--- - branch: MAIN date: Mon Apr 11 21:35:36 UTC 2022 files: - new: '1.12' old: '1.11' path: pkgsrc/www/apache-tomcat9/Makefile pathrev: pkgsrc/www/apache-tomcat9/Makefile@1.12 type: modified - new: '1.12' old: '1.11' path: pkgsrc/www/apache-tomcat9/distinfo pathrev: pkgsrc/www/apache-tomcat9/distinfo@1.12 type: modified - new: '1.9' old: '1.8' path: pkgsrc/www/apache-tomcat9/PLIST pathrev: pkgsrc/www/apache-tomcat9/PLIST@1.9 type: modified id: 20220411T213536Z.19ea2320490d733652b24addf850d9215586bda5 log: | contains mitigation for the Spring4Shell vulnerability Upstream changelog: Tomcat 9.0.62 (remm) Catalina Add: Effectively disable the WebappClassLoaderBase.getResources() method as it is not used and if something accidently exposes the class loader this method can be used to gain access to Tomcat internals. (markt) Tomcat 9.0.61 (remm) Catalina Code: Harden the CredentialHandler implementations by switching to a constant-time implementation for credential comparisons. (schultz/markt) Coyote Fix: Use a constant for the default TLS cipher suite. This will allow skipping setting it in some cases (for example, it does not make sense for OpenSSL TLS 1.3). (remm) Fix: #487: Improve logging of unknown settings frames. Pull request by Thomas Hoffmann. (remm) Add: 65975: Add a warning if a TLS virtual host is configured with optional certificate authentication and the containing connector is also configured to support HTTP/2 as HTTP/2 does not permit optional certificate authentication. (markt) Add: 65975: Add a warning if a TLS virtual host is configured for TLS 1.3 with a JSSE implementation and a web application is configured for CLIENT-CERT authentication. CLIENT-CERT authentication requires post-handshake authentication (PHA) when used with TLS 1.3 but the JSSE TLS 1.3 implementation does not support PHA. (markt) Fix: Improve the recycling of Processor objects to make it more robust. (markt) Jasper Fix: 65959: Serialize Function as String[] rather Class[]. (remm) Web applications Fix: 65952: Align --add-opens configuration for jsvc with the current Tomcat scripts. (markt) Fix: Correct the AJP and HTTP/1.1 Connector configuration pages in the documentation web application to show which attributes are applicable to all Connectors and which are implementation specific. (markt) Other Fix: Correct a spelling mistake in the German translations. Thanks to Thomas Hoffmann. (markt) Fix: 65951: Use the tomcat.output property for OSGi bundle manifest paths. (isapir) Update: Update to Commons Daemon 1.3.0. (markt) Update: Update to Checkstyle 10.0. (markt) Update: Update to SpotBugs 4.6.0. (markt) Add: Expand the spotbugs Ant task to also cover test code. (markt) Update: Update to bnd 6.2.0. (markt) Update: Remove OSGi annotations dependency as it is no longer required with bnd 6.2.0. (markt) Code: Refactor the resource files for the Apache Tomcat installer for Windows so that all the resource files are located in a single directory in the source tree. (markt) Update: Update the packaged version of the Tomcat Native Library to 1.2.32 to pick up Windows binaries built with OpenSSL 1.1.1n.(markt) Add: Improvements to Chinese translations contributed by 15625988003. (markt) Add: Improvements to French translations. (remm) Add: Improvements to Japanese translations contributed by tak7iji. (markt) Add: Expand coverage of translations for jakarta.el package. Based on #488 from Volodymyr Siedlecki. (markt) 2022-03-14 Tomcat 9.0.60 (remm) Catalina Fix: 65921: The type substitution flag for the rewrite valve should set the content type for the response, not the request. (markt) Fix: #479: Enable the rewrite valve to redirect requests when the original request cannot be mapped to a context. This typically happens when no ROOT context is defined. Pull request by elkman. (markt) Fix: 65940: Fix NullPointerException if an exception occurs during the destruction of a Servlet. (markt) Coyote Fix: Fix regression introduced with 65757 bugfix which better identified non request threads but which introduced a similar problem when user code was doing sequential operations in a single thread. Test case code submitted by Istvan Szekely. (remm) Fix: Fix potential thread-safety issue that could cause HTTP/1.1 request processing to wait, and potentially timeout, waiting for additional data when the full request has been received. (markt) Fix: Throw IOException rather than IllegalStateException when the application attempts to write to an HTTP/2 stream after the client has closed the stream. (markt) Jasper Fix: When resolving methods in EL expressions that use beans and/or static fields, ensure that any custom type conversion is considered when identifying the method to call. (markt) Web applications Fix: Correct the name of the value attribute in the new documentation of OpenSSLConfCmd elements. (rjung) 2022-02-28 Tomcat 9.0.59 (remm) Catalina Add: Add ha-api-*.jar and jaxws-rt-*.jar to the list of JARs to skip when scanning for TLDs, web fragments and annotations. (michaelo) Add: Expand the default mappings used by ServletResponse.setLocale() to include a mapping from the ja locale to the Shift_JIS encoding. (markt) Fix: 65806: Improve the handling of session ID generation when the default algorithm for SecureRandom (SHA1PRNG) is not supported by the configured providers as will be the case for a FIPS compliant configuration. (markt) Fix: #464: Fall back to the class loader used to load JULI when the thread context class loader is not set. In a normal Tomcat configuration, this will be the system class loader. Based on a pull request by jackshirazi. (markt) Fix: #469: Include the Java Annotations API in the classes that Tomcat will not load from web applications. Pull request provided by ppkarwasz. (markt) Add: #472: Add support for additional user attributes to TomcatPrincipal and GenericPrincipal. Patch provided by Carsten Klein. (michaelo) Fix: Fix a potential StringIndexOutOfBoundsException exception when generating a WebDAV multi-status response after an error during a copy or delete. Report the paths relative to the server root for any resources with an error. (markt) Fix: Improve the format of WebDAV XML responses to make them easier for humans to read. The change ensures that there is always a line break before starting a new element. (markt) Fix: Improve validation of the Destination header for WebDAV MOVE and COPY requests. (markt) Coyote Fix: Correct a regression in the fix for 65454 that meant that minSpareThreads and maxThreads settings were ignored when the Connector used an internal executor. (markt) Fix: 65776: Improve the detection of the Linux duplicate accept bug and reduce (hopefully avoid) instances of false positives. (markt) Fix: 65848: Revert the change that attempted to align the behaviour of client certificate authentication with NIO or NIO2 with OpenSSL for TLS between MacOS and Linux/Windows as the root cause was traced to configuration differences. (markt) Fix: #467: When system time moves backwards (e.g. after clock correction), ensure that the cached formatted current date used for HTTP headers tracks this change. Pull request provided by zhenguoli. (markt) Jasper Fix: #474: Prevent a tag file from corrupting the ELContext of the calling page. Pull request provided by Dmitri Blinov. (markt) Fix: Minor optimisation of serialization for FunctionMapperImpl in response to pull request #476. (markt) Web applications Fix: Remove the applet example from the example web application as applets are no longer supported in any major browser. (markt) Code: Refactor a small number of pages in the examples web application to avoid an issue with reproducible builds due to differences in file ordering across different operating systems with Ant's zip task. (markt) Fix: Better documentation for the protocol attribute of the JNDIRealm. (markt) Fix: Clarify the settings described in the documentation web application to configure a cluster using static membership. (markt) Add: Add information on the OpenSSLConf and OpenSSLConfCmd elements to the HTTP SSL configuration page in the documentation web applications. (markt) jdbc-pool Code: Use LF line endings for text files in JARs to support reproducible builds across different operating systems. (markt) Other Code: Switch to building with Java 11 and using --release to target Java 8. Once back-ported to all currently supported branches, this will reduce the number of Java versions developers need to juggle. (markt) Code: Use LF line endings for text files in JARs to support reproducible builds across different operating systems. (markt) Fix: Fix dependencies for individual test targets in Ant build file. Based on #468 provided by Totoo chenyonghui. (markt) Update: Update the OWB module to Apache OpenWebBeans 2.0.26. (remm) Fix: Revert the cherry-pick of JavaDoc fix from DBCP applied in 9.0.57 that broke the DataSourceMXBean by using a type that isn't supported by MXBeans. (markt) 2022-01-20 Tomcat 9.0.58 (remm) Coyote Fix: Correct a regression in the fix for 65785 that broke HTTP/2 server push. (markt) not released Tomcat 9.0.57 (remm) Catalina Fix: Add additional locking to DataSourceUserDatabase to provide improved protection for concurrent modifications. (markt) Fix: Add recycling check in the input and output stream isReady to try to give a more informative ISE when the facade has been recycled. (remm) Update: Remove the deprecated JmxRemoteLifecycleListener. (markt) Fix: Make the calculation of the session storage location more robust when using file based persistent storage. (markt) Coyote Fix: 65726: Implement support for HTTP/1.1 upgrade when the request includes a body. The maximum permitted size of the body is controlled by maxSavePostSize. (markt) Fix: Restore pre-starting of minSpareThreads lost in the fix for 65454. (markt) Fix: Revert the previous fix for 65714 and implement a more comprehensive fix. (markt) Fix: 65757: Missing initial IO listener notification on Servlet container dispatch to another container thread. (remm) Fix: Expand the fix for 65757 so that rather than just checking if processing is happening on a container thread, the check is now if processing is happening on the container thread currently allocated to this request/response. (markt) Fix: Improve the fix for RST frame ordering added in 9.0.56 to avoid a potential deadlock on some systems in non-default configurations. (markt) Add: 65767: Add support for certificates that use keys encrypted using PBES2. Based on a pull request provided by xiezhaokun. (markt) Code: Refactor testing whether a String is a valid HTTP token. (markt) Fix: 65785: Perform additional validation of HTTP headers when using HTTP/2. (markt) Fix: When a Connector or Endpoint is paused, ensure that only new connections and new requests on existing connections are stopped while allowing in progress requests to run to completion. (markt) Fix: Explicitly release ByteBuffer instances associated with pooled channels when stopping the NioEndpoint and Nio2Endpoint. (markt) Fix: Narrow the scope of the logging of invalid cookie headers to just the invalid cookie rather than the whole cookie header. (markt) Jasper Fix: 65724: Fix missing messages for some PropertyNotWritableExceptions caused by a typo in the name used for a resource string. (markt) Add: Add support for specifying Java 18 (with the value 18) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the default will used. (markt) WebSocket Add: Add support for POJO WebSocket endpoints to the programmatic upgrade that allows applications to opt to upgrade an HTTP connection to WebSocket. (markt) Fix: 65763: Improve handling of WebSocket connection close if a message write times out before the message is fully written. (markt) Other Update: Update the OWB module to Apache OpenWebBeans 2.0.25. (remm) Update: Update the CXF module to Apache CXF 3.5.0. (remm) Add: Improvements to Chinese translations contributed by zhnnn. (markt) Add: Improvements to French translations. (remm) Add: Improvements to Japanese translations contributed by Shirayuking, yoshy and tak7iji. (markt) Add: Improvements to Korean translations. (woonsan) Update: Update SpotBugs to 4.5.2. (markt) Update: Update the NSIS installer to 3.08. (markt) Update: Update UnboundID to 6.0.3. (markt) Update: Update CheckStyle to 9.2.1. (markt) Update: Update BND to 6.1.0. (markt) Update: Update OSGI annotations to 1.1.1. (markt) 2021-12-02 Tomcat 9.0.56 (remm) Catalina Fix: Make SPNEGO authentication more robust for the case where the provided credential has expired. (markt) Fix: 65684: Fix a potential NullPointerException when using JULI. (markt) Docs: Document conditions under which the AprLifecycleListener can be used to avoid JVM crashes. (michaelo) Fix: Refactor the AsyncFileHandler to reduce the possibility of log messages being lost on shutdown. (markt) Update: Refactor the AsyncFileHandler to remove the need for the org.apache.juli.AsyncLoggerPollInterval. If set, this property now has no effect. (markt) Add: Add debug logging to the RestCsrfPreventionFilter. Based on pull request #452 by Polina Georgieva. (markt) Add: 65710: Implement a workaround for a JVM bug that can trigger a file descriptor leak when using multi-part upload and the application does not explicitly close an input stream for an uploaded file that was cached on disk. (markt) Coyote Fix: Improve error handling if APR/Native fails to attach TLS capabilities to a TLS enabled client connection. (markt) Fix: Improve error handling if APR/Native fails to accept an incoming connection. (markt) Add: Provide protection against a known OS bug that causes the acceptor to report an incoming connection more than once. (markt) Fix: Avoid unnecessary duplicate read registrations for blocking I/O with the NIO connector. (markt) Fix: 65677: Improve exception handling for errors during HTTP/1.1 reads with NIO2. (markt) Fix: Refactor APR/native connector shutdown to remove a potential source of JVM crashes on shutdown when sendfile is used. (markt) Fix: When an error occurs that triggers a stream reset, ensure that the first RST frame sent to the client is the one associated with the error that triggered the reset. (markt) Fix: 65714: Fix exceptions when the security manager is enabled and the first request received after starting is an HTTP request to a TLS enabled NIO2 connector. (markt) Add: Ensure that using NIO or NIO2 with OpenSSL for TLS behaves the same way on MacOS as it does on Linux and Windows when no trusted certificate authorities are configured and reject all client certificates. (markt) Fix: Avoid a potential deadlock during the concurrent processing of incoming HTTP/2 frames for a stream and that stream being reset. (markt) Other Fix: Switch from Cobertura to JaCoCo for code coverage as Cobertura does not support code coverage for code compiled for Java 11 onwards. It also removes the need to use a single thread to run the tests. (markt) 2021-11-10 Tomcat 9.0.55 (remm) Catalina Fix: Improve robustness of JNDIRealm for exceptions occurring when getting the connection. Also add missing close when running into issues getting the passord of a user. (remm) Docs: Add Javadoc comment which listeners must be nested whithin Server elements only. (michaelo) Add: Add support for custom caching strategies for web application resources. This initial implementation allows control over whether or not a resource is cached. (markt) Update: Log warning if a listener is not nested inside a Server element although it must have been. (michaelo) Coyote Code: Improve performance of Connector shutdown - primarily to reduce the time it takes to run the test suite. (markt) Fix: Refactor the APR/native connector shutdown to reduce the possibility of a JVM crash during the connector shutdown. (markt) Add: #457: Add a toString() method to MimeHeader to aid debugging. (dblevins) Add: Add experimental OpenSSL support through the Panama API incubating in Java 17, with support for OpenSSL 1.1+. This no longer requires tomcat-native or APR. Please refer to the openssl-java17 module from the main branch for more details. (remm) Fix: Fix APR connector stop so it correctly waits for the sendfile thread, if any, to exit. (markt) Fix: Do not ignore the error condition if the APR connector is not able to open a server socket as continuing in this case will trigger a JVM crash. (markt) Fix: Fix a potential JVM crash when using the APR/Native connector with TLS. A crash could occur if the connector was stopped whilst a connection was performing a TLS handshake. (markt) Jasper Update: Regenerate the EL parser using JavaCC 7.0.10. (markt) Fix: Fix a bug that prevented the EL parser correctly parsing a literal Map that used variables rather than literals for both keys and values. (markt) WebSocket Update: Add a new method WsServerContainer.upgradeHttpToWebSocket() to align with the new method that will be available from WebSocket 2.1 onwards. (markt) Tribes Fix: #454: Differentiate warning messages in KubernetesMembershipProvider so that the missing attribute is clear to the user. PR provided by Hal Deadman. (markt) 2021-10-01 Tomcat 9.0.54 (remm) Catalina Fix: Provide the DataSource in the constructor of DataSourceUserDatabase, since it is always global. (remm) Fix: Fix delete then create object manipulations with DataSourceUserDatabase. (remm) Fix: 65553: Implement a work-around for a JRE bug that can trigger a memory leak when using the JNDI realm. (markt) Fix: 65586: Fix the bloom filter used to improve performance of archive file look ups in the web resources implementation so it works correctly for directory lookups whether or not the provided directory name includes the trailing /. (markt) Fix: #451: Improve the usefulness of the thread name cache used in JULI. Pull request provided by t-gergely. (markt) Coyote Fix: 65563: Correct parsing of HTTP Content-Range headers. Tomcat was incorrectly requiring an = character after bytes. Fix based on pull request #449 by Thierry Gu辿rin. (markt) Fix: Correct a potential StackOverflowException with HTTP/2 and sendfile. (markt) Fix: Further improvements in the management of the connection flow control window. This addresses various bugs that caused streams to incorrectly report that they had timed out waiting for an allocation from the connection flow control window. (markt) Fix: 65577: Fix a AccessControlException reporting when running an NIO2 connector with TLS enabled. (markt) Update: Reclassify TLS ciphers that use AESCCM8 as medium security rather than high security to align with recent changes in OpenSSL. (markt) Fix: Fix an issue that caused some Servlet non-blocking API reads of the HTTP request body to incorrectly use blocking IO. (markt) Jasper Fix: Fix the implementation of MethodExpression.getMethodInfo() so that it returns the expected value rather than failing when the method expression is defined with the parameter values in the expression rather than the types being passed explicitly to ExpressionFactory.createMethodExpression(). (markt) WebSocket Fix: The internal upgrade handler should close the associated WebConnection on destroy. (remm) Web applications Fix: Clarify the JASPIC configuration options in the documentation web application. (markt) Other Fix: 65585: Update obsolete comments at the start of the build.properties.default file. (markt) 2021-09-10 Tomcat 9.0.53 (remm) Catalina Fix: Enable Tomcat to start if an (old) XML parser is configured that does not support allow-java-encodings. A warning will be logged if such an XML parser is detected. (markt) Fix: Change the behaviour of custom error pages. If an error occurs after the response is committed, once the custom error page content has been added to the response the connection is now closed immediately rather than closed cleanly. i.e. the last chunk that marks the end of the response body is no longer sent. This acts as an additional signal to the client that the request experienced an error. (markt) Fix: 65479: When handling requests using JASPIC authentication, ensure that PasswordValidationCallback.getResult() returns the result of the password validation rather than always returning false. Fixed via pull request #438 provided by Robert Rodewald. (markt) Code: Refactor the authenticators to delegate the check for preemptive authentication to the individual authenticators where an authentication scheme specific check can be performed. Based on pull request #444 by Robert Rodewald. (markt) Update: Improve the reusability of the UserDatabase by adding intermediate concrete implementation classes and allowing to do partial database updates on save. (remm) Add: Add a UserDatabase implementation as a superset of the DataSourceRealm functionality. (remm) Fix: Make sure the dynamic Principal returned by UserDatabaseRealm stays up to date with the database contents, and add an option to have it be static, similar to the other realms. (remm) Add: Add derby-*.jar to the list of JARs to skip when scanning for TLDs, web fragments and annotations. (markt) Fix: #447. Correct JPMS metadata for catalina.jar. Pull request provided by Hui Wang. (markt) Coyote Fix: Correct a logic error that meant setting certificateKeystoreFile to NONE did not have the expected effect. NONE was incorrectly treated as a file path. Patch provided by Mikael Sterner. (markt) Fix: 65505: When an HTTP header value is removed, ensure that the order of the remaining header values is unchanged. (markt) WebSocket Fix: 65506: Fix write timeout check that was using the read timeout value. Patch submitted by Gustavo Mahlow. (remm) Web applications Fix: Remove unnecessary Context settings from the examples web application. (markt) Fix: Document default value for unpackWARs and related clean-up. Pull request #439 provided by Robert Rodewald. (markt) Fix: Clarify the documentation of the compressionMinSize and compressibleMimeType HTTP Connector attributes. Pull request #442 provided by crisgeek. (markt) Other Fix: Fix failing build when building on non-English locales. Pull request #441 provided by Dachuan J. (markt) Update: Update to JSign version 4.0 to enable code signing without the need for the installation of additional client tools. (markt) Add: Update the internal fork of Apache Commons BCEL to 40d5eb4 (2021-09-01, 6.6.0-SNAPSHOT). Code clean-up only. (markt) Add: Update the internal fork of Apache Commons Codec to fd44e6b (2021-09-01, 1.16-SNAPSHOT). Minor refactoring. (markt) Update: Add Apache Derby 10.14.2.0 to the testsuite dependencies, for JDBC and DataSource testing. (remm) Add: 65661: Update the internal fork of Apache Commons FileUpload to 33d2d79 (2021-09-01, 2.0-SNAPSHOT). Refactoring and code clean-up. As a result of Commons File Upload now using java.nio.file.Files, applications using multi-part uploads need to ensure that the JVM is configured with sufficient direct memory to store all in progress multi-part uploads. (markt) Add: Update the internal fork of Apache Commons Pool to 2.11.1 (2021-08-17). Improvements, code clean-up and refactoring. (markt) Add: Update the internal fork of Apache Commons DBCP to 2.9.0 (2021-08-03). Improvements, code clean-up and refactoring. (markt) Update: Update the packaged version of the Tomcat Native Library to 1.2.31 to pick up Windows binaries built with OpenSSL 1.1.1l.(markt) Update: Switch to the CDN as the primary download location for ASF dependencies. (markt) Add: Improvements to Chinese translations contributed by syseal, wolibo, ZhangJieWen and DigitalFatCat. (markt) Add: Improvements to Japanese translations contributed by tak7iji. (markt) Add: Improvements to Korean translations. (woonsan) 2021-08-06 Tomcat 9.0.52 (remm) Catalina Code: 65476: Correct an error in some code clean-up that mean that web application classes were not configured with the correct package. (markt) not released Tomcat 9.0.51 (remm) Catalina Fix: 65411: Always close the connection when an uncaught NamingException occurs to avoid connection locking. Submitted by Ole Ostergaard. (remm) Fix: 65433: Correct a regression in the fix for 65397 where a StringIndexOutOfBoundsException could be triggered if the canonical path of the target of a symlink was shorter than the canonical path of the directory in which the symlink had been created. Patch provided by Cedomir Igaly. (markt) Add: 65443: Refactor the CorsFilter to make it easier to extend. (markt) Fix: To avoid unnecessary cache revalidation, do not add an HTTP Expires header when setting adding an HTTP header of CacheControl: private. (markt) Coyote Fix: When writing an HTTP/2 response via sendfile (only enabled when useAsyncIO is true) the connection flow control window was sometimes ignored leading to various error conditions. sendfile now checks both the stream and connection flow control windows before writing. (markt) Add: Add debug logging for writing an HTTP/2 response via sendfile. (markt) Fix: Correct bugs in the HTTP/2 connection flow control management that meant it was possible for a connection to stall waiting for a connection flow control window update that had already arrived. Any streams on that connection that were trying to write when this happened would time out. (markt) Fix: 65448: When using TLS with NIO, it was possible for a blocking response write to hang just before the final TLS packet associated with the response until the connection timed out at which point the final packet would be sent and the connection closed. (markt) Fix: 65454: Fix a race condition that could result in a delay to a new request. The new request could be queued to wait for an existing request to finish processing rather than the thread pool creating a new thread to process the new request. (markt) Fix: 65460: Correct a regression introduced in the previous release in the change to reduce the number of small HTTP/2 window updates sent for streams. A logic error meant that small window updates for the connection were dropped. This meant that the connection flow window slowly reduced over time until nothing could be sent. (markt) Web applications Fix: 65404: Correct a regression in the fix for 63362 that caused the server status page in the Manager web application to be truncated if HTTP upgrade was used such as when starting a WebSocket connection. (markt) Other Add: Improvements to Chinese translations contributed by ZhangJieWen and chengzheyan. (markt) Add: Improvements to French translations. (remm) Add: Improvements to Japanese translations contributed by tak7iji. (markt) Add: Improvements to Korean translations. (woonsan) Fix: Use of GraalVM native images no longer automatically disables JMX support. JMX support may still be disabled by calling org.apache.tomcat.util.modeler.Registry.disableRegistry(). (markt) 2021-07-02 Tomcat 9.0.50 (remm) Jasper Fix: Jakarta to Javax backport issue in tests. (remm) not released Tomcat 9.0.49 (remm) Catalina Code: Refactor the RemoteIpValve to use the common utility method for list to comma separated string conversion. (markt) Code: Refactor JNDIRealm$JNDIConnection so its fields are accessible to sub-classes of JNDIRealm. (markt) Fix: Fix serialization warnings in UserDatabasePrincipal reported by SpotBugs. (markt) Fix: 65397: Calls to ServletContext.getResourcePaths() no longer include symbolic links in the results unless allowLinking has been set to true. If a resource is skipped because of this change, a warning will be logged as this typically indicates a configuration issue. (markt) Coyote Fix: 65368: Improve handling of clean closes of inbound TLS connections. Treat them the same way as clean closes of non-TLS connections rather than as unknown errors. (markt) Fix: Modify the HTTP/2 connector not to sent small updates for stream flow control windows to the user agent as, depending on how the user agent is written, this may trigger small writes from the user agent that in turn trigger the overhead protection. Small updates for stream flow control windows are now combined with subsequent flow control window updates for that stream to ensure that all stream flow control window updates sent from Tomcat are larger than overheadWindowUpdateThreshold. (markt) Add: Add additional debug logging to track the current state of the HTTP/2 overhead count that Tomcat uses to detect and close potentially malicious connections. (markt) Update: Many HTTP/2 requests from browsers will trigger one overhead frame and one non-overhead frame. Change the overhead calculation so that a non-overhead frame reduces the current overhead count by 2 rather than 1. This means that, over time, the overhead count for a well-behaved connection will trend downwards. (markt) Update: Change the initial HTTP/2 overhead count from -10 to -10 * overheadCountFactor. This means that, regardless of the value chosen for overheadCountFactor, when a connection opens 10 overhead frames in a row will be required to trigger the overhead protection. (markt) Update: Increase the default overheadCountFactor from 1 to 10 and change the reduction in overhead count for a non-overhead frame from -2 to -20. This allows for a larger range (0-20) to be used for overheadCountFactor providing for finer-grained control. (markt) Fix: Modify the parsing of HTTP header values that use the 1#token to ignore empty elements as per RFC 7230 section 7 instead of treating the presence of empty elements as an error. (markt) Fix: Expand the unit tests for HttpServlet.doHead() and correct the flushing of the response buffer. The buffer used to behave as if it was one byte smaller than the configured size. The buffer was flushed (and the response committed if required) when the buffer was full. The buffer is now flushed (and the response committed if required) if the buffer is full and there is more data to write. (markt) Fix: Fix an issue where concurrent HTTP/2 writes (or concurrent reads) to the same connection could hang and eventually timeout when async IO was enabled (it is enabled by default). (markt) Jasper Fix: 65390: Correct a regression in the fix for 65124 and restore code that was removed in error leading to JSP compilation failures in some circumstances. (markt) Update: Update to the Eclipse JDT compiler 4.20. (markt) Add: Add support for specifying Java 17 (with the value 17) as the compiler source and/or compiler target for JSP compilation. If used with an Eclipse JDT compiler version that does not support these values, a warning will be logged and the latest supported version will used. (markt) Fix: 65377: Update the Java code generation for JSPs not to use the boxed primitive constructors as they have been deprecated in Java 9 and marked for future removal in Java 16. valueOf() is now used instead. (markt) WebSocket Code: Refactor the DigestAuthenticator to reuse a shared SecureRandom instance rather than create a new one to generate the cnonce if required. (markt) Web applications Fix: 65385: Correct the link in the documentation web application the Maven Central repository. (markt) Other Update: Update the OWB module to Apache OpenWebBeans 2.0.23. (remm) Update: Update the CXF module to Apache CXF 3.4.4. (remm) Fix: 65369 / #422: Add the additional --add-opens=... options required for running Tomcat on Java 16 onwards to the service.bat script to align it with the other start-up scripts. PR provided by MCMicS. (markt) Update: Update JUnit to version 4.13.2. (markt) Update: Update EasyMock to 4.3. (markt) Update: Update Objenesis to 3.2. (markt) Update: Update UnboundID to 6.0.0. (markt) Update: Update CheckStyle to 8.43. (markt) Update: Update SpotBugs to 4.2.3. (markt) Update: Update OSGi annotations to 1.1.0. (markt) 2021-06-15 Tomcat 9.0.48 (remm) Coyote Fix: Regression when generating reflection due to removed NIO classes in 9.0.47. (remm) Other Add: Use JSign to integrate the build script with the code signing service to enable release builds to be created on Linux as well as Windows. (markt) not released Tomcat 9.0.47 (remm) Catalina Fix: 65301: RemoteIpValve will now avoid getting the local host name when it is not needed. (remm) Fix: 65308: NPE in JNDIRealm when no userRoleAttribute is given. (fschumacher) Add: #412: Add commented out, sample users for the Tomcat Manager app to the default tomcat-users.xml file. Based on a PR by Arnaud Dagnelies. (markt) Add: #418: Add a new option, pass-through, to the default servlet's useBomIfPresent initialization parameter that causes the default servlet to leave any BOM in place when processing a static file and not to use the BOM to determine the encoding of the file. Based on a pull request by Jean-Louis Monteiro. (markt) Update: Add cookieName attribute to the SSO valve to configure the SSO cookie name. (remm) Fix: #419: When processing POST requests of type multipart/form-data for parts without a filename that are added to the parameter map in String form, check the size of the part before attempting conversion to String. Pull request provided by tianshuang. (markt) Fix: 62912: Don't mutate an application provided content header if it does not contain a charset. Also remove the outdated workaround for the buggy Adobe Reader 9 plug-in for IE. (markt) Fix: AprLifecycleListener does not show dev version suffix for libtcnative and libapr. (michaelo) Update: Refactor principal handling in UserDatabaseRealm using an inner class that extends GenericPrincipal. (remm) Fix: Enable the default doHead() implementation in HttpServlet to correctly handle responses where the content length needs to be represented as a long since it is larger than the maximum value that can be represented by an int. (markt) Fix: Avoid synchronization on roles verification for the memory UserDatabase. (remm) Fix: Fix the default doHead() implementation in HttpServlet to correctly handle responses where the Servlet calls ServletResponse.reset() and/or ServletResponse.resetBuffer(). (markt) Fix: Fix the default doHead() implementation in HttpServlet to correctly handle responses generated using the Servlet non-blocking API. (markt) Coyote Add: 64943: Add support for Unix Domain Sockets to org.apache.coyote.http11.Http11AprProtocol. Depends on tomcat-native 1.2.26 and up. (minfrin) Fix: 65303: Fix a possible NullPointerException if an error occurs on an HTTP/1.1 connection being upgraded to HTTP/2 or on a pushed HTTP/2 stream. (markt) Fix: 65311: Fix a race condition in the NioBlockingSelector that could cause a delay to select operations. (markt) Update: Simplify AprEndpoint socket bind for all platforms. (michaelo) Update: Add back simplification of NIO block read and write, now better validated in Tomcat 10. (remm) Fix: Optimize NIO selector handling for Java 11. (remm) Fix: 65340: Add missing check for a negative return value for Hpack.decodeInteger in the HpackDecoder, which could cause a NegativeArraySizeException exception. Submitted by Thomas, and verified the fix is present in the donated hpack code in a further update. (remm) Add: Add debug logging for HTTP/2 HPACK header decoding. (markt) Fix: Correct parsing of HTTP headers consisting of a list of tokens so that a header with an empty token is treated consistently regardless of whether the empty token is at the start, middle or end of the list of tokens. (markt) Fix: Remove support for the identity transfer encoding. The inclusion of this encoding in RFC 2616 was an error that was corrected in 2001. Requests using this transfer encoding will now receive a 501 response. (markt) Fix: Process transfer encoding headers from both HTTP 1.0 and HTTP 1.1 clients. (markt) Fix: Ensure that if the transfer encoding header contains the chunked, that the chunked encoding is the final encoding listed. (markt) Jasper Code: Review code used to generate Java source from JSPs and tags and remove code found to be unnecessary. (markt) Code: Refactor use of internal ChildInfo class to use compile time type checking rather than run time type checking. (markt) Fix: 65358: Improve expression language method matching for methods with varargs. Where multiple methods may match the provided parameters, the method that requires the fewest varargs is preferred. (markt) Add: 65332: Add a commented out section in catalina.policy that provides the necessary permissions to compile JSPs with javac when running on Java 9 onwards with a security manager. It is commented out as it will cause errors if used with earlier Java versions. (markt) WebSocket Fix: 65317: When using permessage-deflate, the WebSocket connection was incorrectly closed if the uncompressed payload size was an exact multiple of 8192. Based on a patch provided by Saksham Verma. (markt) Fix: 65342: Correct a regression introduced with the fix for 65262 that meant Tomcat's WebSocket implementation would only work with Tomcat's implementation of the Java EE WebSocket API. (markt) Web applications Fix: Improve the description of the maxConnections and acceptCount attributes in the Connector section of the documentation web application. (markt) Other Add: Improvements to French translations. (remm) Add: Improvements to Korean translations. (woonsan) Fix: 65362: Correct a regression in the previous release. The change to create OSGi Require-Capability sections in manifests for Jakarta API JARs manually rather than with bnd annotations did not add the necessary manual entries to the embedded JARs. (markt) Update: Update the packaged version of the Tomcat Native Library to 1.2.30. Also update the minimum recommended version to 1.2.30. (markt) 2021-05-12 Tomcat 9.0.46 (markt) Catalina Fix: Allow APR connector creation using the listener with the flag and the default HTTP/1.1 protocol. (rjung/remm) Code: Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK for Java. (markt) Fix: 65224: Ensure the correct escaping of attribute values and search filters in the JNDIRealm. (markt) Fix: 65235: Add missing attributes to the MBean descriptor file for the RemoteIpValve. (markt) Fix: 65244: HandlesTypes should include classes that use the specified annotation types on fields or methods. (remm) Fix: 65251: Correct a regression introduced in 9.0.44 that meant that the auto-deployment process may attempt a second, concurrent deployment of a web application that is being deployed by the Manager resulting in one of the deployments failing and errors being reported. (markt) Fix: Improve the SSLValve so it is able to handle escaped client certificate headers from Nginx. Based on a patch by Florent Guillaume. (markt) Coyote Fix: Ensure that all HTTP requests that contain an invalid character in the protocol component of the request line are rejected with a 400 response rather than some requests being rejected with a 505 response. (markt) Fix: When generating the error message for an HTTP request with an invalid request line, ensure that all the available data is included in the error message. (markt) Fix: 65272: Restore the optional HTTP feature that allows LF to be treated as a line terminator for the request line and/or HTTP headers lines as well as the standard CRLF. This behaviour was previously removed as a side-effect of the fix for CVE-2020-1935. (markt) Jasper Code: Review code used to generate Java source from JSPs and tags and remove code found to be unnecessary. (markt) Update: entries in web.xml that include a element and a negative element that is not the default value of -1 will no longer be loaded at start-up. This makes it possible to define a that will not be loaded at start-up. (markt) Fix: Allow the JSP configuration option useInstanceManagerForTags to be used with Tags that are implemented as inner classes. (markt) WebSocket Code: Refactor the way Tomcat passes path parameters to POJO end points to simplify the code. (markt) Fix: 65262: Refactor the creation of WebSocket end point, decoder and encoder instances to be more IoC friendly. Instances are now created via the InstanceManager where possible. (markt) Web applications Fix: 65235: Correct name of changeLocalName in the documentation for the RemoteIpValve. (markt) Fix: 65265: Avoid getting the boot classpath when it is not available in the Manager diagnostics. (remm) Other Fix: Create OSGi Require-Capability sections in manifests for Jakarta API JARs manually rather than via the aQute.bnd.annotation.spi.ServiceConsumer annotation as this triggers TCK failures for downstream consumers of the API JARs. (markt) Update: Update the packaged version of the Tomcat Native Library to 1.2.28. (markt) Update: Update the OWB module to Apache OpenWebBeans 2.0.22. (remm) Update: Update the CXF module to Apache CXF 3.4.3. (remm) Fix: Move SystemPropertySource to be a regular class to allow more precise configuration if needed. The system property source will still always be enabled. (remm) Add: Improvements to Chinese translations. Provided by bytesgo. (mark) Add: Improvements to French translations. (remm) Add: Improvements to Korean translations. (woonsan) 2021-04-06 Tomcat 9.0.45 (markt) Catalina Fix: Avoid NPE when a JNDI reference cannot be resolved in favor of a NamingException. (remm) Fix: Avoid using reflection for setting properties on the webapp classloader. Based on a patch submitted by Romain Manni-Bucau. (remm) Coyote Fix: Improve consistency of OpenSSL error stack handling in the TLS engine, and log all errors found as debug. (remm) Fix: Ensure that HTTP/2 streams are only recycled once as multiple attempts to recycle an HTTP/2 stream may result in NullPointerExceptions. (markt) Code: Simplify the closing on an HTTP/2 stream when an error condition is present. (markt) Fix: 64771: Prevent concurrent calls to ServletInputStream.isReady() corrupting the input buffer. (markt) Fix: 65179: Ensure that the connection level flow control window from the client to the server is updated when handling DATA frames received for completed streams else the flow control window may become exhausted. (markt) Fix: 65203: Fix a regression introduced in 9.0.44 that meant that an error during an asynchronous read broke all future asynchronous reads associated with the same request instance. (markt) Fix: Disable keep-alive when inconsistent content delimitation is present in a request. (remm) Jasper Fix: Include the new org.apache.jasper.optimizations package in the list of OSGi exported packages for the Jasper embedded JAR. Patch provided by Sokratis Zappis. (markt) Add: Add a new option for the trimSpaces configuration. extended will attempt to remove leading and trailing whitespace from template text and collapse sequences of whitespace and newlines within template text into a single new line. Based on a pull request by kamnani. (markt) Other Add: Implement the first phase of reproducible builds. Sequential builds on the same machine now produce identical output provided that the Ant property ant.tstamp.now is set. The minimum required Ant version is now 1.9.10. (markt) Add: Improvements to Chinese translations. Provided by Ruan Wenjun. (mark) Add: Improvements to French translations. (remm) Add: Improvements to Japanese translations. Provided by kfujino and Shirayuking. (markt) Add: Improvements to Korean translations. (woonsan) Update: Update the packaged version of the Tomcat Native Library to 1.2.27. (markt) 2021-03-10 Tomcat 9.0.44 (markt) Catalina Fix: Revert an incorrect fix for a potential resource leak that broke deployment via the Ant deploy task. (markt) Fix: Improve error message for failed ConfigurationSource lookups in the Catalina implementation. (remm) Fix: 64938: Align the behaviour when null is passed to the ServletResponse methods setCharacterEncoding(), setContentType() and setLocale() with the recent clarification from the Jakarta Servlet project of the expected behaviour in these cases. (markt) Fix: 65135: Rename Context method isParallelAnnotationScanning to getParallelAnnotationScanning for consistency and ease of use in JMX descriptors. (remm) Fix: Ensure that the AsyncListener.onError() event is triggered when a I/O error occurs during non-blocking I/O. There were some cases discovered where this was not happening. (markt) Add: Make the non-blocking I/O error handling more robust by handling the case where the application code swallows an IOException in WriteListener.onWritePossible() and ReadListener.onDataAvailable(). (markt) Fix: Correct syntax error in output of JsonErrorReportValve. Pull request provided by Viraj Kanwade. (markt) Code: Make the StandardContext.postWorkDirectory() protected rather than private to help users wishing to customise the default work directory behaviour. (markt) Coyote Fix: 65118: Fix a potential NullPointerException when pruning closed HTTP/2 streams from the connection. (markt) Fix: Avoid NullPointerException when a secure channel is closed before the SSL engine was initialized. (remm) Fix: Ensure that the ReadListener's onError() event is triggered if the client closes the connection before sending the entire request body and the server is ready the request body using non-blocking I/O. (markt) Fix: 65137: Ensure that a response is not corrupted as well as incomplete if the connection is closed before the response is fully written due to a write timeout. (markt) Fix: Related to bug 65131, make sure all errors from OpenSSL are fully cleared, as there could be more than one error present after an operation (confirmed in the OpenSSL API documentation). (remm) Fix: Make handling of OpenSSL read errors more robust when plain text data is reported to be available to read. (markt) Fix: Correct handling of write errors during non-blocking I/O to ensure that the associated AsyncContext was closed down correctly. (markt) Web applications Fix: 65136: Remove the restriction that prevented the Manager web application deploying different web applications in parallel. This required some refactoring, most notably to HostConfig.check() and how it is used. (markt) Other Update: Update the OWB module to Apache OpenWebBeans 2.0.21. (remm) Update: Update the CXF module to Apache CXF 3.4.2. (remm) Add: Improvements to French translations. (remm) Add: Improvements to Korean translations. (woonsan) Add: Improvements to Brazilian Portuguese translations. Provided by Thiago. (mark) Add: Improvements to Russian translations. Provided by Azat. (mark) Add: Improvements to Chinese translations. Provided by shawn. (mark) Update: Update to bnd 5.3.0. (markt) 2021-02-02 Tomcat 9.0.43 (markt) Catalina Fix: 65106: Fix the ConfigFileLoader handling of file URIs when running under a security manager on some JREs. (markt) Coyote Fix: Ensure that SNI provided host names are matched to SSL virtual host configurations in a case insensitive manner. (markt) Fix: 65111: Free direct memory buffers in the APR connector. (remm) not released Tomcat 9.0.42 (markt) Catalina Fix: 60781: Escape elements in the access log that need to be escaped for the access log to be parsed unambiguously. (fschumacher/markt) Add: 64110: Add support for additional TLS related request attributes that provide details of the protocols and ciphers requested by a client in the initial TLS handshake. (markt) Add: Let the RemoteCIDRValve inherit from RequestFilterValve and support all of its features. Especially add support for connector specific configuration using addConnectorPort. (rjung) Add: Add peerAddress to coyote request, which contains the IP address of the direct connection peer. If a reverse proxy sits in front of Tomcat and the protocol used is AJP or HTTP in combination with the RemoteIp(Valve|Filter), the peer address might differ from the remoteAddress. The latter then contains the address of the client in front of the reverse proxy, not the address of the proxy itself. Support for the peer address has been added to the RemoteAddrValve and RemoteCIDRValve with the new attribute usePeerAddress. This can be used to restrict access to Tomcat based on the reverse proxy IP address, which is especially useful to harden access to AJP connectors. The peer address can also be logged in the access log using the new %{peer}a syntax. (rjung) Fix: Avoid uncaught InaccessibleObjectException on Java 16 trying to clear references threads. (remm) Fix: 65033: Fix JNDI realm error handling when connecting to a failed server when pooling was not enabled. (remm) Fix: 65047: If the AccessLogValve is unable to open the access log file, include information on the current user in the associated log message (markt) Coyote Fix: Additional fix for 64830 to address an edge case that could trigger request corruption with h2c connections. (markt) Fix: 64974: Improve handling of pipelined HTTP requests in combination with the Servlet non-blocking IO API. It was possible that some requests could get dropped. (markt) Add: Add support for using Unix domain sockets for NIO when running on Java 16 or later. This uses NIO specific unixDomainSocketPath and unixDomainSocketPathPermissions attributes. Based on a PR submitted by Graham Leggett. (remm) Fix: 65001: Fix error handling for exceptions thrown from calls to ReadListener and WriteListener. (markt) Fix: Avoid possible infinite loop in OpenSSLEngine.unwrap when the destination buffers state is changed concurrently. (remm) Jasper Add: Add a new StringInterpreter interface that allows applications to provide customised string attribute value to type conversion within JSPs. This allows applications to provide a conversion implementation that is optimised for the application. (markt) Fix: 64965: JspContextWrapper.findAttribute should ignore expired sessions rather than throw an IllegalStateException. (remm) Update: Update to the Eclipse JDT compiler 4.18. (markt) Web applications Fix: 65007: Clarify that the commands shown in the TLS documentation for importing a signed TLS certificate from a certificate authority are typical examples that may need to be adjusted in some cases. (markt) Tribes Fix: Work around DNS caching for the DNS provider of the cloud membership. (jfclere) Other Add: Improvements to Chinese translations. Provided by leeyazhou and Yi Shen. (markt) Add: Improvements to French translations. (remm) Add: Improvements to Korean translations. (woonsan) Update: Update the packaged version of the Tomcat Native Library to 1.2.26. (markt) Add: Update the internal fork of Apache Commons Pool to 2.9.1-SNAPSHOT (2021-01-15). (markt) Add: Update the internal fork of Apache Commons DBCP to 2.9.0-SNAPSHOT (2021-01-15). (markt) Update: Migrate to new code signing service. (markt) Code: Use java.nio.file.Path to test for one directory being a sub-directory of another in a consistent way. (markt) Update: Update to Commons Daemon 1.2.4. (markt) Add: Improvements to Brazilian Portuguese translations. Provided by Rual Zaninetti Rosa and Lucas. (markt) Add: Improvements to Russian translations. Provided by Polina and Azat. (markt) Update: Update the NSIS Installer used to build the Windows installer to version 3.06.1. (kkolinko) module: pkgsrc subject: 'CVS commit: pkgsrc/www/apache-tomcat9' unixtime: '1649712936' user: spz