43bce1edc3- Update to Tomcat 9.0.107 * Fixed CVEs: + CVE-2025-52520: Align size tracking for multipart requests with FileUpload's use of long. (bsc#1246388) + CVE-2025-52434: Improve stability of APR/native connector. (bsc#1246389) + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier. (bsc#1246318) * Catalina + Fix: Ensure application configured welcome files override the defaults when configuring an embedded web application programmatically. (markt) + Fix: Allow the default servlet to set the content length when the content length is known, no content has been written and a Writer is being used. (markt) + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. (remm/markt) + Fix: 69731: Fix an issue that meant that the value of maxParameterCount applied was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters. (markt) + Fix: Align size tracking for multipart requests with FileUpload's use of long. (schultz) * Coyote + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. (markt) + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding when the headers include a content-length. (remm/markt) + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting one request multiple times. Based on pull request #868 by qingdaoheze. (markt) + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. (remm) + Fix: Improve stability of APR/native connector. (markt) + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional certificate verification and improve the warnings when a web application tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of TLS 1.3. (markt) + Fix: When setting the initial HTTP/2 connection limit, apply those limits earlier. (markt) * Jasper + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt) + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL grammar as both are unused. (markt) * Web applications + Add: Documentation. Provide more explicit guidance regarding the security considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt) + Add: Documentation. Add a section on reverse proxies to the security considerations page. (markt) * Other + Update: Update UnboundID to 7.0.3. (markt) + Update: Update Checkstyle to 10.25.1. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt)Fridrich Strba2025-08-14 08:01:12 +00:00
2930750469- Update to Tomcat 9.0.107 * Fixed CVEs: + CVE-2025-52520: Align size tracking for multipart requests with FileUpload's use of long. (bsc#1246388) + CVE-2025-52434: Improve stability of APR/native connector. (bsc#1246389) + CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier. (bsc#1246318) * Catalina + Fix: Ensure application configured welcome files override the defaults when configuring an embedded web application programmatically. (markt) + Fix: Allow the default servlet to set the content length when the content length is known, no content has been written and a Writer is being used. (markt) + Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that prevented access to PreResources and PostResources when mounted below the web application root with a path that was terminated with a file separator. (remm/markt) + Fix: 69731: Fix an issue that meant that the value of maxParameterCount applied was smaller than intended for multipart uploads with non-file parts when the parts were processed before query string parameters. (markt) + Fix: Align size tracking for multipart requests with FileUpload's use of long. (schultz) * Coyote + Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update the documentation to provide more details on the memory requirements to support multi-part uploads while avoiding a denial of service risk. (markt) + Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding when the headers include a content-length. (remm/markt) + Fix: Correctly collect statistics for HTTP/2 requests and avoid counting one request multiple times. Based on pull request #868 by qingdaoheze. (markt) + Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value of useVirtualThreads in JMX. (remm) + Fix: Improve stability of APR/native connector. (markt) + Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional certificate verification and improve the warnings when a web application tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of TLS 1.3. (markt) + Fix: When setting the initial HTTP/2 connection limit, apply those limits earlier. (markt) * Jasper + Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt) + Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL grammar as both are unused. (markt) * Web applications + Add: Documentation. Provide more explicit guidance regarding the security considerations for enabling write access to the web application via WebDAV, HTTP PUT requests or similar. (markt) + Add: Documentation. Add a section on reverse proxies to the security considerations page. (markt) * Other + Update: Update UnboundID to 7.0.3. (markt) + Update: Update Checkstyle to 10.25.1. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt)Fridrich Strba2025-08-14 08:01:12 +00:00
0bd3dc595dAccepting request 1288243 from Java:packagesAna Guerrero2025-06-24 18:50:22 +00:00
614337f646- Update to Tomcat 9.0.106 * Fixed CVEs: + CVE-2025-46701: refactor CGI servlet to access resources via WebResources (bsc#1243815) + CVE-2025-48988: limits the total number of parts in a multi-part request and limits the size of the headers provided with each part (bsc#1244656) + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649) * Catalina + Add: Support for the java:module namespace which mirrors the java:comp namespace. + Add: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. + Add: Support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters. + Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite. + Add: #863: Support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp. + Fix: 69706: Saved request serialization issue in FORM introduced when allowing infinite session timeouts. + Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application. + Fix: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources. + Add: 69633: Support for Filters using context root mappings. + Fix: #843: Off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp. + Refactor: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer. + Refactor: GCI servlet to access resources via the WebResource API. + Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith. + Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts. + Add: Provide a content type based on file extension when web application resources are accessed via a URL. * Coyote + Refactor: #861: TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida. + Add: Finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve. + Refactor: The SavedRequestInputFilter so the buffered data is used directly rather than copied. * Jasper + Fix: 69696: Mark the JSP wrapper for reload after a failed compilation. + Fix: 69635: Add support to javax.el.ImportHandler for resolving inner classes. + Add: #842: Support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations. + Fix: An edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635. * Web applications + Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails. + Add: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram. * Other + Add: Thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang. + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05). + Update: EasyMock to 5.6.0. + Update: Checkstyle to 10.25.0. + Fix: #858: Extend improvements to CVE-2024-56337 protection to service.bat. Pull request provided by Markus Hoffrogge. + Fix: Use the full path when the installer for Windows sets calls icacls.exe to set file permissions. + Update: Improvements to Japanese translations provided by tak7iji. + Update: Jacoco to 0.8.13. + Code: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. + Update: Byte Buddy to 1.17.5. + Update: Checkstyle to 10.23.1. + Update: File extension to media type mappings to align with the current list used by the Apache Web Server (httpd). + Update: Improvements to French translations. + Update: Improvements to Japanese translations provided by tak7iji.Fridrich Strba2025-06-24 12:02:49 +00:00
059ae74e05- Update to Tomcat 9.0.106 * Fixed CVEs: + CVE-2025-46701: refactor CGI servlet to access resources via WebResources (bsc#1243815) + CVE-2025-48988: limits the total number of parts in a multi-part request and limits the size of the headers provided with each part (bsc#1244656) + CVE-2025-49125: Expand checks for webAppMount (bsc#1244649) * Catalina + Add: Support for the java:module namespace which mirrors the java:comp namespace. + Add: Support parsing of multiple path parameters separated by ; in a single URL segment. Based on pull request #860 by Chenjp. + Add: Support for limiting the number of parameters in HTTP requests through the new ParameterLimitValve. The valve allows configurable URL-specific limits on the number of parameters. + Fix: 69699: Encode redirect URL used by the rewrite valve with the session id if appropriate, and handle cross context with different session configuration when using rewrite. + Add: #863: Support for comments at the end of lines in text rewrite map files to align behaviour with Apache httpd. Pull request provided by Chenjp. + Fix: 69706: Saved request serialization issue in FORM introduced when allowing infinite session timeouts. + Fix: Expand the path checks for Pre-Resources and Post-Resources mounted at a path within the web application. + Fix: 69588: Enable allowLinking to be set on PreResources, JarResources and PostResources. If not set explicitly, the setting will be inherited from the Resources. + Add: 69633: Support for Filters using context root mappings. + Fix: #843: Off by one validation logic for partial PUT ranges and associated test case. Submitted by Chenjp. + Refactor: Replace the unused buffer in org.apache.catalina.connector.InputBuffer with a static, zero length buffer. + Refactor: GCI servlet to access resources via the WebResource API. + Fix: 69662: Report name in exception message when a naming lookup failure occurs. Based on code submitted by Donald Smith. + Fix: Ensure that the FORM authentication attribute authenticationSessionTimeout works correctly when sessions have an infinite timeout when authentication starts. + Add: Provide a content type based on file extension when web application resources are accessed via a URL. * Coyote + Refactor: #861: TaskQueue to use the new interface RetryableQueue which enables better integration of custom Executors which provide their own BlockingQueue implementation. Pull request provided by Paulo Almeida. + Add: Finer grained control of multi-part request processing via two new attributes on the Connector element. maxPartCount limits the total number of parts in a multi-part request and maxPartHeaderSize limits the size of the headers provided with each part. Add support for these new attributes to the ParameterLimitValve. + Refactor: The SavedRequestInputFilter so the buffered data is used directly rather than copied. * Jasper + Fix: 69696: Mark the JSP wrapper for reload after a failed compilation. + Fix: 69635: Add support to javax.el.ImportHandler for resolving inner classes. + Add: #842: Support for optimized execution of c:set and c:remove tags, when activated via JSP servlet param useNonstandardTagOptimizations. + Fix: An edge case compilation bug for JSP and tag files on case insensitive file systems that was exposed by the test case for 69635. * Web applications + Fix: 69694: Improve error reporting of deployment tasks done using the manager webapp when a copy operation fails. + Add: 68876: Documentation. Update the UML diagrams for server start-up, request processing and authentication using PlantUML and include the source files for each diagram. * Other + Add: Thread name to webappClassLoader.stackTraceRequestThread message. Patch provided by Felix Zhang. + Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1 (2025-06-05). + Update: EasyMock to 5.6.0. + Update: Checkstyle to 10.25.0. + Fix: #858: Extend improvements to CVE-2024-56337 protection to service.bat. Pull request provided by Markus Hoffrogge. + Fix: Use the full path when the installer for Windows sets calls icacls.exe to set file permissions. + Update: Improvements to Japanese translations provided by tak7iji. + Update: Jacoco to 0.8.13. + Code: Explicitly set the locale to be used for Javadoc. For official releases, this locale will be English (US) to support reproducible builds. + Update: Byte Buddy to 1.17.5. + Update: Checkstyle to 10.23.1. + Update: File extension to media type mappings to align with the current list used by the Apache Web Server (httpd). + Update: Improvements to French translations. + Update: Improvements to Japanese translations provided by tak7iji.Fridrich Strba2025-06-24 12:02:49 +00:00
458b116f9dAccepting request 1279298 from Java:packagesAna Guerrero2025-05-22 14:59:32 +00:00
ea357e0c4a- Update to Tomcat 9.0.104 * Fixed CVEs: + CVE-2025-31650: invalid priority field values should be ignored (bsc#1242008) + CVE-2025-31651: Better handling of URLs with literal ';' and '?' (bsc#1242009) * Catalina + Fix: Fix use of SSS in SimpleDateFormat pattern for AccessLogValve. (rjung) + Fix: Process possible path parameters rewrite production in the rewrite valve. (remm) + Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier. (remm) + Fix: Return 400 if the amount of content sent for a partial PUT is inconsistent with the range that was specified. (remm) + Add: Add a new RateLimiter implementation, org.apache.catalina.util.ExactRateLimiter, that can be used with org.apache.catalina.filters.RateLimitFilter to provide rate limit based on the exact values configured. Based on pull request #794 by Chenjp. (markt) + Fix: Fix parsing of the time-taken token in the ExtendedAccessLogValve. (remm) + Fix: Fix invocation of the FFM OpenSSL code for setting a SSL engine and FIPS mode. (remm) + Fix: 69600: Add IPv6 local addresses (RFC 4193 and RFC 4291) to the default internal proxies for the RemoteIpFilter and RemoteIpValve. (markt) + Fix: 69615: Improve integration with the not found class resources cache for users who are using a custom web application class loader and/or using reflection to dynamically add external repositories to the web application class loader. (markt) + Add: Add a new initialisation parameter to the Default servlet - allowPostAsGet - which controls whether a direct request (i.e. not a forward or an include) for a static resource using the POST method will be processed as if the GET method had been used. If not allowed, the request will be rejected. The default behaviour of processing the request as if the GET method had been used is unchanged. (markt) + Fix: 69623: Correct a long standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled. (markt) + Fix: 69634: Avoid NPE on JsonErrorReportValve. (remm) + Fix: Add missing throwable stack trace to JsonErrorReportValve equivalent to the one from ErrorReportValve. (remm) + Fix: Improve the handling of %nn URL encoding in the RewriteValve and document how %nn URL encoding may be used with rewrite rules. (markt) + Fix: Fix a potential exception when calling WebappClassLoaderBase.getResource(""). (markt) * Coyote + Fix: 69607: Allow failed initialization of MD5. Based on code submitted by Shivam Verma. (remm) + Fix: 69614: HTTP/2 priority frames with an invalid priority field value should be ignored. (markt) + Fix: Improve handling of unexpected errors during HTTP/2 processing. (markt) + Fix: Add missing code to process an OpenSSL profile, such as PROFILE= SYSTEM, using FFM. (remm) + Add: Simplify the process of using a custom SSLContext for an HTTPS enabled connector. Based on pull request #805 by Hakky54. (markt) * Jasper + Code: Replace custom URL encoding provided by the JSP runtime library with calls to java.net.URLEncoder.encode(). (markt) + Add: Add compiler using the Java Compiler API, supporting exploded web applications. The compilerClassName to use is org.apache.jasper.compiler.JavaCompiler. (remm) + Add: Add support for specifying Java 25 (with the value 25) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt) * Cluster + Fix: Fix resetting cross context sessions in the ReplicationValve. (remm) * Web applications + Add: Documentation. Add a link to the Log4j documentation that describes how to use Log4j rather than JULI for Tomcat's internal logging. (markt) + Add: Documentation. Document the runtime attributes available to web applications via the Request or the ServletContext. Based on pull request #832 by usmazat. (markt) * Other + Fix: Set sun.io.useCanonCaches in service.bat. Based on pull request #841 by Paul Lodge. (remm) + Fix: The minimum Java version to build a release is now Java 22, mirroring Tomcat 10.1. This removes the need for using a java-ffm.home property. (remm) + Update: Revert JSign to 6.0 to avoid a file locking issue. (markt) + Update: Update to NSIS 3.11. (markt) + Update: Update to ByteBuddy 1.17.4. (markt) + Update: Update to Checkstyle 10.21.4. (markt) + Update: Update to SpotBugs to 4.9.3. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt)Fridrich Strba2025-05-01 12:10:14 +00:00
bf26d83f72- Update to Tomcat 9.0.104 * Fixed CVEs: + CVE-2025-31650: invalid priority field values should be ignored (bsc#1242008) + CVE-2025-31651: Better handling of URLs with literal ';' and '?' (bsc#1242009) * Catalina + Fix: Fix use of SSS in SimpleDateFormat pattern for AccessLogValve. (rjung) + Fix: Process possible path parameters rewrite production in the rewrite valve. (remm) + Fix: 69643: Optimize directory listing for large amount of files. Patch submitted by Loic de l'Eprevier. (remm) + Fix: Return 400 if the amount of content sent for a partial PUT is inconsistent with the range that was specified. (remm) + Add: Add a new RateLimiter implementation, org.apache.catalina.util.ExactRateLimiter, that can be used with org.apache.catalina.filters.RateLimitFilter to provide rate limit based on the exact values configured. Based on pull request #794 by Chenjp. (markt) + Fix: Fix parsing of the time-taken token in the ExtendedAccessLogValve. (remm) + Fix: Fix invocation of the FFM OpenSSL code for setting a SSL engine and FIPS mode. (remm) + Fix: 69600: Add IPv6 local addresses (RFC 4193 and RFC 4291) to the default internal proxies for the RemoteIpFilter and RemoteIpValve. (markt) + Fix: 69615: Improve integration with the not found class resources cache for users who are using a custom web application class loader and/or using reflection to dynamically add external repositories to the web application class loader. (markt) + Add: Add a new initialisation parameter to the Default servlet - allowPostAsGet - which controls whether a direct request (i.e. not a forward or an include) for a static resource using the POST method will be processed as if the GET method had been used. If not allowed, the request will be rejected. The default behaviour of processing the request as if the GET method had been used is unchanged. (markt) + Fix: 69623: Correct a long standing regression that meant that calls to ClassLoader.getResource().getContent() failed when made from within a web application with resource caching enabled. (markt) + Fix: 69634: Avoid NPE on JsonErrorReportValve. (remm) + Fix: Add missing throwable stack trace to JsonErrorReportValve equivalent to the one from ErrorReportValve. (remm) + Fix: Improve the handling of %nn URL encoding in the RewriteValve and document how %nn URL encoding may be used with rewrite rules. (markt) + Fix: Fix a potential exception when calling WebappClassLoaderBase.getResource(""). (markt) * Coyote + Fix: 69607: Allow failed initialization of MD5. Based on code submitted by Shivam Verma. (remm) + Fix: 69614: HTTP/2 priority frames with an invalid priority field value should be ignored. (markt) + Fix: Improve handling of unexpected errors during HTTP/2 processing. (markt) + Fix: Add missing code to process an OpenSSL profile, such as PROFILE= SYSTEM, using FFM. (remm) + Add: Simplify the process of using a custom SSLContext for an HTTPS enabled connector. Based on pull request #805 by Hakky54. (markt) * Jasper + Code: Replace custom URL encoding provided by the JSP runtime library with calls to java.net.URLEncoder.encode(). (markt) + Add: Add compiler using the Java Compiler API, supporting exploded web applications. The compilerClassName to use is org.apache.jasper.compiler.JavaCompiler. (remm) + Add: Add support for specifying Java 25 (with the value 25) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will be used. (markt) * Cluster + Fix: Fix resetting cross context sessions in the ReplicationValve. (remm) * Web applications + Add: Documentation. Add a link to the Log4j documentation that describes how to use Log4j rather than JULI for Tomcat's internal logging. (markt) + Add: Documentation. Document the runtime attributes available to web applications via the Request or the ServletContext. Based on pull request #832 by usmazat. (markt) * Other + Fix: Set sun.io.useCanonCaches in service.bat. Based on pull request #841 by Paul Lodge. (remm) + Fix: The minimum Java version to build a release is now Java 22, mirroring Tomcat 10.1. This removes the need for using a java-ffm.home property. (remm) + Update: Revert JSign to 6.0 to avoid a file locking issue. (markt) + Update: Update to NSIS 3.11. (markt) + Update: Update to ByteBuddy 1.17.4. (markt) + Update: Update to Checkstyle 10.21.4. (markt) + Update: Update to SpotBugs to 4.9.3. (markt) + Update: Improvements to French translations. (remm) + Update: Improvements to Japanese translations provided by tak7iji. (markt)Fridrich Strba2025-05-01 12:10:14 +00:00
6a9e8b3ebaAccepting request 1254481 from Java:packagesAna Guerrero2025-03-19 21:34:29 +00:00
e023232c7b- update Tomcat to version 9.0.102 - align addressed CVEs and bugzilla ids in tomcat.changesFridrich Strba2025-03-19 16:03:16 +00:00
e753e9aed9- update Tomcat to version 9.0.102 - align addressed CVEs and bugzilla ids in tomcat.changesFridrich Strba2025-03-19 16:03:16 +00:00
a7046a4585Accepting request 1253768 from Java:packagesAna Guerrero2025-03-17 21:18:45 +00:00
97f056cd11CVE-2024-56337 and the JVM cannot be correctly configured or it cannot beMichele Bussolotto2025-03-17 12:06:15 +00:00
57be33120fCVE-2024-56337 and the JVM cannot be correctly configured or it cannot beMichele Bussolotto2025-03-17 12:06:15 +00:00
83dbcc5d2aAccepting request 1252935 from Java:packagesAna Guerrero2025-03-14 22:51:22 +00:00
4100978dbd- Update to Tomcat 9.0.99 * Fixed CVE: + CVE-2025-24813: potential RCE and/or information disclosure/corruption with partial PUT (bsc#1239302) * Catalina + Update: Add tableName configuration on the DataSourcePropertyStore that may be used by the WebDAV Servlet. (remm) + Update: Improve HTTP If headers processing according to RFC 9110. Based on pull request #796 by Chenjp. (remm/markt) + Update: Allow readOnly attribute configuration on the Resources element and allow configure the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. (remm) + Fix: 69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt) + Fix: 69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm) + Fix: Fix possible edge cases (such as HTTP/1.0) with trying to detect requests without body for WebDAV LOCK and PROPFIND. (remm) + Fix: 69528: Add multi-release JAR support for the bloom archiveIndexStrategy of the Resources. (remm) + Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm) + Add: Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2004-56337 and the JVM cannot be correctly configured or it cannot be confirmed that the JVM has been correctly configured, prevent the impactedFridrich Strba2025-03-13 20:42:03 +00:00
680a9d1be0- Update to Tomcat 9.0.99 * Fixed CVE: + CVE-2025-24813: potential RCE and/or information disclosure/corruption with partial PUT (bsc#1239302) * Catalina + Update: Add tableName configuration on the DataSourcePropertyStore that may be used by the WebDAV Servlet. (remm) + Update: Improve HTTP If headers processing according to RFC 9110. Based on pull request #796 by Chenjp. (remm/markt) + Update: Allow readOnly attribute configuration on the Resources element and allow configure the readOnly attribute value of the main resources. The attribute value will also be used by the default and WebDAV Servlets. (remm) + Fix: 69285: Optimise the creation of the parameter map for included requests. Based on sample code and test cases provided by John Engebretson. (markt) + Fix: 69527: Avoid rare cases where a cached resource could be set with 0 content length, or could be evicted immediately. (remm) + Fix: Fix possible edge cases (such as HTTP/1.0) with trying to detect requests without body for WebDAV LOCK and PROPFIND. (remm) + Fix: 69528: Add multi-release JAR support for the bloom archiveIndexStrategy of the Resources. (remm) + Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based on a patch submitted by Chenjp. (remm) + Add: Add a check to ensure that, if one or more web applications are potentially vulnerable to CVE-2024-56337, the JVM has been configured to protect against the vulnerability and to configure the JVM correctly if not. Where one or more web applications are potentially vulnerable to CVE-2004-56337 and the JVM cannot be correctly configured or it cannot be confirmed that the JVM has been correctly configured, prevent the impactedFridrich Strba2025-03-13 20:42:03 +00:00
545eefb931Accepting request 1235267 from Java:packagesAna Guerrero2025-01-07 19:52:30 +00:00
0dedcc8e34Accepting request 1234765 from home:RMestre:branches:Java:packagesFridrich Strba2025-01-06 16:20:19 +00:00
5d3c84a4fd- Update to Tomcat 9.0.98 * Fixed CVEs: + CVE-2024-54677: DoS in examples web application (bsc#1233434) + CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663) * Catalina + Add: Add option to serve resources from subpath only with WebDAV Servlet like with DefaultServlet. (michaelo) + Fix: Add special handling for the protocols attribute of SSLHostConfig in storeconfig. (remm) + Fix: 69442: Fix case sensitive check on content-type when parsing request parameters. (remm) + Code: Refactor duplicate code for extracting media type and subtype from content-type into a single method. (markt) + Fix: Compatibility of generated embedded code with components where constructors or property related methods throw a checked exception. (remm) + Fix: The previous fix for inconsistent resource metadata during concurrent reads and writes was incomplete. (markt) + Fix: 69444: Ensure that the javax.servlet.error.message request attribute is set when an application defined error page is called. (markt) + Fix: Avoid quotes for numeric values in the JSON generated by the status servlet. (remm) + Add: Add strong ETag support for the WebDAV and default servlet, which can be enabled by using the useStrongETags init parameter with a value set to true. The ETag generated will be a SHA-1 checksum of the resource content. (remm) + Fix: Use client locale for directory listings. (remm) + Fix: 69439: Improve the handling of multiple Cache-Control headers in the ExpiresFilter. Based on pull request #777 by Chenjp. (markt) + Fix: 69447: Update the support for caching classes the web application class loader cannot find to take account of classes loaded from externalFridrich Strba2025-01-06 16:20:19 +00:00
757a8a54bfAccepting request 1226304 from Java:packagesAna Guerrero2024-11-25 22:23:34 +00:00
41b9f53787Accepting request 1225911 from home:mbussolotto:branches:Java:packagesMichele Bussolotto2024-11-25 14:54:00 +00:00
8ef7eb2a60- Update to Tomcat 9.0.97 * Fixed CVEs: + CVE-2024-52316: If the Jakarta Authentication fails with an exception, set a 500 status (bsc#1233434) * Catalina + Add: Add support for the new Servlet API method HttpServletResponse.sendEarlyHints(). (markt) + Add: 55470: Add debug logging that reports the class path when a ClassNotFoundException occurs in the digester or the web application class loader. Based on a patch by Ralf Hauser. (markt) + Update: 69374: Properly separate between table header and body in DefaultServlet's listing. (michaelo) + Update: 69373: Make DefaultServlet's HTML listing file last modified rendering better (flexible). (michaelo) + Update: Improve HTML output of DefaultServlet. (michaelo) + Code: Refactor RateLimitFilter to use FilterBase as the base class. The primary advantage for doing this is less code to process init-param values. (markt) + Update: 69370: DefaultServlet's HTML listing uses incorrect labels. (michaelo) + Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped requests. (remm) + Fix: Add missing WebDAV Lock-Token header in the response when locking a folder. (remm) + Fix: Invalid WebDAV lock requests should be rejected with 400. (remm) + Fix: Fix regression in WebDAV when attempting to unlock a collection. (remm) + Fix: Verify that destination is not locked for a WebDAV copy operation. (remm) + Fix: Send 415 response to WebDAV MKCOL operations that include a request body since this is optional and unsupported. (remm) + Fix: Enforce DAV: namespace on WebDAV XML elements. (remm) + Fix: Do not allow a new WebDAV lock on a child resource if a parent collection is locked (RFC 4918 section 6.1). (remm) + Fix: WebDAV Delete should remove any existing lock on successfully deleted resources. (remm) + Update: Remove WebDAV lock null support in accordance with RFC 4918 section 7.3 and annex D. Instead, a lock on a non-existing resource will create an empty file locked with a regular lock. (remm) + Update: Rewrite implementation of WebDAV shared locks to comply with RFC 4918. (remm) + Update: Implement WebDAV If header using code from the Apache Jackrabbit project. (remm) + Add: Add PropertyStore interface in the WebDAV Servlet, to allow implementation of dead properties storage. The store used can be configured using the 'propertyStore' init parameter of the WebDAV servlet. A simple non-persistent implementation is used if no custom store is configured. (remm) + Update: Implement WebDAV PROPPATCH method using the newly added PropertyStore. (remm) + Fix: Cache not found results when searching for web application class loader resources. This addresses performance problems caused by components such as java.sql.DriverManager which, in some circumstances, will search for the same class repeatedly. In a large web application this can cause performance problems. The size of the cache can be controlled via the new notFoundClassResourceCacheSize on the StandardContext. (markt) + Fix: Stop after INITIALIZED state should be a noop since it is possible for subcomponents to be in FAILED after init. (remm) + Fix: Fix incorrect web resource cache size calculations when there are concurrent PUT and DELETE requests for the same resource. (markt) + Add: Add debug logging for the web resource cache so the current size can be tracked as resources are added and removed. (markt) + Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens with urn:uuid: as recommended by RFC 4918, and remove secret init parameter. (remm) + Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the same path caused corruption of the FileResource where some of the fields were set as if the file exists and some as set as if it does not. This resulted in inconsistent metadata. (markt) + Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on GET and HEAD requests. Also skip requests where the application has set Cache-Control: no-store. (markt) + Fix: 69419: Improve the performance of ServletRequest.getAttribute() when there are multiple levels of nested includes. Based on a patch provided by John Engebretson. (markt) + Add: All applications to send an early hints informational response by calling HttpServletResponse.sendError() with a status code of 103. (schultz) + Fix: Ensure that the Jakarta Authentication CallbackHandler only creates one GenericPrincipal in the Subject. (markt) + Fix: If the Jakarta Authentication process fails with an Exception, explicitly set the HTTP response status to 500 as the ServerAuthContext may not have set it. (markt) + Fix: When persisting the Jakarta Authentication provider configuration, create any necessary parent directories that don't already exist. (markt) + Fix: Correct the logic used to detect errors when deleting temporary files associated with persisting the Jakarta Authentication provider configuration. (markt) + Fix: When processing Jakarta Authentication callbacks, don't overwrite a Principal obtained from the PasswordValidationCallback with null if the CallerPrincipalCallback does not provide a Principal. (markt) + Fix: Avoid store config backup loss when storing one configuration more than once per second. (remm) + Fix: 69359: WebdavServlet duplicates getRelativePath() method from super class with incorrect Javadoc. (michaelo) + Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and DefaultServlet. (michaelo) + Fix: Make WebdavServlet properly return the Allow header when deletion of a resource is not allowed. (michaelo) + Fix: Add log warning if non wildcard mappings are used with the WebdavServlet. (remm) + Fix: 69361: Ensure that the order of entries in a multi-status response to a WebDAV is consistent with the order in which resources were processed. (markt) + Fix: 69362: Provide a better multi-status response when deleting a collection via WebDAV fails. Empty directories that cannot be deleted will now be included in the response. (markt) + Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to ensure that the correct path is used when the WebDAV servlet is mounted at a sub-path within the web application. (markt) + Fix: Improve performance of ApplicationHttpRequest.parseParameters(). Based on sample code and test cases provided by John Engebretson. (markt) + Add: Add support for RFC 8297 (Early Hints). Applications can use this feature by casting the HttpServletResponse to org.apache.catalina.connector.Reponse and then calling the method void sendEarlyHints(). This method will be added to the Servlet API (removing the need for the cast) in Servlet 6.2 onwards. (markt) + Fix: 69214: Do not reject a CORS request that uses POST but does not include a content-type header. Tomcat now correctly processes this as a simple CORS request. Based on a patch suggested by thebluemountain. (markt) + Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than Subject.doAs() when available. (markt) * Coyote + Fix: Return null SSL session id on zero length byte array returned from the SSL implementation. (remm) + Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm) + Fix: Create the HttpParser in Http11Processor if it is not present on the AbstractHttp11Protocol to provide better lifecycle robustness for regular HTTP/1.1. The new behavior was introduced on a previous refactoring to improve HTTP/2 performance. (remm) + Fix: OpenSSLContext will now throw a KeyManagementException if something is known to have gone wrong in the init method, which is the behavior documented by javax.net.ssl.SSLContext.init. This makes error handling more consistent. (remm) + Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to generate Date headers for HTTP responses) generates the correct string for the given input. Prior to this change, the output may have been wrong by one second in some cases. Pull request #751 provided by Chenjp. (markt) + Add: Add server and serverRemoveAppProvidedValues to the list of attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector it is nested within. (markt) + Fix: Avoid possible crashes when using Apache Tomcat Native, caused by destroying SSLContext objects through GC after APR has been terminated. (remm) + Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer fields no longer need to be received before the headers of the subsequent stream nor are trailer fields for an in-progress stream swallowed if the Connector is paused before the trailer fields are received. (markt) + Fix: Ensure the request and response are not recycled too soon for an HTTP/2 stream when a stream level error is detected during the processing of incoming HTTP/2 frames. This could lead to incorrect processing times appearing in the access log. (markt) + Fix: Fix 69320, a regression in the fix for 69302 that meant the HTTP/2 processing was likely to be broken for all clients once any client sent an HTTP/2 reset frame. (markt) + Fix: Correct a regression in the fix for non-blocking reads of chunked request bodies that caused InputStream.available() to return a non-zero value when there was no data to read. In some circumstances this could cause a blocking read to block waiting for more data rather than return the data it had already received. (markt) + Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor. The default behaviour is unchanged. (markt) + Fix: Ensure that Tomcat sends a TLS close_notify message after receiving one from the client when using the OpenSSLImplementation. (markt) + Fix: 69301: Fix trailer headers replacing non-trailer headers when writing response headers to the access log. Based on a patch and test case provided by hypnoce. (markt) + Fix: 69302: If an HTTP/2 client resets a stream before the request body is fully written, ensure that any ReadListener is notified via a call to ReadListener.onErrror(). (markt) + Fix: Correct regressions in the refactoring that added recycling of the coyote request and response to the HTTP/2 processing. (markt) + Add: Add OpenSSL integration using the FFM API rather than Tomcat Native. OpenSSL support may be enabled by adding the org.apache.catalina.core.OpenSSLLifecycleListener listener on the Server element when using Java 22 or later. (remm) + Fix: Ensure that HTTP/2 stream input buffers are only created when there is a request body to be read. (markt) + Code: Refactor creation of HttpParser instances from the Processor level to the Protocol level since the parser configuration depends on the protocol and the parser is, otherwise, stateless. (markt) + Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal request and response processing objects by default. This behaviour can be controlled via the new discardRequestsAndResponses attribute on the HTTP/2 upgrade protocol. (markt) * Jasper + Fix: Add back tag release method as deprecated in the runtime for compatibility with old generated code. (remm) + Fix: 69399: Fix regression caused by the improvement 69333 which caused the tag release to be called when using tag pooling, and to be skipped when not using it. Patch submitted by Michal Sobkiewicz. (remm) + Fix: 69381: Improve method lookup performance in expression language. When the required method has no arguments there is no need to consider casting or coercion and the method lookup process can be simplified. Based on pull request #770 by John Engebretson. + Fix: 69382: Improve the performance of the JSP include action by re-using results of relatively expensive method calls in the generated code rather than repeating them. Patch provided by John Engebretson. (markt) + Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. Based on a suggestion by John Engebretson. (markt) + Fix: 69406: When using StringInterpreterEnum, do not throw an IllegalArgumentException when an invalid Enum is encountered. Instead, resolve the value at runtime. Patch provided by John Engebretson. (markt) + Fix: 69429: Optimise EL evaluation of method parameters for methods that do not accept any parameters. Patch provided by John Engebretson. (markt) + Fix: 69333: Remove unnecessary code from generated JSPs. (markt) + Fix: 69338: Improve the performance of processing expressions that include AND or OR operations with more than two operands and expressions that use not empty. (markt) + Fix: 69348: Reduce memory consumption in ELContext by using lazy initialization for the data structure used to track lambda arguments. (markt) + Fix: Switch the TldScanner back to logging detailed scan results at debug level rather than trace level. (markt) * Web applications + Fix: The manager webapp will now be able to access certificates again when OpenSSL is used. (remm) + Fix: Documentation. Align the logging configuration documentation with the current defaults. (markt) * WebSocket + Fix: If a blocking message write exceeds the timeout, don't attempt the write again before throwing the exception. (markt) + Fix: An EncodeException being thrown during a message write should not automatically cause the connection to close. The application should handle the exception and make the decision whether or not to close the connection. (markt) * jdbc-pool + Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException rather than the application seeing the original SQLException. Fixed by pull request #744 provided by Michael Clarke. (markt) + Fix: 69279: Correct a regression in the fix for 69206 that meant that methods that previously returned a null ResultSet were returning a proxy with a null delegate. Fixed by pull request #745 provided by Huub de Beer. (markt) + Fix: 69206: Ensure statements returned from Statement methods executeQuery(), getResultSet() and getGeneratedKeys() are correctly wrapped before being returned to the caller. Based on pull request #742 provided by Michael Clarke. * Other + Update: Switch from DigiCert ONE to ssl.com eSigner for code signing. (markt) + Update: Update Byte Buddy to 1.15.10. (markt) + Update: Update CheckStyle to 10.20.0. (markt) + Add: Improvements to German translations. (remm) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Add: Improvements to Chinese translations by Ch_jp. (markt) + Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default. (markt) + Fix: Change the default log handler level to ALL so log messages are not dropped by default if a logger is configured to use trace (FINEST) level logging. (markt) + Update: Update Hamcrest to 3.0. (markt) + Update: Update EasyMock to 5.4.0. (markt) + Update: Update Byte Buddy to 1.15.0. (markt) + Update: Update CheckStyle to 10.18.0. (markt) + Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt) + Add: Improvements to Spanish translations by Fernando. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt) + Fix: Fix packaging regression with missing osgi information following addition of the test-only build target. (remm) + Update: Update Tomcat Native to 1.3.1. (markt) + Update: Update Byte Buddy to 1.14.18. (markt) + Add: Improvements to French translations. (remm) + Add: Improvements to Japanese translations by tak7iji. (markt)Michele Bussolotto2024-11-25 14:54:00 +00:00
de5e9775bbAccepting request 1205527 from Java:packagesAna Guerrero2024-10-03 15:40:54 +00:00
main
mbussolotto
Dominique Leuenberger
Fridrich Strba
Ana Guerrero