--- - branch: MAIN date: Thu Mar 17 21:22:56 UTC 2011 files: - new: '1.18' old: '1.17' path: pkgsrc/www/apache-tomcat55/Makefile pathrev: pkgsrc/www/apache-tomcat55/Makefile@1.18 type: modified - new: '1.8' old: '1.7' path: pkgsrc/www/apache-tomcat55/PLIST pathrev: pkgsrc/www/apache-tomcat55/PLIST@1.8 type: modified - new: '1.8' old: '1.7' path: pkgsrc/www/apache-tomcat55/distinfo pathrev: pkgsrc/www/apache-tomcat55/distinfo@1.8 type: modified id: 20110317T212256Z.51700d76482190465dc61b5a19017b4b4c0ae893 log: "Update www/apache-tomcat55 to 5.5.33\n\n- Addresses SA http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0013\n- Added LICENSE entry to pkgsrc\n- Drop MAINTAINERship\n- Changes since 5.5.28 below\n\nTomcat 5.5.33 (jim)\n\nGeneral\n\n fix\tFix permissions of version.sh in bin tarball. (rjung)\n fix\t45332, 45852, 50140: Backport numerous improvements to the Windows installer. Specify the correct encoding (the current Windows code page) rather than assuming UTF-8 when creating tomcat-users.xml - 45332, 45852. Update install/uninstall icons. Create an installation log. Allow 32-bit JVMs to be selected when installing on a 64-bit platform. Do not ignore install directory if it is specified with the command line switch on 64-bit platforms - 50140. Add support for the /? command line switch. Replace the .ini files with the script equivalents. Provide the ability to edit the roles for the added user. Clean up fully after installation. Add DetailPrint statements for operations that may take time. Improve the descriptions of the components. (kkolinko, mturk, markt)\n add\tAdd roles (admin-gui, admin-script, manager-gui, manager-script, manager-jmx, manager-status) to the Manager, Host Manager and Admin applications to allow more fine-grained control of permissions. The old roles are deprecated but will still work in the same way. (kkolinko)\n\nCatalina\n\n \ fix\tImprove HTTP specification compliance in support of Accept-Language header. 
(kkolinko)\n fix\t50620: Stop exceptions that occur during Session.endAccess() from preventing the normal completion of Request.recycle(). (markt/kkolinko)\n\nCoyote\n\n \ update\tRemove JSSE13Factory, JSSE13SocketFactory classes, as Tomcat 5.5 always runs on JRE 1.4 or later. (kkolinko)\n fix\t50325: When the JVM indicates support for RFC 5746, disable Tomcat's allowUnsafeLegacyRenegotiation configuration attribute and use the JVM configuration to control renegotiation. (markt/kkolinko)\n\nTomcat 5.5.32 (jim)\treleased 2011-02-01\n\nGeneral\n\n update\tUpdate to Commons Daemon 1.0.5. (mturk)\n update\tUpdate to commons-pool 1.5.5. (markt)\n fix\tEnsure POM files have correct line endings in source distributions. (rjung/markt)\n\nCatalina\n\n \ add\t43960: Expose available property of StandardWrapper via JMX. (markt)\n \ fix\t50131: Avoid possible NPE in debug output in PersistentValve. Patch provided by sebb. (kkolinko)\n fix\t50413: Ensure 304s are not returned when using static files as error pages. (markt/kkolinko)\n fix\tAvoid unnecessary cast in StandardContext. (markt)\n fix\t50460: Avoid a possible memory leak caused by using a cached exception instance. (kkolinko)\n fix\t50550: When a new directory is created (e.g. via WebDAV) ensure that a subsequent request for that directory does not result in a 404 response. (markt/kkolinko)\n\nCoyote\n\n fix\t47913: Return the IP address rather than null for getRemoteHost() with the APR connector if the IP address does not resolve. (markt)\n fix\t49521: Disable scanning for a free port in Jk AJP/1.3 connector by default. Do not change maxPort field value of ChannelSocket in its setPort() and init() methods. Add support for maxPort attribute on a Connector element as a synonym for channelSocket.maxPort. (kkolinko)\n\nJasper\n\n \ fix\t49935: Handle compilation of recursive tag files. (markt)\n\nCluster\n\n \ fix\tImprove sending an access message in DeltaManager. 
The maxInactiveInterval of the session, not of the Manager, is used. If maxInactiveInterval is negative, an access message is not sent. (kfujino)\n fix\t50547: Add time stamp for CHANGE_SESSION_ID message and SESSION_EXPIRED message. (kfujino)\n\nWebapps\n\n add\t50294: Add more information to documentation regarding format of configuration files. Patch provided by Luke Meyer. (markt)\n update\tImprove documentation of database connection factory. (rjung)\n fix\tImprove filtering of Manager display output. (kkolinko)\n update\tConfigure the Admin, Manager and Host-Manager web applications to use HttpOnly flag for their session cookies. (kkolinko)\n\nTomcat 5.5.31 (jim)\treleased 2010-09-16\n\nGeneral\n\n fix\tAdd svn:executable property to some script files and remove it from non-executable files. (rjung)\n\nCatalina\n\n fix\t38113 Add system property (ALLOW_EMPTY_QUERY_STRING) to allow spec compliant handling of query string. (markt/kkolinko/jim)\n fix\tReturn a copy of the URL being used from the webapp class loader, not the original array. (kkolinko/markt)\n \ fix\t49749: Use HttpOnly flag of current context when generating a Single-Sign-On cookie. (markt)\n\nCoyote\n\n fix\t49718: Fix regression in previous fix for 46984 caused by the patch being applied to the wrong section of code. The regression caused HTTP 0.9 requests to fail. (markt)\n\nWebapps\n\n fix\t49585: Update JSVC documentation to reflect new packaging of Commons Daemon. (markt)\n fix\t49774: Add support for SSL with either JSSE or APR based connectors to the admin app. (markt)\n\nCluster\n\n fix\tAdd Null check when CHANGE_SESSION_ID message received. (kfujino)\n\nTomcat 5.5.30 (jim)\treleased 2010-07-09\n\nGeneral\n\n update\tUpdate to Commons Daemon 1.0.2. Use service launcher (procrun) from the Commons Daemon release. Do not keep a copy of it in our source tree. (mturk/kkolinko)\n update\tUpdate to NSIS 2.46. (kkolinko)\n update\tUpdate to Apache Commons DBCP 1.3. 
(markt)\n \ fix\t48840: Swallow output (if any) from use of cd when determining $CATALINA_HOME in catalina.sh and tool-wrapper.sh scripts. Based on patch provided by mdietze. (markt/kkolinko)\n fix\t49236: Do not use indexing when packing Tomcat JARs. (kkolinko)\n fix\t48990: Build windows distributions correctly on Linux and add support for the skip.installer property. (kkolinko)\n\nCatalina\n\n fix\tFix CVE-2010-1157. Prevent possible disclosure of host name or IP address via the HTTP WWW-Authenticate header when using BASIC or DIGEST authentication. (markt)\n \ fix\t44041, 48694: Fix duplicate class definition under load. Avoid possible deadlock in class loading. (markt/kkolinko)\n fix\t47774: Ensure web application class loader is used when calling session listeners. (kfujino)\n update\t48179: Improve error handling when reading or writing TLD cache file (\"tldCache.ser\"). (kkolinko)\n fix\t49398: ByteChunk.indexOf(String, int, int, int) could not find a string of length 1. (kkolinko)\n fix\tEnsure all required i18n messages are present for the APR/native Listener. (kkolinko)\n fix\tFix possible overflows when calculating session statistics. (kkolinko)\n fix\t49424: Avoid NPE if client provides no data with a chunked POST request. (markt)\n fix\tMinor code cleanup in AccessLogValve and FastCommonAccessLogValve classes. (kkolinko)\n\nCoyote\n\n \ fix\tArrange filter logic. (jfclere)\n fix\t48613: Only attempt APR/native connector initialization if the Listener element has been specified in server.xml. (fhanik/kkolinko)\n fix\t48843: Prevent possible deadlock and correct queue handling for worker allocation in APR connectors. (kkolinko)\n fix\tUse chunked encoding for http 1.1 responses with no content-length (regardless of keep-alive) so client can differentiate between complete and partial responses. (markt)\n\nJasper\n\n \ fix\t42390, 48616: Fix compilation error with some nested tag files and simple tags. 
Do not declare or synchronize scripting variables for JSP fragments since they are scriptless. (kkolinko)\n fix\t47878: Return “404”s rather than a permanent “500” if a JSP is deleted. Make sure first response after deletion is correct. (markt/kkolinko)\n fix\t48701: Add a system property to allow disabling enforcement of JSP.5.3. The specification recommends, but does not require, this enforcement. (kkolinko)\n fix\t48580: Prevent AccessControlException when running under a security manager if the first access is to a JSP that uses a FunctionMapper. (markt/kknko)\n fix\t49196: Avoid NullPointerException in PageContext.getErrorData() if an error-handling JSP page is called directly. (kkolinko)\n\nCluster\n\n \ fix\t48717: When a node joins a cluster and it receives all the current sessions, ensure the sessionCreated event is fired if the Manager is configured to replicate session events. (markt)\n fix\t49170: Do not send duplicated session. (kfujino)\n \ fix\t49445: When session ID is changed after authentication, ensure the DeltaManager replicates the change in ID to the other nodes in the cluster. (kfujino)\n\nWebapps\n\n \ add\tBackport documentation stylesheet improvements from Tomcat 6: use CSS styles to provide printer-friendly layout, support generation of TOC tables, support links revision numbers, use underscores instead of spaces in anchor names. (kkolinko)\n\nTomcat 5.5.29 (fhanik)\treleased 2010-04-20\n\nGeneral\n\n add\t37847: Make location and filename of catalina.out configurable in catalina.sh. (fhanik/kkolinko)\n \ fix\t47609: Provide fail-safe EOL conversion for build process. (sebb/markt/kkolinko)\n \ fix\t47689: Enable the test Ant target to work. (markt)\n fix\t47712: Loading tcnative was broken in 5.5.28. (rjung)\n fix\tCorrect CVE-2009-3548. When installed via the Windows installer and using defaults, don't create an administrative user with a blank password. 
Additionally, the administrative user is only created if the manager or host-manager web applications are selected for installation. (markt/kkolinko)\n \ update\tDeprecate the jni Buffer and Thread classes. (rjung)\n update\tInclude 32-bit and 64-bit versions of Tomcat Native DLLs into the Windows installer, instead of downloading them from a web site during install, and allow it to automatically select the correct one for the current platform. (kkolinko/mturk)\n update\tUpdate Windows installer to use NSIS 2.45. (kkolinko)\n update\tUpdate to commons-pool 1.5.4. This fixes regressions in 1.5.2. (markt)\n fix\tAlign server.xml installed by the Windows installer with the one bundled in zip/tar.gz archives. (kkolinko)\n \ fix\tEncode all property files using ascii escaped UTF-8. (rjung)\n fix\tCorrect MD5 generation in the build process. (kkolinko)\n\nCatalina\n\n fix\t37848: Re-fix. Don't display info output when there is no terminal. (markt)\n fix\t39231: Call LoginModule.logout() when using JAASRealm. (markt/kkolinko)\n fix\t39844: Fix NPE when performing a non-HTTP forward. (billbarker)\n fix\t41059: Reduce the chances of errors when using ENABLE_CLEAR_REFERENCES. Patch by Curt Arnold. (markt)\n add\t45255: Add the ability to change session ID on authentication to protect against session fixation attacks. This is disabled by default. (markt/kkolinko)\n \ fix\t46967: Better handling of errors when trying to use Manager.randomFile. Based on a patch by Kirk Wolf. (kkolinko)\n fix\t47518: Correct reference in Valve Javadoc that referred to an old method. Patch provided by Christopher Schultz. (markt)\n fix\t47537: Return an error page rather than a zero length 200 response if the forward to the login or error page fails during FORM authentication. (markt)\n \ fix\t47718: Fix file descriptor leak on context stop/reload. Patch provided by George Sexton. 
(markt)\n fix\t47826: Correct error in debug message in org.apache.catalina.Bootstrap (markt)\n fix\t47963: Ensure that any HTTP status messages are compliant with RFC2616. (markt/kkolinko)\n fix\t47997: Enable the NamingResourcesMBean to work with non-Server (i.e. Context) containers. Patch provided by Michael Allman. (markt)\n fix\t48004: Allow applications to set the Server header. (markt)\n \ fix\t48007: Improve exception processing in CustomObjectInputStream. (kkolinko)\n \ fix\t48049: Fix copy and paste error so NamingContext.destroySubContext() works correctly. Patch provided by gingyang.xu (markt)\n update\t48097: Make WebappClassLoader not swallow AccessControlException. (kkolinko)\n fix\t48097: Avoid throwing an AccessControlException which can lead to a NoClassDefFoundError on first access of first jsp. (kkolinko/markt)\n fix\t48322: Single quote characters are not HTTP separators and should not be treated as such in the cookie handling. (markt)\n add\tProvide an option to allow the use of equals characters in cookie values. (markt)\n fix\t48516: Prevent NPE in JNDIRealm if requested user does not exist. Patch provided by Kevin Conaway. (markt)\n fix\t48577: Filter URL when displaying missing included page. (markt)\n fix\t48760: Remove race condition that can result in multiple threads trying to use the same InputStream. (markt)\n \ fix\tAdd an additional permission required by JULI when running under newer JDKs and a security manager. (markt)\n fix\tClose resource stream in WebappClassLoader after read error. (pero)\n fix\tDo not swallow exceptions in ApplicationContextFacade.doPrivileged() (kkolinko)\n fix\tVarious related (un)deploy improvements including: better handling of failed (un)deployment; adding checking for invalid zip file entries that don't make sense in a WAR file; and improved validation of WAR file names. 
These changes address CVE-2009-2693, CVE-2009-2901 and CVE-2009-2902.\n\nCoyote\n\n \ fix\t43327: Allow APR/native connector to work correctly on systems when IPv6 is enabled. (markt)\n fix\t46950: Support SSL renegotiation with APR/native connector. Note that this requires APR/native 1.1.17 or later. (markt)\n fix\t47225: Fix error in calculation of a buffer length in the mapper. (markt)\n fix\t47744: Prevent a medium term memory leak if using SSL with the JSSE provider and also using a security manager. Based on a patch by Greg Vanore. (markt)\n fix\t47987: Limit size of not found resources cache. (markt)\n fix\t48109: Ensure InputStream is closed in WebappClassLoader on error conditions. (markt)\n fix\t48311: APR should not be initialised if the APR life-cycle listener is not enabled. (markt)\n \ fix\t48581: Avoid security exception on first access. (markt)\n fix\t48584: Prevent the APR connector logging an error if the acceptor fails during shutdown since this is expected. (mturk)\n fix\tCVE-2009-3555. Provide option to disable legacy SSL renegotiation. (markt/costin)\n fix\tFix Windows installer to bundle an up-to-date version of native/APR with it. When asked to install TC-Native it was downloading some very old (1.1.4) version of it from the HEAnet site. (kkolinko)\n \ update\tUpdate the native/APR library version bundled with Tomcat to 1.1.20. (kkolinko)\n update\tUpdate recommended version for native to 1.1.19. (rjung)\n \ fix\tRemove unneeded line from the method that normalizes decodedURI. (kkolinko)\n\nJasper\n\n \ fix\t38797: Fix regression in previous fix for this bug. (markt)\n fix\t41661: Fix thread safety issue in JspConfig.init() (markt)\n fix\t41824: Need to use canonical rather than binary form when writing code. (markt)\n fix\t46907: Don't swallow input stream when debug logging is enabled. (markt)\n fix\t48582: Avoid NPE on background compile. 
(markt)\n\nCluster\n\n fix\tDeltaManager needs to replicate changed attributes even if session gets invalidated. Otherwise session listeners will not see the right data on the secondary nodes. (rjung)\n fix\tRemove unnecessary Java5 dependencies. (markt)\n fix\t46384: Correct synchronisation issue that could lead to a cluster member disappearing permanently. (markt)\n fix\t47554: Include httpOnly attribute when re-writing session cookie after fail over. (markt)\n\nWebapps\n\n \ fix\t41564: Add some information on installing Tomcat as a service on operating systems with User Account Control, e.g. Vista. (markt)\n fix\t47656: Add information to documentation on system property replacement in configuration files. (markt)\n \ fix\t47769: Clarify the JNDI docs with respect to use of and related elements, specifically when they are required and when they may be omitted. (markt)\n fix\t48381: Add information on how Tomcat treats host names to the host configuration documentation. (markt)\n add\t48530: Add information on the Manager Server Status page to the Manager How-To in the documentation webapp. Based on a patch by Arnaud Espy. (markt)\n add\t48532: Add information to the BIO/NIO SSL configuration page in the documentation web application to specify how the defaults for the various trust store attributes are determined. (markt)\n \ fix\t48686: Fix deleting a host via the Administration web application rather than failing with a HTTP 500 response. (markt)\n add\tMake changelog.xml be directly rendered as HTML by certain browsers. (kkolinko)\n\nTomcat 5.5.28 (fhanik)\treleased 2009-09-04\n\nGeneral\n\n fix\t39194: Make the setting of the classpath consistent for the .sh and .bat startup scripts. (markt/kkolinko)\n fix\t45880: Include NOTICE file in Windows installer and make sure src files are excluded. (markt)\n \ update\tUpdate to NSIS 2.44 (kkolinko)\n update\tBuild scripts: Use different values for ${tomcat-dbcp.home} and ${jasper-compiler-jdt.home} in tomcat-deps. 
Fix download task checks for commons-pool and commons-dbcp. (kkolinko)\n add\tAdd the 64-bit windows service binaries to the distribution and get the Windows installer to automatically select the correct one for the current platform. (markt/kkolinko)\n \ update\tUpdate to commons-pool 1.5.2. This includes various fixes to prevent deadlocks, reduce syncs and make object allocation occur fairly - i.e. objects are allocated to threads in the order that the threads request them. This fixes a number of issues with the version of DBCP embedded within Tomcat. (markt)\n \ update\tUpdate Tomcat Windows service application (procrun) to version 2.0.5. It contains a fix for issue 41538 (mturk)\n fix\t47149: Explicitly specify encoding when performing filtering during copy, fixcrlf or replace operations in build scripts. Don't add blank lines to files when fixing line endings. Explicitly specify encoding when compiling. (kkolinko)\n fix\t47464: Some class files were accidentally included into the source distributions of TC 5.5.27. (kkolinko)\n \ docs\tDocument that building Tomcat requires Ant 1.6.2 or later. (kkolinko)\n\nCatalina\n\n \ fix\t37458: Fix sync error that may lead to NPE in rare circumstances. Patch by Konstantin Kolinko. (markt)\n fix\t37498: Fall back to container log if application log is unavailable during context destruction. (markt)\n fix\t37794: Handle POSTed parameters when sent with chunked encoding. (markt)\n fix\t37984: Strip {MD5} as well as {SHA} if present in digest passwords in LDAP directories. (markt)\n fix\t38553: A lack of certificates is normal if a user doesn't have a certificate. Return a 401 rather than a 400 in this case. (markt)\n fix\t38570: When checking docBase against appBase, make sure we check for an exact match against the appBase. (markt)\n fix\t39013: When testing for an invalid docBase, use an exact match for the appBase. (markt)\n fix\t39396: Only include TRACE in an OPTIONS response if we know it has been enabled. 
(markt)\n fix\tRemove wrong \"No role found\" realm debug log message, even if a role was found. (rjung)\n \ fix\t39997: Add the SSLRandomSeed option to the AprLifecycleListener to enable faster starts on development systems. (markt)\n fix\t40380: Fix potential synchronization issue in StandardSession.expire(). (markt)\n fix\t41407: JAAS Realm now works with CLIENT-CERT authentication. (markt)\n add\t42419: Add a system property that enables the name of the session cookie and session path parameter to be configured. (markt)\n fix\t42579: Support both relative and absolute search results in the JNDI Realm implementation. Patch provided by Brandon DuRette. (markt)\n fix\t42707: Make adding a host alias via JMX take effect immediately. (markt)\n fix\t43343: Correctly handle requesting a session we are in the middle of persisting. Based on a suggestion by Wade Chandler. (markt/kkolinko)\n add\t44382: Add support for using httpOnly for session cookies. This is disabled by default. (markt/fhanik)\n \ fix\t45576: JAAS Realm now works with DIGEST authentication. (markt)\n fix\t45628: JARs that do not declare any dependencies should always be considered as fulfilled. (markt)\n fix\t45933: Don't use a web application provided parser to process TLD files. (markt)\n fix\t45996: Add Accept-Ranges header to responses from the DefaultServlet with an option to disable it. (markt)\n fix\t46105: Correctly set URI encoding when replaying a request after FORM authentication. (markt)\n \ fix\t46408: Correct possible invalid case in SecurityUtil. (markt)\n fix\t46552: Return a 400 response rather than a 200 response if the request headers are too large. (markt)\n fix\t46597: Port all cookie handling changes from Tomcat 6.0.x. (markt)\n fix\t46606: Make max depth limit for WebDAV servlet configurable. (markt)\n fix\t46717: Fix hard to reproduce thread safety issue with session expiration. (markt)\n fix\t46982: Fix DST problem with AccessLogValve. 
(markt)\n \ fix\tImprove handling of situation where web application tries to configure logging at the context level but the security policy prevents this. (markt/rjung)\n \ fix\tFix an information disclosure vulnerability in a number of the Realms that allowed user enumeration when using FORM authentication. This is CVE-2009-0580. (markt)\n fix\tFix various WebDAV compliance issues identified by the Litmus test suite. (markt)\n fix\tUse a better default (webapps) for a Host's appBase. (idarwin/markt)\n fix\t44943: Reduce copy/paste issues caused by different engine names in server.xml. (markt, kkolinko)\n fix\tRemove obsolete classpath entry for commons-logging from start script. It is already present in the classpath set by the manifest in bootstrap.jar. (rjung)\n fix\t38483: Thread safety issues in AccessLogValve classes. (kkolinko)\n add\tAllow log file encoding to be configured for JULI FileHandler. (kkolinko)\n\nJasper\n\n fix\t36923: Parse deactivated EL expressions correctly. (markt)\n fix\t37084: Fix JspC compilation with Ant when compiling JSPs that use a custom taglib. (markt/kkolinko)\n fix\t37515: Add options for Java 1.6 and 1.7 to the JDT compiler. (markt)\n fix\t38197: Fix tag pooling when tags are used with jsp:attribute. (markt)\n fix\t38352: Make the directory defined by javax.servlet.context.tempdir readable for JSPs when running under a security manager as required by the specification. (markt)\n \ fix\t38797: Revert previous fix for 37933 and implement a new fix that does not have the side effects described in 38797.\n fix\t38897: Add uri of broken TLD to error message to aid debugging. (markt)\n fix\t41606: Fix double initialisation of JSPs. Patch provided by Chris Halstead. (markt)\n fix\t45666: Fix infinite loop on include. Patch provided by Tom Wadzinski. (markt)\n fix\t46354: Fix ArrayIndexOutOfBoundsException when using org.apache.jasper.runtime.BodyContentImpl.LIMIT_BUFFER=true. Patch provided by Konstantin Kolinko. 
(markt)\n fix\t46909: Only include semi-colon in type attribute for when it is required. (markt)\n\nCluster\n\n \ fix\tFix minor memory leak found by find bugs. (markt, rjung)\n fix\t40551: Enable the JvmRouteBinderValve to work with PersistentManagers as well as clustering. Patch by Chris Chandler. (markt)\n fix\t46357: Corrected test for host's parent must be an engine. (markt, rjung)\n update\t45317: Properly log the value of the state transfer timeout flag. (fhanik, rjung)\n fix\t45279: Properly close multicast socket. (fhanik, rjung)\n fix\t45447: Add Spanish resource files. Patch provided by Jesus Marin. (markt, rjung)\n fix\t46990: Fix synchronization issues in cluster membership reported by FindBugs. Patch provided by Sebb. (markt, rjung)\n fix\t47389: DeltaManager doesn't do session replication if notifySessionListenersOnReplication=false. Patch by Keiichi Fujino. (fhanik, rjung)\n fix\tSeparate statistics counter lock in FastAsyncSocketSender from inherited DataSender lock to reduce blocking during failed node detection. (rjung)\n fix\tHandle situation session ID rewriting on fail-over with parallel requests from the same client. (pero)\n fix\t43641: Use of bind attribute for membership element breaks multicast. (rjung)\n\nWebapps\n\n \ fix\tFix CVE-2009-0781. XSS in calendar example. (markt)\n fix\t36574: Fix broken PDFs. (markt)\n fix\t39603: Admin app only showed ROOT web application when clustering was enabled. (markt)\n fix\t47032: Fix /status/all in Manager webapp when using the PersistentManager. (markt)\n fix\t47235: Remove use of autoReconnect from MySQL examples. (mark)\n fix\t46509: Use correct link on error page in JSP security example. Patch provided by Michael Moody. (markt)\n \ fix\t46562: Close file when reading has finished when using SSI. (markt)\n\nCoyote\n\n \ fix\t37869: Correctly extract client certificates, including the full certificate chain when using the APR/native HTTP connector. 
(markt)\n fix\t39637: Correctly extract client certificates, including the full certificate chain when using the AJP connectors. Patch by Patrik Schnellmann. (markt)\n update\tSet remote port for AJP connectors from the optional request attribute AJP_REMOTE_PORT. (rjung)\n \ fix\t45026: Never return an empty HTTP status reason phrase. mod_jk and httpd 2.x do not like that. (rjung)\n fix\t45528: An invalid SSL configuration could cause an infinite logging loop on startup. (markt)\n fix\t46984: Reject requests with invalid HTTP methods with a 400 rather than a 501. (markt)\n update\tUpdate the APR/native connector to 1.1.16. (markt, kkolinko)\n fix\tCorrect potential DOS issue in Java AJP connector when processing invalid request headers. This is CVE-2009-0033. (markt)\n fix\tMake DateTool thread safe. (fhanik)\n" module: pkgsrc subject: 'CVS commit: pkgsrc/www/apache-tomcat55' unixtime: '1300396976' user: abs