Now
MAIN commitmail json YAML
Update apache-tomcat8 to 8.0.36
Huge number of fixes listed at
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
Highlights of fixes:
* Fix: RMI Target related memory leaks are avoidable which makes them
an application bug that needs to be fixed rather than a JRE bug to
work around. Therefore, start logging RMI Target related memory
leaks on web application stop. Add an option that controls if the
check for these leaks is made. Log a warning if running on Java 9
with this check enabled but without the command line option it
requires. (markt)
* Fix: Ensure NPE will not be thrown during deployment when scanning
jar files without MANIFEST.MF file. (violetagg)
* Fix: 59604: Correct the assumption made in the URL decoding that
the default platform encoding is always compatible with ISO-8859-1.
This assumption is not always valid, e.g. on z/OS. (markt)
* Fix: 59608: Skip over any invalid Class-Path attribute from JAR
manifests. Log errors at debug level due to many bad libraries.
(remm)
* Fix: Ensure that requests with HTTP method names that are not
tokens (as required by RFC 7231) are rejected with a 400 response.
(markt)
* Fix: When an asynchronous request is processed by the AJP
connector, ensure that request processing has fully completed
before starting the next request. (markt)
* Fix: If an async dispatch results in the completion of request
processing, ensure that any remaining request body is swallowed
before starting the processing of the next request else the
remaining body may be read as the start of the next request leading
to a 400 response. (markt)
* Fix: Fix a memory leak in the expression language implementation
that caused the class loader of the first web application to use
expressions to be pinned in memory. (markt)
* Fix: Correctly configure the base path for a resources directory
provided by an expanded JAR file. Patch provided by hengyunabc.
(markt)
* Fix: 59317: Ensure that HttpServletRequest.getRequestURI() returns
an encoded URI rather than a decoded URI after a dispatch. (markt)
Highlights of non-fixes:
* Update: Update the internal fork of Commons DBCP 2 to r1743696
(2.1.1 plus additional fixes). (markt)
* Update: Update the internal fork of Commons Pool 2 to r1743697
(2.4.2 plus additional fixes). (markt)
* Update: Update the internal fork of Commons File Upload to r1743698
(1.3.1 plus additional fixes). (markt)
* Update: Update the option code coverage tool Cobertura to 2.1.1 so
it is easier to compare the change in lines of code between 8.0.x
and 9.0.x. (markt)
* Add: Add a new environment variable JSSE_OPTS that is intended to
be used to pass JVM wide configuration to the JSSE implementation.
The default value is -Djdk.tls.ephemeralDHKeySize=2048 which
protects against weak Diffie-Hellman keys with Java 8. (markt)
* Update: Exclude ciphers that use RSA keys from the default cipher
list since they do not support forward secrecy. (markt)
* Update: Update the packaged version of the Tomcat Native Library to
1.2.7 to pick up the Windows binaries that are based on OpenSSL
1.0.2h and APR 1.5.2. (markt)
Huge number of fixes listed at
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
Highlights of fixes:
* Fix: RMI Target related memory leaks are avoidable which makes them
an application bug that needs to be fixed rather than a JRE bug to
work around. Therefore, start logging RMI Target related memory
leaks on web application stop. Add an option that controls if the
check for these leaks is made. Log a warning if running on Java 9
with this check enabled but without the command line option it
requires. (markt)
* Fix: Ensure NPE will not be thrown during deployment when scanning
jar files without MANIFEST.MF file. (violetagg)
* Fix: 59604: Correct the assumption made in the URL decoding that
the default platform encoding is always compatible with ISO-8859-1.
This assumption is not always valid, e.g. on z/OS. (markt)
* Fix: 59608: Skip over any invalid Class-Path attribute from JAR
manifests. Log errors at debug level due to many bad libraries.
(remm)
* Fix: Ensure that requests with HTTP method names that are not
tokens (as required by RFC 7231) are rejected with a 400 response.
(markt)
* Fix: When an asynchronous request is processed by the AJP
connector, ensure that request processing has fully completed
before starting the next request. (markt)
* Fix: If an async dispatch results in the completion of request
processing, ensure that any remaining request body is swallowed
before starting the processing of the next request else the
remaining body may be read as the start of the next request leading
to a 400 response. (markt)
* Fix: Fix a memory leak in the expression language implementation
that caused the class loader of the first web application to use
expressions to be pinned in memory. (markt)
* Fix: Correctly configure the base path for a resources directory
provided by an expanded JAR file. Patch provided by hengyunabc.
(markt)
* Fix: 59317: Ensure that HttpServletRequest.getRequestURI() returns
an encoded URI rather than a decoded URI after a dispatch. (markt)
Highlights of non-fixes:
* Update: Update the internal fork of Commons DBCP 2 to r1743696
(2.1.1 plus additional fixes). (markt)
* Update: Update the internal fork of Commons Pool 2 to r1743697
(2.4.2 plus additional fixes). (markt)
* Update: Update the internal fork of Commons File Upload to r1743698
(1.3.1 plus additional fixes). (markt)
* Update: Update the option code coverage tool Cobertura to 2.1.1 so
it is easier to compare the change in lines of code between 8.0.x
and 9.0.x. (markt)
* Add: Add a new environment variable JSSE_OPTS that is intended to
be used to pass JVM wide configuration to the JSSE implementation.
The default value is -Djdk.tls.ephemeralDHKeySize=2048 which
protects against weak Diffie-Hellman keys with Java 8. (markt)
* Update: Exclude ciphers that use RSA keys from the default cipher
list since they do not support forward secrecy. (markt)
* Update: Update the packaged version of the Tomcat Native Library to
1.2.7 to pick up the Windows binaries that are based on OpenSSL
1.0.2h and APR 1.5.2. (markt)