diff --git a/tomcat.changes b/tomcat.changes index dbcbf60..6aeec7e 100644 --- a/tomcat.changes +++ b/tomcat.changes 
@@ -13,6 +13,212 @@ Mon Jul 8 14:54:54 UTC 2024 - Ricardo Mestre * Fixed CVEs: + CVE-2024-34750: Improper handling of exceptional conditions (bsc#1227399) + * Catalina + + Fix: Allow JAASRealm to use the configuration source to load a configured + configFile, for easier use with testing. (remm) + + Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm) + + Fix: 69131: Expand the implementation of the filter value of the + Authenticator attribute allowCorsPreflight, so that it applies to all + requests that match the configured URL patterns for the CORS filter, + rather than only applying if the CORS filter is mapped to /*. (markt) + + Add: Add support for shallow copies when using WebDAV. (markt) + + Code: Deprecate the WebdavFixFilter as it is no longer required. (markt) + + Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64. + Submitted by Daniel Lyko. (remm) + + Update: Update minimum recommended version of Tomcat Native to 1.3.0. Pull + request #728 provided by Dimitrios Soumis. (markt) + + Update: The system property org.apache.catalina.connector.RECYCLE_FACADES + will now default to true if not specified, which will in turn set the + default value for the discardFacades connector attribute, thus causing + facade objects to be discarded by default. (remm) + + Add: Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for + retrieving extended/additional information from an established GSS + context. (michaelo) + + Fix: Correct a regression in the fix for 68721 that caused some instances + of LinkageError to be reported as ClassNotFoundException. (markt) + + Fix: Ensure that static resources deployed via a JAR file remain + accessible when the context is configured to use a bloom filter. Based on + pull request #730 provided by bergander. (markt) + + Add: Introduce reference counting so the AprLifecycleListener is more + robust. 
This particularly targets more complex embedded configurations + with multiple server instances with independent lifecycles where more than + one server instance requires the AprLifecycleListener. (markt) + + Update: Deprecate and remove sessionCounter (replaced by the addition of + the active session count and the expired session count, as a reasonable + approximation) and duplicates (which does not represent a possible event + in current implementations) statistics from the session manager. (remm) + + Fix: 68890 Align output encoding of JSPs in the Manager webapp with the + XML declarations in those same files. (schultz) + + Fix: Update Basic authentication to implement the requirements of RFC 7617 + including the changing of the trimCredentials setting which is now + defaults to false. Note that the trimCredentials setting will be removed + in Tomcat 11. (markt) + + Add: Small performance optimization when logging cookies with no values. + (schultz) + + Fix: Correct error handling for asynchronous requests. If the application + performs an dispatch during AsyncListener.onError() the dispatch is now + performed rather than completing the request using the error page + mechanism. (markt) + + Fix: Fix WebDAV lock null (locks for non existing resources) thread safety + and removal. (remm) + + Fix: Add periodic checking for WebDAV locks expiration. (remm) + + Fix: Extend Asn1Parser to parse UTF8Strings. (michaelo) + + Update: Add highConcurrencyStatus attribute to the SemaphoreValve to + optionally allow the valve to return an error status code to the client + when a permit cannot be acquired from the semaphore. (remm) + + Add: Add checking of the "age" of the running Tomcat instance since its + build-date to the SecurityListener, and log a warning if the server is + old. 
(schultz) + + Fix: When using the AsyncContext, throw an IllegalStateException, rather + than allowing an NullPointerException, if an attempt is made to use the + AsyncContext after it has been recycled. (markt) + + Fix: Change the thread-safety mechanism for protecting + StandardServer.services from a simple synchronized lock to a + ReentrantReadWriteLock to allow multiple readers to operate + simultaneously. Based upon a suggestion by Markus Wolfe. (schultz) + + Fix: Improve Service connectors, Container children and Service executors + access sync using a ReentrantReadWriteLock. (remm) + + Fix: Improve handling of integer overflow if an attempt is made to upload + a file via the Servlet API and the file is larger than + Integer.MAX_VALUE. (markt) + + Fix: 68862: Handle possible response commit when processing read errors. + (remm) + * Jasper + + Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of + new classes added to the java.lang package in Java 23. (markt) + + Fix: Ensure that an exception in toString() still results in an + ELException when an object is coerced to a String using + ExpressionFactory.coerceToType(). (markt) + + Add: Add support for specifying Java 24 (with the value 24) as the + compiler source and/or compiler target for JSP compilation. If used with + an Eclipse JDT compiler version that does not support these values, a + warning will be logged and the default will used. (markt) + + Fix: 69135: When using include directives in a tag file packaged in a JAR + file, ensure that context relative includes are processed correctly. ( + markt) + + Fix: 69135: When using include directives in a tag file packaged in a JAR + file, ensure that file relative includes are processed correctly. (markt) + + Fix: 69135: When using include directives in a tag file packaged in a JAR + file, ensure that file relative includes are are not permitted to access + files outside of the /META_INF/tags/ directory nor outside of the JAR + file. 
(markt) + + Fix: 68546: Small additional optimisation for initial loading of Servlet + code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt) + + Add: Add support for specifying Java 23 (with the value 23) as the + compiler source and/or compiler target for JSP compilation. If used with + an Eclipse JDT compiler version that does not support these values, a + warning will be logged and the default will used. (markt) + + Fix: Handle the case where the JSP engine forwards a request/response to a + Servlet that uses an OutputStream rather than a Writer. This was + triggering an IllegalStateException on code paths where there was a + subsequent attempt to obtain a Writer. (markt) + + Fix: Correctly handle the case where a tag library is packaged in a JAR + file and the web application is deployed as a WAR file rather than an + unpacked directory. (markt) + + Fix: Prevent the web application's ClassLoader from being pinned by the + JSP compiler if an application uses a custom XMLInputFactory. Based upon a + suggestion from Simon Niederberger. (schultz) + * Web applications + + Fix: Fix status servlet detailed view of the connectors when using + automatic port. (remm) + + Add: Add the ability to set a sub-title for the Manager web application + main page. This is intended to allow users with lots of instances to + easily distinguish them. Based on pull request #724 by Simon Arame. + (markt) + + Fix: Examples: Improve performance of WebSocket chat application when + multiple clients disconnect at the same time. (markt) + + Update: Examples: Increase the number of previous messages displayed when + using the WebSocket chat application. (markt) + + Fix: Examples: Improve performance of WebSocket snake application when + multiple clients disconnect at the same time. (markt) + * Coyote + + Fix: Improve the algorithm used to identify the IP address to use to + unlock the acceptor thread when a Connector is listening on all local + addresses. 
Interfaces that are configured for point to point connections + or are not currently up are now skipped. (markt) + + Fix: 69121: Ensure that the onComplete() event is triggered if + AsyncListener.onError() dispatches to a target that throws an exception. + (markt) + + Fix: Following the trailer header field refactoring, -1 is no longer an + allowed value for maxTrailerSize. Adjust documentation accordingly. (remm) + + Fix: 69068: Ensure read timouts are triggered for asynchronous, + non-blocking reads when using HTTP/2. (markt) + + Update: 69133: Add task queue size configuration on the Connector element, + similar to the Executor element, for consistency. (remm) + + Fix: Make counting of active HTTP/2 streams per connection more robust. + (markt) + + Add: Add support for TLS 1.3 client initiated re-keying. (markt) + + Fix: Align non-secure and secure writes with NIO and skip the write + attempt when there are no bytes to be written. (markt) + + Fix: Allow any positive value for socket.unlockTimeout. If a negative or + zero value is configured, the default of 250ms will be used. (mark) + + Fix: Reduce the time spent waiting for the connector to unlock. The + previous default of 10s was noticeably too long for cases where the unlock + has failed. The wait time is now 100ms plus twice socket.unlockTimeout. + (markt) + + Fix: Ensure that the onAllDataRead() event is triggered when the request + body uses chunked encoding and is read using non-blocking IO. (markt) + + Fix: 68934: Add debug logging in the latch object when exceeding + maxConnections. (remm) + + Fix: Refactor trailer field handling to use a MimeHeaders instance to + store trailer fields. (markt) + + Fix: Ensure that multiple instances of the same trailer field are handled + correctly. (markt) + + Fix: Fix non-blocking reads of chunked request bodies. (markt) + + Fix: When an invalid HTTP response header was dropped, an off-by-one error + meant that the first header in the response was also dropped. 
Fix based on + pull request #710 by foremans. (markt) + + Fix: Add threadsMaxIdleTime attribute to the endpoint, to allow + configuring the amount of time before an internal executor will scale back + to the configured minSpareThreads size. (remm) + * WebSocket + + Fix: 68884: Reduce the write timeout when writing WebSocket close messages + for abnormal closes. The timeout defaults to 50 milliseconds and may be + controlled using the + org.apache.tomcat.websocket.ABNORMAL_SESSION_CLOSE_SEND_TIMEOUT property + in the user properties collection associated with the WebSocket session. + (markt) + * Other + + Update: Add test-only build target to allow running only the testsuite, + supporting Java versions down to the minimum supported to run Tomcat. + (rjung) + + Update: Update UnboundID to 7.0.1. (markt) + + Update: Update to SpotBugs 4.8.6. (markt) + + Update: Remove cglib dependency as it is not required by the version of + EasyMock used by the unit tests. (markt) + + Update: Update EasyMock to 5.3.0. This adds a test dependency on + Byte-Buddy 1.14.17. (markt) + + Add: Improvements to Czech translations by VladimĂ­r Chlup. (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations by tak7iji. (markt) + + Add: Improvements to Chinese translations by fangzheng. (markt) + + Update: Revert Derby to 10.16.1.1 as that is the latest version of Derby + that runs on Java 17. (markt) + + Update: Update to Commons Daemon 1.4.0. (markt) + + Update: Update to Objenesis 3.4. (markt) + + Update: Update to Checkstyle 10.17.0. (markt) + + Update: Update to SpotBugs 4.8.5. (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations by tak7iji. (markt) + + Update: Switch to using the Base64 encoder and decoder provided by the JRE + rather than the version provided by Commons Codec. The internal fork of + Commons Codec has been deprecated and will be removed in Tomcat 11. 
+ (markt) + + Update: Update NSIS to 3.10. (mark0t) + + Update: Update UnboundID to 7.0.0. (markt) + + Update: Update Checkstyle to 10.16.0. (markt) + + Update: Update JaCoCo to 0.8.12. (markt) + + Update: Update SpotBugs to 4.8.4. (markt) + + Update: Update the internal fork of Apache Commons BCEL to 6.9.0. (markt) + + Update: Update the internal fork of Apache Commons DBCP to 2.12.0. (markt) + + Add: Improvements to Japanese translations by tak7iji. (markt) + + Update: Update Checkstyle to 10.14.1. (markt) + + Update: Update the internal fork of Apache Commons BCEL to 6.8.2. (markt) + + Update: Update the internal fork of Apache Commons Codec to 1.16.1. + (markt) + + Add: Improvements to French translations. (remm) + + Add: Improvements to Japanese translations by tak7iji. (remm) + + Add: Improvements to Chinese translations by leeyazhou. (remm) - Modified patch: * tomcat-9.0-build-with-java-11.patch + rediff to changed context
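Review bot: The new entry in this hunk never states which upstream Tomcat 9.0.x version the package is updated to, yet its body reads like several upstream release notes concatenated: the same dependency is bumped repeatedly ("Update: Update to SpotBugs 4.8.6.", "Update: Update to SpotBugs 4.8.5.", "Update: Update SpotBugs to 4.8.4."; Checkstyle 10.17.0, 10.16.0 and 10.14.1; UnboundID 7.0.1 and 7.0.0) and the French/Japanese translation lines appear three times. Add an explicit "Update to Tomcat 9.0.<version>" line (placeholder, the version is not visible in the hunk) and either drop the superseded intermediate bumps or state the range of upstream releases covered. Related to the security-relevant part: "CVE-2024-34750: Improper handling of exceptional conditions (bsc#1227399)" is listed under "Fixed CVEs", but none of the itemized Catalina/Coyote entries is marked as the change that resolves it, so a reader auditing the update cannot map the CVE to a concrete fix; tag the corresponding item with the CVE id. Finally, the entry carries typos that will be frozen into the package changelog: "(mark0t)" and "(mark)" for "(markt)", "are are not permitted", "read timouts", "performs an dispatch", "the default will used" (twice), and the mojibake "VladimĂ­r" (double-encoded UTF-8 for "Vladimír", worth checking the file encoding rather than just the name).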