalina">
-    <changelog>
-      <add>
-        <bug>59961</bug>: Add an option to the <code>StandardJarScanner</code>
-        to control whether or not JAR Manifests are scanned for additional
-        class path entries. (markt)
-      </add>
-      <fix>
-        <bug>60013</bug>: Refactor the previous fix to align the behaviour of
-        the Rewrite Valve with mod_rewrite. As part of this, provide an
-        implementation for the <code>B</code> and <code>NE</code> flags and
-        improve the handling for the <code>QSA</code> flag. Includes multiple
-        test cases by Santhana Preethiand a patch by Tiago Oliveira. (markt)
-      </fix>
-      <fix>
-        <bug>60087</bug>: Refactor the web resources handling to use the Tomcat
-        specific <code>war:file:...</code> URL protocol to refer to WAR files
-        and their contents rather than the standard <code>jar:file:...</code>
-        form since some components of the JRE, such as JAR verification, give
-        unexpected results when the standard form is used. A side-effect of the
-        refactoring is that when using packed WARs, it is now possible to
-        reference a WAR and/or specific JARs within a WAR in the security policy
-        file used when running under a <code>SecurityManager</code>. (markt)
-      </fix>
-      <fix>
-        <bug>60116</bug>: Fix a problem with the rewrite valve that caused back
-        references evaluated in conditions to be forced to lower case when using
-        the <code>NC</code> flag. (markt)
-      </fix>
-      <fix>
-        Ensure <code>Digester.useContextClassLoader</code> is considered in
-        case the class loader is used. (violetagg)
-      </fix>
-      <fix>
-        <bug>60117</bug>: Ensure that the name of <code>LogLevel</code> is
-        localized when using <code>OneLineFormatter</code>. Patch provided by
-        Tatsuya Bessho. (kfujino)
-      </fix>
-      <fix>
-        <bug>60138</bug>: Fix the <code>SSLHostConfig</code> so that the
-        <code>protocols</code> attribute is limited to the protocols supported
-        by the current JSSE implementation rather than the default protocols
-        used by the implementation. (markt)
-      </fix>
-      <fix>
-        <bug>60146</bug>: Improve performance for resource retrieval by making
-        calls to WebResource.getInputStream() trigger caching if the resource is
-        small enough. Patch provided by mohitchugh. (markt)
-      </fix>
-      <add>
-        <bug>60151</bug>: Improve the exception error messages when a
-        <code>ResourceLink</code> fails to specify the type, specifies an
-        unknown type or specifies the wrong type. (markt)
-      </add>
-      <fix>
-        <bug>60167</bug>: Ignore empty lines in <code>/etc/passwd</code> files
-        when using the <code>PasswdUserDatabase</code>. (markt)
-      </fix>
-      <fix>
-        <bug>60170</bug>: Exclude the compressed test file
-        <code>index.html.br</code> from RAT analysis. Patch provided by Gavin
-        McDonald. (markt)
-      </fix>
-      <fix>
-        When starting web resources, ensure that class resources are only
-        started once. (markt)
-      </fix>
-      <fix>
-        Improve the access checks for linked global resources to handle the case
-        where the current class loader is a child of the web application class
-        loader. (markt)
-      </fix>
-      <fix>
-        <bug>60196</bug>: Ensure that the <code>isMandatory</code> flag is
-        correctly set when using JASPIC authentication. (markt)
-      </fix>
-      <fix>
-        <bug>60199</bug>: Log a warning if deserialization issues prevent a
-        session attribute from being loaded. (markt)
-      </fix>
-      <fix>
-        <bug>60208</bug>: When using RFC6265 compliant cookies, the
-        <code>/</code> character should not be allowed in a cookie name since
-        the RFC6265 will drop such cookies as invalid. (markt)
-      </fix>
-      <add>
-        Introduce new methods <code>read(ByteBuffer)</code>/
-        <code>write(ByteBuffer)</code> in
-        <code>o.a.catalina.connector.CoyoteInputStream</code>/
-        <code>o.a.catalina.connector.CoyoteOutputStream</code>. (violetagg)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <add>
-        Refactor the code that implements the requirement that a call to
-        <code>complete()</code> or <code>dispatch()</code> made from a
-        non-container thread before the container initiated thread that called
-        <code>startAsync()</code> completes must be delayed until the container
-        initiated thread has completed. Rather than implementing this by
-        blocking the non-container thread, extend the internal state machine to
-        track this. This removes the possibility that blocking the non-container
-        thread could trigger a deadlock. (markt)
-      </add>
-      <fix>
-        Fail earlier if the client closes the connection during SNI processing.
-        (markt)
-      </fix>
-      <fix>
-        <bug>60123</bug>: Avoid potential threading issues that could cause
-        excessively large values to be returned for the processing time of
-        a current request. (markt)
-      </fix>
-      <fix>
-        <bug>60174</bug>: Log instances of <code>HeadersTooLargeException</code>
-        during request processing. (markt)
-      </fix>
-      <fix>
-        <bug>60173</bug>: Allow up to 64kB HTTP/2 header table size limit. (remm)
-      </fix>
-      <fix>
-        Java 9 compatibility of direct ByteBuffer cleaner. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>60101</bug>: Remove preloading of the class that was deleted.
-        (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <add>
-        Expand the documentation for the nested elements within a
-        <code>Resources</code> element to clarify the behaviour of different
-        configuration options with respect to the order in which resources are
-        searched. (markt)
-      </add>
-      <add>
-        Add an example of using the <code>classesToInitialize</code> attribute
-        of the <code>JreMemoryLeakPreventionListener</code> to the documentation
-        web application. Based on a patch by Cris Berneburg. (markt)
-      </add>
-      <fix>
-        <bug>60192</bug>: Correct a typo in the status output of the Manager
-        application. Patch provided by  Radhakrishna Pemmasani. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        Notify jmx when returning the connection that has been marked suspect.
-        (kfujino)
-      </fix>
-      <fix>
-        Ensure that the <code>POOL_EMPTY</code> notification has been added to
-        the jmx notification types. (kfujino)
-      </fix>
-      <fix>
-        <bug>60099</bug>: Ensure that use all method arguments as a cache key
-        when using <code>StatementCache</code>. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Update the download location for Objenesis. (violetagg)
-      </fix>
-      <fix>
-        <bug>60164</bug>: Replace <code>log4j-core*.jar</code> with
-        <code>log4j-web*.jar</code> since it is <code>log4j-web*.jar</code> that
-        contains the <code>ServletContainerInitializer</code>. (markt)
-      </fix>
-      <add>
-        Add documentation to the bin/catalina.bat script to remind users that
-        environment variables don't affect the configuration of Tomcat when
-        run as a Windows Service. Based upon a documentation patch by
-        James H.H. Lampert. (schultz)
-      </add>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.10 to
-        pick up the latest Windows binaries built with OpenSSL 1.0.2j. (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M10 (markt)" rtext="2016-09-05">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>59813</bug>: Ensure that circular relations of the Class-Path
-        attribute from JAR manifests will be processed correctly. (violetagg)
-      </fix>
-      <fix>
-        Ensure that reading the <code>singleThreadModel</code> attribute of a
-        <code>StandardWrapper</code> via JMX does not trigger initialisation of
-        the associated servlet. With some frameworks this can trigger an
-        unexpected initialisation thread and if initialisation is not thread-safe
-        the initialisation can then fail. (markt)
-      </fix>
-      <fix>
-        Compatibility with rewrite from httpd for non existing headers.
-        (jfclere)
-      </fix>
-      <fix>
-        By default, treat paths used to obtain a request dispatcher as encoded.
-        This behaviour can be changed per web application via the
-        <code>dispatchersUseEncodedPaths</code> attribute of the Context.
-        (markt)
-      </fix>
-      <add>
-        Provide a mechanism that enables the container to check if a component
-        (typically a web application) has been granted a given permission when
-        running under a SecurityManager without the current execution stack
-        having to have passed through the component. Use this new mechanism to
-        extend SecurityManager protection to the system property replacement
-        feature of the digester. (markt)
-      </add>
-      <add>
-        When retrieving an object via a <code>ResourceLink</code>, ensure that
-        the object obtained is of the expected type. (markt)
-      </add>
-      <fix>
-        <bug>59823</bug>: Ensure that JASPIC configuration is taken into account
-        when calling <code>HttpServletRequest.authenticate()</code>. (markt)
-      </fix>
-      <fix>
-        <bug>59824</bug>: Mark the <code>RewriteValve</code> as supporting async
-        processing by default. (markt)
-      </fix>
-      <fix>
-        <bug>59839</bug>: Apply <code>roleSearchAsUser</code> to all nested
-        searches in JNDIRealm. (fschumacher)
-      </fix>
-      <fix>
-        <bug>59859</bug>: Fix resource leak in WebDAV servlet. Based on patch by
-        Coty Sutherland. (fschumacher)
-      </fix>
-      <fix>
-        <bug>59862</bug>: Allow nested jar files scanning to be filtered with
-        the system property
-        <code>tomcat.util.scan.StandardJarScanFilter.jarsToSkip</code>. Patch
-        is provided by Terence Bandoian. (violetagg)
-      </fix>
-      <fix>
-        <bug>59866</bug>: When scanning <code>WEB-INF/classes</code> for
-        annotations, don't scan the contents of
-        <code>WEB-INF/classes/META-INF</code> (if present) since classes will
-        never be loaded from that location. (markt)
-      </fix>
-      <fix>
-        <bug>59888</bug>: Correctly handle tabs and spaces in quoted version one
-        cookies when using the <code>Rfc6265CookieProcessor</code>. (markt)
-      </fix>
-      <fix>
-        A number of the JRE memory leaks addressed by the
-        <code>JreMemoryLeakPreventionListener</code> have been fixed in Java 9
-        so the associated protection is now disabled when running on Java 9
-        onwards. (markt)
-      </fix>
-      <fix>
-        <bug>59912</bug>: Fix an edge case in input stream handling where an
-        <code>IOException</code> could be thrown when reading a POST body.
-        (markt)
-      </fix>
-      <fix>
-        <bug>59913</bug>: Correct a regression introduced with the support for
-        the Servlet 4 <code>HttpServletRequest.getMapping()</code> API that
-        caused the attributes for forwarded requests to be lost if requested
-        from within a subsequent include. (markt)
-      </fix>
-      <fix>
-        <bug>59966</bug>: Do not start the web application if the error page
-        configuration in web.xml is invalid. (markt)
-      </fix>
-      <fix>
-        Switch the CGI servlet to the standard logging mechanism and remove
-        support for the debug attribute. (markt)
-      </fix>
-      <fix>
-        <bug>60012</bug>: Improvements in the log messages. Based on
-        suggestions by Nemo Chen. (violetagg)
-      </fix>
-      <fix>
-        Changes to the <code>allowLinking</code> attribute of a
-        <code>StandardRoot</code> instance now invalidate the cache if caching
-        is enabled. (markt)
-      </fix>
-      <add>
-        Add a new initialisation parameter, <code>envHttpHeaders</code>, to
-        the CGI Servlet to mitigate <a href="https://httpoxy.org">httpoxy</a>
-        (<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388"
-        >CVE-2016-5388</a>) by default and to provide a mechanism that can be
-        used to mitigate any future, similar issues. (markt)
-      </add>
-      <add>
-        When adding and removing <code>ResourceLink</code>s dynamically, ensure
-        that the global resource is only visible via the
-        <code>ResourceLinkFactory</code> when it is meant to be. (markt)
-      </add>
-      <fix>
-        <bug>60008</bug>: When processing CORs requests, treat any origin with a
-        URI scheme of <code>file</code> as a valid origin. (markt)
-      </fix>
-      <fix>
-        Improve handling of exceptions during a Lifecycle events triggered by a
-        state transition. The exception is now caught and the component is now
-        placed into the <code>FAILED</code> state. (markt)
-      </fix>
-      <fix>
-        <bug>60013</bug>: Fix encoding issues when using the RewriteValve with
-        UTF-8 query strings or UTF-8 redirect URLs. (markt)
-      </fix>
-      <fix>
-        <bug>60022</bug>: Improve handling when a WAR file and/or the associated
-        exploded directory are symlinked into the <code>appBase</code>. (markt)
-      </fix>
-      <fix>
-        Fix a file descriptor leak when reading the global web.xml. (markt)
-      </fix>
-      <fix>
-        Consistently decode URL patterns provided via web.xml using the encoding
-        of the web.xml file where specified or UTF-8 where no explicit encoding
-        is specified. (markt)
-      </fix>
-      <fix>
-        Make timing attacks against the Realm implementations harder. (schultz)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Correct a regression in refactoring to enable injection of custom
-        keystores that broke the automatic conversion of OpenSSL style PEM
-        key and certificate files for use with JSSE TLS connectors. (markt)
-      </fix>
-      <fix>
-        <bug>59910</bug>: Don't hardcode key alias value to "tomcat" for JSSE.
-        When using a keystore, OpenSSL will still default to it. (remm)
-      </fix>
-      <fix>
-        <bug>59904</bug>: Add a limit (default 200) for the number of cookies
-        allowed per request. Based on a patch by gehui. (markt)
-      </fix>
-      <fix>
-        <bug>59925</bug>: Correct regression in r1628368 and ensure that HTTP
-        separators are handled as configured in the
-        <code>LegacyCookieProcessor</code>. Patch provided by Kyohei Nakamura.
-        (markt)
-      </fix>
-      <fix>
-        <bug>59950</bug>: Correct log message when reporting that the current
-        number of HTTP/2 streams for a connection could not be pruned to below
-        the limit. (markt)
-      </fix>
-      <fix>
-        Ensure that <code>Semaphore.release</code> is called in all cases. Even
-        when there is an exception. (violetagg)
-      </fix>
-      <fix>
-        <bug>60030</bug>: Correct a potential infinite loop in the SNI parsing
-        code triggered by failing to handle an end of stream condition. (markt)
-      </fix>
-      <fix>
-        Refactor the JSSE client certificate validation so that the
-        effectiveness of the <code>certificateVerificationDepth</code>
-        configuration attribute does not depend on the presence of a certificate
-        revocation list. (markt)
-      </fix>
-      <fix>
-        Small logging optimization in the <code>Rfc6265CookieProcessor</code>.
-        Patch provided by Svetlin Zarev. (markt)
-      </fix>
-      <fix>
-        OpenSSL now disables 3DES by default so reflect this when using OpenSSL
-        syntax to select ciphers. (markt)
-      </fix>
-      <fix>
-        Use the proper ERROR socket status code for async errors with NIO2.
-        (remm)
-      </fix>
-      <fix>
-        <bug>60035</bug>: Fix a potential connection leak if the client drops a
-        TLS connection before the handshake completes. (markt)
-      </fix>
-      <add>
-        Log a warning at start up if a JSSE TLS connector is configured with
-        a trusted certificate that is either not yet valid or has expired.
-        (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        When writing out a full web.xml file with JspC ensure that the encoding
-        used in the XML prolog matches the encoding used to write the contents
-        of the file. (markt)
-      </fix>
-      <fix>
-        Improve the error handling for custom tags to ensure that the tag is
-        returned to the pool or released and destroyed once used. (markt)
-      </fix>
-      <fix>
-        <bug>60032</bug>: Fix handling of method calls that use varargs within
-        EL value expressions. (markt)
-      </fix>
-      <fix>
-        Ignore <code>engineOptionsClass</code> and <code>scratchdir</code> when
-        running under a security manager. (markt)
-      </fix>
-      <fix>
-        Fixed StringIndexOutOfBoundsException. Based on a patch provided by
-        wuwen via Github. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>59908</bug>: Ensure that a reason phrase is included in the close
-        message if a session is closed due to a timeout. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        <bug>59867</bug>: Correct the documentation provided by Manager's
-        403.jsp. (violetagg)
-      </fix>
-      <fix>
-        <bug>59868</bug>: Clarify the documentation for the Manager web
-        application to make clearer that the host name and IP address in the
-        server section are the primary host name and IP address. (markt)
-      </fix>
-      <fix>
-        <bug>59940</bug>: Correct the name of the
-        <code>truststorePassword</code> attribute of the
-        <code>SSLHostConfig</code> element in the configuration documentation.
-        (markt)
-      </fix>
-      <fix>
-        MBeans Descriptors How-To is moved to
-        <code>mbeans-descriptors-howto.html</code>. Patch provided by Radoslav
-        Husar. (violetagg)
-      </fix>
-      <fix>
-        Update NIO Connector configuration documentation with an information
-        about <code>socket.directSslBuffer</code>. (violetagg)
-      </fix>
-      <fix>
-        <bug>60034</bug>: Correct a typo in the Manager How-To page of the
-        documentation web application. (markt)
-      </fix>
-      <fix>
-        Correct the name of the CRL location configuration attributes in the
-        documentation web application. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        In order to avoid the unintended skip of <code>PoolCleaner</code>,
-        remove the check code of the execution interval in the task that has
-        been scheduled. (kfujino)
-      </fix>
-      <fix>
-        <bug>59850</bug>: Ensure that the <code>ResultSet</code> is closed when
-        enabling the <code>StatementCache</code> interceptor. (kfujino)
-      </fix>
-      <fix>
-        <bug>59923</bug>: Reduce the default value of
-        <code>validationInterval</code> in order to avoid the potential issue
-        that continues to return an invalid connection after database restart.
-        (kfujino)
-      </fix>
-      <fix>
-        Ensure that the <code>ResultSet</code> is returned as Proxy object when
-        enabling the <code>StatementDecoratorInterceptor</code>. (kfujino)
-      </fix>
-      <fix>
-        <bug>60043</bug>: Ensure that the <code>suspectTimeout</code> works
-        without removing connection when the <code>removeAbandoned</code> is
-        disabled. (kfujino)
-      </fix>
-      <fix>
-        Add log message of when returning the connection that has been marked
-        suspect. (kfujino)
-      </fix>
-      <fix>
-        Correct Javadoc for <code>ConnectionPool.suspect()</code>. Based on a
-        patch by Yahya Cahyadi. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <add>
-        <bug>59871</bug>: Add a property (<code>timeFormat</code>) to
-        JULI&apos;s <code>OneLineFormatter</code> to enable the format of the
-        time stamp used in log messages to be configured. (markt)
-      </add>
-      <fix>
-        <bug>59899</bug>: Update Tomcat&apos;s copy of the Java Persistence
-        annotations to include the changes made in 2.1 / JavaEE 7. (markt)
-      </fix>
-      <fix>
-        Fixed typos in mbeans-descriptors.xml files. (violetagg)
-      </fix>
-      <update>
-        Update the internal fork of Commons BCEL to r1757132 to align with the
-        BCEL 6 release. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons DBCP 2 to r1757164 to pick up a
-        couple of bug fixes. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons Codec to r1757174. Code formatting
-        changes only. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons FileUpload to afdedc9. This pulls in
-        a fix to improve the performance with large multipart boundaries.
-        (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M9 (markt)" rtext="2016-07-12">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>18500</bug>: Add limited support for wildcard host names and host
-        aliases. Names of the form <code>*.domainname</code> are now permitted.
-        Note that an exact host name match takes precedence over a wild card
-        host name match. (markt)
-      </fix>
-      <fix>
-        <bug>57705</bug>: Add debug logging for requests denied by the remote
-        host and remote address valves and filters. Based on a patch by Graham
-        Leggett. (markt)
-      </fix>
-      <fix>
-        Correct a regression in the fix for <bug>58588</bug> that removed the
-        entire <code>org.apache.juli</code> package from the embedded JARs
-        rendering them unusable. (markt)
-      </fix>
-      <add>
-        <bug>59399</bug>: Add a new option to the Realm implementations that
-        ship with Tomcat that allows the HTTP status code used for HTTP -> HTTPS
-        redirects to be controlled per Realm. (markt)
-      </add>
-      <fix>
-        <bug>59708</bug>: Modify the LockOutRealm logic. Valid authentication
-        attempts during the lock out period will no longer reset the lock out
-        timer to zero. (markt)
-      </fix>
-      <update>
-        Change the default of the
-        <code>sessionCookiePathUsesTrailingSlash</code> attribute of the
-        <code>Context</code> element to <code>false</code> since the problems
-        caused when a Servlet is mapped to <code>/*</code> are more significant
-        than the security risk of not enabling this option by default. (markt)
-      </update>
-      <fix>
-        Follow-up to <bug>59655</bug>. Improve the documentation for configuring
-        permitted cookie names. Patch provided by Kyohei Nakamura. (markt)
-      </fix>
-      <fix>
-        Do not attempt to start web resources during a web application's
-        initialisation phase since the web application is not fully configured
-        at that point and the web resources may not be correctly configured.
-        (markt)
-      </fix>
-      <fix>
-        Improve error handling around user code prior to calling
-        <code>InstanceManager.destroy()</code> to ensure that the method is
-        executed. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Fix a cause of multiple attempts to close the same socket. (markt)
-      </fix>
-      <scode>
-        Refactor the certificate keystore and trust store generation to make it
-        easier for embedded users to inject their own key stores. (markt)
-      </scode>
-      <update>
-        Add a <code>maxConcurrentStreamExecution</code> on the HTTP/2
-        protocol handler to allow restricting the amount of concurrent stream
-        that are being executed in a single connection. The default is to
-        not limit it. (remm)
-      </update>
-      <add>
-        <bug>59233</bug>: Add the ability to add TLS virtual hosts dynamically.
-        (markt)
-      </add>
-      <fix>
-        Correct a problem with <code>ServletRequest.getServerPort()</code> for
-        secure HTTP/2 connections that meant an incorrect value was returned when
-        using the default port. (markt)
-      </fix>
-      <fix>
-        Improve error handling around user code prior to calling
-        <code>InstanceManager.destroy()</code> to ensure that the method is
-        executed. (markt)
-      </fix>
-      <fix>
-        Document the default for the HTTP/2 configuration parameter
-        <code>maxConcurrentStreamExecution</code> as 20. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        Improve error handling around user code prior to calling
-        <code>InstanceManager.destroy()</code> to ensure that the method is
-        executed. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <scode>
-        Now the WebSocket implementation is not built directly on top of the
-        Servlet API and can use Tomcat internals, there is no need for the
-        dedicated WebSocket Executor. It has been replaced by the use of the
-        Connector/Endpoint provided Executor. (markt)
-      </scode>
-      <fix>
-        Improve error handling around user code prior to calling
-        <code>InstanceManager.destroy()</code> to ensure that the method is
-        executed. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web Applications">
-    <changelog>
-      <fix>
-        Do not log an additional case of <code>IOException</code>s in the
-        error handler for the Drawboard WebSocket example when the root cause is
-        the client disconnecting since the logs add no value. (markt)
-      </fix>
-      <fix>
-        <bug>59642</bug>: Mention the <code>localDataSource</code> in the
-        <code>DataSourceRealm</code> section of the Realm How-To. (markt)
-      </fix>
-      <fix>
-        <bug>59672</bug>: Update the security considerations page of the
-        documentation web application to take account of the fact that the
-        Manager and HostManager applications now have a
-        <code>RemoteAddrValve</code> configured by default. (markt)
-      </fix>
-      <fix>
-        Follow-up to the fix for <bug>59399</bug>. Ensure that the new attribute
-        <code>transportGuaranteeRedirectStatus</code> is documented for all
-        <strong>Realm</strong>s. Also document the <code>NullRealm</code> and
-        when it is automatically created for an <strong>Engine</strong>. (markt)
-      </fix>
-      <fix>
-        Fix the description of <code>maxAge</code> attribute in jdbc-pool doc.
-        This attribute works both when a connection is returned and when a
-        connection is borrowed. (kfujino)
-      </fix>
-      <fix>
-        <bug>59774</bug>: Correct the <code>prefix</code> values in the
-        documented examples for configuring the <code>AccessLogValve</code>.
-        Patch provided by Mike Noordermeer. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <add>
-        Add log message when the ping has timed-out. (kfujino)
-      </add>
-      <fix>
-        If the ping message has been received at the
-        <code>AbstractReplicatedMap#leftOver</code> method, ensure that notify
-        the member is alive than ignore it. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        Fix the duplicated connection release when connection verification
-        failed. (kfujino)
-      </fix>
-      <fix>
-        Ensure that do not remove the abandoned connection that has been already
-        released. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        Remove JULI plus log4j extras and embedded artifacts from Maven release
-        script. (markt)
-      </fix>
-      <add>
-        Use the mirror network rather than the ASF master site to download the
-        current ASF dependencies. (markt)
-      </add>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.8 to
-        pick up the latest fixes and make 1.2.8 the minimum recommended version.
-        (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M8 (markt)" rtext="2016-06-13">
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Remove accidentally committed debug code. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M7 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        RMI Target related memory leaks are avoidable which makes them an
-        application bug that needs to be fixed rather than a JRE bug to work
-        around. Therefore, start logging RMI Target related memory leaks on web
-        application stop. Add an option that controls if the check for these
-        leaks is made. Log a warning if running on Java 9 with this check
-        enabled but without the command line option it requires. (markt)
-      </fix>
-      <fix>
-        Ensure NPE will not be thrown during deployment when scanning jar files
-        without MANIFEST.MF file. (violetagg)
-      </fix>
-      <scode>
-        Remove the <code>clearReferencesStatic</code> option from
-        <code>StandardContext</code>. It was known to cause problems with some
-        libraries (such as log4j) and was only linked to suspected memory leaks
-        rather than known memory leaks. It had been disabled by default with no
-        increase in the reports of memory leaks for some time. (markt)
-      </scode>
-      <fix>
-        <bug>59604</bug>: Correct the assumption made in the URL decoding that
-        the default platform encoding is always compatible with ISO-8859-1. This
-        assumption is not always valid, e.g. on z/OS. (markt)
-      </fix>
-      <fix>
-        <bug>59608</bug>: Skip over any invalid <code>Class-Path</code> attribute
-        from JAR manifests. Log errors at debug level due to many bad libraries.
-        (remm)
-      </fix>
-      <fix>
-        Fix error message when failed to register MBean. (kfujino)
-      </fix>
-      <fix>
-        <bug>59655</bug>: Configure the cookie name validation to use RFC6265
-        rules by default to align it with the default cookie parser. Document
-        the impact system properties have on cookie name validation. (mark)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Ensure that requests with HTTP method names that are not tokens (as
-        required by RFC 7231) are rejected with a 400 response. (markt)
-      </fix>
-      <fix>
-        When an asynchronous request is processed by the AJP connector, ensure
-        that request processing has fully completed before starting the next
-        request. (markt)
-      </fix>
-      <fix>
-        Improve handling of HTTP/2 stream resets. (markt)
-      </fix>
-      <add>
-        <bug>58750</bug>: The HTTP Server header is no longer set by default. A
-        Server header may be configured by setting the <code>server</code>
-        attribute on the <code>Connector</code>. A new <code>Connector</code>
-        attribute, <code>serverRemoveAppProvidedValues</code> may be used to
-        remove any Server header set by a web application. (markt)
-      </add>
-      <fix>
-        <bug>59564</bug>: Correct offset when reading into HTTP/2 input buffer
-        that could cause problems reading request bodies. (violetagg/markt)
-      </fix>
-      <fix>
-        Modify the handling of read/write timeouts so that the appropriate error
-        handling (<code>ReadListener.onError()</code>,
-        <code>WriteListener.onError()</code> or
-        <code>AsyncListener.onError()</code>) is called. (markt)
-      </fix>
-      <fix>
-       If an async dispatch results in the completion of request processing,
-       ensure that any remaining request body is swallowed before starting the
-       processing of the next request else the remaining body may be read as the
-       start of the next request leading to a 400 response. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>59567</bug>: Fix NPE scanning webapps for TLDs when an exploded
-        JAR has an empty WEB-INF/classes/META-INF folder. (remm)
-      </fix>
-      <fix>
-        Fix a memory leak in the expression language implementation that caused
-        the class loader of the first web application to use expressions to be
-        pinned in memory. (markt)
-      </fix>
-      <fix>
-        <bug>59654</bug>: Improve error message when attempting to use a TLD
-        file from an invalid location. Patch provided by Huxing Zhang. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>59659</bug>: Fix possible memory leak in WebSocket handling of
-        unexpected client disconnects. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        <bug>58891</bug>: Update the SSL How-To. Based on a suggestion by
-        Alexander Kjäll. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Extras">
-    <changelog>
-      <scode>
-        <bug>58588</bug>: Remove the JULI extras package from the distribution.
-        It was only useful for switching Tomcat's internal logging to log4j
-        1.2.x and that version of log4j is no longer supported. No additional
-        Tomcat code is required if switching Tomcat's internal logging to log
-        via log4j 2.x. (markt)
-      </scode>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        Fix a memory leak with the pool cleaner thread that retained a reference
-        to the web application class loader for the first web application to use
-        a connection pool. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Update the internal fork of Commons DBCP 2 to r1743696 (2.1.1 plus
-        additional fixes). (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons Pool 2 to r1743697 (2.4.2 plus
-        additional fixes). (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons File Upload to r1743698 (1.3.1 plus
-        additional fixes). (markt)
-      </update>
-      <scode>
-        Use UTF-8 with a standard prolog for all XML files. (markt)
-      </scode>
-      <fix>
-        <bug>58626</bug>: Add support for a new environment variable
-        (<code>USE_NOHUP</code>) that causes <code>nohup</code> to be used when
-        starting Tomcat. It is disabled by default except on HP-UX where it is
-        enabled by default since it is required when starting Tomcat at boot on
-        HP-UX. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M6 (markt)" rtext="2016-05-16">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Ensure that annotated web components packed in web fragments will be
-        processed when <code>unpackWARs</code> is enabled. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M5 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        <bug>48922</bug>: Apply a very small performance improvement to the
-        date formatting in Tomcat's internal request object. Based on a patch
-        provided by Ondrej Medek. (markt)
-      </fix>
-      <fix>
-        <bug>59206</bug>: Ensure NPE will not be thrown by
-        <code>o.a.tomcat.util.file.ConfigFileLoader</code> when
-        <code>catalina.base</code> is not specified. (violetagg)
-      </fix>
-      <fix>
-        <bug>59217</bug>: Remove duplication in the recycling of the path in
-        <code>o.a.tomcat.util.http.ServerCookie</code>. Patch is provided by
-        Kyohei Nakamura. (violetagg)
-      </fix>
-      <fix>
-        Fixed possible NPE in
-        <code>o.a.catalina.loader.WebappClassLoaderBase.getResourceAsStream</code>
-        (violetagg)
-      </fix>
-      <fix>
-        <bug>59213</bug>: Async dispatches should be based off a wrapped
-        request. (remm)
-      </fix>
-      <fix>
-        Ensure that <code>javax.servlet.ServletRequest</code> and
-        <code>javax.servlet.ServletResponse</code> provided during
-        <code>javax.servlet.AsyncListener</code> registration are made
-        available via <code>javax.servlet.AsyncEvent.getSuppliedRequest</code>
-        and <code>javax.servlet.AsyncEvent.getSuppliedResponse</code>
-        (violetagg)
-      </fix>
-      <fix>
-        <bug>59219</bug>: Ensure <code>AsyncListener.onError()</code> is called
-        if an <code>Exception</code> is thrown during async processing. (markt)
-      </fix>
-      <fix>
-        <bug>59220</bug>: Ensure that <code>AsyncListener.onComplete()</code> is
-        called if the async request times out and the response is already
-        committed. (markt)
-      </fix>
-      <fix>
-        <bug>59226</bug>: Process the <code>Class-Path</code> attribute from
-        JAR manifests for JARs on the class path excluding JARs packaged in
-        <code>WEB-INF/lib</code>. (markt)
-      </fix>
-      <fix>
-        <bug>59255</bug>: Fix possible NPE in mapper. (kkolinko/remm)
-      </fix>
-      <fix>
-        <bug>59256</bug>: <code>slf4j-taglib*.jar</code> should not be excluded
-        from the standard JAR scanning by default. (violetagg)
-      </fix>
-      <fix>
-        Clarify the log message that specifying both urlPatterns and value
-        attributes in @WebServlet and @WebFilter annotations is not allowed.
-        (violetagg)
-      </fix>
-      <fix>
-        Ensure the exceptions caused by Valves will be available in the log
-        files so that they can be evaluated when
-        <code>o.a.catalina.valves.ErrorReportValve.showReport</code> is
-        disabled. Patch is provided by Svetlin Zarev. (violetagg)
-      </fix>
-      <fix>
-        Remove unused <code>distributable</code> attribute that is defined as
-        <code>TransientAttribute</code> of <code>Manager</code> in StoreConfig.
-        (kfujino)
-      </fix>
-      <fix>
-        Fix handling of Cluster Receiver in StoreConfig. The <code>bind</code>
-        and <code>host</code> attributes define as
-        <code>TransientAttribute</code>. (kfujino)
-      </fix>
-      <fix>
-        <bug>59261</bug>: <code>ServletRequest.getAsyncContext()</code> now
-        throws an <code>IllegalStateException</code> as required by the Servlet
-        specification if the request is not in asynchronous mode when called.
-        (markt)
-      </fix>
-      <fix>
-        <bug>59269</bug>: Correct the implementation of
-        <code>PersistentManagerBase</code> so that <code>minIdleSwap</code>
-        functions as designed and sessions are swapped out to keep the active
-        session count below <code>maxActiveSessions</code>. (markt)
-      </fix>
-      <update>
-        Update the implementation of the proposed Servlet 4.0 API to provide
-        mapping type information for the current request to reflect discussions
-        within the EG. (markt)
-      </update>
-      <fix>
-        Correctly configure the base path for a resources directory provided by
-        an expanded JAR file. Patch provided by hengyunabc. (markt)
-      </fix>
-      <add>
-        When multiple compressed formats are available and the client does not
-        express a preference, use the server order to determine the preferred
-        format. Based on a patch by gmokki. (markt)
-      </add>
-      <fix>
-        <bug>59284</bug>: Allow the Tomcat provided JASPIC
-        <code>SimpleServerAuthConfig</code> to pick up module configuration
-        properties from either the property set passed to its constructor or
-        from the properties passed in the call to <code>getAuthContext</code>.
-        Based on a patch by Thomas Maslen. (markt)
-      </fix>
-      <fix>
-        <bug>59310</bug>: Do not add a <code>Content-Length: 0</code> header for
-        custom responses to <code>HEAD</code> requests that do not set a
-        <code>Content-Length</code> value. (markt)
-      </fix>
-      <fix>
-        When normalizing paths, improve the handling when paths end with
-        <code>/.</code> or <code>/..</code> and ensure that input and output are
-        consistent with respect to whether or not they end with <code>/</code>.
-        (markt)
-      </fix>
-      <fix>
-        <bug>59317</bug>: Ensure that
-        <code>HttpServletRequest.getRequestURI()</code> returns an encoded URI
-        rather than a decoded URI after a dispatch. (markt)
-      </fix>
-      <fix>
-        Use the correct URL for the fragment when reporting errors processing
-        a <code>web-fragment.xml</code> file from a JAR located in an unpacked
-        WAR. (markt)
-      </fix>
-      <fix>
-        Ensure that <code>JarScanner</code> only uses the explicit call-back to
-        process <code>WEB-INF/classes</code> and only when configured to treat
-        the contents of <code>WEB-INF/classes</code> as a possible exploded JAR.
-        (markt)
-      </fix>
-      <scode>
-        Remove the <code>java2DDisposerProtection</code> option from the
-        <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in Java
-        7 onwards and Tomcat 9 requires Java 8 so the option is unnecessary.
-        (markt)
-      </scode>
-      <scode>
-        Remove the <code>securityPolicyProtection</code> option from the
-        <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in Java
-        8 onwards and Tomcat 9 requires Java 8 so the option is unnecessary.
-        (markt)
-      </scode>
-      <scode>
-        Remove the <code>securityLoginConfigurationProtection</code> option from
-        the <code>JreMemoryLeakPreventionListener</code>. The leak is fixed in
-        Java 8 onwards and Tomcat 9 requires Java 8 so the option is
-        unnecessary. (markt)
-      </scode>
-      <fix>
-        Ensure that the value for the header <code>X-Frame-Options</code> is
-        constructed correctly according to the specification when
-        <code>ALLOW-FROM</code> option is used. (violetagg)
-      </fix>
-      <fix>
-        Fix an <code>IllegalArgumentException</code> if the first use of an
-        internal <code>Response</code> object requires JASPIC authentication.
-        (markt)
-      </fix>
-      <fix>
-        Do not trigger unnecessary session ID changes when using JASPIC and the
-        user is authenticated using cached credentials. (markt)
-      </fix>
-      <fix>
-        <bug>59437</bug>: Ensure that the JASPIC <code>CallbackHandler</code> is
-        thread-safe. (markt)
-      </fix>
-      <fix>
-        <bug>59449</bug>: In <code>ContainerBase</code>, ensure that the process
-        to remove a child container is the reverse of the process to add one.
-        Patch provided by Huxing Zhang. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Improves OpenSSL engine robustness when SSL allocation fails for
-        some reason. (remm)
-      </fix>
-      <fix>
-        OpenSSL engine code cleanups. (remm)
-      </fix>
-      <fix>
-        Align cipher configuration parsing with current OpenSSL master. (markt)
-      </fix>
-      <update>
-        Change the default for <code>honorCipherOrder</code> to
-        <code>false</code>. With the current default TLS configuration, it is no
-        longer necessary for this to be <code>true</code> for a reasonably
-        secure configuration. (markt)
-      </update>
-      <add>
-        Add a new environment variable <code>JSSE_OPTS</code> that is intended
-        to be used to pass JVM wide configuration to the JSSE implementation.
-        The default value is <code>-Djdk.tls.ephemeralDHKeySize=2048</code>
-        which protects against weak Diffie-Hellman keys. (markt)
-      </add>
-      <fix>
-        <bug>58970</bug>: Fix a connection counting bug in the NIO connector
-        that meant some dropped connections were not removed from the current
-        connection count. (markt)
-      </fix>
-      <fix>
-        <bug>59289</bug>: Do not recycle upgrade processors in unexpected close
-        situations. (remm)
-      </fix>
-      <fix>
-        <bug>59295</bug>: Use <code>Locale.toLanguageTag()</code> to construct
-        the <code>Content-Language</code> HTTP header to ensure the locale is
-        correctly represented. Patch provided by zikfat. (markt)
-      </fix>
-      <update>
-        <bug>59295</bug>: Add support for using pem encoded certificates with
-        JSSE SSL. Submitted by Emmanuel Bourg with additional tweaks. (remm)
-      </update>
-      <fix>
-        Make the TLS certificate chain available to clients when using
-        JSSE+OpenSSL with the certificate chain stored in a Java KeyStore.
-        (markt)
-      </fix>
-      <fix>
-        Work around <a href="https://github.com/openssl/openssl/issues/188">a
-        known issue in OpenSSL</a> that does not permit the TLS handshake to be
-        failed if the ALPN negotiation fails. (markt)
-      </fix>
-      <update>
-        <bug>59421</bug>: Add direct HTTP/2 connection support. (remm)
-      </update>
-      <fix>
-        Correctly handle a call to <code>AsyncContext.complete()</code> from a
-        non-container thread when non-blocking I/O is being used. (markt)
-      </fix>
-      <fix>
-        <bug>59451</bug>: Correct Javadoc for <code>MessageBytes</code>. Patch
-        provided by Kyohei Nakamura. (markt)
-      </fix>
-      <fix>
-        <bug>59450</bug>: Correctly handle the case where the
-        <code>LegacyCookieProcessor</code> is configured with
-        <code>allowHttpSepsInV0</code> set to <code>false</code> and
-        <code>forwardSlashIsSeparator</code> set to <code>true</code>. Patch
-        provided by Kyohei Nakamura. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        When scanning JARs for TLDs, correctly handle the (rare) case where a
-        JAR has been exploded into <code>WEB-INF/classes</code> and the web
-        application is deployed as a packed WAR. (markt)
-      </fix>
-      <fix>
-        <bug>59640</bug>: NPEs with not found TLDs. (remm)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        <bug>59189</bug>: Explicitly release the native memory held by the
-        <code>Inflater</code> and <code>Deflater</code> when using
-        PerMessageDeflate and the WebSocket session ends. Based on a patch by
-        Henrik Olsson. (markt)
-      </fix>
-      <fix>
-        Restore the <code>WsServerContainer.doUpgrade()</code> method which was
-        accidentally removed since it is not used by Tomcat. (markt)
-      </fix>
-      <fix>
-        Fix a regression caused by the connector refactoring and ensure that the
-        thread context class loader is set to the web application
-        classloader when processing WebSocket messages on the server. (markt)
-      </fix>
-      <fix>
-        Ensure that a client disconnection triggers the error handling for the
-        associated WebSocket end point. (markt)
-      </fix>
-      <add>
-        Make WebSocket client more robust when handling errors during the close
-        of a WebSocket session. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        <bug>59218</bug>: Correct the path to <code>jaspic-providers.xml</code>
-        in Jaspic How-To. Patch is provided by Tatsuya Bessho. (violetagg)
-      </fix>
-      <fix>
-        Remove button that has accidentally been added to the host manager.
-        Submitted by Coty Sutherland. (remm)
-      </fix>
-      <fix>
-        Update in the documentation the link to the maven repository where
-        Tomcat snapshot artifacts are deployed. (markt/violetagg)
-      </fix>
-      <fix>
-        Clarify in the documentation that calls to
-        <code>ServletContext.log(String, Throwable)</code> or
-        <code>GenericServlet.log(String, Throwable)</code> are logged at the
-        SEVERE level. (violetagg)
-      </fix>
-      <fix>
-        Correct a typo in SSL/TLS Configuration How-To.
-        Issue reported via comments.apache.org. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        Avoid NPE when a proxy node failed to retrieve a backup entry. (kfujino)
-      </fix>
-      <add>
-        Add the flag indicating that member is a localMember. (kfujino)
-      </add>
-      <fix>
-        Fix potential NPE that depends on the setting order of attributes of
-        static member when using the static cluster. (kfujino)
-      </fix>
-      <add>
-        Add get/set method for the channel that is related to
-        <code>ChannelInterceptor</code>. (kfujino)
-      </add>
-      <fix>
-        As with the multicast cluster environment, in the static cluster
-        environment, the local member inherits properties from the cluster
-        receiver. (kfujino)
-      </fix>
-      <add>
-        Add get/set method for the channel that is related to each Channel
-        services. (kfujino)
-      </add>
-      <add>
-        Add name to channel in order to identify channels. In tomcat cluster
-        environment, it is set the cluster name + "-Channel" as default value.
-        (kfujino)
-      </add>
-      <add>
-        Add the channel name to the thread which is invoked by channel services
-        in order to identify the associated channel. (kfujino)
-      </add>
-      <fix>
-        Ensure that clear the channel instance from channel services when
-        stopping channel. (kfujino)
-      </fix>
-      <add>
-        Implement map state in the replication map. (kfujino)
-      </add>
-      <fix>
-        Ensure that the ping is not executed during the start/stop of the
-        replication map. (kfujino)
-      </fix>
-      <fix>
-        In ping processing in the replication map, send not the
-        <code>INIT</code> message but the newly introduced <code>PING</code>
-        message. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        <bug>59211</bug>: Add hamcrest to Eclipse classpath. Patch is provided
-        by Huxing Zhang. (violetagg)
-      </fix>
-      <update>
-        <bug>59276</bug>: Update optional Checkstyle library to 6.17.
-        (kkolinko)
-      </update>
-      <update>
-        <bug>59280</bug>: Update the NSIS Installer used to build the
-        Windows Installers to version 2.51. (kkolinko)
-      </update>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.7 to
-        pick up the Windows binaries that are based on OpenSSL 1.0.2h and APR
-        1.5.2. (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M4 (markt)" rtext="2016-03-16">
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Ensure that <code>/WEB-INF/classes</code> is never processed as a web
-        fragment. (markt)
-      </fix>
-      <update>
-        Switch default connector when native is installed. Unless configured
-        otherwise, the NIO endpoint will be used by default. If SSL is
-        configured, OpenSSL will be used rather than JSSE. (remm)
-      </update>
-      <fix>
-        Correct a regression in the fix for <bug>58867</bug>. When configuring a
-        Context to use an external directory for the <code>docBase</code>, and
-        that directory happens to be located along side the original WAR, use
-        the directory as the <code>docBase</code> rather than expanding the
-        WAR into the <code>appBase</code> and using the newly created expanded
-        directory as the <code>docBase</code>. (markt)
-      </fix>
-      <add>
-        <bug>58351</bug>: Make the server build date and server version number
-        accessible via JMX. Patch provided by  Huxing Zhang. (markt)
-      </add>
-      <add>
-        <bug>58988</bug>: Special characters in the substitutions for the
-        RewriteValve can now be quoted with a backslash. (fschumacher)
-      </add>
-      <fix>
-        <bug>58999</bug>: Fix class and resource name filtering in
-        WebappClassLoader. It throws a StringIndexOutOfBoundsException if the
-        name is exactly "org" or "javax". (rjung)
-      </fix>
-      <add>
-        Add JASPIC (JSR-196) support. (markt)
-      </add>
-      <add>
-        Make checking for var and map replacement in RewriteValve a bit stricter
-        and correct detection of colon in var replacement. (fschumacher)
-      </add>
-      <fix>
-        Refactor the web application class loader to reduce the impact of JAR
-        scanning on the memory footprint of the web application. (markt)
-      </fix>
-      <fix>
-        Fix some resource leaks in the error handling for accessing files from
-        JARs and WARs. (markt)
-      </fix>
-      <fix>
-        Refactor the JAR and JAR-in-WAR resource handling to reduce the memory
-        footprint of the web application. (markt)
-      </fix>
-      <fix>
-        Refactor the web.xml parsing so a new parser is created every time the
-        web application starts rather than creating and caching the parser when
-        the Context is created. This enables the parser to take account of
-        modified Context configuration parameters and reduces (slightly) the
-        memory footprint of a running Tomcat instance. (markt)
-      </fix>
-      <update>
-        Switch the web application class loader to the
-        <code>ParallelWebappClassLoader</code> by default. (markt)
-      </update>
-      <fix>
-        <bug>57809</bug>: Remove the custom context attribute that held the
-        effective web.xml. Components needing access to configuration
-        information may access it via the Servlet API. (markt)
-      </fix>
-      <fix>
-        Refactor JAR scanning to reduce memory footprint. (markt)
-      </fix>
-      <fix>
-        <bug>59001</bug>: Correctly handle the case when Tomcat is installed on
-        a path where one of the segments ends in an exclamation mark. (markt)
-      </fix>
-      <fix>
-        Expand the fix for <bug>59001</bug> to cover the special sequences used
-        in Tomcat&apos;s custom jar:war: URLs. (markt)
-      </fix>
-      <fix>
-        <bug>59043</bug>: Avoid warning while expiring sessions associated with
-        a single sign on if <code>HttpServletRequest.logout()</code> is used.
-        (markt)
-      </fix>
-      <fix>
-        <bug>59054</bug>: Ensure that using the
-        <code>CrawlerSessionManagerValve</code> in a distributed environment
-        does not trigger an error when the Valve registers itself in the
-        session. (markt)
-      </fix>
-      <fix>
-        Add socket properties support to storeconfig. (remm)
-      </fix>
-      <fix>
-        Fix incorrect parsing of the NE and NC flags in rewrite rules. (remm)
-      </fix>
-      <fix>
-        <bug>59065</bug>: Correct the timing of the check for colons in paths
-        on non-Windows systems implemented in <code>catalina.sh</code> so it
-        works correctly with Cygwin. Patch provided by Ed Randall. (markt)
-      </fix>
-      <fix>
-        When a Host is configured with an appBase that does not exist, create
-        the appBase before trying to expand an external WAR file into it.
-        (markt)
-      </fix>
-      <fix>
-       <bug>59115</bug>: When using the Servlet 3.0 file upload, the submitted
-       file name may be provided as a token or a quoted-string. If a
-       quoted-string, unquote the string before returning it to the user.
-       (markt)
-      </fix>
-      <fix>
-        <bug>59123</bug>: Close <code>NamingEnumeration</code> objects used by
-        the <code>JNDIRealm</code> once they are no longer required.
-        (fschumacher/markt)
-      </fix>
-      <add>
-        Implement the proposed Servlet 4.0 API to provide mapping type
-        information for the current request. (markt)
-      </add>
-      <fix>
-        <bug>59138</bug>: Correct a false positive warning for ThreadLocal
-        related memory leaks when the key class but not the value class has been
-        loaded by the web application class loader. (markt)
-      </fix>
-      <add>
-        <bug>59017</bug>: Make the pre-compressed file support in the Default
-        Servlet generic so any compression may be used rather than just gzip.
-        Patch provided by Mikko Tiihonen. (markt)
-      </add>
-      <fix>
-        <bug>59145</bug>: Don't log an invalid warning when a user logs out of
-        a session associated with SSO. (markt)
-      </fix>
-      <fix>
-        <bug>59150</bug>: Add an additional flag on APR listener to allow
-        disabling automatic use of OpenSSL. (remm)
-      </fix>
-      <fix>
-        <bug>59151</bug>: Fix a regression in the fix for <bug>56917</bug> that
-        added additional (and arguably unnecessary) validation to the provided
-        redirect location. (markt)
-      </fix>
-      <fix>
-        <bug>59154</bug>: Fix a <code>NullPointerException</code> in the
-        <code>JAASMemoryLoginModule</code> resulting from the introduction of
-        the <code>CredentialHandler</code> to <code>Realm</code>s.
-        (schultz/markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Handle the case in the NIO2 connector where the required TLS buffer
-        sizes increase after the connection has been initiated. (markt/remm)
-      </fix>
-      <fix>
-        Bad processing of handshake errors in NIO2. (remm)
-      </fix>
-      <fix>
-        Use JSSE session configuration options with OpenSSL. (remm)
-      </fix>
-      <fix>
-        <bug>59015</bug>: Fix potential cause of endless APR Poller loop during
-        shutdown if the Poller experiences an error during the shutdown process.
-        (markt)
-      </fix>
-      <fix>
-        Align cipher aliases for <code>kECDHE</code> and <code>ECDHE</code> with
-        the current OpenSSL implementation. (markt)
-      </fix>
-      <fix>
-        <bug>59081</bug>: Retain the user defined cipher order when defining
-        ciphers. (markt)
-      </fix>
-      <fix>
-        <bug>59089</bug>: Correctly ignore HTTP headers that include non-token
-        characters in the header name. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <update>
-        Update to the Eclipse JDT Compiler 4.5.1. (markt)
-      </update>
-      <fix>
-        <bug>57583</bug>: Improve the performance of
-        <code>javax.servlet.jsp.el.ScopedAttributeELResolver</code> when
-        resolving attributes that do not exist. This improvement only works when
-        Jasper is used with Tomcat's EL implementation. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <fix>
-        Fix a timing issue on session close that could result in an exception
-        being thrown for an incomplete message even through the message was
-        completed. (markt)
-      </fix>
-      <fix>
-        Correctly handle compression of partial messages when the final message
-        fragment has a zero length payload. (markt)
-      </fix>
-      <fix>
-        <bug>59119</bug>: Correct read logic for WebSocket client when using
-        secure connections. (markt)
-      </fix>
-      <fix>
-        <bug>59134</bug>: Correct client connect logic for secure connections
-        made through a proxy. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web applications">
-    <changelog>
-      <fix>
-        Correct an error in the documentation of the expected behaviour for
-        automatic deployment. If a WAR is updated and an expanded directory is
-        present, the directory will always be deleted and recreated by expanding
-        the WAR if <code>unpackWARs</code> is <code>true</code>. (markt)
-      </fix>
-      <fix>
-        <bug>48674</bug>: Implement an option within the Host Manager web
-        application to persist the current configuration. Based on a patch by
-        Coty Sutherland. (markt)
-      </fix>
-      <fix>
-        <bug>58935</bug>: Remove incorrect references in the documentation to
-        using <code>jar:file:</code> URLs with the Manager application. (markt)
-      </fix>
-      <fix>
-        Correct the description of the
-        <code>ServletRequest.getServerPort()</code> in Proxy How-To.
-        Issue reported via comments.apache.org. (violetagg)
-      </fix>
-      <add>
-        The Manager and Host Manager applications are now only accessible via
-        <code>localhost</code> by default. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        If promoting a proxy node to a primary node when getting a session,
-        notify the change of the new primary node to the original backup node.
-        (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <fix>
-        <bug>58283</bug>: Change the default download location for libraries
-        during the build process from <code>/usr/share/java</code> to
-        <code>${user.home}/temp</code>. Patch provided by Ahmed Hosni. (markt)
-      </fix>
-      <fix>
-        <bug>59031</bug>: When using the Windows uninstaller, do not remove the
-        contents of any directories that have been symlinked into the Tomcat
-        directory structure. (markt)
-      </fix>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.5 to
-        pick up the Windows binaries that are based on OpenSSL 1.0.2g and APR
-        1.5.1. (markt)
-      </update>
-      <update>
-        Modify the default <code>tomcat-users.xml</code> file to make it harder
-        for users to configure the entries intended for use with the examples
-        web application for the Manager application. (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M3 (markt)" rtext="2016-02-05">
-  <subsection name="General">
-    <changelog>
-      <add>
-        Allow to configure multiple JUnit test class patterns with the build
-        property <code>test.name</code> and document the property in
-        BUILDING.txt. (rjung)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Catalina">
-    <changelog>
-      <fix>
-        Protect initialization of <code>ResourceLinkFactory</code> when
-        running with a SecurityManager. (kkolinko)
-      </fix>
-      <fix>
-        Correct a thread safety issue in the filtering of session attributes
-        based on the implementing class name of the value object. (markt)
-      </fix>
-      <fix>
-        Fix class loader decision on the delegation for class loading and
-        resource lookup and make it faster too. (rjung)
-      </fix>
-      <fix>
-        <bug>58768</bug>: Log a warning if a redirect fails because of an
-        invalid location. (markt)
-      </fix>
-      <scode>
-        <bug>58827</bug>: Remove remains of JSR-77 implementation. (markt)
-      </scode>
-      <fix>
-        <bug>58946</bug>: Ensure that the request parameter map remains
-        immutable when processing via a RequestDispatcher. (markt)
-      </fix>
-      <fix>
-        <bug>58905</bug>: Ensure that <code>Tomcat.silence()</code> silences the
-        correct logger and respects the current setting. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        Correct a regression in the connector refactoring in 9.0.0.M2 that broke
-        TLS support for the APR/native connector. (remm)
-      </fix>
-      <fix>
-        Correct an NPE when listing the enabled ciphers (e.g. via the Manager
-        web application) for a TLS enabled APR/native connector. (markt)
-      </fix>
-      <add>
-        New configuration option <code>ajpFlush</code> for the AJP connectors
-        to disable the sending of AJP flush packets. (rjung)
-      </add>
-      <fix>
-        Handle the case in the NIO connector where the required TLS buffer sizes
-        increase after the connection has been initiated. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M2 (markt)" rtext="not released">
-  <subsection name="Catalina">
-    <changelog>
-      <scode>
-        Refactor creation of <code>MapperListener</code> to ensure that the
-        <code>Mapper</code> used is the <code>Mapper</code> associated with the
-        <code>Service</code> for which the listener was created. (markt)
-      </scode>
-      <add>
-        Move the functionality that provides redirects for context roots and
-        directories where a trailing <code>/</code> is added from the Mapper to
-        the <code>DefaultServlet</code>. This enables such requests to be
-        processed by any configured Valves and Filters before the redirect is
-        made. This behaviour is configurable via the
-        <code>mapperContextRootRedirectEnabled</code> and
-        <code>mapperDirectoryRedirectEnabled</code> attributes of the Context
-        which may be used to restore the previous behaviour. (markt)
-      </add>
-      <scode>
-        Refactor <code>Service.getContainer()</code> to return an
-        <code>Engine</code> rather than a <code>Container</code>. (markt)
-      </scode>
-      <fix>
-        <bug>34319</bug>: Only load those keys in <code>StoreBase.processExpire</code>
-        from JDBCStore, that are old enough, to be expired. Based on a patch
-        by Tom Anderson. (fschumacher)
-      </fix>
-      <add>
-        <bug>56917</bug>: As per RFC7231 (HTTP/1.1), allow HTTP/1.1 and later
-        redirects to use relative URIs. This is controlled by a new attribute
-        <code>useRelativeRedirects</code> on the <strong>Context</strong> and
-        defaults to <code>true</code>. (markt)
-      </add>
-      <fix>
-        <bug>58629</bug>: Allow an embedded Tomcat instance to start when the
-        <code>Service</code> has no <code>Engine</code> configured. (markt)
-      </fix>
-      <fix>
-        Correctly notify the MapperListener associated with a Service if the
-        Engine for that Service is changed. (markt)
-      </fix>
-      <add>
-        Make a web application's CredentialHandler available through a context
-        attribute. This allows a web application to use the same algorithm
-        for validating or generating new stored credentials from cleartext
-        ones. (schultz)
-      </add>
-      <fix>
-        <bug>58635</bug>: Enable break points to be set within agent code when
-        running Tomcat with a Java agent. Based on a patch by Huxing Zhang.
-        (markt)
-      </fix>
-      <fix>
-        Fixed potential NPE in <code>HostConfig</code> while deploying an
-        application. Issue reported by coverity scan. (violetagg)
-      </fix>
-      <fix>
-        <bug>58655</bug>: Fix an <code> IllegalStateException</code> when
-        calling <code>HttpServletResponse.sendRedirect()</code> with the
-        <code>RemoteIpFilter</code>. This was caused by trying to correctly
-        generate the absolute URI for the redirect. With the fix for
-        <bug>56917</bug>, redirects may now be relative making the
-        <code>sendRedirect()</code> implementation for the
-        <code>RemoteIpFilter</code> much simpler. This also addresses issues
-        where the redirect may not have behaved as expected when redirecting
-        from http to https to from https to http. (markt)
-      </fix>
-      <fix>
-        <bug>58657</bug>: Exceptions in a Servlet 3.1 <code>ReadListener</code>
-        or <code>WriteListener</code> do not need to be immediately fatal to the
-        connection. Allow an error response to be written. (markt)
-      </fix>
-      <fix>
-        Correct implementation of
-        <code>validateClientProvidedNewSessionId</code> so client provided
-        session IDs may be rejected if validation is enabled. (markt)
-      </fix>
-      <fix>
-        <bug>58701</bug>: Reset the <code>instanceInitialized</code> field in
-        <code>StandardWrapper</code> when unloading a Servlet so that a new
-        instance may be correctly initialized. (markt)
-      </fix>
-      <update>
-        Add a new flag <code>aprPreferred</code> to the Apr listener. if set to
-        <code>false</code>, when using the connector defaults, it will use
-        NIO + OpenSSL if tomcat-native is available, rather than the APR
-        connector. (remm)
-      </update>
-      <fix>
-        Add path parameter handling to
-        <code>HttpServletRequest.getContextPath()</code>. This is a follow-up to
-        the fix for <bug>57215</bug>. (markt)
-      </fix>
-      <fix>
-        <bug>58692</bug>: Make <code>StandardJarScanner</code> more robust. Log
-        a warning if a class path entry cannot be scanned rather than triggering
-        the failure of the web application. Includes a test case written by
-         Derek Abdine. (markt)
-      </fix>
-      <fix>
-        <bug>58702</bug>: Ensure an access log entry is generated if the client
-        aborts the connection. (markt)
-      </fix>
-      <fix>
-        Fixed various issues reported by Findbugs. (violetagg)
-      </fix>
-      <fix>
-        <bug>58735</bug>: Add support for the <code>X-XSS-Protection</code>
-        header to the <code>HttpHeaderSecurityFilter</code>. Patch provided by
-        Jacopo Cappellato. (markt)
-      </fix>
-      <fix>
-        Add the <code>StatusManagerServlet</code> to the list of Servlets that
-        can only be loaded by privileged applications. (markt)
-      </fix>
-      <fix>
-        Simplify code and fix messages in
-        <code>org.apache.catalina.core.DefaultInstanceManager</code> class.
-        (kkolinko)
-      </fix>
-      <fix>
-        <bug>58751</bug>: Correctly handle the case where an
-        <code>AsyncListener</code> dispatches to a Servlet on an asynchronous
-        timeout and the Servlet uses <code>sendError()</code> to trigger an
-        error page. Includes a test case based on code provided by Andy
-        Wilkinson.(markt)
-      </fix>
-      <fix>
-        Ensure that the proper file encoding if specified will be used when
-        a readme file is served by DefaultServlet. (violetagg)
-      </fix>
-      <fix>
-        Fix declaration of <code>localPort</code> attribute of Connector MBean:
-        it is read-only. (kkolinko)
-      </fix>
-      <fix>
-        <bug>58766</bug>: Make skipping non-class files during annotation
-        scanning faster by checking the file name first. Improve debug logging.
-        (kkolinko)
-      </fix>
-      <fix>
-        <bug>58836</bug>: Correctly merge query string parameters when
-        processing a forwarded request where the target includes a query string
-        that contains a parameter with no value. (markt/kkolinko)
-      </fix>
-      <fix>
-        Make sure that shared Digester is reset in an unlikely error case
-        in <code>HostConfig.deployWAR()</code>. (kkolinko)
-      </fix>
-      <add>
-        Extend the feature available in the cluster session manager
-        implementations that enables session attribute replication to be
-        filtered based on attribute name to all session manager implementations.
-        Note that configuration attribute name has changed from
-        <code>sessionAttributeFilter</code> to
-        <code>sessionAttributeNameFilter</code>. Apply the filter on load as
-        well as unload to ensure that configuration changes made while the web
-        application is stopped are applied to any persisted data. (markt)
-      </add>
-      <add>
-        Extend the session attribute filtering options to include filtering
-        based on the implementation class of the value and optional
-        <code>WARN</code> level logging if an attribute is filtered. These
-        options are available for all of the Manager implementations that ship
-        with Tomcat. When a <code>SecurityManager</code> is used filtering will
-        be enabled by default. (markt)
-      </add>
-      <scode>
-        Remove <code>distributable</code> and <code>maxInactiveInterval</code>
-        from the <code>Manager</code> interface because the attributes are never
-        used. The equivalent attributes from the <code>Context</code> always
-        take precedence. (markt)
-      </scode>
-      <fix>
-        <bug>58867</bug>: Improve checking on Host start for WAR files that have
-        been modified while Tomcat has stopped and re-expand them if
-        <code>unpackWARs</code> is <code>true</code>. (markt)
-      </fix>
-      <fix>
-        <bug>58900</bug>: Correctly undeploy symlinked resources and prevent an
-        infinite cycle of deploy / undeploy. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <fix>
-        <bug>58621</bug>: The certificate chain cannot be set using the main
-        certificate attribute, so restore the certificate chain property. (remm)
-      </fix>
-      <fix>
-        Allow a new SSL config type where a connector can use either JSSE or
-        OpenSSL. Both could be allowed, but it would likely create support
-        issues. This type is used by the OpenSSL implementation for NIOx. (remm)
-      </fix>
-      <fix>
-        Improve upgrade context classloader handling by using Context.bind and
-        unbind. (remm)
-      </fix>
-      <add>
-        Improve OpenSSL keystore/truststore configuration by using the code
-        from the JSSE implementation. (remm, jfclere)
-      </add>
-      <fix>
-        Fix a potential loop when a client drops the connection unexpectedly.
-        (markt)
-      </fix>
-      <add>
-        OpenSSL renegotiation support for client certificate authentication.
-        (remm)
-      </add>
-      <fix>
-        Fix NIO connector renegotiation. (remm)
-      </fix>
-      <fix>
-        <bug>58659</bug>: Fix a potential deadlock during HTTP/2 processing when
-        the connection window size is limited. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Jasper">
-    <changelog>
-      <fix>
-        <bug>57136#c25</bug>: Change default value of
-        <code>quoteAttributeEL</code> setting in Jasper to be <code>true</code>
-        for better compatibility with other implementations and older versions
-        of Tomcat. Add command line option <code>-no-quoteAttributeEL</code> in
-        JspC. (kkolinko)
-      </fix>
-      <fix>
-        Fix handling of missing messages in
-        <code>org.apache.el.util.MessageFactory</code>. (violetagg)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Cluster">
-    <changelog>
-      <fix>
-        Enable an explicit configuration of local member in the static cluster
-        membership. (kfujino)
-      </fix>
-      <fix>
-        Fix potential integer overflow in <code>DeltaSession</code>.
-        Reported by coverity scan. (fschumacher)
-      </fix>
-      <fix>
-        In order to avoid that the heartbeat thread and the background thread to
-        run <code>Channel.heartbeat</code> simultaneously, if
-        <code>heartbeatBackgroundEnabled</code> of <code>SimpleTcpCluster</code>
-        set to <code>true</code>, ensure that the heartbeat thread does not
-        start. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="WebSocket">
-    <changelog>
-      <add>
-        <bug>55006</bug>: The WebSocket client now honors the
-        <code>java.net.java.net.ProxySelector</code> configuration (using the
-        HTTP type) when establishing WebSocket connections to servers. Based on
-        a patch by Niki Dokovski. (markt)
-      </add>
-      <fix>
-        <bug>58624</bug>: Correct a potential deadlock if the WebSocket
-        connection is closed when a message write is in progress. (markt)
-      </fix>
-      <fix>
-        <bug>57489</bug>: Ensure <code>onClose()</code> is called when a
-        WebSocket connection is closed even if the sending of the close message
-        fails. Includes test cases by Barry Coughlan. (markt)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Web Applications">
-    <changelog>
-      <fix>
-        <bug>58631</bug>: Correct the continuation character use in the Windows
-        Service How-To page of the documentation web application. (markt)
-      </fix>
-      <fix>
-        Correct the SSL documentation for deprecated attributes to point to the
-        correct, new location for attributes related to individual certificates.
-        (markt)
-      </fix>
-      <fix>
-        Correct some typos in the JNDI resources How-To. (markt)
-      </fix>
-      <fix>
-        Don't create session unnecessarily in the Manager application. (markt)
-      </fix>
-      <fix>
-        Don't create session unnecessarily in the Host Manager application.
-        (markt)
-      </fix>
-      <fix>
-        <bug>58723</bug>: Clarify documentation and error messages for the text
-        interface of the manager to make clear that version must be used with
-        path when referencing contexts deployed using parallel deployment.
-        (markt)
-      </fix>
-      <add>
-        Document <code>test.threads</code> option in BUILDING.txt. (kkolinko)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        Ensure that the static member is registered to the add suspect list even
-        if the static member that is registered to the remove suspect list has
-        disappeared. (kfujino)
-      </fix>
-      <fix>
-        When using a static cluster, add the members that have been cached in
-        the membership service to the map members list in order to ensure that
-        the map member is a static member. (kfujino)
-      </fix>
-      <fix>
-        Add support for the startup notification of local members in the static
-        cluster. (kfujino)
-      </fix>
-      <fix>
-        Ignore the unnecessary member remove operation from different domain.
-        (kfujino)
-      </fix>
-      <fix>
-        Add support for the shutdown notification of local members in the static
-        cluster. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="jdbc-pool">
-    <changelog>
-      <fix>
-        Correct evaluation of system property
-        <code>org.apache.tomcat.jdbc.pool.onlyAttemptCurrentClassLoader</code>.
-        It was basically ignored before. Reported by coverity scan. (fschumacher)
-      </fix>
-      <fix>
-        Fix potential integer overflow in <code>ConnectionPool</code> and
-        <code>PooledConnection</code>. Reported by coverity scan. (fschumacher)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <update>
-        Update optional Checkstyle library to 6.14.1. (kkolinko)
-      </update>
-      <update>
-        Update the packaged version of the Tomcat Native Library to 1.2.4 to
-        pick up the Windows binaries that are based on OpenSSL 1.0.2e and APR
-        1.5.1. (markt)
-      </update>
-      <update>
-        Update the NSIS Installer used to build the Windows Installers to
-        version 2.50. (markt/kkolinko)
-      </update>
-      <update>
-        Update the internal fork of Commons BCEL to r1725718 to align with the
-        refactoring for BCEL 6, the next major BCEL release. (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons DBCP 2 to r1725730 (2.1.1 plus
-        additional fixes). (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons Pool 2 to r1725738 (2.4.2 plus
-        additional fixes). (markt)
-      </update>
-      <update>
-        Update the internal fork of Commons Codec to r1725746 (1.9 plus
-        additional fixes). (markt)
-      </update>
-    </changelog>
-  </subsection>
-</section>
-<section name="Tomcat 9.0.0.M1 (markt)" rtext="2015-11-17">
-  <subsection name="General">
-    <changelog>
-      <add>
-        Make Java 8 the minimum required version to build and run Tomcat 9.
-        (markt)
-      </add>
-      <update>
-        Remove support for Comet. (markt)
-      </update>
-      <update>
-        Tighten up the default file permissions for the <code>.tar.gz</code>
-        distribution so no files or directories are world readable by default.
-        Configure Tomcat to run with a default umask of <code>0027</code> which
-        may be overridden by setting <code>UMASK</code> in
-        <code>setenv.sh</code>. (markt)
-      </update>
-      <update>
-        Remove native code (Windows Service Wrapper, APR/native connector)
-        support for Windows Itanium. (markt)
-      </update>
-    </changelog>
-  </subsection>
-  <subsection name="Catalina">
-    <changelog>
-      <update>
-        The default HTTP cookie parser has been changed to
-        <code>org.apache.tomcat.util.http.Rfc6265CookieProcessor</code>. (markt)
-      </update>
-    </changelog>
-  </subsection>
-  <subsection name="Coyote">
-    <changelog>
-      <update>
-        Remove support for the HTTP BIO and AJP BIO connectors. (markt)
-      </update>
-      <scode>
-        Refactor HTTP upgrade and AJP implementations to reduce duplication.
-        (markt)
-      </scode>
-      <add>
-        Add support for HPACK header encoding and decoding, contributed
-        by Stuart Douglas. (remm)
-      </add>
-      <add>
-        <bug>57108</bug>: Add support for Server Name Indication (SNI). There
-        has been significant changes to the SSL configuration in server.xml to
-        support this. (markt)
-      </add>
-      <add>
-        Add SSL engine for JSSE backed by OpenSSL. Includes ALPN support.
-        Based on code contributed by Numa de Montmollin and derived from code
-        developed by Twitter and Netty. (remm)
-      </add>
-      <fix>
-        RFC 7230 states that clients should ignore reason phrases in HTTP/1.1
-        response messages. Since the reason phrase is optional, Tomcat no longer
-        sends it. As a result the system property
-        <code>org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER</code> is no
-        longer used and has been removed. (markt)
-      </fix>
-      <update>
-        The minimum required Tomcat Native version has been increased to 1.2.2.
-        The 1.2.x branch includes ALPN and SNI support which are required for
-        HTTP/2. (markt)
-      </update>
-      <add>
-        Add support for HTTP/2 including server push. (markt)
-      </add>
-    </changelog>
-  </subsection>
-  <subsection name="Tribes">
-    <changelog>
-      <fix>
-        Clarify the handling of Copy message and Copy nodes. (kfujino)
-      </fix>
-    </changelog>
-  </subsection>
-  <subsection name="Other">
-    <changelog>
-      <add>
-        Support the use of the <code>threads</code> attribute on Ant&apos;s
-        junit task. Note that using this with a value of greater than one will
-        disable Cobertura code coverage. (markt)
-      </add>
-    </changelog>
-  </subsection>
+<section name="Tomcat 10.0.0.0-M1 (markt)" rtext="in development">
 </section>
 </body>
 </document>
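Review bot: The added line `<section name="Tomcat 10.0.0.0-M1 (markt)" rtext="in development">` at the end of this hunk opens an empty section, and nothing in the file replaces the removed 9.0.x history. The deleted entries include security-relevant defaults that someone auditing a 10.0.x install would look for here: the `0027` default umask for the `.tar.gz` distribution, the switch to `Rfc6265CookieProcessor`, and session attribute filtering being enabled by default under a `SecurityManager`. Consider a one-line comment or entry pointing readers to the 9.0.x changelog for changes made before this point. Separately, the new name uses a four-part version (10.0.0.0-M1), while the removed sections used 9.0.0.M1 and 9.0.31 and the commit subject says 10.0.0.x; worth confirming the format is intended.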

