You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2023/08/23 23:22:38 UTC

[VOTE] Release Apache Tomcat 11.0.0-M11

The proposed Apache Tomcat 11.0.0-M11 release is now available for
voting.

Apache Tomcat 11.0.0-M11 is a milestone release of the 11.0.x branch and 
has been made to provide users with early access to the new features in 
Apache Tomcat 11.0.x so that they may provide feedback. The notable 
changes compared to the previous milestone include:

- Update the HTTP parameter handling to align with the changes in the
   Jakarta Servlet 6.1 API Javadoc for the ServletRequest methods used
   to obtain request parameters. Invalid parameters and/or exceeding
   parameter size and/or quantity limits now triggerm exceptions. As a
   consequence, the FailedRequestFilter has been removed.

- If an application or library sets both a non-500 error code and the
   jakarta.servlet.error.exception</code> request attribute, use the
   provided error code during error page processing rather than assuming
   an error code of 500.

- Fix for FORM authentication open redirect - CVE-2023-41080


For full details, see the change log:
https://nightlies.apache.org/tomcat/tomcat-11.0.x/docs/changelog.html

Applications that run on Tomcat 9 and earlier will not run on Tomcat 11 
without changes. Java EE applications designed for Tomcat 9 and earlier 
may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat 
will automatically convert them to Jakarta EE and copy them to the 
webapps directory. Applications using deprecated APIs may require 
further changes.

It can be obtained from:
https://dist.apache.org/repos/dist/dev/tomcat/tomcat-11/v11.0.0-M11/

The Maven staging repo is:
https://repository.apache.org/content/repositories/orgapachetomcat-1451

The tag is:
https://github.com/apache/tomcat/tree/11.0.0-M11
ae109f6248e00a1952f706d6941ff930ad4466e1


The proposed 11.0.0-M11 release is:
[ ] -1 Broken - do not release
[ ] +1 Alpha  - go ahead and release as 11.0.0-M11

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 11.0.0-M11

Posted by Rémy Maucherat <re...@apache.org>.

On Thu, Aug 24, 2023 at 1:23 AM Mark Thomas <ma...@apache.org> wrote:
>
> The proposed Apache Tomcat 11.0.0-M11 release is now available for
> voting.
>
> Apache Tomcat 11.0.0-M11 is a milestone release of the 11.0.x branch and
> has been made to provide users with early access to the new features in
> Apache Tomcat 11.0.x so that they may provide feedback. The notable
> changes compared to the previous milestone include:
>
> - Update the HTTP parameter handling to align with the changes in the
>    Jakarta Servlet 6.1 API Javadoc for the ServletRequest methods used
>    to obtain request parameters. Invalid parameters and/or exceeding
>    parameter size and/or quantity limits now triggerm exceptions. As a
>    consequence, the FailedRequestFilter has been removed.
>
> - If an application or library sets both a non-500 error code and the
>    jakarta.servlet.error.exception</code> request attribute, use the
>    provided error code during error page processing rather than assuming
>    an error code of 500.
>
> - Fix for FORM authentication open redirect - CVE-2023-41080
>
>
> For full details, see the change log:
> https://nightlies.apache.org/tomcat/tomcat-11.0.x/docs/changelog.html
>
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 11
> without changes. Java EE applications designed for Tomcat 9 and earlier
> may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat
> will automatically convert them to Jakarta EE and copy them to the
> webapps directory. Applications using deprecated APIs may require
> further changes.
>
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-11/v11.0.0-M11/
>
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1451
>
> The tag is:
> https://github.com/apache/tomcat/tree/11.0.0-M11
> ae109f6248e00a1952f706d6941ff930ad4466e1
>
>
> The proposed 11.0.0-M11 release is:
> [ ] -1 Broken - do not release
> [X] +1 Alpha  - go ahead and release as 11.0.0-M11

Rémy

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 11.0.0-M11

Posted by Mark Thomas <ma...@apache.org>.

On 23/08/2023 16:22, Mark Thomas wrote:

> The proposed 11.0.0-M11 release is:
> [ ] -1 Broken - do not release
> [X] +1 Alpha  - go ahead and release as 11.0.0-M11

Tests pass on x64 Linux and M1 MacOS with Tomcat Native 1.2.38.

There were three test failures on x64 Windows with Tomcat Natibe 2.0.5. 
I have traced these failures to issues with the newly added tests for 
parameter handling. The tests don't take acocunt of all of the OS 
differences. I have fixes for these tests that I'll commit shortly.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[VOTE][RESULT] Release Apache Tomcat 11.0.0-M11

Posted by Mark Thomas <ma...@apache.org>.

The following votes were cast:

Binding:
+1: lihan, markt, remm

No other votes were cast. The vote therefore passes.

Thanks to everyone who contributed to this release.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: [VOTE] Release Apache Tomcat 11.0.0-M11

Posted by Han Li <li...@apache.org>.


> On Aug 24, 2023, at 07:22, Mark Thomas <ma...@apache.org> wrote:
> 
> The proposed Apache Tomcat 11.0.0-M11 release is now available for
> voting.
> 
> Apache Tomcat 11.0.0-M11 is a milestone release of the 11.0.x branch and has been made to provide users with early access to the new features in Apache Tomcat 11.0.x so that they may provide feedback. The notable changes compared to the previous milestone include:
> 
> - Update the HTTP parameter handling to align with the changes in the
>  Jakarta Servlet 6.1 API Javadoc for the ServletRequest methods used
>  to obtain request parameters. Invalid parameters and/or exceeding
>  parameter size and/or quantity limits now triggerm exceptions. As a
>  consequence, the FailedRequestFilter has been removed.
> 
> - If an application or library sets both a non-500 error code and the
>  jakarta.servlet.error.exception</code> request attribute, use the
>  provided error code during error page processing rather than assuming
>  an error code of 500.
> 
> - Fix for FORM authentication open redirect - CVE-2023-41080
> 
> 
> For full details, see the change log:
> https://nightlies.apache.org/tomcat/tomcat-11.0.x/docs/changelog.html
> 
> Applications that run on Tomcat 9 and earlier will not run on Tomcat 11 without changes. Java EE applications designed for Tomcat 9 and earlier may be placed in the $CATALINA_BASE/webapps-javaee directory and Tomcat will automatically convert them to Jakarta EE and copy them to the webapps directory. Applications using deprecated APIs may require further changes.
> 
> It can be obtained from:
> https://dist.apache.org/repos/dist/dev/tomcat/tomcat-11/v11.0.0-M11/
> 
> The Maven staging repo is:
> https://repository.apache.org/content/repositories/orgapachetomcat-1451
> 
> The tag is:
> https://github.com/apache/tomcat/tree/11.0.0-M11
> ae109f6248e00a1952f706d6941ff930ad4466e1
> 
> 
> The proposed 11.0.0-M11 release is:
> [ ] -1 Broken - do not release
> [X] +1 Alpha  - go ahead and release as 11.0.0-M11

Tests pass on macOS(intel).

Han
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org