|
|
|
|
@@ -1,3 +1,835 @@
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Aug 6 09:41:41 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
|
|
|
|
|
|
|
|
|
|
- Update to Tomcat 9.0.107
|
|
|
|
|
* Fixed CVEs:
|
|
|
|
|
+ CVE-2025-52520: Align size tracking for multipart requests with
|
|
|
|
|
FileUpload's use of long. (bsc#1246388)
|
|
|
|
|
+ CVE-2025-52434: Improve stability of APR/native connector.
|
|
|
|
|
(bsc#1246389)
|
|
|
|
|
+ CVE-2025-53506: Apply the initial HTTP/2 connection limits earlier.
|
|
|
|
|
(bsc#1246318)
|
|
|
|
|
* Catalina
|
|
|
|
|
+ Fix: Ensure application configured welcome files override the defaults
|
|
|
|
|
when configuring an embedded web application programmatically. (markt)
|
|
|
|
|
+ Fix: Allow the default servlet to set the content length when the content
|
|
|
|
|
length is known, no content has been written and a Writer is being used.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: 69717: Correct a regression in the fix for CVE-2025-49125 that
|
|
|
|
|
prevented access to PreResources and PostResources when mounted below the
|
|
|
|
|
web application root with a path that was terminated with a file
|
|
|
|
|
separator. (remm/markt)
|
|
|
|
|
+ Fix: 69731: Fix an issue that meant that the value of maxParameterCount
|
|
|
|
|
applied was smaller than intended for multipart uploads with non-file
|
|
|
|
|
parts when the parts were processed before query string parameters.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: Align size tracking for multipart requests with FileUpload's use of
|
|
|
|
|
long. (schultz)
|
|
|
|
|
* Coyote
|
|
|
|
|
+ Fix: 69710: Increase the default for maxPartCount from 10 to 50. Update
|
|
|
|
|
the documentation to provide more details on the memory requirements to
|
|
|
|
|
support multi-part uploads while avoiding a denial of service risk.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: 69713: Correctly handle an HTTP/2 data frame that includes padding
|
|
|
|
|
when the headers include a content-length. (remm/markt)
|
|
|
|
|
+ Fix: Correctly collect statistics for HTTP/2 requests and avoid counting
|
|
|
|
|
one request multiple times. Based on pull request #868 by qingdaoheze.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: Fix JMX value for keepAliveCount on the endpoint. Also add the value
|
|
|
|
|
of useVirtualThreads in JMX. (remm)
|
|
|
|
|
+ Fix: Improve stability of APR/native connector. (markt)
|
|
|
|
|
+ Fix: 69728: Remove incorrect warning when HTTP/2 is used with optional
|
|
|
|
|
certificate verification and improve the warnings when a web application
|
|
|
|
|
tries to use CLIENT-CERT with either HTTP/2 or a JSSE implementation of
|
|
|
|
|
TLS 1.3. (markt)
|
|
|
|
|
+ Fix: When setting the initial HTTP/2 connection limit, apply those limits
|
|
|
|
|
earlier. (markt)
|
|
|
|
|
* Jasper
|
|
|
|
|
+ Code: Remove IMPL_OBJ_START from EL grammar for IDENTIFIER. (markt)
|
|
|
|
|
+ Code: Remove the INSTANCEOF and FUNCTIONSUFFIX definitions from the EL
|
|
|
|
|
grammar as both are unused. (markt)
|
|
|
|
|
* Web applications
|
|
|
|
|
+ Add: Documentation. Provide more explicit guidance regarding the security
|
|
|
|
|
considerations for enabling write access to the web application via
|
|
|
|
|
WebDAV, HTTP PUT requests or similar. (markt)
|
|
|
|
|
+ Add: Documentation. Add a section on reverse proxies to the security
|
|
|
|
|
considerations page. (markt)
|
|
|
|
|
* Other
|
|
|
|
|
+ Update: Update UnboundID to 7.0.3. (markt)
|
|
|
|
|
+ Update: Update Checkstyle to 10.25.1. (markt)
|
|
|
|
|
+ Update: Improvements to French translations. (remm)
|
|
|
|
|
+ Update: Improvements to Japanese translations provided by tak7iji. (markt)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Jun 24 09:24:21 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
|
|
|
|
|
|
|
|
|
|
- Update to Tomcat 9.0.106
|
|
|
|
|
* Fixed CVEs:
|
|
|
|
|
+ CVE-2025-46701: refactor CGI servlet to access resources via
|
|
|
|
|
WebResources (bsc#1243815)
|
|
|
|
|
+ CVE-2025-48988: limits the total number of parts in a
|
|
|
|
|
multi-part request and limits the size of
|
|
|
|
|
the headers provided with each part (bsc#1244656)
|
|
|
|
|
+ CVE-2025-49125: Expand checks for webAppMount (bsc#1244649)
|
|
|
|
|
* Catalina
|
|
|
|
|
+ Add: Support for the java:module namespace which mirrors the
|
|
|
|
|
java:comp namespace.
|
|
|
|
|
+ Add: Support parsing of multiple path parameters separated by ; in a
|
|
|
|
|
single URL segment. Based on pull request #860 by Chenjp.
|
|
|
|
|
+ Add: Support for limiting the number of parameters in HTTP requests
|
|
|
|
|
through the new ParameterLimitValve. The valve allows configurable
|
|
|
|
|
URL-specific limits on the number of parameters.
|
|
|
|
|
+ Fix: 69699: Encode redirect URL used by the rewrite valve with the
|
|
|
|
|
session id if appropriate, and handle cross context with different
|
|
|
|
|
session configuration when using rewrite.
|
|
|
|
|
+ Add: #863: Support for comments at the end of lines in text rewrite
|
|
|
|
|
map files to align behaviour with Apache httpd. Pull request
|
|
|
|
|
provided by Chenjp.
|
|
|
|
|
+ Fix: 69706: Saved request serialization issue in FORM introduced
|
|
|
|
|
when allowing infinite session timeouts.
|
|
|
|
|
+ Fix: Expand the path checks for Pre-Resources and Post-Resources
|
|
|
|
|
mounted at a path within the web application.
|
|
|
|
|
+ Fix: 69588: Enable allowLinking to be set on PreResources,
|
|
|
|
|
JarResources and PostResources. If not set explicitly, the setting
|
|
|
|
|
will be inherited from the Resources.
|
|
|
|
|
+ Add: 69633: Support for Filters using context root mappings.
|
|
|
|
|
+ Fix: #843: Off by one validation logic for partial PUT ranges and
|
|
|
|
|
associated test case. Submitted by Chenjp.
|
|
|
|
|
+ Refactor: Replace the unused buffer in
|
|
|
|
|
org.apache.catalina.connector.InputBuffer with a static, zero
|
|
|
|
|
length buffer.
|
|
|
|
|
+ Refactor: GCI servlet to access resources via the WebResource API.
|
|
|
|
|
+ Fix: 69662: Report name in exception message when a naming lookup
|
|
|
|
|
failure occurs. Based on code submitted by Donald Smith.
|
|
|
|
|
+ Fix: Ensure that the FORM authentication attribute
|
|
|
|
|
authenticationSessionTimeout works correctly when sessions have an
|
|
|
|
|
infinite timeout when authentication starts.
|
|
|
|
|
+ Add: Provide a content type based on file extension when web
|
|
|
|
|
application resources are accessed via a URL.
|
|
|
|
|
* Coyote
|
|
|
|
|
+ Refactor: #861: TaskQueue to use the new interface RetryableQueue
|
|
|
|
|
which enables better integration of custom Executors which provide
|
|
|
|
|
their own BlockingQueue implementation. Pull request provided by
|
|
|
|
|
Paulo Almeida.
|
|
|
|
|
+ Add: Finer grained control of multi-part request processing via two
|
|
|
|
|
new attributes on the Connector element. maxPartCount limits the
|
|
|
|
|
total number of parts in a multi-part request and maxPartHeaderSize
|
|
|
|
|
limits the size of the headers provided with each part. Add support
|
|
|
|
|
for these new attributes to the ParameterLimitValve.
|
|
|
|
|
+ Refactor: The SavedRequestInputFilter so the buffered data is used
|
|
|
|
|
directly rather than copied.
|
|
|
|
|
* Jasper
|
|
|
|
|
+ Fix: 69696: Mark the JSP wrapper for reload after a failed
|
|
|
|
|
compilation.
|
|
|
|
|
+ Fix: 69635: Add support to javax.el.ImportHandler for resolving
|
|
|
|
|
inner classes.
|
|
|
|
|
+ Add: #842: Support for optimized execution of c:set and c:remove
|
|
|
|
|
tags, when activated via JSP servlet param
|
|
|
|
|
useNonstandardTagOptimizations.
|
|
|
|
|
+ Fix: An edge case compilation bug for JSP and tag files on case
|
|
|
|
|
insensitive file systems that was exposed by the test case for
|
|
|
|
|
69635.
|
|
|
|
|
* Web applications
|
|
|
|
|
+ Fix: 69694: Improve error reporting of deployment tasks done using
|
|
|
|
|
the manager webapp when a copy operation fails.
|
|
|
|
|
+ Add: 68876: Documentation. Update the UML diagrams for server
|
|
|
|
|
start-up, request processing and authentication using PlantUML and
|
|
|
|
|
include the source files for each diagram.
|
|
|
|
|
* Other
|
|
|
|
|
+ Add: Thread name to webappClassLoader.stackTraceRequestThread
|
|
|
|
|
message. Patch provided by Felix Zhang.
|
|
|
|
|
+ Update: The internal fork of Apache Commons FileUpload to 1.6.0-RC1
|
|
|
|
|
(2025-06-05).
|
|
|
|
|
+ Update: EasyMock to 5.6.0.
|
|
|
|
|
+ Update: Checkstyle to 10.25.0.
|
|
|
|
|
+ Fix: #858: Extend improvements to CVE-2024-56337 protection to
|
|
|
|
|
service.bat. Pull request provided by Markus Hoffrogge.
|
|
|
|
|
+ Fix: Use the full path when the installer for Windows sets calls
|
|
|
|
|
icacls.exe to set file permissions.
|
|
|
|
|
+ Update: Improvements to Japanese translations provided by tak7iji.
|
|
|
|
|
+ Update: Jacoco to 0.8.13.
|
|
|
|
|
+ Code: Explicitly set the locale to be used for Javadoc. For
|
|
|
|
|
official releases, this locale will be English (US) to support
|
|
|
|
|
reproducible builds.
|
|
|
|
|
+ Update: Byte Buddy to 1.17.5.
|
|
|
|
|
+ Update: Checkstyle to 10.23.1.
|
|
|
|
|
+ Update: File extension to media type mappings to align with the
|
|
|
|
|
current list used by the Apache Web Server (httpd).
|
|
|
|
|
+ Update: Improvements to French translations.
|
|
|
|
|
+ Update: Improvements to Japanese translations provided by tak7iji.
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed May 7 09:32:52 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
|
|
|
|
|
|
|
|
|
|
- Hardening permissions (bsc#1242722)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri May 2 14:54:04 UTC 2025 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
|
|
- Make conflicts and provides more generic
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Apr 30 10:48:23 UTC 2025 - Michele Bussolotto <michele.bussolotto@suse.com>
|
|
|
|
|
|
|
|
|
|
- Update to Tomcat 9.0.104
|
|
|
|
|
* Fixed CVEs:
|
|
|
|
|
+ CVE-2025-31650: invalid priority field values should be ignored
|
|
|
|
|
(bsc#1242008)
|
|
|
|
|
+ CVE-2025-31651: Better handling of URLs with literal ';' and '?'
|
|
|
|
|
(bsc#1242009)
|
|
|
|
|
* Catalina
|
|
|
|
|
+ Fix: Fix use of SSS in SimpleDateFormat pattern for AccessLogValve.
|
|
|
|
|
(rjung)
|
|
|
|
|
+ Fix: Process possible path parameters rewrite production in the rewrite
|
|
|
|
|
valve. (remm)
|
|
|
|
|
+ Fix: 69643: Optimize directory listing for large amount of files. Patch
|
|
|
|
|
submitted by Loic de l'Eprevier. (remm)
|
|
|
|
|
+ Fix: Return 400 if the amount of content sent for a partial PUT is
|
|
|
|
|
inconsistent with the range that was specified. (remm)
|
|
|
|
|
+ Add: Add a new RateLimiter implementation,
|
|
|
|
|
org.apache.catalina.util.ExactRateLimiter, that can be used with
|
|
|
|
|
org.apache.catalina.filters.RateLimitFilter to provide rate limit based
|
|
|
|
|
on the exact values configured. Based on pull request #794 by Chenjp.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: Fix parsing of the time-taken token in the ExtendedAccessLogValve.
|
|
|
|
|
(remm)
|
|
|
|
|
+ Fix: Fix invocation of the FFM OpenSSL code for setting a SSL engine and
|
|
|
|
|
FIPS mode. (remm)
|
|
|
|
|
+ Fix: 69600: Add IPv6 local addresses (RFC 4193 and RFC 4291) to the
|
|
|
|
|
default internal proxies for the RemoteIpFilter and RemoteIpValve.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: 69615: Improve integration with the not found class resources cache
|
|
|
|
|
for users who are using a custom web application class loader and/or
|
|
|
|
|
using reflection to dynamically add external repositories to the web
|
|
|
|
|
application class loader. (markt)
|
|
|
|
|
+ Add: Add a new initialisation parameter to the Default servlet -
|
|
|
|
|
allowPostAsGet - which controls whether a direct request (i.e. not a
|
|
|
|
|
forward or an include) for a static resource using the POST method will
|
|
|
|
|
be processed as if the GET method had been used. If not allowed, the
|
|
|
|
|
request will be rejected. The default behaviour of processing the request
|
|
|
|
|
as if the GET method had been used is unchanged. (markt)
|
|
|
|
|
+ Fix: 69623: Correct a long standing regression that meant that calls to
|
|
|
|
|
ClassLoader.getResource().getContent() failed when made from within a web
|
|
|
|
|
application with resource caching enabled. (markt)
|
|
|
|
|
+ Fix: 69634: Avoid NPE on JsonErrorReportValve. (remm)
|
|
|
|
|
+ Fix: Add missing throwable stack trace to JsonErrorReportValve equivalent
|
|
|
|
|
to the one from ErrorReportValve. (remm)
|
|
|
|
|
+ Fix: Improve the handling of %nn URL encoding in the RewriteValve and
|
|
|
|
|
document how %nn URL encoding may be used with rewrite rules. (markt)
|
|
|
|
|
+ Fix: Fix a potential exception when calling
|
|
|
|
|
WebappClassLoaderBase.getResource(""). (markt)
|
|
|
|
|
* Coyote
|
|
|
|
|
+ Fix: 69607: Allow failed initialization of MD5. Based on code submitted
|
|
|
|
|
by Shivam Verma. (remm)
|
|
|
|
|
+ Fix: 69614: HTTP/2 priority frames with an invalid priority field value
|
|
|
|
|
should be ignored. (markt)
|
|
|
|
|
+ Fix: Improve handling of unexpected errors during HTTP/2 processing.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: Add missing code to process an OpenSSL profile, such as PROFILE=
|
|
|
|
|
SYSTEM, using FFM. (remm)
|
|
|
|
|
+ Add: Simplify the process of using a custom SSLContext for an HTTPS
|
|
|
|
|
enabled connector. Based on pull request #805 by Hakky54. (markt)
|
|
|
|
|
* Jasper
|
|
|
|
|
+ Code: Replace custom URL encoding provided by the JSP runtime library
|
|
|
|
|
with calls to java.net.URLEncoder.encode(). (markt)
|
|
|
|
|
+ Add: Add compiler using the Java Compiler API, supporting exploded web
|
|
|
|
|
applications. The compilerClassName to use is
|
|
|
|
|
org.apache.jasper.compiler.JavaCompiler. (remm)
|
|
|
|
|
+ Add: Add support for specifying Java 25 (with the value 25) as the
|
|
|
|
|
compiler source and/or compiler target for JSP compilation. If used with
|
|
|
|
|
an Eclipse JDT compiler version that does not support these values, a
|
|
|
|
|
warning will be logged and the default will be used. (markt)
|
|
|
|
|
* Cluster
|
|
|
|
|
+ Fix: Fix resetting cross context sessions in the ReplicationValve.
|
|
|
|
|
(remm)
|
|
|
|
|
* Web applications
|
|
|
|
|
+ Add: Documentation. Add a link to the Log4j documentation that describes
|
|
|
|
|
how to use Log4j rather than JULI for Tomcat's internal logging. (markt)
|
|
|
|
|
+ Add: Documentation. Document the runtime attributes available to web
|
|
|
|
|
applications via the Request or the ServletContext. Based on pull request
|
|
|
|
|
#832 by usmazat. (markt)
|
|
|
|
|
* Other
|
|
|
|
|
+ Fix: Set sun.io.useCanonCaches in service.bat. Based on pull request
|
|
|
|
|
#841 by Paul Lodge. (remm)
|
|
|
|
|
+ Fix: The minimum Java version to build a release is now Java 22,
|
|
|
|
|
mirroring Tomcat 10.1. This removes the need for using a java-ffm.home
|
|
|
|
|
property. (remm)
|
|
|
|
|
+ Update: Revert JSign to 6.0 to avoid a file locking issue. (markt)
|
|
|
|
|
+ Update: Update to NSIS 3.11. (markt)
|
|
|
|
|
+ Update: Update to ByteBuddy 1.17.4. (markt)
|
|
|
|
|
+ Update: Update to Checkstyle 10.21.4. (markt)
|
|
|
|
|
+ Update: Update to SpotBugs to 4.9.3. (markt)
|
|
|
|
|
+ Update: Improvements to French translations. (remm)
|
|
|
|
|
+ Update: Improvements to Japanese translations provided by tak7iji. (markt)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Tue Mar 18 21:04:04 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
|
|
|
|
|
|
|
|
|
|
- Update to Tomcat 9.0.102
|
|
|
|
|
* Fixes:
|
|
|
|
|
+ launch with java 17 (bsc#1239676)
|
|
|
|
|
* Catalina
|
|
|
|
|
+ Fix: Weak etags in the If-Range header should not match as strong etags
|
|
|
|
|
are required. (remm)
|
|
|
|
|
+ Fix: When looking up class loader resources by resource name, the resource
|
|
|
|
|
name should not start with '/'. If the resource name does start with '/',
|
|
|
|
|
Tomcat is lenient and looks it up as if the '/' was not present. When the
|
|
|
|
|
web application class loader was configured with external repositories and
|
|
|
|
|
names starting with '/' were used for lookups, it was possible that cached
|
|
|
|
|
'not found' results could effectively hide lookup results using the
|
|
|
|
|
correct resource name. (markt)
|
|
|
|
|
+ Fix: Enable the JNDIRealm to validate credentials provided to
|
|
|
|
|
HttpServletRequest.login(String username, String password) when the realm
|
|
|
|
|
is configured to use GSSAPI authentication. (markt)
|
|
|
|
|
+ Fix: Fix a bug in the JRE compatibility detection that incorrectly
|
|
|
|
|
identified Java 19 and Java 20 as supporting Java 21 features. (markt)
|
|
|
|
|
+ Fix: Improve the checks for exposure to and protection against
|
|
|
|
|
CVE-2024-56337 so that reflection is not used unless required. The checks
|
|
|
|
|
for whether the file system is case sensitive or not have been removed.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: Avoid scenarios where temporary files used for partial PUT would not
|
|
|
|
|
be deleted. (remm)
|
|
|
|
|
+ Fix: 69602: Fix regression in releases from 12-2024 that were too strict
|
|
|
|
|
and rejected weak etags in the If-Range header. (remm)
|
|
|
|
|
+ Fix: 69576: Avoid possible failure initializing JreCompat due to uncaught
|
|
|
|
|
exception introduced for the check for CVE-2024-56337. (remm)
|
|
|
|
|
* Cluster
|
|
|
|
|
+ Add: 69598: Add detection of service account token changes to the
|
|
|
|
|
KubernetesMembershipProvider implementation and reload the token if it
|
|
|
|
|
changes. Based on a patch by Miroslav Jezbera. (markt)
|
|
|
|
|
* Coyote
|
|
|
|
|
+ Fix: 69575: Avoid using compression if a response is already compressed
|
|
|
|
|
using compress, deflate or zstd. (remm)
|
|
|
|
|
+ Update: Use Transfer-Encoding for compression rather than Content-Encoding
|
|
|
|
|
if the client submits a TE header containing gzip. (remm)
|
|
|
|
|
+ Fix: Fix a race condition in the handling of HTTP/2 stream reset that
|
|
|
|
|
could cause unexpected 500 responses. (markt)
|
|
|
|
|
* Other
|
|
|
|
|
+ Add: Add makensis as an option for building the Installer for Windows on
|
|
|
|
|
non-Windows platforms. (rjung/markt)
|
|
|
|
|
+ Update: Update Byte Buddy to 1.17.1. (markt)
|
|
|
|
|
+ Update: Update Checkstyle to 10.21.3. (markt)
|
|
|
|
|
+ Update: Update SpotBugs to 4.9.1. (markt)
|
|
|
|
|
+ Update: Update JSign to 7.1. (markt)
|
|
|
|
|
+ Add: Improvements to French translations. (remm)
|
|
|
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
|
|
|
+ Add: Add org.apache.juli.JsonFormatter to format log as one line JSON
|
|
|
|
|
documents. (remm)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Wed Mar 12 16:21:08 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
|
|
|
|
|
|
|
|
|
|
- Update to Tomcat 9.0.99
|
|
|
|
|
* Fixed CVE:
|
|
|
|
|
+ CVE-2025-24813: potential RCE and/or information disclosure/corruption with
|
|
|
|
|
partial PUT (bsc#1239302)
|
|
|
|
|
* Catalina
|
|
|
|
|
+ Update: Add tableName configuration on the DataSourcePropertyStore that
|
|
|
|
|
may be used by the WebDAV Servlet. (remm)
|
|
|
|
|
+ Update: Improve HTTP If headers processing according to RFC 9110. Based on
|
|
|
|
|
pull request #796 by Chenjp. (remm/markt)
|
|
|
|
|
+ Update: Allow readOnly attribute configuration on the Resources element
|
|
|
|
|
and allow configure the readOnly attribute value of the main resources.
|
|
|
|
|
The attribute value will also be used by the default and WebDAV Servlets.
|
|
|
|
|
(remm)
|
|
|
|
|
+ Fix: 69285: Optimise the creation of the parameter map for included
|
|
|
|
|
requests. Based on sample code and test cases provided by John
|
|
|
|
|
Engebretson. (markt)
|
|
|
|
|
+ Fix: 69527: Avoid rare cases where a cached resource could be set with 0
|
|
|
|
|
content length, or could be evicted immediately. (remm)
|
|
|
|
|
+ Fix: Fix possible edge cases (such as HTTP/1.0) with trying to detect
|
|
|
|
|
requests without body for WebDAV LOCK and PROPFIND. (remm)
|
|
|
|
|
+ Fix: 69528: Add multi-release JAR support for the bloom
|
|
|
|
|
archiveIndexStrategy of the Resources. (remm)
|
|
|
|
|
+ Fix: Improve checks for WEB-INF and META-INF in the WebDAV servlet. Based
|
|
|
|
|
on a patch submitted by Chenjp. (remm)
|
|
|
|
|
+ Add: Add a check to ensure that, if one or more web applications are
|
|
|
|
|
potentially vulnerable to CVE-2024-56337, the JVM has been configured to
|
|
|
|
|
protect against the vulnerability and to configure the JVM correctly if
|
|
|
|
|
not. Where one or more web applications are potentially vulnerable to
|
|
|
|
|
CVE-2024-56337 and the JVM cannot be correctly configured or it cannot be
|
|
|
|
|
confirmed that the JVM has been correctly configured, prevent the impacted
|
|
|
|
|
web applications from starting. (markt)
|
|
|
|
|
+ Fix: Remove unused session to client map from CrawlerSessionManagerValve.
|
|
|
|
|
Submitted by Brian Matzon. (remm)
|
|
|
|
|
+ Fix: When using the WebDAV servlet with serveSubpathOnly set to true,
|
|
|
|
|
ensure that the destination for any requested WebDAV operation is also
|
|
|
|
|
restricted to the sub-path. (markt)
|
|
|
|
|
+ Fix: Generate an appropriate Allow HTTP header when the Default servlet
|
|
|
|
|
returns a 405 (method not allowed) response in response to a DELETE
|
|
|
|
|
request because the target resource cannot be deleted. Pull request #802
|
|
|
|
|
provided by Chenjp. (markt)
|
|
|
|
|
+ Code: Refactor creation of RequestDispatcher instances so that the
|
|
|
|
|
processing of the provided path is consistent with normal request
|
|
|
|
|
processing. (markt)
|
|
|
|
|
+ Add: Add encodedReverseSolidusHandling and encodedSolidusHandling
|
|
|
|
|
attributes to Context to provide control over the handling of the path
|
|
|
|
|
used to created a RequestDispatcher. (markt)
|
|
|
|
|
+ Fix: Handle a potential NullPointerException after an IOException occurs
|
|
|
|
|
on a non-container thread during asynchronous processing. (markt)
|
|
|
|
|
+ Fix: Enhance lifecycle of temporary files used by partial PUT. (remm)
|
|
|
|
|
* Coyote
|
|
|
|
|
+ Fix: Don't log warnings for registered HTTP/2 settings that Tomcat does
|
|
|
|
|
not support. These settings are now silently ignored. (markt)
|
|
|
|
|
+ Fix: Avoid a rare NullPointerException when recycling the
|
|
|
|
|
Http11InputBuffer. (markt)
|
|
|
|
|
+ Fix: Lower the log level to debug for logging an invalid socket channel
|
|
|
|
|
when processing poller events for the NIO Connector as this may occur in
|
|
|
|
|
normal usage. (markt)
|
|
|
|
|
+ Code: Clean-up references to the HTTP/2 stream once request processing has
|
|
|
|
|
completed to aid GC and reduce the size of the HTTP/2 recycled request and
|
|
|
|
|
response cache. (markt)
|
|
|
|
|
+ Add: Add a new Connector configuration attribute,
|
|
|
|
|
encodedReverseSolidusHandling, to control how %5c sequences in URLs are
|
|
|
|
|
handled. The default behaviour is unchanged (decode) keeping in mind that
|
|
|
|
|
the allowBackslash attribute determines how the decoded URI is processed.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: 69545: Improve CRLF skipping for the available method of the
|
|
|
|
|
ChunkedInputFilter. (remm)
|
|
|
|
|
+ Fix: Improve the performance of repeated calls to getHeader(). Pull
|
|
|
|
|
request #813 provided by Adwait Kumar Singh. (markt)
|
|
|
|
|
+ Fix: 69559: Ensure that the Java 24 warning regarding the use of
|
|
|
|
|
sun.misc.Unsafe::invokeCleaner is only reported by the JRE when the code
|
|
|
|
|
will be used. (markt)
|
|
|
|
|
* Jasper
|
|
|
|
|
+ Fix: 69508: Correct a regression in the fix for 69382 that broke JSP
|
|
|
|
|
include actions if both the page attribute and the body contained
|
|
|
|
|
parameters. Pull request #803 provided by Chenjp. (markt)
|
|
|
|
|
+ Fix: 69521: Update the EL Parser to allow the full range of valid
|
|
|
|
|
characters in an EL identifier as defined by the Java Language
|
|
|
|
|
Specification. (markt)
|
|
|
|
|
+ Fix: 69532: Optimise the creation of ExpressionFactory instances. Patch
|
|
|
|
|
provided by John Engebretson. (markt)
|
|
|
|
|
* Web applications
|
|
|
|
|
+ Add: Documentation. Expand the description of the security implications of
|
|
|
|
|
setting mapperContextRootRedirectEnabled and/or
|
|
|
|
|
mapperDirectoryRedirectEnabled to true. (markt)
|
|
|
|
|
+ Fix: Documentation. Better document the default for the truststoreProvider
|
|
|
|
|
attribute of a SSLHostConfig element. (markt)
|
|
|
|
|
* Other
|
|
|
|
|
+ Update: Update to Commons Daemon 1.4.1. (markt)
|
|
|
|
|
+ Update: Update the internal fork of Commons Pool to 2.12.1. (markt)
|
|
|
|
|
+ Update: Update Byte Buddy to 1.16.1. (markt)
|
|
|
|
|
+ Update: Update UnboundID to 7.0.2. (markt)
|
|
|
|
|
+ Update: Update Checkstyle to 10.21.2. (markt)
|
|
|
|
|
+ Update: Update SpotBugs to 4.9.0. (markt)
|
|
|
|
|
+ Add: Improvements to French translations. (remm)
|
|
|
|
|
+ Add: Improvements to Chinese translations by leeyazhou. (markt)
|
|
|
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Jan 3 16:03:11 UTC 2025 - Ricardo Mestre <ricardo.mestre@suse.com>
|
|
|
|
|
|
|
|
|
|
- Update to Tomcat 9.0.98
|
|
|
|
|
* Fixed CVEs:
|
|
|
|
|
+ CVE-2024-54677: DoS in examples web application (bsc#1234664)
|
|
|
|
|
+ CVE-2024-50379: RCE due to TOCTOU issue in JSP compilation (bsc#1234663)
|
|
|
|
|
+ CVE-2024-52317: Request/response mix-up with HTTP/2 (bsc#1233435)
|
|
|
|
|
* Catalina
|
|
|
|
|
+ Add: Add option to serve resources from subpath only with WebDAV Servlet
|
|
|
|
|
like with DefaultServlet. (michaelo)
|
|
|
|
|
+ Fix: Add special handling for the protocols attribute of SSLHostConfig in
|
|
|
|
|
storeconfig. (remm)
|
|
|
|
|
+ Fix: 69442: Fix case sensitive check on content-type when parsing request
|
|
|
|
|
parameters. (remm)
|
|
|
|
|
+ Code: Refactor duplicate code for extracting media type and subtype from
|
|
|
|
|
content-type into a single method. (markt)
|
|
|
|
|
+ Fix: Compatibility of generated embedded code with components where
|
|
|
|
|
constructors or property related methods throw a checked exception. (remm)
|
|
|
|
|
+ Fix: The previous fix for inconsistent resource metadata during concurrent
|
|
|
|
|
reads and writes was incomplete. (markt)
|
|
|
|
|
+ Fix: 69444: Ensure that the javax.servlet.error.message request attribute
|
|
|
|
|
is set when an application defined error page is called. (markt)
|
|
|
|
|
+ Fix: Avoid quotes for numeric values in the JSON generated by the status
|
|
|
|
|
servlet. (remm)
|
|
|
|
|
+ Add: Add strong ETag support for the WebDAV and default servlet, which can
|
|
|
|
|
be enabled by using the useStrongETags init parameter with a value set to
|
|
|
|
|
true. The ETag generated will be a SHA-1 checksum of the resource content.
|
|
|
|
|
(remm)
|
|
|
|
|
+ Fix: Use client locale for directory listings. (remm)
|
|
|
|
|
+ Fix: 69439: Improve the handling of multiple Cache-Control headers in the
|
|
|
|
|
ExpiresFilter. Based on pull request #777 by Chenjp. (markt)
|
|
|
|
|
+ Fix: 69447: Update the support for caching classes the web application
|
|
|
|
|
class loader cannot find to take account of classes loaded from external
|
|
|
|
|
repositories. Prior to this fix, these classes could be incorrectly marked
|
|
|
|
|
as not found. (markt)
|
|
|
|
|
+ Fix: 69466: Rework handling of HEAD requests. Headers explicitly set by
|
|
|
|
|
users will not be removed and any header present in a HEAD request will
|
|
|
|
|
also be present in the equivalent GET request. There may be some headers,
|
|
|
|
|
as per RFC 9110, section 9.3.2, that are present in a GET request that are
|
|
|
|
|
not present in the equivalent HEAD request. (markt)
|
|
|
|
|
+ Fix: 69471: Log instances of CloseNowException caught by
|
|
|
|
|
ApplicationDispatcher.invoke() at debug level rather than error level as
|
|
|
|
|
they are very likely to have been caused by a client disconnection or
|
|
|
|
|
similar I/O issue. (markt)
|
|
|
|
|
+ Add: Add a test case for the fix for 69442. Also refactor references to
|
|
|
|
|
application/x-www-form-urlencoded. Based on pull request #779 by Chenjp.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: 69476: Catch possible ISE when trying to report PUT failure in the
|
|
|
|
|
DefaultServlet. (remm)
|
|
|
|
|
+ Add: Add support for RateLimit header fields for HTTP (draft) in the
|
|
|
|
|
RateLimitFilter. Based on pull request #775 provided by Chenjp. (markt)
|
|
|
|
|
+ Add: #787: Add regression tests for 69478. Pull request provided by Thomas
|
|
|
|
|
Krisch. (markt)
|
|
|
|
|
+ Fix: The default servlet now rejects HTTP range requests when two or more
|
|
|
|
|
of the requested ranges overlap. Based on pull request #782 provided by
|
|
|
|
|
Chenjp. (markt)
|
|
|
|
|
+ Fix: Enhance Content-Range verification for partial PUT requests handled
|
|
|
|
|
by the default servlet. Provided by Chenjp in pull request #778. (markt)
|
|
|
|
|
+ Fix: Harmonize DataSourceStore lookup in the global resources to
|
|
|
|
|
optionally avoid the comp/env prefix which is usually not used there.
|
|
|
|
|
(remm)
|
|
|
|
|
+ Fix: As required by RFC 9110, the HTTP Range header will now only be
|
|
|
|
|
processed for GET requests. Based on pull request #790 provided by Chenjp.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: Deprecate the useAcceptRanges initialisation parameter for the
|
|
|
|
|
default servlet. It will be removed in Tomcat 12 onwards where it will
|
|
|
|
|
effectively be hard coded to true. (markt)
|
|
|
|
|
+ Add: Add DataSource based property storage for the WebdavServlet. (remm)
|
|
|
|
|
* Coyote
|
|
|
|
|
+ Fix: Align encodedSolidusHandling with the Servlet specification. If the
|
|
|
|
|
pass-through mode is used, any %25 sequences will now also be passed
|
|
|
|
|
through to avoid errors and/or corruption when the application decodes the
|
|
|
|
|
path. (markt)
|
|
|
|
|
* Jasper
|
|
|
|
|
+ Fix: Further optimise EL evaluation of method parameters. Patch provided
|
|
|
|
|
by Paolo B. (markt)
|
|
|
|
|
+ Fix: Follow-up to the fix for 69381. Apply the optimisation for method
|
|
|
|
|
lookup performance in expression language to an additional location.
|
|
|
|
|
(markt)
|
|
|
|
|
* Web applications
|
|
|
|
|
+ Fix: Documentation. Remove references to the ResourceParams element.
|
|
|
|
|
Support for ResourceParams was removed in Tomcat 5.5.x. (markt)
|
|
|
|
|
+ Fix: Documentation. 69477: Correct name of attribute for RemoteIPFilter.
|
|
|
|
|
The attribute is internalProxies rather than allowedInternalProxies. Pull
|
|
|
|
|
request #786 provided by Jorge Díaz. (markt)
|
|
|
|
|
+ Fix: Examples. Fix broken links when Servlet Request Info example is
|
|
|
|
|
called via a URL that includes a pathInfo component. (markt)
|
|
|
|
|
+ Fix: Examples. Expand the obfuscation of session cookie values in the
|
|
|
|
|
request header example to JSON responses. (markt)
|
|
|
|
|
+ Add: Examples. Add the ability to delete session attributes in the servlet
|
|
|
|
|
session example. (markt)
|
|
|
|
|
+ Add: Examples. Add a hard coded limit of 10 attributes per session for the
|
|
|
|
|
servlet session example. (markt)
|
|
|
|
|
+ Add: Examples. Add the ability to delete session attributes and add a hard
|
|
|
|
|
coded limit of 10 attributes per session for the JSP form authentication
|
|
|
|
|
example. (markt)
|
|
|
|
|
+ Add: Examples. Limit the shopping cart example to only allow adding the
|
|
|
|
|
pre-defined items to the cart. (markt)
|
|
|
|
|
+ Fix: Examples. Remove JSP calendar example. (markt)
|
|
|
|
|
* Other
|
|
|
|
|
+ Fix: 69465: Fix warnings during native image compilation using the Tomcat
|
|
|
|
|
embedded JARs. (markt)
|
|
|
|
|
+ Update: Update Tomcat's fork of Commons DBCP to 2.13.0. (markt)
|
|
|
|
|
+ Update: Update EasyMock to 5.5.0. (markt)
|
|
|
|
|
+ Update: Update Checkstyle to 10.20.2. (markt)
|
|
|
|
|
+ Update: Update BND to 7.1.0. (markt)
|
|
|
|
|
+ Add: Improvements to French translations. (remm)
|
|
|
|
|
+ Add: Improvements to Korean translations. (markt)
|
|
|
|
|
+ Add: Improvements to Chinese translations. (markt)
|
|
|
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
|
|
|
- Modified patch:
|
|
|
|
|
* tomcat-9.0-jdt.patch
|
|
|
|
|
+ rediff
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Fri Nov 22 19:51:47 UTC 2024 - Michele Bussolotto <michele.bussolotto@suse.com>
|
|
|
|
|
|
|
|
|
|
- Update to Tomcat 9.0.97
|
|
|
|
|
* Fixed CVEs:
|
|
|
|
|
+ CVE-2024-52316: If the Jakarta Authentication fails with an exception,
|
|
|
|
|
set a 500 status (bsc#1233434)
|
|
|
|
|
* Catalina
|
|
|
|
|
+ Add: Add support for the new Servlet API method
|
|
|
|
|
HttpServletResponse.sendEarlyHints(). (markt)
|
|
|
|
|
+ Add: 55470: Add debug logging that reports the class path when a
|
|
|
|
|
ClassNotFoundException occurs in the digester or the web application
|
|
|
|
|
class loader. Based on a patch by Ralf Hauser. (markt)
|
|
|
|
|
+ Update: 69374: Properly separate between table header and body in
|
|
|
|
|
DefaultServlet's listing. (michaelo)
|
|
|
|
|
+ Update: 69373: Make DefaultServlet's HTML listing file last modified
|
|
|
|
|
rendering better (flexible). (michaelo)
|
|
|
|
|
+ Update: Improve HTML output of DefaultServlet. (michaelo)
|
|
|
|
|
+ Code: Refactor RateLimitFilter to use FilterBase as the base class. The
|
|
|
|
|
primary advantage for doing this is less code to process init-param
|
|
|
|
|
values. (markt)
|
|
|
|
|
+ Update: 69370: DefaultServlet's HTML listing uses incorrect labels.
|
|
|
|
|
(michaelo)
|
|
|
|
|
+ Fix: Avoid NPE in CrawlerSessionManagerValve for partially mapped
|
|
|
|
|
requests. (remm)
|
|
|
|
|
+ Fix: Add missing WebDAV Lock-Token header in the response when locking
|
|
|
|
|
a folder. (remm)
|
|
|
|
|
+ Fix: Invalid WebDAV lock requests should be rejected with 400. (remm)
|
|
|
|
|
+ Fix: Fix regression in WebDAV when attempting to unlock a collection.
|
|
|
|
|
(remm)
|
|
|
|
|
+ Fix: Verify that destination is not locked for a WebDAV copy operation.
|
|
|
|
|
(remm)
|
|
|
|
|
+ Fix: Send 415 response to WebDAV MKCOL operations that include a
|
|
|
|
|
request body since this is optional and unsupported. (remm)
|
|
|
|
|
+ Fix: Enforce DAV: namespace on WebDAV XML elements. (remm)
|
|
|
|
|
+ Fix: Do not allow a new WebDAV lock on a child resource if a parent
|
|
|
|
|
collection is locked (RFC 4918 section 6.1). (remm)
|
|
|
|
|
+ Fix: WebDAV Delete should remove any existing lock on successfully
|
|
|
|
|
deleted resources. (remm)
|
|
|
|
|
+ Update: Remove WebDAV lock null support in accordance with RFC 4918
|
|
|
|
|
section 7.3 and annex D. Instead, a lock on a non-existing resource
|
|
|
|
|
will create an empty file locked with a regular lock. (remm)
|
|
|
|
|
+ Update: Rewrite implementation of WebDAV shared locks to comply with
|
|
|
|
|
RFC 4918. (remm)
|
|
|
|
|
+ Update: Implement WebDAV If header using code from the Apache Jackrabbit
|
|
|
|
|
project. (remm)
|
|
|
|
|
+ Add: Add PropertyStore interface in the WebDAV Servlet, to allow
|
|
|
|
|
implementation of dead properties storage. The store used can be
|
|
|
|
|
configured using the 'propertyStore' init parameter of the WebDAV
|
|
|
|
|
servlet. A simple non-persistent implementation is used if no custom
|
|
|
|
|
store is configured. (remm)
|
|
|
|
|
+ Update: Implement WebDAV PROPPATCH method using the newly added
|
|
|
|
|
PropertyStore. (remm)
|
|
|
|
|
+ Fix: Cache not found results when searching for web application class
|
|
|
|
|
loader resources. This addresses performance problems caused by
|
|
|
|
|
components such as java.sql.DriverManager which, in some circumstances,
|
|
|
|
|
will search for the same class repeatedly. In a large web application
|
|
|
|
|
this can cause performance problems. The size of the cache can be
|
|
|
|
|
controlled via the new notFoundClassResourceCacheSize on the
|
|
|
|
|
StandardContext. (markt)
|
|
|
|
|
+ Fix: Stop after INITIALIZED state should be a noop since it is possible
|
|
|
|
|
for subcomponents to be in FAILED after init. (remm)
|
|
|
|
|
+ Fix: Fix incorrect web resource cache size calculations when there are
|
|
|
|
|
concurrent PUT and DELETE requests for the same resource. (markt)
|
|
|
|
|
+ Add: Add debug logging for the web resource cache so the current size
|
|
|
|
|
can be tracked as resources are added and removed. (markt)
|
|
|
|
|
+ Update: Replace legacy WebDAV opaquelocktoken: scheme for lock tokens
|
|
|
|
|
with urn:uuid: as recommended by RFC 4918, and remove secret init
|
|
|
|
|
parameter. (remm)
|
|
|
|
|
+ Fix: Concurrent reads and writes (e.g. GET and PUT / DELETE) for the
|
|
|
|
|
same path caused corruption of the FileResource where some of the
|
|
|
|
|
fields were set as if the file exists and some as set as if it does
|
|
|
|
|
not. This resulted in inconsistent metadata. (markt)
|
|
|
|
|
+ Fix: 69415: Ensure that the ExpiresFilter only sets cache headers on
|
|
|
|
|
GET and HEAD requests. Also skip requests where the application has set
|
|
|
|
|
Cache-Control: no-store. (markt)
|
|
|
|
|
+ Fix: 69419: Improve the performance of ServletRequest.getAttribute()
|
|
|
|
|
when there are multiple levels of nested includes. Based on a patch
|
|
|
|
|
provided by John Engebretson. (markt)
|
|
|
|
|
+ Add: All applications to send an early hints informational response by
|
|
|
|
|
calling HttpServletResponse.sendError() with a status code of 103.
|
|
|
|
|
(schultz)
|
|
|
|
|
+ Fix: Ensure that the Jakarta Authentication CallbackHandler only
|
|
|
|
|
creates one GenericPrincipal in the Subject. (markt)
|
|
|
|
|
+ Fix: If the Jakarta Authentication process fails with an Exception,
|
|
|
|
|
explicitly set the HTTP response status to 500 as the ServerAuthContext
|
|
|
|
|
may not have set it. (markt)
|
|
|
|
|
+ Fix: When persisting the Jakarta Authentication provider configuration,
|
|
|
|
|
create any necessary parent directories that don't already exist.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: Correct the logic used to detect errors when deleting temporary
|
|
|
|
|
files associated with persisting the Jakarta Authentication provider
|
|
|
|
|
configuration. (markt)
|
|
|
|
|
+ Fix: When processing Jakarta Authentication callbacks, don't overwrite
|
|
|
|
|
a Principal obtained from the PasswordValidationCallback with null if
|
|
|
|
|
the CallerPrincipalCallback does not provide a Principal. (markt)
|
|
|
|
|
+ Fix: Avoid store config backup loss when storing one configuration more
|
|
|
|
|
than once per second. (remm)
|
|
|
|
|
+ Fix: 69359: WebdavServlet duplicates getRelativePath() method from
|
|
|
|
|
super class with incorrect Javadoc. (michaelo)
|
|
|
|
|
+ Fix: 69360: Inconsistent DELETE behavior between WebdavServlet and
|
|
|
|
|
DefaultServlet. (michaelo)
|
|
|
|
|
+ Fix: Make WebdavServlet properly return the Allow header when deletion
|
|
|
|
|
of a resource is not allowed. (michaelo)
|
|
|
|
|
+ Fix: Add log warning if non wildcard mappings are used with the
|
|
|
|
|
WebdavServlet. (remm)
|
|
|
|
|
+ Fix: 69361: Ensure that the order of entries in a multi-status response
|
|
|
|
|
to a WebDAV is consistent with the order in which resources were
|
|
|
|
|
processed. (markt)
|
|
|
|
|
+ Fix: 69362: Provide a better multi-status response when deleting a
|
|
|
|
|
collection via WebDAV fails. Empty directories that cannot be deleted
|
|
|
|
|
will now be included in the response. (markt)
|
|
|
|
|
+ Fix: 69363: Use getPathPrefix() consistently in the WebDAV servlet to
|
|
|
|
|
ensure that the correct path is used when the WebDAV servlet is mounted
|
|
|
|
|
at a sub-path within the web application. (markt)
|
|
|
|
|
+ Fix: Improve performance of ApplicationHttpRequest.parseParameters().
|
|
|
|
|
Based on sample code and test cases provided by John Engebretson.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Add: Add support for RFC 8297 (Early Hints). Applications can use
|
|
|
|
|
this feature by casting the HttpServletResponse to
|
|
|
|
|
org.apache.catalina.connector.Reponse and then calling the method
|
|
|
|
|
void sendEarlyHints(). This method will be added to the Servlet API
|
|
|
|
|
(removing the need for the cast) in Servlet 6.2 onwards. (markt)
|
|
|
|
|
+ Fix: 69214: Do not reject a CORS request that uses POST but does not
|
|
|
|
|
include a content-type header. Tomcat now correctly processes this as
|
|
|
|
|
a simple CORS request. Based on a patch suggested by thebluemountain.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: Refactor SpnegoAuthenticator so it uses Subject.callAs() rather
|
|
|
|
|
than Subject.doAs() when available. (markt)
|
|
|
|
|
|
|
|
|
|
* Coyote
|
|
|
|
|
+ Fix: Return null SSL session id on zero length byte array returned from
|
|
|
|
|
the SSL implementation. (remm)
|
|
|
|
|
+ Fix: Skip OpenSSLConf with BoringSSL since it is unsupported. (remm)
|
|
|
|
|
+ Fix: Create the HttpParser in Http11Processor if it is not present on
|
|
|
|
|
the AbstractHttp11Protocol to provide better lifecycle robustness for
|
|
|
|
|
regular HTTP/1.1. The new behavior was introduced on a previous
|
|
|
|
|
refactoring to improve HTTP/2 performance. (remm)
|
|
|
|
|
+ Fix: OpenSSLContext will now throw a KeyManagementException if something
|
|
|
|
|
is known to have gone wrong in the init method, which is the behavior
|
|
|
|
|
documented by javax.net.ssl.SSLContext.init. This makes error handling
|
|
|
|
|
more consistent. (remm)
|
|
|
|
|
+ Fix: 69316: Ensure that FastHttpDateFormat#getCurrentDate() (used to
|
|
|
|
|
generate Date headers for HTTP responses) generates the correct string
|
|
|
|
|
for the given input. Prior to this change, the output may have been
|
|
|
|
|
wrong by one second in some cases. Pull request #751 provided by Chenjp.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Add: Add server and serverRemoveAppProvidedValues to the list of
|
|
|
|
|
attributes the HTTP/2 protocol will inherit from the HTTP/1.1 connector
|
|
|
|
|
it is nested within. (markt)
|
|
|
|
|
+ Fix: Avoid possible crashes when using Apache Tomcat Native, caused by
|
|
|
|
|
destroying SSLContext objects through GC after APR has been terminated.
|
|
|
|
|
(remm)
|
|
|
|
|
+ Fix: Improve HTTP/2 handling of trailer fields for requests. Trailer
|
|
|
|
|
fields no longer need to be received before the headers of the
|
|
|
|
|
subsequent stream nor are trailer fields for an in-progress stream
|
|
|
|
|
swallowed if the Connector is paused before the trailer fields are
|
|
|
|
|
received. (markt)
|
|
|
|
|
+ Fix: Ensure the request and response are not recycled too soon for an
|
|
|
|
|
HTTP/2 stream when a stream level error is detected during the processing
|
|
|
|
|
of incoming HTTP/2 frames. This could lead to incorrect processing times
|
|
|
|
|
appearing in the access log. (markt)
|
|
|
|
|
+ Fix: Fix 69320, a regression in the fix for 69302 that meant the
|
|
|
|
|
HTTP/2 processing was likely to be broken for all clients once any
|
|
|
|
|
client sent an HTTP/2 reset frame. (markt)
|
|
|
|
|
+ Fix: Correct a regression in the fix for non-blocking reads of chunked
|
|
|
|
|
request bodies that caused InputStream.available() to return a non-zero
|
|
|
|
|
value when there was no data to read. In some circumstances this could
|
|
|
|
|
cause a blocking read to block waiting for more data rather than return
|
|
|
|
|
the data it had already received. (markt)
|
|
|
|
|
+ Add: Add a new attribute cookiesWithoutEquals to the Rfc6265CookieProcessor.
|
|
|
|
|
The default behaviour is unchanged. (markt)
|
|
|
|
|
+ Fix: Ensure that Tomcat sends a TLS close_notify message after receiving
|
|
|
|
|
one from the client when using the OpenSSLImplementation. (markt)
|
|
|
|
|
+ Fix: 69301: Fix trailer headers replacing non-trailer headers when writing
|
|
|
|
|
response headers to the access log. Based on a patch and test case
|
|
|
|
|
provided by hypnoce. (markt)
|
|
|
|
|
+ Fix: 69302: If an HTTP/2 client resets a stream before the request body is
|
|
|
|
|
fully written, ensure that any ReadListener is notified via a call to
|
|
|
|
|
ReadListener.onErrror(). (markt)
|
|
|
|
|
+ Fix: Correct regressions in the refactoring that added recycling of the
|
|
|
|
|
coyote request and response to the HTTP/2 processing. (markt)
|
|
|
|
|
+ Add: Add OpenSSL integration using the FFM API rather than Tomcat Native.
|
|
|
|
|
OpenSSL support may be enabled by adding the
|
|
|
|
|
org.apache.catalina.core.OpenSSLLifecycleListener listener on the
|
|
|
|
|
Server element when using Java 22 or later. (remm)
|
|
|
|
|
+ Fix: Ensure that HTTP/2 stream input buffers are only created when there
|
|
|
|
|
is a request body to be read. (markt)
|
|
|
|
|
+ Code: Refactor creation of HttpParser instances from the Processor level
|
|
|
|
|
to the Protocol level since the parser configuration depends on the
|
|
|
|
|
protocol and the parser is, otherwise, stateless. (markt)
|
|
|
|
|
+ Add: Align HTTP/2 with HTTP/1.1 and recycle the container internal
|
|
|
|
|
request and response processing objects by default. This behaviour can
|
|
|
|
|
be controlled via the new discardRequestsAndResponses attribute on the
|
|
|
|
|
HTTP/2 upgrade protocol. (markt)
|
|
|
|
|
|
|
|
|
|
* Jasper
|
|
|
|
|
+ Fix: Add back tag release method as deprecated in the runtime for
|
|
|
|
|
compatibility with old generated code. (remm)
|
|
|
|
|
+ Fix: 69399: Fix regression caused by the improvement 69333 which caused
|
|
|
|
|
the tag release to be called when using tag pooling, and to be skipped
|
|
|
|
|
when not using it. Patch submitted by Michal Sobkiewicz. (remm)
|
|
|
|
|
+ Fix: 69381: Improve method lookup performance in expression language.
|
|
|
|
|
When the required method has no arguments there is no need to consider
|
|
|
|
|
casting or coercion and the method lookup process can be simplified.
|
|
|
|
|
Based on pull request #770 by John Engebretson.
|
|
|
|
|
+ Fix: 69382: Improve the performance of the JSP include action by
|
|
|
|
|
re-using results of relatively expensive method calls in the generated
|
|
|
|
|
code rather than repeating them. Patch provided by John Engebretson.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: 69398: Avoid unnecessary object allocation in PageContextImpl.
|
|
|
|
|
Based on a suggestion by John Engebretson. (markt)
|
|
|
|
|
+ Fix: 69406: When using StringInterpreterEnum, do not throw an
|
|
|
|
|
IllegalArgumentException when an invalid Enum is encountered. Instead,
|
|
|
|
|
resolve the value at runtime. Patch provided by John Engebretson.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: 69429: Optimise EL evaluation of method parameters for methods
|
|
|
|
|
that do not accept any parameters. Patch provided by John Engebretson.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: 69333: Remove unnecessary code from generated JSPs. (markt)
|
|
|
|
|
+ Fix: 69338: Improve the performance of processing expressions that
|
|
|
|
|
include AND or OR operations with more than two operands and expressions
|
|
|
|
|
that use not empty. (markt)
|
|
|
|
|
+ Fix: 69348: Reduce memory consumption in ELContext by using lazy
|
|
|
|
|
initialization for the data structure used to track lambda arguments.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: Switch the TldScanner back to logging detailed scan results at debug
|
|
|
|
|
level rather than trace level. (markt)
|
|
|
|
|
|
|
|
|
|
* Web applications
|
|
|
|
|
+ Fix: The manager webapp will now be able to access certificates again
|
|
|
|
|
when OpenSSL is used. (remm)
|
|
|
|
|
+ Fix: Documentation. Align the logging configuration documentation with
|
|
|
|
|
the current defaults. (markt)
|
|
|
|
|
|
|
|
|
|
* WebSocket
|
|
|
|
|
+ Fix: If a blocking message write exceeds the timeout, don't attempt the
|
|
|
|
|
write again before throwing the exception. (markt)
|
|
|
|
|
+ Fix: An EncodeException being thrown during a message write should not
|
|
|
|
|
automatically cause the connection to close. The application should
|
|
|
|
|
handle the exception and make the decision whether or not to close the
|
|
|
|
|
connection. (markt)
|
|
|
|
|
|
|
|
|
|
* jdbc-pool
|
|
|
|
|
+ Fix: 69255: Correct a regression in the fix for 69206 that meant exceptions
|
|
|
|
|
executing statements were wrapped in a java.lang.reflect.UndeclaredThrowableException
|
|
|
|
|
rather than the application seeing the original SQLException. Fixed by
|
|
|
|
|
pull request #744 provided by Michael Clarke. (markt)
|
|
|
|
|
+ Fix: 69279: Correct a regression in the fix for 69206 that meant that
|
|
|
|
|
methods that previously returned a null ResultSet were returning a proxy
|
|
|
|
|
with a null delegate. Fixed by pull request #745 provided by Huub de Beer.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: 69206: Ensure statements returned from Statement methods
|
|
|
|
|
executeQuery(), getResultSet() and getGeneratedKeys() are correctly
|
|
|
|
|
wrapped before being returned to the caller. Based on pull request
|
|
|
|
|
#742 provided by Michael Clarke.
|
|
|
|
|
|
|
|
|
|
* Other
|
|
|
|
|
+ Update: Switch from DigiCert ONE to ssl.com eSigner for code signing.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Update: Update Byte Buddy to 1.15.10. (markt)
|
|
|
|
|
+ Update: Update CheckStyle to 10.20.0. (markt)
|
|
|
|
|
+ Add: Improvements to German translations. (remm)
|
|
|
|
|
+ Add: Improvements to French translations. (remm)
|
|
|
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
|
|
|
+ Add: Improvements to Chinese translations by Ch_jp. (markt)
|
|
|
|
|
+ Add: Exclude the tomcat-coyote-ffm.jar from JAR scanning by default.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Fix: Change the default log handler level to ALL so log messages are
|
|
|
|
|
not dropped by default if a logger is configured to use trace (FINEST)
|
|
|
|
|
level logging. (markt)
|
|
|
|
|
+ Update: Update Hamcrest to 3.0. (markt)
|
|
|
|
|
+ Update: Update EasyMock to 5.4.0. (markt)
|
|
|
|
|
+ Update: Update Byte Buddy to 1.15.0. (markt)
|
|
|
|
|
+ Update: Update CheckStyle to 10.18.0. (markt)
|
|
|
|
|
+ Update: Update the internal fork of Apache Commons BCEL to 6.10.0.
|
|
|
|
|
(markt)
|
|
|
|
|
+ Add: Improvements to Spanish translations by Fernando. (markt)
|
|
|
|
|
+ Add: Improvements to French translations. (remm)
|
|
|
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
|
|
|
+ Fix: Fix packaging regression with missing osgi information following
|
|
|
|
|
addition of the test-only build target. (remm)
|
|
|
|
|
+ Update: Update Tomcat Native to 1.3.1. (markt)
|
|
|
|
|
+ Update: Update Byte Buddy to 1.14.18. (markt)
|
|
|
|
|
+ Add: Improvements to French translations. (remm)
|
|
|
|
|
+ Add: Improvements to Japanese translations by tak7iji. (markt)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Thu Oct 3 13:17:03 UTC 2024 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
|
|
- Adapt the scripts to run also with javapackages-tools >= 6.3
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Sun Sep 29 19:42:03 UTC 2024 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
|
|
- Fix build after removal of the default %%{java_home} define
|
|
|
|
|
|
|
|
|
|
-------------------------------------------------------------------
|
|
|
|
|
Mon Jul 8 16:34:38 UTC 2024 - Fridrich Strba <fstrba@suse.com>
|
|
|
|
|
|
|
|
|
|
|
