506 lines
30 KiB
Plaintext
506 lines
30 KiB
Plaintext
<patchinfo incident="181">
|
|
<!-- generated from request(s) 357275 -->
|
|
<issue tracker="bnc" id="1233434">VUL-0: CVE-2024-52316: tomcat,tomcat10,tomcat6: tomcat: Apache Tomcat: Authentication bypass when using Jakarta Authentication API</issue>
|
|
<issue tracker="bnc" id="1233435">VUL-0: CVE-2024-52317: tomcat,tomcat10,tomcat6: Apache Tomcat: Request/response mix-up with HTTP/2</issue>
|
|
<issue tracker="bnc" id="1234663">VUL-0: CVE-2024-50379: tomcat,tomcat10,tomcat6: Apache Tomcat: RCE due to TOCTOU issue in JSP compilation</issue>
|
|
<issue tracker="bnc" id="1234664">VUL-0: CVE-2024-54677: tomcat,tomcat10,tomcat6: Apache Tomcat: DoS in examples web application</issue>
|
|
<issue tracker="cve" id="2024-50379"/>
|
|
<issue tracker="cve" id="2024-52316"/>
|
|
<issue tracker="cve" id="2024-52317"/>
|
|
<issue tracker="cve" id="2024-54677"/>
|
|
<packager>RMestre</packager>
|
|
<rating>critical</rating>
|
|
<category>security</category>
|
|
<summary>Security update for tomcat10</summary>
|
|
<description>This update for tomcat10 fixes the following issues:
|
|
|
|
Update to Tomcat 10.1.34
|
|
|
|
- Fixed CVEs:
|
|
+ CVE-2024-54677: DoS in examples web application (bsc#1234664)
|
|
+ CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
|
|
+ CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435)
|
|
+ CVE-2024-52316: If the Jakarta Authentication fails with an exception,
|
|
set a 500 status (bsc#1233434)
|
|
- Catalina
|
|
+ Add: Add option to serve resources from subpath only with WebDAV Servlet
|
|
like with DefaultServlet. (michaelo)
|
|
+ Fix: Add special handling for the protocols attribute of SSLHostConfig in
|
|
storeconfig. (remm)
|
|
+ Fix: 69442: Fix case sensitive check on content-type when parsing request
|
|
parameters. (remm)
|
|
+ Code: Refactor duplicate code for extracting media type and subtype from
|
|
content-type into a single method. (markt)
|
|
+ Fix: Compatibility of generated embedded code with components where
|
|
constructors or property related methods throw a checked exception. (remm)
|
|
+ Fix: The previous fix for inconsistent resource metadata during concurrent
|
|
reads and writes was incomplete. (markt)
|
|
+ Fix: #780: Fix content-range header length. Submitted by Chenjp. (remm)
|
|
+ Fix: 69444: Ensure that the jakarta.servlet.error.message request
|
|
attribute is set when an application defined error page is called. (markt)
|
|
+ Fix: Avoid quotes for numeric values in the JSON generated by the status
|
|
servlet. (remm)
|
|
+ Add: Add strong ETag support for the WebDAV and default servlet, which can
|
|
be enabled by using the useStrongETags init parameter with a value set to
|
|
true. The ETag generated will be a SHA-1 checksum of the resource content.
|
|
(remm)
|
|
+ Fix: Use client locale for directory listings. (remm)
|
|
+ Fix: 69439: Improve the handling of multiple Cache-Control headers in the
|
|
ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
|
|
+ Fix: 69447: Update the support for caching classes the web application
|
|
class loader cannot find to take account of classes loaded from external
|
|
repositories. Prior to this fix, these classes could be incorrectly marked
|
|
as not found. (markt)
|
|
+ Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by
|
|
users will not be removed and any header present in a HEAD request will
|
|
also be present in the equivalent GET request. There may be some headers,
|
|
as per RFC 9110, section 9.3.2, that are present in a GET request that are
|
|
not present in the equivalent HEAD request. (markt)
|
|
+ Fix: 69471: Log instances of CloseNowException caught by
|
|
ApplicationDispatcher.invoke() at debug level rather than error level as
|
|
they are very likely to have been caused by a client disconnection or
|
|
similar I/O issue. (markt)
|
|
+ Add: Add a test case for the fix for 69442. Also refactor references to
|
|
application/x-www-form-urlencoded. Based on pull request #779 by Chenjp.
|
|
(markt)
|
|
+ Fix: 69476: Catch possible ISE when trying to report PUT failure in the
|
|
DefaultServlet. (remm)
|
|
+ Add: Add support for RateLimit header fields for HTTP (draft) in the
|
|
RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
|
|
+ Add: #787: Add regression tests for 69478. Pull request provided by Thomas
|
|
Krisch. (markt)
|
|
+ Fix: The default servlet now rejects HTTP range requests when two or more
|
|
of the requested ranges overlap. Based on pull request #782 provided by
|
|
Chenjp. (markt)
|
|
+ Fix: Enhance Content-Range verification for partial PUT requests handled
|
|
by the default servlet. Provided by Chenjp in pull request #778. (markt)
|
|
+ Fix: Harmonize DataSourceStore lookup in the global resources to
|
|
optionally avoid the comp/env prefix which is usually not used there.
|
|
(remm)
|
|
+ Fix: As required by RFC 9110, the HTTP Range header will now only be
|
|
processed for GET requests. Based on pull request #790 provided by Chenjp.
|
|
(markt)
|
|
+ Fix: Deprecate the useAcceptRanges initialisation parameter for the
|
|
default servlet. It will be removed in Tomcat 12 onwards where it will
|
|
effectively be hard coded to true. (markt)
|
|
+ Add: Add DataSource based property storage for the WebdavServlet. (remm)
|
|
+ Add: Add support for the new Servlet API method
|
|
HttpServletResponse.sendEarlyHints(). (markt)
|
|
+ Add: 55470: Add debug logging that reports the class path when a
|
|
ClassNotFoundException occurs in the digester or the web application class
|
|
loader. Based on a patch by Ralf Hauser. (markt)
|
|
+ Update: 69374: Properly separate between table header and body in
|
|
DefaultServlet's listing. (michaelo)
|
|
+ Update: 69373: Make DefaultServlet's HTML listing file last modified
|
|
rendering better (flexible). (michaelo)
|
|
+ Update: Improve HTML output of DefaultServlet. (michaelo)
|
|
+ Code: Refactor RateLimitFilter to use FilterBase as the base class. The
|
|
primary advantage for doing this is less code to process init-param
|
|
values. (markt)
|
|
+ Update: 69370: DefaultServlet's HTML listing uses incorrect labels.
|
|
(michaelo)
|
|
+ Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped
|
|
requests. (remm)
|
|
+ Fix: Add missing WebDAV Lock-Token header in the response when locking a
|
|
folder. (remm)
|
|
+ Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
|
|
+ Fix: Fix regression in WebDAV when attempting to unlock a collection.
|
|
(remm)
|
|
+ Fix: Verify that destination is not locked for a WebDAV copy operation.
|
|
(remm)
|
|
+ Fix: Send 415 response to WebDAV MKCOL operations that include a request
|
|
body since this is optional and unsupported. (remm)
|
|
+ Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
|
|
+ Fix: Do not allow a new WebDAV lock on a child resource if a parent
|
|
collection is locked (RFC 4918 section 6.1). (remm)
|
|
+ Fix: WebDAV DELETE should remove any existing lock on successfully deleted
|
|
resources. (remm)
|
|
+ Update: Remove WebDAV lock null support in accordance with RFC 4918
|
|
section 7.3 and annex D. Instead a lock on a non existing resource will
|
|
create an empty file locked with a regular lock. (remm)
|
|
+ Update: Rewrite implementation of WebDAV shared locks to comply with RFC
|
|
4918. (remm)
|
|
+ Update: Implement WebDAV If header using code from the Apache Jackrabbit
|
|
project. (remm)
|
|
+ Add: Add PropertyStore interface in the WebDAV Servlet, to allow
|
|
implementation of dead properties storage. The store used can be
|
|
configured using the propertyStore init parameter of the WebDAV servlet by
|
|
specifying the class name of the store. A simple non persistent
|
|
implementation is used if no custom store is configured. (remm)
|
|
+ Update: Implement WebDAV PROPPATCH method using the newly added
|
|
PropertyStore, and update PROPFIND to support it. (remm)
|
|
+ Fix: Cache not found results when searching for web application class
|
|
loader resources. This addresses performance problems caused by components
|
|
such as java.sql.DriverManager which, in some circumstances, will search
|
|
for the same class repeatedly. In a large web application this can cause
|
|
performance problems. The size of the cache can be controlled via the new
|
|
notFoundClassResourceCacheSize on the StandardContext. (markt)
|
|
+ Fix: Stop after INITIALIZED state should be a noop since it is possible
|
|
for subcomponents to be in FAILED after init. (remm)
|
|
+ Fix: Fix incorrect web resource cache size calculations when there are
|
|
concurrent PUT and DELETE requests for the same resource. (markt)
|
|
+ Add: Add debug logging for the web resource cache so the current size can
|
|
be tracked as resources are added and removed. (markt)
|
|
+ Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens with
|
|
urn:uuid: as recommended by RFC 4918, and remove secret init parameter.
|
|
(remm)
|
|
+ Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the same
|
|
path caused corruption of the FileResource where some of the fields were
|
|
set as if the file exists and some were set as if it does not. This
|
|
resulted in inconsistent metadata. (markt)
|
|
+ Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on GET
|
|
and HEAD requests. Also skip requests where the application has set
|
|
Cache-Control: no-store. (markt)
|
|
+ Fix: 69419: Improve the performance of ServletRequest.getAttribute() when
|
|
there are multiple levels of nested includes. Based on a patch provided by
|
|
John Engebretson. (markt)
|
|
+ Add: All applications to send an early hints informational response by
|
|
calling HttpServletResponse.sendError() with a status code of 103.
|
|
(schultz)
|
|
+ Fix: Ensure that ServerAuthModule.initialize() is called when a Jakarta
|
|
Authentication module is configured via registerServerAuthModule().
|
|
(markt)
|
|
+ Fix: Ensure that the Jakarta Authentication CallbackHandler only creates
|
|
one GenericPrincipal in the Subject. (markt)
|
|
+ Fix: If the Jakarta Authentication process fails with an Exception,
|
|
explicitly set the HTTP response status to 500 as the ServerAuthContext
|
|
may not have set it. (markt)
|
|
+ Fix: When persisting the Jakarta Authentication provider configuration,
|
|
create any necessary parent directories that don't already exist. (markt)
|
|
+ Fix: Correct the logic used to detect errors when deleting temporary files
|
|
associated with persisting the Jakarta Authentication provider
|
|
configuration. (markt)
|
|
+ Fix: When processing Jakarta Authentication callbacks, don't overwrite a
|
|
Principal obtained from the PasswordValidationCallback with null if the
|
|
CallerPrincipalCallback does not provide a Principal. (markt)
|
|
+ Fix: Avoid store config backup loss when storing one configuration more
|
|
than once per second. (remm)
|
|
+ Fix: 69359: WebdavServlet duplicates getRelativePath() method from super
|
|
class with incorrect Javadoc. (michaelo)
|
|
+ Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and
|
|
DefaultServlet. (michaelo)
|
|
+ Fix: Make WebdavServlet properly return the Allow header when deletion of
|
|
a resource is not allowed. (michaelo)
|
|
+ Fix: Add log warning if non wildcard mappings are used with the
|
|
WebdavServlet. (remm)
|
|
+ Fix: 69361: Ensure that the order of entires in a multi-status response to
|
|
a WebDAV is consistent with the order in which resources were processed.
|
|
(markt)
|
|
+ Fix: 69362: Provide a better multi-status response when deleting a
|
|
collection via WebDAV fails. Empty directories that cannot be deleted will
|
|
now be included in the response. (markt)
|
|
+ Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to
|
|
ensure that the correct path is used when the WebDAV servlet is mounted at
|
|
a sub-path within the web application. (markt)
|
|
+ Fix: Improve performance of ApplicationHttpRequest.parseParameters().
|
|
Based on sample code and test cases provided by John Engebretson. (markt)
|
|
+ Add: Add support for RFC 8297 (Early Hints). Applications can use this
|
|
feature by casting the HttpServletResponse to
|
|
org.apache.catalina.connector.Reponse and then calling the method void
|
|
sendEarlyHints(). This method will be added to the Servlet API (removing
|
|
the need for the cast) in Servlet 6.2 onwards. (markt)
|
|
+ Fix: 69214: Do not reject a CORS request that uses POST but does not
|
|
include a content-type header. Tomcat now correctly processes this as a
|
|
simple CORS request. Based on a patch suggested by thebluemountain.
|
|
(markt)
|
|
+ Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather than
|
|
Subject.doAs() when the available. (markt)
|
|
+ Fix: Allow JAASRealm to use the configuration source to load a configured
|
|
configFile, for easier use with testing. (remm)
|
|
+ Fix: Add missing algorithm callback to the JAASCallbackHandler. (remm)
|
|
+ Fix: Add the OpenSSL version number on the APR and OpenSSL status classes.
|
|
(remm)
|
|
+ Fix: 69131: Expand the implementation of the filter value of the
|
|
Authenticator attribute allowCorsPreflight, so that it applies to all
|
|
requests that match the configured URL patterns for the CORS filter,
|
|
rather than only applying if the CORS filter is mapped to /*. (markt)
|
|
+ Fix: Using the OpenSSLListener will now cause the connector to use OpenSSL
|
|
if available. (remm)
|
|
+ Add: Add support for shallow copies when using WebDAV. (markt)
|
|
+ Code: Deprecate the WebdavFixFilter as it is no longer required. (markt)
|
|
+ Fix: 69066: Fix regression in SPNEGO authenticator when processing Base64.
|
|
Submitted by Daniel Lyko. (remm)
|
|
+ Add: Add RealmBase.getPrincipal(GSSName, GSSCredential, GSSContext) for
|
|
retrieving extended/additional information from an established GSS
|
|
context. (michaelo)
|
|
+ Fix: Correct a regression in the fix for 68721 that caused some instances
|
|
of LinkageError to be reported as ClassNotFoundException. (markt)
|
|
+ Fix: Ensure that static resources deployed via a JAR file remain
|
|
accessible when the context is configured to use a bloom filter. Based on
|
|
pull request #730 provided by bergander. (markt)
|
|
+ Add: Introduce reference counting so the AprLifecycleListener is more
|
|
robust. This particularly targets more complex embedded configurations
|
|
with multiple server instances with independent lifecycles where more than
|
|
one server instance requires the AprLifecycleListener. (markt)
|
|
- Coyote
|
|
+ Fix: Align encodedSolidusHandling with the Servlet specification. If the
|
|
pass-through mode is used, any %25 sequences will now also be passed
|
|
through to avoid errors and/or corruption when the application decodes the
|
|
path. (markt)
|
|
+ Fix: Return null SSL session id on zero length byte array returned from
|
|
the SSL implementation. (remm)
|
|
+ Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
|
|
+ Fix: Create the HttpParser in Http11Processor if it is not present on the
|
|
AbstractHttp11Protocol to provide better lifecycle robustness for regular
|
|
HTTP/1.1. The new behavior was introduced on a previous refactoring to
|
|
improve HTTP/2 performance. (remm)
|
|
+ Fix: OpenSSLContext will now throw a KeyManagementException if something
|
|
is known to have gone wrong in the init method, which is the behavior
|
|
documented by javax.net.ssl.SSLContext.init. This makes error handling
|
|
more consistent. (remm)
|
|
+ Fix: 69379: The default HEAD response no longer includes the payload HTTP
|
|
header fields as per section 9.3.2 of RFC 9110. (markt)
|
|
+ Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to
|
|
generate Date headers for HTTP responses) generates the correct string for
|
|
the given input. Prior to this change, the output may have wrong by one
|
|
second in some cases. Pull request #751 provided by Chenjp. (markt)
|
|
+ Fix: Request start time may not have been accurately recorded for HTTP/1.1
|
|
requests preceded by a large number of blank lines. (markt)
|
|
+ Add: Add server and serverRemoveAppProvidedValues to the list of
|
|
attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector it
|
|
is nested within. (markt)
|
|
+ Fix: Avoid possible crashes when using Apache Tomcat Native, caused by
|
|
destroying SSLContext objects through GC after APR has been terminated.
|
|
(remm)
|
|
+ Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer
|
|
fields no longer need to be recieved before the headers of the subsequent
|
|
stream nor are trailer fields for an in progress stream swallowed if the
|
|
Connector is paused before the trailer fields are received. (markt)
|
|
+ Fix: Ensure the request and response are not recycled too soon for an
|
|
HTTP/2 stream when a stream level error is detected during the processing
|
|
of incoming HTTP/2 frames. This could lead to incorrect processing times
|
|
appearing in the access log. (markt)
|
|
+ Fix: Fix 69320, a regression in the fix for 69302 that meant the HTTP/2
|
|
processing was likely to be broken for all clients once any client sent an
|
|
HTTP/2 reset frame. (markt)
|
|
+ Fix: Correct a regression in the fix for non-blocking reads of chunked
|
|
request bodies that caused InputStream.available() to return a non-zero
|
|
value when there was no data to read. In some circumstances this could
|
|
cause a blocking read to block waiting for more data rather than return
|
|
the data it had already received. (markt)
|
|
+ Add: Add a new attribute cookiesWithoutEquals to the
|
|
Rfc6265CookieProcessor. The default behaviour is unchanged. (markt)
|
|
+ Fix: Ensure that Tomcat sends a TLS close_notify message after receiving
|
|
one from the client when using the OpenSSLImplementation. (markt)
|
|
+ Fix: 69301: Fix trailer headers replacing non-trailer headers when writing
|
|
response headers to the access log. Based on a patch and test case
|
|
provided by hypnoce. (markt)
|
|
+ Fix: 69302: If an HTTP/2 client resets a stream before the request body is
|
|
fully written, ensure that any ReadListener is notified via a call to
|
|
ReadListener.onErrror(). (markt)
|
|
+ Fix: Correct regressions in the refactoring that added recycling of the
|
|
coyote request and response to the HTTP/2 processing. (markt)
|
|
+ Fix: Ensure that HTTP/2 stream input buffers are only created when there
|
|
is a request body to be read. (markt)
|
|
+ Code: Refactor creation of HttpParser instances from the Processor level
|
|
to the Protocol level since the parser configuration depends on the
|
|
protocol and the parser is, otherwise, stateless. (markt)
|
|
+ Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal request
|
|
and response processing objects by default. This behaviour can be
|
|
controlled via the new discardRequestsAndResponses attribute on the HTTP/2
|
|
upgrade protocol. (markt)
|
|
+ Fix: Clean and log OpenSSL errors before processing of OpenSSL conf
|
|
commands in the FFM code. (remm)
|
|
+ Fix: 69121: Ensure that the onComplete() event is triggered if
|
|
AsyncListener.onError() dispatches to a target that throws an exception.
|
|
(markt)
|
|
+ Fix: Following the trailer header field refactoring, -1 is no longer an
|
|
allowed value for maxTrailerSize. Adjust documentation accordingly. (remm)
|
|
+ Update: Move OpenSSL support using FFM to a separate JAR named
|
|
tomcat-coyote-ffm.jar that advertises Java 22 in its manifest. (remm)
|
|
+ Fix: Fix search for OpenSSL library for FFM on Mac OS so that
|
|
java.library.path is searched. (markt)
|
|
+ Update: Add FFM compatibility methods for LibreSSL support. Renegotiation
|
|
is not supported at the moment. (remm)
|
|
+ Update: Add org.apache.tomcat.util.openssl.LIBRARY_NAME (specifies the
|
|
name of the library to load) and
|
|
org.apache.tomcat.util.openssl.USE_SYSTEM_LOAD_LIBRARY (set to true to use
|
|
System.loadLibrary rather than the FFM library loading code) to configure
|
|
the OpenSSL library loading using FFM. (remm)
|
|
+ Update: Add FFM compatibility methods for BoringSSL support. Renegotiation
|
|
is not supported in many cases. (remm)
|
|
+ Fix: Fix OpenSSL FFM use of ERR_error_string with a 128 byte buffer, and
|
|
use ERR_error_string_n instead. (remm)
|
|
+ Fix: Fix a crash on Windows setting CA certificate on null path. (remm)
|
|
+ Fix: 69068: Ensure read timouts are triggered for asynchronous,
|
|
non-blocking reads when using HTTP/2. (markt)
|
|
+ Update: 69133: Add task queue size configuration on the Connector element,
|
|
similar to the Executor element, for consistency. (remm)
|
|
+ Fix: Make counting of active HTTP/2 streams per connection more robust.
|
|
(markt)
|
|
+ Add: Add support for TLS 1.3 client initiated re-keying. (markt)
|
|
+ Fix: Improve the algorithm used to identify the IP address to use to
|
|
unlock the acceptor thread when a Connector is listening on all local
|
|
addresses. Interfaces that are configured for point to point connections
|
|
or are not currently up are now skipped. (markt)
|
|
- Jasper
|
|
+ Fix: Follow-up to the fix for 69381. Apply the optimisation for method
|
|
lookup performance in expression language to an additional location.
|
|
(markt)
|
|
+ Fix: Add back tag release method as deprecated in the runtime for compat
|
|
with old generated code. (remm)
|
|
+ Fix: 69399: Fix regression caused by the improvement 69333 which caused
|
|
the tag release to be called when using tag pooling, and to be skipped
|
|
when not using it. Patch submitted by Michal Sobkiewicz. (remm)
|
|
+ Fix: 69381: Improve method lookup performance in expression language. When
|
|
the required method has no arguments there is no need to consider casting
|
|
or coercion and the method lookup process can be simplified. Based on pull
|
|
request #770 by John Engebretson. (markt)
|
|
+ Fix: 69382: Improve the performance of the JSP include action by re-using
|
|
results of relatively expensive method calls in the generated code rather
|
|
than repeating them. Patch provided by John Engebretson. (markt)
|
|
+ Fix: 69398: Avoid unnecessary object allocation in PageContextImpl. Based
|
|
on a suggestion by John Engebretson. (markt)
|
|
+ Fix: 69406: When using StringInterpreterEnum, do not throw an
|
|
IllegalArgumentException when an invalid Enum is encountered. Instead,
|
|
resolve the value at runtime. Patch provided by John Engebretson. (markt)
|
|
+ Fix: 69429: Optimise EL evaluation of method parameters for methods that
|
|
do not accept any parameters. Patch provided by John Engebretson. (markt)
|
|
+ Fix: Further optimise EL evaluation of method parameters. Patch provided
|
|
by Paolo B. (markt)
|
|
+ Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
|
|
+ Fix: 69338: Improve the performance of processing expressions that include
|
|
AND or OR operations with more than two operands and expressions that use
|
|
not empty. (markt)
|
|
+ Fix: 69348: Reduce memory consumption in ELContext by using lazy
|
|
initialization for the data structure used to track lambda arguments.
|
|
(markt)
|
|
+ Fix: Switch the TldScanner back to logging detailed scan results at debug
|
|
level rather than trace level. (markt)
|
|
+ Fix: Update the optimisation in jakarta.el.ImportHandler so it is aware of
|
|
new classes added to the java.lang package in Java 23. (markt)
|
|
+ Fix: Ensure that an exception in toString() still results in an
|
|
ELException when an object is coerced to a String using
|
|
ExpressionFactory.coerceToType(). (markt)
|
|
+ Add: Add support for specifying Java 24 (with the value 24) as the
|
|
compiler source and/or compiler target for JSP compilation. If used with
|
|
an Eclipse JDT compiler version that does not support these values, a
|
|
warning will be logged and the default will used. (markt)
|
|
+ Fix: 69135: When using include directives in a tag file packaged in a JAR
|
|
file, ensure that context relative includes are processed correctly.
|
|
(markt)
|
|
+ Fix: 69135: When using include directives in a tag file packaged in a JAR
|
|
file, ensure that file relative includes are processed correctly. (markt)
|
|
+ Fix: 69135: When using include directives in a tag file packaged in a JAR
|
|
file, ensure that file relative includes are are not permitted to access
|
|
files outside of the /META_INF/tags/ directory nor outside of the JAR
|
|
file. (markt)
|
|
+ Fix: 68546: Small additional optimisation for initial loading of Servlet
|
|
code generated for JSPs. Based on a suggestion by Dan Armstrong. (markt)
|
|
- Jdbc-pool
|
|
+ Fix: 69255: Correct a regression in the fix for 69206 that meant
|
|
exceptions executing statements were wrapped in an
|
|
java.lang.reflect.UndeclaredThrowableException rather than the application
|
|
seeing the original SQLException. Fixed by pull request #744 provided by
|
|
Michael Clarke. (markt)
|
|
+ Fix: 69279: Correct a regression in the fix for 69206 that meant that
|
|
methods that previously returned a null ResultSet were returning a proxy
|
|
with a null delegate. Fixed by pull request #745 provided by Huub de Beer.
|
|
(markt)
|
|
+ Fix: 69206: Ensure statements returned from Statement methods
|
|
executeQuery(), getResultSet() and getGeneratedKeys() are correctly
|
|
wrapped before being returned to the caller. Based on pull request #742
|
|
provided by Michael Clarke.
|
|
- Web applications
|
|
+ Fix: Documentation. Remove references to the ResourceParams element.
|
|
Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
|
|
+ Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter.
|
|
The attribute is internalProxies rather than allowedInternalProxies. Pull
|
|
request #786 (markt)
|
|
+ Fix: Examples. Fix broken links when Servlet Request Info example is
|
|
called via a URL that includes a pathInfo component. (markt)
|
|
+ Fix: Examples. Expand the obfuscation of session cookie values in the
|
|
request header example to JSON responses. (markt)
|
|
+ Add: Examples. Add the ability to delete session attributes in the servlet
|
|
session example. (markt)
|
|
+ Add: Examples. Add a hard coded limit of 10 attributes per session for the
|
|
servlet session example. (markt)
|
|
+ Add: Examples. Add the ability to delete session attributes and add a hard
|
|
coded limit of 10 attributes per session for the JSP form authentication
|
|
example. (markt)
|
|
+ Add: Examples. Limit the shopping cart example to only allow adding the
|
|
pre-defined items to the cart. (markt)
|
|
+ Fix: Examples. Remove JSP calendar example. (markt)
|
|
+ Fix: The manager webapp will now be able to access certificates again when
|
|
OpenSSL is used. (remm)
|
|
+ Fix: Documentation. Align the logging configuration documentation with the
|
|
current defaults. (markt)
|
|
+ Fix: Fix status servlet detailed view of the connectors when using
|
|
automatic port. (remm)
|
|
+ Add: Add the ability to set a sub-title for the Manager web application
|
|
main page. This is intended to allow users with lots of instances to
|
|
easily distinguish them. Based on pull request #724 by Simon Arame.
|
|
(markt)
|
|
- Websocket
|
|
+ Fix: If a blocking message write exceeds the timeout, don't attempt the
|
|
write again before throwing the exception. (markt)
|
|
+ Fix: An EncodeException being thrown during a message write should not
|
|
automatically cause the connection to close. The application should handle
|
|
the exception and make the decision whether or not to close the
|
|
connection. (markt)
|
|
- Other
|
|
+ Fix: 69465: Fix warnings during native image compilation using the Tomcat
|
|
embedded JARs. (markt)
|
|
+ Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
|
|
+ Update: Update EasyMock to 5.5.0. (markt)
|
|
+ Update: Update Checkstyle to 10.20.2. (markt)
|
|
+ Update: Update BND to 7.1.0. (markt)
|
|
+ Add: Improvements to French translations. (remm)
|
|
+ Add: Improvements to Korean translations. (markt)
|
|
+ Add: Improvements to Chinese translations. (markt)
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
+ Fix: Fix release build issue.
|
|
+ Update: Switch from DigiCert ONE to ssl.com eSigner for code signing.
|
|
(markt)
|
|
+ Update: Update Byte Buddy to 1.15.10. (markt)
|
|
+ Update: Update CheckStyle to 10.20.0. (markt)
|
|
+ Add: Improvements to German translations. (remm)
|
|
+ Update: Update Byte Buddy to 1.15.3. (markt)
|
|
+ Update: Update CheckStyle to 10.18.2. (markt)
|
|
+ Add: Improvements to French translations. (remm)
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
+ Add: Improvements to Chinese translations by Ch_jp. (markt)
|
|
+ Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default.
|
|
(markt)
|
|
+ Fix: Change the default log handler level to ALL so log messages are not
|
|
dropped by default if a logger is configured to use trace (FINEST) level
|
|
logging. (markt)
|
|
+ Update: Update Hamcrest to 3.0. (markt)
|
|
+ Update: Update EasyMock to 5.4.0. (markt)
|
|
+ Update: Update Byte Buddy to 1.15.0. (markt)
|
|
+ Update: Update CheckStyle to 10.18.0. (markt)
|
|
+ Update: Update the internal fork of Apache Commons BCEL to 6.10.0. (markt)
|
|
+ Add: Improvements to Spanish translations by Fernando. (markt)
|
|
+ Add: Improvements to French translations. (remm)
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
+ Fix: Fix packaging regression with missing osgi information following
|
|
addition of the test-only build target. (remm)
|
|
+ Update: Update Tomcat Native to 2.0.8. (markt)
|
|
+ Update: Update Byte Buddy to 1.14.18. (markt)
|
|
+ Add: Improvements to French translations. (remm)
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
+ Update: Add test-only build target to allow running only the testsuite,
|
|
supporting Java versions down to the minimum supported to run Tomcat.
|
|
(rjung)
|
|
+ Update: Update UnboundID to 7.0.1. (markt)
|
|
+ Update: Update to SpotBugs 4.8.6. (markt)
|
|
+ Update: Remove cglib dependency as it is not required by the version of
|
|
EasyMock used by the unit tests. (markt)
|
|
+ Update: Update EasyMock to 5.3.0. This adds a test dependency on
|
|
Byte-Buddy 1.14.17. (markt)
|
|
+ Add: Improvements to Czech translations by Vladimr Chlup. (markt)
|
|
+ Add: Improvements to French translations. (remm)
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
+ Add: Improvements to Chinese translations by fangzheng. (markt)
|
|
+ Update: Revert Derby to 10.16.1.1 as that is the latest version of Derby
|
|
that runs on Java 17. (markt)
|
|
+ Update: Update to Commons Daemon 1.4.0. (markt)
|
|
+ Update: Update to Objenesis 3.4. (markt)
|
|
+ Update: Update to Checkstyle 10.17.0. (markt)
|
|
+ Update: Update to SpotBugs 4.8.5. (markt)
|
|
+ Add: Improvements to French translations. (remm)
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
</description>
|
|
<package>tomcat10</package>
|
|
<seperate_build_arch/>
|
|
</patchinfo> |