--- - branch: MAIN date: Sat Jun 7 00:24:30 UTC 2014 files: - new: '1.19' old: '1.18' path: pkgsrc/www/apache-tomcat7/Makefile pathrev: pkgsrc/www/apache-tomcat7/Makefile@1.19 type: modified - new: '1.13' old: '1.12' path: pkgsrc/www/apache-tomcat7/distinfo pathrev: pkgsrc/www/apache-tomcat7/distinfo@1.13 type: modified id: 20140607T002430Z.175b6509f8a3aedb4de160abcda4668cdb6c9ef9 log: "Update to 7.0.54\n\n* Fix CVE-2014-0119\n\nChangelog:\nTomcat 7.0.54 (violetagg)\n\n \ Catalina\n\n fix\tFix custom UTF-8 decoder so that a byte of value 0xC1 is always rejected immediately as it is never valid in a UTF-8 byte sequence. Update UTF-8 decoder tests to account for UTF-8 decoding improvements in Java 8. The custom UTF-8 decoder is still required due to bugs in the UTF-8 decoder provided by Java. Java 8's decoder is better than Java 7's but it is still buggy. (markt)\n fix\t56027: Add more options for managing FIPS mode in the AprLifecycleListener. (schultz/kkolinko)\n fix\t56321: When a WAR is modified, undeploy the web application before deleting any expanded directory as the undeploy process may refer to classes that need to be loaded from the expanded directory. If the expanded directory is deleted first, any attempt to load a new class during undeploy will fail. (markt)\n fix\t56339: Avoid an infinite loop if an application calls session.invalidate() from the session destroyed event for that session. (markt)\n \ update\t56365: Simplify file name pattern matching code in StandardJarScanner. Ignore leading and trailing whitespace and empty strings when configuring patterns. Improve documentation. (kkolinko)\n fix\t56369: Ensure that removing an MBean notification listener reverts all the operations performed when adding an MBean notification listener. (markt)\n add\t56382: Information about finished deployment and its execution time is added to the log files. Patch is provided by Danila Galimov. 
(violetagg)\n add\t56383: Properties for disabling server information and error report are added to the org.apache.catalina.valves.ErrorReportValve. Based on the patch provided by Nick Bunn. (violetagg/kkolinko)\n fix\tOnly create XML parsing objects if required and fix associated potential memory leak in the default Servlet. (markt)\n fix\tModify generic exception handling so that StackOverflowError is not treated as a fatal error and can be handled and/or logged as required. (markt)\n fix\t56409: Avoid StackOverflowError on non-Windows systems if a file named \\ is encountered when scanning for TLDs. (markt)\n add\t56430: Extend checks for suspicious URL patterns to include patterns of the form *.a.b which are not valid patterns for extension mappings. (markt)\n add\tExtend XML factory, parser etc. memory leak protection to cover some additional locations where, theoretically, a memory leak could occur. (markt)\n fix\tEnsure that a TLD parser obtained from the cache has the correct value of blockExternal. (markt)\n fix\t56441: Raise the visibility of exceptions thrown when a problem is encountered calling a getter or setter on a component attribute. The logging level is raised from debug to warning. (markt)\n fix\t56451: Make resources accessed via a context alias accessible via JNDI in the same way standard resources are available. (markt)\n add\t56463: Property for disabling server information is added to the DefaultServlet. Server information is presented in the response sent to the client when directory listings are enabled. (violetagg)\n \ add\tAdd the org.apache.naming package to the packages requiring code to have the defineClassInPackage permission when running under a security manager. (markt)\n add\tAdd the org.apache.naming.resources package to the packages requiring code to have the accessClassInPackage permission when running under a security manager. (markt)\n fix\tMake the naming context tokens for containers more robust. 
Require RuntimePermission when introducing a new token. (markt/kkolinko)\n \ fix\t56472: Allow NamingContextListener to clean up on stop if its start failed. (kkolinko)\n add\t56492: Avoid eclipse debugger pausing on uncaught exceptions when tomcat renews its threads. (slaurent)\n fix\tMinor fixes to ThreadLocalLeakPreventionListener. Do not trigger threads renewal for failed contexts. Do not ignore threadRenewalDelay setting. Improve documentation. (kkolinko)\n \ fix\tCorrect regression introduced in r797162 that broke authentication of users when using the JAASMemoryLoginModule. (markt)\n fix\t56501: HttpServletRequest.getContextPath() should return the undecoded context path used by the user agent. (markt)\n fix\t56523: When using SPNEGO authentication, log the exceptions associated with failed user logins at debug level rather than error level. (markt)\n fix\t56536: Ensure that HttpSessionBindingListener.valueUnbound() uses the correct class loader when the SingleSignOn valve is used. (markt)\n\n Coyote\n\n add\t56399: Assert that both Coyote and Catalina request objects have been properly recycled. (kkolinko)\n \ fix\t56416: Correct documentation for default value of socket linger for the AJP and HTTP connectors. (markt)\n\n Jasper\n\n fix\t56334: Fix a regression in the handling of back-slash escaping introduced by the fix for 55735. (markt/kkolinko)\n fix\t56425: Improve method matching for EL expressions. When looking for matching methods, an exact match between parameter types is preferred followed by an assignable match followed by a coercible match. (markt)\n fix\tCorrect the handling of back-slash escaping in the EL parser and no longer require that \\$ or \\# must be followed by { in order for the back-slash escaping to take effect. (markt)\n fix\t56529: Avoid NoSuchElementException while handling attributes with empty string value in custom tags. Patch provided by Hariprasad Manchi. 
(violetagg)\n\n Cluster\n\n fix\tRemove cluster and replicationValve from cluster manager template. These instances are not necessary to template. (kfujino)\n \ fix\tAdd support for cross context session replication to org.apache.catalina.ha.session.BackupManager. (kfujino)\n fix\tRemove the unnecessary cross context check. It does not matter whether the context that is referenced by other context is set to crossContext=true. The context that refers to the different context must be set to crossContext=true. (kfujino)\n code\tMove to org.apache.catalina.ha.session.ClusterManagerBase common logics of org.apache.catalina.ha.session.BackupManager and org.apache.catalina.ha.session.DeltaManager. (kfujino)\n code\tSimplify the code of o.a.c.ha.tcp.SimpleTcpCluster. In order to add or remove cluster valve to Container, use pipeline instead of IntrospectionUtils. (kfujino)\n fix\tThere is no need to set cluster instance when SimpleTcpCluster.unregisterClusterValve is called. Set null than cluster instance for cleanup. (kfujino)\n code\tBackport refactoring of AbstractReplicatedMap to implement Map rather than extend ConcurrentHashMap to enable Tomcat 7 to be built with Java 8. (markt)\n\n WebSocket\n\n fix\t56343: Avoid a NPE if Tomcat's Java WebSocket 1.0 implementation is used with the Java WebSocket 1.0 API JAR from the reference implementation. (markt)\n fix\tIncrease the default maximum size of the executor used by the WebSocket implementation for call backs associated with asynchronous writes from 10 to 200. (markt)\n add\tAdd a warning if the thread group created for WebSocket asynchronous write call backs can not be destroyed when the web application is stopped. (markt)\n fix\tEnsure that threads created to support WebSocket clients are stopped when no longer required. This will happen automatically for WebSocket client connections initiated by web applications but stand alone clients must call WsWebSocketContainer.destroy(). 
(markt)\n fix\t56449: When creating a new session, add the message handlers to the session before calling Endpoint.onOpen() so the message handlers are in place should the onOpen() method trigger the sending of any messages. (markt)\n \ fix\t56458: Report WebSocket sessions that are created over secure connections as secure rather than as not secure. (markt)\n fix\tStop threads used for secure WebSocket client connections when they are no longer required and give them better names for easier debugging while they are running. (markt)\n\n Web applications\n\n fix\tAdd Support for copyXML attribute of Host to Host Manager. (kfujino)\n fix\tEnsure that \"name\" request parameter is used as an application base of host if \"webapps\" request parameter is not set when adding host in HostManager Application. (kfujino)\n fix\tCorrect documentation on Windows service options, aligning it with Apache Commons Daemon documentation. (kkolinko)\n update\t55215: Improve log4j configuration example. Clarify access logging documentation. Based on patches provided by Brian Burch. (kkolinko)\n \ update\t55383: Backport improved HTML markup for tables and code fragments from Tomcat 8 documentation. (kkolinko)\n fix\t56418: Ensure that the Manager web application does not report success for a web application deployment that fails. (slaurent)\n fix\tFix target and rel attributes on links in documentation. They were lost during XSLT transformation. (kkolinko)\n update\tImprove valves documentation. Split valves into groups. (kkolinko)\n\n Other\n\n fix\tAlign DisplayName of Tomcat installed by service.bat with one installed by the *.exe installer. Print a warning in case neither server nor client jvm is found by service.bat. (kkolinko)\n update\t56363: Update to version 1.1.30 of Tomcat Native library. (schultz)\n update\tUpdate package renamed Apache Commons BCEL to r1593495 to pick up some additional changes for Java 7 support and some code clean up. 
(markt)\n add\tIn tests: allow to configure directory where JUnit reports and access log are written to. (kkolinko)\n" module: pkgsrc subject: 'CVS commit: pkgsrc/www/apache-tomcat7' unixtime: '1402100670' user: ryoon