43bce1edc3- Update to Tomcat 9.0.107 * Fixed CVEs: + CVE-2025-52520: Align size tracking for multipart requests with FileUpload's use of long. (bsc#1246388) + CVE-2025-52434: Improve stability of APR/native connector. (bsc#1246389) + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier. (bsc#1246318) * Catalina + Fix: Ensure application configured welcome files override the defaults when configuring an embedded web application programmatically. (markt) + Fix: Allow the default servlet to set the content length when the content length is known, no content has been written and a Writer is being used. (markt) + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. (remm/markt) + Fix: 69731: Fix an issue that meant that the value of maxParameterCount applied was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters. (markt) + Fix: Align size tracking for multipart requests with FileUpload's use of long. (schultz) * Coyote + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. (markt) + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding when the headers include a content-length. (remm/markt) + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting one request multiple times. Based on pull request #868 by qingdaoheze. (markt) + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. (remm) + Fix: Improve stability of APR/native connector. (markt) + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional certificate verification and improve the warnings when a web application tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of TLS 1.3. (markt) + Fix: When setting the initial HTTP/2 connection limit, apply those limits earlier. (markt) * Jasper + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt) + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL grammar as both are unused. (markt) * Web applications + Add: Documentation. Provide more explicit guidance regarding the security considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt) + Add: Documentation. Add a section on reverse proxies to the security considerations page. (markt) * Other + Update: Update UnboundID to 7.0.3. (markt) + Update: Update Checkstyle to 10.25.1. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt)
main
Fridrich Strba2025-08-14 08:01:12 +00:00
614337f646- Update to Tomcat 9.0.106 * Fixed CVEs: + CVE-2025-46701: refactor CGI servlet to access resources via WebResources (bsc#1243815) + CVE-2025-48988: limits the total number of parts in a multi-part request and limits the size of the headers provided with each part (bsc#1244656) + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649) * Catalina + Add: Support for the java:module namespace which mirrors the java:comp namespace. + Add: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. + Add: Support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters. + Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite. + Add: #863: Support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp. + Fix: 69706: Saved request serialization issue in FORM introduced when allowing infinite session timeouts. + Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application. + Fix: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources. + Add: 69633: Support for Filters using context root mappings. + Fix: #843: Off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp. + Refactor: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer. + Refactor: GCI servlet to access resources via the WebResource API. + Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith. + Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts. + Add: Provide a content type based on file extension when web application resources are accessed via a URL. * Coyote + Refactor: #861: TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida. + Add: Finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve. + Refactor: The SavedRequestInputFilter so the buffered data is used directly rather than copied. * Jasper + Fix: 69696: Mark the JSP wrapper for reload after a failed compilation. + Fix: 69635: Add support to javax.el.ImportHandler for resolving inner classes. + Add: #842: Support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations. + Fix: An edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635. * Web applications + Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails. + Add: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram. * Other + Add: Thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang. + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05). + Update: EasyMock to 5.6.0. + Update: Checkstyle to 10.25.0. + Fix: #858: Extend improvements to CVE-2024-56337 protection to service.bat. Pull request provided by Markus Hoffrogge. + Fix: Use the full path when the installer for Windows sets calls icacls.exe to set file permissions. + Update: Improvements to Japanese translations provided by tak7iji. + Update: Jacoco to 0.8.13. + Code: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. + Update: Byte Buddy to 1.17.5. + Update: Checkstyle to 10.23.1. + Update: File extension to media type mappings to align with the current list used by the Apache Web Server (httpd). + Update: Improvements to French translations. + Update: Improvements to Japanese translations provided by tak7iji.Fridrich Strba2025-06-24 12:02:49 +00:00
ea357e0c4a- Update to Tomcat 9.0.104 * Fixed CVEs: + CVE-2025-31650: invalid priority field values should be ignored (bsc#1242008) + CVE-2025-31651: Better handling of URLs with literal ';' and '?' (bsc#1242009) * Catalina + Fix: Fix use of SSS in SimpleDateFormat pattern for AccessLogValve. (rjung) + Fix: Process possible path parameters rewrite production in the rewrite valve. (remm) + Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier. (remm) + Fix: Return 400 if the amount of content sent for a partial PUT is inconsistent with the range that was specified. (remm) + Add: Add a new RateLimiter implementation, org.apache.catalina.util.ExactRateLimiter, that can be used with org.apache.catalina.filters.RateLimitFilter to provide rate limit based on the exact values configured. Based on pull request #794 by Chenjp. (markt) + Fix: Fix parsing of the time-taken token in the ExtendedAccessLogValve. (remm) + Fix: Fix invocation of the FFM OpenSSL code for setting a SSL engine and FIPS mode. (remm) + Fix: 69600: Add IPv6 local addresses (RFC 4193 and RFC 4291) to the default internal proxies for the RemoteIpFilter and RemoteIpValve. (markt) + Fix: 69615: Improve integration with the not found class resources cache for users who are using a custom web application class loader and/or using reflection to dynamically add external repositories to the web application class loader. (markt) + Add: Add a new initialisation parameter to the Default servlet - allowPostAsGet - which controls whether a direct request (i.e. not a forward or an include) for a static resource using the POST method will be processed as if the GET method had been used. If not allowed, the request will be rejected. The default behaviour of processing the request as if the GET method had been used is unchanged. (markt) + Fix: 69623: Correct a long standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled. (markt) + Fix: 69634: Avoid NPE on JsonErrorReportValve. (remm) + Fix: Add missing throwable stack trace to JsonErrorReportValve equivalent to the one from ErrorReportValve. (remm) + Fix: Improve the handling of %nn URL encoding in the RewriteValve and document how %nn URL encoding may be used with rewrite rules. (markt) + Fix: Fix a potential exception when calling WebappClassLoaderBase.getResource(""). (markt) * Coyote + Fix: 69607: Allow failed initialization of MD5. Based on code submitted by Shivam Verma. (remm) + Fix: 69614: HTTP/2 priority frames with an invalid priority field value should be ignored. (markt) + Fix: Improve handling of unexpected errors during HTTP/2 processing. (markt) + Fix: Add missing code to process an OpenSSL profile, such as PROFILE= SYSTEM, using FFM. (remm) + Add: Simplify the process of using a custom SSLContext for an HTTPS enabled connector. Based on pull request #805 by Hakky54. (markt) * Jasper + Code: Replace custom URL encoding provided by the JSP runtime library with calls to java.net.URLEncoder.encode(). (markt) + Add: Add compiler using the Java Compiler API, supporting exploded web applications. The compilerClassName to use is org.apache.jasper.compiler.JavaCompiler. (remm) + Add: Add support for specifying Java 25 (with the value 25) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt) * Cluster + Fix: Fix resetting cross context sessions in the ReplicationValve. (remm) * Web applications + Add: Documentation. Add a link to the Log4j documentation that describes how to use Log4j rather than JULI for Tomcat's internal logging. (markt) + Add: Documentation. Document the runtime attributes available to web applications via the Request or the ServletContext. Based on pull request #832 by usmazat. (markt) * Other + Fix: Set sun.io.useCanonCaches in service.bat. Based on pull request #841 by Paul Lodge. (remm) + Fix: The minimum Java version to build a release is now Java 22, mirroring Tomcat 10.1. This removes the need for using a java-ffm.home property. (remm) + Update: Revert JSign to 6.0 to avoid a file locking issue. (markt) + Update: Update to NSIS 3.11. (markt) + Update: Update to ByteBuddy 1.17.4. (markt) + Update: Update to Checkstyle 10.21.4. (markt) + Update: Update to SpotBugs to 4.9.3. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt)Fridrich Strba2025-05-01 12:10:14 +00:00
e023232c7b- update Tomcat to version 9.0.102 - align addressed CVEs and bugzilla ids in tomcat.changesFridrich Strba2025-03-19 16:03:16 +00:00
97f056cd11CVE-2024-56337 and the JVM cannot be correctly configured or it cannot beMichele Bussolotto2025-03-17 12:06:15 +00:00
4100978dbd- Update to Tomcat 9.0.99 * Fixed CVE: + CVE-2025-24813: potential RCE and/or information disclosure/corruption with partial PUT (bsc#1239302) * Catalina + Update: Add tableName configuration on the DataSourcePropertyStore that may be used by the WebDAV Servlet. (remm) + Update: Improve HTTP If headers processing according to RFC 9110. Based on pull request #796 by Chenjp. (remm/markt) + Update: Allow readOnly attribute configuration on the Resources element and allow configure the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. (remm) + Fix: 69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt) + Fix: 69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm) + Fix: Fix possible edge cases (such as HTTP/1.0) with trying to detect requests without body for WebDAV LOCK and PROPFIND. (remm) + Fix: 69528: Add multi-release JAR support for the bloom archiveIndexStrategy of the Resources. (remm) + Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm) + Add: Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2004-56337 and the JVM cannot be correctly configured or it cannot be confirmed that the JVM has been correctly configured, prevent the impactedFridrich Strba2025-03-13 20:42:03 +00:00
Fridrich Strba
Michele Bussolotto
Matei Albu